Unit 2 - Sap Successfactors Employee Central - Security- Role Based Permissions 4i3h3r
This document was ed by and they confirmed that they have the permission to share it. If you are author or own the copyright of this book, please report to us by using this report form. Report 2z6p3t
Overview 5o1f4z
& View Unit 2 - Sap Successfactors Employee Central - Security- Role Based Permissions as PDF for free.
More details 6z3438
- Words: 4,591
- Pages: 33
THR81 SAP SuccessFactors Employee Central Academy
. .
PARTICIPANT HANDBOOK INSTRUCTOR-LED TRAINING . Course Version: 74 Course Duration: 10 Day(s) e-book Duration: 3 Hours 20 Minutes Material Number: 50141493
SAP Copyrights and Trademarks
© 2017 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or ed trademarks of SAP SE (or an SAP affiliate company) in and other countries. Please see http://global12.sap.com/ corporate-en/legal/copyright/index.epx for additional trademark information and notices. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.
Typographic Conventions American English is the standard used in this handbook. The following typographic conventions are also used.
This information is displayed in the instructor’s presentation
Demonstration
Procedure
Warning or Caution
Hint
Related or Additional Information
Facilitated Discussion
interface control
Example text
Window title
Example text
© Copyright. All rights reserved.
iii
Contents vi
Course Overview
1
Unit 1:
2
SAP SuccessFactors Employee Central Permissions
Exercise 1: Determine Access Lesson: Managing Security Using Role-Based Permissions (RBP)
8
Exercise 2: Examine RBP
13 17
Role-Based
Lesson: Managing Access
4 7
Security
Exercise 3: Create a Custom Group and Role Lesson: Implementing Data Changes and Reviewing Audit Trails
19
© Copyright. All rights reserved.
Exercise 4: Modify an Employee Record
v
Course Overview
TARGET AUDIENCE This course is intended for the following audiences: ●
Application Consultant
© Copyright. All rights reserved.
vi
UNIT 1
SAP SuccessFactors Employee Central Security Role-Based Permissions
Lesson 1 Managing Access
2
Exercise 1: Determine Access
4
Lesson 2 Managing Security Using Role-Based Permissions (RBP)
7
Exercise 2: Examine RBP
8
Exercise 3: Create a Custom Group and Role
13
Lesson 3 Implementing Data Changes and Reviewing Audit Trails
17
Exercise 4: Modify an Employee Record
19
UNIT OBJECTIVES ●
Determine the different types and the role of proxies
●
Track changes and insertions in EC records
●
Examine RBP
●
Set up RBP
●
Modify an employee record
●
Explain the function and location of the EC audit trail
© Copyright. All rights reserved.
1
Unit 1 Lesson 1 Managing Access
LESSON OVERVIEW In this lesson, you learn how to determine the different types and role of proxies in EC. You also learn how to track changes and insertions in EC records. LESSON OBJECTIVES After completing this lesson, you will be able to: ●
Determine the different types and the role of proxies
●
Track changes and insertions in EC records
Types
Employee Central (EC) has several types of s as shown in the figure, Types. The smallest role is a Local . A Local is an optional level that is set up using RBP. The Local has access to istrative functionality for a specific group of s. For example, you can set up a USA who resets s for s in the USA. The next level is an . An has access to functionality on the page. For example, you can set up an who manages the performance and goals functionality for a company.
© Copyright. All rights reserved.
2
Lesson: Managing Access
The third level is a Security . A Security is responsible for managing security using roles and permission groups in the RBP framework. A Security has access to Manage Permission Roles and Manage Permission Groups . The fourth and highest level is a Super . The Super is set up using Provisioning or by another Super in Center. A Super can grant an employee the permission to operate at any level. A Super has access to Manage RoleBased Permission Access .
Proxy Roles
Figure 2: Proxy Roles
Proxies are useful in EC. There are typically two roles in proxy. However, EC introduces a third. The Holder owns the and has the rights to view and edit information. A who has Proxy rights for an Holder can choose Proxy and open, view, edit, or send any item in the modules for which the has permissions. In EC, managers use proxy functionality as a delegation tool. When Private Data For Proxy Holder is deselected, the proxy does not have access to potentially sensitive information such as home address or compensation. Hint: System s control how proxies are assigned and who can assign them. The Help & Resources section in Center provides further information about proxies and proxy management.
© Copyright. All rights reserved.
3
Unit 1 Exercise 1 Determine Access
Business Example ACE Corporation has several s in the system. You must explore the different granted permissions to determine the level of each . levels are separate from RBP roles. Your level determines what ability you have to manage RBP. 1. Use Proxy to explore Access. Table 1: Ace Corp Access Super (s) Security (s) (s)
© Copyright. All rights reserved.
4
Unit 1 Solution 1 Determine Access
Business Example ACE Corporation has several s in the system. You must explore the different granted permissions to determine the level of each . levels are separate from RBP roles. Your level determines what ability you have to manage RBP. 1. Use Proxy to explore Access. Table 1: Ace Corp Access Super (s) Security (s) (s) a) to your instance as , Emily Clark. b) In the Set Permissions section, determine Emily Clark’s level based on her abilities. Note: You will not be able to tell in View Permission . c) Proxy as 1, 2, and 3 to determine the other roles. Note: Security : Emily Clark (), (s): 1, 2, Super : 3
© Copyright. All rights reserved.
