
Able to reset password even after not having "Reset Password" privilege

Received Response | 21 Views | 5 Comments


It is a big security risk that users are able to reset the password even though the role "XXXX Employee Custom" does not have any privilege to reset the password. The user clicked on the "Forgot Password" link on the login page, provided the username, selected the "Forgot Password" option, and got the email to reset the password. After clicking on the link, the user was able to reset the password.

We created the "XXXX Employee Custom" role as a copy of the Oracle-provided "Employee" role and removed the "Reset Password" privilege. Still, the user has access to reset the password with only this role, "XXXX Employee Custom". This is a big security risk, as we have single sign-on enabled and in some cases we want the user to log in using the username and password of Fusion, but we don't want users to have the privilege to reset their passwords.
