SAP Knowledge Base Article - Public

3485800 - Admin with no RBP Permission can Access the Application Security Feature Settings

Symptom

  • An admin user with no RBP access for Application Security Feature Settings can open the tool
  • The message "You don’t have permission to make changes." appears when saving changes on the Application Feature Settings

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

Environment

SAP SuccessFactors HCM Core

Reproducing the Issue

  1. Log in to the instance as an admin user with no RBP permission for Application Security Feature Settings and go to Admin Center.
  2. In the Tools box, search for Application Security Feature Settings. The tool appears in the results even without the necessary permission.
  3. Click the tool. The page for the tool opens.
  4. Try to make a change. The message "You don’t have permission to make changes" appears instead.

Cause

The settings on the Application Security Feature Settings page were previously located in Platform Feature Settings. To introduce the new page smoothly, access to it is not limited to users with the necessary RBP permission (Manage Security > Manage Application Security Feature Settings).

Resolution

Users who have security_admin/generate_admin can also access this page. This page has no sensitive data. The reason for this is to let administrators know that there are some configurations to protect the system. However, to change the settings or update configurations on the page, you need the following permission: Manage Security > Manage Application Security Feature Settings.

For example, if a user has Manage System Properties > Platform Feature Settings or Manage Security > Manage SAML SSO Settings, they are one of the administrators and should know the configurations. However, they cannot change them without the permission documented in the help guide: Manage Security > Manage Application Security Feature Settings. Hence, the "You don’t have permission to make changes" message appears whenever such an admin user tries to make a change in the tool.

If this admin user could previously see Platform Feature Settings, or has one of the admin permissions, for example one of the following (there may be more), they can access the page:

  • Manage Security
  • Admin Center permissions
  • Manage System Properties
  • Manage SAP System Configuration
  • Manage Security Center

Employees who can access this feature must already have some admin permissions to open the page, but they cannot change the settings.

To avoid confusion and further customer tickets and queries, the Engineering team has planned a patch with the following changes:

  1. Add an additional permission check to ensure that only users with either of the following permissions are able to Read the application security settings page:
    • Manage Application Security Feature Settings
    • Platform Feature Settings (this will be aligned with the access control behavior in previous releases)
  2. Work with UA to add details to the user guide explaining exactly which settings allow Read and Edit access to the application security settings.
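
To see which roles the planned read check would affect, the sketch below classifies roles by current read access, read access after the patch, and edit access. It is an added example, not SAP code and not an SAP API: the role export and role names are constructed, and treating the listed admin permissions as "Category > Permission" categories is an assumption.

```python
# Added illustration: permission names come from the KBA, role data is constructed.
EDIT_PERMISSION = "Manage Application Security Feature Settings"

# Read access after the planned patch (item 1 of the planned changes).
PATCHED_READ = {EDIT_PERMISSION, "Platform Feature Settings"}

# Admin permissions the KBA lists as currently opening the page. Assumption:
# they are treated as permission categories, and the KBA notes there may be more.
CURRENT_READ_CATEGORIES = {
    "Manage Security",
    "Admin Center permissions",
    "Manage System Properties",
    "Manage SAP System Configuration",
    "Manage Security Center",
}

def parse(grant):
    """Split 'Category > Permission' into a (category, permission) pair."""
    category, _, name = grant.partition(">")
    return category.strip(), name.strip()

def classify(grants):
    """Return the page access a set of granted permissions yields."""
    parsed = [parse(g) for g in grants]
    categories = {c for c, _ in parsed}
    names = {n for _, n in parsed}
    return {
        "read_now": bool(categories & CURRENT_READ_CATEGORIES),
        "read_after_patch": bool(names & PATCHED_READ),
        "edit": EDIT_PERMISSION in names,
    }

def loses_read_access(roles):
    """Roles that can open the page today but not once the patch is applied."""
    access = {role: classify(grants) for role, grants in roles.items()}
    return sorted(r for r, a in access.items()
                  if a["read_now"] and not a["read_after_patch"])

# Constructed role export; role names and the last permission are placeholders.
ROLES = {
    "Security Admin": ["Manage Security > Manage Application Security Feature Settings"],
    "Platform Admin": ["Manage System Properties > Platform Feature Settings"],
    "SSO Admin": ["Manage Security > Manage SAML SSO Settings"],
    "Line Manager": ["Example Category > Example Permission"],
}

if __name__ == "__main__":
    print("Read access removed by patch:", loses_read_access(ROLES))
```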

Keywords

application feature settings, platform feature settings, security, rbp, permission, admin, LOD-SF-PLT-RBP, security feature, security settings, sf, successfactors, role based permission, KBA, Role Based Permissions, Problem

Product

SAP SuccessFactors HCM Core 2405
