To get the SAP SuccessFactors (SF) integration up and running, we need user credentials. This means we need our customer to create a new user in SF with the minimal permissions required to fetch users.
New User
To start, go to the Admin Center and create a user (click Update User Information and Add New Employee).
The specific details don’t matter, but we recommend you set the user’s name to something like “Beekeeper Connector”.
Once the user has been created, go back to the Admin Center. We’re going to reset our new user’s password, so in the “Manage Employees” section, click “Reset User Passwords”. Search for our new user (as below), click “Search Users”.
Select the result you want (it’s an easily-missed radio bubble), and then enter in a new, secure (preferably auto-generated) password. Make sure you record the password to share with us later. You’ll also want to take note of the username of this user, which is conveniently available in the search.
If the process worked, you’ll see a message like “1 users passwords have been reset”, as below.
Permission Group
Now return to the Admin Center and click on Manage Employees > Set User Permissions > Manage Permission Groups.
Click “Create New” to make a new Permission Group. Name the permission group “Beekeeper Connector Permission Group” and assign it to the “Beekeeper Connector” user we created earlier.
Once you’re finished, click “Done” to create the Permission Group.
Permission Role
Finally, head back to the Admin Center and click on Manage Employees > Set User Permissions > Manage Permission Roles. On that page, click “Create New” and name your role “Beekeeper Connector Permission Role”, as below.
You will first need to enable API usage. To do so, click “Permission..” and grant the following permission:
Manage Integration Tools(under Administrator Permissions) > Admin access to OData API
Please note that the permission “Admin access to OData API” has a misleading name: It only enables the use of the API. It will NOT grant access to any data by itself, and you will still have to explicitly grant access to users and user profile fields to be able to fetch that data through the API, as well as to any other entities like Payroll or other. The permissions required are:
- Admin access to MDF OData API: The MDF permission allows us to track modification dates of metadata fields, which enables partial synchronization.
-
For the integration to work, you will need to grant at least “Employee Central Effective Dated Entities > Personal Information Actions (View Current) and Employee Data > Biographical Information ” permissions as access to the current values of all the fields that you would like to be synchronized to Beekeeper, for example:
- Employee Central Effective Dated Entities > Last Name (View Current)
- Employee Data > Original Start Date (View)
- Employee Central Effective Dated Entities > Last Name (View Current)
- Employee Data > Termination Date (View)
In the end, the permissions should look something like this, depending on which fields are needed:
Now, under “Grant this role to…”, click “Add…” to associate our Permission Group to our Permission Role.
Click “Select…” and select “Beekeeper Connector Permission Group”. Then hit Done on both screens.
Finally, click “Save Changes”.
Password Expiration Settings (Recommended)
This step is optional but recommended to ensure uninterrupted synchronisation. Once you have created a successful SAP user for Beekeeper, you can extend the default password expiration time.
The first step is to type "password" in the search bar.
Next click on the button "Add" in the "Set API login extensions..."
Then select the Beekeeper username created in SAP to fetch the data. In our particular case it's 103223, but in your system this should be a different number.
The parameter Maximum password age is calculated in days. Here you can type for example 365 (a year). Finally set the IP range to 1.1.1.1-255.255.255.255 (our IP range is dynamic so you should specify the entire range).
Finally, click on "Save & Close" in order to save the password settings.
And now you’re good to go!
What should I send to Beekeeper?
Beekeeper needs a few credentials to connect to SAP:
- The username of the Beekeeper Connector user
- The password for the Beekeeper Connector user
- Your SAP Company ID
- The API URL used to connect to the SuccessFactors instance (e.g. https://apisalesdemo4.successfactors.com)
Uninstalling the SAP SuccessFactors Integration
If the app is uninstalled in Beekeeper, you should also revoke the permissions of the Beekeeper Connector Permission Role that we created in SAP.
Important Notice:
Access to APIs based on HTTP Basic Authentication will reach end of maintenance on May 26, 2023 and will be deleted on November 20, 2026.
Comments
0 comments
Please sign in to leave a comment.