Uploaded by heinz.albrecht

HR862 EN Col2205 5 v1 Security

advertisement
www.sap.com
Administrator Training Guide
SAP SuccessFactors
Learning – Security
www.sap.com
SAP SE Copyrights and Trademarks
© 2022 SAP SE. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express
permission of SAP SE. The information contained herein may be changed without prior notice.
Some software products marketed by SAP SE and its distributors contain proprietary software components of other
software vendors.
• Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
• IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z,
System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS,
S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture,
POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes,
BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2,
Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are
trademarks or registered trademarks of IBM Corporation.
• Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
• Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of
Adobe Systems Incorporated in the United States and/or other countries.
• Oracle is a registered trademark of Oracle Corporation
• UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
• Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or
registered trademarks of Citrix Systems, Inc.
• HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium,
Massachusetts Institute of Technology.
• Java is a registered trademark of Sun Microsystems, Inc.
• LabNetscape.
• SAP, SAP Fiori, SAP SAPUI5, R/3, SAP Fiori, SAP NW Gateway, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP
BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their
respective logos are trademarks or registered trademarks of SAP SE in Germany and other countries.
• Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web
Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their
respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is
an SAP company.
• Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services
mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc.
Sybase is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in
this document serves informational purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP SE and its
affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any
kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only
warranties for SAP Group products and services are those that are set forth in the express warranty
statements accompanying such products and services, if any. Nothing herein should be construed as
constituting an additional warranty.
SAP SUCCESSFACTORS LEARNING – SECURITY
3
SAP SuccessFactors Learning – Security
ABOUT THIS HANDBOOK............................................................................................................................... 5
Course Introduction ........................................................................................................................................ 6
Overview ........................................................................................................................................................... 6
Course Objectives ........................................................................................................................................... 6
Target Audience ............................................................................................................................................... 6
Assumptions ...................................................................................................................................................... 6
Administrator Role and Permissions ............................................................................................................ 6
Using this Guide .............................................................................................................................................. 7
SAP SuccessFactors Community .................................................................................................................. 8
Additional Resources ...................................................................................................................................... 8
LESSON 1 – SAP SUCCESSFACTORS LEARNING SECURITY MODEL OVERVIEW ................................ 9
Lesson Overview ............................................................................................................................................. 9
Lesson Objectives ........................................................................................................................................... 9
Security Model Overview ................................................................................................................................... 9
Lesson Summary ........................................................................................................................................... 11
Knowledge Check .......................................................................................................................................... 11
LESSON 2 – SECURITY DOMAINS ............................................................................................................... 12
Lesson Overview ........................................................................................................................................... 12
Lesson Objectives ......................................................................................................................................... 12
Security Domains Overview............................................................................................................................. 12
Exercise 2.1: Create a Security Domain Structure .......................................................................................... 13
Security Domain Connector ............................................................................................................................. 16
Working with Security Domain Type Entities ................................................................................................... 17
Exercise 2.2: Associate a Security Domain Type Entity to a Security Domain ............................................... 18
Lesson Summary ........................................................................................................................................... 20
Knowledge Check .......................................................................................................................................... 20
LESSON 3 – SECURITY DOMAIN GROUPS ................................................................................................ 21
Lesson Overview ........................................................................................................................................... 21
Lesson Objectives ......................................................................................................................................... 21
Security Domain Groups.................................................................................................................................. 21
Exercise 3.1: Create a Security Domain Group .............................................................................................. 23
Public Security domain .................................................................................................................................... 25
Lesson Summary ........................................................................................................................................... 26
Knowledge Check .......................................................................................................................................... 26
LESSON 4 – ROLE MANAGEMENT .............................................................................................................. 27
Lesson Overview ........................................................................................................................................... 27
Lesson Objectives ......................................................................................................................................... 27
Role Management Overview ........................................................................................................................... 27
Admin Role Management ................................................................................................................................ 28
Basic guidelines for creating an Admin role: ................................................................................................... 29
Sections of Permissions .................................................................................................................................. 30
References ...................................................................................................................................................... 31
Connector Administration ................................................................................................................................ 32
Exercise 4.1: Create a Template Admin Role ................................................................................................. 32
Exercise 4.2: Apply Security Domain Groups.................................................................................................. 35
Exercise 4.3: Create an Admin Entity .............................................................................................................. 38
Lesson Summary ........................................................................................................................................... 42
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
4
Knowledge Check .......................................................................................................................................... 42
LESSON 5 – USER ROLES AND INSTRUCTOR ROLES ............................................................................ 43
Lesson Overview ........................................................................................................................................... 43
Lesson Objectives ......................................................................................................................................... 43
User Role Management ................................................................................................................................... 43
Exercise 5.1: Create a New User Role ............................................................................................................ 44
Exercise 5.2: Create a User Entity .................................................................................................................. 47
Assigning a User Role to a User ..................................................................................................................... 49
User Role with Manager Permissions ............................................................................................................. 49
User Proxy Role ............................................................................................................................................... 50
Instructor Role Management ........................................................................................................................... 51
Exercise 5.3: Create an Instructor Role ........................................................................................................... 52
Exercise 5.4: Create an Instructor Account ..................................................................................................... 55
Lesson Summary ........................................................................................................................................... 59
Knowledge Check .......................................................................................................................................... 59
APPENDIX A – USING THE EXPORT DATA TOOL FOR PERMISSIONS .................................................. 60
APPENDIX B – USING THE IMPORT DATA TOOL ...................................................................................... 64
APPENDIX C – LEGACY PERMISSIONS...................................................................................................... 67
APPENDIX D – KNOWLEDGE CHECK ANSWERS ..................................................................................... 68
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
5
About this Handbook
This handbook is intended to complement the instructor-led presentation of this course,
and serve as a source of reference. American English is the standard used in this
handbook. The following typographic conventions are also used:
Use
Example / Visualization
Demonstration by Instructor
A hint or advanced detail is shown or
clarified by the instructor – please indicate
reaching any of these points to the
instructor.
Warning or Caution
A word of caution – generally used to point
out limitations or actions with potential
negative impact that need to be considered
consciously.
Hint
A hint, tip or additional detail that helps
increate performance of the solution or
help improve understanding of the solution.
Additional information
An indicator for pointing to additional
information or technique beyond the scope
of the exercise but of potential interest to
the participant.
Discussion/Group Exercise
Used to indicate that collaboration is
required to conclude a given exercise.
Collaboration can be a discussion or a
virtual collaboration.
User Interface Text
Find the Flavor Gallery button
Solution or SAP Specific term
E.g. Flavors are transaction specific screen
personalization created and rendered
using SAP Screen Personas.
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
6
Course Introduction
Overview
Through discussion, demonstration, and hands-on computer exercises, this course
teaches you how to create and manage the Security Model in SAP SuccessFactors
Learning.
Certain features covered in this guide may not be enabled in your company’s
environment. If you see screenshots in this guide that do not match your
company’s configuration, please skip the feature/lesson.
