# SAP SuccessFactors

### Overview

The Veza integration for SAP SuccessFactors connects to a SAP SuccessFactors environment to discover and map employee identities, relationships, and access permissions. The integration provides visibility into your organization's workforce and role-based access controls.

The integration supports:

* Employee data synchronization for Lifecycle Management and mapping of organizational structures (Cost Centers, Departments)
* Role-based permission discovery, including roles, dynamic groups, and detailed permission extraction

### Requirements

#### Prerequisites

* SAP SuccessFactors environment
* Administrator account with appropriate permissions (see [Required Permissions](#required-permissions))
* Network [connectivity](/4yItIzMvkpAvMVFAamTf/integrations/connectivity.md) from Veza to your SAP SuccessFactors instance

#### Required Permissions

**For HRIS Template:**

* Basic employee data access permissions
* Access to organizational structure data (Cost Centers, Departments)

**For Application Template (in addition to HRIS permissions):**

* **RBP role view permissions** for RBPRole and RBPRule endpoints
* **Dynamic Group Definition Report functionality** enabled for DynamicGroupDefinition access

{% hint style="warning" %}
If you encounter `[COE0020] RBP role view permission is required` errors when accessing RBPRole & RBPRule endpoints, contact your SuccessFactors administrator to grant the necessary role view permissions.
{% endhint %}

The integration uses the following SAP SuccessFactors API endpoints:

**HRIS Template:**

* `/odata/v2/PerPerson` - Employee data and organizational relationships

**Application Template:**

* `/odata/v2/RBPRole` - Role definitions and rule associations
* `/odata/v2/RBPRule` - Rules connecting roles to dynamic groups
* `/odata/v2/getRolesPermissions` - Detailed role permission data
* `/odata/v2/getUsersByDynamicGroup` - User assignments to groups

### Configuring SAP SuccessFactors

Veza collects information from SAP SuccessFactors by calling the REST API of the SuccessFactors instance. Before adding the integration to Veza, [register an OAuth2 client application on SuccessFactors](https://help.sap.com/docs/successfactors-platform/sap-successfactors-api-reference-guide-odata-v2/registering-your-oauth2-client-application).

1. Log in to the SAP SuccessFactors platform as an administrator.
2. Navigate to **Admin Center -> API Center -> OAuth Configuration for OData** and click **Register Client Application**.
3. Provide the following information to create an API app:
   1. **Company Name**: The name of your company (prefilled from the company instance you are currently logged in to).
   2. **Application Name**: A unique name for your OAuth client.
   3. **Application URL**: A unique URL of the page that the client wants to display to the end user. This field is required by SAP but doesn't affect the integration functionality.
   4. **X.509 Certificate**: The certificate for the public/private key pair used in the OAuth 2.0 authentication process.
4. Click **Register** to save the registration.
5. View the details of the registered application and securely store the **API key**.

### Configuring SAP SuccessFactors on the Veza Platform

To enable Veza to gather employee metadata and access permissions:

1. Log in to Veza as an administrator.
2. Navigate to the **Integrations** page.
3. Click **Add New** and select **SAP SuccessFactors** as the type of integration to add.
4. **Select the appropriate template:**
   * **HRIS**: For employee data and organizational structures only
   * **Application**: For role-based permissions (requires additional SuccessFactors permissions)
5. Enter the required information:
   1. **Service Url**: The URL of your SAP SuccessFactors instance (e.g., `https://api4preview.sapsf.com/`)
   2. **User ID**: The username of the administrator account.
   3. **Company ID**: The name of your company, same as the Company Name above.
   4. **Client ID**: The API key of your application.
   5. **Private Key**: The private key file for the X.509 certificate provided above.
6. Click **Save** to create the integration.

{% hint style="info" %}
**Template Selection**: The template you choose determines what data is extracted:

* **HRIS Template**: Extracts employee records, cost centers, and departments for Lifecycle Management
* **Application Template**: Extracts users, roles, permissions, and dynamic groups for access reviews

You can create separate integrations with different templates if you need both types of data.
{% endhint %}

### Verifying Integration Status

After configuring the integration:

1. Navigate to the **Integrations** page in Veza.
2. Locate the SAP SuccessFactors integration in the list.
3. Check the **Status** column to confirm the integration is connected.
4. Click on the integration to view detailed extraction status on the **Data Sources** tab.
5. After a successful extraction, check the **Integration Overview** to verify that employee data appears in Veza Graph as expected.

### Technical Notes

#### Authentication

The Veza integration for SAP SuccessFactors uses OAuth2 to authenticate to the SuccessFactors instance.

#### Data Synchronization

Data from SAP SuccessFactors is synchronized on a scheduled basis. The integration performs an initial full extraction when first configured, followed by incremental updates based on your Veza platform's configured [sync schedule](/4yItIzMvkpAvMVFAamTf/integrations/configuration/extraction.md).

Permission data is retrieved in XML format and parsed to extract detailed field permissions, object permissions, and permission units for comprehensive access analysis.

### Supported Entities and Attributes

The Veza integration for SAP SuccessFactors discovers the following entities and attributes:

#### HRIS

**Employee**

| Attribute         | Notes                                                            |
| ----------------- | ---------------------------------------------------------------- |
| Company           | The company the employee is assigned to                          |
| Cost Center       | The employee is added to a group that represents the cost center |
| Department        | The employee is added to a group that represents the department  |
| Email             | The employee's work email address                                |
| EmployeeId        | `EmployeeNumber` on the Veza platform                            |
| Employment Status | `ACTIVE` or `TERMINATED`                                         |
| Employment Type   | The employment type of the employee                              |
| First Name        | The employee's first name                                        |
| ID                | The unique identifier for the employee                           |
| Job Title         | The employee's listed job title                                  |
| Last Name         | The employee's last name                                         |
| Manager           | The managerId of the employee's manager                          |
| Name              | The employee's first and last names, joined with a space         |
| PrimaryTimeZone   | The employee's time zone                                         |
| StartDate         | The employee's start date                                        |
| TerminationDate   | The employee's termination date                                  |
| WorkLocation      | The employee's work location                                     |

**Cost Center / Department**

Cost Centers and Departments are represented as groups on the Veza platform to which employees can be assigned. This allows for powerful querying and easy visualization in the Veza Access Graph.

The Veza integration discovers the following attributes for these groups:

| Attribute | Notes                          |
| --------- | ------------------------------ |
| Code      | The numeric code of the entity |
| Name      | The name of the entity         |
| Type      | `Cost Center` or `Department`  |

#### Application

The Veza integration for SAP SuccessFactors supports permission discovery through role-based access control. When configured with the Application template, the integration extracts roles, permissions, and user assignments.

**Users**

Application users in SuccessFactors are linked to employee records from HRIS data. Users inherit group memberships through Dynamic Groups.

| Attribute      | Notes                                                     |
| -------------- | --------------------------------------------------------- |
| Employee ID    | Links to the employee record in HRIS                      |
| Dynamic Groups | Groups the user belongs to via SuccessFactors assignments |
| Display Name   | User's display name from employee data                    |
| Email          | User's email address                                      |
| Username       | SuccessFactors username                                   |

**Dynamic Groups**

Dynamic Groups represent collections of users that can be assigned roles and permissions.

| Attribute        | Notes                                          |
| ---------------- | ---------------------------------------------- |
| Group ID         | Unique identifier for the dynamic group        |
| Group Name       | Human-readable name of the group               |
| Users            | List of users assigned to this group           |
| Associated Roles | Roles assigned to this group through RBP Rules |

**Roles (RBP Roles)**

RBP (Role-Based Permissions) Roles define sets of permissions that can be assigned to Dynamic Groups.

| Attribute   | Notes                                              |
| ----------- | -------------------------------------------------- |
| Role ID     | Unique identifier for the role                     |
| Role Name   | Human-readable name of the role                    |
| Rules       | RBP Rules that connect this role to Dynamic Groups |
| Permissions | Detailed permissions granted by this role          |

**Permissions**

SuccessFactors permissions are organized into different categories and types:

**Field Permissions**

* Control access to specific data fields
* Include field target, action type, and permission settings

**Object Permissions**

* Control access to SuccessFactors objects (entities)
* Include object type, available actions, and permission settings

**Permission Units**

* Complex permission structures with multiple sub-permissions
* Include On/Off permissions and None/All/Other permission sets

| Permission Type   | Description                                   |
| ----------------- | --------------------------------------------- |
| Field Permission  | Access control for specific data fields       |
| Object Permission | Access control for SuccessFactors objects     |
| OnOff Permission  | Binary permission settings (enabled/disabled) |
| All Permission    | Broad permissions for entire categories       |
| Other Permission  | Specific permissions for individual items     |
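
The access path described in the Users, Dynamic Groups, and Roles tables above (user → dynamic group → RBP rule → role) can be resolved and cross-checked against the HRIS Employment Status to find accounts that still hold roles after termination. This is an added example, not Veza's code or part of the original documentation; the record layout, IDs, and the `NO_HRIS_RECORD` label are constructed for illustration and are not the literal OData response schema.

```python
from collections import defaultdict

# Constructed sample data; keys are simplified stand-ins, not the OData schema.
EMPLOYEES = {  # HRIS: employee ID -> Employment Status
    "1001": "ACTIVE",
    "1002": "TERMINATED",
    "1003": "ACTIVE",
}
GROUP_MEMBERS = {  # dynamic group ID -> employee IDs of its members
    "g-hr-admins": ["1001", "1002"],
    "g-managers": ["1003", "1004"],  # 1004 has no HRIS record
}
RULES = [  # each RBP rule connects one role to one or more dynamic groups
    {"rule_id": "r1", "role_id": "role-hr-admin", "groups": ["g-hr-admins"]},
    {"rule_id": "r2", "role_id": "role-manager", "groups": ["g-managers", "g-hr-admins"]},
    {"rule_id": "r3", "role_id": "role-legacy", "groups": ["g-missing"]},
]


def resolve_roles(rules, group_members):
    """Return ({employee_id: {role_id}}, [(rule_id, group_id)] for unknown groups)."""
    roles_by_user = defaultdict(set)
    dangling = []
    for rule in rules:
        for group_id in rule["groups"]:
            if group_id not in group_members:
                dangling.append((rule["rule_id"], group_id))
                continue
            for emp_id in group_members[group_id]:
                roles_by_user[emp_id].add(rule["role_id"])
    return dict(roles_by_user), dangling


def stale_access(roles_by_user, employees):
    """Role holders whose HRIS status is not ACTIVE, or who have no HRIS record."""
    findings = {}
    for emp_id, roles in sorted(roles_by_user.items()):
        status = employees.get(emp_id, "NO_HRIS_RECORD")  # constructed label
        if status != "ACTIVE":
            findings[emp_id] = (status, sorted(roles))
    return findings


if __name__ == "__main__":
    roles_by_user, dangling = resolve_roles(RULES, GROUP_MEMBERS)
    for emp_id, (status, roles) in stale_access(roles_by_user, EMPLOYEES).items():
        print(f"{emp_id} [{status}] still holds: {', '.join(roles)}")
    for rule_id, group_id in dangling:
        print(f"rule {rule_id} references unknown group {group_id}")
```

Rules that reference a group missing from the extraction are reported separately, because a role reachable only through such a rule would otherwise drop out of the review silently.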