5
Unit 1: SAP SuccessFactors Employee Central Security Role-Based Permissions
EC Historical Change Tracking
Figure 3: EC Historical Change Tracking
The EC platform is effective-dated across many of the Foundation Objects (FO) and employee records, which means that EC stores records and changes in a global system. When a new record is inserted, the previous record is closed. How do you know who is making those changes and when? For most effective-dated entities in the system, EC provides a high-level overview of changes in the History section of the instance. Permissioned s can also access Audit Reports for a more in-depth look at changes. LESSON SUMMARY You should now be able to: ●
Determine the different types and the role of proxies
●
Track changes and insertions in EC records
© Copyright. All rights reserved.
6
Unit 1 Lesson 2 Managing Security Using Role-Based Permissions (RBP)
LESSON OVERVIEW In this lesson, you learn how to examine and set up RBP. You also practice how to create a custom group and role. LESSON OBJECTIVES After completing this lesson, you will be able to: ●
Examine RBP
●
Set up RBP
RBP Overview
Figure 4: RBP
RBP is a customizable method of managing permissions in your company. Traditionally, HR managers are assigned the same permissions. However, you can use RBP to grant control at a granular level based on the specific work that a person does. You can define roles based on job codes, locations, relationships, and more. This granularity allows the groups to be both targeted and dynamic. For example, you can create permissions for HR managers in the USA that enable them to view and edit person and employment data for all of their employees in the USA.
© Copyright. All rights reserved.
7
Unit 1 Exercise 2 Examine RBP
Business Example You must view and troubleshoot permissions. 1. Use Center to view Permissions. Use the Search box to answer the following questions in the table, RBP Exploration. Table 2: RBP Exploration Question
Answer
What roles are granted to Managers like Carla Grant? What are some of her permissions? What roles are granted to s like Emily Clark? What are some of her permissions? What roles are granted to Employees like Roberto Kent? What are some of his permissions?
© Copyright. All rights reserved.
8
Unit 1 Solution 2 Examine RBP
Business Example You must view and troubleshoot permissions. 1. Use Center to view Permissions. Use the Search box to answer the following questions in the table, RBP Exploration. Table 2: RBP Exploration Question
Answer
What roles are granted to Managers like Carla Grant? What are some of her permissions? What roles are granted to s like Emily Clark? What are some of her permissions? What roles are granted to Employees like Roberto Kent? What are some of his permissions? a) to your instance as an . b) Navigate to Center→ Set Permissions→ View Permissions . c) Use the Search box to answer the following questions in the table, RBP Exploration.
© Copyright. All rights reserved.
9
Unit 1: SAP SuccessFactors Employee Central Security Role-Based Permissions
Permission Groups
Figure 5: Permission Groups
Permission Groups allow you to define employees in the Granted Population and Target Population roles. You can create these groups based on single or multiple parameters. For example, you can create a group of IT managers based on the job code IT-MGR. You can also create a group of IT managers in the USA based on job code and location. Permission Groups are an integral part of RBP. However, they might not be necessary if you are working with general conditions such as All Employees or Manager’s Direct Reports , which are predefined roles in the system. .
Best Practices for Naming Permission Groups
Figure 6: Best Practice for Naming Permission Groups
As a best practice, when creating permission groups use a prefix to help you to identify which group to use in your permission role. If you are creating a permission group that is receiving the permissions (a granted group), use the prefix Granted: for the name of the group. For example, if you are creating a permission group for IT managers, use the name Granted: IT Managers. Similarly, if you are creating a target permissions group, use the prefix Target. For example, if you want the IT managers to have access to all employees in the USA, you must create a target permission group based on location and use the name Target: Employees in USA.
© Copyright. All rights reserved.
10
Lesson: Managing Security Using Role-Based Permissions (RBP)
Permission Roles
Figure 7: Permission Roles
Permission Roles control the access rights in the system and involve the process of defining access to data and application functionality. To create and manage permission roles, choose Center→ Set Permissions→ Manage Permission Roles . After you add a name and description, choose Permission to go to Permission Settings , as shown in the figure, Permission Roles. You can see permission categories such as Employee Data and Employee Central Effective Dated Entities . When you select one of these categories, the permissions or fields for the category display on the right. Managers and employees in EC use the following permission categories: Employee Data, Employee Central Effective Dated Entities , and Employee Views. Some s also need access to Reports Permissions. If a customer chooses to use customizable fields in any of these categories, they must also receive permissions for the relevant roles.
Additional RBP Resources
Figure 8: Additional RBP Resources
© Copyright. All rights reserved.
11
Unit 1: SAP SuccessFactors Employee Central Security Role-Based Permissions
For more information on RBP, the Role-Based Permissions Handbook and EC Implementation Handbook from the SAP Help Portal (http://help.sap.com/cloud4hr).
© Copyright. All rights reserved.
12
Unit 1 Exercise 3 Create a Custom Group and Role
Business Example ACE Corporation wants IT managers to be able to update all employees’ social s information.
Note: What group(s) will you need? How will you determine the groups? What data do they need to access and where is it located?
Hint: The different areas on the drop down list of an employee’s file are called Employee Views. For example, Employment Information, Pending Requests , Scorecard , and so on. EC uses Personal Information and not Personal Info . Create a Custom Group and Role 1. Create the IT Manager Group. 2. Test your current permissions. 3. Create the IT Manager Access Role: 4. Test your configuration.
© Copyright. All rights reserved.
13
Unit 1 Solution 3 Create a Custom Group and Role
Business Example ACE Corporation wants IT managers to be able to update all employees’ social s information.
Note: What group(s) will you need? How will you determine the groups? What data do they need to access and where is it located?
