Business Process Procedures - SAP Service …sapidp/... · Web viewUser_SAPapi (a new sap api user id can be created otherwise the original sap api user created as part of SAP ERP

SuccessFactors Recruiting 1311

June 2014

English

SuccessFactors Recruiting: Role Based Permission (FC7)

SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermany

Building Block Configuration Guide

SAP Best Practices SuccessFactors Recruiting: Role Based Permission (FC7): Configuration Guide

Copyright

© 2014 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

© SAP AG Page 2 of 18


Icons

Icon Meaning

Caution

Example

Note

Recommendation

Syntax

Typographic Conventions

Type Style Description

Example text Words or characters that appear on the screen. These include field names, screen titles, pushbuttons as well as menu names, paths and options.

Cross-references to other documentation.

Example text Emphasized words or phrases in body text, titles of graphics and tables.

EXAMPLE TEXT Names of elements in the system. These include report names, program names, transaction codes, table names, and individual key words of a programming language, when surrounded by body text, for example, SELECT and INCLUDE.

Example text Screen output. This includes file and directory names and their paths, messages, source code, names of variables and parameters as well as names of installation, upgrade and database tools.

EXAMPLE TEXT Keys on the keyboard, for example, function keys (such as F2) or the ENTER key.

Example text Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.

<Example text> Variable user entry. Pointed brackets indicate that you replace these words and characters with appropriate entries.



Contents

1 Purpose.................................................................................................................................. 5

1.1 Using the Configuration Guide........................................................................................5

2 Basic Settings.........................................................................................................................5

3 Prerequisites..........................................................................................................................5

3.1 Activating RBP in Provisioning........................................................................................6

3.1.1 Manage Permission Groups and Role for Admin User.............................................6

3.1.2 Managing Employee Import.....................................................................................8

3.1.3 Managing Permission Groups..................................................................................9

3.1.4 Managing Permission Roles...................................................................................10

3.1.5 Creating User IDs...................................................................................................14



SuccessFactors Recruiting: Role Based Permission

1 Purpose

This document describes the configuration steps that have to be done in SuccessFactors to implement Role Based Permissions (RBP) for Recruiting. Role-based permission management is a way of managing your permissions. The role-based permission framework allows you to have as many roles in the system as your company requires, at the same time granting each role a different level of permission granularity.RBP grants permissions to assigned roles. Following roles are delivered in this Packaged Solution:

Recruiter

Manager

SuperiorManager

Employee

System Administrator

1.1 Using the Configuration GuideThis document is set up to support SAP Talent Hybrid customers who are implementing SuccessFactors Recruiting integrated with SAP ERP HCM.

Note: Role Based Permissions (RBP) should only be activated once all configuration guides have been fully completed.

Please note the configurations included in this guide are based on the US country version. To include other country requirements the country specific configurations will need to be added.

2 Basic Settings

In this section of the document, the steps to set up RBP are detailed for this Packaged Solution.

3 Prerequisites

Before you start installing this scenario, you must install the prerequisite building blocks. For more information, see the Building Block Prerequisites Matrix for this Packaged Solution. You will find this document in the content library, attached to the Step-by-Step Guide.

Further in order to complete this CFG ensure all the activities in the Quick Guide have been completed.



It is important to note that in order to perform some of the steps within this guide; the implementer is required to have completed the SuccessFactors Intro to Mastery and the SuccessFactors Recruiting Management Mastery training. Thus, this documentation is written with an assumption that its audience is familiar with the SuccessFactors Recruiting Management solution. Additionally, the consultant must also have access to the Provisioning environment for the customer. Follow the procedures from SuccessFactors in order to obtain provisioning access to the Customer’s system according to the Partner Portal site.

3.1 Activating RBP in Provisioning

UseIn this activity, the RBP is activated in the SuccessFactors Provisioning system.

To access the provisioning system:

To access the SuccessFactors provisioning system see the example link below. The link will differ based on the server name for the customer system.

https:// performancemanager8.successfactors.com/provisioning_login

Procedure1. Select the company name for which RBP should be activated.

2. Select Company Settings

3. Activate Role Based Permissions by selecting a check box for Role-based Permission (This will disable Administrative Domains)

4. Select the “Save Feature” button to save the setting for activating RBP.

3.1.1 Manage Permission Groups and Role for Admin User

UseOnce RBP is activate the Admin user permissions created initially as part of the Quick Guide are no longer valid. The Admin user must be reset with RBP permissions in order to complete the remaining steps.

