API user is able to retrieve Photo details (via OData API) of a user that is not in the target population of API user.
"Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental."
SAP SuccessFactors HCM Suite
Reproducing the Issue
1. Sample API user 'testapi' made an API call to query Photo of sample user 'usera' --> this user is out of the target population of api user 'testapi'
Photo?$filter=userId eq 'usera' photo2
2. In the response, the photo was retrieved.
- Photo will not check the target population of the permission, it will check the only key permission 'Photo' under 'Employee Data', if it is checked, this API user could get the Photo of any user including him/herself.
- This is the reason the photo is still retrievable even though the API user does not have the permission for this target user in User Role Search.
- API user can get the Photo info from API request even the API user does not have permission to the target user.
- So the situation is that EP API for Photo request seems not support the sub_filed with verify on the target population, if API user have the permission, it still get the Photo info from any user, and it is working as designed now.
You can submit an enhancement request to have a functionality to respect the target population be considered within future development cycles – you can do this on our Customer Community Portal at https://influence.sap.com/successfactors
For detailed steps on how to raise an enhancement request please follow KBA Article ##2090228 on “How to submit an enhancement request”.
2281168 - How to create Enhancement Request for Successfactors Integrations
2317289 - How to query the SF Odata Photo entity and retrieve the image
2755101 - How to upsert or insert profile photo - SuccessFactors OData API
2852291 - Able to retrieve deleted photo via Odata API, Photo Entity
Photo entity, outside target population, SuccessFactors OData API HCM suite, retrieve , KBA , LOD-SF-INT-ODATA , OData API Framework , LOD-SF-INT , Integrations , How To