SAP SuccessFactors
HRIS Service User Setup
Overview
In this article, we will be covering the steps needed to create a new User in SAP SuccessFactors, and limiting the permissions / scope to what is required for the use case of the company you are linking to!
Step 1: Create a new Super Admin User that will be used to link
Follow to create a Super Admin user in your system that will have limited permissions / scope for the use case you are linking for.
Step 2: Create a new Permission Group
Search up "Manage Permission Groups" in your search bar to navigate to the Permission Groups page.
Expand to see full image
You will need to click "Create New" to create a new Permission Group for the linking flow.
You can name the "Group Name" something along the lines of "Integrations Linking" to track that this Permission Group is for this specific connection.
The User Type needs to be "Employee", and the "Choose Group Members" should include the User you created in Step 1.
You do not need to input anything in regards to the Exclude Section, or the Granted Permission Roles at this time.
Click "Done" to create and save this Permission Group.
Step 3: Create Permission Role with Proper Permissions
Search up "Manager Permission Roles" in your search bar to navigate to the Permission Role page.
Exand to see full image
Part 1: Name the Permission Group
Expand to see full image
Part 2: Identify and Select the Permissions that matter for the use case you are trying to achieve
Click "Permissions" to open available User and Admin Privileges available.
REQUIRED FOR GENERAL AUTHENTICATION:
Manage Integration Tools - Access to "Manage OAuth2 Client Applications", "Manager OData API Basic Authentication", and all API + OData related pieces
This will be category agnostic, and just required for the general API authentication.
Exand to see full image
General User Permission - User Login is required to ensure that you're able to login to integrate
Exand to see full image
HRIS Permissions:
Employee Data - this allows for View Access to Employee Information
Exand to see full image
Employee Central API, Employee Central Import Settings,
Exand to see full image
Part 3: Granting Permission Role to the created Permission Group
Click "Add" to add the Permission Group created in Step 2. You can search for the name of that Group, select it, and then press "Done"
Exand to see full image
Now you should save these changes as you're all set! You just need to login into the User's SAP account and generate the Client Credentials, which is described below.
Now we will go through the full Linking Flow from within the Service User's Account!
Step 4: Find your SAP SuccessFactors API Server URL
1. To find your API Server URL, go to this .
2. In the listed API Server URLs, search for the environment that matches your subdomain. For example, if your domain was https://salesdemo4.successfactors.com, search for salesdemo4.
Expand to see full image
If you are unsure what your API Server URL is, or are having trouble connecting, we recommend reaching out to your SAP Support team to obtain your API Server URL.
If you are using the our sandbox, please enter: api68sales.successfactors.com
3. Copy the entire URL.
In this example, it would be: apisalesdemo4.successfactors.com
4. Enter your SAP SuccessFactors API Server URL into the integration authorization component as shown below:
Step 5: Find your SAP Username and Company ID
1. To find your SAP SuccessFactors username, go to the upper right hand side and click on your profile image to view your username.
This will be the Username for the Service User you created in the first part of this guide!
Expand to see full image
2. To find your SAP SuccessFactors Company ID, in the same dropdown menu, click "Show version information." Locate Company ID in the modal that pops up:
Expand to see full image
3. Once you obtain your username (not email) and company ID, enter them in the linking flow as shown:
Expand to see full image
Step 6: Find your SAP SuccessFactors Client ID and Secret
1. In your Admin Center, go to Tools, and search Manage OAuth2 Client Applications (If your page looks different, search for Manage OAuth2Client Applications in the search tool on your homepage).
Expand to see full image
2. Click Register Client Application.
Expand to see full image
3. Fill out Application Name & Application URL (what actually goes in these fields is not important, except that the URL has to begin with https://).
Expand to see full image
4. Click Generate X.509 Certificate. Fill out Common Name (name doesn't matter) and hit Generate.
5. Once the certificate populates, download and save it. You will have downloaded a file called Certificate.pem.
Expand to see full image
6. Click Register (it will have replaced the Generate button).
7. Back on your Manage OAuth2 Client Applications, go to the application you just created and click Edit.
Expand to see full image
8. You will now see an API key listed - this is your Client ID. Copy and save this Key.
Expand to see full image
9. Open up the "Certificate.pem" file that you downloaded previously in a text editor.
The string between:
——BEGIN ENCRYPTED PRIVATE KEY——
and
—— END ENCRYPTED PRIVATE KEY——
is your Client Secret. Copy the Client Secret and save.
Expand to see full image
10. Enter your Client ID and Secret into the integration authorization component as shown below:
Expand to see full image
Process complete! 🎉
Additional Resources
Did this article help? 
Want to print your doc?
This is not the way.
This is not the way.
Try clicking the ⋯ next to your doc name or using a keyboard shortcut (
CtrlP
) instead.