Procedure1. Go to Administration Tools. In the Manage Employees portlet, select. Set User

Permissions .

2. In the Set User Permissions section, select Manage Role-Based Permission Access. The Manage Role-Based Permission Access page opens.

3. Choose Add User

4. In the username field enter the Admin user name and press search.

5. Select the admin username in the Search User portlet and press the Grant Permissions button. Your Admin user now has access to maintain role based permissions.



6. Go to Administration Tools. In the Manage Employees portlet, select. Set User Permissions .

7. In the Set User Permissions section, select Manage Permission Groups. The Manage Permission Groups page opens.

8. Choose the Create New button to create a new Permission Group. The Permission Group page opens.

9. In the Group Name field, provide a name for the following Permission Groups: .

a. Admin

10. In the Choose Group Members section, choose the Pick a Category dropdown menu and select a category if further categories are required. These categories help you define the group. For a list of categories, check out the section Permission Group Categories

11. Select Username and enter the Admin user name

12. Choose the Done button after making your selection.

13. The Permission Group is now listed along with other existing Permission Groups on the Manage Permission Groups page described in step1

14. Go to Administration Tools. In the Manage Employees portlet, select. Set User Permissions.

15. In the Set User Permissions section, select Manage Permission Roles. The Manage Permission Roles page opens

16. Choose the Create New button to add a permission role. The Permission Role Detail page opens.

17. In the Role Name field, type a name describing what the role allows you to do.

18. Create the following roles:

a. Administrators

19. In the Description field provide a statement describing what the role allows. When thinking of a name for the role, think about what the role allows the group

20. In the Permission Settings section, choose the Permission button to specify the permission you want to assign to the role.

21. The Permission Settings window opens.

22. On the left side of the page, you'll see the different permission categories. Choose a permission category to reveal the different permissions. Make the following selections and select the “Select All” check box for the following user permissions in the table below:

23. Select the Done button when all the permissions have been completed

24. Choose the “Add” button under 3. Grant this role to specify the permission group to be granted the role and specify the target population:



25. From the Grant Role to dropdown list, select Permission Group.

26. Choose the Select button to specify the permission group to be granted the role.

27. The Select Groups page opens. In the permission group field, type the name of the permission group to be granted. Choose the Search icon (magnifying lens) to search for the group. The page gets updated with the search results. Assign to the Admin group created in the permissions group step above.

28. Select the checkbox against the group name and choose Done. The group name gets added to the Selected Groups column.

29. Select “Everyone” for the Target population.

30. Choose the Done button to assign this role to the permission group as listed in the table below.

31. You are taken back to the Permission Role Detail page.

32. Choose the Save Changes button to complete creating the role. If you choose Cancel at this stage, the role will not be created.

33. Once this role is successfully created, the new role will be listed on the Permission Role List.

Role User Permissions Administrator Permissions

Permission Groups

Target Population

Administrator

Objectives – Select All

Career Development – Select All

Compensation – Select All

Employee Data – Select All

Employee views – Select All

General User Permission – Select All

Recruiting Permissions – Select All

Reports Permissions – Select All

Succession Planners – Select All

Manage Career Development – Select All

Manage Compensation – Select All

Manage Competencies and Skills – Select All

Manage Dashboards/Reports – Select All

Manage Documents – Select All

Manage Form Templates – Select All

Manage integration tools – Select All

Manage Recruiting - Select All

Manage Succession – Select All

Manage system properties – Select All

Manage User – Select All

Admin Everyone



Metadata Framework – Select All

Manage Business Configuration - Select All

Manage Talent Card – Select All



3.1.2 Managing Employee Import

UseIn this activity, permissions for the System Administrator user to import employee data into the SuccessFactors system must be set in order to import employee data.

Ensure the Admin user is assigned to the correct job code. You can use the Admin created as part of the Quick guide initial steps. If you wish to create a new Admin as part of RBP then step 3.1.4 Create User IDs will need to created first prior to this step.

Please note- If using the SAP ERP HCM and SuccessFactors integration rapid deployment solution the SAP API user permissions to import employee data needs to be set.


