SAP Knowledge Base Article - Public

2767161 - Access to non-secured foundation objects

Symptom

A user doesn't have access to Manage Data but is still able to edit an object, as seen from the timestamp of the object in Manage Data.

"Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental." 

Environment

  • SAP SuccessFactors Employee Central
  • SAP SuccessFactors HXM Suite
  • Metadata Framework (MDF)

Cause

Missing permission on Access to non-secured objects (previously known as 'Read/Write Permission on Metadata Framework')

After the 1902 release, this permission is no longer required to access objects which are marked as Secured='Yes' in Configure Object Definitions. However, it is required for non-secured MDF objects, as per the scenarios below.

  • If this permission is not granted, in Manage Data the user will be able to see only objects which are marked as Secured='Yes' and to which the user has access.
  • If this permission is granted, the user will get access to all objects which are marked as Secured='No' and to the secured objects to which the user has access.

For foundation objects, there is a separate permission, "MDF Foundation Objects", where you can control for which Foundation Objects you have view/create/insert/correct or delete access.

Resolution

To check whether the user has access to non-secured objects:

  1. Go to the "User Role Search" admin tool.
  2. Enter and select the user in "Access Users".
  3. Select Permission Category = "Metadata Framework".
  4. Click the "Search Roles" button.
  5. You'll get a list of the permission roles which give the affected user access to all the non-secured objects.

Then, as per your requirement:

  1. Go to Manage Permission Roles.
  2. Select the role you want to change.
  3. Click Permission....
  4. Navigate to the section Metadata Framework.
  5. Check or uncheck the option "Access to non-secured objects (previously known as 'Read/Write Permission on Metadata Framework')".

Note:

If the Country object is not marked as secured, a user can update its records if there is a quick card which points to the object, such as: Bank, Legal Entity, PaymentInformationDetailV3, Person, TimeAccountType, WorkSchedule, PayScaleArea, Type, Area Group, CountrySpecificValidationConfiguration, TimeType.

For example, if a user has access to view the LegalEntity, the user can click the quick card of the legal entity, then click the quick card of Country, then click Manage and update the Country object.

To help prevent this issue, you can set the Country as Secured = 'Yes' and grant read-only access to ‘Everyone’ — with visibility limited to just two fields: Code and Name.

FAQ - Additional Information

Q) Where can I get information on this from the Guide?

A) Guide: Implementing the Metadata Framework (MDF) - List of MDF Core Objects

Q) If a user has access to any object which has a country field (and shows a quick card), can the user manipulate the Country object?

A) To prevent this, you can set the Country as Secured='Yes' and grant access as read-only to 'Everyone' with just two fields (Code and Name).

Keywords

Restrict access to unsecured objects under manage data, MDF-27490, able to edit an object without access to manage data, manage data, without permission, secured object, non secured object, object definition, permission, Incident INC3919379, Object Definition: Country/Region (Country), Implementing the Metadata Framework (MDF), unSecured, Secured, No, Yes, KBA, LOD-SF-EC-FOO, Foundation Objects (Organisation, Pay and Job Structures), LOD-SF-EC-RBP, Roles & Permissions (EC Core only), LOD-SF-EC-ADM, Admin Tools (EC Core only), Problem

Product

SAP SuccessFactors Employee Central all versions ; SAP SuccessFactors HCM Suite all versions