a month ago
Dear Experts,
I am trying to automatically assign roles to SAC users using this code. The users are provisioned to SAC with IPS, and the groups SAC_ADMIN and SAC_MODELER are visible in SAC (with the users).
However, when the users log into SAC, the roles are not automatically assigned to them.
What might be wrong with the code?
{
"user": {
"condition": "($.emails[0].value EMPTY false) && isValidEmail($.emails[0].value)",
"mappings": [
{
"constant": [
"urn:sap:params:scim:schemas:extension:sac:2.0:user-custom-parameters",
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:sap:params:scim:schemas:extension:enterprise:2.0:User"
],
"targetPath": "$.schemas"
},
{
"sourceVariable": "entityIdTargetSystem",
"targetPath": "$.id"
},
{
"sourcePath": "$.emails[0].value",
"targetPath": "$.userName"
},
{
"condition": "$.emails[?(@.primary == true)].value != []",
"sourcePath": "$.emails[?(@.primary == true)].value",
"preserveArrayWithSingleElement": false,
"optional": true,
"targetPath": "$.userName"
},
{
"sourcePath": "$.userName",
"optional": true,
"targetPath": "$.userName"
},
{
"sourcePath": "$.name.givenName",
"optional": true,
"targetPath": "$.name.givenName"
},
{
"sourcePath": "$.name.middleName",
"optional": true,
"targetPath": "$.name.middleName"
},
{
"sourcePath": "$.name.familyName",
"optional": true,
"targetPath": "$.name.familyName"
},
{
"sourcePath": "$.displayName",
"optional": true,
"targetPath": "$.displayName"
},
{
"sourcePath": "$.externalId",
"optional": true,
"targetPath": "$.externalId"
},
{
"sourcePath": "$.active",
"optional": true,
"targetPath": "$.active"
},
{
"sourcePath": "$.emails",
"preserveArrayWithSingleElement": true,
"targetPath": "$.emails"
},
{
"condition": "$.emails[0].length() > 0",
"constant": true,
"targetPath": "$.emails[0].primary"
},
{
"sourcePath": "$.groups[*].value",
"preserveArrayWithSingleElement": true,
"optional": true,
"targetPath": "$.groups[?(@.value)]",
"functions": [
{
"function": "resolveEntityIds",
"entityType": "group"
}
]
},
{
"sourcePath": "$['urn:sap:params:scim:schemas:extension:sac:2.0:user-custom-parameters']",
"optional": true,
"targetPath": "$['urn:sap:params:scim:schemas:extension:sac:2.0:user-custom-parameters']"
},
{
"sourcePath": "$['urn:sap:params:scim:schemas:extension:sac:2.0:user-custom-parameters']['idpUserId']",
"optional": true,
"targetPath": "$['urn:sap:params:scim:schemas:extension:sac:2.0:user-custom-parameters']['idpUserId']"
},
{
"sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']",
"optional": true,
"targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']",
"functions": [
{
"function": "resolveEntityIds"
}
]
}
]
},
"group": {
"condition": "('%sac.group.prefix%' === 'null') || ($.displayName =~ /%sac.group.prefix%.*/)",
"mappings": [
{
"constant": [
"urn:ietf:params:scim:schemas:core:2.0:Group",
"urn:sap:params:scim:schemas:extension:sac:2.0:group-roles",
"urn:sap:params:scim:schemas:extension:sac:2.0:group-custom-parameters"
],
"targetPath": "$.schemas"
},
{
"sourcePath": "$.displayName",
"targetPath": "$.id",
"functions": [
{
"function": "replaceFirstString",
"condition": "('%sac.group.prefix%' !== 'null') && (@ =~ /%sac.group.prefix%.*/)",
"regex": "%sac.group.prefix%",
"replacement": ""
}
]
},
{
"sourcePath": "$.displayName",
"targetPath": "$.displayName",
"functions": [
{
"function": "replaceFirstString",
"condition": "('%sac.group.prefix%' !== 'null') && (@ =~ /%sac.group.prefix%.*/)",
"regex": "%sac.group.prefix%",
"replacement": ""
}
]
},
{
"sourcePath": "$.externalId",
"optional": true,
"targetPath": "$.externalId"
},
{
"sourcePath": "$.roles",
"preserveArrayWithSingleElement": true,
"optional": true,
"targetPath": "$.roles"
},
{
"sourcePath": "$.members[*].value",
"preserveArrayWithSingleElement": true,
"optional": true,
"targetPath": "$.members[?(@.value)]",
"functions": [
{
"function": "resolveEntityIds",
"entityType": "user"
}
]
},
{
"sourcePath": "$['urn:sap:params:scim:schemas:extension:sac:2.0:group-roles']",
"optional": true,
"targetPath": "$['urn:sap:params:scim:schemas:extension:sac:2.0:group-roles']"
},
{
"sourcePath": "$['urn:sap:params:scim:schemas:extension:sac:2.0:group-custom-parameters']",
"optional": true,
"targetPath": "$['urn:sap:params:scim:schemas:extension:sac:2.0:group-custom-parameters']"
},
{
"sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['description']",
"optional": true,
"targetPath": "$['urn:sap:params:scim:schemas:extension:sac:2.0:group-custom-parameters']['description']"
},
{
"condition": "$.displayName == 'SAC_MODELER'",
"constant": "PROFILE:sap.epm:Modeler",
"targetPath": "$['urn:sap:params:scim:schemas:extension:sac:2.0:group-roles']['roles'][0]['value']"
},
{
"condition": "$.displayName == 'SAC_MODELER'",
"constant": "Modeler",
"targetPath": "$['urn:sap:params:scim:schemas:extension:sac:2.0:group-roles']['roles'][0]['display']"
},
{
"condition": "$.displayName == 'SAC_ADMIN'",
"constant": "PROFILE:sap.epm:Admin",
"optional": true,
"targetPath": "$['urn:sap:params:scim:schemas:extension:sac:2.0:group-roles']['roles'][1]['value']"
},
{
"condition": "$.displayName == 'SAC_ADMIN'",
"constant": "Admin",
"optional": true,
"targetPath": "$['urn:sap:params:scim:schemas:extension:sac:2.0:group-roles']['roles'][1]['display']"
}
]
}
}
Thank you very much!
Did you set the sac.group.prefix property?
PS: If you also use the IAS part, you can skip provisioning the groups/roles and provision just the users, as they will always be picked up when logging in. This likely keeps license use more in check and is better security-wise.