Skip to main content
All CollectionsAuthentication GuidesHRIS
SAP SuccessFactors - Service User set up for HRIS
SAP SuccessFactors - Service User set up for HRIS

Creating a Service User with limited HRIS permissions in order to Link

Updated over 6 months ago

In this article, we will be covering the steps needed to create a new User in SAP SuccessFactors, and limiting the permissions / scope to what is required for the use case of the company you are linking to!

Step 1: Create a new Super Admin User that will be used to link

Follow these steps from SAP SuccessFactors to create a Super Admin user in your system that will have limited permissions / scope for the use case you are linking for.

Step 2: Create a new Permission Group

Search up "Manage Permission Groups" in your search bar to navigate to the Permission Groups page.

You will need to click "Create New" to create a new Permission Group for the linking flow.

You can name the "Group Name" something along the lines of "Integrations Linking" to track that this Permission Group is for this specific connection.

The User Type needs to be "Employee", and the "Choose Group Members" should include the User you created in Step 1.

You do not need to input anything in regards to the Exclude Section, or the Granted Permission Roles at this time.

Click "Done" to create and save this Permission Group.

Step 3: Create Permission Role with Proper Permissions

Search up "Manager Permission Roles" in your search bar to navigate to the Permission Role page.

Part 1: Name the Permission Group

Part 2: Identify and Select the Permissions that matter for the use case you are trying to achieve

Click "Permissions" to open available User and Admin Privileges available.

REQUIRED for General Authentication:

Manage Integration Tools - Access to "Manage OAuth2 Client Applications", "Manager OData API Basic Authentication", and all API + OData related pieces

This will be category agnostic, and just required for the general API authentication.

General User Permission - User Login is required to ensure that you're able to login to integrate

HRIS Permissions:

Employee Data - this allows for View Access to Employee Information

Employee Central API, Employee Central Import Settings,

Part 3: Granting Permission Role to the created Permission Group

Click "Add" to add the Permission Group created in Step 2. You can search for the name of that Group, select it, and then press "Done"

Now you should save these changes as you're all set! You just need to login into the User's SAP account and generate the Client Credentials, which is described below.


Now we will go through the full Linking Flow from within the Service User's Account!

Step Four: Find your SAP SuccessFactors API Server URL

1.) To find your API Server URL, go to this link.

2.) In the listed API Server URLs, search for the environment that matches your subdomain. For example, if your domain was https://salesdemo4.successfactors.com, search for salesdemo4.

If you are unsure what your API Server URL is, or are having trouble connecting, we recommend reaching out to your SAP Support team to obtain your API Server URL.

**If you are using the Merge sandbox, please enter: api68sales.successfactors.com**

3.) Copy the entire URL.

In this example, it would be: apisalesdemo4.successfactors.com

4.) Enter your SAP SuccessFactors API Server URL into the integration authorization component as shown below:


Step Five: Find your SAP Username and Company ID

1.) To find your SAP SuccessFactors username, go to the upper right hand side and click on your profile image to view your username.

This will be the Username for the Service User you created in the first part of this guide!

2.) To find your SAP SuccessFactors Company ID, in the same dropdown menu, click "Show version information." Locate Company ID in the modal that pops up:

3.) Once you obtain your username (not email) and company ID, enter them in the linking flow as shown:


Step Six: Find your SAP SuccessFactors Client ID and Secret

1.) In your Admin Center, go to Tools, and search Manage OAuth2 Client Applications (If your page looks different, search for Manage OAuth2Client Applications in the search tool on your homepage).

2.) Click Register Client Application.

3.) Fill out Application Name & Application URL (what actually goes in these fields is not important, except that the URL has to begin with https://).

4.) Click Generate X.509 Certificate. Fill out Common Name (name doesn't matter) and hit Generate.

5.) Once the certificate populates, download and save it. You will have downloaded a file called Certificate.pem.

6.) Click Register (it will have replaced the Generate button).

7.) Back on your Manage OAuth2 Client Applications, go to the application you just created and click Edit.

8.) You will now see an API key listed - this is your Client ID. Copy and save this Key.

9.) Open up the "Certificate.pem" file that you downloaded previously in a text editor. The string between ——BEGIN ENCRYPTED PRIVATE KEY——- and —-END ENCRYPTED PRIVATE KEY——- is your Client Secret. Copy the Client Secret and save.

10.) Enter your Client ID and Secret into the integration authorization component as shown below:

If you have any questions, please feel free to reach out to us at [email protected]

Did this answer your question?