Change Manager - Return For Correction (RFC) - Security Issue
Last updated on SEPTEMBER 13, 2016
Applies to:Oracle Self-Service Human Resources - Version 12.1 HRMS RUP4 and later
Information in this document applies to any platform.
On : 12.1 HRMS RUP4 version, Assignment,Term,Pay,ChgMgr,LOA
Change Manager : Security issue on the field 'Assign New Direct Reports’ that is not restricted with any Security Profile when the LOV is opened after an Return for Correction (RFC). Note that the Manager is opening the Change Manager page from the Returned for Correction notification received in the worklist.
Steps to Reproduce
The issue can be reproduced at will with the following steps:
1. Responsibility: Manager Self-Service (logged in as Jane Doe)
2. Menu: Change Manager
3. Manager selects Action against an employee John Smith
4. See page: "Change Manager: Effective Date Options"
5. Select: Changes should take effect on the effective date as entered below
- Effective Date: 31-jan-2013
6. Manager selects Continue Button
7. See page: 'Change Manager'
8. Manager wants to Assign a New Direct Report to employee John and when selecting the Search icon they are able to see the following direct reports (who they have security access to based on Supervisor Assignment)
9. Manager selects employee James Jones
10. Manager selects Next button
11. See page "Change Manager: Review"
12. Manager adds an Adhoc Approver Sally Brown
13. Manager Submits for Approval to Sally Brown who then ‘Returns for Correction’
14. See notification: "Change Manager for John Smith (Proposed by Jane Doe) "
- NID: 3456789
- Related Applications: Link Return For Correction
15. Click Return for Correction,
- See page "Return For Correction" with Switch Responsibility: Manager Self-Service
- Jane Doe is selected
- Enter a note and Submit back to Jane Doe
16. Manager Jane Doe receives the notification in her worklist
17. See notification: "Change Manager for John Smith is Returned For Correction
- NID: 3456788
- Related Applications: Continue Action - Click
18. See Page: Change Manager: Effective Date Option
19. Click button Continue
20. See Page: Change Manager
- The current responsibility has been switched to : XXX AP Enquiry’ is displayed
21. If the Manager then searches for a different employee on the ‘Assign New Direct Reports’ they are able to see ALL employees, not just those who they had supervisor access to all.
Sign In with your My Oracle Support account
Don't have a My Oracle Support account? Click to get started
Million Knowledge Articles and hundreds of Community platforms