When the report is cross domain, user is able to see sensitive data. As defined in the RBP/target population settings of the domains involved, this data should not be visible to the user or the report should display the column as blank or null.
If it's a single domain report from either of the domains used, RBP is respected.
SuccessFactors Reporting and Analytics
- Ad Hoc or ORD Live Data
Reproducing the Issue
1. In Ad Hoc reporting or ORD Detailed Reporting Live Data, create a cross domain report with the following sub domain schemas (SDS)
Domain 1: Employee Profile
Domain 2: Succession (MDF Position based nominations)
2. Check the data that user is able to see VS RBP cell level permissions and target population settings.
Result: User is able to see data for a specific field or column which should be restricted from view.
This is most probably due to the following:
1. The following Provisioning switches are on:
- Enable Ad Hoc Cell Level Permission (Employee Profile Only)
- Enable Ad hoc row level permission for Succession subdomain schema (only support MDF Position)
- Enable Ad hoc field level permission for Succession subdomain schema (only support MDF Position)
- Enable Ad hoc cell level permission for Succession subdomain schema (only support MDF Position)
- Enable Field Level Permission for data model elements (in all Sub domain schemas)
- Enable Cell Level Permission for data model elements (in all Sub domain schemas)
- Enable Cell Level Permissions on group by reports
- Enable database type left outer join for cross domain Adhoc reports
2. Limited support for the SDS used in the cross domain report
As confirmed by Engineering, currently there is only a limited number of domains that work well with Cell Level Permissions for Cross Domain reporting when the function Left Outer Join is used.
Only the following subdomain schemas are supported:
1. Employee Profile
2. Performance Management
3. Compensation Planning
4. Compensation Eligibility
If the cross domain involves another SDS outside of these four, RBP will not apply for both domains in the report.
There is already an enhancement request for this in order to to support cell level permissions for all domains for all cross domain functions (RPT-6957), however we do not have an estimated release date as of yet.
A possible workaround for now is to disable the switch "Enable database type left outer join for cross domain Adhoc reports in Provisioning", but please note that may not be best if you need the left outer join function in the reports.
2437889 - Cross Domain Adhoc Target Population
Cross Domain report, Ad Hoc, ORD, RBP, cell level permission, sensitive data displayed, left outer join, LOJ, succession cross domain, employee profile cross domain , KBA , LOD-SF-ANA-ADH , Adhoc Reports & Report Builder , Product Enhancement