In this section, you will learn about setting up internal access controls using Role-Based Permissions (RBP).
SAP SuccessFactors Security and Access Management can be broken down into these areas:
- Role-Based Permissions
  - Purpose: Controls access within the SAP SuccessFactors system.
  - How it works: Assigns permissions based on user role (e.g., employees, managers, HR admins).
  - Example: An HR admin can view all employee records, while a manager can only see their direct reports.
- Single Sign-On (SSO)
  - Purpose: Provides seamless user login without requiring multiple passwords.
  - How it works: Uses authentication protocols (e.g., SAML 2.0) to allow users to log in once and access multiple systems.
  - Example: A user logs into their corporate portal and gains access to SAP SuccessFactors without entering another password.
- Identity Authentication Service (IAS)
  - Purpose: Serves as an authentication hub for SAP cloud solutions, enhancing security.
  - How it works: Manages user authentication centrally and integrates with SSO. Can enforce multi-factor authentication (MFA).
  - Example: Before accessing SAP SuccessFactors, a user is verified through IAS, which checks credentials and applies security policies.
IAS and SSO are out of scope in this guide. We only cover Role-Based Permissions, which control who can access which features/data in SAP SuccessFactors Employee Central.
Role-Based Permissions Main Concepts
RBP is a dynamic method of assigning permissions. Role-Based Permissions consist of several elements:
- Permission Roles: Contain a set of permissions and role assignments
- Permissions: A set of transactions or tasks that employees perform in your organization (e.g., edit job title, create reports, reset passwords)
- Role Assignment: A relationship containing the granted and target population assigned to a permission role
- Granted Population Group: Users who are granted the permissions
- Target Population Group: Users whose data can be accessed or managed by the granted group

You can group employees with similar tasks to perform and create a Granted Population Group. This group typically consists of employees who share certain attributes, such as Job Code, and require access to similar tasks in the system.
For some permissions, you need to define a Target Population. A Target Population is a group of users that need tasks to be performed on their behalf.
For example, you could group all US-based HR Talent Managers as the granted population who will manage the employment records of US-based employees – the target population.
Role-Based Permissions are designed so that users will match more than one role. As a best practice, we recommend configuring roles by starting with the most generic role, such as an All Employees role, and casting the net as wide as possible so that it includes all of the permissions given to everyone.
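The following Python sketch is an added example, not SAP code or an SAP API: it models permission roles, role assignments, and granted and target populations as described above, and reports which roles grant a given access. The class names, permission names, and sample users are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass(frozen=True)
class User:
    user_id: str
    country: str
    job_code: str
    manager_id: Optional[str] = None

@dataclass
class RoleAssignment:
    granted: Callable[[User], bool]                  # Granted Population rule
    target: Optional[Callable[[User, User], bool]]   # Target Population rule (actor, subject)

@dataclass
class PermissionRole:
    name: str
    permissions: frozenset
    assignments: List[RoleAssignment]

def granting_roles(roles, actor, permission, subject=None):
    """Names of every role that lets `actor` use `permission` on `subject`.
    An empty list means deny; access is the union of all matching roles."""
    matched = []
    for role in roles:
        if permission not in role.permissions:
            continue
        for a in role.assignments:
            in_target = a.target is None or (subject is not None and a.target(actor, subject))
            if a.granted(actor) and in_target:
                matched.append(role.name)
                break
    return matched

# Constructed sample roles; permission names are illustrative, not SAP identifiers
ROLES = [
    PermissionRole("All Employees", frozenset({"view_own_profile"}),
                   [RoleAssignment(lambda u: True, lambda a, s: a.user_id == s.user_id)]),
    PermissionRole("Manager", frozenset({"view_employment_record"}),
                   [RoleAssignment(lambda u: True, lambda a, s: s.manager_id == a.user_id)]),
    PermissionRole("US HR Talent Manager",
                   frozenset({"view_employment_record", "edit_job_title"}),
                   [RoleAssignment(lambda u: u.country == "US" and u.job_code == "HR_TM",
                                   lambda a, s: s.country == "US")]),
]
HR = User("hr1", "US", "HR_TM")
REPORT = User("e3", "US", "ENG", manager_id="hr1")   # US employee reporting to HR
ABROAD = User("e2", "DE", "ENG", manager_id="m2")    # outside both target populations

if __name__ == "__main__":
    print(granting_roles(ROLES, HR, "view_employment_record", REPORT))
    print(granting_roles(ROLES, HR, "edit_job_title", ABROAD))
```

Listing every granting role, rather than returning a single yes or no, makes it visible during an access review when a user reaches the same data through more than one role.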