Introduction
We would like to introduce the SuccessFactors Configuration Center for moving configuration changes through the SF HXM tenant landscape instead of doing it manually. The more tenants you have, the more useful Configuration Center becomes.
During setup we received requirements to define separate permissions for different functions:
- downloading configurations
- creating bundles and initiating transports
- importing transports
In addition there was a requirement to keep Configuration Center permissions in the SF productive instance separate: a quality gate with a small, dedicated group of users that transports to PROD only after the CAB meeting.
As Configuration Center was new to us, we wanted to check how granular the permissions are for controlling Configuration Center and for segregation of duties. This is what we observed:
Permission Research
The starting point for setting up Configuration Center permissions was the List of Role-Based Permissions. The search gives the following result:
Configuration Center Basic Permissions
What we see is that two different permissions are available: one for downloading configurations (Access to view and download configuration) and another for transporting configurations to other tenants (Access to compare and transport configurations).
Remark: The List of Role-Based Permissions is always a good starting point, but it does not provide detailed information about the dependent permissions that transactions like Configuration Center might have.
Findings: The permission Access to compare and transport configurations on its own does not even allow opening the Configuration Center transaction in SuccessFactors. At least Access to view and download configuration is required to find the transaction in the search bar and open it.
View and Download Permission
Granting the Access to view and download configuration permission gives the expected result in Configuration Center:
The user is only allowed to download configuration(s) and see the corresponding download requests. The following menu items are accessible:
- Configuration Activities (download only)
- Download Requests
Transport Configuration Permission
Having granted both permissions, Access to compare and transport configurations and Access to view and download configuration, in one role, Configuration Center shows more menu items:
- Configuration Activities (incl. Transport Mode)
- Download Requests
- Transport Routes
- Transport Requests (incl. Exports | Imports | Import History)
- Bundle Management
Potential Errors
Instance Pair RBP Permission Error
Finding: The Transport Routes menu item requires an additional permission. Although it is visible, accessing it produces an error.
The same error message (INSTANCE_PAIR_RBP_PERMISSION_ERROR) can appear when initiating a transport out of a bundle (Save and Initiate Transport).
Solution: For pairing the tenants with each other the following permissions are required:
- Configuration Center – Access to view and download configurations
- Configuration Center – Access to compare and transport configurations
- Manage Instance Synch – Select All
- Metadata Framework – Admin access to MDF OData API
Remark: For our use case it seems sufficient to select only these entries in “Manage Instance Synch”
- Manage Instance Synch -> Synch Data Model
- Manage Instance Synch -> Sync MDF Object Definitions
- Manage Instance Synch -> Sync MDF Data
to prevent the error from appearing, but there is no further information available on whether not granting access to all objects has any side effects.
Import History Report Failed
Executing the import history report leads to the following error.
Solution: We observed that mainly the permission Metadata Framework -> Admin access to MDF OData API controls whether the report runs successfully. Access to Configuration Center is obviously a prerequisite.
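The dependencies observed so far (view permission needed just to open the transaction, Instance Synch plus MDF OData admin access needed for tenant pairing, MDF OData admin access needed for the Import History report) are easy to get wrong when several roles are being drafted at once. The following is an added example, not code from SAP or from this post, that encodes those observations as a small rule set so a proposed role can be checked before it is provisioned. The rule set is an assumption derived from the findings above, not from SAP's permission engine; the permission strings are the RBP labels quoted in this post, and the minimal Instance Synch subset is the one described in the remark.

```python
"""Pre-check a proposed RBP role against the Configuration Center dependencies
observed in this post. Added example; the rules model the findings above and
are not SAP's actual authorization logic."""
from dataclasses import dataclass, field

# RBP labels as quoted in the post (assumed to be the exact role entries).
VIEW = "Configuration Center - Access to view and download configurations"
TRANSPORT = "Configuration Center - Access to compare and transport configurations"
MDF_ODATA = "Metadata Framework - Admin access to MDF OData API"
SYNC_DATA_MODEL = "Manage Instance Synch - Synch Data Model"
SYNC_MDF_DEF = "Manage Instance Synch - Sync MDF Object Definitions"
SYNC_MDF_DATA = "Manage Instance Synch - Sync MDF Data"

# Minimal Instance Synch subset that was observed to clear the pairing error.
INSTANCE_PAIR_SET = frozenset({SYNC_DATA_MODEL, SYNC_MDF_DEF, SYNC_MDF_DATA})
PAIR_ERROR = "INSTANCE_PAIR_RBP_PERMISSION_ERROR"


@dataclass
class RoleCheck:
    can_open: bool                      # can the user open the transaction at all?
    menu_items: list = field(default_factory=list)   # visible menu entries
    errors: dict = field(default_factory=dict)       # action -> expected error
    missing: set = field(default_factory=set)        # permissions to add


def check_role(granted: set) -> RoleCheck:
    """Predict what a role with these RBP entries can reach in Configuration Center."""
    result = RoleCheck(can_open=VIEW in granted)
    if not result.can_open:
        # Finding: the transport permission alone does not even open the transaction.
        if TRANSPORT in granted:
            result.missing.add(VIEW)
        return result

    result.menu_items += ["Configuration Activities (download only)", "Download Requests"]
    if TRANSPORT not in granted:
        return result            # pure view/download role, nothing else to check

    result.menu_items[0] = "Configuration Activities (incl. Transport Mode)"
    result.menu_items += ["Transport Routes", "Transport Requests", "Bundle Management"]

    # Tenant pairing: Transport Routes and "Save and Initiate Transport" need the
    # Instance Synch subset and MDF OData admin access, otherwise the pairing error.
    pairing_missing = (INSTANCE_PAIR_SET | {MDF_ODATA}) - granted
    if pairing_missing:
        result.errors["Transport Routes"] = PAIR_ERROR
        result.errors["Bundle: Save and Initiate Transport"] = PAIR_ERROR
        result.missing |= pairing_missing

    # Import History report was observed to depend mainly on MDF OData admin access.
    if MDF_ODATA not in granted:
        result.errors["Transport Requests > Import History"] = "Import History Report Failed"
        result.missing.add(MDF_ODATA)
    return result


if __name__ == "__main__":
    # Constructed example: a draft transport role that forgot the pairing permissions.
    draft = {VIEW, TRANSPORT}
    check = check_role(draft)
    for action, err in check.errors.items():
        print(f"{action}: {err}")
    print("add:", sorted(check.missing))
```

Running the draft role above lists the two pairing errors and the Import History failure and prints the four permissions to add; adding `MDF_ODATA` and the three Instance Synch entries yields a clean check. The model deliberately does not try to separate import from export, because the post found no RBP combination that does so.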
False friend:
It seemed quite reasonable that these two permissions would be required for Configuration Center.
- Miscellaneous Permissions -> ImportConfigRequest
- Miscellaneous Permissions -> TransportConfigRequest
Configuration Center worked well without them. We didn’t find a use case where those permissions were required.
Separate Importing from Exporting Permission
There was no successful setup that separated import permissions from export permissions. Even with all permissions under “Miscellaneous Permissions” set to View, there was no change in functionality, meaning importing and exporting were still allowed.
I compared the required permissions for both scenarios, Import and Export.
As per my understanding, importing bundles should not be allowed when the permission “Import Permission on Metadata Framework” is missing. This assumption was wrong: the import succeeded.
As mentioned before, setting the permissions under “Miscellaneous Permissions” to “View” still allows exporting bundles and initiating transports. To be fair, this was not tested for every object. On the other hand, I didn’t find a scenario where those permissions were required.
Cause: I’m not sure about the cause. Maybe I changed RBP too quickly, or our SF instance is not behaving as it should. Please let me know your experiences and findings in this area and share your comments below.
Conclusion
With the available RBP permissions it is possible to differentiate between viewing/downloading configurations and creating bundles. We were not able to find a way to define permissions more granularly so as to segregate export permission from import permission for Configuration Center. It is also not possible to restrict to which receiving tenant a bundle can be transported.
“Transport Routes” and “Initiate Bundle transport” both require the Manage Instance Synch permission, which makes it mandatory. From my point of view, the definition of transport routes could have been separated.
In general it is quite difficult and complex to understand the underlying dependencies in order to define Configuration Center roles as required. Therefore I could imagine that a permission trace functionality would be beneficial for everyone making heavy use of RBP:
https://influence.sap.com/sap/ino/#/idea/285996/
Result
Based on the analysis, this will be the starting point, with two different roles: one for viewing and downloading, the other for exporting and importing including bundle maintenance.
Role for Viewing / Downloading Configuration
- Access to view and download configurations
Role for Im-/Exporting configurations:
- Routing Maps
- Rating Scales
- Configure Object Definitions
- Import Permission on Metadata Framework
- Admin access to MDF OData API
- Sync Data Model
- Sync MDF Object Definitions
- Sync MDF Data
- Access to view and download configurations
- Access to transport configurations
- ConfigBundleDefinition.pathEntries (BundleDefinitionConfigNode): View / Import / Export
- ConfigBundleDefinition: View / Import / Export
- ImportBundle: View / Import / Export
- ImportBundle.expandedPathEntries (ImportBundleExpandedConfigNodes)
Next steps:
It will be interesting to see whether other object permissions will be required when selecting configurations from the configuration areas:
- Directory Search
- Employee Central
- People Profile
- Talent