Users can no longer access Groups under Settings while proxying as another user after the 2H 2021 release.
SAP SuccessFactors HXM Suite
Reproducing the Issue
- Proxy as another user in the system
- Access 'Settings' from the top right side of the header
- Observe 'Groups' is no longer visible in Settings while proxying
This is expected behavior post 2H 2021 release.
The ability to access Groups under Settings while proxying as another user has been removed as part of the 2H 2021 release.
This change had to be made to address the following security gap:
- Previously, having Proxy rights for "Options(Mobile)" also granted the ability to access Options -> Groups during proxy. However, the proxy permission "Options(Mobile)" is meant to provide access to Settings -> Mobile only. Providing additional access to My Groups is a violation of the Principle of Least Privilege.
Therefore, access to My Groups was removed to ensure that proxy users have access only to the functionality that each proxy permission is designed to grant.
As part of the 1H 2022 release, our Product team added a new 'Options (Groups)' module permission that can be granted when creating proxy assignments.
When the 'Options (Groups)' module permission is granted in a proxy assignment, the proxy user is able to access Groups under Settings while proxying as the account holder.
Groups, Settings, Proxy, Release, PLA-26829, KBA, LOD-SF-PLT-PRX, Proxy, Product Enhancement