1 Reply Latest reply on Jun 28, 2015 11:07 AM by 2847264

    Roles, Grants & User Management


      Hi guys



      Before you go further:

      Rather than answering this yourself, you can just give me a link to a tutorial showing how to do this, but please Don't refer to a MOS document...sadly i have

      no access to it


      I have a quick question i need you to help me with.

      It's about Oracle User Security Management. Specifically what i don't understand are Roles, grants & Data Security.


      I tried getting this from the following link:



      I understand that roles stack over each others, each of them is meant to entail some responsibilities + other sub roles. What i don't know how to do

      is how to control the function security & the data security here as i could in the system administrator responsibility and go beyond that.


      I will illustrate what i need exactly, and will do my best to be as clear as possible about it.

      This example is fictional, but it mirrors what i need. Here we go:


      Let's say we have the System Administrator responsibility.

      a) First Function Security: In the old fashioned way, you would use menu exclusions to control what user can, can't see which requires a tedious process of creating a new menu, responsibility then assign that to the user.
      I want to do the same here using user management. I would like to divide it's functionality and offer it up in increasing manner from a single function in role 1 in the figure to the whole thing role 3 that includes the full responsibility as it's in the vision Demo Instance. How do i do so? I am sure this is where Grants come into play (In step 3 it's has some menu that you need to specify. what does that mean? The users only has access to this menu or what? ).


      b) Then the 2nd problem: Data Security. Presumably i got a) with, next I would like to control what users can access on the given responsibilities.

      for example, in the users form, I want the local admin of finance to access finance users only. How do i do so? Choose a specific Object, then limit the

      rows you want with a predicate, right? Weird thing is, to try this out I assigned some user the Security Administrator. Then Created a new Grant and specified

      the object FND_USER, and chose a specific single object instance to this grant. Presumably, if this worked right, i shouldn't be able to find any other user when i search using the User Page in the User Management Responsibility, yet somehow all the user came out. Did i misunderstand? where did i go wrong if not?


      In the terms specified in the page above, FND_USER is the object here, and finance_users is the object instance set we want to limit our admin access to.

      same applies for supply chain, HR..etc. Then finally the super admin have access to All instance sets = ALL ROWS.


      c) Again, let's say we had a) & b) in place. I want to control the operations available on the form. Namely DML & Querying stuff...how can i get that?

      Using Permission sets?


      d) Again, Let's assume we managed to do both a), b) & c). I have my roles all set up nicely the way i want them. I have like 30 users that i want to have

      the local admin of finance role..assigning this to each one would defeat the purpose of all this abstraction effort...surely oracle has some sort of user grouping functionality. So how do i create a user groups and assign roles to the whole group instead of a single user at a time?


      Thanks in advance.