My Oracle Support Banner

Approvals Administrator Scope Includes Other ProcessIDs With the Same ProcessID Parent, Allowing Any Administrator To View ProcessIDs To Which It Is Not Entitled (Doc ID 2643621.1)

Last updated on MARCH 02, 2020

Applies to:

PeopleSoft Enterprise HCM Human Resources - Version 9.2 to 9.2 [Release 9]
Information in this document applies to any platform.

Symptoms

AWE administrators for a specific process Definition ID have the ability to administer transactions for other process Definition IDs having the same Process ID parent key even though the Administrator does not have the Role associated with administering the other process Definition IDs.

In HCM 9.2, prompting for a Process ID (Parent key),  then the Definition ID (Child key) using the Monitor Approvals component reveals the entire list of Definition IDs associated with the Process ID even though the Admin-user has only 1 AWE Administrator Role for 1  Definition ID in their User Profile.

These users can also administer AWE transactions they should not have access to based on the Approval Monitor configuration for the Process ID.

Customers expect the User with AWE Administrator Role to have access only to the specific Process ID to which it is assigned.


The issue can be reproduced at will with the following steps:

1. Delivered process Definition ID (NewPosition) in the PS demo 9.2 environment with AWE Administrator as the Admin Role.

2. New clone of delivered process Definition ID (Customer #2 NewPosition) in the PS demo 9.2 environment, with Customer AWE Administrator Role as the Admin Role. (This is new with no transactions created yet for this Definition ID.)

3. Approval Monitor Configuration in 9.2 PS Demo environment:

4. Confirm the HFG User only has the AWE Administrator role in their profile for administering the “NewPosition” process Definition ID.

5. Added the new “Customer AWE Administrator” role to the non-FederalGovernmentSpecific user profile for administering the “Customer #2 NewPosition” process Definition ID.

6. Login as user: FEDERAL GOVERNMENT SPECIFIC

7. Open the Monitor Approvals component: Workforce Administration> Self Service Transactions> Approvals and Delegation> Monitor Approvals

8. FEDERAL GOVERNMENT SPECIFIC User: Definition ID prompt results for Monitor Approvals show this user has access to both Definition IDs but should only have access to the “NewPosition” Definition ID based on the configurations.

9. Also, selecting the Search button for the criteria below shows the FEDERAL GOVERNMENT SPECIFIC user has access to all the current “NewPosition” transactions which are the only “NewPositionApproval” transactions in the 9.2 demo environment since no “Customer #2 NewPosition” transactions have been generated yet.

10. Login as user: non-FederalGovernmentSpecific user

11. Open the Monitor Approvals component: Workforce Administration> Self Service Transactions> Approvals and Delegation> Monitor Approvals

non-FederalGovernmentSpecific  User: Definition ID prompt results for Monitor Approvals show this user has access to both Definition IDs but should only have access  to the “Customer #2 NewPosition” Definition ID value.

12. Also, selecting the Search button for the criteria below shows the HCRUSA user erroneously has access to all the current “NewPositionApproval” transactions in the 9.2 demo environment, but should not have access to any since no “Customer #2 NewPosition” tranactions have been generated yet. Once “Customer #2 NewPosition” transactions are eventually created this administrator should only have access to those transactions.

13.  Multiple customers configured with their own Admin Role for their process Definition ID for the NewPositionApproval Process ID. Each process Definition ID has a unique customer Administrator Role configured.
As indicated below, logged in as a customer administrator for 1 process Definition ID, the user/admin can erroneously administer transactions for all process Definition IDs.



Changes

 

Cause

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!


In this Document
Symptoms
Changes
Cause
Solution
References


My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.