Provision users & roles using HCP Identity Provisioning service
HANA Cloud Platform Identity Provisioning Service (HCP-IPS) is a new service which was recently made available in HCP. Donka Dimitrova posted its announcement earlier, describing the value this service brings to an organization.
This new service provides identity lifecycle management in the cloud. Today's landscapes are heterogeneous, and there is a need to manage user identities and roles consistently across all of those systems. HCP-IPS automates the identity lifecycle by propagating changes to users, roles and authorizations from a source system to the relevant target systems as soon as they happen.
Just to clarify, there is also an existing service called SAP HANA Cloud Platform Identity Authentication Service (HCP-IAS), formerly known as "SAP Cloud Identity". This service provides single sign-on and authentication capabilities for the platform. For example, if an application is built and hosted on HCP, this service can handle the authentication for that cloud application. If you have an on-premise LDAP or any other IdP, HCP-IAS can integrate with it and let users keep using their on-premise credentials to log in to the cloud application. It also lets customers create and manage user identities directly within HCP-IAS. A good example is an application you expose to external vendors who are not in your corporate LDAP; you might choose to manage their identities within HCP-IAS instead. Together, these two services offer an end-to-end identity and access management solution as a service from SAP.
Currently with the initial release, HCP-IPS supports the following systems.
- SAP Application Server ABAP
- SAP HANA Cloud Platform Identity Authentication service
- SAP SuccessFactors
- Microsoft Active Directory
- SAP Jam
- SAP Hybris Cloud for Customer
- Any system that implements the System for Cross-domain Identity Management (SCIM) specification
In the last few months, I have been engaging with customers who already have HCP-IAS and are using it to authenticate their users when they access an application (say Fiori Apps on HCP which integrate with their backend ERP system). These customers either do not have a corporate LDAP or, for some reason, manage their SAP users only within the ERP system (using CUA). Hence, to give those users access to the Fiori Apps, the admin has to manually upload and update the user identities maintained in HCP-IAS and then enable principal propagation. This is not a big task while the user base is small and the applications are few. However, once the user base and the application count in HCP start to grow, managing all the user roles and authorizations by hand slowly turns into a nightmare.
In this blog, I am going to focus on a scenario where the users are maintained in an SAP ABAP system and show how these users can be replicated to HCP-IAS.
Setting up SAP HANA Cloud Connector
As a prerequisite, you need to install and set up the SAP HANA Cloud Connector (SCC). There are plenty of tutorials on this. Create an entry for your ABAP system that uses RFC as the protocol. Under resources, enable access to BAPI_USER and select the "Prefix" naming policy. Note that a prefix policy exposes every function module whose name starts with BAPI_USER through the connector, including the ones that create, change and delete users, so give the RFC user configured in the destination only the authorizations the read-only sync needs.
Once the connection setup is complete, you should be able to see the status of your connector from the HCP Cockpit.
Setting up HANA Cloud Platform account
In your HCP Cockpit, you should be able to see the HANA Cloud Connector linked to this account.
In your HCP account, you would need HCP-IPS service provisioned. You can confirm this by looking for the below subscribed Java application in your account.
HCP-IPS uses OAuth to communicate with your HCP account. Click on "Register New Client" to add a new client.
Provide the values for the OAuth client as shown below.
You also need to create destinations in your HCP cockpit. In the below screenshot, I have created a destination for my ABAP system. The destination properties matter: they carry the client, system ID and instance number of the ABAP system reached through the Cloud Connector.
You also need a destination for your HCP-IAS. Provide the credentials of the HCP-IAS system user in it.
The HCP-IPS menu is integrated with HCP-IAS. Hence, when I launch the service, I can access both services from the same screen. In the below screen capture, "Identity Provisioning" constitutes all the functionality delivered by HCP-IPS.
Configuring the HANA Cloud Platform Identity Provisioning Service
Under connection settings, provide the details of your account and the OAuth client details generated in the earlier step.
Navigate to source systems and click on the “+ Add” button. Select the source system as “SAP Application Server ABAP”.
Keep the name of the source system same as the one provided for the destination in HCP cockpit.
Click on the "Transformations" tab. This is where you write mapping rules and conditions. Data from the source system is extracted as JSON and stored in an intermediate JSON representation that follows the System for Cross-domain Identity Management (SCIM) specification. The provisioning framework then writes this intermediate data to the target system, which again understands JSON. In the below example, I am only fetching ABAP users whose first name (as maintained in transaction SU01) is Harry.
Navigate to target systems and click on “+ Add” button. Select “SAP HCP Identity Authentication Service”.
Again, keep the name the same as the one provided for the destination in the HCP cockpit.
Click on the "Transformations" tab. Since my target system needs an email address and a family name, I am putting in a condition so that only user identities that have both are written to the target system.
Navigate to the Source systems menu and select the ABAP system and from the Jobs tab, select “Run now”.
This will trigger a job, and you can see it under the "Job execution log".
You can go into the details of the job and look at how many entries were read from the source system and how many were actually written to the target system.
From the above logs, I can see that 200 ABAP users were read and only three were written to HCP-IAS; the rest did not pass the first-name condition on the source transformation.
Now if I navigate to the User Management menu (which is part of HCP-IAS), I can see those three users whose first name is Harry.
In the next example, I have created a role called “ZHR_MANAGER” in PFCG transaction and assigned this role to a user called Jack Sparrow.
Now, I navigate back to the Source Systems and modify the transformation for the ABAP system. This time, I apply a condition to replicate only users who have the role "ZHR_MANAGER".
Once I have saved my transformation, I navigate to the Jobs tab, select the "Resync" option and hit the "Run now" button.
This creates a new job as shown below.
I can drill down into the job to see what it did. Since I am performing a resync, the service reconciles the target with the current condition: it creates an entry for Jack Sparrow and removes the three users with first name Harry, as they do not have the new ABAP role. Keep this in mind before running a resync: whatever no longer matches the source condition is deprovisioned from the target, so a typo in the condition can remove far more users than intended.
I can confirm this by navigating to the User Management screen.
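The flow described in the Transformations steps and in the resync above, as a small Python model: ABAP user records are mapped to SCIM-style JSON, the source condition and the target condition filter them, and a resync reconciles the target with the result. This is an added illustration, not the service's own transformation syntax or code; the record shapes, the condition helpers and the sample users are assumptions constructed here.

```python
"""Added model of the HCP-IPS flow described in this post (not SAP code).
Record shapes, condition helpers and sample users are constructed here."""
from dataclasses import dataclass, field

# Constructed sample of SU01 user data as an RFC extraction would return it.
ABAP_USERS = [
    {"USERNAME": "HPOTTER", "FIRSTNAME": "Harry", "LASTNAME": "Potter",
     "E_MAIL": "harry.potter@example.com", "ROLES": ["Z_EMPLOYEE"]},
    {"USERNAME": "HCALLAHAN", "FIRSTNAME": "Harry", "LASTNAME": "Callahan",
     "E_MAIL": "harry.callahan@example.com", "ROLES": []},
    {"USERNAME": "HKANE", "FIRSTNAME": "Harry", "LASTNAME": "Kane",
     "E_MAIL": "harry.kane@example.com", "ROLES": ["Z_EMPLOYEE"]},
    {"USERNAME": "HTEMP", "FIRSTNAME": "Harry", "LASTNAME": "",
     "E_MAIL": "", "ROLES": []},                      # incomplete record
    {"USERNAME": "JSPARROW", "FIRSTNAME": "Jack", "LASTNAME": "Sparrow",
     "E_MAIL": "jack.sparrow@example.com", "ROLES": ["ZHR_MANAGER"]},
    {"USERNAME": "WTURNER", "FIRSTNAME": "Will", "LASTNAME": "Turner",
     "E_MAIL": "will.turner@example.com", "ROLES": ["Z_EMPLOYEE"]},
]


def to_scim(user):
    """Map one ABAP record to the intermediate SCIM-style JSON (RFC 7643 names)."""
    return {
        "userName": user["USERNAME"],
        "name": {"givenName": user["FIRSTNAME"], "familyName": user["LASTNAME"]},
        "emails": [{"value": user["E_MAIL"]}] if user["E_MAIL"] else [],
        "roles": [{"value": r} for r in user["ROLES"]],
        "active": True,
    }


# Source conditions are predicates over the SCIM record (assumed form).
def first_name_is(name):
    return lambda u: u["name"]["givenName"] == name


def has_role(role):
    return lambda u: any(r["value"] == role for r in u["roles"])


def target_accepts(u):
    """Target-side condition: the target needs an e-mail and a family name."""
    return bool(u["emails"]) and bool(u["name"]["familyName"])


@dataclass
class SyncResult:
    read: int
    written: int
    created: list = field(default_factory=list)
    deleted: list = field(default_factory=list)


def run_job(abap_users, source_condition, target, resync=False, apply=True):
    """Read users, filter by both conditions, write matches to `target`.

    `target` is a dict userName -> SCIM record standing in for the IAS store.
    A normal run only adds or updates matching users; a resync also removes
    target users that no longer match.  apply=False previews the changes.
    """
    scim = [to_scim(u) for u in abap_users]
    wanted = {u["userName"]: u for u in scim
              if source_condition(u) and target_accepts(u)}
    result = SyncResult(read=len(scim), written=len(wanted))
    for name, rec in wanted.items():
        if name not in target:
            result.created.append(name)
        if apply:
            target[name] = rec
    if resync:
        for name in sorted(set(target) - set(wanted)):
            result.deleted.append(name)
            if apply:
                del target[name]
    return result


def demo():
    ias = {}                                          # empty IAS user store
    first = run_job(ABAP_USERS, first_name_is("Harry"), ias)
    # HTEMP is read but dropped by the target condition (no e-mail, no family name).
    preview = run_job(ABAP_USERS, has_role("ZHR_MANAGER"), ias, resync=True, apply=False)
    second = run_job(ABAP_USERS, has_role("ZHR_MANAGER"), ias, resync=True)
    return first, preview, second, sorted(ias)


if __name__ == "__main__":
    first, preview, second, users = demo()
    print(f"run 1: read {first.read}, written {first.written}, created {first.created}")
    print(f"resync preview would delete {preview.deleted}")
    print(f"resync: created {second.created}, deleted {second.deleted}")
    print("users now in IAS:", users)
```

The `apply=False` preview is the step worth keeping from this model: it reports how many target users a resync would delete before anything is changed, which is the check you want before a condition change like the one above runs against a real HCP-IAS tenant.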
You can see how simple it is to set up your source and target systems and schedule jobs that automate the management of user identities along with their roles and authorizations. I think this service is a great addition to the platform and will make it easier to manage identities across a heterogeneous landscape.
You can read more about this service at SAP Help.