Technology Blogs by SAP
florian_buech
Product and Topic Expert

Introduction to the problem


SAP Jam customers using the SuccessFactors-based version can control access to SAP Jam (i.e. which users are provisioned to SAP Jam and can therefore log in) via role-based permissions (RBP) in the SuccessFactors platform. The "stand-alone" version of SAP Jam, based on SAP Cloud Platform Identity Authentication (IAS) and SAP Cloud Platform Identity Provisioning Service (IPS), does not have RBP; hence, by default, all users from IAS are provisioned to SAP Jam and can log in. This can be problematic, given that IAS is used for various internal and external applications and not all of these users should be provisioned to SAP Jam.

In the next section I will show you how you can restrict / configure which users from IAS should be provisioned to SAP Jam by IPS.



Solution


Create IAS Group for all Jam users

In order to provide a filter for IPS, the best approach is using a user group in IAS. As the first step, you have to create a group and then assign the individual users afterwards:



After the group has been created, users can be assigned to this group. This can be achieved either manually (IAS UI) or programmatically (IAS SCIM API). Details on creating such groups and assigning users to them can be found in the official documentation: Link

As a result, you should have an IAS user group and all users you would like to provision / grant access to SAP Jam assigned to this group.

IPS Filter & Properties


As the final step, we have to adjust the IPS transformation in order to only provision users from this IAS user group to SAP Jam. In order to achieve this, please adjust the IPS source transformation (for IAS) as follows:

{
    "user": {
        "condition": "$.groups[?(@.value == 'SAP_JAM_USERS')] EMPTY false",
        "mappings": [
[…]

Now, only users in the IAS group "SAP_JAM_USERS" are provisioned to SAP Jam. In case you have multiple groups or more complex scenarios, you can also include multiple groups in the filter and/or use "contains" rather than an exact match like in the following example:

{
    "user": {
        "condition": "($.groups[*].value contains 'C4C_ALL') || ($.groups[*].value contains 'JAM_ALL')",
        "mappings": [
[…]



In case you had already provisioned users over to SAP Jam, add the following property to your target system for SAP Jam in IPS: ips.delete.existedbefore.entities = true
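
The following Python sketch is an added example, not part of the original post or SAP's code: it previews offline which users each of the two conditions above would select, and which already-provisioned accounts fall outside the filter. The user records, the extra group names and the substring reading of "contains" are assumptions made for illustration.

```python
# Added example: offline preview of the two IPS read conditions from the post.
# Only SAP_JAM_USERS, C4C_ALL and JAM_ALL come from the post; all users and
# the other group names are constructed sample data.
USERS = [
    {"userName": "alice", "groups": [{"value": "SAP_JAM_USERS"}]},
    {"userName": "bob", "groups": [{"value": "C4C_ALL"}]},
    {"userName": "carol", "groups": [{"value": "JAM_ALL_EXTERNAL"}]},
    {"userName": "dave", "groups": [{"value": "SAP_JAM_USERS_OLD"}, {"value": "HR"}]},
    {"userName": "erin"},  # no groups attribute at all
]

def group_values(user):
    """Equivalent of $.groups[*].value; a missing attribute yields an empty list."""
    return [g.get("value", "") for g in user.get("groups", [])]

def exact_match(user, group):
    """Models: $.groups[?(@.value == '<group>')] EMPTY false"""
    return any(v == group for v in group_values(user))

def contains_match(user, fragments):
    """Models: ($.groups[*].value contains 'A') || (... contains 'B'),
    ASSUMING 'contains' is a substring test on each group name."""
    return any(f in v for v in group_values(user) for f in fragments)

def preview(users, predicate):
    """userNames that pass the read condition, sorted for stable diffs."""
    return sorted(u["userName"] for u in users if predicate(u))

def to_deprovision(already_in_jam, users, predicate):
    """Accounts already in SAP Jam that the filter no longer selects; review
    this list before setting ips.delete.existedbefore.entities = true."""
    return sorted(set(already_in_jam) - set(preview(users, predicate)))

if __name__ == "__main__":
    in_jam_group = lambda u: exact_match(u, "SAP_JAM_USERS")
    in_any_group = lambda u: contains_match(u, ["C4C_ALL", "JAM_ALL"])
    print("exact-match filter:", preview(USERS, in_jam_group))
    print("contains filter:   ", preview(USERS, in_any_group))
    # Constructed list of accounts that were provisioned before the filter existed.
    print("outside the filter:", to_deprovision(["alice", "dave", "erin"], USERS, in_jam_group))
```

Under that substring assumption, a group such as JAM_ALL_EXTERNAL also satisfies the "contains" condition, so the exact-match form is the narrower filter.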



Summary


Following the steps above you can restrict which users from IAS are provisioned to SAP Jam Collaboration.