- In both test and production environments, users can edit custom objects such as Time Off.
USE CASE EXAMPLE: After time off approval, an employee can edit the time off request and change the externalCode, externalName, Payroll Code.
- How can this be prevented?
- How can permissions be set on the objects?
Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.
SAP SuccessFactors Employee Central
Reproducing the Issue
Reproducing the above use case.
This is an example; however, all custom objects are susceptible to such unauthorized editing.
- In this case, the user is able to edit the time off object after it has been approved:
- The user is able to make changes to external code and successfully save the change. This is an action which can impact payroll:
The object has not been secured and the Role Based Permissions (RBP) have not been configured:
- Secure the object and configure RBP:
- The below configuration means the object RBP will be defined in Miscellaneous:
- Once the above configuration is done, the object will appear in the selected area; in this case we have chosen Miscellaneous:
- Notice the user no longer has editing rights, and will not be able to make any changes, but can still view the details:
KB article 2285199 - How to create a Custom Foundation Object