Symptom
The OData API query is not restricted by the Role-Based Permission (RBP) settings.
Environment
SuccessFactors
Reproducing the Issue
For example:
- You have defined the RBP settings, and the API user who has this role assigned (API user T) is restricted to target group A.
- There is an OData API query that returns group A and group B in its response.
- When API user T runs this query, the expected result is that only target group A is returned.
- The actual result is that group B is returned as well.
Cause
If the logged-in user has the Employee Central HRIS OData API (read-only) permission enabled, the OData API bypasses all permissions and returns all data.
Resolution
Disable this permission and the OData API will respect the RBP settings.
*Please be aware that when the EC OData API permission is disabled, integration scenarios may experience performance issues.
Keywords
RBP; Role-based Permission; OData API, KBA, LOD-SF-INT-ODATA, OData API Framework, Problem
Product
SAP SuccessFactors HCM Core 1802