Course Objectives
Upon completion of this unit, you will be able to:
•
•
•
Describe the SAP SuccessFactors Learning Security model
Create Domains and Domain Restrictions
Build Admin, User, and Instructor Roles
Target Audience
This course is intended for SuccessFactors administrators (admins) responsible for
creating and maintaining the security system in SAP SuccessFactors Learning.
Assumptions
Administrator Role and Permissions
This training assumes that your SAP SuccessFactors Learning administrator role is
associated with all available permissions in the system. If your role does not include
certain permissions, those tabs and pages will be grayed out and/or inaccessible.
Some screenshots and certain features covered in this guide may not be
enabled in your company’s environment. Please note that major configuration
changes will need to go through Professional Services, as System
Administrators do not have access to enable certain features.
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
7
Using this Guide
This handbook is intended to complement the instructor-led presentation of this course,
and serve as a source of reference. American English is the standard used in this
handbook. The following typographic conventions are also used:
Use
Example / Visualization
Demonstration by Instructor
A hint or advanced detail is shown or
clarified by the instructor – please
indicate reaching any of these points to
the instructor
Warning or Caution
A word of caution – generally used to
point out limitations or actions with
potential negative impact that need to be
considered consciously
Hint
A hint, tip or additional detail that helps
increate performance of the solution or
help improve understanding of the
solution
Additional information
An indicator for pointing to additional
information or technique beyond the
scope of the exercise but of potential
interest to the participant
Discussion/Group Exercise
Used to indicate that collaboration is
required to conclude a given
exercise. Collaboration can be a
discussion or a virtual collaboration.
User Interface Text
Solution or SAP Specific term
Find the Flavor Gallery button
E.g. Flavors are transaction specific screen
personalization created and rendered using
SAP Screen Personas.
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
8
SAP SuccessFactors Community
Customer Community is your one-stop shop for support, quick answers, product training
and quarterly release updates. You may also post ideas for enhancements on productspecific Q&A boards, and "Kudo" other ideas that you like. Enhancement ideas with the
most kudos often become part of the product roadmap for future releases.
https://community.successfactors.com/
Additional Resources
For more information about SAP SuccessFactors, refer to these resources:
SAP SuccessFactors Help
Portal
https://help.sap.com/viewer/product/SAP_SUCCESSFAC
TORS_HXM_SUITE
SAP SuccessFactors Release
Information
https://help.sap.com/viewer/product/SAP_SUCCESSFAC
TORS_RELEASE_INFORMATION
SAP SuccessFactors
Community
SAP Roadmap Explorer
https://community.successfactors.com/
SAP Training Shop
https://training.sap.com
https://roadmaps.sap.com/
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
9
Lesson 1 – SAP SuccessFactors Learning
Security Model Overview
Lesson Overview
The goal of this lesson is to establish a general understanding of the concepts and
terminology associated with the Security Model in SAP SuccessFactors Learning.
Lesson Objectives
Upon completion of this lesson, you will be able to:
•
•
Describe the SAP SuccessFactors Learning Security model
List the steps used to implement the SAP SuccessFactors Learning Security model
Security Model Overview
SAP SuccessFactors Learning security works differently from the core SAP
SuccessFactors Human Experience Management (HXM) Role Based Permissions (RBP)
model. Therefore security within SAP SuccessFactors Learning needs to be configured
separately. With RBP, Users can be granted access to the Learning system menu option
to launch the system as a User. RBP may also be used to grant access to the Admin
Center tool for Learning Administration so that Admins may launch the administration side
of the system. Once they launch the SuccessFactors Learning module, their permissions
within the user-side and/or admin-side of the system will be controlled entirely by the
Learning security model.
In the SAP SuccessFactors Learning, the Security model is a combination of Roles,
Permissions, Security Domains, and Security Domain Groups.
Term
Definition
An area in our security structure where entities are placed when
we need to restrict access to them for some admins and not
others.
Security Domain
One example may be a Corporate security domain which may
contain Libraries, Assignment Profiles, Admin and other securityrelated entities. Another example may be regional security
domains that contain the learning entities such as Items,
Curricula, Programs, and Classes that are specific to the admins
in that region.
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
Term
10
Definition
A group of one or more security domains that, when applied to
the permissions in an admin role, will control where the admin
may perform those permissions.
Security Domain
Groups
Permission
Role
For example, a security domain group called “Europe-All” may
include the security domains of France, UK, and Germany (as
well as others). When applied to the permissions in a role that
pertain to user entities, the admin will only be able to perform
those permissions for user entities in the Europe security
domains.
A combination of a function (add, delete, copy, edit, search, etc.)
and an entity (user, item, class, curriculum, instructor,
assignment profile, etc.) that determines what an Admin may do
in the LMS. Examples: Add User, Search Item, Edit Curriculum,
Copy Assignment Profile.
A list of permissions that are grouped together and associated to
the instructor, user, and admin entities. These permissions allow
access to menus, links, and tiles. For admin roles, security
domain groups may be applied to permissions in the role to
permit access only to certain security domains of entities.
Once the users are imported from SAP SuccessFactors system (or any other HR
Management System), they are assigned to a security Role that is specific to the Learning
system (Admin, User, Instructor). The admin, user and/or instructor role assignment can
be accomplished during a connector job, an assignment profile, import tool, or manual
update in the admin, user or instructor entity.
Each type of Role contains a list of Permissions that determine what functions that
particular role can perform. Depending on the organization, different Admin, User or
Instructor roles may be created to meet their specific requirements. These roles can be
copied, customized and applied to the Admin, User, or Instructor entity for access to the
Learning system tools and features, depending on the needs.
In addition, the Learning Security model allows customers to control Admin access to a
specific data stored in the Learning system. If the customer would like to restrict Admins to
be able to work with certain data only (for example, Admins working in North America
should have access to data created for the North America region only), they would need to
build security domains and security domain groups, and assign the security domain groups
to Admin roles accordingly.
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
11
Lesson Summary
In this lesson, you were introduced to the concepts and terminology associated with the
Security Model in SAP SuccessFactors Learning.
You should now be able to:
•
•
Describe the SAP SuccessFactors Learning Security model
List the steps used to implement the SAP SuccessFactors Learning Security model
Knowledge Check
Use what you learned in this Module to answer the following questions.
1. True or false: Role Based Permissions (within HXM) only grants access to the
Learning module but does not determine what users may do within SAP
SuccessFactors Learning.
True
False
2. Which of the following are entities in the system that are part of the security model?
A. Roles
B. User Groups
C. Security domains and security domain groups
D. Categories
E. Permissions
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
12
Lesson 2 – Security Domains
Lesson Overview
The goal of this lesson is to understand the use of Security Domains in SAP
SuccessFactors Learning security.
