A new version of IFS Applications brings new functionality in a wide range of business processes. By default, no users are given access to new functions in the business processes. Existing windows that users already have access to might also be updated with additional functionality, and none of these new functions are accessible by default. When moving from one core release to another, a complete review of permission sets might be needed. When applying a new delivery such as an Update patch, the existing permission sets can be used with only minor updates.
The standard procedure is to get the list of modified windows in Presentation Object Grants, then go through the list and decide which permission sets need to be updated.
As a complement to this, technicians may do an update of permission sets in a bulk job executed directly in the database.
Note: This step must be done before the information about the changes made to the presentation objects (Change Information) is reset.
There is also the alternative of re-importing permission sets through Solution Manager, which is also discussed in this document.
It is recommended that a validation of security is performed after the upgrade in order to verify that the security enforced is as expected.
Navigate to the Permission Sets page and select one or more permission sets that need to be updated. Right-click the selection and select the Update Permission Sets... action.
The Apply On section specifies which Presentation Objects need to be updated in the Permission Set.
The Grant Options section specifies how the Presentation Objects are to be updated with grants.
Run as Background Job - This option will run the update process as a background job.
Notify me when completed - This option will notify the user once the update process is completed as a background job. This option cannot be checked until "Run as Background Job" is checked since it is disabled by default. If this is unchecked then the user will not be notified after the completion of the background job.
Database package Pres_Object_Util_API contains a method Upgrade_Roles. This method can be used to update permission sets.
The method is executed in the database using any database tool.
```sql
PROCEDURE Upgrade_Roles (
   rolelist_               IN VARCHAR2,
   upgrade_option_         IN VARCHAR2 DEFAULT 'GRANT_NEW_DB_OBJECTS',
   grant_new_dependencies_ IN VARCHAR2 DEFAULT 'FALSE',
   grant_mode_             IN VARCHAR2 DEFAULT 'DYNAMIC',
   raise_error_            IN VARCHAR2 DEFAULT 'FALSE')
```
The purpose of the method is to update the permission sets by granting new database methods and views that are needed for the windows that the permission set currently gives access to.
Example:
Window Part Cost is modified in the delivery. A new menu action is added in this window to "Move Part Cost into Cost Set 1". Access for this option is by default not granted. The update operation will detect the new option since it is a new database method added to the presentation object for Part Cost (frmPartCost) and grant this method to the permission set if the permission set currently grants access to the Part Cost window.
The bulk update mechanism uses the presentation object change information to determine what needs to be granted. A method, view or window (presentation object) is considered to be "New" until the change information is reset in the Presentation Object Grants window. A presentation object is considered "Modified" if there are changes related to presentation object security (i.e. Method, View) used or changes to the dependencies of the presentation object when compared to the last state when the change information was reset. (Note: This is not considered when upgrade_option_ is set to REGRANT_ALL.)
Parameter | Description |
---|---|
rolelist_ | The name of one permission set or a comma-separated list of permission sets. |
upgrade_option_ | This defines how the upgrade should be done. The parameter can be set to 'GRANT_NEW_DB_OBJECTS', 'REGRANT_MODIFIED_PO' or 'REGRANT_ALL'. 'GRANT_NEW_DB_OBJECTS' is default. GRANT_NEW_DB_OBJECTS: The database objects (methods and views) that have been added to the presentation object are granted. If grant_new_dependencies_ is set to TRUE then this will also grant dependent presentation objects. REGRANT_ALL: Regrant all presentation objects which are granted to the permission set. This can be useful to include granting to objects that are not added by the latest deliveries to make sure all grants are given for the window. See Usage Scenarios for a detailed description of the behavior. |
grant_new_dependencies_ | This controls whether the grant process should do recursive granting of child windows according to the presentation object structure. This can be set to 'TRUE' or 'FALSE'. Default value is 'FALSE'. |
grant_mode_ | This parameter controls how grants should be given to the objects which were selected based on the value given for upgrade_option_. The value can be set to 'DYNAMIC', 'QUERY' or 'FULL'. 'DYNAMIC' is default. DYNAMIC: Grants are given based on how the presentation objects are currently granted. QUERY: Only query methods and views are granted. Presentation objects (including dependent presentation objects) are granted as query only. FULL: Both query and non-query (transactional) methods are granted. Presentation objects (including dependent presentation objects) are granted with FULL permission. See Usage Scenarios for a detailed description of the behavior. |
raise_error_ | This controls whether the operation should stop or continue if an error occurs. This can be set to 'TRUE' or 'FALSE'. 'FALSE' is default. If the value is 'TRUE', the process stops if any of the grant operations encounters an error, for example when the database view does not exist. |
The simple PL/SQL block below is an example of how the method can be used:
```sql
BEGIN
   Log_Sys.Set_Log_Level_(Log_Sys.info_, Log_Category_API.DB_APPLICATION, TRUE);
   Pres_Object_Util_API.Upgrade_Roles(
      rolelist_               => 'SALES_MANAGER,SALES_DEPARTMENT,CONTROLLER',
      upgrade_option_         => 'GRANT_NEW_DB_OBJECTS',
      grant_new_dependencies_ => 'TRUE');
END;
```
The first call is made to enable logging of the operation using DBMS_OUTPUT. The operation Upgrade_Roles will write logs when the info level (or a higher trace level) is set and the Log Category is application.
The second call will update the three listed permission sets by finding any new methods or views (specified by upgrade_option_ => 'GRANT_NEW_DB_OBJECTS') or new dependent presentation objects (grant_new_dependencies_ => 'TRUE') for the already granted presentation objects. It will use the default value for grant_mode_ and hence dynamically grant query or not depending on how the presentation object is currently granted. The output will contain information about which Database Objects and Presentation Objects were granted in the update process and how they were granted (i.e. Query or not).
Note: Some grant operations, such as grants to packages and views, implicitly commit the transaction, while others require that a commit is done after execution.
The following describes the parameter combination to use in a couple of usage scenarios. The value for grant_new_dependencies_ is TRUE in all cases.
Behavior/Usage | Value for upgrade_option_ | Value for grant_mode_ |
---|---|---|
Grant only newly added methods, views and presentation object dependencies of the presentation object based on how the presentation object is currently granted to permission set. (Default behavior / parameter combination of the method.) | GRANT_NEW_DB_OBJECTS | DYNAMIC |
Grant only newly added methods, views and presentation object dependencies of the presentation object with Full permission. | GRANT_NEW_DB_OBJECTS | FULL |
Grant only newly added methods, views and presentation object dependencies of the presentation object with Query permission. This will not remove existing grants of the presentation object which have been already given. | GRANT_NEW_DB_OBJECTS | QUERY |
Grant all modified presentation objects and newly added presentation object dependencies in the permission set based on how the presentation object is currently granted to permission set. This will not grant any existing presentation object dependencies which had not been granted previously. | REGRANT_MODIFIED_PO | DYNAMIC |
Regrant all modified presentation objects and newly added presentation object dependencies in the permission set with Full permission. This will not grant any existing presentation object dependencies which had not been granted previously. | REGRANT_MODIFIED_PO | FULL |
Regrant all modified presentation objects and newly added presentation object dependencies in the permission set with Query permission. This will not grant any existing presentation object dependencies which had not been granted previously, nor will it remove any existing grants already given for the permission set. | REGRANT_MODIFIED_PO | QUERY |
Regrant all presentation objects in the permission set based on how the presentation objects are currently granted to the permission set. This will grant any existing presentation object dependencies which had not been granted previously. | REGRANT_ALL | DYNAMIC |
Regrant all presentation objects in the permission set with Full privileges. This will grant any existing presentation object dependencies which had not been granted previously. | REGRANT_ALL | FULL |
Regrant all presentation objects in the permission set with Query privileges. This will grant any existing presentation object dependencies which had not been granted previously. | REGRANT_ALL | QUERY |
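The following is an added example, not part of the IFS documentation: it applies the GRANT_NEW_DB_OBJECTS / QUERY row of the table one permission set at a time, with raise_error_ set to 'TRUE' and an explicit commit, so new objects arrive as query-only and any failure is tied to a single permission set. It assumes a SQL*Plus or SQLcl session (for SET SERVEROUTPUT) and reuses the permission set names from the example above; only Upgrade_Roles and the logging call shown on this page are used from IFS.

```sql
-- Added example: conservative, per-permission-set run of Upgrade_Roles.
-- Assumption: executed in SQL*Plus or SQLcl so DBMS_OUTPUT is displayed.
SET SERVEROUTPUT ON SIZE UNLIMITED

DECLARE
   -- Permission sets to update (names taken from the page's own example).
   -- They are processed one at a time so that an error points at one set.
   roles_  SYS.ODCIVARCHAR2LIST :=
      SYS.ODCIVARCHAR2LIST('SALES_MANAGER', 'SALES_DEPARTMENT', 'CONTROLLER');
   failed_ PLS_INTEGER := 0;
BEGIN
   -- Same logging call as in the page's example: info level, application category.
   Log_Sys.Set_Log_Level_(Log_Sys.info_, Log_Category_API.DB_APPLICATION, TRUE);

   FOR i_ IN 1 .. roles_.COUNT LOOP
      BEGIN
         Pres_Object_Util_API.Upgrade_Roles(
            rolelist_               => roles_(i_),
            upgrade_option_         => 'GRANT_NEW_DB_OBJECTS',
            grant_new_dependencies_ => 'TRUE',
            grant_mode_             => 'QUERY',  -- new objects are granted as query only
            raise_error_            => 'TRUE');  -- stop this set on the first failed grant
         COMMIT;  -- some grant operations require an explicit commit
         Dbms_Output.Put_Line('UPDATED: ' || roles_(i_));
      EXCEPTION
         WHEN OTHERS THEN
            -- Grants that committed implicitly before the error stay in place;
            -- the rollback only discards work that was not yet committed.
            ROLLBACK;
            failed_ := failed_ + 1;
            Dbms_Output.Put_Line('FAILED:  ' || roles_(i_) || ' - ' || SQLERRM);
      END;
   END LOOP;

   Dbms_Output.Put_Line(failed_ || ' of ' || roles_.COUNT || ' permission sets failed.');
END;
/
```

Permission sets reported as FAILED may be partially updated and should be reviewed in Presentation Object Grants before the change information is reset.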
Existing permission sets can be updated by exporting and re-importing them into the system.
This describes how to re-grant all presentation objects that a permission set grants. Note that this will give full access even if the presentation object was earlier granted read only access.
Now the permission sets contain full grants to the presentation objects. New links to new windows still may need to be granted manually.
This describes how to re-grant all presentation objects that a permission set grants but keep existing restrictions. Note that all database views and methods that were not restricted earlier are granted. For example, if only query methods were granted before but there are new methods added to the presentation object in the new version that can modify the data, these are also granted.
Now the permission sets contain new grants to the presentation objects but keep the earlier restrictions.