Employee Can View And Update Other Employees’ Data (Doc ID 2240826.1)

Last updated on APRIL 20, 2017

Applies to:

Oracle Fusion Global Human Resources Cloud Service - Version 11.1.11.1.0 and later
Information in this document applies to any platform.

Symptoms

On: Rel 11 version, Global Human Resources

ACTUAL BEHAVIOR
---------------
A user with only the seeded Employee role attached is able to view and actually update other employees’ information via the Directory or Person Gallery. This includes viewing their salaries, adding absence records, and managing their User Accounts, Personal Contributions, etc.

EXPECTED BEHAVIOR
-----------------------
The Employee role should provide access to view own data.

STEPS
-----------------------
The issue can be reproduced at will with the following steps:
1. Log in as an employee
2. Person Gallery
3. Select a card of another employee
4. Able to view and actually update other employees’ information

BUSINESS IMPACT
-----------------------
The issue has the following business impact: Security issue

Cause
