End-to-End Implementation of People Analytics – Techno-Functional
In this blog post you will have an opportunity to understand the activities required to upgrade to SuccessFactors People Analytics Embedded Edition that I have gained after 3 upgrades (2 completed and 1 is in progress). Moreover, you will be able to relate the challenges that you are facing or may face during the upgrade phase. Since I work as functional consultant on SuccessFactors talent modules and on Reporting, therefore, my blog post will help you to find answers to many functional and technical aspects of upgrade to People Analytics.
So, let’s begin with some introduction of People Analytics – powered by SAP Analytics Cloud (SAC). The term powered by SAC means it’s based on the integration of SAP SuccessFactors HXM Suite with SAC which is a separate reporting tool. People Analytics enable a new type of reporting called as ‘Stories. ‘ Story Report offers table reporting, insights, dashboards, with a presentation-style report that uses charts, visualizations, text, images, and pictograms to describe data. Additionally, it enables you to perform cross-suite reporting based on live transactional data across the SAP SuccessFactors HXM suite effectively removing the need to create multiple reports.
Throughout the blog post, I have mentioned many KBAs and documents that will cater different type of scenarios. Moreover, I have shared some tips and tricks that helped me completing the implementation of People Analytics. This blog post aims to share end to end process from technical and functional point and consolidate numerous documents which are available for the upgrade to People Analytics.
- Before applying any changes to SuccessFactors instance, note that this requires manual implementation on at least 3 different systems and that it will not be a simple upgrade only on Upgrade Center
- There is a dedicated page on SuccessFactors Community which is helpful and is very much active. You can access the blog post from here. The blog post covers details of People Analytics, its integration with IAS and its implementation. It has How-to videos (under Getting Started Section) that demonstrates the step to integrate SF and IAS. You can also go through to this video to get the understanding of the integration exercise.
- The integration between SuccessFactors and IAS will disable Partial SSO (that is enabled in Provisioning) and password-based users will need to login through a different URL. To use partial SSO, once IAS is integrated with SuccessFactors, lease follow this link which helps with transformation (change in coding) required in IPS system to enable partial SSO.
- Following are the systems that will be required to run Embedded Edition of People Analytics in SuccessFactors.
- SuccessFactors preview/test instance
- Identity Authentication System (IAS)
- Identity Provisioning System (IPS)
- I personally have worked on multiple modules of SuccessFactors but worked on IAS and IPS for the first time to successfully complete the implementation 🙂
- You can check with your Basis/System/Technology team to confirm if your client has IAS tenant. The link for IAS tenant starts with https:// and usually end on ondemand.com. In case if you are not sure about the existing IAS, during 1st step, SuccessFactors will ask you to enter the link and S-user credentials.
- Please consider that Partner Managed Cloud (formerly BPO) is not currently supported for SAP Cloud Identity Authentication Services (which is a pre-requisite for People Analytics)
- The Identity Authentication Service (IAS) is a prerequisite to the Embedded Edition of People Analytics. Please note that the IAS related upgrades are currently not made available to instances using Global Assignment /Concurrent Employment features. It is by-design, due to GA/CE users having multiple user accounts maintained in SuccessFactors for the same identity, which IAS does not allow.
- By default, every client can have two IAS tenants; one to the production instance and other to the preview instance
- For system requirements, click here
- Tip: IAS and IPS are different system so relevant team should be involved to ensure correct implementation. Also, there are many optional settings which suffice client’s requirement so taking IAS/IPS team onboard will help a successful upgrade.
- This upgrade will change the access link for SuccessFactors users once you complete the integration between SAP SuccessFactors and SAP Cloud Platform IAS Integration (step # 4 mentioned in the Overview of step of the blog post.
- Unless designed otherwise, for password-based user, Identity Authentication Service login page will become SuccessFactors login page.
- IAS tenant will be using as an authentication platform so technically authentication architect is going to be IAS instead of SuccessFactors. You can understand in a simple manner that currently to reset the user password, one needs to go to SuccessFactors Admin Center. But with IAS integrated, password reset is handled in IAS tenant.
- If client is using IAS as a proxy system where (for example) Microsoft Azure or ADFS is integrated, users’ profile should exist in IAS if they need to access Story Report (type of report in People Analytics).
- Identity Provisioning System runs a sync job to integrated users from SuccessFactors to IAS tenant. Check the datacenter and adhere to data policies of your client
These are the impacts that I have learnt during the implementation exercise. Please add your learning in the comment section.
All the limitations are listed here.
