Required Permissions
SailPoint's Oracle E-Business Suite Connector supports the service account permissions provided through the AD_ZD.GRANT_PRIVS API from Oracle E-Business Suite version 12.2.4 and later versions. For more information on these versions, refer to Support for AD_ZD.GRANT_PRIVS Package.
For previous versions:
-
Log in to the Oracle database as database administrator for creating the Service Account (Minimum privileges user for the configured application) using
SQL*Plusas follows:Copycreate role ${new role};
create user ${new user} identified by ${password};
grant create session to ${new user};
grant create synonym to ${new user};
alter user ${new user} enable editions;
grant ${new role} to ${new user};Note
For more information on altering users, refer to the User Editions section. -
Grant SELECT permissions to the new role created in the above step (${new role}):
Copygrant select on APPS.FND_PRODUCT_GROUPS to ${new role};
grant select on APPS.FND_USER to ${new role};
grant select on SYS.DBA_USERS to ${new role}; -- Only required if the proxy user is not provided.
grant select on APPS.FND_RESPONSIBILITY_VL to ${new role};
grant select on APPS.FND_APPLICATION_VL to ${new role};
grant select on APPS.FND_DATA_GROUPS to ${new role};
grant select on APPS.FND_USER_RESP_GROUPS_ALL to ${new role};
grant select on DUAL to ${new role};
grant select on APPS.PER_ALL_PEOPLE_F to ${new role};
grant select on APPS.RA_CUSTOMERS to ${new role};
grant select on APPS.FND_MENUS to ${new role};
grant select on APPS.FND_REQUEST_GROUPS to ${new role};
grant select on APPS.FND_APPLICATION to ${new role};
grant select on APPS.FND_DATA_GROUP_UNITS to ${new role};
grant select on APPS.FND_APPLICATION_TL to ${new role};
grant select on APPS.FND_RESPONSIBILITY to ${new role};
grant select on APPS.WF_ROLES to ${new role};
grant select on APPS.WF_LOCAL_ROLES to ${new role};
grant select on APPS.WF_ALL_ROLES_VL to ${new role};
grant select on APPS.WF_ROLE_HIERARCHIES to ${new role};
grant select on APPS.FND_REQUEST_GROUP_UNITS to ${new role};
grant select on APPS.WF_LOCAL_USER_ROLES TO ${new role};
grant select on APPS.FND_USER_RESP_GROUPS_DIRECT TO ${new role};
grant select on APPS.PER_PERIODS_OF_PLACEMENT TO ${new role};
grant select on APPS.PER_PERIODS_OF_SERVICE TO ${new role};
grant select on APPS.FND_MENUS_VL to ${new role};
grant select on APPS.FND_MENU_ENTRIES to ${new role};
grant select on APPS.FND_MENU_ENTRIES_VL to ${new role};
grant select on APPS.FND_FORM_FUNCTIONS to ${new role};
grant select on APPS.FND_FORM_FUNCTIONS_VL to ${new role}; -
Check the Rights present on Oracle E-Business FND packages (INVOKER / DEFINER):
CopySELECT dbo.object_name,
(DECODE(SIGN(bitand(options,16)),1,'INVOKER','DEFINER')) "authid"
FROM dba_objects dbo, sys.PROCEDURE$ p
WHERE p.obj# = dbo.object_id
AND dbo.object_type = 'PACKAGE'
AND dbo.object_name IN ('FND_USER_PKG','FND_RESPONSIBILITY_PKG', 'WF_LOCAL_SYNCH', 'FND_WEB_SEC', 'FND_GLOBAL','FND_USER_RESP_GROUPS_API')
AND dbo.owner = 'APPS';Note
Remove any new line character inserted in the query.Based on the above query result, perform one of the following procedures if the rights present are INVOKER or DEFINER:
For INVOKER rights
-
Create Packages:
-
Copy the package scripts from
identityiq\integration\OracleEBS\iiqIntegration-OracleEBS.zipdirectory to theOracleHome\bindirectory and rename the type of scripts from*.txtto*.sql: -
Using SQL*Plus, create one more session to the Oracle database by the APPS user and run the following:
@SP_xxx package
For example, if FND_USER_PKG has invoker rights, run the
@SP_FND_USER _PKG -
Perform this step for all xxx packages, where xxx package is FND_USER_PKG, FND_RESPONSIBILITY_PKG, WF_LOCAL_SYNCH, FND_WEB_SEC, FND_GLOBAL, or FND_USER_RESP_GROUPS_API.
