User Group Security Not Working in Quality
(Doc ID 473445.1)
Last updated on AUGUST 22, 2020
Applies to:Oracle Quality - Version 11.5.9 to 12.2.4 [Release 11.5 to 12.2]
Information in this document applies to any platform.
The User Group Security is not working in Quality,
OBSERVED BEHAVIOR: The user, despite being disabled from the User Group, still has an access to the plan.
The issue can be tested with the following steps (on the Quality Security Functionality)
1. Using the System Administrator responsibility, Navigate to Security -> Users and create a new FND user.
2. Add to the user the following responsibilities:
a. Manufacturing and Distribution Manager
b. System Administrator
c. Application Developer
3. Set the profile value for "QA:Collection Plan Security" as "YES" at the site level.
4. Select the Manufacturing and Distribution Manager responsibility.
5. Set the profile value for "HZ: Execute API Callouts" as "NO".
6. Navigate to Quality -> Setup -> User Groups
7. Create a new user group. Add the FND user created in step#1. Save the data.
8. Navigate to Quality -> Setup -> Grant Privileges. Select the User Group name created in the previous step.
In the Collection Plan listing, select one of the Collection Plan names that appear in the LOV.
Check all the
5 privileges for the UserGroup -> Collection Plan combination. Save.
9. Select the system administrator responsibility. Run the concurrent program "Synchronize WF
Local Tables" for the Orig System "HZ_GROUP". Check for its successful completion.
Note for R12:
The User should log out of the application after changing the profile value and
then run the 'Workflow Directory Services User/Role Validation' program using the Sysadmin
responsibility for the entities HZ Groups and HZ Parties. The customer should also
ensure that the profile value "QA:Collection Plan Security" is set to 'Yes' and is not set on the user or resp level. It needs to be set to the site level.
10.Log into the application using the new FND user created. Select the Manufacturing and Disribution Manager responsibility.
11. Navigate to Quality -> Setup -> Collection plans. Do a blind query on the Collection Plan name.
The only plan that should come up, should be the one on which the privileges have been granted in step #8.
12. Log on using the Prev User. Select the Manufacturing and Dist Manager resp. Navigate to Quality-> Setup-> User Group. Disable the new FND user from the User group.
13. Run the concurrent program using the System Admin resp as done in step #9
14. Re-login using the new FND user and repeat step 11.
No collection plans should be brought up on doing a blind query.
15. Using the prev user, reenable the new FND user in the User Group and repeat steps 9, 10, 11
The Collection plan on which the privileges have been granted, should be listed again.
16. Repeat the same with Multiple FND users added under the FND group and multiple FND Groups created.
Please try this from Note 335824.1 UNABLE TO DELETE/DISABLE USER LOGIN FROM USER GROUP NAME IN QUALITY MODULE
Unable to delete/disable User Login from User Group Name defined in Quality
Module. User Login ID once included in an User Group (in Quality Module) cannot
Quality Define User Groups form does not get saved when the member is disabled because of the
raised in HZ_REGISTRY_VALIDATE_V2PUB.validate_party (in ARH2RGVB.pls)
when validating HR security.
Responsibility: Application Developer
Query up name = HZ_CREATED_BY_MODULE
Check the checkbox Visible under User Access.
Check the checkbox Visible and Updatable for Site under Hierarchy Type
Save the form.
Responsibility: System Administrator
Navigation: Profile -> System
Query up Profile = HZ: Created By Module
Set value for site as HR API (There is a space between HR and API.Do
not set any value for other levels - Application, Responsibility...)
Save the form.
Now try to disable the member in the Quality User Group form and save the form. The form should
get saved without any issues.
You have to run the synchronize program every time you make any changes to the user group. Please
try this and let me know
I disabled user from the user group and I launched concurrent program “Synchronize WF Local
(Parameters: Orig System= ALL, Parallel Process = 0, Logging Mode = Logging, Temporaney
Raise Errors = Yes) but the user can see all collection plan related to that group yet
Please try this Workaround in your test instance
Go to SYSADMIN > Security > USER > Define
Query the user you want to delete on the user group.
Notice that the field 'customer' is filled with the entire user first and last name entered on the
user group field in QA.
Clear this customer field; This will remove the user on the user group and, they will no longer
have any privilege on this group.
The work around works but the client (General Electrics) doesn't accept this workaround because
in this way the user will be deleted from all security groups. Customer asks to disable an user
only on a particular group Please give us a different solution/workaround
Also please use Note 262680.1 to find out the HZ patchset level you are on.
the HZ patchset level is 11i.HZ.L
Once a user has been disabled from a user group he shouldn't have an access to the collection
plans associated to that user group
The issue can be reproduced at will with the following steps:
1. Create collection plan "CP_TEST"
2. create a new user group "UG_TEST" and add a user "USR_TEST"
3. Set grant privileges: the grantee as "UG_TEST" and the collection plan as "CP_TEST"
4. Enable all privileges.
5. Save the results
6. set profile "QA:Collection Plan Security" to yes
7. Select Enter/Update/View results: We find that only the plan that had been associated to the
User group is displayed in the list
8. Query Up the User group created above and disable the User "USR_TEST" - Select
Enter/Update/View results: the User desipte being disabled form the User Group "UG_TEST" still
has an access to the plan "CP_TEST"
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!
In this Document