Is it possible to lock and unlock users in SAP BTP more specifically in IAS tenant? We are already using SAP BTP and phase1 of the project is already live. We are now going live with phase 2 and We would like to lock users in BTP during the cutover activity.
I've looked at the SAP business accelerator hub and did not find any APIs which could be used for the above requirement. Is there any other options I may have missed?
In IAS, User Management - you will have status ACTIVE and INACTIVE to control user authentication process.
If you're using IPS to sync users from IAS to BTP, you can control it automatically to manage who gets what access from IAS. you can automate in IAS to update every user by integrating from Azure or Sailpoint or Successfactors or any IDM solutions through bring users information to IAS automatically via IPS again.
Also you can use IAS APIs to update the user status.
I appreciate the thoughtful question posed. Clarifying the term "BTP User" is essential—whether it pertains to Platform (Cockpit Admin - Platform IdP) or Business Users (Application IdP). Disabling the "available for user login" option in the Trust Configuration of the respective BTP Subaccount may not be a prudent choice. Disabling the IAS user is also not a good idea, given the fact this user still needs access to other applications.
Consideration has been given to the notion of temporarily deactivating an application in IAS, thereby restricting logins to the associated BTP Subaccount. It would be advantageous if IAS could support a customizable message, such as a maintenance page, for enhanced user communication.
Regrettably, the current state of affairs does not align with this vision. One plausible workaround involves implementing a robust group concept. By employing Risk-Based Authentication Rules, a rule can be formulated to deny access to specific groups. Ideally, these groups should be predefined and configured beforehand. This approach facilitates the creation of a DENY rule tailored to specific applications, which can be activated within a specified time frame. Also allowing a RBA rule in IAS to be scheduled would be a cool feature. These groups need to be integrated into the IdDS, with the IdDS API serving as a mechanism to dynamically manage group membership through a suitable tool.
These are but a few musings, and with a bit more brainpower, who knows what other scenarios might unfold?