User Without Required Privilege Is Able to Add User Group to Own Profile by Drag and Drop from 'Recently Visited' Pane, In Agile (Doc ID 1950202.1)

Last updated on NOVEMBER 05, 2015

Applies to:

Oracle Agile Product Collaboration - Version 9.3.3.0 and later
Information in this document applies to any platform.

Symptoms

On Oracle Agile PLM version 9.3.3,  Roles & Privileges

ACTUAL BEHAVIOR  
-----------------------
User without required privilege is able to add User Group to own profile by Drag and Drop from 'Recently Visited' pane


EXPECTED BEHAVIOR
-----------------------
Expect to not be able to add Other Privileges if not allowed.


STEPS
-----------------------
The issue can be reproduced at will with the following steps:


1. Start with any user without Privileges to modify User Group access (Create a user with just Read & Discover for both Users and User Groups, the latter so that one can get a User Group in their Recently Visited)
    Log in as the Limited access User:
2. Search for and access any user group.
3. Access own Profile's User Group tab.
Note that the Add button is grayed out, denoting no Privilege
4. Drag the User Group from the Recently Visited pane to own User Group tab.  
User now has that User Group and all of it's associated Roles and Privileges.

Cause

Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms