R12: OIE: Expense Report Pending Approval URL Allows Access By Unauthorized Users (Doc ID 2185781.1)

Last updated on SEPTEMBER 22, 2016

Applies to:

Oracle Internet Expenses - Version 12.1.2 and later
Information in this document applies to any platform.
Expense Report
Pending Approval
'WF: GUEST Access to Notification' profile option
Expense Report Details link
URL
Unauthorized Users

Goal

How is it possible to prevent unauthorized users from accessing the URL/link in approval notifications for the OIE application?

For example, a user creates an expense report, submits receipts and waits for manager approval. The approving manager receives a pending-approval notification email with a link to the expense report, displayed as "Expense Report Details."

Note that the link contains the Report Header ID in viewable form. (Usually the Report Header ID parameter value within the URL is encrypted.)

The manager is able to copy the contents of the link and pass it to other active users. Those other active users may not be authorized to view the expense report, but by using this link they are able to view it.

In the example, the URL looks like this:
https://myinstance.com:21080/OA_HTML/OA.jsp?akRegionCode=OIEMAINPAGE&akRegionApplicationId=200&CurrentPage=OIEConfirmPage&retainAM=Y&OIERefreshAM=Y&startFrom=WF&ReportHeaderId=12345&NtfId=16729018&dbc=t1cf1d8&transactionid=1952104729&oapc=3&oas=0yaRERdV9MbrlAjgPfq1PA..

Is there a solution to encrypt the generated notification URL so that it cannot be accessed by any other active user?
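The weakness described above is that possession of the link (with its plaintext ReportHeaderId) is treated as authorization. The following is an added illustration, not Oracle's code: it parses the two identifiers out of the notification URL and contrasts a link-only check with a server-side check that ties the decision to the session user's relationship to the report and to the notification the link was issued with. The report and notification records are constructed sample data; the ids match the example URL in the document.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample data standing in for the expense-report and
# workflow-notification records (illustrative only, not Oracle tables).
REPORTS = {12345: {"owner": "jsmith", "approver": "mjones"}}
NOTIFICATIONS = {16729018: {"report": 12345, "recipient": "mjones"}}

# The example link from the document, trimmed to the parameters used here.
LINK = ("https://myinstance.com:21080/OA_HTML/OA.jsp?akRegionCode=OIEMAINPAGE"
        "&akRegionApplicationId=200&CurrentPage=OIEConfirmPage&startFrom=WF"
        "&ReportHeaderId=12345&NtfId=16729018")


def link_params(url):
    """Pull the two identifiers the link exposes out of the query string."""
    qs = parse_qs(urlparse(url).query)
    return int(qs["ReportHeaderId"][0]), int(qs["NtfId"][0])


def can_view_link_only(url, session_user):
    """Behaviour the document describes: any active (logged-in) user who
    holds a link to an existing report can open it."""
    report_id, _ = link_params(url)
    return session_user is not None and report_id in REPORTS


def can_view(url, session_user):
    """Hardened check (hypothetical): the ReportHeaderId from the URL is only
    a lookup key; the decision comes from who the session user is."""
    report_id, ntf_id = link_params(url)
    report = REPORTS.get(report_id)
    ntf = NOTIFICATIONS.get(ntf_id)
    if report is None or ntf is None:
        return False
    if ntf["report"] != report_id:  # notification does not belong to this report
        return False
    if session_user == report["owner"]:  # the report's own submitter
        return True
    # An approver may open it only through a notification addressed to them.
    return session_user == report["approver"] and session_user == ntf["recipient"]
```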

Solution
