User is set to View ONLY Access for Several Workspaces but is still able to Perform Actions on an Item
Use Case:
Set ROLE Access for a Screen/Form to ‘View Only’ (Ex: Purchase Orders) from ‘Access Right by Role’.
It is assumed that for Purchase Orders this ROLE/USER can only VIEW POs but not Edit them.
By default all FIELDS and ACTIONs within the FORM are set to INHERITED.
However, the ACTIONs on the PO are still Available and can be utilized: for example, an open PO can be Receipted or Put on HOLD. Since this is VIEW ONLY access, shouldn’t ACTIONS also be VIEW ONLY? This inadvertently gives ACTIONABLE / EDIT access to a user that should be VIEW ONLY.
This is a security Flaw and has been caught in client Compliance AUDITs.
The only way I’ve been able to counter this at the FORM Access Level is to REVOKE the ACTION ITEMS.
Is there any way around this? Shouldn’t VIEW ONLY apply to ACTIONs as view only also?
Is this a BUG? Shouldn't this be fixed?
NOTE: This applies to ALL FORMS Access across all Workspaces.