Getting Started with Administration

Objectives

After completing this lesson, you will be able to:

  • Identify Administrator Tasks
  • Troubleshoot User Login Issues
  • Ensure that consultants and customers use the same SAP SuccessFactors common terms
  • Maintain Superadmin, security admin, and module admins

Roles and responsibilities of a typical SAP SuccessFactors System Administrator

Reset passwords

As an administrator, it is likely that resetting passwords will be part of your role. There are three types of password resets available in SAP SuccessFactors.

The following interaction walks you through the different between those three:

Reset locked user accounts

Resetting user accounts is only applicable if your company allows users a specific number of unsuccessful login attempts before locking their account. The system automatically locks the user account when the user exceeds the number of allowable unsuccessful login attempts.

This means that once the account is locked, the user will not be able to log in again until an administrator resets the account. When you reset an account, you're only reactivating the account so that the user can login again; no other changes are made.

As an administrator, you can easily and quickly reset locked user accounts.

  1. From the Admin Center, select Reset User Account.

  2. You will be directed to a page in which you can filter employees by division, department, group, or location, or simply enter their name or job code. Enter search criteria and select Search Users.

  3. The system generates a list of users that match your criteria. A locked out user is displayed on the list with a red X in the Status column.

  4. Choose the users that you would like to reset by selecting the checkbox next to their name.

  5. Select Reset Selected Users to reset and unlock their user accounts.

Single Sign-On (SSO)

What is Single Sign-On?

Single sign-on (SSO) is a property of access control of multiple related, but independent software systems. With this property, a user logs in once and gains access to all systems without being prompted to log into each of them. SuccessFactors offers a number of SSO options to allow users to access the application without entering their SuccessFactors username and password.

Access an SSO Enabled Instance

When customers enable SSO, we can no longer log into their instance. The steps below will allow you to use Secondary Login/Secure Access to log into the instance. This is the recommended method to access these instances. You do not need to enable Partial Organization SSO or ask the customer for a login through their SSO portal.

Steps to Follow to Enable Secondary Login Access (Manage Support Access)

  1. Go into Provisioning for the company ID you need to access.

  2. Go to Company Settings.

  3. Check on the box for Enable Secondary Login Feature and choose Save.

  4. Login as an Admin or guide a customer Admin through the following steps to enable Manage Support Access:

    Note
    If you make the changes yourself, you should still make sure the customer's Admin is aware of the process. They may want to disable this access in the future.
  5. Access the role you want to add the Manage Support Access permission to.

  6. Go to Manage Employees.

  7. Set User Permissions.

  8. Manage Permission Roles and select the role.

    Note
    Best practice is to add this permission to the customer’s System Administrator role.
  9. Select Permission Settings.

  10. Select Admin Permissions.

  11. Select Manage User.

  12. Select Manage Support Access.

  13. Select Done.

  14. Save changes.

Enable login access to a specified user

When the customer uses single sign-on (SSO), Professional Services consultants or support representatives will need to enable login access for their users from Admin Center before SSO is enabled.

From the Action Search, go to Manage Support Access: Find the user. Check the box for user, define when the access expires and select Grant a Support Administrator access to the account.

If enabled, a Support Administrator may have unrestricted login access to a user account until the access expires or until the customer disables the support access. The customer can follow the same process but select Disable Support Access to deny us access to the user.

Once the user has been granted Support Administrator access, they can go to Provisioning, select their customer's instance, and under the section Customer Instance Access, they can choose Log in to customer instance.

On the Secondary Logon page, they type their username and select Login.

Note
You must have Provisioning Access for this to work.

Show Users with Valid Support Access in Manage Support Access

You can grant or remove support access using the Manage Support Access admin tool. In this tool, there is also an option to filter user accounts that have support access called: Show Users with Valid Support Access. With this option you can quickly filter all user accounts that have support access.

For further information check: Managing Instance Access Guide

Platform Feature Settings

Several platform options and features can be enabled or disabled from Platform Feature Settings. To have access to this area of the tool, users need to have the permission Platform Feature Settings in RBP under the Manage System Properties category.

Tenant Preferred Time Zone

On Platform feature setting you can change the tenant preferred time zone when the tenant provisioned time zone doesn't match your preferred time zone. The changes to Tenant Preferred Time Zone is allowed only once and can’t be reverted after you set it.

For further information check: Tenant Preferred Time Zone.

SAP SuccessFactors common terms

TermsDefinitions
Enable Secondary Login FeatureIf this feature is enabled, partners can access the instance directly from the provisioning, if also enabled with the tool "Manage Support Access".
Enable Upgrade Center PermissionIf this feature is enabled, users can use the tool "Upgrade Center" if the according permissions are enabled.
Hide Username in the UIIf this feature is enabled, username won’t be displayed in the Global Header and the employee quickcard. You cannot run a username search or see the username in the search results in the areas that have adopted People Search, which include the Global Header, Org Chart, People Profile, Change Audit, and others.
Security Scan of User Inputs

If this feature is enabled, user input that contains the following content will be validated and harmful content will be filtered, and relevant API requests will fail.