-
After performing the above step, log out from the APPS session.
-
-
Grant EXECUTE permissions to the new role created in the above step (${new role}):
Copygrant execute on APPS.SP_FND_USER_PKG to ${new role};
grant execute on APPS.SP_FND_RESPONSIBILITY_PKG to ${new role};
grant execute on APPS.SP_WF_LOCAL_SYNCH to ${new role};
grant execute on APPS.SP_FND_WEB_SEC to ${new role};
grant execute on APPS.SP_FND_GLOBAL to ${new role};
grant execute on APPS.SP_FND_USER_RESP_GROUPS_API to ${new role}; -
Sign in to the Service Account ${new user} and create the following synonym:
Note
Ensure that the synonyms are created under the Service Account login. If this is not performed under the Service Account login a failure may occur while performing operations (Troubleshooting).Copycreate synonym FND_PRODUCT_GROUPS for APPS.FND_PRODUCT_GROUPS;
create synonym FND_USER for APPS.FND_USER;
create synonym DBA_USERS for SYS.DBA_USERS;
create synonym FND_RESPONSIBILITY_VL for APPS.FND_RESPONSIBILITY_VL;
create synonym FND_APPLICATION_VL for APPS.FND_APPLICATION_VL;
create synonym FND_DATA_GROUPS for APPS.FND_DATA_GROUPS;
create synonym FND_USER_RESP_GROUPS_ALL for APPS.FND_USER_RESP_GROUPS_ALL;
create synonym PER_ALL_PEOPLE_F for APPS.PER_ALL_PEOPLE_F;
create synonym RA_CUSTOMERS for APPS.RA_CUSTOMERS;
create synonym FND_MENUS for APPS.FND_MENUS;
create synonym FND_REQUEST_GROUPS for APPS.FND_REQUEST_GROUPS;
create synonym FND_APPLICATION for APPS.FND_APPLICATION;
create synonym FND_RESPONSIBILITY for APPS.FND_RESPONSIBILITY;
create synonym FND_APPLICATION_TL for APPS.FND_APPLICATION_TL;
create or replace synonym FND_DATA_GROUP_UNITS for APPS.FND_DATA_GROUP_UNITS;
create or replace synonym WF_ROLES for APPS.WF_ROLES;
create or replace synonym WF_LOCAL_ROLES for APPS.WF_LOCAL_ROLES;
create or replace synonym WF_ROLE_HIERARCHIES for APPS.WF_ROLE_HIERARCHIES;
create or replace synonym WF_ALL_ROLES_VL for APPS.WF_ALL_ROLES_VL;
create synonym FND_REQUEST_GROUP_UNITS for APPS.FND_REQUEST_GROUP_UNITS;
create synonym PER_PERIODS_OF_SERVICE for APPS.PER_PERIODS_OF_SERVICE;
create or replace synonym WF_LOCAL_USER_ROLES for APPS.WF_LOCAL_USER_ROLES;
create or replace synonym FND_USER_RESP_GROUPS_DIRECT for APPS.FND_USER_RESP_GROUPS_DIRECT;
create synonym PER_PERIODS_OF_PLACEMENT for APPS.PER_PERIODS_OF_PLACEMENT;
create or replace synonym FND_USER_PKG for APPS.SP_FND_USER_PKG;
create or replace synonym FND_RESPONSIBILITY_PKG for APPS.SP_FND_RESPONSIBILITY_PKG;
create or replace synonym WF_LOCAL_SYNCH for APPS.SP_WF_LOCAL_SYNCH;
create or replace synonym FND_WEB_SEC for APPS.SP_FND_WEB_SEC;
create or replace synonym FND_GLOBAL for APPS.SP_FND_GLOBAL;
create or replace synonym FND_USER_RESP_GROUPS_API for APPS.SP_FND_USER_RESP_GROUPS_API;
create synonym FND_MENUS_VL for APPS.FND_MENUS_VL;
create synonym FND_MENU_ENTRIES for APPS.FND_MENU_ENTRIES;
create synonym FND_MENU_ENTRIES_VL for APPS.FND_MENU_ENTRIES_VL;
create synonym FND_FORM_FUNCTIONS for APPS.FND_FORM_FUNCTIONS;
create synonym FND_FORM_FUNCTIONS_VL for APPS.FND_FORM_FUNCTIONS_VL;
For DEFINER rights
-
