Set Up SuccessFactors Role-Based Permissions for Strato

Strato follows the authorizations and permissions defined in SuccessFactors Role-Based Permissions (SF RBP).

Before users can fully use Strato, verify that all required authorizations for each role are properly set up. This article is a guide to setting up SF RBP for each role.

💡

Strato respects and applies the authorizations that a user has when accessing data. If the same data exists in OData, the user should be able to generate documents containing information that they have access to.


Requirements

Your SF user should have permissions to view and edit RBP. Contact your SF administrator if you do not have access to RBP Settings.

A foundational knowledge of SF is required.


Authorizations for HR Administrators

These permissions are required for HR Administrators to gain access to data from users they manage. This is also necessary for third-party applications.

Metadata Framework

  • Admin access to MDF OData API

 

Employee Central API

  • Employee Central Foundation SOAP API
  • Employee Central HRIS SOAP API
  • Employee Central Foundation OData API (read-only): This authorization is necessary for retrieving foundation data such as Department, Legal Entity, and more.
  • Employee Central HRIS OData API (read-only): This authorization is necessary for retrieving Employee data. This will not grant additional permissions to the end-user, but only allows third-party applications to retrieve data that the user has access to.
  • Employee Central Foundation OData API (editable)
  • Employee Central HRIS OData API (editable)
  • Employee Central Compound Employee API (restricted access)

 

Manage User

  • Employee Export: This authorization is necessary for gaining access to Talent entities (for example, entities that start with Background_).
  • Export Extended User Information

 

Authorizations for ESS / MSS

These permissions are required for employees and managers to get their own data through the API.

  • Employee Central Foundation OData API (read-only)
  • Employee Central Compound Employee API (restricted access)
  • Employment Detail MSS: Enable the View permission only, as the Edit permission is unnecessary for MSS.
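
An added example (not Strato or SAP code) that checks a role's grants against the ESS / MSS list above and reports missing permissions, excess access levels, and grants outside the list. The CSV layout, the role names ESS_MSS and HR_ADMIN, and the "Enabled" access label are assumptions made for this example, not an SF export format.

```python
import csv
import io

# Baseline taken from the ESS / MSS list above. "Enabled" is this example's
# label for checkbox-style permissions that have no View/Edit split.
ESS_MSS_BASELINE = {
    "Employee Central Foundation OData API (read-only)": {"Enabled"},
    "Employee Central Compound Employee API (restricted access)": {"Enabled"},
    "Employment Detail MSS": {"View"},
}

# Constructed sample export: role,permission,access (hypothetical layout).
SAMPLE_EXPORT = """role,permission,access
ESS_MSS,Employee Central Foundation OData API (read-only),Enabled
ESS_MSS,Employment Detail MSS,View
ESS_MSS,Employment Detail MSS,Edit
ESS_MSS,Employee Central HRIS OData API (editable),Enabled
HR_ADMIN,Employee Central HRIS OData API (editable),Enabled
"""

def load_grants(export_text, role):
    """Return {permission: set(access levels)} for one role."""
    grants = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["role"].strip() == role:
            grants.setdefault(row["permission"].strip(), set()).add(row["access"].strip())
    return grants

def audit_role(export_text, role, baseline=ESS_MSS_BASELINE):
    """Compare a role's grants with the baseline; return sorted findings."""
    grants = load_grants(export_text, role)
    findings = []
    for perm, needed in baseline.items():
        granted = grants.get(perm, set())
        for level in sorted(needed - granted):
            findings.append(("MISSING", perm, level))        # required, not granted
        for level in sorted(granted - needed):
            findings.append(("EXCESS_ACCESS", perm, level))  # e.g. Edit where View suffices
    for perm in sorted(set(grants) - set(baseline)):
        for level in sorted(grants[perm]):
            findings.append(("NOT_IN_BASELINE", perm, level))  # review: outside the list
    return sorted(findings)

if __name__ == "__main__":
    for kind, perm, level in audit_role(SAMPLE_EXPORT, "ESS_MSS"):
        print(f"{kind:16} {perm} [{level}]")
```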

 

Authorizations for Talent

Users that deal with Talent require the following RBPs:

Employee Central API

  • Employee Central Foundation SOAP API
  • Employee Central HRIS SOAP API
  • Employee Central Foundation OData API (read-only): This authorization is necessary for retrieving foundation data such as Department, Legal Entity, and more.
  • Employee Central HRIS OData API (read-only): This authorization is necessary for retrieving Employee data. This will not grant additional permissions to the end-user, but only allows third-party applications to retrieve data that the user has access to.
  • Employee Central Foundation OData API (editable)
  • Employee Central HRIS OData API (editable)
  • Employee Central Compound Employee API (restricted access)

 

Manage User

  • Employee Export: This authorization is necessary for gaining access to Talent entities (for example, entities that start with Background_).
  • Export Extended User Information

 

Authorizations for Recruitment

Users that deal with Recruitment require specific RBPs to access and manage Application, Candidate, Job Requisition, Job Offer, and Offer Letter data.

  • OData API Application: The Export authorization is necessary for gaining access to Application information. If updating an application status is necessary, include the Update authorization as well.
  • OData API Candidate Export: This authorization is necessary for gaining access to Candidate information.
  • OData API Job Requisition Export: This authorization is necessary for gaining access to Requisition information.
  • OData API Job Offer Export: This authorization is necessary for gaining access to content of Job Offers for the Candidates.
  • OData API Offer Letter: The Export authorization is necessary for gaining access to Offer Letter information, while the Create authorization is necessary for uploading an Offer Letter back to SF.

  • 💡

    When executing a Workflow in Strato Document Generation that has a Store Document Step (for example, storing a generated Job Offer Letter from Strato back to SF Recruiting), the OData API Attachment Import authorization should also be enabled for the user running the Workflow.

    The OData API Attachment Import authorization can be found under the Manage Integration Tools section.

    To learn more, read the official SAP documentation on the Offer Letter entity.


Authorizations for Strato Admin and API User

For Strato Admins and the API User, include all the authorizations mentioned above.

Additionally, include the following authorizations:

Manage Integration Tools

  • Allow Admin to Access OData API through Basic Authentication
  • Manage OData API Basic Authentication
  • Access to API Center
  • OData API Competency Rating Export
  • Access to OData API Metadata Refresh and Export: This authorization is necessary for Strato to get the list of fields available in SF, including MDF objects.
  • Access to OData API Data Dictionary
  • OData API To-Do Export
  • OData API Attachment Import: Refer back to the note under OData API Offer Letter in the Authorizations for Recruitment section for more information on this authorization.
  • OData API Attachment Export
  • OData API SAML2 Setting

 

Manage System Properties

  • Picklist Management and Picklists Mappings Set Up

 

Employee Data

  • Select Edit for every table under Employee Data. The View permission is automatically enabled if the Edit permission is enabled.

 

Access to RBP from Strato

If using RBPs in Strato is necessary (for example, automatically assigning a Strato Group to an employee by checking if they are a member of a specific SF RBP Group), Strato requires the View and Edit authorizations for both Group and Role in your SF's Manage Role-Based Permission Access page. Note that this will enable the Admin menu access for all users.

In the Strato Admin Tool, the API User defined under the SuccessFactors oData Settings panel should also have the same authorizations.

 

Optional Authorizations

These authorizations are not required, but may be useful in certain situations.

Recruiting Permissions

  • OData API Application Create and Update Validation Bypass for Required Fields: This authorization allows Strato to ignore missing or blank mandatory fields when moving a Candidate to a new status, preventing errors from stopping Workflows.

 

Errors from Missing RBPs

If your system's RBPs are incomplete, the following errors may occur:

When you encounter errors, check your RBP configurations and try again.