Hint: The different areas on the drop down list of an employee’s file are called Employee Views. For example, Employment Information, Pending Requests , Scorecard , and so on. EC uses Personal Information and not Personal Info . Create a Custom Group and Role 1. Create the IT Manager Group. a) to your instance as an . b) Navigate to Center→ Set Permissions→ Manage Permission Groups . c) Choose Create New → Group Name→ Granted: IT Manager Group . d) Under Choose Group → Pick a category→ Job Code→ IT Manager(ITMGR)→ Done. e) In the upper right box, click Active Group hip → Update→ Click the Number. f) Select a for your testing. Click Done. 2. Test your current permissions. a) Proxy as an IT Manager. b) Navigate to Robert Allen’s Employee File. c) Can you see Robert Allen’s Personal Information → Social s Information ? Why or why not? 3. Create the IT Manager Access Role: a) Become Self and Navigate to Center→ Set Permissions→ Manage Permission Roles . b) Choose Create New → Role Name→ IT Manager Access.
© Copyright. All rights reserved.
14
Lesson: Managing Security Using Role-Based Permissions (RBP)
c) Under Step 2→ Permission. d) Choose Employee Data→ HR Information→ Social s Information → View + Edit. e) Choose Employee Views→ Personal Information → Done. f) Under Step 3→ Add. g) Under Grant role to: Permission Group → Select. h) Search for Granted→ Check Granted: IT Manager Group → Done. i) Under Target Population → Everyone→ Done→ Save Changes. 4. Test your configuration. a) Proxy as an IT manager. b) Navigate to Robert Allen’s Employee File → Personal Information . c) Can you see and edit the employee’s social s? Why or why not?
© Copyright. All rights reserved.
15
Unit 1: SAP SuccessFactors Employee Central Security Role-Based Permissions
LESSON SUMMARY You should now be able to: ●
Examine RBP
●
Set up RBP
© Copyright. All rights reserved.
16
Unit 1 Lesson 3 Implementing Data Changes and Reviewing Audit Trails
LESSON OVERVIEW In this lesson, you learn how to modify an employee record and explain the function and location of the EC audit trail. LESSON OBJECTIVES After completing this lesson, you will be able to: ●
Modify an employee record
●
Explain the function and location of the EC audit trail
Effective Dating for New Records
Figure 9: Effective Dating
In a previous lesson, you learned that it is possible to make changes using transactions and corrections. In this lesson, you learn how those updates and changes are made by an . Many of the records in EC are effective-dated. Each time you insert a new record for one of these items, the system prompts you to provide the effective date. It is important to understand and to maintain accurate effective dates because they enable you to create historical, present, and future records. For example, if Marcus is moving in January, you can add his new address with an effective date in the future. However, Marcus will not see that change in effect until January.
© Copyright. All rights reserved.
17
Unit 1: SAP SuccessFactors Employee Central Security Role-Based Permissions
istration Records Management
Figure 10: istration Records Management
There are several ways to alter employee files in the People Profile layout. Please note, you will only see these options if they are permissioned to you in Role Based Permissions. Clicking on the Pencil Icon allows you to insert a new dated entry into the Employee's file. If Event Reason Derivation is enabled, then they will be determined based on the change being made. Each new record added to the employee's file must be connected to a date in the past, present or future. This action can trigger an approval process, which will need to be completed before the record is active in the system. If you navigate to the history of a portlet and click on a dated record, you will see a variety of options. Edit enables an or permissioned to make changes to the historical record. For example, Marcus Hoff moved on January 5, 2010, but accidentally entered the incorrect ZIP code. To make changes to the historical record, choose History →Edit . This record will show corrected zip code only, however, you can still see the change was made in an audit report. This change will not trigger an approval process. Insert New Record is located under History (Clock Button) in the top-right corner. An event and event reason are required to insert a new record. Therefore, it is important for s with this privilege to be familiar with Events and Event Reasons in their system. Navigating this way will not trigger an approval process. Approval processes are only triggered through the Pencil Icon or Take Action --> Change Job and Compensation Information.
© Copyright. All rights reserved.
18
Unit 1 Exercise 4 Modify an Employee Record
Business Example Jane Millers’ address records are incorrect. Her manager has asked HR to correct and update these records with changes. Note: Where will you navigate to make the changes in Jane’s record? How will you correct the historical record? How will you know if the new address is in the system?
1. Correct your current address. Use the table, Changes, to make the required corrections. Table 3: Changes Address Correction (As of Hire Date)
New Address (As of April 01, 2018)
Jane Millers
Jane Millers
74 W Fernando St
4122 21st Road N
Apt 24
Arlington, VA 22207
Arlington, VA 22205 2. Insert a new address.
© Copyright. All rights reserved.
19
Unit 1 Solution 4 Modify an Employee Record
Business Example Jane Millers’ address records are incorrect. Her manager has asked HR to correct and update these records with changes. Note: Where will you navigate to make the changes in Jane’s record? How will you correct the historical record? How will you know if the new address is in the system?
1. Correct your current address. Use the table, Changes, to make the required corrections. Table 3: Changes Address Correction (As of Hire Date)
New Address (As of April 01, 2018)
Jane Millers
Jane Millers
74 W Fernando St
4122 21st Road N
Apt 24
Arlington, VA 22207
Arlington, VA 22205
a) to your instance as an . b) Navigate to Jane Millers→ Personal Information → Address Information → History. c) Click on the clock icon (History) in the Address Information section d) On the right of the screen, choose Edit. e) Use the table, Changes, to make the required corrections in the “Address Correction” side. Click Save. 2. Insert a new address. a) Navigate to Jane Millers→ Personal Information → Address Information → History. b) On the left of the screen, choose Insert New Record . c) Use the effective date: April 01, 2018. d) Use the table, Changes, to update the address based on the "New Address" section. Click Save. e) Close the history window using the X on the right of the screen. f) that the address change is pending in the Address Information section.
