In the earlier blog SAP Jam Integration to S&OP on Cloud, the configuration steps to enable the integration of S&OP 3.0/IBP 4.0 to JAM collaboration have been described using the old permission framework provided with SAP SuccessFactors (SF).
In addition, there is another authorization framework provided by SF which is called the Role-Based Permission (RBP) framework. You can read up the RBP details in this blog SuccessFactors: all you need to know about Authorizations and Security. For new customer who have subscribed to the SAP IBP on Cloud, it is likely that the provisioned SF instance may be delivered with this RBP framework.
In this blog, I will describe the configuration steps that you can followed to setup the SF using this authorization framework for the IBP collaboration with JAM.
One assumption is made here – you have already received the SF Company and Administrator User information from SAP.
1. Logon your SF cloud instance using the SF Administrator User ID (SFADMIN).
2. On the SF administration top menu, select ‘Admin Center‘ and the OneAdmin screen will be displayed. The OneAdmin screen is where the user, role and permission objects will be created and maintained.
3. Check that the JAM is provisioned with the SF Instance. Click the ‘Admin Center’ top menu and expand the drop-down list to confirm the existence of the ‘Jam’ entry. If you cannot locate this entry (i.e. the SFADMIN user has no access into JAM yet), please create an incident reporting to the JAM support team under the component ‘LOD-SF-JAM’.
4. Create the SF user for JAM collaboration. Under ‘Manage Employees’ screen section, click on the ‘Update User Information’ icon and select ‘Manage Users‘ menu entry.
(a). On the Manage Users screen, there are various options (Add New User manually or the Export/Import Users) available to ease the creation of the user data. You can use the ‘Export Users’ function to download existing user to understand how the data file should be populated for uploading. The ‘Email’ column is the important one because the email address is used for the integration between the IBP and JAM.
5. Create a Permission Group to include the SF user whom is required for the IBP collaboration. Under ‘Manage Employees’ screen section, click on the ‘Set User Permissions’ icon and select ‘Manage Permission Groups’ menu entry.
6. On the Manage Permission Groups screen, click on the ‘Create New’ button to add a new group.
(a). On the Permission Group screen, provide a name for the Group (e.g. JAM Access). Pick the ‘Username‘ from the pull down category to search from the People Pool. You can also used other category to search for the required user.
(b). On the Search and Select Items screen, use the search function to include the user name that are required.
(c). The final result should be a completed permission group assigned with relevant username. The Active Group membership number indicated how many user are included in the group. The Granted Permission Roles tab is still empty at this step because no role has been assigned yet.
7. Create a JAM role for SF user assignment. The role will allows SF user to have access into the JAM instance. Under ‘Manage Employees’ screen section, click on the ‘Set User Permissions’ icon and select ‘Manage Permission Roles’ menu entry.
(a). On the Permission Role List screen, click on the ‘Create New’ button to add a new role.
(b). On the Permission Role Detail screen, provide a role name (e.g. JAM Access) and description (e.g. JAM Access for IBP User). Next, you need to select the allowable permissions for the user. For simplicity as a guide here, it is alright to select all the checkboxes under the User Permissions section (outlined in red box below) for the non-administrative SF user.
(c). To enable JAM access, that permission is included in the General User Permission section and you need to flag the checkbox ‘JAM Access’ mandatory.
(d). Finally, you need to grant the role to the permission group you have created from Step 6.
8. You can verify the permission group has been assigned correctly with the JAM role that was previously missing in Step 6(c).
By completing all the steps above, you are ready to enable the IBP collaboration by providing the email address of the SF user ID to the corresponding IBP application user ID. For IBP release 5.0 and higher, the email address is maintained in the SU01 user management – communication section.