Authorization Framework
The new Authorization Framework allows the admins to create granular authorizations using three key aspects: User Properties, Groups, and Policies. These three interact with each other to provide a level of control that was previously missing from Strato V1.
This framework is designed to work in conjunction with existing permission systems. For example, authorizations for users are evaluated alongside their SuccessFactors Role-Based Permissions (RBP) to determine final access rights.
This article contains the following sections:
Access
Users can access User Properties, Groups, and Policies under People Settings in the Configurations page.
Authorization Settings
The Authorization Settings page enables you to set how the Authorization Framework works. This can be accessed under Admin Settings in the Configurations page.
Standard Authorization
In Standard Authorization, the Target Population parameter in Policies is disabled for a simpler and more efficient processing and evaluation. Instead, users affected by a Policy are determined through SuccessFactors Role-Based Permissions.
By default, new systems are set to Standard Authorization.
The List action in the People Tool is also unavailable when configuring Policies.
Extended Authorization
Standard Authorization provides ease of use, but Extended is recommended for complex organizational structures that SF RBP might have difficulty mapping out on its own.
Systems that existed before the implementation of Standard Authorization are automatically configured for Extended Authorization. Systems using Standard Authorization can switch to Extended Authorization by clicking the Switch to Extended Authorization button.
In Extended Authorization, the Target Population parameter is enabled. This exists on top of SF RBPs and allows for a more granular control on user access.
Components
User Properties
User Properties store user-related information into Property fields. These fields can be manually added and modified via the People Hub or an API call, or be mapped to a data source (for example, SuccessFactors).
These Properties are used to target and filter users based on specific attributes. This will be relevant when creating Groups and Policies.
Groups
Groups are a collection of users with the same attributes or responsibilities. Users can be added to a group manually, or automatically via their SuccessFactors RBPs or specific conditions based on User Properties.
Groups can also have Policies attached to them, which grants these Policies to all users within the Group.
Policies
Policies define the level of access a user or a group has over certain actions or objects within Strato. Actions of a module for selected objects and targets can be allowed or denied using Policies.
How a Policy affects users depends on the user type and Authorization Settings:
User Type / Authorization Settings | Standard Authorization | Extended Authorization |
SuccessFactors Users | Only SF RBPs are checked and applied. | The Target Population set in the Policy is checked and applied together with SF RBPs. |
External Users | Currently does not work, as Standard Authorization requires data from SF. | Only the set Target Population in the Policies is checked and applied. |
Multiple permissions can be added to a Policy.
Related articles
- Upgrade Center
- New Design - People Hub
- New Feature - Authorization Framework Integration with Configurations
- New Feature - Authorization Framework Integration with People Hub
- New Feature - Authorization Framework Integration with Storage
- User Properties
- Groups
- Policies