
Change Manager - Return For Correction (RFC) - Security Issue (Doc ID 1532740.1)

Last updated on OCTOBER 17, 2023

Applies to:

Oracle Self-Service Human Resources - Version 12.1 HRMS RUP4 and later
Information in this document applies to any platform.


On: 12.1 HRMS RUP4 version, Assignment, Term, Pay, ChgMgr, LOA

Change Manager: Security issue on the field 'Assign New Direct Reports', which is not restricted by any Security Profile when the LOV is opened after a Return for Correction (RFC). Note that the Manager opens the Change Manager page from the Returned for Correction notification received in the worklist.

Steps to Reproduce
The issue can be reproduced at will with the following steps:

1.  Responsibility: Manager Self-Service (logged in as <MGR1>)

 2. Menu: Change Manager

 3. Manager selects Action against an employee <EMP1>

 4. See page: "Change Manager: Effective Date Options"

 5. Select: Changes should take effect on the effective date as entered below

 6. Manager selects Continue Button

 7. See page: 'Change Manager'

 8. Manager wants to Assign a New Direct Report to employee <EMP1> and when selecting the Search icon they are able to see the following direct reports (who they have security access to based on Supervisor Assignment)

 9. Manager selects employee <MGR2>

10. Manager selects Next button

11. See page "Change Manager: Review"

12. Manager adds an Adhoc Approver <APPROVER1>

13. Manager Submits for Approval to <APPROVER1> who then ‘Returns for Correction’

14. See notification: "Change Manager for <EMP1>  (Proposed by MGR1) "

15. Click Return for Correction

16. Manager <MGR1> receives the notification in her worklist

17. See notification: "Change Manager for <EMP1> is Returned For Correction"

18. See Page: Change Manager: Effective Date Option

19. Click button Continue

20. See Page: Change Manager

21. If the Manager then searches for a different employee in the ‘Assign New Direct Reports’ field, they are able to see ALL employees, not just those to whom they had supervisor access.

