User Permissions

Overview

The legacy Access Permissions feature for Oracle CPQ is being deprecated and end of life and removal of this functionality will occur in Oracle CPQ 25C. Access Permissions, sometimes referred to as Admin Segmentation, have been replaced by Administrator Groups.

Administrator Groups are currently an opt-in feature, but enabling this feature this will become mandatory and that will disable legacy Access Permissions. If you have not enabled Administrator Groups, we recommend administrators plan to transition to Administrator Groups.

Oracle CPQ is commonly administered by teams of individuals who are often a composite of different skill sets. Using the Administrator Access Control feature, companies can delegate and restrict access to certain areas of CPQ. This prevents unauthorized users from introducing unintentional errors, clarifies areas of responsibility, and protects sensitive or proprietary information.

The following Administrator Group permissions are available:

Application Administrator - Introduced for host sites in Oracle CPQ 25A, Application Administrators are elevated users who gain additional privileges. They can perform special or sensitive tasks that Full Access admins cannot. Multiple users can be marked as Application Administrators. This permission is only available to Host Company Full Access users. For detailed information, see Application Administrator.

User Administrator - User Administrator users can view and manage users. This includes creating users, resetting passwords and deactivating users. Host company user administrators can manage all users on a site. Partner company user administrators can manage all users in their company. This permission is only available to Full Access users.

Access Administrator - Access Administrator users can view and manage Administrator groups and manage their access permissions. This permission is available when the General Site Option 'Enable Administrator Groups' is set to 'Yes'. This permission is only available to Host Company Full Access users.

  • Only administrators with Access Administrator privileges can grant Access Administrator privileges to other Full Access users.
  • There is a maximum of 500 FullAccess users per site.

Allow Proxy Login- Allow Proxy Login Users can log in as any user on the site and impersonate that user by clicking the Proxy Login icon from the Users list page. This permission can only be managed by User Administrators (when Enable Administrator Groups is set to 'No') or Access Administrators (when Enable Administrator Groups is set to 'Yes'). This permission is only available to Host Company Full Access users.

Web Services Only - Web Services Only users are special user accounts which do not have access to the CPQ user interface. They can only log in via API. They are intended to be used as part of an integration, automation or other remote access scenario. Web Services Only users are not counted against the site's quota of user licenses, but they will consume API interactions when used. This permission is available to Host Company Full Access, Sales Agent, Channel Agent and Restricted Access users. It is not valid for guest or Application Administrator/SuperUser accounts.

Refer to User Types and User Type Access Summary for more information.

Administration

ClosedAssign Application Administrator Privileges to FullAccess Users

When the Enable Administrator Groups option on the General Site Options page is set to Yes, an Application Administrator checkbox displays as a Permissions property on the User Administration and My Profile pages.

Notes:

  • Upon upgrade to Oracle CPQ 25A, this checkbox is always checked for the Host Company SuperUser and defaults to unchecked for all FullAccess users. The new Application Administrator (formerly SuperUser) account can be used to assign Application Administrator permissions to other FullAccess users.

  • Every site is required to have at least one FullAccess user, other than the SuperUser, with this Application Administrator permission assigned. Only an Application Administrator can grant Application Administrator permissions to another user.

  • Only Application Administrators can create and edit Administrator groups.
  • When Administrator Groups are first enabled, the Application Administrator/SuperUser must assign Access Administrator permissions to other FullAccess users.

To assign Application Administrator privileges to Host Company FullAccess users, perform the following steps:

  1. Navigate to the Admin Home page.

  2. Click Internal Users in the Users section.

    The Users page opens. Refer to Users Page for detailed information.

  3. On the Users page, click Add.

    The User Detail page for that user opens. Refer to My Profile for detailed information.

  4. Select the Application Administrator checkbox in the Permissions section.

    Application Administrator Permission

  5. Click Apply.

Note: Permissions changes take effect immediately for the logged in user. Permission changes made to other users will take effect on their next login.

ClosedAssign User Administrator Permission to FullAccess Users

FulAccess Users with User Administrator permissions see all users when they click on the users tab. In addition, User Administrators can perform the following functions:

  • Proxy in as other users
  • Modify users
  • Reset passwords
  • Add new users or inactivate existing users
  • Commerce archiving if the user belongs to Host Company
  • Schedule Usage Reports if the user belongs to Host Company

When the Enable Administrator Groups option on the General Site Options page is set to Yes, an Access Administrator checkbox displays as a Permissions property on the User Detail page.

To assign User Administrator privileges to FullAccess users, perform the following steps:

  1. Open the Admin Home page.

  2. Under Users, select Internal Users.

    The Users page opens.

  3. Click the user Login link for the FullAccess user you want to make an Access Administrator.

    The User Detail page for that user opens.

  4. Select the User Administrator checkbox in the Permissions section.

    User Administrator Permission

  5. Click Apply.

Note: Users must be logged in as a Application Administrator or Access Administrator permissions in order to change the Access Administrator permission for other users.

