SAP SuccessFactors SFAPI User

To collect data from SAP SuccessFactors for Business Process Monitoring or Exception Monitoring an endpoint needs to be created in SAP Cloud ALM. 

To create this endpoint a user is needed in SAP SuccessFactors. It is recommended to create a dedicated user in SAP SuccessFactors (e.g. SFAPI) for this purpose instead of using a personal or an admin user.

 

Required User Settings

Disable Password Expiration

To avoid that the password for the user expires, please create a login exception for the SFAPI user.

  1. Go to Admin Center → Password & Login Policy Settings 
  2. Click on "Set API Login Exceptions"
    1. Click the "Add" button
    2. Enter the username of the SFAPI user
    3. Set the parameter 'Maximum password age(days)' = -1
    4. Enter the IP address of your SAP Cloud ALM tenant. 
      1. You can look for the IP range of your SAP Cloud ALM tenant here.
      2. You can also enter the range 1.1.1.1-255.255.255.255 to cover any possible IP address.

For more information refer to SAP Note 2161909 - How to enable SFAPI in SuccessFactors

Required User Permissions

Please be aware, that the proposed permission may vary based on the enabled module of functionality in your SAP SuccessFactors instance.

To assign the required permissions to the SFAPI user please first create a new permission group and add your SFAPI user to the group:

  1. Go to Admin Center → Manage Permission Groups
  2. Create a new permission group using the "Create New..." button
  3. Enter a group name (e.g. SFAPI_CALM_USERS)
  4. Under "Choose Group Members" → "People Pool" choose "Username" 
    1. Search for your SFAPI user and add it by clicking the check box in front of it
    2. Click Done
  5. Click Done

Then create a new permission role:

  1. Go to Admin Center → Manage Permission Roles
  2. Create a new permission role using the "Create New..." button
  3. Enter a role name (e.g. SFAPI_CALM)
  4. Under "Permission Settings" click the "Permission..." button
    1. Add the permission as described below depending on the use cases you want to use in SAP Cloud ALM
  5. Under "Grant this role to..." click the "Add..." button
    1. Select "Grant role to: Permission Group"
    2. Click the "Select..." button
    3. Search for your SFAPI permission group and check the box in front of it
    4. Click Done
  6. Save your new permission role

General Permissions

The following permissions need to be assigned to the SFAPI user independent of the use case it will be used for:

  • User Permissions
    • General User Permission
      • User Login
      • SFAPI User Login
    • Payroll Integration Permission
      • Data Replication Proxy (View, Edit)
      • Trigger Data Replication Proxy Status Reset (View, Edit)
  • Administrator Permissions
    • Manage Integration Tools
      • Allow Admin to Access OData API through Basic Authentication
    • Employee Central API
      • Employee Central Foundation OData API (editable)
      • Employee Central HRIS OData API (editable)
    • Metadata Framework
      • Admin access to MDF OData API

Permissions for Integration & Exception Monitoring

The following permissions are required for the Integration & Exception Monitoring user case:

  • Administrator Permissions
    • Manage Integration Tools
      • Access to Integration Center
      • Access to Data Replication Monitor
    • Admin Center Permissions
      • Read Execution Manager Events
      • Read Execution Manager Event Payload or Event Report
      • Monitor Scheduled Jobs

Permissions for Business Process Monitoring

The following permissions are required for the Business Process Monitoring user case:

  • Administrator Permissions
    • Manage Recruiting
      • Detailed Requisition Reporting Privileges
      • Manage Recruiting Templates
    • Manage Integration Tools
      • Access to OData API Metadata Refresh and Export
      • Access to OData API Data Dictionary
  • User Permissions
    • Recruiting Permissions
      • OData API Application Export
      • OData API Candidate Export
      • OData API Job Requisition Export
      • OData API Application Audit Export
      • OData API Job Offer Export
      • OData API Offer Letter Export

View permissions for the following MDF objects:

  • Administrator Permissions
    • Manage MDF Recruiting Objects
      • Candidate Relationship Management Status Set
      • Campaign Limits
      • EmailBrandTemplate
      • MarketingBrand
      • Recruiting Rules Assignment Configuration
      • Candidate Relationship Management Status Map
      • Recruiting User Personalization Object Configuration.fields (Recruiting User Personalization Field Configuration)
      • Candidate Relationship Management Status
      • Pool Limits
      • Recruiting User Personalization Object Configuration
  • User Permissions
    • MDF Recruiting Permissions
      • Campaign
      • CampaignContent
      • CandidateActivity
      • Pool
      • Pool Member
      • Share Pool with User
      • Recruiting Sensitive Personal Data Field List.spdFieldList (RCMSPDField)
      • Recruiting Sensitive Personal Data Field List
      • Candidate Follow
      • CampaignRecipient
      • CampaignPool
      • Share Pool with Group