Lesson Objectives
Upon completion of this lesson, you will be able to:
•
•
•
Explain Security Domains and their purpose
Create a Security Domain structure in SAP SuccessFactors Learning
Describe the purpose of Security Domain Type entities and how they are used
Security Domains Overview
The use of security domains is an important part of the security strategy. When a new entity
(i.e. Item, Curricula, Assignment Profile, etc.) is added to the Learning system, an Admin
has to select a security domain where that entity will reside. This will allow you to keep the
data organized, and more importantly it will help to determine which Admins can access
what data elements (with the use of security domain groups – more information in Lesson
3).
The Security domain structure should be complex enough to meet security needs but not so
complex that it is difficult to maintain. A security domain structure should primarily be
determined by the complexity, delegation, and distribution of administrators.
NOTE: As a best practice, do not create more levels of security domains than are actually
needed.
Typical security domain structures may represent the organization or regional structure of
a company or agency.
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
13
Exercise 2.1: Create a Security Domain Structure
1. Navigate to System Administration > Security > Security Domains
Note: It is a best practice to search for an existing entity before adding a new one in order
to avoid duplication.
2. Click Add New link to create a new security domain
3. Select the Add Root (Top) Level Security Domain radio button to create a parent
Security Domain. Enter values into the Security Domain ID and Description fields. (e.g.
user your initials and a number) Click the Add button.
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
14
4. Once a security domain entity is added to the Learning system, you can still change
the security domain description, as well as the hierarchical structure between security
domains. Selecting a different parent security domain will move your security domain and
build a new relationship between security domains
NOTE: Information about the Security Domain Types tab can be found in Lesson 2-2.
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
15
5. Repeat the exercise to create a security subdomain: from the Security domain entity
click the Add New link
6. Choose “Add Security Subdomain” and select a security domain that you want to be
the Parent Security Domain. Complete the Subdomain ID and Description fields
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
16
7. Once you create a security domain structure, you can review it from the Parent
security domain entity. Find the Parent security domain and expand the view under
security domain ID
NOTE: The security domain Level starts from 0 which corresponds to the root-level
security domain. The system increments each subsequent security subdomain by one.
Security Domain Connector
SAP SuccessFactors Learning allows Security Domains to be added to the system as part
of the Security Domain Connector job. First, an Admin would need to download the
Security Domain template (System Administration > Connectors > Download Connector
Template and select Security Domain Connector as a TXT file) and complete it. There are
three types of information that the Security Domain template supports: Security Domain
ID, Security Domain Description, and Parent Security Domain ID. This allows the Admin to
create multiple Security Domains, as well as build the relationship between them by
assigning Parent Security Domains. For example, when a Customer acquires six new
security domains of employees, the new security domains may be added to the system
through the User Connector. However, the User Connector does not put the security
domains into a security domain tree. Therefore, it might be necessary to use the Security
Domain Connector.
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
17
Working with Security Domain Type Entities
When a new security domain is added to SAP SuccessFactors Learning, that Security
domain is automatically associated with all available security domain type entities. A
security domain type entity is a type of entity that can be stored into security domains (e.g.
Item, Equipment, Assignment Profile, Role, etc.). There are two kinds of entities in the
system: Global references are entities that are not stored in security domains but are
available as part of a global list; security domain types are entities that are saved into
specific security domains.
The PUBLIC Security Domain allows all of these entities to be created and saved in it.
Current list of existing Security Domain Types:
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
18
Note: The database names are used for the Security Domain Type entities from when they
were originally created. Therefore, you can use this list as a lookup table for old terms and
current terms. For example, QUAL, STUD, SCHD, CLASS, CTLG, and CPNT are now
called Curriculum, User, Class, Cohort, Library, and Item respectively. Legacy Plateau
Performance entities will be sunset – such as PLAN, PPG, ASSESSMENT
PROCESS/SURVEY, GOAL, POSITION, and FORUM. Additionally, Brand is legacy in the
LMS (as branding is now part of Themes in HXM) and Question is legacy due to PQE
being sunset. USRPRFL is the old name for the Admin entity.
By specifying which Security Domain Types are allowed to be created/moved to this
security domain, we can create a more complex security model. Some security domains
may contain certain specific security domain types that others will not allow. For example,
the Corporate security domain may permit security domain types such as assignment
profiles and roles. These security domain types may not be permitted to be stored at lower
level security domains.
Exercise 2.2: Associate a Security Domain Type Entity
to a Security Domain
1. Navigate to System Administration > Security > Security Domains and create a new
Security Domain (example “North-AM-Users”).
2. Select the Security domain types tab and remove all security domain types except
the one for STUD (User). Click on Apply Changes.
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
19
3. This will remove all security domain types from the security domain except the User
security domain type.
NOTE: The purpose of security domain types is to allow or not allow certain entities to
exist in certain security domains. For example: we can have a user-only security domain or
a security domain that contains assignment profiles, libraries, and admin accounts but no
learning entities or users.
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
20
The security domain “North-AM-Users” will remain invisible to Admins as they work with
other type of entities, i.e. items, programs, classes, etc. since the security domain types for
those entities are no longer listed for this security domain.
Lesson Summary
In this lesson, you were introduced to the use of Security Domains in SAP SuccessFactors
Learning security.
You should now be able to:
•
•
•
Explain Security Domains and their purpose
Create a Security Domain structure in SAP SuccessFactors Learning
Describe the purpose of Security Domain type entities and how they are used
Knowledge Check
Use what you learned in this Module to answer the following questions.
1. True or false: When an Item is saved in the PUBLIC Security Domain, all Users will
be able to find it.
True
False
2. Typical security domain structures represent the ___________ or ___________
structure.
3. When the Item security domain type is removed from the list of security domain types
for the North-America security domain:
A. Admins cannot add items to any security domain
B. Admins cannot add items to North-America security domain
C. Admins cannot run a report on items saved in North-America security domain
D. Admins cannot run a report on any item
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
21
Lesson 3 – Security Domain Groups
Lesson Overview
The goal of this lesson is to understand what security domain groups are and how to
implement them in the SAP SuccessFactors Learning security model.
Lesson Objectives
Upon completion of this lesson, you will be able to:
•
•
Describe Security Domain Groups and how they are used
Create a Security Domain Group
Security Domain Groups
Security domain groups (formerly known as Domain Restrictions) are entities that determine
in which security domains an Admin may perform permissions. For example, if the security
domain group North-America contains the North-Am, North-Am-Sales, and North-Am-HR
security domains, Admins with roles with the North-America security domain group applied
can access entities that reside in North-Am, North-Am-Sales, and North-Am-HR security
domains (plus the PUBLIC security domain which is automatically added to every security
domain group).
NOTE: If there are no security domain groups applied to an Admin Role, the Admin may
perform all permissions in the role in all security domains.
