Some new features lend more flexibility and control to how you grant access to APIs. As is always the case, I cannot include every single update, but the following covers the most notable new additions.
Employee Central Payroll Integration
A new integration framework has been created to replicate data from the Onboarding Compliance form in SuccessFactors to the infotypes 0065 (Tax Data) and 0070 (Court Orders) in Employee Central Payroll.
The introduction of this new framework removes the need for manual effort to rekey this information into the Employee Central system.
Note that Synchronization Support Package EA-HR SP99 in your Employee Central Payroll system is required to use this new functionality.
Figure 1- The new integration framework for Onboarding Compliance forms replicates data to the Employee Central Payroll infotypes 0065 and 0070.
You’ll also notice that Onboarding Compliance formshave been added as a content type that you can select in the Data Replication Monitor.
ERP Integration
As I have mentioned in my notes for previous releases, HTTP Basic Authentication will become unavailable for use in November 2022 for OData API and SFAPI.
Accordingly, the SAP Cloud Integration packages for the following objects have been adapted to use X.509 based authentication from the middleware to the Employee Central APIs:
- Employee and Organisational Data
- Cost Centre
- Employee Time for Payroll
X.509 authentication is more secure in that it does not require the password to be provided.
This release also brings a minor change, but one that’s worth noting if you are replicating employee data from EC to ERP. Previously, two separate queries would be generated when running the employee integration:
- Last Modified Query- to pick up employees that have changed
- Data Replication Monitor Query – to pick up employees who are due for replication (e.g., those who have failed in previous runs)
These two queries are now combined into a single Last Modified Query, as of support pack 32 of the integration add-on for ERP and SAP SuccessFactors Employee Central (SFSF EC INTEGRATION 1210).
This change is not just in aid of neatness. Under the previous system with two queries, conflicting errors could occur if the ERP payroll area was in the correction phase – with the Last Modified Query reporting an error, but the Data Replication Monitor query finishing successfully for the same employee. This possible source of confusion has now been eliminated.
Time Data Replication
When configuring time data replication, you sometimes have to switch the target replication system. For example, if you have the back-end ERP Development and Test systems integrated into the same SuccessFactors system. This configuration has required you to delete the Data Replication proxies for the old system. This task was cumbersome, requiring you to export, mark for deletion and re-import the proxies you no longer needed.
There is now a simple Data Replication Proxy delete job that you can trigger to clear out unneeded proxies, based on some simple criteria:
Figure 2 – Deletion of Data Replication Proxies that are no longer linked to active configuration, now done in one click
This feature can be enabled by granting permission to the Trigger Data Replication Proxy Deletion object, under the Payroll Integration Permission category.
Meanwhile, obsolete Data Replication Proxies, having failed 150 attempts to replicate (indicating that the target system is probably no longer active, will now be set not to replicate again. This automated change in status will reduce the load on the system, which can be a factor in scenarios where very large numbers of proxies are being generated.
API
The focus of 2H 2021 changes for APIs is security and control.
You can now restrict API access through OAuth 2.0 for technical and business users by binding user IDs to a client application. Furthermore, you can now restrict the access to /oauth/token and /oauth/validate APIs by specifying allowed IP addresses for individual users. This addition gives you more targeted control of which API users can access which APIs.
In Roles and Permissions, additional permission control is now possible for the Compound Employee API. You can now restrict API access to individual segments of the employee data. For example, you can grant access to employee job information but blocking access to the compensation information segment.
Data Import and Export
In recent releases, SAP have been extending the use of Centralized Services when importing data into SuccessFactors, either via the Import Data transaction or by API. In practice, this means improved error handling, identical record suppression, and support for Business Rules to run during the import process. These features are always introduced as an admin opt-in to allow you to test the functionality and make sure there are no adverse effects on your existing import processes.
In the 2H 2021 release, Centralized Services can be activated by opt-in for the following imports:
- Compensation info.
- Global Assignment info.
- Recurring Pay Components.
- Job History.
- Job Relationships.
Bear in mind too that the following imports now use Centralized Services universally. That is, it is no longer possible to opt-out:
- Address.
- Work Permit.
- Social Accounts Information.
Conclusion
It is always good to see security and control being a point of focus. Many of the updates discussed above relate to the need to secure connections between SuccessFactors and other systems. On this subject, please make sure you keep in mind the November 2022 deadline for the removal of basic HTTP authorisation for API calls – look instead to use certificate-based authentication.