Managing Security

Objectives

After completing this lesson, you will be able to:
  • Manage security for Global Benefits.
  • Manage permissions for benefit objects.

Security in Global Benefits

As we saw in the previous topic, Employee Central requires the use of role-based permissions. SAP SuccessFactors uses these role-based permissions to set security in Employee Central.

Role-based permissions use permission groups and roles to grant permissions to users. You, as an administrator, can also grant permission to standard role types. When granting these permissions, an administrator can limit the permissions to specific target groups of users.

This is a dynamic method of assigning permissions. For example, when an employee is promoted to a manager role, once the change is made in the user data (either by import or manually), the employee is automatically assigned all the special permissions a manager has.

Role-based permissions are designed so that a user can match more than one role. As a best practice, we recommend configuring roles by starting with the most generic role, such as the All Employee Role, and casting the net as wide as possible to include all permissions that must be given to everyone.

When creating more roles, include only the unique extra permissions that the role must have beyond other roles. This practice helps reduce the number of roles in the system, which is easier to maintain, and helps improve system performance.

Permission Roles

A permission role defines a set of permissions and grants them to permission groups or role types, such as employees or managers. A single role can have multiple sets of permissions.

Employee Central contains a set of default roles. You can use these roles or create new ones.

Some default permission roles include:

  • System Admin
  • Employee Self Service
  • Compensation Admins
  • Manager Role

A screenshot displays the Manage Permission Roles section, which includes a table of permission roles listing role names, user types, descriptions, modification dates, and actions such as edit and delete for each role.

The permissions that control Global Benefits are:

  • For system administrators, select all permissions under Manage Benefits.
  • For employee self-service, select the Benefits permission Employee Views and select all permissions under Manage Benefits.

Administrators define permission roles in Administration Tools by navigating to Manage Permission Roles.

In Manage Permission Roles, you can review, copy, and edit existing roles, or create new roles. By selecting the name of the role, you can review and edit the list of permissions granted. The permission button displays the different permission sections that a role can have. For example, the manager role can grant managers the ability to change the standard hours for one of their direct reports (Employee Central Effective Dated Entities previously shown) and can run ad-hoc reports on their team.

For a permission role to take effect, you must grant the role to a permission group or select from existing default role types.

Permission Groups

A permission group defines groups of employees that have a set group of permissions. An administrator can define a group by:

  • Standard elements in the Employee Data File such as gender, location, or marital status.

  • Employee Central fields such as Company or Pay Grade.

Target Groups

Target Groups refer to a specific group of users identified for a particular function or activity. It can include groups based on employee location, department, level, job function, or other demographic information.

For example, if a company wants to implement a new benefit for a certain department or level of employee, they can define a Target Group for this benefit.

You can also assign a permission group a permission role that applies to another permission group. For example, if an organization wants all USA HR Managers to be able to administer changes to all USA Employees, they can create a USA HR permission group and a USA Employees permission group.

You can grant permissions through the roles and groups in Administration Tools by navigating to Manage Permission Roles > Manage Permission Groups. If an organization wants to allow all employees to edit their personal information, they must allow the role of employee to have edit permissions in personal information, which is in the permission section titled Employee Central Effective Dated Entities.

Administrator Permissions

As an administrator, you can grant employees access to all or some of the administrative tools by granting full or partial administrative permissions. For example, if your company has remote offices, you can allow the regional on-site manager to reset employee passwords. There are several permission sections, and each section has a set of permissions. You can grant administrative permissions for the entire section to multiple employees. Manage User is an example of an Administrator Permissions section.

Employees with any administrative privileges have the Admin Tools option in the Welcome message dropdown menu. The Administration Tools page only shows active links to administrative features for which the employee has permission.

Administrator Levels

You can also use administrative permissions to set granular control over administrator access to users. This feature is ideal for companies with independent business structures where administrators are generally responsible for managing the system at only the region or division level. You can assign administrators to manage only a selected user population and only a selected group of administrator functions.

Using this approach creates three levels of administrators: Super Administrator, Security Administrator, and Administrator.

  • Super Administrator: A super administrator generally acts like a global administrator for your SAP SuccessFactors system, with full access to administrator activities and full access to manage role-based permissions. Only a super administrator can make other users security administrators.

  • Security Administrators: Security administrators are also global administrators who are responsible for managing all security through roles and permission groups. These administrators can grant users access to functionality in the Administration Tools page or general user pages.

  • Administrators: An administrative user in Employee Central is a local user who has access to the Administration Tools page and the functions therein.

Groups and their corresponding permissions are automatically updated when changes occur. For example, if you have assigned an administrator to oversee all departments in the company, and next month, the company adds a new department (Department X), your administrator automatically gains access to Department X because it is within his assigned group. (Previously, changes like this would have to be manually updated, meaning that you would have to manually give each administrator permission to access the new Department X.)
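The automatic group updates described above, together with the access-group and target-group grants from the Permission Groups and Target Groups sections, as a simplified Python model added here. It is not SAP SuccessFactors code or its API; every group, role, user and permission label in it is constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Group:
    """Permission group: membership is computed from user data, not a static list."""
    name: str
    criteria: Callable[[dict], bool]

@dataclass(frozen=True)
class Grant:
    """A permission role granted to an access group over a target group."""
    role: str
    permissions: frozenset
    access: Group
    target: Group
    self_only: bool = False  # self-service: the actor may act only on their own record

def effective(actor, subject, grants):
    """Union of permissions from every grant that matches this actor/subject pair."""
    perms = set()
    for g in grants:
        if g.self_only and actor["id"] != subject["id"]:
            continue
        if g.access.criteria(actor) and g.target.criteria(subject):
            perms |= g.permissions
    return perms

def who_can(permission, subject, users, grants):
    """Review helper: ids of users holding `permission` over `subject`."""
    return sorted(u["id"] for u in users if permission in effective(u, subject, grants))

# Constructed groups, roles and users (names and permission labels are illustrative).
EVERYONE = Group("Everyone", lambda u: True)
USA_EMPLOYEES = Group("USA Employees", lambda u: u["country"] == "USA")
USA_HR = Group("USA HR", lambda u: u["country"] == "USA" and u["dept"] == "HR")
GRANTS = [
    Grant("All Employee Role", frozenset({"view_benefits", "create_enrollment"}),
          EVERYONE, EVERYONE, self_only=True),
    Grant("USA HR Role", frozenset({"correct_enrollment"}), USA_HR, USA_EMPLOYEES),
]
ALICE = {"id": "alice", "country": "USA", "dept": "HR"}
BOB = {"id": "bob", "country": "USA", "dept": "Sales"}
CARLA = {"id": "carla", "country": "DEU", "dept": "HR"}
USERS = [ALICE, BOB, CARLA]

if __name__ == "__main__":
    # A hire into a new department is covered without editing any grant.
    dan = {"id": "dan", "country": "USA", "dept": "Department X"}
    print(who_can("correct_enrollment", dan, USERS + [dan], GRANTS))
```

Because membership is recomputed from user data, a review of who can act on whom has to evaluate the group criteria against current records rather than read a fixed member list.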

Role Based Permissions (RBP)

Using Role Based Permissions, you can control the permissions assigned to users for using benefits. For example, while an employee does not have the permissions to create a benefit or a benefit program, an administrator does.

Administrators can determine which benefits objects have security control. The following benefits objects must have the Secured field (in the Security section of the object definition) set to Yes. This displays the benefit object in the Permission Roles definition.

  • Benefit Program Enrollment

  • Benefit Program Enrollment Details

  • Benefit Enrollment

  • Benefit Employee Claim

Set Up Permissions for Benefit Objects

Let's see how we can set up security for the Benefit Enrollment object.

Steps

  1. Use the Action Search and navigate to the Configure Object Definitions tool.

  2. In the Search, select Object Definition from the dropdown.

  3. In the search field input, enter BenefitEnrollment as shown in the image below.

    The Configure Object Definitions interface displays Object Definition and Benefit Enrollment in the search fields. The screen displays the title Object Definition: Benefit Enrollment, and under this, there is a list including code, effective dating, API visibility, status, MDF version history, default screen, label, description, and API subversion, each with a help icon.

  4. Select Take Action > Make Correction.

  5. Scroll to the Security section and do the following:

    • Set the Secured field to Yes.

    • Set the Permission Category to Miscellaneous Permissions.

    The screenshot of the Security section shows Yes in the Secured field and Miscellaneous Permissions in the Permission Category field.

  6. Select Save.

  7. Use Manage Permission Roles to allow members of the system admin role to access and modify the Benefits Enrollment screen.

    1. Use the Action Search to open the Manage Permission Roles tool.

    2. Select the System Admin role.

    3. Select Edit.

    4. Select Next.

    5. Scroll to User Permissions > Miscellaneous Permissions.

    6. Under Benefit Enrollment, select the Insert, Correct, and Delete checkboxes in Actions.

    7. Set Field Level Overrides to Benefit.

    8. In the Permission field, select No Access.

      The screenshot shows the Add Permission section, where Miscellaneous Permissions is selected from the permission options panel. The main screen displays Field-Level Overrides, and under this, there are options to select several actions for Benefit Enrollment. The checkboxes are selected for Insert, Correct, and Delete.

  8. Use Manage Permission Roles to allow members of the system admin role to create scheduled jobs.

    1. Scroll to Administrator Permissions > Admin Center Permissions.

    2. Enable Monitor Scheduled Jobs.

    3. Enable Manage Scheduled Jobs.

    4. Select Next.

    5. Select Save.

  9. Allow access to Benefit Enrollment for employee self-service.

    1. Select Employee Self-Service from the Permission Role List.

    2. Select Edit.

    3. Select Next.

    4. Scroll to User Permissions > Miscellaneous Permissions.

    5. Scroll to Benefit Enrollment.

    6. Choose Create.

    7. Select Next.

    8. Select Save.
