SAP SuccessFactors Connector

SAP SuccessFactors provides cloud-based software for human capital management. Using the software as a Service model. 

OvalEdge uses the REST APIs to connect to the data source, allowing users to crawl and profile data objects (Tables, Table Columns). 

Connector Capabilities

The following is the list of objects and data types supported by the SAP SuccessFactors connector.

Functionality	Supported Data Objects
Crawler	Tables, Table Columns
Profiler	1. Table Profiling: Row count, Columns count, and View sample data 2. Column Profiling: Min, Max, Null count, distinct, top 50 values 3. Full Profiling

Prerequisite

The following are the prerequisites required for establishing a connection between the connector and the OvalEdge application.

1. API details.
2. Set up a Service account with proper permissions to the Rest APIs of SAP Success Factor.
3. Configure Environment variables (Optional).

REST API Details

OvalEdge uses REST API to connect to SAP SuccessFactors:

API	Version	Details
Rest API	Okhttp client, the latest version is 4.10.0.	https://mvnrepository.com/artifact/com.squareup.okhttp3/okhttp/4.10.0

Service Account with Minimum Permissions 

The following are the minimum privileges required for a service account to crawl and profile the data.

Operation	Minimum Access Permission
Connection Validation	Read Access to the metadata API
Crawling	Read Access to the metadata API
Profiling	Read Access to the Entities' data

Establish Environment Variables (Optional)

This section describes the settings or instructions that you should be aware of prior to establishing a connection. If your environments have been configured, skip this step.

Configure Environment Names

The Environment Names allow you to select the environment configured for the specific connector from the dropdown list in the Add Connector pop-up window.
You might want to consider crawling the same schema in both stage and production environments for consistency. The typical environments for crawling are PROD, STG, or Temporary, and may also include QA or other environments. Additionally, crawling a temporary environment can be useful for schema comparisons, which can later be deleted, especially during application upgrade assistance.

Steps to Configure the Environment

1. Navigate to Administration | Configuration.
2. Select the Connector tab.
3. Find the Key name “connector.environment”.
4. Enter the desired environment values (PROD, STG) in the value column. 
5. Click ✔ to save.

Establish a connection

To establish an SAP SuccessFactors Connection:

1. Log into the OvalEdge application
2. In the left menu, click on the Administration module name, and click on the Connectors sub-module name. The Connectors Information page is displayed.
3. Click on + New Connector. The Add Connector pop-up window is displayed.
4. Select the connection type as SAP SuccessFactors. The Add Connector with  SAP Success Factors specific details are displayed. 
   
   
   

   Fields	Details
   Connection Type*	The selected connection type ‘SAP Success Factor’ is displayed by default. If required, the dropdown menu allows you to change the connector type and based on the selection of the connection type, the fields associated with the selected connection type are displayed.
   Authentication	SAP SuccessFactors security supports two forms of authentication mechanisms.  i.Basic Authentication: The simplest form of authentication to validate a connection using API Keys. ii. OAuth2.0 Token Access: The OAuth2.0 authentication is an alternative to basic authentication.  For more information, refer to the Section SAP SuccessFactors Authentication document.
   License Add-Ons*	All the connectors will have a Base Connector License by default that allows you to crawl and profile to obtain the metadata and statistical information from a datasource.  OvalEdge supports various License Add-Ons based on the connector’s functionality requirements. Select the Auto Lineage Add-On license that enables the automatic construction of the Lineage of data objects for a connector with the Lineage feature.  Select the Data Quality Add-On license to identify, report, and resolve the data quality issues for a connector whose data supports data quality, using DQ Rules/functions, Anomaly detection, Reports, and more. Select the Data Access Add-On license that will enforce connector access via OvalEdge with Remote Data Access Management (RDAM) feature enabled
   Connection Name*	Enter a connection name for the SAP SuccessFactors. You can specify a connection name to identify SAP SuccessFactors in the OvalEdge application. Example: successfactors_db
   Environment	The environment dropdown menu allows you to select the environment configured for the connector from the dropdown list. For example, PROD, or STG. The purpose of the environment field is to help you understand that the new connector is established in an environment available at the  Production, STG, and QA. Note: The steps to set up environment variables in explained in the prerequisite section.
   Server*	Enter the Database instance URL (on-premises/cloud-based) of the SAP SuccessFactors.
   API Key*	Based on the authentication type, provide the API Key.
   Default Governance Roles*	You can select a specific user or a  team from the governance roles (Steward, Custodian, Owner) that get assigned for managing the data asset.  Note: The dropdown list displays all the configurable roles (single user or a team) as per the configurations made in the OvalEdge Security | Governance Roles section.
   Admin Roles	Select the required admin roles for this connector. To add Integration Admin Roles, search for or select one or more roles from the Integration Admin options, and then click on the Apply button.  The responsibility of the Integration Admin includes configuring crawling and profiling settings for the connector, as well as deleting connectors, schemas, or data objects. To add Security and Governance Admin roles, search for or select one or more roles from the list, and then click on the Apply button.  The security and Governance Admin is responsible for: Configure role permissions for the connector and its associated data objects. Add admins to set permissions for roles on the connector and its associated data objects. Update governance roles. Create custom fields. Develop Service Request templates for the connector. Create Approval workflows for the templates.
   Select Bridge	With the OvalEdge Bridge component, any cloud-hosted server can connect with any on-premise or public cloud data sources without modifying firewall rules. A bridge provides real-time control that makes it easy to manage data movement between any source and destination. For more information, refer to Bridge Overview.