© Copyright. All rights reserved.
20
Lesson: Implementing Data Changes and Reviewing Audit Trails
EC Audit Trail
Figure 11: EC Audit Trail
The final layer of EC security is a complete audit trail. The audit trail is available both in the history of a record and as an ad-hoc report for records, as shown in the figure, EC Audit Trail. The first example in this figure is the record history. To access the record history for Jane Miller, choose Personal Information → Address→ History. Then, choose the record that is effective on November 12, 2012. On the bottom right, you can see that this record was last modified on December 13, 2012 by the on behalf of Nancy Nash. The second example in this figure is an ad-hoc report. This report shows the date and time of each record change and the who made the modification. To create or view an Audit Report, you must log on and have access to Reporting/Analytics and ad-hoc reports. Audit Report Features The audit trail has the following features: ●
It returns all change history for person and employment objects for each employee
●
It is visible in History.
●
It is available as an ad-hoc report
●
It is available for -
Home/Business Address
-
Compensation
-
Emergency s
-
Email
-
Employment
-
Job Info
© Copyright. All rights reserved.
21
Unit 1: SAP SuccessFactors Employee Central Security Role-Based Permissions
-
National Id
-
Recurring/Non-Recurring Pay
-
Personal Info
-
Work Relationships
-
Person Info
-
Succession
-
Info
LESSON SUMMARY You should now be able to: ●
Modify an employee record
●
Explain the function and location of the EC audit trail
© Copyright. All rights reserved.
22
Unit 1 Learning Assessment
1. By default, any can choose his/her own proxies. Determine whether this statement is true or false. X
True
X
False
2. Proxy permissions can be turned on and off, or modified through proxy management. Determine whether this statement is true or false. X
True
X
False
3. The audit trail shows proxies. Determine whether this statement is true or false. X
True
X
False
4. RBP allows granular control of access Determine whether this statement is true or false. X
True
X
False
5. RBP is required in EC. Determine whether this statement is true or false. X
True
X
False
© Copyright. All rights reserved.
23
Unit 1: Learning Assessment
6. Setting the visibility of a field to none in the Data Models overrides RBP. Determine whether this statement is true or false. X
True
X
False
7. Setting the visibility of a custom field to none allows the field to appear for all s. Determine whether this statement is true or false. X
True
X
False
8. You should always create two permission groups before you create a permission role. Determine whether this statement is true or false. X
True
X
False
9. In which permission category would you grant a permission to view their hire date? Choose the correct answer. X
A Employee Data
X
B Employee Central Effective Dated Entities
X
C Employee Views
X
D Reports Permissions
10. In which permission category would you grant a permission to view their pay grade field in the Job Information portlet? Choose the correct answer. X
A Employee Data
X
B Employee Central Effective Dated Entities
X
C Employee Views
X
D Reports Permissions
© Copyright. All rights reserved.
24
Unit 1: Learning Assessment
11. What happens if a mapped role is deleted? Choose the correct answer. X
A Nothing.
X
B The groups and roles are removed from the instance.
X
C s can continue to access the role until they are removed from the relevant groups.
X
D The permissions are permanently removed and ungranted.
© Copyright. All rights reserved.
25
Unit 1 Learning Assessment - Answers
1. By default, any can choose his/her own proxies. Determine whether this statement is true or false. X
True
X
False
2. Proxy permissions can be turned on and off, or modified through proxy management. Determine whether this statement is true or false. X
True
X
False
3. The audit trail shows proxies. Determine whether this statement is true or false. X
True
X
False
4. RBP allows granular control of access Determine whether this statement is true or false. X
True
X
False
5. RBP is required in EC. Determine whether this statement is true or false. X
True
X
False
© Copyright. All rights reserved.
26
Unit 1: Learning Assessment - Answers
6. Setting the visibility of a field to none in the Data Models overrides RBP. Determine whether this statement is true or false. X
True
X
False
7. Setting the visibility of a custom field to none allows the field to appear for all s. Determine whether this statement is true or false. X
True
X
False
8. You should always create two permission groups before you create a permission role. Determine whether this statement is true or false. X
True
X
False
9. In which permission category would you grant a permission to view their hire date? Choose the correct answer. X
A Employee Data
X
B Employee Central Effective Dated Entities
X
C Employee Views
X
D Reports Permissions
10. In which permission category would you grant a permission to view their pay grade field in the Job Information portlet? Choose the correct answer. X
A Employee Data
X
B Employee Central Effective Dated Entities
X
C Employee Views
X
D Reports Permissions
© Copyright. All rights reserved.
27
Unit 1: Learning Assessment - Answers
11. What happens if a mapped role is deleted? Choose the correct answer. X
A Nothing.
X
B The groups and roles are removed from the instance.
X
C s can continue to access the role until they are removed from the relevant groups.
X
D The permissions are permanently removed and ungranted.
© Copyright. All rights reserved.
28
. .
PARTICIPANT HANDBOOK INSTRUCTOR-LED TRAINING . Course Version: 74 Course Duration: 10 Day(s) e-book Duration: 3 Hours 20 Minutes Material Number: 50141493
SAP Copyrights and Trademarks
© 2017 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or ed trademarks of SAP SE (or an SAP affiliate company) in and other countries. Please see http://global12.sap.com/ corporate-en/legal/copyright/index.epx for additional trademark information and notices. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.
