Arun Kumar K

Role based access – With example

There are times you might have noticed in R12 that users cannot view others report or program output.
This is because of RBAC (Role Based Access Control) concept newly introduced in R12.

Here we can discuss in detail when trying to View a Concurrent Request Output as a user other than the
user who submitted the request in R12 and also the solution for the same.
We need to know about RBAC before we learn about the problem.

To quickly know about RBAC, we need to learn about Function Security and Data Security.

Function Security:

Function security is the base layer of access control in E-business suite. It restricts the user access to
individual menus or menu functions but does not have control on retrieving the data.

For example , an organization could use function security to provide sales team with necessary menus
and menu functions for querying customer details. Note that, it does not restrict the data in querying
customers.
Arun Kumar K

Data security is the next layer of access control as it builts on top of functional security as it provides
control withing E-business suite on the data user can access. It restricts access to individual data that is
displayed on the screen once the user has selected menu and menu options.

RBAC is the next layer and builds upon Data Security and Function Security. With RBAC, access control is
defined through roles, and user access to Oracle E-Business Suite is determined by the roles granted to
the user.
A role can be configured to consolidate the responsibilities, permissions, function security and data
security polices that users require to perform a specific function.

Starting with R12, 'View Output' button grayed out when trying to view a concurrent request output file
as privileges to report output files and log files generated by a concurrent program are controlled using
Role Based Access (RBAC) model.

Let’s create an role in R12 so that users can view other’s output. User should have same responsibility
which the other user used to submit that report.

As SYSADMIN user with “Functional Developer” responsibility, Search for object Concurrent Requests.
Arun Kumar K

Click on Concurrent Requests.

Click on Object Instance Sets tab.

Click on Create Instance Set button.

Enter Name, Code and Description for new instance set as below.

Name : Request Output Of The Same Responsibility

Code : FND_CONC_OUTPUT

Description : Request Output Of The Same Responsibility

- Enter the following for predicate:

&TABLE_ALIAS.request_id in (select cr.request_id from fnd_concurrent_requests cr where

cr.responsibility_id = fnd_global.resp_id and cr.responsibility_application_id =
fnd_global.resp_appl_id)

And then apply.

2. As the SYSADMIN user with “User Management”, go to Roles and Role Inheritance tab.
Create a Role as below.
Arun Kumar K

And then click ‘SAVE’

And in the same page then create a Grant for the Role.
Enter Name and Description for the new Grant.

Click next and provide the below details

Click Next and for Set choose set as ‘Request Operations’.

Arun Kumar K

And then click next and finish.

Now, you can assign this role to anyone who want to view the users output provided the responsibilities
are available with them. These roles are very helpful for administrators or L3/L4 team so that they can
work on any issues related to others program.

Role based access is very powerful and provides security for any organization and also comply with
security policy at application level.

Reference :
Oracle E-business Security Guide – R12.