Scope of Work
This guide will help you integrate Grayscale with SAP SuccessFactors for seamless SMS communication within our Onboarding module.
Integration Steps
API Server URL
SAP SuccessFactors Username
Company ID
Client ID
Client Secret
1. Assign Permissions to the Integration User
To ensure Grayscale has access to the required data, assign specific permissions to the integration user in SAP SuccessFactors. You can either create a new user or if you already have a Grayscale Integration User you can add the permissions there.
Create or Select a Role:
Go to Admin Center > Manage Permission Roles.
Create a new role (e.g., “Grayscale Integration”) or select an existing one.
Assign Permissions: Within the role go to Permissions and locate the permissions under their respective categories as outlined below.
User Permissions:
Onboarding or Offboarding Object Permissions:
Select All (View & Import/Export)
Admin Permissions:
Employee Central API:
Employee Central Foundation OData API (read only)
Employee Central HRIS OData API (read only)
Metadata Framework:
Admin Access to MDF OData API
Onboarding or Offboarding Admin Object Permissions:
Select All (View & Import/Export)
Manage User:
Employee Export
Manage Integration Tools:
Access to OData API Data Dictionary
OData API Todo Export
Note: The API role should have 2 role assignments, Target populations needed:
All (Employees)
All (External Onboarding User)
2. Gather Integration Values
We'll need the following items to connect the integration.
API Server URL
SAP SuccessFactors Username
Company ID
Client ID
Client Secret
API Server URL:
Using your login URL, you can find the corresponding API Server URL by visiting this link. example: https://api4.successfactors.com
SAP Username:
You can find this under Manage Roles in the Admin center
Company ID:
This can be found in your SAP SuccessFactors profile settings under Show version information.
You can also find your SAP SuccessFactors company ID as part of your login URL, which is also sent to you in your SAP SuccessFactors welcome email (under "Company Link" - see image below)
For example, if your login URL is "https://successfactors.com/login?company=SFCPART00000", your company ID will be SFCPART000000.
Client ID and 5. Client Secret
Log into your SAP instance.
Search Manage OAuth2 Client Applications in the search bar
Click Register Client Application
Fill out Application Name (Grayscale) & Application URL (https://app.gograyscale.com) and click Generate X.509 Certificate
Fill out Common Name (Grayscale) and hit Generate.
Once the screen refreshes, click Download.
This will download a file called Certificate.pem.
Click Register.
You will now see your application listed. Click View.
You will now see an API key listed - this is your Client ID.
Open up the "Certificate.pem" file that you downloaded previously in a text editor.
Rename the Certificate.pem to Certificate.txt and double click to open
Copy the string between ——BEGIN ENCRYPTED PRIVATE KEY——- and —-END ENCRYPTED PRIVATE KEY——- this is your Client Secret
Troubleshooting
Sometimes, in order to get the above permissions and authentication adjustments to take effect, there’s a need for an “OData Metadata Refresh”.
Log into SuccessFactors
Search for refresh and select Refresh under OData API Metadata Refresh and Export?
If your organization's API has IP access restrictions in place, then an admin will need to allow our servers to speak to the SAP API. Do so by adding the values outlined in this SAP documentation.
To add the Grayscale IP Addresses:
In SuccessFactors, search and select Password & Login Policy
Click Set API Login Exceptions and expand it to find the Grayscale Admin User
Click on the Pencil Icon to Edit
Paste in these Comma-delimited IP Addresses:
44.194.126.11
44.194.4.0
3.232.227.174
3.214.125.237
54.158.121.71
44.193.163.62
Click Save and Close