Fusion Performance Management: HR Specialist Can See Evaluations They Should not if They Click View Performance Document Link From Approval Email

(Doc ID 2006465.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Fusion Performance Management Cloud Service - Version 11.1.9.2.0 and later
Oracle Fusion Performance Management - Version 11.1.9.2.0 and later
Information in this document applies to any platform.

Symptoms

On: 11.1.9.0.0 version, Manage Worker Performance

ACTUAL BEHAVIOR
---------------
Manager/HR Specialist can see evaluations they shouldn't if they click the View Performance Document link from an approval email notification

When an approver forwards an approval email notification to another user who does not have access to the worker who is the subject of the approval notification, that other user can click the View Performance Document link in the email notification and see the full performance document, causing a security breach. This happens only when 1) the receiver of the forwarded email has a Manager and/or HR Specialist role and 2) that receiver has an active session of the application open. (If they are not a Manager and/or HR Specialist, a tab opens but no content is displayed, which is correct. Regardless of whether the user is a Manager and/or HR Specialist, if they do not have an active session of the application open, the user is directed to a log-in screen, which is correct.) Note: we use Single Sign On. See attached for steps/screenshots.

EXPECTED BEHAVIOR
-----------------------
Expect security to enforce who has access to the full performance document, regardless of how the link to it was obtained.


STEPS
-----------------------
The issue can be reproduced at will with the following steps:
1. As an Approver, forward an approval email to another user.
2. The other user clicks the link and sees the entire performance document.
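The symptom above is a role check standing in for an object-level authorization check: a user with a Manager or HR Specialist role and an active session is allowed through, even though the specific worker is outside their scope. The following is an added illustration written for this article, not Oracle Fusion code; the user, document and scope model (`reports`, `hr_scope`, `approvers`), the sample users and the document id are all constructed assumptions. It contrasts a role-only check with a check that also verifies the requesting user is in scope for the worker the document belongs to, evaluated on every request to the deep link.

```python
"""Added example (not Oracle code): object-level authorization for a
'View Performance Document' deep link versus a role-only check."""
from dataclasses import dataclass

# Roles that the reported behaviour treats as sufficient on their own (assumption).
PRIVILEGED_ROLES = frozenset({"MANAGER", "HR_SPECIALIST"})


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset                     # e.g. {"MANAGER"}
    reports: frozenset = frozenset()     # workers this user manages (constructed model)
    hr_scope: frozenset = frozenset()    # workers in this user's HR data-security scope


@dataclass(frozen=True)
class PerformanceDocument:
    doc_id: int
    worker: str                          # subject of the evaluation
    approvers: frozenset                 # users the approval notification was addressed to


def can_view_role_only(user: User, doc: PerformanceDocument) -> bool:
    """Weak check mirroring the symptom: any privileged role opens any document."""
    return bool(user.roles & PRIVILEGED_ROLES)


def can_view(user: User, doc: PerformanceDocument) -> bool:
    """Object-level check: the role is necessary, but the user must also be in
    scope for *this* worker, or be a named approver of *this* document."""
    if user.name in doc.approvers:
        return True
    if "MANAGER" in user.roles and doc.worker in user.reports:
        return True
    if "HR_SPECIALIST" in user.roles and doc.worker in user.hr_scope:
        return True
    return False


def open_document_link(user: User, doc_id: int, documents: dict, authz=can_view):
    """Handler for the deep link. Authorization is decided here on every request;
    an active session or a forwarded email carries no entitlement of its own."""
    doc = documents.get(doc_id)
    if doc is None or not authz(user, doc):
        # Same response whether the document is missing or out of scope,
        # so the link does not confirm that a document exists.
        return None
    return doc


# Constructed sample data: Alice approves Bob's document; Carol is an HR
# Specialist whose scope does not include Bob and who received a forwarded link.
ALICE = User("alice", frozenset({"MANAGER"}), reports=frozenset({"bob"}))
CAROL = User("carol", frozenset({"HR_SPECIALIST"}), hr_scope=frozenset({"dave"}))
DOCUMENTS = {101: PerformanceDocument(101, "bob", frozenset({"alice"}))}


def forwarded_link_outcome(user: User, doc_id: int = 101):
    """Returns (role_only_result, object_level_result) for the forwarded link."""
    weak = open_document_link(user, doc_id, DOCUMENTS, authz=can_view_role_only)
    strict = open_document_link(user, doc_id, DOCUMENTS)
    return (weak is not None, strict is not None)


if __name__ == "__main__":
    print("alice:", forwarded_link_outcome(ALICE))   # (True, True)
    print("carol:", forwarded_link_outcome(CAROL))   # (True, False)
```

The role-only path lets Carol open Bob's document exactly as described in the symptom, while the object-level path denies her because Bob is neither a report of hers nor inside her HR scope, and she was not an addressee of the approval. The point to audit in any deep-link handler is whether the per-object check runs on the request itself rather than being assumed from the notification that carried the link.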


Cause
