Symptom
When Pay Components are accessed in Document Generation via rules mapping, the logged in user's permissions are not checked. Even though the logged in user does not have permission to view the subject user's Pay Components, he/she can still generate a document with the subject user's Pay Components if the mapping is done through rules. Though, the permissions are respected when the mapping is direct.
Environment
Employee Central: Document Generation
Cause
The Document Generation framework uses the rules framework when the mapping is done through rules. The scenarios and the ways the rules can be configured involving Payment Components can be vast and there is no single way it can be handled in the system. Currently this is a limitation in the Document Generation with respect to permissions when Pay Components are used in rule mappings.
Resolution
Please note that permissions are respected when direct mapping is in use. For rule mappings, restrict/provide permissions of Document Generation templates based on if the logged in user has permissions for the Pay Components (that are mapped using rules) of the target user.
Keywords
rule mapping, ECT-97528, permission , KBA , LOD-SF-EC-DOC , Document Generation , Bug Filed