Update Permission Sets

A new version of IFS Applications brings new functionality in a wide range of business processes. By default no users are given access to new functions in the business processes. Existing windows that users already have access to might also be updated with additional functionality, and none of these new functions are accessible by default. When moving from one core release to another, a complete review of the permission sets might be needed. When applying a new delivery such as an Update patch, the existing permission sets can be reused after only minor updates.

The standard procedure is to get the list of modified windows in Presentation Object Grants, go through the list and decide which permission sets need to be updated.

As a complement to this, technicians may update permission sets in a bulk job executed directly in the database.

Note: This step must be done before the information about the changes made to the presentation objects (Change Information) is reset.

There is also the alternative of re-importing permission sets through Solution Manager which is also discussed in this document.

It is recommended that a validation of security is performed after the upgrade in order to verify that the security enforced is as expected.


How to update Permission Sets from Solution Manager

Navigate to the Permission Sets page and select one or more permission sets that need to be updated. Right-click the selected permission sets and select the Update Permission Sets... action.

The Apply On section controls which Presentation Objects are updated in the Permission Set.

  1. Modified Presentation Objects - Only the modified Presentation Objects' dependencies will be affected.
  2. All Presentation Objects - All the Presentation Objects and their dependencies will be affected, regardless of whether they have been modified or not.

The Grant Options section controls how grants are given to the Presentation Objects.

  1. Full or Read Only according to existing grants - Presentation Objects will be granted depending on their existing grants. If any transactional methods are granted to a Presentation Object, then Full grants will be applied to the relevant Presentation Object and/or its dependencies (based on the selection in the Apply On section). Otherwise Read Only will be granted for the Presentation Object.
  2. Read Only - Read Only grants will be given for the Presentation Object and/or its dependencies (any existing grants already given will not be revoked).
  3. Full - Full grants will be given for the Presentation Object and/or its dependencies (grants already revoked on the Presentation Objects will be re-granted if the All Presentation Objects option is selected in the Apply On section).

Run as Background Job - This option will run the update process as a background job.

Notify me when completed - This option will notify the user once the update process has completed as a background job. It is disabled by default and cannot be checked until Run as Background Job is checked. If it is unchecked, the user will not be notified after the completion of the background job.

Bulk Update of Permission Sets

The database package Pres_Object_Util_API contains the method Upgrade_Roles, which can be used to update permission sets.

The method is executed in the database using any database tool.

PROCEDURE  Upgrade_Roles  (
   rolelist_                 IN VARCHAR2,
   upgrade_option_           IN VARCHAR2 DEFAULT 'GRANT_NEW_DB_OBJECTS',
   grant_new_dependencies_   IN VARCHAR2 DEFAULT 'FALSE',
   grant_mode_               IN VARCHAR2 DEFAULT 'DYNAMIC', 
   raise_error_              IN VARCHAR2 DEFAULT 'FALSE')

The purpose of the method is to update the permission sets by granting new database methods and views that are needed for the windows that the permission set currently gives access to.

Example:

The window Part Cost is modified in the delivery: a new menu action "Move Part Cost into Cost Set 1" is added to this window. Access to this option is not granted by default. The update operation will detect the new option, since it is a new database method added to the presentation object for Part Cost (frmPartCost), and grant this method to the permission set if the permission set currently grants access to the Part Cost window.


Determining what needs to be granted

The bulk update mechanism uses the presentation object change information to determine what needs to be granted. A method, view or window (presentation object) is considered "New" until the change information is reset in the Presentation Object Grants window. A presentation object is considered "Modified" if there are changes related to presentation object security (i.e. the methods and views it uses) or changes to the dependencies of the presentation object, compared to the state at the last reset of the change information. (Note: This is not considered when upgrade_option_ is set to REGRANT_ALL.)


Parameter Description

rolelist_ - The name of one permission set or a comma-separated list of permission sets.

upgrade_option_ - This defines how the upgrade should be done. The parameter can be set to 'GRANT_NEW_DB_OBJECTS', 'REGRANT_MODIFIED_PO' or 'REGRANT_ALL'. 'GRANT_NEW_DB_OBJECTS' is the default.

GRANT_NEW_DB_OBJECTS: The database objects (methods and views) that have been added to the presentation object are granted. If grant_new_dependencies_ is set to 'TRUE', this will also grant the new dependent presentation objects.

REGRANT_MODIFIED_PO: The presentation objects that have new database objects (methods and views) are re-granted.

REGRANT_ALL: All presentation objects that are granted to the permission set are re-granted. This is useful for also granting objects that were not added by the latest deliveries, to make sure all grants are given for the window.

See Usage Scenarios for a detailed description of the behavior.

grant_new_dependencies_ - This controls whether the grant process should recursively grant child windows according to the presentation object structure. This can be set to 'TRUE' or 'FALSE'. The default value is 'FALSE'.

Setting this parameter to 'TRUE' will recursively grant new presentation objects that are added as a dependency of a granted presentation object, such as a new dialog added to an existing window. For the upgrade option 'REGRANT_ALL', this means that all dependencies will be granted.

grant_mode_ - This parameter controls how grants are given to the objects selected according to the value of upgrade_option_. The value can be set to 'DYNAMIC', 'QUERY' or 'FULL'. 'DYNAMIC' is the default.

DYNAMIC: Grants are given based on how the presentation objects are currently granted.
  • When upgrade_option_ is set to GRANT_NEW_DB_OBJECTS and the presentation object is currently granted as Query (Read-only), then only newly added views and query only methods are granted. If grant_new_dependencies_ is set to TRUE, this will also grant the new dependent presentation objects as query only.
  • When upgrade_option_ is set to GRANT_NEW_DB_OBJECTS and the presentation object is currently granted with one or more transactional methods (not read-only), then the newly added views and any newly added methods will be granted. If grant_new_dependencies_ is set to TRUE, this will also grant the new dependencies with FULL permission (permission to query and modify data).
  • When upgrade_option_ is set to REGRANT_MODIFIED_PO or REGRANT_ALL and the presentation object is currently granted as query only, the re-granting will also be done as query only. If one or more transactional methods were granted before, the regrant will give FULL permission to the presentation object. (Note: This means that any previously revoked method access in the presentation object will be re-granted. However, existing dependencies on other presentation objects that were previously not granted will be re-granted only when REGRANT_ALL is specified.)

QUERY: Only query methods and views are granted. Presentation objects (including dependent presentation objects) are granted as query only.

FULL: Both query and non-query (transactional) methods are granted. Presentation objects (including dependent presentation objects) are granted with FULL permission.

See Usage Scenarios for a detailed description of the behavior.
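The following is an added model of the grant rules for upgrade_option_ and grant_mode_ described above; it is illustration code written for this page, not IFS code. The presentation object, its method and view names and the two permission sets are constructed sample data, and the dependency recursion controlled by grant_new_dependencies_ is not modelled.

```python
from dataclasses import dataclass, field

@dataclass
class PresObject:
    views: set
    query_methods: set
    trans_methods: set                              # methods that modify data
    new_objects: set = field(default_factory=set)   # flagged "New" in change info

    def all_objects(self) -> set:
        return self.views | self.query_methods | self.trans_methods

    def is_modified(self) -> bool:
        # "Modified": it gained database objects since the change info was reset
        return bool(self.new_objects)

def currently_full(granted: set, po: PresObject) -> bool:
    """DYNAMIC rule: the PO counts as Full if any transactional method is granted."""
    return bool(granted & po.trans_methods)

def objects_to_grant(granted: set, po: PresObject,
                     upgrade_option: str = "GRANT_NEW_DB_OBJECTS",
                     grant_mode: str = "DYNAMIC") -> set:
    """Database objects the upgrade adds to the PO's grants (nothing is revoked)."""
    if upgrade_option == "GRANT_NEW_DB_OBJECTS":
        candidates = po.new_objects
    elif upgrade_option == "REGRANT_MODIFIED_PO":
        candidates = po.all_objects() if po.is_modified() else set()
    elif upgrade_option == "REGRANT_ALL":
        candidates = po.all_objects()
    else:
        raise ValueError(f"unknown upgrade_option_: {upgrade_option}")
    if grant_mode not in ("DYNAMIC", "FULL", "QUERY"):
        raise ValueError(f"unknown grant_mode_: {grant_mode}")
    full = currently_full(granted, po) if grant_mode == "DYNAMIC" else grant_mode == "FULL"
    # A query-only grant never includes data-modifying methods.
    allowed = candidates if full else candidates - po.trans_methods
    return allowed - granted

# Constructed sample (Part Cost example above): frmPartCost gains one new transactional method.
PART_COST = PresObject(
    views={"PART_COST"},
    query_methods={"PART_COST_API.Get_Cost", "PART_COST_API.Get_Description"},
    trans_methods={"PART_COST_API.Modify", "PART_COST_API.Move_To_Cost_Set1"},
    new_objects={"PART_COST_API.Move_To_Cost_Set1"},
)
# Two permission sets: read-only with Get_Description revoked earlier, and full.
READ_ONLY_SET = {"PART_COST", "PART_COST_API.Get_Cost"}
FULL_SET = READ_ONLY_SET | {"PART_COST_API.Modify"}
```

With the defaults the read-only set gains nothing (the new method is transactional), while the full set gains the new method; REGRANT_ALL additionally restores the earlier revoked query method, which GRANT_NEW_DB_OBJECTS never touches.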

raise_error_ - This controls whether the operation should stop on any error or continue. This can be set to 'TRUE' or 'FALSE'. 'FALSE' is the default. If the value is 'TRUE', the grant operation will stop the process in case any of the grant operations encounters an error, for example when a database view does not exist.


How to use it

The simple PL/SQL block below is an example of how the method can be used:

BEGIN
   -- Enable INFO level logging for the application log category so that
   -- Upgrade_Roles reports each granted object through DBMS_OUTPUT.
   Log_Sys.Set_Log_Level_(Log_Sys.info_, Log_Category_API.DB_APPLICATION, TRUE);
   -- Grant new methods, views and new dependent presentation objects to the
   -- three permission sets; grant_mode_ and raise_error_ keep their defaults.
   Pres_Object_Util_API.Upgrade_Roles(rolelist_               => 'SALES_MANAGER,SALES_DEPARTMENT,CONTROLLER',
                                      upgrade_option_         => 'GRANT_NEW_DB_OBJECTS',
                                      grant_new_dependencies_ => 'TRUE');
   -- Only some grant operations commit implicitly; commit the rest explicitly.
   COMMIT;
END;

The first call enables logging of the operation through DBMS_OUTPUT. Upgrade_Roles writes log entries when the info level (or a higher trace level) is set and the log category is application.

The second call updates the three listed permission sets by finding any new methods or views (specified by upgrade_option_ => 'GRANT_NEW_DB_OBJECTS') and any new dependent presentation objects (grant_new_dependencies_ => 'TRUE') for the already granted presentation objects. It uses the default value for grant_mode_ and hence dynamically grants query-only or full access depending on how each presentation object is currently granted. The output contains information about which database objects and presentation objects were granted in the update process and how they were granted (i.e. query only or not).

Note: Some grant operations, such as grants on packages and views, implicitly commit the transaction, while others require that a commit is done after execution.

Usage Scenarios

The following describes the parameter combination to use in a couple of usage scenarios. The value for grant_new_dependencies_ is 'TRUE' in all cases. Each scenario lists the behavior followed by the values for upgrade_option_ and grant_mode_.

  1. Grant only newly added methods, views and presentation object dependencies of the presentation object, based on how the presentation object is currently granted to the permission set (the default behavior and parameter combination of the method).
     upgrade_option_ => 'GRANT_NEW_DB_OBJECTS', grant_mode_ => 'DYNAMIC'
  2. Grant only newly added methods, views and presentation object dependencies of the presentation object with Full permission.
     upgrade_option_ => 'GRANT_NEW_DB_OBJECTS', grant_mode_ => 'FULL'
  3. Grant only newly added methods, views and presentation object dependencies of the presentation object with Query permission. This will not remove existing grants of the presentation object that have already been given.
     upgrade_option_ => 'GRANT_NEW_DB_OBJECTS', grant_mode_ => 'QUERY'
  4. Regrant all modified presentation objects and newly added presentation object dependencies in the permission set, based on how the presentation object is currently granted to the permission set. This will not grant any existing presentation object dependencies that had not been granted previously.
     upgrade_option_ => 'REGRANT_MODIFIED_PO', grant_mode_ => 'DYNAMIC'
  5. Regrant all modified presentation objects and newly added presentation object dependencies in the permission set with Full permission. This will not grant any existing presentation object dependencies that had not been granted previously.
     upgrade_option_ => 'REGRANT_MODIFIED_PO', grant_mode_ => 'FULL'
  6. Regrant all modified presentation objects and newly added presentation object dependencies in the permission set with Query permission. This will not grant any existing presentation object dependencies that had not been granted previously, nor will it remove any existing grants already given for the permission set.
     upgrade_option_ => 'REGRANT_MODIFIED_PO', grant_mode_ => 'QUERY'
  7. Regrant all presentation objects in the permission set, based on how the presentation objects are currently granted to the permission set. This will grant any existing presentation object dependencies that had not been granted previously.
     upgrade_option_ => 'REGRANT_ALL', grant_mode_ => 'DYNAMIC'
  8. Regrant all presentation objects in the permission set with Full privileges. This will grant any existing presentation object dependencies that had not been granted previously.
     upgrade_option_ => 'REGRANT_ALL', grant_mode_ => 'FULL'
  9. Regrant all presentation objects in the permission set with Query privileges. This will grant any existing presentation object dependencies that had not been granted previously.
     upgrade_option_ => 'REGRANT_ALL', grant_mode_ => 'QUERY'

Update by Importing Permission Sets

Existing permission sets can be updated by exporting and re-importing them into the system.

Re-grant existing presentation objects

This describes how to re-grant all presentation objects that a permission set grants. Note that this will give full access even if the presentation object was earlier granted read only access.

  1. Select the permission sets you want to update in the permission sets window.
  2. Use the Export Permission Sets action. In the export dialog, deselect the option include database objects. Export the permission sets to file system.
  3. Import the permission sets again to the same environment. Select the option to replace the existing permission sets when the question is raised.

Now the permission sets contain full grants to the presentation objects. Links to new windows may still need to be granted manually.

Re-grant existing presentation objects keeping existing restrictions

This describes how to re-grant all presentation objects that a permission set grants while keeping existing restrictions. Note that all database views and methods that were not restricted earlier are granted. For example, if only query methods were granted before but new methods that can modify data have been added to the presentation object in the new version, these are also granted.

  1. Select the permission sets you want to update in the permission sets window.
  2. Use the Export Permission Sets action and keep the option include database objects selected. Export the permission sets to file system.
  3. Edit the permission set xml files by modifying the FULL_PO_GRANT attribute from value 0 to value 1.
  4. Import the permission sets again to the same environment. Select the option to replace the existing permission sets when the question is raised.
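An added helper for step 3 above, written for this page and not part of IFS: it sets every FULL_PO_GRANT="0" attribute to "1" in the exported XML files without hand-editing them. Only the attribute name comes from the procedure; the element names in the constructed sample are assumed.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

def set_full_po_grant(root: ET.Element) -> int:
    """Change FULL_PO_GRANT="0" to "1" on every element; return the number changed."""
    changed = 0
    for elem in root.iter():
        if elem.get("FULL_PO_GRANT") == "0":
            elem.set("FULL_PO_GRANT", "1")
            changed += 1
    return changed

def convert_file(path: Path) -> int:
    """Rewrite one exported permission set file in place; return attributes changed."""
    tree = ET.parse(path)
    changed = set_full_po_grant(tree.getroot())
    if changed:
        tree.write(path, encoding="utf-8", xml_declaration=True)
    return changed

def convert_directory(directory: Path) -> dict:
    """Process every *.xml export in a directory and report per-file counts, so
    files without any FULL_PO_GRANT="0" (nothing to do) are easy to spot."""
    return {p.name: convert_file(p) for p in sorted(directory.glob("*.xml"))}

# Constructed sample export; element and ID names are assumed, not IFS's format.
SAMPLE_XML = """<PERMISSION_SET ID="SALES_MANAGER">
  <PRES_OBJECT ID="frmPartCost" FULL_PO_GRANT="0"/>
  <PRES_OBJECT ID="frmCostSet" FULL_PO_GRANT="1"/>
  <PRES_OBJECT ID="frmPart" FULL_PO_GRANT="0"/>
</PERMISSION_SET>
"""

def demo() -> tuple:
    """Run the conversion on the sample; return (changed, remaining zeros)."""
    root = ET.fromstring(SAMPLE_XML)
    changed = set_full_po_grant(root)
    remaining = sum(1 for e in root.iter() if e.get("FULL_PO_GRANT") == "0")
    return changed, remaining
```

Re-running on an already converted file changes nothing, so the helper is safe to repeat over the whole export directory before the import in step 4.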

Now the permission sets contain new grants to the presentation objects but keep the previous restrictions.
