Configuring Role-Based Permissions

Objective

After completing this lesson, you will be able to identify permission role types and granted and target populations.

Role-Based Permissions

Role-Based Permissions (RBP) is a security model that allows you to restrict and grant access to your SAP SuccessFactors HCM Suite. RBP controls access to the applications and data that employees can see and edit.

Watch the video to get an overview of Role-based Permissions.

RBP is a dynamic method of assigning permissions. It consists of several elements:

  • Permission Roles: Contain a set of permissions and role assignments
  • Permissions: A set of transactions or tasks that employees perform in your organization (e.g., edit job title, create reports, reset passwords)
  • Role Assignment: A relationship containing the granted and target population assigned to a permission role
  • Granted Population Group: Users who are granted the permissions
  • Target Population Group: Users whose data can be accessed or managed by the granted group

The diagram shows the different elements of Role-Based Permissions.

You can group employees with similar tasks to perform and create a Granted Population Group. This group typically consists of employees who share certain attributes, such as Job Code, and require access to similar tasks in the system.

For some permissions, you need to define a Target Population. A Target Population is a group of users that need tasks to be performed on their behalf.

For example, you could group all US-based HR Talent Managers as the granted population who will manage the employment records of US-based employees – the target population.

Role-Based Permissions are designed so that users will match more than one role. As a best practice, we recommend configuring roles by starting with the most generic role, such as the All Employees Role, and casting the net as wide as possible to include all of the permissions given to everyone.

Permission Roles

A Permission Role is a collection of specific permissions that determine what actions a person can perform. For example, the HR-Talent Manager Role consists of the following permissions:

  • Edit Compensation
  • Edit Job Title
  • Hire Employee
  • Reset Passwords
  • Terminate Employee

This set of permissions can be assigned to different groups using Role Assignment.

The diagram shows how permissions are assigned using Role Assignment.

Administrators can define the permission roles by navigating to Manage Permission Roles using the Action Search.

The screenshot shows how assignments and permissions are managed in Manage Permission Roles.

In Manage Permission Roles, you can review, copy, and edit existing roles or create new roles. You can review and edit the list of permissions and the assignment for each role.

Note

For permission role changes that impact a large number of access users, you can enable double-confirmation popups and e-mail notifications for RBP administrators. Go to Manage Role-Based Permission Access to set the notification settings.

Standard Role Types

SAP SuccessFactors delivers standard role types. These are default roles that are similar across all organizations.

  • Employee – all employees that work for an organization
  • Manager – an employee that has employees directly reporting to them
  • Matrix Manager – dotted-line manager; a larger manager group that spans similar groups, like managers within the same department.
  • HR Manager – a human resources representative with direct reports
  • Custom Manager – additional special manager relationship
  • Second Manager – alternate manager used for salary planning

The image shows the standard role types available when defining a role assignment.

These standard role types can be used when assigning permission roles. For example, when assigning the Manager Self-Service Role, you won't need to group all the managers to create a Manager Permission Group; the standard role type Manager is used instead.

Permission Level for Different Administrator Roles

Not all administrator roles are created equal. Even admins have different levels of permissions.

An image showing the level of permission according to the type of admin, from Local Admin to Super Admin

The lowest administrator role level is a Local Admin. A local admin is an optional level that is set up using RBP. The local admin typically has access to administrative functionality for a specific group of users. For example, you can set up a USA administrator who resets passwords for users in the USA.

The next level is an Admin User. An admin user is anyone with access to any administrator tool. For example, you can set up an admin user who just launches forms.

The third level is a Security Admin. A security admin manages permission roles and groups in the RBP framework. A security admin has access to Manage Permission Roles and Manage Permission Groups.

The fourth and highest level is a Super Admin. The super admin is set up in Provisioning or added to the system by another super admin. A super admin creates security admins in the Manage Role-Based Permission Access page. Super admins are typically created by consultants at the beginning of implementation so they can log in to the front-end and start the configuration.

To learn more about Role Based Permissions, visit the Explore SAP SuccessFactors Platform course.

EXERCISE: Create a Permission Group and Role

In this exercise, you will create a new IT Manager Group and create the access role for them.

Note

This exercise is a standalone activity and is not required for completing other hands-on exercises for this course.

Watch the video to learn how to assign permissions to groups.

Steps

    Create a Permission Group

  1. Use Action Search to navigate to the Manage Permission Groups tool.

  2. Choose Create New → Group Name and enter "Granted: IT Manager".

  3. Under Choose Group Members, choose Pick a category → Job Code → IT Manager (IT-MGR) → Done.

  4. In the upper right box, choose Active Group Membership → Update, then click the number.

  5. Select a user for your testing and click Done.

  6. Create a Permission Role. Go to Manage Permission Roles to create an IT Manager Access RBP Role. Use the RBP group from the previous step as the granted group and assign the correct permissions for the business example.

  7. Navigate to Manage Permission Roles.

  8. Select Create. Provide a name for the role. Select Next to add the permissions.

  9. Choose Employee Views → Personal Information.

  10. Choose Employee Data → HR Information → Personal Contacts → Edit.

  11. Choose Next and Save.

  12. Select Yes to assign the role.

  13. Provide a name for the assignment. Select Next.

  14. Choose the group you created in the previous step. Select Next.

  15. Select Everyone as the target population. Don't allow IT managers to have access to themselves.

  16. Review and save.

  17. Log out.

  18. Proxy as one of the IT Managers and test if they have access to the Personal Contacts of any user.

  19. Log in to the instance.

  20. Proxy as Tammy Aberts.

  21. Go to Robert Allen's profile. You should see Personal Information → Personal Contacts.
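
The role assignment built in this exercise can be reasoned about as a small access-check model. The following is an added Python example, not SAP SuccessFactors code or its API; it shows how the granted population, the target population and the "no access to themselves" setting combine, and how a user who matches several roles ends up with the union of their permissions. Assumptions: permissions from all matching roles are additive, and the "Org Chart: View" permission and Robert Allen's job code are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, List

@dataclass(frozen=True)
class User:
    name: str
    job_code: str

Population = Callable[[User], bool]  # membership rule of a permission group

@dataclass(frozen=True)
class RoleAssignment:
    role: str
    permissions: FrozenSet[str]
    granted: Population         # who receives the permissions
    target: Population          # whose data the permissions apply to
    exclude_self: bool = False  # granted user gets no access to own record

def everyone(_: User) -> bool:
    return True

def job_code(code: str) -> Population:
    return lambda u: u.job_code == code

def effective_permissions(actor: User, subject: User,
                          assignments: List[RoleAssignment]) -> FrozenSet[str]:
    """Union of permissions from every assignment matching actor and subject."""
    result: set = set()
    for a in assignments:
        if not a.granted(actor) or not a.target(subject):
            continue
        if a.exclude_self and actor == subject:
            continue
        result |= a.permissions
    return frozenset(result)

# Constructed sample data; job codes other than IT-MGR are made up.
tammy = User("Tammy Aberts", "IT-MGR")
robert = User("Robert Allen", "SALES-REP")

ASSIGNMENTS = [
    RoleAssignment("All Employees Role", frozenset({"Org Chart: View"}),
                   granted=everyone, target=everyone),
    RoleAssignment("IT Manager Access",
                   frozenset({"Employee Views: Personal Information",
                              "Personal Contacts: Edit"}),
                   granted=job_code("IT-MGR"), target=everyone,
                   exclude_self=True),
]

if __name__ == "__main__":
    for actor, subject in [(tammy, robert), (tammy, tammy), (robert, tammy)]:
        perms = sorted(effective_permissions(actor, subject, ASSIGNMENTS))
        print(f"{actor.name} -> {subject.name}: {perms}")
```

Running the three pairs mirrors the proxy test in the last steps: the IT manager can edit another user's Personal Contacts, cannot edit their own, and a non-member of the granted group gets only the All Employees permissions.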