SAP Knowledge Base Article - Public

2453406 - Access is provided instead of restriction-Role Based Permission

Symptom

  • The requirement is that a manager should be able to see field X only for employees belonging to his department and should not be able to see field X for employees of other departments. However, he is able to see field X for employees of all departments.
  • A user is able to perform an action although no access to it is given in his permission role.

Environment

  • SAP SuccessFactors Employee Central - Role Based Permission
  • SAP SuccessFactors Platform - Role Based Permission
  • SAP SuccessFactors Analytics - Role Based Permission

Cause

When a manager receives access to field X through more than one permission group, and only one of those permission groups restricts access to field X while the other permission groups provide it, the system provides access.

RBP always works with OR logic.

An OR condition states that if statement 1 is true and statement 2 is false, then the result is true.

For example, in OR logic:

Suppose someone gives the manager two road passes for a particular road.

1. One pass is expired.

2. The second pass is valid.

The traffic police then try to stop him from passing through the road.

The manager can still pass through that road by showing his valid pass: statement 1 is false OR statement 2 is true, so access to the road is true. 0 OR 1 = 1

AND logic:

Suppose someone gives the manager two road passes for a particular road.

1. One pass is valid.

2. The second pass is also valid.

The traffic police then try to stop him from passing through the road.

The manager can still pass through that road by showing his valid pass: statement 1 is true AND statement 2 is true, so access to the road is true. 1 AND 1 = 1

If we give access in one role but restrict it in another, the result is that access is given.

Resolution

If you find that users have access to applications or data they should not have, we recommend the following steps:

1. Run the View User Permission report to determine through which role the permission was granted to the employees.
2. If that does not clarify how/why they have that permission or creates concern about where else this permission is visible, then use the RBP Permission to User Report with the Single Permission Filter to validate what other groups have access to this permission.

If an access has to be restricted, find all the permission roles through which that user is getting the access and remove the access from each of those permission roles.

This is how RBP works when multiple permission roles or permission groups are providing the user access to a particular thing (field or Action).
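
The OR evaluation described under Cause and the search for granting roles described under Resolution, as a simplified Python model added here for illustration. It is not SAP code or a SuccessFactors API; the role names, users, departments and the `view:fieldX` permission string are constructed assumptions.

```python
# Simplified model of additive (OR) role evaluation. Not SuccessFactors code:
# every role, user, department and permission name here is constructed.
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Role:
    name: str
    members: FrozenSet[str]                 # users the role is granted to
    permissions: FrozenSet[str]             # what the role allows
    target_depts: Optional[FrozenSet[str]]  # None = all employees

EMPLOYEE_DEPT = {"alice": "Sales", "carol": "Finance"}

ROLES = [
    Role("Manager - Own Department", frozenset({"mgr_sales"}),
         frozenset({"view:fieldX"}), frozenset({"Sales"})),
    Role("HR Reporting - Everyone", frozenset({"mgr_sales", "hr_admin"}),
         frozenset({"view:fieldX"}), None),
]

def granting_roles(user, permission, target, roles=ROLES):
    """Names of every role that gives `user` `permission` over `target`."""
    dept = EMPLOYEE_DEPT[target]
    return [r.name for r in roles
            if user in r.members and permission in r.permissions
            and (r.target_depts is None or dept in r.target_depts)]

def has_access(user, permission, target, roles=ROLES):
    # OR across roles: one granting role is enough, and a narrower role
    # cannot take away what a broader role grants.
    return bool(granting_roles(user, permission, target, roles))

def without_permission(roles, role_name, permission):
    """Copy of `roles` with `permission` removed from the named role."""
    return [Role(r.name, r.members, r.permissions - {permission}, r.target_depts)
            if r.name == role_name else r for r in roles]

if __name__ == "__main__":
    # The manager sees field X for Finance because of the second role.
    print(granting_roles("mgr_sales", "view:fieldX", "carol"))
    fixed = without_permission(ROLES, "HR Reporting - Everyone", "view:fieldX")
    print(has_access("mgr_sales", "view:fieldX", "carol", fixed))  # other department
    print(has_access("mgr_sales", "view:fieldX", "alice", fixed))  # own department
```

In the model, access to the other department disappears only once the permission is removed from every role that grants it, while the department-scoped role keeps working for the manager's own employees.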

Keywords

Employee Central, Role Based Permission issue, RBP, unable to restrict access, KBA, role based permission not working, able to access even after restriction, employee central, LOD-SF-EC-RBP, Roles & Permissions (EC Core only), LOD-SF-ANA-RBP, Roles & Permissions, LOD-SF-PLT-RBP, Role Based Permissions, Problem

Product

SAP SuccessFactors Employee Central all versions ; SAP SuccessFactors HCM Core all versions