Help
SAP SuccessFactors Learning Life Sciences User Group Discussions
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

User domains by country to control LMS admin access to users

may_thang
Galactic 6
Galactic 6

‎07-09-2019 5:51 PM

0 Kudos

Has other companies set up their user domain by function by country?  As the company has grown, we are expanding LMS admin access to local users within the country and are looking to limit their access to users in their local country as it seems the only way is through domains. 

Thanks,

May

7 REPLIES 7

MaryKatherineJ
Galactic 6
Galactic 6

‎07-19-2019 10:02 PM

May,

Yes, we did something similar.  In Employee Central (EC), we assigned each employee a geographic region such as North America, Europe/Middle East, Asia, Latin America, etc.  Then in the LMS connector configuration file, in the SF User connector section, we mapped the user Domain field to the Region field within EC.  You could do something similar using Country if your Regions don't meet the need.  When the SF User Connector adds a new user, it puts the user into the appropriate Domain.  Then in the LMS System Admin menu, we created domain restrictions for each regional domain, and then assigned those domain restrictions to the workflows within the admin security role.  We specifically restricted the workflows for Assign and Unassign Item and Curricula and Edit Item/Curriculum Assignments based on user domain.  We chose not to domain-restrict the Search workflows, however.  In our company, our admins can view the records of users outside their domain restriction, but they cannot edit the assignments for those users. 

One good thing about domain restrictions is that a single Domain Restriction can contain multiple Domains if desired.  If you are creating Domains based on Country, you have the option to create a Domain Restriction for only users in Country A and a different Domain Restriction for both users in Country A and users in Country B.  If you have administrators who need access to users in more than one country, you can create a security role that contains the Domain Restriction "Countries A and B".  On the other hand, if you prefer single-country Domain Restrictions, you can create different versions of the same security role, each with a different country restriction, and you can give multiple versions of the same role to an administrator who has responsibility for multiple countries.  You decide what strategy meets your needs best.  We have used both strategies at our company.

Good luck,

Mary Katherine Johnson

ScottVinkemulde
Galactic 2
Galactic 2
In response to MaryKatherineJ

‎07-20-2019 2:35 AM

0 Kudos
I concur. Domains mapped to Organizational structures have the most use in the clients I've worked with.

may_thang
Galactic 6
Galactic 6
In response to MaryKatherineJ

‎07-20-2019 2:46 AM

0 Kudos

We do not have EC.  Our user data is coming from another HR system.  As we expand to create domains by country, my concern is updating the existing AP's.  Has anyone restructured the domains and had to update all of their APs?  I'm hoping there is an easy way to update the AP's.  Thanks!

Alan_Yang
Galactic 4
Galactic 4
In response to may_thang

‎07-22-2019 2:30 PM

0 Kudos

Hi May,

Unfortunately there isn't a way to mass update AP's. They must be updated manually.

ScottVinkemulde
Galactic 2
Galactic 2
In response to Alan_Yang

‎07-22-2019 8:58 PM

0 Kudos
Alan, have you ever opened a ticket to see if SF can do it on the backend? Of course, if they could, it wouldn't be fast or free.

Dhruv
Galactic 3
Galactic 3
In response to may_thang

‎07-22-2019 9:40 PM

0 Kudos

We have used similar approach that Mary entailed, assigning multiple roles with similar workflows and restrictions based on Organization (not to confuse with Org ID). We have utilized custom columns for Functions, for instance each user in our organization has at least one Org Level value (= Function, HR), which sits under root level on the hierarchy chart (example, Eisai->HR). This prevents updating domains at AP level however when the company re-strategies,  meaning change Org Levels conduct detailed analysis and execute change so that assignments are not lost. This happens in partnership with HR (Source) team.

This is a downside of automation I suppose.

Eric_Thayer
Galactic 3
Galactic 3

‎07-22-2019 10:05 PM

0 Kudos

Hi May,

We took this approach at Securitas when we set up domains. We set up portions of the US into regions (for example: north, south east and west) along with international domains by country. This made targeting learners by region by AP easy, as well as domain restrictions for Admins. We can talk later....