Technology Blogs by SAP
ivelinakiryakov
Product and Topic Expert

When it comes to provisioning identities with SAP Cloud Identity Services, unintentional or accidental mass deletion of users or groups could be quite disruptive and frustrating.

The good news is that it is preventable. All you need to do is add the standard property ips.delete.threshold.users (or ips.delete.threshold.groups for groups) to your target system configuration before running a provisioning job (Read or Resync). That is all it takes to use this optional but highly recommended property.

It will help you in various cases like:

  • wrong filters and conditions
  • problems with source system configuration
  • unintentional execution of parallel jobs for the same combination of source-target system

Overview

Remember: To be on the safe side, always configure the threshold property in your target systems.

This is how it works: You define a threshold that caps the number of entities a single job may delete. If the number of entities to be deleted is less than or equal to the threshold value, Identity Provisioning proceeds with the deletion. If the number is greater than the threshold value, the service deletes nothing: the entities are marked as failed in the job statistics and you get an error explaining that the users or groups cannot be deleted because the threshold is exceeded.

What’s the proper value for the threshold? You must consider the amount of data you provision and decide on a number that works for you. For more information, see List of Properties.

Example Scenarios

Scenario 1: The threshold is not configured.
  • Microsoft Azure AD is configured as a source system for provisioning users to an Identity Authentication target system.
  • A filter for reading only users from New York is defined on the source (aad.user.filter = City eq 'New York').
  • Ten users matching the filter are provisioned to the target. The screenshot below shows 11 users because the tenant administrator also counts.

[Screenshot: Thr1.png]

Proceed as follows:

  1. In Microsoft Azure AD source system, change the filter for reading users from City eq 'New York' to userPrincipalName eq 'Mary@example.com'
  2. Run a Read job and check the job Statistics.

[Screenshot: thr2.png]

As a result of changing the filter value, all 10 existing users in Identity Authentication are deleted and a new one matching the new filter is created. Again, the screenshot below shows one more user, the tenant administrator.

[Screenshot: thr3.png]

Scenario 2: The threshold is configured.

This is what happens with the same configuration as in scenario 1 above, plus the threshold property:

  • Microsoft Azure AD is configured as a source system for provisioning users to an Identity Authentication target system.
  • A filter for reading only users from New York is defined on the source (aad.user.filter = City eq 'New York').
  • Ten users matching the filter are provisioned to the target.
  • The property ips.delete.threshold.users is set to 5 on the target system.

[Screenshot: threshold.png]

Proceed as follows:

  1. In Microsoft Azure AD source system, change the filter for reading users from City eq 'New York' to userPrincipalName eq 'Mary@example.com'
  2. Run a Read job and check the job Statistics.

[Screenshot: threshold1.png]

As a result, one user matching the new filter is created and 10 users matching the changed filter are marked as failed and not deleted. The screenshot below shows 12 users (one newly created user, 10 failed users and one tenant administrator).

[Screenshot: thr6.png]
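To make the threshold rule concrete, here is a small Python model of what a Read job decides in the two scenarios above. It is an added illustration, not SAP code: the directory entries, the user names and the function names are constructed for this example, and the real service does not expose its reconciliation logic this way.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Constructed sample directory standing in for the Azure AD source (not real data).
DIRECTORY: List[Dict[str, str]] = [
    {"userPrincipalName": f"nyuser{i}@example.com", "City": "New York"} for i in range(1, 11)
] + [{"userPrincipalName": "Mary@example.com", "City": "Boston"}]


def read_source(directory: List[Dict[str, str]],
                user_filter: Callable[[Dict[str, str]], bool]) -> Set[str]:
    """Apply the source-system user filter (aad.user.filter) and return the identities read."""
    return {u["userPrincipalName"] for u in directory if user_filter(u)}


@dataclass
class JobStatistics:
    created: List[str] = field(default_factory=list)
    deleted: List[str] = field(default_factory=list)
    failed: List[str] = field(default_factory=list)
    error: Optional[str] = None


def run_read_job(source_users: Set[str], target_users: Set[str],
                 delete_threshold: Optional[int] = None) -> JobStatistics:
    """Hypothetical model of a Read job: create what is new in the source and delete what is
    no longer in it, unless the deletion count exceeds ips.delete.threshold.users."""
    stats = JobStatistics(created=sorted(source_users - target_users))
    to_delete = sorted(target_users - source_users)
    if delete_threshold is not None and len(to_delete) > delete_threshold:
        # Threshold exceeded: nothing is deleted, all candidates are reported as failed.
        stats.failed = to_delete
        stats.error = (f"{len(to_delete)} users cannot be deleted: "
                       f"ips.delete.threshold.users={delete_threshold} exceeded")
    else:
        stats.deleted = to_delete
    return stats


# First run with City eq 'New York' provisions 10 users to the target.
TARGET_AFTER_FIRST_RUN = read_source(DIRECTORY, lambda u: u["City"] == "New York")
# Changed filter: userPrincipalName eq 'Mary@example.com'
MARY_ONLY = read_source(DIRECTORY, lambda u: u["userPrincipalName"] == "Mary@example.com")

if __name__ == "__main__":
    for threshold in (None, 5):  # scenario 1, then scenario 2
        s = run_read_job(MARY_ONLY, TARGET_AFTER_FIRST_RUN, threshold)
        print(f"threshold={threshold}: created={len(s.created)} deleted={len(s.deleted)} "
              f"failed={len(s.failed)} error={s.error}")
```

Without the threshold the 10 New York users are deleted; with the threshold at 5 they are marked as failed and the job reports the error, while a threshold of 10 or more would still let the deletion through.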

Remember: Whenever you get an error telling you that entities cannot be deleted because the defined threshold is exceeded, take it as a warning that these entities are most probably not meant to be deleted and something went wrong.

Always configure thresholds in your target systems because the effort to fix issues later is incomparable to the effort of adding a single property in the Identity Provisioning UI.

As in life, prevention is better than cure.