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
22
Security domain groups can contain one or more security domains. The security domains
selected for the security domain group do not have to be connected in the hierarchical
structure, but there are some patterns to customer implementations of security domain
groups:
•
•
•
•
Family branch – an Admin is responsible for the entities in the Europe region, which
means access to the entities in the Europe security domain and its security
subdomains (Europe-Sales and Europe-HR security domains)
Sibling – an Admin is responsible for siblings on the same branch. For example, an
Admin has access to the entities in Europe-Sales and Europe-HR but not in the
parent security domain (Europe)
Parent-child – an Admin is responsible for parent security domain and one or more
child but not the entire branch. For example, an Admin has access to the entities in
the Europe security domain and the Europe-HR security domain
Mix-and-match – in this pattern, any security domains may be included in a security
domain group (from different parts of the same security domain tree or even different
trees).
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
23
Exercise 3.1: Create a Security Domain Group
Note: It is a best practice to search for an existing entity before adding a new one in order
to avoid duplication.
1. Navigate to System Administration > Security > Security Domain Group and click the
Add New link.
2. Complete the Security Domain Group ID and Description fields (e.g. use your initials
and a number), then select in which Security domain you want to save the entity (e.g.
the CORP domain).
3. Click the Add button.
4. Once the entity is added, select the Security Domain tab to add security domains to
your security domain group.
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
24
NOTE: When a Parent Security domain is selected, you will have an option to include or
remove security subdomains. The Security Subdomain option results in a security domain
group for the parent and child security domain(s). Remember to click Apply Changes.
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
25
Public Security domain
The Public security domain is added to every security domain group automatically and
cannot be removed. Any entities that have been saved in the Public security domain will
be accessible by any Admin whose role permits them to work with those entities.
Therefore, since the Learning security model specifies that all data should reside in
specific security domains and access to them should be controlled through security
domain groups, Admins should not use the PUBLIC security domain and should always
save entities into more appropriate security domains.
Once a security domain group has been created, it can be applied to permissions in an
Admin role in order to restrict the Admin’s access to the data in only those specific security
domains. This process will be described in Lesson 4.
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
26
Lesson Summary
In this lesson, you were introduced to Security domain groups and how to implement them
in SAP SuccessFactors Learning.
You should now be able to:
•
•
Describe Security domain groups and how they are used
Create a Security domain group
Knowledge Check
Use what you learned in this Module to answer the following questions.
1. True or false: The PUBLIC domain can be removed from a security domain group..
True
False
2. What are the patterns to customer implementations of security domain groups?
A. Sibling
B. Family branch
C. Mix-and-match
D. Parent-Child
E. All of the above
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
27
Lesson 4 – Role Management
Lesson Overview
The goal of this lesson is to establish a general understanding of Role Management in
SAP SuccessFactors Learning.
Lesson Objectives
Upon completion of this lesson, you will be able to:
•
•
•
•
Explain Role Management in the SAP SuccessFactors Learning system
List three types of Roles in the SAP SuccessFactors Learning system
Create an Admin role and apply Security domain groups
Create and assign an Admin account
Role Management Overview
As described in Lesson 1, the SAP SuccessFactors HXM Role Based Permission model
only grants access to the Learning module to Users and only allows access to the Learning
Administration tool to Admins. Their permissions within the Learning system are fully
controlled by permissions which are unique for each type of Role. The SAP SuccessFactors
Learning system currently supports three type of Roles: Admin, User, and Instructor. When
creating a new role template, an Admin has an option to choose which type of Role (s)he
wants to create, and then to define their access within the Learning system by
adding/removing permissions. permissions are combinations of functions (actions) and
entities and each Role contains a set of permissions that are specific for that Role.
This security model permits a Customer to create multiple roles for each type of Role and
assign each a different set of permissions. For example, if the customer needs to support
multiple types of users (full time, contractors, vendors, customers, etc.), they might want to
create a role for each type of user and provide them different access to the user-side tiles,
menus, and links. e.g. vendors or external users will not need access to internal links or the
Curriculum Status tile.
The instructor type of role contains permissions that allow certain abilities on the instructor
view of the user side (the My Classes tab). User and Instructor role types are discussed
more in Lesson 5.
Admin roles may be created with different security domain groups applied to the permissions
in the role. This permits admins with the same basic function the ability to perform their role
only in their areas of responsibility (security domain groups). Each permission can be
restricted only by one security domain group, however, as mentioned in Lesson 3, the
security domain group may contain multiple security domains.. As shown in Figure 3,
Security domain group “North-Am” has been applied to the permission “Add Users” which
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
28
means that the Admin with this role will be able to create user entities in the North-Am,
North-Am-Sales, North-Am-HR, and Public security domains only (see Lesson 3 Security
domain groups, Figure 2).
To conclude, the security model within SAP SuccessFactors Learning allows the customer
to build multiple roles from three types of Roles (Admin, User, Instructor), use permissions
to determine which features and functionality an admin with the role may access and apply
security domain groups to Admin roles in order to limit an Admin’s access to certain data
only.
Admin Role Management
Admins can have different types of responsibilities depending on the organization
requirements (internal factors) and the enterprise environment (external factors). A typical
Admin structure is built from Super Admin that has an unrestricted access to the entire
Learning system, and other Admins that access is determined by the split of roles and
responsibilities within the organization.
There are several System Default Admin Roles:
•
•
ALL - Default Role with all permissions
ALL_CONNECTOR - Role with connectors permissions
These system default roles are preconfigured with permissions and may be overwritten
with a new release that adds new features. Due to this fact, it is recommended to create a
customer-specific copy of each of these rather than using the system default ones. The
copied roles allow the customer to control the exact permissions for each of their roles.
The SAP SuccessFactors Learning system allows customers to create multiple Admin
Roles, and as necessary, apply Security domain groups. When admin accounts are added
to the Learning system (either manually or through the Admin Connector), one or multiple
Admin roles can be assigned to an admin account. This way you can fully control what an
admin is able to perform in the system and add a new role or unassign any unnecessary
one(s).
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
29
When creating a new Admin role, it is a best practice recommendation to create a template
role and test it for all the necessary permissions before applying security domain groups.
Basic guidelines for creating an Admin role:
1. Always identify and create a template role. In the description for this role, repeat
back the customer requirements for what this role is allowed to do and what the role
is specifically not permitted to do.
2. Add permissions from each section carefully as appropriate. Follow the guidelines
below to include permissions for add/edit/view/copy/delete those entities that the role
needs to work with. Remember that some entities in the system require access to
other entities. For example, if you are adding items to a library, you will probably
need permissions that permit you to search items and libraries as well as add library
item and add item library.
3. Remove (or don’t add) permissions that are typically locked down to only the system
admin role such as the ability to add/edit/delete reference entities. If you are not sure
what references are, you should familiarize yourself by viewing the lists under each
reference menu.
4. If this role will be running reports, make sure to include the reports themselves, full
searching ability, and the critical View User Background Job permission from the
System Administration category of permissions.
5. Once the template role has been created and tested by the customer, it may be
copied and security domain groups may be applied to each copy of the role.
