My Oracle Support Banner

R12: OIE: Expense Report Pending Approval URL Allows Access By Unauthorized Users (Doc ID 2185781.1)

Last updated on JULY 10, 2020

Applies to:

Oracle Internet Expenses - Version 12.1.2 and later
Information in this document applies to any platform.
Expense Report
Pending Approval
'WF: GUEST Access to Notification' profile option
Expense Report Details link
Unauthorized Users


How is it possible to prevent Unauthorized Users from accessing the URL/Link in approval notifications for the OIE application?  

For example, a user creates expense report, submits receipts and waits for manager approval.   The approving manager receives a pending approval notification email with link to expense report, displayed as "Expense Report Details."

Note that the link contains viewable Report Header ID. (Usually within the URL, the Report Header ID parm value is encrypted.)

The manager is able to cut/paste the contents of the link and pass to other active users.  Those other active users may be unauthorized to view the expense report, however, using this method they are able to view the report.

Is there a solution to encrypt the notification URL generated by the string so that it can not be accessed by any other active user?


To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.