SAP Knowledge Base Article - Public

2088892 - How to Grant Support Access to SuccessFactors Support Staff

Symptom

  • What is Support Access and how do I give Support Access to the SuccessFactors Support team?
  • How to Show Granted Users Only in Manage Support Access

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

Environment

SAP SuccessFactors HXM Suite

Resolution

What is Support Access?

Support Access is a secure way for you to provide an authorized technical support person (like SuccessFactors Customer Success) temporary access to a user account within your company in order to diagnose a problem or troubleshoot an issue. Using Support Access, no employee passwords or personal information are required or forwarded to the technical support person, making this a secure access point for your company.

When you call or log a case with Customer Support, and there is a need for the Customer Support Agent to log into your instance, you will enable Support Access for a specific username (preferably an admin account with full permissions) and provide just the username of that account to the agent so they can login to your instance.

  • You need to set the expiration date for the support access by configuring the Date and Time in the Time-bound access column in Manage Support Access page.
  • You have the ability to turn off Secure Access for that user when you have no more need for them to access your site.
  • This provides you with a very high level of security and access control
     

How to Enable Secondary Login Feature in Your Instance

It is required that the feature "Enable Secondary Login" is turned on, in the instance for you to grant support access for a user.

This is done as follows:

Via Admin Center > Platform Feature Settings 

      1. Ensure that you have permissions to Platform Feature Settings. Please refer to KBA 2251324 - How to enable Platform Feature Settings for more details.

      2. Navigate to Admin Center > Platform Feature Settings > Check 'Enable Secondary Login Feature'.

          enable support access.png

Once you have enabled "Enable Secondary Login Feature" using the instructions mentioned above, you will need to grant permissions to make "Manage Support Access" page available from Admin Center page.

Granting RBP (Role Based Permissions)

  1. Go to “Manage Permission Roles”  
  2. Select the role the user belongs to > Select “Permissions”
  3. Click on “Manage Users”
  4. Check Manage Support Access
  5. Click Finished, then Save

    5. Manage Support Access - RBP.png

NOTE: Please ensure that the user providing the support access is also granted the permission "User Search", which found under "General User Permission"

Granting "Support Access" for a Specific User Account

SAP Note: make sure the General Permission: "search users" is granted to the user using the "manage support access" feature else the user will be able to access the manage support access but not search for users to grant access to.

  1. Go to Admin Center
  2. In the Tool Search or Search Tools box, type Manage Support Access
    • 1. Manage Support Access - Tool Search or Search Tools.png
  3. Search for the user account that you will be granting access to > click Search
  4. Under the Create Permission column, if there is a check mark then the account already has support access enabled.
  5. If there is a red X then check the box for that user
    1. 3. Manage Support Access - Enable or Enable.png
  6. You must set "Time Bound Access expires on:" to a date that gives your support engineer sufficient time to access your instance and investigate your issue thoroughly. 

    1. Support Access Time Bound Only 2.png
  7. Click the Grant button
  8. Search for that same user again to confirm you now see the check mark indicating secure access is now enabled for that account
  9. Inform the Support person of the account username that you enabled so they can login to provide support 

Show Granted Users Only in Manage Support Access

  • As per 1H 2023 release Now, a new option, Show Users with Valid Support Access, is added to the page to help you filter user accounts that have support access.You can now quickly filter all user accounts that have support access. Help guide : Link

    KBA 2088892 manage support access 1.png

  • In Manage Support Access, after you enter user searching criteria and choose the Search Users button, the Show Users with Valid Support Access checkbox and the result table display. You can select this checkbox to see only granted users in the result table.

  • Once clicked on Show Users with Valid Support access check box, it displays the granted users in the result table as below.

KBA 2088892 manage support access 2.png

Note:

  • It's recommend you enable a user account with full administrative permissions to allow support staff to investigate the issue thoroughly without hindrance
    • If the account used is restricted in scope and permission, it is possible you will be requested to provide additional information such as screenshots or replication steps, or data files, and any other content that they might be unable to view due to the restrictions of the account
    • Not having administrator permissions is likely to result in slower resolve time as well as your active participation in providing additional information
  • It is suggested you change the username and/or make sure username is complex
    • Avoid using common usernames like admin, adminsf, sfadmin, csadmin, admincs etc.
  • Always ensure Time Bound Access expires on a date that is set in the future
    • If it is set on a past date, your support engineer will be unable to log in with it
    • Conversely, we also advise against setting it for longer than needed by Product Support
  • Support access usernames are case sensitive
    • To minimize back-and-forth with Product Support, be sure to provide your support engineer with the exact spelling and capitalization of your support access username

Additional Information:

The Support Access application has double-layered security, meaning SucessFactors Support Staff must first log into a secure interface before logging into any instance. Each agent providing support first logs into this interface a unique username and password. Only then will they be able to select an instance and log into it using the username provided

  • For security reasons, Support access information should not be provided in the text area of cases. Instead it should be added to the Logon Depot area
  • Refer to section 1A of KBA 1773689 – How to add log on credentials securely to an case in order to add your support access username to the Logon Depot

Keywords

sf, success factors, username, passwordless, support, access, grant, staff, how, enable, account, permission , KBA , support access , sf platform , LOD-SF-PLT , Platform Foundational Capabilities , How To

Product

SAP SuccessFactors HXM Suite all versions