2316798 - How to restrict API access to specific Employee Central Entities and Fields

This KBA explains on how to restrict API access to specific Employee Central entities/portlets (effective and non-effective dated) via Role Based Permission.

"Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental."  

SuccessFactors Employee Central

We need to follow below steps to restrict access to certain data.

1. Login to SFSF Instance
2. Navigate to 'Admin Center' -> 'Manage Permission Roles'
3. Select the role assigned to the sfapi user
   
   
   
4. Click on 'Permission...'
   
   
   
5. Search for 'Employee Central API' and remove all permissions under Employee Central API, apart from Employee Central Compound Employee API related permissions. (Note that if you want to have access to all Employee Central data and records, then a simpler way to achieve this is by providing the admin permissions we are about to remove)
   
   
   
6. Once done, navigate to section "Manage Integration Tools" and provide the user admin access to "Allow Admin to Access OData API throught Basic Autentication".
   
   
   
7. To provide access to specific EC entities, you should give the user permissions to it's corresponding entities. When it comes to entities, you might find Effective Dated Entities and Non-Effective Dated Entities:
   
   
• Non-Effective Dated Entities. On the example below I have granted permission to a few fields from Employment Details (EmpEmployment):
  
  
  
• Effective Dated Entities. On the example below I have provided permission to Job Information (EmpJob) fields such as Company and Business Unit:
  

Restrict field level API access, disable field level permissions, Restrict API access, employee central api, effective dated, non effective dated, permissions Employee Central, odata, SFAPI , KBA , LOD-SF-INT-API , API & Adhoc API Framework , LOD-SF-INT , Integrations , How To