Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Showing results for 
Search instead for 
Did you mean: 
normann
Product and Topic Expert
Product and Topic Expert
1,668

Why You Should Jump On Board!

Picture this: You're using SAP Cloud Identity Services (SCI), but there's a hitch. You can't whip out your magic wand and conjure up some custom logic for any event in the Identity Directory Service (IDDS). What a downer, right?

Well, wipe that frown away! The SAP Best Practices Identity Lifecycle Service (IDLS) is here to save the day. It's like your personal superhero, giving you the power to inject your own custom wizardry into the SCI. Whether there's a tiny tweak or a mammoth modification in the IDDS, IDLS is ready to execute your custom logic, written in the language of the internet - JavaScript!

Three Fabulous Feats You Can Perform:

    1. Abra-cadabra! Change a name and the email address recalculates automatically!
    2. Have a new hire? Or a sudden termination? No worries! Activate or deactivate identities based on data in the IDDS.
    3. Organize a coup! Automatically assign groups based on juicy info like cost center.

How This Magic Works:

    1. IDLS acts like a busy bee, frequently buzzing around the IDDS to gather user information. You decide how often it buzzes.
    2. Detects any changes in the user data and neatly stacks them up in a queue in the Event Mesh service.
    3. Voila! It executes your custom logic.
    4. Writes back the modification into the IDDS, like a diligent scribe.

The service comes with a treasure chest of predefined JavaScript functions. It's nostalgia-inducing, just like good old SAP IdM. Use these to perform certain operations inside IDDS.

Peek Into A Sample Spellbook:

Here's a sneak peek at a script that covers two of the scenarios mentioned above: Recalculating an email address (including checking for uniqueness) and assigning a group based on the user's cost center.

function eventTriggered(value, event) {
    if (event.getValue() == "Changed") {
        if (value instanceof Java.type("com.sap.openapi.idds.model.User")) {
            let changesMap = new Map(Object.entries(JSON.parse(changes)));
            changesMap.forEach((valueAttr, key) => {
                print(`Changes: ${value.getUserName()} : ${key} `); 
                if (key == 'familyName' || key == 'givenName') {
                    handleUserNameChanged(value);
                }

                if (key == 'costCenter') {
                    addUserToGroupByCC(value);
                }
            });
            utils.patchValues('user', value);
        }
    }
}

function handleUserNameChanged(user) {
    let name = user.getName();
    var familyName = name.getFamilyName();
    var givenName = name.getGivenName();
    var emailList = [];
    var email = `${givenName}.${familyName}@company.com`;
    email = deleteUmlauts(email);
    var index = 1;

    while (utils.getValueByEntry("email", email)) {
        email = `${givenName}.${familyName}${index}@company.com`;
        index++;
    }

    user.getEmails().forEach(element => {
        element.setValue(email);
        element.display(email);
        element.setPrimary(true);
        element.setType(utils.getEmailType('work'));
        emailList.push(element);
    });

    print(emailList);
    user.setEmails(emailList);
    user.setUserName(email);
}



function addUserToGroupByCC(user) {
    if (user.isActive()) {
        var listGroups = utils.getGroups();
        listGroups.forEach((group) => {
            let name = group.getGroupExentsion().getName();
            print(`Cost Center Name: ${name}`);
            if(name.indexOf("_") > -1) {
                let cc_number = name.substring(name.indexOf("_") + 1)
                print(`Cost Center Number: ${name}`);
                if (cc_number == (user.getEnterpriseUser().getCostCenter())) {
                    utils.addUserToGroup(user.getId(), group.getId());
                }
            }
        });
    }   
}

function deleteUmlauts(value) {
    value = value.replace(/\u00e4/g, "ae");
    value = value.replace(/\u00fc/g, "ue");
    value = value.replace(/\u00f6/g, "oe");
    value = value.replace(/\u00df/g, "ss");
    value = value.replace(/\u00dc/g, "Ue");
    value = value.replace(/\u00c4/g, "Ae");
    value = value.replace(/\u00d6/g, "Oe");
    return value;
}

The function "eventTriggered" is like the red carpet rolled out for every modification the IDSL detects. This function sorts out the modifications ("Created", "Changed", "Deleted") and provides all the juicy details related to the event (like the modified name). This function is your VIP pass into the IDSL.

The functions "handleUserNameChanged" and "addUserToGroupByCC" jump into action when the name or cost center are tweaked, and perform the necessary operations. Think of them as your trusty sidekicks, ready to perform more feats as you add them.

So, buckle up and get ready to automate your user administration in the Cloud with SAP's IDLS!

Predefined Script Functions

This is a list of the predefined script functions available as of now:

patchValues

    • Input Parameters:<entryType>,<JSONEntry>
    • Updating the entry in the IDDS

getValueByEntry

    • Input Parameters: <searchAttribute>,<searchValue>
    • Return Value: Boolean (true if entry was found in the IDDS)
    • Search for an entry in IDDS by attribute name and value

addUserToGroup

    • Input Parameters: <userScimId>,<groupScimId>
    • Adding a user as member of a group inside the IDDS

deleteUserFromGroup

    • Input Parameters: <userScimId>,<groupScimId>
    • Removing a user as member from a group inside the IDDS

deleteUser

    • InputParameters: <userScimId>
    • Delete a user form IDDS

deleteGroup

    • InputParameters: <groupScimId>
    • Delete a group form IDDS

getGroups

    • Returning a List of all groups inside the IDDS

Prerequisites

The following BTP Services are required to be available to be able to use this SAP Best Practices Service:

    • SAP Cloud Identity Services
    • SAP Cloud Foundry Runtime Environment
    • SAP Event Mesh Service
    • SAP Object Store Service

The Inside Scoop

If your curiosity is piqued and you're itching to know more about this service and how to roll it out, don't be shy! Reach out to me directly or shoot an email to security.consulting@sap.com. We're all ears!

__PRESENT

3 Comments