Typographic Conventions American English is the standard used in this handbook. The following typographic conventions are also used.
This information is displayed in the instructor’s presentation
Demonstration
Procedure
Warning or Caution
Hint
Related or Additional Information
Facilitated Discussion
interface control
Example text
Window title
Example text
© Copyright. All rights reserved.
iii
Contents vi
Course Overview
1
Unit 1:
2
SAP SuccessFactors Employee Central Permissions
Exercise 1: Determine Access Lesson: Managing Security Using Role-Based Permissions (RBP)
8
Exercise 2: Examine RBP
13 17
Role-Based
Lesson: Managing Access
4 7
Security
Exercise 3: Create a Custom Group and Role Lesson: Implementing Data Changes and Reviewing Audit Trails
19
© Copyright. All rights reserved.
Exercise 4: Modify an Employee Record
v
Course Overview
TARGET AUDIENCE This course is intended for the following audiences: ●
Application Consultant
© Copyright. All rights reserved.
vi
UNIT 1
SAP SuccessFactors Employee Central Security Role-Based Permissions
Lesson 1 Managing Access
2
Exercise 1: Determine Access
4
Lesson 2 Managing Security Using Role-Based Permissions (RBP)
7
Exercise 2: Examine RBP
8
Exercise 3: Create a Custom Group and Role
13
Lesson 3 Implementing Data Changes and Reviewing Audit Trails
17
Exercise 4: Modify an Employee Record
19
UNIT OBJECTIVES ●
Determine the different types and the role of proxies
●
Track changes and insertions in EC records
●
Examine RBP
●
Set up RBP
●
Modify an employee record
●
Explain the function and location of the EC audit trail
© Copyright. All rights reserved.
1
Unit 1 Lesson 1 Managing Access
LESSON OVERVIEW In this lesson, you learn how to determine the different types and role of proxies in EC. You also learn how to track changes and insertions in EC records. LESSON OBJECTIVES After completing this lesson, you will be able to: ●
Determine the different types and the role of proxies
●
Track changes and insertions in EC records
Types
Employee Central (EC) has several types of s as shown in the figure, Types. The smallest role is a Local . A Local is an optional level that is set up using RBP. The Local has access to istrative functionality for a specific group of s. For example, you can set up a USA who resets s for s in the USA. The next level is an . An has access to functionality on the page. For example, you can set up an who manages the performance and goals functionality for a company.
© Copyright. All rights reserved.
2
Lesson: Managing Access
The third level is a Security . A Security is responsible for managing security using roles and permission groups in the RBP framework. A Security has access to Manage Permission Roles and Manage Permission Groups . The fourth and highest level is a Super . The Super is set up using Provisioning or by another Super in Center. A Super can grant an employee the permission to operate at any level. A Super has access to Manage RoleBased Permission Access .
Proxy Roles
Figure 2: Proxy Roles
Proxies are useful in EC. There are typically two roles in proxy. However, EC introduces a third. The Holder owns the and has the rights to view and edit information. A who has Proxy rights for an Holder can choose Proxy and open, view, edit, or send any item in the modules for which the has permissions. In EC, managers use proxy functionality as a delegation tool. When Private Data For Proxy Holder is deselected, the proxy does not have access to potentially sensitive information such as home address or compensation. Hint: System s control how proxies are assigned and who can assign them. The Help & Resources section in Center provides further information about proxies and proxy management.
© Copyright. All rights reserved.
3
Unit 1 Exercise 1 Determine Access
Business Example ACE Corporation has several s in the system. You must explore the different granted permissions to determine the level of each . levels are separate from RBP roles. Your level determines what ability you have to manage RBP. 1. Use Proxy to explore Access. Table 1: Ace Corp Access Super (s) Security (s) (s)
© Copyright. All rights reserved.
4
Unit 1 Solution 1 Determine Access
Business Example ACE Corporation has several s in the system. You must explore the different granted permissions to determine the level of each . levels are separate from RBP roles. Your level determines what ability you have to manage RBP. 1. Use Proxy to explore Access. Table 1: Ace Corp Access Super (s) Security (s) (s) a) to your instance as , Emily Clark. b) In the Set Permissions section, determine Emily Clark’s level based on her abilities. Note: You will not be able to tell in View Permission . c) Proxy as 1, 2, and 3 to determine the other roles. Note: Security : Emily Clark (), (s): 1, 2, Super : 3
© Copyright. All rights reserved.
5
Unit 1: SAP SuccessFactors Employee Central Security Role-Based Permissions
EC Historical Change Tracking
Figure 3: EC Historical Change Tracking
The EC platform is effective-dated across many of the Foundation Objects (FO) and employee records, which means that EC stores records and changes in a global system. When a new record is inserted, the previous record is closed. How do you know who is making those changes and when? For most effective-dated entities in the system, EC provides a high-level overview of changes in the History section of the instance. Permissioned s can also access Audit Reports for a more in-depth look at changes. LESSON SUMMARY You should now be able to: ●
Determine the different types and the role of proxies
●
Track changes and insertions in EC records
© Copyright. All rights reserved.
