A user is able to view and/or edit all MDF objects, such as Positions, when they do not have permission to do so.
Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.
SAP SuccessFactors - Employee Central
Reproducing the Issue
- Log in as a user with a restricted permission pool for Positions
- Navigate to the Position Org Chart
- The user can see and/or edit Positions which are not part of their target population.
One cause of this can be the addition of target permissions for "External Onboarding User".
- When adding a target population of type "External Onboarding User", any MDF object permissions provided in that role will inherit "All access" permissions for each MDF object.
- If you review the granting section when this User Type is selected, you will see there is a difference in section three. With this User Type, section three is "Data Access Period Settings", whereas it would normally be "Specify the target population for the other objects.". This makes it hard to see what permissions are provided to MDF objects.
- In the permission role, if you select the "Print Preview" option and review the output, under the required object (for example, Position) you will see that "All access" permissions are provided to any granting that uses User Type: External Onboarding User.
- This is a limitation of the feature.
- Based on the above information, permission granting for User Type: External Onboarding User should not be provided in Permission Roles where MDF object permissions need to have a restricted target.
- You should only grant permissions for User Type: External Onboarding User in a role which does not include any MDF permissions.
- This may require you to create a separate role to achieve this.
permissions, position, mdf, object, External Onboarding User, onboarding, restriction, all, granting , KBA , LOD-SF-EC-POS , Position Management , LOD-SF-MDF , Metadata Framework , Problem