business process procedures - sap service …sapidp/... · web viewprevent the api user from being...


Upload: doanhanh

Post on 22-May-2018


SuccessFactors Compensation 1405

October 2014

English

SuccessFactors Compensation: Role Based Permission (FI5)

SAP AG, Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany

Building Block Configuration Guide


SAP Best Practices SuccessFactors Compensation: Role Based Permission (FI5): Configuration Guide

Copyright

© 2014 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see http://global.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.

National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.

© SAP SE Page 2 of 16


Icons

Icon Meaning

Caution

Example

Note

Recommendation

Syntax

Typographic Conventions

Type Style Description

Example text Words or characters that appear on the screen. These include field names, screen titles, pushbuttons as well as menu names, paths and options.

Cross-references to other documentation.

Example text Emphasized words or phrases in body text, titles of graphics and tables.

EXAMPLE TEXT Names of elements in the system. These include report names, program names, transaction codes, table names, and individual key words of a programming language, when surrounded by body text, for example, SELECT and INCLUDE.

Example text Screen output. This includes file and directory names and their paths, messages, source code, names of variables and parameters as well as names of installation, upgrade and database tools.

EXAMPLE TEXT Keys on the keyboard, for example, function keys (such as F2) or the ENTER key.

Example text Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.

<Example text> Variable user entry. Pointed brackets indicate that you replace these words and characters with appropriate entries.


Contents

1 Purpose

1.1 Using the Configuration Guide

2 Basic Settings

3 Prerequisites

3.1 Activating RBP in Provisioning

3.1.1 Manage Permission Groups and Role for Admin User

3.1.2 Managing Employee Import

3.1.3 Managing Permission Groups

3.1.4 Managing Permission Roles

3.1.5 Creating User IDs


SuccessFactors Compensation: Role Based Permission

1 Purpose

This document describes the configuration steps that have to be done in SuccessFactors to implement Role Based Permissions (RBP) for Compensation. Role-based permission management is a way of managing your permissions. The role-based permission framework allows you to have as many roles in the system as your company requires while at the same time granting each role a different level of permission granularity. RBP grants permissions to assigned roles. The following roles are delivered in this Packaged Solution:

Compensation Administrator

Manager

Employee (for access to Employee Profile)

Compensation Planner

System Administrator (Admin User)

SAP API User

1.1 Using the Configuration Guide

This document is set up to support SAP Talent Hybrid customers who are implementing SuccessFactors Compensation integrated with SAP ERP HCM.

Note: Role Based Permissions (RBP) should only be activated once all configuration guides have been fully completed.

Please note the configurations included in this guide are based on the US country version. To include other country requirements the country specific configurations will need to be added.

2 Basic Settings

In this section of the document, the steps to set up RBP are detailed for this Packaged Solution.

2.1 Prerequisites

Before you start installing this scenario, you must install the prerequisite building blocks. For more information, see the Building Block Prerequisites Matrix for this Packaged Solution. You will find this document in the content library, attached to the Step-by-Step Guide.

Further, in order to complete this CFG, ensure that all the activities in the Quick Guide have been completed.

It is important to note that, in order to perform some of the steps within this guide, the implementer is required to have completed the SuccessFactors Intro to Mastery and the SuccessFactors Compensation Mastery training. This documentation is therefore written on the assumption that its audience is familiar with the SuccessFactors Compensation solution. Additionally, the consultant must have access to the Provisioning environment for the customer. Follow the procedures from SuccessFactors to obtain provisioning access to the Customer’s system according to the Partner Portal site.


2.2 Activating RBP in Provisioning

Use

In this activity, RBP is activated in the SuccessFactors Provisioning system.

To access the provisioning system:

To access the SuccessFactors provisioning system see the example link below. The link will differ based on the server name for the customer system.

https://performancemanager8.successfactors.com/provisioning_login

Procedure

1. Select the company name for which RBP should be activated.

2. Select Company Settings

3. Activate Role Based Permissions by selecting a check box for Role-based Permission (This will disable Administrative Domains)

4. Select the “Save Feature” button to save the setting for activating RBP.

2.2.1 Manage Permission Groups and the Role for Admin User

Use

Once RBP is activated, the Admin user permissions created initially as part of the Quick Guide are no longer valid. The Admin user must be reset with RBP permissions in order to complete the remaining steps.

Procedure

1. Go to Administration Tools. In the Manage Employees portlet, select Set User Permissions.

2. In the Set User Permissions section, select Manage Role-Based Permission Access. The Manage Role-Based Permission Access page opens.

3. Choose Add User

4. In the username field enter the Admin user name and press Search.


5. Select the Admin Username in the Search User portlet and press the Grant Permissions button. Your Admin user now has access to maintain role based permissions.

6. Go to Administration Tools. In the Manage Employees portlet, select Set User Permissions.

7. In the Set User Permissions section, select Manage Permission Groups. The Manage Permission Groups page opens.

8. Choose the Create New button to create a new Permission Group. The Permission Group page opens.

9. In the Group Name field, provide a name for the following Permission Groups:

a. Admin

10. In the Choose Group Members section, choose the Pick a Category dropdown menu and select a category if further categories are required. These categories help you define the group. For a list of categories, check out the section Permission Group Categories in the Managing Permission Groups section of this guide.

11. Select Username and enter the Admin user name

12. Choose the Done button after making your selection.

13. The Permission Group is now listed along with other existing Permission Groups on the Manage Permission Groups page described in step 1.

14. Go to Administration Tools. In the Manage Employees portlet, select Set User Permissions.

15. In the Set User Permissions section, select Manage Permission Roles. The Manage Permission Roles page opens

16. Choose the Create New button to add a permission role. The Permission Role Detail page opens.

17. In the Role Name field, type a name describing what the role allows you to do.

18. Create the following roles:

a. Administrators

19. In the Description field provide a statement describing what the role allows. When thinking of a name for the role, think about what the role allows the group

20. In the Permission Settings section, choose the Permission button to specify the permission you want to assign to the role. The Permission Settings window opens.

21. On the left side of the page, you'll see the different permission categories. Choose a permission category to reveal the different permissions. Make the following selections and select the Select All check box for the following user permissions in the table below:

22. Select the Done button when all the permissions have been completed

23. Choose the Add button under 3. Grant this role to specify the permission group to be granted the role and specify the target population:


24. From the Grant Role to dropdown list, select Permission Group.

25. Choose the Select button to specify the permission group to be granted the role. The Select Groups page opens.

26. In the permission group field, type the name of the permission group to be granted. Choose the Search icon (magnifying lens) to search for the group. The page gets updated with the search results. Assign to the Admin group created in the permissions group step above.

27. Select the checkbox against the group name and choose Done. The group name gets added to the Selected Groups column.

28. Select Everyone for the Target population.

29. Choose the Done button to assign this role to the permission group as listed in the table below.

30. You are taken back to the Permission Role Detail page.

31. Choose the Save Changes button to complete creating the role. If you choose Cancel at this stage, the role will not be created.

32. Once this role is successfully created, the new role will be listed on the Permission Role List.

Role: Administrator

User Permissions:

- Objectives – Select All
- Career Development Planning – Select All
- Compensation – Select All
- Employee Data – Select All
- Employee views – Select All
- General User Permission – Select All
- Recruiting Permissions – Select All
- Reports Permissions – Select All
- Succession Planners – Select All

Administrator Permissions:

- Manage Career Development – Select All
- Manage Compensation – Select All
- Manage Competencies and Skills – Select All
- Manage Dashboards/Reports – Select All
- Manage Documents – Select All
- Manage Form Templates – Select All
- Manage integration tools – Select All
- Manage Recruiting – Select All
- Manage Succession – Select All
- Manage system properties – Select All
- Manage User – Select All
- Manage Variable Pay – Select All
- Employee Central API – Select All
- Manage Talent Card – Select All

Permission Groups: Admin

Target Population: Everyone


Note: For the Administrator role, we have enabled access to all areas within SuccessFactors although not all may be used. If you want to restrict access to Compensation only (or other specific areas) then only flag the relevant check boxes when performing this task.

2.2.2 Managing Employee Import

Use

In this activity, you set the permissions that allow the System Administrator user to import employee data into the SuccessFactors system.

Ensure the Admin user is assigned to the correct job code. You can use the Admin created as part of the Quick Guide initial steps. If you wish to create a new Admin as part of RBP, then step 2.2.5 Creating User IDs will need to be completed first.

Please note: If using the SAP ERP HCM and SuccessFactors integration rapid deployment solution, the SAP API user permissions to import employee data need to be set.

Procedure

1. Go to Administration Tools. In the Manage Employees portlet, select Set User Permissions > Manage Employee Import

2. Select the Search Users button

3. For the Admin and/or SAP API users created make the following selections:

a. Manage employee import

b. All Divisions

c. All Departments

d. All Locations

2.2.3 Managing Permission Groups

Use

In a role-based security framework, Permission Groups are used to define groups of employees that have a set group of permissions. For example, you might have a Permission Group called Managers which would list all managers who have access to compensation information.

Groups are also used to define the target population a granted user has access to. For managers this would be the employees who report to them. Permission groups allow you to group a set of employees that match a predefined condition. A condition may be determined by a single parameter or multiple parameters. For example, if you want to create a group of HR employees, you'd create a group where Department = HR. To make the condition even more specific, you can specify multiple conditions, for example HR employees in the US. To create this group, you'll create a group with the following parameters: Department = HR and Location = US.

Procedure

1. Go to Administration Tools. In the Manage Employees portlet, select Set User Permissions.

2. In the Set User Permissions section, select Manage Permission Groups. The Manage Permission Groups page opens.

3. Choose the Create New button to create a new Permission Group. The Permission Group page opens.

4. In the Group Name field, provide a name for the following Permission Groups:

a. Compensation Administrator


b. Manager

c. Employee

d. Compensation Planner

e. SAP API (required to reset the permissions for the PI/HCI permissions if utilizing the integration between SAP and SuccessFactors)

5. In the Choose Group Members section, choose the Pick a Category dropdown menu and select a category if further categories are required. These categories help you define the group. For a list of categories, check out the section Permission Group Categories

6. Select Job Code for Manager; Username(s) for System or SAP API User

7. Choose in the field next to the selected category. Select the following:

Group Name Group Name Field

Job Code Manager

Username apiuser

Country Select country(ies) to include all Employees in that region


Note: You can enter different criteria to select the Compensation Administrators or Planners. You may choose to select by Username if there aren’t many of these users or by job code if you’ve set up your system to have specific jobs for Compensation.

8. Choose the Done button after making your selection.

9. If there are employees you'd like to exclude from the Permission Group definition, select them in the Exclude these people from the group section. For this example, we'll skip this step since we don't need to exclude anyone.

10.

11. Choose Done to complete the process.

12. The Permission Group is now listed along with other existing Permission Groups on the Manage Permission Groups page described in step 1.

2.2.4 Managing Permission Roles

Use

Permission roles control the access rights an employee or a group has to the application or employee data. With the new role-based permission framework, you can choose to grant a role to a specific employee, a manager, a group or to all employees in the company.

Before granting permission roles to employees, we suggest you first think about:

- the different roles you have in your company
- the employees who should be assigned each role
- whose data the employees will have access to

Procedure

1. Go to Administration Tools. In the Manage Employees portlet, select Set User Permissions.

2. In the Set User Permissions section, select Manage Permission Roles. The Manage Permission Roles page opens

3. Choose the Create New button to add a permission role. The Permission Role Detail page opens.

4. In the Role Name field, type a name describing what the role allows you to do.

5. Create the following roles:

a. Compensation Administration

b. Managers

c. Employee

d. Compensation Planner

e. SAP API (required to reset the permissions for the PI/HCI permissions if utilizing the integration between SAP and SuccessFactors)

6. In the Description field provide a statement describing what the role allows. When thinking of a name for the role, think about what the role allows the group

7. In the Permission Settings section, choose the Permission button to specify the permission you want to assign to the role.

8. The Permission Settings window opens.

9. On the left side of the page, you'll see the different permission categories. Choose a permission category to reveal the different permissions. Make the following selections and select the “Select All” check box for the following user permissions in the table below:

10. Select the Done button when all the permissions have been completed


11. Choose the “Add” button under 3. Grant this role to specify the permission group to be granted the role and specify the target population:

12. From the Grant Role to dropdown list, select Permission Group.

13. Choose the Select button to specify the permission group to be granted the role for example “Managers” group. Assign the group as per the table listed below.

14. The Select Groups page opens. In the permission group field, type the name of the permission group to be granted. Choose the Search icon (magnifying lens) to search for the group. The page gets updated with the search results.

15. Select the checkbox against the group name and choose Done. The group name gets added to the Selected Groups column.

16. Select “Everyone” for the Target population.

17. Select the Exclude Granted User if the granted user should not have permission rights to him/herself. (Please note – if the user is required to update their employee profile record then this checkbox should not be selected)

This is a very important step. If you do not select this checkbox, members of this permission group will be able to edit their own salary as well.

18. Choose the Done button to assign this role to the permission group as listed in the table below.

19. You are taken back to the Permission Role Detail page.

20. Choose the Save Changes button to complete creating the role. If you choose Cancel at this stage, the role will not be created.

21. Once this role is successfully created, the new role will be listed on the Permission Role List.
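How the Exclude Granted User checkbox in step 17 changes the outcome, as an added example that is not SuccessFactors code or part of the SAP guide. It is a toy evaluation model: the employee records, the permission names edit_salary and view_statement, and the Department = HR and Location = US criterion for the planner group (borrowed from the permission group example in 2.2.3) are assumptions.

```python
"""Toy model of a role-based permission check (added example, not SuccessFactors code)."""
from dataclasses import dataclass, field

# Constructed employees; attribute names and user IDs are assumptions for this sketch.
EMPLOYEES = {
    "mgr1":      {"job_code": "Manager",     "department": "Sales", "location": "US", "manager": None},
    "emp1":      {"job_code": "Manager",     "department": "Sales", "location": "US", "manager": "mgr1"},
    "emp2":      {"job_code": "Analyst",     "department": "Sales", "location": "DE", "manager": "emp1"},
    "cplanner1": {"job_code": "CompPlanner", "department": "HR",    "location": "US", "manager": "mgr1"},
}


@dataclass
class PermissionGroup:
    name: str
    criteria: dict = field(default_factory=dict)  # every condition must match (AND); {} matches everyone
    excluded: set = field(default_factory=set)    # "Exclude these people from the group"

    def members(self):
        return {
            uid for uid, attrs in EMPLOYEES.items()
            if uid not in self.excluded
            and all(attrs.get(key) == value for key, value in self.criteria.items())
        }


@dataclass
class RoleGrant:
    role: str
    permissions: set
    granted_group: PermissionGroup
    target: str                       # "everyone", "reports" (all levels down) or "self"
    exclude_granted_user: bool = False


def reports_of(manager):
    """Direct reports of `manager` and their reports, all levels down."""
    found, queue = set(), [manager]
    while queue:
        boss = queue.pop()
        for uid, attrs in EMPLOYEES.items():
            if attrs["manager"] == boss and uid not in found:
                found.add(uid)
                queue.append(uid)
    return found


def is_allowed(grants, user, permission, subject):
    """True if any grant gives `user` the `permission` over `subject`'s record."""
    for grant in grants:
        if permission not in grant.permissions:
            continue
        if user not in grant.granted_group.members():
            continue
        if grant.exclude_granted_user and subject == user:
            continue  # the granted user is removed from their own target population
        if grant.target == "everyone":
            in_target = subject in EMPLOYEES
        elif grant.target == "reports":
            in_target = subject in reports_of(user)
        else:  # "self"
            in_target = subject == user
        if in_target:
            return True
    return False


def build_grants(planner_excludes_self):
    """Three of the guide's roles, with hypothetical permission names."""
    planners = PermissionGroup("Compensation Planner", {"department": "HR", "location": "US"})
    managers = PermissionGroup("Manager", {"job_code": "Manager"})
    everyone = PermissionGroup("Employee")
    return [
        RoleGrant("Compensation Planner", {"edit_salary"}, planners, "everyone",
                  exclude_granted_user=planner_excludes_self),
        RoleGrant("Managers", {"edit_salary"}, managers, "reports"),
        RoleGrant("Employee", {"view_statement"}, everyone, "self"),
    ]


if __name__ == "__main__":
    for flag in (False, True):
        grants = build_grants(flag)
        print("Exclude Granted User =", flag,
              "-> planner edits own salary:",
              is_allowed(grants, "cplanner1", "edit_salary", "cplanner1"))
```

With the target population set to Everyone and the checkbox left clear, the planner's own record is inside the population the role covers; setting the flag removes only that one record and leaves access to everyone else unchanged.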

Role: Comp Admin / Comp Planner

User Permissions:

- Employee Data – Select All
- Employee Views – Select Profile
- General User Permission – Select All
- Compensation Permissions – Select All

Administrator Permissions:

- Manage Compensation Permissions – Select All
- Manage User – Employee Export
- Manage Form Templates – Form Templates

Permission Groups: Compensation Administrator

Target Population: Everyone

Role: Managers

User Permissions:

- Compensation – Select All
- Employee Data – Select All
- Employee views – Select All
- General User Permission – Select the following:
  - Live Profile Access
  - Organizational Chart Navigation Permission
  - Company Info Access > User Search
- Reports Permissions – Select All

Administrator Permissions:

- Manage Compensation Permissions – Select All
- Manage system properties – Select all except “org chart configuration”

Permission Groups: All Managers

Target Population: Granted User’s Direct Reports (Select ‘Include access to the Reports of the Granted User’s Direct Reports’ and All levels down). All Direct Reports (and their reports All level(s) down)

Role: SAP API User

User Permissions:

- Compensation – Select All
- General User Permission:
  - User Login
  - SFAPI User Login
  - Permission to Create Forms
- Reports Permissions – Select All

Administrator Permissions:

- Manage Compensation – Select All
- Manage Dashboards/Reports – Select All
- Manage Documents – Select All
- Manage Form Templates – Select All

Permission Groups: SAP API

Target Population: Everyone

Role: Employee

User Permissions:

- General User Permission – Select the following:
  - User Login
  - Live Profile Access
  - Organizational Chart Navigation Permission
  - Company Info Access > User Search
- Employee data – Select the following:
  - ???user.personalCompensationStatement??? – Edit and view access.
- Employee views – Select the following:
  - Compensation Statement

Permission Groups: Everyone

Target Population: Target population of granted user (Self).


Optional Security considerations

Prevent the API user from being able to log in to the application UI by removing “User login permission”.

When setting up the API and resolving errors, it would be useful to have access to the API data dictionary and API audit log. These can be granted in the “Manager Integration Tools permissions”. Please note that the API audit log can show the full payload data (including sensitive data). Therefore, this access should only be granted to the appropriate users.
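A review of role definitions against the two considerations above, as an added example that is not part of the SAP guide or any SuccessFactors tooling. The dict layout, the group membership, the reading of Select All on Manage integration tools as including the API audit log, and the treatment of a user's permissions as the union of every role granted to their groups are assumptions; the role excerpt is transcribed from this guide's role tables.

```python
"""Review of role definitions against the guide's optional security considerations
(added example; the data layout is an assumption, not a SuccessFactors export format)."""
import copy

SELECT_ALL = "Select All"

# Excerpt of the guide's role tables, transcribed into a constructed structure.
ROLES = [
    {"role": "Administrator", "group": "Admin",
     "permissions": {"General User Permission": SELECT_ALL,
                     "Manage integration tools": SELECT_ALL}},
    {"role": "SAP API User", "group": "SAP API",
     "permissions": {"General User Permission": ["User Login", "SFAPI User Login",
                                                 "Permission to Create Forms"],
                     "Manage Compensation": SELECT_ALL}},
    {"role": "Employee", "group": "Everyone",
     "permissions": {"General User Permission": ["User Login", "Live Profile Access"]}},
]
# Constructed group membership; "apiuser" is the username used in the guide.
GROUP_MEMBERS = {
    "Admin": ["admin"],
    "SAP API": ["apiuser"],
    "Everyone": ["admin", "emp1", "apiuser"],
}


def role_grants(role, category, permission):
    """True if the role's selection in `category` includes `permission`."""
    selected = role["permissions"].get(category)
    if selected == SELECT_ALL:
        return True
    return isinstance(selected, list) and permission in selected


def effective_sources(user, category, permission, roles, group_members):
    """Roles through which `user` receives `permission` (union over all granted roles)."""
    return [role["role"] for role in roles
            if user in group_members.get(role["group"], [])
            and role_grants(role, category, permission)]


def review(roles, group_members, api_users, audit_log_approved):
    """Return findings as (code, user, roles that grant the permission)."""
    findings = []
    for user in sorted(api_users):
        via = effective_sources(user, "General User Permission", "User Login",
                                roles, group_members)
        if via:  # the API user can still log in to the application UI
            findings.append(("API_UI_LOGIN", user, via))
    all_users = sorted({u for members in group_members.values() for u in members})
    for user in all_users:
        via = effective_sources(user, "Manage integration tools", "API audit log",
                                roles, group_members)
        if via and user not in audit_log_approved:  # payloads visible to this user
            findings.append(("AUDIT_LOG_EXPOSURE", user, via))
    return findings


def remove_ui_login(roles, role_name):
    """Copy of `roles` with "User Login" removed from one role's explicit selection."""
    hardened = copy.deepcopy(roles)
    for role in hardened:
        selected = role["permissions"].get("General User Permission")
        if role["role"] == role_name and isinstance(selected, list):
            role["permissions"]["General User Permission"] = [
                p for p in selected if p != "User Login"]
    return hardened


if __name__ == "__main__":
    for finding in review(ROLES, GROUP_MEMBERS, {"apiuser"}, {"admin"}):
        print(finding)
```

In the constructed data the API user also belongs to the Everyone group, so removing User Login from the SAP API User role alone leaves the finding open until that user is excluded from the group.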

2.2.5 Share Ad Hoc Reports with API User

The ad hoc reports previously uploaded for equity planning and compensation integration are shared with the API user created in this document. The user performing this step must have permission to build Ad Hoc reports.

Share the Report with the API User:

1. Navigate to Reports

2. Choose Analytics

3. Choose Ad Hoc Reports

4. Locate the Report Name previously created and choose the drop down to the right of the report name

5. Choose ‘Share’

6. In the ‘Quick Search’ box, enter the name of the API user in use for the integration

7. In the resulting hit list, place a check in the box to the left of the appropriate user

8. Choose the ‘Share’ button.

2.2.6 Creating User IDs

Use

In this activity, you create the user IDs needed to access SuccessFactors.

Please note: If you are implementing the SAP ERP HCM and SuccessFactors Integration, the creation of users will be transferred from the Core SAP HCM system, so the following steps will not be required. Please refer to the Transfer of SAP ERP HCM Basic Employee Data to SuccessFactors (SF7) Business Process Documentation (BPD), part of the SAP ERP HCM and SuccessFactors Integration rapid deployment solution.

Procedure

1. Go to Administration Tools. In the Manage Employees portlet, select Update User Information.

2. In the Update User Information section, select Employee Export. The Employee Export opens.

3. Choose the Export User File button and save the user ID CSV file to your computer.

4. Unzip the downloaded file and open the user ID CSV file in Excel.

5. Remove all rows except the first 2 header rows. Add rows for the user IDs you require, including user IDs for the following, and save the file:

a. User_Manager. Please include the superior manager’s username in the manager field

b. User_Manager2

c. User_Manager3


d. User_CompAdmin

e. User_CompPlanner

f. User_Employee

g. User_SystemAdmin (a new system administrator user id can be created otherwise the original administrator created as part of the Quick Guide can be reused)

h. User_SAPapi (a new SAPapi user id can be created otherwise the original SAP api user created can be reused)

6. Go to Administration Tools. In the Manage Employees portlet, select Update User Information.

7. In the Update User Information section, select Employee Import. The Employee Import opens.

8. In the choose file button select the user ID CSV file you have created

9. Under the new user default format, select Use the Username and the password and username will be sent to the user’s email address.

10. Press Validate Import File Data to check the user ID CSV file.

11. In the choose file button. Select the user ID CSV file you have created. Note – you may need to ‘browse’/’select’ the file twice

12. Choose the Import user file button to import the user ID CSV file.

2.3 SuccessFactors Proxy Settings

2.3.1 Use

This section describes the setup steps necessary to activate proxy management in SuccessFactors.

2.3.2 Procedure

1. Log on to Provisioning for the company instance

2. Select Company Settings

3. Select checkbox for Enable Proxy Feature

4. Choose Save.

5. Log on to SuccessFactors as the Admin user

6. Navigate to Admin Tools > Manage Employees portlet, select Proxy Management

7. Under Change the proxy settings for the company select checkbox for Enable Advanced Proxy Management (Proxy Now and Proxy Import)

8. Select the Save Proxy Settings button