5. Click on the Validate button to Validate the connection details.
6. Click on the Save button to save the connection.  Alternatively, you can also directly click on the Save & Configure button that displays the Connection Settings pop-up window to configure the settings for the selected Connector. The Save & Configure button is displayed only for the Connectors for which the settings configuration is required.

In case, clicking on “Validate” gives you an error, refer to the next section for the resolution of the common validation errors.

Connection Validation Errors 

S.No.	Error Message(s)	Description
1	Failed to establish a connection, please check the credentials.	Please provide the Valid cert path or Provide the correct details which have access to the API key.

Connector Settings 

Once the connection is established successfully, various settings are provided to fetch and analyze the information from the data source. 

The connection settings include Crawler, Profiler, Access Instruction, and Others.

Connection Settings	Description
Crawler	The Crawler setting allows you to set the crawling configuration that will collect the metadata and display it in the data catalog.  Crawler Settings include: (i) Crawler Options Tables, Views & Columns Relationship (ii) Crawler Rules
Profiler	Data profiling typically involves collecting statistics about data sources such as:   Minimum value  Maximum value  Top 50 values  Distinct count  Null count
Access Instruction	Access Instruction allows the data owner to instruct other users on using the objects in the application.
Others	The Send Metadata Changes Notifications option is used to set the change notification about the metadata changes of the data objects.  You can use the toggle button to set the Default Governance Roles (Steward, Owner Custodian, etc.)   From the drop-down menu, you can select the role and team to receive the notification of metadata changes.

The Crawling of Schema(s)

You can use the Crawl/Profile option, which allows you to select the specific schemas that need to be crawled, profiled, or unprofiled. For any scheduled crawlers and profilers, the defined run date and time are displayed to set.

1. Navigate to the Connectors page, and click Crawl/Profile option.
2. Select the required Schema(s).
3. Click on the Run button that gathers all metadata from the connected source into OvalEdge Data Catalog. 

Additional Information

SAP SuccessFactors Authentication

OvalEdge supports Basic Authentication and OAuth2.0 Authentication to connect to SAP SuccessFactors.

Basic Authentication

Basic Authentication is the primary authentication process that validates the SAP Success Factor connector using API Keys. 

You can select the authentication type as ‘Basic Authentication’ from the dropdown menu in the Add Connector pop-up. Enter the API Keys. 

OAuth 2.0 Access Token

In OAuth 2.0, you do not need to provide passwords during authentication, which makes it a more secure method of securing data.

You can select the authentication type as ‘OAuth2.0’ from the dropdown menu in the Add Connector pop-up. 

This authentication method requires the following parameters:

Fields	Details
Client ID*	API Key generated when registering the OAuth2.0 application.  Example: MWJjM2IxYzBhMWRlNDRlMDRjMGYyMDhlY
Username*	Enter the SAP SuccessFactors User ID to access API        Example: svc_ovaledge
Token URL*	An authorization code is exchanged between the provider's authentication server and the access token. It is used to tag the SAML assertion.  Example: https://api12prw.sapsf.eu/
Certificate Path*	It is a self-signed X.509 certificate. It is recommended to use OpenSSL to create the certificate and place it in the OvalEdge deployed instance. Example: Volumes/OE_DATA/OE_Downloads/APIovaledge/Certificate.pem
Company ID*	User’s company id Example: ovaledge01T7

Steps to Generate Access Token

1. Register in SAP SuccessFactors to obtain an API Key.
2. Obtain a SAML assertion.
3. Pass the SAML assertion and API key (in the client_id field) along with other information to generate an OAuth token.
4. Use the generated token to call APIs.

Note: Using Client_ID, User_ID, Token_URL, and Private_key (taken from the certificate path), these parameters are used to generate a SAML assertion string. SAML assertion string is used to generate an OAuth token. This token is used to validate the connection.

 

Reference(s)

 [1] SAP Success Factor OAuth 2.0 Access Token

https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/d599f15995d348a1b45ba5603e2aba9b/d9a9545305004187986c866de2b66987.html?locale=en-US

 

 

 

 

 

Copyright © 2023, OvalEdge LLC, Peachtree Corners GA USA