E1: 07: Employee Self Service (ESS) Manager Review & Approval Security Breach (Doc ID 1947528.1)

Last updated on DECEMBER 03, 2015

Applies to:

JD Edwards EnterpriseOne Time and Labor - Version 9.0 to 9.0 [Release 9.0]
Information in this document applies to any platform.

Symptoms

JD Edwards EnterpriseOne 9.0 / Tools Release 9.1 / Self Service Manager Review and Approval / P051129

On the Manager Review and Approval screen, any supervisor who is set up as a delegate has the ability to change the Manager Number field. Normally, when the delegate uses the Visual Assist to look up another supervisor number and chooses a supervisor number that they are not a delegate for, the program gives them an error and disables the buttons, such as Find Timecards or Find Employees with Missing Timecards. If, however, they ENTER another supervisor number that they are not a delegate for, and then immediately click on Find Timecards WITHOUT tabbing out of the Manager Number field first, the program displays the data for this other manager (that they should not have access to). The error appears on the screen for a fraction of a second and the Find Timecards button is greyed out, but the data that they shouldn’t see has already been displayed. The edit is being done AFTER the data has been displayed rather than before.
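The ordering problem described above, as an added example that is not Oracle's code and not part of the original note: a simplified Python model of a form whose delegate check runs only in the field-exit event, next to a handler that authorizes inside the data path before reading. All class, function and data names are hypothetical, and the sample delegates and timecards are constructed.

```python
# Simplified model of the behaviour described in the note; not JD Edwards code.
# All names and sample data below are constructed for illustration.

DELEGATES = {"sup_100": {"sup_100", "sup_200"}}  # user -> managers they may act for
TIMECARDS = {
    "sup_200": ["tc-2001", "tc-2002"],
    "sup_300": ["tc-3001"],  # sup_100 is NOT a delegate for sup_300
}


class AccessDenied(Exception):
    """Raised when the user is not a delegate for the requested manager."""


def is_authorized(user, manager):
    return manager in DELEGATES.get(user, set())


class ReviewForm:
    """Form whose delegate check lives in the Manager Number field-exit event."""

    def __init__(self, user):
        self.user = user
        self.manager = user
        self.find_enabled = True

    def on_manager_field_exit(self):
        # Fires only when focus leaves the Manager Number field.
        self.find_enabled = is_authorized(self.user, self.manager)

    def find_timecards_unchecked(self):
        # Flawed order: rows are read first, the edit runs afterwards.
        rows = TIMECARDS.get(self.manager, [])
        self.on_manager_field_exit()  # button greys out, but rows already returned
        return rows

    def find_timecards_checked(self):
        # Check-before-read: authorize in the data path, independent of UI events.
        if not is_authorized(self.user, self.manager):
            self.find_enabled = False
            raise AccessDenied(self.manager)
        return TIMECARDS.get(self.manager, [])
```

The point of the second handler is that the authorization decision does not depend on which UI event fired first, so typing a value and clicking immediately cannot skip it.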

Cause
