Human Capital Management Blogs by Members
Gain valuable knowledge and tips on SAP SuccessFactors HCM suite and human capital management market from member blog posts. Share your insights with a post of your own.
cancel
Showing results for 
Search instead for 
Did you mean: 
shrutithakkar
Active Participant
2,633
Streamlining Employee Grouping in SAP SuccessFactors: Leveraging Custom Attributes from SAP SuccessFactors via Identity Provisioning for Identity Authentication User Store Management.

In this blog, the focus is on streamlining employee grouping in SAP SuccessFactors using custom attributes. For an example we are using custom15 from the User Data file is utilized to determine the appropriate group for employees in the Identity Authentication user store.

There could be different conditions that can be used to check a particular field value and update the employee in a specific group.

The custom attribute (custom15) is utilized as a key factor for grouping employees in SAP SuccessFactors. By checking the value of this field, employees are dynamically assigned to different groups. If the value is set to "Yes", they are directed to the 'MFAGROUP' group in Identity Authentication. On the other hand, if the value is set to anything other than "Yes" (e.g. "No" or left blank), the employees are directed to the 'NO_MFA' group.

By utilizing the "Is MFA?" (Custom15) field, employee grouping in Identity Authentication is streamlined, ensuring that employees are accurately placed in the appropriate groups based on the value of this custom attribute. This approach simplifies user store management and enhances the overall identity and access management process in SAP SuccessFactors.

 

Step 1- Identity Provisioning Source System - SAP SuccessFactors

The Custom15 value can be added to the sf.user.attributes property in the Identity Provisioning configuration. This allows Identity Provisioning to read and load this user attribute from SAP SuccessFactors during the provisioning process. It is important to ensure that the extra attribute, in this case Custom15, is appropriately separated by a comma to ensure accurate data processing.


sf.user.attributes


Step 2 - Mapping the data in Source System

Add the following code to the source system transformation into the User mapping section. I am updating the value of Custom15 from SF into CustomAttribute2 in IAS:
 {
"sourcePath": "$['urn:sap:cloud:scim:schemas:extension:sfsf:2.0:User']['custom15']",
"optional": true,
"targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']['attributes'][1]['value']"
},
{
"condition": "$['urn:sap:cloud:scim:schemas:extension:sfsf:2.0:User']['custom15'] EMPTY false",
"constant": "customAttribute2",
"targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']['attributes'][1]['name']"
},
{
"sourcePath": "$.custom15",
"targetPath": "$.custom15"
}


Transformation - Source Code - UserMapping


 

Step 3 - Identity Provisioning Target System - Identity Authentication

Add the following code to the Identity Authentication target system transformation into the User mapping Section:
{
"sourcePath": "$['urn:sap:cloud:scim:schemas:extension:sfsf:2.0:User']['custom15']",
"optional": true,
"targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']['attributes'][1]['value']"
},
{
"constant": "customAttribute2",
"targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']['attributes'][1]['name']"
},

 


Transformation - Target Code - UserMapping


 

Step 4 - Create the two User Groups

In Identity Authentication Administration Console, create the two user groups to update the employees:

  • MFAGROUP

  • NO_MFA



User Groups


 

Step 5 - Add Condition for employees to get auto updated in User groups created in Identity Authentication

These mappings will assign the user groups to the users who are fits with the given condition.
{
"condition": "($.custom15 == 'Yes')",
"constant": "MFAGROUP",
"targetPath": "$.groups[0].value"
},
{
"condition": "($.custom15 != 'Yes')",
"constant": "NO_MFA",
"targetPath": "$.groups[0].value"
},


Transformation - Target Code - UserMapping - Groupingcode


 

Step 6- Run Read Job Identity Provisioning

Run a new Read job from Identity Provisioning from SAP SuccessFactors source system, and monitor in Identity Authentication that the employees are getting updated to the desired groups as per the condition we mentioned in step 5.

For Inital Testing, use filter for specific group of employees and once job is successfully; remove the filter and run the job for all active employees.


Custom Attribute 2 = Yes



User Group updated in User Profile


 

Finally, remove the employee specific filters and run the job for all active employees. The job should read the value from SF and accordingly update the details in IAS via IPS jobs.


