Why can a non-authorized user approve a PO using email from an authorized user
We just noticed the following scenario.
1) User A enters a PO and a notifcation is sent to user B who is authorized in our PO Hierarchy to approve PO's from user A.
2) User B receives the email notification and sends it on (via Mocrosft Outlook, not Oracle) to user C.
3) User C does not have any Purchasing responsibility and is not even in our PO Hierarchy,
4) But when user C opens the document attached to the email, it takes him to an Oracle EBS login page, where user C logs in as user C.
5) The PO Approval Form is automatically brought up with the Approve, Forward, Reject, etc. buttons for user C. It says at the top that User C is logged in.