Screen shot from very last SAP SF IAS IPS open office hour
It was with a fair bit of sadness that this week I was part of the end of something that I think was a bit special.
The SAP SuccessFactors IAS/IPS open office hour has been running for what I think was 2 years now, and for many of those Thursday evenings (it ran at 6:30pm to 7:30pm my local time) I would join, sometimes with a beer or wine in hand and would sit, listen and contribute.
I think Richard Feynman the American Nobel Laureate and Physic Professor once said :
“If you want to master something, teach it. The more you teach, the better you learn.”
Richard P. Feynman
Well, I think that’s what happened to me! By spending so much time in this call, trying to help other people figure out how to solve their IAS and IPS issues, I’ve learnt so much! I’m waiting for an IAS/IPS certification to come out and nice easy one to pass!
During this journey, I’ve developed some great relationships with SAP teams in this space. I’ve presented at SAP TechEd on the topic, had multiple influence requests turned into reality and been involved in beta testing new functionality. And more importantly, made some good friends.
There is still so much more to learn, but this opportunity to gather weekly to help out other SAP customers that were stuck in a tight spot is now over. It probably had run its time and it was time to focus the support efforts elsewhere, but whilst it was there I really did enjoy it.
How awesome was it to be back to see all the wonderful SAP SuccessFactors people in person. I now can actually recognise Ankur (CTO SuccessFactors) when I see him! Had some great conversations there. So impressed with all the work he and his teams have done on the migration to “next-gen” cloud – aka the hyper-scaler move. Throughly friendly chap – a new favourite for the Confidants group! We all enjoyed his frank and open discussions.
Finally met Meg in person!
The energy was amazing – and I’m not just talking about the party at TAO beach club which went OFF!
But even cooler was the clear message from SuccessFactors about returning value to their customers.
After many years of getting bad screen caps/photos of Amy I decided a video would be safest, and got her to vet the selfie! – shame I got the “old” model ,in video but still, the details are clear – a single employee talent/skill/competency model for use across the platform. And what is even better, no additional cost to customers. This is returning value for having a subscription.
Okay – my flight back to Aus boarding in 5 mins, where I’ll be off to SAUG Summit to present as soon as I get off the plane – think I’ve just about got the preso decks ready!
That’s not a title to any piece about AI or ML that I’ve heard for quite some time, especially not something out of any HXM vendor’s keynote!
If you haven’t already – please listen (watch too if you like) to this really short – less than one minute, clip of Meg Bear talking about Artificial Intelligent and Machine Learning as part of the executive open Q&A at the last SuccessConnect conference (2021).
I’ve included the transcript (as I could make out) below:
“So what we know deeply, is that machine learning and AI are great tools but they are not sufficient conditions for the overall experience that we are trying to drive. It needs to be bringing that technology in concert with people, in concert with who I am and what I want to add to it. To create something that is truly powerful.
And, so, while we are absolutely putting machine learning and artificial intelligence inside our data model. We’re talking about it in a much broader way. Because we know that just saying that you have machine learning is not sufficient. It needs to be about what is the outcome for me as an individual and what is the outcome for the business, and it needs to be grounded in deep reality and pragmatism.”
Meg Bear – SuccessConnect Executive Keynote 2021
Okay firstly, hats off to Meg! When she gets going on a topic that she’s enthused about, there isn’t anyone that’s going to stop her. I think if you listen carefully you can hear some of the the rest of the the team giggling slightly in awe of Meg doing her thing. It was a completely passionate geek-out that was by far the highlight of the whole conference for me. Mainly because I couldn’t agree harder and would have had trouble articulating it more eloquently, especially if I were on a live Q&A in front of thousands of people. Thanks Meg for following up on my request to get that video. (I’ll not include the link to the original request because Amy Wilson might not ever speak to me again if I reposted that particular screen grab!) (oh to be able to retrospectively edit the photos in livestream tweeting)
The current state of ML in people management is pretty basic and some of the uses that have been attempted are pretty bad. For an interesting take on what not to use ML for – check out Thomas Otter’s piece on flight risk indicators. Just looking at what SAP have managed to deliver in this space recently and we haven’t got much more exciting than the Amazon “other shoppers who purchased a course in first aid also purchased a course in CPR”. It’s not inspiring (which is probably why some organisations try to do things like flight risk.
So, Meg turning the conversation around from a technology bang-whizz smoke and mirrors magic show to instead focus on the objective that we are trying to achieve of great employee experience is very important. We need to realise that there is very much a “human” in HXM and attempts to remove it will fail.