6. Remember that there are several ways to apply security domain groups to
permissions in a role: a. by function, b. by entity, and c. by permission. There may be
different security domain groups applied to different permissions – so for example,
an admin may need to search for items from anywhere in the security domain tree,
but may only create classes in one specific security domain.
7. Test each role by creating an Admin and assigning them just one role. Login as the
Admin and note what the role permits them to do, what they are not allowed to do,
and if security domain groups have been applied, where can they view records or
add records.
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
30
NOTE: In the integrated environment, first the designated Learning administrator will need
to exist as a user within the SAP SuccessFactors HXM application. From within SAP
SuccessFactors HXM, admin permissions to access Learning Administration must be
granted to those users who will be Admins in SuccessFactors Learning. After this step, an
admin account within the SAP SuccessFactors Learning instance can be created. It is
important to make sure that the SAP SuccessFactors HXM user ID is the same as the
admin ID created in SAP SuccessFactors Learning.
Sections of Permissions
Permissions permit access to certain menu options, links, buttons, and tools in the system
in order for the Admin to do what they need to do.
The permissions that may be assigned to an Admin role exist in different sections which
are primarily based on the main menu options of the Admin screen. When considering
which permissions to add to a role, customers will need to decide exactly what entities an
Admin with this role will need to work with and specifically what functions will they need to
perform on those entities.
Choosing an entire section of permissions is usually NOT going to be a good idea – with
the possible exceptions of the Search category (for most roles) and the System
Administration category for only the highest level System Admin, ALL, or similar role.
Basic Learning Records - If a role is creating records in the system such as Items,
Curricula, and Programs, many of the necessary permissions will be found in the Learning
Activities section. This role is likely to need the ability to add/edit/copy/delete and view all
of these entities. The ability to search for these entities will be found in the Search section
of permissions. This role would not be the one likely to add/edit references so permissions
that relate to reference values would likely only contain Search and possibly View.
Working with Users – any role that assigns learning needs to users, enters the user
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
31
record in either view or edit mode, records learning, or any similar function with users, will
need to include some of the permissions in the People Management section. Again, this
role is not likely to add or edit reference values that pertain to users, so only Search and
possibly View for reference entities.
Searching - The permissions in the Search categories are relatively safe to use in most
admin roles. If the role will need to search for most entities including learning records,
users, and references, the Search permissions should be included. If there are entities that
a company doesn’t use at all (such as for legacy Plateau Performance or Commerce for
example) those Search permissions should be removed from the role(s).
Report running versus Report designing – The permissions in the Reports category
include all of the out of the box reports as well as some permissions that would be specific
to only those admins who will be working with Report Designer (PRD) and custom reports.
These special permissions include Import/Export Reports, Publish/Unpublish Reports, and
Add/Edit Report Group. As custom reports are created and imported, an admin role may
be edited to include the new permission created in the system that’s specific to that
custom report. While most permissions from the System Administration category are not
usually assigned to roles other than the most powerful (System Admin, ALL, or similar)
there is one that is critical for any role in order to run reports. The View User Background
Job permission must be added to any role that will be running reports in SAP
SuccessFactors Learning. Most admin roles should include the ability to run reports that
pertain to their responsibilities. For example, an admin that will be creating items and
curricula will likely need to run the Item Data and Curriculum Data reports. An admin that is
assigning curricula to users will likely need to run the Curriculum Item Status report. As
most reports require searching for entities, any admin role that is running reports will also
need most search permissions. A special role called REPORT_DEVELOPER is available
(by request from Support) for any Admin who will be using SAP SuccessFactors Report
Designer (also called PRD or BIRT). This role does not contain any permissions but is
necessary for the Admin in order to access a private screen with additional information and
tools to use BIRT/PRD with the staging environment to test their reports. More information
about this may be found in the training guide for SAP SuccessFactors Report Designer
(HR868).
References
Because references are entities whose values are shared globally across the entire
company, (and not security domain type entities) most customers restrict which roles are
permitted to add/edit/delete and copy references. While other admin roles may need the
Search (and sometimes View) permissions for these entities, usually only the System
Administrator role (or some version of the ALL role) is permitted to create and edit
references. Values for some references may be populated as a result of the connectors or
import data tool, but others may be entered manually.
Examples of references include: Item Types, Completion Statuses, Assignment Types,
Categories (formerly Subject Areas), Employee Statuses, Employee Types, and Job
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
32
Codes. When you are adding permissions to an Admin role (that is not the System Admin)
from a section of permissions (e.g. People Management or Learning Activities) it is a best
practice to avoid adding those that would allow the admin to Add/Edit the reference. Be
sure that all/most Admin roles have the ability to search for references as this will be
necessary when they are searching for other entities. For example, searching for users
should allow searching by job codes and searching for items should allow searching by
item type.
Connector Administration
While other Admin roles may have the need to view the Connector APMs, (to see when
they are scheduled to run) only a few high-level Admins will likely need to actually
schedule them to run. There is a default role called ALL_CONNECTORS which has the
Edit permissions from this section. Only those admins who will actually need to schedule
connectors will need the ALL_CONNECTORS role.
Exercise 4.1: Create a Template Admin Role
1. Navigate to System Administration > Security > Role Management and click Add
New link.
2. Complete the Role ID, Description, and Security Domain fields and select Admin in
the Role Type. (For example, enter XXX-TC-TEMP and use your initials in place of
XXX to create the Training Coordinate Template role. Use CORP for the security
domain.)
3. Click the Add button.
4. Select the Permissions tab and click Add one or more from list in the Add
Permissions to the Role section.
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
33
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
34
5. Expand each section of permission by clicking the red plus sign (
) next to it.
Check each checkbox for the permissions you want to add to this role. Click the Add
button to add the selected permissions to the role.
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
35
6. If you want to remove a permission that was previously added, expand the section of
permission in the Remove Permissions from the Role area, check the Remove checkbox
for the permission(s) to be removed, and click the Apply Changes button.
Exercise 4.2: Apply Security Domain Groups
Once a new Admin role has been created and the specific permissions have been
added/removed from it, a security domain group may be applied. Each permission in the
role can have a unique security domain group applied, however the typical approach is
one security domain group applied across several permissions in a role by either function,
entity, or individual permission.
NOTE: It is recommended that a “template” version of each role should be created and
then tested before copying it and applying security domain groups to each copy of the role
as appropriate. In case of issues with the role, such as permissions that should be added
or removed, this recommendation would allow us to be sure that the role contained all the
appropriate permissions before we copy it. If we later find we need to add or remove a
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
36
permission, it will be less efficient to have to do this for each of the copies of the role.
Therefore, the leading practice when working with new roles in the SAP SuccessFactors
Learning is to create a template role first, assign it to an account and test it. once you are
certain it contains all the necessary permissions, copy the template role and apply the
appropriate security domain groups to each of the copies.
1. Navigate to System Administration > Security > Role Management and find the role
you have previously created.
