Required Permissions

SailPoint's Oracle E-Business Suite Connector supports the service account permissions provided through the AD_ZD.GRANT_PRIVS API from Oracle E-Business Suite version 12.2.4 and later versions. For more information on these versions, refer to Support for AD_ZD.GRANT_PRIVS Package.

For previous versions:

  1. Log in to the Oracle database as database administrator for creating the Service Account (Minimum privileges user for the configured application) using SQL*Plus as follows:

    Copy 
    create role ${new role};
    create user ${new user} identified by ${password};
    grant create session to ${new user};
    grant create synonym to ${new user};
    alter user ${new user} enable editions;
    grant ${new role} to ${new user};

  2. Grant SELECT permissions to the new role created in the above step (${new role}):

    Copy 
    grant select on APPS.FND_PRODUCT_GROUPS to ${new role};
    grant select on APPS.FND_USER to ${new role};
    grant select on SYS.DBA_USERS to ${new role}; -- Only required if the proxy user is not provided.
    grant select on APPS.FND_RESPONSIBILITY_VL to ${new role};
    grant select on APPS.FND_APPLICATION_VL to ${new role};
    grant select on APPS.FND_DATA_GROUPS to ${new role};
    grant select on APPS.FND_USER_RESP_GROUPS_ALL to ${new role};
    grant select on DUAL to ${new role};
    grant select on APPS.PER_ALL_PEOPLE_F to ${new role};
    grant select on APPS.RA_CUSTOMERS to ${new role};
    grant select on APPS.FND_MENUS to ${new role};
    grant select on APPS.FND_REQUEST_GROUPS to ${new role};
    grant select on APPS.FND_APPLICATION to ${new role};
    grant select on APPS.FND_DATA_GROUP_UNITS to ${new role};
    grant select on APPS.FND_APPLICATION_TL to ${new role};
    grant select on APPS.FND_RESPONSIBILITY to ${new role};
    grant select on APPS.WF_ROLES to ${new role};
    grant select on APPS.WF_LOCAL_ROLES to ${new role};
    grant select on APPS.WF_ALL_ROLES_VL to ${new role};
    grant select on APPS.WF_ROLE_HIERARCHIES to ${new role};
    grant select on APPS.FND_REQUEST_GROUP_UNITS to ${new role};
    grant select on APPS.WF_LOCAL_USER_ROLES TO ${new role};
    grant select on APPS.FND_USER_RESP_GROUPS_DIRECT TO ${new role};
    grant select on APPS.PER_PERIODS_OF_PLACEMENT TO ${new role};
    grant select on APPS.PER_PERIODS_OF_SERVICE TO ${new role};
    grant select on APPS.FND_MENUS_VL to ${new role};
    grant select on APPS.FND_MENU_ENTRIES to ${new role};
    grant select on APPS.FND_MENU_ENTRIES_VL to ${new role};
    grant select on APPS.FND_FORM_FUNCTIONS to ${new role};
    grant select on APPS.FND_FORM_FUNCTIONS_VL to ${new role};

  3. Check the Rights present on Oracle E-Business FND packages (INVOKER / DEFINER):

    Copy 
    SELECT dbo.object_name,
    (DECODE(SIGN(bitand(options,16)),1,'INVOKER','DEFINER')) "authid"
    FROM dba_objects dbo, sys.PROCEDURE$ p
    WHERE p.obj# = dbo.object_id
    AND dbo.object_type = 'PACKAGE'
    AND dbo.object_name IN ('FND_USER_PKG','FND_RESPONSIBILITY_PKG', 'WF_LOCAL_SYNCH', 'FND_WEB_SEC', 'FND_GLOBAL','FND_USER_RESP_GROUPS_API')
    AND dbo.owner = 'APPS';

    Note
    Remove any new line character inserted in the query.

    Based on the above query result, perform one of the following procedures if the rights present are INVOKER or DEFINER:

    For INVOKER rights

    1. Create Packages:

      1. Copy the package scripts from http://files.accessiq.sailpoint.com/integrations/OracleEBS/resources.zip (open link in new window) directory to the OracleHome\bin directory and rename the type of scripts from *.txt to *.sql:

      2. Using SQL*Plus, create one more session to the Oracle database by the APPS user and run the following:

        @SP_xxx package

        For example, if FND_USER_PKG has invoker rights, run the @SP_FND_USER _PKG

      3. Perform this step for all xxx packages, where xxx package is FND_USER_PKG, FND_RESPONSIBILITY_PKG, WF_LOCAL_SYNCH, FND_WEB_SEC, FND_GLOBAL, or FND_USER_RESP_GROUPS_API.

