Setting up Security

Objectives

After completing this lesson, you will be able to:
  • Configure Role-Based Permissions.
  • Configure Administrative Permissions.

Permissions Overview

In this section, you will learn about setting up security in SAP SuccessFactors.

SAP SuccessFactors Employee Central Payroll requires using Role-Based Permissions (RBP). SAP SuccessFactors uses these Role-Based Permissions to set up security.

This screenshot shows 'Manage Permission Roles' in Admin Center where roles are created and permissions are granted to set up security.

Role-Based Permissions Main Concepts

RBP uses Permission Groups and Permission Roles to grant permissions to users. Administrators can also grant permission to standard roles, such as employees or managers, or specific roles, such as payroll manager or payroll administrator. When granting these permissions, an administrator can limit the permissions to specific target groups of users.

RBP is a dynamic method of assigning permissions. For example, when an employee is promoted to a manager, the change is made in the user data (either by import or manually). The employee would automatically be assigned all the special permissions a manager should have. There is a full audit history of all changes made to a group or role.

SAP SuccessFactors Employee Central can go beyond these basic roles and allow organizations to set up roles based on several criteria. Role-Based Permissions in SAP SuccessFactors Employee Central are dynamic in that you can create groups and permissions based on the characteristics of jobs and roles. For example, you could grant the Regional HR Talent Manager role to everyone in the HR department with the country set to the US and then restrict the scope of employees managed to everyone in the US.

Role-Based Permissions are designed so that users will match more than one role. As a best practice, we recommend configuring roles by starting with the most generic role, as in All Employees Role, and casting the net as wide as possible to include all of the permissions given to everyone.

This screenshot shows the 'Set User Permissions' section of Admin Center, where the Role-Based Permissions set up tools are found.

Permission Roles

A Permission Role defines a set of permissions and grants these permissions to Permission Groups or role types, such as an employee or manager. Employees can have several different sets of permissions within a single role. Administrators define permission roles by navigating to Admin Center > Set User Permissions > Manage Permission Roles.

In Manage Permission Roles, you can create new roles or review, copy, and edit existing ones. You can review and edit the list of permissions granted by clicking the role name. The Permissions button displays a role's different permission sections.

For example, the payroll manager role may grant payroll managers the ability to access the Payroll Control Center user interface to run payroll processes.

If an organization wants to allow all employees to edit their personal information, such as bank account, they must allow the employee role to have edit permissions in personal information, which is in the permission section titled Employee Central Effective Dated Entities.

This screenshot shows an example of permission settings in Manage Permission Roles, in the 'Employee Central Effective Dated Entities' section.

Role Types

There are default roles that are similar across all organizations.

  • Employee – all employees that work for an organization
  • Manager – an employee that has direct reports
  • Matrix Manager – larger manager group that spans across similar groups, like managers within the same department
  • HR Manager – a human resources representative with direct reports
  • Payroll Manager – an employee who is responsible for running payroll on others in the organization
  • Payroll Administrator – an employee who is responsible for evaluating and fixing payroll data

SAP SuccessFactors Employee Central allows you to use these roles or make these common roles even more granular. For example, you can break down Payroll Manager into smaller groups like US Payroll Manager and Canada Payroll Manager, each with its own administration permissions.

Target Groups

Once roles are created, groupings can be made based on specific role categories. Some of the categories can be commonly filtered groups, like regions. For instance, you can make a US Employees permission group that includes all employees with a corporate address in the US.

You can also assign a permission role to a permission group that applies to another permission group. For example, suppose an organization wants specific US Payroll Managers to be able to administer changes to all US Employees. In that case, they can create a US Payroll Manager permission group and use the US Employees permission group as the target group for the changes to be made.
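The granted-group and target-group scoping described above can be expressed as a small access-check model. This Python code is an added example, not SAP SuccessFactors code or an SAP API; the group criteria, the user records and the `edit_payroll_data` permission name are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List

User = Dict[str, str]  # constructed user record: id, country, job


@dataclass(frozen=True)
class Group:
    """Dynamic permission group: membership is recomputed from user data."""
    name: str
    criteria: Callable[[User], bool]

    def contains(self, user: User) -> bool:
        return self.criteria(user)


@dataclass(frozen=True)
class Grant:
    """A permission role granted to one group, scoped to a target group."""
    role: str
    permissions: FrozenSet[str]
    granted_to: Group
    target: Group


def allowed(grants: List[Grant], actor: User, permission: str, subject: User) -> bool:
    """True if any grant gives `actor` the permission over `subject`."""
    return any(
        permission in g.permissions
        and g.granted_to.contains(actor)
        and g.target.contains(subject)
        for g in grants
    )


# Constructed groups mirroring the lesson's US example.
US_EMPLOYEES = Group("US Employees", lambda u: u["country"] == "US")
US_PAYROLL_MANAGERS = Group(
    "US Payroll Managers",
    lambda u: u["country"] == "US" and u["job"] == "Payroll Manager",
)

# Hypothetical permission name; the role is limited to the US target group.
GRANTS = [
    Grant("US Payroll Manager", frozenset({"edit_payroll_data"}),
          US_PAYROLL_MANAGERS, US_EMPLOYEES),
]

# Constructed sample users.
ANA = {"id": "ana", "country": "US", "job": "Payroll Manager"}
BOB = {"id": "bob", "country": "US", "job": "Engineer"}
CAT = {"id": "cat", "country": "CA", "job": "Engineer"}
```

Because membership is evaluated from the user record at check time, changing a user's job or country changes what they can do without editing any grant, which is why reviews of the group criteria matter as much as reviews of the role itself.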

Administration Levels

You can use administrative permissions to set granular control over access to payroll functionality. You can assign the payroll team access to only the functionality they need to access.

Using this approach for the payroll team creates three levels of administrators: Payroll Manager, Payroll Administrator, and Employee Central Payroll (ECP) Consultant.

Payroll Manager

A Payroll Manager runs the payroll process and ultimately signs off on the payroll. The payroll manager will run reports and view payroll statistics to ensure everything looks as expected. The Payroll Manager assigns issues and policy deviations identified to Payroll Administrators to investigate.

Payroll Administrator

A Payroll Administrator is someone who will look into specific scenarios that have been identified as payroll policy deviations (e.g., Pay Variance over 20% from the previous period) or payroll issues (e.g., Employee missing Address) to decide on what needs to be done for payroll to be processed correctly.

ECP Consultant / Support Team Member

The ECP Consultant is responsible for configuring the payroll system. The role of an ECP Consultant varies by organization. Some companies give their HR and payroll teams greater control, while others rely on their technical specialists to make key changes.

Payroll Control Center Permissions

Administrators can grant employees access to all or some tools by granting full or partial administrative functions. For example, if your company has specific employees who are allowed to run off-cycle payroll processes, you can allow access to this functionality.

Payroll Processing is done in SAP SuccessFactors Employee Central Payroll using the Payroll Control Center functionality and the following nine user interfaces:

  • My Alerts: UI to investigate Payroll Alerts
  • My Processes: UI for Payroll processes
  • Unassigned Alerts: UI for Admin to self-assign alerts
  • Manage Processes: UI to manage payroll processes
  • Manage Policies: UI to manage payroll policies
  • My Off-Cycles: UI for running off-cycle processes
  • Manage Teams: UI to configure teams
  • My Teams: UI to manage specific team
  • Manage Configuration Access: UI to manage configuration

This screenshot shows the permissions in the Payroll Control Center category in Manage Permission Roles.

Administrator Permissions

Role-Based Permissions are also used to control access to other key payroll processes that are discussed later, including the following:

  • Payroll Data Maintenance Tasks (Complete Payroll Tasks)
  • Payroll Data Maintenance Tasks Configuration (Payroll Unified Configuration)
  • Data Replication Monitor

This screenshot shows the Payroll Integration category of permission settings in Manage Permission Roles.