I watched a demo, in the same conference (eek), of a chat bot that had been put in place to help gather more details about how people were coping during lockdown due to COVID 19. What was very interesting to me (other than I manage to stop myself from screaming at the screen) was that there were quite a range of opinions in the session I was in about whether this was good or bad. Let’s just say I was in the “You have got to be f’ing kidding me” side of the opinion poll, whilst others were more on the “That’s a cool way to get feedback” side. The reason I think this is terrible is because if your outreach to people who are suffering because of isolation is to throw a bot at them then you’ve completely missed the H bit of HXM. And that bit is important to me (and Josh Greenbaum it seems.)
There's a lot of things that need care especially in a people focused environment. People are supported by people tech, not replaced by it. #SuccessConnecthttps://t.co/VXiUMquVqO
And so, why is Meg’s focus on HXM and not technology so important? Because if you give techies technology -> they will build with it, and scarily enough, they will also believe what they are doing is good. I know, I’ve fallen into this hole so many times that I have a ladder purpose built for climbing out of tech for tech’s sake holes (it’s called a phone call to my good friend who has no issues in telling me I’m an idiot and to stop being stupid.)
So, I look forward to what comes next. I would really like to be able to make ML models that could help recognise things like which managers are helping their teams perform better so we can all learn what human interaction driving better experience. I want ML to send me alerts when thresholds of leave liability are likely to be exceeded so that I can send dashboard to managers who can then use their on-the-ground relationships with their staff to check those numbers and have person-to-person conversations with them. But I want all of it in a supporting, not supplanting role. Tech to help people interact with people, not replace that interaction.
We are getting (slowly, oh so slowly) to a state where we have platforms that can build these types of experience enhancing solutions. But as Meg says only when “grounded in deep reality and pragmatism”.
Okay – that’s enough SAP SuccessFactors love for one evening.
SuccessFactors team, remember all these nice things I said when I start complaining (again) about the Reimagined Home Page Migration! 😉
Quick one today. Whilst I’m getting over (actually I’m not) my disappointment that Analytics Cards (Stories in People Analytics widgets) are very unlikely to be available as part of the 1H2022 release, and therefore dashboard tiles will not be part of the new SAP SuccessFactors homepage when it is forcibly pushed to all customers next year, I thought I’d write quickly about a different take.
Recently, I asked a senior non-HR exec what they wanted from their HR analytics dashboards. Any guess what they wanted?
“Don’t show me any dashboards. “
Senior Exec.
They didn’t want to be required to look at a dashboard. This is an extension of the themes I expounded on in my last post. This person wasn’t going to ever action anything based on glancing at a dashboard – mainly because they didn’t have the time to look at a dashboard. What they wanted instead was a prompt to investigate.
You might be devious and say – but I could just build a dashboard that only showed prompts where there was a need to investigate. But what this manager wanted, was external prompts. I.e. an email or a notification that then linked to dashboards and analytics pieces.
Good thing is that this 2H2021 release just enabled the possibility to deep-link to a given SiPA story. What we need now is some way to actually ping links to relevant analytical stories when they are needed.
This would be a super simple thing to do for some situations. Bets on SAP SuccessFactors tooling being introduced in next few years that allows for the configuration of ML based triggers that can then be linked to custom designed dashboards.
Then I can throw a link to custom dashboard at my exec when they have a huge spike in leave liability and people not taking leave. Then they only look at the dashboard when there is a need for them to take action.
So if I wrote an SAP BTP extension that enabled you to email links to specific dashboards to your managers based on certain thresholds being met (or not), would that help you get over not having dashboard tiles on the home page?
I recently presented at Mastering SAP Africa around my thoughts on HXM and SAP SuccessFactors People Analytics. I tried my best to “Timo Elliott” it but I’m just not that polished, and I like that, it’s authentically me!. My daughter says that it can be watched at 2x speed and still makes sense, but has no idea what all those SuccessFactors words I used mean…
Hello! Time for me to go on a bit of rant again. So far, these little rants have been very successful! With support from the community (and demonstrating this to the SAP SuccessFactors leadership group), we’ve pushed the dial a few times in the right direction (well, I thought it was the right direction anyway!) Although, I’m perhaps not as optimistic about this one… let’s see!
The “Reimagined” Home Page (a naming that is going to get tired very quickly!)
A little while ago (quite some time actually – end of 2020) SAP announced that it was going to retire the existing Fiori Launchpad style homepage and move to a new “reimagined” home page. The reimagined home page had been demo’d during a few SuccessFactors conferences and looked quite exciting. The new home page is pretty cool. The whole concept of having the things that are important to you right now highlighted and brought to the front is a good one. Show me what I need to act on right now! Make me do it quickly!
