User Permissions

Overview

The legacy Access Permissions feature for Oracle CPQ is being deprecated and end of life and removal of this functionality will occur in Oracle CPQ 25C. Access Permissions, sometimes referred to as Admin Segmentation, have been replaced by Administrator Groups.

Administrator Groups are currently an opt-in feature, but enabling this feature this will become mandatory and that will disable legacy Access Permissions. If you have not enabled Administrator Groups, we recommend administrators plan to transition to Administrator Groups.

Oracle CPQ is commonly administered by teams of individuals who are often a composite of different skill sets. Using the Administrator Access Control feature, companies can delegate and restrict access to certain areas of CPQ. This prevents unauthorized users from introducing unintentional errors, clarifies areas of responsibility, and protects sensitive or proprietary information.

The following Administrator Groups are available:

User Administrator - User Administrator users can view and manage users. This includes creating users, resetting passwords and deactivating users. Host company user administrators can manage all users on a site. Partner company user administrators can manage all users in their company. This permission is only available to Full Access users.

Web Services Only - Web Services Only users are special user accounts which do not have access to the CPQ user interface., they can only log in via API. They are intended to be used as part of an integration, automation or other remote access scenario. Web Services Only users are not counted against the site's quota of user licenses, but they will consume API interactions when used. This permission is available to Host Company Full Access, Sales Agent, Channel Agent and Restricted Access users. It is not valid for guest or Application Administrator/SuperUser accounts.

Access Administrator - Access Administrator users can view and manage Administrator groups and manage their access permissions. This permission is available when the General Site Option 'Enable Administrator Groups' is set to 'Yes'. This permission is only available to Host Company Full Access users.

Allow Proxy Login- Allow Proxy Login Users can log in as any user on the site and impersonate that user by clicking the proxy login button from the users list page. This permission can only be managed by User Administrators (when Enable Administrator Groups is set to 'No') or Access Administrators (when Enable Administrator Groups is set to 'Yes'). This permission is only available to Host Company Full Access users.

Application Administrator - Introduced for host sites in Oracle CPQ 25A, Application Administrators are elevated users who gain additional privileges. They can perform special or sensitive tasks that Full Access admins cannot. Multiple users can be marked as Application Administrators. This permission is only available to Host Company Full Access users.

Administration

ClosedAssign User Administrator Privileges to FullAccess Users

Users with User Administrator permissions see all users when they click on the users tab. In addition, User Administrators can perform the following functions:

  • Proxy in as other users
  • Modify users
  • Reset passwords
  • Add new users or inactivate existing users
  • Create shared folders
  • Commerce archiving if the user belongs to Host Company
  • Schedule Usage Reports if the user belongs to Host Company
  • Access the Migration Center (Oracle CPQ 21B and later)
  • Send Broadcast Emails (Oracle CPQ 21B and later)
  • Access Single Sign-On (SSO) (Oracle CPQ 21B and later)

When the Enable Administrator Groups option on the General Site Options page is set to Yes, an Access Administrator checkbox displays as a Permissions property on the User Administration and My Profile pages.

To assign User Administrator privileges to FullAccess users, perform the following steps:

  1. Open the Admin Home page.
  2. Under Users, select Internal Users.

    The User Administration List page opens.

  3. Click the user login link for the FullAccess user you want to make an Access Administrator.

    The User Administration page opens.

  4. Select the User Administrator checkbox.

    User Administration

  5. Click Apply.

Note: Users must be logged in as a Application Administrator/SuperUser or a FullAccess user with Access Administrator permissions in order to change the Access Administrator permission for other users.

ClosedUpdate User Permissions Using SOAP Web Services



ClosedAssign Access Administrator Privileges to FullAccess Users

When the Enable Administrator Groups option on the General Site Options page is set to Yes, an Access Administrator checkbox displays as a Permissions property on the User Administration and My Profile pages.

Notes:

  • Only Access Administrators can create and edit Administrator groups.
  • This checkbox is always checked for the Host Company SuperUser and defaults to unchecked for all FullAccess users.
  • When Administrator Groups are first enabled, the SuperUser must assign Access Administrator permissions to other FullAccess users.

To assign Access Administrator privileges to FullAccess users, perform the following steps:

  1. Open the Admin Home page.
  2. Under Users, select Internal Users.

    The User Administration List page opens.

  3. Click the user login link for the FullAccess user you want to make an Access Administrator.

    The User Administration page opens.

  4. Select the Access Administrator checkbox.

    User Administration

  5. Click Apply.

Note: Users must be logged in as a SuperUser or a FullAccess user with Access Administrator permissions in order to change the Access Administrator permission for other users.


ClosedAssign Allow Proxy Login Privileges

Proxy login allows administrators to log in as another user to verify changes to their setup or isolate issues reported by users. When the Enable Administrator Groups option on the General Site Options page is set to Yes, an Allow Proxy Login checkbox displays as a Permissions property on the User Administration and My Profile pages.

