It just happened to me that it seems permissions in Oracle Application Server (OAS) can be set on any user. A user was added lazy (missed to write in camel case) and the right to connect to the server was added to the user but written in camel case. OAS accepts both even if the user the right is added is not there. And you can’t verify the correct permissions on the enterprise manager of OAS because they are not shown there.
So to me it seems I shouldn’t be lazy and instead of just creating a user and assign permissions to the user. I should create also a user role which has the permissions assigned and assign the user role to the created user. In this case I can even change the permissions of the user role afterwards in the enterprise manager with a simple mouse click. A lazy man has more to do.