on 2025 Dec 12 9:18 AM
Dear SAP Community,
We are currently building a business application in Entra ID that provisions users into the Identity Directory of the SAP Cloud Identity Services. At this stage, we are not using source or target transformations; instead, we are pushing users and attributes directly from Entra ID into the Identity Directory of our SAP Cloud Identity Services tenant.
In SAP Cloud Identity Services, we have several groups that were created either by SAP Support or by various SAP applications. For example, SAP Joule for Consultants requires a license group called SAP_JOULE_PREMIUM_CONSULTANT, which is created by SAP Support.
Users should be added to these groups automatically based on their group membership in Entra ID. Using the SCIM API, it should be possible to add members to an existing SAP Cloud Identity Services group.
Our target scenario looks like this: A user requests permissions for a specific (SAP-)application via our Entra ID Service Portal. After approval by the user’s manager, the user is added to an Entra ID group. During the next provisioning cycle, the transformation should work as follows: If the user is a member of Entra ID group “X”, then they should be added to group “Y” in SAP Cloud Identity Services. If they are no longer part of this group, they should be removed from it again.
Has anyone successfully implemented a similar setup and can share how they approached it?
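The add-and-remove reconciliation described in the post, sketched as an added example (not part of the original post and not SAP or Microsoft code): it builds a standard SCIM 2.0 PatchOp body (RFC 7644) for one mapped group. The mapping, function names and user ids are hypothetical, the ids are assumed to be already resolved to the target directory's SCIM user ids, and whether the tenant accepts the operations in exactly this form is an assumption to verify.

```python
import json

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Hypothetical mapping: Entra ID group -> SAP Cloud Identity Services group.
GROUP_MAP = {"X": "SAP_JOULE_PREMIUM_CONSULTANT"}


def scim_quote(value):
    """Escape a value for use inside a SCIM filter string literal."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def build_patch(desired_ids, current_ids, managed_ids=None):
    """Return a PatchOp body moving current membership to desired, or None.

    managed_ids limits removals to members this job is responsible for, so
    members added by SAP Support or another application are left in place.
    """
    desired, current = set(desired_ids), set(current_ids)
    to_add = sorted(desired - current)
    removable = current if managed_ids is None else current & set(managed_ids)
    to_remove = sorted(removable - desired)
    ops = []
    if to_add:
        ops.append({"op": "add", "path": "members",
                    "value": [{"value": uid} for uid in to_add]})
    for uid in to_remove:
        # One remove per member: a remove on "members" with no filter
        # would clear the whole group.
        ops.append({"op": "remove",
                    "path": f'members[value eq "{scim_quote(uid)}"]'})
    if not ops:
        return None
    return {"schemas": [PATCH_SCHEMA], "Operations": ops}


if __name__ == "__main__":
    # Constructed sample data: members of Entra group "X" and of the target group.
    entra_members = {"X": ["u-alice", "u-bob"]}
    sap_members = {"SAP_JOULE_PREMIUM_CONSULTANT": ["u-bob", "u-carol"]}
    for source, target in GROUP_MAP.items():
        body = build_patch(entra_members[source], sap_members[target])
        print(target, json.dumps(body, indent=2))
```

Passing `managed_ids` keeps the job from removing members it did not add, which matters for groups that SAP Support or other applications also maintain.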