Service Administrator in FDI inherently bypasses all row-level data security, and there is no way to turn this off. This means anyone who manages the instance automatically gains unrestricted access to every row across every pillar, including HCM compensation, all ledgers, and so on.
Real problems this causes:
- HCM Service Admins can see every employee's salary even though their HCM job role would never allow it in Fusion HCM. HR and Legal regularly flag this during rollouts.
- Customers with SOX / GDPR / internal data classification policies cannot comply, because admins are not supposed to have blanket data access.
- Separation of duties is impossible: a delegated admin (e.g. someone managing security for one pillar) is forced to receive enterprise-wide data visibility along with their admin rights.
- Production environments end up either with no admin (because granting Service Admin is too risky) or with admins who can see far more than they should.
Proposal: either
- Make the data bypass a separately grantable role, mapped by default to the Service Admin job role but able to be unmapped as needed; or
- Add a new role such as "Service Administrator (No Data Bypass)" with the same admin capabilities but still subject to the user's normal data security assignments.
Existing Service Admin behavior should not change automatically. This should be an additive option so customers can choose per administrator.
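To make the two options concrete, the following is an added toy model (not Oracle or FDI code) of how row-level security would be evaluated if the data bypass were a separately grantable privilege: it is mapped to Service Admin by default, can be unmapped, and a "no bypass" admin role falls back to the user's own data assignments. The privilege name, role names, security contexts and rows are all constructed for the illustration.

```python
# Added illustration (not Oracle/FDI code): a toy model of the proposal above.
# The "data bypass" is modelled as a separately grantable privilege that is
# mapped to Service Admin by default but can be unmapped, so an HCM admin's
# visibility falls back to their own data security assignments.
# Privilege, role, context and row values are constructed samples.
from dataclasses import dataclass, field

DATA_BYPASS = "DATA_SECURITY_BYPASS"   # hypothetical privilege name

# Constructed rows: each carries the pillar and the security context that
# normal row-level security would match against a user's assignments.
ROWS = [
    {"pillar": "HCM", "context": "HCM:US", "data": "salary row, US employee"},
    {"pillar": "HCM", "context": "HCM:UK", "data": "salary row, UK employee"},
    {"pillar": "ERP", "context": "LEDGER:01", "data": "ledger 01 balance"},
    {"pillar": "ERP", "context": "LEDGER:02", "data": "ledger 02 balance"},
]


@dataclass
class RoleMap:
    """Role -> privileges. The bypass mapping is the knob the proposal asks for."""
    privileges: dict = field(default_factory=lambda: {
        "SERVICE_ADMIN": {"MANAGE_INSTANCE", DATA_BYPASS},  # today's default
        "SERVICE_ADMIN_NO_BYPASS": {"MANAGE_INSTANCE"},     # proposed variant
        "HCM_ANALYST": set(),
    })

    def unmap_bypass(self, role):
        """Option 1: remove the bypass from a role without touching admin rights."""
        self.privileges[role].discard(DATA_BYPASS)


@dataclass
class User:
    roles: set
    assignments: set  # data security contexts the user may see, e.g. {"HCM:US"}


def visible_rows(user, role_map, rows=ROWS):
    """Apply row-level security unless the user holds the bypass privilege."""
    privs = set().union(*(role_map.privileges.get(r, set()) for r in user.roles))
    if DATA_BYPASS in privs:
        return list(rows)  # unrestricted: every row in every pillar
    return [r for r in rows if r["context"] in user.assignments]


def has_bypass(user, role_map):
    """Audit helper: does this user's role set confer the bypass at all?"""
    return any(DATA_BYPASS in role_map.privileges.get(r, set()) for r in user.roles)
```

With the default mapping the HCM admin sees all four rows; after `unmap_bypass("SERVICE_ADMIN")`, or when given the no-bypass role instead, only rows matching their own assignments remain.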