Question

How to prevent permission set deletion

  • 12 January 2023

Userlevel 1

Hi 

Does anyone know how we can prevent accidental deletion of permission sets?

Apparently, it is possible to delete a permission set which is assigned to users. We see some strange behaviour:

 - Anyone in IT who can maintain permission sets can also delete them. Even if the user is not granted the FND_ROLE_API.Delete function, the user can still delete the permission set.

 - This cannot even be prevented by a custom event on fnd_role, as the application wipes permission set assignments from fnd_user_role first and this is not rolled back when the custom event throws an error.

This seems like very unsafe application design that we cannot prevent accidental or intentional deletion of permission sets. 


5 replies

Userlevel 5

security_sys.drop_role is the correct sec object which will grant the particular user the delete permission set access

 

 

Userlevel 7

Hi @KRTI 

It is true. Therefore I recommend that you export all your permission sets. Sometimes you make unwanted changes and the permission set doesn’t work properly.

But before deleting the permission set you get a warning message:

 

Userlevel 1

Hi @Ruchira 

Unfortunately, we are still able to drop permission sets even when there are absolutely no grantees on SECURITY_SYS.DROP_ROLE.

Userlevel 7

@KRTI Do you still have the problem? Did a cache refresh on security help anything?

 

Userlevel 1

Hi

We created a case with IFS and it turns out that this is not possible. We also tried to prevent this using events, but we were not able to make the event trigger before the permission set had been unassigned from all users. 
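
The thread concludes that the deletion cannot be blocked, so a regular export of assignments can serve as a detection baseline. The following is an added example, not code from any poster or from IFS: it compares two constructed CSV exports of permission set assignments and flags any set that lost every grantee at once. The ROLE and IDENTITY column names and all sample values are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports (not real data). The column names ROLE and
# IDENTITY are assumptions about how the assignment export is laid out.
BEFORE = """ROLE,IDENTITY
FIN_CLERK,ALICE
FIN_CLERK,BOB
WAREHOUSE,CAROL
IT_ADMIN,DAVE
"""
AFTER = """ROLE,IDENTITY
FIN_CLERK,ALICE
IT_ADMIN,DAVE
"""

def load(text):
    """Return {role: set(users)} from a CSV export of assignments."""
    grants = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        grants[row["ROLE"].strip().upper()].add(row["IDENTITY"].strip().upper())
    return dict(grants)

def diff_assignments(before, after):
    """Split lost grants into whole-set losses and single unassignments."""
    dropped, revoked = {}, {}
    for role, users in before.items():
        remaining = after.get(role, set())
        lost = users - remaining
        if not lost:
            continue
        if not remaining:
            # Every grantee gone at once: the pattern a deleted set leaves.
            dropped[role] = sorted(lost)
        else:
            revoked[role] = sorted(lost)
    return dropped, revoked

def report(before_csv, after_csv):
    """Build alert lines, including who to re-grant each lost set to."""
    dropped, revoked = diff_assignments(load(before_csv), load(after_csv))
    lines = [f"ALERT {r}: all {len(u)} grantees gone, re-grant to {', '.join(u)}"
             for r, u in sorted(dropped.items())]
    lines += [f"INFO {r}: unassigned from {', '.join(u)}"
              for r, u in sorted(revoked.items())]
    return lines

if __name__ == "__main__":
    print("\n".join(report(BEFORE, AFTER)))
```

A permission set that had no grantees in the earlier export never appears in an assignment list, so its deletion is only visible if the sets themselves are exported as well.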
