External Suppliers Can Edit Internal User Profile Roles/Supplier Access

(Doc ID 2314666.1)

Last updated on OCTOBER 05, 2017

Applies to:

PeopleSoft Enterprise SCM eSupplier Connection - Version 9.2 and later
Information in this document applies to any platform.

Symptoms

External suppliers can edit internal user profile roles and supplier access.

Currently, when a supplier navigates to Maintain Supplier Information > User Profiles, they can update the profile of any user associated with their supplier ID. Because eSettlements security relies on users having supplier access, these external users can remove roles and supplier access from an internal user.

Since this is the supplier portal and these users should only update supplier profiles, the SQL should be updated.

Currently, the SQL behind the page is this:

SELECT DISTINCT A.OPRID
     , C.OPRDEFNDESC
  FROM PS_VENDOR_USER A
     , PS_EXT_VND_OPRSRC2 C
     , PSROLEUSER D
 WHERE A.VENDOR_ID IN (SELECT B.VENDOR_ID
                         FROM PS_VENDOR_USER B
                        WHERE A.SETID = B.SETID
                          AND B.OPRID = %OperatorId)
   AND A.OPRID = C.OPRID2
   AND A.OPRID = D.ROLEUSER
   AND D.ROLENAME IN (SELECT E.ROLENAME
                        FROM PSROLEGRANTVW E
                       WHERE E.OPRID = %OperatorId)
   AND A.OPRID <> %OperatorId

Criteria should be added to check PSOPRALIAS as well, limiting OPRALIASTYPE to VND only.

The issue is that this supplier page returns all users associated with the supplier ID tied to the signed-in user. A supplier user can then remove roles and suppliers from a user ID that belongs to an internal user. The page should be restricted to return only users with an OPRALIASTYPE of VND, meaning the user is an external user.

With the current access, we have suppliers in production that can remove security roles and supplier access from users with an OPRALIASTYPE of EMP, NON, BID, and CUST; these profiles should not be accessible.
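The restriction the article asks for, written out as an added example rather than Oracle's delivered fix: the page SQL above with an extra criterion on PSOPRALIAS so that only users carrying a VND operator alias are returned, followed by an ad hoc audit query to see which non-VND profiles a given supplier user can reach today. The alias F, the EXISTS form, the audit query and the :supplier_oprid bind placeholder are assumptions; %OperatorId is the PeopleSoft meta-SQL for the signed-in user as on the page.

```sql
-- Added example, not Oracle's delivered fix. The article's page SQL plus the
-- PSOPRALIAS criterion it asks for: the target user must carry a VND alias.
-- Alias F and the EXISTS form are assumptions.
SELECT DISTINCT A.OPRID
     , C.OPRDEFNDESC
  FROM PS_VENDOR_USER A
     , PS_EXT_VND_OPRSRC2 C
     , PSROLEUSER D
 WHERE A.VENDOR_ID IN (SELECT B.VENDOR_ID
                         FROM PS_VENDOR_USER B
                        WHERE A.SETID = B.SETID
                          AND B.OPRID = %OperatorId)
   AND A.OPRID = C.OPRID2
   AND A.OPRID = D.ROLEUSER
   AND D.ROLENAME IN (SELECT E.ROLENAME
                        FROM PSROLEGRANTVW E
                       WHERE E.OPRID = %OperatorId)
   AND A.OPRID <> %OperatorId
   -- New criterion: internal profiles (EMP, NON, BID, CUST) have no VND
   -- alias, so they no longer appear on the supplier-facing page.
   AND EXISTS (SELECT 'X'
                 FROM PSOPRALIAS F
                WHERE F.OPRID = A.OPRID
                  AND F.OPRALIASTYPE = 'VND');

-- Assumed audit query, run ad hoc before applying the change: for one supplier
-- user, list every profile the current page exposes together with its alias
-- type. Any row whose OPRALIASTYPE is not VND is an internal profile that the
-- supplier can edit today. :supplier_oprid is a bind placeholder for the
-- supplier user ID under review.
SELECT A.OPRID, F.OPRALIASTYPE
  FROM PS_VENDOR_USER A
     , PSOPRALIAS F
 WHERE A.VENDOR_ID IN (SELECT B.VENDOR_ID
                         FROM PS_VENDOR_USER B
                        WHERE A.SETID = B.SETID
                          AND B.OPRID = :supplier_oprid)
   AND F.OPRID = A.OPRID
   AND A.OPRID <> :supplier_oprid
 ORDER BY F.OPRALIASTYPE, A.OPRID;
```

The audit query joins PSOPRALIAS directly, so a profile with no alias row at all is not listed; the hardened page SQL excludes such a profile as well, since it has no VND alias.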


STEPS
The issue can be reproduced at will with the following steps:
1. Log in to the Supplier portal as SVP1.
2. Go to Navigation: Maintain Supplier Information > User Profile. Search. Only 5 users are shown.
3. Sign out and log in as VP1.
4. Go to Navigation: Maintain Supplier Information > User Profile. Search.
5. Select user JSCOTT.
6. Add a Supplier to JSCOTT.
7. Select a Supplier. OK.
8. Save JSCOTT.
9. Sign out and log in to the Supplier portal as SVP1.
10. Search on Navigation: Maintain Supplier Information > User Profiles.
  User ID JSCOTT is now visible in the list. This happens because the supplier page returns all users associated with the supplier ID tied to the signed-in user.

This causes issues, since a supplier user can then remove roles and suppliers from a user ID that belongs to an internal user. The page should be restricted to return only users with an OPRALIASTYPE of VND, meaning the user is an external user.

Cause
