SP3 Process Sync Ignores Security
(Doc ID 2154528.1)
Last updated on OCTOBER 06, 2022
Applies to:Oracle Utilities Meter Data Management - Version 220.127.116.11 to 18.104.22.168 [Release 2.1]
Information in this document applies to any platform.
In Meter Data Management version 22.214.171.124, a user with 'Inquire' only permissions is able to process the sync.
As a part of SP3 there is a new piece of functionality that allows for the online transition of data syncs through the UI. This provides a new "Process Sync" button on the UI; however, this button does not check the sync BO's application service when a user navigates to the sync and attempts to click the button.
There are a few "read-only" user groups that only have Inquire access to sync BOs, in particular, for Service Points, Install Events, and Usage Subscriptions. These users can successfully process a Pending or Erred sync, and that is not desirable.
The application service not being checked is Sync Request Inbound Ongoing BO - D1-SYNCREQINONGOBOAS.
These sync BO's share a common UI Map and UI Map Service script. These currently do not check the application service above.
UI Map: Sync Request Inbound Display - D1-SyncRequestInboundDisplay
UI Map SS: Sync Request Inbound - Retrieve Details for Display - D1-SynInDisp
This can be reproduced using following steps:
The issue can be reproduced at will with the following steps:
1. Perform XAI submission to create sync request
2. Navigate to sync request
3. Attempt to synchronize the sync request by clicking on "Process Sync" button.
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!
In this Document