This blog post introduces you to the recently published SuccessFactors Implementation Design Principle (SFIDP) document: SAP SuccessFactors Onboarding Role-Based Permission Guidance
Link to the Document
A good security design ensures that an organization can manage the proper authorization, data privacy, data integrity, etc. Role-based permission is essential for the good security design of SAP SuccessFactors Onboarding solution. In this module special care must be given to roles since the target population is external users of the system. The external users of the company will be internal users from their hire date. The onboarding process involves a lot of participants. The participants like Hiring Manager, Onboarding Administrator, Buddy, IT persons who are required to provide equipment, etc.
This document (Link) covers the common set of permissions that are required for each of these participants to perform their role effectively, and in line with the standard functionality of the system and without giving more permissions than required.
The specific aspects of onboarding are the difference in “Target population” – especially in the Onboarding process. The new hires who are going to join the company are technically external users. The external user has a specific user status and does not have the same authorization as that of a regular employee. Keeping this into consideration we can understand a few basic concepts.
When creating a group of External user populations. Apart from the regular method of selecting the people pool. You would also need to select the user type as “External Onboarding User”
In manage permission roles, you could use “Create New Role for External User” for creating a new role for the new hires (“Onboardee”).
This is for creating a role for new hires. This should not be used for internal users.
Select the appropriate Grant role/Grant Group and then choose the Target population as Everyone or based on the Department/Division/Location.
The target decides for which group of employees the Role (From the granted group) can view/edit data.
It is recommended to always keep the target limited so that data privacy and segregation of work and be well established.
The permissions of the key personas in onboarding are listed below. Though the permissions may vary from customer to customer the below will give a baseline. The goal is to give the minimum number of permissions for a role that could make processes work.
These baseline roles and permission can be extended or modified based on customer requirements and the responsibility of the roles.
Key Personas required in Onboarding and their roles
Persona: Hiring Manager
Persona: New hire
Persona: Onboarding Admin
Persona: Rehire Coordinator
Persona: Onboarding BPE Admin
Persona: Onboarding Participants
Persona: IT Participants
The document has all the details of the permission for all the roles. As a snapshot of the document you can see below the table of permission for IT participants
For all the other roles/personas please read the document
The document also lists the potential problems that implementation partners face during the RBP setup and their corresponding reason for the issue as well as a suggested solution. This would act as a quick guide for consultants if they are having similar issues on what they can do to fix the issues from a permission perspective. It also lists some of the leading ways to configure role-based permission.
One such example is
Problem
The onboarding dashboard is not available for certain roles.
Reasons
General User Permission:
Onboarding or Offboarding Object Permissions:
Employee Data:
Employee Central Effective Dated Entities:
If there are no employees who have an onboarding process running currently then the dashboard is not visible.
Process has errors, Check the BPE monitor
Another Example would be
2.Future Dated Employee access for internal hires
Problem
During internal hire, future-dated managers of these internal hires cannot perform tasks like” Schedule meetings”, “Recommended” people, etc.
Solution
The future manager can perform new hire tasks such as Schedule Meetings, Recommend People, and Recommend Links among others before the internal hire's start date. The internal hire manager relationship is applicable for internal hires from SAP SuccessFactors Recruiting, SAP SuccessFactors Employee Central, and external Applicant Tracking System. The below screenshot shows how this can be configured.
Other Scenarios in the document
We hope this blog post helped you get acquainted with the basic understanding of the concepts & use cases defined and discussed in the SFIDP. We recommend you to further explore the document for a full-fledged discussion that will aid you in better product implementation as well as help you align with the industry leading practices. We look forward to your valuable comments/feedback/queries on this blog post.
This IDP has been enhanced to reflect the latest changes released as part of the 2H 2022 release. It includes enhancements for rehire feature with new permission to enable Rehire with New Employment and cancel the Onboarding process with the enhanced user interface.
For a complete list of published Implementation Design Principles for SAP SuccessFactors Solutions, visit SAP SuccessFactors Customer Community page.
Link to the Document
Introduction
A good security design ensures that an organization can manage the proper authorization, data privacy, data integrity, etc. Role-based permission is essential for the good security design of SAP SuccessFactors Onboarding solution. In this module special care must be given to roles since the target population is external users of the system. The external users of the company will be internal users from their hire date. The onboarding process involves a lot of participants. The participants like Hiring Manager, Onboarding Administrator, Buddy, IT persons who are required to provide equipment, etc.
This document (Link) covers the common set of permissions that are required for each of these participants to perform their role effectively, and in line with the standard functionality of the system and without giving more permissions than required.
Solution Overview
The specific aspects of onboarding are the difference in “Target population” – especially in the Onboarding process. The new hires who are going to join the company are technically external users. The external user has a specific user status and does not have the same authorization as that of a regular employee. Keeping this into consideration we can understand a few basic concepts.
