Change Manager - Return For Correction (RFC) - Security Issue
(Doc ID 1532740.1)
Last updated on JULY 07, 2020
Applies to: Oracle Self-Service Human Resources - Version 12.1 HRMS RUP4 and later
Information in this document applies to any platform.
On: 12.1 HRMS RUP4 version, Assignment, Term, Pay, ChgMgr, LOA
Change Manager: Security issue on the field 'Assign New Direct Reports', which is not restricted by any Security Profile when the LOV is opened after a Return for Correction (RFC). Note that the Manager opens the Change Manager page from the Returned for Correction notification received in the worklist.
Steps to Reproduce
The issue can be reproduced at will with the following steps:
1. Responsibility: Manager Self-Service (logged in as <MGR1>)
2. Menu: Change Manager
3. Manager selects Action against an employee <EMP1>
4. See page: "Change Manager: Effective Date Options"
5. Select: Changes should take effect on the effective date as entered below
- Effective Date: 31-jan-2018
6. Manager selects Continue Button
7. See page: 'Change Manager'
8. Manager wants to assign a new direct report to employee <EMP1>. When selecting the Search icon, they are able to see the following direct reports (those they have security access to based on Supervisor Assignment)
9. Manager selects employee <MGR2>
10. Manager selects Next button
11. See page "Change Manager: Review"
12. Manager adds an Adhoc Approver <APPROVER1>
13. Manager Submits for Approval to <APPROVER1> who then ‘Returns for Correction’
14. See notification: "Change Manager for <EMP1> (Proposed by MGR1)"
- NID: 3456789
- Related Applications: Link Return For Correction
15. Click Return for Correction
- See page "Return For Correction" with Switch Responsibility: Manager Self-Service
- <APPROVER1> is selected
- Enter a note and Submit back to <APPROVER1>
16. Manager <MGR1> receives the notification in her worklist
17. See notification: "Change Manager for <EMP1> is Returned For Correction"
- NID: 3456788
- Related Applications: Continue Action - Click
18. See Page: Change Manager: Effective Date Option
19. Click button Continue
20. See Page: Change Manager
- 'The current responsibility has been switched to : XXX Enquiry' is displayed
21. If the Manager then searches for a different employee in the 'Assign New Direct Reports' field, they are able to see ALL employees, not just those to whom they had supervisor access.