Symptom
- What is Support Access, and how do I give Support Access to the SAP SuccessFactors Support team?
- How to Show Granted Users Only in Manage Support Access?
Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.
Environment
SAP SuccessFactors HCM Suite
Resolution
What is Support Access?
Support Access is a secure way for you to provide an authorized technical support person temporary access to a user account within your company in order to diagnose a problem or troubleshoot an issue. Using Support Access, no employee passwords or personal information are required or forwarded to the technical support person, making this a secure access point for your company.
When you call or log a case with SAP Technical Support and there is a need for the SAP Technical Support to log into your instance, you will enable Support Access for a specific username (preferably an admin account with full permissions) and provide just the username of that account to the agent so they can login to your instance.
- You need to set the expiration date for the Support Access by configuring the Date and Time in the Time-bound access column in the Manage Support Access page or Expires On field. The expiration date can't exceed two years, and it cannot be a past date (effective on 2H 2023).
- You have the ability to turn off Secure Access for that user when you have no more need for SAP Technical Support to access your site.
- This provides you with a very high level of security and access control.
As of 2H 2023 Release, it is now possible to check and restrict the RBP admin access for the accounts. Further information can be found on WNV Redesigned Experience of Manage Support Access | SAP Help Portal.
As of 1H 2024 Release, We improved some messages that appear on several user interfaces (UIs) of Manage Support Access. For more details, please refer to WNV: UI Text Improvements in Manage Support Access | SAP Help Portal
How to Enable Secondary Login Feature in Your Instance
It is required that the feature "Enable Secondary Login" is turned on in the instance for you to grant Support Access for a user.
This is done as follows:
Via Admin Center > Platform Feature Settings
1. Ensure that you have permissions to Platform Feature Settings. Please refer to KBA 2251324 - How to enable Platform Feature Settings for more details.
2. Navigate to Admin Center > Platform Feature Settings > Check Enable Secondary Login Feature.
Once you have enabled Enable Secondary Login Feature using the instructions mentioned above, you will need to grant permissions to make the Manage Support Access page available from the Admin Center page.
NOTE: In case Enable Secondary Login is already turned on and the option can still not be seen from Provisioning, please disable it, save, and re-enable again to trigger a database change.
Granting RBP (Role Based Permissions)
- Go to “Manage Permission Roles”.
- Select the role the user belongs to > Select “Permissions”.
- Click “Manage Users”.
- Check Manage Support Access.
- Click Finished, then Save.
NOTE: Please ensure that the user providing the Support Access is also granted the permission "User Search", which is found under "General User Permission".
Granting Support Access for a Specific User Account
SAP Note: make sure the General Permission: "search users" is granted to the user using the "Manage Support Access" feature, else the user will be able to access the manage support access but not search for users to grant access to.
- Go to Admin Center.
- Search for Manage Support Access.
- Go to Add option, and search for the user account that you will be granting access to.
- Select if the user will have RBP admin access, and set an expiration date (effective on 2H 2023).
Note: Expiration date cannot exceed two years and cannot be a past date.
After granting it, inform SAP Technical Support of the account username that you enabled so they can login to provide support.
Valid and Invalid Users List
The valid and invalid support accounts are listed in two separate tabs: Valid List and Expired List which you can easily access.
- Previously, support access revoked using the old page "Manage Support Access," would show the expired support users in the Expired List in the new Manage Support Access page with a future date
- To address this issue, in the update made in 2405, we standardized the expiration date for such users to the production date of 1H 2024 (UTC)
- With the introduction of "Manage Support Access," when you remove support users, the expiry time of these users is now consistently set to the time they are actually removed. This ensures clarity and accuracy in managing support access.
Enhanced Expired List in Manage Support Access | SAP Help Portal
Messages that appear on Several UI of Manage Support Access has been improved in 1H 2024 release. New text that appears now is - The user identified has Role-Based Permission Admin (Edit)/ ( View )/ (No) access in Admin Center > Manage Role-Based Permission Access.
Ex:
Note:
- It's recommended you enable a user account with full administrative permissions to allow SAP Technical Support to investigate the issue thoroughly without hindrance.
- If the account used is restricted in scope and permission, it is possible you will be requested to provide additional information such as screenshots or replication steps, or data files, and any other content that they might be unable to view due to the restrictions of the account.
- Not having administrator permissions is likely to result in slower resolve time as well as your active participation in providing additional information.
- It is suggested you change the username and/or make sure username is complex.
- Avoid using common usernames like admin, adminsf, sfadmin, csadmin, admincs, etc.
- Always ensure that Expires on date is set in the future.
- If it is set on a past date, SAP Technical Support will be unable to log in with it.
- Conversely, we also advise against setting it for longer than needed by SAP Technical Support. It should not exceed two years of the expiration date.
- Support access usernames are case sensitive.
- To minimize back-and-forth with SAP Technical Support, be sure to provide your us with the exact spelling and capitalization of your Support Access username.
Additional Information:
The Support Access application has double-layered security, meaning SAP Technical Support must first log into a secure interface before logging into any instance. Each agent providing support first logs into this interface with a unique username and password. Only then will they be able to select an instance and log into it using the username provided.
- For security reasons, Support Access information should not be provided in the text area of cases. Instead, it should be added to the Logon Depot area.
- Refer to section 1A of KBA 1773689 – How to add log on credentials securely to an case in order to add your Support Access username to the Logon Depot.
- Please note that when accessing the "Manage Support Access" page, the browser tab now shows the URL instead of the page title "SuccessFactors: Admin Centre"
See Also
Keywords
sf, success factors, username, passwordless, support, access, grant, staff, how, enable, account, permission, Expired List, , KBA , support access , sf platform , LOD-SF-PLT , Platform Foundational Capabilities , How To