To get the SAP SuccessFactors (SF) integration up and running, you need the client application credentials along with an integration user who will act as Resource Owner (defining what resources and entities can be accessed). This means you need to register a new OAuth2 Client Application and create a dedicated user with access permissions to the individual fields you want Beekeeper to synchronize.
New OAuth2 Client Application
To start, log in to SAP Success Factors:
Go to the Admin Center
Search for "Manage OAuth2 Client Applications"
Click "Register Client Application".
Fill in these fields:
- Application Name: Beekeeper Integration
- Description: Some information about the purpose of the application.
- Application URL: https://www.beekeeper.io
Click on "Generate x.509 Certificate"
In order to generate the certificate, complete at least the mandatory fields marked with a " * ".
Please note that you can specify the certificate validity. We recommend that you set the number of days, in line with the contract value of the SAP connector purchased to Beekeeper.
Once the fields have been filled, click "Generate".
You will then return to the previous menu with a X.509 Certificate.
Click on "Download" in order to save the private part of the certificate that you will later be sharing with Beekeeper. It is required to download the certificate now, since SuccessFactors does not store this part of the certificate.
You will return to the recently created "OAuth Client Application" to access the Company and API Key. Please take note of these values, since you will need to share them with Beekeeper later.
Create an Integration User
Together with the app details, Beekeeper will need a technical user which will be used to make the OData API requests to SuccessFactors. This user needs to have the permission to make these kinds of requests and to access the employee data we want to import into Beekeeper.
A new user should be created for this purpose through the Add New Employee wizard.
The ID of this user will be requested by Beekeeper for the integration.
The way we can make the user grants the required permissions is:
Assigning the user to a Permission Group who is assigned to a Permission Role where the necessary permissions are set.
New Permission Group
Now return to the Admin Center and click on Manage Employees > Set User Permissions > Manage Permission Groups.
Click “Create New” to make a new Permission Group. Name the permission group “Beekeeper Connector Permission Group” and assign it to the “Beekeeper Connector” user we created earlier.
Once you’re finished, click “Done” to create the Permission Group.
New Permission Role
The second step is about creating a new permission role with the required permissions. Access the Permission Role List menu by searching for "Permission Role List".
Click "Create New". This will take us into the "Permission Role Detail", where you can provide a role name and description.
Here we are going to add the permission required by the integration user for communicating with SAP SF in the way we expect. The permissions required are:
- Admin access to MDF OData API: The MDF permission allows us to track modification dates of metadata fields, which enables partial synchronization. It will NOT grant access to any data by itself, and you will still have to explicitly grant access to the data through other permissions.
- For the integration to work, you will need to grant at least “Employee Central Effective Dated Entities > Personal Information Actions (View Current)” permission as well as access to the current values of all the fields that you would like to be synchronized to Beekeeper. The minimum field permissions required are:
* Employee Data > Biographical Information
* Employee Data > Termination Date
* Employee Data > Employment Details MSS
Here is an example on how to add permissions: Click on the button "Permission" in section 2 for Permission settings, and select the options shown here:
In the end, the permissions should look something like this, depending on which fields are needed:
The last step is to grant this role to the group we previously created containing the technical user. Go in section 3 and click "Add". Select the permission group by clicking "Select..."￼
Save the changes. The final configuration should look like this:
Click on "Save Changes" and your new permission role will be listed in the menu.
Now you’re good to go!
What should I send to Beekeeper?
Beekeeper needs a few credentials to connect to SAP:
- Client ID – API key from a OAuth app (in this case the beekeeper integration app) previously subscribed in SAP SF.
- User ID – ID of the technical user to make the token request with.
- Private key – Private key of the certificate added or generated for the integration app (beekeeper integration app) previously subscribed in SAP SF.
- Company ID – Company ID that represents the company in SAP SF.
- Base URL – URL for the SAP instance (e.g., https://apisalesdemo4. successfactors.com/odata/v2/)
Uninstalling the SAP SuccessFactors Integration
If the app is uninstalled in Beekeeper, you should also uninstall or simply disable the app registered in SAP SF and revoke the permissions of the Beekeeper Connector Permission Role that we created.
Thank you Steven, a very neat and complete article.
Please sign in to leave a comment.