Symptom
- An API user assigned to a specific permission role is accessing data outside the defined scope.
- The API user retrieves both current and past employment records, including records from regions not permitted by the assigned role.
- Example: An employee currently working in the North America region has a past assignment in Brazil, and both records are returned via the API, although the API user should not have access to the employee's past assignment.
Environment
- SAP SuccessFactors HCM Suite
- Compound Employee API
Reproducing the Issue
- Assign the API user to a permission role that restricts access to specific regions or populations.
- Query the Compound Employee API for an employee with multiple employment records across different regions.
- Observe that the API response includes records outside the defined scope of the permission role.
Cause
- The permission for the Compound Employee API restricts accessible data based on the definition of the target population, such as a country/region or department.
- The permission check is performed at the person level. If a person has multiple employments, all employments are included in the response, even if the target population only includes a subset.
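The following added example (not SAP code and not the Compound Employee API schema) models the person-level check described above on constructed data and lists the employments that fall outside the role's target population. The `Employment` fields, the country codes, the function names and the rule that one matching employment puts a person in scope are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Employment:
    person_id: str
    country: str          # hypothetical field standing in for the region criterion
    start: str
    end: Optional[str]    # None means the employment is current


# Constructed sample data mirroring the article's example (P1: past Brazil, current USA).
EMPLOYMENTS = [
    Employment("P1", "BRA", "2015-01-01", "2019-12-31"),
    Employment("P1", "USA", "2020-01-01", None),
    Employment("P2", "BRA", "2018-06-01", None),
    Employment("P3", "CAN", "2021-03-01", None),
]


def person_level_query(employments, target_countries):
    """Person-level check: a person is in scope if any of their employments
    matches (assumption), and then all of that person's employments are returned."""
    in_scope = {e.person_id for e in employments if e.country in target_countries}
    return [e for e in employments if e.person_id in in_scope]


def out_of_scope(response, target_countries):
    """Audit helper: employments in a response that lie outside the target population."""
    return [e for e in response if e.country not in target_countries]


def employment_level_filter(response, target_countries):
    """Filter a receiving integration can apply before forwarding the data."""
    return [e for e in response if e.country in target_countries]


if __name__ == "__main__":
    role_scope = {"USA", "CAN"}  # constructed target population
    response = person_level_query(EMPLOYMENTS, role_scope)
    for e in out_of_scope(response, role_scope):
        print("outside role scope:", e)
    print("after filter:", employment_level_filter(response, role_scope))
```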
Resolution
This is expected behavior.
As stated in the guide page below: "The permission check is performed at the person level. If a person has multiple employments, all employments are included in the response, even if the target population only includes a subset."
Granting Permissions for Restricted Access to Compound Employee API
Keywords
compound employee api, permission scope, api data access, employment records, restricted access, target population, multiple employments, region permissions, api user permissions, data outside scope, KBA, LOD-SF-INT-CE, Compound Employee API, Problem
Product
SAP SuccessFactors Platform all versions
SAP Knowledge Base Article - Public