Assigning Permissions to Employee Central Administrators

Objective

After completing this lesson, you will be able to assign permissions to Employee Central administrators.

Employee Central Role-Based Permissions (RBP) Assignment

Role-Based Permissions (RBP) is the security model used to manage access within the SAP SuccessFactors HCM Suite. It allows you to control which applications and data employees can view or edit. As a suite-wide authorization model, RBP applies to most SAP SuccessFactors products.

Employee Central Permissions

The Role-Based Permissions (RBP) framework is extensive and covers all SAP SuccessFactors solutions. This course focuses specifically on the common permissions used in SAP SuccessFactors Employee Central. To review general RBP concepts, please refer to the Exploring SAP SuccessFactors Platform learning journey.

Note

The permissions mentioned in this section are not the complete list used in Employee Central. Additional Resources are included at the end of this unit.

In this lesson, we will cover the following permissions:

  • Employee Central Effective-Dated Entities
  • Employee Data
  • Employee Central Import Entities
  • Manage Foundation Object Types
  • Manage Foundation Objects
  • MDF Foundation Objects

When granting permissions, you must consider multiple levels of access. This includes category, card, and field-level permissions.

The latest People Profile categories are also controlled in RBP. To view data in a category, users need permission to access the category and permission to access at least one card in the category.

  • If users do not have access to a category, the category and everything inside it are hidden, even if they have card or field permissions.
  • If users have access to a category but not to any of its cards, the category appears empty.
  • If users have access to a category and to one or more cards, only those permitted cards and fields are shown.
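
The category, card, and field rule above can be modeled in a few lines, which is useful when reviewing a role for grants that never take effect. The following Python sketch is an added example, not SAP code or an SAP API; the layout, names, and data structures are constructed for illustration.

```python
# Added example: a simplified model of the category/card/field rule above.
# The layout, names and data structures are constructed for illustration;
# they are not SAP SuccessFactors configuration or API objects.

LAYOUT = {  # category -> card -> fields (constructed sample)
    "Personal Information": {
        "Personal Contacts": ["email", "phone"],
        "Addresses": ["street", "city"],
    },
    "Compensation": {
        "Compensation Information": ["pay_grade", "salary"],
    },
}


def visible_profile(layout, categories, cards, fields):
    """Return what a user sees: {category: {card: [fields]}}.

    categories: set of permitted category names
    cards:      set of permitted (category, card) pairs
    fields:     set of permitted (category, card, field) triples
    """
    view = {}
    for cat, cat_cards in layout.items():
        if cat not in categories:
            continue  # no category access: hidden with everything inside it
        view[cat] = {  # stays {} (empty category) when no card is permitted
            card: [f for f in flds if (cat, card, f) in fields]
            for card, flds in cat_cards.items()
            if (cat, card) in cards
        }
    return view


def ineffective_grants(categories, cards, fields):
    """List card/field grants hidden because their category is not granted."""
    dead = [c for c in cards if c[0] not in categories]
    dead += [f for f in fields if f[0] not in categories]
    return sorted(dead)
```

A non-empty result from ineffective_grants points to a role that was configured with card or field access but is missing the category permission that makes them visible.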

Employee Central Effective-Dated Entities

The Employee Central Effective-Dated Entities permission provides access to elements and fields that track historical and future changes. This permission becomes available once the succession data models are uploaded during the initial implementation. SAP SuccessFactors Employee Central includes several standard effective-dated entities, including the following:

  • Personal Information (personalInfo)
  • Addresses (homeAddress)
  • Dependents (personRelationshipInfo)
  • Job Information (jobInfo)
  • Compensation Information (compInfo)
  • Job Relationships (jobRelationsInfo)

Block Actions Permissions

Block actions control user access levels for effective-dated cards and their associated buttons.

Select the block action permissions to set access to effective-dated cards.

Permission | Description
(1) View Current | Makes the card visible in the profile category
(2) View History | Makes the clock icon appear and allows access to the history window
(3) Edit/Insert | Allows the use of the "Create" button in the history window
(4) Correct | Allows the use of the "Correct" button in the history window
(5) Delete | Allows the use of the "Delete" button in the history window

Note

The create, correct, and delete actions in history do not trigger workflows, even if workflow derivation rules are implemented.

Edit (Pencil) Link Permission

The Edit Link permission controls whether the Edit (pencil icon) function is available on the card for users. The only access level that matters is Edit/Insert; the rest are ignored.

For Edit Link, Edit/Insert is the only permission that takes effect. View Current, View History, Correct, and Delete have no effect.

The permission allows the users to open and edit the card to initiate transactions in People Profile.

You can also perform the edit action from the Actions Menu in People Profile. Just add the Update Employment Records permission as seen on the screenshot.

Set the permission to initiate changes from the Actions menu in People Profile

Field-Level Permissions

Select the permission for each field

Field-level permissions control whether each individual field can be viewed and maintained. Visibility and editability are set separately for each field.

Permission Level | Description
View Current | View the current value of the field
View History | View historical values of the field if accessed in the History view of the block
Edit/Insert | Update the value of the field using "Create" in the History view of the card
Correct | Update the value of the field using "Correct" in the History view
Delete | Not applicable to individual fields; entire records are deleted

Employee Data Permissions

The permissions for non-effective-dated entities are in a separate category, the Employee Data permissions.

Use the interaction below to learn the relevant Employee Data permissions used in Employee Central.

Employee Central Import Entities

This allows you to perform or restrict imports to Person and Employment objects and ensure imports are performed for the users within the target population of the logged-in user.

Manage Foundation Object Types

These are admin permissions that define the actions allowed for XML-based corporate data found in Manage Organization, Pay, and Job Structures. This permission is only available when the Corporate Data models have been initially uploaded during implementation.

Manage Foundation Objects

This enables the admin permissions that set the actions for importing foundation data, translations, and corporate data models.

MDF Foundation Objects

This sets the admin permissions that define the actions allowed for MDF-based corporate data.

Proxy rights

This screenshot shows the options used to grant proxy rights and highlights the Employee Central V2 - Employee Profile option, as well as the Start and End Date fields.

Proxy Management is a platform feature introduced in SAP SuccessFactors Platform Introduction Academy. Proxies are useful in verifying configuration and permissions in Employee Central. While completing exercises for this course, you will be asked to use proxy for validating configurations. Use proxy access to quickly test how the system behaves for different users and roles without manually logging in and out of different user accounts.

When Private Data For Proxy Account Holder is deselected, the proxy doesn't have access to potentially sensitive information, such as home address or compensation.

Note

Revisit the SAP SuccessFactors Platform Introduction Academy to review the concept of Proxy Management.

The default admin user, Emily Clark, in the practice system can proxy as any user in the system.

Exercise: Assign Employee Central permissions to a group of users

Business Example

The ACE Corporation wants its IT managers to be able to update all their employees’ contact information. This information is stored in the Personal Contacts card of the Personal Information section of the People Profile. You will create a new IT manager permission group and role to meet the requirement.

Note

This exercise is a standalone activity and is not required to complete other hands-on exercises for this course.

Watch the video on how to create permission roles.

Enroll in or access the Practice System to complete the exercise steps.

Task 1: Verify the current permission of an IT Manager

Steps

  1. Proxy as Tammy Aberts, an IT Manager. Open Robert Allen's profile to verify if you can change an employee's contact information.

    1. Log in to your instance as an administrator.

    2. Proxy as Tammy Aberts, an employee who has the job classification of IT Manager (IT-MAN).

    3. Use the Action Search to go to Robert Allen's profile.

    4. The current permission doesn't allow Tammy to see Robert's personal contacts.

    5. Switch back to your administrator account with the user menu → become self.

Task 2: Create a permission group

Steps

  1. Go to Manage Permission Groups to create the "IT Managers" RBP Group. Include all employees with the Job Code: IT-MGR. Verify that Tammy Aberts is included in the group.

    1. Navigate to Manage Permission Groups.

    2. Choose Create New. In Group Name, add Granted: IT Managers.

    3. Under Choose Group Members, choose Pick a category → Job Code → IT Manager (IT-MGR) → Done.

    4. In the upper-right box, select Active Group Membership → Update.

    5. Choose the number in the Active Group Membership bubble.

    6. Verify Tammy Aberts is a group member. Select Close.

    7. Choose Done.

Task 3: Create a permission role

Steps

  1. Go to Manage Permission Roles to create the "IT Manager Access" RBP Role. Use the RBP Group from the previous step as the granted group and assign the correct permissions based on the business example. Select everyone as the target population. Don't allow IT managers to have access to themselves.

    1. Navigate to Manage Permission Roles.

    2. Select Create. Provide a name for the role. Select Next to add the permissions.

    3. Choose Employee Data → HR Information → Personal Contacts → Edit.

    4. Choose Next and Save.

    5. Select Yes to assign the role.

    6. Provide a name to the assignment. Select Next.

    7. Grant access to the "IT Managers" group. Select Next.

    8. Select "Everyone" in the target population. Exclude granted users from having the same access to themselves.

    9. Review and Save.

    10. Log out and log in.

Task 4: Verify the permission

Steps

  1. Proxy as Tammy Aberts to verify whether you can see and edit Robert Allen's Personal Contacts.

    1. Proxy into the system as Tammy Aberts.

    2. Navigate to Robert Allen’s profile and choose Personal Data.

    3. Can you see the Personal Contacts card?

    4. Can you add or edit personal contacts?

    5. Switch back to your user account by selecting the user menu → become self.

Summary

Here are the key takeaways from the lesson:

  • Employee Central permissions are segregated between effective-dated and non-effective-dated entities.
  • There are separate permissions for legacy and MDF Foundation Objects.
  • Block Actions control the user access level to the effective-dated cards.
  • Employment Information is the only non-effective dated entity that supports field-level permissions.
  • Proxies are useful in verifying configuration and permissions in Employee Central.

Supplemental Resources

The Employee Central Academy course provides the foundation to gain the knowledge needed to implement Employee Central Core and pass the certification exam. Its content is based on multiple implementation guides.

Each unit includes a resources section with links to relevant references for those who want to explore further.

Note

Links may require SAP Universal ID.