Question

Errors when creating permission sets in IFS10

  • 21 August 2020
  • 7 replies
  • 323 views

Userlevel 3

We are seeing some strange behaviour when creating and testing permission sets and were wondering if anyone else has seen this.

After creating a functional permission set we assign it to an empty test-end user role. We then in turn grant this end user role to a test end user.

Sometimes when logging in we get error messages such as the one shown below. When checking the functional role we can see that all methods for the quoted API are granted. This happens for any random functional role and any number of APIs.

The only workaround we have found is to re-assign the functional role to another end user role and then assign the end user role to another end user. After having refreshed the security cache we no longer get the error message.

We have also tried to refresh dictionary and reference cache but that makes no difference. IFS have even provided us with a script that clears down the whole dictionary cache, but even that made no difference.

 



Userlevel 5

Hi @magnum80,

Yes, we have come across this error a few times, but it was months ago when we went through this process so my memories are vague. It seems that when you apply permissions to a process, it doesn’t necessarily include all associated APIs.

We had to track down the API calls and apply the additional permissions. After applying permissions under Presentation Objects by Navigator/Module, go into Database Objects and track down the API to see what is/is not assigned...

 

Userlevel 3

Thanks for your reply, GPIE. The thing with the errors we are getting is that they are false. We have verified that all relevant APIs and methods are granted. This is proven by the fact that the permission set works without error by simply assigning it to another end user role and user. We don’t have to make any amendments to the functional permission set.

Userlevel 5

But when you assign it to another user role, that user role might already have permission to read INSTANT_INVOICE_API due to another permission set, so the error goes away. If you test each process independently, you will get many more of these errors than you would if you were testing more fully developed sets. 

Userlevel 3

I am using specific test end users which have nothing but FND_CONNECT and the test end user role assigned. They definitely don’t have the API granted through something else...

Userlevel 5

So what do you mean by “permission set works without error by simply assigning it to another end user role and user”? I thought you meant that if you assign the test permission set to an actual user/role, the error goes away. That’s why I suggested that that user/role might have other permission sets applying.

If not, what do you mean by that statement?

Userlevel 3

In the first instance I have, let’s say, the following assignment. I log in as USER7 and get the error message.

Funct Role PC_SUP_INV_SA → End User Role PC_TEST_EUR2 → User USER7

 

Without changing any details of the functional role, I change to this:

Funct Role PC_SUP_INV_SA → End User Role PC_TEST_EUR4 → User USER5

 

When I log in as USER5 I no longer get the error message.

The end user roles don’t have any database objects or presentation objects granted to them.

The end users only have FND_CONNECT and the Test end user roles assigned.

 

Userlevel 5

OK. I misunderstood. That is very weird. Have you run the User Security Report to see if there are any differences?
