External Suppliers Can Edit Internal User Profile Roles/Supplier Access
(Doc ID 2314666.1)
Last updated on OCTOBER 05, 2017
Applies to: PeopleSoft Enterprise SCM eSupplier Connection - Version 9.2 and later
Information in this document applies to any platform.
External Suppliers can edit internal user profile roles/supplier access.
Currently, when a supplier user navigates to Maintain Supplier Information > User Profiles, they can update the profile of any user associated with their supplier ID. Because eSettlements security relies on a user having supplier access, this means an external user can remove roles and supplier access from an internal user.
Since this is the supplier portal and its users should only be updating supplier (external) profiles, the SQL behind the page should be restricted.
Currently, the SQL behind the page is this:
SELECT DISTINCT A.OPRID
FROM PS_VENDOR_USER A
, PS_EXT_VND_OPRSRC2 C
, PSROLEUSER D
WHERE A.VENDOR_ID IN (
SELECT B.VENDOR_ID  -- select list reconstructed from the IN comparison; it is missing from the page as published
FROM PS_VENDOR_USER B
WHERE A.SETID = B.SETID
AND B.OPRID = %OperatorId)
AND A.OPRID = C.OPRID2
AND A.OPRID = D.ROLEUSER
AND D.ROLENAME IN (
SELECT E.ROLENAME  -- select list reconstructed from the IN comparison; it is missing from the page as published
FROM PSROLEGRANTVW E
WHERE E.OPRID = %OperatorId)
AND A.OPRID <> %OperatorId
Criteria should be added to join PSOPRALIAS as well and restrict OPRALIASTYPE to VND only.
The issue is that this supplier page returns every user associated with the supplier ID tied to the logged-in user, so a supplier user can remove roles and suppliers from a user ID that belongs to an internal user. The page should be restricted to users whose OPRALIASTYPE is VND, meaning the user is an external user.
With the current access, suppliers in production can remove security roles and supplier access from users whose OPRALIASTYPE is EMP, NON, BID or CUST; those profiles should not be accessible from the supplier portal.
The issue can be reproduced at will with the following steps:
1. Log in to the supplier portal as SVP1.
2. Navigate to Maintain Supplier Information > User Profiles and search. Only 5 users are listed.
3. Sign out and log in as VP1.
4. Navigate to Maintain Supplier Information > User Profiles and search.
5. Select user JSCOTT.
6. Add a supplier to JSCOTT.
7. Select a supplier and click OK.
8. Save JSCOTT.
9. Sign out and log in to the supplier portal as SVP1 again.
10. Navigate to Maintain Supplier Information > User Profiles and search.
User ID JSCOTT now appears in the list, because the page returns every user associated with the supplier ID tied to the logged-in user, regardless of whether that user is internal or external. SVP1 can now open JSCOTT's profile and remove roles or supplier access from an internal user. The page should be restricted to users whose OPRALIASTYPE is VND, meaning external users.
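The following is an added example, not Oracle's or PeopleSoft's code: it models the five tables named in the page's SQL in an in-memory SQLite database, loads rows constructed to match the reproduction steps above (SVP1 as the supplier user, JSCOTT as an EMP user linked to the same vendor after step 8), and runs the page's current search next to the PSOPRALIAS-restricted version the fix calls for. The table columns, vendor IDs, role names, the extra users VND2USR, DUALUSR and OTHER, and the binding of %OperatorId as the :oprid parameter are all assumptions made for the demonstration.

```python
"""Reproduce the over-broad User Profiles search from Doc ID 2314666.1 against a
SQLite model and show the effect of restricting the result to OPRALIASTYPE = 'VND'.
Everything here (schema, rows, parameter binding) is constructed for the example."""
import sqlite3

# Constructed schema: only the columns the page's SQL references. PSOPRALIAS is
# assumed to allow more than one alias row per OPRID (the strict variant relies on it).
SCHEMA = """
CREATE TABLE PS_VENDOR_USER     (OPRID TEXT, SETID TEXT, VENDOR_ID TEXT);
CREATE TABLE PS_EXT_VND_OPRSRC2 (OPRID2 TEXT);
CREATE TABLE PSROLEUSER         (ROLEUSER TEXT, ROLENAME TEXT);
CREATE TABLE PSROLEGRANTVW      (OPRID TEXT, ROLENAME TEXT);
CREATE TABLE PSOPRALIAS         (OPRID TEXT, OPRALIASTYPE TEXT);
"""

# Constructed data. SVP1 is the supplier user from the repro; JSCOTT is the internal
# (EMP) user linked to SVP1's vendor in steps 5-8. VND2USR is an ordinary second
# supplier user, DUALUSR is a hypothetical account carrying both an EMP and a VND
# alias, and OTHER belongs to a different vendor. Vendor IDs and role names are made up.
ROWS = {
    "PS_VENDOR_USER": [
        ("SVP1",    "SHARE", "USA0000001"),
        ("JSCOTT",  "SHARE", "USA0000001"),
        ("VND2USR", "SHARE", "USA0000001"),
        ("DUALUSR", "SHARE", "USA0000001"),
        ("OTHER",   "SHARE", "USA0000002"),
    ],
    "PS_EXT_VND_OPRSRC2": [("SVP1",), ("JSCOTT",), ("VND2USR",), ("DUALUSR",), ("OTHER",)],
    "PSROLEUSER": [
        ("JSCOTT",  "Supplier User"),
        ("JSCOTT",  "AP Manager"),   # internal role SVP1 could strip via the page today
        ("VND2USR", "Supplier User"),
        ("DUALUSR", "Supplier User"),
        ("OTHER",   "Supplier User"),
    ],
    # Roles the logged-in supplier user is permitted to grant or remove.
    "PSROLEGRANTVW": [("SVP1", "Supplier User")],
    "PSOPRALIAS": [
        ("SVP1",    "VND"),
        ("JSCOTT",  "EMP"),
        ("VND2USR", "VND"),
        ("DUALUSR", "EMP"),
        ("DUALUSR", "VND"),
        ("OTHER",   "VND"),
    ],
}

# The page's current search, with %OperatorId bound as :oprid.
ORIGINAL_SQL = """
SELECT DISTINCT A.OPRID
FROM PS_VENDOR_USER A, PS_EXT_VND_OPRSRC2 C, PSROLEUSER D
WHERE A.VENDOR_ID IN (SELECT B.VENDOR_ID FROM PS_VENDOR_USER B
                      WHERE A.SETID = B.SETID AND B.OPRID = :oprid)
  AND A.OPRID = C.OPRID2
  AND A.OPRID = D.ROLEUSER
  AND D.ROLENAME IN (SELECT E.ROLENAME FROM PSROLEGRANTVW E WHERE E.OPRID = :oprid)
  AND A.OPRID <> :oprid
"""

# The doc's fix: join PSOPRALIAS and keep only users that have a VND alias.
FIXED_SQL = """
SELECT DISTINCT A.OPRID
FROM PS_VENDOR_USER A, PS_EXT_VND_OPRSRC2 C, PSROLEUSER D, PSOPRALIAS F
WHERE A.VENDOR_ID IN (SELECT B.VENDOR_ID FROM PS_VENDOR_USER B
                      WHERE A.SETID = B.SETID AND B.OPRID = :oprid)
  AND A.OPRID = C.OPRID2
  AND A.OPRID = D.ROLEUSER
  AND D.ROLENAME IN (SELECT E.ROLENAME FROM PSROLEGRANTVW E WHERE E.OPRID = :oprid)
  AND A.OPRID <> :oprid
  AND A.OPRID = F.OPRID
  AND F.OPRALIASTYPE = 'VND'
"""

# Stricter variant (an addition here, not in the doc): also hide any account that
# carries a non-VND alias, so an internal user who was also given a VND alias stays out.
STRICT_SQL = FIXED_SQL + """
  AND NOT EXISTS (SELECT 1 FROM PSOPRALIAS G
                  WHERE G.OPRID = A.OPRID AND G.OPRALIASTYPE <> 'VND')
"""


def build_db() -> sqlite3.Connection:
    """Create the in-memory model and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in ROWS.items():
        placeholders = ", ".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({placeholders})", rows)
    return conn


def visible_profiles(conn: sqlite3.Connection, sql: str, oprid: str) -> list[str]:
    """Run one version of the User Profiles search as %OperatorId = oprid."""
    return sorted(row[0] for row in conn.execute(sql, {"oprid": oprid}))


def internal_users_exposed(conn: sqlite3.Connection, sql: str, oprid: str) -> list[str]:
    """Return the listed profiles that are not purely external (alias types other than VND)."""
    exposed = []
    for user in visible_profiles(conn, sql, oprid):
        types = {t for (t,) in conn.execute(
            "SELECT OPRALIASTYPE FROM PSOPRALIAS WHERE OPRID = ?", (user,))}
        if types != {"VND"}:
            exposed.append(user)
    return exposed


if __name__ == "__main__":
    db = build_db()
    for label, sql in (("current page", ORIGINAL_SQL), ("VND join", FIXED_SQL), ("strict", STRICT_SQL)):
        print(f"{label:13s}: {visible_profiles(db, sql, 'SVP1')}  "
              f"internal exposed: {internal_users_exposed(db, sql, 'SVP1')}")
```

Run as SVP1, the current query lists JSCOTT (an EMP user) among the editable profiles; the VND join removes JSCOTT but still lists DUALUSR, because a plain join matches as soon as one VND alias row exists. Whether an OPRID can carry several alias types in a given installation is an assumption of this example; if it can, the NOT EXISTS form is the one that actually enforces "external users only". In the page's own SQL the join is applied with %OperatorId in place of :oprid.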