Why does this setting allow a user with only ‘WFM Viewer’ permissions to trigger a schedule publish via the API? We are seeing unexpected behavior in our Chicago WFM deployment.
- Assign ‘WFM Viewer’ role to a test service account.
- Attempt POST /api/v2/wfm/scheduling/schedules/{id}/publish with valid auth.
- Receive 200 OK instead of 403 Forbidden.
This bypasses our compliance audit trails. Is this a known vulnerability or a role mapping quirk in the latest release?
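A detection check for the behavior reported above, added here as an example and not part of the original post: it scans API access logs for successful publish calls made by principals that hold no publish-capable role. The JSON log fields, the account names and the role names in `PUBLISH_ROLES` are assumptions; only ‘WFM Viewer’ and the endpoint path come from the post.

```python
import json
import re

# Publish endpoint from the post; the schedule id is any single path segment.
PUBLISH_PATH = re.compile(r"^/api/v2/wfm/scheduling/schedules/[^/]+/publish$")
# Assumption: roles that are expected to publish. Replace with your own role model.
PUBLISH_ROLES = {"WFM Admin", "WFM Scheduler"}

# Constructed sample access log (one JSON object per line); field names are assumptions.
SAMPLE_LOG = """\
{"ts":"2024-01-01T10:00:00Z","principal":"svc-viewer-test","roles":["WFM Viewer"],"method":"POST","path":"/api/v2/wfm/scheduling/schedules/abc123/publish","status":200}
{"ts":"2024-01-01T10:01:00Z","principal":"svc-admin","roles":["WFM Admin"],"method":"POST","path":"/api/v2/wfm/scheduling/schedules/abc123/publish","status":200}
{"ts":"2024-01-01T10:02:00Z","principal":"svc-viewer-test","roles":["WFM Viewer"],"method":"POST","path":"/api/v2/wfm/scheduling/schedules/def456/publish","status":403}
{"ts":"2024-01-01T10:03:00Z","principal":"svc-viewer-test","roles":["WFM Viewer"],"method":"GET","path":"/api/v2/wfm/scheduling/schedules/abc123","status":200}
{"ts":"2024-01-01T10:04:00Z","principal":"svc-mixed","roles":["WFM Viewer","WFM Scheduler"],"method":"POST","path":"/api/v2/wfm/scheduling/schedules/abc123/publish","status":200}
this line is not JSON and must be skipped
"""

def find_unauthorized_publishes(log_text, publish_roles=PUBLISH_ROLES):
    """Return successful publish calls whose principal holds no publish-capable role."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed or empty line
        if not isinstance(ev, dict):
            continue
        path = str(ev.get("path", "")).split("?", 1)[0]  # ignore any query string
        if ev.get("method") != "POST" or not PUBLISH_PATH.match(path):
            continue
        status = ev.get("status")
        if not isinstance(status, int) or not 200 <= status < 300:
            continue  # a 403 here is the expected outcome for a viewer
        roles = ev.get("roles") or []
        if publish_roles.isdisjoint(roles):
            findings.append({"line": lineno, "principal": ev.get("principal"),
                             "roles": roles, "path": path, "status": status})
    return findings

if __name__ == "__main__":
    for finding in find_unauthorized_publishes(SAMPLE_LOG):
        print(finding)
```

Any hit is a publish that succeeded without a publish-capable role on record, which is the set of events to reconcile against the compliance audit trail.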