6
Unit 1 Lesson 2 Managing Security Using Role-Based Permissions (RBP)
LESSON OVERVIEW In this lesson, you learn how to examine and set up RBP. You also practice how to create a custom group and role. LESSON OBJECTIVES After completing this lesson, you will be able to: ●
Examine RBP
●
Set up RBP
RBP Overview
Figure 4: RBP
RBP is a customizable method of managing permissions in your company. Traditionally, HR managers are assigned the same permissions. However, you can use RBP to grant control at a granular level based on the specific work that a person does. You can define roles based on job codes, locations, relationships, and more. This granularity allows the groups to be both targeted and dynamic. For example, you can create permissions for HR managers in the USA that enable them to view and edit person and employment data for all of their employees in the USA.
© Copyright. All rights reserved.
7
Unit 1 Exercise 2 Examine RBP
Business Example You must view and troubleshoot permissions. 1. Use Center to view Permissions. Use the Search box to answer the following questions in the table, RBP Exploration. Table 2: RBP Exploration Question
Answer
What roles are granted to Managers like Carla Grant? What are some of her permissions? What roles are granted to s like Emily Clark? What are some of her permissions? What roles are granted to Employees like Roberto Kent? What are some of his permissions?
© Copyright. All rights reserved.
8
Unit 1 Solution 2 Examine RBP
Business Example You must view and troubleshoot permissions. 1. Use Center to view Permissions. Use the Search box to answer the following questions in the table, RBP Exploration. Table 2: RBP Exploration Question
Answer
What roles are granted to Managers like Carla Grant? What are some of her permissions? What roles are granted to s like Emily Clark? What are some of her permissions? What roles are granted to Employees like Roberto Kent? What are some of his permissions? a) to your instance as an . b) Navigate to Center→ Set Permissions→ View Permissions . c) Use the Search box to answer the following questions in the table, RBP Exploration.
© Copyright. All rights reserved.
9
Unit 1: SAP SuccessFactors Employee Central Security Role-Based Permissions
Permission Groups
Figure 5: Permission Groups
Permission Groups allow you to define employees in the Granted Population and Target Population roles. You can create these groups based on single or multiple parameters. For example, you can create a group of IT managers based on the job code IT-MGR. You can also create a group of IT managers in the USA based on job code and location. Permission Groups are an integral part of RBP. However, they might not be necessary if you are working with general conditions such as All Employees or Manager’s Direct Reports , which are predefined roles in the system. .
Best Practices for Naming Permission Groups
Figure 6: Best Practice for Naming Permission Groups
As a best practice, when creating permission groups use a prefix to help you to identify which group to use in your permission role. If you are creating a permission group that is receiving the permissions (a granted group), use the prefix Granted: for the name of the group. For example, if you are creating a permission group for IT managers, use the name Granted: IT Managers. Similarly, if you are creating a target permissions group, use the prefix Target. For example, if you want the IT managers to have access to all employees in the USA, you must create a target permission group based on location and use the name Target: Employees in USA.
© Copyright. All rights reserved.
10
Lesson: Managing Security Using Role-Based Permissions (RBP)
Permission Roles
Figure 7: Permission Roles
Permission Roles control the access rights in the system and involve the process of defining access to data and application functionality. To create and manage permission roles, choose Center→ Set Permissions→ Manage Permission Roles . After you add a name and description, choose Permission to go to Permission Settings , as shown in the figure, Permission Roles. You can see permission categories such as Employee Data and Employee Central Effective Dated Entities . When you select one of these categories, the permissions or fields for the category display on the right. Managers and employees in EC use the following permission categories: Employee Data, Employee Central Effective Dated Entities , and Employee Views. Some s also need access to Reports Permissions. If a customer chooses to use customizable fields in any of these categories, they must also receive permissions for the relevant roles.
Additional RBP Resources
Figure 8: Additional RBP Resources
© Copyright. All rights reserved.
11
Unit 1: SAP SuccessFactors Employee Central Security Role-Based Permissions
For more information on RBP, the Role-Based Permissions Handbook and EC Implementation Handbook from the SAP Help Portal (http://help.sap.com/cloud4hr).
© Copyright. All rights reserved.
12
Unit 1 Exercise 3 Create a Custom Group and Role
Business Example ACE Corporation wants IT managers to be able to update all employees’ social s information.
Note: What group(s) will you need? How will you determine the groups? What data do they need to access and where is it located?
Hint: The different areas on the drop down list of an employee’s file are called Employee Views. For example, Employment Information, Pending Requests , Scorecard , and so on. EC uses Personal Information and not Personal Info . Create a Custom Group and Role 1. Create the IT Manager Group. 2. Test your current permissions. 3. Create the IT Manager Access Role: 4. Test your configuration.
© Copyright. All rights reserved.
13
Unit 1 Solution 3 Create a Custom Group and Role
Business Example ACE Corporation wants IT managers to be able to update all employees’ social s information.
Note: What group(s) will you need? How will you determine the groups? What data do they need to access and where is it located?
Hint: The different areas on the drop down list of an employee’s file are called Employee Views. For example, Employment Information, Pending Requests , Scorecard , and so on. EC uses Personal Information and not Personal Info . Create a Custom Group and Role 1. Create the IT Manager Group. a) to your instance as an . b) Navigate to Center→ Set Permissions→ Manage Permission Groups . c) Choose Create New → Group Name→ Granted: IT Manager Group . d) Under Choose Group → Pick a category→ Job Code→ IT Manager(ITMGR)→ Done. e) In the upper right box, click Active Group hip → Update→ Click the Number. f) Select a for your testing. Click Done. 2. Test your current permissions. a) Proxy as an IT Manager. b) Navigate to Robert Allen’s Employee File. c) Can you see Robert Allen’s Personal Information → Social s Information ? Why or why not? 3. Create the IT Manager Access Role: a) Become Self and Navigate to Center→ Set Permissions→ Manage Permission Roles . b) Choose Create New → Role Name→ IT Manager Access.
