Application-specific groups, one of the most anticipated features in SAP Cloud Identity Services, can be created in the Identity Directory by running provisioning jobs or directly via the administration console UI. Afterwards, users can be assigned to or unassigned from these groups - a step that brings us closer to the ultimate goal: user assignments or unassignments will trigger automatic group provisioning to the target systems.
What is so special about the application-specific groups?
Based on your starting point, choose one of the following approaches:
Approach 1: start from scratch. In this approach, you have no applications or provisioning systems set up in the SAP Cloud Identity Services admin console, and no groups have been provisioned yet.
1. Log in to SAP Cloud Identity Services admin console.
2. Create an application. Navigate to Applications & Resources -> Applications -> Create and fill in the details in the Create Application dialog.
An application ID is generated for the newly-created application.
3. Create a source system. Navigate to Identity Provisioning -> Source Systems -> Add and create a source system of the same type as the application type in step 2. For more information, see SAP SuccessFactors.
4. Open the Properties tab and configure the mandatory and optional properties. Add the application ID of the SAP SuccessFactors (SFSF) application created in step 2 as the value of the ips.application.id property, for example:
ips.application.id= 35bda01a-2f76-47bd-97df-94444cea6f12
5. Open the Transformations tab. If the following attribute mappings for the group entity are missing in the read transformation, choose Edit, add them and save your changes:
    {
        "condition": "'%ips.application.id%' !== 'null'",
        "constant": "%ips.application.id%",
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:Group']['applicationId']"
    },
    {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:Group']['type']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:Group']['type']"
    },
    {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:Group']['supportedOperations']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:Group']['supportedOperations']"
    }
This ensures that Identity Provisioning (IPS) provisions the SAP SuccessFactors groups with the given application ID, their type and their supported operations. The condition on the first mapping matters: if ips.application.id is not set, the placeholder resolves to the literal string 'null', the condition is false and no applicationId is written, rather than a bogus value. For more information, see Application-Specific Groups.
Note: Currently only SAP Advanced Financial Closing and SAP BTP Platform Members (Cloud Foundry) source systems provide such attribute mappings in their default read transformations. These mappings are gradually being implemented for other supported provisioning systems.
6. Create the target system. Navigate to Identity Provisioning -> Target Systems -> Add and create the identity directory as a target system. For more information, see Local Identity Directory.
7. Navigate back to your source system and run the Read Job.
8. Verify that the application-specific groups are created in the identity directory. Navigate to Users & Authorizations -> Groups.
Let’s search for a specific group that we know exists in SAP SuccessFactors, for example: 'HR Administrators'.
Notice that the application name SFSF is displayed, as it is internally mapped to the application ID of the SFSF application. Additionally, Read is returned as supported operations and User Group as the type.
Approach 2: existing setup. In this approach, you already have your applications and provisioning systems set up in the SAP Cloud Identity Services admin console, and groups have already been provisioned.
For example, you have created an application and a source system for MS Entra ID and you have provisioned the ‘Development’ group to the identity directory. The group has been created as a user group. Although it is provisioned from MS Entra ID, the admin console UI does not indicate that the group is associated with this specific system (application). As a result, the Application Name field is empty.
1. Log in to SAP Cloud Identity Services admin console.
2. Select the MS Entra ID application that you have created, and copy its application ID.
3. Select the MS Entra ID source system, open the Properties tab, choose Edit and add the property with the application ID copied in step 2, for example: ips.application.id= 7f187cce-2f51-4efd-9bf4-9a8aabdd1c9c
4. Open the Transformations tab. If the following attribute mappings for the group entity are missing in the read transformation, choose Edit, add them and save your changes:
    {
        "condition": "'%ips.application.id%' !== 'null'",
        "constant": "%ips.application.id%",
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:Group']['applicationId']"
    },
    {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:Group']['type']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:Group']['type']"
    },
    {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:Group']['supportedOperations']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:Group']['supportedOperations']"
    }
5. Run a provisioning job from the MS Entra ID source system to the Identity Directory (IdDS) target system.
After a successful provisioning, you will get the following result:
The group is updated with the application name (linked to the application ID), its respective type, the supported operation, and its sole member, Mary Wilson.
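To make the effect of the three group mappings in both approaches concrete, here is an added Python example that is not part of this post and not SAP's own transformation engine. It models the subset of IPS read-transformation behaviour the mappings above rely on (property placeholders of the form %name%, the 'a' !== 'b' condition shape, constant and sourcePath mappings, and the optional flag) and applies them to a constructed group record, once with ips.application.id set and once without. The assumption that an unset property resolves to the string 'null' is how the condition in the post is meant to be read; the placeholder and path syntax beyond that is a simplification of the real engine.

```python
"""Simulate the IPS read-transformation mappings for the group entity.

Added example: a simplified model of Identity Provisioning transformation
semantics, not SAP's engine. Assumptions are marked in comments.
"""
import json
import re

SAP_GROUP_EXT = "urn:ietf:params:scim:schemas:extension:sap:2.0:Group"

# The three mappings from the post, verbatim apart from f-string substitution.
GROUP_MAPPINGS = [
    {
        "condition": "'%ips.application.id%' !== 'null'",
        "constant": "%ips.application.id%",
        "targetPath": f"$['{SAP_GROUP_EXT}']['applicationId']",
    },
    {
        "sourcePath": f"$['{SAP_GROUP_EXT}']['type']",
        "optional": True,
        "targetPath": f"$['{SAP_GROUP_EXT}']['type']",
    },
    {
        "sourcePath": f"$['{SAP_GROUP_EXT}']['supportedOperations']",
        "optional": True,
        "targetPath": f"$['{SAP_GROUP_EXT}']['supportedOperations']",
    },
]

# Constructed sample: a group as read from the source system (values as
# displayed in the post for 'HR Administrators').
SOURCE_GROUP = {
    "displayName": "HR Administrators",
    SAP_GROUP_EXT: {"type": "User Group", "supportedOperations": "Read"},
}


def resolve_placeholders(text, properties):
    """Replace %name% with the system property value.

    Assumption: an unset property resolves to the literal string 'null',
    which is what the condition in the mappings tests against.
    """
    return re.sub(r"%([\w.]+)%",
                  lambda m: properties.get(m.group(1), "null"), text)


def evaluate_condition(cond, properties):
    """Evaluate the only condition shape used above: 'x' !== 'y'."""
    resolved = resolve_placeholders(cond, properties)
    m = re.fullmatch(r"\s*'([^']*)'\s*!==\s*'([^']*)'\s*", resolved)
    if not m:
        raise ValueError(f"unsupported condition: {cond}")
    return m.group(1) != m.group(2)


def parse_path(path):
    """"$['a']['b']" -> ['a', 'b'] (bracket-quoted JSONPath only)."""
    return re.findall(r"\['([^']+)'\]", path)


def get_path(obj, path):
    cur = obj
    for key in parse_path(path):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def set_path(obj, path, value):
    keys = parse_path(path)
    cur = obj
    for key in keys[:-1]:
        cur = cur.setdefault(key, {})
    cur[keys[-1]] = value


def apply_group_mappings(source_group, properties, mappings=GROUP_MAPPINGS):
    """Build the target (Identity Directory) group from the source group."""
    target = {}
    for m in mappings:
        if "condition" in m and not evaluate_condition(m["condition"], properties):
            continue  # e.g. ips.application.id unset: write no applicationId
        if "constant" in m:
            value = resolve_placeholders(m["constant"], properties)
        else:
            value = get_path(source_group, m["sourcePath"])
            if value is None:
                if m.get("optional"):
                    continue
                raise ValueError(f"missing mandatory attribute {m['sourcePath']}")
        set_path(target, m["targetPath"], value)
    return target


if __name__ == "__main__":
    with_id = {"ips.application.id": "35bda01a-2f76-47bd-97df-94444cea6f12"}
    print(json.dumps(apply_group_mappings(SOURCE_GROUP, with_id), indent=2))
    print(json.dumps(apply_group_mappings(SOURCE_GROUP, {}), indent=2))
```

Running it shows the difference the property makes: with ips.application.id set, the target group carries applicationId, type and supportedOperations under the SAP group extension; without it (the state described at the start of approach 2), type and supportedOperations are still copied but applicationId is absent, which is why the Application Name field shows empty until the property is added and the job is rerun.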
With both approaches, you now have every ingredient in place while awaiting the cherry on top: triggering the real-time provisioning of groups when user assignment changes occur.
Stay tuned!