EGRC 8.6.4.x: Manage Access Approvals Requests Are Not User Security Setup Secured.
(Doc ID 1957772.1)
Last updated on JANUARY 31, 2019
Applies to:Oracle Application Access Controls Governor - Version 8.6.4 to 8.6.5 [Release 8]
Information in this document applies to any platform.
On : 188.8.131.5240 version, Application Access Contr. Gov.
In Oracle Application Access Controls Governor (AACG), models and controls define conflicts among duties that can be assigned in a company’s applications, and identify users who have access to those conflicting duties.
AACG can also implement “preventive analysis” — it can evaluate controls as duties are assigned to users of the company’s applications, preventing them from gaining risky access.
User which does not have access to the corresponding 'pre-incidents' and approval functional security is able to see the user provisioning requests from EBS.
When navigate to Manage Access Approvals, requests should only be seen if user has access to the 'pre-incidents' and approval functional security.
The issue can be reproduced at will with the following steps:
1. Create SOB perspective hierarchy with SOB1 and SOB2 as child.
2. Create two controls for R1 and R2 Resp respectively.
a. Assign SOB1 at incident level perspective for control1.
b. Assign SOB2 at incident level perspective for control2.
3. Build the user security so that user1 can only access request for SOB1 and user 2 can only access SOB2.
4. Run CA for both the controls.
5. In EBS, create new user EBS_SOB1 and assign R1.
6. Remove end date and request submission to GRC.
7. Wait for UP job to finish.
8. Login as SOB1 user, and verify the pending request, approve and preview and it shows the control and incident data correctly.
9. Login as SOB2 user
EBS_SOB1 should not be shown under manage Access Approval page.
EBS_SOB1 is showing up under manage Access Approval page.
The issue has the following business impact:
Due to this issue, users cannot use PEA functionality effectively.
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!
In this Document