This said – it seems that it’s still a bit of a journey to parity with the old home page. (which may never happen, given the different idea that we’re working with – some things just wouldn’t make sense in a one-to-one mapping.) However, relatively important pieces of functionality, like to-do notifications, manager team tiles and ability to use with onboardees is still being added. There’s also the minor/major issue that you can’t do a refresh to or from any system that has the reimagined home page implemented using the instance refresh tool, you have to request SAP to do it. The plan is that by end of 2H2021 release, everything that is needed to go live with the new home page will be added and these issues fixed. (And hopefully we’ll be able to have that text in the middle of the top panel in some colour other than white).
The (forced) migration to the reimagined home page
There was a plan to push all customers to the new home page by 2H2021. (I just can’t manage to keep typing reimagined… it’s so going to get renamed to “Home Page” as soon as it’s the only option. Can I chalk up another product renaming before it even happens?) But then due to some functionality not going to be available until then, there was this strange idea to push the release universally to all customer’s preview instances 2H2021 and then production 1H2022.
So, I had a bit of a rant about how it really didn’t make sense to push the new home page to all customers’ preview instance before all of the fixes were rolled out and customers had some time to test them. (It wasn’t just me that had this rant – lots of community support for that idea). SAP have now pushed back that idea, we should instead get the universal push in 1H2022 for all customers. So, you’d better get ready for it! Cos it’s coming!
Okay… so what’s the problem?
Well, see the thing is, the main reason that we need the new home page experience, is also the main reason why the existing experience is so useful.
Note how there’s a lot of content on the old layout compared to the new one… well that screen shot is pretty minimalistic compared to some customer instances I’ve come across. (And, I’ll admit, helped implement.)
Here’s a screen shot of one of our demo systems there is a LOT here.
Screen shot of a system that’s using a lot of Fiori Launchpad tiles
The original idea of the Fiori Launchpad was that a user would be able to see all their important information in one place and drill down to bits that stood out. Of course, that doesn’t work because having pages of stuff means people don’t look at any of it. So the idea of using machine learning to figure out which bits to surface for a person to look at, makes great sense.
The problem is that in many cases SuccessFactors doesn’t know what’s important.
This is especially the case for extension use cases and the “We don’t use just SAP SuccessFactors for all our people processes” use case.
Here’s a couple of examples from one customer I work with:
“My Team” tiles: approve leave requests and Leave balance for my team
These two existing home page tiles, “Legacy” I believe the terminology is now, link off to BTP Cloud Portal, which then uses SAP Cloud Connector to tunnel through to an on-premise SAP ECC instance and display Fiori based apps showing leave balances and approval apps that are based on data still stored in SAP Payroll, not in SAP SuccessFactors.
It is exactly the same with these tiles:
Employee Self Service links to payroll (non ECP) applications
The customer also has additional BTP based extension applications – here’s one example:
SAP SuccessFactors Extension running on SAP BTP
All managers get the team leave balance tiles/applications and all employees (not contingent workers/contractors) get the leave and payslips apps. And everyone gets the Network Compliance App (it’s really cool btw, if you need something like this, please give me a shout!)
In the new home page these would ideally be part of the leave management quick links or approval tiles that popped up as needed, payslip tiles that appeared when payroll has been sent to bank (dreaming here about next gen payroll, but you get the idea). However, because all these tiles are just links out to other systems/application, they can’t be part of the “intelligent” framework and instead must be part of the “Organisational Updates” section of the homepage. And take up about twice as much screen real-estate. There’s also a limit on the number of tiles that will show in this section, so you’d better hope you don’t have too many custom applications/extensions that you want to link to. (Originally the SAP team had thought to limit the number of “cards” in this section much more, but fortunately a few more are allowed now. (Feedback works!)
New Home Page “Cards” – graphic is required. Sizing approx 1.5-2 times larger than existing tiles
Managing Sections with Permissions
So, whilst I would argue that custom cards look really bad in this new experience (they are big, chunky and not sorted into any meaningful categorisation, certainly they are not “Organisational Updates”! – but that’s a topic of a different set of feedback!), we’re only just now getting into the crux of this particular rant, which involves figuring out how to limit who gets which tiles/cards. In the “legacy” home page there is functionality which allows an administrator to create “Sections” on the home page. These sections can then be shown/hidden based upon Role Base Permission (RBP) roles and groups.
Capture of the “Sections” area of legacy home page configuration – access via “Manage Home Page”
It’s as easy as creating a section and then using the drop down to pick as many roles/groups as you want to allow to see that section.
Multi-select list of all permission roles and groups.
One particularly useful thing is that you can choose the system generated roles used by compensation, but any role can be used and this can can be one that is assigned to a population of “Managers” for example:
Standard role assignment screen, where a role can be assigned to a permission group or also to a set of automatically determined user populations. Very useful!
