Introduction to the problem
SAP Jam customers who are using the SuccessFactors-based version can control access to SAP Jam (i.e. which users should get provisioned over to SAP Jam and hence should be able to login) via role-based permissions (RBP) in the SuccessFactors platform. The “stand-alone” version of SAP Jam based on SAP Cloud Platform Identity Authentication (IAS) and SAP Cloud Platform Identity Provsioning Service (IPS) does not have RBP, hence as a default, all users from IAS are provisioned over to SAP Jam and can login. This can be problematic, given that IAS is used for various internal and external applications and not all of the users should be provisioned to SAP Jam.
In the next section I will show you how you can restrict / configure which users from IAS should be provisioned to SAP Jam by IPS.
Create IAS Group for all Jam users
In order to provide a filter for IPS, the best approach is using a user group in IAS. As the first step, you have to create a group and then assign the individual users afterwards:
After the group has been created, users can be assigned to this group. This can be achieved either manually (IAS UI) or programmatically (IAS SCIM API). Details on creating such groups and assigning users to them can be found in the official documentation: Link
As a result, you should have an IAS user group and all users you would like to provision / grant access to SAP Jam assigned to this group.
IPS Filter & Properties
As the final step, we have to adjust the IPS transformation in order to only provision users from this IAS user group to SAP Jam. In order to achieve this, please adjust the IPS source transformation (for IAS) as follows:
"condition": "$.groups[?(@.value == 'SAP_JAM_USERS')] EMPTY false",
Now, only users in the IAS group “SAP_JAM_USERS” are provisioned to SAP Jam. In case you have multiple groups or more complex scenarios, you can also include multiple groups in the filter and/or use “contains” rather than an exact match like in the following example:
"condition": "($.groups[*].value contains 'C4C_ALL') || ($.groups[*].value contains 'JAM_ALL')",
In case you had already provisioned users over to SAP Jam, add the following property to your target system for SAP Jam in IPS: ips.delete.existedbefore.entities = true
Following the steps above you can restrict which users from IAS are provisioned to SAP Jam Collaboration.