Group 1, Custom Attribute == Yes


 


Group 2, Custom Attribute != Yes


 

In summary, by using custom attributes from SAP SuccessFactors via Identity Provisioning, employee grouping can be streamlined in SAP SuccessFactors. The steps outlined in this blog provide a straightforward approach to implementing this solution. By mapping the custom attribute field to a target attribute in Identity Authentication, and using conditions to assign employees to specific user groups, the overall identity and access management process in SAP SuccessFactors can be enhanced.

I hope you found this blog post informative and helpful. I would love to hear your thoughts and feedback on this topic, so please feel free to leave a comment below. Feedback, suggestions will help me to continue improving the content and providing with more valuable insights and learn more.

Thank you for reading! Happy Learning!

Thank you 🙂
12 Comments
Divya_Tiwari
Product and Topic Expert
Product and Topic Expert
Nice and very straight forward blog Shruti! Thanks a lot for sharing!
shrutithakkar
Active Participant
0 Kudos
Thank you so much Divya 🙂
willianlima
Explorer
Great work Shruti, thanks for sharing.

Which api version did you use?

Thanks in advance.

Willian

 
shrutithakkar
Active Participant
0 Kudos
Hi Willian,

Thank you 🙂

I am using API version 1. The code will get tweaked if you are using API version 2.

I have that code and can share if you need it but not sure if thats in working condition or not. I do not have version 2 in any of our system and hence could not test it.

Please let me know if I can help!

 

Good day!

 

Thanks

Shruti
willianlima
Explorer
Hi Shruti,

Yes, please. It would be very welcome. 🙂

 
Hi Shruti,

 

 

Should the below mapping part be added in User mappings or Group mapping:

{
“condition”: “($.customAttribute2 == ‘Yes’)”,
“constant”: “MFAGROUP”,
“targetPath”: “$.groups[0].value”
},

 

Regards,

Vivek DM
shrutithakkar
Active Participant
0 Kudos
Hi Vivek,

It should be under User mappings.

Also, the field highlighted should be the field from SF and not IAS. so depends on which field are using whether its a custom field or standard, add the fieldID here.

{
“condition”: “($.customAttribute2 == ‘Yes’)”,
“constant”: “MFAGROUP”,
“targetPath”: “$.groups[0].value”
},

 

Thanks

Shruti
shrutithakkar
Active Participant
Hi Willian,

 

If you are using Version 2, then you might have to use a different code something like this as below, Condition will depend upon business requirement and the one highlighted in Blue if Group ID
{
"condition":"($.custom 15 == Yes)",
"constant":[
{
"id":"00f8ab94-a732-48fa-9169-e51f87b8dcd5"
},
{
"id":"01231139-4711-4a28-8f9d-6745843ef716"
}
],
"targetVariable":"assignGroup"
}

This is just an example of assigning, we can have different codes with different conditions.
You can refer this area of implementation guide for more details- https://help.sap.com/docs/identity-provisioning/identity-provisioning/enabling-group-assignment

Hope this helps 🙂

Thanks!

fjjvazquez
Participant
shrutithakkar.sap first of all thanks for this! I have a doubt with a previous step, maybe you or someone can give me a hand on this. I need to read a custom field and then record in within a customattribute, but it is not working. (API 2)

I have successfully read and written in "customattribute1" and "customattribute2" values from fields like "perPersonUuid" and "loginMethod" and they are working, values are read and writen, but there is a third "custom2" field which is not working that way. (I ensured the identifier of this field is "custom02" and previously included within the filter.

I leave you source and path codes just in case anyone can help me out, "perPersonUuid" and "loginMethod" are working fine, "custom02" is the one not been read or/and "written":

Source:

{
"sourcePath": "$['urn:ietf:params:scim:schemas:extension:successfactors:2.0:User']['perPersonUuid']",
"targetPath": "$['urn:ietf:params:scim:schemas:extension:successfactors:2.0:User']['perPersonUuid']",
"optional": true
},
{
"sourcePath": "$['urn:ietf:params:scim:schemas:extension:successfactors:2.0:User']['loginMethod']",
"targetPath": "$['urn:ietf:params:scim:schemas:extension:successfactors:2.0:User']['loginMethod']",
"optional": true
},
{
"sourcePath": "$['urn:ietf:params:scim:schemas:extension:successfactors:2.0:User']['custom02']",
"targetPath": "$['urn:ietf:params:scim:schemas:extension:successfactors:2.0:User']['custom02']",
"optional": true
},

