Challenges with sandbox testing
Have you ever encountered a situation where you have personalized a page and need a business user to test it before deploying it to production, only to find that the user is unable to access your sandbox for testing?
This is a common limitation with sandboxes: non-admin users don’t have the privileges needed to enter a sandbox. Until now, the workaround has been to temporarily assign the user the “Application Implementation Consultant” role, or another admin role such as “Human Capital Management Application Administrator”, and revoke it later. That is no longer necessary.
In this article, we will explore alternative solutions that enable users to complete sandbox testing without requiring admin privileges. We will provide detailed guidance on how to overcome this obstacle.
1. Create a custom role (one time setup)
To solve this issue, we need to create a custom role that grants access to view or edit any sandbox. This abstract role only needs to be created once. Follow the steps below:
Navigate to : Tools » Security Console » Roles » Create Role
On Create Role : Basic Information page, enter details as follows and click on Next button
- Role Name : AVI Sandbox Access – View Only
- Role Code : AVI_VIEW_ONLY_SANDBOX
- Role Category : HCM – Abstract Roles
On Create Role AVI Sandbox Access – View Only: Function Security Policies page, perform below steps.
- Click on the button “Add Functional Security Policy”, which will bring up a pop-up window.
- Search for the policy “FND_VIEW_SANDBOX_PRIV”
- Click on Add Privilege to Role button.
Now click on the 7th train stop “Summary” and then click on the Save and Close button. The custom role is now ready.
1.1. Additional Privilege for the Sandbox
The requirement here was to give view-only access to the sandbox, so that users don’t accidentally publish it while testing, so we assigned the privilege “FND_VIEW_SANDBOX_PRIV” to our custom role. The table below lists the other privileges that are available. If required, you can also give the user access to publish the sandbox.
| Privilege Name | Description |
| --- | --- |
| FND_VIEW_SANDBOX_PRIV | Allows read-only access to all sandboxes. |
| FND_MANAGE_SANDBOX_PRIV | Allows management of all sandboxes. |
| FND_ADMINISTER_SANDBOX_PRIV | Allows administration of all sandboxes. |
1.2. Assign custom role to test sandbox
The custom role created in the previous step can now be assigned to the user, who can then use the navigation below to enter a sandbox.
Navigation : Configuration » Sandboxes
Here the user will see a list of all sandboxes and can click on the “Enter Sandbox” button for the sandbox in which the testing needs to be performed.
One drawback of this approach is that it requires business users to navigate through a process that they may not be familiar with, increasing the risk of mistakenly accessing the wrong sandbox. To address this issue, a profile option can be used to assign a sandbox directly to the user, eliminating the need for navigation. This option is discussed in the next step.
2. Enable profile FND_USER_SANDBOX (optional step)
In previous releases, the “FND_USER_SANDBOX” profile was all that was required to grant sandbox access to users without the need for any additional privileges or roles. However, this approach has changed in recent releases. Nevertheless, we can still use this profile smartly to assign sandboxes to users, eliminating the need to navigate through different pages and reducing the likelihood of users mistakenly assigning themselves the wrong sandbox.
Navigate to Configuration » Sandboxes » Search for the sandbox you want to share for testing and then click on the Enter Sandbox button. This is an important step to get the sandbox id, which you will need in the next step.
2.1. Enable profile option
Search for the task “Manage Administrator Profile Values” and then either search for the profile option code “FND_USER_SANDBOX” or profile display name “Active Sandbox”.
Now scroll down to the profile values section and search for the user name you are currently logged in with. (In this example I have logged in with the user name iavinash, so I am searching for that.)
As soon as you search for the user name, you will see a profile value against it. This is the sandbox id you want to share with the user for testing. Make a note of that profile value.
In the same section (FND_USER_SANDBOX: Profile Values), click on the Add (+) button, and then enter details as follows
- Profile Level : User
- User Name : Enter the user name of the person you would like to give sandbox access.
- Profile Value : Enter the profile value (sandbox id) you got earlier.
Once you have made the necessary changes, click on the Save and Close button.
2.2 Verify user has access to correct sandbox
Now log in as the user who has been given sandbox access through the profile option FND_USER_SANDBOX and has also been assigned the custom role “AVI Sandbox Access – View Only”. You will notice that the sandbox is automatically displayed on the home page as soon as the user logs in; there is no need for the user to assign the sandbox themselves.
3. Conclusion
In this article, we have discussed how to assign a sandbox directly to a non-admin user. To summarize, the following steps need to be performed:
- Create a custom role that includes one of the following privileges, depending on the requirement:
  - FND_VIEW_SANDBOX_PRIV
  - FND_MANAGE_SANDBOX_PRIV
  - FND_ADMINISTER_SANDBOX_PRIV
- Optionally, assign the sandbox to the user with the help of the profile option FND_USER_SANDBOX.
We hope that this article has been helpful. If you have any questions or thoughts on this topic, please feel free to share them in the Oracle Cloud HCM forum.