My Oracle Support Banner

EAR 9.2: Refund Status Business Unit Secured View (Record SP_BUARAP_CLSVW) Displays All Permission Lists And Business Unit Values (Doc ID 2586638.1)

Last updated on SEPTEMBER 11, 2019

Applies to:

PeopleSoft Enterprise FIN Receivables - Version 9.2 to 9.2 [Release 9]
Information in this document applies to any platform.

Symptoms

ISSUE:

Having defined at the Security Options level the Row Level Security configuration of 'Permission List Level Security' and 'Business Unit', the same is being completely bypassed at the Refund Status search page when using the Business Unit look-up functionality.

Not only the Business Unit secured view (Record SP_BUARAP_CLSVW) shows all the company's defined Permission Lists, regardless if the User has been linked to them (At PeopleTools User Profile via Permission Lists or Roles), but also the complete list of Business Unit values existing in the system, even those the User should not have access to.

REPLICATION STEPS:

    1.- Log into the FSCM Online Application as a System Administrator User
    2.- Navigate to: Set Up Financials/Supply Chain > Security > Security Options
    3.- Configure the below settings:
         a) Permission List Level Security = Y
         b) Business Unit = Y
    4.- Navigate to: Set Up Financials/Supply Chain > Security > Unit by Permission List
    5.- Open Permission List ALLPAGES, and define Business Units US001, US003, and US005.
    6.- Navigate to: PeopleTools > Security > User Profiles > User Profiles
    7.- Open the User ID of the System Administrator, and ensure Permission List ALLPAGES is defined in the General tab
    8.- Navigate to: Set Up Financials/Supply Chain > Security > Apply Security Setups
    9.- Create a new Run Control ID and launch the Apply Security Views process (SEC_VIEWS AE Program)
    10.- Navigate to: Accounts Receivable > Receivables Maintenance > Refunds > Refund Status
    11.- Click on the look-up icon for Business Unit field
    12.- ISSUE #1: The 'Look Up Business Unit' search results page displays the first column as 'Primary Permission List'
    13.- Navigate to: PeopleTools > Security > Permission & Roles > Copy Permission Lists
    14.- Copy delivered Permission List ALLPAGES into a newly created Permission List named OSS-ALL
    15.- Navigate to: Set Up Financials/Supply Chain > Security > Unit by Permission List
    16.- Open Permission List OSS-ALL, and define Business Units GRB01, FRAE1, CAN01, and AUS01.
    17.- Navigate to: Accounts Receivable > Receivables Maintenance > Refunds > Refund Status
    18.- Click on the look-up icon for Business Unit field
    19.- ISSUE #2: The 'Look Up Business Unit' search results page displays the results of Permission List OSS-ALL, with all 4 Business Unit values, which should not be available to this User

To gather more information concerning this scenario and its related problem, refer to the available Replication Steps Word Document here linked containing the complete configuration and the replication steps necessary to reproduce the issue.

ACTUAL RESULT:

Not only does the Refund Status Business Unit view (Record SP_BUARAP_CLSVW) show all the company's Permission Lists defined with Business Units, regardless if the User has been linked to them (At PeopleTools User Profile via Permission Lists or Roles), but also the complete list of Business Unit values existing in the system, even those the User should not have access to.

EXPECTED BEHAVIOR:

The Business Unit look-up feature at the Refund Status search page should only display those Business Unit values defined to the Permission Lists that have been linked to a particular User (via Permission Lists in PeopleTools Profile, or Roles), and the Primary Permission List column should not be displayed at all.

NOTE: In the  attached document, user details / company name / address / email / telephone number represent a fictitious sample (based upon made up data used in the Oracle Demo Vision instance).  Any similarity to actual persons, living or dead, is purely coincidental and not intended in any manner.

Changes

 

Cause

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!


In this Document
Symptoms
Changes
Cause
Solution
References


My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.