EGRC 8.6.5.9182: Role-based (grant) Security - Even Though Grant Flag is Not Selected in Menu Definition, Function is Getting Reported in Incident Result.

(Doc ID 2124146.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Application Access Controls Governor - Version 8.6.5 and later
Information in this document applies to any platform.

Symptoms

On Application Access Controls Governor, version 8.6.5.9182:

In Oracle Application Access Controls Governor (AACG), models and controls define conflicts among duties that can be assigned in a company’s applications, and identify users who have access to those conflicting duties.
AACG can also implement “preventive analysis” — it can evaluate controls as duties are assigned to users of the company’s applications, preventing them from gaining risky access.

ACTUAL BEHAVIOR
---------------
Even though the Grant flag is not selected in the menu definition, the function is reported in the incident result.

EXPECTED BEHAVIOR
-----------------------
If the Grant flag is off, the function should not be reported in the incident result set.

STEPS
-----------------------
The issue can be reproduced at will with the following steps:
1. Make sure the Grant flag is off for the function used in the model.
2. Run the model.
3. Review the result.

Test Case:
========

1. Created model 'Test SR 3-11586807101' to look for access point 'Search Person / User UI' for XXXX DataSource.
2. Ran the model and got the following incidents for user 'TEST_SR3-11586758181':
User Management-Application Object Library > User Management : Top Level Menu > Search Person / User UI
User Management-Application Object Library > User Management : Top Level Menu > User Management - Home Page Menu > User Management - User Administration and Setups > Search Person / User UI
User Management-Application Object Library > User Management : Top Level Menu > User Management - Home Page Menu > User Management - User Administration and Setups > User Maintenance UI's > Search Person / User UI
3. Verified in EBS that:
For 'User Management : Top Level Menu' Menu, grant flag is unchecked for all submenus and Functions attached to it.
For 'User Management - Home Page Menu' Sub Menu, grant flag is unchecked for all submenus and Functions attached to it.
For 'User Management - User Administration and Setups' Sub Menu, grant flag is unchecked for all submenus and Functions attached to it.
For 'User Maintenance UI's' Sub Menu, grant flag is unchecked for all submenus and Functions attached to it.
4. Created a global condition with the following logic:
Menu Function Grant Flag Equal Y
Unchecked.
5. Ran the model again and got the following incidents for user 'TEST_SR3-11586758181':
User Management-Application Object Library > User Management : Top Level Menu > User Management - Home Page Menu > User Management - User Administration and Setups > Search Person / User UI
User Management-Application Object Library > User Management : Top Level Menu > User Management - Home Page Menu > User Management - User Administration and Setups > User Maintenance UI's > Search Person / User UI

Expected:
========
None
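
The expected result of the test case can be modelled outside the product. The following is an added example, not Oracle or AACG code: it enumerates the menu paths to the function and drops any path that contains an entry with the Grant flag off. The entry layout, the function names and the rule that every entry on a path must have the flag set to Y are assumptions made for illustration; the menu names are taken from the test case and the flag values are constructed.

```python
from collections import defaultdict, namedtuple

Entry = namedtuple("Entry", "parent child is_function grant_flag")

ROOT = "User Management : Top Level Menu"
FUNCTION = "Search Person / User UI"
HOME = "User Management - Home Page Menu"
ADMIN = "User Management - User Administration and Setups"
MAINT = "User Maintenance UI's"

# Constructed sample data: menu names from the test case, every Grant flag off.
ENTRIES = [
    Entry(ROOT, FUNCTION, True, "N"),
    Entry(ROOT, HOME, False, "N"),
    Entry(HOME, ADMIN, False, "N"),
    Entry(ADMIN, FUNCTION, True, "N"),
    Entry(ADMIN, MAINT, False, "N"),
    Entry(MAINT, FUNCTION, True, "N"),
]

def paths_to_function(entries, root, function):
    """Return [(path, flags)] for every menu path from root to function."""
    children = defaultdict(list)
    for e in entries:
        children[e.parent].append(e)
    found = []

    def walk(menu, path, flags):
        for e in children[menu]:
            if e.is_function:
                if e.child == function:
                    found.append((path + [e.child], flags + [e.grant_flag]))
            elif e.child not in path:  # guard against menu cycles
                walk(e.child, path + [e.child], flags + [e.grant_flag])

    walk(root, [root], [])
    return found

def reportable_paths(entries, root, function, honor_grant_flag=True):
    """Paths an access analysis should report as incidents.

    Assumption: a path grants the function only if every entry on it has flag Y.
    """
    return [" > ".join(path)
            for path, flags in paths_to_function(entries, root, function)
            if not honor_grant_flag or all(f == "Y" for f in flags)]

if __name__ == "__main__":
    print(len(reportable_paths(ENTRIES, ROOT, FUNCTION, honor_grant_flag=False)))
    print(reportable_paths(ENTRIES, ROOT, FUNCTION))
```

With the flag ignored, the model finds the same three paths that step 2 reports; with the flag honored, the list is empty, matching the expected result.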

BUSINESS IMPACT
-----------------------
The issue has the following business impact:
Due to this issue, users cannot do remediation effectively.

Cause