ClosedUpdate User Permissions Using SOAP Web Services

ClosedAssign Access Administrator Privileges to FullAccess Users

When the Enable Administrator Groups option on the General Site Options page is set to Yes, an Access Administrator checkbox displays as a Permissions property on the User Administration and My Profile pages.

Notes:

  • Only Access Administrators can create and edit Administrator groups.
  • This checkbox is always checked for the Host Company SuperUser and defaults to unchecked for all FullAccess users.
  • When Administrator Groups are first enabled, the SuperUser must assign Access Administrator permissions to other FullAccess users.

To assign Access Administrator privileges to FullAccess users, perform the following steps:

  1. Navigate to the Admin Home page.

  2. Click Internal Users in the Users section.

    The Users page opens. Refer to Users Page for detailed information.

  3. On the Users page, click Add.

    The User Detail page for that user opens. Refer to My Profile for detailed information.

  4. Select the Access Administrator checkbox in the Permissions section.

    Access Administrator Permission

  5. Click Apply.

Note: Users must be logged in as an Application Administrator or Access Administrator permissions in order to change the Access Administrator permission for other users.

ClosedAssign Allow Proxy Login Privileges

Proxy login allows administrators to log in as another user to verify changes to their setup or isolate issues reported by users. When the Enable Administrator Groups option on the General Site Options page is set to Yes, an Allow Proxy Login checkbox displays as a Permissions property on the User Administration and My Profile pages.

To grant Allow Proxy Login privileges to FullAccess users, perform the following steps:

  1. Navigate to the Admin Home page.

  2. Click Internal Users in the Users section.

    The Users page opens. Refer to Users Page for detailed information.

  3. On the Users page, click Add.

    The User Detail page for that user opens. Refer to My Profile for detailed information.

  4. Select the Allow Proxy Login checkbox in the Permissions section.

    Allow Proxy Login Permission

  5. Click Apply.

Note: Users must be logged in as a SuperUser or Access Administrator permissions to change the Allow Proxy Login permission.

ClosedAssign Web Services Access and SSO Settings

When the Web Services Only checkbox is selected for an internal user, that user may only make Web Services calls to the Oracle CPQ site; logging in through the web interface will not be permitted. Only FullAccess users with the ability to create/modify users can change this setting.

  • Any user that does not have Web Services Only checked will have their password expire within the defined Admin setting. The user will be prompted to change their password on next login.
  • Users with Web Services Only checked do not have their password expire, due to the nature of the account.

To assign Web Services access and SSO Settings, perform the following steps:

  1. Navigate to the Admin Home page.

  2. Click Internal Users in the Users section.

    The Users page opens. Refer to Users Page for detailed information.

  3. On the Users page, click Add.

    The User Detail page for that user opens. Refer to My Profile for detailed information.

  4. Select the Web Services Only checkbox to only a user to access an Oracle CPQ site via Web Services calls.

    Web Services Only Permission and Enable SSO

    When selected, the user can only access the system by logging in through the SOAP or REST APIs. The user will not be able to access the Oracle CPQ user interface. For more information on Oracle CPQ Web Services see the topics An Overview of Web Services 2.0 and SOAP APIs and REST API Overview topics.

  5. Select the Enable SSO setting.

    If the User is enabled for Single Sign-On login and the site is enabled for SSO, the user can access login via this method.

  6. Set the External SSO ID, if desired.

    If the External SSO ID is set it will be used for SSO, otherwise the User's Login will be used.

  7. Click Apply.

Notes

If a site exceeds the license limitations on any of the license types (Internal User & Partner Organization User), the administrator will not be allowed to create any new users until the license count is decreased and no longer exceeds the license limit. When the license limit is reached, an error message appears instructing the administrator to contact Customer Support and purchase additional licenses.

User license count excludes Web Services Only users in the count. In addition, once the maximum number of licenses is allocated, Web Services Only users can still be added to the site.

  • Only Application Administrator or FullAccess users with proper permissions can view or modify other user profiles. All lower access users can only view and modify their own profile.
  • Administrative functions can only be performed by FullAccess users, including the Application Administrator. Admin functions include making changes to configuration (adding attributes, creating rules, and so on) and modifying Commerce Processes.
  • A Restricted Admin User has no access to other areas of the administration platform. If a FullAccess user is restricted from any Product Family or Data Table (by folder), the user will automatically lose access to other areas of the Administration Platform. The user will only have access to the Product Family and/or Data Table that the SuperUser has allowed them access to.
  • Only administrators with Access Administrator privileges can grant Access Administrator privileges to other Full Access users.
  • There is a maximum of 500 FullAccess users per site.
  • Users can be granted access to profiles through Auto-Forwarding Rules.
  • You can remove a Company Type: User Type set from the Access Rights list box by selecting the set and clicking the less than symbol ( < ).
  • You can remove a group from the Selected Groups list box by selecting the group and clicking the less than symbol ( < ).

Related Topics

Related Topics Link IconSee Also