2. Select the Entity Restr. tab, expand the appropriate section of permissions (by
clicking the red plus sign
) and choose the Security Domain Group ID that you
want to use to apply to these permissions for a certain entity. For example, we could
apply the PCW security domain group to the Items entity so that all permissions in
this role related to Items may only be performed in the security domains contained in
the PCW security domain group.
Note: A security domain group that has been applied to one entity may be applied to all
other entities (if desired) by selecting the Apply to All Entities radio button.
3. Click Apply Changes.
Example: Training Coordinators should be able to perform Learning Management related
tasks in the PCW security domain and all its subdomains The security domain group PCW
has been created to include PCW, all subdomains, and the PUBLIC domain. We would
create the template role for Training Coordinators first and test it without any security
domain groups. Then we would copy the template to the TC-PCW role and apply the PCW
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
37
security domain groups to the item entity. An Admin with this example role would be able
to create items only in one of the PCW domains, but they could work with libraries from
any security domains.
NOTE: For some of the permissions it is possible to apply State Restrictions which refer to
the entity state: active, inactive and both. This allows us to specify what state of the
entities an Admin can work with. If no State Restriction is selected, the Admin is allowed to
work with both active and inactive entities.
4. Select the Permission Restriction tab, expand the appropriate section of permissions
(by clicking the red plus sign
) Verify that the security domain groups have been
applied correctly or make any changes necessary so that all permissions have the
appropriate security domain groups.
5. If you make any changes on this tab, click the Apply Changes button.
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
38
Exercise 4.3: Create an Admin Entity
In this activity you will learn how to create an Admin entity.
NOTE: For the integrated environment, remember to check the user ID in SAP
SuccessFactors HXM, and use that ID when creating an admin account.
1. Navigate to System Administration > Security > Administrators and click the Add
New link.
Note: It is a best practice to search for an existing entity before creating a new one – to
avoid creating a duplicate.
2. Complete all the necessary fields, including Admin ID, Last Name, First Name, Email
Address, and Password fields.
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
39
NOTE: By adding a User in the Related User field, the Admin entity will be associated to
the User entity.
3. Click Add button.
4. Select the Assigned Roles tab > click Add one or more from the list link. From here
select role(s) you want to assign to the admin account. (For example, adding the ALL role
will give this Admin the ability to perform all permissions without restriction (no security
domain groups applied).
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
40
NOTE: An administrator account can have multiple administrator roles assigned to their
account. In case one role is less restrictive than the other assigned to the same admin
account, the SAP SuccessFactors Learning system will give the priority to the less
restrictive role. Therefore, a good understanding of roles and permissions, as well as
security domain groups that have been created in the system for the use of admin roles is
necessary.
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
41
5. Select the Preferences tab to select Locale and Time Zone.
6. Log out from the Learning system, and login with the new Admin credentials. If your
Admin account has been associated with a User, the Home tab should display as well.
NOTE: The procedure may change once the ability for Native Login has been sunset.
Also, the Admin Connector (System Administration > Connectors) allows us to mass
import admin accounts into the SAP SuccessFactors Learning system. It requires you to
prepare the Admin Connector data file and upload it into the Learning system through the
Connector file upload.
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
42
Lesson Summary
In this lesson, you were introduced to Role Management in SAP SuccessFactors Learning.
You should now be able to:
•
•
•
•
Explain the Role Management model in the SAP SuccessFactors Learning system
List three types of Roles in the SAP SuccessFactors Learning system
Create an Admin role and apply Security Domain Groups
Create and assign an Admin account
Knowledge Check
Use what you learned in this Module to answer the following questions.
1. True or false: It is a best practice to create a template role and test that all the
necessary permissions have been added and then copy the role before applying
security domain groups to the permissions in the copied roles.
True
False
2. How many security domain groups can be assigned to a single permission?
A. One
B. Maximum two
C. Unlimited
D. None
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
43
Lesson 5 – User Roles and Instructor Roles
Lesson Overview
The goal of this lesson is to establish an understanding of User roles and Instructor roles
in SAP SuccessFactors Learning.
Lesson Objectives
Upon completion of this lesson, you will be able to:
•
•
•
Create a User role in the SAP SuccessFactors Learning system
Identify the area of the user role that pertains only to Managers
Create an Instructor role in the SAP SuccessFactors Learning system
User Role Management
A user is any person for which a user entity has been created, including employees,
contractors, and others for whom you wish to maintain learning history records and to
register for courses. Typically there is only one User role applied to all Users in the SAP
SuccessFactors Learning system. However, if there is a need to grant different level
access to Learning menus, multiple user roles can be created and assigned to Users
accordingly (but only one user role can be assigned to a user).
There are two system default user roles, and like default admin roles, it is recommended
that customers create new user roles as the default ones have the preconfigured
permissions and may be updated with new releases. If a customer would like to decide
whether to enable new functionality and not automatically “opt-in” to new features on the
user side, they will want to use their own role(s) instead of the default.
•
•
DEFAULT USER - System Default User Role
LEARNING_USER - System Default Learning User Role
Since the DEFAULT USER role contains every possible permission, it is usually a best
practice to copy this role to create the customer-specific User role. After copying the role,
the Admin may remove any permissions that they do not want the users to have. For
example, if a customer has decided that they are not using certain features like
Commerce, User-created content, or peer-to-peer recommendations, the permissions that
allow these may be removed from their User role.
NOTE: In the integrated environment, first the user data will need to exist within the SAP
SuccessFactors HXM application. From within SAP SuccessFactors HXM, user
permissions to access the Learning module must be granted. In the last step, the User
Connector SF runs and feeds the user data from HXM into SAP SuccessFactors Learning.
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
44
As a result, user entities are added to the SAP SuccessFactors Learning system and
based on the permissions from SAP SuccessFactors HXMHXM, are given access to the
Learning module from the dropdown menu. This guide will only focus on the configuration
settings that need to be performed within the SAP SuccessFactors Learning system. More
information about Role Based Permissions can be found in the THR80 course.
Exercise 5.1: Create a New User Role
1. Navigate to System Administration > Security > Role Management, search for the
DEFAULT USER role, and click the Edit icon (
).
2. Click the Copy Role button.
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
45
3. Enter a new Role ID, check the checkbox for Copy Assigned Permissions, and click
the Copy button.
4. Enter the Security domain (e.g. CORP) and click Apply Changes.
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
46
5. Click the Permissions tab and the Expand All link to view the existing permissions in this role.
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
47
6. To remove permissions, check the checkbox in the Remove column for each
permission to be removed and click Apply Changes. To add permissions to the role, If click
the add one or more from list link.
Exercise 5.2: Create a User Entity
Typically, users will be added to the SAP SuccessFactors Learning system through a
regularly scheduled connector. Some customers may permit external users to add
themselves to the system, while other customers may add some users manually.
In this activity you will learn how to create a User manually.
1. Navigate to People > Users
Note: It is always a best practice to search for entities before creating them in order to
avoid duplicates. Search for a user by name and look for both active and inactive users to
be sure this user is not already in the system.
