Administrator Training Guide
SAP SuccessFactors Learning – Security

www.sap.com

© 2022 SAP SE. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE. The information contained herein may be changed without prior notice.

SAP SuccessFactors Learning – Security

ABOUT THIS HANDBOOK
Course Introduction
  Overview
  Course Objectives
  Target Audience
  Assumptions
  Administrator Role and Permissions
  Using this Guide
  SAP SuccessFactors Community
  Additional Resources
LESSON 1 – SAP SUCCESSFACTORS LEARNING SECURITY MODEL OVERVIEW
  Lesson Overview
  Lesson Objectives
  Security Model Overview
  Lesson Summary
  Knowledge Check
LESSON 2 – SECURITY DOMAINS
  Lesson Overview
  Lesson Objectives
  Security Domains Overview
  Exercise 2.1: Create a Security Domain Structure
  Security Domain Connector
  Working with Security Domain Type Entities
  Exercise 2.2: Associate a Security Domain Type Entity to a Security Domain
  Lesson Summary
  Knowledge Check
LESSON 3 – SECURITY DOMAIN GROUPS
  Lesson Overview
  Lesson Objectives
  Security Domain Groups
  Exercise 3.1: Create a Security Domain Group
  Public Security domain
  Lesson Summary
  Knowledge Check
LESSON 4 – ROLE MANAGEMENT
  Lesson Overview
  Lesson Objectives
  Role Management Overview
  Admin Role Management
  Basic guidelines for creating an Admin role:
  Sections of Permissions
  References
  Connector Administration
  Exercise 4.1: Create a Template Admin Role
  Exercise 4.2: Apply Security Domain Groups
  Exercise 4.3: Create an Admin Entity
  Lesson Summary
  Knowledge Check
LESSON 5 – USER ROLES AND INSTRUCTOR ROLES
  Lesson Overview
  Lesson Objectives
  User Role Management
  Exercise 5.1: Create a New User Role
  Exercise 5.2: Create a User Entity
  Assigning a User Role to a User
  User Role with Manager Permissions
  User Proxy Role
  Instructor Role Management
  Exercise 5.3: Create an Instructor Role
  Exercise 5.4: Create an Instructor Account
  Lesson Summary
  Knowledge Check
APPENDIX A – USING THE EXPORT DATA TOOL FOR PERMISSIONS
APPENDIX B – USING THE IMPORT DATA TOOL
APPENDIX C – LEGACY PERMISSIONS
APPENDIX D – KNOWLEDGE CHECK ANSWERS

About this Handbook

This handbook is intended to complement the instructor-led presentation of this course and to serve as a source of reference. American English is the standard used in this handbook.

The following typographic conventions are also used:

Use: Example / Visualization

• Demonstration by Instructor: A hint or advanced detail is shown or clarified by the instructor. Please let the instructor know when you reach any of these points.
• Warning or Caution: A word of caution, generally used to point out limitations or actions with potential negative impact that need to be considered consciously.
• Hint: A hint, tip or additional detail that helps increase performance of the solution or helps improve understanding of the solution.
• Additional information: An indicator pointing to additional information or technique beyond the scope of the exercise but of potential interest to the participant.
• Discussion/Group Exercise: Used to indicate that collaboration is required to conclude a given exercise. Collaboration can be a discussion or a virtual collaboration.
• User Interface Text: Find the Flavor Gallery button
• Solution or SAP Specific term: E.g. Flavors are transaction-specific screen personalizations created and rendered using SAP Screen Personas.

Course Introduction

Overview

Through discussion, demonstration, and hands-on computer exercises, this course teaches you how to create and manage the Security Model in SAP SuccessFactors Learning. Certain features covered in this guide may not be enabled in your company’s environment.
If you see screenshots in this guide that do not match your company’s configuration, please skip the feature/lesson.

Course Objectives

Upon completion of this unit, you will be able to:
• Describe the SAP SuccessFactors Learning Security model
• Create Domains and Domain Restrictions
• Build Admin, User, and Instructor Roles

Target Audience

This course is intended for SuccessFactors administrators (admins) responsible for creating and maintaining the security system in SAP SuccessFactors Learning.

Assumptions

Administrator Role and Permissions

This training assumes that your SAP SuccessFactors Learning administrator role is associated with all available permissions in the system. If your role does not include certain permissions, those tabs and pages will be grayed out and/or inaccessible.

Some screenshots and certain features covered in this guide may not be enabled in your company’s environment. Please note that major configuration changes will need to go through Professional Services, as System Administrators do not have access to enable certain features.

Using this Guide

This handbook is intended to complement the instructor-led presentation of this course and to serve as a source of reference. American English is the standard used in this handbook.

The following typographic conventions are also used:

Use: Example / Visualization

• Demonstration by Instructor: A hint or advanced detail is shown or clarified by the instructor. Please let the instructor know when you reach any of these points.
• Warning or Caution: A word of caution, generally used to point out limitations or actions with potential negative impact that need to be considered consciously.
• Hint: A hint, tip or additional detail that helps increase performance of the solution or helps improve understanding of the solution.
• Additional information: An indicator pointing to additional information or technique beyond the scope of the exercise but of potential interest to the participant.
• Discussion/Group Exercise: Used to indicate that collaboration is required to conclude a given exercise. Collaboration can be a discussion or a virtual collaboration.
• User Interface Text: Find the Flavor Gallery button
• Solution or SAP Specific term: E.g. Flavors are transaction-specific screen personalizations created and rendered using SAP Screen Personas.

SAP SuccessFactors Community

Customer Community is your one-stop shop for support, quick answers, product training and quarterly release updates. You may also post ideas for enhancements on product-specific Q&A boards, and "Kudo" other ideas that you like. Enhancement ideas with the most kudos often become part of the product roadmap for future releases.

https://community.successfactors.com/

Additional Resources

For more information about SAP SuccessFactors, refer to these resources:

• SAP SuccessFactors Help Portal: https://help.sap.com/viewer/product/SAP_SUCCESSFACTORS_HXM_SUITE
• SAP SuccessFactors Release Information: https://help.sap.com/viewer/product/SAP_SUCCESSFACTORS_RELEASE_INFORMATION
• SAP SuccessFactors Community: https://community.successfactors.com/
• SAP Roadmap Explorer: https://roadmaps.sap.com/
• SAP Training Shop: https://training.sap.com
Lesson 1 – SAP SuccessFactors Learning Security Model Overview

Lesson Overview

The goal of this lesson is to establish a general understanding of the concepts and terminology associated with the Security Model in SAP SuccessFactors Learning.

Lesson Objectives

Upon completion of this lesson, you will be able to:
• Describe the SAP SuccessFactors Learning Security model
• List the steps used to implement the SAP SuccessFactors Learning Security model

Security Model Overview

SAP SuccessFactors Learning security works differently from the core SAP SuccessFactors Human Experience Management (HXM) Role Based Permissions (RBP) model. Therefore, security within SAP SuccessFactors Learning needs to be configured separately.

With RBP, Users can be granted access to the Learning system menu option to launch the system as a User. RBP may also be used to grant access to the Admin Center tool for Learning Administration so that Admins may launch the administration side of the system. Once they launch the SuccessFactors Learning module, their permissions within the user side and/or admin side of the system are controlled entirely by the Learning security model.

In SAP SuccessFactors Learning, the Security model is a combination of Roles, Permissions, Security Domains, and Security Domain Groups.

Term: Definition

Security Domain: An area in our security structure where entities are placed when we need to restrict access to them for some admins and not others. One example may be a Corporate security domain, which may contain Libraries, Assignment Profiles, Admin and other security-related entities. Another example may be regional security domains that contain the learning entities such as Items, Curricula, Programs, and Classes that are specific to the admins in that region.

Security Domain Groups: A group of one or more security domains that, when applied to the permissions in an admin role, will control where the admin may perform those permissions. For example, a security domain group called “Europe-All” may include the security domains of France, UK, and Germany (as well as others). When applied to the permissions in a role that pertain to user entities, the admin will only be able to perform those permissions for user entities in the Europe security domains.

Permission: A combination of a function (add, delete, copy, edit, search, etc.) and an entity (user, item, class, curriculum, instructor, assignment profile, etc.) that determines what an Admin may do in the LMS. Examples: Add User, Search Item, Edit Curriculum, Copy Assignment Profile.

Role: A list of permissions that are grouped together and associated to the instructor, user, and admin entities. These permissions allow access to menus, links, and tiles. For admin roles, security domain groups may be applied to permissions in the role to permit access only to certain security domains of entities.

Once the users are imported from the SAP SuccessFactors system (or any other HR Management System), they are assigned to a security Role that is specific to the Learning system (Admin, User, Instructor). The admin, user and/or instructor role assignment can be accomplished during a connector job, an assignment profile, import tool, or manual update in the admin, user or instructor entity.

Each type of Role contains a list of Permissions that determine what functions that particular role can perform. Depending on the organization, different Admin, User or Instructor roles may be created to meet their specific requirements. These roles can be copied, customized and applied to the Admin, User, or Instructor entity for access to the Learning system tools and features, depending on the needs.
In addition, the Learning Security model allows customers to control Admin access to specific data stored in the Learning system. If the customer would like to restrict Admins to working with certain data only (for example, Admins working in North America should have access to data created for the North America region only), they would need to build security domains and security domain groups, and assign the security domain groups to Admin roles accordingly.

Lesson Summary

In this lesson, you were introduced to the concepts and terminology associated with the Security Model in SAP SuccessFactors Learning. You should now be able to:
• Describe the SAP SuccessFactors Learning Security model
• List the steps used to implement the SAP SuccessFactors Learning Security model

Knowledge Check

Use what you learned in this Module to answer the following questions.

1. True or false: Role Based Permissions (within HXM) only grants access to the Learning module but does not determine what users may do within SAP SuccessFactors Learning.
   True
   False
2. Which of the following are entities in the system that are part of the security model?
   A. Roles
   B. User Groups
   C. Security domains and security domain groups
   D. Categories
   E. Permissions

Lesson 2 – Security Domains

Lesson Overview

The goal of this lesson is to understand the use of Security Domains in SAP SuccessFactors Learning security.

Lesson Objectives

Upon completion of this lesson, you will be able to:
• Explain Security Domains and their purpose
• Create a Security Domain structure in SAP SuccessFactors Learning
• Describe the purpose of Security Domain Type entities and how they are used

Security Domains Overview

The use of security domains is an important part of the security strategy. When a new entity (e.g. Item, Curricula, Assignment Profile, etc.) is added to the Learning system, an Admin has to select a security domain where that entity will reside. This allows you to keep the data organized and, more importantly, helps to determine which Admins can access which data elements (with the use of security domain groups; more information in Lesson 3).

The security domain structure should be complex enough to meet security needs but not so complex that it is difficult to maintain. A security domain structure should primarily be determined by the complexity, delegation, and distribution of administrators.

NOTE: As a best practice, do not create more levels of security domains than are actually needed. Typical security domain structures may represent the organization or regional structure of a company or agency.

Exercise 2.1: Create a Security Domain Structure

1. Navigate to System Administration > Security > Security Domains.
   Note: It is a best practice to search for an existing entity before adding a new one in order to avoid duplication.
2. Click the Add New link to create a new security domain.
3. Select the Add Root (Top) Level Security Domain radio button to create a parent Security Domain. Enter values into the Security Domain ID and Description fields (e.g. use your initials and a number). Click the Add button.
4. Once a security domain entity is added to the Learning system, you can still change the security domain description, as well as the hierarchical structure between security domains. Selecting a different parent security domain will move your security domain and build a new relationship between security domains.
   NOTE: Information about the Security Domain Types tab can be found in Lesson 2-2.
5. Repeat the exercise to create a security subdomain: from the Security domain entity, click the Add New link.
6. Choose “Add Security Subdomain” and select a security domain that you want to be the Parent Security Domain. Complete the Subdomain ID and Description fields.
7. Once you create a security domain structure, you can review it from the Parent security domain entity. Find the Parent security domain and expand the view under security domain ID.
   NOTE: The security domain Level starts from 0, which corresponds to the root-level security domain. The system increments each subsequent security subdomain by one.

Security Domain Connector

SAP SuccessFactors Learning allows Security Domains to be added to the system as part of the Security Domain Connector job. First, an Admin would need to download the Security Domain template (System Administration > Connectors > Download Connector Template and select Security Domain Connector as a TXT file) and complete it.

There are three types of information that the Security Domain template supports: Security Domain ID, Security Domain Description, and Parent Security Domain ID. This allows the Admin to create multiple Security Domains, as well as build the relationship between them by assigning Parent Security Domains.

For example, when a Customer acquires six new security domains of employees, the new security domains may be added to the system through the User Connector. However, the User Connector does not put the security domains into a security domain tree. Therefore, it might be necessary to use the Security Domain Connector.

Working with Security Domain Type Entities

When a new security domain is added to SAP SuccessFactors Learning, that security domain is automatically associated with all available security domain type entities.
A security domain type entity is a type of entity that can be stored in security domains (e.g. Item, Equipment, Assignment Profile, Role, etc.).

There are two kinds of entities in the system:
• Global references are entities that are not stored in security domains but are available as part of a global list.
• Security domain types are entities that are saved into specific security domains.

The PUBLIC Security Domain allows all of these entities to be created and saved in it.

Current list of existing Security Domain Types:

Note: The database names are used for the Security Domain Type entities from when they were originally created. Therefore, you can use this list as a lookup table for old terms and current terms. For example, QUAL, STUD, SCHD, CLASS, CTLG, and CPNT are now called Curriculum, User, Class, Cohort, Library, and Item respectively. Legacy Plateau Performance entities will be sunset, such as PLAN, PPG, ASSESSMENT PROCESS/SURVEY, GOAL, POSITION, and FORUM. Additionally, Brand is legacy in the LMS (as branding is now part of Themes in HXM) and Question is legacy due to PQE being sunset. USRPRFL is the old name for the Admin entity.

By specifying which Security Domain Types are allowed to be created in or moved to a security domain, we can create a more complex security model. Some security domains may contain certain specific security domain types that others will not allow. For example, the Corporate security domain may permit security domain types such as assignment profiles and roles. These security domain types may not be permitted to be stored at lower-level security domains.

Exercise 2.2: Associate a Security Domain Type Entity to a Security Domain

1. Navigate to System Administration > Security > Security Domains and create a new Security Domain (example “North-AM-Users”).
2. Select the Security domain types tab and remove all security domain types except the one for STUD (User). Click Apply Changes.
3. This will remove all security domain types from the security domain except the User security domain type.

NOTE: The purpose of security domain types is to allow or not allow certain entities to exist in certain security domains. For example, we can have a user-only security domain, or a security domain that contains assignment profiles, libraries, and admin accounts but no learning entities or users.

The security domain “North-AM-Users” will remain invisible to Admins as they work with other types of entities (e.g. items, programs, classes), since the security domain types for those entities are no longer listed for this security domain.

Lesson Summary

In this lesson, you were introduced to the use of Security Domains in SAP SuccessFactors Learning security. You should now be able to:
• Explain Security Domains and their purpose
• Create a Security Domain structure in SAP SuccessFactors Learning
• Describe the purpose of Security Domain type entities and how they are used

Knowledge Check

Use what you learned in this Module to answer the following questions.

1. True or false: When an Item is saved in the PUBLIC Security Domain, all Users will be able to find it.
   True
   False
2. Typical security domain structures represent the ___________ or ___________ structure.
3. When the Item security domain type is removed from the list of security domain types for the North-America security domain:
   A. Admins cannot add items to any security domain
   B. Admins cannot add items to North-America security domain
   C. Admins cannot run a report on items saved in North-America security domain
   D. Admins cannot run a report on any item
Lesson 3 – Security Domain Groups

Lesson Overview

The goal of this lesson is to understand what security domain groups are and how to implement them in the SAP SuccessFactors Learning security model.

Lesson Objectives

Upon completion of this lesson, you will be able to:
• Describe Security Domain Groups and how they are used
• Create a Security Domain Group

Security Domain Groups

Security domain groups (formerly known as Domain Restrictions) are entities that determine in which security domains an Admin may exercise permissions. For example, if the security domain group North-America contains the North-Am, North-Am-Sales, and North-Am-HR security domains, Admins whose roles have the North-America security domain group applied can access entities that reside in the North-Am, North-Am-Sales, and North-Am-HR security domains (plus the PUBLIC security domain, which is automatically added to every security domain group).

NOTE: If there are no security domain groups applied to an Admin Role, the Admin may perform all permissions in the role in all security domains.

Security domain groups can contain one or more security domains. The security domains selected for the security domain group do not have to be connected in the hierarchical structure, but there are some patterns to customer implementations of security domain groups:
• Family branch – an Admin is responsible for the entities in the Europe region, which means access to the entities in the Europe security domain and its security subdomains (Europe-Sales and Europe-HR security domains)
• Sibling – an Admin is responsible for siblings on the same branch. For example, an Admin has access to the entities in Europe-Sales and Europe-HR but not in the parent security domain (Europe)
• Parent-child – an Admin is responsible for a parent security domain and one or more children but not the entire branch.
  For example, an Admin has access to the entities in the Europe security domain and the Europe-HR security domain
• Mix-and-match – in this pattern, any security domains may be included in a security domain group (from different parts of the same security domain tree or even different trees).

Exercise 3.1: Create a Security Domain Group

Note: It is a best practice to search for an existing entity before adding a new one in order to avoid duplication.

1. Navigate to System Administration > Security > Security Domain Group and click the Add New link.
2. Complete the Security Domain Group ID and Description fields (e.g. use your initials and a number), then select the Security domain in which you want to save the entity (e.g. the CORP domain).
3. Click the Add button.
4. Once the entity is added, select the Security Domain tab to add security domains to your security domain group.

NOTE: When a Parent Security domain is selected, you will have an option to include or remove security subdomains. The Security Subdomain option results in a security domain group for the parent and child security domain(s). Remember to click Apply Changes.

Public Security domain

The Public security domain is added to every security domain group automatically and cannot be removed. Any entities that have been saved in the Public security domain will be accessible by any Admin whose role permits them to work with those entities. Therefore, since the Learning security model specifies that all data should reside in specific security domains and access to them should be controlled through security domain groups, Admins should not use the PUBLIC security domain and should always save entities into more appropriate security domains.
Once a security domain group has been created, it can be applied to permissions in an Admin role in order to restrict the Admin’s access to the data in only those specific security domains. This process will be described in Lesson 4.

Lesson Summary

In this lesson, you were introduced to Security domain groups and how to implement them in SAP SuccessFactors Learning. You should now be able to:
• Describe Security domain groups and how they are used
• Create a Security domain group

Knowledge Check

Use what you learned in this Module to answer the following questions.

1. True or false: The PUBLIC domain can be removed from a security domain group.
   True
   False
2. What are the patterns to customer implementations of security domain groups?
   A. Sibling
   B. Family branch
   C. Mix-and-match
   D. Parent-Child
   E. All of the above

Lesson 4 – Role Management

Lesson Overview

The goal of this lesson is to establish a general understanding of Role Management in SAP SuccessFactors Learning.

Lesson Objectives

Upon completion of this lesson, you will be able to:
• Explain Role Management in the SAP SuccessFactors Learning system
• List three types of Roles in the SAP SuccessFactors Learning system
• Create an Admin role and apply Security domain groups
• Create and assign an Admin account

Role Management Overview

As described in Lesson 1, the SAP SuccessFactors HXM Role Based Permission model only grants access to the Learning module to Users and only allows access to the Learning Administration tool to Admins. What they can do within the Learning system is fully controlled by permissions, which are unique for each type of Role. The SAP SuccessFactors Learning system currently supports three types of Roles: Admin, User, and Instructor.
When creating a new role template, an Admin has an option to choose which type of Role (s)he wants to create, and then to define the role's access within the Learning system by adding/removing permissions. Permissions are combinations of functions (actions) and entities, and each Role contains a set of permissions that are specific to that Role.

This security model permits a Customer to create multiple roles for each type of Role and assign each a different set of permissions. For example, if the customer needs to support multiple types of users (full time, contractors, vendors, customers, etc.), they might want to create a role for each type of user and provide them different access to the user-side tiles, menus, and links. For example, vendors or external users will not need access to internal links or the Curriculum Status tile.

The instructor type of role contains permissions that allow certain abilities on the instructor view of the user side (the My Classes tab). User and Instructor role types are discussed more in Lesson 5.

Admin roles may be created with different security domain groups applied to the permissions in the role. This allows admins with the same basic function to perform their role only in their areas of responsibility (security domain groups). Each permission can be restricted by only one security domain group; however, as mentioned in Lesson 3, the security domain group may contain multiple security domains. As shown in Figure 3, Security domain group “North-Am” has been applied to the permission “Add Users”, which means that the Admin with this role will be able to create user entities in the North-Am, North-Am-Sales, North-Am-HR, and Public security domains only (see Lesson 3 Security domain groups, Figure 2).
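The rules this guide states for security domain groups can be modelled in code to review a role design before it is built in the system. The following is an added example, not SAP code and not part of the original guide: the domain tree, role IDs, admin IDs and the "Search Items" permission name are constructed, and treating the guide's rule that the less restrictive role takes priority (stated in Exercise 4.3) as a union across an admin's roles is an assumption.

```python
from dataclasses import dataclass, field

PUBLIC = "PUBLIC"

# Constructed security domain tree (child -> parent); names follow the guide's examples.
DOMAIN_PARENT = {
    "CORP": None, PUBLIC: None,
    "North-Am": "CORP", "North-Am-Sales": "North-Am", "North-Am-HR": "North-Am",
    "Europe": "CORP", "Europe-Sales": "Europe", "Europe-HR": "Europe",
}


def subtree(root):
    """Return root plus all of its security subdomains (the 'family branch' pattern)."""
    found = {root}
    changed = True
    while changed:
        changed = False
        for child, parent in DOMAIN_PARENT.items():
            if parent in found and child not in found:
                found.add(child)
                changed = True
    return found


@dataclass(frozen=True)
class SecurityDomainGroup:
    group_id: str
    domains: frozenset

    @classmethod
    def build(cls, group_id, members, include_subdomains=False):
        domains = set()
        for name in members:
            domains |= subtree(name) if include_subdomains else {name}
        domains.add(PUBLIC)  # PUBLIC is in every group and cannot be removed
        return cls(group_id, frozenset(domains))


@dataclass
class AdminRole:
    role_id: str
    # permission name -> SecurityDomainGroup, or None when no group is applied
    permissions: dict = field(default_factory=dict)


def effective_domains(roles, permission):
    """Security domains in which an admin holding `roles` may perform `permission`."""
    allowed = set()
    for role in roles:
        if permission not in role.permissions:
            continue
        group = role.permissions[permission]
        if group is None:
            # No security domain group applied: the permission works in all domains.
            return set(DOMAIN_PARENT)
        allowed |= group.domains  # assumption: less restrictive role wins = union
    return allowed


def can_perform(roles, permission, domain):
    return domain in effective_domains(roles, permission)


def unrestricted_findings(admins):
    """List (admin, role, permission) where no security domain group limits the permission."""
    findings = []
    for admin_id in sorted(admins):
        for role in admins[admin_id]:
            for permission in sorted(role.permissions):
                if role.permissions[permission] is None:
                    findings.append((admin_id, role.role_id, permission))
    return findings


# Constructed sample data: one family-branch group and one sibling group.
NORTH_AM = SecurityDomainGroup.build("North-Am", ["North-Am"], include_subdomains=True)
EU_SIBLINGS = SecurityDomainGroup.build("EU-Siblings", ["Europe-Sales", "Europe-HR"])

TC_NORTH_AM = AdminRole("TC-NORTH-AM", {"Add Users": NORTH_AM, "Search Items": None})
TC_EUROPE = AdminRole("TC-EUROPE", {"Add Users": EU_SIBLINGS})
ALL_COPY = AdminRole("ALL-COPY", {"Add Users": None})

ADMINS = {
    "admin_a": [TC_NORTH_AM],
    "admin_b": [TC_NORTH_AM, TC_EUROPE],
    "admin_c": [TC_EUROPE, ALL_COPY],
}

if __name__ == "__main__":
    for admin_id, roles in ADMINS.items():
        print(admin_id, "Add Users in:", sorted(effective_domains(roles, "Add Users")))
    for finding in unrestricted_findings(ADMINS):
        print("unrestricted:", finding)
```

The findings list is the part to review first: every entry is a permission that reaches all security domains, and a single such role assigned alongside restricted roles removes the restriction for that permission.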
To conclude, the security model within SAP SuccessFactors Learning allows the customer to build multiple roles from three types of Roles (Admin, User, Instructor), use permissions to determine which features and functionality an admin with the role may access, and apply security domain groups to Admin roles in order to limit an Admin’s access to certain data only.

Admin Role Management

Admins can have different types of responsibilities depending on the organization requirements (internal factors) and the enterprise environment (external factors). A typical Admin structure is built from a Super Admin that has unrestricted access to the entire Learning system, and other Admins whose access is determined by the split of roles and responsibilities within the organization.

There are several System Default Admin Roles:
• ALL - Default Role with all permissions
• ALL_CONNECTOR - Role with connectors permissions

These system default roles are preconfigured with permissions and may be overwritten with a new release that adds new features. For this reason, it is recommended to create a customer-specific copy of each of these rather than using the system default ones. The copied roles allow the customer to control the exact permissions for each of their roles.

The SAP SuccessFactors Learning system allows customers to create multiple Admin Roles and, as necessary, apply Security domain groups. When admin accounts are added to the Learning system (either manually or through the Admin Connector), one or multiple Admin roles can be assigned to an admin account. This way you can fully control what an admin is able to perform in the system and add a new role or unassign any unnecessary one(s).

When creating a new Admin role, it is a best practice recommendation to create a template role and test it for all the necessary permissions before applying security domain groups.
Basic guidelines for creating an Admin role:

1. Always identify and create a template role. In the description for this role, repeat back the customer requirements for what this role is allowed to do and what the role is specifically not permitted to do.
2. Add permissions from each section carefully as appropriate. Follow the guidelines below to include permissions for add/edit/view/copy/delete those entities that the role needs to work with. Remember that some entities in the system require access to other entities. For example, if you are adding items to a library, you will probably need permissions that permit you to search items and libraries as well as add library item and add item library.
3. Remove (or don’t add) permissions that are typically locked down to only the system admin role such as the ability to add/edit/delete reference entities. If you are not sure what references are, you should familiarize yourself by viewing the lists under each reference menu.
4. If this role will be running reports, make sure to include the reports themselves, full searching ability, and the critical View User Background Job permission from the System Administration category of permissions.
5. Once the template role has been created and tested by the customer, it may be copied and security domain groups may be applied to each copy of the role.
6. Remember that there are several ways to apply security domain groups to permissions in a role:
   a. by function,
   b. by entity, and
   c. by permission.
   There may be different security domain groups applied to different permissions – so for example, an admin may need to search for items from anywhere in the security domain tree, but may only create classes in one specific security domain.
7. Test each role by creating an Admin and assigning them just one role.
   Log in as the Admin and note what the role permits them to do, what they are not allowed to do, and, if security domain groups have been applied, where they can view records or add records.

NOTE: In the integrated environment, the designated Learning administrator must first exist as a user within the SAP SuccessFactors HXM application. From within SAP SuccessFactors HXM, admin permissions to access Learning Administration must be granted to those users who will be Admins in SuccessFactors Learning. After this step, an admin account within the SAP SuccessFactors Learning instance can be created. It is important to make sure that the SAP SuccessFactors HXM user ID is the same as the admin ID created in SAP SuccessFactors Learning.

Sections of Permissions

Permissions permit access to certain menu options, links, buttons, and tools in the system in order for the Admin to do what they need to do. The permissions that may be assigned to an Admin role exist in different sections which are primarily based on the main menu options of the Admin screen. When considering which permissions to add to a role, customers will need to decide exactly what entities an Admin with this role will need to work with and specifically what functions they will need to perform on those entities. Choosing an entire section of permissions is usually NOT going to be a good idea – with the possible exceptions of the Search category (for most roles) and the System Administration category for only the highest level System Admin, ALL, or similar role.

Basic Learning Records - If a role is creating records in the system such as Items, Curricula, and Programs, many of the necessary permissions will be found in the Learning Activities section. This role is likely to need the ability to add/edit/copy/delete and view all of these entities.
The ability to search for these entities will be found in the Search section of permissions. This role would not be the one likely to add/edit references, so permissions that relate to reference values would likely only contain Search and possibly View.

Working with Users – any role that assigns learning needs to users, enters the user record in either view or edit mode, records learning, or performs any similar function with users will need to include some of the permissions in the People Management section. Again, this role is not likely to add or edit reference values that pertain to users, so only Search and possibly View for reference entities.

Searching - The permissions in the Search categories are relatively safe to use in most admin roles. If the role will need to search for most entities including learning records, users, and references, the Search permissions should be included. If there are entities that a company doesn’t use at all (such as for legacy Plateau Performance or Commerce for example), those Search permissions should be removed from the role(s).

Report running versus Report designing – The permissions in the Reports category include all of the out of the box reports as well as some permissions that would be specific to only those admins who will be working with Report Designer (PRD) and custom reports. These special permissions include Import/Export Reports, Publish/Unpublish Reports, and Add/Edit Report Group. As custom reports are created and imported, an admin role may be edited to include the new permission created in the system that’s specific to that custom report. While most permissions from the System Administration category are not usually assigned to roles other than the most powerful (System Admin, ALL, or similar), there is one that is critical for any role in order to run reports.
The View User Background Job permission must be added to any role that will be running reports in SAP SuccessFactors Learning. Most admin roles should include the ability to run reports that pertain to their responsibilities. For example, an admin that will be creating items and curricula will likely need to run the Item Data and Curriculum Data reports. An admin that is assigning curricula to users will likely need to run the Curriculum Item Status report. As most reports require searching for entities, any admin role that is running reports will also need most search permissions.

A special role called REPORT_DEVELOPER is available (by request from Support) for any Admin who will be using SAP SuccessFactors Report Designer (also called PRD or BIRT). This role does not contain any permissions but is necessary for the Admin in order to access a private screen with additional information and tools to use BIRT/PRD with the staging environment to test their reports. More information about this may be found in the training guide for SAP SuccessFactors Report Designer (HR868).

References

Because references are entities whose values are shared globally across the entire company (and not security domain type entities), most customers restrict which roles are permitted to add/edit/delete and copy references. While other admin roles may need the Search (and sometimes View) permissions for these entities, usually only the System Administrator role (or some version of the ALL role) is permitted to create and edit references. Values for some references may be populated as a result of the connectors or import data tool, but others may be entered manually. Examples of references include: Item Types, Completion Statuses, Assignment Types, Categories (formerly Subject Areas), Employee Statuses, Employee Types, and Job Codes.
When you are adding permissions to an Admin role (that is not the System Admin) from a section of permissions (e.g. People Management or Learning Activities), it is a best practice to avoid adding those that would allow the admin to Add/Edit the reference. Be sure that all/most Admin roles have the ability to search for references, as this will be necessary when they are searching for other entities. For example, searching for users should allow searching by job codes and searching for items should allow searching by item type.

Connector Administration

While other Admin roles may have the need to view the Connector APMs (to see when they are scheduled to run), only a few high-level Admins will likely need to actually schedule them to run. There is a default role called ALL_CONNECTORS which has the Edit permissions from this section. Only those admins who will actually need to schedule connectors will need the ALL_CONNECTORS role.

Exercise 4.1: Create a Template Admin Role

1. Navigate to System Administration > Security > Role Management and click the Add New link.
2. Complete the Role ID, Description, and Security Domain fields and select Admin in the Role Type. (For example, enter XXX-TC-TEMP and use your initials in place of XXX to create the Training Coordinator Template role. Use CORP for the security domain.)
3. Click the Add button.
4. Select the Permissions tab and click Add one or more from list in the Add Permissions to the Role section.
5. Expand each section of permissions by clicking the red plus sign next to it. Check each checkbox for the permissions you want to add to this role. Click the Add button to add the selected permissions to the role.
6.
If you want to remove a permission that was previously added, expand the section of permissions in the Remove Permissions from the Role area, check the Remove checkbox for the permission(s) to be removed, and click the Apply Changes button.

Exercise 4.2: Apply Security Domain Groups

Once a new Admin role has been created and the specific permissions have been added/removed from it, a security domain group may be applied. Each permission in the role can have a unique security domain group applied; however, the typical approach is one security domain group applied across several permissions in a role by either function, entity, or individual permission.

NOTE: It is recommended that a “template” version of each role should be created and then tested before copying it and applying security domain groups to each copy of the role as appropriate. In case of issues with the role, such as permissions that should be added or removed, this recommendation would allow us to be sure that the role contained all the appropriate permissions before we copy it. If we later find we need to add or remove a permission, it will be less efficient to have to do this for each of the copies of the role. Therefore, the leading practice when working with new roles in SAP SuccessFactors Learning is to create a template role first, assign it to an account and test it. Once you are certain it contains all the necessary permissions, copy the template role and apply the appropriate security domain groups to each of the copies.

1. Navigate to System Administration > Security > Role Management and find the role you have previously created.
2. Select the Entity Restr. tab, expand the appropriate section of permissions (by clicking the red plus sign) and choose the Security Domain Group ID that you want to apply to these permissions for a certain entity.
   For example, we could apply the PCW security domain group to the Items entity so that all permissions in this role related to Items may only be performed in the security domains contained in the PCW security domain group.
   Note: A security domain group that has been applied to one entity may be applied to all other entities (if desired) by selecting the Apply to All Entities radio button.
3. Click Apply Changes.

Example: Training Coordinators should be able to perform Learning Management related tasks in the PCW security domain and all its subdomains.

The security domain group PCW has been created to include PCW, all subdomains, and the PUBLIC domain. We would create the template role for Training Coordinators first and test it without any security domain groups. Then we would copy the template to the TC-PCW role and apply the PCW security domain group to the item entity. An Admin with this example role would be able to create items only in one of the PCW domains, but they could work with libraries from any security domain.

NOTE: For some of the permissions it is possible to apply State Restrictions, which refer to the entity state: active, inactive, and both. This allows us to specify what state of the entities an Admin can work with. If no State Restriction is selected, the Admin is allowed to work with both active and inactive entities.

4. Select the Permission Restriction tab and expand the appropriate section of permissions (by clicking the red plus sign). Verify that the security domain groups have been applied correctly or make any changes necessary so that all permissions have the appropriate security domain groups.
5. If you make any changes on this tab, click the Apply Changes button.

Exercise 4.3: Create an Admin Entity

In this activity you will learn how to create an Admin entity.
NOTE: For the integrated environment, remember to check the user ID in SAP SuccessFactors HXM, and use that ID when creating an admin account.

1. Navigate to System Administration > Security > Administrators and click the Add New link.
   Note: It is a best practice to search for an existing entity before creating a new one – to avoid creating a duplicate.
2. Complete all the necessary fields, including Admin ID, Last Name, First Name, Email Address, and Password fields.
   NOTE: By adding a User in the Related User field, the Admin entity will be associated to the User entity.
3. Click the Add button.
4. Select the Assigned Roles tab > click the Add one or more from the list link. From here select the role(s) you want to assign to the admin account. (For example, adding the ALL role will give this Admin the ability to perform all permissions without restriction, with no security domain groups applied.)
   NOTE: An administrator account can have multiple administrator roles assigned to it. In case one role is less restrictive than the other assigned to the same admin account, the SAP SuccessFactors Learning system will give the priority to the less restrictive role. Therefore, a good understanding of roles and permissions, as well as of the security domain groups that have been created in the system for use with admin roles, is necessary.
5. Select the Preferences tab to select Locale and Time Zone.
6. Log out from the Learning system, and log in with the new Admin credentials. If your Admin account has been associated with a User, the Home tab should display as well.

NOTE: The procedure may change once the ability for Native Login has been sunset.
Also, the Admin Connector (System Administration > Connectors) allows us to mass import admin accounts into the SAP SuccessFactors Learning system. It requires you to prepare the Admin Connector data file and upload it into the Learning system through the Connector file upload.

Lesson Summary

In this lesson, you were introduced to Role Management in SAP SuccessFactors Learning. You should now be able to:
• Explain the Role Management model in the SAP SuccessFactors Learning system
• List three types of Roles in the SAP SuccessFactors Learning system
• Create an Admin role and apply Security Domain Groups
• Create and assign an Admin account

Knowledge Check

Use what you learned in this Module to answer the following questions.

1. True or false: It is a best practice to create a template role and test that all the necessary permissions have been added and then copy the role before applying security domain groups to the permissions in the copied roles.
   True
   False
2. How many security domain groups can be assigned to a single permission?
   A. One
   B. Maximum two
   C. Unlimited
   D. None

Lesson 5 – User Roles and Instructor Roles

Lesson Overview

The goal of this lesson is to establish an understanding of User roles and Instructor roles in SAP SuccessFactors Learning.

Lesson Objectives

Upon completion of this lesson, you will be able to:
• Create a User role in the SAP SuccessFactors Learning system
• Identify the area of the user role that pertains only to Managers
• Create an Instructor role in the SAP SuccessFactors Learning system

User Role Management

A user is any person for whom a user entity has been created, including employees, contractors, and others for whom you wish to maintain learning history records and to register for courses.
Typically there is only one User role applied to all Users in the SAP SuccessFactors Learning system. However, if there is a need to grant different levels of access to Learning menus, multiple user roles can be created and assigned to Users accordingly (but only one user role can be assigned to a user).

There are two system default user roles, and like default admin roles, it is recommended that customers create new user roles, as the default ones have preconfigured permissions and may be updated with new releases. If a customer would like to decide whether to enable new functionality and not automatically “opt-in” to new features on the user side, they will want to use their own role(s) instead of the default.
• DEFAULT USER - System Default User Role
• LEARNING_USER - System Default Learning User Role

Since the DEFAULT USER role contains every possible permission, it is usually a best practice to copy this role to create the customer-specific User role. After copying the role, the Admin may remove any permissions that they do not want the users to have. For example, if a customer has decided that they are not using certain features like Commerce, User-created content, or peer-to-peer recommendations, the permissions that allow these may be removed from their User role.

NOTE: In the integrated environment, the user data must first exist within the SAP SuccessFactors HXM application. From within SAP SuccessFactors HXM, user permissions to access the Learning module must be granted. In the last step, the User Connector SF runs and feeds the user data from HXM into SAP SuccessFactors Learning. As a result, user entities are added to the SAP SuccessFactors Learning system and, based on the permissions from SAP SuccessFactors HXM, are given access to the Learning module from the dropdown menu.
This guide will only focus on the configuration settings that need to be performed within the SAP SuccessFactors Learning system. More information about Role Based Permissions can be found in the THR80 course.

Exercise 5.1: Create a New User Role

1. Navigate to System Administration > Security > Role Management, search for the DEFAULT USER role, and click the Edit icon.
2. Click the Copy Role button.
3. Enter a new Role ID, check the checkbox for Copy Assigned Permissions, and click the Copy button.
4. Enter the Security domain (e.g. CORP) and click Apply Changes.
5. Click the Permissions tab and the Expand All link to view the existing permissions in this role.
6. To remove permissions, check the checkbox in the Remove column for each permission to be removed and click Apply Changes. To add permissions to the role, click the add one or more from list link.

Exercise 5.2: Create a User Entity

Typically, users will be added to the SAP SuccessFactors Learning system through a regularly scheduled connector. Some customers may permit external users to add themselves to the system, while other customers may add some users manually. In this activity you will learn how to create a User manually.

1. Navigate to People > Users
   Note: It is always a best practice to search for entities before creating them in order to avoid duplicates. Search for a user by name and look for both active and inactive users to be sure this user is not already in the system.
2. Click the Add New link and complete all the necessary fields, including User ID, Last Name, First Name, Email Address, security domain, and any other fields
3. Select the appropriate Role from the dropdown
4.
Click the Add button

Assigning a User Role to a User

There are multiple ways of assigning a role to the user entity:

1. User entity: This is a manual method of assigning or changing a User Role from the user entity (choose a role from the Role dropdown on the User Details tab).
2. Connector: When importing users into the SAP SuccessFactors Learning system through the Connector job, it is possible to assign a Role ID to user entities. If the Role ID is invalid or there is no role assigned to the user, then the connector defaults to the value in the configuration file (System Administration > Configuration > System Configuration > CONNECTORS > sfuser.connector.defaultValue.studentRoleID)
3. Import Tool: When importing users through Import Tool, the Role field is required. Therefore, it is not possible to import the users without specifying the Role ID.
4. Assignment Profile: This is an automated method of assigning a Role to users. Assignment Profiles allow us to create dynamic groups of users based on their HR attributes, and assign them a specific User Role.

User Role with Manager Permissions

A User’s primary Manager is identified in the Primary Manager field (from within the user entity). The process of assigning the Primary Manager can be done either manually by an Admin (User entity > User Details tab > Primary Manager field) or by the connector(s).

There are no separate roles specifically for managers (the way there are roles for Admins, Users, and Instructors). Once a user is selected as a Primary Manager, the SAP SuccessFactors Learning system automatically makes available the Manager permissions that are in the My Team section of the user’s User Role. The My Team section contains the permissions for the actions the Primary Manager can perform.
NOTE: Manager permissions are also controlled by the User Assumption Restriction Rules specified in the LEARNER_SECURITY configuration file.

User Proxy Role

The User Proxy Role controls what actions a delegate manager can perform in the SAP SuccessFactors Learning system. When a manager selects a user to act as delegate, the manager can decide what rights to grant the delegate (Selected Permissions) or use the globally defined set of rights (Predefined Permissions), which is controlled by the permissions contained in the USER PROXY ROLE.

Instructor Role Management

An Instructor can be any user in SAP SuccessFactors Learning who delivers training. An Instructor entity may be created simply as a resource in the system to indicate who will be delivering training for one or more time slots of a class. If the instructor will also need to perform certain functions within the system, they should be granted access to the instructor interface. This is accessed from the user-side of the Learning module on the My Classes tab.

Currently, the functions an instructor may be able to perform are limited to the following permissions:

There is one Default Instructor Role, and like any System Default Role, it is recommended that this role be copied to a new Instructor role since the default one has all of the available permissions and may be overwritten with a new release.

• DEFAULT INSTRUCTOR - Default Instructor Role

Once a customer has identified which permissions they want an instructor to have, they can edit the instructor role so that it includes only those permissions and all other permissions are removed.

To give a user access to the instructor interface (My Classes):

1. Create an Instructor entity for them and assign the desired instructor role.
2. Select the user in the Related User field of the Instructor entity.
3. Add the instructor as a resource to the time slot(s) of one or more classes.
4. Authorize the instructor for one or more items (if they will be adding history records for ad hoc classes).

Exercise 5.3: Create an Instructor Role

In this activity you will learn how to create a new Instructor role by copying from an existing one.

1. Navigate to System Administration > Security > Role Management and search for the DEFAULT INSTRUCTOR ROLE. Click the edit icon.
2. Click the Copy Role button and enter the new Role ID, check the checkbox for Copy Assigned Permissions, and click the Copy button.
3. Edit the Security Domain field (e.g. CORP) and Apply Changes.
4. Select the Permissions tab and click Expand All to view a list of permissions that are currently assigned to the role.
5. By selecting the check box in the Remove column and clicking Apply changes, you can remove any permission(s) from the role. If you want to add permissions to the role, click the add one or more from list link.

Exercise 5.4: Create an Instructor Account

In this activity, you will learn how to create an Instructor account and assign a user to it.

1. Navigate to People > Instructors > click Add New link.
   Note: It is always a best practice to search for an entity before adding it to avoid duplication.
2. Complete all the necessary fields, including Instructor ID, Last Name, First Name, Email Address, and Security domain. Choose which Instructor Role you want to assign to the instructor.
3.
At this point, you can associate an existing user to this instructor entity and this user will be granted access to the instructor interface (My Classes). This may also be done later, either from the instructor entity or directly from the user entity.
   NOTE: It is also possible to associate one or more items here that this instructor will be authorized to teach. This serves two purposes: 1) A search of instructors from the Time Slot of a class may be filtered by just those instructors that are authorized, and 2) if the instructor role permits it, authorized instructors may add history records for “ad hoc” (unscheduled) training for their authorized items. This may also be determined later from the Authorized to Teach tab of the instructor entity or from the Instructors tab of the Item entity.
4. Click the Add button to create a new instructor account. If necessary, you may now complete the instructor entity with other information. If you make any changes, click Apply Changes.

Lesson Summary

In this lesson, you were introduced to User roles and Instructor roles in SAP SuccessFactors Learning. You should now be able to:

• Create a User role in the SAP SuccessFactors Learning system
• Identify the area of the user role that pertains only to Managers
• Create an Instructor role in the SAP SuccessFactors Learning system

Knowledge Check

Use what you learned in this Module to answer the following questions.

1. How many System Default User Role(s) are there in the SAP SuccessFactors Learning system?
   A. One
   B. Two
   C. Four
2. List all available methods of assigning a role to the user entity.
3. Fill in the blank: A user’s primary Manager is identified in the __________ field.
4. The User Proxy Role controls what actions:
   D. An Admin can perform when proxying as a user
   E. A Delegate can perform
   F. A Primary Manager can perform
5.
Which one of the following categories of permissions in a user role determines the functions of a Manager?
   1. Personal
   2. Learning
   3. My Team
   4. Library
6. Match the step number with the process for giving a user access to the Instructor interface (My Classes).
   Step numbers: Step 1, Step 2, Step 3, Step 4
   Processes:
   • Add the instructor as a resource to the time slot(s) of one or more classes
   • Create an Instructor entity for them and assign the desired instructor role
   • Authorize the instructor for one or more items (if they will be adding history records for ad hoc classes)
   • Select the user in the Related User field of the Instructor entity.

Appendix A – Using the Export Data Tool for Permissions

The most recent list of Admin, User, User Proxy and Instructor permissions can be found in the Configuration Workbook. One way to learn about available permissions for each of the SAP SuccessFactors Learning roles is to check the system default roles. In addition, the SAP SuccessFactors Learning system allows an admin to export the Admin roles, which will display all the permissions (including any security domain groups that have been applied). This method may be used to view all the permissions for existing Admin roles as well as to prepare to move them to another instance (e.g. from the staging or test instance into the production instance).

The Export Data Tool:

1. Navigate to System Administration > System Management Tools > Export Data.
2. In the Record type dropdown select Admin Role and click Next.
3. On the next screen click the Add one or more from list link to search for an Admin role. This might be any role since the goal is to download the Admin permission reference.
4. Once you have one or more roles listed in the Selected Admin Roles section, click Next.
5.
Select when you want the system to run the job, uncheck the checkbox for Notify via Email (unless you also enter an email address) and then click Finish.
6. When the status changes to Succeeded, go back to Export Data to download your report.
7. Once you have downloaded the file, you will find the Available Permissions Reference on the second worksheet tab.

NOTE: In the database, the older terminology has not been changed (e.g. Permissions were known as Workflows, Security Domain Groups were called Domain Restrictions, and workflow IDs for many entities may use the legacy terms).

Appendix B – Using the Import Data Tool

The Import Data tool allows an admin to mass upload different types of entities. In this Appendix, we will describe the process only for those types of entities that are connected to the Security model:

1. User: typically, the user entities are added or updated with the Connector job. This is an automated method which regularly feeds the data from the core HR system into the Learning module, which limits the amount of incorrect data. The Import Tool is another option to mass create (or update) user entities. However, since it requires working with an Excel file, it carries a risk of incomplete or erroneous data. Moreover, the user template does not support certain fields that the Connector template does, for instance HR Business Partner information.
2. Instructor: the Import Tool is the only method which allows admins to create instructor accounts from a batch file. Instead of manually adding instructor accounts from People > Instructors, an Admin may simply download the template, complete it with the necessary data and import the data to the system.
3.
Admin Roles: same as with the instructor accounts, the Import Tool is the only method that allows creating and/or adding admin role templates in a batch mode. This is especially useful for moving Admin roles and permissions from one instance to another (such as from the staging/test instance to production).

To upload data with the Import Tool:

1. Navigate to System Administration > System Management Tools > Import Data.
2. Select Download Template and in the Record Type select the type of entity you want to download. Click Submit.
3. The file (.csv) will download to your computer.
4. Open the file and complete it with the data you want to import for the respective type of entity. For the Required fields, check the comments to verify whether this field is referenced (if the field is referenced, it means that the data generally needs to exist prior to the import).
5. When the file is ready, navigate to Import Tool > select Import Data. In the Record Type select what type of record you want to import. In the Import Options choose whether you want to only add the entities, update, or add and update. Then select a file and click Submit.
6. Select when you want the system to run the job, uncheck the checkbox for Notify via Email (unless you also add an email address) and then click Finish.
7. You can check the status of the import from the Import Tool.
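A pre-import check for the user file completed in step 4, as an added example that is not part of this guide or of SAP's tooling: it flags empty required fields, referenced values that do not exist in the target instance, duplicates, conflicts with the chosen Import Option, and, as an extra least-privilege check, roles the batch is not approved to grant. The column headers, the `existing` lookup sets, the approved-role list and the role ID CORP_USER are assumptions; take the real headers from the downloaded template.

```python
import csv
import io

# Hypothetical headers: copy the real ones from the downloaded template.
REQUIRED = ("USER_ID", "LAST_NAME", "FIRST_NAME", "ROLE_ID", "DOMAIN_ID")
# Referenced fields: the value must already exist in the target instance.
REFERENCED = {"ROLE_ID": "roles", "DOMAIN_ID": "domains"}


def validate_user_import(csv_text, existing, approved_roles, mode="add"):
    """Return (line, user_id, problem) tuples for rows that need attention.
    existing: sets of IDs already in the target ("users", "roles", "domains").
    approved_roles: role IDs this batch may grant.
    mode: the Import Options choice ("add", "update" or "add_update")."""
    reader = csv.DictReader(io.StringIO(csv_text))
    absent = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if absent:
        return [(1, "", "missing column: " + ", ".join(absent))]
    problems, first_seen = [], {}
    for raw in reader:
        line = reader.line_num
        row = {k: (v or "").strip() for k, v in raw.items() if k in REQUIRED}
        uid = row["USER_ID"]
        for col in REQUIRED:
            if not row[col]:
                problems.append((line, uid, "empty required field " + col))
        if uid in first_seen:
            problems.append((line, uid, "duplicate of line %d" % first_seen[uid]))
        elif uid:
            first_seen[uid] = line
        known = uid in existing["users"]
        if mode == "add" and known:
            problems.append((line, uid, "user already exists"))
        if mode == "update" and uid and not known:
            problems.append((line, uid, "user not found for update"))
        for col, kind in REFERENCED.items():
            if row[col] and row[col] not in existing[kind]:
                problems.append((line, uid, "unknown %s %s" % (col, row[col])))
        role = row["ROLE_ID"]
        if role in existing["roles"] and role not in approved_roles:
            problems.append((line, uid, "role %s not approved" % role))
    return problems


# Constructed sample data, not exported from a real instance.
SAMPLE_CSV = """USER_ID,LAST_NAME,FIRST_NAME,EMAIL,ROLE_ID,DOMAIN_ID
jdoe,Doe,Jane,jdoe@example.com,CORP_USER,CORP
asmith,Smith,Al,asmith@example.com,,CORP
jdoe,Doe,Jane,jdoe@example.com,CORP_USER,CORP
bchan,Chan,Bo,bchan@example.com,DEFAULT USER,CORP
mlee,Lee,Mi,mlee@example.com,CORP_USR,EMEA
rkhan,Khan,Ri,rkhan@example.com,CORP_USER,CORP
"""
TARGET = {"users": {"rkhan"}, "roles": {"CORP_USER", "DEFAULT USER"},
          "domains": {"CORP"}}

if __name__ == "__main__":
    for issue in validate_user_import(SAMPLE_CSV, TARGET, {"CORP_USER"}):
        print("line %d user %r: %s" % issue)
```

Running the check with the same mode that will be selected under Import Options keeps the findings aligned with what the import job will actually attempt.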
Appendix C – Legacy Permissions

The following permissions refer to legacy functionality that will be removed from the system shortly:

| Category | Permission ID | Permission Label |
| --- | --- | --- |
| Connector Administration | Edit OrganizationOwnerConnector APM | Edit Organization Owner Connector |
| Connector Administration | View OrganizationOwnerConnector APM | View Organization Owner Connector |
| Content | Delete Exam Object | Delete Exam Object (Legacy) |
| Content | Edit Exam Object | Edit Exam Object (Legacy) |
| Content | Edit Printed Exam Template | Edit Printed Exam Template (Legacy) |
| Content | Edit Question | Edit Question (Legacy) |
| Content | View Exam Object | View Exam Object (Legacy) |
| Content | View Printed Exam Template | View Printed Exam Template (Legacy) |
| Learning | Access Forum | Access Community |
| Learning | Add Forum | Add Community |
| Learning | Delete Forum | Delete Community |
| Learning | Edit Forum | Edit Community |
| Learning | Move Forum | Move Community |
| Reports | Run Exam and Survey Objects Report | Run Exam Objects (Legacy) Report |
| Reports | Run Exam Item Analysis Report | Run Exam Item Analysis Legacy Report |
| Search | Search Exam Object | Search Exam Object (Legacy) |
| Search | Search Forum | Search Community |
| Student | Edit Org Dashboard Ownership | Edit Organization Dashboard Ownership |
| Student | View Org Dashboard Ownership | View Organization Dashboard Ownership |

Appendix D – Knowledge Check Answers

Lesson 1

1. True or false: Role Based Permissions (within HXM) only grants access to the Learning module but does not determine what users may do within SAP SuccessFactors Learning.
   True
   False
2. Which of the following are entities in the system that are part of the security model?
   A. Roles
   B. User Groups
   C. Security domains and security domain groups
   D. Categories
   E. Permissions

Lesson 2

1. True or false: When an Item is saved in the PUBLIC Security Domain, all Users will be able to find it.
   True
   False
2.
Typical security domain structures represent the organizational or regional structure.
3. When the Item security domain type is removed from the list of security domain types for the North-America security domain:
   A. Admins cannot add items to any security domain
   B. Admins cannot add items to North-America security domain
   C. Admins cannot run a report on items saved in North-America security domain
   D. Admins cannot run a report on any item

Lesson 3

1. True or false: The PUBLIC domain can be removed from a security domain group.
   True
   False
2. What are the patterns to customer implementations of security domain groups?
   A. Sibling
   B. Family branch
   C. Mix-and-match
   D. Parent-Child
   E. All of the above

Lesson 4

Use what you learned in this Module to answer the following questions.

1. True or false: It is a best practice to create a template role and test that all the necessary permissions have been added and then copy the role before applying security domain groups to the permissions in the copied roles.
   True
   False
2. How many security domain groups can be assigned to a single permission?
   A. One
   B. Maximum two
   C. Unlimited
   D. None

Lesson 5

Use what you learned in this Module to answer the following questions.

1. How many System Default User Role(s) are there in the SAP SuccessFactors Learning system?
   A. One
   B. Two (DEFAULT USER and LEARNING_USER)
   C. Four
2. List all available methods of assigning a role to the user entity.
   On the User Entity, using a connector, with the Import Data tool, and through an Assignment Profile.
3. Fill in the blank: A user’s primary Manager is identified in the Primary Manager field.
4. The User Proxy Role controls what actions:
   A. An Admin can perform when proxying as a user
   B. A Delegate can perform
   C. A Primary Manager can perform
5. Which one of the following categories of permissions in a user role determines the functions of a Manager?
   A. Personal
   B. Learning
   C.
My Team
   D. Library
6. Match the step number with the process for giving a user access to the Instructor interface (My Classes).
   Step 3: Add the instructor as a resource to the time slot(s) of one or more classes
   Step 1: Create an Instructor entity for them and assign the desired instructor role
   Step 4: Authorize the instructor for one or more items (if they will be adding history records for ad hoc classes)
   Step 2: Select the user in the Related User field of the Instructor entity.