cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Read only

Handle persons leaving the organisation when provisioning with IPS

Sgemert
Explorer

on ‎2025 May 13 8:23 AM

0 Kudos
180

Dear all,

 

We are setting up provisioning from EntraID to IAS to S/4 onprem. 

When a person leaves the organisation, the useraccount might get deleted in EntraID. From audit perspective we do not want to delete the user in S/4 but lock it and assign a specific usergroup in SU01. 
I am trying to find out what the best way is to achieve this. 

I found this parameter ias.user.update.instead.delete which might be of help, but I only found a SAP help page on it and nothing else on Google, so my guess is, nobody is using it. 

 

How did other setup the handling of preventing users from being deleted in an S/4 backend when persons leave the organisation irt IPS provisioning?

Thanks for your time

Sander

SAP Cloud Identity Services SAP S/4HANA 

SAP Cloud Identity Services
SAP Cloud Identity Services
SAP Business Technology Platform
SAP S/4HANA
SAP S/4HANA
SAP S/4HANA

Know the answer?

Help others by sharing your knowledge.

Answer

Need more details?

Request clarification before answering.

Show replies
Show replies
Sgemert
Explorer
‎2025 May 15 3:49 PM
0 Kudos

.

View Entire Topic
Yogananda
Product and Topic Expert
Product and Topic Expert
‎2025 May 13 9:00 AM
0 Kudos

Hi @Sgemert 

you will have to use IPS Transformation to sync Users from Entra to SAP Application Server ABAP and you will see below highlighted in screenshot having condition to set LOCK. 

https://help.sap.com/docs/identity-provisioning/identity-provisioning/target-sap-application-server-...

Yogananda_0-1747123176816.png

 

Show replies
Show replies
Sgemert
Explorer
‎2025 May 13 11:09 AM
0 Kudos

Hi Yogananda,

 

How I now set it up:
Source entra - target IAS. Read users and groups relevant for S4

Source IAS - target S/4 rfc . Read users and assign roles. Selection is done on membership of IAS group s4s_qas. If part of this group, user is created and assigned IAS groups are assigned as roles in S/4. Set ips.delete.existedbefore.entities to false, so accounts dont get deleted in S/4. 

 

What I want:

1. If user is removed from IAS group s4s_qas the user should get locked in S/4 and assigned the SU01 usergroup "inactive". 

2. If user is locked in EntraID, user needs to be locked in IAS and S/4

3. If user is added to IAS group s4s_qas again, users has to be unlocked in S/4

 

Number 2 works. 

Number 1 and 3 do not work. Can this be achieved with transformations?

 

Thanks

Sander

 

 

Ask a Question