Application-specific groups, one of the most anticipated features in SAP Cloud Identity Services, can be created in the Identity Directory by running provisioning jobs or directly via the administration console UI. Afterwards, users can be assigned to or unassigned from these groups – a step that brings us closer to the ultimate goal: user assignments or unassignments will trigger automatic group provisioning to the target systems.
What is so special about the application-specific groups?
They help you distinguish in the Identity Directory which group comes from which application (referred to as provisioning system in the context of Identity Provisioning). Previously, this was achieved by configuring prefixes for the groups in the respective provisioning system property. For example, setting sf.group.prefix= SF_ for SAP SuccessFactors.They serve as a link between applications (consumers of Identity Authentication as identity provider) and provisioning systems (connectors to those applications) within SAP Cloud Identity Services. Each application-specific group provisioned by Identity Provisioning (IPS) contains information about the application it belongs to through the application ID.They are classified into three types: User Group, Authorization and Deep Link Activation Permission.User Group: Represents a collection of users based on common characteristics, such as department.Authorization: Refers to application-specific objects related to permissions, such as business roles and policies.Deep Link Activation Permission: Refers to a set of permissions that enable users to access specific areas of an application via URL or hyperlink. For more information, see Application-Specific Groups.
Based on your starting point, choose one of the following approaches:
Creating Groups (Greenfield Approach)
In this approach, you are starting from scratch. You have no applications or provisioning systems set up in the SAP Cloud Identity Services admin console, and no groups have been provisioned yet.
1. Log in to SAP Cloud Identity Services admin console.
2. Create an application. Navigate to Applications & Resources -> Applications -> Create and fill in the details in the Create Application dialog. For example:
For Display Name, enter SFSF For Type, select SAP SuccessFactors solution.For Protocol Type, select what’s appropriate.
An application ID is generated for the newly-created application.
3. Create a source system. Navigate to Identity Provisioning -> Source Systems -> Add and create a source system of the same type as the application type in step 2. For more information, see SAP SuccessFactors.
For Display Name, enter a name of your choice, for example ABC.For Type, select SAP SuccessFactors.(Optionally) Provide a description.
4. Open the Properties tab and configure the mandatory and optional properties. Add the SFSF application ID as a value of the ips.application.id property, that is:
ips.application.id= 35bda01a-2f76-47bd-97df-94444cea6f12
5. Open the Transformations tab. If the following attribute mappings for the group entity are missing in the read transformation, choose Edit, add them and save your changes:
{
“condition”: “‘%ips.application.id%’ !== ‘null'”,
“constant”: “%ips.application.id%”,
“targetPath”: “$[‘urn:ietf:params:scim:schemas:extension:sap:2.0:Group’][‘applicationId’]”
},
{
“sourcePath”: “$[‘urn:ietf:params:scim:schemas:extension:sap:2.0:Group’][‘type’]”,
“optional”: true,
“targetPath”: “$[‘urn:ietf:params:scim:schemas:extension:sap:2.0:Group’][‘type’]”
},
{
“sourcePath”: “$[‘urn:ietf:params:scim:schemas:extension:sap:2.0:Group’][‘supportedOperations’]”,
“optional”: true,
“targetPath”: “$[‘urn:ietf:params:scim:schemas:extension:sap:2.0:Group’][‘supportedOperations’]”
}
This will ensure that IPS will provision the SAP SuccessFactors groups with the given application ID, the type and supported operation. For more information, see Application-Specific Groups.
Note: Currently only SAP Advanced Financial Closing and SAP BTP Platform Members (Cloud Foundry) source systems provide such attribute mappings in their default read transformations. These mappings are gradually being implemented for other supported provisioning systems.
6. Create the target system. Navigate to Identity Provisioning -> Target Systems -> Add and create the identity directory as a target system. For more information, see Local Identity Directory.
For Display Name, enter a name of your choice, for example IdDS.For Type, select Local Identity Directory.(Optionally) Provide a description.For Source Systems, select ABC – the name of the SAP SuccessFactors source system.
7. Navigate back to your source system and run the Read Job.
8. Verify that the application-specific groups are created in the identity directory. Navigate to Users & Authorizations -> Groups.
Let’s search for a specific group that we know exists in SAP SuccessFactors, for example: ‘HR Administrators’.
Notice that the application name SFSF is displayed, as it is internally mapped to the application ID of the SFSF application. Additionally, Read is returned as supported operations and User Group as the type.
