R12: OIE: Expense Report Pending Approval URL Allows Access By Unauthorized Users
Last updated on SEPTEMBER 22, 2016
Applies to: Oracle Internet Expenses - Version 12.1.2 and later
Information in this document applies to any platform.
'WF: GUEST Access to Notification' profile option
Expense Report Details link
How is it possible to prevent Unauthorized Users from accessing the URL/Link in approval notifications for the OIE application?
For example, a user creates an expense report, submits receipts, and waits for manager approval. The approving manager receives a pending approval notification email with a link to the expense report, displayed as "Expense Report Details."
Note that the link contains a viewable Report Header ID. (Usually within the URL, the Report Header ID parameter value is encrypted.)
The manager is able to cut/paste the contents of the link and pass it to other active users. Those other active users may be unauthorized to view the expense report; however, using this method they are able to view the report.
In the example, the URL looks like this:
Is there a solution to encrypt the notification URL generated by the string so that it cannot be accessed by any other active user?