  • SQL injection Cross-site scripting (XSS)
  • XML external entity (XXE) injection
  • CSV injection (also referred to as formula injection, occurs when a website embeds untrusted input inside CSV files)
InstanceAn instance is the front end, or customer-facing view, of SAP SuccessFactors systems.
ProvisioningProvisioning is the key configuration tool that SAP SuccessFactors uses to control many aspects of a customer instance. In essence, Provisioning is the back end of the system. Customers do not have access to Provisioning.
Admin CenterAdmin Center is the central access point to a wide range of administrative features and tools that can be used to configure and maintain the SuccessFactors application. Admin Center can be used to monitor overall system health, manage cross-suite and third-party integrations. Unlike Provisioning, customers do have access to Admin Center.
Role-based Permission (RBP)Role-based Permissions (RBP) are used to manage users’ permissions in SAP SuccessFactors. The two main components of RBP are permission roles and permission groups. Roles contain the various permissions necessary to perform tasks in an instance. Groups, which can be static or dynamic, contain the actual users who are granted access to roles via group membership.
ProxyThe proxy function allows one employee to act on behalf of another.
Home PageThe Home Page is the default starting page of the SAP SuccessFactors HXM Suite. For employees, the Home Page is the main entry point to the SAP SuccessFactors application and is generally the first page they see after logging into the system. It shows pending tasks, highlights recent activities, and helps users access common functions or areas of an instance quickly.
Org ChartThe Org Chart provides an interactive view of the organizational hierarchy and reporting relationships, including matrix managers, for your users.
PicklistA picklist is a configurable set of options from which a user can select, typically in a dropdown menu or smart search list.
Metadata Framework (MDF)The Meta Data Framework (MDF) is a platform functionality that allows consultants and customers to extend existing SuccessFactors HXM suite capabilities. The main building blocks of these extensions are called Generic Objects (GO).
User Data File (UDF)The UDF is a comma-separated value (.csv) file and is used to add or change data for one or more employees’ records at a time. It is created manually or as an automated output from your Human Resources Information System (HRIS).
Form TemplatesThese templates contain the layout, sections and fields for each form. They are used to create individual forms for the target population.
FormsIn some areas of Admin Center, forms are referred to as documents. They are created from form templates and are used to record information, including employee performance evaluations during review cycles.
Job CodeThis is a code assigned to each employee that is often mapped to a job role. Competencies are also mapped to job roles so a user’s job code can be used to determine the correct competencies to add to a user’s performance form automatically.
Line of SightThis describes the reporting visibility of an individual within SAP SuccessFactors. For example, managers can view direct reports and those below.
Rating ScaleThis determines the values, and meanings attached to those values, that will be used during performance evaluations and other areas where ratings are required.
Role Names

Role names are used in multiple modules and control various permissions:

  • E — Employee
  • EM — Employee’s manager
  • EH — Employee’s HR representative

Data supplied in an employee import file determines EM and/or EH roles. Customers can also set their own roles using Role-Based Permissions (RBP).

Route Maps

Route maps establish the workflow and steps that employees follow during a business process.

Route maps specify the order in which a form moves from one employee to another and what employees can do during each step.

Grant Permission to manage Role Based Permissions

Business example

Your customer wants to start with Role Based Permissions (RBP) and needs access to the tools so they can manage Role-Based Permission access.

Task 1: Grant Permissions to view and manage Provisioning Access

Enter Manage Provisioning Access into Action Search and notice, that there are no search results. This is because the permission is not granted yet.

Steps

  1. Use the Action Search to navigate to Manage Permission Roles and select the Full System Administrator role.

    1. Select the Permission button.

    2. In the Administrator Permissions section select the Manage System Properties link.

  2. Give your administrator following permissions: View Provisioning Access, Control Provisioning Access.

    1. Select View Provisioning Access. This gives the ability to view users with Provisioning access.

    2. Select Control Provisioning Access. This gives the ability to control which users have Provisioning access.

    3. Select Done.

    4. Select Save Changes.

  3. Test your new access.

    1. Log out of your instance and log back in to use your new RBP permissions.

    2. In Action Search type Manage Provisioning Access to access this tool.

    3. Search for the administrator2023 you created to verify it is in this list.

Task 2: Grant Permission to manage Role-Based Permission access

Your company has enabled RBP for their instance of SAP SuccessFactors. Access to manage RBP must be granted to the company administrators.

You must search for the user admin and grant them access to manage RBP.

Steps

  1. Find the administrator2023 user.

    1. Log into the instance.

    2. Use the Action Search to navigate to Manage Role-Based Permission Access.

    3. On the Manage Role-Based Permission Access screen, verify that you see the user administrator2023 that you created from Provisioning. Otherwise, choose Add User.

  2. Grant RBP to administrator2023.

    1. Verify that the check-box Allow Access to This Page is enabled for administrator2023.

    2. Make sure that the check-boxes for Role-Based Permission Admin (view)and Role-Based Permission Admin (Edit)are enabled for the administrator2023.

Result

You have successfully searched for your admin user and granted them access to manage Role Based Permissions.

Log in to track your progress & complete quizzes