This gives a particularly powerful way to assign access to sections based on system generated subsets of the employee population.
Then we can simply assign whichever tiles we want to whichever sections we want and hey-presto, we have managed to use RBP roles and groups to restrict which users have access to which tiles.
There is the downside that quite often we ended up with a section with only one or two tiles in it, but that wasn’t so bad.
So, again, where’s the problem? Well, the thing is, in the new home page, you can’t do this!
Managing custom tiles with Home Page groups
The solution that has been adopted by the new home page is one that also existed in the legacy home page, but we didn’t use because it’s (my opinion) rubbish. When you create a custom tile you can assign it to a “User Group”.
Final step of creating a custom tile (very similar when creating a custom card) – assign a user group to the tile/card
It is possible to edit these user groups:
Dynamic Group maintenance for home page tile groups. (very similar to permission group maintenance.)
You’ll hopefully be familiar with the layout of the editor as it’s the same one used in managing role-based permission groups.
However, note that you are creating and maintaining “homepage tile groups” and not RBP groups.
There are some serious restrictions here – you cannot make these groups contain all managers for example or any of the other automatically built permission role assignment groups.
If you have an extension application that relies on the end user accessing the application having a certain set of SuccessFactors role-based permissions, then you MUST ensure that any editing of the home page tile group that includes the list of people who can see the custom tile that links to the extension application MUST also update the associated role-based permission group and the two must not get out of sync.
Work Arounds
Well – if you have an extension application that you only want to display to managers as a custom card, well, you’re pretty much stuffed – you cannot use the new home page tooling as it works today. The only way would be to manually maintain the list of all employees that are managers in your organisation. And, ummmm, sorry, this ain’t happening!
I’ve considered building tooling that could automatically maintain these groups based on similar logic to the existing home page, but unfortunately the APIs for dynamic groups are all read only and cannot be used to update a group.
The only things I have so far come up with to enable effective filtering and using custom home page cards are:
an additional extension application that is launched from the home page and then provides another view of which “additional” applications a user can access. In effect, a secondary launch page which provides the functionality to filter links to applications based on permission roles and groups that the new home page does not.
An application/integration that regularly goes through all users and updates one of the custom fields to a value which can then be queried by the home page tile dynamic groups (i.e. populate a “is a manager” flag against custom field 14 or something. )
In standard configuration it is still (thankfully) possible to use permission roles and group to decide which items are available in a given user’s navigation menu. Just like the logic that allowed sections to be permissioned in the legacy home page.
Configuration of custom navigation – menu item access can be controlled by permission groups and roles.
So, it is an option to remove these applications completely from the homepage, and just have them in the custom navigation. For those customers that don’t have a crack extension development team to provide a custom tile that can handle using RBPs to provision or not a secondary launchpad, I think I’d be suggesting that they build a custom tile that explains how to find the now missing links in the user menu.
Plea for support
Okay, hopefully you can see now why I’m really worried about the forced push to the new home page in 1H2022. I have spoken at length with the product team for the reimagined home page and whilst they see the potential issue, my feedback to date has been that they do not envisage fixing this issue before the universal migration to the new experience. They actually encouraged me to write this blog post because they want to see if others believe this to be an issue! I did ask them to just run a query on any existing customer that were using the permissions in existing home page sections, but I haven’t got a response on whether that is a large number or not.
Right, this feels kinda awkward… I’m about to give Microsoft kudos and point out how I wish that some SAP processes were closer to what I’ve seen from the team from Microsoft. So bear with me if I seem a little less hyperboly than regularly…
This isn’t the Microsoft you remember
Recently I was working through the options for integrating SAP SuccessFactors personnel records into Microsoft AD, it’s something that every organisation that doesn’t have a dedicated IAM or (IdAM, however you want to make up your TLAs or FLAs) is likely to need in their environment. Have to say, I love working with new “start-up” orgs that don’t use an on-prem AD, but there’s not quite so many of those that are large enough to pick up SuccessFactors that they are probably still a minority.
Documentation is a skill that is distinct from development
Anyway, I happened to look at the Azure AD online doco about SuccessFactors integration and discovered it had been written by a developer. Well, that’s a guess, but seriously, who digs through the results of an API call to get config values out of a system when you can just use the standard tooling to do it? And then makes some poor sod document how to use Postman to do the same? So I suggested an update.
Arrrgggh!
no – just use the UI!
So, I was feeling benevolent and thought I’d offer my advice that perhaps there was a better way. I clicked the feedback button…
Shock horror – I wasn’t redirected to another site and asked to create a new user, I was asked to create a Github issue! (Okay if you don’t have a Github user, you’ll be asked to create one, but seriously, you don’t have a Github user id?)