© Copyright. All rights reserved.
14
Lesson: Managing Security Using Role-Based Permissions (RBP)
c) Under Step 2→ Permission. d) Choose Employee Data→ HR Information→ Social s Information → View + Edit. e) Choose Employee Views→ Personal Information → Done. f) Under Step 3→ Add. g) Under Grant role to: Permission Group → Select. h) Search for Granted→ Check Granted: IT Manager Group → Done. i) Under Target Population → Everyone→ Done→ Save Changes. 4. Test your configuration. a) Proxy as an IT manager. b) Navigate to Robert Allen’s Employee File → Personal Information . c) Can you see and edit the employee’s social s? Why or why not?
© Copyright. All rights reserved.
15
Unit 1: SAP SuccessFactors Employee Central Security Role-Based Permissions
LESSON SUMMARY You should now be able to: ●
Examine RBP
●
Set up RBP
© Copyright. All rights reserved.
16
Unit 1 Lesson 3 Implementing Data Changes and Reviewing Audit Trails
LESSON OVERVIEW In this lesson, you learn how to modify an employee record and explain the function and location of the EC audit trail. LESSON OBJECTIVES After completing this lesson, you will be able to: ●
Modify an employee record
●
Explain the function and location of the EC audit trail
Effective Dating for New Records
Figure 9: Effective Dating
In a previous lesson, you learned that it is possible to make changes using transactions and corrections. In this lesson, you learn how those updates and changes are made by an . Many of the records in EC are effective-dated. Each time you insert a new record for one of these items, the system prompts you to provide the effective date. It is important to understand and to maintain accurate effective dates because they enable you to create historical, present, and future records. For example, if Marcus is moving in January, you can add his new address with an effective date in the future. However, Marcus will not see that change in effect until January.
© Copyright. All rights reserved.
17
Unit 1: SAP SuccessFactors Employee Central Security Role-Based Permissions
istration Records Management
Figure 10: istration Records Management
There are several ways to alter employee files in the People Profile layout. Please note, you will only see these options if they are permissioned to you in Role Based Permissions. Clicking on the Pencil Icon allows you to insert a new dated entry into the Employee's file. If Event Reason Derivation is enabled, then they will be determined based on the change being made. Each new record added to the employee's file must be connected to a date in the past, present or future. This action can trigger an approval process, which will need to be completed before the record is active in the system. If you navigate to the history of a portlet and click on a dated record, you will see a variety of options. Edit enables an or permissioned to make changes to the historical record. For example, Marcus Hoff moved on January 5, 2010, but accidentally entered the incorrect ZIP code. To make changes to the historical record, choose History →Edit . This record will show corrected zip code only, however, you can still see the change was made in an audit report. This change will not trigger an approval process. Insert New Record is located under History (Clock Button) in the top-right corner. An event and event reason are required to insert a new record. Therefore, it is important for s with this privilege to be familiar with Events and Event Reasons in their system. Navigating this way will not trigger an approval process. Approval processes are only triggered through the Pencil Icon or Take Action --> Change Job and Compensation Information.
© Copyright. All rights reserved.
18
Unit 1 Exercise 4 Modify an Employee Record
Business Example Jane Millers’ address records are incorrect. Her manager has asked HR to correct and update these records with changes. Note: Where will you navigate to make the changes in Jane’s record? How will you correct the historical record? How will you know if the new address is in the system?
1. Correct your current address. Use the table, Changes, to make the required corrections. Table 3: Changes Address Correction (As of Hire Date)
New Address (As of April 01, 2018)
Jane Millers
Jane Millers
74 W Fernando St
4122 21st Road N
Apt 24
Arlington, VA 22207
Arlington, VA 22205 2. Insert a new address.
© Copyright. All rights reserved.
19
Unit 1 Solution 4 Modify an Employee Record
Business Example Jane Millers’ address records are incorrect. Her manager has asked HR to correct and update these records with changes. Note: Where will you navigate to make the changes in Jane’s record? How will you correct the historical record? How will you know if the new address is in the system?
1. Correct your current address. Use the table, Changes, to make the required corrections. Table 3: Changes Address Correction (As of Hire Date)
New Address (As of April 01, 2018)
Jane Millers
Jane Millers
74 W Fernando St
4122 21st Road N
Apt 24
Arlington, VA 22207
Arlington, VA 22205
a) to your instance as an . b) Navigate to Jane Millers→ Personal Information → Address Information → History. c) Click on the clock icon (History) in the Address Information section d) On the right of the screen, choose Edit. e) Use the table, Changes, to make the required corrections in the “Address Correction” side. Click Save. 2. Insert a new address. a) Navigate to Jane Millers→ Personal Information → Address Information → History. b) On the left of the screen, choose Insert New Record . c) Use the effective date: April 01, 2018. d) Use the table, Changes, to update the address based on the "New Address" section. Click Save. e) Close the history window using the X on the right of the screen. f) that the address change is pending in the Address Information section.
© Copyright. All rights reserved.
20
Lesson: Implementing Data Changes and Reviewing Audit Trails
EC Audit Trail
Figure 11: EC Audit Trail
The final layer of EC security is a complete audit trail. The audit trail is available both in the history of a record and as an ad-hoc report for records, as shown in the figure, EC Audit Trail. The first example in this figure is the record history. To access the record history for Jane Miller, choose Personal Information → Address→ History. Then, choose the record that is effective on November 12, 2012. On the bottom right, you can see that this record was last modified on December 13, 2012 by the on behalf of Nancy Nash. The second example in this figure is an ad-hoc report. This report shows the date and time of each record change and the who made the modification. To create or view an Audit Report, you must log on and have access to Reporting/Analytics and ad-hoc reports. Audit Report Features The audit trail has the following features: ●
It returns all change history for person and employment objects for each employee
●
It is visible in History.
