SAP SuccessFactors SFAPI User

To collect data from SAP SuccessFactors for Business Process Monitoring or Exception Monitoring an endpoint needs to be created in SAP Cloud ALM. 

To create this endpoint a user is needed in SAP SuccessFactors. It is recommended to create a dedicated user in SAP SuccessFactors (e.g. SFAPI) for this purpose instead of using a personal or an admin user.


Required User Settings

Set Productive Password

After the SFAPI user is created in SAP SuccessFactors you have to log on to SAP SuccessFactors with this user once to set a productive password. 

  1. Log on to your SAP SuccessFactors tenant in the browser
  2. Provide a productive password when prompted 

Disable Password Expiration

To avoid that the password for the user expires, please create a login exception for the SFAPI user.

  1. Go to Admin Center → Password and Login Policy Settings 
  2. Click on "Set API Login Exceptions"
    1. Click the "Add" button
    2. Enter the username of the SFAPI user
    3. Set the parameter 'Maximum password age(days)' = -1
    4. Enter the IP address of your SAP Cloud ALM tenant. If you do not know this IP address you can also enter the range to cover any possible IP address.

For more information refer to SAP note 2161909 - How to enable SFAPI in SuccessFactors

Required User Permissions

To assign the required permissions to the SFAPI user please first create a new permission group and add your SFAPI user to the group:

  1. Go to Admin Center → Manage Permission Groups
  2. Create a new permission group using the "Create New..." button
  3. Enter a group name (e.g. SFAPI_CALM_USERS)
  4. Under "Choose Group Members" → "People Pool" choose "Username" 
    1. Search for your SFAPI user and add it by clicking the check box in front of it
    2. Click Done
  5. Click Done

Then create a new permission role:

  1. Go to Admin Center → Manage Permission Roles
  2. Create a new permission role using the "Create New..." button
  3. Enter a role name (e.g. SFAPI_CALM)
  4. Under "Permission Settings" click the "Permission..." button
    1. Add the permission as described below depending on the use cases you want to use in SAP Cloud ALM
  5. Under "Grant this role to..." click the "Add..." button
    1. Select "Grant role to: Permission Group"
    2. Click the "Select..." button
    3. Search for your SFAPI permission group and check the box in front of it
    4. Click Done
  6. Save your new permission role

General Permissions

The following permissions need to be assigned to the SFAPI user independent of the use case it will be used for:

  • General User Permission
    • User Login
    • SFAPI User Login
  • Manage Integration Tools
    • Allow Admin to Access OData API through Basic Authentication

Permissions for Business Process Monitoring

The following permissions are required for the Business Process Monitoring user case:

  • Manage Recruiting
    • Detailed Requisition Reporting Privileges
    • Manage Recruiting Templates
  • Manage Integration Tools
    • Access to OData API Metadata Refresh and Export
    • Access to OData API Data Dictionary
  • Recruiting Permissions
    • OData API Application Export
    • OData API Candidate Export
    • OData API Job Requisition Export
    • OData API Application Audit Export
    • OData API Job Offer Export
    • OData API Offer Letter Export

View permissions for the following MDF objects:

  • Manage MDF Recruiting Objects
    • Candidate Relationship Management Status Set
    • Campaign Limits
    • EmailBrandTemplate
    • MarketingBrand
    • Recruiting Rules Assignment Configuration
    • Candidate Relationship Management Status Map
    • Recruiting User Personalization Object Configuration.fields (Recruiting User Personalization Field Configuration)
    • Candidate Relationship Management Status
    • Pool Limits
    • Recruiting User Personalization Object Configuration
  • MDF Recruiting Permissions
    • Campaign
    • CampaignContent
    • CandidateActivity
    • Pool
    • Pool Member
    • Share Pool with User
    • Recruiting Sensitive Personal Data Field List.spdFieldList (RCMSPDField)
    • Recruiting Sensitive Personal Data Field List
    • Candidate Follow
    • CampaignRecipient
    • CampaignPool
    • Share Pool with Group

Permissions for Integration & Exception Monitoring

The following permissions are required for the Integration & Exception Monitoring user case:

  • Manage Integration Tools
    • Access to Integration Center
    • Access to Data Replication Monitor
  • Admin Center Permissions
    • Read Execution Manager Events
    • Read Execution Manager Event Payload or Event Report
    • View Read and Change Audit Configuration
    • Monitor Scheduled Jobs