SAP Knowledge Base Article - Public

3557543 - Unauthorized Changes made to MDF objects by users who do not have access to areas such as Manage Data

Symptom

  • An update was made to an object, such as "Country/Region", by a user who has only an employee role and no admin access.
  • The change was made without direct access to Manage Data or Import/Export Data.
  • This issue raises a security concern as objects are being altered by unauthorized users.

Environment

SAP SuccessFactors HCM Core

Reproducing the Issue

  1. Log on to the affected system with the provided support access.
  2. Navigate to Manage Data.
  3. Select the object which was modified, e.g. Country/Region.
  4. In the bottom right corner, take note of the user who last made the change to the object.
  5. Go to Manage Permission Roles/User Role Search and validate the user permissions.
  6. Proxy as the user who made the change and notice that the user has no access to Manage Data or Import/Export Data through which to have made these changes.

Cause

The issue arises due to the object not being marked as secured. This allows a user to make changes to the object without direct access to Manage Data or Import/Export Data.

The user can make changes through other areas such as People Profile, Manage Position, Position Org Chart, etc., which have access to one or more objects referencing the object that was changed.

Resolution

Please keep the following points in mind to ensure unauthorized changes are not made to objects by users:

  1. A user does not need access to Manage Data to change an object.
  2. Understand that there are several areas such as People Profile, Manage Position, Position Org Chart, etc., which allow access to one or more objects referencing the object such as "Country/Region".
  3. If a user goes to one of these areas and can see the quick card next to these referenced objects, they can make changes to such an object without direct access to Manage Data or Import/Export Data.
  4. To prevent unauthorized users from updating critical objects, mark the object as Secured and controlled by additional RBP. Grant 'View' permission to everyone and 'Edit' access to only specific authorized users.
  5. Important: Core MDF objects cannot be marked as secured; please do not make any changes to these objects. The full list of objects that cannot be changed can be found here: List of MDF Core Objects | SAP Help Portal
  6. In cases where objects cannot be marked as secured but are critical in your system, ensure that unauthorized users do not have the RBP "Access to non-secured objects", so that these changes cannot be made by users who are not authorized to make them.

Keywords

SAP SuccessFactors, MDF, Unauthorized Changes, Country/Region Object, Security Issue, Manage Data, Role-Based Permissions, Secured Object, Quick Card, Object, LOD-SF-MDF, no access, changes, KBA, LOD-SF-MDF-OBJ, Object Definition & Field Related Issues, LOD-SF-MDF-MGD, Manage Data - Create, Update & Delete, LOD-SF-MDF-RBP, RBP Permissions on Objects, Problem

Product

SAP SuccessFactors HCM Core all versions