Able to reset password even after not having "Reset Password" privilege
This is a big security risk: users are able to reset their password even though the role "XXXX Employee Custom" does not have any privilege to reset the password. The user clicked the "Forgot Password" link on the login page, provided the username, selected the "Forgot Password" option, and received the email to reset the password. Once they clicked the link, the user was able to reset the password.
We created the "XXXX Employee Custom" role as a copy of the Oracle-provided "Employee" role and removed the "Reset Password" privilege. The user still has access to reset the password with only this role, "XXXX Employee Custom". This is a big security risk, as we have single sign-on enabled and in some cases we want the user to log in using a Fusion username and password, but we don't want users to have the privilege to reset their passwords.