Symptom
Any user who has edit permissions for Payment Information or Work Order Information, or who can Enroll For Benefits, can edit Objects such as Country, Currency, Payment Method, VendorInfo, etc., even if they do not have sufficient permission settings for those Objects.
Environment
- SAP SuccessFactors HXM Suite
- SAP SuccessFactors Employee Central - Payment Information, Contingent Worker & Global Benefits
Reproducing the Issue
Example from Payment Information:
- Proxy as a user who has edit permissions for Payment Information but not for Country, Currency, etc.
- Go to Profile
- Click the pencil icon to edit Payment Information
- Click to view e.g. 'Currency'
- From the Currency screen, click 'Edit'
- The user can now edit the Currency settings and Save
Cause
This issue is caused by the Security settings of the Objects that can be edited.
Resolution
To correct this, the below steps need to be taken for all editable Objects. We will use Country in this example:
- Admin Center -> 'Configure Object Definition' of Object 'Country'
- Take Action -> Make Correction
- Under 'Security' change the 'Secured' field from 'No' to 'Yes'
- Leave the 'Permission Category' field as 'No Selection' (this will cause the Object permissions to be displayed under Miscellaneous in permission role settings)
Important Note: If using this method, ALL Permission Roles now need to be updated to provide 'View' Permissions under 'Miscellaneous Permissions' to the newly secured Object. You may also need to update any other Permission Role(s) that should be allowed to edit these Objects, etc.
To do so, follow the steps below:
- Admin Center -> Manage Permission Roles
- Locate the Permission Role to be adjusted -> Click on Permissions
- Navigate to 'Miscellaneous Permissions' and give the necessary permissions to the newly secured Object
FAQ - Additional Information
Q) Where can I get information on this from the Guide?
A) Guide: Implementing the Metadata Framework (MDF) - List of MDF Core Objects
See Also
2767161 - Access to non-secured foundation objects
3498317 - Work Schedules Are Not Available When Creating Temporary Change
3557543 - Unauthorized Changes to MDF Objects by Users Without Access to Manage Data
2744431 - How to Create Change Audit Reports and What Reports are Available.
Keywords
Payment Information, Edit, View, Permission, Country, Currency, Payment Method, Role, Permissions, Object, Secure, Security, Benefit, Enrollment, Editable, Work Order Information, VendorInfo, Vendor, Contingent Worker, Object Definition: Country/Region (Country), Implementing the Metadata Framework (MDF), unSecured, Secured, No, Yes, KBA, LOD-SF-EC-PAY, Payment Information (Bank Information), LOD-SF-EC, Employee Central, LOD-SF-EC-CWF, Contingent Workforce, LOD-SF-EC-GBF, Global Benefits, LOD-SF-EC-FOO, Foundation Objects (Organisation, Pay and Job Structures), Problem
SAP Knowledge Base Article - Public