Yogananda Muthaiah

Top-Down User Provisioning Process – SAP IPS


What is Top-Down User Sync?

Top-down user sync is a process that synchronizes user data from an external system with an organization's user directory.

This process can be used for directory synchronization, provisioning, and user access control. It begins by gathering user data from an external source and mapping that data to the user directory. The mapped data is then used to create user accounts, update existing user accounts, and delete user accounts as needed. The process can be automated using SAP Identity Provisioning Service (IPS) or carried out manually (not recommended).

The process is beneficial because it lets administrators manage user access and user data across multiple platforms quickly and in a fully automated way.

Bring all your Users from External IAM System to SAP IAS

The challenge of bringing users from an external IAM (Identity Authentication Management) system to SAP IAS (Identity Authentication Services) can be daunting. It requires an understanding of both systems and a complete workflow to ensure the process is seamless and secure.

The first step is to determine the data needed to be transferred from the external system. This will depend on the use case and the specific requirements of SAP IAS.

Once the data is identified, the next step is to create a Standard or SCIM connector for the external system. This connector will be used to transfer the data from the external system into SAP IAS. The connector will need to be tested thoroughly to ensure that the data is transferred accurately and securely before it is used in SAP IAS.

Once the SCIM connector is tested and approved, it can be used to move the data from the external system into SAP IAS. When the data is in SAP IAS, it needs to be mapped to the appropriate fields within SAP IAS.

This is done by creating custom mappings within the system. Once the mappings are complete, the data can be imported into SAP IAS and the users can be added to the system.
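The gather, map, and create/update/delete cycle described above, as an added Python sketch that is not part of the original article and is not SAP IPS code. The Azure AD style source keys, the SCIM 2.0 core attribute names, the choice to deactivate rather than delete, and the deactivation threshold are assumptions of this example.

```python
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"

def to_scim(src):
    """Map one source record (Azure AD style keys) to a SCIM 2.0 core User."""
    upn = src["userPrincipalName"].lower()
    return {
        "schemas": [SCIM_USER],
        "externalId": src["id"],  # immutable source key used for matching
        "userName": upn,
        "name": {"givenName": src.get("givenName") or "",
                 "familyName": src.get("surname") or ""},
        "emails": [{"value": (src.get("mail") or upn).lower(), "primary": True}],
        # A missing enabled flag maps to inactive, never to active.
        "active": src.get("accountEnabled") is True,
    }

def plan_sync(source, target, max_deactivate_ratio=0.25):
    """Return create/update/deactivate actions without touching any system."""
    desired = {u["externalId"]: u for u in map(to_scim, source)}
    existing = {u["externalId"]: u for u in target}
    plan = {"create": [], "update": [], "deactivate": []}
    for ext_id, want in desired.items():
        have = existing.get(ext_id)
        if have is None:
            plan["create"].append(want)
        elif any(have.get(k) != v for k, v in want.items()):
            plan["update"].append(want)
    plan["deactivate"] = [i for i, u in existing.items()
                          if i not in desired and u.get("active")]
    # Guard: an empty or truncated source read must not wipe the target.
    if len(plan["deactivate"]) > max_deactivate_ratio * len(existing):
        raise RuntimeError("deactivation threshold exceeded; review source read")
    return plan

def sample(uid, upn, given, family, enabled=True):
    """Build one constructed source record for the demo below."""
    return {"id": uid, "userPrincipalName": upn, "mail": upn,
            "givenName": given, "surname": family, "accountEnabled": enabled}

# Constructed data: Alice is new, Bob was disabled at the source, Dave left it.
SOURCE = [sample("a1", "Alice@example.com", "Alice", "A"),
          sample("b2", "bob@example.com", "Bob", "B", enabled=False),
          sample("c3", "carol@example.com", "Carol", "C")]
TARGET = [to_scim(sample("b2", "bob@example.com", "Bob", "B")),
          to_scim(sample("c3", "carol@example.com", "Carol", "C")),
          to_scim(sample("d4", "dave@example.com", "Dave", "D"))]

if __name__ == "__main__":
    for action, items in plan_sync(SOURCE, TARGET, 0.5).items():
        print(action, [u if isinstance(u, str) else u["userName"] for u in items])
```

Matching on the immutable source key rather than on the e-mail address keeps a rename at the source from producing a duplicate account at the target.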

Below is the typical flow of User Provisioning Sync.

In this example, a user is synced from Microsoft Azure Active Directory to SAP Identity Authentication Services (IAS) through an Identity Provisioning Service job.

Distributing Users from SAP IAS to other SAP Applications

Once your organization has decided to implement SAP IAS, you must then decide how to distribute your users from SAP IAS to other SAP applications. This is a critical step for ensuring that users have the right roles and are able to access the information they need.

The first step in user distribution is to create user groups in SAP IAS. This allows the company to control who has access to what application, and to ensure that the users have the appropriate level of access. Once the groups are created, they can be assigned to the appropriate users in SAP IAS.

Once the user groups are set up, the next step is to distribute the users to the other applications. This is done using the Source & Target System connectors in SAP IPS. With this tool, the Administrator can distribute the users to the appropriate applications with the appropriate role. The tool also allows the Administrator to control which users have access to which applications, and to determine the level of access each user has.

Once the users have been distributed, it is important to monitor and review the user groups and access levels regularly. This ensures that the users have the appropriate level of access to the applications, and that the Administrator is able to maintain security.

Current Flow of User Sync Process


In SAP Identity Provisioning Service, under Source & Target Systems, you can see the other SAP applications for which you can enable the User Sync process.

General Process for User Provisioning

External IAM systems can be used to bring users onto a platform. This can be done by integrating the external IAM system with the platform and then allowing users to access the platform with the credentials they use to access the external IAM system. This enables a single sign-on experience, where users access the platform with the same credentials they use for the external IAM system. Additionally, user details and other attributes stored in the external IAM system can be pulled into the platform to create and manage user profiles there.

If a user is moving from one user group to another, the user must first be removed from the existing user group. The user should then be added to the new user group and given the appropriate permissions and access levels within that group. Depending on the system or application, the user may also need to be given the same username and password to access the new user group. It is important to ensure that the user has the correct permissions and access levels within the new user group, as this will impact their ability to use the system.

A user with multiple applications can access them by logging into their account and selecting the desired application from the list of applications. The user uses a single sign-on feature to access multiple applications at once. This allows the user to log in to one application and be automatically logged into all other applications as well.

Inactive users in an IAM system are users who have not logged in or used the system for some period of time. These users may have had their accounts deactivated due to inactivity or policy violation. Identifying and managing inactive users is an important security practice, as it helps ensure that only authorized users are able to access system resources. To manage inactive users, administrators should regularly review accounts to identify those that have not been active for some period of time and take appropriate action.

User Sync is a scheduled process that synchronizes user data between two systems. It can be used to ensure that all user data is up to date and consistent across multiple systems, so that users have access to the same information in both systems. Additionally, user data can be updated or deleted in one system and the change will be reflected in the other system as well. User Sync can be used to ensure that user data is secure and accurate across all systems.

Signing in through SSO (single sign-on) is generally quite simple. The user logs in with the same credentials they use for other services and is then granted access to the desired service or application. The user experience for SSO is often seamless, meaning that the user does not need to remember multiple passwords or go through multiple login pages. SSO also offers increased security, since the user's credentials are verified only once instead of being shared with multiple services.

Available Sign-in Methods in IAS

  • Password-based authentication
  • Social media authentication
  • Two-factor authentication
  • Biometric authentication
  • Single sign-on (SSO)






      julia romanenko

      Thanks for the article!

      Can you advise what the SSO integration and method would look like in this setup?

      Andreas Würstle

      It is not clear to me why I should bring all users to IAS. For over 90% of the customers, IAS is a flow heater. Almost all SAP customers use a different identity provider for authentication. The majority of customers certainly use Microsoft Entra for IAM. IAS is therefore used almost exclusively as a proxy. I would much rather wish that one could connect all SAP Cloud applications directly to Microsoft Entra and that IPS had real-time provisioning in connection with Microsoft Entra.

      Norman Nuernberger

      Hi Andreas,

      there are 2 reasons why you should have all users in IAS:

      1. The User UID (UUID) will be owned by IAS. UUID will bring many enhancements, like being immutable and that it cannot directly be referred back to a natural person by its value (GDPR / CCPA, ...).
      2. BTP apps do not require their own user store. They can utilise the XSUAA or AMS (as part of Cloud Identity Services) and the user store for these apps will be the IDDS - which is the user database of the IAS.



      Andreas Würstle

      Hello Norman,

      unfortunately I can't really agree with both points.

      1. Most companies have a lifetime unique ID that is generated for an employee. This is also the reason why over the years many customers wished that the P-number in IAS should be changeable. You did this yourself, but did not offer the function to the customers for years.

      2. If you really use a lot of applications on the SAP BTP and use IAS as user store for these applications, then you constantly run into IAS rate limits. This is one of the reasons why some customers have developed a user store on the SAP BTP itself. IAS and IPS are assigned to the BTP, but technically they run on one platform.

      We have used IAS and IPS since the beginning.

      IPS is a product that after years is not where it could be; at least it is now largely free. IAS has developed functions that most customers do not use, because they are forced to use IAS as a flow heater.