This chapter covers the following topics:
Oracle Application Management Pack for Oracle E-Business Suite uses the native Enterprise Manager functionality of privileges and roles for security.
User privileges provide a basic level of security in Oracle Enterprise Manager. They are designed to control user access to data and to limit the kinds of SQL statements that users can execute. When creating a user, you grant privileges to enable the user to connect to the database, to run queries and make updates, to create schema objects, and more.
A role is a collection of Oracle Enterprise Manager resource privileges, or target privileges, or both, which you can grant to administrators or to other roles. Resource privileges allow a user to perform operations which are not dependent on a specific target type. Target privileges allow an administrator to perform operations on a target. This management pack includes target-instance level privileges, which are for a particular target instance, and target-type level privileges, which are for all target instances of that type. An example of a resource privilege is the "Edit Global Preferences" resource privilege, which enables a user to edit global preferences for Oracle Application Management Pack for Oracle E-Business Suite. An example of a target-instance level privilege is the "Start and Stop Services" which enables a user to start and stop services using the Administration menu for a given instance.
Privileges and roles are managed through the functions available from Setup menu > Security in the Cloud Control console. For more information, see the Oracle Enterprise Manager Cloud Control Administrator's Guide.
Ready-to-use privileges shipped with the management pack are listed in the tables below. Please note the following in regard to privileges:
The user SYSMAN has all the listed privileges by default.
The use of privileges on a system is enabled by default, which means that a user will not be able to perform an action unless the appropriate privilege(s) are granted to that user.
All target privileges are given against the target "Oracle E-Business Suite."
Each privilege listed in the tables below does not include any other privilege. For example, the "Approve release package request" privilege does not include the privilege "Create release package request".
The table below lists ready-to-use resource privileges in Oracle Application Management Pack for Oracle E-Business Suite. These resource privileges are to be granted while creating or updating users in the "EM Resource Privileges" screen under the resource type "Oracle E-Business Suite Plug-in".
Name | Description |
---|---|
Create release package request | This privilege is required to access any Customization Manager page. Specifically, this privilege is used to create a request to release a package. |
Approve release package request | Used to approve the release of a package. |
Edit global preferences | Required for editing global preferences of the Oracle Application Management Pack for Oracle E-Business Suite. |
Create/edit approval hierarchy | Used to create or edit approval hierarchies for the approval process of change requests. |
Raise Customization Discovery Request | Used to create a request to discover customizations. |
The following table lists ready-to-use target instance level privileges. With these privileges, a user can perform the specified action against only the given target.
Name | Description |
---|---|
Create splice request |
|
Approve splice request |
|
Create Patch Manager request | To create a Patch Manager request |
Approve Patch Manager request | To approve a Patch Manager request |
Start and Stop Services | To start and stop services using the Administration Dashboard |
The following table lists ready-to-use target type level privileges. With these privileges, a user can perform the described action against any eligible target.
Name | Description |
---|---|
Create splice request |
|
Approve splice request |
|
Create Patch Manager request | To create a Patch Manager request |
Approve Patch Manager request | To approve a Patch Manager request |
Use advanced options in Oracle E-Business Suite Patching | To use advanced options while patching, such as HotPatch Mode |
Start and Stop Services | To start and stop services using the Administration Dashboard |
The following table lists ready-to-use roles:
Code | Name | Included Privileges | Description |
---|---|---|---|
EBS_SUPER_USER | Oracle E-Business Suite Super User | All target type privileges, all resource privileges, and CREATE_TARGET | Role with unrestricted access to all management activities for Oracle E-Business Suite |
EBS_ACP_SUPER_USER | Change Management Super User |
|
Role with privileges to create as well as approve all Change Management requests. |
Change Management for Oracle E-Business Suite provides a centralized view to monitor and orchestrate changes (both functional and technical) across multiple Oracle E-Business Suite systems. Change Management offers the capabilities to manage changes introduced by customizations, patches, and functional setups during implementation or maintenance activities. For more information, see: Introduction to Change Management.
The Change Approval process helps ensure that all changes done using any of the products in Change Management go through a change approval mechanism. This change control mechanism is a multilevel approval process for any change that results in a configuration or code change of an Oracle E-Business Suite instance. The Change Approval process uses privileges and roles to enforce the approval process.
The seeded "Change Management Super User" role (code EBS_ACP_SUPER_USER) has privileges to submit and approve all Change Management requests.
For more information on these privileges, see: Privileges and Roles for Managing Oracle E-Business Suite.
A user must have the "Operator any Target" privilege in order to submit a patch run in Patch Manager, create a package in Customization Manager, or register a custom application. This privilege is described as:
Name - Operator any Target
Description - Ability to perform administrative operations on all managed targets
Included Privileges - View any Target
Applicable Target Types - All Target Types
In addition to the above Target Type privilege, a user must have the "Job System" resource privilege, as described below:
Name - Job System
Description - Job is a schedulable unit of work that administrator defines to automate the commonly run tasks
Privilege Grants Applicable to all Resources - Create
Note: You must also assign the resource type privilege of "Create" to the user using the "Manage Privilege Grants" feature, available from Setup menu > Security > Administrators. For more information on managing privilege grants, see the Oracle Enterprise Manager Cloud Control documentation.
Note: To view development procedures submitted by other users in Patch Manager, the user should also have the "Edit Any Procedure Configuration" resource privilege under "Job System."
The default roles EBS_SUPER_USER and EBS_ACP_SUPER_USER provide privileges on all targets. If these roles are provided to a particular user, there is no need to provide any specific privileges to that user. If you want to provide specific privileges to a user, follow the instructions in this section, which describe specific privileges for Cloning, Patch Manager, and Customization Manager.
There are two types of required privileges: Target Privileges and Resource Privileges.
Common privileges
Module: Customization Manager/Patch Manager
View any Target
Execute Command Anywhere
Execute Command as any Agent
Module: Cloning
View any Target
Execute Command Anywhere
Execute Command as any Agent
Operator any Target
Add any Target
Application Change Management (ACMP) specific privileges
Module: Customization Manager
Requestor: Create splice request
Approver: Approve splice request
Super User: Both
Module: Patch Manager
Requestor: Create Patch Manager request
Approver: Approve Patch Manager request
Super User: Both
Oracle E-Business Suite Patching privileges
Use of advanced patching options
All above privileges can be provided either as "Common to All Targets" or "Specific to Target" by adding a target at the bottom of the Target Privilege screen and editing the target-specific privilege.
Note: The following privileges are not present as part of Target Specific Privileges but they are included under "Operator":
View Any Target
Execute Command Anywhere
Execute Command as any Agent
Operator any Target
To grant Resource Privileges, click Edit for each Resource Privilege and select the sub-privileges.
Common Privileges:
Module: ALL
Edit the following Resource Types in the Resource Privileges screen and select the privileges.
Job System
Deployment Procedure
Oracle E-Business Suite Plug-in
Change Management-Specific Privileges
Module: Customization Manager, Patch Manager
Edit the Resource Type "Oracle E-Business Suite Plug-in" in the Resource Privileges screen and select the following privileges.
Requestor: Create release package request
Approver: Approve release package request
Super User: All
Edit global preferences
Create/edit approval hierarchy
All above privileges can be provided either "Common to All Targets" or "Specific to Target" by adding a target on the Resource Privilege page and selecting the applicable targets.