- Email is maintained in SuccessFactors
- Report Center
- Role-Based Permissions
- Have access to customer S-User credentials (Partner S-Users are not allowed to trigger the upgrade)
Stories in People Analytics require the use of IAS for user authentication between SuccessFactors & SAP Analytics Cloud. Through IAS, we connect to many applications like SAC which needs a separate login. So, with this SSO settings, we login to SuccessFactors that create an IAS session in background and then we can directly access all the applications which are configured in it like Career Site Builder and People Analytics.
For end-to-end implementation of People Analytics upgrade, please follow the steps in sequence.
- Run an upgrade job in SuccessFactors Upgrade Center. Job name is “Initiate SuccessFactors SAP Cloud Platform Identity Authentication Service Integration”
- Configure IAS tenant
- Configure IPS tenant. Setup target and source system and sync users via IPS and perform transformation, if required.
- Run an upgrade job in SuccessFactors Upgrade Center. Job name is “Activate SuccessFactors SAP Cloud Platform Identity Authentication Service Integration”
- Note: Once this job is completed, you cannot undo this setup
- Run upgrade job “Stories in People Analytics” in SuccessFactors Upgrade Center to complete the upgrade activities.
- Configure Role-based Permission
These are just overview and within these steps, there are multiple tasks (specially for IAS setup, IPS sync job and RBP) which need to be completed for successful upgrade to People Analytics.
1. Run an upgrade job in SuccessFactors Upgrade Center. Job name is “Initiate SuccessFactors SAP Cloud Platform Identity Authentication Service Integration”
This is the first step in configurating People Analytics. This job creates SuccessFactors instance in IAS and perform some standard configuration in IAS tenant.
- Access to SuccessFactors Upgrade Center
- Customer S-User credentials
- Go to Admin Center
- Open the Upgrade Center; If you don’t find Upgrade Center, check your RBP
- Search for upgrade “Initiate SuccessFactors SAP Cloud Platform Identity Authentication Service Integration” and click Learn More & Upgrade Now;
Note: If you don’t find the upgrade then just check the same name under the Completed Upgrades. If it’s not found then your instance must have one of the not supported features mentioned on the Community Page.
- Click Upgrade Now
- Enter customer S-User credentials. Ensure this user has correct email in the system.
- Click Create to initiate the integration process.
- If you are not sure about the mapping of email in user data, then maintain a Single Email recipient in Provisioning. By this, you can ensure that even if email is not mapped in, the email mapped in provisioning receives the system notification.
- If you face any issues or errors on the authentication of your S-User Credentials, please refer to this KBA 2944990.
- In case if you already have an IAS tenant, you will be asked for the IAS tenant URL. The URL should start with https:// and ends at ondeman.com; Here you need to provide the URL for the tenant matching the BizX Instance type (BizX Prod with IAS Prod and BizX Test/Dev/Preview with IAS Test).
- Tip: Clients have separate team for IAS system so if you are unsure about your tenant URL, check internally with your company’s admin. If that is not possible then reach out to SAP Representative and they can search in SAP’s internal tool Cloud Reporting. Last resort is to find the IAS tenant URL or get the access of IAS is to create a support incident with component BC-IAM-IDS
- The process can take over 2 hours to be completed
- When the job is in progress, you can track it form the upgrade center
- If you don’t have IAS, an IAS tenant will be created and within it, you can find SuccessFactors instance.
- If you already have IAS tenant, you can find SuccessFactors instance added in IAS tenant with standard configuration.
- If you do not have an IPS prior to the upgrade, you should know when it is completed by receiving an email with your IPS tenant link. The user will be the same which is used to run the upgrade job in SuccessFactors Upgrade Center.
- IPSADMIN user will be created
Once you receive a system generated email that mentions the IPS URL, click on the URL to check the access. If you receive an error message “User is not assigned to IPS_ADMIN role,“ it means user has been added to IPS, but access is missing.
- Tip: If this is the first time that you will be logging into IPS, you will need access within IPS to complete the sync related activities. Now, you need to find out who is the super admin of IPS who can grant you access because SAP support team does not grant access permission in IPS instance. Usually, any new SuccessFactors tenant has a super admin whose name is mentioned in contract. Else you can raise a ticket with SAP if you are unsure about the super admin.
2. Complete the setup in IAS and ensure Integration of SuccessFactors with SAP Cloud Identity Authentication:
I consider this very important step that should be performed after complete analysis of its impacts. This is the second step in configurating People Analytics that integrates SuccessFactors Bizx with IAS. This integration is required to run Story Reports in SuccessFactors at least for those users who will be using Story Reports.
