Compare User Permissions in Two SuccessFactors Instances
Table of Contents
- Introduction to RBP
- Problem with permission out of sync
- Tools to call OData API
- Check permissions of a user on two instances
- Check permissions of a role on two instances
1. Introduction to RBP
Role-Based Permissions (RBP) manage permissions in the SuccessFactors suite. RBP controls access to the applications and what users can see and edit. It is a suite-wide authorization concept that applies to the majority of modules. During the implementation phase, multiple roles and groups are identified based on business requirements. These requirements are constantly tweaked as the implementation phase progresses, based on testing and on new business requirements.
For more information on RBP, please refer to the SAP Help document Role-Based Permissions – Guide.
2. Problem with permission out of sync
There are situations where customers have multiple SF instances for different types of testing and other needs. During the course of an implementation, configurations often get out of sync, so that a particular feature works in one SF instance (e.g. Test1) but works differently in another (e.g. Test2). If good change management is in place and the admins maintain a log of every configuration change they make, it is easy to find the root cause of such a discrepancy. More often, we see that the admins maintain no change log; when such issues arise, they tend to lose a lot of time figuring out the configuration issue and raise an SAP incident to find the root cause. Most of the time, the leading cause of such configuration issues is RBP configurations that are out of sync.
To identify RBP configurations that are out of sync, the current solution is to sync the RBP configuration between the two instances, which might not always be feasible. The other solution is to check the affected users' roles and permissions in the affected instances by hand, which is a time-consuming process.
To help simplify the process of checking roles and permissions on two instances, SF has come out with an OData API. The next sections of this blog cover the prerequisites and how to check roles and permissions on different instances.
3. Tools to call OData API
Multiple tools on the market can be used to invoke an OData API and fetch data from it. A few of the popular ones are Postman, Insomnia and others.
In this blog we use Postman for Chrome to explain how to use the OData APIs that SF exposes for getting roles and permissions from an instance.
For more info on OData and Postman tool please refer to the below links.
4. Check permissions of a user on two instances
The OData API “getUsersPermissions” fetches the roles and permissions of one or more users from an instance. When you invoke the API, it returns the roles and permissions for that user or list of users. Save the response to an XML file for that instance, then repeat the same step on the other instance you want to compare against. Once the response XML files from both instances are available, use a comparison tool to check the difference in roles and permissions between the two instances for that user.
Below are the steps and screenshots showing how to invoke the getUsersPermissions OData API for a user from Postman.
Step 1: Install Postman for Chrome from this link for the OS being used
Step 2: Screenshot and syntax to invoke “getUsersPermissions”
Step 3: Save the response to an XML file for comparison
Step 4: Compare the two XML files to find the difference in permissions for the user in the two instances
Syntax to invoke getUsersPermissions for one user is “https://apisalesdemo4.successfactors.com/odata/v2/getUsersPermissions?locale=en-US&userIds=admin”
Syntax to invoke getUsersPermissions for multiple users is “https://apisalesdemo4.successfactors.com/odata/v2/getUsersPermissions?locale=en-US&userIds='admin,admin2,admin3,….'”
Further documentation on the api can be found at the following link
5. Check permissions of a role on two instances
The OData API “getRolesPermissions” fetches the permissions of one or more roles from an instance. When you invoke the API, it returns the permissions for that role or list of roles. Save the response to an XML file for that instance, then repeat the same step on the other instance you want to compare against. Once the response XML files from both instances are available, use a comparison tool to check the difference in permissions between the two instances for that role.
Below are the steps and screenshots showing how to invoke the getRolesPermissions OData API for a role from Postman.
Step 1: Install Postman for Chrome from this link for the OS being used.
Step 2: Screenshot of syntax to invoke “getRolesPermissions”
Step 3: Save the response to an XML file for comparison
Step 4: Compare the two XML files to find the difference in permissions for a particular role in the two instances.
Syntax to invoke getRolesPermissions for one role is “https://apisalesdemo4.successfactors.com/odata/v2/getRolesPermissions?locale=en-US&roleIds='10'”
Syntax to invoke getRolesPermissions for multiple roles is “https://apisalesdemo4.successfactors.com/odata/v2/getRolesPermissions?locale=en-US&roleIds='10,20,30,…'”
Further documentation on the api can be found at the following link
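An order-insensitive way to do the Step 4 comparison in sections 4 and 5, as an added example that is not part of the original post or SAP tooling. It assumes each saved file holds the response for a single user or role; the sample XML is constructed, and its element names and permission labels are placeholders rather than the actual response schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample responses for one user on two instances. Element names
# and permission labels are placeholders, not the real response schema.
TEST1 = """<feed xmlns="http://www.w3.org/2005/Atom"><entry>
  <userId>admin</userId>
  <permission>Employee Data: View</permission>
  <permission>Manage Users: Edit</permission>
</entry></feed>"""
TEST2 = """<feed xmlns="http://www.w3.org/2005/Atom"><entry>
  <userId>admin</userId>
  <permission>Manage Users: Edit</permission>
  <permission>Reports: Run</permission>
</entry></feed>"""


def leaf_values(xml_text):
    """Flatten a response into a set of (element path, text) pairs.

    A set ignores ordering, so entries that the two instances return in a
    different order do not show up as differences the way they do in a
    line-based diff.
    """
    found = set()

    def walk(node, parent_path):
        # Drop the '{namespace}' prefix ElementTree puts on qualified tags.
        path = parent_path + "/" + node.tag.rsplit("}", 1)[-1]
        text = (node.text or "").strip()
        if len(node) == 0 and text:
            found.add((path, text))
        for child in node:
            walk(child, path)

    walk(ET.fromstring(xml_text), "")
    return found


def compare_responses(xml_a, xml_b):
    """Return (only_in_a, only_in_b) as sorted lists of (path, text)."""
    a, b = leaf_values(xml_a), leaf_values(xml_b)
    return sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    only_test1, only_test2 = compare_responses(TEST1, TEST2)
    for path, text in only_test1:
        print("only in Test1:", path, text)
    for path, text in only_test2:
        print("only in Test2:", path, text)
```

To compare real responses, pass the contents of the two saved XML files to `compare_responses` in place of the constructed samples.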
Please reach out to me in case there is a different scenario at a customer. This is based on an experience with a customer; in parallel, SF is working to provide more OData APIs.
Very Helpful