Streamlining Employee Grouping in SAP SuccessFactors: Leveraging Custom Attributes from SAP SuccessFactors via Identity Provisioning for Identity Authentication User Store Management.
In this blog, the focus is on streamlining employee grouping in SAP SuccessFactors using custom attributes. For an example we are using custom15 from the User Data file is utilized to determine the appropriate group for employees in the Identity Authentication user store.
There could be different conditions that can be used to check a particular field value and update the employee in a specific group.
The custom attribute (custom15) is utilized as a key factor for grouping employees in SAP SuccessFactors. By checking the value of this field, employees are dynamically assigned to different groups. If the value is set to "Yes", they are directed to the 'MFAGROUP' group in Identity Authentication. On the other hand, if the value is set to anything other than "Yes" (e.g. "No" or left blank), the employees are directed to the 'NO_MFA' group.
By utilizing the "Is MFA?" (Custom15) field, employee grouping in Identity Authentication is streamlined, ensuring that employees are accurately placed in the appropriate groups based on the value of this custom attribute. This approach simplifies user store management and enhances the overall identity and access management process in SAP SuccessFactors.
Step 1- Identity Provisioning Source System - SAP SuccessFactors
The Custom15 value can be added to the sf.user.attributes property in the Identity Provisioning configuration. This allows Identity Provisioning to read and load this user attribute from SAP SuccessFactors during the provisioning process. It is important to ensure that the extra attribute, in this case Custom15, is appropriately separated by a comma to ensure accurate data processing.

sf.user.attributes
Step 2 - Mapping the data in Source System
Add the following code to the source system transformation into the User mapping section. I am updating the value of Custom15 from SF into CustomAttribute2 in IAS:
{
"sourcePath": "$['urn:sap:cloud:scim:schemas:extension:sfsf:2.0:User']['custom15']",
"optional": true,
"targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']['attributes'][1]['value']"
},
{
"condition": "$['urn:sap:cloud:scim:schemas:extension:sfsf:2.0:User']['custom15'] EMPTY false",
"constant": "customAttribute2",
"targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']['attributes'][1]['name']"
},
{
"sourcePath": "$.custom15",
"targetPath": "$.custom15"
}

Transformation - Source Code - UserMapping
Step 3 - Identity Provisioning Target System - Identity Authentication
Add the following code to the Identity Authentication target system transformation into the User mapping Section:
{
"sourcePath": "$['urn:sap:cloud:scim:schemas:extension:sfsf:2.0:User']['custom15']",
"optional": true,
"targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']['attributes'][1]['value']"
},
{
"constant": "customAttribute2",
"targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']['attributes'][1]['name']"
},

Transformation - Target Code - UserMapping
Step 4 - Create the two User Groups
In Identity Authentication Administration Console, create the two user groups to update the employees:

User Groups
Step 5 - Add Condition for employees to get auto updated in User groups created in Identity Authentication
These mappings will assign the user groups to the users who are fits with the given condition.
{
"condition": "($.custom15 == 'Yes')",
"constant": "MFAGROUP",
"targetPath": "$.groups[0].value"
},
{
"condition": "($.custom15 != 'Yes')",
"constant": "NO_MFA",
"targetPath": "$.groups[0].value"
},

Transformation - Target Code - UserMapping - Groupingcode
Step 6- Run Read Job Identity Provisioning
Run a new Read job from Identity Provisioning from SAP SuccessFactors source system, and monitor in Identity Authentication that the employees are getting updated to the desired groups as per the condition we mentioned in step 5.
For Inital Testing, use filter for specific group of employees and once job is successfully; remove the filter and run the job for all active employees.

Custom Attribute 2 = Yes

User Group updated in User Profile
Finally, remove the employee specific filters and run the job for all active employees. The job should read the value from SF and accordingly update the details in IAS via IPS jobs.

Group 1, Custom Attribute == Yes

Group 2, Custom Attribute != Yes
In summary, by using custom attributes from SAP SuccessFactors via Identity Provisioning, employee grouping can be streamlined in SAP SuccessFactors. The steps outlined in this blog provide a straightforward approach to implementing this solution. By mapping the custom attribute field to a target attribute in Identity Authentication, and using conditions to assign employees to specific user groups, the overall identity and access management process in SAP SuccessFactors can be enhanced.
I hope you found this blog post informative and helpful. I would love to hear your thoughts and feedback on this topic, so please feel free to leave a comment below. Feedback, suggestions will help me to continue improving the content and providing with more valuable insights and learn more.
Thank you for reading! Happy Learning!
Thank you
🙂