Fusion Global Payroll : Security issue with Payroll Activity Report
(Doc ID 2529748.1)
Last updated on OCTOBER 06, 2020
Applies to:
Oracle Fusion Global Payroll Cloud Service - Version 11.13.19.10.0 and later
Oracle Fusion Global Payroll - Version 11.12.1.0.0 and later
Information in this document applies to any platform.
Goal
On : 11.13.19.01.0 version, Technology Management - Fusion Security
Submit Payroll Process and Report security flaw
Oracle has a security flaw in the way 'Submit Payroll Process and Report' pattern parameters are evaluated.
It affects almost every pattern, because of how the security constraints treat a NULL value for a non-mandatory parameter. Security treats NULL as an 'acceptable nothing' and allows it to pass down to the lower-level Base Process. The Base Process, in most cases, interprets NULL as "ALL" and is not aware of the security rules applied at the top level, so it delivers the entire data set and creates a data breach.
Example:
Run the Payroll Activity Report pattern.
The non-mandatory parameter 'Payroll Name' can be left blank, and the process then delivers ALL payrolls' information even when the user's security role does not allow the user to run the process for some particular payrolls. The user cannot pick the prohibited payroll names from the parameter's LOV, but a blank parameter returns them all.
The workaround of making 'Payroll Name' mandatory is not acceptable, because users with a "View All" security role would no longer be able to get all payrolls in one run and would have to pick them one by one; with 200+ payrolls that is really not an option.
Correct security should include handling of an "All" option for those patterns that treat a parameter's NULL value as "All". One possible solution is to make the parameter mandatory (so a NULL value can't be passed to the lower level) and add an "All" option to the parameter's LOV (from Smart Lookup) that returns all possible values constrained by the top-level security. This gives "View All" users the ability to pick "All" and get everything, and, for constrained users, "All" returns the full set of parameter values minus the ones their constraints exclude.
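The flaw and the proposed fix above, as an added example that is not part of this note and not Oracle's code. It models the pattern in plain Python over an in-memory SQLite table with constructed sample data: the table, the user-to-payroll access map (USER_PAYROLL_ACCESS, where None stands for a "View All" role), and the function names are all hypothetical. report_vulnerable() reproduces the flawed flow, where the LOV is security-filtered but a blank parameter reaches the base query as NULL and the classic "NULL means all" predicate ignores the user's access. report_hardened() implements the suggested design: the parameter is mandatory, and an explicit "All" value is resolved at the top level into the user's authorised payroll list before the base query runs.

```python
import sqlite3

# Constructed sample data: three payrolls; the 'hr_us' user is authorised
# for only one of them, 'hr_all' holds a hypothetical "View All" role.
PAYROLL_ROWS = [
    ("US Monthly", "Alice", 5000),
    ("US Monthly", "Bob", 5200),
    ("UK Monthly", "Carol", 4100),
    ("Exec Payroll", "Dave", 25000),
]

# Hypothetical top-level data-security rule: user -> payroll names the user
# may report on. None stands for a "View All" role.
USER_PAYROLL_ACCESS = {
    "hr_us": {"US Monthly"},
    "hr_all": None,
}


def make_db():
    """Build the in-memory table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE payroll_activity (payroll_name TEXT, employee TEXT, gross REAL)"
    )
    conn.executemany("INSERT INTO payroll_activity VALUES (?, ?, ?)", PAYROLL_ROWS)
    return conn


def authorised_payrolls(conn, user):
    """Values the parameter LOV would offer this user: every payroll name,
    filtered by the top-level security rule."""
    names = [
        r[0]
        for r in conn.execute(
            "SELECT DISTINCT payroll_name FROM payroll_activity ORDER BY 1"
        )
    ]
    allowed = USER_PAYROLL_ACCESS[user]
    return names if allowed is None else [n for n in names if n in allowed]


def report_vulnerable(conn, user, payroll_name):
    """Flawed flow: the LOV check only runs when a value was picked; a blank
    parameter is passed through as NULL, and the base query treats NULL as
    'all payrolls' without consulting the user's access."""
    if payroll_name is not None and payroll_name not in authorised_payrolls(conn, user):
        raise PermissionError(f"{user} may not run the report for {payroll_name}")
    # The NULL-means-all predicate: security was applied to the LOV, not here.
    return conn.execute(
        "SELECT payroll_name, employee, gross FROM payroll_activity "
        "WHERE (:p IS NULL OR payroll_name = :p) ORDER BY 1, 2",
        {"p": payroll_name},
    ).fetchall()


def report_hardened(conn, user, payroll_name):
    """Hardened flow: the parameter is mandatory, and the explicit 'All'
    option is resolved at the top level to the user's authorised payrolls,
    so the base query only ever receives an explicit, constrained list."""
    if payroll_name is None:
        raise ValueError("Payroll Name is mandatory; pick a payroll or 'All'")
    allowed = authorised_payrolls(conn, user)
    if payroll_name == "All":
        targets = allowed
    elif payroll_name in allowed:
        targets = [payroll_name]
    else:
        raise PermissionError(f"{user} may not run the report for {payroll_name}")
    if not targets:
        return []
    placeholders = ",".join("?" * len(targets))
    return conn.execute(
        "SELECT payroll_name, employee, gross FROM payroll_activity "
        f"WHERE payroll_name IN ({placeholders}) ORDER BY 1, 2",
        targets,
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, hr_us, blank parameter:", report_vulnerable(db, "hr_us", None))
    print("hardened, hr_us, 'All':", report_hardened(db, "hr_us", "All"))
    print("hardened, hr_all, 'All':", report_hardened(db, "hr_all", "All"))
```

Running the block shows the constrained user receiving all four rows through the blank parameter in the flawed flow, while in the hardened flow "All" yields only the two US Monthly rows for that user and all four rows for the "View All" user. The design point is that the base query never sees a wildcard: the only way to ask for everything is a value the top level expands itself, so the security rule is applied exactly once, where it is known.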
Solution