Creating Groups (Brownfield Approach)
In this approach, you have your applications and provisioning systems set up in the SAP Cloud Identity Services admin console, and groups have already been provisioned.
For example, you have created an application and a source system for MS Entra ID and you have provisioned the ‘Development’ group to the identity directory. The group has been created as a user group. Although it is provisioned from MS Entra ID, the admin console UI does not indicate that the group is associated with this specific system (application). As a result, the Application Name field is empty.
1. Log in to SAP Cloud Identity Services admin console.
2. Select the MS Entra ID application that you have created, and copy its application ID.
3. Select the MS Entra ID source system, open the Properties tab, choose Edit and add the property ips.application.id= 7f187cce-2f51-4efd-9bf4-9a8aabdd1c9c
4. Open the Transformations tab. If the following attribute mappings for the group entity are missing in the read transformation, choose Edit, add them and save your changes:
{
“condition”: “‘%ips.application.id%’ !== ‘null'”,
“constant”: “%ips.application.id%”,
“targetPath”: “$[‘urn:ietf:params:scim:schemas:extension:sap:2.0:Group’][‘applicationId’]”
},
{
“sourcePath”: “$[‘urn:ietf:params:scim:schemas:extension:sap:2.0:Group’][‘type’]”,
“optional”: true,
“targetPath”: “$[‘urn:ietf:params:scim:schemas:extension:sap:2.0:Group’][‘type’]”
},
{
“sourcePath”: “$[‘urn:ietf:params:scim:schemas:extension:sap:2.0:Group’][‘supportedOperations’]”,
“optional”: true,
“targetPath”: “$[‘urn:ietf:params:scim:schemas:extension:sap:2.0:Group’][‘supportedOperations’]”
}
5. Run a provisioning job from the MS Entra ID source system to the IdDS target.
After a successful provisioning, you will get the following result:
The group is updated with the application name (linked to the application ID), its respective type, the supported operation, and its sole member, Mary Wilson.
With both approaches, you now have every ingredient in place while awaiting the cherry on top: triggering the real-time provisioning of groups when user assignment changes occur.
Stay tuned!
Application-specific groups, one of the most anticipated features in SAP Cloud Identity Services, can be created in the Identity Directory by running provisioning jobs or directly via the administration console UI. Afterwards, users can be assigned to or unassigned from these groups – a step that brings us closer to the ultimate goal: user assignments or unassignments will trigger automatic group provisioning to the target systems.What is so special about the application-specific groups?They help you distinguish in the Identity Directory which group comes from which application (referred to as provisioning system in the context of Identity Provisioning). Previously, this was achieved by configuring prefixes for the groups in the respective provisioning system property. For example, setting sf.group.prefix= SF_ for SAP SuccessFactors.They serve as a link between applications (consumers of Identity Authentication as identity provider) and provisioning systems (connectors to those applications) within SAP Cloud Identity Services. Each application-specific group provisioned by Identity Provisioning (IPS) contains information about the application it belongs to through the application ID.They are classified into three types: User Group, Authorization and Deep Link Activation Permission.User Group: Represents a collection of users based on common characteristics, such as department.Authorization: Refers to application-specific objects related to permissions, such as business roles and policies.Deep Link Activation Permission: Refers to a set of permissions that enable users to access specific areas of an application via URL or hyperlink. For more information, see Application-Specific Groups.Based on your starting point, choose one of the following approaches: Creating Groups (Greenfield Approach)In this approach, you are starting from scratch. You have no applications or provisioning systems set up in the SAP Cloud Identity Services admin console, and no groups have been provisioned yet.1. Log in to SAP Cloud Identity Services admin console.2. Create an application. Navigate to Applications & Resources -> Applications -> Create and fill in the details in the Create Application dialog. For example:For Display Name, enter SFSF For Type, select SAP SuccessFactors solution.For Protocol Type, select what’s appropriate. An application ID is generated for the newly-created application.3. Create a source system. Navigate to Identity Provisioning -> Source Systems -> Add and create a source system of the same type as the application type in step 2. For more information, see SAP SuccessFactors.For Display Name, enter a name of your choice, for example ABC.For Type, select SAP SuccessFactors.(Optionally) Provide a description.4. Open the Properties tab and configure the mandatory and optional properties. Add the SFSF application ID as a value of the ips.application.id property, that is:ips.application.id= 35bda01a-2f76-47bd-97df-94444cea6f12 5. Open the Transformations tab. If the following attribute mappings for the group entity are missing in the read transformation, choose Edit, add them and save your changes: {