Creating a Permission group with External user population
When creating a group of External user populations. Apart from the regular method of selecting the people pool. You would also need to select the user type as “External Onboarding User”
Figure 1 Creating permission groups with user Type: External onboarding user
Creating a role for the External User
In manage permission roles, you could use “Create New Role for External User” for creating a new role for the new hires (“Onboardee”).
This is for creating a role for new hires. This should not be used for internal users.
Figure 2: creating a new permission role for external user
Defining a target Population for a role
Select the appropriate Grant role/Grant Group and then choose the Target population as Everyone or based on the Department/Division/Location.
The target decides for which group of employees the Role (From the granted group) can view/edit data.
It is recommended to always keep the target limited so that data privacy and segregation of work and be well established.
Figure 3: Target population of external user
Solution in Detail
The permissions of the key personas in onboarding are listed below. Though the permissions may vary from customer to customer the below will give a baseline. The goal is to give the minimum number of permissions for a role that could make processes work.
These baseline roles and permission can be extended or modified based on customer requirements and the responsibility of the roles.
Key Personas required in Onboarding and their roles
Persona: Hiring Manager
Persona: New hire
Persona: Onboarding Admin
Persona: Rehire Coordinator
Persona: Onboarding BPE Admin
Persona: Onboarding Participants
Persona: IT Participants
The document has all the details of the permission for all the roles. As a snapshot of the document you can see below the table of permission for IT participants
| Permission Location | Permission Name | Permission Description |
| General User Permission | Company Indo -> User Search | Restricts Users searches for the target population defined when granting role. |
| Employee Data | First Name, Last Name, Status – View Access only | This makes sure to show the names of the new hires when the participants click on the To-Do tile. |
| Onboarding or Offboarding Object Permissions | Process | Enables participants to access new hire's details on the Dashboard |
| Onboarding or Offboarding Object Permissions | ONB2ProcessResponsible | Required to show it in the dashboard. |
| Onboarding or Offboarding Object Permissions | Equipment Task | Equipment Task Object Permission |
For all the other roles/personas please read the document
Key challenges and solutions
The document also lists the potential problems that implementation partners face during the RBP setup and their corresponding reason for the issue as well as a suggested solution. This would act as a quick guide for consultants if they are having similar issues on what they can do to fix the issues from a permission perspective. It also lists some of the leading ways to configure role-based permission.
One such example is
- Dashboard is not visible
Problem
The onboarding dashboard is not available for certain roles.
Reasons
- Check the important permission for the user
General User Permission:
- Company Info Access > User Search
Onboarding or Offboarding Object Permissions:
- ONB2Process
Employee Data:
- First Name
- Last Name
- Status
- Location
Employee Central Effective Dated Entities:
- Job Information > Location
- Job Information > Job Classification
- Target Population of the end-users should be external users
- At least one user the onboarding process needs to be started
If there are no employees who have an onboarding process running currently then the dashboard is not visible.
Process has errors, Check the BPE monitor
Another Example would be
2.Future Dated Employee access for internal hires
Problem
During internal hire, future-dated managers of these internal hires cannot perform tasks like” Schedule meetings”, “Recommended” people, etc.
Solution
The future manager can perform new hire tasks such as Schedule Meetings, Recommend People, and Recommend Links among others before the internal hire's start date. The internal hire manager relationship is applicable for internal hires from SAP SuccessFactors Recruiting, SAP SuccessFactors Employee Central, and external Applicant Tracking System. The below screenshot shows how this can be configured.
Other Scenarios in the document
- Names are showing for some and not for others in the dashboard
- Defining the target group based on location/division etc.
- Future dated access of new hires to admins based on Legal entity
- Managers access to only Direct Reports
- Viewing profile after MPH before the start date
- Manage Pending Hires
- Hiding fields for new hires based on country.
- National ID getting empty after EC
- Payment information – Users can add currency
- Offboarding tasks not getting shown to the Manager
- Unable to see compliance form data.
- Employee Export
- Employee Export works with onboarding Dashboard
- New EC Fields Not Available in RBP for ONB External User
- Offboarding: No Permission error
Conclusion/Key Takeaways:
We hope this blog post helped you get acquainted with the basic understanding of the concepts & use cases defined and discussed in the SFIDP. We recommend you to further explore the document for a full-fledged discussion that will aid you in better product implementation as well as help you align with the industry leading practices. We look forward to your valuable comments/feedback/queries on this blog post.
New Updates Dec 2022
This IDP has been enhanced to reflect the latest changes released as part of the 2H 2022 release. It includes enhancements for rehire feature with new permission to enable Rehire with New Employment and cancel the Onboarding process with the enhanced user interface.
For a complete list of published Implementation Design Principles for SAP SuccessFactors Solutions, visit SAP SuccessFactors Customer Community page.
- SAP Managed Tags:
