Question

How to prevent permission set deletion

  • January 12, 2023
  • 5 replies
  • 150 views

  • Sidekick (Customer)
  • 12 replies

Hi 

Does anyone know how we can prevent accidental deletion of permission sets?

Apparently, it is possible to delete a permission set which is assigned to users. We see some strange behaviour:

 - Anyone in IT who can maintain permission sets can also delete them. Even if the user is not granted the FND_ROLE_API.Delete function, the user can still delete the permission set.

 - This cannot even be prevented by a custom event on fnd_role as the application wipes permission set assignments from fnd_user_role first and this is not rolled back when the custom event throws an error.

This seems like very unsafe application design that we cannot prevent accidental or intentional deletion of permission sets. 

5 replies

  • Hero (Partner)
  • 130 replies
  • January 13, 2023

security_sys.drop_role is the correct sec object which will grant the particular user the delete permission set access

 

 


  • Superhero (Customer)
  • 1169 replies
  • January 13, 2023

Hi @KRTI 

It is true. Therefore I recommend you export all your permission sets. Sometimes you make unwanted changes and the permission set doesn’t work properly.

But before deleting the permission set you get a warning message:

 


  • Author
  • Sidekick (Customer)
  • 12 replies
  • January 13, 2023

Hi @Ruchira 

Unfortunately we are still able to drop permission sets even when there are absolutely no grantees on SECURITY_SYS.DROP_ROLE


eqbstal
  • Superhero (Partner)
  • 677 replies
  • February 13, 2023

@KRTI Do you still have the problem? Did a cache refresh on security help anything?

 


  • Author
  • Sidekick (Customer)
  • 12 replies
  • February 13, 2023

Hi

We created a case with IFS and it turns out that this is not possible. We also tried to prevent this using events, but we were not able to make the event trigger before the permission set had been unassigned from all users. 

