Hi all,
We are testing the new FAW/FDI HCM Viewer Role and noticed that Viewer users can still access Profile → Access Tokens.
The page states that these tokens can be used for:
- API calls
- Testing embedded content
- Using an MCP server
My questions are:
- Why are Access Tokens available and visible for users with only the FAW Licensed HCM Viewer Role?
- What actions can a Viewer user actually perform with these tokens?
- Do the tokens inherit only the Viewer permissions, or do they provide any additional capabilities?
- Is there a supported way to disable e.g. Advanced, Mobile Access, Access Tokens, MCP Connect in the user profile?
We would like to better understand the security implications and recommended configuration.
Thanks in advance.