Author: vidushi kaushal

SuccessFactors LMS – Configuring Item Level Domain Restriction for Administrators

In a learning management system there are scenarios where administrators need access only to the items & schedule offerings in their own region or country.

In SuccessFactors LMS, ownership of data often lies with the LMS administrators and depends on the domain structure, domain restrictions & roles. This blog describes how to configure this structure within SAP SuccessFactors LMS. After reading it you will be able to explain what domains, domain restrictions, roles & the different types of administrators are, and how to configure them in SAP SuccessFactors LMS. The article also covers defining & configuring the workflow & entity restrictions so that only restricted (country-specific) items & schedule offerings are visible.

Setting up item-level domain restrictions in LMS requires decisions on the following:

1) Domain Structure

2) Domain Restriction




1) Domain Structure: Domains are the foundation of the SAP SuccessFactors Learning admin security structure. Domains sometimes represent the organization hierarchy & are defined to control the edit, view & delete authorizations of administrators. Most of the entities defined in SuccessFactors LMS can be placed in a domain, & administrator security is managed by giving access to only the required domains.


For example, an organization ABC Corp has a presence in the North America region. North America contains two countries, Canada & USA. Within the USA exist ABC USA HR & ABC USA Marketing. The business wants administrators from the USA domain to be unable to edit, view & delete data (items, schedule offerings) from the ABC Canada domain.

Another requirement is that admins from ABC-USA-HR & ABC-USA-Marketing should only be able to search & view users in their respective domains.

ABC Corp North America will be at the root level. System administrators who have access to domains, roles, admin creation, etc. can be defined in this domain.

ABC Canada & ABC USA will be at level 1, & all the items, curricula, schedule offerings, content, task management & programs can be defined in these two domains.

Level 2 domain administrators will only view the user records.

All Administrators will have access to create, edit & view Public domain entities.

Now let’s create this domain tree in SuccessFactors LMS.

To create a domain, log in to SuccessFactors LMS & go to the System Admin tab –> Security –> Domains. Click on Add New.

Enter the Domain ID & Description under add root level domain, then click Add & Apply Changes.



Root Level Domain ABC Corporation is created. Click on domain types & select all.


All entities will be added to this domain, as its administrator should be able to create, edit & view all entities.

Now create Subdomains. Select Add subdomains & choose parent domain. Provide subdomain id ABC Canada & description ABC Canada. Click add.

Assign the following Domain Types to these two subdomains ABC Canada & ABC USA.

Similarly, create other three Level 2 Sub Domains ABC-USA-HR & ABC-USA-Marketing.


Assign following domain types to Level 2 Domains.

Domain Structure is now ready. Let’s Assign Domain restrictions as per the given requirement.


2) Domain Restrictions – A domain restriction limits an administrator's access to a list of domains. For example, in the given scenario the ABC Corp North America admin will have access to all defined domains (typically the system admin role – yellow line). The ABC USA admin will be restricted & will have access to the entities defined above plus ABC USA & its subdomains ABC-USA-HR & ABC-USA-Marketing (green line). ABC Canada & ABC USA will have similar roles, each limited by its own domain restriction (ABC Canada or ABC USA). ABC-USA-HR & ABC-USA-Marketing (red line) will have a similar role with a domain restriction & will view only users.


To create a domain restriction, go to System Admin –> Security –> Domain Restrictions –> Add New.



The following screen will appear. Enter the Domain Restriction ID & Description & choose the domain.

Now select the domains for ABC USA (Same as USA Canada) & add. Similarly, create domain restrictions for the other domains. The following domain restrictions are added.

3) Role Management – A security role is a collection of rules, restrictions, workflows, and domains that you can assign to administrators. Roles are created for a group that shares the same domain, entities, workflows & domain restrictions. For example, the ABC Corp North America admin can add programs to ABC Canada & ABC USA. According to the scenario we need to create the following roles.

  1. ABC CORP North America System Administrator Role (ABC Corp North America -Access to all domains & Workflows)
  2. ABC- Canada Administrator Role (Domain restriction -Canada)
  3. ABC –USA Administrator Role (Domain Restriction – ABC-USA & all Sub Domains)
  4. ABC-USA-HR & ABC-USA-Marketing Admin User Role (Domain Restriction – ABC-USA-HR & ABC-USA-Marketing)


  1. ABC CORP North America System Administrator Role – To create this Role go to System Admin–>Security–>Role Management–>Add New.

The following screen will appear. Enter Role ID, Description, Select Domain as ABC Corp & Role type as admin. Click Add.

As per the scenario, this role will have access to all domains & all workflows. Select all workflows & click add



3) Admin Role ABC-USA-HR – Create a role with the ABC-USA-HR domain & ABC-USA-Marketing domain

Select Search User, View User Workflows & view User Background jobs.

Apply Domain Restriction

Similarly, create ABC-USA-Marketing Role & apply domain restriction

4) Admin Management – After creating & applying the domain restrictions, the administrators need to be created. As per the scenario, the following administrators should be created –


  • System Administrator ABC-North America
  • Administrator ABC-USA
  • Administrator ABC-USA-HR
  • Administrator ABC-USA-Marketing


To create admins, go to System Admin –> Application Admin –> Admin Management –> Add.


Enter Admin ID, Last Name, First Name, Domain & password.


The next step is to apply roles. Go to Assigned Roles, select ABC Corp North America System Administrator & click Add.

The admin role is assigned to the user. Let’s log in to see whether this admin has all accesses.


ABC Corp North America system administrator has access to all Tabs.

Let’s check Administrator ABC-USA. He has limited access to System Administration & no access to performance tabs. This will be similar for Administrator ABC-Canada.

Let’s check Administrator ABC-USA-HR. This admin has access only to search & view users.

Now let’s confirm that the ABC-USA Administrator can see the items in domains ABC-USA & ABC-USA-HR.

The ABC-North America system admin can see items from other domains.



Admin-USA-HR can only search & view user records from Public & ABC-USA-HR Domain.
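The checks performed by logging in as each administrator can also be written down as an access matrix and tested before the configuration is built. The following is an added example, not part of the original blog and not SuccessFactors code: it models a domain restriction as an explicit list of domains, and the restriction IDs (`DR-*`), admin IDs (`admin-*`) and workflow sets are assumptions made for illustration.

```python
# Simplified model of the scenario on this page. All IDs (DR-*, admin-*) and
# the workflow sets are constructed for illustration; no SAP API is involved.
PUBLIC = "PUBLIC"
DOMAINS = {"ABC Corp", "ABC Canada", "ABC USA", "ABC-USA-HR",
           "ABC-USA-Marketing", PUBLIC}

# A domain restriction is an explicit list of domains an admin may act in.
RESTRICTIONS = {
    "DR-ALL": DOMAINS,
    "DR-CANADA": {"ABC Canada", PUBLIC},
    "DR-USA": {"ABC USA", "ABC-USA-HR", "ABC-USA-Marketing", PUBLIC},
    "DR-USA-HR": {"ABC-USA-HR", PUBLIC},
    "DR-USA-MKT": {"ABC-USA-Marketing", PUBLIC},
}

# Workflows as (entity, action) pairs; FULL stands in for "all workflows".
FULL = {(e, a) for e in ("item", "offering", "user")
        for a in ("search", "view", "edit", "delete")}
USER_READ = {("user", "search"), ("user", "view")}

# admin -> (workflows granted by the role, domain restriction applied to it)
ADMINS = {
    "admin-na-sys": (FULL, "DR-ALL"),
    "admin-canada": (FULL, "DR-CANADA"),
    "admin-usa": (FULL, "DR-USA"),
    "admin-usa-hr": (USER_READ, "DR-USA-HR"),
    "admin-usa-mkt": (USER_READ, "DR-USA-MKT"),
}

def allowed(admin, entity, action, domain):
    """Role must grant the workflow AND the record's domain must be in the restriction."""
    workflows, restriction = ADMINS[admin]
    return (entity, action) in workflows and domain in RESTRICTIONS[restriction]

def violations():
    """List every grant that contradicts the scenario's requirements."""
    bad = []
    # Level 1 admins must not reach the other country's records.
    for admin, other in (("admin-usa", "ABC Canada"), ("admin-canada", "ABC USA")):
        bad += [(admin, e, a, other) for e, a in sorted(FULL) if allowed(admin, e, a, other)]
    # Level 2 admins: search/view users in their own domain and PUBLIC only.
    for admin, home in (("admin-usa-hr", "ABC-USA-HR"), ("admin-usa-mkt", "ABC-USA-Marketing")):
        for d in sorted(DOMAINS):
            for e, a in sorted(FULL):
                expected = (e, a) in USER_READ and d in (home, PUBLIC)
                if allowed(admin, e, a, d) != expected:
                    bad.append((admin, e, a, d))
    return bad

if __name__ == "__main__":
    print(violations() or "no violations of the scenario")
```

Assigning the wider `DR-USA` restriction to `admin-usa-hr` makes `violations()` report the user records in ABC USA and ABC-USA-Marketing that the HR admin could then search and view.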

To conclude: if the organization is small, defining one domain can serve the purpose (apart from the PUBLIC domain). The key is to keep the domain structure simple. After reading this you can easily map the domain structure, domain restrictions, roles & different types of administrators.


      Venkatesh Balina

      Hi Vidushi, thanks for the detailed and informative blog. Is this security architecture based on the new RBP (Role Based Permissions) in SuccessFactors? Please confirm.

      vidushi kaushal
      Blog Post Author

      Role Based Permission architecture is different from LMS security architecture. For LMS, RBP is ONLY used to define the LMS admin access / LMS user access. To get more clarity on RBP, please refer to the RBP Admin guide.