SAP Knowledge Base Article - Public

3478896 - TrendData_SysOverallPotential OData API query is not respecting RBPs

Symptom

The TrendData_SysOverallPotential OData API query is not restricted by the Role-Based Permission (RBP) settings.

Environment

  • SAP SuccessFactors HCM
  • OData API - Trend Entities

Reproducing the Issue

  1. Set RBPs for a user with the 'Exclude granted users from having the same access to themselves' option enabled to prevent them from viewing/querying their own data.
  2. Data is not visible on the UI for the user as expected.
  3. Perform an OData API query with the same user to fetch their own data.
  4. The OData API response will return their data despite the restrictions applied via RBPs.

Cause

The TrendData_SysOverallPotential API validates whether the API user (the user performing the API call) has the 'Export Extended User Information' and/or the 'Label for trend element sysOverallPotential' permissions. If so, RBPs are bypassed and the user can query the trend data of any user, including him/herself.

Resolution

To resolve the issue, remove either or both of the following permissions:

  1. Administrator Permissions -> Manage User -> Export Extended User Information
  2. User Permissions -> Employee Data -> Label for trend element sysOverallPotential
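
To see which users are affected before changing roles, the following added example (not part of the SAP article and not SAP tooling) lists every user whose roles grant either permission named above. The CSV layout, role names and user names are constructed for illustration and are an assumption; adapt the parsing to your own permission-role export.

```python
import csv
import io
from collections import defaultdict

def _norm(text):
    # Collapse whitespace and ignore case so hand-edited labels still match.
    return " ".join(text.split()).casefold()

# The two (category, permission) pairs this article names as bypassing RBPs.
BYPASS_PERMISSIONS = [
    ("Manage User", "Export Extended User Information"),
    ("Employee Data", "Label for trend element sysOverallPotential"),
]
_LOOKUP = {(_norm(c), _norm(p)): p for c, p in BYPASS_PERMISSIONS}

# Constructed sample data; the column layout is an assumption, not an SAP export format.
ROLE_PERMISSIONS_CSV = """role,category,permission
HR Admin,Manage User,Export Extended User Information
HR Admin,Manage User,Manage Users
Talent Reviewer,Employee Data,Label for trend element sysOverallPotential
Employee Self Service,Employee Data,First Name
Integration,Manage User, export extended  user information
"""
ROLE_ASSIGNMENTS_CSV = """user,role
alice,HR Admin
bob,Talent Reviewer
bob,Employee Self Service
carol,Employee Self Service
svc_odata,Integration
svc_odata,Talent Reviewer
"""

def bypass_roles(role_permissions_csv):
    """Map each role to the set of bypass permissions it grants."""
    found = defaultdict(set)
    for row in csv.DictReader(io.StringIO(role_permissions_csv)):
        label = _LOOKUP.get((_norm(row["category"]), _norm(row["permission"])))
        if label:
            found[row["role"].strip()].add(label)
    return dict(found)

def users_bypassing_rbp(role_permissions_csv, role_assignments_csv):
    """Return {user: sorted [(role, permission)]} for users holding either permission."""
    roles = bypass_roles(role_permissions_csv)
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(role_assignments_csv)):
        role = row["role"].strip()
        hits[row["user"].strip()].extend((role, p) for p in roles.get(role, ()))
    return {user: sorted(grants) for user, grants in hits.items() if grants}
```

Calling users_bypassing_rbp(ROLE_PERMISSIONS_CSV, ROLE_ASSIGNMENTS_CSV) on the constructed data reports alice, bob and svc_odata with the role that grants each permission, and omits carol.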

See Also

SAP SuccessFactors API Reference Guide (OData V2) - Trend Entities

Keywords

TrendData_SysOverallPotential, potential, rating, label, RBP, OData API, KBA, LOD-SF-INT-ODATA, OData API Framework, LOD-SF-INT-API, API & Adhoc API Framework, LOD-SF-EP, People Profile (Employee Profile / PP3), Problem

Product

SAP SuccessFactors HCM Core all versions