Enterprise Resource Planning Blogs by SAP
Get insights and updates about cloud ERP and RISE with SAP, SAP S/4HANA and SAP S/4HANA Cloud, and more enterprise management capabilities with SAP blog posts.
Showing results for 
Search instead for 
Did you mean: 
Product and Topic Expert
Product and Topic Expert
This blog post introduces you to the recently published SuccessFactors Implementation Design Principle (SFIDP) document: SAP SuccessFactors Onboarding Role-Based Permission Guidance


Link to the Document 









A good security design ensures that an organization can manage the proper authorization, data privacy, data integrity, etc. Role-based permission is essential for the good security design of SAP SuccessFactors Onboarding solution. In this module special care must be given to roles since the target population is external users of the system. The external users of the company will be internal users from their hire date. The onboarding process involves a lot of participants. The participants like Hiring Manager, Onboarding Administrator, Buddy, IT persons who are required to provide equipment, etc.

This document (Link) covers the common set of permissions that are required for each of these participants to perform their role effectively, and in line with the standard functionality of the system and without giving more permissions than required.


Solution Overview

The specific aspects of onboarding are the difference in “Target population” – especially in the Onboarding process. The new hires who are going to join the company are technically external users. The external user has a specific user status and does not have the same authorization as that of a regular employee. Keeping this into consideration we can understand a few basic concepts.

Creating a Permission group with External user population

When creating a group of External user populations. Apart from the regular method of selecting the people pool. You would also need to select the user type as “External Onboarding User”


Figure 1 Creating permission groups with user Type: External onboarding user


Creating a role for the External User

In manage permission roles, you could use “Create New Role for External User” for creating a new role for the new hires (“Onboardee”).

This is for creating a role for new hires. This should not be used for internal users.

Figure 2: creating a new permission role for external user

Defining a target Population for a role


Select the appropriate Grant role/Grant Group and then choose the Target population as Everyone or based on the Department/Division/Location.


The target decides for which group of employees the Role (From the granted group) can view/edit data.

It is recommended to always keep the target limited so that data privacy and segregation of work and be well established.

Figure 3: Target population of external user



Solution in Detail


The permissions of the key personas in onboarding are listed below. Though the permissions may vary from customer to customer the below will give a baseline. The goal is to give the minimum number of permissions for a role that could make processes work.

These baseline roles and permission can be extended or modified based on customer requirements and the responsibility of the roles.

Key Personas required in Onboarding and their roles

Persona: Hiring Manager
Persona: New hire
Persona: Onboarding Admin
Persona: Rehire Coordinator
Persona: Onboarding BPE Admin
Persona: Onboarding Participants
Persona: IT Participants


The document has all the details of the permission for all the roles. As a snapshot of the document you can see below the table of permission for  IT participants


Permission Location Permission Name Permission Description
General User Permission Company Indo -> User Search Restricts Users searches for the target population defined when granting role.
Employee Data First Name, Last Name, Status – View Access only This makes sure to show the names of the new hires when the participants click on the To-Do tile.
Onboarding or Offboarding Object Permissions Process Enables participants to access new hire's details on the Dashboard
Onboarding or Offboarding Object Permissions ONB2ProcessResponsible Required to show it in the dashboard.
Onboarding or Offboarding Object Permissions Equipment Task Equipment Task Object Permission

For all the other roles/personas please read the document 

Key challenges and solutions

The document also lists the potential problems that implementation partners face during the RBP setup and their corresponding reason for the issue as well as a suggested solution. This would act as a quick guide for consultants if they are having similar issues on what they can do to fix the issues from a permission perspective. It also lists some of the leading ways to configure role-based permission.


One such example is

  1. Dashboard is not visible



The onboarding dashboard is not available for certain roles.



  1. Check the important permission for the user


General User Permission:

  • Company Info Access > User Search

Onboarding or Offboarding Object Permissions:

  • ONB2Process


Employee Data:

  • First Name

  • Last Name

  • Status

  • Location

Employee Central Effective Dated Entities:

  • Job Information > Location

  • Job Information > Job Classification



  1. Target Population of the end-users should be external users


  1. At least one user the onboarding process needs to be started

If there are no employees who have an onboarding process running currently then the dashboard is not visible.

Process has errors, Check the BPE monitor


Another Example would be

2.Future Dated Employee access for internal hires




During internal hire, future-dated managers of these internal hires cannot perform tasks like” Schedule meetings”, “Recommended” people, etc.




The future manager can perform new hire tasks such as Schedule Meetings, Recommend People, and Recommend Links among others before the internal hire's start date. The internal hire manager relationship is applicable for internal hires from SAP SuccessFactors Recruiting, SAP SuccessFactors Employee Central, and external Applicant Tracking System. The below screenshot shows how this can be configured.



Other Scenarios in the document 

  • Names are showing for some and not for others in the dashboard

  • Defining the target group based on location/division etc.

  • Future dated access of new hires to admins based on Legal entity

  • Managers access to only Direct Reports

  • Viewing profile after MPH before the start date

  • Manage Pending Hires

  • Hiding fields for new hires based on country.

  • National ID getting empty after EC

  • Payment information – Users can add currency

  • Offboarding tasks not getting shown to the Manager

  • Unable to see compliance form data.

  • Employee Export

  • Employee Export works with onboarding Dashboard

  • New EC Fields Not Available in RBP for ONB External User

  • Offboarding: No Permission error

Conclusion/Key Takeaways:

We hope this blog post helped you get acquainted with the basic understanding of the concepts & use cases defined and discussed in the SFIDP.  We recommend you to further explore the document for a full-fledged discussion that will aid you in better product implementation as well as help you align with the industry leading practices. We look forward to your valuable comments/feedback/queries on this blog post.

New Updates Dec 2022

This IDP has been enhanced to reflect the latest changes released as part of the 2H 2022 release. It includes enhancements for rehire feature with new permission to enable Rehire with New Employment and cancel the Onboarding process with the enhanced user interface.

For a complete list of published Implementation Design Principles for SAP SuccessFactors Solutions, visit SAP SuccessFactors Customer Community page.