
Pricing Security At Responsibility Level Allows Unexpected Responsibility to Have View Privileges (Doc ID 1596634.1)

Last updated on FEBRUARY 03, 2019

Applies to:

Oracle Advanced Pricing - Version 11.5.10 and later
Information in this document applies to any platform.

Symptoms

On version 12.1.3, Pricing Object Security

ACTUAL BEHAVIOR
---------------
Pricing security set at the responsibility level allows an unexpected responsibility to view a price list.

EXPECTED BEHAVIOR
-----------------------
Only responsibilities that are given view and/or maintain privilege should be able to view/update price list(s).

STEPS
-----------------------
The issue can be reproduced at will with the following steps:

1) Responsibility = Oracle Pricing Administrator
2) Navigate to: Run Requests.
3) Program - Security Control
4) Pass the Parameter security control on.
5) Submit the Request.

6) Go to System Administrator -> profile -> System
Set the below profile options at site level.
  QP: Security Default Maintain Privilege = Responsibility
  QP: Security Default ViewOnly Privilege = Responsibility

7) Set the below profile option at responsibility level.
 Query for the responsibility which belongs to the UK organization (UK Order Management Superuser)
  Set MO: Operating Unit = UK Operations at responsibility level (MO: Default Operating Unit = UK Operations at responsibility level)
 Query for the responsibility which belongs to the US organization (US Pricing Maintenance User)
  Set MO: Operating Unit = ASCIT at responsibility level (MO: Default Operating Unit = ASCIT at responsibility level)

  *Note: MO: Operating Unit = ASCIT at site level


8) Create price list = US Test PL Sec Profile ON
  using responsibility = US Pricing Maintenance User

9) Create price list = UK Test PL Sec Profile ON
  using responsibility = UK Order Management Superuser



10) Under Privileges,
Query entity type = Standard Pricelist = %Test PL Sec% shows

 price list = UK Test PL Sec Profile ON
 grantee type = responsibility
 grantee name = UK Order Management Superuser
 access level = maintain
 effective start date = 17-Oct-2013

 price list = US Test PL Sec Profile ON
 grantee type = responsibility
 grantee name = US Pricing Maintenance User
 access level = maintain
 effective start date = 17-Oct-2013


11) Using responsibility = US Pricing Maintenance User
  can query (view) price list = UK Test PL Sec Profile ON
  *Note: This responsibility is not able to query (view) nor update this price list.

12) Using responsibility = UK Order Management Superuser
  *Note: Can query (view) price list = US Test PL Sec Profile ON which is NOT expected and is the issue.
         This responsibility is unable to update this price list which is correct and expected.
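
The check implied by the expected behavior can be scripted as an expected-versus-observed access audit. The following is an added example, not Oracle code or part of the original note: it models only responsibility-level grants, assumes a maintain grant also permits viewing, and uses the privilege rows from step 10 and the results noted in step 12 as constructed sample data.

```python
from datetime import date

# Privilege rows as listed in step 10 (entity, grantee type, grantee, level, start).
GRANTS = [
    ("UK Test PL Sec Profile ON", "responsibility",
     "UK Order Management Superuser", "maintain", date(2013, 10, 17)),
    ("US Test PL Sec Profile ON", "responsibility",
     "US Pricing Maintenance User", "maintain", date(2013, 10, 17)),
]

# Assumption: a maintain grant also permits viewing; a view grant does not permit updates.
IMPLIES = {"maintain": {"view", "maintain"}, "view": {"view"}}


def expected_access(grants, responsibility, price_list, action, on_day):
    """True only if an effective grant to this responsibility covers the action."""
    return any(
        entity == price_list
        and gtype == "responsibility"
        and grantee == responsibility
        and start <= on_day
        and action in IMPLIES[level]
        for entity, gtype, grantee, level, start in grants
    )


def audit(grants, observations, on_day):
    """Return observations whose actual result differs from the grant-derived one."""
    findings = []
    for resp, price_list, action, actual in observations:
        expected = expected_access(grants, resp, price_list, action, on_day)
        if actual != expected:
            kind = "UNEXPECTED ALLOW" if actual else "UNEXPECTED DENY"
            findings.append((kind, resp, price_list, action))
    return findings


# Observed results, constructed from the wording of the notes in step 12.
OBSERVED = [
    ("UK Order Management Superuser", "US Test PL Sec Profile ON", "view", True),
    ("UK Order Management Superuser", "US Test PL Sec Profile ON", "maintain", False),
]

if __name__ == "__main__":
    for finding in audit(GRANTS, OBSERVED, date(2013, 10, 18)):
        print(*finding, sep=" | ")
```

Only the view access is reported; the denied update matches the grants and produces no finding.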


NOTES
-----------
The pricing security profile QP: Security Control was initially turned on manually via System Administrator, navigating to: Profile > System.
We took the following actions:
1. Disable pricing security.
  Responsibility = Oracle Pricing Administrator
  Navigate to: Run Requests.
  Program - Security Control
  Pass the Parameter security control off.
  Submit the Request.

2. Delete the current privileges
Under Privileges,
Query entity type = Standard Pricelist = %Test PL Sec% shows

price list = US Test PL Sec Profile ON
grantee type = responsibility
grantee name = UK Order Management Superuser
access level = maintain
effective start date = 17-Oct-2013

price list = UK Test PL Sec Profile ON
grantee type = responsibility
grantee name = US Pricing Maintenance User
access level = maintain
effective start date = 17-Oct-2013


3. Enable pricing security.
  Responsibility = Oracle Pricing Administrator
  Navigate to: Run Requests.
  Program - Security Control
  Pass the Parameter security control on.
  Submit the Request.

4. Assign privileges
Under Privileges, Express Create Privileges as follows:

Entity type = standard pricelist
Entity name = US Test PL Sec Profile ON
Grantee type = responsibility
Grantee name = UK Order Management Superuser
Access level = maintain
Effective start date = 18-Oct-2013

Entity type = standard pricelist
Entity name = UK Test PL Sec Profile ON
Grantee type = responsibility
Grantee name = US Pricing Maintenance User
Access level = maintain
Effective start date = 18-Oct-2013

5. Retested.
>>The issue still remains.



BUSINESS IMPACT
-----------------------
The issue has the following business impact:
Due to this issue, users cannot use pricing security to limit access to price lists by responsibility.

Changes

 .

Cause



This document is being delivered to you via Oracle Support's Rapid Visibility (RaV) process and therefore has not been subject to an independent technical review.