- In SuccessFactors LMS, many times Ownership of data is with the LMS Administrators and is dependent on domain Structure, Domain Restrictions and Roles.
- This KB article will help to resolve issues with configuring Domain Security.
Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.
SAP SuccessFactors Learning Management System
LMS Security Model
- Domains and Domain Restrictions
- Roles and Permissions
Ensure the ‘local’ approach to learning is as strong as the global approach
- Local admin and governance
- Provide learning administration, not only centrally but also locally to other parts of the organisation
- Domains and Domain Security
- Organization Structure
- Regional Catalogs
- Assignment Profiles
- Local Programs
Domains – Required for Administration
Domains are for Admins --- Catalogs are for Users
- Domains: Domains are the foundation of SAP SuccessFactors Learning because they define the security structure.
- Domain Restriction: A domain restriction is a list of domains that you want to open to a group of administrators.
- Entities: Entities are things in the system that can be attached to a domain (user, account code, learning item, and so on).
- Functions: Functions are actions that can be performed on an entity, like adding, deleting, or editing.
- Permissions: Permissions are a combination of entities and function (adding a user or deleting an account code).
- Role: Roles are groups of users have the same domain, permissions, and domain restrictions settings (for example, American Learning Administrators can Add Learning Items in the North American and South American domains).
- Each record is stored in a domain– user, item, instructor, scheduled offering
- Domain stores one or more types of records
- Admins have access to one or more domains
- Access can include sub domains
Every implementation has a PUBLIC security domain, which is available to all administrators.
- When implementing SuccessFactors Learning you start with a security domain called PUBLIC.
- This domain is available to all administrators and all administrators are responsible for the security of data in the PUBLIC domain.
- It exists outside any other domains or hierarchy that you create.
- A common practice is to use PUBLIC like a network share.
- Imagine a North American learning administrator and a South American learning administrator. Each has access to his or her regional domain (North American domain or South American domain).
- If the North American administrator wanted a copy of the South American administrator's learning item, the South American administrator could copy it and place the copy in the PUBLIC domain.
- The North American administrator, then, just needs to change the learning item's Domain field to North American and take ownership of the security for that learning item.
Domain Restrictions – Govern Admin Access
- Domain restrictions are records that determine in which domains administrators may operate.
- If an Admin has unrestricted access, they may perform tasks for records in all domains.
- If restricted, the Admin may only perform tasks records in domains included in the domain restriction.
- Domain restrictions may contain any combination of domains.
- There should be at least one domain restriction for every unique combination of domains in which a group of administrators must be able to perform tasks.
Learning Administration & Support
Administrators access the system in order to manage learning requirements and assignments to users, make learning content available (online and scheduled learning offerings), and manage learning resources.
- The LMS contains role definitions that contain a collection of permissions that grant access to functionality.
- Users are assigned a single role whereas administrators may be assigned multiple roles.
- For administrators, each role defines data object access using domain restrictions and grants workflow capabilities to administrative functions.
- One or more of these roles can be assigned to an administrator.
- In addition, domains restrict some of the roles in by limiting access to the domain's LMS entities.
Domain Security Model
- Centralized Control > Distributed Control
- Few Dedicated Admins > Large Admin Base
Domain structure should primarily be determined by the complexity, delegation and distribution of administrators. You only need more than one domain if you have a need to restrict some Admins from seeing a different entity set to others.
Admin Role Management - Permissions (Workflows)
Roles defines what an Admin can do to the data stored in the domain that the admin has access to. They consist of workflows – the combinations of functions (actions) and entities that grant system rights.
Admin Roles - Putting it Together
Admin is the WHO.
Restrict by Function or by Entity
Domain restrictions can be applied to workflows by function or by entity.
Multiple Admin Roles
The Admin Security Implementation Process
Learning Administration - Centralized Roles (No domain restrictions)
- System Admin: This role provides access to system administrative permissions necessary to set application configuration and security management. There are no domain restrictions.
- Report Designer: This role can import and export reports in order to create custom reports. There are no domain restrictions.
- Support Desk: This role provides view access to users in order to provide end user assistance. There are no domain restrictions.
- Location Admin: This role allows an administrator to create and edit the details for training locations. There are no domain restrictions.
- Quality Manager: This role provides ability for quality management and assignment profile propagation. There are no domain restrictions.
- Survey Admin: This role allows an administrator to add, edit and delete survey questionnaires. There are no domain restrictions.
- Instructor Admin: This role allows an administrator to add, edit and delete the information about instructors. There are no domain restrictions.
- Subject Area Admin: This role allows an administrator to add, edit and delete subject areas. There are no domain restrictions.
- Assignment Profile Coordinator: This role defines and propagates assignment profiles. There are no domain restrictions. User Needs Management Admin: This role allows assigning training only. There are no domain restrictions.
Learning Administration - Distributed Roles (Domain restrictions)
Training Coordinator: A training coordinator adds items and curricula into the LMS. This role also assigns training needs to users and can add a curriculum to a defined assignment profile to automate learning assignments. This role can record learning events. This role is domain restricted.
- Scheduler: A scheduling training coordinator adds scheduled offerings to support users fulfilling training requirements. This role can record learning events for schedule offerings. This role is domain restricted.
- Reports: This role provides ability to run selected user oriented reports useful for metrical data. This role is not domain restricted because all users are in a single domain.
- Exam Coordinator: This role sets up exams using the internal LMS exam functionality. This role is domain restricted.
- Exam Reporter: This role provides the ability to run selected reports related to exams. This role is not domain restricted because all users are in a single domain.
- Financial Coordinator: This role allows an administrator to review financial transactional records. This role is not domain restricted.
- Workers Council: These roles (WoC SE and WoC LGD) provide the ability to run selected custom reports, have been created according to specific and agreed report requirements of the WoC. This role is not domain restricted. Report results are restricted to German employees only (CC 0001 and CC0023).
- Program Admin: The program admin add, edit or delete programs in the LMS. This role is domain restricted.
Learning Domain Governance
- Can an administrators modify learning objects outside of their domain?
- Items, Schedules, Curricula, Online Content
- Can an administrator create a schedule offering for items outside of their domain?
- Can an administrator add register users into a schedule offering outside of their domain?
- Can an administrator add their items to any catalog?
- Will locations and facilities (i.e. classroom, buildings) remain in a central domain?
- Can administrators access any location (i.e. classroom) to use in a scheduled offering?
- Will equipment remain in a central domain?
- Will instructors remain in a central domain?
- Can admins add authorized items to any instructors?
- Will all materials remain in a central domain?
- Do you need to add new users manually?
- Do you need to assign learning to ANY user or only to DOMAIN users?
- Do you need to register ANY user?
- Do you need to record learning event for ANY user or only to DOMAIN users?
- Do you need to record learning event for ANY item or only to DOMAIN items?
- Do you need to record learning event for ANY scheduled offering or only to DOMAIN schedules?