
This chapter covers the following topics:

Privileges and Roles for Managing Oracle E-Business Suite

Oracle Application Management Pack for Oracle E-Business Suite uses the native Enterprise Manager functionality of privileges and roles for security.

User privileges provide a basic level of security in Oracle Enterprise Manager. They are designed to control user access to data and to limit the kinds of SQL statements that users can execute. When creating a user, you grant privileges to enable the user to connect to the database, to run queries and make updates, to create schema objects, and more.

A role is a collection of Oracle Enterprise Manager resource privileges, or target privileges, or both, which you can grant to administrators or to other roles. Resource privileges allow a user to perform operations which are not dependent on a specific target type. Target privileges allow an administrator to perform operations on a target. This management pack includes target-instance level privileges, which are for a particular target instance, and target-type level privileges, which are for all target instances of that type. An example of a resource privilege is the "Edit Global Preferences" resource privilege, which enables a user to edit global preferences for Oracle Application Management Pack for Oracle E-Business Suite. An example of a target-instance level privilege is the "Start and Stop Services" which enables a user to start and stop services using the Administration menu for a given instance.

Privileges and roles are managed through the functions available from Setup menu > Security in the Cloud Control console. For more information, see the Oracle Enterprise Manager Cloud Control Administrator's Guide.

Ready-to-use privileges shipped with the management pack are listed in the tables below. Please note the following in regard to privileges:

The table below lists ready-to-use resource privileges in Oracle Application Management Pack for Oracle E-Business Suite. These resource privileges are to be granted while creating or updating users in the "EM Resource Privileges" screen under the resource type "Oracle E-Business Suite Plug-in".

Resource Privileges
Name Description
Create release package request This privilege is required to access any Customization Manager page.
Specifically, this privilege is used to create a request to release a package.
Approve release package request Used to approve the release of a package.
Edit global preferences Required for editing global preferences of the Oracle Application Management Pack for Oracle E-Business Suite.
Create/edit approval hierarchy Used to create or edit approval hierarchies for the approval process of change requests.
Raise Customization Discovery Request Used to create a request to discover customizations.

The following table lists ready-to-use target instance level privileges. With these privileges, a user can perform the specified action against only the given target.

Target Privileges
Name Description
Create splice request
  • To create a request to register a new custom application

  • To create a request to validate an existing custom application

  • To create a request to auto-correct an existing invalid custom application

Approve splice request
  • To approve a request to splice an application

  • To hide and unhide custom applications

Create Patch Manager request To create a Patch Manager request
Approve Patch Manager request To approve a Patch Manager request
Start and Stop Services To start and stop services using the Administration Dashboard

The following table lists ready-to-use target type level privileges. With these privileges, a user can perform the described action against any eligible target.

Target Type Level Privileges
Name Description
Create splice request
  • To create a request to register a new custom application

  • To create a request to validate an existing custom application

  • To create a request to auto-correct an existing invalid custom application

Approve splice request
  • To approve a request to splice an application

  • To hide and unhide custom applications

Create Patch Manager request To create a Patch Manager request
Approve Patch Manager request To approve a Patch Manager request
Use advanced options in Oracle E-Business Suite Patching To use advanced options while patching, such as HotPatch Mode
Start and Stop Services To start and stop services using the Administration Dashboard

The following table lists ready-to-use roles:

Code  Name  Included Privileges  Description 
EBS_SUPER_USER Oracle E-Business Suite Super User All target type privileges, all resource privileges, and CREATE_TARGET Role with unrestricted access to all management activities for Oracle E-Business Suite
EBS_ACP_SUPER_USER Change Management Super User
  • Resource privilege "Approve release package request"

  • Target type level privilege "Approve splice request"

  • Target type level privilege "Approve Patch Manager request"

Role with privileges to create as well as approve all Change Management requests.

Change Management Privileges

Change Management for Oracle E-Business Suite provides a centralized view to monitor and orchestrate changes (both functional and technical) across multiple Oracle E-Business Suite systems. Change Management offers the capabilities to manage changes introduced by customizations, patches, and functional setups during implementation or maintenance activities. For more information, see: Introduction to Change Management.

The Change Approval process helps ensure that all changes done using any of the products in Change Management go through a change approval mechanism. This change control mechanism is a multilevel approval process for any change that results in a configuration or code change of an Oracle E-Business Suite instance. The Change Approval process uses privileges and roles to enforce the approval process.

Required Privileges and Roles

The seeded "Change Management Super User" role (code EBS_ACP_SUPER_USER) has privileges to submit and approve all Change Management requests.

For more information on these privileges, see: Privileges and Roles for Managing Oracle E-Business Suite.

A user must have the "Operator any Target" privilege in order to submit a patch run in Patch Manager, create a package in Customization Manager, or register a custom application. This privilege is described as:

In addition to the above Target Type privilege, a user must have the "Job System" resource privilege, as described below:

Specific Privileges for Features

The default roles EBS_SUPER_USER and EBS_ACP_SUPER_USER provide privileges on all targets. If these roles are provided to a particular user, there is no need to provide any specific privileges to that user. If you want to provide specific privileges to a user, follow the instructions in this section, which describe specific privileges for Cloning, Patch Manager, and Customization Manager.

There are two types of required privileges: Target Privileges and Resource Privileges.

Target Privileges

  1. Common privileges

    • Module: Customization Manager/Patch Manager

      • View any Target

      • Execute Command Anywhere

      • Execute Command as any Agent

    • Module: Cloning

      • View any Target

      • Execute Command Anywhere

      • Execute Command as any Agent

      • Operator any Target

      • Add any Target

  2. Application Change Management (ACMP) specific privileges

    • Module: Customization Manager

      • Requestor: Create splice request

      • Approver: Approve splice request

      • Super User: Both

    • Module: Patch Manager

      • Requestor: Create Patch Manager request

      • Approver: Approve Patch Manager request

      • Super User: Both

  3. Oracle E-Business Suite Patching privileges

    • Use of advanced patching options

All above privileges can be provided either as "Common to All Targets" or "Specific to Target" by adding a target at the bottom of the Target Privilege screen and editing the target-specific privilege.

Note: The following privileges are not present as part of Target Specific Privileges but they are included under "Operator":

Resource Privileges

To grant Resource Privileges, click Edit for each Resource Privilege and select the sub-privileges.

  1. Common Privileges:

    • Module: ALL

      Edit the following Resource Types in the Resource Privileges screen and select the privileges.

      • Job System

      • Deployment Procedure

      • Oracle E-Business Suite Plug-in

  2. Change Management-Specific Privileges

    • Module: Customization Manager, Patch Manager

      Edit the Resource Type "Oracle E-Business Suite Plug-in" in the Resource Privileges screen and select the following privileges.

      • Requestor: Create release package request

      • Approver: Approve release package request

      • Super User: All

      • Edit global preferences

      • Create/edit approval hierarchy

All above privileges can be provided either "Common to All Targets" or "Specific to Target" by adding a target on the Resource Privilege page and selecting the applicable targets.