●
It is available as an ad-hoc report
●
It is available for -
Home/Business Address
-
Compensation
-
Emergency s
-
-
Employment
-
Job Info
© Copyright. All rights reserved.
21
Unit 1: SAP SuccessFactors Employee Central Security Role-Based Permissions
-
National Id
-
Recurring/Non-Recurring Pay
-
Personal Info
-
Work Relationships
-
Person Info
-
Succession
-
Info
LESSON SUMMARY You should now be able to: ●
Modify an employee record
●
Explain the function and location of the EC audit trail
© Copyright. All rights reserved.
22
Unit 1 Learning Assessment
1. By default, any can choose his/her own proxies. Determine whether this statement is true or false. X
True
X
False
2. Proxy permissions can be turned on and off, or modified through proxy management. Determine whether this statement is true or false. X
True
X
False
3. The audit trail shows proxies. Determine whether this statement is true or false. X
True
X
False
4. RBP allows granular control of access Determine whether this statement is true or false. X
True
X
False
5. RBP is required in EC. Determine whether this statement is true or false. X
True
X
False
© Copyright. All rights reserved.
23
Unit 1: Learning Assessment
6. Setting the visibility of a field to none in the Data Models overrides RBP. Determine whether this statement is true or false. X
True
X
False
7. Setting the visibility of a custom field to none allows the field to appear for all s. Determine whether this statement is true or false. X
True
X
False
8. You should always create two permission groups before you create a permission role. Determine whether this statement is true or false. X
True
X
False
9. In which permission category would you grant a permission to view their hire date? Choose the correct answer. X
A Employee Data
X
B Employee Central Effective Dated Entities
X
C Employee Views
X
D Reports Permissions
10. In which permission category would you grant a permission to view their pay grade field in the Job Information portlet? Choose the correct answer. X
A Employee Data
X
B Employee Central Effective Dated Entities
X
C Employee Views
X
D Reports Permissions
© Copyright. All rights reserved.
24
Unit 1: Learning Assessment
11. What happens if a mapped role is deleted? Choose the correct answer. X
A Nothing.
X
B The groups and roles are removed from the instance.
X
C s can continue to access the role until they are removed from the relevant groups.
X
D The permissions are permanently removed and ungranted.
© Copyright. All rights reserved.
25
Unit 1 Learning Assessment - Answers
1. By default, any can choose his/her own proxies. Determine whether this statement is true or false. X
True
X
False
2. Proxy permissions can be turned on and off, or modified through proxy management. Determine whether this statement is true or false. X
True
X
False
3. The audit trail shows proxies. Determine whether this statement is true or false. X
True
X
False
4. RBP allows granular control of access Determine whether this statement is true or false. X
True
X
False
5. RBP is required in EC. Determine whether this statement is true or false. X
True
X
False
© Copyright. All rights reserved.
26
Unit 1: Learning Assessment - Answers
6. Setting the visibility of a field to none in the Data Models overrides RBP. Determine whether this statement is true or false. X
True
X
False
7. Setting the visibility of a custom field to none allows the field to appear for all s. Determine whether this statement is true or false. X
True
X
False
8. You should always create two permission groups before you create a permission role. Determine whether this statement is true or false. X
True
X
False
9. In which permission category would you grant a permission to view their hire date? Choose the correct answer. X
A Employee Data
X
B Employee Central Effective Dated Entities
X
C Employee Views
X
D Reports Permissions
10. In which permission category would you grant a permission to view their pay grade field in the Job Information portlet? Choose the correct answer. X
A Employee Data
X
B Employee Central Effective Dated Entities
X
C Employee Views
X
D Reports Permissions
© Copyright. All rights reserved.
27
Unit 1: Learning Assessment - Answers
11. What happens if a mapped role is deleted? Choose the correct answer. X
A Nothing.
X
B The groups and roles are removed from the instance.
X
C s can continue to access the role until they are removed from the relevant groups.
X
D The permissions are permanently removed and ungranted.
© Copyright. All rights reserved.
28
Related Documents c2h70
Unit 2 - Sap Successfactors Employee Central - Security- Role Based Permissions 4i3h3r
December 2019 185
Sap Successfactors Training_ Successfactors C_thr81_1502 Employee Central Certification Questions 6v5m64
November 2019 153
Deep-dive-into-successfactors-employee-central-and-employee-central-payroll-daniela-lange.pdf 1xp60
October 2019 167
Role-based Access Control - Ccna Security 2op4o
April 2020 26
Sap Successfactors Lms Sample Resume 2 3b67t
December 2021 0
Sap Security Sap Security Essentials 4ds3s
December 2019 94More Documents from "Erwin Neiman" 164h4g
Unit 2 - Sap Successfactors Employee Central - Security- Role Based Permissions 4i3h3r
December 2019 185
Consideraciones Y Transformaciones Logicas 2i1y1w
November 2019 27
Sop ihkan Kamar Mandi 286q3f
April 2020 50
Perda No.2 Tahun 2014 Rtrwk Muna 2p3f3o
May 2020 18
Quantitative Risk Assessment For 32" Lng Pipeline yf4s
December 2020 0