SAP Knowledge Base Article - Public

2662925 - Users can 'Edit' Objects Without Permissions From Payment Information, Work Order Information & Benefit Enrollment UI

Symptom

Any user who has edit permissions for Payment Information or Work Order Information, or who can Enroll For Benefits, can edit Objects such as Country, Currency, Payment Method, VendorInfo, etc., even if they don't have sufficient permission settings for those Objects.

"Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental."

Environment

  • SAP SuccessFactors HXM Suite
  • SAP SuccessFactors Employee Central - Payment Information, Contingent Worker & Global Benefits

Reproducing the Issue

Example from Payment Information:

  1. Proxy as a user who has edit permissions for Payment Information but not for Country, Currency, etc.
  2. Go to Profile
  3. Click the pencil icon to edit Payment Information
  4. Click to view e.g. 'Currency'
  5. From the Currency screen, click 'Edit'
  6. User can now edit Currency settings and Save

Cause

This issue is caused by the Security settings of the Objects that can be edited.

Resolution

To correct this, the steps below need to be taken for all editable Objects. We will use Country in this example:

  1. Admin Center -> 'Configure Object Definition' of Object 'Country'
  2. Take Action -> Make Correction
  3. Under 'Security' change the 'Secured' field from 'No' to 'Yes'
  4. Leave the 'Permission Category' field as 'No Selection' (this will cause the Object permissions to be displayed under Miscellaneous in permission role settings)

Important Note: If using this method, ALL Permission Roles now need to be updated to provide 'View' permissions under 'Miscellaneous Permissions' to the newly secured Object. You may also need to update any other Permission Role(s) that should be allowed to edit these Objects, etc.

To do so, follow the remaining steps:

  1. Admin Center -> Manage Permission Roles
  2. Locate the Permission Role to be adjusted -> Click on Permissions
  3. Navigate to 'Miscellaneous Permissions' and give the necessary permissions to the newly secured Object

Keywords

Payment Information, Edit, View, Permission, Country, Currency, Payment Method, Role, Permissions, Object, Secure, Security, Benefit, Enrollment, Editable, Work Order Information, VendorInfo, Vendor, Contingent Worker, KBA, LOD-SF-EC-PAY, Payment Information (Bank Information), LOD-SF-EC, Employee Central, LOD-SF-EC-GBF, Global Benefits, LOD-SF-EC-CWF, Contingent Workforce, Problem

Product

SAP SuccessFactors Employee Central all versions ; SAP SuccessFactors HCM suite all versions