Designing a Security Domain Structure and Security Domain Groups

Objectives

After completing this lesson, you will be able to:
  • Create a Security Domain Structure
  • Create a Security Domain Group

Security Model Overview

SAP SuccessFactors Learning security differs from the core SAP SuccessFactors Human Capital Management (HCM) Role-Based Permissions (RBP) model. Consequently, security in SAP SuccessFactors Learning needs a separate configuration.

With RBP, users can be granted access to the Learning system menu option to launch the system as a user. RBP can also be used to grant access to Admin Center for Learning Administration so that administrators can launch the administration side of the system. Once they launch the SAP SuccessFactors Learning module, their permissions within the user-side and/or administrator-side of the system are controlled entirely by the Learning security model.

In SAP SuccessFactors Learning, the security model is a combination of Security Domains, Security Domain Groups, Permissions, and Roles.

Security Domains

Security domains are organized to reflect the structure of a company, whether by department, team, or geographic location. Different departments or teams within an organization may have their own security domains, tailored to their specific data access needs and security requirements. Similarly, regional branches can establish individual security domains to manage data and access to their locations. This approach enables more precise control over security policies and data access, allowing them to be customized for the unique needs of various parts of the organization.

Once a security domain entity is added to the Learning system, you can still change the security domain description, as well as the hierarchical structure between security domains. Selecting a different parent security domain will move your security domain and build a new relationship between security domains.

Hint

As a best practice, do not create more levels of security domains than are needed.

Public Security Domain

The Public Security Domain is automatically added to every security domain group and cannot be removed. Any entities saved in the Public Security Domain are accessible to any administrator whose role allows them to work with those entities. Since the Learning Security Model dictates that all data should be stored in specific security domains with controlled access through security domain groups, administrators are advised not to use the Public Security Domain. Instead, they should always save entities in more appropriate security domains.

Security Domain Groups

A security domain group consists of one or more security domains that determine the locations where an administrator can exercise their permissions. For example, a group called Europe-All may include countries such as France, the UK, and Germany. When this group is linked to the permissions associated with a user role, it restricts the administrator to performing those permissions only within the specified European security domains.

Role

A role consists of a set of permissions that are bundled together and assigned to entities like Instructors, Users, and Administrators. These permissions determine access to various menus, links, and tiles.

  • Administrator Roles: For administrator roles, specific security domain groups can be added to these permissions. This ensures that access is limited to certain security domains related to the entities.
  • User Role: When users are imported from SAP SuccessFactors HCM or another HR Management System, they are assigned specific security roles within the Learning system, such as Administrator, User, or Instructor. This assignment can be completed through various methods, including:
    • Connector job
    • Assignment profile
    • Import tool
    • Manual update

Role Permissions

A permission is a function that can be combined with an entity to create specific actions. Functions include options such as add, delete, copy, edit, or search. Entities can refer to users, items, classes, curriculums, instructors, or assignment profiles. For example, an administrator may have the ability to Add User, Search Item, Edit Curriculum, or Copy Assignment Profile.

Each role has its own set of permissions that define what actions users can perform. Organizations can create customized roles to meet their unique needs and assign these roles to different entities for access to Learning system tools and features.

Administrator Data Access Control

The Learning Security model also allows organizations to control what data administrators can access. To limit access to specific data (e.g., data for certain regions), security domains and groups can be created and assigned to the appropriate permissions in administrator roles.

Security Domains Structure

Security domains are crucial for maintaining a secure and well-organized learning system. Think of security domains as containers for different types of data in your learning system. When you add new elements like Items, Curricula, or Assignment Profiles, you assign them to a specific security domain. This helps to:

  • Organize Data: Keep similar information grouped together for easy management.
  • Control Access: Determine which administrators have access to specific data based on their assigned security domain groups.

Key Considerations for Designing Security Domain Structure

When designing your security domain structure, consider the following factors:

  1. Complexity of Data: Assess how many different types of data you have and evaluate the sensitivity of each type.
  2. Delegation of Administrative Tasks: Determine the number of administrators you have and define their specific roles and responsibilities.
  3. Distribution of Data Access: Identify which administrators require access to certain types of data in order to perform their jobs effectively.

Visual Mapping for Enhanced Security

To enhance your company's security, it's crucial to visually map out its organizational structure. This graphical representation will provide a clear understanding of departments, roles, and information flow, enabling you to make informed decisions about segmenting access and responsibilities to strengthen security measures.

The security domain level starts from 0, which corresponds to the root-level security domain. The system increments each subsequent security subdomain by one. A Public domain is also accessible by all administrators regardless of the security domain or security domain restrictions associated with their role.

Below is an example of a security domain structure or security domain tree for an organization (Company XYZ) with two geographical locations (Europe and North America) and two departments (Sales and HR) per location.

Flow diagram showing the levels of security domains for Company XYZ.

Create a Security Domain Structure

Business Example

In this exercise, you will design a security domain structure for ABC Company, which operates in two primary locations: Europe and North America. Create a security domain that allows administrators to manage access and permissions for these geographical areas effectively.

Task 1: Create the Corporate (Root) Domain

Steps

  1. Navigate to System Administration → Security → Security Domains.

  2. Select Add New to create a new Security Domain.

  3. Select the Add Root (Top) Level Security Domain radio button to create a parent Security Domain.

  4. Enter these values into these fields:

    • Security Domain ID: YourInitials-ABC
    • Description field: Your Initials - ABC Corporate Domain
  5. Select Add.

Task 2: Create the Subdomains

Steps

  1. Select Add New to create a new Security Domain.

  2. Choose Add Security Subdomain radio button.

  3. Search for and select the Parent Security Domain you created (YourInitials-ABC).

  4. Enter a Security Subdomain ID: YourInitials-EUR.

  5. Enter a Description: Your Initials - Europe Subdomain.

  6. Select Add.

  7. Repeat steps 1-6 to create a Security Subdomain for North America.

Security Domain Types

Security Domain Types are the entity types that administrators and users are allowed to use within a Security Domain. When a new Security Domain is created in the system, it is automatically associated with all available Security Domain Types. These entity types include Items, Curricula, Classes, Equipment, Assignment Profiles, Roles, Programs, etc.

Entities added to the system fall into two categories:

  • Global References: These are entities that are not stored within any specific Security Domain. Instead, they exist in a global list accessible throughout the system.
  • Security Domain Types: These entities are specifically stored within designated Security Domains.

Note

The PUBLIC Security Domain allows for the creation and storage of all these entity types.

Security Domain Customization

You can customize a security domain by adding or removing specific Security Domain Types for entities that you want to control. For instance, if you want to prevent users in the Europe domain from accessing programs, the administrator can follow these steps:

  1. Open the Europe Security Domain.
  2. Navigate to Security Domain Type tab.
  3. Remove Unwanted Domain Types: Locate the program domain type and remove it. Additionally, if the administrator wants to add new Security Domain Types, they can use the Add One or More from a List option to include additional types in the security domain.

Security Domain Types tab, add one or more from list link, and Remove column are highlighted.

Security Domain Groups

Security Domain Groups (formerly known as Domain Restrictions) are entities that determine in which security domains an administrator may perform permissions. For example, if the North-America Security Domain Group contains the North-Am, North-Am-Sales, and North-Am-HR security domains, administrators with roles with the North-America Security Domain Group applied can access entities that reside in North-Am, North-Am-Sales, and North-Am-HR security domains (plus the PUBLIC Security Domain which is automatically added to every security domain group).

If there are no security domain groups applied to permissions in an Administrator Role, the Administrator may perform all permissions in the role in all security domains.

Flow diagram showing Company XYZ at the top and the security domain groups for its European and North American organizations below.

Security domain groups can contain one or more security domains. The security domains do not need to be connected in the hierarchical structure, but there are patterns to how customers implement security domain groups:

  • Family branch: An administrator is responsible for the entities within the Europe region, which includes access to the entities in the Europe Security Domain and its subdomains, Europe-Sales and Europe-HR.
  • Sibling: An administrator is responsible for managing siblings within the same branch. For example, an administrator has access to the entities in Europe-Sales and Europe-HR, but not in the parent security domain (Europe).
  • Parent-child: An administrator is responsible for a parent security domain and one or more child domains, but not the entire branch. For example, an administrator has access to entities in the Europe Security Domain and the Europe-HR Security Domain.
  • Mix-and-match: Any security domains can be included in a security domain group, whether they are from different parts of the same security domain tree or even from different trees.
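The following Python model is an added example, not SAP SuccessFactors Learning code, and it is only an illustration of the rules stated in this lesson: root-level security domains are level 0 and each subdomain adds one, every security domain group implicitly contains PUBLIC, a permission with no security domain group applied is valid in all security domains, and the four grouping patterns above (family branch, sibling, parent-child, mix-and-match). It reuses the Company XYZ tree from the earlier diagram; the domain IDs (XYZ, EUR, NAM, EUR-SALES, ...), group names, the role name and the `can_perform` check are all constructed for this example and are not identifiers from the product.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

PUBLIC = "PUBLIC"  # present in every security domain group and cannot be removed


class SecurityDomainTree:
    """Hypothetical model of the security domain hierarchy (root = level 0)."""

    def __init__(self) -> None:
        self.parent: Dict[str, Optional[str]] = {}  # domain id -> parent id

    def add_root(self, domain_id: str) -> None:
        self.parent[domain_id] = None

    def add_subdomain(self, domain_id: str, parent_id: str) -> None:
        if parent_id not in self.parent:
            raise KeyError(f"unknown parent security domain {parent_id!r}")
        self.parent[domain_id] = parent_id

    def level(self, domain_id: str) -> int:
        """Root-level domain is 0; each subdomain level adds one."""
        depth, node = 0, self.parent[domain_id]
        while node is not None:
            depth, node = depth + 1, self.parent[node]
        return depth

    def branch(self, domain_id: str) -> Set[str]:
        """A domain plus all of its descendants (the 'family branch' pattern)."""
        members = {domain_id}
        changed = True
        while changed:
            changed = False
            for child, par in self.parent.items():
                if par in members and child not in members:
                    members.add(child)
                    changed = True
        return members


@dataclass
class SecurityDomainGroup:
    group_id: str
    domains: Set[str]  # need not be connected in the tree (mix-and-match)

    def members(self) -> Set[str]:
        return self.domains | {PUBLIC}  # PUBLIC is always included


@dataclass
class Permission:
    function: str                                 # add, edit, search, copy, delete ...
    entity: str                                   # Item, User, Curriculum ...
    group: Optional[SecurityDomainGroup] = None   # None = no group applied


@dataclass
class Role:
    role_id: str
    permissions: List[Permission]


def can_perform(role: Role, function: str, entity: str, domain_id: str) -> bool:
    """May an administrator holding `role` apply `function` to an `entity`
    stored in security domain `domain_id`?"""
    for perm in role.permissions:
        if perm.function == function and perm.entity == entity:
            if perm.group is None:
                return True  # no group applied: valid in all security domains
            return domain_id in perm.group.members()
    return False  # the role does not carry this permission at all


def build_company_xyz():
    """Constructed sample: Company XYZ with Europe and North America, each
    with Sales and HR subdomains, plus one group per grouping pattern."""
    tree = SecurityDomainTree()
    tree.add_root("XYZ")
    for region in ("EUR", "NAM"):
        tree.add_subdomain(region, "XYZ")
        tree.add_subdomain(f"{region}-SALES", region)
        tree.add_subdomain(f"{region}-HR", region)

    groups = {
        "Europe-All": SecurityDomainGroup("Europe-All", tree.branch("EUR")),          # family branch
        "Europe-Siblings": SecurityDomainGroup("Europe-Siblings", {"EUR-SALES", "EUR-HR"}),  # sibling
        "Europe-HR-Parent": SecurityDomainGroup("Europe-HR-Parent", {"EUR", "EUR-HR"}),    # parent-child
        "Mix": SecurityDomainGroup("Mix", {"EUR-SALES", "NAM-HR"}),                   # mix-and-match
    }
    eu_admin = Role("EU-Item-Admin", [
        Permission("edit", "Item", groups["Europe-All"]),  # restricted to the Europe branch
        Permission("search", "Item"),                      # no group: searchable everywhere
    ])
    return tree, groups, eu_admin


if __name__ == "__main__":
    tree, groups, eu_admin = build_company_xyz()
    for d in ("XYZ", "EUR", "EUR-HR"):
        print(d, "is level", tree.level(d))
    for d in ("EUR-HR", "NAM-HR", PUBLIC):
        print("edit Item in", d, "->", can_perform(eu_admin, "edit", "Item", d))
```

Running the block shows the two behaviours administrators most often trip over: the Europe-restricted Edit Item permission succeeds on EUR-HR and on PUBLIC (because PUBLIC rides along with every group) but fails on NAM-HR, while the unrestricted Search Item permission succeeds in every domain, which is why the lesson advises against leaving permissions without a security domain group and against storing entities in PUBLIC.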

Create a Security Domain Group

Business Example

In this exercise, you will first create a Security Domain Group for the European domain and then create a Security Domain Group for the North American domain.

Steps

  1. Navigate to System Administration → Security → Security Domain Group.

  2. Select Add New.

  3. Enter the Security Domain Group ID: YourInitials-EU.

  4. Enter a Description: EU_Your Initials_SDG.

  5. Select ACME-CORP Security Domain to save the Security Domain Group entity.

  6. Select the Security Domains tab to add security domains to your Security Domain Group.

  7. Select Add one or more from list to add the security domains.

  8. Select the Europe Subdomain.

  9. Select Apply Changes.

  10. Repeat steps 1-8 to create a security domain group for North America. For step #3 enter YourInitials-NA. For step 4, enter NA_Your Initials_SDG. For step 8, select the North America Subdomain.
