ESFO 9.1: Department Security By Permission List Is Being Bypassed At Staffing Orders Create/Update Level
(Doc ID 1520040.1)
Last updated on JANUARY 11, 2018
Applies to: PeopleSoft Enterprise FIN Staffing Front Office - Version 9.1 to 9.1 [Release 9]
Information in this document applies to any platform.
In the PeopleSoft Enterprise FSCM Application, the Staffing Front Office module offers very complete Department Security functionality, based on the hard-coded Department Security Tree (DEP_SECURITY) along with the table PS_SCRTY_TBL_DEPT. This Tree and Record form the basis for all Staffing Department Security Views. However, an issue has been found where this security configuration does not work properly on the following page:
- Navigation: Staffing > Orders and Assignments > Add/Update Orders.
The affected page corresponds to the following Application Designer objects, according to the navigation path mentioned above:
- Component (FO_ORDERS)
- Page (FO_ORDER_HDR)
- Record (RS_SO_HDR)
- SubRecord (FO_SO_HDR_SBR)
- Field (DEPTID)
- EditTable (DEPT_ALL_VW).
When a Staffing User assigns a Department value at the Order level, the View behind the look-up feature (DEPT_ALL_VW) displays all Department values available in the system, including those set as Inactive and those to which the user has not been granted security access. Staffing Users must not be able to see or assign Departments to which they have not been granted security access.
- Log into the FSCM Online Application as User ID VP1
- Navigate to: Set Up Financials/Supply Chain > Security > Staffing Apply Security Tree
- Select the Effective Date from January 1st 1990, and apply the changes
- Navigate to: Tree Manager > Tree Manager
- Open existing Tree DEP_SECURITY for the Effective Date of January 1st 1990
- Confirm that there is a specific Node for Department ID 20000
- Navigate to: PeopleTools > Security > Permissions & Roles > Permission Lists
- Open the existing Permission List EPPB9000, and confirm that Menu FO_PAYBILL_PROJECT is properly listed
- Navigate to: PeopleTools > Security > Permissions & Roles > Roles
- Open delivered Role 'PBM User', and make sure that Permission List EPPB9000 is linked properly
- Navigate to: Set Up Financials/Supply Chain > Security > Staffing Department Security
- Open Permission List EPPB9000, define Set ID SHARE and Department ID 20000, and save the changes
- Navigate to: Set Up Financials/Supply Chain > Common Definitions > Design ChartFields > Define Values > ChartField Values > Department
- Open existing Department ID 20000 under Set ID SHARE, and create a new Effective Date row for January 31st 1900, and set the Status to INACTIVE
- Navigate to: PeopleTools > Security > User Profiles > User Profiles
- Open User ID VP2, and in the General tab, under the Row Security field, place Permission List EPPB9000, while in the Roles tab, add Role 'PBM User'
- Navigate to: Set Up Financials/Supply Chain > Security > Security Options
- Select the radio button called 'No Security'
- Navigate to: Set Up Financials/Supply Chain > Security > Apply Security Setups
- Launch the FIN9000 SQR Process to apply the latest security configuration
- Log into the FSCM Online Application as User ID VP2
- Navigate to: Staffing > Orders and Assignments > Add/Update Orders
- Open existing Order ID 0000000030, from PC Business Unit US004 and Branch ID CA001
- In the Order tab, click on the Department field look up view (DEPT_ALL_VW), and confirm that the displayed results contain Department ID 20000
- The View shows all existing Department ID values, including those that have been set to Inactive status and those to which the user has not been granted access via Department Security
To gather more information concerning this scenario and its related problem, refer to the available Replication Steps Word Document containing the complete configuration and the replication steps necessary to reproduce the issue.
After all the Department Security settings have been configured, the system bypasses them when Orders are created or updated: it shows all Department values regardless of the security granted, including those that are Inactive. Transactions can be entered into the system using incorrect Department IDs.
The Department ID View behind the look-up feature in the Order transaction (FO_ORDER_HDR) should always filter the displayed results according to the security settings in place and the access granted by Permission List to each user, and should no longer include Inactive Department values. Staffing Users must not be able to see or assign Departments to which they have not been granted security access.
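The expected filtering described above, and an audit for orders entered while the lookup was unfiltered, as an added example that is not Oracle's code or the PeopleSoft view definition. The data layout, function names, order IDs and all rows other than the EPPB9000 / SHARE / 20000 / VP2 values taken from the steps are constructed assumptions.

```python
from datetime import date

# Constructed sample data modelled on the scenario above; not PeopleSoft tables.
# Effective-dated department rows: (setid, deptid, effective date, status)
DEPT_ROWS = [
    ("SHARE", "10000", date(1900, 1, 1), "A"),
    ("SHARE", "20000", date(1900, 1, 1), "A"),
    ("SHARE", "20000", date(1900, 1, 31), "I"),  # inactivated, as in the steps
    ("SHARE", "21000", date(1900, 1, 1), "A"),
    ("SHARE", "22000", date(2030, 1, 1), "A"),   # future-dated, not yet effective
]
# Department grants per permission list: (permission list, setid, deptid)
GRANTS = {
    ("EPPB9000", "SHARE", "20000"),  # from the steps
    ("EPPB9000", "SHARE", "21000"),  # constructed extra grants
    ("EPPB9000", "SHARE", "22000"),
}
USER_ROW_SECURITY = {"VP2": "EPPB9000"}  # Row Security permission list per user

# Constructed orders to audit.
SAMPLE_ORDERS = [
    {"order_id": "SAMPLE-1", "user": "VP2", "setid": "SHARE", "deptid": "20000"},
    {"order_id": "SAMPLE-2", "user": "VP2", "setid": "SHARE", "deptid": "21000"},
    {"order_id": "SAMPLE-3", "user": "VP2", "setid": "SHARE", "deptid": "10000"},
]

def current_status(setid, deptid, as_of):
    """Status of the latest row effective on or before as_of, or None."""
    rows = [r for r in DEPT_ROWS
            if r[0] == setid and r[1] == deptid and r[2] <= as_of]
    return max(rows, key=lambda r: r[2])[3] if rows else None

def unfiltered_lookup(setid):
    """What the page reports: every department, whatever its status or grants."""
    return sorted({r[1] for r in DEPT_ROWS if r[0] == setid})

def secured_lookup(user, setid, as_of):
    """Expected behaviour: granted to the user's permission list AND active."""
    plist = USER_ROW_SECURITY.get(user)
    return [d for d in unfiltered_lookup(setid)
            if (plist, setid, d) in GRANTS
            and current_status(setid, d, as_of) == "A"]

def audit_orders(orders, as_of):
    """Order IDs whose department the entering user should not have been offered."""
    return [o["order_id"] for o in orders
            if o["deptid"] not in secured_lookup(o["user"], o["setid"], as_of)]
```
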