There was a post in another community that brought attention to a security class change that was not mentioned or documented in the TM Security Delta document. This is a big concern, and I can't help but continue voicing our need for better documentation with better guidance on exact changes so we don't have surprises or have to search so hard for these.
Here is a link to the post:
https://community.infor.com/infor-cloudsuite-financials/f/infor-cloudsuite-hcm-global-hr-talent-ghr-payroll-topics/33362/feature-or-bug-any-supervisor-now-has-access-to-all-employee-and-workassignment-actionrequests-as-of-the-october-2023-cu/87930#87930
In case the link above does not work correctly, here is what was mentioned in the post:
Feature or Bug?: Any Supervisor now has access to all Employee and WorkAssignment ActionRequests (as of the October 2023 CU)
The October 2023 HR Talent CU brought updates to the GHRDirectSupervisor_ST and GHRIndirectSupervisor_ST security classes for which I can't find any mention in the HR Talent Release Report and that I'm trying to make sense of.
As written the change is very broad:
ActionRequest BusinessClass
is accessible
for all inquiries, NotInProcess.UpdateParameters, InProcess.UpdateParameters, NotInProcess.View, InProcess.View,
Rejected.ViewParameters, Complete.ViewParameters, Rejected.View, Complete.View
when (BusinessClass = "Employee"
or BusinessClass = "WorkAssignment")
There is no limitation that the Employee- or WorkAssignment-related ActionRequest record be for someone they have a supervisory relationship to. It's literally anyone/everyone. The ParameterView field of ActionRequest contains all of the data for the request, which in the case of Employee and WorkAssignment is highly sensitive (plenty of PII, pay rates, in some cases banking details, etc.).
Why would every supervisor need both read access and the ability to update (potentially change??) the parameters for any in-flight Hire, Rehire, Terminate, ChangePayRate, or other similar action on these two business classes for people they do not supervise? (They could access it via the application's web UI, ISD, or via a REST URL.)
I wish my organization had a Pre-Prod tenant so I could have had an extra two weeks to figure out how to deal with this issue. I'm curious to hear how others in the community approach this.
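As an added illustration (not part of the quoted post and not Infor LPL), the following Python model shows why the rule as written grants every supervisor every Employee/WorkAssignment ActionRequest, and what a scoped condition for direct and indirect supervisors would have to check. All names, records and the org chart are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sample data modelling the situation described in the post.
@dataclass(frozen=True)
class ActionRequest:
    request_id: str
    business_class: str          # e.g. "Employee", "WorkAssignment", "Position"
    subject: str                 # employee the request is about
    parameter_view: dict = field(default_factory=dict)  # sensitive payload

# Constructed org chart: subject -> direct supervisor.
SUPERVISOR_OF = {"emp1": "sup_a", "emp2": "sup_a", "emp3": "sup_b",
                 "sup_a": "vp", "sup_b": "vp"}

REQUESTS = [
    ActionRequest("AR-1", "Employee", "emp1", {"action": "ChangePayRate", "pay_rate": 52.0}),
    ActionRequest("AR-2", "WorkAssignment", "emp3", {"action": "Hire", "bank_account": "****1234"}),
    ActionRequest("AR-3", "Position", "emp2", {"action": "Update"}),
]

def rule_as_written(actor: str, req: ActionRequest) -> bool:
    """The quoted CU rule: only the BusinessClass is checked, the actor is ignored."""
    return req.business_class in ("Employee", "WorkAssignment")

def reporting_chain(subject: str) -> list:
    """Every supervisor above `subject`, nearest first (cycle-safe)."""
    chain, seen = [], set()
    cur = SUPERVISOR_OF.get(subject)
    while cur and cur not in seen:
        seen.add(cur)
        chain.append(cur)
        cur = SUPERVISOR_OF.get(cur)
    return chain

def rule_direct_supervisor(actor: str, req: ActionRequest) -> bool:
    """Scoped variant: the actor must be the subject's direct supervisor."""
    return rule_as_written(actor, req) and SUPERVISOR_OF.get(req.subject) == actor

def rule_indirect_supervisor(actor: str, req: ActionRequest) -> bool:
    """Scoped variant: the actor must appear anywhere in the subject's reporting chain."""
    return rule_as_written(actor, req) and actor in reporting_chain(req.subject)

def visible_requests(actor: str, rule) -> list:
    """Request ids `actor` could view/update under `rule`, in a stable order."""
    return sorted(r.request_id for r in REQUESTS if rule(actor, r))
```

Comparing `visible_requests("sup_a", rule_as_written)` with the two scoped variants makes the gap concrete: the unscoped rule returns both sensitive requests for any supervisor, including ones for people outside their chain.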