Several seeded REST APIs are available to help you show data in List and Document blocks safely and securely, so you don't have to write REST APIs.
These APIs typically start with function-data/* and accept one or more parameters. All these API calls use the GET method only.
When defining your List and Document blocks, you can specify the REST API endpoint to retrieve the data. This is where you specify the function-data REST API you want to use.
These APIs include a functionName path parameter, the code name of an Application (FND) Function, or Permission. So the REST API can query this Data Object to return data, you must define the Application Function or Permission with a Data Object against it, which is nearly always a database view. You must include the Function or Permission in a Permission Set (or Menu) and grant access so that the appropriate users can access it.
When you grant Permission Sets access, you can specify an Instance Set, a WHERE predicate applied to restrict the set of rows returned by the Data Object.
The REST API builds the SQL query as follows:
SELECT *
FROM <database view on the Data Object linked to the Function or Permission>
WHERE <Instance Sets defined on the Grant>
Your Instance Set can include global variables, such as fnd_global.employee_id, to help restrict the rows. To join your Data Object, you prefix the predicate with &TABLE_ALIAS.<column_name>, substituted for the table alias at runtime. For example, this predicate limits rows to just those where the person Id on the view is the same as the logged-on person: &TABLE_ALIAS.person_id = fnd_global.employee_id.
If a user has multiple grants that apply to them, the Instance Set conditions for each Grant are combined using a logical OR (essentially a SQL OR statement).,/p>
Take care to write Instance Sets that perform well and are fast. Poorly performing Instance Sets may have a detrimental impact on the performance of your application.
Registering your custom database view
New database views you create on the database aren't be available as the source of a Data Object until you register them. Registering a database view creates metadata in standard Oracle tables such as fnd_views and fnd_view_columns.
You can use our helper utility to register your view. Change the below parameters and run this PL/SQL script:
BEGIN
xxas_fnd_dictionary_pkg.add_view
(p_application_short_name => xxas_util_pkg.app
,p_view_name => 'YOUR_DATABASE_VIEW_NAME_V'
,p_description => 'YOUR_DATABASE_VIEW_NAME_V');
END;
/COMMIT;
You will need to re-run this each time you change the view's definition, such as adding a new column or changing a column alias.
Defining Grants
You create grants using Oracle-standard pages, such as Functional Administrator: Security: Grants or User Management.
Before creating grants, you will need to have already:
- Created a Permission Set and included your Function or Permission.
- Created relevant Instance Sets to restrict the rows a user sees in the underlying Data Object. You create Instance Sets using the Functional Developer role (you cannot create Instance Sets through Functional Administrator).
When defining Permission Sets, use one Permission per Permission Set (1:1). It might seem sensible to group related permissions into a single set. Still, our experience tells us this leads to confusion and, sometimes, failed security (e.g., if any permissions have different Data Objects against them).
The Grant pages can be a little confusing, so here are some tips on defining grants for use with the function-data REST APIs:
- When naming grants, we use the naming standard <Role Name> - <Permission Set> (<Instance Set>). For example, Applaud Employee Self Service Role - Applaud Absences (belonging to logged-on person).
- The Grantee Type is nearly always a Group of Users, and the Grantee the name of a role, such as Applaud Employee Self Service Role.
- You can grant it to All Users, but we don't recommend you do this. For example, external iProcurement users would gain access - is that what you'd want? Usually, it's better to control through roles.
- You can grant to Specific Users, but this is often a bad idea because of the maintenance overhead. You could grant it to just yourself for testing purposes but don't forget: you might think something is working fine, but it might be only you who can see it.
- Always leave Operating Unit and Responsibility blank.
- Always set the Data Object to the same Data Object-defined on the Function or Permission inside the Permission Set. This must match; the Grant will not work at all otherwise.
