SAP SuccessFactors

Overview

SAP SuccessFactors is a cloud based HCM software application that supports core HR and payroll, talent management, HR analytics and workforce planning, and employee experience management.

The PowerConnect SuccessFactors input monitors job executions (scheduled + integrations), employee data replication errors, security audit logs, payroll run results and onboarding events for operational, business analytics and security use cases.

Data Collected

Job metadata - status, attributes, process id, process state, process type

Replication errors - error code, error messages, replication status, replication processing time

OData API audit log

Payroll Run Results

Onboarding Process

APIs Used

Status

Available

Configuration

Creating a SuccessFactors API User

The first step is to create a SuccessFactors API user that the PowerConnect Cloud agent can use to connect to the SuccessFactors API and retrieve data. The instructions to do this are located in the following SAP KB article under the section Create API User account for Successfactors Odata API:
https://userapps.support.sap.com/sap/support/knowledge/en/2956021
Make note of the User ID, Company ID and API Server
The next step is to create an OAuth 2.0 token based authentication flow documented here - Oauth2.0 Odata API Token Based authentication and How-To configure and outlined below

Assigning permissions to the SuccessFactors API User

To restrict the access of the API user to only the required APIs perform the following steps:

Login to the SuccessFactors UI
Click 'Admin Center'
Under Tools search for permissions and click 'Manage Permission Groups'
Create a new Group called PowerConnect
Assign the API user to the PowerConnect Group

After creating the group go to 'Manage Permission Roles'

Create a new role called PowerConnect
Add the required roles for each API
- For ODATA Audit Log access check ‘Access to OData API Audit Log’
- For EMEvent access check ‘Read Execution Manager Events’ and ‘Read Execution Manager Event Payload or Event Report’:
- For Payroll related APIs check ‘View - Data Replication Configuration’ ‘View - Data Replication Proxy’ ‘View Current, View History - Employee Payroll Run Results’ ‘View - Employee Payroll Run Results.employeeRunResultsItems’ :
Click ‘Grant this role to…’

Choose the PowerConnect Group

Click 'Done'

Creating an OAuth 2.0 Token flow

Login to the SuccessFactors UI
Click 'Admin Center'
Under Tools search for oauth and click 'Manage OAuth2 Client Applications' > Select 'Register Client Application'
Under Application Name use powerconnect (or some recognisable name)
Under Application URL use any valid url e.g. https://www.powerconnect.io

Optionally tick the Bind to Technical User and enter the api username in the text box (otherwise default is sfadmin)
Click “Generate X.509 Certificate”
Enter the “Common Name (CN)” (e.g. powerconnect). Leave the rest of the fields blank:
Click Generate. The X.509 Certificate field will now be populated:

Click Download and save a copy of the certificate
Click Register
On the newly created Application click View:

Note down the API Key:

Open the downloaded Certificate.pem file in a text editor and make note of the private key (excluding the BEGIN ENCRYPTED PRIVATE KEY and END ENCRYPTED PRIVATE KEY lines):

Adding the SuccessFactors Input to PowerConnect Cloud

Login to the PowerConnect Cloud web UI
Click on the Inputs link in the menu bar
Click the + button to add a new Input
Choose execution-manager under sap-successfactors:

Fill in the form with the details you noted down when creating the powerconnect OAuth client (api server, api key, private key, user id, company id).
Fill in the System ID (this maps to the source field in Splunk)
Choose the Splunk output you wish to send the SuccessFactors data to
Click Save
The Input is now created