- This step is about getting your Users setup in the IAS tenant and integrate IAS with your corporate SSO (if applicable)
- Upgrade center job is completed successfully
- You have admin access to both IPS and IAS tenants (if you do not have the tenants before the previous steps, you should receive an email with the credentials for IPS and IAS tenants)
- If you want to add admin use in IPS, follow the document
- Have already read the Admin Guide on Integrating IAS with SuccessFactors as multiple configurations on this step is viable and defined by business case.
For this activity, I will be referring to admin guide “Setting Up SuccessFactors with SAP Cloud Platform Identity Authentication Service” for most of the steps as it has all the necessary information mentioned there.
Following are the important configuration that is required to complete this step successfully:
- Define permission for IPSADMIN: On SuccessFactors, provide API permissions and employee export permission for IPSADMIN user as referred on step 7.2 of the guide
- User need to receive the below permissions to everyone as target population
- Manage Users -> Employee Export
- Manage Users -> User Account OData entity
- Manage Integration Tools -> Allow Admin to Access OData API through Basic Authentication;
- On SuccessFactors, setup API Exception Login for IPS IP addresses on Password & Login Policy Settings as referred on step 7.2.1 of the guide
- For API Exception login, there are 2 important consideration. First, username of newly created user is IPSADMIN. I suggest avoiding changing the username for IPSADMIN.
- You will need to add IP range for which you refer the below table.
- Tip: If you are not aware of the region of, then go to IPS tenant and follow the screenshot.
|Region||Host URL||IP Range|
|Brazil (São Paulo)||br1.hana.ondemand.com||184.108.40.206-220.127.116.11|
|Kingdom of Saudi Arabia (Riyadh)||sa1.hana.ondemand.com||18.104.22.168-22.214.171.124|
|US East (Ashburn)||us1.hana.ondemand.com||126.96.36.199-188.8.131.52,184.108.40.206-220.127.116.11,18.104.22.168-22.214.171.124,126.96.36.199-188.8.131.52|
|US West (Chandler)||us2.hana.ondemand.com||184.108.40.206-220.127.116.11,18.104.22.168-22.214.171.124,126.96.36.199-188.8.131.52,184.108.40.206-220.127.116.11,18.104.22.168-22.214.171.124|
|US East (Sterling)||us3.hana.ondemand.com||126.96.36.199-188.8.131.52,184.108.40.206-220.127.116.11|
|US West (Colorado Springs)||us4.hana.ondemand.com||18.104.22.168-22.214.171.124|
|Europe (Rot) – Trial||hanatrial.ondemand.com||126.96.36.199-188.8.131.52|
- On SuccessFactors, reset IPSADMIN password and take note of the password for later setup on IPS
- Tip: once you change the password, you don’t need to login with IPSADMIN credentials and change the initial password. However, if you do try to login to validate the password, it will be good as one may faces sync job error because of incorrect password error or Permission error. So, one can validate that IPSADMIN has the required permission mentioned above and password is working.
- Now login to IPS URL and in source system, find your SF Instance. On IPS, update password field for SuccessFactors as a source system as referred on step 7.1 with the password that you have maintained in SuccessFactors. On IPS, update user.filter field as this is a filter of the users that will be read by IPS on SuccessFactors. This is very important because this filter will determine which users should be picked from SuccessFactors by IPS sync job and created in IAS. As part of standard system, this field will come with value status eq ‘active’ and username in ‘sf_username1_placeholder’, ‘sf_username2_placeholder’; this means that only active users that are on the list will be synced. You need to change the filter to sync usernames that exist on your instance. But for initial testing, I will suggest testing with a few usernames.
- Tip: To specify the username of your system, replace “sf_username1_placeholder” with actual username maintained in SuccessFactors.
- There are many optional configurations that can help transforming IPS rules. You can refer to step 6.2 onwards in the guide
- In the source system (SuccessFactors) all users must have unique emails to avoid provisioning issues. However, if you don’t want to maintain actual emails then unique and dummy emails will work fine. You can follow guided answer here to have the users created with different dummy emails, this would be a change on transformation rules in IPS.
- Before creating dummy emails, consider IAS uses email to login, so users would need to login with their emails and there should be a communication to users who need to login into SuccessFactors.
- Schedule the IPS sync job as referred on Step 7.2;
- Confirm that IPS sync job is running successfully on IPS;
- Login into your IPS
- Go to Job Logs
- Click on the last execution of the job
- Confirm that the job is reading the users and if it is facing some issue on the writing of the user on IAS
- Login to your IAS tenant;
- Confirm if the users on your IAS match the number of users that you have on SuccessFactors; IAS will only have the active users or the users that you have maintained in user.filter field in IPS system
- As mentioned above, unique emails are required for successful sync so users that have duplicate email will not be created on IAS (unless there was a change on transformation rules). There is a possibility that you find additional users in IAS. Those can be IAS Admin users that only exist on IAS.
