Skip to main content

I’m running into an issue where, for employees that need access to many different areas of the system, I receive an error message “maximum of 148 enabled roles exceeded” after assigning additional permission sets to the user account.  This is primarily for a few executive positions in our organization.

I thought if I recreated a new permission set with all of my functional roles attached to the end user role, that would take care of the problem but it did not.

 

What’s the best way to handle giving a user account access to the various areas of the system, without using IFSAPP_FULL?

The maximum roles allowed is dictated by an Oracle database parameter called MAX_ENABLED_ROLES

The default value is 150 and when a new session is initiated Oracle will attempt to enable all the default roles of the account if their number will be less than ( (value of the MAX_ENABLED_ROLES parameter) – 2 ). 

This query below should indicate the number of roles that have been granted to all users, including roles that have been granted via roles and sorted in Descending Order. This will give you an idea which users have been granted roles > theshold.

select "Grantee", count(*) "Role Number" from
(
select distinct connect_by_root grantee "Grantee", granted_role
from dba_role_privs
connect by prior granted_role=grantee
)
group by "Grantee"
order by "Role Number" desc

The Oracle parameter won’t accept any value higher than 150, so your options are limited to review the Permission Sets granted to user and check for any inherited roles. Remove roles that won’t make any impact to User access.

Good luck!


Hi @jchristy ,

 

@Srikanth is spot-on on the cause of the issue. You would need to cut down on the accumulated number of roles that the specific users eventually inherit by merging few of the permission sets in to a new ones where possible.

 

i.e Let’s say User A has End-user Permission set  EUPS1 & EUPS2 attached to them. EUPS1 has FPS1, FPS2 ,FPS3 functional roles attached to it in addition to FND_ENDUSER(which in turn has FND_RUNTIME attached to it) while EUPS2 has FPS4 & FPS5 attached. Overall the number of roles counted against the user would be 9. If you create a new Functional Permission set called FPS-Combined by combining FPS1+FPS2+FPS3 and use attach that to EUPS1, then the role count would reduce by 2 making the total count 7. 

The duplicate option combined with “merge permission set” RMB option in the permission set window is really handy when it comes to doing this.

Cheers.


Thanks for the feedback.

I found an end user role that had many functional roles attached to it that was causing a few users to exceed that 148 max roles limit.  I identified the users using the query shared above (thanks @Srikanth ) and stepped thru each end user permission and unchecked them looking at the attached counter to see if it dropped.

We have a Finance EUPS that has a ton of FPS’s attached to it because they need access to so many different areas.  We will work on building a new FPS and look to add all the grants there as opposed to leveraging many different FPS’s.