A quick introduction to the IFS Applications user concept for system administrators and installation technicians.
To be able to log on to IFS Applications, you need to be a Foundation1 User. IFS Applications has its own User Registry in the database where all users need to be registered.
Most business logic authorization rules are mapped to the Foundation1 User.
If Database Authentication is used, the Foundation1 User must also be an active Oracle User. This is done by a one-to-one mapping on name between the Foundation1 user and the Oracle database user.
If external OpenID Connect providers (such as ADFS or Azure AD) are used, the Foundation1 user must be mapped to the corresponding user identity in the external user registry. This mapping happens using the directory-id field of the fnd_user_tab.
There are also a few other Oracle users that are of great importance to IFS Applications, see Special Users in IFS Applications.
Special users and service users used for integrations do not have to be mapped to a corresponding user identity in the external user registry.
There are some "users" which are not mapped to actual end-users (as in humans) but exist only for technical purposes. These users all have some elevated privileges and should be considered security critical.
User | Name | Purpose | Special privileges |
---|---|---|---|
Application owner Appowner | Any name, but often called <IFSAPP> | Provides views, tables, packages methods for IFS Applications. | Database schema owner. Grants on SYS views and system privileges grants. |
IFS System User | IFSSYS | IFS Middleware Server always connects to the database as user IFSSYS. | SELECT on all views, EXECUTE on all methods, SELECT, UPDATE, INSERT on tables with LOB columns |
IAL Owner | Any name, but often called <IFSINFO> | Owner of all created IAL objects used for reporting and statistics for end-users. | SELECT on all views |
Oracle System user | SYS and SYSTEM | The System accounts for the database, owns or is granted most Oracle internal tables. Some installation steps must be run as SYS. | Has privileges to perform anything in the database |
IFS Applications comes with a few pre-defined accounts that are granted pre-defined roles. These accounts are created during installation and are locked by default. Information about how to unlock these pre-defined users and set their passwords can be found in Create Foundation1 Users / Set passwords. These Foundation1 users should always be mapped to an active Oracle user. These users must not be mapped to external user registries even if an external user registry (for example ADFS, Azure AD) is used for interactive user authentication.
User | Purpose | Role |
---|---|---|
IFSADMIN | Used to administrate IFS Applications using IFS Solution Manager, especially right after installation when no other user accounts have yet been created. | FND_ADMIN |
IFSPRINT | Used by the IFS Report Formatter. | FND_PRINTSERVER |
IFSPLSQLAP | Used to authenticate PL/SQL Access Provider calls to IFS Middleware Server. | FND_PLSQLAP |
IFSCONNECT | Used by IFS Connect | FND_CONNECT |
IFSMOBILITY | Used by the IFS Touch Apps framework for registering push notifications and for loading Aurena Native Apps configuration into the IFS Middleware Server. | FND_TOUCHAPPS_CONFIG |
IFSSCHEDULING | Used by the IFS PSO Integration framework to send/receive scheduling data with IFS PSO (Planning and Scheduling Optimization) | FNDSCH_WEBSERVICE |
IFSSYNC | Used by the Data Synchronization functions. This user is used to configure the required environment setups and also to route data among sites. | FND_SYNC |
IFSMONITORING | Used by the IFS System Monitoring functions. | FND_MONITORING |
For some IFS Aurena Native Apps there are some "users" which are not mapped to actual end-users (as in humans). These users have no elevated privileges and are used to collect data that is to be synchronized to the mobile users for the IFS Aurena Native Apps. These users should not be set active or used for any purpose other than that for which they are intended, so that they are not considered a security risk.
User | Name | Purpose |
---|---|---|
Grouped Push User for IFS Aurena Native App | IFS<APP_NAME> | Used by the Grouped Push functionality in IFS Aurena Native Apps to collect data that will be sent to the mobile users. A Grouped Push User will be created for each IFS Aurena Native App that is deployed into the environment that has at least one entity defined in Synchronization Rules with Grouped Push as the Delivery Method. For these entities the Grouped Push User must have access to all business roles that are used to filter the data to the mobile users. These business roles could be access to all Companies and/or Sites that will be used by the mobile users running the IFS Aurena Native App. |
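
The rules stated above for the pre-defined accounts and for the Grouped Push users can be checked against an export of the user registry. The following is an added example, not part of the IFS documentation or product: the export keys (`identity`, `directory_id`, `active`), the function name and the sample rows, including the user `IFSDEMOAPP`, are assumptions constructed for illustration.

```python
# Pre-defined Foundation1 accounts listed in the table above.
PREDEFINED = {"IFSADMIN", "IFSPRINT", "IFSPLSQLAP", "IFSCONNECT", "IFSMOBILITY",
              "IFSSCHEDULING", "IFSSYNC", "IFSMONITORING"}


def audit_accounts(fnd_users, oracle_status, grouped_push_users=()):
    """Return sorted (user, finding) pairs.

    fnd_users: rows exported from the Foundation1 user registry; the keys
      'identity', 'directory_id' and 'active' are assumed export names.
    oracle_status: Oracle user name -> ACCOUNT_STATUS as reported by DBA_USERS.
    grouped_push_users: names of the IFS<APP_NAME> Grouped Push users in use.
    """
    push = {n.upper() for n in grouped_push_users}
    findings = []
    for row in fnd_users:
        name = row["identity"].upper()
        mapped = bool((row.get("directory_id") or "").strip())
        if name in PREDEFINED:
            # Pre-defined accounts must not be mapped to an external registry.
            if mapped:
                findings.append((name, "predefined account mapped to external registry"))
            # They map one-to-one by name to an Oracle user.
            status = oracle_status.get(name)
            if status is None:
                findings.append((name, "no Oracle user with the same name"))
            elif status == "OPEN":
                # Locked by default, so an open account is a review item.
                findings.append((name, "unlocked: confirm the account is in use"))
        elif name in push and row.get("active"):
            findings.append((name, "Grouped Push user is set active"))
    return sorted(findings)


# Constructed sample data, not taken from a real installation.
SAMPLE_FND_USERS = [
    {"identity": "IFSADMIN", "directory_id": "", "active": True},
    {"identity": "IFSPRINT", "directory_id": "svc-print@example.com", "active": True},
    {"identity": "IFSCONNECT", "directory_id": None, "active": False},
    {"identity": "IFSSYNC", "directory_id": None, "active": False},
    {"identity": "IFSDEMOAPP", "directory_id": None, "active": True},  # hypothetical IFS<APP_NAME>
    {"identity": "ALAIN", "directory_id": "alain@example.com", "active": True},
]
SAMPLE_ORACLE = {"IFSADMIN": "OPEN", "IFSPRINT": "LOCKED", "IFSCONNECT": "LOCKED"}

if __name__ == "__main__":
    for user, finding in audit_accounts(SAMPLE_FND_USERS, SAMPLE_ORACLE, ["IFSDEMOAPP"]):
        print(f"{user}: {finding}")
```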