2. Click the Add New link and complete all the necessary fields, including User ID, Last
Name, First Name, Email Address, security domain, and any other fields
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
48
3. Select the appropriate Role from the dropdown
4. Click the Add button
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
49
Assigning a User Role to a User
There are multiple ways of assigning a role to the user entity:
1. User entity: This is a manual method of assigning or changing a User Role from the
user entity (Choose a role from the Role dropdown on the User Details tab).
2. Connector: When importing users into the SAP SuccessFactors Learning system
through the Connector job, it is possible to assign a Role ID for to user entities. If the
Role ID is invalid or there is no role assigned to user, then the connector defaults to
the value in the configuration file (System Administration > Configuration > System
Configuration > CONNECTORS > sfuser.connector.defaultValue.studentRoleID)
3. Import Tool: When importing users through Import Tool, the Role field is required.
Therefore, it is not possible to import the users without specifying the Role ID.
4. Assignment Profile: This is an automated method of assigning a Role to users.
Assignment Profiles allows us to create dynamic groups of users based on their HR
attributes, and assign them a specific User Role.
User Role with Manager Permissions
A User’s primary Manager is identified in the Primary Manager field (from within the user
entity). The process of assigning the Primary Manager can be done either manually by an
Admin (User entity > User Details tab> Primary Manager field) or by the connector(s).
There are no separate roles specifically for managers (the way there are roles for Admins,
Users, and Instructors). Once a user is selected as a Primary Manager, the SAP
SuccessFactors Learning system automatically makes available the Manager permissions
that are in the My Team section of the user’s User Role. The My Team section contains
the permissions for the actions the Primary Manager can perform.
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
50
NOTE: Manager permissions are also controlled by the User Assumption Restriction Rules
specified in the LEARNER_SECURITY configuration file.
.
User Proxy Role
The User Proxy Role controls what actions a delegate manager can perform in the SAP
SuccessFactors Learning system. When a manager selects a user to act as delegate, the
manager can decide what rights to grant the delegate (Selected Permissions) or use the
globally defined set of rights (Predefined Permissions) which is controlled by the
permissions contained in the USER PROXY ROLE.
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
51
Instructor Role Management
An Instructor can be any user in the SAP SuccessFactors Learning that delivers training.
An Instructor entity may be created simply as a resource in the system to indicate who will
be delivering training for one or more time slots of a class.
If the instructor will also need to perform certain functions within the system, they should
be granted access to the instructor interface. This is accessed from the user-side of the
Learning module on the My Classes tab.
Currently, the functions an instructor may be able to perform is limited to the following
permissions:
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
52
There is one Default Instructor Role, and like any System Default Role, it is recommended
that this role be copied to a new Instructor role since the default one has all of the
available permissions and may be overwritten with a new release.
•
DEFAULT INSTRUCTOR - Default Instructor Role
Once a customer has identified which permissions they want an instructor to have, they
can edit the instructor role, so it only includes those permissions and other permissions
have been removed.
To give a user access to the instructor interface (My Classes):
1.
2.
3.
4.
Create an Instructor entity for them and assign the desired instructor role
Select the user in the Related User field of the Instructor entity.
Add the instructor as a resource to the time slot(s) of one or more classes.
Authorize the instructor for one or more items (if they will be adding history records
for ad hoc classes).
Exercise 5.3: Create an Instructor Role
In this activity you will learn how to create a new Instructor role by copying from an existing
one.
1. Navigate to System Administration > Security > Role Management and search for
the DEFAULT INSTRUCTOR ROLE. Click the edit icon (
).
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
53
2. Click the Copy Role button and enter the new Role ID, check the checkbox for Copy
Assigned Permissions, and click the Copy button.
3. Edit the Security Domain field (e.g. CORP) and Apply Changes.
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
54
4. Select the Permissions tab and click Expand All to view a list of permissions that are
currently assigned to the role.
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
55
5. By selecting the check box in the Remove column and clicking Apply changes, you
can remove any permission(s) from the role. If you want to add permissions to the role,
click the add one or more from list link.
Exercise 5.4: Create an Instructor Account
In this activity, you will learn how to create Instructor account and assign a user to it.
1. Navigate to People > Instructors > click Add New link.
Note: It is always a best practice to search for an entity before adding it to avoid
duplication.
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
56
2. Complete all the necessary fields, including Instructor ID, Last Name, First Name,
Email Address, and Security domain.Choose which Instructor Role you want to assign to
the instructor.
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
57
3. At this point, you can associate an existing user to this instructor entity and this user
will be granted access to the instructor interface (My Classes). This may also be done
later, either from the instructor entity or directly from the user entity.
NOTE: It is also possible to associate one or more items here that this instructor will be
authorized to teach. This serves two purposes: 1) A search of instructors from the Time
Slot of a class may be filtered by just those instructors that are authorized, and 2) if the
instructor role permits it, authorized instructors may add history records for “ad hoc”
(unscheduled) training for their authorized items. This may also be determined later from
the Authorized to Teach tab of the instructor entity or from the Instructors tab of the Item
entity.
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
58
4. Click Add button to create a new instructor account. If necessary, you may now
complete the instructor entity with other information. If you make any changes, click Apply
Changes.
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
59
Lesson Summary
In this lesson, you were introduced to User roles and Instructor roles in SAP
SuccessFactors Learning.
You should now be able to:
•
•
•
Create a User role in the SAP SuccessFactors Learning system
Identify the area of the user role that pertains only to Managers
Create an Instructor role in the SAP SuccessFactors Learning system
Knowledge Check
Use what you learned in this Module to answer the following questions.
1. How many System Default User Role(s) are there in the SAP SuccessFactors
Learning system?
A. One
B. Two
C. Four
2. List all available methods of assigning a role to the user entity.
3. Fill in the blank: A user’s primary Manager is identified in the __________ field.
4. The User Proxy Role controls what actions:
D. An Admin can perform when proxying as a user
E. A Delegate can perform
F. A Primary Manager can perform
5. Which one of the following categories of permissions in a user role determines the
functions of a Manager?
1. Personal
2. Learning
3. My Team
4. Library
6. Match the step number with the process for giving a user access to the Instructor
interface (My Classes).
Add the instructor as a resource to the
Step 1
time slot(s) of one or more class
Create an Instructor entity for them and
Step 2
assign the desired instructor role
Authorize the instructor for one or more
Step 3
items (if they will be adding history
records for ad hoc classes)
Select the user in the Related User field
Step 4
of the Instructor entity.
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
60
Appendix A – Using the Export Data Tool for
Permissions
The most recent list of Admin, User, User Proxy and Instructor permissions can be found
in the Configuration Workbook.
One way to learn about available permissions for each of the SAP SuccessFactors
Learning roles is to check the system default roles.
In addition to that, the SAP SuccessFactors Learning system allows an admin to export
the Admin roles which will display all the permissions (including any security domain
groups that have been applied). This method may be used to view all the permissions for
existing Admin roles as well as to prepare to move them to another instance (e.g. from the
staging or test instance into the production instance).
