The October 2023 HR Talent CU brought updates to the GHRDirectSupervisor_ST and GHRIndirectSupervisor_ST security classes for which I can't find any mention in the HR Talent Release Report and that I'm trying to make sense of.
As written, the change is very broad:
ActionRequest BusinessClass
is accessible
for all inquiries, NotInProcess.UpdateParameters, InProcess.UpdateParameters, NotInProcess.View, InProcess.View,
Rejected.ViewParameters, Complete.ViewParameters, Rejected.View, Complete.View
when (BusinessClass = "Employee"
or BusinessClass = "WorkAssignment")
There is no limitation that the Employee- or WorkAssignment-related ActionRequest record be for someone they have a supervisory relationship to. It's literally anyone/everyone. The ParameterView field of ActionRequest contains all of the data for the request, which in the case of Employee and WorkAssignment is highly sensitive (plenty of PII, pay rates, in some cases banking details, etc.).
Why would every supervisor need both read access and the ability to update (potentially change??) the parameters for any in-flight Hire, Rehire, Terminate, ChangePayRate, or other similar action on these two business classes for people they do not supervise? (They could access it via the application's web UI, ISD, or via a REST URL.)
I wish my organization had a Pre-Prod tenant so I could have had an extra two weeks to figure out how to deal with this issue. I'm curious to hear how others in the community approach this.