Accessing Workforce Analytics via Permissions

Functional permission in RBP Roles are the same as Action Restrictions in WFA Roles.

Functional permissions are a common configuration that needs to be applied to roles. Therefore, in this lesson we will look closer at the functional permissions that are available.

A consolidated table of functional permissions and their corresponding action restriction is located in the previous section.

Certain permissions are similar to others in the actions and /or purpose. Therefore, the permissions can be discussed in categories of their purpose.

One of the fundamental permission management is to control which collection of users have access to tools designed for users of the WFA system. For example, who can create reports using report center, or who can use query tools such as Query Workspace.

Action restrictions provide the ability to limit or hide the tool from the user when accessing the analytics tab or functionality embedded in canvas reports. Restricting the action simply remove the tools availability.

The steps to change the action restrictions for a role were covered in the previous lesson.

An organization may want to delegate some administrative functions to different users. For example, allow users to set targets for certain measures or import report templates into the instance.

Functional permissions provide the ability to limit access to the administrative tools. Typically a user would access these tools from the Admin link on the analytics page. Restricting the action hides the tool from the list when entering the admin page.

The action restrictions in this category are the following:

A Target is a desired level of performance for a measure that can be achieved through proactive management. Targets can be configured by WFA administrators. A variety of query and report components can utilize configured targets. Targets are defined for measure utilizing a time, structural dimension and optionally an analysis dimension. For example, you can set termination rate targets for Organizational Units for the years 2020 and 2021.

Targets can be single value or a range.

You can use thresholds to display a close to target/near range. They can be configured as a number or percentage above/below a value. Additionally, they can be set for one side of a target, or both.

Measure Overrides and Dimension Overrides tools allow an administrator to adjust the labels and translations that appear for the measure or dimension in the WFA application. To assign an override to a measure or dimension, perform the following steps:

1. Navigate to WFA admin.
2. Select the appropriate tool: Measure Overrides or Dimension Overrides.
3. Select Add New.
4. Select the appropriate measure or dimension.
5. Enter the new information:
   1. Enter the override label.
   2. If you want to enter translations, select the appropriate flag icon and enter the translated label.
   3. If entering a measure override, you can override the measure description as well.
6. Select Save.

The report management permissions provide varying actions and permissions that pertain to reports, including the default measure views. By managing these actions to different roles, you can limit actions like creating canvas reports or utilizing drill-to-detail to see the underlying data behind the consolidated numbers.

The edit footnotes permission allows editing of footnotes. The footnotes appear on each measure view and could allow for customer specific commentary about a particular measure. Changing the action restriction limits whether the Edit button is available.

Drill to Detail allows a user to access the data behind summarized data on reports or measure views. Restricting this action disallows the user to click on the contents of a table to get to drill to detail view.

For systems utilizing Data Subject Information Reports, an administrator must set the purpose for each field in WFA. This is completed in the Data Subject Information tool. The administrator must configure up to 3 searchable fields. The Data Subject Info Report will contain all rows from the fact table for the user. For every date-effective change of any field there is a new full row of data. This will typically make the report quite large.

To configure the data subject fields, perform the following steps:

1. Go to Admin Center → Data Subject Information.

2. In the tool, go to the Configuration tab.

3. Select Analysis in the sub-tab.

4. Select a starting entity from the list on the left-hand side. Selecting a starting entity will display a preview of the starting entity fields.

5. Ensure that the checkbox is selected for any fields that you want to appear in the report, and that you've specified a purpose for each one.

   Note

   The purpose informs the user why you've stored this particular item of personal data. By default, the purpose simply states the module in which the data is stored, for example, Employee Central, so we strongly recommend that you configure a purpose that more clearly states the specific business reason at your company.

6. Select Save.

For complete details on Data Subject Information Reports, review the Data Privacy and Protection information on the SAP Help Portal.

You might be tasked with controlling access to reports, even if the reports are created by other users. Therefore it is important to understand the options for managing access to reports.

Reports can be accessed in the following ways:

1. Via the Report Center - the audience is Report Designers and Report Consumers.

2. Via a hyperlink on a report page- the audience is Report Consumers who do not need to create/edit reports.

Tree security allows you to control what data a user in this role is permitted to see when navigating the portal. The Tree Security functionality is the most important part in determining which users are permitted access to which areas of company data. When using this functionality, multiple security pathways may be defined that restrict and define user access based on structural dimensions within the site.

To configure the structural dimension (tree) security:

1. Navigate to Manage Permission Roles.
2. Create a new role, or select the appropriate existing role.
3. Enable the security setting.
   1. On the Permissions tab, select Edit.
   2. Choose Next to navigate to the Add Permissions tab.
   3. Select the Permission Group Analytics Permissions.
   4. Enable the Configure Structural Dimensions checkbox.
   5. Choose Next to navigate to the Preview tab.
   6. Select Save.
   