Then I resigned myself to never hearing back about it again… But I did!
Issue was triaged and assigned to the document author to review that very same day! (that’s not normal is it?)
I was – wow!
Okay – so I suggested an update to some MS Azure AD doco of #SuccessFactors integration – which directed me to raise a Github issue – and I already have a response… I mean – wat??? This is a level of ease and responsiveness I am not used to. https://t.co/Mn9GtPTXYi
Seriously Microsoft peeps are you just trying to make the rest of us look bad?! Amazing responsiveness and just check out that "above and beyond" to find my tweet and respond to it, thanks @cmmdesaihttps://t.co/IFwSU6iHvs
Not only did I have someone look at and action the feedback that I gave, they then went and found my tweet on the subject and personally responded to it! Wat?
And now, the update to the documentation is about to go live:
And hopefully that will make some poor consultant/tech support person’s life a little bit easier.
Meanwhile, back at the ranch
So let’s compare and contrast. And I know this isn’t apples – doco is different to application UI changes, but, lets compare the process at least.
I was working on the new SAP SuccessFactors IAS/IPS integration on my own company’s system when had an issue – I couldn’t figure out how to change some value in the config. Fortunately there is a partner community that SAP have set up for partners to discuss these sorts things and get some assistance from each other.
(Sidebar – Yes, I know it’s a bizarre idea, consultants helping our competing firms consultants do stuff. But in the scheme of things, the other consultants are all good people, they just aren’t lucky enough to work for my company, and helping others tends to do pretty good things for your own internal skills too.)
If you don’t know, then ask!
So I raised the issue in the forum and the really nice SAP person how has to read all my grumbles and moderate the forum raised it in the fortnightly call that SAP hosts for partners (it’s at 12:30am my local time, which makes it a bit fun, but better that than 6am!)
If you have to attend training to do something, it isn’t intuitive.
Let’s just say I wasn’t impressed with the UX and I realised why I hadn’t figured out how to do this myself! Because colouring something BLUE in an SAP UI5 app is possibly the least intuitive thing on planet to do to indicate that it is editable if you click it. Possibly the developers had played one too many games of Day of the Tentacle and thought users needing to randomly waving their mouse around the screen to see if it changes pointer shape is a good way to indicate to people that something is clickable? (Okay I doubt that was actually the case, more likely someone threw a guideline at them that didn’t make sense and they had to get inventive to work around it (been there!)). Pretty much everything in standard SAP UI5 apps are cyan or blue, and I’m not checking everyone one of them to see if it’s different.
So I gave some feedback on the forum.
I even tweeted about it. Cause that’s what you do, right? (Well it’s what I do. I mean there’s a certain type of person who stays up late at night writing blog posts about these sort of things, so what do you expect?)
Hi Fiori (or otherwise) UXers I'm seeing a lot of site using actionable "Links" that only become obvious links/clickable when you hover over. Is there a Fiori guideline that explicitly discourages this? Looks "clean" but totally anti-intuitive @jocdart@matthardingpic.twitter.com/PaXsm0kl8m
This then lead to a bit of a conversation in my DM’s with someone from SAP (since it was DM’s I’ll not share, private stays private) who suggested that I really needed to raise this with support since it was an issue, and that helps track that people have issues. Likewise in the forums I was directed to raise it formally.
To whom it may concern
So I raised a SAP Support ticket (low priority since I already had a fully working work-around.)
I would happily have bet on the response, and I’d have won!
Thanks Mike – yep, the ole “Raise an enhancement request” gambit. That place where good ideas go to die.
“Once more unto the breach, dear friends, once more; Or close the wall up with our English dead”
But by this time I was, “right whatever, lets see how far this sucker goes!” So I raised that enhancement request.
Oh – and whilst I was doing that, I came across a small issue…
The feedback site is hosted in Europe. I am not in Europe. But that’s cool because there’s this concept called CDNs, yeah, that allow large websites that are accessed around the world to be accessed in a reasonably fast manner from everywhere.
Thanks for letting us know – we have enabled SAPUI5 CDN for the Customer Influence site
Yup – CDN wasn’t enabled. It is now – so the rest of you can thank me for suffering on your behalf!
Sod it though I’m gonna get this bugger filed! Oooh flashy light on my phone…
Have to say, I'm pretty sure that this site can't always be this crap. But it's Murphy's law that it would choose to be crap when I go to log an enhancement request…. and yes, it lost the text I had entered…
I got the request raised! had to attach my diagram as an “attachment” not able to be viewed inline in the request – but hey – it was raised.
And there it sat…
Tick tock…
Three weeks later my request was “Acknowledged”.
