SAP Knowledge Base Article - Public

3023095 - [ONB 2.0]Permission refreshing issue after conversion of external user to internal user and HRIS sync job for New Hires


  • The new hires who was created through ONB or HRIS Sync cannot see or be viewed their employee info although they already be configured in correct permission groups.
  • Due to which HR or any other responsible group is not able to view the employee profile from employee search.
  • They receive the below error: You do not have permission to view this profile.


SAP SuccessFactors Onboarding 2.0

Reproducing the Issue

  1. Hire a candidate from the Manage Pending Hire to EC
  2. Run the Convertexternaluseronstartdate and HRIS sync job
  3. Now the HR or any other permission group having the permission to view the employee profile for a respective permission group which the employee is part , should be able to view the employee profile.
  4. But they receive the error : You do not have permission to view this profile.


  • ONB is calling a platform owned 'ConvertExternalUsertoInternalUser' SCA to convert external user to internal user, who expect there should be overall refresh be triggered by this SCA.
  • However, that is not the true behavior in the existing SCA. It only does DGRefresh for the default 'EVERYONE' group.
  • As the result, the converted internal user cannot be refreshed in other groups after the conversion.
  • Once HRIS sync runs for the user, they might be able to be refreshed in other groups by the all DG refresh.
  • However, HRIS sync only pick the user when EC related data was changed for this user


The workaround for the issue is to trigger the 'Refresh Access Membership' or 'Refresh Rule User' job for it.

Please review below for the two different scenarios:

  1. Go to provisioning of the customer's instance
  2. Go to the Manage Scheduled Jobs and select the "Refresh RBP Rules" job type, and then click the Refresh button

Scenario 1: There is the submitted 'Refresh RBP Rules' job shown in the list

Please wait for the job to be completed or manually run it now. The frequency of the job execution relays on the specific configuration of the job.

Scenario 2: There is no job shown in the list

Then enable the switch below in provisioning:

  • Ensure 'Enable Refresh Framework' in 'Company Setting' is checked
  • Login to the instance and go to the permission group which included the new user or someone who needs to view the employee profile of the new user

  • In above role, user in group_a wants to see the new hire in group_b
  • Take below actions for either 'group_a' or 'group_b‘:
    1. Open the group and click 'save' without any changes. Attached screenshot for reference:

    2. The job 'Refresh Access Membership' then will be triggered

    3. Once the job be completed, go to User Role Search to check the result


Permission profile employee profile RBP Refresh ONB, OBD , KBA , LOD-SF-OBX-EC , Integration EC - MPH, Hire , Problem


SAP SuccessFactors Onboarding 2011