Manage Thousands of Process Automation Agents with an Identity Provider
SAP Build Process Automation has always provided state-of-the-art tools for IT and administrators to monitor and manage the backend of their companies’ automation systems.
Now, with the release of agent authorization on IDP, managing thousands of desktop automation agents on your network integrates even more into your administration process. Most importantly, you can now synchronize agent access with your company’s Identity Provider (IDP) content. If IT deletes or disables access for someone in the IDP, when this person leaves the organization or changes teams, their agent’s access will be updated automatically.
- People from Finance should only receive Project B.
- People from HR should only receive Project C.
- People from IT should not receive any projects.
As a company IT administrator, I don’t want to re-configure SBPA every time an employee joins or leaves the company. People using attended agents should always have the right projects.
In addition, if an employee moves from an organization to another, their project list should be updated accordingly.
If an employee joins the Finance department, they should receive Project B without any further configuration in SBPA.
If an employee moves from Finance to HR, Project C should be replaced by Project B.
Agent authorization on IDP is a new feature in SAP Build Process Automation that lets you define the name of an agent group for any attended agent right in the user record on your own Identity Provider (IDP).
When you define this agent group for your existing users, and set up the trust relationship between your SAP subaccount and your identity provider, you won’t have to manage any other agent authorizations within the SAP Build Process Automation interface. When new users arrive or leave the organization, or if they switch departments, the changes will be reflected automatically in SAP Build Process Automation within a day.
Maintenance of departed users is also automated: any user entries that you delete from your identity provider, such as upon employee departure, will also be deleted from their SAP Build Process Automation agent groups. No more worrying about managing expired accounts to delete their access from the system.
To set up agent authorization on IDP, you trust your organization’s IDP from your SAP Business Technology Platform subaccount, then point to the attribute you want SAP Build Process Automation to check for agent authorization.
Here’s how you do it:
- In BTP, trust your organization’s IDP, if you have not done so already. This is a standard procedure in BTP that is documented here: Establish Trust and Federation Between UAA and Identity Authentication
- Go to the Role Collections view, select the agent user role template and, the “AgentUserIdp” role, add the “agent_group” attribute.
- For the value of this attribute, choose the name of the field that you want SAP Build Process Automation to check when users connect their agents.
- Your SAP Build Process Automation tenant will check this attribute for each Agent that connects, daily, to decide whether it should be authorized or not, and which Agent Group it belongs to.
For example, here is how I use the value of each user’s department to automatically authorize their agents and assign them to the appropriate agent group.
I go to BTP and trust my organization’s IDP.
Then, I go to the Role Collections view and make sure I have created a role collection from the role template IRPAAgentUser.
Now in the Roles view, for the agent_group attribute, I enter the value “department”.
(I do this because I decided to use the user’s department to decide which agent group they belong to, but if I want the user’s division to decide their agent group, I could enter the value “division” instead.)
On my IDP, my users’ departments have values like “Finance” and “HR”. These are the values that I enter for the names of my agent groups.
I go to my SAP Build Process Automation tenant, Settings, Agent Groups, and create two groups: “Finance” and “HR”. I select the type “Any” for these groups.
I’m done. When agents running on my users’ desktops connect to my tenant, their agents will be automatically sorted into the Finance group if they are in the Finance department, and the HR group if in HR.
This authorization check will be run every 12 hours, so any changes that you make to the user records in your IDP will be reflected a maximum of next day when they wake their desktop. Agents of users that have left the company will be removed from the agent groups, and users who have changed departments will automatically move from one group to the other.
You can see the full documentation on this new feature here: Map Agent Groups to an Identity Provider
Thousands of agents
Now, you have successfully configured integrated authorization for thousands of users by editing only one role collection and two agent groups. With the grouping inherent in the design of agent groups, you will only need to create as many agent groups as there are departments in your organization, probably a handful rather than then thousands or tens of thousands of user accounts that could be part of them. And, you do not have to maintain the agents separately when users move.
In this way, the standard configuration you already have on your identity provider is automatically reflected in SAP Build Process Automation without you having to do any manual mapping from one system to the other. It’s just one more example of how SAP automates your work to save you time. We hope you enjoy this new way, with less manual work on your part, to keep your SAP systems more integrated and secure.
For more information on SAP Process Automation:
- Exchange knowledge: SAP Community | Q&A| Blogs
- Explore: SAP Product Page | Product Demo
- Try SAP Process Automation For Free: Get Started | SAP Help Portal