EAP: User can Bypass Department Chartfield Security on Payment Requests using Accounting Tags. (Doc ID 2802918.1)

Last updated on FEBRUARY 19, 2023

Applies to:

Symptoms

User can bypass Department Chartfield security on Payment Requests when using Accounting Tags.

Replication Steps:
1. Navigate to: “Setup FSCM > Common Definitions > Design Chartfields > Accounting Tags”
2. Create a new tag named “XYZ_DEPT_11000”.

3. Navigate to: “Setup FSCM > Security > Chartfield Security > Secure Chartfield Options” and establish department security.

4. Navigate to: “PeopleTools > Security > Permissions & Roles > Roles” and create

5. Navigate to: “Setup FSCM > Security > Chartfield Security > Maintain Security Rules >
Define Security Rules” and create a new rule named “DEPT_11000” .

6. Navigate to “PeopleTools > Security > User Profiles > User Profiles” and assign this Role to VP1

7. Navigate to: “Setup FSCM > Security > Chartfield Security > Maintain Security Rules >
Assign Rule to Role” and configure and “Build” it

8. Logged in as VP1.
9. Click on the “Payment Request Center” tile.
10. Enter the Summary information.
11. Select a Supplier.
12. Enter line information. Select Accounting Tag “DEPTS”. This has departments that VP1 should not have access to. Do not click on the Accounting Details icon, just click “Next"
13. Submit. This generated Payment Request “##########”
14. Execute SQL to see the Payment Request  distribution data. 
Select * from PS_PR_DIST WHERE REQUEST_ID =’##########’
One will see one is able to generate a Payment Request for department that are restricted. This should not be allowed.

ChartField Security rules are not being adhered to and allow an employee to submit a Payment Request for the department they are not authorized to use.

Changes

Cause

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.