Users can no longer access Groups under Settings while proxying as another user after the 2H 2021 release.
SAP SuccessFactors HXM Suite
Reproducing the Issue
- Proxy as another user in the system
- Access 'Settings' from the top right side of the header
- Observe 'Groups' is no longer visible in Settings while proxying
This is expected behavior post 2H 2021 release.
The ability to access Groups under Settings while proxying as another user has been removed as part of the 2H 2021 release.
This change had to be made to address the following security gap:
- Previously, having proxy rights for "Options(Mobile)" also granted the ability to access Options -> Groups during proxy. However, the proxy permission "Options(Mobile)" is meant to provide access to Settings -> Mobile only. Providing additional access to My Groups is a violation of the Principle of Least Privilege.
Therefore, access to My Groups was removed to ensure that proxy users have access only to the functionality that the permission is designed to grant.
In the 1H 2022 release, our Product team is planning to provide a new proxy permission to control the visibility of Group Editing via proxy; this will be compliant with our data protection guidelines. However, since it is a new feature that requires several framework changes, the earliest possible timeline is the next major release.
Groups, Settings, Proxy, Release, PLA-26829, KBA, LOD-SF-PLT-PRX, Proxy, Product Enhancement