When provisioning users to the SAP Identity Authentication (IAS) system, there is often a need to automatically assign users to a specific group in the target system based on a user attribute.
We can read the user attribute from the source system, update the user in the SAP Identity Authentication (IAS) system, and assign groups.
This feature is supported for SCIM-based target systems that support PATCH operations, like Identity Authentication version 2. It keeps the user's existing group assignments in place while assigning new groups.
Prerequisites
If you are using IAS API version 1, upgrade to IAS API version 2.
Steps to update the connector version (updating a connector version allows your provisioning system to use a new API):
1. Change the property “ias.api.version” to “2” (Identity Directory SCIM API).
2. Reset the system to clear the operational data.
3. Replace the transformation with the default transformation provided for API version 2.
Context :-
To enable the group assignment, we need to modify the target system transformation by adding a mapping under the user resource containing the following configuration parts:
- Condition – Defines for which users the condition will apply. For example, all users with emails.
- Constant – Holds the IDs of the groups in the target system. Currently, we can only identify groups by ID.
- targetVariable – Specifies whether we want to assign users to groups or unassign users from groups.
Use Case Scenario: –
We are managing users in SAP SuccessFactors (SFSF) and synchronizing them to the Identity Authentication service. We'll show a scenario that assigns a specific group to users based on the user email domains “abc.com” and “xyz.com”.
- Assign user group “ABC” to users with email domain “abc.com”.
- Assign user group “XYZ” to users with an email domain other than “abc.com”.
Steps: –
1. Create the source system as SAP SuccessFactors (SFSF).
2. Create the target system as SAP Identity Authentication (IAS).
3. In Identity Authentication, create two groups, ABC and XYZ. Once they are created, note the respective group IDs. The ABC group ID is bb6cc84e-4587-4031-8045-0ba11f2dff9f and the XYZ group ID is 646f00e5-8572-4831-a5c8-a83851b01747.
The group ID that should be specified in the transformation mapping is the SCIM ID of the group resource in the IAS SCIM v2 API. It is also visible in the SAP Cloud Identity Services administration console under Users & Authorizations -> User Groups -> details of the group.
[Screenshots: group ABC and group XYZ]
4. Open the Identity Authentication system, select the Transformations tab, choose Edit, and add the following transformations:
Details of the above transformation:
condition 1 mapping:
- “condition” – Apply this mapping to all users with email domain in SuccessFactors as “abc.com”.
- “constant” – Assign all the users matching the condition to the given group “ABC” by specifying its group ID.
- “targetVariable” – Execute assign operation.
condition 2 mapping:
- “condition” – Apply this mapping to all users with email domain in SuccessFactors as “not equal to abc.com”.
- “constant” – Assign all the users matching the condition to the given group “XYZ” by specifying its group ID.
- “targetVariable” – Execute assign operation.
5. Finally, run a provisioning job.
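The two condition mappings above, restated as an added Python sketch (not the article's transformation and not SAP's code): it selects the group from the email domain with an exact, case-insensitive comparison and builds a standard SCIM PatchOp body (RFC 7644) that adds the user to the group's members without replacing existing ones. The user records, function names, and the choice to skip users without an email are assumptions; the group IDs are the ones given in the article.

```python
import json

# Group SCIM IDs as given in the article.
GROUP_ABC = "bb6cc84e-4587-4031-8045-0ba11f2dff9f"
GROUP_XYZ = "646f00e5-8572-4831-a5c8-a83851b01747"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample users (hypothetical IDs and addresses).
SAMPLE_USERS = [
    {"id": "u1", "emails": [{"value": "alice@abc.com"}]},
    {"id": "u2", "emails": [{"value": "bob@XYZ.com"}]},
    {"id": "u3", "emails": [{"value": "eve@notabc.com"}]},
    {"id": "u4"},  # no email at all
]

def email_domain(user):
    """Return the lower-cased domain of the user's first email, or None."""
    emails = user.get("emails") or []
    value = (emails[0].get("value") or "") if emails else ""
    local, sep, domain = value.rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.strip().lower()

def select_group(user):
    """Condition 1: domain is abc.com -> ABC. Condition 2: any other domain -> XYZ."""
    domain = email_domain(user)
    if domain is None:
        return None  # assumption: no usable email means no group assignment
    # Exact comparison, so "notabc.com" or "abc.com.example" never lands in ABC.
    return GROUP_ABC if domain == "abc.com" else GROUP_XYZ

def build_group_patch(user_id):
    """SCIM PatchOp that adds one member; existing members are left untouched."""
    return {
        "schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "add", "path": "members", "value": [{"value": user_id}]}],
    }

def plan_assignments(users):
    """Map user id -> (group id, PATCH body) for every user that matches a condition."""
    plan = {}
    for user in users:
        group_id = select_group(user)
        if group_id:
            plan[user["id"]] = (group_id, build_group_patch(user["id"]))
    return plan

if __name__ == "__main__":
    for uid, (gid, body) in plan_assignments(SAMPLE_USERS).items():
        print(f"{uid}: PATCH Groups/{gid}", json.dumps(body))
```

A condition that only checks whether the address contains or ends with the string abc.com would put eve@notabc.com into ABC; the exact comparison routes that user to XYZ.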
Result :-
A user with email domain abc.com falls under “condition 1 mapping” and gets group “ABC” assigned; a user with email domain xyz.com falls under “condition 2 mapping” and gets group “XYZ” assigned in SAP IAS.
[Screenshots: group ABC and group XYZ]
For more information, see
https://help.sap.com/docs/identity-provisioning/identity-provisioning/update-connector-version
https://help.sap.com/docs/identity-provisioning/identity-provisioning/enabling-group-assignment