Permissions> Manage Employee Import

2. Select the Search Users button

3. For the Admin and/or SAP API users created make the following selections:

a. Manage employee import

b. All Divisions

c. All Departments

d. All Locations

3.1.3 Managing Permission Groups

UseIn a role-based security framework, Permission Groups are used to define groups of employees that have a set group of permissions. For example, you might have a Permission Group called US Recruiting Managers which would list all US-based managers who have access to compensation information.Groups are also used to define the target population a granted user has access to. For example, the group US Recruiting Managers might have access to the group US Employees.Permission groups allow you to group a set of employees that match a predefined condition.A condition may be determined by a single parameter or multiple parameters. For example, ifyou want to create a group of HR employees, you'd create a group where Department = HR.To make the condition even more specific, you can specify multiple conditions. For example,HR employees in the US. To create this group, you'll create a group with the followingparameters — Department = HR and Location = US..


Permissions .

2. In the Set User Permissions section, select Manage Permission Groups. The Manage Permission Groups page opens.

3. Choose the Create New button to create a new Permission Group. The Permission Group page opens.

4. In the Group Name field, provide a name for the following Permission Groups: .

a. Employee

b. Managers

c. Recruiters



d. SAP API (required to reset the permissions for the PI/HCI permissions if utilizing the integration between SAP and SuccessFactors)

5. In the Choose Group Members section, choose the Pick a Category dropdown menu and select a category if further categories are required. These categories help you define the group. For a list of categories, check out the section Permission Group Categories

6. Select Job Code for Recruiters and Username for System SAP API User

7. Choose in the field next to the selected category. Select the following:

Group Name Group Name Field

Job Code Recruiter (HR-REC)

Username apiuser,



8. Choose the Done button after making your selection.

9. If there are employees you'd like to exclude from the Permission Group definition, select them in the Exclude these people from the group section.

10. For this example, we'll skip this step since we don't need to exclude anyone.

11. Choose Done to complete the process.

12. The Permission Group is now listed along with other existing Permission Groups on the Manage Permission Groups page described in step1

3.1.4 Managing Permission Roles

UsePermission roles control the access rights an employee or a group has to the application or employee data. With the new role-based permission framework, you can choose to grant a role to a specific employee, a manager, a group or to all employees in the company.Before granting permission roles to employees, we suggest you first think about:

the different roles you have in your company the employees who should be assigned each role whose data the employees will have access to


Permissions.

2. In the Set User Permissions section, select Manage Permission Roles. The Manage Permission Roles page opens

3. Choose the Create New button to add a permission role. The Permission Role Detail page opens.

4. In the Role Name field, type a name describing what the role allows you to do.

5. Create the following roles:

a. Recruiters

b. Managers

c. Employee

d. SAP API (required to reset the permissions for the PI/HCI permissions if utilizing the integration between SAP and SuccessFactors)

6. In the Description field provide a statement describing what the role allows. When thinking of a name for the role, think about what the role allows the group

7. In the Permission Settings section, choose the Permission button to specify the permission you want to assign to the role.

8. The Permission Settings window opens.

9. On the left side of the page, you'll see the different permission categories. Choose a permission category to reveal the different permissions. Make the following selections and select the “Select All” check box for the following user permissions in the table below:

10. Select the Done button when all the permissions have been completed

11. Choose the “Add” button under 3. Grant this role to specify the permission group to be granted the role and specify the target population:

12. From the Grant Role to dropdown list, select Permission Group.



13. Choose the Select button to specify the permission group to be granted the role for example “Recruiters” group. Assign the group as per the table listed below.

14. The Select Groups page opens. In the permission group field, type the name of the permission group to be granted. Choose the Search icon (magnifying lens) to search for the group. The page gets updated with the search results.

15. Select the checkbox against the group name and choose Done. The group name gets added to the Selected Groups column.

16. Select “Everyone” for the Target population.

17. Select the Exclude Granted User if the granted user should not have permission rights to him/herself. (Please note – if the user is required to update their employee profile record then this checkbox should not be selected)

This is a very important step. If you do not select this checkbox, members of this permission group will be able to edit their own salary as well.

18. Choose the Done button to assign this role to the permission group as listed in the table below.

19. You are taken back to the Permission Role Detail page.

20. Choose the Save Changes button to complete creating the role. If you choose Cancel at this stage, the role will not be created.

