SAP Knowledge Base Article - Public

3058437 - CSF field permissions getting removed from RBP Permission roles post 1H 2021 release

Symptom

In a few SuccessFactors instances, some previously existing EC-related permissions were found to be missing from the affected permission roles after the 1H 2021 release.

Environment

SAP SuccessFactors HXM Suite

Cause

The RBP Framework regularly (daily, in most cases) refreshes the RBPModel in memory. The refresh calls permission collectors to get dynamic permissions from the modules. The missing permissions are normally collected by an EC field permission collector.

In this scenario, the EC collector threw an exception because its newly added validator for the CSF data model detected that the gender-country-specific field was not correctly configured.
Consequently, the RBPModel did not get permissions from this collector, and these permissions were treated as non-existing/invalid in memory. At the database level, however, these permissions were already configured and in use for some roles.


Security Center had a migration script to add some new permissions to existing roles. The migration script was successfully executed during the preview release.

During the migration process, the migration script called an RBP method to retrieve the permission list for specific roles. This RBP method queried the permission list from the database and filtered out all 'non-existing/invalid' permissions based on their status in memory, which is the expected behavior.

Then the migration script added the new permissions from the Security Center to the permission list and called the update role method, which wrote the new permission list to the database and overwrote the old one. As a result, some EC field permissions were lost from the affected permission roles.
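
The sequence above, reduced to a small model (an added example, not SAP code): a collector failure shrinks the in-memory permission set, a filtered read followed by an overwrite drops the stored EC permissions, and a before/after diff lists what has to be added back. All function names, role names and permission names are hypothetical, and the additive variant is an assumption shown for contrast, not the vendor's fix.

```python
# Simplified model of the sequence described above. All names are hypothetical;
# this is not SAP SuccessFactors code, and the sample data is constructed.
EC_PERMS = {"ec.globalInfo.gender-country-specific.view", "ec.globalInfo.genericString1.edit"}

def ec_field_collector(csf_model_valid):
    # Stand-in for the EC field permission collector and its CSF validator.
    if not csf_model_valid:
        raise ValueError("gender-country-specific is not linked to a gender picklist")
    return set(EC_PERMS)

def refresh_model(csf_model_valid):
    """In-memory set of known permissions; a failing collector contributes nothing."""
    known = {"platform.login", "security.center.access"}
    try:
        known |= ec_field_collector(csf_model_valid)
    except ValueError:
        pass  # the collector's permissions now count as non-existing/invalid
    return known

def get_role_permissions(db, role, known):
    # Read from the database, then drop permissions the in-memory model does not know.
    return {p for p in db[role] if p in known}

def migrate_overwrite(db, role, known, new_perms):
    # As described in the article: filtered list + new permissions overwrites the stored list.
    db[role] = get_role_permissions(db, role, known) | set(new_perms)

def migrate_additive(db, role, new_perms):
    # Defensive variant (an assumption, not the vendor's fix): add without a filtered rewrite.
    db[role] = set(db[role]) | set(new_perms)

def dropped_permissions(before, after):
    """Per role, permissions present before the migration and absent after it."""
    diff = {r: before[r] - after.get(r, set()) for r in before}
    return {r: sorted(d) for r, d in diff.items() if d}

def run_demo(csf_model_valid, additive=False):
    before = {"HR Admin": {"platform.login"} | EC_PERMS}  # constructed sample role
    db = {r: set(p) for r, p in before.items()}
    new = {"security.center.access"}  # constructed permission name
    if additive:
        migrate_additive(db, "HR Admin", new)
    else:
        migrate_overwrite(db, "HR Admin", refresh_model(csf_model_valid), new)
    return dropped_permissions(before, db), db

if __name__ == "__main__":
    print("invalid CSF model, overwrite:", run_demo(False)[0])
    print("invalid CSF model, additive: ", run_demo(False, additive=True)[0])
```
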

Resolution

The customer needs to either correct or remove the incorrect field configuration in the CSF Data Model.
Steps:

  1. Download the CSF Data Model, or go to Manage Business Configuration in Admin Center.
  2. Check whether gender-country-specific is configured under globalInfo_xxx and is not linked to a picklist of type gender_xxx.
  3. Create a picklist of type gender_xxx in the system if it doesn't exist, and then assign it to the field gender-country-specific under globalInfo for all countries where this field is configured.
  4. Re-upload the CSF Data Model, or save the changes in Manage Business Configuration, depending on which process is being used.


The configuration change should trigger the RBPModel refresh job. It is also possible to trigger an ad hoc RBP refresh in Provisioning, or to wait for the daily refresh.

  • If the above change was made for production in this week (before the 2105 production release), no further action is needed.
  • If the issue is found after the production release or in preview instances, please review the role change audit to find any affected roles (they should show as changed by 'v4admin'). Once the refresh job (type: RefreshRBPDataModel) is completed, go to the admin page and add the missing permissions back to the affected roles.

Keywords

CSF data model, 1H 2021, Permissions missing, Permissions removed, CSF fields, CSF permissions, KBA, LOD-SF-PLT-RBP, Role Based Permissions, LOD-SF-EC, Employee Central, Problem

Product

SAP SuccessFactors HXM Suite all versions