Security

This chapter covers the following topics:

Privileges and Roles for Managing Oracle E-Business Suite

Oracle Application Management Pack for Oracle E-Business Suite uses the native Enterprise Manager functionality of privileges and roles for security.

Note: In Releases 3.1 and 4.0, security was managed through the amp.properties file and disabled by default. In this release, the amp.properties file is no longer used, and security through privileges and roles is enabled by default.

User privileges provide a basic level of security in Enterprise Manager. They are designed to control user access to data and to limit the kinds of SQL statements that users can execute. When creating a user, you grant privileges to enable the user to connect to the database, to run queries and make updates, to create schema objects, and more.

A role is a collection of Enterprise Manager resource privileges, or target privileges, or both, which you can grant to administrators or to other roles. Resource privileges allow a user to perform operations that are not dependent on a specific target type. Target privileges allow an administrator to perform operations on a target. This management pack includes target-instance level privileges, which are for a particular target instance, and target-type level privileges, which are for all target instances of that type. An example of a resource privilege is the "Edit Global Preferences" resource privilege, which enables a user to edit global preferences for Oracle Application Management Pack for Oracle E-Business Suite. An example of a target-instance level privilege is the "Start and Stop Services" privilege, which enables a user to start and stop services using the Administration Menu for a given instance.

Privileges and roles are managed through the functions available from Setup menu > Security in the Cloud Control console. For more information, see the Oracle Enterprise Manager Cloud Control Administrator's Guide.

Ready-to-use privileges shipped with the management pack are listed in the tables below. Please note the following in regard to privileges:

For privileges used by the features in Change Management (Patch Manager and Customization Manager), see the section Change Management Approval Framework and Privileges.

The following table lists ready-to-use resource privileges in Oracle Application Management Pack for Oracle E-Business Suite:

Privileges applicable to all targets
Name | Description
Create release package request | To create a request to release a package
Approve release package request | To approve the release of a package
Edit global preferences | To edit global preferences of the Oracle Application Management Pack for Oracle E-Business Suite

The following table lists ready-to-use target instance level privileges. With these privileges, a user can perform the specified action against only the given target.

Target Privileges
Name | Description
Create splice request | To create a request to register a new custom application; to create a request to validate an existing custom application; to create a request to auto-correct an existing invalid custom application
Approve splice request | To approve a request to splice an application; to hide and unhide custom applications
Create Patch Manager request | To create a Patch Manager request
Approve Patch Manager request | To approve a Patch Manager request
Start and Stop Services | To start and stop services using the Administration Dashboard

The following table lists ready-to-use target type level privileges. With these privileges, a user can perform the described action against any eligible target.

Target Type Level Privileges
Name | Description
Create splice request | To create a request to register a new custom application; to create a request to validate an existing custom application; to create a request to auto-correct an existing invalid custom application
Approve splice request | To approve a request to splice an application; to hide and unhide custom applications
Create Patch Manager request | To create a Patch Manager request
Approve Patch Manager request | To approve a Patch Manager request
Start and Stop Services | To start and stop services using the Administration Dashboard

The following table lists ready-to-use roles:

Roles
Code | Name | Included Privileges | Description
EBS_SUPER_USER | Oracle E-Business Suite Super User | All target type privileges, all resource privileges, and CREATE_TARGET | Role with unrestricted access to all management activities for Oracle E-Business Suite
EBS_ACP_SUPER_USER | Change Management Super User | Resource privilege "Approve release package request"; target type level privilege "Approve splice request"; target type level privilege "Approve Patch Manager request" | Role with privileges to create as well as approve all Change Management requests.

Change Management Privileges

Change Management for Oracle E-Business Suite provides a centralized view to monitor and orchestrate changes (both functional and technical) across multiple Oracle E-Business Suite systems. Change Management offers the capabilities to manage changes introduced by customizations, patches and functional setups during implementation or maintenance activities. For more information, see: Introduction to Change Management.

The Change Approval Framework helps ensure that all changes done using any of the products in Change Management go through a change approval mechanism. This change control mechanism entails one level of approval for any change that results in a configuration or code change of an Oracle E-Business Suite instance. The Change Approval Framework uses privileges and roles to enforce the approval process.

Required Privileges and Roles

The seeded "Change Management Super User" role (code EBS_ACP_SUPER_USER) has privileges to submit and approve all Change Management requests.

For more information on these privileges, see: Privileges and Roles for Managing Oracle E-Business Suite.

A user must have the "Operator any Target" privilege in order to submit a patch run in Patch Manager or create a package in Customization Manager. This privilege is described as:

In addition to the above Target Type privilege, a user must have the "Job System" resource privilege, as described below:

Specific Privileges for Features

The default roles EBS_SUPER_USER and EBS_ACP_SUPER_USER provide privileges on all targets. If these roles are granted to a particular user, there is no need to grant any specific privileges to that user. If you want to grant specific privileges to a user, follow the instructions in this section, which describes specific privileges for Cloning, Patch Manager, and Customization Manager.

There are two types of required privileges: Target Privileges and Resource Privileges.

Target Privileges

  1. Common Privileges

    • Module: Customization Manager/Patch Manager

      • View any Target

      • Execute Command Anywhere

      • Execute Command as any Agent

    • Module: Cloning

      • View any Target

      • Execute Command Anywhere

      • Execute Command as any Agent

      • Operator any Target

      • Add any Target

  2. Application Change Management (ACMP) Specific Privileges

    • Module: Customization Manager

      • Requestor: Create splice request

      • Approver: Approve splice request

      • Super User: Both

    • Module: Patch Manager

      • Requestor: Create Patch Manager request

      • Approver: Approve Patch Manager request

      • Super User: Both

All of the above privileges can be granted either as "Common to All Targets" or as "Specific to Target" by adding a target at the bottom of the Target Privilege screen and editing the target-specific privilege.

Note: The following privileges are not present as part of Target Specific Privileges but they are included under "Operator":

Resource Privileges

To grant Resource Privileges, click Edit for each Resource Privilege and select the sub-privileges.

  1. Common Privileges

    • Module: ALL

      • Job System

      • Deployment Procedure

      • Oracle E-Business Suite Plug-in

  2. ACMP-Specific Privileges

    There is only one ACMP-specific privilege based on user role.

    • Module: Customization Manager

      • Oracle E-Business Suite Plug-in

      • Requestor: Create release package request

      • Approver: Approve release package request

      • Super User: All

All of the above privileges can be granted either as "Common to All Targets" or as "Specific to Target" by adding a target on the Resource Privilege page and selecting the applicable targets.
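
The Customization Manager and Patch Manager rows of the privilege lists above, encoded as a checker that reports which privileges an administrator still lacks for a given level and which administrators hold the "Super User: Both" combination through individual grants. This is an added example, not Oracle code: the function names, the input format (a set of privilege display names plus role codes) and the sample administrators are assumptions constructed for illustration, and Cloning is left out.

```python
# Added example: the privilege matrix from "Specific Privileges for Features".
# Privilege names are the display names used on this page.
COMMON = {  # common target + resource privileges for both ACMP modules
    "View any Target", "Execute Command Anywhere", "Execute Command as any Agent",
    "Job System", "Deployment Procedure", "Oracle E-Business Suite Plug-in",
}
# module -> (requestor privileges, approver privileges)
ACMP = {
    "Customization Manager": (
        {"Create splice request", "Create release package request"},
        {"Approve splice request", "Approve release package request"}),
    "Patch Manager": (
        {"Create Patch Manager request"},
        {"Approve Patch Manager request"}),
}
SEEDED_SUPER_ROLES = {"EBS_SUPER_USER", "EBS_ACP_SUPER_USER"}


def missing(grants, module, level, roles=()):
    """Privileges still needed to act at `level` in `module` (empty = complete)."""
    if SEEDED_SUPER_ROLES & set(roles):
        return set()  # seeded roles need no additional specific privileges
    requestor, approver = ACMP[module]
    needed = {"Requestor": requestor, "Approver": approver,
              "Super User": requestor | approver}[level]
    return (COMMON | needed) - set(grants)


def holds_both(grants, roles=()):
    """Modules where an admin has the 'Super User: Both' combination
    through individual grants rather than a seeded role."""
    if SEEDED_SUPER_ROLES & set(roles):
        return []
    return sorted(m for m, (req, appr) in ACMP.items()
                  if (req | appr) <= set(grants))


# Constructed sample grants (hypothetical administrators, not from the page).
SAMPLE = {
    "patch_requestor": (COMMON | {"Create Patch Manager request"}, ()),
    "patch_both": (COMMON | {"Create Patch Manager request",
                             "Approve Patch Manager request"}, ()),
    "cm_approver": ({"View any Target", "Approve splice request"}, ()),
    "acp_admin": (set(), ("EBS_ACP_SUPER_USER",)),
}

if __name__ == "__main__":
    for name, (grants, roles) in SAMPLE.items():
        print(name, "holds both in:", holds_both(grants, roles))
```

Run against an export of real grants, `holds_both` gives a review list of accounts that can both create and approve Change Management requests without holding one of the seeded super-user roles.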