User Group Security Not Working in Quality

(Doc ID 473445.1)

Last updated on JUNE 11, 2017

Applies to:

Oracle Quality - Version 11.5.9 to 12.2.4 [Release 11.5 to 12.2]
Information in this document applies to any platform.

Symptoms

The User Group Security is not working in Quality,

OBSERVED BEHAVIOR: The user, despite being disabled from the User Group, still has an access to the plan.

The issue can be tested with the following steps (on the Quality Security Functionality)
1. Using the System Administrator responsibility, Navigate to Security -> Users and create a new FND user.
2. Add to the user the following responsibilities:
a. Manufacturing and Distribution Manager
b. System Administrator
c. Application Developer
3. Set the profile value for "QA:Collection Plan Security" as "YES" at the site level.
4. Select the Manufacturing and Distribution Manager responsibility.
5. Set the profile value for "HZ: Execute API Callouts" as "NO".
6. Navigate to Quality -> Setup -> User Groups
7. Create a new user group. Add the FND user created in step#1. Save the data.
8. Navigate to Quality -> Setup -> Grant Privileges. Select the User Group name created in the previous step.
In the Collection Plan listing, select one of the Collection Plan names that appear in the LOV.
Check all the
5 privileges for the UserGroup -> Collection Plan combination. Save.
9. Select the system administrator responsibility. Run the concurrent program "Synchronize WF
Local Tables" for the Orig System "HZ_GROUP". Check for its successful completion.

Note for R12:

The User should log out of the application after changing the profile value and  
then run the 'Workflow Directory Services User/Role Validation' program using the Sysadmin  
responsibility for the entities HZ Groups and HZ Parties. The customer should also  
ensure that the profile value "QA:Collection Plan Security" is set to 'Yes' and is not set on the user or resp level. It needs to be set to the site level.


10.Log into the application using the new FND user created. Select the Manufacturing and Disribution Manager responsibility.
11. Navigate to Quality -> Setup -> Collection plans. Do a blind query on the Collection Plan name.

Expected Behavior:
The only plan that should come up, should be the one on which the privileges have been granted in step #8.
12. Log on using the Prev User. Select the Manufacturing and Dist Manager resp. Navigate to Quality-> Setup-> User Group. Disable the new FND user from the User group.
13. Run the concurrent program using the System Admin resp as done in step #9
14. Re-login using the new FND user and repeat step 11.

Expected Behavior
No collection plans should be brought up on doing a blind query.

15. Using the prev user, reenable the new FND user in the User Group and repeat steps 9, 10, 11

Expected Behavior
The Collection plan on which the privileges have been granted, should be listed again.

16. Repeat the same with Multiple FND users added under the FND group and multiple FND Groups created.

Please try this from Note 335824.1 UNABLE TO DELETE/DISABLE USER LOGIN FROM USER GROUP NAME IN QUALITY MODULE

Symptoms
Unable to delete/disable User Login from User Group Name defined in Quality
Module. User Login ID once included in an User Group (in Quality Module) cannot
be disabled/deleted.
Cause


Quality Define User Groups form does not get saved when the member is disabled because of the
exception
raised in HZ_REGISTRY_VALIDATE_V2PUB.validate_party (in ARH2RGVB.pls)
when validating HR security.

Solution
Step 1
------
Responsibility: Application Developer
Navigation: Profile
Query up name = HZ_CREATED_BY_MODULE
Check the checkbox Visible under User Access.
Check the checkbox Visible and Updatable for Site under Hierarchy Type
Access level
.
Save the form.
.
Step 2
------
Responsibility: System Administrator
Navigation: Profile -> System
Query up Profile = HZ: Created By Module
Set value for site as HR API (There is a space between HR and API.Do
not set any value for other levels - Application, Responsibility...)
.
Save the form.
.
Now try to disable the member in the Quality User Group form and save the form. The form should
get saved without any issues.


You have to run the synchronize program every time you make any changes to the user group. Please
try this and let me know

I disabled user from the user group and I launched concurrent program “Synchronize WF Local
Tables”
(Parameters: Orig System= ALL, Parallel Process = 0, Logging Mode = Logging, Temporaney
Tablespace= Null,
Raise Errors = Yes) but the user can see all collection plan related to that group yet





Please try this Workaround in your test instance

Go to SYSADMIN > Security > USER > Define
Query the user you want to delete on the user group.

Notice that the field 'customer' is filled with the entire user first and last name entered on the
user group field in QA.
Clear this customer field; This will remove the user on the user group and, they will no longer
have any privilege on this group.

The work around works but the client (General Electrics) doesn't accept this workaround because
in this way the user will be deleted from all security groups. Customer asks to disable an user
only on a particular group Please give us a different solution/workaround



Also please use Note 262680.1 to find out the HZ patchset level you are on.
the HZ patchset level is 11i.HZ.L






EXPECTED BEHAVIOR
Once a user has been disabled from a user group he shouldn't have an access to the collection
plans associated to that user group

STEPS
The issue can be reproduced at will with the following steps:
1. Create collection plan "CP_TEST"
2. create a new user group "UG_TEST" and add a user "USR_TEST"
3. Set grant privileges: the grantee as "UG_TEST" and the collection plan as "CP_TEST"
4. Enable all privileges.
5. Save the results
6. set profile "QA:Collection Plan Security" to yes
7. Select Enter/Update/View results: We find that only the plan that had been associated to the
User group is displayed in the list
8. Query Up the User group created above and disable the User "USR_TEST" - Select
Enter/Update/View results: the User desipte being disabled form the User Group "UG_TEST" still
has an access to the plan "CP_TEST"


Cause

Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms