SF Configuration Center RBP setup


Introduction

We would like to introduce the SuccessFactors Configuration Center for moving configuration changes through the SF HXM tenant landscape instead of doing it manually. The more tenants one has, the more useful Configuration Center becomes.

During setup we received requirements to define separate permissions for different functions:

  • downloading configurations
  • creating bundles and initiating transports
  • importing transports

In addition, there was a requirement to separate Configuration Center permissions in the SF productive instance: there should be a quality gate with a small dedicated group of users who transport to PROD only after the CAB meeting.

As Configuration Center was new to us, we wanted to check how granular its permissions are and whether they support segregation of duties. This is what we observed:

Permission Research

The starting point for setting up Configuration Center permissions was the List of Role-Based Permissions. The search gives the following result:

Configuration Center Basic Permissions

What we see is that two different permissions are available: one for downloading configurations (Access to view and download configurations) and another for transporting configurations to other tenants (Access to compare and transport configurations).

Remark: The List of Role-Based Permissions is always a good starting point, but it does not provide detailed information about the dependent permissions that transactions like Configuration Center may have.

Findings: The permission Access to compare and transport configurations by itself does not even allow opening the Configuration Center transaction in SuccessFactors. At least Access to view and download configurations is required to find the transaction in the search bar and open it.

View and Download Permission

Granting the Access to view and download configurations permission gives the expected result in Configuration Center:

The user is only allowed to download configurations and to see the corresponding download requests. The following menu items are accessible:

  • Configuration Activities (download only)
  • Download Requests

Transport Configuration Permission

Having granted both permissions, Access to compare and transport configurations and Access to view and download configurations, in one role:

Configuration Center Permissions

Configuration Center shows more menu items:

  • Configuration Activities (incl. Transport Mode)
  • Download Requests
  • Transport Routes
  • Transport Requests (incl. Exports | Imports | Import History)
  • Bundle Management

Potential Errors

Instance Pair RBP Permission Error

Transport Routes Error

Finding: The Transport Routes menu item requires an additional permission. Although it is visible, accessing it produces an error.

The same error message (INSTANCE_PAIR_RBP_PERMISSION_ERROR) can also appear when initiating a transport from a bundle (Save and Initiate Transport).

Solution: To pair the tenants with each other, the following permissions are required:

  • Configuration Center – Access to view and download configurations
  • Configuration Center – Access to compare and transport configurations
  • Manage Instance Synch – Select All
  • Metadata Framework – Admin access to MDF OData API

Remark: For our use case it seemed sufficient to select only the following entries under “Manage Instance Synch”

  • Manage Instance Synch -> Synch Data Model
  • Manage Instance Synch -> Sync MDF Object Definitions
  • Manage Instance Synch -> Sync MDF Data

to prevent the error from appearing, but there is no further information available on whether there are any side effects from not granting access to all objects.


Import History Report Failed

Executing the Import History report leads to the following error.

Import History Report Error

Solution: We observed that mainly the permission Metadata Framework -> Admin access to MDF OData API controls the ability to run the report successfully. Access to Configuration Center is obviously a prerequisite.


False friend:

It seemed quite reasonable that these two permissions would be required for Configuration Center:

  • Miscellaneous Permissions -> ImportConfigRequest
  • Miscellaneous Permissions -> TransportConfigRequest

Configuration Center worked well without them. We did not find a use case where these permissions were required.

Separate Importing from Exporting Permission

There was no successful setup that separated import permissions from export permissions. Even with all permissions under “Miscellaneous Permissions” set to View, there was no change in functionality; importing and exporting were still allowed.

I compared the required permissions for both scenarios, Import and Export.


Comparison Importing / Exporting

As per my understanding, importing bundles should not be allowed if the permission “Import Permission on Metadata Framework” is missing. This assumption was wrong: the import succeeded.

As mentioned before, setting the permissions under “Miscellaneous Permissions” to “View” still allows exporting bundles and initiating transports. To be fair, this was not tested for each object. On the other hand, I did not find a scenario where those permissions were required.

Cause: I’m not sure about the cause. It might be that I changed RBP too quickly, or that our SF instance is not behaving as it should. Please let me know your experiences and findings in this area and share your comments below.

Conclusion

With the available RBP permissions it is possible to differentiate between viewing and downloading configurations and creating bundles. We were not able to find a way to define permissions more granularly to segregate exporting from importing for Configuration Center. It is also not possible to restrict which receiving tenant a bundle can be transported to.

“Transport Routes” and “Initiate Bundle Transport” both require the Manage Instance Synch permission, which makes it mandatory. From my point of view, the definition of transport routes could have been separated.

In general, it is quite difficult and complex to understand the underlying dependencies in order to define Configuration Center roles as required. Therefore I could imagine that a permission trace functionality would be beneficial for everyone making heavy use of RBP:

https://influence.sap.com/sap/ino/#/idea/285996/

Result

With the analysis done, this will be the starting point, with two different roles: one for viewing and downloading, the other for exporting and importing, including bundle maintenance.

Role for Viewing / Downloading Configuration

Configuration Center

  • Access to view and download configurations

Role for Importing / Exporting Configurations

Manage Form Templates

  • Routing Maps
  • Rating Scales

Metadata Framework

  • Configure Object Definitions
  • Import Permission on Metadata Framework
  • Admin access to MDF OData API

Manage Instance Synchronization

  • Sync Data Model
  • Sync MDF Object Definitions
  • Sync MDF Data

Configuration Center

  • Access to view and download configurations
  • Access to transport configurations

Miscellaneous Permissions

  • ConfigBundleDefinition.pathEntries (BundleDefinitionConfigNode): View / Import / Export
  • ConfigBundleDefinition: View / Import / Export
  • ImportBundle: View / Import / Export
  • ImportBundle.expandedPathEntries (ImportBundleExpandedConfigNodes)
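To make the dependency findings checkable before a role is assigned, here is an added example of a small role lint, written for this post and not SAP code or part of the original. It encodes the permission sets observed above (the Instance Pair RBP Permission Error solution, the Import History finding, and the two resulting roles) and reports which grants a role is missing for each Configuration Center function, or which grants push a supposedly view-only role beyond viewing and downloading. The permission strings are written as the post lists them; the function names, the dependency table and the two sample roles are constructed from the post's observations only and are not an official SAP specification.

```python
# Added example: role-dependency lint for SuccessFactors Configuration Center RBP roles.
# Not SAP code. Permission names and dependency sets reflect only the observations in
# this post (constructed from it); function names and sample roles are hypothetical.

# Permission identifiers written as "<Category> -> <Permission>", as the post lists them.
VIEW_DOWNLOAD = "Configuration Center -> Access to view and download configurations"
TRANSPORT = "Configuration Center -> Access to compare and transport configurations"
SYNC_DATA_MODEL = "Manage Instance Synchronization -> Sync Data Model"
SYNC_MDF_OBJECTS = "Manage Instance Synchronization -> Sync MDF Object Definitions"
SYNC_MDF_DATA = "Manage Instance Synchronization -> Sync MDF Data"
MDF_ODATA_ADMIN = "Metadata Framework -> Admin access to MDF OData API"
MDF_IMPORT = "Metadata Framework -> Import Permission on Metadata Framework"
MDF_CONFIGURE = "Metadata Framework -> Configure Object Definitions"

# Grants observed to be needed before tenant pairing works without
# INSTANCE_PAIR_RBP_PERMISSION_ERROR (Transport Routes and Save and Initiate Transport).
PAIRING = {VIEW_DOWNLOAD, TRANSPORT, SYNC_DATA_MODEL, SYNC_MDF_OBJECTS,
           SYNC_MDF_DATA, MDF_ODATA_ADMIN}

# Observed dependency table: the grants each function needed in the post's tests.
REQUIREMENTS = {
    "open Configuration Center": {VIEW_DOWNLOAD},
    "download configuration": {VIEW_DOWNLOAD},
    "create bundle (transport mode)": {VIEW_DOWNLOAD, TRANSPORT},
    "Transport Routes (tenant pairing)": PAIRING,
    "initiate transport from bundle": PAIRING,
    "Import History report": {VIEW_DOWNLOAD, TRANSPORT, MDF_ODATA_ADMIN},
}

# Functions a pure view/download role is expected to enable (segregation-of-duties baseline).
VIEW_ONLY_FUNCTIONS = {"open Configuration Center", "download configuration"}


def missing_for(role_grants, function):
    """Return the sorted list of grants the role lacks for the given function."""
    return sorted(REQUIREMENTS[function] - set(role_grants))


def enabled_functions(role_grants):
    """Return the set of Configuration Center functions the role fully enables."""
    return {f for f in REQUIREMENTS if not missing_for(role_grants, f)}


def excess_grants(role_grants):
    """Grants that push a supposedly view-only role beyond viewing and downloading.

    Only grants that appear somewhere in the dependency table are considered, so
    permissions unrelated to Configuration Center are out of scope of this check.
    """
    relevant = set().union(*REQUIREMENTS.values())
    allowed = set().union(*(REQUIREMENTS[f] for f in VIEW_ONLY_FUNCTIONS))
    return sorted(g for g in role_grants if g in relevant and g not in allowed)


def lint(role_name, role_grants):
    """Human-readable report for one role: per function, OK or the missing grants."""
    lines = [f"Role {role_name}:"]
    for function in REQUIREMENTS:
        missing = missing_for(role_grants, function)
        status = "OK" if not missing else "missing " + ", ".join(missing)
        lines.append(f"  {function}: {status}")
    return "\n".join(lines)


# Constructed sample roles mirroring the two roles the post ends up with.
VIEW_ROLE = {VIEW_DOWNLOAD}
TRANSPORT_ROLE = PAIRING | {MDF_IMPORT, MDF_CONFIGURE}

if __name__ == "__main__":
    print(lint("Viewing / Downloading", VIEW_ROLE))
    print(lint("Importing / Exporting", TRANSPORT_ROLE))
    # The transport permission alone does not even open the transaction (first finding above).
    print(lint("transport-only (misconfigured)", {TRANSPORT}))
```

Running the script prints one report per role; a role that only carries the transport permission shows "missing" on every line, which reproduces the first finding of the post. The check is only as good as the dependency table, so extend `REQUIREMENTS` whenever a new error (for example from the configuration areas listed under Next steps) reveals another required grant.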

Next steps

It will be interesting to see whether other object permissions are required when selecting configurations from the configuration areas:

  • Directory Search
  • Employee Central
  • People Profile
  • Talent

Please share your comments, solutions, additions and improvements.