This blog post introduces you to the recently published SuccessFactors Implementation Design Principle (SFIDP) document: SAP SuccessFactors Onboarding Role-Based Permission Guidance

 

Link to the Document 

Introduction

 

 

 

 

 

 

 

A good security design ensures that an organization can manage the proper authorization, data privacy, data integrity, etc. Role-based permission is essential for the good security design of SAP SuccessFactors Onboarding solution. In this module special care must be given to roles since the target population is external users of the system. The external users of the company will be internal users from their hire date. The onboarding process involves a lot of participants. The participants like Hiring Manager, Onboarding Administrator, Buddy, IT persons who are required to provide equipment, etc.

This document (Link) covers the common set of permissions that are required for each of these participants to perform their role effectively, and in line with the standard functionality of the system and without giving more permissions than required.

 

Solution Overview

The specific aspects of onboarding are the difference in “Target population” – especially in the Onboarding process. The new hires who are going to join the company are technically external users. The external user has a specific user status and does not have the same authorization as that of a regular employee. Keeping this into consideration we can understand a few basic concepts.

Creating a Permission group with External user population

When creating a group of External user populations. Apart from the regular method of selecting the people pool. You would also need to select the user type as “External Onboarding User”

 

Figure 1 Creating permission groups with user Type: External onboarding user

 

Creating a role for the External User

In manage permission roles, you could use “Create New Role for External User” for creating a new role for the new hires (“Onboardee”).

This is for creating a role for new hires. This should not be used for internal users.

Figure 2: creating a new permission role for external user

Defining a target Population for a role

 

Select the appropriate Grant role/Grant Group and then choose the Target population as Everyone or based on the Department/Division/Location.

 

The target decides for which group of employees the Role (From the granted group) can view/edit data.

It is recommended to always keep the target limited so that data privacy and segregation of work and be well established.

Figure 3: Target population of external user

 

 

Solution in Detail

 

The permissions of the key personas in onboarding are listed below. Though the permissions may vary from customer to customer the below will give a baseline. The goal is to give the minimum number of permissions for a role that could make processes work.

These baseline roles and permission can be extended or modified based on customer requirements and the responsibility of the roles.

Key Personas required in Onboarding and their roles

Persona: Hiring Manager
Persona: New hire
Persona: Onboarding Admin
Persona: Rehire Coordinator
Persona: Onboarding BPE Admin
Persona: Onboarding Participants
Persona: IT Participants

 

The document has all the details of the permission for all the roles. As a snapshot of the document you can see below the table of permission for  IT participants

 

Permission Location	Permission Name	Permission Description
General User Permission	Company Indo -> User Search	Restricts Users searches for the target population defined when granting role.
Employee Data	First Name, Last Name, Status – View Access only	This makes sure to show the names of the new hires when the participants click on the To-Do tile.
Onboarding or Offboarding Object Permissions	Process	Enables participants to access new hire’s details on the Dashboard
Onboarding or Offboarding Object Permissions	ONB2ProcessResponsible	Required to show it in the dashboard.
Onboarding or Offboarding Object Permissions	Equipment Task	Equipment Task Object Permission

For all the other roles/personas please read the document 

Key challenges and solutions

The document also lists the potential problems that implementation partners face during the RBP setup and their corresponding reason for the issue as well as a suggested solution. This would act as a quick guide for consultants if they are having similar issues on what they can do to fix the issues from a permission perspective. It also lists some of the leading ways to configure role-based permission.

 

One such example is

1. Dashboard is not visible

 

Problem

The onboarding dashboard is not available for certain roles.

 

Reasons

1. Check the important permission for the user

 

General User Permission:

• Company Info Access > User Search

Onboarding or Offboarding Object Permissions:

• ONB2Process

 

Employee Data:

• First Name
• Last Name
• Status
• Location

Employee Central Effective Dated Entities:

• Job Information > Location
• Job Information > Job Classification

 

 

2. Target Population of the end-users should be external users

 

3. At least one user the onboarding process needs to be started

If there are no employees who have an onboarding process running currently then the dashboard is not visible.

Process has errors, Check the BPE monitor

 

Another Example would be

2.Future Dated Employee access for internal hires

 

Problem

 

During internal hire, future-dated managers of these internal hires cannot perform tasks like” Schedule meetings”, “Recommended” people, etc.

 

Solution

 

The future manager can perform new hire tasks such as Schedule Meetings, Recommend People, and Recommend Links among others before the internal hire’s start date. The internal hire manager relationship is applicable for internal hires from SAP SuccessFactors Recruiting, SAP SuccessFactors Employee Central, and external Applicant Tracking System. The below screenshot shows how this can be configured.

 

 

Other Scenarios in the document 

• Names are showing for some and not for others in the dashboard
• Defining the target group based on location/division etc.
• Future dated access of new hires to admins based on Legal entity
• Managers access to only Direct Reports
• Viewing profile after MPH before the start date
• Manage Pending Hires
• Hiding fields for new hires based on country.
• National ID getting empty after EC
• Payment information – Users can add currency
• Offboarding tasks not getting shown to the Manager
• Unable to see compliance form data.
• Employee Export
• Employee Export works with onboarding Dashboard
• New EC Fields Not Available in RBP for ONB External User
• Offboarding: No Permission error

Conclusion/Key Takeaways:

We hope this blog post helped you get acquainted with the basic understanding of the concepts & use cases defined and discussed in the SFIDP.  We recommend you to further explore the document for a full-fledged discussion that will aid you in better product implementation as well as help you align with the industry leading practices. We look forward to your valuable comments/feedback/queries on this blog post.

New Updates Dec 2022

This IDP has been enhanced to reflect the latest changes released as part of the 2H 2022 release. It includes enhancements for rehire feature with new permission to enable Rehire with New Employment and cancel the Onboarding process with the enhanced user interface.

For a complete list of published Implementation Design Principles for SAP SuccessFactors Solutions, visit SAP SuccessFactors Customer Community page.