Question

IFS System Account Access

  • 4 September 2020
  • 3 replies
  • 362 views
S
Rank
Userlevel 5
Badge +10

Hi,

We are looking at SOX/SOD and some of the IFS system user accounts are appearing in the report due to the level of access they have.

IFSPRINT currently has the IFSAPP_ALL permission set assigned which i think is a standard IFS permission set supplied as part of install. 

Does anyone know what actual access does this user account require in IFS?

IFSWEBCONFIG has FND_WEBCONFIG permission set assigned which has access to vast areas of the system.

Again do we know what this is used for and what level of access this actually needs?

Thanks in advance

3 replies

paul harland
Rank
Userlevel 7
Badge +24

hi Shaun

I don’t think IFSPRINT technically needs IFSAPP_ALL.  When we set up print jobs, in particular standard reports but using crystal, it was necessary to grant views that were not granted by default to the user IFSPRINT.  The best practice would be to set up a dedicated role, something like IFSPRINTVIEWS and grant those views to it.

Granting a “full” access role like IFSAPP_ALL was probably a shortcut to solve the same problem, but it does typically mean the IFSPRINT user having more access than it needs.

paul harland
Rank
Userlevel 7
Badge +24

The IFS recommendation is not to edit the contents of any of the roles starting FND_.

NickPorter
Rank
Userlevel 6
Badge +18

IFSAPP_ALL doesn’t look like a standard IFS permission set.  My guess is that this was created by an admin or possibly your implementation partner and was intended to provide additional access for report purposes like @paul harland noted.

FND_WEBCONFIG is the name of a standard IFS permission set but it is possible that someone has modified this from what was delivered.  This is not something that should have been done but unfortunately there is nothing to stop an IFS system admin from doing so.

Reply


Terms & ConditionsCookie settings