      4. After performing the above step, log out from the APPS session.

    2. Grant EXECUTE permissions to the new role created in the above step (${new role}):

      Copy 
      grant execute on APPS.SP_FND_USER_PKG to ${new role};
      grant execute on APPS.SP_FND_RESPONSIBILITY_PKG to ${new role};
      grant execute on APPS.SP_WF_LOCAL_SYNCH to ${new role};
      grant execute on APPS.SP_FND_WEB_SEC to ${new role};
      grant execute on APPS.SP_FND_GLOBAL to ${new role};
      grant execute on APPS.SP_FND_USER_RESP_GROUPS_API to ${new role};

    3. Sign in to the Service Account ${new user} and create the following synonym:

      Note
      Ensure that the synonyms are created under the Service Account login. If this is not performed under the Service Account login a failure may occur while performing operations (Troubleshooting).

      Copy 
      create synonym FND_PRODUCT_GROUPS for APPS.FND_PRODUCT_GROUPS;
      create synonym FND_USER for APPS.FND_USER;
      create synonym DBA_USERS for SYS.DBA_USERS;
      create synonym FND_RESPONSIBILITY_VL for APPS.FND_RESPONSIBILITY_VL;
      create synonym FND_APPLICATION_VL for APPS.FND_APPLICATION_VL;
      create synonym FND_DATA_GROUPS for APPS.FND_DATA_GROUPS;
      create synonym FND_USER_RESP_GROUPS_ALL for APPS.FND_USER_RESP_GROUPS_ALL;
      create synonym PER_ALL_PEOPLE_F for APPS.PER_ALL_PEOPLE_F;
      create synonym RA_CUSTOMERS for APPS.RA_CUSTOMERS;
      create synonym FND_MENUS for APPS.FND_MENUS;
      create synonym FND_REQUEST_GROUPS for APPS.FND_REQUEST_GROUPS;
      create synonym FND_APPLICATION for APPS.FND_APPLICATION;
      create synonym FND_RESPONSIBILITY for APPS.FND_RESPONSIBILITY;
      create synonym FND_APPLICATION_TL for APPS.FND_APPLICATION_TL;
      create or replace synonym FND_DATA_GROUP_UNITS for APPS.FND_DATA_GROUP_UNITS;
      create or replace synonym WF_ROLES for APPS.WF_ROLES;
      create or replace synonym WF_LOCAL_ROLES for APPS.WF_LOCAL_ROLES;
      create or replace synonym WF_ROLE_HIERARCHIES for APPS.WF_ROLE_HIERARCHIES;
      create or replace synonym WF_ALL_ROLES_VL for APPS.WF_ALL_ROLES_VL;
      create synonym FND_REQUEST_GROUP_UNITS for APPS.FND_REQUEST_GROUP_UNITS;
      create synonym PER_PERIODS_OF_SERVICE for APPS.PER_PERIODS_OF_SERVICE;
      create or replace synonym WF_LOCAL_USER_ROLES for APPS.WF_LOCAL_USER_ROLES;
      create or replace synonym FND_USER_RESP_GROUPS_DIRECT for APPS.FND_USER_RESP_GROUPS_DIRECT;
      create synonym PER_PERIODS_OF_PLACEMENT for APPS.PER_PERIODS_OF_PLACEMENT;
      create or replace synonym FND_USER_PKG for APPS.SP_FND_USER_PKG;
      create or replace synonym FND_RESPONSIBILITY_PKG for APPS.SP_FND_RESPONSIBILITY_PKG;
      create or replace synonym WF_LOCAL_SYNCH for APPS.SP_WF_LOCAL_SYNCH;
      create or replace synonym FND_WEB_SEC for APPS.SP_FND_WEB_SEC;
      create or replace synonym FND_GLOBAL for APPS.SP_FND_GLOBAL;
      create or replace synonym FND_USER_RESP_GROUPS_API for APPS.SP_FND_USER_RESP_GROUPS_API;
      create synonym FND_MENUS_VL for APPS.FND_MENUS_VL;
      create synonym FND_MENU_ENTRIES for APPS.FND_MENU_ENTRIES;
      create synonym FND_MENU_ENTRIES_VL for APPS.FND_MENU_ENTRIES_VL;
      create synonym FND_FORM_FUNCTIONS for APPS.FND_FORM_FUNCTIONS;
      create synonym FND_FORM_FUNCTIONS_VL for APPS.FND_FORM_FUNCTIONS_VL;

    For DEFINER rights

    1. Grant EXECUTE permissions to the new role (${new role}):

      Copy 
      grant execute on APPS.FND_USER_PKG to ${new role};
      grant execute on APPS.FND_RESPONSIBILITY_PKG to ${new role};
      grant execute on APPS.WF_LOCAL_SYNCH to ${new role};
      grant execute on APPS.FND_WEB_SEC to ${new role};
      grant execute on APPS.FND_GLOBAL to ${new role};
      grant execute on APPS.FND_USER_RESP_GROUPS_API to ${new role};

    2. Sign in to the Service Account ${new user} and create the following synonym:

      Note
      Ensure that the synonyms is created under the Service Account login. If this is not performed under the Service Account login a failure may occur while performing operations(Troubleshooting).

