
Installation and Security

This document highlights some points to consider regarding installation and security.

Lobby Runtime Security

Lobby Runtime Security is mainly based on Presentation Objects (POs).

Lobbies show only the pages (Presentation Objects) that are granted to the user.

When the user opens a lobby page, the layout of the page is loaded without any PO check. Data is loaded individually in lobby elements. In this case, Presentation Object grants are checked for each data source used by the element. If the relevant data source is not granted, a cross sign is displayed on the element.

Figure: Element with no grants

With the Power BI element, a Power BI report or visual can be embedded into a Lobby page. A report or the underlying data source can optionally use row-level security (RLS); when it does, the identity of the logged-in user is sent to the Power BI Server. In this way the logged-in user cannot see data that he shouldn't have access to.

Lobby Designer Security

The Lobby page designer, Lobby element designer and Lobby data source designer are the tools for designing lobbies. Lobby Designer Security is mainly based on projections. There is a separate projection for each designer.

  • LobbyDatasourceConfiguration.projection: Datasource designer
  • LobbyElementConfiguration.projection: Element Designer
  • LobbyConfiguration.projection: Page designer

The logged-in user must have grants for these projections in order to:

  • Open designers
  • View metadata of Lobby items
  • Do CRUD operations on Lobby items

Two permission sets have been created to grant access to all three lobby designers above.

1. FND_LOBBY_ADMIN

The following projections are granted for the FND_LOBBY_ADMIN permission set:

  • LobbyConfiguration
  • LobbyElementConfiguration
  • LobbyDatasourceConfiguration

The Datasource designer is a special tool among the three lobby designers. The user is able to access any table/view in the database and execute any query through the Datasource designer. So an extra layer of protection (the LOBBY DATASOURCE DESIGNER system privilege) has been implemented on the Datasource designer to protect data from unauthorized users.

A user who has grants for LobbyDatasourceConfiguration.projection will be able to:

  • Open Datasource designers
  • View metadata of data sources
  • Export data sources
  • Plug a data source into an element

In order to do the following operations on a data source, the user must have grants for the LOBBY DATASOURCE DESIGNER system privilege:

  • Create / import data sources
  • Edit data sources
  • Delete data sources
  • Preview data in a data source

A user who has the FND_LOBBY_ADMIN permission set can create lobby elements, create lobby pages and only view the data source definition.

The FND_LOBBY_ADMIN permission set does not include the LOBBY DATASOURCE DESIGNER system privilege.

2. FND_LOBBY_SQLDS_ADMIN

The following permission sets are granted for the FND_LOBBY_SQLDS_ADMIN permission set:

  • FND_LOBBY_ADMIN
  • QUERY_DESIGNER_ADMIN

Apart from that, the FND_LOBBY_SQLDS_ADMIN permission set includes the LOBBY DATASOURCE DESIGNER system privilege.

Since this permission set includes the QUERY_DESIGNER_ADMIN permission set, the user can navigate to the Query Overview and Query Designer screens and use their functionality.

So a user who has the FND_LOBBY_SQLDS_ADMIN permission set can create lobby elements, create lobby pages, manipulate data sources, preview data sources and use the functionality of the Query Overview and Query Designer screens.
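The grant model described above can be checked offline when reviewing who is able to run arbitrary queries through the Datasource designer. The following is an added example, not IFS code and not an IFS API: the two standard permission sets follow this page, while CUSTOM_LOBBY_VIEWER, the user names and their assignments are constructed sample data.

```python
# Added example: a model of the grants described on this page; it calls no IFS API.
PERMISSION_SETS = {
    "FND_LOBBY_ADMIN": {
        "projections": {"LobbyConfiguration", "LobbyElementConfiguration",
                        "LobbyDatasourceConfiguration"},
        "privileges": set(), "includes": set()},
    "QUERY_DESIGNER_ADMIN": {  # contents are not listed on the page
        "projections": set(), "privileges": set(), "includes": set()},
    "FND_LOBBY_SQLDS_ADMIN": {
        "projections": set(), "privileges": {"LOBBY DATASOURCE DESIGNER"},
        "includes": {"FND_LOBBY_ADMIN", "QUERY_DESIGNER_ADMIN"}},
    "CUSTOM_LOBBY_VIEWER": {  # hypothetical custom permission set
        "projections": {"LobbyDatasourceConfiguration"},
        "privileges": set(), "includes": set()},
}
# Constructed sample assignments (user -> directly granted permission sets).
USERS = {"alice": {"FND_LOBBY_ADMIN"}, "bob": {"FND_LOBBY_SQLDS_ADMIN"},
         "carol": {"CUSTOM_LOBBY_VIEWER"}, "dave": set()}
READ_OPS = ["open designer", "view metadata", "export", "plug into element"]
WRITE_OPS = ["create/import", "edit", "delete", "preview data"]

def effective(assigned):
    """Resolve nested permission sets; return (projections, privileges)."""
    seen, stack = set(), list(assigned)
    projections, privileges = set(), set()
    while stack:
        name = stack.pop()
        if name in seen or name not in PERMISSION_SETS:
            continue  # skip repeats (guards against cycles) and unknown sets
        seen.add(name)
        entry = PERMISSION_SETS[name]
        projections |= entry["projections"]
        privileges |= entry["privileges"]
        stack.extend(entry["includes"])
    return projections, privileges

def datasource_ops(user):
    """Operations the user can perform in the Datasource designer."""
    projections, privileges = effective(USERS[user])
    if "LobbyDatasourceConfiguration" not in projections:
        return []  # cannot even open the designer
    ops = list(READ_OPS)
    if "LOBBY DATASOURCE DESIGNER" in privileges:
        ops += WRITE_OPS  # the extra layer: needs projection and privilege
    return ops

def arbitrary_query_users():
    """Users to review: they can create or preview data sources."""
    return sorted(u for u in USERS if "preview data" in datasource_ops(u))

if __name__ == "__main__":
    print({u: datasource_ops(u) for u in sorted(USERS)}, arbitrary_query_users())
```

Feeding the model with an export of the real permission set assignments gives a short list of accounts whose access to the LOBBY DATASOURCE DESIGNER system privilege should be justified.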

System Parameter for Data Access & Configurations in Lobbies

While the permission sets and projection grants mentioned above determine access for lobby designers, access to newly created lobby presentation objects such as Lobby Pages, Lobby Elements and Data Sources is handled by a System Parameter: "Permission set to be granted Lobby presentation objects by default", which is available under the Lobby category.

This parameter allows administrative users to specify the default permission set that will be automatically assigned to newly created lobby objects.

If left unconfigured, no user group will have access to the new lobby objects by default, and access must be granted manually.

Assigning a permission set to this parameter ensures all users with that permission set can view and manage newly created lobby objects by default. It is recommended to assign this permission set to your lobby designers and administrators to streamline access and object management.

Example:

Let's consider a scenario using one of the standard permission sets available within the system: FND_LOBBY_ADMIN

When FND_LOBBY_ADMIN is set:

  1. Any user assigned the FND_LOBBY_ADMIN permission set will automatically receive access to all the lobby pages that are created or imported by Lobby Designer or Lobby Admin users.
  2. These users will be able to access, edit, and share those lobby pages with other users, including those who do not have the FND_LOBBY_ADMIN permission set.

Note: A custom permission set can be created and added to the system parameter mentioned above, to define the specific actions a user is authorized to perform and the data they are permitted to access.

Power BI Security

In the Power BI element designer, the report dropdown is automatically filled with the reports that are available within the Power BI Workspace that the Power BI Service is linked to. This is not a per-user list; it is the same for all users. The data in preview mode uses RLS, meaning that the logged-in user cannot see data that he is not allowed to see. The diagram below shows the sequence and the security tokens used when a Lobby designer creates a new Power BI Element and when a Lobby page viewer visits a page that has a Power BI Element on it.

PBI Embedded sequence

The Install and Reconfigure process

The Lobby items included with IFS Applications are automatically deployed to your database when running the IFS Cloud Installer. Note that every time the Installer is run, the Lobby items that ship with IFS Cloud will be redeployed and overwritten.

Important: If configuration changes (i.e. not Personalization changes) are needed on any Lobby item that was included with IFS Cloud, be sure to create a copy of that item and make the necessary configuration changes on the newly copied item.