Hi Community,

We are running into a serious issue with Report Center / reporting in SuccessFactors: it seems that RBP (Role-Based Permissions) is no longer being respected in reports.

• Until recently, reports limited users to only their permitted target population.

• Now HR admins can run reports and pull all employees’ data (including salaries), even outside their scope.

• This behavior happens in Production only; in Preview, permissions still work correctly.

• We compared a “Permissions to User” (RBP) report in both systems — role/population assignments look identical.

• Interestingly: via the regular UI, the user cannot see those out-of-scope records — the leak happens only via reporting.

Has anyone else seen this “RBP bypass via reports” issue? A few questions:

• Are there known bugs where reports ignore target populations or field-level permissions (e.g. for salary/compensation)?

• Could caching, metadata sync, or permission propagation delays cause the differing behavior between Prod and Preview?

• What logs or diagnostics should I check (report audit logs, data model logs, debug traces, etc.)?

• Could an API, integration, or backend load (e.g. OData, People Analytics) be retrieving data outside RBP?

• Are there any interim mitigations or guard rails (e.g. masking, other controls) we can apply immediately?

Thanks in advance for any insights or similar experiences you can share!

Appreciate your support!