Search Results ibc_object_grant_groups




Overview
Explore in AI Chat

Overview

The IBC_OBJECT_GRANT_GROUPS table is a core data structure within the Oracle E-Business Suite Content Manager (IBC) module. It functions as the central repository for mapping specific object instances to security grant groups. This mapping is fundamental to the platform's security and access control model, enabling administrators to define and enforce granular permissions on content items, folders, and other managed objects. By linking an object instance to a grant group, the system determines which users or roles have specific access privileges (such as view, edit, or delete) to that instance. Its role is critical for implementing inheritance-based security models, as indicated by its self-referential foreign key, allowing permissions to propagate through hierarchical object structures.

Key Information Stored

The table's primary purpose is to maintain the relationship between an object instance, a security group, and its inheritance source. The key columns include:

  • OBJECT_GRANT_GROUP_ID: The primary key uniquely identifying each mapping record.
  • OBJECT_ID: A foreign key to FND_OBJECTS, identifying the specific object instance (e.g., a content item or category) to which the grant group is applied.
  • GRANT_GROUP_ID: A foreign key to IBC_GRANT_GROUPS, identifying the security group containing the defined access rules and principals.
  • INHERITED_FROM: A self-referencing foreign key to the table's own primary key. This column is pivotal for tracking permission inheritance, pointing to the parent OBJECT_GRANT_GROUP_ID from which the current grant group mapping was derived. A NULL value typically indicates a direct, non-inherited assignment.

Common Use Cases and Queries

This table is primarily accessed for security administration, auditing, and troubleshooting within the Content Manager. Common operational scenarios include auditing all direct security assignments for a particular object, identifying the inheritance chain for a specific object's permissions, and cleaning up orphaned mappings. A typical query to find all grant groups assigned to a specific object instance, showing whether the assignment is inherited, would be:

SELECT ogg.OBJECT_GRANT_GROUP_ID, ogg.OBJECT_ID, ogg.GRANT_GROUP_ID, gg.NAME, ogg.INHERITED_FROM
FROM IBC_OBJECT_GRANT_GROUPS ogg,
IBC_GRANT_GROUPS gg
WHERE ogg.GRANT_GROUP_ID = gg.GRANT_GROUP_ID
AND ogg.OBJECT_ID = :p_object_id
ORDER BY ogg.INHERITED_FROM NULLS FIRST;

Another critical use case is generating a report of all objects that have inherited their security from a specific parent object, which involves a hierarchical query using the CONNECT BY clause on the INHERITED_FROM column.

Related Objects

The IBC_OBJECT_GRANT_GROUPS table is integral to the Content Manager's security schema, with documented relationships to the following key objects:

  • IBC_GRANT_GROUPS: Referenced via the GRANT_GROUP_ID foreign key. This table defines the grant groups themselves, which contain the detailed grants (permissions) assigned to users and roles.
  • FND_OBJECTS: Referenced via the OBJECT_ID foreign key. This foundational E-Business Suite table registers all deployable objects, providing the context for the object instance being secured.
  • Self-Reference (IBC_OBJECT_GRANT_GROUPS): The table has a recursive relationship with itself through the INHERITED_FROM column. This relationship is used twice: first, where this table references its own primary key (to point to a parent mapping), and second, where other rows in this table reference it (as a parent for child mappings). This design directly supports the implementation of permission inheritance hierarchies.