Provision only specific users from Identity Authen...

florian_buech · ‎10-29-2018

Introduction to the problem

SAP Jam customers who are using the SuccessFactors-based version can control access to SAP Jam (i.e. which users should get provisioned over to SAP Jam and hence should be able to login) via role-based permissions (RBP) in the SuccessFactors platform. The "stand-alone" version of SAP Jam based on SAP Cloud Platform Identity Authentication (IAS) and SAP Cloud Platform Identity Provsioning Service (IPS) does not have RBP, hence as a default, all users from IAS are provisioned over to SAP Jam and can login. This can be problematic, given that IAS is used for various internal and external applications and not all of the users should be provisioned to SAP Jam.

In the next section I will show you how you can restrict / configure which users from IAS should be provisioned to SAP Jam by IPS.

Solution

Create IAS Group for all Jam users

In order to provide a filter for IPS, the best approach is using a user group in IAS. As the first step, you have to create a group and then assign the individual users afterwards:

After the group has been created, users can be assigned to this group. This can be achieved either manually (IAS UI) or programmatically (IAS SCIM API). Details on creating such groups and assigning users to them can be found in the official documentation: Link

As a result, you should have an IAS user group and all users you would like to provision / grant access to SAP Jam assigned to this group.

IPS Filter & Properties

As the final step, we have to adjust the IPS transformation in order to only provision users from this IAS user group to SAP Jam. In order to achieve this, please adjust the IPS source transformation (for IAS) as follows:

{

"user": {

"condition": "$.groups[?(@.value == 'SAP_JAM_USERS')] EMPTY false",

"mappings": [

[…]

Now, only users in the IAS group "SAP_JAM_USERS" are provisioned to SAP Jam. In case you have multiple groups or more complex scenarios, you can also include multiple groups in the filter and/or use "contains" rather than an exact match like in the following example:

{

"user": {

"condition": "($.groups[*].value contains 'C4C_ALL') || ($.groups[*].value contains 'JAM_ALL')",

"mappings": [

[…]

In case you had already provisioned users over to SAP Jam, add the following property to your target system for SAP Jam in IPS: ips.delete.existedbefore.entities = true

Summary

Following the steps above you can restrict which users from IAS are provisioned to SAP Jam Collaboration.

former_member218672 · ‎10-29-2018

Thanks for the nice blog Florian.

I'm working on a scenario where I'm doing a connection of Azure AD -> IPS -> SAP Jam.

For the same I've added Azure as source system in IPS (following SAP help link) and have put a transformation logic as below -

"user": {
"condition": "$.groups[?(@.value == 'SAP_Jam_Group')] EMPTY false",
"mappings": [

Where 'SAP_Jam_Group' is the Azure group name. But I'm still of no luck. When I'm running the job, user is not getting filtered. It would be great if you can please suggest..!!

Cheers,

Sen

SubbuIyer · ‎10-24-2022

Thanks Florian.

Is this different from using the property ias.group.filter on the IAS source system?

Regards,

Subbu Iyer

florian_buech · ‎10-24-2022

You would rather user ias.user.filter as you are trying to filter the SCIM User entity based on group membership. The ias.group.filter is for filtering the SCIM Group entity.

SubbuIyer · ‎10-24-2022

Thanks again Florian.

One last question, is there a risk with the condition on the transformation that IPS might delete the users in the target application, who do not have this group membership in IAS? Do we need to modify the transformation to prevent it?

florian_buech · ‎10-25-2022

This is applicable to both transformation & property-based conditions. You will want to use a mechanism like "scope" to prevent the delete and instead for example disable a user. Examples: Transformation Expressions | SAP Help Portal

            {

                "sourceVariable": "entityIdTargetSystem",

                "targetPath": "$.id",

                "scope": "deleteEntity"

            },

            {

                "constant": false,

                "targetPath": "$.active",

                "scope": "deleteEntity"   



            },

Animatron56 · ‎11-04-2022

Hello florian.buech ,

we are currently implementing your blogpost for on-premise systems with small adjustments to the code.

Unfortunately we are facing the same issue Iyer mentioned above, that the IPS is trying to delete users who do not have the role assigned.

We therefore tried to implement your suggestion with specifying the scope for each attribute.

But this has not change our ips behaviour.

Our transformation looks like this:

{

    "user": {

        "condition": "$.groups[?(@.value IN ['7596dd49-b071-4447-b3d1-2d23226d4daf'])] EMPTY false",

        "mappings": [

            {

                "sourceVariable": "entityIdTargetSystem",

                "targetPath": "$.USERNAME",

                "scope": "deleteEntity"

            },

            {

                "sourcePath": "$.userName",

                "targetPath": "$.USERNAME",

                "scope": "deleteEntity"

            }

...

Do you know how we can tell the ips that he should not delete the users who do not have the role but just skip them?

Thank you very much in advance!

Best regards,

Benjamin

florian_buech · ‎11-04-2022

You could also try the "skipOperations" expression for the entire user entity:

{

   "user": {

	"skipOperations": [

		"create", "delete"

	],

	"mappings": [

	  {

See here: Transformation Expressions | SAP Help Portal

Animatron56 · ‎11-08-2022

Thank you for the feedback ! That did the trick!