Managing Security

Objective

After completing this lesson, you will be able to manage permissions for Benefit Objects.

Overview of Security in SAP SuccessFactors Global Benefits

Employee Central uses role-based permissions to control user access to data and functionality throughout the solution. Role-based permissions use permission groups and roles to grant permissions to users. Administrators can also grant permissions to standard role types. When granting these permissions, an administrator can limit the permissions to specific target groups of users.

This is a dynamic method of assigning permissions. For example, when an employee is promoted to a manager role, once the change is made in the user data (either by import or manually), the employee is automatically assigned all the special permissions held by all managers.

Role-based permissions are designed to allow users to hold more than one role. As a best practice, we recommend configuring roles by starting with the most generic role, such as the All Employee Role, and casting the net as wide as possible to include all permissions that must be given to everyone.

When creating more roles, include only the unique extra permissions that the role must have beyond other roles. This practice helps reduce the number of roles in the system, which is easier to maintain, and helps improve system performance.

Permission Roles

A permission role defines a set of permissions and grants them to permission groups or role types, such as employees or managers. A single role can have multiple sets of permissions.

Employee Central contains a set of default roles. You can use these roles or create new ones.

Some default permission roles include:

  • System Admin
  • Employee Self Service
  • Compensation Admins
  • Manager Role

A screenshot displays the Manage Permission Roles section, which includes a table of permission roles listing role names, user types, descriptions, modification dates, and actions such as edit and delete for each role.

To manage permissions for Global Benefits, keep in mind that some permissions, such as the ability to configure a benefit, are granted to the system administrators, while others, such as the ability to enroll in a benefit, are assigned to the Employee Self-Service role. Some specific steps to assign the correct permissions include the following:

  • For employee self-service, select the Benefits permission under Employee Views and select all permissions under Manage Benefits.
  • For system administrators, select all permissions under Manage Benefits.
  • For system administrators, many permissions needed for benefits are under Miscellaneous Permissions. To ensure that you are able to perform all tasks, select all permissions under Miscellaneous Permissions.

To define permission roles, use the Admin Search to open the Manage Permission Roles page.

In Manage Permission Roles, you can review, copy, and edit existing roles, or create new roles. By selecting the name of the role, you can review and edit the list of permissions granted. The permission button displays the different permission sections that a role can have. For example, the manager role can grant managers the ability to change the standard hours for one of their direct reports (Employee Central Effective Dated Entities previously shown) and can run ad-hoc reports on their team.

For a permission role to take effect, grant the role to a permission group or select from existing default role types.

Permission Groups

A permission group defines groups of employees that have a set group of permissions. An administrator can define a group by:

  • Standard elements in the Employee Data File such as gender, location, or marital status.

  • Employee Central fields such as Company or Pay Grade.

Target Groups

Target Groups refer to specific groups of users identified for a particular function or activity. They can include groups based on employee location, department, level, job function, or other demographic information.

For example, Ace USA wants to provide free cafeteria lunches for the office staff. To do this, they can create a Target Group called Office Staff and assign all eligible employees to the group.

You can also assign a permission group to a permission role that applies to another permission group. For example, if Ace wants all USA HR Managers to be able to administer changes to all USA Employees, they can create a USA HR permission group and a USA Employees permission group.

To grant permissions using groups, use the Admin Search to open the Manage Permission Groups page.

Administrator Permissions

As an administrator, you can grant employees access to all or some of the administrative tools by granting full or partial administrative permissions. For example, if your company has remote offices, you can allow the regional on-site manager to reset employee passwords.

There are several permission sections, and each section has a set of permissions. You can grant administrative permissions for the entire section to multiple employees. Manage User is an example of an Administrator Permissions section.

Employees with any administrative privileges have the Admin Tools option in the Welcome message dropdown menu. The Administration Tools page only shows active links to administrative features for which the employee has permission.

Administrator Levels

You can also use administrative permissions to set granular control over administrator access to users. This feature is ideal for companies with independent business structures where administrators are generally responsible for managing the system at only the region or division level. You can assign administrators to manage only a selected user population and only a selected group of administrator functions.

This approach creates three levels of administrators: Super Administrator, Security Administrator, and Administrator.

Super Administrator
A super administrator generally acts like a global administrator for your SAP SuccessFactors system, with full access to administrator activities and full access to manage role-based permissions. Only a super administrator can make other users security administrators.
Security Administrators
Security administrators are also global administrators who are responsible for managing all security through roles and permission groups. These administrators can grant users access to functionality in the Administration Tools page or general user pages.
Administrators
An administrative user in Employee Central is a local user who has access to the Administration Tools page and the functions therein.

Groups and their corresponding permissions are automatically updated when changes occur. For example, if you have assigned an administrator to oversee all departments in the company, and next month, the company adds a new department (Department X), your administrator automatically gains access to Department X because it is within his assigned group. (Previously, changes like this would have to be manually updated, meaning that you would have to manually give each administrator permission to access the new Department X.)
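The following added example models two passages above: a role granted to one permission group with another group as its target (USA HR over USA Employees), and group membership that follows user data automatically (the Department X case). It is an illustrative Python model, not SAP SuccessFactors code or an SAP API; the attribute names, the `edit_benefit_enrollment` permission string, and the sample employees are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

Employee = Dict[str, str]  # constructed attribute names, not SAP field IDs

@dataclass(frozen=True)
class PermissionGroup:
    name: str
    criteria: Callable[[Employee], bool]  # membership is a rule, not a stored list

    def members(self, directory: List[Employee]) -> Set[str]:
        return {e["id"] for e in directory if self.criteria(e)}

@dataclass(frozen=True)
class RoleGrant:
    role: str
    permissions: frozenset
    granted_to: PermissionGroup  # who holds the role
    target: PermissionGroup      # whose data the role applies to

def can(user_id, permission, subject_id, grants, directory) -> bool:
    """True if any grant gives user_id this permission over subject_id."""
    return any(
        permission in g.permissions
        and user_id in g.granted_to.members(directory)
        and subject_id in g.target.members(directory)
        for g in grants
    )

# Constructed sample data based on the Ace example in the text.
directory = [
    {"id": "hr1", "country": "USA", "job": "HR Manager", "department": "HR"},
    {"id": "emp1", "country": "USA", "job": "Analyst", "department": "Finance"},
    {"id": "emp2", "country": "DEU", "job": "Analyst", "department": "Finance"},
]
usa_hr = PermissionGroup("USA HR", lambda e: e["country"] == "USA" and e["job"] == "HR Manager")
usa_emps = PermissionGroup("USA Employees", lambda e: e["country"] == "USA")
grants = [RoleGrant("USA HR Admin", frozenset({"edit_benefit_enrollment"}), usa_hr, usa_emps)]

def demo():
    """Access to a new hire before and after the hire exists in user data."""
    d = list(directory)  # work on a copy so the sample data stays unchanged
    before = can("hr1", "edit_benefit_enrollment", "emp3", grants, d)
    # A hire into new Department X: no grant is edited, only user data changes.
    d.append({"id": "emp3", "country": "USA", "job": "Engineer", "department": "Department X"})
    after = can("hr1", "edit_benefit_enrollment", "emp3", grants, d)
    return before, after
```

Because access is derived from group criteria at evaluation time, reviewing who can reach benefit data means reviewing the criteria of both the granted group and the target group, not a static user list.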

Role Based Permissions (RBP)

Using Role Based Permissions, you can control the permissions assigned to users for using benefits. For example, while an employee does not have the permissions to create a benefit or a benefit program, an administrator does.

Administrators can determine which benefits objects have security control using the Configure Object Definitions tool. The following benefits objects must have the Security field set to Yes. This displays the benefit object in the Permission Roles definition.

  • Benefit Program Enrollment

  • Benefit Program Enrollment Details

  • Benefit Enrollment

  • Benefit Employee Claim

Set Up Permissions for Benefit Objects

Task 1: Set up security for Benefit Enrollment

In this exercise, you will configure the security settings for Benefit Enrollment.

Steps

  1. Configure security for the Benefit Enrollment object

    1. Use the Action Search and navigate to the Configure Object Definitions tool.

    2. In the Search, select Object Definition from the dropdown.

    3. In the search field input, enter Benefit Enrollment as shown in the image below.

      The Configure Object Definitions interface displays a search for the Benefit Enrollment Object Definition.
    4. Select Take Action → Make Correction.

    5. Scroll to the Security section and do the following:

      1. Set the Secured field to Yes.
      2. Set the Permission Category to Miscellaneous Permissions.
    6. Select Save.

Task 2: Configure Security Permissions

In this exercise, you will configure the security permissions needed for Global Benefits.

Steps

  1. Set user permissions to allow administrators to perform all tasks related to Global Benefits.

    1. Use the Admin Search to open Manage Permission Roles.

    2. Select System Admin.

    3. Select Edit.

    4. Select Next.

    5. Find and select the Manage Benefits permission from the list.

    6. Select All.

  2. Use Manage Permission Roles to allow members of the System Admin role to access and modify the Benefits Enrollment screen.

    1. Scroll to User Permissions → Miscellaneous Permissions.

    2. Choose Select All.

  3. Allow members of the System Admin role to create scheduled jobs.

    1. Scroll to Administrator Permissions → Admin Center Permissions.

    2. Enable Monitor Scheduled Jobs.

    3. Enable Manage Scheduled Jobs.

    4. Select Next.

    5. Select Save.

  4. Allow employees to view Benefits in their People Profile, and allow employees to perform certain actions related to Global Benefits.

    1. Select Manage Permission Roles.

    2. Select Employee Self Service.

    3. Select Edit.

    4. Select Next.

    5. Under the User Permission section, select Employee Views.

    6. Ensure that Benefits is selected.

    7. Find the Benefits Management permission type.

    8. Choose Select All.

    9. Choose Next.

    10. Choose Save.

    11. Find and select the Manage Benefits permission from the list.

    12. Verify that all permissions are selected:

      Permission Role         Permission Type             Permission
      Employee Self-Service   Employee Views              Benefits
                              Manage Benefits             Select All
                              Miscellaneous Permissions   Select All
  5. Allow employees to access Benefit Enrollment for employee self-service.

    1. Scroll to User Permissions → Miscellaneous Permissions.

    2. Scroll to Benefit Enrollment.

    3. Choose Create.

    4. Select Next.

    5. Select Save.

Summary

  • Role-based permissions allow the dynamic assignment of security privileges to users, with permissions grouped by roles such as System Admin and Employee Self-Service.
  • Permissions can be customized based on specific roles and needs, which helps reduce system roles for improved efficiency and performance.
  • Benefit objects must have Security set to Yes to allow role-based permissions.