The Export Data Tool:
1. Navigate to System Administration > System Management Tools > Export Data.
2. In the Record type dropdown select Admin Role and click Next.
3. On the next screen click the Add one or more from list link to search for an Admin
role. This might be any role since the goal is to download the Admin permission reference.
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
61
4. Once you have one or more roles listed in the Selected Admin Roles section, click
Next.
5. Select when you want the system to run the job, uncheck the checkbox for Notify via
Email (unless you also enter an email address) and then click Finish.
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
62
6. When the status changes to Succeeded, go back to Export Data to download your
report.
7. Once you have download the file, on the second worksheet tab, you will find the
Available Permissions Reference.
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
63
NOTE: In the database, the older terminology has not been changed (e.g. Permissions
were known as Workflows, Security Domain Groups were called Domain Restrictions, and
workflow IDs for many entities may use the legacy terms).
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
64
Appendix B – Using the Import Data Tool
The Import Data tool allows an admin to mass upload different types of entities. In this
Appendix, we will describe the process only for those types of entities that are connected
to the Security model:
1. User: typically, the user entities are added or updated with the Connector job. This is
an automated method which regularly feeds the data from the core HR system into
the Learning module, and this allows to limit the amount of incorrect data. The Import
Tool is another option to mass create (or update) user entities. However, since it
requires working with an excel file, it may cause the risk of incomplete or erroneous
data. Moreover, the user template does not support certain fields that the Connector
template does, for instance HR Business Partner information.
2. Instructor: the Import Tool is the only method which allows admins to create
instructor accounts from a batch file. Instead of manually adding instructor accounts
from People > Instructors, an Admin may simply download the template, complete it
with the necessary data and import the data to the system.
3. Admin Roles: same as with the instructor accounts, the Import Tool is the only
method that allows creating and/or adding admin role templates in a batch mode.
This is especially useful for moving Admin roles and permissions from one instance
to another (such as from the staging/test instance to production).
To upload data with the use of Import Tool:
1. Navigate to System Administration > System Management Tools > Import Data.
2. Select Download Template and in the Record Type select the type of entity you want
to download. Click Submit.
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
65
3. The file (.csv) will download on your computer.
4. Open the file and complete it with the data you want to import for the respective type
of entity. For the Required fields, check the comments to verify whether this field is
referenced (if the field is referenced, it means that the data generally needs to exist
prior to the import).
5. When the file is ready, navigate to Import Tool > select Import Data.
In the Record Type select what type of record you want to import. In the Import Options
choose if you want to only add the entities, update or add and update. Then select a file
and click Submit.
6. Select when you want the system to run the job, uncheck the checkbox for Notify via
Email, (unless you also add an email address) and then click Finish.
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
66
7. You can check the status of the import from the Import Tool.
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
67
Appendix C – Legacy Permissions
Appendix C – Legacy Permissions
The following permissions refer to legacy functionality that will be removed from the
system shortly:
Category
Permission ID
Permission Label
Connector
Administration Edit OrganizationOwnerConnector APM
Edit Organization Owner Connector
Connector
Administration
Content
Content
Content
Content
Content
Content
Learning
Learning
Learning
Learning
Learning
Reports
Reports
Search
Search
Student
Student
View Organization Owner Connector
Delete Exam Object (Legacy)
Edit Exam Object (Legacy)
Edit Printed Exam Template (Legacy)
Edit Question (Legacy)
View Exam Object (Legacy)
View Printed Exam Template (Legacy)
Access Community
Add Community
Delete Community
Edit Community
Move Community
Run Exam Objects (Legacy) Report
Run Exam Item Analysis Legacy Report
Search Exam Object (Legacy)
Search Community
Edit Organization Dashboard Ownership
View Organization Dashboard Ownership
View OrganizationOwnerConnector
APM
Delete Exam Object
Edit Exam Object
Edit Printed Exam Template
Edit Question
View Exam Object
View Printed Exam Template
Access Forum
Add Forum
Delete Forum
Edit Forum
Move Forum
Run Exam and Survey Objects Report
Run Exam Item Analysis Report
Search Exam Object
Search Forum
Edit Org Dashboard Ownership
View Org Dashboard Ownership
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
68
Appendix D – Knowledge Check Answers
Lesson 1
1. True or false: Role Based Permissions (within HXM) only grants access to the
Learning module but does not determine what users may do within SAP
SuccessFactors Learning.
True
False
2. Which of the following are entities in the system that are part of the security model?
A. Roles
B. User Groups
C. Security domains and security domain groups
D. Categories
E. Permissions
Lesson 2
1. True or false: When an Item is saved in the PUBLIC Security Domain, all Users will
be able to find it.
True
False
2. Typical security domain structures represent the organizational or regional
structure.
3. When the Item security domain type is removed from the list of security domain types
for the North-America security domain:
A. Admins cannot add items to any security domain
B. Admins cannot add items to North-America security domain
C. Admins cannot run a report on items saved in North-America security domain
D. Admins cannot run a report on any item
Lesson 3
1. True or false: The PUBLIC domain can be removed from a security domain group.
True
False
2. What are the patterns to customer implementations of security domain groups?
A. Sibling
B. Family branch
C. Mix-and-match
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
69
D. Parent-Child
E. All of the above
Lesson 4
Use what you learned in this Module to answer the following questions.
1. True or false: It is a best practice to create a template role and test that all the
necessary permissions have been added and then copy the role before applying
security domain groups to the permissions in the copied roles.
True
False
2. How many security domain groups can be assigned to a single permission?
A. One
B. Maximum two
C. Unlimited
D. None
Lesson 5
Use what you learned in this Module to answer the following questions.
1. How many System Default User Role(s) are there in the SAP SuccessFactors
Learning system?
A. One
B. Two (DEFAULT USER and LEARNING_USER)
C. Four
2. List all available methods of assigning a role to the user entity. On the User Entity,
using a connector, with the Import Data tool, and through an Assignment Profile.
3. Fill in the blank: A user’s primary Manager is identified in the Primary Manager field.
4. The User Proxy Role controls what actions:
A. An Admin can perform when proxying as a user
B. A Delegate can perform
C. A Primary Manager can perform
5. Which one of the following categories of permissions in a user role determines the
functions of a Manager?
A. Personal
B. Learning
C. My Team
D. Library
© Copyright. All rights reserved.
SAP SUCCESSFACTORS LEARNING – SECURITY
70
6. Match the step number with the process for giving a user access to the Instructor
interface (My Classes).
Step 3
Step 1
Step 4
Step 2
Add the instructor as a resource to the time
slot(s) of one or more class
Create an Instructor entity for them and
assign the desired instructor role
Authorize the instructor for one or more
items (if they will be adding history records
for ad hoc classes)
Select the user in the Related User field of
the Instructor entity.
© Copyright. All rights reserved.
Related documents
Download