Make sure that the people search box embedded into many of the Talent screens does not circumvent security access rules set up by legal entity. Currently, if a person has no personnel management access in a given legal entity, they can still type names into the search box, click on the results, and see user information from entities they do not have access to. This information includes sensitive details like identification numbers, emergency contacts, and many other things linked to the worker record.

I have reported this to Microsoft as a security bug, and they directed me to place this idea here instead of addressing it through the standard maintenance process.
Category: General
Ideas Administrator

This issue was fixed as part of issue 758144 which has been back ported to 10.0.29.   This posting is provided “as is” with no warranties, and confers no rights.