Security issue with Supplier Change Request When Login Employee Portal

(Doc ID 2323953.1)

Last updated on NOVEMBER 01, 2017

Applies to:

PeopleSoft Enterprise SCM Purchasing - Version 9.2 and later
Information in this document applies to any platform.

Symptoms

Security issue with Supplier Change Request when logging in to the Employee Portal.

When accessing the Supplier Portal, security allows the supplier to access or create change requests only for the supplier(s) associated with the Supplier User setup. That is correct.

In the Employee Portal, the supplier can access or create change requests for all suppliers listed in the prompt list, and should not be able to.

The customer considered this a bug. They expected either a setup option that prevents the user from changing all suppliers in the Employee Portal, or a way to block this user in the Employee Portal only.


STEPS
The issue can be reproduced at will with the following steps:
1. Look at User Profiles (DVP1).
2. In the Supplier User setup, DVP1 is set up with only 4 suppliers.
3. Log in as DVP1 at the Employee Portal.
4. At Initiate Supplier Change, the user can see all suppliers in the supplier ID lookup.
5. The user can change any supplier in the list. This is the customer's issue.
6. Log in at the Supplier Portal.
7. The user has access only to the suppliers defined on the Supplier User page. Working as expected.


Cause
