Skip to Content

Introduction to the problem

SAP Jam customers who are using the SuccessFactors-based version can control access to SAP Jam (i.e. which users should get provisioned over to SAP Jam and hence should be able to login) via role-based permissions (RBP) in the SuccessFactors platform. The “stand-alone” version of SAP Jam based on SAP Cloud Platform Identity Authentication (IAS) and SAP Cloud Platform Identity Provsioning Service (IPS) does not have RBP, hence as a default, all users from IAS are provisioned over to SAP Jam and can login. This can be problematic, given that IAS is used for various internal and external applications and not all of the users should be provisioned to SAP Jam.

In the next section I will show you how you can restrict / configure which users from IAS should be provisioned to SAP Jam by IPS.

Solution

Create IAS Group for all Jam users

In order to provide a filter for IPS, the best approach is using a user group in IAS. As the first step, you have to create a group and then assign the individual users afterwards:

After the group has been created, users can be assigned to this group. This can be achieved either manually (IAS UI) or programmatically (IAS SCIM API). Details on creating such groups and assigning users to them can be found in the official documentation: Link

As a result, you should have an IAS user group and all users you would like to provision / grant access to SAP Jam assigned to this group.

IPS Filter & Properties

As the final step, we have to adjust the IPS transformation in order to only provision users from this IAS user group to SAP Jam. In order to achieve this, please adjust the IPS source transformation (for IAS) as follows:

{

    "user": {

        "condition": "$.groups[?(@.value == 'SAP_JAM_USERS')] EMPTY false",

        "mappings": [

[…]

Now, only users in the IAS group “SAP_JAM_USERS” are provisioned to SAP Jam. In case you have multiple groups or more complex scenarios, you can also include multiple groups in the filter and/or use “contains” rather than an exact match like in the following example:

{

    "user": {

        "condition": "($.groups[*].value contains 'C4C_ALL') || ($.groups[*].value contains 'JAM_ALL')",

        "mappings": [

[…]

In case you had already provisioned users over to SAP Jam, add the following property to your target system for SAP Jam in IPS: ips.delete.existedbefore.entities = true

Summary

Following the steps above you can restrict which users from IAS are provisioned to SAP Jam Collaboration.

To report this post you need to login first.

1 Comment

You must be Logged on to comment or reply to a post.

  1. prodyot sen

    Thanks for the nice blog Florian.

    I’m working on a scenario where I’m doing a connection of Azure AD -> IPS -> SAP Jam.

    For the same I’ve added Azure as source system in IPS (following SAP help link) and have put a transformation logic as below –

    “user”: {
    “condition”: “$.groups[?(@.value == ‘SAP_Jam_Group’)] EMPTY false”,
    “mappings”: [

    Where ‘SAP_Jam_Group’ is the Azure group name. But I’m still of no luck. When I’m running the job, user is not getting filtered. It would be great if you can please suggest..!!

    Cheers,

    Sen

    (0) 

Leave a Reply