"Privileged" Users in EBS

Hello Erman! Trust you are in good health.
Today we had a requirement from our auditors - to provide them the list of "privileged" users in EBS. I am not sure what exactly is meant by "privileged" users. For example, is a user with Application Developer" responsibility a privileged user? Which responsibilities - other than System Administrator - can we use to identify privileged users?

Okay. If it is not certain and it is abstract, then you will define the privileged users/responsibilities, and then report the users which belong to that group. For instance, SYSADMIN is privileged user. System Administrator is a privileged responsibility in that context.
But a custom user may also have critical responsibilities and can be considered as a privileged user.
That list may differ.. It depends on the responsibilities assigned to your users.

You can query the database to find those things..
Tables like fnd_user  fnd_user_resp_groups , fnd_responsibility can be queried for this. There are some scripts already available in oracle blogs for querying these tables.

We have also standard concurrent programs for listing the active users and active responsibilities.
check -> Active Users Report & Active Responsibilities Report

Some more tips on this... ->

Responsibilities with Broad System Access:

Application Developer: Can create and modify custom code, potentially impacting system behavior and data integrity.
Responsibilities with direct database access via SQL tools: These users can bypass application-level controls.
Network and system administration related responsibilities: These have the capacity to alter the underlying infrastructure supporting EBS.

Responsibilities with Access to Sensitive Data:

Finance and Accounting focused responsibilities: Handle financial transactions and hold confidential financial information.
HR responsibilities: Access and manage employee data which may be deemed personally identifiable information (PII).
Responsibilities handling customer data: Especially important to scrutinize under privacy regulations like GDPR.

Thanks you very much, Erman!