- The defining of the Data Object Context, the Data Context Type is usually Instance Set. All Rows mean that every user granted access can see every row in the Data Object. This might be the case for something like an Announcements list, but in most cases, you want to restrict the rows based on the user's context, for example, just absences for the logged-on person.
- You will not need to use Instance Set parameters.
- The Set is the name of the Permission Set that includes your Function or Permission. This is a good chance for you to double-check the Data Object on the Grant matches the Data Object on the permission inside the Permission Set.
function-data REST APIs
REST API | Example | Usage |
---|---|---|
function-data/{functionName} | function-data/XXX_MY_FUNCTION | This REST API accepts no additional parameters, so the queried Data Object will be unrestricted. However, you can grant with Instance Sets to apply restrictions. |
function-data/{functionName}/by-pk1/{instancePk1Value} |
function-data/XXX_MY_FUNCTION/by-pk1/12345 function-data/XXX_MY_FUNCTION/by-pk1/{PERSON_ID} function-data/XXX_MY_FUNCTION/by-pk1/{INSTANCE_PK1_VALUE} |
Use this API to restrict the results from the Data Object by the value of Column 1 (the 1st column defined on the Data Object definition). Although you can hard-code the value (as in the example here that uses 12345), you want to use a dynamic variable most of the time. You can pass any of the keys available to the page by including the key name in curly braces (eg, {PERSON_ID}). You can also pass any of Columns1..5 defined on the Data Object against the block (the data object on the block is nearly always different to the data object against functionData). |
function-data/{functionName}/by-pkN/{instancePk1Value} |
function-data/XXX_MY_FUNCTION/by-pk2/{PERSON_ID} function-data/XXX_MY_FUNCTION/by-pk3/{PERSON_ID} function-data/XXX_MY_FUNCTION/by-pk4/{PERSON_ID} function-data/XXX_MY_FUNCTION/by-pk5/{PERSON_ID} |
The same as above, except by-pkN can restrict the results from the Data Object by the value of Column 2-5 (the 2nd, 3rd, 4th or 5th) column defined on the Data Object definition). |
function-data/{functionName}/by-person/{personId} |
function-data/XXX_MY_FUNCTION/by-person/12345 function-data/XXX_MY_FUNCTION/by-person/{PERSON_ID} function-data/XXX_MY_FUNCTION/by-person/{INSTANCE_PK1_VALUE} |
Use this API to restrict the results from the Data Object on its PERSON_ID column. The view on the Data Object must have a column called PERSON_ID for this to work, but this column does not need to be defined as one of the 5 Data Object columns. Although you can hard-code the person Id (as in the example here that uses 12345), you want to use a dynamic variable most of the time. You can pass any of the keys available to the page by including the key name in curly braces (e.g., {PERSON_ID}). You can also pass any of Columns1..5 defined on the Data Object against the block (the data object on the block is nearly always different from the data object against functionData). |
function-data/{functionName}/by-creator-person/{personId} | function-data/XXX_MY_FUNCTION/by-creator-person/12345 function-data/XXX_MY_FUNCTION/by-creator-person/{PERSON_ID} function-data/XXX_MY_FUNCTION/by-creator-person/{INSTANCE_PK1_VALUE} |
This is identical in behavior to the above (by-person), except the data object is restricted by a CREATOR_PERSON_ID column. The view on the Data Object must have a column called CREATOR_PERSON_ID for this to work, but this column does not need to be defined as one of the 5 Data Object columns. |
function-data/{functionName}/by-job/{assignmentId} | function-data/XXX_MY_FUNCTION/by-job/12345 function-data/XXX_MY_FUNCTION/by-job/{ASSIGNMENT_ID} function-data/XXX_MY_FUNCTION/by-job/{INSTANCE_PK1_VALUE} |
This is identical in behavior to the above (by-person), except the data object is restricted by an ASSIGNMENT_ID column. The view on the Data Object must have a column called ASSIGNMENT_ID for this to work, but this column does not need to be defined as one of the 5 Data Object columns. |