SAP Knowledge Base Article - Public

3640114 - Role-based permissions (RBP) bypass via direct URL access in Manage Pending Hire page

Symptom

Users without appropriate permissions can access a hire draft via a direct URL to the Manage Pending Hire page.

Environment

SAP SuccessFactors Employee Central: Manage Pending Hires

Reproducing the Issue

  1. Go to the Manage Pending Hire page.
  2. Open a draft (for example: Onboarding) and copy the draft URL.
  3. Proxy as a user without RBP permissions to access the relevant module.
  4. Confirm that the draft is not visible in the drafts section for the proxied user.
  5. Paste the copied draft URL into the browser while still proxied as the user without permissions and press Enter.
  6. Observe that the draft loads and is accessible despite the lack of RBP permissions.
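
The behaviour in steps 4 to 6 is what results when a list view filters by permission but the handler behind the direct URL does not repeat the check. The following is an added illustrative model, not SAP code and not part of the original article: all names, the permission string format and the sample draft are hypothetical, and it shows the unchecked handler beside a checked one plus a regression check that compares list visibility with direct access.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised when the caller lacks permission for the requested object."""

@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset  # hypothetical permission names

# Constructed sample data: one draft, keyed by the id that appears in its URL.
DRAFTS = {"d-1001": {"module": "onboarding", "candidate": "Sample Candidate"}}

def can_view(user, draft):
    # Hypothetical permission model: one view permission per module.
    return f"{draft['module']}:view" in user.permissions

def list_drafts(user):
    # The drafts section filters by permission, so the draft is hidden (step 4).
    return [i for i, d in DRAFTS.items() if can_view(user, d)]

def open_draft_unchecked(user, draft_id):
    # Weak form: trusts that a caller holding the URL was allowed to see it.
    return DRAFTS[draft_id]

def open_draft_checked(user, draft_id):
    # Hardened form: repeats the permission check on every direct request.
    draft = DRAFTS.get(draft_id)
    if draft is None or not can_view(user, draft):
        raise Forbidden(draft_id)  # same answer for "missing" and "not allowed"
    return draft

def regression_check(user, draft_id, opener):
    # True when list view and direct access agree for this user and draft.
    listed = draft_id in list_drafts(user)
    try:
        opener(user, draft_id)
        opened = True
    except Forbidden:
        opened = False
    return listed == opened

if __name__ == "__main__":
    proxied = User("no_rbp_user", frozenset())
    print(regression_check(proxied, "d-1001", open_draft_unchecked))  # False
    print(regression_check(proxied, "d-1001", open_draft_checked))    # True
```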

Cause

This is a Known Issue.

Resolution

See Also

Keywords

rbp bypass, manage pending hire, mph page, unauthorized access, sap successfactors, onboarding draft, direct url access, sensitive information, role-based permissions, regression issue, sap successfactors security, mph ui, column config tool, 1h 2026, 2026, ECT-258285, b2605, KBA, LOD-SF-EC-INT-UI, MPH UI & Column Config Tool, LOD-SF-EC, Employee Central, LOD-SF-EC-INT, Manage Pending Hires (Integration RCM/ ONB/ OBX + UI), LOD-SF-OBX, Onboarding 2.0, LOD-SF-OBX-EC, Integration EC - MPH, Hire, Known Error

Product

SAP SuccessFactors Employee Central 2505