2434120 - Ad Hoc Report Row/Field/Cell Permissions

SAP Knowledge Base Article - Public

2434120 - Ad Hoc Report Row/Field/Cell Permissions

Symptom

This document explains how the Row/Field/Cell Permissions applies to Ad Hoc Reports.

There are three types of permissions applied to Ad Hoc reports

  • Row Level Permission (Implicit based on Report Scope)
  • Field Level Permission (Must be enabled via Provisioning)
  • Cell Level Permission (Must be enabled via Provisioning)

Row Level Permission

Row Level Permission determines which records of data a user has access to. This is generally defined by the Target Population of RBP, though there are other sharing concepts (such as Public Goals) which define this access.

If a user is determined to have no access to a Row then when viewing an Ad Hoc report the row will not appear.

NOTE: Row Level Permission is implicitly applied to Ad Hoc reports based on the Scope defined in the report definition.

For example, in this role the Target Population is defined as the “Regular Employees” group.

Grant this role to.jpg

Any reports run by users who are assigned this role will contain records for all employees in the “Regular Employees” group.

Row report result.jpg

Field Level Permission

Field Level Permission defines whether a field is accessible for reporting. This is defined by the User View Permissions in RBP. A user is defined as not having permission to a particular field if a union of all their roles has no view access for a given field to any target population.

If a user is determined to have no access to a Field then:

  • When creating an Ad Hoc report the field is greyed out, and cannot be selected (Note: This is the key difference between Field & Cell Level Permissions)
  • When viewing an Ad Hoc report the field is visible, however no data is shown

NOTE: Field Level Permission is only applied if the appropriate “Enable Field Level Permission” setting is enabled via Provisioning (and then it only applies to supported Ad Hoc Domains)

For example, in this role the User Permission is defined to Exclude access to the Gender field.

 Permission settings.jpg

Any user who is assigned this role (and has no other role granting Gender access) will:

  • See the Gender field greyed out (not selectable) when creating Ad Hoc reports
    • New Report created after EP field switch is turned on1.jp
  • Won’t see any data within the field when running Ad Hoc reports which contain Gender (field will be in report, but empty)
    • Report result for report created before EP field switch i

Cell Level Permission

Cell Level Permission defines whether a particular cell (intersection of Row/Field) is accessible for reporting. This is defined by a combination the User View Permissions and Target Population in RBP. A user is defined as not having permission to a particular cell if a union of all their roles has no view access for the given field to the specific population.

If a user is determined to have no access to a Cell then when viewing an Ad Hoc report the field is visible, however no data is shown in the cell.

NOTE: Cell Level Permission is only applied if the appropriate “Enable Cell Level Permission” setting is enabled via Provisioning (and then it only applies to supported Ad Hoc Domains)

For example, in this case the Users assigned the two Roles below (Role1 & Role2) will see Gender data for their Direct Subordinates Only based on the combination of the selection done via the User View Permissions and Target Population in RBP.

  • Role 1: Exclude Gender access to Regular Employees via the User View Permissions and Target population to regular employees.

Exclude Gender access to Regular Employees.jpg

  • Role 2: Include Gender access via the User View Permissions and Target population to All Direct Reports.

Cell level permission.jpg

  • Any user who is assigned these two roles will see Gender data for their Direct Reports Only. (e.g. in this case the Manager has 7 direct reports)
    • Cell level permission result.jpg

Important Remarks:

  • Cell level permissions only apply to output data, not filter values.
  • The cell/field level permission applies only to Employee Profile fields. E.g. for Compensation domain the cell/field level permission applies only for the first & last name (EP data) but not to salary (compensation data).
  • The employee profile data is depending on what is configured in the data model for employee profile.

Environment

  • SAP SuccessFactors HCM Core
  • Ad Hoc Report
  • Analytics & Reporting

See Also

The below provisioning switches*, if selected, will enable the functions for the respective domains.

  • Enable Ad Hoc Field Level Permission (Employee Profile Only)
  • Enable Ad Hoc Cell Level Permission (Employee Profile Only)
  • Enable Field Level Permission for data model elements (in all Sub domain schemas)
  • Enable Cell Level Permission for data model elements (in all Sub domain schemas)

Note:

  • For the tick boxes that say “Employee Profile Only” this means that only the EP schema will have field/cell level permissions applied.
  • For the one with “All Sub Domain Schemas” means when the EP fields appear in other schemas, such as opening the Performance Domain and seeing User Information that is coming from EP, the field & cell level permissions will also be applied there too.

Our recommendation is that the option “All Sub Domain Schemas” is used so that the decided restriction is reflected on the EP fields across all Ad hoc Report Domains.

*switches available from Provisioning - Company Settings

Further information is also available from the Permissions applied to Ad Hoc reports guide available on the Help Portal.

Keywords

Ad Hoc Report, adhoc, Row, Field, Cell, Permissions, rbp, role based permission, role-based, Field Level Permission, Cell Level Permission , KBA , LOD-SF-ANA-RBP , Roles & Permissions , LOD-SF-EP-REP , Reporting , LOD-SF-EC-REP , Reporting Data , LOD-SF-GM-REP , Reporting and Data Imports Exports , LOD-SF-PM-REP , Reporting & Analytics, Data Imports & Exports , LOD-SF-CMP-REP , Reporting & Analytics, Data Imports & Exports , LOD-SF-RCM-REP , Reporting & Analytics, Data Imports & Exports , LOD-SF-SCM-REP , Reporting and Data Imports Exports , How To

Product

SAP SuccessFactors HCM Core all versions