“condition”: “‘%ips.application.id%’ !== ‘null'”,
“constant”: “%ips.application.id%”,
“targetPath”: “$[‘urn:ietf:params:scim:schemas:extension:sap:2.0:Group’][‘applicationId’]”
},
{
“sourcePath”: “$[‘urn:ietf:params:scim:schemas:extension:sap:2.0:Group’][‘type’]”,
“optional”: true,
“targetPath”: “$[‘urn:ietf:params:scim:schemas:extension:sap:2.0:Group’][‘type’]”
},
{
“sourcePath”: “$[‘urn:ietf:params:scim:schemas:extension:sap:2.0:Group’][‘supportedOperations’]”,
“optional”: true,
“targetPath”: “$[‘urn:ietf:params:scim:schemas:extension:sap:2.0:Group’][‘supportedOperations’]”
} This will ensure that IPS will provision the SAP SuccessFactors groups with the given application ID, the type and supported operation. For more information, see Application-Specific Groups.Note: Currently only SAP Advanced Financial Closing and SAP BTP Platform Members (Cloud Foundry) source systems provide such attribute mappings in their default read transformations. These mappings are gradually being implemented for other supported provisioning systems. 6. Create the target system. Navigate to Identity Provisioning -> Target Systems -> Add and create the identity directory as a target system. For more information, see Local Identity Directory.For Display Name, enter a name of your choice, for example IdDS.For Type, select Local Identity Directory.(Optionally) Provide a description.For Source Systems, select ABC – the name of the SAP SuccessFactors source system.7. Navigate back to your source system and run the Read Job.8. Verify that the application-specific groups are created in the identity directory. Navigate to Users & Authorizations -> Groups.Let’s search for a specific group that we know exists in SAP SuccessFactors, for example: ‘HR Administrators’. Notice that the application name SFSF is displayed, as it is internally mapped to the application ID of the SFSF application. Additionally, Read is returned as supported operations and User Group as the type. Creating Groups (Brownfield Approach)In this approach, you have your applications and provisioning systems set up in the SAP Cloud Identity Services admin console, and groups have already been provisioned.For example, you have created an application and a source system for MS Entra ID and you have provisioned the ‘Development’ group to the identity directory. The group has been created as a user group. Although it is provisioned from MS Entra ID, the admin console UI does not indicate that the group is associated with this specific system (application). As a result, the Application Name field is empty. 1. Log in to SAP Cloud Identity Services admin console.2. Select the MS Entra ID application that you have created, and copy its application ID. 3. Select the MS Entra ID source system, open the Properties tab, choose Edit and add the property ips.application.id= 7f187cce-2f51-4efd-9bf4-9a8aabdd1c9c4. Open the Transformations tab. If the following attribute mappings for the group entity are missing in the read transformation, choose Edit, add them and save your changes: {
“condition”: “‘%ips.application.id%’ !== ‘null'”,
“constant”: “%ips.application.id%”,
“targetPath”: “$[‘urn:ietf:params:scim:schemas:extension:sap:2.0:Group’][‘applicationId’]”
},
{
“sourcePath”: “$[‘urn:ietf:params:scim:schemas:extension:sap:2.0:Group’][‘type’]”,
“optional”: true,
“targetPath”: “$[‘urn:ietf:params:scim:schemas:extension:sap:2.0:Group’][‘type’]”
},
{
“sourcePath”: “$[‘urn:ietf:params:scim:schemas:extension:sap:2.0:Group’][‘supportedOperations’]”,
“optional”: true,
“targetPath”: “$[‘urn:ietf:params:scim:schemas:extension:sap:2.0:Group’][‘supportedOperations’]”
} 5. Run a provisioning job from the MS Entra ID source system to the IdDS target.After a successful provisioning, you will get the following result: The group is updated with the application name (linked to the application ID), its respective type, the supported operation, and its sole member, Mary Wilson. With both approaches, you now have every ingredient in place while awaiting the cherry on top: triggering the real-time provisioning of groups when user assignment changes occur.Stay tuned! Read More Technology Blogs by SAP articles
#SAP
#SAPTechnologyblog
