SAP Knowledge Base Article - Public

3525086 - Unauthorized Access to Manage Pending Hires Data Via Hardcoded Link - Employee Central

Symptom

  • Users can access Manage Pending Hire Data even though they do not have the required permission.
  • This unauthorized access is achieved by using a hardcoded URL (for example, one saved in a bookmark).

Environment

SAP SuccessFactors HCM Suite

Reproducing the Issue

  1. Log in to the instance;
  2. Proxy as a user who does not have "manage pending hire" permission;
  3. Access the hardcoded URL for Manage Pending Hires.

Cause

This is a known code issue that will be fixed. 

Resolution

The engineering team has confirmed that the code fix is planned for release in 2H2024 (October 14th for Preview and November 15th for Production). After the fix, a user who tries to access Manage Pending Hires (MPH) through a hardcoded link without the "manage pending hire" permission will see a "no permission" error message on the screen.
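
The behaviour before and after the fix can be modelled as follows. This is an added example, not SAP code: the path, user names, role data and function names are hypothetical, and it assumes (the article does not say so) that the page was only protected by hiding its link rather than by a check in the page handler.

```python
# Added illustration with hypothetical names; not SAP SuccessFactors code.
from dataclasses import dataclass
from typing import Optional

MPH_PERMISSION = "manage pending hire"           # permission named in this article
MPH_PATH = "/placeholder/manage-pending-hires"   # placeholder; real URL not given here

# Constructed sample role data: user -> granted permissions.
PERMISSIONS = {
    "hr_admin": {MPH_PERMISSION},
    "line_manager": set(),
}

@dataclass
class Session:
    login_user: str
    proxy_target: Optional[str] = None

    @property
    def effective_user(self) -> str:
        # While proxying, authorization must follow the proxied account.
        return self.proxy_target or self.login_user

def has_permission(user: str, permission: str) -> bool:
    return permission in PERMISSIONS.get(user, set())

def menu_links(session: Session) -> list:
    """UI layer (assumed): the link is listed only for permitted users."""
    if has_permission(session.effective_user, MPH_PERMISSION):
        return [MPH_PATH]
    return []

def handle_before_fix(session: Session, path: str) -> tuple:
    """Symptom: the handler serves the page without its own permission check."""
    if path == MPH_PATH:
        return 200, "pending hires data"
    return 404, "not found"

def handle_after_fix(session: Session, path: str) -> tuple:
    """Fixed behaviour: the permission is re-checked on every request."""
    if path != MPH_PATH:
        return 404, "not found"
    if not has_permission(session.effective_user, MPH_PERMISSION):
        return 403, "no permission"
    return 200, "pending hires data"
```

The same request made through a bookmark yields the data in the first handler and the "no permission" result in the second, regardless of what the menu displayed.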

Keywords

Unauthorized Access, Manage Pending Hire Data, SAP SuccessFactors Platform, Data Privacy, GDPR Compliance, Hardcoded URL, Proxy User, INC9322503, ECT-243041, KBA, LOD-SF-EC-INT-UI, MPH UI & Column Config Tool, LOD-SF-EC-HIR, Hire & Rehire Wizards, Known Error

Product

SAP SuccessFactors Platform all versions