Skip to main content

I am keen understand what the practices others are following with regard to version/change control of permission sets in IFS. 

We have tried Exporting Permission sets via XML to a version control system SVN/Git Repository with mixed success. If carried out diligently, is that it provides a full audit and commentary and it is possible to restore the old permission set (it does need to be imported as a new name)
However, it is easily forgotten or skipped in a rush, and we were finding that a large number of Permission sets were updated with either Quick Report or IAL deployment. Exporting each permission set in this scenario was not workable..

We are keen to audit/track permissions changes that grant/revoke the Functional Areas that we have defined within Segregation of Duties analysis. We are now looking to capture changes to this with a daily report (using two IALs that snapshot the access on alternative days). This will allow us to interrogate and possibly ensure compliance with the external version control system, however this could end up being time consuming.

Are we missing anything? What would be ideal is a Security Checkpoint that would force you to re-authenticate and enter a comment when making a change that is going to impact Permission Sets…

I am hoping we are missing something that could simplify this? We are currently using APP9 Update 16

Do you have PL/SQLDeveloper?  If not there will be some editing needed to pull out the list prompts.

SELECT d.grantee AS ROLE, package_name, object_name AS Method_Name, COUNT(*)
  FROM ifsapp.security_sys_privs_tab D, dba_arguments A
 WHERE d.privilege = 'EXECUTE'
   AND A.OWNER = 'IFSAPP'
   AND a.PACKAGE_NAME = d.table_name
   AND a.position IN (0, 1)
   AND d.grantee LIKE &<name="Role Name" TYPE="string" REQUIRED="yes" RESTRICTED="no" DESCRIPTION="no"
                     LIST="SELECT ROLE FROM IFSAPP.Fnd_Role_tab WHERE FND_ROLE_TYPE = 'ENDUSERROLE' ORDER BY ROLE">
   AND NOT EXISTS
       (SELECT ROLE, package_name, method_name
          FROM ifsapp.security_sys_tab
         WHERE ROLE = d.grantee
           AND package_name = a.package_name
           AND UPPER(method_name) = a.object_name)
   AND object_name NOT LIKE DECODE (&<name="Include Read Only Modules" TYPE="string" REQUIRED="yes" RESTRICTED="yes" LIST="YES, NO">,
                                       'YES', 'K', 'NO', 'GET%')
 GROUP BY d.grantee, package_name, object_name
 ORDER BY d.grantee, package_name, object_name

Another option is to add a trigger on the ifsapp.security_sys_tab table and track any changes that way.

Terms & ConditionsCookie settings