Symptom
A TrendData_SysOverallPotential OData API query is not restricted by the Role Based Permission (RBP) settings.
Environment
- SAP SuccessFactors HCM
- OData API - Trend Entities
Reproducing the Issue
- Set RBPs for a user with the 'Exclude granted users from having the same access to themselves' option enabled to prevent them from viewing/querying their own data.
- Data is not visible on the UI for the user as expected.
- Perform an OData API query as the same user to fetch their own data.
- The OData API response returns the user's own data despite the restrictions applied via RBPs.
Cause
The TrendData_SysOverallPotential API checks whether the API user (the user performing the API call) has the 'Export Extended User Information' and/or the 'Label for trend element sysOverallPotential' permission. If so, RBPs are bypassed and the user is able to query the trend data of any user, including themselves.
Resolution
To resolve the issue, remove one or both of the following permissions:
- Administrator Permissions -> Manage User -> Export Extended User Information
- User Permissions -> Employee Data -> Label for trend element sysOverallPotential
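As an added example (not part of this KBA or SAP's own tooling), a small Python check that can be run after the permissions above have been removed, to confirm the self-access exclusion now holds for the OData API as well: it builds the query for the restricted user's own records, and flags any returned record that belongs to the caller. The entity's 'userId' property, the '/odata/v2/' endpoint path and basic authentication are assumptions, not taken from this KBA.

```python
import base64
import json
from urllib.parse import quote
from urllib.request import Request, urlopen

ENTITY = "TrendData_SysOverallPotential"


def build_query_url(base_url: str, user_id: str, entity: str = ENTITY) -> str:
    """Build the OData v2 query for one user's trend records.

    Assumption (not stated in the KBA): the entity exposes a 'userId'
    property and the tenant's OData endpoint lives under /odata/v2/.
    """
    flt = quote(f"userId eq '{user_id}'", safe="'")
    return f"{base_url.rstrip('/')}/odata/v2/{entity}?$format=json&$filter={flt}"


def fetch_as_user(url: str, api_user: str, password: str) -> dict:
    """Call the API authenticated as the *restricted* user (basic auth assumed)."""
    token = base64.b64encode(f"{api_user}:{password}".encode()).decode()
    req = Request(url, headers={"Authorization": f"Basic {token}",
                                "Accept": "application/json"})
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)


def self_records(response: dict, caller_user_id: str) -> list:
    """Return the records in an OData v2 JSON body ('d' -> 'results') that
    belong to the calling user. With the self-access exclusion in place this
    list must be empty; anything in it means the RBP restriction was bypassed."""
    results = response.get("d", {}).get("results", [])
    return [r for r in results if r.get("userId") == caller_user_id]


if __name__ == "__main__":
    # Constructed sample body, standing in for a live response taken while the
    # 'Export Extended User Information' permission was still granted.
    sample = {"d": {"results": [{"userId": "u123", "rating": 3},
                                {"userId": "u999", "rating": 2}]}}
    leaked = self_records(sample, "u123")
    print("RBP bypass detected:" if leaked else "restriction holds:", leaked)
```

Replace the constructed sample with the body returned by fetch_as_user() for the test user to check a live tenant.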
Keywords
TrendData_SysOverallPotential, potential, rating, label, RBP, OData API, KBA, LOD-SF-INT-ODATA, OData API Framework, LOD-SF-INT-API, API & Adhoc API Framework, LOD-SF-EP, People Profile (Employee Profile / PP3), Problem