IBP Collaboration with SAP JAM via Role-Based Permissions (RBP)
In the earlier blog SAP Jam Integration to S&OP on Cloud, the configuration steps to enable the integration of S&OP 3.0/IBP 4.0 collaboration to JAM have been described using the legacy permission framework provided with SAP SuccessFactors (SF).
In addition, SF provides another authorization framework, called the Role-Based Permissions (RBP) framework. You can read up on the RBP details in the blog SuccessFactors: all you need to know about Authorizations and Security. For new customers who have subscribed to SAP IBP onDemand, it is likely that the provisioned SF instance will be delivered with this RBP framework.
In this blog, we describe the configuration steps that you can follow to set up JAM for IBP collaboration using this authorization framework.
One assumption is made here – you have already received the SF Company and Administrator User information from SAP.
1. Log on to your SF cloud instance using the provided SF Administrator User (i.e. SFADMIN).
2. On the SF administration top menu, select ‘Admin Center’ and the OneAdmin screen will be displayed. The OneAdmin screen is where the user, role and permission group objects can be maintained and assigned respectively. If you cannot see the OneAdmin screen, search your main screen for a link which may be labelled ‘Switch back to One Admin’ and click on that link. You should then be redirected to the OneAdmin screen.
3. Check that JAM is provisioned with the SF instance. Click the ‘Admin Center’ top menu and expand the drop-down list to confirm the existence of the ‘Jam’ entry. If you cannot locate this entry, the SFADMIN user has no access to JAM yet; in that case, please create an incident for the support team under the component ‘LOD-SF-JAM’.
4. Create the SF user for JAM collaboration. Under the ‘Manage Employees’ screen section, click on the ‘Update User Information’ icon and select the ‘Manage Users’ menu entry.
(a). On the Manage Users screen, there are various options (Add New User manually or Export/Import Users) available to ease the creation of the user data. You can use the ‘Export Users’ function to download existing users and see how the data columns should be populated for uploading with a Microsoft Excel file. The ‘Email’ field is the important one because this email address is used for the integration between the IBP and JAM system components.
5. Create a Permission Group to group the SF users who are required for the IBP collaboration. Under the ‘Manage Employees’ screen section, click on the ‘Set User Permissions’ icon and select the ‘Manage Permission Groups’ menu entry.
6. On the Manage Permission Groups screen, click on the ‘Create New’ button to add a new group.
(a). On the Permission Group screen, provide a name for the group (e.g. JAM Access). Pick ‘Username’ from the pull-down category list to search the People Pool. You can also use another category to search for the required SF user.
(b). On the Search and Select Items screen, use the search function (i.e. binocular icon) to find the SF user.
(c). The final result should be a completed permission group with the relevant user assigned. The Active Group membership number indicates how many users are included in the group. The ‘Granted Permission Roles’ tab is still empty at this step because no role has been assigned yet.
7. Create a JAM role for SF user assignment. The role allows the SF user to access the JAM instance. Under the ‘Manage Employees’ screen section, click on the ‘Set User Permissions’ icon and select the ‘Manage Permission Roles’ menu entry.
(a). On the Permission Role List screen, click on the ‘Create New’ button to add a new role.
(b). On the Permission Role Detail screen, provide a role name (e.g. JAM Access) and description (e.g. JAM Access for IBP User). Next, you need to select the allowable permissions for the user. For simplicity as a guide here, it is alright to select all the checkboxes under the User Permissions section for the non-administrative SF user. Please click on each link entry to view the checkboxes.
(c). The permission that enables JAM access is included in the General User Permission section; selecting the ‘JAM Access’ checkbox is mandatory.
(d). Finally, you need to grant the role to the permission group you created in Step 6.
8. You can now also verify that the permission group has been correctly assigned the JAM role that was previously missing in Step 6(c).
By completing all the steps above, you are ready to enable the IBP collaboration by providing the email address of the SF user to the corresponding IBP application user ID. For IBP release 5.0, the email address is only maintained in the SU01 user management – communication section.
Note: There is a scheduled SF system replication job for the JAM user. It is therefore recommended that you check the IBP collaboration with JAM on the following day.
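Because the email address is the only link between the SF user and the IBP user, it is worth reconciling the two user lists before testing collaboration. The following is an added example, not part of the original blog or of any SAP tooling; the CSV column names and sample rows are constructed assumptions, so adapt them to your actual ‘Export Users’ file and your list of IBP (SU01) users.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data. Column names are assumptions for this example and
# do not reproduce the real SF export or SU01 layout.
SF_USERS_CSV = """USERID,USERNAME,EMAIL
1001,jdoe,john.doe@example.com
1002,asmith,Anna.Smith@example.com
1003,jdoe2,john.doe@example.com
1004,bnoemail,
"""

IBP_USERS_CSV = """IBP_USER,EMAIL
PLANNER01,john.doe@example.com
PLANNER02,anna.smith@example.com
PLANNER03,carl.jones@example.com
"""

def reconcile(sf_csv, ibp_csv):
    """Compare the e-mail addresses of SF users with those of IBP users."""
    by_email = defaultdict(list)  # normalized e-mail -> [(SF username, raw e-mail)]
    report = {"sf_missing_email": [], "sf_duplicate_email": {}, "ibp_ok": [],
              "ibp_differs_in_case_or_space": [], "ibp_no_sf_user": []}
    for row in csv.DictReader(io.StringIO(sf_csv)):
        raw = row["EMAIL"] or ""
        if not raw.strip():
            report["sf_missing_email"].append(row["USERNAME"])
            continue
        by_email[raw.strip().lower()].append((row["USERNAME"], raw))
    # One address shared by several SF users makes the link ambiguous.
    for email, users in by_email.items():
        if len(users) > 1:
            report["sf_duplicate_email"][email] = [name for name, _ in users]
    for row in csv.DictReader(io.StringIO(ibp_csv)):
        raw = row["EMAIL"] or ""
        matches = by_email.get(raw.strip().lower(), [])
        if not matches:
            report["ibp_no_sf_user"].append(row["IBP_USER"])
        elif any(sf_raw == raw for _, sf_raw in matches):
            report["ibp_ok"].append(row["IBP_USER"])
        else:  # same address apart from letter case or surrounding spaces
            report["ibp_differs_in_case_or_space"].append(row["IBP_USER"])
    return report

if __name__ == "__main__":
    for key, value in reconcile(SF_USERS_CSV, IBP_USERS_CSV).items():
        print(f"{key}: {value}")
```

The script does not assume how the integration compares addresses; it reports near-matches separately so that they can be made identical on both sides.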