Security Problem With User Role Access When Changing Existing Itinerary (Doc ID 554432.1)

Last updated on SEPTEMBER 08, 2016

Applies to:

Oracle Transportation Management - Version: 5.5.03
Information in this document applies to any platform.
Checked for relevance on 07-DEC-2010

Symptoms

-- Problem Statement:
On 5.5.03, a user with a level of access that prevents them from editing and saving itineraries is allowed to modify itineraries.

EXPECTED BEHAVIOR
The user should not be allowed to edit and save itineraries.

-- Steps To Reproduce:
The issue can be reproduced at will with the following steps:
1. Set up a user level with the function Itinerary - View Alone attached.
2. Attach the user level to a user role and attach a user to this role.
3. Log in as the user with the user role and level, then try to edit an existing itinerary and save it.
The user is allowed to save the itinerary.

-- Business Impact:
The issue has the following business impact:
Due to this issue, users cannot trust the security mechanism of OTM.

Cause
