Fusion Performance Management: HR Specialist Can See Evaluations They Should not if They Click View Performance Document Link From Approval Email
(Doc ID 2006465.1)
Last updated on MARCH 08, 2017
Applies to:Oracle Fusion Performance Management Cloud Service - Version 22.214.171.124.0 and later
Oracle Fusion Performance Management - Version 126.96.36.199.0 and later
Information in this document applies to any platform.
On : 188.8.131.52.0 version, Manage Worker Performance
Mgr/HR Spec can see eval they shouldn't if they click View Perf Doc link from approval email notif
When an approver forwards an approval email notification to another user (who doesn’t have access to the worker/subject of the approval notification) the other user can click the View Perf Doc link within the email notification and see the full performance document, causing a security breach. This is only true when 1) the receiver of the forwarded email has a Manager and/or HR Specialist Role and 2) if that receiver has an active session of the application open (If they are not a manager and/or HR Spec, a tab opens but no content is displayed which is correct. Regardless if the user is a manager and/or HR Spec or not, if they do not have an active session of the application open, the user is directed to a log-in screen which is correct). Note: we use Single Sign On. See attached for steps/screenshots
Expect security to enforce who has access to full performance document.
The issue can be reproduced at will with the following steps:
1. As an Approver forward an approval email to another user.
2. The other user click on link and see entire performance document.
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!