21. Once this role is successfully created, the new role will be listed on the Permission Role List.

Role User Permissions Administrator Permissions

Permission Groups

Target Population

Recruiter Employee Views – Select Profile

General User Permission – Select All

Recruiting Permissions – Select All except “Delete Job Requistions” Reports Permissions – Select All

Manage Recruiting – Select All except “Restore Deleted Job Requisitions”

Recruiters Everyone

Managers Compensation – Select All

Employee Data – Select All

Employee views – Select All

General User Permission – Select the following:

Live Profile Access

Organizational Chart Navigation Permission

Company Info Access > User Search

Recruiting Permissions- Select All except “Delete Job Requistions”

Manage Recruiting – Select All except “Restore Deleted Job Requisitions

Manage system properties – Select all except “org chart configuration”

All Managers Grant User’s Direct Reports

All Direct Reports(and their reports All level(s) down



Reports Permissions- Select All



Employees

Career Development Planning – Select All

Employee Data:

The following fields should be made view only for the standard data elements being transferred from SAP HCM:

If other data elements are transferred from SAP HCM then update the necessary fields to view only.

Address

Address Line 2 and 3

Business Fax

Business Phone

Cell phone

Citizenship

City

Compensation

Country

Date in Position

Date of Birth

Date of current position

Department

Division

Email

Employee id

Ethnicity

Final job code

First name

Gender

Hire date

Home Phone

Job code, family, level, role, title

Key Position

Last name

Manager

Nickname

Suffix

Manage Career Development – Select All

Recruiting Permissions

Careers Tab Permission

Everyone Everyone



Title

User ID

Username

Zip

General user permissions – Select the following:

User login

Live Profile Access

Organizational Chart Navigation Permission

Company Info Access > User Search

Employee Views – Select All

-SAP API User

Compensation – Select All

General User Permission

- SFAPI User Login

- Permission to Create Forms

Recruiting Permissions

- Select 18 SFAPI permissions listed

-Manage Compensation – Select All

Manage Dashboards/Reports – Select All

Manage Documents – Select All

Manage Form Templates – Select All

Manage Recruiting – Select All

SAP API Everyone



Optional Security considerations

Prevent the API user from being able to login to the application UI by removing “User login permission”

When setting up the API and resolving errors it would be useful to have access to the API data dictionary and API audit log. These can be granted in the “Manager Integration Tools permissions”. Please note in the API audit log the full payload data (including sensitive data) can be visible in the log. Therefore this should only be granted to only the appropriate users.

3.1.5 Creating User IDs

UseIn this activity, you create the user IDs needed to access SuccessFactors.

Please note - If implementing the SAP ERP HCM and SuccessFactors Integration the creation of users will be transferred from the Core SAP HCM system, therefore the following steps will not be required. Please refer to the Transfer of SAP ERP HCM Basic Employee Data to SuccessFactors (SF7) Business Process Documentation (BPD) part of the SAP ERP HCM and SuccessFactors Integration rapid deployment solution

Procedure1. Go to Administration Tools. In the Manage Employees portlet, select. Update User

Information .

2. In the Update User Information section, select Employee Export. The Employee Export opens.

3. Choose the Export User File button and save the user ID CSV file to your computer.

4. Unzip the downloaded file and open the user ID CSV file in Excel.

5. Remove all rows except the first 2 header rows. Add rows for the user IDs you require including user IDs for the following :

a. User_Employee. Please include the managers username in the manager field

b. User_Manager. Please include the superior managers username in the manager field

c. User_SuperiorManager

d. User_Recruiter

e. User_SystemAdministrator (a new system administrator user id can be created otherwise the original administrator created as part of the Quick Guide can be reused)

f. User_SAPapi (a new sap api user id can be created otherwise the original sap api user created as part of SAP ERP HCM and SuccessFactors Integration RDS in configuration guide (C1H) can be reused)

6. Go to Administration Tools. In the Manage Employees portlet, select. Update User Information .

7. In the Update User Information section, select Employee Import. The Employee Import opens.

8. In the choose file button. Select the user ID CSV file you have created

9. Select the new user default format and the password and username will be sent to the user’s email address.



10. Press Validate Import File Data to check the user ID CSV file.

11. In the choose file button. Select the user ID CSV file you have created. Note – may need to to ‘browse’/’select’ the file twice

12. Choose the Import user file button to import the user ID CSV file.
