
Manage group to team assignments for SAC within Identity Provisioning

renejurmann
Participant

Hi experts,

For our BTP landscape and SAP Cloud we have set up a central Cloud Identity Service (CIS) tenant to centralize the user management.

Now, for SAP Analytics Cloud (SAC) we have configured our central CIS tenant as a bundled Cloud Identity Service tenant based on the SAP help link:
Authentication Options | SAP Help Portal

Following this procedure a source and target system in the Identity Provisioning are automatically created. We just adapted the properties of the source system to include "idds.group.filter" and "idds.user.filter". On the target system we set the user and password according to the OAuth client created in SAC and added properties "ips.delete.threshold.groups" and "ips.delete.threshold.users".

Within the CIS we have following groups maintained for SAC:

CIS group (technical name)   CIS group (display name)       SAC team
sac_dev_admin                SAC Administrators (on Dev)    sac_admin
sac_dev_planning_user        SAC Planning User (on Dev)     sac_planning_user
sac_dev_reporting_user       SAC Reporting User (on Dev)    sac_reporting_user

Now, we want to adapt the transformation within the target system for SAC to ensure that all users assigned to the CIS groups will be assigned to the corresponding SAC teams (example: users in group "sac_dev_reporting_user" should be assigned to the "sac_reporting_user" team in SAC).

We tried the following:

{
	"user": {
		"condition": "isValidEmail($.emails[0].value) && (('%sac.group.prefix%' === 'null') || ($.groups[?(@.display =~ /%sac.group.prefix%.*/)] empty false))",
		"mappings": [
			...,
			{
				"sourcePath": "$.groups[*].value",
				"preserveArrayWithSingleElement": true,
				"optional": true,
				"targetPath": "$.groups[?(@.value)]",
				"functions": [
					{
						"function": "replaceString",
						"target": "sac_dev_admin",
						"replacement": "sac_admin"
					},
					{
						"function": "replaceString",
						"target": "sac_dev_planning_user",
						"replacement": "sac_planning_user"
					},
					{
						"function": "replaceString",
						"target": "sac_dev_reporting_user",
						"replacement": "sac_reporting_user"
					}
				]
			},
			...
		]
	},
	"group": {
		...
	}
}

Unfortunately, this was not working. Instead all team and role assignments were removed from all users.

How can we handle CIS group to SAC team assignments within the Identity Provisioning when group and team name differ?

It must be ensured that not only the initial assignment can be handled via Identity Provisioning but updates as well (such as changes in the CIS group assignments as well as removal from CIS groups).

 

regards

René

Accepted Solutions (1)

dyaryura
Contributor

Hi @renejurmann

We're using SAML mapping for Teams and it works perfectly fine. I don't see any issue with that. Currently SAC does not support OIDC, so you might have configured IAS to Entra as a proxy with OIDC, but in SAC the trust configuration to IAS can be done only using SAML. I have not seen any other option there.
The array is perfectly fine, you then map each group. In our case we're using the groups from Entra. Sample below:

[screenshot: dyaryura_1-1764771196428.png]

Then the mapping in SAC; in this case we're using groups from Entra (Entra as a proxy in IAS, getting the group IDs in the groups attribute using OIDC).

[screenshot: dyaryura_0-1764771155866.png]

 

renejurmann
Participant

Hi @dyaryura ,

thanks for the screenshots - that helped a lot. And now it is working on our side as well.

Just as a remark, if you follow the SAP Help on adding a bundled Cloud Identity Service tenant to SAC, the application in the Cloud Identity Service tenant is created using OIDC.

[screenshot: renejurmann_0-1764935146462.png]

However, even if the application is created using OIDC, the rest of the configuration is the same. Meaning, we created an attribute "custom1" and mapped it to "All Groups" within the Cloud Identity Services.

[screenshot: renejurmann_1-1764935293499.png]

Then we edited the "SAML Team Mapping" in SAC for the corresponding teams. We just used the (technical) name of the group in Cloud Identity Service rather than the "group ID" as in your case.

So, SAML attribute mapping is also working even if the Cloud Identity Service tenant is connected via OIDC to the SAC.

dyaryura
Contributor
I see what you mention is a pretty new feature which I'd like to explore. Very good info! This is supposed to be released this week actually, as per the documentation you shared, in the DC we use, so I'll have a look next week. It's great to know SAC and DS now support OIDC!!

Answers (2)

dyaryura
Contributor

Hi @renejurmann 

We have discussed this earlier in the community and I think it is much easier to configure the group assignments via SAML. This is explained in detail in the learning with some AS Java system, but the idea is the same using CIS. This is much simpler than provisioning the users via IPS.

As a general rule for IPS, to avoid overwriting users or assignments we usually have a PATCH operation available as part of the SCIM protocol. If you check in the documentation https://help.sap.com/docs/identity-provisioning/identity-provisioning/target-sap-analytics-cloud you'll see a note referring to the parameter "sac.support.patch.operation" and the exact issue you're facing with role removals.

In terms of the transformation, if the groups only differ because of the value "_dev_", I'd look for just one replaceString function to always replace "_dev" with "" (empty value).

renejurmann
Participant

Hi @dyaryura ,

I first explored the SAML attribute mapping. But following the guidelines to set up a Bundled Cloud Identity Service tenant the SAC is connected to the Cloud Identity Service tenant using the OpenID protocol. Furthermore the groups are sent as an array in attribute "teams". A simple attribute mapping will not work anyway as you can't use "equals" on an array comparing with a simple string.

Our first approach was to just replace "_dev" with an empty string - but this did not work. Not sure if "groups.value" as source attribute takes the group display name or technical name...

So, any hints on that?
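An added illustration (my own Python, not code from the posts or from SAP Identity Provisioning) of the mapping asked for in this thread: it derives the SAC team from the CIS group technical names in the table above using the single "_dev" replacement suggested in the answers, checks membership per array element the way SAML team mapping over a multi-valued attribute has to, and computes the add/remove delta for one user so that group updates and removals are propagated instead of wiping every assignment. The prefix filter and the current-team state are constructed assumptions.

```python
import re
from typing import Iterable, Optional, Set, Tuple

# CIS technical group name -> SAC team, exactly as listed in the question
GROUP_TO_TEAM = {
    "sac_dev_admin": "sac_admin",
    "sac_dev_planning_user": "sac_planning_user",
    "sac_dev_reporting_user": "sac_reporting_user",
}
GROUP_PREFIX = "sac_"  # assumption: stands in for the %sac.group.prefix% filter


def team_for_group(group: str) -> Optional[str]:
    """Derive the SAC team name from a CIS group technical name.

    Mirrors the single replaceString of "_dev" -> "" suggested in the answers,
    applied only to groups carrying the SAC prefix, so unrelated CIS groups
    (other BTP applications) never produce a team.
    """
    if not group.startswith(GROUP_PREFIX):
        return None
    return re.sub(r"_dev(?=_|$)", "", group, count=1)


def desired_teams(cis_groups: Iterable[str]) -> Set[str]:
    """Teams a user should hold, given the multi-valued group attribute.

    The check is per array element (membership); a string "equals" against
    the whole array, as noted in the thread, would never match.
    """
    return {team for g in cis_groups if (team := team_for_group(g)) is not None}


def reconcile(current_teams: Iterable[str], cis_groups: Iterable[str]) -> Tuple[list, list]:
    """Compute (teams_to_add, teams_to_remove) for one user.

    Applying only this delta propagates CIS changes (new membership, removal)
    without clearing every existing assignment, which is what the question observed.
    """
    wanted = desired_teams(cis_groups)
    current = set(current_teams)
    return sorted(wanted - current), sorted(current - wanted)


if __name__ == "__main__":
    # constructed sample: user moved from admin to planning and keeps reporting
    add, remove = reconcile(
        ["sac_admin", "sac_reporting_user"],
        ["sac_dev_planning_user", "sac_dev_reporting_user", "btp_dev_user"],
    )
    print("add:", add, "remove:", remove)
```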