Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
yogananda
Product and Topic Expert

Managing user groups efficiently is crucial for maintaining security and ensuring that users have the appropriate access within your organization. SAP Cloud Identity Services, specifically the Identity Provisioning Service (IPS), offers robust capabilities to automate and streamline this process. In this blog post, we’ll explore how to assign default groups to users and unassign groups based on specific conditions using IPS transformation logic.


Assigning Default Groups

Assigning default groups to users can be essential for ensuring that active users have the necessary permissions from the moment they are onboarded or gain access to certain applications.

Here’s a step-by-step guide to achieve this:

  1. Assign "DefaultGroup" in the IPS configuration:
    Navigate to the Identity Services - Identity Provisioning tab and open your target system.
    Under the Transformation tab, adjust the transformation rule to match your condition.

    Note: the JSON below is a sample that assigns a single group.

 

{
  "condition": "$.userType == 'employee'",
  "constant": "DefaultGroup",
  "targetPath": "$.groups[0].value"
}

 

Note: the JSON below is a sample for multiple groups; it is good practice to define them through a target variable.

 

            {
                "condition": "$.active == true",
                "constant": [
                    {
                        "id": "SAP Build Apps"
                    },
                    {
                        "id": "SAP Build Code"
                    }
                ],
                "targetVariable": "assignGroup"
            },
            {
                "condition": "$.active == false",
                "constant": [
                    {
                        "id": "SAP Build Apps"
                    },
                    {
                        "id": "SAP Build Code"
                    }
                ],
                "targetVariable": "unassignGroup"
            }

 

Apply the Transformation:

  • Save the transformation rule to apply it.
  • Go to the relevant source system.
  • Run the provisioning job to ensure that all active users are assigned to the default group on creation or modification, and that inactive users are unassigned from the defined default group.
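
An added example, not part of the original post and not SAP tooling: a pre-deployment check over rules of the shape shown above, listing group ids that an assignGroup rule grants but no unassignGroup rule removes, so that deactivated users do not keep access. The sample rules, the group "Example Extra Group" and the function names are constructed for illustration; treating ids that differ only in case or spacing as probable typos is an assumption of this example, not documented IPS behaviour.

```python
import json

# Constructed sample, not from the page: its two rules, with one group id
# mistyped in the unassign rule and one group missing from it entirely.
SAMPLE_RULES = json.loads("""
[
  {"condition": "$.active == true",
   "constant": [{"id": "SAP Build Apps"}, {"id": "SAP Build Code"},
                {"id": "Example Extra Group"}],
   "targetVariable": "assignGroup"},
  {"condition": "$.active == false",
   "constant": [{"id": "SAP Build Apps"}, {"id": "SAP build code"}],
   "targetVariable": "unassignGroup"}
]
""")


def group_ids(rules, target_variable):
    """Collect every group id written to the given targetVariable."""
    ids = set()
    for rule in rules:
        if rule.get("targetVariable") != target_variable:
            continue
        constant = rule.get("constant", [])
        entries = constant if isinstance(constant, list) else [constant]
        ids.update(e["id"] for e in entries if isinstance(e, dict) and "id" in e)
    return ids


def normalise(group_id):
    """Fold case and whitespace so near-identical ids can be compared."""
    return " ".join(group_id.split()).casefold()


def audit_group_rules(rules):
    """Compare assigned and unassigned group ids (conditions are not evaluated)."""
    assigned = group_ids(rules, "assignGroup")
    unassigned = group_ids(rules, "unassignGroup")
    missing = assigned - unassigned
    by_norm = {normalise(g): g for g in unassigned - assigned}
    typos = sorted((g, by_norm[normalise(g)]) for g in missing if normalise(g) in by_norm)
    typo_ids = {g for g, _ in typos}
    return {
        "never_unassigned": sorted(missing - typo_ids),
        "probable_typos": typos,
    }


if __name__ == "__main__":
    print(json.dumps(audit_group_rules(SAMPLE_RULES), indent=2))
```

The check compares group ids only; whether the two conditions are true complements of each other still has to be reviewed by hand.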


Best Practices

  • Regularly Review and Update Rules: Ensure that your transformation rules are up-to-date with your organization’s policies and structure.
  • Test in a Sandbox Environment: Before applying any new rules to your production environment, test them in a sandbox to avoid unintended access issues.
  • Monitor Provisioning Jobs: Regularly monitor the results of your provisioning jobs to ensure that groups are being assigned and unassigned as expected.

By leveraging the capabilities of SAP Cloud Identity Services - IPS, you can automate the management of user groups, ensuring that your users always have the appropriate access based on their roles and conditions. This not only enhances security but also improves operational efficiency.

3 Comments
ThomasRauen
Explorer
0 Kudos

Hi Yogananda,
the "targetVariable": "assignGroup" is apparently currently not extendable.
If I want to fill the list based on multiple conditions I'd have to write a JSON block for each possible scenario to have an exact match, like:
if X -> Group A
if Y -> Group B
if Z -> Group C
if YZ -> Group B,C
if ZX -> Group A,C
Instead of being able to fill a list like the groups[] or BusinessRoles[] for other system types, do you know about any other solution here?

regards

Thomas

yogananda
Product and Topic Expert
0 Kudos

@ThomasRauen 

I didn't get the exact match from the example you described above. What do X, Y, Z, YZ represent?

Have you tried valueMappings? Please have a look at the sample expressions documented.

 

normann
Product and Topic Expert
0 Kudos

Hello community,

If your scenarios require more complicated rules, I can recommend our SAP Best Practices Cloud Identity Lifecycle Service, which allows you to assign groups dynamically based on user information like organisational data.

Best Regards

 Norman