Clarity PPM: @WHERE:SECURITY clause in Risk management portlets and lookups returning incorrect results for users with OBS and Instance rights - odfsec_risk_v2

book

Article ID: 221168

calendar_today

Updated On:

Products

Clarity PPM SaaS Clarity PPM On Premise

Issue/Introduction

With the recent changes to odfsec_risk_v2, the @WHERE:SECURITY clause in the Risk management portlets and lookups are not returning correct data for users having OBS and Instance rights.

Cause

STEPS TO REPRODUCE: 

1. Login as admin and create a security group Risk and provide the below OBS rights
   Project - Risk, Issue, Change Request - Delete 
   Project - Risk, Issue, Change Request - Edit 
   Project - Risk, Issue, Change Request - View 
   Project - Risk, Issue, Change Request - Create 
   Project - View 
Global Rights
   Projects - Navigate 
Provide the View instance rights to the Risk Management Portlet

2. Create a Resource ABC and add the above security group to this resource
3. Create a project XYZ and set the OBS to be the same as the one given in the Security group
4. Create a few risks in the project - Risk1, Risk2, Risk3 
5. Logout and login as resource ABC
6. Navigate to Project XYZ - Risks/Issues/CR tab
   Result: As expected, Risk1, Risk2 and Risk3 can be seen.
7. Navigate to Home Page and configure to show Risk Management portlet
8. Filter for the project XYZ

Expected: Risk1, Risk2 and Risk3 can be seen in the Risk Management portlet
Actual: The above risks are missing from the portlets. 

Workaround: odfsec_risk_v2 is not honoring the OBS and Instance rights. The fix for this issue is to make the below code change to the security clause. 

Change @WHERE:SECURITY:RISK:[email protected] to AND @WHERE:SECURITY:RISK:[email protected]

This defect impacts the lookups - RIM_BROWSE_RISKS and RIM_BROWSE_ISSUES and the fix is the same to replace odf_pk with pk_id

Environment

Release : 15.9.2

Resolution

This is impacting 15.9.2 and has been flagged as a defect - DE62129

Please implement the fix provided above.