SuccessFactors LMS – Configuring Item Level Domain Restriction for Administrators
In a learning management system, there are scenarios where administrators need access only to items & scheduled offerings in their own region or country.
In SuccessFactors LMS, ownership of data often lies with the LMS administrators & depends on the domain structure, domain restrictions & roles. This blog describes how to configure this structure within SAP SuccessFactors LMS. After reading this article you will be able to explain what domains, domain restrictions, roles & the different types of administrators are, & how to configure them in SAP SuccessFactors LMS. This article also covers defining & configuring the workflow & entity restrictions so that only restricted (country-specific) items & scheduled offerings are visible.
Setting up item-level domain restrictions in LMS requires decisions on the following:
1) Domain Structure: Domains are the foundation of the SAP SuccessFactors Learning admin security structure. Domains sometimes represent the organization hierarchy & are defined to control the edit, view & delete authorizations of administrators. Most of the entities defined in SuccessFactors LMS can be assigned to a domain, & administrator security is managed by giving access only to the required domains.
For example, an organization, ABC Corp, has a presence in the North America region. North America contains two countries, Canada & USA. Within the USA exist ABC USA HR & ABC USA Marketing. The business wants administrators from the USA domain to be unable to edit, view & delete data (items, scheduled offerings) from the ABC Canada domain.
Another requirement is that admins from ABC-USA-HR & ABC-USA-Marketing should only be able to search & view users in their respective domains.
ABC Corp North America will be at the Root level. System Administrators who have access to domains, roles, Create Admins, etc. can be defined in this domain.
ABC Canada & ABC USA will be at level 1, & all the items, curricula, scheduled offerings, content, task management & programs can be defined in these two domains.
Level 2 domain administrators will only view user records.
All Administrators will have access to create, edit & view Public domain entities.
Now let’s create this domain tree in SuccessFactors LMS.
To create a domain, log in to SuccessFactors LMS & go to System Admin Tab –> Security –> Domains. Click Add New.
Enter the Domain ID & Description under Add Root Level Domain, then click Add & Apply Changes.
Root Level Domain ABC Corporation is created. Click on domain types & select all.
All entities will be added to this domain as administrator should be able to create, edit & view all entities.
Now create Subdomains. Select Add subdomains & choose parent domain. Provide subdomain id ABC Canada & description ABC Canada. Click add.
Assign the following Domain Types to these two subdomains ABC Canada & ABC USA.
Similarly, create other three Level 2 Sub Domains ABC-USA-HR & ABC-USA-Marketing.
Assign following domain types to Level 2 Domains.
Domain Structure is now ready. Let’s Assign Domain restrictions as per the given requirement.
2) Domain Restrictions – A domain restriction restricts an administrator's access to a list of domains. For example, in the given scenario the ABC Corp North America admin will have access to all defined domains (typically the system admin role – yellow line). The ABC USA admin will be restricted & will have access to the above-defined entities plus ABC USA & its subdomains ABC-USA-HR & ABC-USA-Marketing (green line). ABC Canada & ABC USA will have similar roles, with restrictions to the ABC Canada & ABC USA domain restrictions. ABC-USA-HR & ABC-USA-Marketing (red line) will have a similar role with a domain restriction & will view only users.
To create domain restriction, Go to System Admin–>Security–>Domain Restrictions –>Add New.
The following screen will appear. Enter Domain Restriction Id, Description & Choose domain.
Now select the domains for ABC USA (same as for ABC Canada) & click Add. Similarly, create domain restrictions for the other domains. The following domain restrictions are added.
3) Role Management – A security role is a collection of rules, restrictions, workflows, and domains that you can assign to administrators. Roles are created for a group which shares the same domain, entities, workflows & domain restrictions. For example, the ABC Corp North America admin can add programs to ABC Canada & ABC USA. According to the scenario, we need to create the following roles.
- ABC Corp North America System Administrator Role (ABC Corp North America – access to all domains & workflows)
- ABC-Canada Administrator Role (Domain Restriction – Canada)
- ABC-USA Administrator Role (Domain Restriction – ABC-USA & all subdomains)
- ABC-USA-HR & ABC-USA-Marketing Admin User Role (Domain Restriction – ABC-USA-HR & ABC-USA-Marketing)
- ABC CORP North America System Administrator Role – To create this Role go to System Admin–>Security–>Role Management–>Add New.
The following screen will appear. Enter Role ID, Description, Select Domain as ABC Corp & Role type as admin. Click Add.
As per the scenario, this role will have access to all domains & all workflows. Select all workflows & click add
3) ABC-USA-HR Admin Role – Create the role with the ABC-USA-HR domain & ABC-USA-Marketing domain.
Select Search User, View User Workflows & view User Background jobs.
Apply Domain Restriction
Similarly, create ABC-USA-Marketing Role & apply domain restriction
4) Admin Management – After creating & applying the domain restrictions, administrators need to be created. As per the scenario, the following administrators should be created:
- System Administrator ABC-North America
- Administrator ABC-USA
- Administrator ABC-USA-HR
- Administrator ABC-USA-Marketing
To create Admins, go to System Admin –>Application Admin–>Admin Management –>ADD
Enter Admin ID, Last Name, First Name, Domain & password.
The next step is to apply roles. Go to Assigned Roles, select ABC Corp North America System Administrator & click Add.
Admin Role is assigned to User. Let’s log in to see if this admin has all accesses.
ABC Corp North America system administrator has access to all Tabs.
Let’s check Administrator ABC-USA. This admin has limited access to System Administration & no access to performance tabs. The same applies to Administrator ABC-Canada.
Let’s check for Administrator ABC-USA-HR. Admin has access to only search & view Users.
Now let’s confirm that the ABC-USA Administrator can see the items in domains ABC-USA & ABC-USA-HR.
ABC-North America Sys admin can see items from other domains.
Admin-USA-HR can only search & view user records from Public & ABC-USA-HR Domain.
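The checks above can also be written down as an access matrix and verified before the roles are built in the UI. The following is an added example, not SAP code or a SuccessFactors API: a simplified model of this scenario's domain tree, domain restrictions and roles, in which the restriction IDs, role IDs and workflow names are assumptions chosen for illustration.

```python
# Simplified model of the ABC Corp scenario (illustrative; not an SAP API).
PARENT = {  # child domain -> parent domain, as in the domain tree built above
    "ABC-CANADA": "ABC-CORP", "ABC-USA": "ABC-CORP",
    "ABC-USA-HR": "ABC-USA", "ABC-USA-MARKETING": "ABC-USA",
}

def within(domain, root):
    """True if domain is root or sits below it in the tree."""
    while domain is not None:
        if domain == root:
            return True
        domain = PARENT.get(domain)
    return False

RESTRICTIONS = {  # assumed restriction IDs -> (domain, include subdomains?)
    "DR-ALL": [("ABC-CORP", True)], "DR-CANADA": [("ABC-CANADA", True)],
    "DR-USA": [("ABC-USA", True)], "DR-USA-HR": [("ABC-USA-HR", False)],
}
ITEM_WF = {("item", a) for a in ("view", "edit", "delete")}
USER_WF = {("user", "search"), ("user", "view")}
ROLES = {  # assumed role IDs -> (domain restriction, workflows)
    "SYSADMIN": ("DR-ALL", ITEM_WF | USER_WF),
    "CANADA-ADMIN": ("DR-CANADA", ITEM_WF | USER_WF),
    "USA-ADMIN": ("DR-USA", ITEM_WF | USER_WF),
    "USA-HR-ADMIN": ("DR-USA-HR", USER_WF),
}

def allowed(role, entity, action, domain):
    """Workflow must be in the role AND the domain must pass the restriction."""
    restriction, workflows = ROLES[role]
    if (entity, action) not in workflows:
        return False
    if domain == "PUBLIC":  # PUBLIC entities are open to every administrator
        return True
    return any(domain == root or (subs and within(domain, root))
               for root, subs in RESTRICTIONS[restriction])

EXPECTED = [  # (role, entity, action, domain, expected) from the scenario text
    ("USA-ADMIN", "item", "view", "ABC-CANADA", False),
    ("USA-ADMIN", "item", "view", "ABC-USA-HR", True),
    ("CANADA-ADMIN", "item", "edit", "ABC-USA", False),
    ("USA-HR-ADMIN", "user", "view", "PUBLIC", True),
    ("USA-HR-ADMIN", "user", "search", "ABC-USA-MARKETING", False),
    ("USA-HR-ADMIN", "item", "view", "ABC-USA-HR", False),
    ("SYSADMIN", "item", "delete", "ABC-CANADA", True),
]

def audit():
    """Return every expectation the modelled configuration violates."""
    return [row for row in EXPECTED if allowed(*row[:4]) != row[4]]

if __name__ == "__main__":
    print(audit() or "configuration matches the scenario")
```

An empty result from `audit()` means the modelled roles match the scenario; widening a restriction, for example pointing `DR-USA` at `ABC-CORP`, makes the Canada rows show up as violations.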
To conclude: if the organization is small, defining one domain (apart from the PUBLIC domain) can serve the purpose. The key is to keep the domain structure simple. After reading this, you can easily map the domain structure, domain restrictions, roles & different types of administrators.