Skip to main content

Hi

I am interested to know when you create new users, what is the default permission set you grant them to allow them to login to the application?

I have compared FND_ENDUSER, FND_RUNTIME and FND_CONNECT and either they have too much access or not enough…

FND_ENDUSER gives users the ability to create new database task schedules which we wouldnt want to grant whereas FND_CONNECT gives users access to Schedule Application Server Tasks. Both these functions I would only allow the IFS Administrator to have access. 

Functional permission sets would supplement this initial permission set; so i wouldn’t expect it to have access to any of the functional screens. 

Please provide your thoughts and recommendations 

Regards

Shaun

FND_RUNTIME is the real baseline that we use, attached to our basic ‘all users’ permission set, to allow them to log in and get what all users should for our environment. 

FND_ENDUSER contains FND_RUNTIME.  I’ve not personally run into issues with it giving too much access.  Are you sure what you’re seeing about the scheduling tasks isn’t something you want users to do, e.g. scheduling a report to run at a later time?

FND_CONNECT is misleading… there isn’t any need to give this to a normal user.

Nick

Hi Shaun

You raise a valid point. And it is better to get it right first time, rather than go back and remove access at a later date.

That said we tend to grant FND_CONNECT (This may or may not have been altered), + any additional in house roles specific to the job.

I will look into the ability to schedule server tasks under the FND_CONNECT role. Do you think your users would attempt this?

Regards

Mike

Thanks both for your comments. 

I have granted access to just the permission sets and logged in each time to see what access the user would get. 

Below are the screenshots for each:

FND_CONNECT

 

FND_ENDUSER

FND_RUNTIME

 

I know you are not meant to modify these FND_ permission sets.

To me FND_RUNTIME has the least amount of additional access granted. So we could build upon this with our own permission sets. Report Definitions is the only screen maybe they shouldn’t have access too.

Access i think all users would need in addition include background jobs, order report and quick report.

Hi Shaun

You raise a valid point. And it is better to get it right first time, rather than go back and remove access at a later date.

That said we tend to grant FND_CONNECT (This may or may not have been altered), + any additional in house roles specific to the job.

I will look into the ability to schedule server tasks under the FND_CONNECT role. Do you think your users would attempt this?

Regards

Mike

I don’t understand.  Why do you grant FND_CONNECT to normal end users?  There should be absolutely no need for that and I wouldn’t suggest it.

FND_RUNTIME (at a minimum) or FND_ENDUSER (if you’re ok with it) should be the way to go.  FND_RUNTIME would need to be added to another baseline permission set that you use in a hierarchy since it it by default a Functional Role and can’t be granted directly to users. 

If any reduction is truly needed to FND_ENDUSER, I would create a copy of it with a separate name and use that instead.  You should never modify those FND_ permission sets.

Nick

Hi Shaun

You raise a valid point. And it is better to get it right first time, rather than go back and remove access at a later date.

That said we tend to grant FND_CONNECT (This may or may not have been altered), + any additional in house roles specific to the job.

I will look into the ability to schedule server tasks under the FND_CONNECT role. Do you think your users would attempt this?

Regards

Mike

I don’t understand.  Why do you grant FND_CONNECT to normal end users?  There should be absolutely no need for that and I wouldn’t suggest it.

FND_RUNTIME (at a minimum) or FND_ENDUSER (if you’re ok with it) should be the way to go.  FND_RUNTIME would need to be added to another baseline permission set that you use in a hierarchy since it it by default a Functional Role and can’t be granted directly to users. 

If any reduction is truly needed to FND_ENDUSER, I would create a copy of it with a separate name and use that instead.  You should never modify those FND_ permission sets.

Nick

 

Hi Nick

It was decided at some point in the past that this was the best option for us. It obviously worked for us and perhaps has not been thought about since. Given your reaction I will definitely review this.

Cheers

Mike

Reply


Terms & ConditionsCookie settings