Skip to Content
Technical Articles
Author's profile photo Dmitry Chupris

How to reuse user groups from IdP as External member lists

As mentioned in SAP Help member lists could be used to invite users to workspaces. In this blog I’m covering how to reuse Groups from you Source system (eg. IAS, Azure AD) as External Member list.

There are three types of member lists:

  • Member List. Users added manually or by uploading a csv file.
  • Dynamic Member List. User added by rules. Fro example Cost center, Department or a Custom attribute.
  • External Member list. Users are uploaded from another system by IPS.

In order provision External Member lists you can use SCIM groups (as a second artifact / entity next to users) via the SCIM API, using the Work Zone target system in IPS:  

        "mappings": [
            "sourceVariable": "entityIdTargetSystem",
            "targetPath": "$.id"
            "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']",
            "targetPath": "$.displayName"
            "targetPath": "$.schemas",
            "type": "remove"
            "constant": "urn:scim:schemas:core:1.0",
            "targetPath": "$.schemas[0]"
            "targetPath": "$.members",
            "type": "remove"
            "sourcePath": "$.members[*].value",
            "preserveArrayWithSingleElement": true,
            "optional": true,
            "targetPath": "$.members[?(@.value)]",
            "functions": [
                "type": "resolveEntityIds"

*Code sample works for IAS as source system and may require changes for other source systems

After the successful IPS job completion the groups from the source system will appear in SAP Work Zone as External Member list and could be used as invitation to a workspace.

For Example:

A group “Account” in IAS contains three users:


Group in IAS

After IPS job completion the group “Account” has been created/updated in SAP Work Zone External member lists:


SAP Work Zone External member lists


And the External Member list “Account” contains the same three users as IAS group:


External Member list users


Now you know how easy it is to reuse Groups from Source system connected to SAP Work Zone system (eg. IAS, Azure AD and etc). Further External Member lists are used to control membership for Workspaces. Let me know in case a separate blog is required to cover that topic as well.


For questions on SAP Work Zone, please raise them in the forums and use the tag “SAP Work Zone”.

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Desiree Pinoteau
      Desiree Pinoteau

      Hi Dmitry, really helpful! Thanks a lot for sharing =)

      Author's profile photo Luis Eusa Mendia
      Luis Eusa Mendia

      Hello Dmitry,

      We are currently looking into this and maybe you can clarify a little bit.

      We have 2 scenarios:

      • Using Azure AD as IDP (With IAS). The way it is set up is that we have enabled automatic provisioning from Azure AD to IAS, and from IAS  real-time replication to Workzone. As we are using a dynamic members list, we are in need of using the custom attributes for the different pages. We want to avoid using attributes as department or company as this may be used with real data in the organization in future, so we think custom attributes are best. The problem is that the custom attributes do not sync from IAS to Workzone, maybe you can help with what changes we need to make on the IPS transformation to get that working. All users would be external (Public) as they come from Azure.


      • Using IAS as IDP: Here We use IAS as IDP, but we wanted to use the same concept, the problem is that we use CSV to import the users, but those custom attributes do not get filled on the user's detail tab, but on the applications tab. And also the same problem with replicating those custom attributes to Workzone.

      As I read your blog, it would be great to see if we can use groups (Azure AD security groups or IAS groups) to do this automatic external members list to assign the different pages is azure.





      Update on Scenario 2: 

      We have tried using groups in IAS for external members list and seems to be working, only thing is that I have to manually kick the IPS job, real-time provisioning doesn't work on that. 

      So, going back to the question, do you know how to modify the IPS transformation to get custom attributes synced to the work zone?