SAP Knowledge Base Article - Public

3000418 - Time Type object can be updated from workflow details of a time off request


An employee is able to edit the time type configuration in Manage Data from the time type pop-up in a workflow request. This is a security issue, because the employee can update objects that they do not have permission to access.


  • SAP SuccessFactors Employee Central: Time Off

Reproducing the Issue

  1. Proxy as any employee in the system.
  2. Navigate to any pending time off request in 'view my pending requests'.
  3. The pop-up box is visible next to the time type in the leave request, and it can be used to edit the time type configuration.


A default screen is assigned to the Employee Time object, and it overrides the hard-coded permissions that ensure the time type object cannot be edited from the workflow details.


Remove the default screen assigned to the Employee Time object in Configure Object Definitions.


Time Type, permission, secured, edit, default screen, employee time, workflow request, time off, employee central, KBA, LOD-SF-EC-TIM-WAN, Workflows - Alerts - Notifications, Problem


SAP SuccessFactors Employee Central all versions; SAP SuccessFactors HXM Core all versions