- (Optional) Setup a corporate SSO integrated with IAS; follow step 5.6 Corporate Identity Provider in IAS on the guide. You can watch a video to follow the configuration steps.
- This will also require to setup a new application on your Corporate IdP (SSO) using metadata exported from IAS.
- Make sure to use NameID-format as Unspecified on your IdP for IAS and to send as NameID a match with SuccessFactors username.
- Partial SSO: If you had Partial SSO implemented or you have non-SSO users that will need to login with username and password, you need to implement the feature by following KBA 2954556)
- Your PWD users will login directly into an IAS URL;
- For additional scenarios, please follow steps from Chapter 5 of Admin Guide; Identity Authentication Service Administration Console Tasks.
- Link to access SuccessFactors is changed
- IAS is going to authenticate users that means if user exists in SuccessFactors but not in IAS, user is not able to login (assuming IAS is not the proxy system)
- Partial SSO in provisioning is disabled
- IPS system has completed the user sync
The purpose of this is to get SuccessFactors users authenticated via IAS.
- Your SAP SuccessFactors system is integrated with the SAP Cloud Platform Identity Authentication service by completing the step 2 successfully.
- You are ready to begin using IAS to authenticate users in your system.
- You have confirmed that the user sync between SAP SuccessFactors and Identity Authentication is successful
- You cannot undo this upgrade after it is completed;
- For non-SSO enabled instances, performing the integration upgrade will automatically turn the SSO on with IAS as your SSO;
- For SSO-enabled instances, another asserting party for IAS will to be created in Provisioning, while others will be disabled as well as Partial SSO;
- Demo instances aren’t covered by the automatic upgrade via Upgrade Center. For such environment kind, the configuration must be carried out manually by following the KBA 2674232.
- Note that OData API access will not be impacted by IAS implementation.
- Go to Admin Center
- Access Upgrade Center
- Find the upgrade job “Activate SuccessFactors SAP Cloud Platform Identity Authentication Service Integration;”
- Click Learn More & Upgrade Now
- Click Upgrade
- Note: Once this upgrade is completed, as an admin, you will need to login via different link and your password will be same as of IAS tenant’s. SuccessFactors password is no longer valid. However, you can migrate the password from SuccessFactors to IAS by following this KBA:
- Tip: To find the new link of SuccessFactors instance; login to IAS tenant, click on Application and then find SuccessFactors instance, click on Conditional Authentication and under allow users stored in Identity Authentication service to log on, you can find logon link.
IAS Conditional Authentication
- After the upgrade, your instance will be integrated with IAS and your users will be redirected to login through IAS
- If after running this upgrade, you face any login issue, please refer to this KBA 2954188 before opening an incident with Support;
This job is to enable the Story Report option in Reporting Center.
- SuccessFactors and IAS are integrated, and you can login to SuccessFactors via SSO or IAS credentials.
- Go to Admin Center
- Access Upgrade Center
- Find the upgrade “Stories in People Analytics”
- Click Learn More & Upgrade Now
- Click Upgrade Now
Story reports are controlled by role-based permission so once it is enabled, one can find multiple schemas in manager permission role.
- Go to Admin Center
- Manage Permission Role
- Select the role
- In Report Permission tab; enable Create Story
- In Manage Dashboard; enable Story Admin
- Save the role
- Create Story: This permission allows you to create, edit, delete, share, import, export, duplicate, and add labels to Story reports. Simply all those buttons that you can find under Action menu in Reporting. Story report provides you the flexibility to control schema’s level permission. The Create Story permission allows you to select the schemas that you can use in a story, but you can access the data from the schemas only after you enable the schema-related permissions within each module or domain.
- Story Admin: Allows you to manage all reports of type “Story”. This permission also enables the “All Reports” tab in Report Center.
- Schedule Reports: Allows you to schedule “Story” type of reports. You can find this permission under Reports Permission tab.
Story Report is enabled and can be accessed from Report Center
In conclusion, I suggest to going through the blog post, “Setting up SuccessFactors and IAS Integration” admin guide and SAP KBAs even before starting its implementation. It helps understand the business case and impact on your the SuccessFactors’ landscape. Also, if possible, try implementing all the possible and useful scenarios for your client in test environment before starting with production instance.
After reading and understanding this blog post, you should feel assertive and kick-start the implementation and add value to your HR teams and drop your questions in comments section 🙂 More importantly, do feel free to share your feedback and learnings 😉
If you find this post helpful. feel free to share it across.
Looking forward to your feedback in the comments section!
Muhammad Yousuf Shaikh