User Permissions
Overview
Administrator Groups are currently an opt-in feature, but enabling this feature this will become mandatory and that will disable legacy Access Permissions. If you have not enabled Administrator Groups, we recommend administrators plan to transition to Administrator Groups.
Oracle CPQ is commonly administered by teams of individuals who are often a composite of different skill sets. Using the Administrator Access Control feature, companies can delegate and restrict access to certain areas of CPQ. This prevents unauthorized users from introducing unintentional errors, clarifies areas of responsibility, and protects sensitive or proprietary information.
The following Administrator Groups are available:
User Administrator - User Administrator users can view and manage users. This includes creating users, resetting passwords and deactivating users. Host company user administrators can manage all users on a site. Partner company user administrators can manage all users in their company. This permission is only available to Full Access users.
Web Services Only - Web Services Only users are special user accounts which do not have access to the CPQ user interface., they can only log in via API. They are intended to be used as part of an integration, automation or other remote access scenario. Web Services Only users are not counted against the site's quota of user licenses, but they will consume API interactions when used. This permission is available to Host Company Full Access, Sales Agent, Channel Agent and Restricted Access users. It is not valid for guest or Application Administrator/SuperUser accounts.
Access Administrator - Access Administrator users can view and manage Administrator groups and manage their access permissions. This permission is available when the General Site Option 'Enable Administrator Groups' is set to 'Yes'. This permission is only available to Host Company Full Access users.
Allow Proxy Login- Allow Proxy Login Users can log in as any user on the site and impersonate that user by clicking the proxy login button from the users list page. This permission can only be managed by User Administrators (when Enable Administrator Groups is set to 'No') or Access Administrators (when Enable Administrator Groups is set to 'Yes'). This permission is only available to Host Company Full Access users.
Application Administrator - Introduced for host sites in Oracle CPQ 25A, Application Administrators are elevated users who gain additional privileges. They can perform special or sensitive tasks that Full Access admins cannot. Multiple users can be marked as Application Administrators. This permission is only available to Host Company Full Access users.
Administration
Assign User Administrator Privileges to FullAccess Users
Users with User Administrator permissions see all users when they click on the users tab. In addition, User Administrators can perform the following functions:
- Proxy in as other users
- Modify users
- Reset passwords
- Add new users or inactivate existing users
- Create shared folders
- Commerce archiving if the user belongs to Host Company
- Schedule Usage Reports if the user belongs to Host Company
- Access the Migration Center (Oracle CPQ 21B and later)
- Send Broadcast Emails (Oracle CPQ 21B and later)
- Access Single Sign-On (SSO) (Oracle CPQ 21B and later)
When the Enable Administrator Groups option on the General Site Options page is set to Yes, an Access Administrator checkbox displays as a Permissions property on the User Administration and My Profile pages.
To assign User Administrator privileges to FullAccess users, perform the following steps:
- Open the Admin Home page.
-
Under Users, select Internal Users.
The User Administration List page opens.
-
Click the user login link for the FullAccess user you want to make an Access Administrator.
The User Administration page opens.
-
Select the User Administrator checkbox.
- Click Apply.
Note: Users must be logged in as a Application Administrator/SuperUser or a FullAccess user with Access Administrator permissions in order to change the Access Administrator permission for other users.
Update User Permissions Using SOAP Web Services
Assign Access Administrator Privileges to FullAccess Users
When the Enable Administrator Groups option on the General Site Options page is set to Yes, an Access Administrator checkbox displays as a Permissions property on the User Administration and My Profile pages.
Notes:
- Only Access Administrators can create and edit Administrator groups.
- This checkbox is always checked for the Host Company SuperUser and defaults to unchecked for all FullAccess users.
- When Administrator Groups are first enabled, the SuperUser must assign Access Administrator permissions to other FullAccess users.
To assign Access Administrator privileges to FullAccess users, perform the following steps:
- Open the Admin Home page.
-
Under Users, select Internal Users.
The User Administration List page opens.
-
Click the user login link for the FullAccess user you want to make an Access Administrator.
The User Administration page opens.
-
Select the Access Administrator checkbox.
- Click Apply.
Note: Users must be logged in as a SuperUser or a FullAccess user with Access Administrator permissions in order to change the Access Administrator permission for other users.
Assign Allow Proxy Login Privileges
Assign Application Administrator Privileges to FullAccess Users
Assign Web Services Access and SSO Settings
Notes
If a site exceeds the license limitations on any of the license types (Internal User & Partner Organization User), the administrator will not be allowed to create any new users until the license count is decreased and no longer exceeds the license limit. When the license limit is reached, an error message appears instructing the administrator to contact Customer Support and purchase additional licenses.
In Oracle CPQ 23C and later, user license counting was modified to exclude Web Services Only users in the count. In addition, once the maximum number of licenses is allocated, Web Services Only users can still be added to the site.
- Only Application Administrator/SuperUser or FullAccess users can view or modify other user profiles. All lower access users can only view and modify their own profile.
- Administrative functions can only be performed by FullAccess users, including Application Administrator/SuperUser. Admin functions include making changes to configuration (adding attributes, creating rules, and so on) and modifying Commerce Processes.
- A Restricted Admin User has no access to other areas of the administration platform. If a FullAccess user is restricted from any Product Family or Data Table (by folder), the user will automatically lose access to other areas of the Administration Platform. The user will only have access to the Product Family and/or Data Table that the SuperUser has allowed them access to.
- Users can be granted access to profiles through Auto-Forwarding Rules.
- You can remove a Company Type: User Type set from the Access Rights list box by selecting the set and clicking the less than symbol ( < ).
- You can remove a group from the Selected Groups list box by selecting the group and clicking the less than symbol ( < ).