What’s the German word for “million to one chances happen constantly”?
And in the weird way that the universe works, whilst I have been typing this up, I got a comment on the request, strangely I didn’t get a notification (yet) but keeping my fingers crossed that sometime tonight. I did just check my spam email folder too, and interesting that it’s about 30/70 banking phishing scams and webinar invites, sure it used to be far more interesting. But nothing to notify me that my request had an update.
The really nice lead designer for the product reached out and asked me what I thought about their thoughts about making some UI changes to make things easier to use!
The response was awesome! I Loved it!
they ended the message with a request for my thoughts!
“Please let us know what you think.”
YES, YES, YES!
Well – I can say I was totally stoked, so happy! And then I tried to find the button to reply….
The irony of wanting to reply to a conversation about improving UI to make things more obvious and easier for people to use and then not being able to because the UI of the tool in which the conversation is happening doesn’t facilitate it.
Anyway. I did what I always do. Tweet lots, then try to figure out what to do…
It would appear that someone thought that it would make more sense for new comments to appear at the top of the conversation, not the bottom. So by clicking on the comments “tab” at the top of the page I was navigated up the screen and saw that I could enter a new comment. I did. And I tried to be very nice in my feedback (given the amount of huffing and puffing I’d been doing seconds before.)
Two ways of doing things, both with good result
So, we have two different scenarios, both ended up (or will hopefully end up with) some change in the product as influenced and suggested by me. Two out of two is pretty good going. However, one took 3 weeks, the other, over 3 months. One was painless and easy, the other painful and frustrating. As I said earlier, we’re not comparing apples to apples – getting a product changed is much harder than getting some doco changed. And I have heard anecdotally that some areas of SAP are even faster:
Interesting to note that the area that got the same day response that Robin mentions is also using the Microsoft Github tooling to manage issues. I wonder if tooling impacts delivery approach?
Yes – AND?
So what do I want to achieve by writing all this (other than hopefully amusing a few of you with the tale)? Well, I think it’s important that it’s documented how difficult giving good and constructive feedback can be. Only by taking a look at what’s happening can we get on the right path to working together to make everything we do better and easier.
I’ll finish by just mentioning that EVERYONE that I have dealt with when providing feedback at both SAP and Microsoft have been AWESOME. Both organisations do understand and value feedback. It’s not a people problem.
So I’ll probably get hugely humiliated by writing this post – but then again, how do we learn without failing…
I today had the chance to watch DJ Adams run through one of his #HandsOnSAPDev live streams: (it start’s 3mins 30secs in if you want to watch)
It was an interesting watch and makes me long for those days when I could just play with APIs marked beta and hope to get away with not having to do a massive code re-write several months later.
Anyway – during the episode, DJ was using the “standard” OAuth Client Credentials flow and I had to ask myself – “Why is this any more secure than just using basic authentication?”
I tried to put the point to DJ – but there’s only so much one can do in a chat window, hence this post.
I have since tried to do a little research on the topic – and found this rather good Stack Exchange discussion on the topic:
Both the question and answer made a lot of sense – read if you like – but I’ll work through the points – in my own style – which is to illustrate with bad drawings.
OAuth Client Credential Flow explained with bad drawings
In the OAuth Client Credentials flow – one system (Bob, our client) gives another system (Dave, our authorisation server) his special secret key.
Bob uses his secret key to authenticate himself to the authorisation server. In the example DJ worked through authentication was in form of an authorisation header with <clientid>:<clientsecret>. (And a body that contained the user’s username and password – this is useful for API’s that need to pickup a given user’s credential.) Note that nothing here is encrypted beyond the usual transport encryption. I’ve seen many implementation of this process where the username isn’t actually needed because the particular client id and secret are associated with a particular system user. (I’ve never seen any other one where the user’s password is needed – noting these API’s are beta!).
Once Dave (our authorisation server) gets our secret, he checks it is still valid (kinda like checking a password… no wait, exactly like checking a password) and then gives us a limited lifetime token to use the API. In the example DJ worked through it also checked the username and password – strange, but hey why not? (Other than it being a TERRIBLE idea that any server should need to store a user’s password as well as client id and secret!)
Now, according to the OAuth standards, Bob could have asked for the token he picked up to be scoped to only allow certain access. But because Bob is a little bit lazy and Dave doesn’t insist that he asks for scope, Bob never does. If you got to the oauth.com website and check out the client credential flow (https://www.oauth.com/oauth2-servers/access-tokens/client-credentials/_ you’ll even see they mention that hardly anyone ever uses scope in the flow.
Your service can support different scopes for the client credentials grant. In practice, not many services actually support this.