      Copy 
      create synonym FND_PRODUCT_GROUPS for APPS.FND_PRODUCT_GROUPS;
      create synonym FND_USER for APPS.FND_USER;
      create synonym DBA_USERS for SYS.DBA_USERS;
      create synonym FND_RESPONSIBILITY_VL for APPS.FND_RESPONSIBILITY_VL;
      create synonym FND_APPLICATION_VL for APPS.FND_APPLICATION_VL;
      create synonym FND_DATA_GROUPS for APPS.FND_DATA_GROUPS;
      create synonym FND_USER_RESP_GROUPS_ALL for APPS.FND_USER_RESP_GROUPS_ALL;
      create synonym PER_ALL_PEOPLE_F for APPS.PER_ALL_PEOPLE_F;
      create synonym RA_CUSTOMERS for APPS.RA_CUSTOMERS;
      create synonym FND_MENUS for APPS.FND_MENUS;
      create synonym FND_REQUEST_GROUPS for APPS.FND_REQUEST_GROUPS;
      create synonym FND_APPLICATION for APPS.FND_APPLICATION;
      create synonym FND_RESPONSIBILITY for APPS.FND_RESPONSIBILITY;
      create synonym FND_APPLICATION_TL for APPS.FND_APPLICATION_TL;
      create or replace synonym FND_DATA_GROUP_UNITS for APPS.FND_DATA_GROUP_UNITS;
      create or replace synonym WF_ROLES for APPS.WF_ROLES;
      create or replace synonym WF_LOCAL_ROLES for APPS.WF_LOCAL_ROLES;
      create or replace synonym WF_ROLE_HIERARCHIES for APPS.WF_ROLE_HIERARCHIES;
      create or replace synonym WF_ALL_ROLES_VL for APPS.WF_ALL_ROLES_VL;
      create synonym FND_REQUEST_GROUP_UNITS for APPS.FND_REQUEST_GROUP_UNITS;
      create synonym PER_PERIODS_OF_SERVICE for APPS.PER_PERIODS_OF_SERVICE;
      create or replace synonym WF_LOCAL_USER_ROLES for APPS.WF_LOCAL_USER_ROLES;
      create or replace synonym FND_USER_RESP_GROUPS_DIRECT for APPS.FND_USER_RESP_GROUPS_DIRECT;
      create synonym PER_PERIODS_OF_PLACEMENT for APPS.PER_PERIODS_OF_PLACEMENT;
      create or replace synonym FND_USER_PKG for APPS.FND_USER_PKG;
      create or replace synonym FND_RESPONSIBILITY_PKG for APPS.FND_RESPONSIBILITY_PKG;
      create or replace synonym WF_LOCAL_SYNCH for APPS.WF_LOCAL_SYNCH;
      create or replace synonym FND_WEB_SEC for APPS.FND_WEB_SEC;
      create or replace synonym FND_GLOBAL for APPS.FND_GLOBAL;
      create or replace synonym FND_USER_RESP_GROUPS_API for APPS.FND_USER_RESP_GROUPS_API;
      create synonym FND_MENUS_VL for APPS.FND_MENUS_VL;
      create synonym FND_MENU_ENTRIES for APPS.FND_MENU_ENTRIES;
      create synonym FND_MENU_ENTRIES_VL for APPS.FND_MENU_ENTRIES_VL;
      create synonym FND_FORM_FUNCTIONS for APPS.FND_FORM_FUNCTIONS;
      create synonym FND_FORM_FUNCTIONS_VL for APPS.FND_FORM_FUNCTIONS_VL;

      Important
      In the case of a permission mismatch, validate the Service Account Permissions as mentioned in the Validating Service Account Permissions on Oracle E-Business document.

Additional Permissions for Menu Group Object

The following permissions are required:

Copy 
grant select on APPS.FND_MENUS_VL to ${new role};
grant select on APPS.FND_MENU_ENTRIES to ${new role};
grant select on APPS.FND_MENU_ENTRIES_VL to ${new role};
grant select on APPS.FND_FORM_FUNCTIONS to ${new role};
grant select on APPS.FND_FORM_FUNCTIONS_VL to ${new role};

Service Account Permissions Provided Through the AD_ZD.GRANT_PRIVS API

The Oracle E-Business source supports the service account permissions provided through the AD_ZD.GRANT_PRIVS API from Oracle E-Business Suite 12.2.4 version onward.

The syntax for granting permissions via AD_ZD.GRANT_PRIVS is:

EXECUTE APPS.AD_ZD.GRANT_PRIVS( X_PERMISSIONS in VARCHAR2, X_OBJECT_NAME in VARCHAR2,X_GRANTEE in VARCHAR2, X_OPTIONS in VARCHAR2 default NULL);

For example, you can use: EXECUTE APPS.AD_ZD.GRANT_PRIVS('SELECT','FND_USER','<some user>');, which is equivalent to "grant select on APPS.FND_USER to ${some user};"

The following two permissions cannot be granted using the AD_ZD.GRANT_PRIVS API because the objects are owned by SYSTEM:

  • grant select on SYS.DBA_USERS to ${new user};

  • grant select on DUAL to ${new user};