4. Configure the Tree Security:
   1. Select the Assignments tab.
   2. Add or Edit an Assignment.
   3. Navigate to the Define Tree Security tab.
   4. In the Define Tree Securitysection, assign each dimension to All, Hidden, or Restricted.
      • All: If selected, users assigned to this role will have full access to the entire structural dimension. For example, if the Structural dimension is Organizational Unit, users assigned to the role will by default have unrestricted access to the entire Organizational Unit structure starting at the highest point in the tree.
      • Hidden: If selected for a particular structural dimension, users assigned to this role will not be able to view the respective structure.
      • Restricted: Allows specific structural paths to be defined for the role in question. User’s accessibility to the structural dimension will depend on the way these paths are constructed.
   5. For each dimension set to All, enable or disable drill to detail.
   6. If a dimension is restricted:
      1. Select either an Include or Exclude entry.
      2. Select Add New to create a new entry.
      3. Create the individual include and exclude entries to specify the level of access to that dimension.
   7. Navigage to the Preview tab.
   8. Select Save.

To apply restricted access to structural dimensions, select the restricted selector against the appropriate structure and then select Edit Access.

The Includes and Excludes panel allows users to define which parts of the structural dimension should be accessible for the selected role. The Include function allows users to define sections of the structure that can be viewed on the site, while the Exclude function specifies sections of the structure that should be hidden.

To add path restrictions under either Include or Exclude, select Add New. Three types of security paths are available. The path type you define will directly determine what part of the structural dimension tree a user role may view.

There are three types of security path that may be defined within role based security: Open Ended, Horizontal and Vertical. The choice of path type will directly determine what part of the structural dimension tree a user role may view. Each of these types suit varying and specific security requirements and the choice of path type will align closely to company requirements matching the way that users attached to roles need to work and also the way that the company wishes varying users to have access to site information. Bear in mind that any structural dimension can be thought of as a top-down hierarchy or upside-down tree, where the top level is the most significant point in the structural dimension:

The Open Ended model will be by far the most commonly used path type. A point (node) in the structural dimension is chosen and the user role will be permitted access to the defined node and all nodes below that point in the structural dimension. This can be thought of as cutting off or isolating a branch in the tree. A well-organized structural dimension will allow companies to easily align role access to user roles under this model.

If the top node is set to ‘All Organizational Units’, it provides access to all data.

To define a Horizontal path type, a point (node) in the structural dimension is chosen and the user role will be permitted access to the defined node and any node that is an immediate descendant or child of that node. This can be thought of as cutting off or isolating a branch in the tree and then pruning branches off at the bottom until only the starting node level and a single level below remain. This model suits an aggregated view of a structural dimension where the ability to drill down needs to be restricted and extraneous detail at lower levels removed.

If the top node is set to ‘All Organizational Units’, it provides access to the All Organizational Units node and all business unit nodes.

To define a Vertical path type, a top point (node) and a bottom point (node) in the structural dimension are chosen. The user role will be permitted access to the defined top node, the defined bottom node and any node that exists directly in the pathway that connects these two nodes. This can be thought of as connecting a string line between the top and bottom nodes and includes any node that is required to complete the connection between these two nodes. This model suits a very restricted slice of a structural dimension and would be typically used in conjunction with an Open Ended or Horizontal security model to selectively expand the view of an individual user role.

If the top node is set to ‘All Organizational Units’ and the bottom node was set to ‘Dept 5’, it provides access to only 3 nodes.

An entry point is the topmost level of information that is presented to a user when they access the site. Typically this is the main page, however the application of role-based security to a user via the user’s associated role will change this as determined by the security paths that have been defined for the user role. For example, if a single Open Ended path is defined for a role, the node defined as the Top Node for this security path will be the entry point presented when a user assigned to this role logs on to the site. Similarly, if a Horizontal or Vertical path type was defined, the entry point for the user assigned to the role would be determined by the defined Top Node for the path.

If a user role has more than one security path defined for it then it is possible that defining these paths will cause multiple entry points into the structural dimension to be established. In the example a role called ‘Healthcare’ has been established with two open ended paths: one pointing to the Corporate Services level within Healthcare and the second pointing to the Customer Services level within Healthcare. Note that the Corporate Services node and the Customer Services node are at the same level in the company structure.

This example has given this role two entry points into the company structure that are at the same level in the hierarchy. When logging into the site, the default entry point for the user will be determined by which is the first entry node in cube structure order.

To enable the user to see alternate entry points, in the Filters tile select the structural dimension you wish to conduct analyses. In this instance, you can select between Corporate Services and Customer services, and their descending sub-units. However, you cannot select Organizational Unit or Healthcare as an analysis dimension.