OAuth.com
Plus Bob likes reducing his interactions with Dave to make things faster, so one token to rule them all is far easier and more generic. Bob might be a programmer (if he weren’t a system… stick with the metaphors people!)
Bob now has his limited lifetime access token he can use to authorise the API interactions. So he goes to make call to the API server.
Imagine Bob’s surprise when talking to the API server it looks very very much like Dave. But it’s not Dave, it’s Fred the API server. In DJ’s example the authentication server was accountblah.authentication.region.hana.ondemand.com and the API server was accounts-service.cfapps.region.hana.ondemand.com. Slightly different names – and actually resolve to different IP addresses too! But if I look at the SuccessFactors implementation of this similar token logic – both sit on same server (from an external view – who knows or cares what happens internally). Anyway – Bob uses his token to request some data from Fred.
Fred then goes away and checks that the token is valid. When the token is sent over to Fred, it’s not encrypted in any way or signed with a special key or anything. In DJ’s example it was just in the Authorisation header as “Bearer <access token>”. The security of this exchange was relying on the transport encryption – just like the original request to get the access token.
Fred may well be wondering if Bob is ever going to send him a request he doesn’t have scope for, might need to have a chat to Dave about that… But he validates that Bob has a token that is still valid and that is valid for the requested action (get list of sub-accounts for example.)
So what makes this more secure?
In the exchange I just documented, I cannot see how taking the extra step to pick up an access token to call Fred has made the exchange between Bob and Fred more secure… The only things I can think of are:
Conversations to Dave (the authentication server) are treated more seriously, we take extra special care to not record them or allow anyone to snoop on them because the client secret is long lived (like a password).
Possibly means that if we take less care that conversations with Fred leak then the impact will be short lived due to the token expiring sooner.
yep – that’s about it.
can’t think of anything else.
Frankly – for the increase in hassle I’m not seeing an ROI on securing my API calls. Especially as for many implementations of this sort of logic the token API runs on same server as the main application API. (Dave == Fred)
What makes this useful then?
This is different thing – and goes to identity rather than authorisation. With the client credential approach I can config my calls to the API server to be treated as if one of the system users is making the call and not a generic API user. I have one password that I use to get access tokens that allow me to “pretend” to be any user I want to be for the purpose of fetching/updating data via the API. This is something that I would use all the time in SuccessFactors* – it lets me query data using the user’s permissions. Very useful! SAPCP is set up to do this. I believe this is how, for example applications running on SAPCP can use OAuth Bearer destinations to access API calls as per the logged in user – even though the user is not logged in to that remote application. We can’t do lots of client side SSO, because browsers have gotten wise to applications doing SSO to remote system inside frames (SSO to a remote server requires JS running on different domains generally and falls foul of Single Origin restrictions). So solutions like SAP Cloud Portal and now SAP WorkZone use the SAPCP destination service to call OAuth Client Credential flows to get access tokens as per the person that is logged into their solution. Obviously this requires trust set up – which is the the client id and secret.
So Claire (an actual person, not a system for once) comes along and asks Bob (the system) for some data that’s on the system that is Fred (are you lost yet?). Bob asks Dave for an access token that will allow him to ask Fred for stuff on behalf of Claire. Dave, being ever so obliging and having verified the client id and secret, then gives Bob a temp pass to pretend to be Claire when speaking to Fred.
Okay if you’re following that, you’re doing well. But really – that’s why we use these credentials. It has nothing to do with security and everything to do with making life easier for system to system communication when pretending to be other people.
* Now to explain that aster a bit up the page. I would possibly use this logic in SuccessFactors, but I don’t because it requires that the user that “Bob” is pretending to be needs to have API access or Fred refuses the call. Giving all users API access is not a good idea at the moment in SuccessFactors because of the way that certain fields tend not to be hidden or controlled in API access compared to front end access.
Summary
So, to summarise, I cannot see any real security benefit to using OAuth Client Credential flows over Basic Auth unless you are looking to distribute your development spend on making one area of your codebase more secure than others. Even then it’s not that much better. If you’re able to intercept and abuse a basic authentication flow, you’d be just as likely to be able to intercept and abuse an OAuth Client Credential flow. Indeed because organisations tend to use the Client Credential flow as per the example DJ had (with the credential applying to a given user) or like SuccessFactors does, it actually open up a whole new security issue… It’s not just one “user” that might have their credentials breached, it’s anyone that the system is allowed to impersonate.
Okay – go at me – I’ve missed something – else we wouldn’t be using OAuth Client Credentials for the sorts of API calls that DJ was making in the video.