Grant EXECUTE permissions to the new role (${new role}):
Copygrant execute on APPS.FND_USER_PKG to ${new role};
grant execute on APPS.FND_RESPONSIBILITY_PKG to ${new role};
grant execute on APPS.WF_LOCAL_SYNCH to ${new role};
grant execute on APPS.FND_WEB_SEC to ${new role};
grant execute on APPS.FND_GLOBAL to ${new role};
grant execute on APPS.FND_USER_RESP_GROUPS_API to ${new role}; -
Sign in to the Service Account ${new user} and create the following synonym:
Note
Ensure that the synonyms is created under the Service Account login. If this is not performed under the Service Account login a failure may occur while performing operations(Troubleshooting).Copycreate synonym FND_PRODUCT_GROUPS for APPS.FND_PRODUCT_GROUPS;
create synonym FND_USER for APPS.FND_USER;
create synonym DBA_USERS for SYS.DBA_USERS;
create synonym FND_RESPONSIBILITY_VL for APPS.FND_RESPONSIBILITY_VL;
create synonym FND_APPLICATION_VL for APPS.FND_APPLICATION_VL;
create synonym FND_DATA_GROUPS for APPS.FND_DATA_GROUPS;
create synonym FND_USER_RESP_GROUPS_ALL for APPS.FND_USER_RESP_GROUPS_ALL;
create synonym PER_ALL_PEOPLE_F for APPS.PER_ALL_PEOPLE_F;
create synonym RA_CUSTOMERS for APPS.RA_CUSTOMERS;
create synonym FND_MENUS for APPS.FND_MENUS;
create synonym FND_REQUEST_GROUPS for APPS.FND_REQUEST_GROUPS;
create synonym FND_APPLICATION for APPS.FND_APPLICATION;
create synonym FND_RESPONSIBILITY for APPS.FND_RESPONSIBILITY;
create synonym FND_APPLICATION_TL for APPS.FND_APPLICATION_TL;
create or replace synonym FND_DATA_GROUP_UNITS for APPS.FND_DATA_GROUP_UNITS;
create or replace synonym WF_ROLES for APPS.WF_ROLES;
create or replace synonym WF_LOCAL_ROLES for APPS.WF_LOCAL_ROLES;
create or replace synonym WF_ROLE_HIERARCHIES for APPS.WF_ROLE_HIERARCHIES;
create or replace synonym WF_ALL_ROLES_VL for APPS.WF_ALL_ROLES_VL;
create synonym FND_REQUEST_GROUP_UNITS for APPS.FND_REQUEST_GROUP_UNITS;
create synonym PER_PERIODS_OF_SERVICE for APPS.PER_PERIODS_OF_SERVICE;
create or replace synonym WF_LOCAL_USER_ROLES for APPS.WF_LOCAL_USER_ROLES;
create or replace synonym FND_USER_RESP_GROUPS_DIRECT for APPS.FND_USER_RESP_GROUPS_DIRECT;
create synonym PER_PERIODS_OF_PLACEMENT for APPS.PER_PERIODS_OF_PLACEMENT;
create or replace synonym FND_USER_PKG for APPS.FND_USER_PKG;
create or replace synonym FND_RESPONSIBILITY_PKG for APPS.FND_RESPONSIBILITY_PKG;
create or replace synonym WF_LOCAL_SYNCH for APPS.WF_LOCAL_SYNCH;
create or replace synonym FND_WEB_SEC for APPS.FND_WEB_SEC;
create or replace synonym FND_GLOBAL for APPS.FND_GLOBAL;
create or replace synonym FND_USER_RESP_GROUPS_API for APPS.FND_USER_RESP_GROUPS_API;
create synonym FND_MENUS_VL for APPS.FND_MENUS_VL;
create synonym FND_MENU_ENTRIES for APPS.FND_MENU_ENTRIES;
create synonym FND_MENU_ENTRIES_VL for APPS.FND_MENU_ENTRIES_VL;
create synonym FND_FORM_FUNCTIONS for APPS.FND_FORM_FUNCTIONS;
create synonym FND_FORM_FUNCTIONS_VL for APPS.FND_FORM_FUNCTIONS_VL;Important
In the case of a permission mismatch, validate the Service Account Permissions as mentioned in the Validating Service Account Permissions on Oracle E-Business document.
-