Change Manager - Return For Correction (RFC) - Security Issue (Doc ID 1532740.1)

Last updated on SEPTEMBER 13, 2016

Applies to:

Oracle Self-Service Human Resources - Version 12.1 HRMS RUP4 and later
Information in this document applies to any platform.

Symptoms

On: 12.1 HRMS RUP4 version, Assignment, Term, Pay, ChgMgr, LOA

Change Manager: Security issue on the field 'Assign New Direct Reports', which is not restricted by any Security Profile when the LOV is opened after a Return for Correction (RFC). Note that the Manager opens the Change Manager page from the Returned for Correction notification received in the worklist.



Steps to Reproduce
The issue can be reproduced at will with the following steps:

1.  Responsibility: Manager Self-Service (logged in as Jane Doe)

 2. Menu: Change Manager

 3. Manager selects Action against an employee John Smith

 4. See page: "Change Manager: Effective Date Options"

 5. Select: Changes should take effect on the effective date as entered below

 6. Manager selects Continue Button

 7. See page: 'Change Manager'

 8. Manager wants to assign a New Direct Report to employee John; when selecting the Search icon, they are able to see the following direct reports (those they have security access to based on Supervisor Assignment)

 9. Manager selects employee James Jones

10. Manager selects Next button

11. See page "Change Manager: Review"

12. Manager adds an Adhoc Approver Sally Brown

13. Manager Submits for Approval to Sally Brown, who then 'Returns for Correction'

14. See notification: "Change Manager for John Smith  (Proposed by Jane Doe) "

15. Click Return for Correction

16. Manager Jane Doe receives the notification in her worklist

17. See notification: "Change Manager for John Smith is Returned For Correction"

18. See Page: Change Manager: Effective Date Options

19. Click button Continue

20. See Page: Change Manager

21. If the Manager then searches for a different employee on the 'Assign New Direct Reports' field, they are able to see ALL employees, not just those to whom they had supervisor access.


Cause
