Assigning Employee Central Role-Based Permissions (RBP)

Objective

After completing this lesson, you will be able to Assign Employee Central Role-Based Permissions (RBP).

Employee Central Role-Based Permissions (RBP) Assignment

Employee Central Permissions

The role-based permission framework is vast and encompasses permissions for all SAP SuccessFactors solutions. For this course, we'll focus on the common permissions for Employee Central.

Note

The permissions mentioned in this section are not the complete list used in Employee Central. Additional Resources are included at the end of this unit.

Permission Roles control the access permissions in the system and define the overall access to data and application functionality. To create and manage permission roles, complete the following steps:

1. Choose Manage Permission Roles.

2. Use Create to add a new role or use the menu in the Actions column to manage the existing roles.

3. Select next to manage the permissions for the role.

Managers and employees in EC use the following permission categories: Employee Data, Employee Central Effective Dated Entities, and Employee Views. Customers who use custom fields in these categories must also receive permissions for the relevant roles.

In this lesson, we will cover the following permissions:

  • Employee Views
  • Employee Central Effective-Dated Entities
  • Employee Data
  • Employee Central Import Entities
  • Manage Foundation Object Types
  • Manage Foundation Objects
  • MDF Foundation Objects

Employee Views 

The Employee Views permission defines whether you can see the sections configured in People Profile. This permission is only visible once People Profile has been initially configured during the implementation. Relevant Employee Central sections include:

  • Personal Information
  • Employment Information
  • Total Rewards

Employee Central Effective-Dated Entities

The Employee Central Effective-Dated Entities permission grants field-level access for effective-dated elements and fields. These objects can keep track of historical and future changes. This permission is only available when the succession data models have been initially uploaded during implementation. Employee Central comes with standard effective dated elements, such as the following:

  • Personal Information (personalInfo)
  • Addresses (homeAddress)
  • Dependents (personRelationshipInfo)
  • Job Information (jobInfo)
  • Compensation Information (compInfo)
  • Job Relationships (jobRelationsInfo)

There are several layers of permission to consider when you grant permissions to effective-dated blocks. The first layer is the basic understanding of the different field permission types, such as View Current, View History, Edit/Insert, Correct, and Delete.

Additionally, there are permissions for button options when you want to view and edit data. This section will detail the differences between each of the following permission:

  1. Block Actions Permissions,
  2. Edit (Pencil) Link Permissions,
  3. Field Level Permissions

Block Actions Permissions

Select the block action permissions to set access to effective-dated blocks.

Block Actions control the user access level to the effective-dated block overall and block buttons.

PermissionsDescription
View CurrentMakes the block visible in the profile
View HistoryMakes the clock icon appear and allows access to history window
Edit/InsertAllows the use of the Insert New Record button in the history window
CorrectAllows the use of the Edit button in the history window
DeleteAllows the use of the Delete button in the history window

Note

Having Edit/Insert available allows someone to bypass event reason derivation and workflows. This does not make the Edit (pencil icon) button appear on the block.

Edit (Pencil) Link Permission

For Edit Link, the edit/insert is the only permisssion that works. The view current, history, correct and delete don't work.

The Edit Link controls whether the Edit (pencil icon) function is available on the block for the users. The only level of access that matters is the Edit/Insert. The rest are ignored.

The permission allows the users to open and edit the block to initiate transactions in People Profile.

You can also perform the edit action from the Actions Menu in People Profile. Just add the Update Employment Records permission as seen on the screenshot.

Set the permission to initiate changes from the Actions menu in People Profile

Field-Level Permissions

Select the permission for each field

Field-level permissions control each field’s specific ability to be maintained. Each field can be controlled on its level of visibility and editability.

Permission LevelDescription
View CurrentView current value of the field
View HistoryView historical values of the field if accessed in the History view of the block
Edit/InsertUpdate the value of the field using Insert New Record in the History view of the block (allows updating a field when creating a new record)
CorrectUpdate the value of the field using the Correct Button, which is available in the History view
DeleteNot applicable to individual fields, entire records are deleted

Employee Data Permissions

The permissions for non effective-dated entities are in a separate category, the Employee Data permissions.