I note there are many other OAuth flows and some of them are much more secure – they use PPK encryption to ensure that messages are signed and headers never could leak credentials like Basic Authentication can. But the client credential flow – hmmm this one, in the use case where it’s a single user, not “impersonating” anyone – there’s no benefit over Basic Auth and another communication round trip to have to deal with.
Okay – so I’m supposed to be doing something else right now, but a) I’m procrastinating, b) I just got off a call with a whole bunch of SuccessFactors integration “experts” and I want to show that I haven’t completely lost touch! And c) I’ve finished Witcher 3 Wild Hunt and all the add ons and played far too much Civ6 so I really needed to do something else (which wasn’t the thing I was avoiding doing in part a).
So, I thought I’d share a teeny tiny simple integration that I helped a customer build the other day. Yep – I didn’t build it – I helped the customer do it (a functional SuccessFactors admin) via a web meeting.
Updating data in SF WITHOUT using a workflow just simple integration
It came about because we had just updated from old and honestly less than perfect Boomi integrations to newer (and still not perfect, but better) SAP Cloud Platform Integration based integrations. One of the things that was “fixed” was that leave records in SF and SAP were now being kept in sync. So an old process that they had running in SAP that was updating SAP leave records without updating the SF record was no longer working. Well, truthfully, it did work, right up until the next sync run happened and then the record got updated back to the SF state.
Requirement(ish)
The functional requirement was based on a process this customer has. They allow managers to enter a “unexplained” absence type for employees into SuccessFactors in the case that an employee is a no-show for a given day. When the employee returns to work, they have the option to change that absence type to a personal leave (sick leave or carers leave) or mark it as annual leave, or however it needs to be handled. But if they don’t update the record within 14 days the leave type is automatically changed to personal leave without medical certificate.
Design
On the basis that “Any sufficiently advanced technology is indistinguishable from magic”
I present how we got it to work again in my bad whiteboard drawing style. NB payroll is shown as a little black box because you really don’t want to look in there, and I clearly do not have enough skills with drawing to represent Pandora’s box.
So I’d like to take the time to explain how we got the “Magic aka Integration Center” bit to work. (Yes I know that there are two spellings for Centre/Center and really I don’t mind. If I did I would blame the US, but they’re in a world of hurt right now, so let’s be nice).
Making the Magic happen
In Integration Center we created a new integration:
Chose the “more integration types”
And then chose Scheduled SuccessFactors to SuccessFactors OData v2
Chose the Employee Time entity
Then simply dragged and dropped the external code from source to destination, fixed the time type to 0200 (Personal Leave)
And set the operation to “Update/Merge” (which is a personal bugbear of mine since the HTTP operation should really by “Patch” not “Merge” but that’s OData v2… <sigh>)
Now if we were to run this now it would transform all leave record in the system to time type 0200 – which would be bad… (with great power comes great responsibility Peter!)
So next up let’s restrict which records should be selected…
I’ve only set up one “Unexplained” absence in the system – has time type of 6666
Now we only want to update entries that are time type 6666 and creation date is 14 days in past (I’ve used 14 minutes for this example because waiting 14 days seems a bit excessive for such an unpolished blog post)
Note that date filters have a very useful “relative date” option.
Now jumping back to the configure fields screen and you should see only one entry… (NB if you choose created DATE rather than created DATETIME, just taking 1 min off actually takes you to previous day so be careful what you choose!)
Now if I wanted, I could schedule the job to run daily:
Then just set the schedule and go for it!
But to be sure it’s working, I can actually just run it in preview:
And it works!
Entry updated to personal leave
So simple, yet so powerful!
Usual disclaimers apply – and especially so given the whole Spidey superpower unleashed here. You can really muck up your data doing stuff like this… DO NOT TEST IN PRODUCTION!
Enjoy. Don’t be afraid to give it a go! I’d advise, just go out try it. You learn so much more that way rather than asking other people to figure things out for you!
With many thanks to Meg Bear for listening and engaging and tweeting this video to question about how soon will the unofficial-official announcement that SuccessFactors customers will get more than one non-prod IAS instance.
So I was staying up late (12:30am online meeting) to join a partner IAS/IPS Q&A/briefing session, when I looked through the latest doco that SAP SuccessFactors had released about the connection of SuccessFactors and IAS tenants and I found something that I swear wasn’t there before…
I did quickly check with Meg Bear that I wasn’t dreaming and this was real and she confirmed – yes this is now “public” and was real.
So yes Chris you can have “one more”
It’s really heartening when you go to the effort to put a case for a change of position to an organisation like SAP SuccessFactors and they listen, engage and then implement change. I’m really happy that customers are going to get another IAS for their non-prod environment, it makes so much sense. However, I’m even happier that this clearly shows how the team at SuccessFactors are willing to listen and work with the community to make the product better.
