Skip to Content
Technical Articles
Author's profile photo Florian Buech

Provision only specific users from Identity Authentication to SAP Jam via IPS transformation

Introduction to the problem

SAP Jam customers who are using the SuccessFactors-based version can control access to SAP Jam (i.e. which users should get provisioned over to SAP Jam and hence should be able to login) via role-based permissions (RBP) in the SuccessFactors platform. The “stand-alone” version of SAP Jam based on SAP Cloud Platform Identity Authentication (IAS) and SAP Cloud Platform Identity Provsioning Service (IPS) does not have RBP, hence as a default, all users from IAS are provisioned over to SAP Jam and can login. This can be problematic, given that IAS is used for various internal and external applications and not all of the users should be provisioned to SAP Jam.

In the next section I will show you how you can restrict / configure which users from IAS should be provisioned to SAP Jam by IPS.


Create IAS Group for all Jam users

In order to provide a filter for IPS, the best approach is using a user group in IAS. As the first step, you have to create a group and then assign the individual users afterwards:

After the group has been created, users can be assigned to this group. This can be achieved either manually (IAS UI) or programmatically (IAS SCIM API). Details on creating such groups and assigning users to them can be found in the official documentation: Link

As a result, you should have an IAS user group and all users you would like to provision / grant access to SAP Jam assigned to this group.

IPS Filter & Properties

As the final step, we have to adjust the IPS transformation in order to only provision users from this IAS user group to SAP Jam. In order to achieve this, please adjust the IPS source transformation (for IAS) as follows:


    "user": {

        "condition": "$.groups[?(@.value == 'SAP_JAM_USERS')] EMPTY false",

        "mappings": [


Now, only users in the IAS group “SAP_JAM_USERS” are provisioned to SAP Jam. In case you have multiple groups or more complex scenarios, you can also include multiple groups in the filter and/or use “contains” rather than an exact match like in the following example:


    "user": {

        "condition": "($.groups[*].value contains 'C4C_ALL') || ($.groups[*].value contains 'JAM_ALL')",

        "mappings": [


In case you had already provisioned users over to SAP Jam, add the following property to your target system for SAP Jam in IPS: ips.delete.existedbefore.entities = true


Following the steps above you can restrict which users from IAS are provisioned to SAP Jam Collaboration.

Assigned Tags

      1 Comment
      You must be Logged on to comment or reply to a post.
      Author's profile photo prodyot sen
      prodyot sen

      Thanks for the nice blog Florian.

      I'm working on a scenario where I'm doing a connection of Azure AD -> IPS -> SAP Jam.

      For the same I've added Azure as source system in IPS (following SAP help link) and have put a transformation logic as below -

      "user": {
      "condition": "$.groups[?(@.value == 'SAP_Jam_Group')] EMPTY false",
      "mappings": [

      Where 'SAP_Jam_Group' is the Azure group name. But I'm still of no luck. When I'm running the job, user is not getting filtered. It would be great if you can please suggest..!!