System Privileges

This document is written to give system administrators and installation technicians a quick introduction to the Foundation1 System Privileges concepts in IFS Applications.

Contents

Purpose

System privileges are used to grant a user the necessary rights to use a specific functionality, unrelated to data or method authorization. Foundation1 defines five different system privileges:

It is not possible to create or modify system privileges. In general a system privilege gives elevated authority in the system and should be used very carefully.
 

Defined system privileges

These are the existing system privileges and their usage.

Privilege Purpose
ADMINISTRATOR This system privilege lets the logged on user act as Appowner, with the exception of method security. This system privilege also gives the user the ability to see more, but not necessarily all, data. This privilege is granted to the FND_ADMIN permission set. This is a very high privilege and should be used with care.
CONNECT Any user that wants to access IFS Applications through an IFS Client must have Connect system privilege. It is possible to access IFS Applications methods from non IFS Clients, like SQLPlus, without having this privilege.

Allow access to IFS Middleware Server activities and services. Without this privilege a user will never reach any backend method at all (will return a HTTP 401 Unauthorized response).

IMPERSONATE USER Allow the authenticated user the possibility to impersonate (run as) some other user. This is a very high privilege and should be used with care.
DEFINE SQL Allows the user to enter SQL statements that should be executed by the application through some system service. This is a very high privilege and should be used with care. With the ability to define SQL the user can add or change SQL statements that defines what data to retrieve from the system. A user with this privilge will therefore get access to any data that can be reached through database views. 
DEBUGGER This privilege gives ability to get server debug stack trace in the IFS Enterprise Explorer debug console

Detailed information about system privileges

System privilege Used in
ADMINISTRATOR             Methods
  • Archive_API.Remove_User_Instance
    Allows you to delete any report
  • Batch_SYS.Init_All_Processes_
    Allows to execute
  • Batch_SYS.Process_Batch_Schedule_
    Allows you to execute any Scheduled Task
  • Batch_Queue_API.Delete___
    Allows you to delete any Batch Queue
  • Batch_Schedule_API
    Allows you to perform operations on all scheduled tasks
  • CONNECTIVITY_SYS.Init_All_Processes__
    Allows you to start Connectivity background process
  • Data_Archive_API.Init_All_Processes_
    Allows you to start Data Archiving background process
  • Fnd_User_API.Get_User_Security_Info_
    Returns % for ADMINISTRATOR, otherwise Fnd_User
  • Fnd_User_API.Set_Property
    Allows you to set properties on any user
  • Fnd_User_Properties_API
    Allows you to set properties on any user
  • Oracle_Account_API.Alter_User__
    Allows you to Alter any user
  • Oracle_Account_API.Expire_Password__
    Allows you to expire any users password
  • Oracle_Account_API.Lock_Account__
    Allows you to lock any user account
  • Oracle_Account_API.Unlock_Account__
    Allows you to unlock any user account
  • Performance_Analyze_API.Remove
    Allows you to remove any Performance Analyze
  • Replication_SYS.Init_All_Processes__
    Allows you to start Replication background process
  • Report_Definition_API.Count_Available_Reports
    Returns all reports
  • Report_Definition_API.Report_Definition__
    Returns all reports
  • Transaction_SYS.Init_Processing__
    Allows you to start Background Queues background process
  • Transaction_SYS.Init_All_Processing__
    Allows you to start all Background Queues background process

Views

  • ARCHIVE_DISTRIBUTION
    Lets you see all rows
  • BATCH_JOB
    Allows you to see all background jobs
  • BATCH_SCHEDULE
    Allows you to see all scheduled tasks
  • BATCH_SCHEDULE_METHOD
    Allows you to see all tasks
  • DEFERRED_JOB
    Allows you to see all background jobs
  • HISTORY_LOG
    Allows you to see all History logs
  • PRINT_JOB
    Allows you to see all Print Jobs
  • QUICK_REPORT
    Allows you to se all Quick Reports
DEFINE SQL Services
  • Define scheduled tasks
  • Define data archive objects and data archive orders
  • Define monitoring entries
  • Define quick reports
  • Define custom objects

Granting system privileges to users

System privileges are always granted to permission sets, never directly to users. Use IFS Solution Manager to administrate permission sets and the system privileges granted.