...
The first step is to create a SuccessFactors API user that the PowerConnect Cloud agent can use to connect to the SuccessFactors API and retrieve data. The instructions to do this are located in the following SAP KB article under the section Create API User account for Successfactors Odata API:
https://userapps.support.sap.com/sap/support/knowledge/en/2956021Make note of the User ID, Company ID and API Server
The next step is to create an OAuth 2.0 token based authentication flow documented here - Oauth2.0 Odata API Token Based authentication and How-To configure and outlined below
Assigning permissions to the SuccessFactors API User
To restrict the access of the API user to only the required APIs perform the following steps:
Login to the SuccessFactors UI
Click 'Admin Center'
Under Tools search for permissions and click 'Manage Permission Groups'
Create a new Group called PowerConnect
Assign the API user to the PowerConnect Group
...
After creating the group go to 'Manage Permission Roles'
...
Create a new role called PowerConnect
Add the required roles for each API
For ODATA Audit Log access check ‘Access to OData API Audit Log’
For EMEvent access check ‘Read Execution Manager Events’ and ‘Read Execution Manager Event Payload or Event Report’:
For Payroll related APIs check ‘View - Data Replication Configuration’ ‘View - Data Replication Proxy’ ‘View Current, View History - Employee Payroll Run Results’ ‘View - Employee Payroll Run Results.employeeRunResultsItems’ :
For Replication related APIs check ‘Employee Central Foundation OData API (read-only), Employee Central HRIS OData API (read-only), Employee Central Compound Employee API (restricted access), Admin access to MDF OData API, Access to Data Replication Monitor
Mass Export from Data Replication Monitor’
Click ‘Grant this role to…’
...
Choose the PowerConnect Group
...
Click 'Done'
Creating an OAuth 2.0 Token flow
Login to the SuccessFactors UI
Click 'Admin Center'
Under Tools search for oauth and click 'Manage OAuth2 Client Applications' > Select 'Register Client Application'
Under Application Name use powerconnect (or some recognisable name)
Under Application URL use any valid url e.g. https://www.powerconnect.io
...
Optionally tick the Bind to Technical User and enter the api username in the text box (otherwise default is sfadmin)
Click “Generate X.509 Certificate”
Enter the “Common Name (CN)” (e.g. powerconnect). Leave the rest of the fields blank:
Click Generate. The X.509 Certificate field will now be populated:
...