Pricing Security At Responsibility Level Allows Unexpected Responsibility to Have View Privileges (Doc ID 1596634.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Advanced Pricing - Version 11.5.10 and later
Information in this document applies to any platform.

Symptoms

On: 12.1.3 version, Pricing Object Security

ACTUAL BEHAVIOR
---------------
Pricing security set at responsibility level allows an unexpected responsibility to view a price list.

EXPECTED BEHAVIOR
-----------------------
Only responsibilities that are given view and/or maintain privilege should be able to view/update price list(s).

STEPS
-----------------------
The issue can be reproduced at will with the following steps:

1) Responsibility = Oracle Pricing Administrator
2) Navigate to: Run Requests.
3) Program - Security Control
4) Pass the Parameter security control on.
5) Submit the Request.

6) Go to System Administrator -> profile -> System
Set the below profile options at site level.
  QP: Security Default Maintain Privilege = Responsibility
  QP: Security Default ViewOnly Privilege = Responsibility

7) Set the below profile options at responsibility level.
 Query for the responsibility which belongs to the UK organization (UK Order Management Superuser)
  Set MO: Operating Unit = UK Operations at responsibility level (MO: Default Operating Unit = UK Operations at responsibility level)
 Query for the responsibility which belongs to the US organization (US Pricing Maintenance User)
  Set MO: Operating Unit = ASCIT at responsibility level (MO: Default Operating Unit = ASCIT at responsibility level)

  *Note: MO: Operating Unit = ASCIT at site level


8) Create price list = US Test PL Sec Profile ON
  using responsibility = US Pricing Maintenance User

9) Create price list = UK Test PL Sec Profile ON
  using responsibility = UK Order Management Superuser

10) Under Privileges, querying entity type = Standard Pricelist with entity name = %Test PL Sec% shows:

 price list = UK Test PL Sec Profile ON
 grantee type = responsibility
 grantee name = UK Order Management Superuser
 access level = maintain
 effective start date = 17-Oct-2013

 price list = US Test PL Sec Profile ON
 grantee type = responsibility
 grantee name = US Pricing Maintenance User
 access level = maintain
 effective start date = 17-Oct-2013


11) Using responsibility = US Pricing Maintenance User
  can query (view) price list = UK Test PL Sec Profile ON
  *Note: This responsibility is not able to query (view) nor update this price list.

12) Using responsibility = UK Order Management Superuser
  *Note: Can query (view) price list = US Test PL Sec Profile ON which is NOT expected and is the issue.
         This responsibility is unable to update this price list which is correct and expected.


NOTES
-----------
The pricing security profile QP: Security Control was initially turned on manually via System Administrator, navigating to: Profile > System.
We took the following actions:
1) Disable pricing security.
  Responsibility = Oracle Pricing Administrator
  Navigate to: Run Requests.
  Program - Security Control
  Pass the Parameter security control off.
  Submit the Request.

2) Delete the current privileges.
Under Privileges, querying entity type = Standard Pricelist with entity name = %Test PL Sec% shows:

price list = US Test PL Sec Profile ON
grantee type = responsibility
grantee name = UK Order Management Superuser
access level = maintain
effective start date = 17-Oct-2013

price list = UK Test PL Sec Profile ON
grantee type = responsibility
grantee name = US Pricing Maintenance User
access level = maintain
effective start date = 17-Oct-2013


3) Enable pricing security.
  Responsibility = Oracle Pricing Administrator
  Navigate to: Run Requests.
  Program - Security Control
  Pass the Parameter security control on.
  Submit the Request.

4) Assign privileges.
Under Privileges, use Express Create Privileges as follows:

Entity type = standard pricelist
Entity name = US Test PL Sec Profile ON
Grantee type = responsibility
Grantee name = UK Order Management Superuser
Access level = maintain
Effective start date = 18-Oct-2013

Entity type = standard pricelist
Entity name = UK Test PL Sec Profile ON
Grantee type = responsibility
Grantee name = US Pricing Maintenance User
Access level = maintain
Effective start date = 18-Oct-2013

5) Retested.
   The issue still remains.

BUSINESS IMPACT
-----------------------
The issue has the following business impact:
Due to this issue, users cannot use pricing security to limit access to price lists by responsibility.

Changes

 .

Cause