 

Target:

{
"sourcePath": "$['urn:ietf:params:scim:schemas:extension:successfactors:2.0:User']['perPersonUuid']",
"targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']['attributes'][0]['value']",
"optional": true
},
{
"targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']['attributes'][0]['name']",
"condition": "$['urn:ietf:params:scim:schemas:extension:successfactors:2.0:User']['perPersonUuid'] EMPTY false",
"constant": "customAttribute1"
},
{
"sourcePath": "$['urn:ietf:params:scim:schemas:extension:successfactors:2.0:User']['loginMethod']",
"targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']['attributes'][1]['value']",
"optional": true
},
{
"targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']['attributes'][1]['name']",
"condition": "$['urn:ietf:params:scim:schemas:extension:successfactors:2.0:User']['loginMethod'] EMPTY false",
"constant": "customAttribute2"
},
{
"sourcePath": "$['urn:ietf:params:scim:schemas:extension:successfactors:2.0:User']['custom02']",
"targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']['attributes'][2['value']",
"optional": true
},
{
"targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']['attributes'][2]['name']",
"condition": "$['urn:ietf:params:scim:schemas:extension:successfactors:2.0:User']['custom02'] EMPTY false",
"constant": "customAttribute3"
},
shrutithakkar
Active Participant
0 Kudos
Hello Francisco,

Can you please try to update your source code.

Please make sure you are updating under user mapping under both codes.

Source:

{
“sourcePath”: “$.custom02”,
“targetPath”: “$.custom02”
}

 

Target:

 {
"sourcePath": "$['urn:sap:cloud:scim:schemas:extension:sfsf:2.0:User']['custom02']",
"targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']['attributes'][2]['value']",
"optional": true
},
{
"targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']['attributes'][2]['name']",

},

 

This will help to read and write the value. Do this as first step and try to update all values from SF to IAS. Please note this code is applicable only for V1.

Once data is updated, try to put some conditions and validations around it.

 

Please check and let me know if this helps!

 

Thanks

Shruti
fjjvazquez
Participant
0 Kudos

Hi Shruti!

I change source transformation into API v1. I am trying to bring values again from fields to customattributes.... 2 out 3 worked, as you can see within the picture "custom02" values are not shown in customattribute1, the rest are working fine. What do you think could it be?

Also, how should I  try to update all values from SF to IAS?

API Ver 1

Source:

{

"sourcePath": "$.loginMethod",

"targetPath": "$['urn:sap:cloud:scim:schemas:extension:sfsf:2.0:User']['loginMethod']"

},

{

"sourcePath": "$.custom02",

"targetPath": "$.custom02"

},

{

"sourcePath": "$.personKeyNav.perPersonUuid",

"targetPath": "$['urn:sap:cloud:scim:schemas:extension:sfsf:2.0:User']['personGUID']"

},

Target:

{

"sourcePath": "$['urn:sap:cloud:scim:schemas:extension:sfsf:2.0:User']['custom02']",

"targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']['attributes'][0]['value']",

"optional": true

},

{

"targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']['attributes'][0]['name']",

"condition": "$['urn:sap:cloud:scim:schemas:extension:sfsf:2.0:User']['custom02'] EMPTY false",

"constant": "customAttribute1"

},

{

"sourcePath": "$['urn:sap:cloud:scim:schemas:extension:sfsf:2.0:User']['loginMethod']",

"targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']['attributes'][0]['value']",

"optional": true

},

{

"targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']['attributes'][0]['name']",

"condition": "$['urn:sap:cloud:scim:schemas:extension:sfsf:2.0:User']['loginMethod'] EMPTY false",

"constant": "customAttribute2"

},

{

"sourcePath": "$['urn:sap:cloud:scim:schemas:extension:sfsf:2.0:User']['personGUID']",

"targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']['attributes'][2]['value']",

"optional": true

},

{

"targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']['attributes'][2]['name']",

"condition": "$['urn:sap:cloud:scim:schemas:extension:sfsf:2.0:User']['personGUID'] EMPTY false",

"constant": "customAttribute3"

},

MauricioMiao
Contributor
0 Kudos
Hi shrutithakkar.sap,

Excellent blog, thanks very much.

Do you know it it is possible to concatenate 2 source attributes into one target attribute in the write transformation?

Regards

Mauricio
Labels in this area