Unauthorized Users Are Able to Modify Other User's Responsibilities in Non-Admin Views (Doc ID 2225544.1)

Last updated on MARCH 02, 2017

Applies to:

Siebel CRM - Version 8.1.1.11.11 [IP2013] and later
Information in this document applies to any platform.

Symptoms

On: 8.1.1.x version, Client Functionality

ACTUAL BEHAVIOR  
---------------
Unauthorized users are able to add/remove Responsibilities of users in non-administration views. This occurs because of an MVG associated with non-admin views, which itself has another MVG to the Responsibilities. Although the fields are read-only, the Responsibility MVG is not. Once users are in the Responsibility MVG, they are able to modify other users' Responsibilities.

EXPECTED BEHAVIOR
-----------------------
Only authorized users should be able to modify users' responsibilities, and only in administration screens. In this case, it should only be allowed in Administration - Users, by Admin Users only.

STEPS
-----------------------
It can be reproduced in the following views:
View: Activity List View
Applet: Activity List Applet With Navigation
Applet List Column: Employees
    MVG applet: Employee Mvg Applet
    MVG applet List Column: Responsibility
        Second MVG Applet: Responsibility Mvg Applet

1. Navigate to the Activity List View.
2. In the Employee column, open up the Employee MVG.
3. In the "Selected" section of the MVG, navigate to the "Responsibility" column and open up the MVG.
4. This brings up the Responsibility MVG, where unauthorized users can make changes to other users' profiles.

BUSINESS IMPACT
-----------------------
This causes security issues where unauthorized users can modify other users' responsibilities, including those of SADMIN.

Cause
