SAP Knowledge Base Article - Public

2274351 - Include Self and Exclude Self Criteria When Adding a Rule - RBP

Symptom

Under Role Based Permissions (RBP), while adding a rule, the system allows enabling the two options below when granting the Role to any Hierarchical Role:

  • Option 1: Include access to Granted User (Self)
  • Option 2: Exclude Granted User from having the permission access to him/herself

Scenario A

When the both options are enabled, Option 2 will override Option 1. In this scenario granted users will be excluded to have permission access on themselves.

Example: Permission to delete documents (Performance forms).
Significance of the permission: All Managers will be able to look for forms and delete them for their target population but not their own forms.
Concern: When system allows you to select Option 1, it still allows you to check Option 2. This appears to be contradicting in nature.

RBP1.PNG 

Scenario B

Only Include access to Granted User (Self) is enabled: the granted users will be included to have permission access on themselves.
When both options are disabled, granted users will not have permission access on themselves, meaning by default system considers Option 2 as enabled.
Concern: Considering Option 2 is system default, why is there additional checkbox?

RBP2.PNG

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

Environment

SAP SuccessFactors HCM Suite

Reproducing the Issue

  1. Go to Admin Center > Manage Permission Roles
  2. Open any listed permission role and under Permission Role Detail (i.e. Grant this role to...)
  3. For any rule, click Edit Granting
  4. This will open a new window "Grant this role to..."
  5. Look for the available options under "Specify the target population whom the above granted users have permission to access".
  6. This section denotes the target population on which granted users will have access
  7. Below are the two options which are available in Granting the Role to any Hierarchical Role:
    1. Option 1: Include access to Granted User (Self)
    2. Option 2: Exclude Granted User from having the permission access to him/herself

Resolution

  1. Scenario A: As both the options conflict, one of them is designed to have higher priority. Customers are requested to select one at a time, meeting their respective business requirements.
  2. Scenario B: As there is a hierarchal relationship (Example: Manager and Employees), managers will by default have access to their reports and NOT for themselves. Unless choosing Option 1, the manager himself will NOT be in target population.

Keywords

SF, success factors, cloud, PLT, platform, BizX, biz x, RBP , KBA , LOD-SF-PLT-RBP , Role Based Permissions , How To

Product

SAP SuccessFactors HXM Suite all versions