How Role-Based Permissions Work for docuflow Link Cards in SAP SuccessFactors

Discover docuflow for SuccessFactors

This article explains how SAP SuccessFactors Role-Based Permissions (RBP) control access to documents in docuflow using standard MDF security. Documents are stored in an external repository, while users interact only with Link Cards, which are MDF custom objects inside SuccessFactors. Role-Based Permissions determine which users can view Link Cards based on permission roles and permission groups such as employee, manager, or HR. If a user has permission to view a Link Card, they can launch the external document. If not, the Link Card is not visible and the document cannot be accessed. Below is a more detailed but succinct overview for SuccessFactors experts and consultants.

A Simple, Functional Explanation for SuccessFactors Experts

When customers ask how documents are secured in docuflow for SAP SuccessFactors, the answer is simple:

Document visibility is controlled entirely by standard SuccessFactors Role-Based Permissions (RBP).

  • No custom security framework.
  • No proprietary logic.
  • No new concepts to learn.

If you understand RBP for MDF objects, you already understand docuflow security.

Starting with the Big Picture

In docuflow:
  • Documents live outside of SuccessFactors (for example, in Microsoft SharePoint, Box or another repository)
  • SuccessFactors never stores the file itself
  • What users see instead is a Link Card
A Link Card is:
  • A custom MDF object
  • Containing metadata such as document name, category, and URL
  • Used to securely launch the external document
SuccessFactors RBP controls access to the Link Card, not the file. If you can’t see the Link Card, you can’t reach the document.

The Core Principle: MDF Object Permissions = Document Visibility

Link Cards are standard MDF Generic Objects. That means they fully support native SuccessFactors RBP, including:

  • Object-level permissions (View, Create, Edit, Delete)
  • Permission groups
  • Context-based security
  • Field-level permissions (optional)

There is no separate or custom security model introduced by docuflow.

How RBP Works for Link Cards (Functionally)

1. Link Cards Are MDF Records

Each document reference is:

  • One MDF object instance
  • Typically associated with:
    • An employee (Employee Central)
    • Or another business context (job, candidate, etc.)

Because it’s MDF, all standard SuccessFactors security rules apply.

2. Object-Level Permissions Control Visibility

In Manage Permission Roles, admins grant access to the Link Card object itself.  If a user does not have permission to view the Link Card object, then:

  • The Link Card does not appear in the UI
  • The document is effectively invisible

Simple and predictable.

3. Permission Groups Define Who Sees Which Documents

This is where most customers focus and where SuccessFactors already shines. docuflow uses standard permission groups, such as:

  • Self
  • Manager
  • HR Business Partner
  • Dynamic groups (by country, department, legal entity, etc.)

As a result:

  • Managers see documents for their direct reports
  • HR sees documents for supported populations
  • Employees see only their own documents

Exactly the same logic used for Employee Central data.

4. Context-Based Security Works the Same as Employee Central

Because Link Cards are MDF objects:

  • They inherit contextual security behavior
  • No special configuration is required

For consultants, this means:

  • No new mental model
  • No additional security training
  • No surprises during audits

5. Optional Field-Level Security

If needed, individual Link Card fields such as:

  • Document category
  • Repository reference
  • URL

can be controlled using standard MDF field permissions. This is optional but fully supported.

What Happens When a User Lacks Permission?

If a user:

  • Is not assigned the correct permission role, or
  • Is not part of the right permission group

Then:

  • The Link Card does not render
  • The document link cannot be launched
  • There is no backdoor access to the external repository

By default, docuflow takes a zero-trust approach in the repository, limiting permissions to access content to key individuals for specific use cases. In addition, when viewing, docuflow leverages short-lived expiring URLs that stream the content for viewing and never downloads. These capabilities and RBPs makes a critical compliance and privacy control point.

The Consultant Takeaway

docuflow uses standard SAP SuccessFactors Role-Based Permissions on MDF Link Cards to ensure users only see document links they are authorized to access, using the same security model already trusted for Employee Central data.

If you understand RBP for Employee Central MDF objects, you already understand docuflow security.

  • Documents remain external
  • Visibility is controlled 100% by SuccessFactors RBP
  • Link Cards behave like any other secured MDF record

No custom security model is used; all access control relies on standard SuccessFactors RBP for MDF objects.

If you are interested to learn more about docuflow for SAP products and how they may add value to your business, please reach out to me at seanf@versafile.com.

Discover docuflow for SuccessFactors

About VersaFile

VersaFile is a leader in SAP-integrated content automation. With its flagship solution, docuflow by VersaFile, the company helps enterprises automate content and data processes, modernize IT landscapes, and prepare for an AI-powered future. VersaFile supports organizations worldwide in reducing complexity, lowering total cost of ownership, and achieving measurable business outcomes. 

Have questions about docuflow + SAP? Fill out the form below, and we’ll be in touch.

Subscribe to Our Newsletter

You’ll receive updates on our latest content, including case studies, thought leadership articles, and event announcements.
Our focus is on delivering valuable insights, not just promotional material.

Follow us on LinkedIn