Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Showing results for 
Search instead for 
Did you mean: 
dirk_jenrich
Product and Topic Expert
Product and Topic Expert
2,503

285323_iStock-909695714.jpg

Introduction

You are using SAP Cloud ALM – the cloud-based application lifecycle management tool to facilitate and streamline the implementation, operation, and continuous improvement of SAP solutions. In SAP Cloud ALM, SAP Cloud Identity Services - Identity Authentication assumes the role of the identity provider. This means that business users log on to SAP Cloud ALM with the mechanisms and credentials defined in the corresponding Identity Authentication tenant.

If the Identity Authentication service is serving as authenticating identity provider or as a proxy to your corporate identity provider, it is quite obvious that you might also want to centralize the authorization management of SAP Cloud ALM there. This blog presents a method for doing this using SAP Cloud Identity Services - Identity Provisioning – a service that automates identity lifecycle processes and helps you provision identities and their authorizations to various cloud and on-premise business applications.

In this method, the SAP Cloud ALM roles with the respective users are modeled as groups in the Identity Authentication tenant. Communication between these participants is done via the Identity Provisioning service, where they are defined as source and target systems.

Prerequisites

To provision groups from Identity Authentication with their members as roles with users assigned to them in SAP Cloud ALM, the following requirements must be met:

How to do it

  1. In your Identity Authentication tenant, define the role collections from your BTP subaccount as groups.

    It makes sense to use a common prefix for the display name, like CloudALM_– so use CloudALM_ + <Role Collection Name> as the display name of the group. You can use any prefix you like as long as it does not include an & – such a value would not work as a filter value (see below).

    There are two reasons for using a common prefix:

    • When you browse through all groups, you can better distinguish these groups representing the role collections.

    • Later you create filters ensuring that only groups representing the role collections and their members are provisioned to the BTP subaccount. And a common prefix for the group name makes it much easier to define which groups are to be provisioned.

  2. Add users to these groups according to the authorizations they require for SAP Cloud ALM.

    1-2.IAS source groups prefix and members assigned_Blurred.png

     

  3. In your Identity Provisioning tenant, navigate to your Identity Authentication source system, tab Transformation, and ensure that the group section of the transformation is enabled – which means that it does not have an entry "ignore": true.

    3.source system group transformation enabled_Blurred.png

     

  4. In your Identity Provisioning tenant, navigate to your Identity Authentication source system, tab Properties, and define filters containing your prefix you used above so that only groups relevant for SAP Cloud ALM and their members are provisioned via Identity Provisioning to the BTP subaccount:

    • ias.user.filter=groups.display sw "CloudALM_"

    • ias.group.filter=displayName sw "CloudALM_"

    Note
    To provision all users from Identity Authentication to the BTP subaccount, you can skip the ias.user.filter.

    4.source system filter properties_Blurred.png

  5. In your Identity Provisioning tenant, navigate to your SAP BTP XS Advanced UAA target system, tab Transformation, and ensure that the group section of the transformation is enabled and it is not ignored.

    5.target system default group transformation_Blurred.png

  6. In your Identity Provisioning tenant, navigate to your SAP BTP XS Advanced UAA target system, tab Properties, and define the group prefix you used for the display name. In our example, this is: xsuaa.group.prefix= CloudALM_.

    6.target system xsuaa.group.prefix property_Blurred.png

  7. After your source and target systems are configured and enabled, you can now execute the Read Job. To do so, in your Identity Provisioning tenant, navigate to your Identity Authentication source system, tab Jobs.

    Usually you want to schedule this job permanently so that later changes to the groups and their members are provisioned to your BTP subaccount and thus also to SAP Cloud ALM.

    7.source system run job_Blurred.png

  8. Check the result of the provisioning job. If any errors occur, investigate them and fix them. Some users or groups might not be provisioned, if they are reported as failed. To have them provisioned to SAP BTP XS Advanced UAA with proper authorizations, you have to fix the errors first.

    8.provisioning job finished_Blurred.png

  9. Go to the SAP BTP Cockpit of your BTP subaccount, and select Security -> Role Collections in the navigation bar. The members of the role collection you’ve just created as a group in your Identity Authentication tenant are updated.

    9.subaccount role collection updated_Blurred.png

That’s it! If you now create groups in your Identity Authentication tenant with your chosen prefix and the name of a role collection, assign users to these groups and wait for the next scheduled provisioning job, then the role collections and their members are updated in your BTP subaccount and SAP Cloud ALM, respectively.

There’s just one thing you should keep in mind: If you delete such a group from your Identity Authentication tenant, the lastly provisioned users in the corresponding role collection in the BTP subaccount are preserved as members of the role collection. So better don't delete such a group at all.

However, if you must, first remove all its members, then let the next job run provision the group to the target system, so that it is updated. Make sure that the role collection has no more members in the BTP subaccount, before you remove the group from Identity Authentication tenant.

3 Comments