SAP IDM/SAC Support for SAC roles and TEAM liaison in IDM

michael_riant
Explorer

Hello,

We just connected IDM to SAC via IPS.

We are able to create users in ISC from IDM and assign them TEAMS.

However, when assigning a user to a TEAM, this removes the connection between the TEAM and its SAC roles.

I read that it is necessary in the API to return the roles of the Team, but we did not find a way to retrieve them or how to send them back to SAC.

https://www.ibsolution.com/academy/blog_en/sap-cyber-security/seven-challenges-in-connecting-sac-to-...

Has anyone ever encountered this problem?

If yes, what was your solution?

Regards

Michael

Accepted Solutions (0)

Answers (2)


Matthew_Shaw
Product and Topic Expert
0 Kudos

Thank you @lambert-giese for your suggestion to use the sample scripts and resources on my 'main' SCIM blog😉

One of the many related blogs mentions a problem when updating users and teams when using version 1 of the API. This related blog talks about the benefits of using version 2 of the API and this blog will help answer a few other questions you might have.

The problem with version 1 is that you have to do a 'GET' to read all the contents of the user or group, then update the user or group, before issuing a PUT of the entire user or group definition. User provisioning tools don't like this; they prefer to issue a single 'PATCH' request to just 'add', 'remove' or 'replace' a property in a user or group (a group is a Team in SAC). I talk about considerations for user provisioning tools in my best practices article, but it only covers version 1 of the API at the moment.

So, in short, you need to use version 2 of the SCIM API which then means you can use a 'PATCH' method to just 'add', 'remove' or 'replace' a user in a team whilst still respecting all the roles that team is a member of. You can also use a PATCH to 'add', or 'remove' a role in a user, whilst still respecting all the roles that user is a member of. It means that PATCH is wonderful for user provisioning tools and it means things like roles don't get dropped just because you've made a change.

If you wanted to stick with version 1 of the API and use SAP Provisioning Services, then you could consider SAP KBA 3027079, but I'm not so keen on that solution, though it works.

The documentation also mentions this here, though it should make it clearer that this is for version 1 (cut and paste from the IPS doc):

Caution

When provisioning users and groups between a source system and SAP Analytics Cloud, groups are mapped to teams in SAP Analytics Cloud. Those teams can then get role assignments in SAP Analytics Cloud.

If you then run another provisioning job (Read or Resync), role assignments of SAP Analytics Cloud teams will be removed as a result of an update operation being executed. This behavior (causing permission issues for users) is expected, as SAP Analytics Cloud role assignments are not available as group parameters in some source systems, for example – Identity Authentication. To avoid this, you need to change the transformation of the SAP Analytics Cloud target system, as described in SAP Note 3027079 


Instead, I would recommend using version 2 of the API, and IPS does support that. The documentation and steps to do this are on the same documentation page here.

Hope this helps you and others.

All the best, Matthew 

(when creating a question, feel free to @ me so I get an email notification and I can then answer!)
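The difference the answer above describes, as an added example that is not part of the original thread and not SAP's or the answer author's code. It simulates a SCIM group (an SAC team) in memory: a v1-style GET, local edit and full PUT, as issued by a provisioning tool whose group schema has no role attribute, drops the team's roles, while an RFC 7644 PatchOp on the `members` path leaves every other attribute alone. The role attribute name `urn:example:sac:roles`, the endpoint path `/api/v1/scim2/Groups`, and the sample team data are assumptions made for the example, not SAC's real attribute or URL.

```python
"""SCIM v1 GET+PUT versus SCIM v2 PATCH on a group (SAC team).

Added example for this thread, not code from SAP or from the answer's
author. ASSUMPTIONS: the role attribute name, the endpoint path and the
sample team are placeholders; check the SAC SCIM v2 documentation for
the real ones.
"""
import copy
import json

SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ROLE_ATTR = "urn:example:sac:roles"  # ASSUMPTION: placeholder attribute name

# Constructed sample team as the server holds it: one member, two roles.
SAMPLE_TEAM = {
    "id": "team-finance",
    "displayName": "Finance",
    "members": [{"value": "alice"}],
    ROLE_ATTR: ["BI_Admin", "Planning_Reporter"],
}


def provisioner_view(group):
    """What a provisioning tool keeps after a GET when its group schema
    has no role attribute: only the attributes it knows about."""
    return {k: copy.deepcopy(group[k]) for k in ("id", "displayName", "members")}


def v1_put_update(server_group, user_id):
    """v1 style: GET the group, add the member locally, PUT the whole
    group back. Attributes missing from the PUT body are cleared by the
    server (the behaviour the thread describes), so the roles are lost."""
    local = provisioner_view(server_group)
    local["members"].append({"value": user_id})
    return local


def build_patch(op, user_ids):
    """RFC 7644 PatchOp body to add or remove group members."""
    if op == "add":
        ops = [{"op": "add", "path": "members",
                "value": [{"value": u} for u in user_ids]}]
    elif op == "remove":
        ops = [{"op": "remove", "path": f'members[value eq "{u}"]'}
               for u in user_ids]
    else:
        raise ValueError(f"unsupported op {op!r}")
    return {"schemas": [SCIM_PATCH_SCHEMA], "Operations": ops}


def apply_patch(server_group, patch):
    """Minimal server-side handling of PatchOp on the 'members' path,
    enough to show that attributes the patch does not name survive."""
    if patch["schemas"] != [SCIM_PATCH_SCHEMA]:
        raise ValueError("not a SCIM 2.0 PatchOp")
    result = copy.deepcopy(server_group)
    prefix = 'members[value eq "'
    for operation in patch["Operations"]:
        op, path = operation["op"], operation["path"]
        if op == "add" and path == "members":
            existing = {m["value"] for m in result["members"]}
            result["members"] += [m for m in operation["value"]
                                  if m["value"] not in existing]
        elif op == "remove" and path.startswith(prefix):
            target = path[len(prefix):-2]  # strip the '"]' tail
            result["members"] = [m for m in result["members"]
                                 if m["value"] != target]
        else:
            raise NotImplementedError(f"{op} {path}")
    return result


def v2_patch_update(server_group, user_id):
    """v2 style: one PATCH that adds the member and touches nothing else."""
    return apply_patch(server_group, build_patch("add", [user_id]))


def patch_request(base_url, group_id, token, patch):
    """The HTTP request a provisioning tool would send (built, not sent).
    ASSUMPTION: the endpoint path is a placeholder."""
    return {
        "method": "PATCH",
        "url": f"{base_url}/api/v1/scim2/Groups/{group_id}",
        "headers": {"Authorization": f"Bearer {token}",
                    "Content-Type": "application/scim+json"},
        "body": json.dumps(patch),
    }


def roles_of(group):
    return group.get(ROLE_ATTR, [])


if __name__ == "__main__":
    after_put = v1_put_update(SAMPLE_TEAM, "bob")
    after_patch = v2_patch_update(SAMPLE_TEAM, "bob")
    print("v1 PUT   members:", [m["value"] for m in after_put["members"]],
          "roles:", roles_of(after_put))
    print("v2 PATCH members:", [m["value"] for m in after_patch["members"]],
          "roles:", roles_of(after_patch))
```

Running the block prints the v1 result with an empty role list and the v2 result with both roles intact; `patch_request` shows the body shape a tool like IPS would send to a v2 endpoint, which is the point of switching API versions rather than patching the IPS transformation.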

lambert-giese
Active Participant
0 Kudos

Not a direct answer to your question, but have you looked at @Matthew_Shaw's GitHub repository containing SAC SCIM API sample scripts? It looks like a pretty comprehensive resource for all questions about user/team/license management in SAC via REST. Check the links below: