Provision users based on group membership

kuja
Newcomer

Hi,

We have our IPS connected to our Azure AD (source system). Now we want to provision users into different target systems based on group membership.

So let's say we have target system 1 and target system 2. All users exist in our Azure AD but we only want to provision users belonging to AD group ABC into target system 1 and users belonging to AD group XYZ have to go to target system 2.

What's the best way to do this? Our first idea was to create different source systems and using aad.group.filter to do this but then when we add more and more systems it will become more difficult to manage (and there is a limit on source systems).

Accepted Solutions (0)

Answers (2)

TobiasPahlings
Participant

Hi Kurt,

I would recommend using only one source system and then having a condition on the user provisioning part in the target transformation.

In my projects I typically do it like this:

{
  "user": {
    "condition": "$.groups[?(@.value IN [%provisioning.groups.array%])] EMPTY false",
    "mappings": [
      {
        ...

Additionally, you can then create a parameter called "provisioning.groups.array" with all the groups that should govern provisioning to that specific application. The parameter needs to be filled with a comma-separated list of strings like this:

'<Group Name 1>','<Group Name 2>','<Group Name 3>'

BR

Tobias

rcaziraghi
Participant

Hello!
Just to add to this, the "ias.api.version" property in the source system changes the payload. So if you are using "ias.api.version = 2", the rule would look like:

"condition": "$.groups[?(@.display IN [%provisioning.groups.array%])] EMPTY false",

Please note that it changes to "@.display" instead of "@.value".
After that this works without an issue. Hope this helps someone who finds this post in the future.

Best regards,
Rafael
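To make the two filter variants from the answers above concrete, here is an added Python model of the condition (not IPS code, and the sample user payloads are constructed): it evaluates the `IN [...]` filter against the groups attribute each answer names and applies the `EMPTY false` test, so the effect of checking "@.value" versus "@.display" on the two payload versions is visible.

```python
import re

# Constructed sample payloads (not from the thread): the shape of the SCIM
# "groups" attribute a target transformation sees for one user.
# Default payload: the group name sits in "value".
USER_V1 = {"userName": "jdoe",
           "groups": [{"value": "ABC", "display": "ABC"},
                      {"value": "Finance", "display": "Finance"}]}
# With ias.api.version = 2 the name is in "display" and "value" holds an id.
USER_V2 = {"userName": "jdoe",
           "groups": [{"value": "id-0001-abc", "display": "ABC"},
                      {"value": "id-0002-fin", "display": "Finance"}]}
USER_NO_GROUPS = {"userName": "nobody", "groups": []}


def parse_groups_param(raw):
    """Split the comma-separated quoted list used for %provisioning.groups.array%."""
    return [g.strip().strip("'\"") for g in raw.split(",") if g.strip()]


def groups_in(user, attr, allowed):
    """Model of $.groups[?(@.<attr> IN [...])]: the group objects that match."""
    return [g for g in user.get("groups", []) if g.get(attr) in allowed]


def groups_matching_prefix(user, attr, prefix):
    """Model of $.groups[?(@.<attr> =~ /^<prefix>/)]: groups whose attr starts with prefix."""
    pattern = re.compile("^" + re.escape(prefix))
    return [g for g in user.get("groups", []) if pattern.match(g.get(attr, ""))]


def should_provision(matches):
    """The 'EMPTY false' part: provision only when the filter returned something."""
    return len(matches) > 0


if __name__ == "__main__":
    allowed = parse_groups_param("'ABC','XYZ'")
    for label, user in (("v1", USER_V1), ("v2", USER_V2), ("none", USER_NO_GROUPS)):
        print(label, "value:", should_provision(groups_in(user, "value", allowed)),
              "display:", should_provision(groups_in(user, "display", allowed)))
```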

julie_hodgson3
Explorer

Hi,

I changed condition to

condition: "$.groups[?(@.value IN [\"SAC_Analytics_User\", \"SAC_Analytics_Administrator\"])] EMPTY false"

and I get ALL users that have ANY group assigned.

I would prefer to use the property sac.group.prefix (set to SAC) and test for displayName as follows

($.groups[?(@.displayName =~ /^sac.group.prefix/)])

but this also selects every user that has ANY group assigned.

Can anyone help?

cheers,

Julie