Use the interaction below to learn the relevant Employee Data permissions used in Employee Central.

Employee Central Import Entities

This allows you to perform or restrict imports to Person and Employment objects.

Manage Foundation Object Types

These are admin permissions that define the actions allowed for XML-based corporate data found in Manage Organization, Pay, and Job Structures. This permission is only available when the Corporate Data models have been initially uploaded during implementation.

Manage Foundation Objects

This enables the admin permissions that set the actions for importing foundation data, translations, and corporate data models.

MDF Foundation Objects

This sets the admin permissions that define the actions allowed for MDF-based corporate data.

Exercise: Assign Employee Central permissions to a group of users

Business Example

The ACE Corporation wants its IT managers to be able to update all their employees’ contact information. This information is stored in the Personal Contacts block of the Personal Information section of People Profile. You will create a new IT manager permission group and role to meet the requirement.

Note

This exercise is a standalone activity and is not required for completing other hands-on exercises for this course.

Watch the Assign Employee Central Permissions to a Group of Users video on how to create permission roles.

Steps

  1. Proxy as Tammy Aberts, an IT Manager, to verify if you can change any employee's contact information.

    1. Login to your instance as an administrator.

    2. Proxy as Tammy Aberts, an employee that has the job classification of IT Manager (IT-MAN).

    3. Go to View my Profile quick action card

    4. in the profile, select the arrow beside Tammy's name. Type Robert Allen to navigate to his profile.

    5. The current permission doesn't allow Tammy to see Robert's personal contacts.

    6. Switch back to your administrator account with the user menu → become self.

  2. Go to Manage Permission Group to create an IT Manager RBP Group. Include all employees with the Job Code: IT- MGR. Verify that Tammy Aberts is included in the group.

    1. Navigate to Manage Permission Groups.

    2. Choose Create NewIn Group Name, add Granted: IT Managers.

    3. Under Choose Group Members, choose Pick a categoryJob CodeIT Manager (IT- MGR)Done.

    4. In the upper-right box, select Active Group MembershipUpdate.

    5. Choose the number in the Active Group Membership bubble.

    6. Verify Tammy Aberts is a group member.  Select Close.

    7. Choose Done.

  3. Go to Manage Permission Role to create an IT Manager Access RBP Role. Use the RBP Group from the previous step as the granted group and assign the correct permissions for the business example.

    1. Navigate to Manage Permission Roles.

    2. Select Create. Provide a name for the role. Select next to add the permissions.

    3. Choose Employee Views → Personal Information.

    4. Choose Employee DataHR InformationPersonal ContactsEdit.

    5. Choose Next and Save.

    6. Select Yes, to assign the role.

    7. Provide a name of the assignment. Select next.

    8. Choose the group you created in the previous step. Select next.

    9. Select the Everyone as the target population. Don't allow IT managers to have access to themselves.

    10. Review and Save.

    11. Logout and Log in.

  4. Proxy as Tammy Aberts to verify if you can see the new section and blocks on Robert Allen's profile.

    1. Proxy into the system as Tammy Aberts.

    2. Navigate to Robert Allen’s Employee File and choose Personal Information

    3. Can you see the People Profile Section Personal Information? Why or why not?

      Can you see the block personal contact in Personal Information? Why or why not?

      Is there an edit button on the block personal contacts? Why or why not?

    4. Choose the Edit (pencil icon) on Personal Information.

      Can you edit the add/edit personal contacts? Why or why not? 

    5. To close the Edit screen, choose Cancel.

    6. Switch back to your user account by selecting the user menu → become self.

Additional role-based permission resources

For more information on Role-Based Permissions, refer to the following documents in the SAP Help Portal:

Log in to track your progress & complete quizzes