Unauthorized Users Are Able to Modify Other User's Responsibilities in Non-Admin Views (Doc ID 2225544.1)

Last updated on MARCH 02, 2017

Applies to:

Siebel CRM - Version [IP2013] and later
Information in this document applies to any platform.


On: 8.1.1.x version, Client Functionality

Unauthorized users are able to add/remove Responsibilities of users in non-administration views. This occurs because an MVG associated with a non-admin view itself has another MVG to the Responsibilities. Although the fields are read-only, the Responsibility MVG is not. Once users are in the Responsibility MVG, they are able to modify other users' Responsibilities.

Only authorized users should be able to modify users' responsibilities in administration screens. In this case, it should be allowed only in Administration - Users, and only by Admin Users.

It can be reproduced in the following views:
View: Activity List View
  Applet: Activity List Applet With Navigation
    Applet List Column: Employees
      MVG applet: Employee Mvg Applet
        MVG applet List Column: Responsibility
          Second MVG Applet: Responsibility Mvg Applet

1. Navigate to the Activity List View.
2. In the Employee column, open up the Employee MVG.
3. In the "Selected" section of the MVG, navigate to the "Responsibility" column and open up the MVG.
4. This brings up the Responsibility MVG, where unauthorized users can make changes to other users' profiles.

This causes security issues where unauthorized users can modify other users' responsibilities, including SADMIN's.
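
The nested-MVG condition described above can be checked across a configuration by walking every column-to-MVG link from each non-admin view. The sketch below is an added example, not Oracle's code or a Siebel tool; the dictionary layout, the `admin` and `read_only` flags, and the "Example Admin ..." names are assumptions constructed for illustration.

```python
# Constructed, simplified model of the view/applet chain (hypothetical structure,
# not a Siebel repository export format). A list column may open an MVG applet.
APPLETS = {
    "Activity List Applet With Navigation": {
        "read_only": False, "columns": {"Employees": "Employee Mvg Applet"}},
    # Fields here are read-only, but the nested MVG link is still reachable.
    "Employee Mvg Applet": {
        "read_only": True, "columns": {"Responsibility": "Responsibility Mvg Applet"}},
    "Responsibility Mvg Applet": {"read_only": False, "columns": {}},
    # Constructed admin applet name, for contrast only.
    "Example Admin User Applet": {
        "read_only": False, "columns": {"Responsibility": "Responsibility Mvg Applet"}},
}
VIEWS = {
    "Activity List View": {
        "admin": False, "applets": ["Activity List Applet With Navigation"]},
    "Example Admin Users View": {
        "admin": True, "applets": ["Example Admin User Applet"]},
}

def find_exposed_paths(views, applets, sensitive="Responsibility Mvg Applet"):
    """Return every path from a non-admin view to an editable sensitive MVG."""
    findings = []
    for view_name, view in views.items():
        if view["admin"]:
            continue  # editing responsibilities is expected in admin views
        stack = [(name, [view_name, name]) for name in view["applets"]]
        seen = set()
        while stack:
            applet, path = stack.pop()
            if applet in seen:
                continue
            seen.add(applet)
            if applet == sensitive:
                if not applets[applet]["read_only"]:
                    findings.append(path)
                continue
            # A read-only parent does not stop the walk: its columns can
            # still open child MVGs, which is the condition described above.
            for column, child in applets[applet]["columns"].items():
                stack.append((child, path + [column, child]))
    return findings

if __name__ == "__main__":
    for path in find_exposed_paths(VIEWS, APPLETS):
        print(" -> ".join(path))
```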



This document is being delivered to you via Oracle Support's Rapid Visibility (RaV) process and therefore has not been subject to an independent technical review.