Oracle Application Management Pack for Oracle E-Business Suite uses the native Enterprise Manager functionality of privileges and roles for security.
Note: In Releases 3.1 and 4.0, security was managed through the amp.properties file and disabled by default. In this release, the amp.properties file is no longer used, and security through privileges and roles is enabled by default.
User privileges provide a basic level of security in Enterprise Manager. They are designed to control user access to data and to limit the kinds of SQL statements that users can execute. When creating a user, you grant privileges to enable the user to connect to the database, to run queries and make updates, to create schema objects, and more.
A role is a collection of Enterprise Manager resource privileges, or target privileges, or both, which you can grant to administrators or to other roles. Resource privileges allow a user to perform operations against specific types of resources. Target privileges allow an administrator to perform operations on a target. This management pack includes target-instance level privileges, which are for a particular target instance, and target-type level privileges, which are for all target instances of that type. An example of a resource privilege is the "Edit Global Preferences" resource privilege, which enables a user to edit global preferences for Oracle Application Management Pack for Oracle E-Business Suite. An example of a target-instance level privilege is "Start and Stop Services", which enables a user to start and stop services using the Administration Dashboard for a given instance.
Privileges and roles are managed through the functions available from Setup menu > Security in the Cloud Control console. For more information, see the Oracle Enterprise Manager Cloud Control Administrator's Guide.
Ready-to-use privileges shipped with the management pack are listed in the tables below. Please note the following in regard to privileges:
- The user SYSMAN has all the listed privileges by default.
- The use of privileges on a system is enabled by default, which means that a user will not be able to perform an action unless the appropriate privilege(s) are granted to that user.
- All target privileges are given against the target "Oracle E-Business Suite".
- For privileges used by the features in Change Management (Patch Manager and Customization Manager), see the section Change Management Approval Framework and Privileges.
The following table lists ready-to-use resource privileges in Oracle Application Management Pack for Oracle E-Business Suite:
Name | Included Privilege | Description |
---|---|---|
Create release package request | (none) | To create a request to release a package |
Approve release package request | Create release package request | To approve the release of a package |
Edit global preferences | (none) | To edit global preferences of the Oracle Application Management Pack for Oracle E-Business Suite |
The following table lists ready-to-use target instance level privileges. With these privileges, a user can perform the specified action against only the given target.
Name | Included Privileges | Description |
---|---|---|
Create splice request | (none) | |
Approve splice request | Create splice request | |
Create Patch Manager request | (none) | To create a Patch Manager request |
Approve Patch Manager request | Create Patch Manager request | To approve a Patch Manager request |
Start and Stop Services | (none) | To start and stop services using the Administration Dashboard |
The following table lists ready-to-use target type level privileges. With these privileges, a user can perform the described action against any eligible target.
Name | Included Privileges | Description |
---|---|---|
Create splice request | (none) | |
Approve splice request | Create splice request | |
Create Patch Manager request | (none) | To create a Patch Manager request |
Approve Patch Manager request | Create Patch Manager request | To approve a Patch Manager request |
Start and Stop Services | (none) | To start and stop services using the Administration Dashboard |
The following table lists ready-to-use roles:
Code | Name | Included Privileges | Description |
---|---|---|---|
EBS_SUPER_USER | Oracle E-Business Suite Super User | All target type privileges, all resource privileges, and CREATE_TARGET | Role with unrestricted access to all management activities for Oracle E-Business Suite |
EBS_ACP_SUPER_USER | Change Management Super User | | Role with privileges to create as well as approve all Change Management requests. |
Assign the database role "em_oam_monitor_role" for the database you would like to use, OR use the "em_monitor" database user for discovery and monitoring.
Ready-to-use roles for Oracle Application Management Pack for Oracle E-Business Suite should be assigned only to trusted Enterprise Manager users.
Change Management for Oracle E-Business Suite provides a centralized view to monitor and orchestrate changes (both functional and technical) across multiple Oracle E-Business Suite systems. Change Management offers the capabilities to manage changes introduced by customizations, patches and functional setups during implementation or maintenance activities. For more information, see: Introduction to Change Management.
The Change Approval Framework helps ensure that all changes done using any of the products in Change Management go through a change approval mechanism. This change control mechanism entails one level of approval for any change that results in a configuration or code change of an Oracle E-Business Suite instance. The Change Approval Framework uses privileges and roles to enforce the approval process.
Specific privileges are required to access the relevant containers in the Change Management tab. These are:
For rendering this container... | Logged-in user must have these privileges |
---|---|
Patch Manager | Create Patch Manager request |
Customization Manager | Create release package request |
If the user has ANY of the above privileges, the Change Management home page will be rendered.
The seeded "Change Management Super User" role (code EBS_ACP_SUPER_USER) has privileges to submit and approve all Change Management requests.
For more information on these privileges, see: Privileges and Roles for Managing Oracle E-Business Suite.
A user must have the "Operator any Target" privilege in order to submit a patch run in Patch Manager or create a package in Customization Manager. This privilege is described as:
Name - Operator any Target
Description - Ability to perform administrative operations on all managed targets
Included Privileges - View any Target
Applicable Target Types - All Target Types
In addition to the above Target Type privilege, a user must have the "Job System" resource privilege, as described below:
Name - Job System
Description - Job is a schedulable unit of work that administrator defines to automate the commonly run tasks
Privilege Grants Applicable to all Resources - Create
Note: You must also assign the Resource Type Privilege of "Create" to the user using the "Manage Privilege Grants" feature, available from Setup menu > Security > Administrators. For more information on managing privilege grants, see the Enterprise Manager Cloud Control documentation.
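The included-privilege tables, the container rule and the patch-run prerequisites above can be checked against an export of administrator grants. This is an added example, not Oracle code: the grant format, the administrator names, the "Job System: Create" notation and the privileges given to EBS_ACP_SUPER_USER (taken from its description) are assumptions.

```python
# Added example: a model of this page's privilege tables, not Oracle code.
# "Included Privileges" columns: holding the key implies holding the values.
INCLUDES = {
    "Approve release package request": {"Create release package request"},
    "Approve splice request": {"Create splice request"},
    "Approve Patch Manager request": {"Create Patch Manager request"},
    "Operator any Target": {"View any Target"},
}
# Assumption: role contents follow the role description; the page leaves the
# Included Privileges cell of EBS_ACP_SUPER_USER empty.
ROLES = {"EBS_ACP_SUPER_USER": set(INCLUDES) - {"Operator any Target"}}
# Privilege that renders each Change Management container.
CONTAINERS = {"Patch Manager": "Create Patch Manager request",
              "Customization Manager": "Create release package request"}
# Patch run prerequisites: the container privilege (assumed, since the
# container must render), "Operator any Target" and Job System "Create".
PATCH_RUN_NEEDS = {"Create Patch Manager request", "Operator any Target",
                   "Job System: Create"}

def effective(admin):
    """Expand roles and included privileges into the full privilege set."""
    todo = list(admin.get("privs", []))
    for role in admin.get("roles", []):
        todo.extend(ROLES.get(role, ()))
    seen = set()
    while todo:
        p = todo.pop()
        if p not in seen:
            seen.add(p)
            todo.extend(INCLUDES.get(p, ()))
    return seen

def audit(admins):
    """Per administrator: visible containers, patch-run gaps, approval rights."""
    report = {}
    for name, admin in admins.items():
        privs = effective(admin)
        report[name] = {
            "containers": sorted(c for c, p in CONTAINERS.items() if p in privs),
            "patch_run_missing": sorted(PATCH_RUN_NEEDS - privs),
            "can_approve": sorted(p for p in privs if p.startswith("Approve ")),
        }
    return report

# Constructed sample grants (hypothetical administrator names).
SAMPLE = {
    "patch_req": {"privs": ["Create Patch Manager request", "Operator any Target"]},
    "cm_lead": {"roles": ["EBS_ACP_SUPER_USER"], "privs": ["Job System: Create"]},
    "viewer": {"privs": ["View any Target"]},
}
```

Administrators with a non-empty `can_approve` list are the ones to review against the guidance that the ready-to-use roles go only to trusted users.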
The default roles EBS_SUPER_USER and EBS_ACP_SUPER_USER provide privileges on all targets. If these roles are granted to a particular user, there is no need to grant any specific privileges to that user. If you want to provide specific privileges to a user, follow the instructions in this section, which describes specific privileges for Cloning, Patch Manager, and Customization Manager.
There are two types of required privileges: Target Privileges and Resource Privileges.
Common Privileges
- Module: Customization Manager/Patch Manager
  - View any Target
  - Execute Command Anywhere
  - Execute Command as any Agent
- Module: Cloning
  - View any Target
  - Execute Command Anywhere
  - Execute Command as any Agent
  - Operator any Target
  - Add any Target
Application Change Management (ACMP) Specific Privileges
- Module: Customization Manager
  - Requestor: Create splice request
  - Approver: Approve splice request
  - Super User: Both
- Module: Patch Manager
  - Requestor: Create Patch Manager request
  - Approver: Approve Patch Manager request
  - Super User: Both
All of the above privileges can be provided either as "Common to All Targets" or "Specific to Target" by adding a target at the bottom of the Target Privilege screen and editing the target-specific privilege.
Note: The following privileges are not present as part of Target Specific Privileges but they are included under "Operator":
- View Any Target
- Execute Command Anywhere
- Execute Command as any Agent
- Operator any Target
To grant Resource Privileges, click Edit for each Resource Privilege and select the sub-privileges.
Common Privileges
- Module: ALL
  - Job System
  - Deployment Procedure
  - Oracle E-Business Suite Plug-in
ACMP-Specific Privileges
There is only one ACMP-specific privilege based on user role.
- Module: Customization Manager
  - Oracle E-Business Suite Plug-in
    - Requestor: Create release package request
    - Approver: Approve release package request
    - Super User: All
All of the above privileges can be provided either as "Common to All Targets" or "Specific to Target" by adding a target in the Resource Privilege page and selecting the applicable targets.