SAP Knowledge Base Article - Public

2783879 - Configuring Item Level Domain Restriction for Administrators

Symptom

  • In SuccessFactors Learning Management System (LMS) there are scenarios in which administrators only need access to items and schedule offerings in their region or country.
  • Many times ownership of data is with the LMS Administrators and is dependent upon Domain Structure, Domain Restrictions & Roles.
    • This KB article describes how to configure this structure within SAP SuccessFactors LMS.
    • After reading this article you will be able to tell what are domains, Domain Restrictions, Roles and different types of administrators, as well as how to configure these in LMS.
    • This article also focuses on defining and configuring various workflow and entity restrictions so only restricted (Country specific) items and schedule offerings are visible.

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

Environment

SAP SuccessFactors Learning Management System

Resolution

Setting up Item level domain restrictions in LMS require decision making on following-

  1. Domain Structure
  2. Domain Restriction
  3. Roles
  4. Admin 

Domain Structure

Domains are the foundation of SAP SuccessFactors Learning Admin security structure. Domains sometimes represent the organization hierarchy & defined to control the edit, view & delete authorizations of administrators. Most of the entities defined in SuccessFactors LMS are domain able & Administrator security is managed via giving access to only required domains.

Example: an organization ABC Corp has its presence in North America Region. Within North America resides two countries like Canada & USA. Within the USA exists ABC USA HR & ABC USA Marketing. Now the Business wants that Administrators from USA domain should not be able to Edit, view & delete data (Items, Schedule Offerings) from ABC Canada domain. Another requirement is the Admin from ABC –USA HR & ABC-USA-MARKETING should only be able to search & view users in their respective domain.

1.png

  • ABC Corp North America will be at the Root level. System Administrators who have access to domains, roles, Create Admins, etc. can be defined in this domain.
  • ABC Canada & ABC USA will be at level 1 & all the items, Curricula, Schedule offerings, content, tasks Management & Programs can be defined in these two domains.
  • Level2 Domains administrators will only view the User Records.
  • All Administrators will have access to create, edit & view Public domain entities.

Now create this domain tree in SuccessFactors LMS

  1. To create a domain, go to login to SuccessFactors LMS & Go to System Admin Tab > Security >Domains.
  2. Click on Add New:

2.png

  1. Enter Domain ID & Description in add root level domain then click add & Apply Changes.

3.png

4.png

  1. Root Level Domain ABC Corporation is created.
  2. Click on domain types & select all:

5.png

  1. All entities will be added to this domain as administrator should be able to create, edit & view all entities.

Now create Subdomains

  1. Select Add subdomains & choose parent domain.
  2. Provide subdomain id ABC Canada & description ABC Canada.
  3. Click add.

6.png

  1.  Assign the following Domain Types to these two subdomains ABC Canada & ABC USA.

7.png

  1. Similarly, create other three Level 2 Sub Domains ABC-USA-HR & ABC-USA-Marketing.

8.png

  1. Assign following domain types to Level 2 Domains.

9.png

Domain Restrictions

A domain restriction restricts the administrator access to the list of domains. For Example, in the given scenario ABC Corp North America Admin will have access to all domains defined (typically system admin Role – Yellow line). ABC USA Admin will have restriction & will have access to above define entities plus ABC USA & Sub-domains ABC-USA-HR domain & ABC-USA-Marketing Domains (Green line). ABC Canada & ABC USA will have similar roles with restriction to ABC Canada & ABC USA Domain restriction. ABC-USA-HR ABC-USA-Marketing (Red Line) will have same similar role with domain restriction and will view only users

10.png

To create domain restriction

  1. Go to System Admin > Security > Domain Restrictions > Add New:

11.png

  1. The following screen will appear. Enter Domain Restriction Id, Description & Choose domain.

12.png

  1. Now Select the domains for ABC USA (Same as USA Canada) & Add.
  2. Similarly, create domain restriction for other domains. Following Domains Restrictions are added.

13.png

Role Management

A security role is a collection of rules, restrictions, workflows, and domains that you can assign to administrators. Roles are created for a group which shares same domain, entities, workflow & domain restrictions. For Example, ABC Corp North America admin can add programs to ABC Canada & ABC USA. According to the scenario we need to create the following Roles.

  • ABC CORP North America System Administrator Role (ABC Corp North America -Access to all domains & Workflows)
  • ABC- Canada Administrator Role (Domain restriction -Canada)
  • ABC –USA Administrator Role (Domain Restriction – ABC-USA & all Sub Domains)
  • ABC-USA-HR & ABC-USA-Marketing Admin User Role (Domain Restriction – ABC-USA-HR & ABC-USA-Marketing)
  • ABC CORP North America System Administrator Role – To create this Role go to System Admin > Security > Role Management > Add New. 

14.png

The following screen will appear

  1. Enter Role ID, Description, Select Domain as ABC Corp & Role type as admin.
  2. Click Add.

15.png

  1. As per the scenario, this role will have access to all domains & all workflows.
  2. Select all workflows & click add.

16.png

ABC –USA Administrator Role

 17_new.png

18.png

 19.png

Admin Management

After creating & applying domain restriction administrators need to be created. As per the scenario, Following administrators should be created:

  • System Administrator ABC-North America
  • Administrator ABC-USA
  • Administrator ABC-USA-HR
  • Administrator ABC-USA-Marketing

To create Admins:

  1. Go to System Admin > Application Admin > Admin Management > ADD
  2. Enter Admin ID, Last Name, First Name, Domain & password.

20.png

  1. The next step is to apply roles Go to Assigned Roles > select ABC Corp North America System Administrator, then click add.

21.png

22.png

  1. ABC Corp North America system administrator has access to all Tabs.

23.png

  1. Let’s check for Administrator ABC-USA. He has limited access to System Administration & no access to performance tabs. This will be similar in case of Administrator ABC-Canada.

24.png

  1. Let’s check for Administrator ABC-USA-HR. Admin has access to only search & view Users. 

25.png

  1. Now let’s see  ABC-USA Administrator can see the items in domain ABC-USA & ABC-USA-HR.

26.png

  1. ABC-North America Sys admin can see items from other domains.

27.png

  1. Admin-USA-HR can only search & view user records from Public & ABC-USA-HR Domain.

28.png

  • In conclusion, if the organization is small, then defining one domain can serve the purpose (apart from PUBLIC Domain). The key is to keep the domain structure simple.
  • After reading this you can easily map Domain structure, Domain Restrictions, Roles, different type of Administrators. 

Keywords

SF, success factors, LMS, Configuring Item Level Domain Restriction, Roles, Administrators, Admin, Structure , KBA , LOD-SF-LMS-ADM , Admin Tools , How To

Product

SAP SuccessFactors Learning all versions