For more information, please refer to this announcement explaining best practices for getting answers to questions.
View-Only Owner of plan has additional access to plans outside of Oracle seeded functionality
Summary:
Hi Everyone,
We have a Line Manager that has the seeded Oracle Line Manager role. While using this role, a manager is able to navigate to succession plans of a direct report through Person Spotlight (this is expected functionality). However, when the Line Manager is added as a Viewer of a plan that their direct report is a candidate/incumbent of - the manager is able to do the following:
1) add candidates
2) remove candidates
3) update worker readiness
4) add candidates to talent pools
5) change the plan name
6) change the plan privacy level
7) add owners
8) remove owners
All of these are things that a Line Manager with Viewer role shouldn't be able to do. We found some Oracle documentation that verifies this - screenshotted a reference chart and attached the link below: