
IAS/IPS: Automatically assign Role in SAC

tskwin
Participant

Dear Experts,

I am trying to automatically assign roles to SAC users using this code. The users are provisioned to SAC with IPS, and the groups SAC_ADMIN and SAC_MODELER are visible in SAC (with the users).

However, when the users log into SAC, the roles are not automatically assigned to them.

What might be wrong with the code?

{
    "user": {
        "condition": "($.emails[0].value EMPTY false) && isValidEmail($.emails[0].value)",
        "mappings": [
            {
                "constant": [
                    "urn:sap:params:scim:schemas:extension:sac:2.0:user-custom-parameters",
                    "urn:ietf:params:scim:schemas:core:2.0:User",
                    "urn:sap:params:scim:schemas:extension:enterprise:2.0:User"
                ],
                "targetPath": "$.schemas"
            },
            {
                "sourceVariable": "entityIdTargetSystem",
                "targetPath": "$.id"
            },
            {
                "sourcePath": "$.emails[0].value",
                "targetPath": "$.userName"
            },
            {
                "condition": "$.emails[?(@.primary == true)].value != []",
                "sourcePath": "$.emails[?(@.primary == true)].value",
                "preserveArrayWithSingleElement": false,
                "optional": true,
                "targetPath": "$.userName"
            },
            {
                "sourcePath": "$.userName",
                "optional": true,
                "targetPath": "$.userName"
            },
            {
                "sourcePath": "$.name.givenName",
                "optional": true,
                "targetPath": "$.name.givenName"
            },
            {
                "sourcePath": "$.name.middleName",
                "optional": true,
                "targetPath": "$.name.middleName"
            },
            {
                "sourcePath": "$.name.familyName",
                "optional": true,
                "targetPath": "$.name.familyName"
            },
            {
                "sourcePath": "$.displayName",
                "optional": true,
                "targetPath": "$.displayName"
            },
            {
                "sourcePath": "$.externalId",
                "optional": true,
                "targetPath": "$.externalId"
            },
            {
                "sourcePath": "$.active",
                "optional": true,
                "targetPath": "$.active"
            },
            {
                "sourcePath": "$.emails",
                "preserveArrayWithSingleElement": true,
                "targetPath": "$.emails"
            },
            {
                "condition": "$.emails[0].length() > 0",
                "constant": true,
                "targetPath": "$.emails[0].primary"
            },
            {
                "sourcePath": "$.groups[*].value",
                "preserveArrayWithSingleElement": true,
                "optional": true,
                "targetPath": "$.groups[?(@.value)]",
                "functions": [
                    {
                        "function": "resolveEntityIds",
                        "entityType": "group"
                    }
                ]
            },
            {
                "sourcePath": "$['urn:sap:params:scim:schemas:extension:sac:2.0:user-custom-parameters']",
                "optional": true,
                "targetPath": "$['urn:sap:params:scim:schemas:extension:sac:2.0:user-custom-parameters']"
            },
            {
                "sourcePath": "$['urn:sap:params:scim:schemas:extension:sac:2.0:user-custom-parameters']['idpUserId']",
                "optional": true,
                "targetPath": "$['urn:sap:params:scim:schemas:extension:sac:2.0:user-custom-parameters']['idpUserId']"
            },
            {
                "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']",
                "optional": true,
                "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']",
                "functions": [
                    {
                        "function": "resolveEntityIds"
                    }
                ]
            }
        ]
    },
    "group": {
        "condition": "('%sac.group.prefix%' === 'null') || ($.displayName =~ /%sac.group.prefix%.*/)",
        "mappings": [
            {
                "constant": [
                    "urn:ietf:params:scim:schemas:core:2.0:Group",
                    "urn:sap:params:scim:schemas:extension:sac:2.0:group-roles",
                    "urn:sap:params:scim:schemas:extension:sac:2.0:group-custom-parameters"
                ],
                "targetPath": "$.schemas"
            },
            {
                "sourcePath": "$.displayName",
                "targetPath": "$.id",
                "functions": [
                    {
                        "function": "replaceFirstString",
                        "condition": "('%sac.group.prefix%' !== 'null') && (@ =~ /%sac.group.prefix%.*/)",
                        "regex": "%sac.group.prefix%",
                        "replacement": ""
                    }
                ]
            },
            {
                "sourcePath": "$.displayName",
                "targetPath": "$.displayName",
                "functions": [
                    {
                        "function": "replaceFirstString",
                        "condition": "('%sac.group.prefix%' !== 'null') && (@ =~ /%sac.group.prefix%.*/)",
                        "regex": "%sac.group.prefix%",
                        "replacement": ""
                    }
                ]
            },
            {
                "sourcePath": "$.externalId",
                "optional": true,
                "targetPath": "$.externalId"
            },
            {
                "sourcePath": "$.roles",
                "preserveArrayWithSingleElement": true,
                "optional": true,
                "targetPath": "$.roles"
            },
            {
                "sourcePath": "$.members[*].value",
                "preserveArrayWithSingleElement": true,
                "optional": true,
                "targetPath": "$.members[?(@.value)]",
                "functions": [
                    {
                        "function": "resolveEntityIds",
                        "entityType": "user"
                    }
                ]
            },
            {
                "sourcePath": "$['urn:sap:params:scim:schemas:extension:sac:2.0:group-roles']",
                "optional": true,
                "targetPath": "$['urn:sap:params:scim:schemas:extension:sac:2.0:group-roles']"
            },
            {
                "sourcePath": "$['urn:sap:params:scim:schemas:extension:sac:2.0:group-custom-parameters']",
                "optional": true,
                "targetPath": "$['urn:sap:params:scim:schemas:extension:sac:2.0:group-custom-parameters']"
            },
            {
                "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['description']",
                "optional": true,
                "targetPath": "$['urn:sap:params:scim:schemas:extension:sac:2.0:group-custom-parameters']['description']"
            },
            {
                "condition": "$.displayName == 'SAC_MODELER'",
                "constant": "PROFILE:sap.epm:Modeler",
                "targetPath": "$['urn:sap:params:scim:schemas:extension:sac:2.0:group-roles']['roles'][0]['value']"
            },
            {
                "condition": "$.displayName == 'SAC_MODELER'",
                "constant": "Modeler",
                "targetPath": "$['urn:sap:params:scim:schemas:extension:sac:2.0:group-roles']['roles'][0]['display']"
            },
            {
                "condition": "$.displayName == 'SAC_ADMIN'",
                "constant": "PROFILE:sap.epm:Admin",
                "optional": true,
                "targetPath": "$['urn:sap:params:scim:schemas:extension:sac:2.0:group-roles']['roles'][1]['value']"
            },
            {
                "condition": "$.displayName == 'SAC_ADMIN'",
                "constant": "Admin",
                "optional": true,
                "targetPath": "$['urn:sap:params:scim:schemas:extension:sac:2.0:group-roles']['roles'][1]['display']"
            }
        ]
    }
}

 

 

Thank you very much!

MatthiasL
Explorer

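Did you set the sac.group.prefix property? The group condition in your transformation only lets a group through if '%sac.group.prefix%' resolves to 'null' or the group's displayName starts with that prefix, and the replaceFirstString functions then strip the prefix from the group's id and displayName.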

https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/list-of-properties?locale=...

https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/target-sap-analytics-cloud...

PS: If you also use the IAS part, you can skip provisioning the groups/roles and provision just the users, as they will always be picked up when logging in. This likely keeps license use more in check and is better security-wise.