SAP Knowledge Base Article - Public

2434120 - Report Table Report Row/Field/Cell Permissions for Employee Profile

Symptom

This document explains how Row/Field/Cell Permissions apply to Report Table reports on the Employee Profile domain.

Environment

  • SAP SuccessFactors HCM Suite
  • Report Table (Ad Hoc Report) on Employee Profile domain

Resolution

Important Remarks:

  • Cell level permissions only apply to output data, not filter values.
  • The cell/field level permission applies only to Employee Profile fields. For example, in a Compensation domain (e.g. Compensation Planning) the cell/field level permission applies only to the first & last name (EP data), not to compensation fields (e.g. Current Salary).
  • The Employee Profile data depends on what is configured in the data model for Employee Profile.

There are three types of permissions applied to Report Table reports:

  • Row Level Permission (Implicit based on Report Scope)
  • Field Level Permission (Must be enabled via Provisioning)
  • Cell Level Permission (Must be enabled via Provisioning)

Row Level Permission

Row Level Permission determines which records of data a user has access to. This is generally defined by the Target Population of RBP, though there are other sharing concepts (such as Public Goals) which define this access. If a user is determined to have no access to a row, the row will not appear when they view an Ad Hoc report.

NOTE: Row Level Permission is implicitly applied to Ad Hoc reports based on the Scope defined in the report definition.

For example, in this role the Target Population is defined as the “Regular Employees” group.

Any reports run by users who are assigned this role will contain records for all employees in the “Regular Employees” group.

Field Level Permission

Field Level Permission defines whether a field is accessible for reporting. This is defined by the User View Permissions in RBP. A user is defined as not having permission to a particular field if the union of all their roles has no view access for that field to any target population.

If a user is determined to have no access to a Field then:

  • When creating a Report Table report the field is greyed out, and cannot be selected (Note: This is the key difference between Field & Cell Level Permissions)
  • When viewing a Report Table report the field is visible, however no data is shown

NOTE: Field Level Permission is only applied if the appropriate “Enable Field Level Permission” setting is enabled via Provisioning (and then it only applies to supported Report Table reports)

For example, in this role the User Permission is defined to Exclude access to the Gender field.

Any user who is assigned this role (and has no other role granting Gender access) will:

  • See the Gender field greyed out (not selectable) when creating Report Table reports

  • See no data within the field when running Report Table reports which contain Gender (the field will be in the report, but empty)

Cell Level Permission

Cell Level Permission defines whether a particular cell (intersection of Row/Field) is accessible for reporting. This is defined by a combination of the User View Permissions and Target Population in RBP. A user is defined as not having permission to a particular cell if the union of all their roles has no view access for the given field to the specific population. If a user is determined to have no access to a cell, then when viewing a Report Table report the field is visible, but no data is shown in the cell.

NOTE: Cell Level Permission is only applied if the appropriate “Enable Cell Level Permission” setting is enabled via Provisioning (and then it only applies to supported Report Table Domains)

For example, in this case the Users assigned the two Roles below (Role1 & Role2) will see Gender data for their Direct Subordinates Only based on the combination of the selection done via the User View Permissions and Target Population in RBP.

  • Role 1: Exclude Gender access to Regular Employees via the User View Permissions and Target population to regular employees.

  • Role 2: Include Gender access via the User View Permissions and Target population to All Direct Reports.

  • Any user who is assigned these two roles will see Gender data for their Direct Reports Only. (e.g. in this case the Manager has 7 direct reports)
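
The union-of-roles evaluation described above, as a simplified model added here for illustration (it is not SAP code and not how SuccessFactors is implemented). The role contents, field names and employee IDs are constructed, and row scope is assumed to be the union of the roles' target populations.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Role:
    name: str
    target_population: frozenset  # user IDs the role is granted over
    view_fields: frozenset        # EP fields with User View Permission

def visible_rows(roles):
    # Row level (assumption: union of all roles' target populations).
    return frozenset().union(*(r.target_population for r in roles))

def field_selectable(roles, field):
    # Field level: denied only if no role grants view access to the field
    # for any target population.
    return any(field in r.view_fields and len(r.target_population) > 0 for r in roles)

def cell_visible(roles, field, user_id):
    # Cell level: some role must grant the field for this specific user.
    return any(field in r.view_fields and user_id in r.target_population for r in roles)

def run_report(roles, fields, records):
    rows = []
    for uid in sorted(u for u in visible_rows(roles) if u in records):
        row = {"user": uid}
        for f in fields:
            # The field stays in the report; the cell is blank without permission.
            row[f] = records[uid][f] if cell_visible(roles, f, uid) else ""
        rows.append(row)
    return rows

# Constructed sample data: five regular employees, two of whom report
# directly to the manager running the report.
RECORDS = {f"e{i}": {"lastName": f"Name{i}", "gender": g}
           for i, g in enumerate(["F", "M", "F", "M", "F"], start=1)}
REGULAR = frozenset(RECORDS)
DIRECTS = frozenset({"e1", "e2"})
ROLE1 = Role("Role1", REGULAR, frozenset({"lastName"}))            # Gender excluded
ROLE2 = Role("Role2", DIRECTS, frozenset({"lastName", "gender"}))  # Gender included

if __name__ == "__main__":
    for row in run_report([ROLE1, ROLE2], ["lastName", "gender"], RECORDS):
        print(row)
```

With Role1 alone the Gender field is not selectable and every Gender cell is blank; adding Role2 makes the field selectable but fills it only for the two direct reports, which is the behaviour to verify when reviewing a role combination.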

The below provisioning switches will enable the functions for the respective domains.

Employee Profile

  • Enable Ad Hoc Field Level Permission (Employee Profile Only)
    • With this switch enabled, a user is defined as not having permission to a particular field if the union of all their roles has no view access for that field to any target population.
  • Enable Ad Hoc Cell Level Permission (Employee Profile Only)
    • With this switch enabled, a user will only see the data they have permission to see, based on the union of all of their roles and only their target population. For example, if role A does not have permission to Gender with a target population of "All" and role B does have permission to Gender with a target population of "Direct Reports", then the report will only show data for Gender where the results are direct reports.

All Sub domain Schemas

  • Enable Field Level Permission for data model elements (in all Sub domain schemas)
    • With this switch enabled, a user is defined as not having permission to a particular EP field that may appear in another domain (e.g. Performance Management, Compensation Planning) if the union of their roles has no view access for that field to any target population. N.B. The Enable Report Table Field Level Permission (Employee Profile Only) also needs to be turned on.
  • Enable Cell Level Permission for data model elements (in all Sub domain schemas)
    • With this switch enabled, a user will only see the EP data in other schemas (e.g. Performance Management, Compensation Planning) that they have permission to see, based on their view permissions and target population. N.B. The Enable Report Table Cell Level Permission (Employee Profile Only) also needs to be turned on.

Note:

  • For the tick boxes that say “Employee Profile Only”, this means that only the EP schema will have field/cell level permissions applied.
  • For the ones that say “All Sub Domain Schemas”, this means that when the EP fields appear in other schemas, such as opening the Performance Domain and seeing User Information that is coming from EP, the field & cell level permissions will be applied there too.

N.B. Our recommendation is that the four options above are used so that the decided restriction is reflected on the EP fields across all Report Table Report Domains.

Further information is also available from the Permissions applied to Report Table reports guide available on the Help Portal.

See Also

Cell Level permission for Person and Employment Info (as of date)

If you would like to restrict Cell Level permission for the Person and Employment Info (as of date) domain, including compensation information, please refer to the Role-Based Permissions > Cell Level Permissions section of the KBA 2080162 - Employee Central: Ad Hoc Report Types Explained.

Keywords

Report Table, Row, Field, Cell, Permissions, rbp, role based permission, role-based, Field Level Permission, Cell Level Permission , KBA , LOD-SF-ANA-RBP , Roles & Permissions , LOD-SF-EP-REP , Ad Hoc Report (Employee Profile) , LOD-SF-EC-REP , Reporting Data (EC core only) , LOD-SF-GM-REP , Reporting and Data Imports Exports , LOD-SF-PM-REP , Reporting & Analytics, Data Imports & Exports , LOD-SF-CMP-REP , Reporting & Analytics, Data Imports & Exports , LOD-SF-RCM-REP , Reporting & Analytics, Data Imports & Exports , LOD-SF-SCM-REP , Reporting and Data Imports Exports , How To

Product

SAP SuccessFactors HXM Suite all versions