To grant Allow Proxy Login privileges to FullAccess users, perform the following steps:

  1. Open the Admin Home page.
  2. Under Users, select Internal Users.

    The User Administration List page opens.

  3. Click the user login link for the FullAccess user you want to make an Access Administrator.

    The User Administration page opens.

  4. Select the Allow Proxy Login checkbox.

    User Administration

  5. Click Apply.

Note: Users must be logged in as a SuperUser or a FullAccess user with Access Administrator permissions to change the Allow Proxy Login permission.


ClosedAssign Application Administrator Privileges to FullAccess Users

When the Enable Administrator Groups option on the General Site Options page is set to Yes, an Application Administrator checkbox displays as a Permissions property on the User Administration and My Profile pages.

Notes:

  • Upon upgrade to Oracle CPQ 25A, this checkbox is always checked for the Host Company SuperUser and defaults to unchecked for all FullAccess users. The new Application Administrator (formerly SuperUser) account can be used to assign Application Administrator permissions to other FullAccess users.
  • Every site is required to have at least one FullAccess user, other than the SuperUser, with this Application Administrator permission assigned. Only an Application Administrator can grant Application Administrator permissions to another user.

  • Only Application Administrators can create and edit Administrator groups.
  • When Administrator Groups are first enabled, the Application Administrator/SuperUser must assign Access Administrator permissions to other FullAccess users.

To assign Application Administrator privileges to Host Company FullAccess users, perform the following steps:

  1. Open the Admin Home page.
  2. Under Users, select Internal Users.

    The User Administration List page opens.

  3. Click the user login link for the FullAccess user you want to make an Application Administrator.

    The User Administration page opens.

  4. Select the Application Administrator checkbox.

    Application Administrator Permission

  5. Click Apply.

Note: Permissions changes take effect immediately for the logged in user. Permission changes made to other users will take effect on their next login.


ClosedAssign Web Services Access and SSO Settings

When the Web Services Only checkbox is selected for an internal user, that user may only make Web Services calls to the Oracle CPQ site; logging in through the web interface will not be permitted. Only FullAccess users with the ability to create/modify users can change this setting.

  • Any user that does not have Web Services Only checked will have their password expire within the defined Admin setting. The user will be prompted to change their password on next login.
  • Users with ‘Web Services Only checked do not have their password expire, due to the nature of the account.

To assign Web Services access and SSO Settings, perform the following steps:

  1. Open the Admin Home page.
  2. Under Users, select Internal Users.

    The User Administration List page opens.

  3. Click the user login link for the FullAccess user you want to make an Access Administrator.

    The User Administration page opens.

    User Administration

  4. Select the Web Services Only checkbox to only a user to access an Oracle CPQ site via Web Services calls.

    When selected, the user can only access the system by logging in through the SOAP or REST APIs. The user will not be able to access the Oracle CPQ user interface. For more information on Oracle CPQ Web Services see the topics An Overview of Web Services 2.0 and SOAP APIs and REST API Overview topics.

  5. Select the Enable SSO setting.

    If the User is enabled for Single Sign-On login and the site is enabled for SSO, the user can access login via this method.

  6. Set the External SSO ID, if desired.

    If the External SSO ID is set it will be used for SSO, otherwise the User's Login will be used.

  7. Click Apply.

Notes

If a site exceeds the license limitations on any of the license types (Internal User & Partner Organization User), the administrator will not be allowed to create any new users until the license count is decreased and no longer exceeds the license limit. When the license limit is reached, an error message appears instructing the administrator to contact Customer Support and purchase additional licenses.

In Oracle CPQ 23C and later, user license counting was modified to exclude Web Services Only users in the count. In addition, once the maximum number of licenses is allocated, Web Services Only users can still be added to the site.

  • Only Application Administrator/SuperUser or FullAccess users can view or modify other user profiles. All lower access users can only view and modify their own profile.
  • Administrative functions can only be performed by FullAccess users, including Application Administrator/SuperUser. Admin functions include making changes to configuration (adding attributes, creating rules, and so on) and modifying Commerce Processes.
  • A Restricted Admin User has no access to other areas of the administration platform. If a FullAccess user is restricted from any Product Family or Data Table (by folder), the user will automatically lose access to other areas of the Administration Platform. The user will only have access to the Product Family and/or Data Table that the SuperUser has allowed them access to.
  • Users can be granted access to profiles through Auto-Forwarding Rules.
  • You can remove a Company Type: User Type set from the Access Rights list box by selecting the set and clicking the less than symbol ( < ).
  • You can remove a group from the Selected Groups list box by selecting the group and clicking the less than symbol ( < ).

Related Topics

Related Topics Link IconSee Also