Provisioning Service

May 23, 2018 | Author: hevria | Category: Provisioning, Sap Se, Cloud Computing, Secure Shell, Digital Technology






PUBLIC 2018-01-02
SAP Cloud Platform Identity Provisioning Service

Content
1 SAP Cloud Platform Identity Provisioning Service [page 4]
1.1 What's New [page 6]
    Release Notes – 2017 [page 6]
    Release Notes – 2016 [page 17]
1.2 Product Overview [page 20]
1.3 Getting Started [page 23]
    Access the Identity Provisioning Service (Productive) [page 24]
    Access the Identity Provisioning Service (Trial) [page 26]
1.4 Operations [page 28]
    Transformations [page 29]
    Systems [page 46]
    Properties [page 54]
    Manage Jobs and Job Logs [page 83]
    Manage Job Notifications [page 86]
    Reset Identity Provisioning Configuration [page 88]
1.5 Scenarios [page 88]
    Local Identity Directory (Source and Target) [page 89]
    SAP Analytics Cloud – Beta (Source and Target) [page 92]
    SAP Application Server ABAP (Source) [page 95]
    SAP Cloud Platform Identity Authentication (Source and Target) [page 101]
    SAP Cloud Platform Java/HTML5 Apps (Target) [page 108]
    SAP Document Center (Target) [page 110]
    SAP HANA Database – Beta (Target) [page 112]
    SAP Hybris Cloud for Customer (Target) [page 118]
    SAP Identity Management Hybrid Scenario [page 124]
    SAP Jam (Source or Target) [page 126]
    SAP SuccessFactors (Source) [page 131]
    Concur (Source or Target) [page 133]
    CloudFoundry UAA Server (Target) [page 139]
    Microsoft Active Directory (Source) [page 142]
    Microsoft Azure Active Directory (Source and Target) [page 146]
    Google G Suite (Source and Target) [page 152]
    SSH Server – Beta (Source and Target) [page 159]
    SCIM (Source and Target) [page 163]
    LDAP Server (Source) [page 167]
1.6 Identity Directory (Beta) [page 172]
    Enabling Identity Directory [page 173]
    Managing Resources [page 174]
    Requesting Audit Logs [page 202]
    Security [page 203]
1.7 Security [page 204]
1.8 Support [page 207]

1 SAP Cloud Platform Identity Provisioning Service

Table 1:
Get Started: What's New (Release Notes – 2017 [page 6], Release Notes – 2016 [page 17]), Product Overview [page 20], Getting Started [page 23]
Scenarios: Local Identity Directory (Source and Target) [page 89], SAP Analytics Cloud – Beta (Source and Target) [page 92], SAP Application Server ABAP (Source) [page 95], SAP Cloud Platform Identity Authentication (Source and Target) [page 101], SAP Cloud Platform Java/HTML5 Apps (Target) [page 108], SAP Document Center (Target) [page 110], SAP HANA Database – Beta (Target) [page 112], SAP Hybris Cloud for Customer (Target) [page 118], SAP Identity Management Hybrid Scenario [page 124], SAP Jam (Source or Target) [page 126], SAP SuccessFactors (Source) [page 131], Concur (Source or Target) [page 133], CloudFoundry UAA Server (Target) [page 139], Microsoft Active Directory (Source) [page 142], Microsoft Azure Active Directory (Source and Target) [page 146], Google G Suite (Source and Target) [page 152], SSH Server – Beta (Source and Target) [page 159], SCIM (Source and Target) [page 163], LDAP Server (Source) [page 167]
Resources: Identity Directory (Beta) [page 172], Operations [page 28], Security [page 204], Support [page 207]
Disclaimer: Legal Disclosure, Copyright and Trademarks

1.1 What's New
Find out the latest news about the Identity Provisioning service. You can also check the release notes for this SAP Cloud Platform service from the last year (2016).

Related Information: Release Notes – 2017 [page 6], Release Notes – 2016 [page 17]

1.1.1 Release Notes – 2017

Table 2:
Date | Function | Type of Change | Description
2017-12-28 | SAP Analytics Cloud (beta) | New | A new provisioning system is available for both reading and writing entities. See: SAP Analytics Cloud – Beta (Source and Target) [page 92]
2017-12-28 | Properties | New | Four new properties have been created, as follows: ● SSH properties for reading users and groups in SSH Server (Beta) source systems: ssh.users.read.command and ssh.groups.read.command ● SCIM properties, currently applicable only to SAP Analytics Cloud (Beta) source systems: scim.csrf.protection and csrf.token.api.path. See: List of Properties [page 56]
2017-12-28 | SSH Server (beta) | Enhancement | You can now use the SSH Server (Beta) connector for both reading and writing entities, configuring two additional properties. See: SSH Server – Beta (Source and Target) [page 159]
2017-12-28 | SAP Hybris Cloud for Customer | Enhancement | SAP Hybris C4C connector has a new API, which requires a new transformation in the Identity Provisioning UI. You can either use the old transformation (which is default), or replace it with the new one. See: SAP Hybris Cloud for Customer (Target) [page 118]
2017-11-24 | Job logs | New | You can now export job execution logs. See: Manage Jobs and Job Logs [page 83]
2017-11-09 | Properties | New | A new SCIM property, scim.group.members.additional.attributes, allows you to request additional attributes while reading groups from an Identity Authentication source system. Find this property on page: List of Properties [page 56]
2017-11-09 | Job logs | New | You can set a retention period (7, 14 or 30 days) for your provisioning job logs. By default, your logs are kept for 7 days. See: Manage Jobs and Job Logs [page 83]
2017-11-09 | Identity Authentication (system) | Enhancement | You can now read and write groups in the Identity Authentication system using SCIM API. Previously, you could provision users and groups only through the Identity Authentication UI. See: SAP Cloud Platform Identity Authentication (Source and Target) [page 101]
2017-10-18 | Target systems (beta) | New | The following new target systems (connectors) are available in the Identity Provisioning UI: ● SSH Server – Beta (Source and Target) [page 159] – It helps you execute bash scripts through SSH connection. The configuration allows you to attach separate scripts per entity lifecycle callback (such as user create, group update, and so on). ● SAP HANA Database – Beta (Target) [page 112] – It helps you connect to an SAP HANA Database that is installed on a remote system (cloud or on-premise). You can reach its JDBC SQL port either directly or via an SSH tunnel. Once you access this port, you can provision entities (users and user assignments). You have to configure this target connector according to the location where SAP HANA Database is installed. Cases: ○ Installed on-premise – you need to configure an SSH tunnel and the Cloud Connector access control. ○ Installed on SAP Cloud Platform (Neo) – you can make a direct connection. ○ Installed on SAP Cloud Platform (Cloud Foundry) – you have to open an SSH tunnel to a running application container, and have to configure a security group that allows the applications in this space to access the JDBC SQL port. You also need the Space Developer role. Remember: As these connectors are still in beta state, we recommend that you do not use them in enterprise accounts.
2017-10-18 | Job notifications | Enhancement | You can now receive e-mail notifications for successful provisioning jobs that have previously failed. See: Manage Job Notifications [page 86]
2017-09-25 | Identity Directory (beta service) | New | Identity Directory is a beta service in SAP Cloud Platform cockpit and depends on the Identity Provisioning service. It provides organizations with a directory for securely storing and managing users and groups in SAP Cloud Platform. See: Identity Directory (Beta) [page 172]
2017-09-25 | Local Identity Directory (system) | New | You can use the Identity Directory as your local source or target system. See: Local Identity Directory (Source and Target) [page 89]
2017-09-25 | Value mappings | New | A new JSON expression, valueMapping, allows multiple entity attributes from a source system to be mapped to a single custom attribute in the target. For example, you can take user attributes country + city and map them to a target attribute timezone. See: JSON Expressions and Functions [page 31] → valueMapping
2017-09-25 | Target SCIM systems | Enhancement | As you know, in a target system you can disable (deactivate) entities if they are deleted in the source system, or if there is a condition for them not to be read anymore. To do this, you need to use the deleteEntity scope in the default target system transformations. Now you can disable such entities in generic SCIM systems which don't support PATCH operations. For this aim, use the new system property scim.support.patch.operation, setting it to false. Find this property on page: List of Properties [page 56]. See also: JSON Expressions and Functions [page 31] → deleteEntity
2017-09-07 | SAP Document Center | New | You can now use SAP Document Center as a target system to provision users from other systems. See: SAP Document Center (Target) [page 110]
2017-08-10 | Properties | New | Use the following new properties to retry entity operations (create, update, delete) that have failed due to timeout or rate limit: ● ips.failed.request.retry.attempts ● ips.failed.request.retry.attempts.interval. Find these properties on page: List of Properties [page 56]
2017-08-10 | Target systems | Enhancement | Google G Suite and Microsoft Azure AD now support writing both users and groups. See: ● Google G Suite (Source and Target) [page 152] ● Microsoft Azure Active Directory (Source and Target) [page 146]
2017-07-26 | Hybrid scenario | Enhancement | You can now export a created proxy system and then import it as a SCIM repository in SAP Identity Management. See: ● SAP Identity Management Hybrid Scenario [page 124] ● Export and Import Systems [page 53]
2017-07-26 | Concur system | Enhancement | Concur offers three types of edition sites. The Identity Provisioning service supports the Standard one, which allows you to provision users without grouping them into organization units. If your Concur site requires grouping of users, you need to add some extra JSON code lines into your target transformation. To learn how, see: Concur (Source or Target) [page 133]
2017-07-07 | Hybrid scenario | New | You can now provision entities from a cloud to an on-premise system (and the other way around) without making a direct connection between them. For this aim, you can use a proxy system. See: SAP Identity Management Hybrid Scenario [page 124]. Note: Currently, this hybrid scenario is only applicable to SAP Identity Management, used as the on-premise system.
2017-07-07 | Source systems | Enhancement | Concur and Google G Suite, which you could previously use only as target systems, are now available also as sources. Available operations: ● Concur supports reading and writing users, as well as reading groups. ● Google G Suite supports reading and writing users.
2017-06-19 | Custom HTTP headers | New | You can pass additional information with the HTTP requests. See: List of Properties [page 56] → ips.http.header.<header_name>
2017-05-31 | Skip operations | New | If you want the provisioning job to not execute create or delete operations on entities of a certain type, use the skipOperations scope. See: JSON Expressions and Functions [page 31] → JSON Path Expressions → skipOperations
2017-05-31 | Log personal content | New | Choose whether to enable or disable logging of personal data for provisioned entities. See: List of Properties [page 56] → ips.trace.failed.entity.content
2017-05-05 | deleteEntity | New | If an entity is no longer existing or read from the source system, and you want to not delete it but only change its status in the target system, set the deleteEntity scope. See: JSON Expressions and Functions [page 31] → deleteEntity
2017-05-05 | Job notifications | New | You can now subscribe to receive e-mail notifications about provisioning jobs that finish with error. See: Manage Job Notifications [page 86]
2017-05-05 | SCIM properties | Enhancement | You can use the following SCIM properties to search for particular entities: ● scim.user.filter (source systems) – the service will read only the users matching a set filter expression. ● scim.user.unique.attribute (target systems) – if the service tries to recreate an existing user, this property will find the user by a specific attribute, and will only update it. ● scim.group.unique.attribute (target systems) – if the service tries to recreate an existing group, this property will find the group by a specific attribute, and will only update it. See: SCIM (Source and Target) [page 163]
2017-04-03 | Source/Target system | New | A new system, Microsoft Azure Active Directory, has been added to the Identity Provisioning user interface. You can use Azure AD as both a source and a target system for provisioning users. See: Microsoft Azure Active Directory (Source and Target) [page 146]
2017-04-03 | Delta read | Enhancement | You can now optimize the amount of data retrieved from SCIM and Identity Authentication source systems, during a provisioning job. See: Full and Delta Read [page 81]
2017-02-23 | Entity deletion | New | For previously existing and provisioned entities, if they have been recently deleted from the source system, you can now decide whether to delete them from the target system or not. See: Manage Deleted Entities [page 80]
2017-02-09 | Combo box controls | New | ● When adding or editing a system, you no longer need to manually enter the destination but you can select it from a combo box. ● When adding or editing a target system, you no longer need to manually enter a string of source systems. You can now select the relevant one(s) from a combo box. See: Systems [page 46]
2017-02-09 | Delta read | New | You can now optimize the amount of data retrieved from Microsoft AD and SAP SuccessFactors source systems during a provisioning job. See: Full and Delta Read [page 81]
2017-01-19 | Import and export | New | You can now import and export source and target systems. See: Systems [page 46]
2017-01-19 | Trial use | Announcement | You can now test the trial version of the Identity Provisioning service. To open the user interface, go to the Services section in the SAP Cloud Platform cockpit. See: Access the Identity Provisioning Service (Trial) [page 26]

Related Information: Release Notes – 2016 [page 17]

1.1.2 Release Notes – 2016

Table 3:
Date | Function | Type of Change | Description
2016-12-21 | User interface | New | You can now access the Identity Provisioning service as a separate HTML5 application. To open the user interface, go to the Services section in SAP Cloud Platform cockpit. See: Access the Identity Provisioning Service (Productive) [page 24]
2016-12-21 | Source system | New | A new source system, LDAP Server, has been added to the Identity Provisioning user interface. See: LDAP Server (Source) [page 167]
2016-11-23 | Target system | New | A new target system, CloudFoundry UAA Server, has been added to the Identity Provisioning user interface. You can use this system to write identity and authorization data, such as user accounts and groups. See: CloudFoundry UAA Server (Target) [page 139]
2016-11-23 | Transformations | Enhancement | Three additional features are now available: ● ignore – this expression allows you to disable parts of the transformation mapping during provisioning ● createEntity – you can set this scope to an entity's attribute to ensure that it is only processed during creation. ● randomPassword – a function for generating random passwords, using standard and special characters. See: Manage Transformations [page 30]
2016-11-23 | Entities | Enhancement | You can now provision ABAP roles and transform them as SCIM groups in a target system. See: SAP Application Server ABAP (Source) [page 95]
2016-11-09 | Source system | New | A new source system, SCIM System, has been added to the Identity Provisioning user interface. You can use this system to provision identity and authorization data. See: SCIM (Source and Target) [page 163]
2016-10-26 | Transformations | New | New functions are available for transformations of all source and target systems. See: Manage Transformations [page 30]
2016-10-26 | Target systems | New | You can use the following target systems to read provisioned identity data: ● Google G Suite (Source and Target) [page 152] ● Concur (Source or Target) [page 133]
2016-10-12 | Job Execution Details | Enhancement | The function Job Execution Details has now been enhanced to help you investigate any failed entities. See: Manage Jobs and Job Logs [page 83]
2016-10-12 | Target system | New | A new target system, SAP Cloud Platform Java/HTML5 Apps, has been added to the Identity Provisioning user interface. You can use this system to read identity data. See: SAP Cloud Platform Java/HTML5 Apps (Target) [page 108]
2016-09-15 | Identity Provisioning (service) | New | SAP Cloud Platform Identity Provisioning service allows customers to provision the centrally managed identities and their access across the enterprise. See: Product Overview [page 20]
2016-09-15 | Identity Provisioning (UI) | New | In SAP Cloud Identity Administration Console, there is a new section – Identity Provisioning.
2016-09-15 | Source systems | New | You can use the following source systems to provision identity and authorization data: ● SAP Application Server ABAP (Source) [page 95] ● Microsoft Active Directory (Source) [page 142] ● SAP SuccessFactors (Source) [page 131] ● SAP Cloud Platform Identity Authentication (Source and Target) [page 101]
2016-09-15 | Target systems | New | You can use the following target systems to write identity data: ● SAP Cloud Platform Identity Authentication (Source and Target) [page 101] ● SAP Hybris Cloud for Customer (Target) [page 118] ● SCIM (Source and Target) [page 163] ● SAP Jam (Source or Target) [page 126]

1.2 Product Overview
SAP Cloud Platform Identity Provisioning service (in short, Identity Provisioning service) offers a comprehensive approach to identity lifecycle management in the cloud. Its purpose is to provide easy provisioning of users, groups and other entities between heterogeneous systems. This cloud service allows customers to provision the centrally managed identities and their access across the enterprise. It delivers an intuitive cloud environment for identity lifecycle management that is convenient to use and maintain.

Software Capabilities
● The Identity Provisioning is delivered as a service on SAP Cloud Platform (in short, the platform) and offers a simple identity lifecycle management for heterogeneous system landscapes.
● The Identity Provisioning service offers a quick setup of new business applications with user accounts and authorizations, based on your business needs.
● The automation of identity lifecycle management enables the instant roll-out of updates for user accounts, groups and business roles, and dynamically updated authorizations, enabling a high level of security.
● It can provision users to the Identity Authentication service, helping companies to easily enable strong authentication for their business solutions.

Technical System Landscape
As a service delivered on the cloud, Identity Provisioning requires some settings (properties) to be configured – either in the SAP Cloud Platform cockpit or in the Identity Provisioning service user interface, defined for your source, target, or proxy system. The systems are three types:
● Source system – this is usually the existing corporate user store of the company (like the central user administration (CUA) of AS ABAP or Microsoft Active Directory).
● Target system – this is the cloud system that you want to populate with entities from your source system.
● Proxy system – this is a special connector used for "hybrid" scenarios. You can provision entities from a cloud to an on-premise system (and the other way around) without making a direct connection between them. First, you need to run an initial load of entities from the cloud to the on-premise system, and then the proxy connector executes provisioning operations (read, create, update, etc.) requested by the on-premise system.
When setting up these systems in the Identity Provisioning service user interface, you can choose from the available system types, which can be a cloud or an on-premise system. Besides running the initial provisioning of entities (users, groups, roles), you can also schedule jobs to run the provisioning on a regular basis, in order to automate the provisioning process and keep the target system up to date. You also have the option to extend the transformation logic, and adjust it to your business needs.
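The read, transform and write cycle described above, as an added example that is not SAP's code: a minimal reconciliation in Python that reads constructed source records, maps them onto the target's data model (including a country + city to timezone value mapping), matches entities on a unique attribute so a re-run updates instead of duplicating them, and deactivates rather than deletes entities that have disappeared from the source, which is what the deleteEntity scope in the release notes is for. The attribute names, sample data and function names are assumptions made for this illustration.

```python
# Constructed sample: records as read from a source system (LDAP-style attributes).
SOURCE_USERS = [
    {"uid": "jdoe", "mail": "jdoe@example.com", "givenName": "Jane",
     "sn": "Doe", "c": "DE", "l": "Berlin"},
    {"uid": "asmith", "mail": "asmith@example.com", "givenName": "Al",
     "sn": "Smith", "c": "US", "l": "Boston"},
]

# Constructed sample: what the target (a SCIM-style system) holds right now.
TARGET_USERS = [
    {"id": "t-1", "userName": "jdoe@example.com",
     "name": {"givenName": "Jane", "familyName": "Doe"},
     "timezone": "Europe/Berlin", "active": True},
    {"id": "t-9", "userName": "old@example.com",
     "name": {"givenName": "Old", "familyName": "Account"},
     "timezone": "UTC", "active": True},
]

# Constructed value mapping: two source attributes (country + city) feed one
# target attribute (timezone), in the spirit of the valueMapping expression.
TIMEZONES = {("DE", "Berlin"): "Europe/Berlin", ("US", "Boston"): "America/New_York"}


def transform(src):
    """Map one source record onto the target's data model (hypothetical mapping)."""
    return {
        "userName": src["mail"],
        "name": {"givenName": src["givenName"], "familyName": src["sn"]},
        "timezone": TIMEZONES.get((src["c"], src["l"]), "UTC"),
        "active": True,
    }


def reconcile(source, target, unique_attribute="userName"):
    """Compute the operations that bring `target` in line with `source`.

    Returns a list of (operation, key, payload) tuples:
      create     - key is the unique attribute value, payload the full record
      update     - key is the target id, payload only the changed attributes
      deactivate - key is the target id, payload {"active": False}

    Entities are matched on `unique_attribute`, so re-running the job updates
    an existing account instead of creating a duplicate. Entities that
    vanished from the source are deactivated, never deleted: the account keeps
    its id, audit trail and resource ownership, but can no longer be used.
    """
    wanted = {u[unique_attribute]: u for u in (transform(s) for s in source)}
    existing = {t[unique_attribute]: t for t in target}
    ops = []
    for key, desired in wanted.items():
        current = existing.get(key)
        if current is None:
            ops.append(("create", key, desired))
            continue
        changed = {k: v for k, v in desired.items() if current.get(k) != v}
        if changed:
            ops.append(("update", current["id"], changed))
    for key, current in existing.items():
        if key not in wanted and current.get("active", True):
            ops.append(("deactivate", current["id"], {"active": False}))
    return ops


if __name__ == "__main__":
    for op, key, payload in reconcile(SOURCE_USERS, TARGET_USERS):
        print(op, key, payload)
```

Run against the constructed data, the job creates asmith, leaves the unchanged jdoe alone and deactivates the orphaned old@example.com account; scheduling this cycle is what keeps the target in sync.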
Supported Systems
The Identity Provisioning service supports the following system types:

Table 4:
Source Systems: SAP Jam, SAP Cloud Platform Identity Authentication, SAP Analytics Cloud (Beta), Microsoft Azure Active Directory, Local Identity Directory, Google G Suite, Concur, SCIM, SAP SuccessFactors, SAP Application Server ABAP, Microsoft Active Directory, LDAP Server
Target Systems: SAP Jam, SAP Cloud Platform Identity Authentication, SAP Analytics Cloud (Beta), Microsoft Azure Active Directory, Local Identity Directory, Google G Suite, Concur, SCIM, SAP Cloud Platform Java/HTML5 Apps, SAP Hybris Cloud for Customer, SAP HANA Database (Beta), SAP Document Center, CloudFoundry UAA Server, SSH Server (Beta)
Proxy Systems: SAP Jam, SAP Cloud Platform Identity Authentication, SAP Analytics Cloud (Beta), Microsoft Azure Active Directory, Local Identity Directory, Google G Suite, Concur, SCIM

Tip: Proxy systems support both reading and writing entities.

How to use the service?
To configure the Identity Provisioning service and start provisioning entities from a source to a target system, you have to:
1. (Optional) Create a destination in SAP Cloud Platform cockpit.
2. Set up a source, target or a proxy system in the Identity Provisioning user interface.
3. Add the necessary properties to configure the connection between the systems.
4. Define your transformation logic (or leave the default one). For every supported system, there is a specific default transformation logic, which you can adapt to your company business rules.
5. Run a provisioning job.

Related Information: Operations [page 28], Scenarios [page 88], Properties [page 54]

1.3 Getting Started
Before you start using the service, you need to complete the steps below. You can choose whether to only try it out for testing purposes, or purchase it to use it productively.

Trial Use
You need to have a SAP Cloud Platform trial account. For more information, see Signing Up for a Trial Account.
See: Access the Identity Provisioning Service (Trial) [page 26]

Productive Use
1. Purchase the Identity Provisioning service. For more information, see Purchasing an Enterprise Account. After you purchase the Identity Provisioning service, you can access the Identity Provisioning service from the platform cockpit. You will receive administration rights for the tenant.
2. (Optional) Install and configure SAP Cloud Platform cloud connector. You will need it later to create system mappings for your source systems. Note: This is only needed when you provision entities from LDAP-based systems and SAP ABAP. For more information, see SAP Cloud Platform Connector.
3. (Optional) In the cockpit, enable Beta Features for your subaccount. Note: This is only needed if you want to use the local identity directory for provisioning and managing users. For more information, see Using Beta Features in Subaccounts. See: Identity Directory (Beta) [page 172]
Then, see: Access the Identity Provisioning Service (Productive) [page 24]

1.3.1 Access the Identity Provisioning Service (Productive)
Use this page to access the Identity Provisioning user interface so as to productively provision entities from and to various systems.

Prerequisites
● (Optional) You have an SAP Cloud Platform enterprise account. For more information, see Purchasing an Enterprise Account. Note: If you don't have a platform account, you will get one by purchasing the Identity Provisioning service.
● You have purchased the Identity Provisioning service and have administration rights for the tenant. Your account should be subscribed to the following provider applications:
    ● Java application, with URL: https://ips<global_account>.<region_host>/ips
    ● HTML5 application, with URL: https://ipsui5<global_account>.<region_host>
  These subscriptions are created by SAP during your onboarding process. To check them, enter SAP Cloud Platform cockpit, choose your region and your account, and go to Subscriptions.

Context
You can access the Identity Provisioning service as a separate HTML5 application and perform the system provisioning tasks you need. For the next steps, you have to enable and access the Identity Provisioning tile in the platform cockpit.
Note: The secure communication between this HTML5 application and the platform cockpit is realized by principal propagation. This process is automatically enabled by a back-end script. For more information, see Principal Propagation.

Procedure
1. Open the SAP Cloud Platform cockpit. Select your region and then – your global account. For more information, see Cloud Cockpit and Regions and Hosts.
2. Create and save your new subaccount. It appears in the Subaccounts list. Note: We recommend that you create a subaccount. This will prevent configuration conflicts and will help you independently work with the Identity Provisioning service. To learn how, see Creating Subaccounts.
3. Select the subaccount to open it. The Overview section is displayed by default.
4. In the navigation area, choose Services.
5. Open the Identity Provisioning Service tile. The default status of the service is Not enabled.
6. Choose Enable to make it available for work.
7. (Optional) You can assign administrator permissions to additional users from your company. To do this, proceed as follows:
    1. Choose Configure Service, and then go to the Security section.
    2. On the left-side menu, choose Roles. The first table shows that the IPS_ADMIN role is assigned to you by default.
    3. Go to the second table and choose the Assign tab.
    4. Enter the user ID of the additional corporate user. For example, P123456789 (case insensitive).
    5. Choose Assign. The relevant user ID is added to the second table. The IPS_ADMIN role is now assigned to this user. You can add as many additional users as you need.
8. From the breadcrumbs path, choose Identity Provisioning and then click Go to Service.
9. The Identity Provisioning service opens as an independent HTML5 application.

Next Steps
In case of issues during your work with the Identity Provisioning service, you can create an incident. For more information, see Support [page 207]. You can also ask a question in the SAP Community.

Related Information: Systems [page 46], Manage Properties [page 79], Manage Transformations [page 30]

1.3.2 Access the Identity Provisioning Service (Trial)
Use this page to access the trial version of the Identity Provisioning user interface to test its features and resources.

Prerequisites
You have a trial account for SAP Cloud Platform. For more information, see Signing Up for a Trial Account.

Context
The trial subscription of the Identity Provisioning service is limited to non-productive testing, evaluation, and provisioning of identities. Bear in mind the following restrictions:
● You are granted a trial period of 30 days.
● You can add only one source system for reading identities.
● You can add only one target system for writing identities.
● You can read a maximum of 50 identities from the source system.
● The maximum job execution time is 2 minutes.
● You cannot schedule jobs.
Note: The secure communication between this HTML5 application and the platform cockpit is realized by principal propagation. This process is automatically enabled by a back-end script. For more information, see Principal Propagation.

Procedure
1. Log on to the SAP Cloud Platform cockpit: https://account.hanatrial.ondemand.com. For more information, see Cloud Cockpit.
2. Choose Neo Trial. The Overview section is displayed by default.
3. In your personal trial account, go to the navigation area and choose Services.
4. Choose the Identity Provisioning tile. The default status of the service is Not enabled.
5. Choose Enable to make it available for work.
6. (Optional) You can also select additional users from your company and assign them administrator permissions. To do this, proceed as follows:
    1. Choose Configure Service.
    2. From the Security section, on the left-side menu, choose Roles. The first table shows that the IPS_ADMIN role is assigned to you by default.
    3. Go to the second table and choose the Assign tab.
    4. Enter the user ID of the additional corporate user. For example, P123456789 (case insensitive).
    5. Choose Assign. The relevant user ID is added to the second table. The IPS_ADMIN role is now assigned to this user. You can add as many additional users as you need.
7. From the breadcrumbs path, choose Identity Provisioning and then click Go to Service. The Identity Provisioning service opens as an independent HTML5 application.

Next Steps
You can ask questions or share feedback about your experience with the trial version of the Identity Provisioning service. For more information, see Support [page 207].

1.4 Operations
Learn how you:
● Provision entities from the source, where the company is currently managing the corporate identities, to the target.
● Define mapping rules between the data models of sources and targets.
● Run and schedule provisioning jobs.
● View, maintain and delete job logs.
This section describes how you can configure the required provisioning entities in order to ensure proper synchronization between source and target systems. You can also use proxy systems. For more information, see Getting Started [page 23].
The Identity Provisioning service ensures the synchronization of the entities between two systems: ● Source – the system. ● Provide other users with admin rights for your tenant in order to let them operate the Identity Provisioning service from their subaccounts. Before triggering provisioning. as an administrator. Related Information Systems [page 46] Manage Properties [page 79] Manage Transformations [page 30] Manage Job Notifications [page 86] Manage Jobs and Job Logs [page 83] Reset Identity Provisioning Configuration [page 88] SAP Cloud Platform Identity Provisioning Service 28 PUBLIC SAP Cloud Platform Identity Provisioning Service . can set up the Identity Provisioning service so that entities from a source system are easily transferred to a target system. ● Target – the system that needs to be populated with corporate users and other entities. For more information. target and proxy systems. You can perform the following operations: ● Set up source. make sure that you have performed the required setup.Related Information Systems [page 46] Manage Properties [page 79] Manage Transformations [page 30] 1. ● Configure the frequency of the provisioning processes. The administrator of the Identity Provisioning service can change this by adapting the transformation logic to read only the entities that should be provisioned to the target system.4. You can see it on the Transformations tab when you create a new system.4. How it works The default transformation reads everything from the source system and returns a JSON structure. This filter can speed up the processing of the entities and their provisioning to the target system. What is a JSON transformation? For every system supported by the Identity Provisioning service. similar to the one of the source system. Context Two types of transformations occur before the provisioning of entities: ● Read Transformation – from the source system to the provisioning framework. 
1.4.1.1 Transformation Types

Learn about the types of JSON transformations needed for the provisioning jobs.

Context
Two types of transformations occur before the provisioning of entities:
● Read Transformation – from the source system to the provisioning framework. It reads the data in the source system and transfers it to an intermediate JSON data in the provisioning framework.
● Write Transformation – from the provisioning framework to the target system. It prepares the data to be written to the target system.
Both transformations result in JSON data.

Every supported system holds and requires specific JSON data. To convert the source JSON data to an intermediate JSON version (which can be used for transformation to a supported target system), the Identity Provisioning administrator can use the suggested JSON transformation logic on the Transformations tab. It appears when you create a new system in the Identity Provisioning UI and save it for the first time. There is also a different transformation logic for every entity (users and groups for example). The transformation is performed in the sequence defined in the transformation logic.

Note
All transformations from the source systems transform their specific JSON data to intermediate JSON data according to the System for Cross-domain Identity Management (SCIM) specifications.

● Basic transformation
  Takes the attributes as defined in the source system and transfers them unchanged in the resulting JSON data. No changes are made.

Example
If the source JSON data contains the attribute name, the read transformation converts this attribute to name23 in the intermediate JSON data. Then, the write transformation should use the attribute name23 (instead of name) as sourcePath attribute.

To learn how to modify the transformations, see Manage Transformations [page 30].

Related Information
Manage Transformations [page 30]
JSON Expressions and Functions [page 31]

1.4.1.2 Manage Transformations

You can edit the default JSON transformation logic.

Prerequisites
You have added a system (source, target, or proxy) in the Identity Provisioning user interface. To learn how, see Add System [page 50].

Context
The transformation logic for every supported system is specific. You can find the default one in the Identity Provisioning user interface. To modify it, follow the steps below.

Procedure
1. Open the user interface of the Identity Provisioning service. To learn how, see Access the Identity Provisioning Service (Productive) [page 24].
2. From the UI home page, choose a tile – Source Systems, Target Systems, or Proxy Systems.
3. Select a system from the left panel and go to the Transformations tab. The default transformation logic is displayed.
4. Choose Edit in the bottom right corner.
5. Make your changes and save the configuration.

Related Information
Transformation Types [page 29]
JSON Expressions and Functions [page 31]

1.4.1.3 JSON Expressions and Functions

JSON Path Expressions
The transformation logic is based on JSON path expressions.
Below are some of the expressions you can use:

Note
The order of the JSON path expressions in the file is decisive for how the transformation is executed.

● type
  The type of action to be performed in the mapping. Can be set or remove. If no type is defined, "type": "set" is used by default.
  ○ The set type maps an attribute from the source system to an attribute in the target JSON data.
    Example
    {
      "type": "set",
      "sourcePath": "$.sn[0]",
      "targetPath": "$.name.familyName"
    }
  ○ The remove type deletes an attribute during transformation. This attribute is not present in the target JSON data.
    Example
    {
      "type": "remove",
      "targetPath": "$.groups"
    }

● sourcePath and targetPath
  Expression sourcePath denotes the path to an attribute in the source JSON data (could be the source system JSON data or the intermediate JSON data). Expression targetPath denotes the path where the attribute should be stored in the target JSON data (could be the intermediate JSON data or the target system JSON data).
  Example
  {
    "sourcePath": "$.sAMAccountName[0]",
    "targetPath": "$.displayName"
  }

● condition
  A condition can be set on various levels, for example for the whole entry type or for a mapping entry. This is applicable for both source and target systems.
  Example
  {
    "condition": "($.emails.length() > 0) && ($.name.familyName EMPTY false)",
    "mappings": [
      {
        "sourcePath": "$",
        "targetPath": "$"
      },
      …
    ]
  }
  Example
  {
    "mappings": [
      …
      {
        "condition": "$.memberOf contains 'group1'",
        "sourcePath": "$.sAMAccountName[0]",
        "targetPath": "$.displayName"
      }
    ]
  }

● ignore
  Use the ignore expression if you prefer parts of the transformation to not be taken into consideration (during provisioning). Similar to condition, you can set ignore on various levels – for a whole entry type (user, role) or for a particular mapping entry.
  Example
  "group": {
    "ignore": true,
    "mappings": [
      {
        "sourcePath": "$.sAMAccountName[0]",
        "targetVariable": "entityIdSourceSystem"
      },
      …
    ]
  }
  Example
  "user": {
    "mappings": [
      {
        "ignore": true,
        "sourcePath": "$.sAMAccountName[0]",
        "targetVariable": "entityIdSourceSystem"
      },
      …
    ]
  }

● constant
  Set a constant if the target system requires attributes that are not defined in the source system. You can also use schemas to organize and combine multiple constants.
  Example
  {
    "targetPath": "$.displayName",
    "constant": "NewDisplayName"
  },
  {
    "targetPath": "$.emails[0].type",
    "constant": "work"
  }

● createEntity
  You can set a scope for an entity attribute – based on its lifecycle – so that it is only processed during creation. To do this, tag the entity attribute with the createEntity scope in the system transformation. Transformation mappings without scope are always processed.
  Note
  Currently, the createEntity scope is only applicable for entities created in the target system.
  Example
  The following mapping provides an initial password when a user is created.
  {
    "user": {
      "mappings": [
        {
          "scope": "createEntity",
          "targetPath": "$.Password",
          "constant": "Initial1"
        }
      ]
    }
  }

● deleteEntity
  If an entity has been deleted from the source system or has been set a condition for it not to be read anymore, this entity can "stay" in the target system for the following reasons:
  1. The target system does not support deletion of entities.
  2. You do not want to delete it but only temporarily disable/deactivate it.
  3. You want to neither delete it, nor deactivate it but only remove its permissions, or exclude it from some corporate groups.
  If you have to fulfill some of these scenarios for an entity, use the deleteEntity scope. It prevents the entity from being deleted from the target system and only updates its status instead. Also, bear in mind the following:
  ○ For the affected entity, all transformation mappings that do not contain this scope will be ignored.
  ○ If a condition exists on entity type level, it will be ignored as well.
  Note
  ○ You cannot use this scope for proxy systems.
  ○ Use this scope for SCIM systems, as well as Concur, Identity Authentication, Microsoft Azure AD, and SAP Jam.

  Example
  Concur: The following mapping disables the user account:
  {
    "user": {
      "mappings": [
        …
        {
          "scope": "deleteEntity",
          "constant": "N",
          "targetPath": "$.Active"
        },
        {
          "scope": "deleteEntity",
          "constant": "DEFAULT",
          "targetPath": "$.LedgerCode"
        },
        {
          "scope": "deleteEntity",
          "constant": "US",
          "targetPath": "$.Custom21"
        },
        {
          "scope": "deleteEntity",
          "constant": "",
          "targetPath": "$.Password"
        },
        …
      ]
    }
  }

  Example
  Microsoft Azure AD: The following mapping disables the user account:
  {
    "user": {
      "mappings": [
        …
        {
          "constant": false,
          "targetPath": "$.accountEnabled",
          "scope": "deleteEntity"
        },
        …
      ]
    }
  }

  Example
  Identity Authentication: The following mapping disables the user account, as well as unassigns it from all groups it used to belong to:
  {
    "user": {
      "mappings": [
        …
        {
          "constant": false,
          "targetPath": "$.active",
          "scope": "deleteEntity"
        },
        {
          "constant": [],
          "targetPath": "$.groups",
          "scope": "deleteEntity"
        },
        {
          "constant": [],
          "targetPath": "$.corporateGroups",
          "scope": "deleteEntity"
        },
        …
      ]
    }
  }

  Example
  SAP Jam: The following mapping disables the user account:
  "user": {
    "mappings": [
      …
      {
        "sourceVariable": "entityIdTargetSystem",
        "targetPath": "$.id"
      },
      {
        "constant": false,
        "targetPath": "$.active",
        "scope": "deleteEntity"
      },
      …
    ]
  }

● skipOperations
  If you want the provisioning job to not execute operations on entities of a certain type, use the skipOperations expression. You can apply it when you need to avoid creating or deleting entities. You can use skipOperations only in target system transformations.
  Sample Code
  The following transformation does not allow creating and deleting users in the target system:
  {
    "user": {
      "skipOperations": [
        "create",
        "delete"
      ],
      "mappings": [
        …
      ]
    }
  }
  Even if it's set to skip the create operation, the Identity Provisioning service will still try to update new entities by their IDs. To get and retrieve these IDs, you can add the following JSON code to your target system transformation. If an entity with a retrieved ID does not exist in the target system, it will neither be created, nor updated.
  Sample Code
  JSON code for retrieving group IDs:
  "user": {
    "mappings": [
      {
        "sourcePath": "$.userName",
        "targetPath": "$.userName"
      },
      {
        "sourcePath": "$.id",
        "targetVariable": "entityIdTargetSystem"
      },
      …
    ]
  }

● valueMapping
  The valueMapping plays the role of a special condition that allows multiple entity attributes (read from the source system) to be mapped to a single target attribute. For example, you can set a mapping condition for user attributes country and locality. After the provisioning job, their values will be mapped to a new attribute – timezone. The example below demonstrates this case with country=Bulgaria and locality=Sofia. Their values correspond to: timezone=Europe/Sofia
  Sample Code
  JSON code for mapping user timezone:
  "user": {
    "mappings": [
      {
        "sourcePath": "$",
        "targetPath": "$"
      },
      {
        "targetPath": "$.timezone",
        "type": "valueMapping",
        "sourcePaths": ["$.addresses[0].country", "$.addresses[0].locality"],
        "valueMappings": [{ "key": ["BG", "Sofia"], "mappedValue": "Europe/Sofia" }]
      }
    ]
  }
Transformation Functions

The transformation functions are used in entity transformations; they are included as mappings. A transformation function uses the value provided in sourcePath to generate the value for targetPath. The type of parameters can be String, Integer, Boolean, Null, or an attribute.
{
  "user": {
    "mappings": [
      {
        "sourcePath": "$.sAMAccountName[0]",
        "targetPath": "$.userName",
        "functions": [
          {
            "type": "function_name",
            "parameter_name": String OR Number OR Boolean OR null OR "$.attribute"
          }
        ]
      }
    ]
  }
}

● concatString
  Function for concatenating a string with a prefix or a suffix.
  Parameters:
  ○ (Required) type
  ○ (Optional) prefix
  ○ (Optional) suffix
  Example
  {
    "user": {
      "mappings": [
        {
          "sourcePath": "$.sAMAccountName[0]",
          "targetPath": "$.userName",
          "functions": [
            {
              "type": "concatString",
              "prefix": "ips_",
              "suffix": 123
            }
          ]
        }
      ]
    }
  }

● manipulateDate
  Function for manipulating dates. The following main operations are supported:
  ○ Formatting the date by specifying the source and target format
  ○ Incrementing (by the + sign, which can be used only with String, or when there is no sign) or decrementing (by the - sign) the date by the specified years, months, days, hours, minutes, or seconds
  Parameters:
  ○ (Required) type
  ○ (Optional) sourceDateFormat
  ○ (Optional) targetDateFormat
  ○ (Optional) years
  ○ (Optional) months
  ○ (Optional) days
  ○ (Optional) hours
  ○ (Optional) minutes
  ○ (Optional) seconds
  Example
  {
    "targetPath": "$.EmployeeType.ValidityPeriod.StartDate",
    "sourceVariable": "currentDate",
    "functions": [
      {
        "type": "manipulateDate",
        "sourceDateFormat": "yyyy-MM-dd",
        "targetDateFormat": "yyyy-MM-dd",
        "years": -1,
        "months": "-1",
        "days": 3,
        "hours": "1",
        "minutes": "+30",
        "seconds": "30"
      }
    ]
  }

● randomPassword
  Function for generating a random password. It picks characters from four character sets – digits, uppercase letters, lowercase letters, and special symbols. The default set of special symbols contains the following characters: {~ ! @ # $ % ^ & * ( ) _ +
  Bear in mind the tips below:
  ○ The password length must be supplied along with the number of characters from each set. If a value "0" is supplied for a given parameter, no characters will be picked from the corresponding character set.
  ○ If the summed up number of characters (from all sets) is less than the total password length, the remaining characters will be randomly picked from all character sets.
  ○ If the summed up number of characters (from all sets) exceeds the total password length, the function execution will result in error.
  ○ A custom character set is supplied by the specialSymbols parameter.
  ○ If a custom set of special symbols is supplied, the parameter minimumNumberOfSpecialSymbols cannot have a value of "0".
  Note
  The randomPassword function does not require sourcePath, sourceVariable, or constant to be specified in the mapping.
  Parameters:
  ○ (Required) type
  ○ (Required) passwordLength
  ○ (Required) minimumNumberOfLowercaseLetters
  ○ (Required) minimumNumberOfUppercaseLetters
  ○ (Required) minimumNumberOfDigits
  ○ (Required) minimumNumberOfSpecialSymbols
  ○ (Optional) specialSymbols
  Example
  {
    "user": {
      "mappings": [
        {
          "targetPath": "$.password",
          "functions": [
            {
              "type": "randomPassword",
              "passwordLength": 16,
              "minimumNumberOfLowercaseLetters": 4,
              "minimumNumberOfUppercaseLetters": 4,
              "minimumNumberOfDigits": 4,
              "minimumNumberOfSpecialSymbols": 4,
              "specialSymbols": ".<>/?~`!@#"
            }
          ]
        }
      ]
    }
  }

● replaceString
  Function for replacing each substring of a given string that matches the provided target string with the string in replacement.
  Parameters:
  ○ (Required) type
  ○ (Required) target
  ○ (Required) replacement
  Example
  {
    "user": {
      "mappings": [
        {
          "sourcePath": "$.sAMAccountName[0]",
          "targetPath": "$.userName",
          "functions": [
            {
              "type": "replaceString",
              "target": "iag",
              "replacement": "ips"
            }
          ]
        }
      ]
    }
  }

● replaceAllString
  Function for replacing each substring of the given string that matches the provided regex with the string in replacement.
  Parameters:
  ○ (Required) type
  ○ (Required) regex
  ○ (Required) replacement
  Example
  {
    "user": {
      "mappings": [
        {
          "sourcePath": "$.sAMAccountName[0]",
          "targetPath": "$.userName",
          "functions": [
            {
              "type": "replaceAllString",
              "regex": "14\\d{1}",
              "replacement": 123
            }
          ]
        }
      ]
    }
  }

● replaceFirstString
  Function for replacing the first substring of a given string that matches the provided regex with the string in replacement.
  Parameters:
  ○ (Required) type
  ○ (Required) regex
  ○ (Required) replacement
  Example
  {
    "user": {
      "mappings": [
        {
          "sourcePath": "$.sAMAccountName[0]",
          "targetPath": "$.userName",
          "functions": [
            {
              "type": "replaceFirstString",
              "regex": "14\\d{1}",
              "replacement": 123
            }
          ]
        }
      ]
    }
  }

● replaceLastString
  Function for replacing the last substring of a given string that matches the provided regex with the string in replacement.
  Parameters:
  ○ (Required) type
  ○ (Required) regex
  ○ (Required) replacement
  Example
  {
    "user": {
      "mappings": [
        {
          "sourcePath": "$.sAMAccountName[0]",
          "targetPath": "$.userName",
          "functions": [
            {
              "type": "replaceLastString",
              "regex": "14\\d{1}",
              "replacement": 123
            }
          ]
        }
      ]
    }
  }

● resolveEntityIds
  Function that resolves the value of a source system attribute to an existing back-end key in the target system. For example, it can resolve the value of a source system member attribute to the ID of an existing SCIM resource that represents this member in a SCIM target system.
  Parameters:
  ○ (Optional) entityType – If not set, the parameter accepts its default value.
  Example
  {
    "sourcePath": "$.members[?(@.value)]",
    "targetPath": "$.member",
    "optional": true,
    "preserveArrayWithSingleElement": true,
    "functions": [
      {
        "entityType": "group",
        "type": "resolveEntityIds"
      }
    ]
  }

● substring
  Function that returns a part of the given string. It begins at the specified beginIndex and extends either to the character at index endIndex - 1 or, if endIndex is not provided, to the end of this string.
  Parameters:
  ○ (Required) type
  ○ (Required) beginIndex
  ○ (Optional) endIndex
  Example
  {
    "user": {
      "mappings": [
        {
          "sourcePath": "$.sAMAccountName[0]",
          "targetPath": "$.userName",
          "functions": [
            {
              "type": "substring",
              "beginIndex": 3,
              "endIndex": "5"
            }
          ]
        }
      ]
    }
  }

● toUpperCaseString
  Function that converts all the characters in the given string to upper case, using the provided locale, or if nothing defined – English.
  Parameters:
  ○ (Required) type
  ○ (Optional) locale
  Example
  {
    "user": {
      "mappings": [
        {
          "sourcePath": "$.sAMAccountName[0]",
          "targetPath": "$.userName",
          "functions": [
            {
              "type": "toUpperCaseString",
              "locale": "en_EN"
            }
          ]
        }
      ]
    }
  }

● toLowerCaseString
  Function that converts all the characters in the given string to lower case, using the provided locale, or if nothing defined – English.
  Parameters:
  ○ (Required) type
  ○ (Optional) locale
  Example
  {
    "user": {
      "mappings": [
        {
          "sourcePath": "$.sAMAccountName[0]",
          "targetPath": "$.userName",
          "functions": [
            {
              "type": "toLowerCaseString",
              "locale": "en_EN"
            }
          ]
        }
      ]
    }
  }

JSON Transformations

Here are a few examples of JSON data from the source system, after the intermediate transformation, and after the transformation to a chosen target system.

Example
Source JSON data (from Microsoft Active Directory)
{
  "sAMAccountName": ["jsmith"],
  "givenName": ["John"],
  "sn": ["Smith"],
  "mail": ["john.smith@company.com"],
  "memberOf": ["group1"],
  "memberOf_2": ["group21", "group22"],
  "memberOf_3": ["group31", "group32", "group33"]
}

Example
Read Transformation (for the Intermediate JSON Data)
{
  "mappings": [
    {
      "targetPath": "$.schemas[0]",
      "constant": "urn:ietf:params:scim:api:messages:2.0:User"
    },
    {
      "targetVariable": "entityIdSourceSystem",
      "sourcePath": "$.sAMAccountName[0]"
    },
    {
      "targetPath": "$.userName",
      "sourcePath": "$.sAMAccountName[0]"
    },
    {
      "targetPath": "$.name.givenName",
      "sourcePath": "$.givenName[0]"
    },
    {
      "targetPath": "$.name.familyName",
      "sourcePath": "$.sn[0]"
    },
    {
      "targetPath": "$.emails[0].value",
      "sourcePath": "$.mail[0]"
    },
    {
      "targetPath": "$.emails[0].type",
      "constant": "work"
    },
    {
      "targetPath": "$.emails[0].primary",
      "constant": "true"
    },
    {
      "targetPath": "$.groups[?(@.value)]",
      "sourcePath": "$.memberOf",
      "preserveArrayWithSingleElement": true
    },
    {
      "targetPath": "$.groups_2[?(@.value)]",
      "sourcePath": "$.memberOf_2[?(@ != 'group21')]",
      "preserveArrayWithSingleElement": true
    },
    {
      "targetPath": "$.groups_3[?(@.value)]",
      "sourcePath": "$.memberOf_3",
      "preserveArrayWithSingleElement": true
    },
    {
      "targetPath": "$.groups_4[?(@.value)]",
      "sourcePath": "$.memberOf_4",
      "optional": true,
      "preserveArrayWithSingleElement": true
    }
  ]
}

Example
Intermediate JSON data (after the read transformation)
{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:User"
  ],
  "id": "P000100",
  "userName": "jsmith",
  "name": {
    "familyName": "Smith",
    "givenName": "John"
  },
  "emails": [
    {
      "value": "john.smith@company.com",
      "primary": "true",
      "type": "work"
    }
  ],
  "groups": [
    { "value": "group1" }
  ],
  "groups_2": [
    { "value": "group22" }
  ],
  "groups_3": [
    { "value": "group31" },
    { "value": "group32" },
    { "value": "group33" }
  ]
}

Example
Write Transformation (for the target system SAP Cloud Platform Identity Authentication service)
{
  "mappings": [
    {
      "targetPath": "$.id",
      "sourceVariable": "entityIdTargetSystem"
    },
    {
      "targetPath": "$.userName",
      "sourcePath": "$.userName"
    },
    …
  ]
}

Note
Remember that every write transformation has to consider the source system details delivered with the read transformation. If the source JSON data contains the name attribute, the read transformation converts this attribute to name23 in the intermediate JSON data, giving it a different name. The write transformation will use the name23 attribute as sourcePath, instead of name.
Related Information
Manage Transformations [page 30]
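The mapping expressions from the JSON Expressions and Functions section above (sourcePath/targetPath, constant, optional, ignore, preserveArrayWithSingleElement and the createEntity/deleteEntity scopes), as an added example interpreter that is not part of SAP's documentation or service: it runs a cut-down version of the Active Directory read transformation shown above over the sample user and shows which mappings are applied on create, update and delete. Only simple "$", ".name" and "[n]" path steps plus a trailing "[?(@.value)]" on a targetPath are understood, conditions and functions are left out, and the unwrapping of a one-element array when preserveArrayWithSingleElement is not set is an assumption of this example.

```python
"""Added example, not SAP's code: a minimal interpreter for the mapping
expressions above (sourcePath/targetPath, constant, optional, ignore,
preserveArrayWithSingleElement and the createEntity/deleteEntity scopes)."""
import re

_MISSING = object()
# Paths: "$", ".name" and "[n]" steps, plus a trailing "[?(@.value)]" on a
# targetPath that wraps each source element as {"value": element}, as above.
_PATH = re.compile(r"\$(?:\.\w+|\[\d+\]|\[\?\(@\.\w+\)\])*")
_STEP = re.compile(r"\.(\w+)|\[(\d+)\]|\[\?\(@\.(\w+)\)\]")


def parse_path(path):
    """'$.emails[0].value' -> ['emails', 0, 'value']; a filter -> ('wrap', name)."""
    if not _PATH.fullmatch(path):
        raise ValueError(f"unsupported path: {path}")
    return [name or (("wrap", wrap) if wrap else int(index))
            for name, index, wrap in _STEP.findall(path)]


def get_path(data, path):
    """Read a value from nested dicts/lists; _MISSING if any step is absent."""
    cur = data
    for step in parse_path(path):
        if isinstance(cur, list) and isinstance(step, int) and step < len(cur):
            cur = cur[step]
        elif isinstance(cur, dict) and step in cur:
            cur = cur[step]
        else:
            return _MISSING
    return cur


def set_path(data, path, value):
    """Store value at path, creating intermediate dicts/lists on the way."""
    steps = parse_path(path)
    if steps and isinstance(steps[-1], tuple):            # trailing [?(@.name)]
        name = steps.pop()[1]
        value = [{name: v} for v in (value if isinstance(value, list) else [value])]
    if not steps:                                          # "$": copy whole object
        data.update(value)
        return data
    cur = data
    for step, nxt in zip(steps, steps[1:] + [None]):
        if isinstance(step, int):
            cur.extend([None] * (step + 1 - len(cur)))     # pad the list
        if nxt is None:
            cur[step] = value
            break
        exists = cur[step] is not None if isinstance(step, int) else step in cur
        if not exists:
            cur[step] = [] if isinstance(nxt, int) else {}
        cur = cur[step]
    return data


def transform(source, mappings, operation="update"):
    """Apply the mappings in order (the order is decisive, as noted above).
    operation is 'create', 'update' or 'delete': createEntity mappings run only
    on create, deleteEntity ones only on delete, and on delete the unscoped
    mappings are skipped, following the deleteEntity rules above."""
    wanted = {"create": "createEntity", "delete": "deleteEntity"}.get(operation)
    target = {}
    for m in mappings:
        scope = m.get("scope")
        # skip ignored mappings, mappings of another scope, unscoped ones on delete
        if m.get("ignore") or scope != wanted and (scope or operation == "delete"):
            continue
        if "constant" in m:
            value = m["constant"]
        else:
            value = get_path(source, m["sourcePath"])
            if value is _MISSING:
                if m.get("optional"):
                    continue
                raise KeyError(f"required source attribute missing: {m['sourcePath']}")
            # Assumed for this example: a one-element array collapses to its
            # element unless preserveArrayWithSingleElement is set.
            if (isinstance(value, list) and len(value) == 1
                    and not m.get("preserveArrayWithSingleElement")):
                value = value[0]
        set_path(target, m["targetPath"], value)
    return target


# Constructed sample: the page's Active Directory user, cut down.
AD_USER = {"sAMAccountName": ["jsmith"], "givenName": ["John"], "sn": ["Smith"],
           "mail": ["john.smith@company.com"], "memberOf": ["group1"]}

# Read transformation cut down from the page's AD example, plus the page's
# createEntity initial-password mapping.
READ_MAPPINGS = [
    {"targetPath": "$.schemas[0]", "constant": "urn:ietf:params:scim:api:messages:2.0:User"},
    {"targetPath": "$.userName", "sourcePath": "$.sAMAccountName[0]"},
    {"targetPath": "$.name.givenName", "sourcePath": "$.givenName[0]"},
    {"targetPath": "$.name.familyName", "sourcePath": "$.sn[0]"},
    {"targetPath": "$.emails[0].value", "sourcePath": "$.mail[0]"},
    {"targetPath": "$.emails[0].type", "constant": "work"},
    {"targetPath": "$.groups[?(@.value)]", "sourcePath": "$.memberOf", "preserveArrayWithSingleElement": True},
    {"targetPath": "$.password", "constant": "Initial1", "scope": "createEntity"},
]

# The page's Identity Authentication deleteEntity mappings: disable and unassign, do not delete.
DELETE_MAPPINGS = [
    {"targetPath": "$.userName", "sourcePath": "$.userName"},
    {"constant": False, "targetPath": "$.active", "scope": "deleteEntity"},
    {"constant": [], "targetPath": "$.groups", "scope": "deleteEntity"},
]
```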
1.4.2 Systems

This section describes how to operate with source, target, and proxy systems from the user interface of the Identity Provisioning service.

Prerequisites
● (Optional) You have configured destinations in SAP Cloud Platform cockpit for the source and target systems that you want to use for the provisioning of entities. For more information, see Creating HTTP Destinations.
● You have accessed the user interface of the service. For more information, see:
  Access the Identity Provisioning Service (Productive) [page 24]
  Access the Identity Provisioning Service (Trial) [page 26]

Context
From the user interface of the Identity Provisioning service, you can perform the following operations:
● Add, edit and delete systems – you can add new and configure existing source and target systems. When you add a new system, it is enabled by default.
● Enable and disable systems – to use a system for provisioning purposes, its status has to be Enabled. If one of your added systems is configured and you currently do not need it, but would like to use it later, you can disable it.
● Export and import systems – if you have added and configured a system and you need to add another one of the same type without manually entering all data again, you can export the existing one, giving it a different name. Then just import it back. The new system will appear in the list and all configurations and transformations will be kept.

For more information about each system type and the configuration steps required for the operations below, see System Types and Configurations [page 47].

Related Information
Add System [page 50]
Edit System [page 51]
Delete System [page 52]
Enable and Disable Systems [page 52]
Export and Import Systems [page 53]

1.4.2.1 System Types and Configurations

This section defines the three types of systems you can use for provisioning identities – source, target, and proxy.

Source Systems
A source system is the connector used for reading entities (users, groups, roles). Source systems can be on-premise or cloud based, SAP or non-SAP, and usually represent the corporate user store where identities are currently maintained. The Identity Provisioning service reads the entities from the source system and creates or updates them in the relevant target systems. The provisioning is triggered from the Jobs tab of a source system. To check which system types are appropriate for this role, see the topics listed under Scenarios [page 88].

Target Systems
A target system is the connector used for writing (provisioning) entities, where the Identity Provisioning service creates or updates the entities taken from the source system. Target systems are usually cloud systems.

Proxy Systems
A proxy system is a special connector used for "hybrid" scenarios. That means, you can provision entities from a cloud to an on-premise system (and the other way around) without making a direct connection between them. To achieve this, the hybrid scenario uses a proxy system which executes provisioning operations (create, update, delete, etc.) requested by the on-premise system. A system can act as a proxy if it supports both read and write operations.

Note
Currently, this scenario is only applicable to SAP Identity Management, used as the on-premise system. For more information, see SAP Identity Management Hybrid Scenario [page 124].

How a proxy system works:
1. The Identity Provisioning service exposes the back-end system as a "proxy". SAP Identity Management regards the proxy system as its back-end system.
2. To provide communication between SAP Identity Management and the back-end system, the proxy application uses a SCIM 2.0 protocol.
3. The entities (users) exposed by the back-end system are mapped to SCIM 2.0 entities, if possible. If not possible, the SCIM standard provides a mechanism to define a new resource type with the appropriate schema. You can use the custom resource type to map the back-end entities. See: SCIM Resources

System Configuration Details

The system types have similar Identity Provisioning user interface. Below are the details you need to provide when setting up a source, target, or proxy system:

Table 5:
Tab / Field | Description
Details – Type (Mandatory) | The type of the source or target system. You can select a particular system from the drop-down list.
Details – System Name (Mandatory) | The name of the source or target system configuration. This name will be displayed in the job log and other reports. It will help you easily distinguish your systems in the list later.
Details – Description (Optional) | Enter a meaningful description.
Details – Destination Name (Optional) | The name of the destination configuration for the system. You define it in the Destinations editor in SAP Cloud Platform cockpit. For more information, see Creating HTTP Destinations. Note: This field is only mandatory for ABAP systems.
Details – Source Systems (Optional) | Note: This field is only available for target systems. The name or list of names of the source systems that the entities should be read from and transferred to this target system. The list can contain one or more source system names, separated by comma (,). If no source system is specified in this field, the target system receives entities from all source systems configured in the Source Systems tile for the customer tenant.
Transformations | The initial transformation logic is created when saving the source or target system. Transformations are settings that represent the logic used to convert or filter the entities data taken from the source before sending it to the target system. Transformations also define how the different attributes of the entities should be mapped. Every system has specific JSON requirements – these are data models for the entities that have to be synchronized using the Identity Provisioning service. The Identity Provisioning service offers default transformation settings per system, which can be additionally configured. This helps you filter the data taken from the source system, or apply a filter to the data before writing it into the target system. For more information, see Manage Transformations [page 30].
Properties (Optional) | You can set properties for the source or target systems. These properties overwrite the properties set in the Additional Properties section in SAP Cloud Platform cockpit Destinations. For more information, see Creating HTTP Destinations.
Jobs | Note: This tab is only available for source systems. It appears once you have successfully configured the source system. From the Jobs tab, you can start or schedule the provisioning job, or resynchronize the data in the target system if changes are made in the source system. For more information, see Manage Jobs and Job Logs [page 83].

Related Information
Scenarios [page 88]

1.4.2.2 Add System

This topic explains how you can add source and target systems to the Identity Provisioning UI.

Procedure
1. From the UI home page, choose a tile – Source Systems, Target Systems, or Proxy Systems.
2. Choose the Add button situated at the bottom of the left-hand panel.
3. Add a name for your system. Make sure it doesn't duplicate another system's name in the UI.
4. (Optional) Enter a description.
5. Select the system type you want to use.
6. (Optional) If you have previously created a destination in the Cloud cockpit, select it from the Destination Name combo box. The combo-box list contains only destinations relevant to the chosen system type.
   Restriction
   Destinations are mandatory for SAP Application Server ABAP source systems.
7. (Optional) For target systems, you can add the source systems whose data you want to read and provision. Select the ones you need from the Source Systems combo box.
   Note
   If you had previously added a string of source systems manually (before the new combo box control took place), and some of these source systems had incorrect names, the UI will show you an error message. To correct this inconsistency, edit and save the new target system configuration.
8. (Optional) You can open the Properties tab to enter all the properties needed for your provisioning scenario. For more information, see Scenarios [page 88].
   Note
   If you leave both the Destination Name field and the Properties tab empty.
9. The new system appears in the panel.
This destination should specify the URL and all the connection settings needed for your identity provisioning jobs. It will help you to easily distinguish your systems in the list later on. Target Systems. no actual identity provisioning will be performed. Save your changes. From the Type combo box.1. To do this. If you have skipped the Destination Name field. Context Procedure 1. (Target systems) When you create a target system. 2.3 Edit System This topic explains how you can edit source and target systems in the Identity Provisioning UI.4. 4. or Proxy Systems. From the UI home page. Choose the tab you want to edit (Details.Next Steps You can enter some additional properties and/or modify your default system transformation. Related Information Manage Properties [page 79] Manage Transformations [page 30] 1. Target Systems. select a system. From the list on the left. Transformations. Context Procedure 1. 2. Properties). 5. 3. Choose the Edit button and make the relevant configurations. Related Information Manage Properties [page 79] Manage Transformations [page 30] SAP Cloud Platform Identity Provisioning Service SAP Cloud Platform Identity Provisioning Service PUBLIC 51 . choose a tile – Source Systems. Save your changes. choose a tile – Source Systems. 3.1. Context Procedure 1.4 Delete System This topic explains how you can delete source and target systems in the Identity Provisioning UI.2. 1.5 Enable and Disable Systems This topic explains how you can enable and disable source and target systems in the Identity Provisioning UI. The system disappears from the panel. Procedure 1. At the bottom of the left-hand panel. Target Systems. select a system. select a system.2. 3. From the list on the left. If one of your added systems is configured and you currently do not need it. 6. 2. choose a tile – Source Systems. you can disable it.4. or Proxy Systems. From the UI home page. Choose the icon at the top of the left-hand panel. 
Context To use a system for provisioning purposes. Target Systems. confirm with OK. From the list on the left. From the UI home page. 5. but would like to use it later. choose the Delete button. 4. SAP Cloud Platform Identity Provisioning Service 52 PUBLIC SAP Cloud Platform Identity Provisioning Service . or Proxy Systems. When you add a new system. Save your changes.4. Choose the icon at the top of the left-hand panel. its status has to be Enabled. In the dialog box. it is enabled by default. 2. Importing Systems 1. you have two options: ○ Select JSON format – the system configuration will be exported as a . choose the Enable button and confirm with OK.6 Export and Import Systems This topic explains how you can export and import source. choose a section: Source Systems. Save your changes. which you can later import back in the Identity Provisioning UI.4. Choose the Export button. Target Systems. or Proxy Systems 2. Procedure Exporting Systems 1. Target Systems. ● You need to reuse an existing system in the Identity Provisioning UI but for another subaccount. From the list on the left. and you don't want to manually enter all data and configuration properties all over again. If it's a proxy one. Save the file on your local file system. 1.json file.csv file. target and proxy systems in the Identity Provisioning UI. Context If you have added and configured a system. ○ If the system is currently disabled. 3.2. select the system you want to export. ○ If the system is currently enabled. From the UI home page. The exported system configuration depends on your scenario. The export function comes handy to you in the following use cases: ● You need another system of the same type but with slightly different setup. From the UI home page. 4. choose the Disable button and confirm with OK. which you can later import in the SAP Identity Management UI as a SCIM repository. 
or Proxy Systems SAP Cloud Platform Identity Provisioning Service SAP Cloud Platform Identity Provisioning Service PUBLIC 53 . ○ Select CSV format – the system configuration will be exported as a . 5. If your system is a source or a target one. it will be exported as a JSON file. you can export it for further use. 4. choose a section: Source Systems. make additional configurations. In section Define from File. For example.3 Properties You need to set mandatory properties to configure the connection between your source and target systems. You can import files with extension . You can also see the imported transformations and properties of this system in the respective UI tabs. enter password(s) for authentication.2. 5. Save your changes. Change the System Name. Browse and select the file with system configuration you need on your local file system. check that the preconfigured system has mapping transformations in the compatible JSON format. otherwise an error message will appear warning you that a system with this name already exists. 8. Choose the Add button. For your system provisioning goals. 4. or the other way around. the values set in the Properties tab are taken with higher priority. SAP Cloud Platform Identity Provisioning Service 54 PUBLIC SAP Cloud Platform Identity Provisioning Service .json as well as files with no extension. 7. If needed. 3. 1. 6. you can set properties in two places: ● SAP Cloud Platform cockpit: Destinations ● Identity Provisioning UI: Source Systems or Target Systems → Properties Note If the same properties exist in both the Destinations editor (in the cockpit) and in the Properties tab (in the Identity Provisioning UI). Caution You cannot export a target system and import it back as a source.4. The system configuration is displayed in the Details editor. and that the system information corresponds to the fields of the Details editor. choose the Browse button. Note To ensure your import is successful. 
The new system appears in the list on the left. It is possible to delete some of them but this may cause a loss of provisioned data.page.destination.>% is replaced by the corresponding parameter's value.user.user. According to their usability. each occurrence of %<. Like the standard properties.attributes=email Default System Properties These properties depend on the particular connector type.object. They exist in the transformations by default. they can be configured in the system's Properties tab. and/or in the system's destination properties (in the platform cockpit).destination. the unique key of one of these parameters is surrounded by the percent symbol (%).r3name=PSE sf.filter=<empty> Parameterized System Transformations They use parameters taken from the system property sets.user.peak_limit=10 sf.. the system's properties have priority over the system's destination properties.pool_capacity=5 sf. For example: Table 6: Example: AS ABAP System (source) Concur System (target) jco.object. When one parameter exists in both property sets.group.attribute.filter=firstName John jco.group.user.client.mobile=mobile ldap. Parameter references without a value are left unchanged. Example: Table 7: Example: LDAP Server (source) ldap. properties can be categorized as follows: Standard System Properties Each source or target system supports specific types of properties. In the JSON data.. For example: SAP Cloud Platform Identity Provisioning Service SAP Cloud Platform Identity Provisioning Service PUBLIC 55 .size=100 jco. The parameters consist of a unique key and a value. During the transformation evaluation.Properties can help you filter which entities and entity attributes are read from the source system or written to the target system.filter=<empty> ldap.class=inetOrgPerson ldap.class=groupOfNames ldap.user. name. %ldap.attribute. 
Table 8: Example
LDAP parameters list:
  ldap.user.attribute.givenName=givenName
  ldap.user.attribute.mail=mail
  ldap.user.attribute.mobile=mobile
  ldap.user.attribute.groups=memberOf

LDAP parameters mapping transformation
Sample Code
  /* LDAP Server (source) system: */
  {
    "sourcePath": "$.%ldap.user.attribute.givenName%[0]",
    "targetPath": "$.name.givenName",
    "optional": true
  },
  {
    "sourcePath": "$.%ldap.user.attribute.mail%[0]",
    "targetPath": "$.emails[0].value",
    "optional": true
  }

Related Information
List of Properties [page 56]
Manage Properties [page 79]
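The two rules above (Properties tab values win over destination values; %key% references are replaced in a single pass, unresolved references stay as written, nested references are not expanded) are easy to get wrong in a home-grown evaluator. The following Python is an added illustration, not code from this documentation or from the Identity Provisioning service. The property names follow the LDAP parameter list; the property values, the two property dictionaries and the transformation document are constructed for the example.

```python
"""Parameterized transformation evaluation with Properties-tab precedence.

Added example, not the service's implementation. It models:
  * merging destination (cockpit) properties with the system's Properties tab,
    where the tab value wins for a key present in both;
  * replacing every %key% in the transformation JSON by the property value,
    leaving references without a value unchanged and not expanding a value
    that itself contains %...% (nested parameters are not supported).
"""
import json
import re

# A parameter key is the text between two percent signs; restricting the
# character class keeps a stray '%' in a value from pairing with a real key.
PARAM_RE = re.compile(r"%([A-Za-z0-9_.\-]+)%")


def effective_properties(destination_props, tab_props):
    """Destination properties overridden by the Properties tab (higher priority)."""
    merged = dict(destination_props)
    merged.update(tab_props)
    return merged


def resolve_parameters(text, props):
    """Single-pass %key% substitution.

    Unknown keys are left exactly as written. Because re.sub never rescans
    replaced text, a value such as '%other%' is inserted literally, which is
    the 'nested parameters are not supported' behaviour.
    """
    def substitute(match):
        key = match.group(1)
        return props[key] if key in props else match.group(0)

    return PARAM_RE.sub(substitute, text)


def evaluate_mapping(transformation, props):
    """Apply parameter substitution to a transformation document."""
    resolved = resolve_parameters(json.dumps(transformation), props)
    return json.loads(resolved)


# --- constructed sample input -------------------------------------------
DESTINATION_PROPS = {                      # "Additional Properties" in the cockpit
    "ldap.user.attribute.givenName": "givenName",
    "ldap.user.attribute.mail": "mail",
    "ldap.page.size": "100",
}
TAB_PROPS = {                              # Properties tab in the IPS UI
    "ldap.user.attribute.mail": "userPrincipalName",
}
TRANSFORMATION = {"user": {"mappings": [
    {"sourcePath": "$.%ldap.user.attribute.givenName%[0]",
     "targetPath": "$.name.givenName", "optional": True},
    {"sourcePath": "$.%ldap.user.attribute.mail%[0]",
     "targetPath": "$.emails[0].value", "optional": True},
    # no property defines this key, so the reference must survive untouched
    {"sourcePath": "$.%ldap.user.attribute.mobile%[0]",
     "targetPath": "$.phoneNumbers[0].value", "optional": True},
]}}


def demo():
    """Return the list of resolved sourcePath values for the sample above."""
    props = effective_properties(DESTINATION_PROPS, TAB_PROPS)
    mappings = evaluate_mapping(TRANSFORMATION, props)["user"]["mappings"]
    return [m["sourcePath"] for m in mappings]


if __name__ == "__main__":
    for path in demo():
        print(path)
```

Running the module prints `$.givenName[0]`, `$.userPrincipalName[0]` (the tab value, not the destination value) and the untouched `$.%ldap.user.attribute.mobile%[0]`, which is the tell-tale you would look for in a job log when a parameter was never defined.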
1.4.3.1 List of Properties

On this page you can find all the available properties to use in the Identity Provisioning service. You can filter them by system type name, "All Systems", by a word or only part of it.

Table 9: Each entry gives the property Name, its Description, the Values it accepts, the System Type it applies to, and the System Role Relevance.

Type
  Description: Protocol type for making a connection.
  Values: Possible values: HTTP, LDAP, RFC
  System Type: All systems
  System Role Relevance: All

URL
  Description: URL needed to make an HTTP(S) connection to an on-premise system or a cloud service.
  Values: http(s)://<host><port>
  System Type: All HTTP systems
  System Role Relevance: All

ProxyType
  Description: Proxy type required for HTTP connection.
  Values: Possible values: Internet, OnPremise
  System Type: All HTTP systems
  System Role Relevance: All

Authentication
  Description: Authentication type required for HTTP connection.
  Values: Possible values: NoAuthentication, BasicAuthentication, ClientCertificateAuthentication
  System Type: All HTTP systems
  System Role Relevance: All

User
  Description: It represents:
    ● User name – used in standard destinations
    ● Client ID – used for access token retrieval in OAuth HTTP destinations
  Values: <text_string>
  System Type: All HTTP systems
  System Role Relevance: All

Password
  Description: It represents:
    ● Password – used in standard destinations
    ● Client secret key – used for access token retrieval in OAuth HTTP destinations
  Values: <encrypted_string>
  System Type: All HTTP systems
  System Role Relevance: All

ips.failed.request.retry.attempts
  Description: If an entity operation (create, update, delete) fails due to a timeout or rate limit, you can specify a number of retries for this operation.
    Tip: Rate limit is the controlled rate of requests sent to a system. Some systems implement rate limit to avoid overloading and performance issues.
  Values: Default value: 2
  System Type: All systems
  System Role Relevance: All

ips.failed.request.retry.attempts.interval
  Description: Specify a time interval (in seconds) between the retries, in case an operation fails due to timeout or rate limit. This property is related to ips.failed.request.retry.attempts, which sets the number of retries.
  Values: Default value: 30
  System Type: All systems
  System Role Relevance: All

ips.existedbefore.delete.entities
  Description: If some of the previously provisioned entities are later deleted from the source system, you can control whether to also delete them from the target or not. To allow entity deletion in the target system, set this property to true. For more information, see Manage Deleted Entities [page 80].
  Values: Possible values: true, false. Default value: false
  System Type: All systems
  System Role Relevance: Target, Proxy

ips.trace.failed.entity.content
  Description: If a provisioning job repeatedly fails and you need problem investigation, you can enable logging and tracing for the personal data of your provisioned entities. To do this, set this property to true. If the property is not set, in the logs you see: content = <hidden content>
  Values: Possible values: true, false. Default value: false
  System Type: All systems
  System Role Relevance: Source

ips.http.header.<header_name>
  Description: Use this property to pass additional information with the HTTP requests.
    Note: The provisioning system may override your custom HTTP headers, if specific header settings are implemented in the system. If you provide credentials for the provisioning system, this property will not take effect. Its value (token) will be overridden by the token generated by the system implementation.
  Values: Example for authorization header: ips.http.header.authorization = Basic VDAwdfhjgHGSzmfnNA==
  System Type: All HTTP systems
  System Role Relevance: Source

ips.delta.read
  Description: If this property is enabled, every time a provisioning job is started, it does not retrieve the entire amount of source system data but only the last changed entities. For more information, see Full and Delta Read [page 81].
  Values: Possible values: enabled, disabled
  System Type: Use it in the following systems: SCIM, Microsoft AD, SAP SuccessFactors, Identity Authentication
  System Role Relevance: All

ips.full.read.force.count
  Description: If your system (connector) works in delta read mode, it's recommended to enforce full reads from time to time. To achieve this, set this property to an integer number.
  Values: Example: 10. This value results in alternating full reads after every 10 delta reads are performed.
  System Type: Use it in the following systems: SCIM, Microsoft AD, SAP SuccessFactors, Identity Authentication
  System Role Relevance: All

jco.client.ashost
  Description: Enter the virtual host entry that you have configured in the Cloud connector → Access Control configuration.
  Values: Example: abapserver.hana.cloud
  System Type: AS ABAP
  System Role Relevance: Source

jco.client.user
  Description: Enter the user for AS ABAP.
  System Type: AS ABAP
  System Role Relevance: Source

jco.client.passwd
  Description: Enter the password for the AS ABAP user.
  System Type: AS ABAP
  System Role Relevance: Source

OAuth2TokenServiceURL
  Description: If you need to make OAuth authentication to the system, enter the URL to the access token provider service.
  Values: <access_token_URL>
  System Type: CloudFoundry UAA Server, Microsoft Azure AD, Google G Suite, SAP Jam, SCIM
  System Role Relevance: Target, Proxy

jco.client.mshost
  Description: Represents the message server host to be used.
  System Type: AS ABAP
  System Role Relevance: Source

jco.client.r3name
  Description: Enter the three-character system ID of the ABAP system to be addressed.
  Values: Example: WPE
  System Type: AS ABAP
  System Role Relevance: Source

jco.client.client
  Description: Enter the client to be used in the ABAP system. Valid format is a three-digit number.
  Values: Example: 001
  System Type: AS ABAP
  System Role Relevance: Source

jco.client.sysnr
  Description: Enter the "system number" of the ABAP system.
  Values: Example: 42
  System Type: AS ABAP
  System Role Relevance: Source

jco.destination.peak_limit
  Description: Represents the maximum number of active connections that can simultaneously be created for a destination.
  Values: Example: 10
  System Type: AS ABAP
  System Role Relevance: Source

jco.destination.pool_capacity
  Description: Represents the maximum number of idle connections kept open by the destination.
  Values: Example: 5
  System Type: AS ABAP
  System Role Relevance: Source

X-ConsumerKey
  Description: Enter the Concur access token needed for the connection.
  System Type: Concur
  System Role Relevance: Target, Proxy

jwt.scope
  Description: Enter space-separated Google Directory API authorization scopes.
  System Type: Google G Suite
  System Role Relevance: Target, Proxy

jwt.subject
  Description: Enter the Google G Suite user on behalf of which the Google Directory API is called.
  System Type: Google G Suite
  System Role Relevance: Target, Proxy

ldap.url
  Description: URL needed to make an LDAP connection to an on-premise system or a cloud service.
  Values: ldap://<host><port>
  System Type: LDAP Server, Microsoft AD
  System Role Relevance: Source

ldap.proxyType
  Description: Proxy type for the LDAP connection.
  Values: OnPremise
  System Type: LDAP Server, Microsoft AD
  System Role Relevance: Source

ldap.authentication
  Description: Authentication type for the LDAP connection.
  Values: BasicAuthentication
  System Type: LDAP Server, Microsoft AD
  System Role Relevance: Source

ldap.user
  Description: User name for the LDAP Server.
  Values: <text_string>
  System Type: LDAP Server, Microsoft AD
  System Role Relevance: Source

ldap.password
  Description: Password for the LDAP Server user.
  Values: <encrypted_string>
  System Type: LDAP Server, Microsoft AD
  System Role Relevance: Source

ldap.user.path
  Description: Enter the complete path to the users in the LDAP Server.
  System Type: LDAP Server, Microsoft AD
  System Role Relevance: Source

ldap.group.path
  Description: Enter the complete path to a group or groups in the LDAP Server.
  System Type: LDAP Server, Microsoft AD
  System Role Relevance: Source

ldap.user.attributes
  Description: Shows which user attributes from the source system are to be included in the LDAP search result (and respectively, in the intermediate JSON data). Separate the attributes by comma (,).
  Values: If nothing is set, all attributes are included.
  System Type: LDAP Server, Microsoft AD
  System Role Relevance: Source

ldap.group.attributes
  Description: Shows which group attributes from the source system are to be included in the LDAP search result (and respectively, in the intermediate JSON data). Separate the attributes by comma (,).
  Values: If nothing is set, all attributes are included.
  System Type: LDAP Server, Microsoft AD
  System Role Relevance: Source

ldap.user.object.class
  Description: Criteria for user. In the intermediate JSON data, the following LDAP filter is used: (objectClass=user)
  Values: Default value: user
  System Type: LDAP Server, Microsoft AD
  System Role Relevance: Source

ldap.group.object.class
  Description: Criteria for group. In the intermediate JSON data, the following LDAP filter is used: (objectClass=group)
  Values: Default value: group
  System Type: LDAP Server, Microsoft AD
  System Role Relevance: Source

ldap.group.uniquename.attribute
  Description: By default, the source JSON data contains the CN part of the complete distinguished name of the groups to which the entity belongs. The administrator can change this default behavior and specify an attribute name to be used instead of CN.
    Note:
    ● Any group which does not have the attribute specified will not be part of the resulting memberOf JSON array.
    ● Any group which does not match the ldap.group.path property will not be part of the resulting memberOf JSON array.
  Values: Example: ldap.group.uniquename.attribute=displayName. This will produce a memberOf array which contains the displayName attribute value of the groups to which the entity belongs.
  System Type: LDAP Server, Microsoft AD
  System Role Relevance: Source

ldap.group.member.uniquename.attribute
  Description: Determines the value of the member attribute of groups in the intermediate JSON data.
  Values: Possible values: cn, distinguishedName. Default value: cn
  System Type: LDAP Server, Microsoft AD
  System Role Relevance: Source

ldap.user.filter
  Description: You can optimize the search by excluding certain users. For example, (cn=1234*) returns only users with a CN starting with 1234.
  Values: This filter is empty by default. That means: "If the property is not specified, search for everything."
  System Type: LDAP Server, Microsoft AD
  System Role Relevance: Source

ldap.group.filter
  Description: You can optimize the search by excluding certain groups.
  Values: This filter is empty by default. That means: "If the property is not specified, search for everything."
  System Type: LDAP Server, Microsoft AD
  System Role Relevance: Source

ldap.page.size
  Description: Use this property to configure the paging, that means, the number of entities to be read from the LDAP server at once.
    Note: It is not recommended to exceed 1000.
  Values: Default value: 100
  System Type: LDAP Server, Microsoft AD
  System Role Relevance: Source

concur.page.size
  Description: Use this property to configure the paging, that means, the number of entities to be read from Concur at once.
    Note: The maximum allowed number is 100.
  Values: Default value: 100
  System Type: Concur
  System Role Relevance: Source

gsuite.page.size
  Description: Use this property to configure the paging, that means, the number of entities to be read from Google G Suite at once.
    Note: The maximum allowed number is 500.
  Values: Default value: 100
  System Type: Google G Suite
  System Role Relevance: Source

com.sun.jndi.ldap.connect.timeout
  Description: Use this property if you want to set the timeout (in milliseconds) for connecting to the LDAP server.
  Values: Example: 500. This value causes the LDAP service provider to abort the connection attempt if a connection cannot be established in half a second.
  System Type: LDAP Server, Microsoft AD
  System Role Relevance: Source

com.sun.jndi.ldap.read.timeout
  Description: Use this property if you want to specify the read timeout (in milliseconds) for an LDAP connection.
  Values: Example: 5000. This value causes the LDAP service provider to abort the read attempt if the server does not respond within 5 seconds.
  System Type: LDAP Server, Microsoft AD
  System Role Relevance: Source

gsuite.customer.id
  Description: This property determines whether entities for a particular customer ID are to be read. This property takes precedence over gsuite.domain.
  Values: <customer_ID_number>. For more information, see Google G Suite API: User Accounts.get.
  System Type: Google G Suite
  System Role Relevance: Source

gsuite.domain
  Description: This property determines whether entities from a particular domain should be read.
  Values: Example: myaccount.ondemand.com
  System Type: Google G Suite
  System Role Relevance: Source

gsuite.read.deleted
  Description: This property determines whether recently deleted entities should be read.
    Note: You can apply this property only for users. For groups it will be ignored.
  Values: Possible values: true, false. Default value: false
  System Type: Google G Suite
  System Role Relevance: Source

oauth.resource.name
  Description: Enter the URL to the Microsoft Graph.
  Values: https://graph.microsoft.com
  System Type: Microsoft Azure AD
  System Role Relevance: All

aad.domain.name
  Description: Enter one of the verified domain names from the corresponding Azure AD tenant.
  System Type: Microsoft Azure AD
  System Role Relevance: All

scim.user.filter
  Description: When specified, only those users matching the filter expression will be read.
  Values: Example: name.familyName eq "Smith" and addresses.country eq "US"
  System Type: SCIM
  System Role Relevance: Source

scim.content.type
  Description: Makes the connector send the specified value for the Content-Type HTTP header. This is needed because a SCIM system could potentially not implement the protocol in the specification, which states that a system must accept application/scim+json as a value of the Content-Type header.
  Values: Example: application/json. If the property is not specified, the default value is taken: application/scim+json
  System Type: SCIM
  System Role Relevance: Target, Proxy

csrf.token.path
  Description: Path added to the URL to retrieve the CSRF token. The property is automatically added in the system, with default value: /api/v1/scim/Users?count=1
  Values: Default value: /api/v1/scim/Users?count=1
  System Type: SAP Analytics Cloud (Beta)
  System Role Relevance: All

csrf.protection
  Description: Specifies whether to fetch a CSRF token when sending requests to the system. The property is automatically added in the system, with default value: enabled
  Values: Possible values: enabled, disabled. Default value: enabled
  System Type: SAP Analytics Cloud (Beta)
  System Role Relevance: All

scim.user.unique.attribute
  Description: If the service tries to create a user that already exists in the target system, the creation will fail. In this case, the existing user only needs to be updated. This user can be found via search, based on an attribute (default or specific). To make the search filter by a specific attribute, specify this attribute as a value for the scim.user.unique.attribute property.
  Values: If the property is not specified, the search is done by the default attribute: userName
  System Type: SCIM
  System Role Relevance: Target, Proxy

scim.group.unique.attribute
  Description: If the service tries to create a group that already exists in the target system, the creation will fail. In this case, the existing group only needs to be updated. This group can be found via search, based on an attribute (default or specific). To make the search filter by a specific attribute, specify this attribute as a value for the scim.group.unique.attribute property.
  Values: If the property is not specified, the search will be done by the default attribute: displayName
  System Type: SCIM
  System Role Relevance: Target, Proxy

scim.support.if.match.header
  Description: Makes the connector send the If-Match HTTP header with a value of "*" for every request to the target system. This header could be used by a SCIM system for entity versioning.
  Values: Possible values: true, false. Default value: false
  System Type: SCIM
  System Role Relevance: Target, Proxy

scim.group.members.include.additional.attributes
  Description: Defines additional attributes you can request from an Identity Authentication source system when reading groups. You can add the following attributes:
    ● emails
    ● userName
    ● displayName
    ● urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber
    If you read groups through the REST API, use the GET request. Add the additional attributes (comma-separated) as a value of the URL parameter membersAdditionalAttributes.
  Values: A comma-separated list of attribute names.
  System Type: Identity Authentication
  System Role Relevance: Source

scim.support.patch.operation
  Description: If an entity has been deleted from the source system, or there is a condition for it not to be read anymore, it can still "stay" in the target system (it will be only disabled). For this purpose, you need to use the deleteEntity scope. For more information, see JSON Expressions and Functions [page 31]. If your target system is SCIM-based and it doesn't support PATCH operations, you need to also use the scim.support.patch.operation property, setting it to false. Or you can set it to true.
    Note: If your SCIM system supports the PATCH operation, you don't need this property.
  Values: Possible values: true, false. Default value: true
  System Type: SCIM
  System Role Relevance: Target, Proxy

AuthType
  Description: Enter the type of authentication used for access token retrieval for OAuth HTTP destinations.
  Values: Possible values: Basic, Form. Default value: Basic
  System Type: SCIM
  System Role Relevance: Both

CloudConnectorLocationId
  Description: Relevant when the ProxyType property is set to OnPremise. Use it only if your SAP Cloud Platform account uses more than one Cloud Connector.
  Values: Integer number
  System Type: SSH Server (Beta), SAP HANA Database (Beta)
  System Role Relevance: Target, Proxy

hana.jdbc.access.type
  Description: There are three types of SAP HANA access:
    ● direct – It requires the hana.jdbc.db.* properties.
    ● ssh.tunnel – It requires the hana.jdbc.db.* and hana.jdbc.ssh.* properties.
    ● cf.ssh.tunnel – It requires the hana.jdbc.ssh.tunnel.cf.* properties to establish an SSH tunnel to the Cloud Foundry application, from which to access the JDBC SQL port of SAP HANA.
  Values: direct, ssh.tunnel, cf.ssh.tunnel
  System Type: SAP HANA Database (Beta)
  System Role Relevance: Target, Proxy

hana.jdbc.db.host
  System Type: SAP HANA Database (Beta)
  System Role Relevance: Target, Proxy

hana.jdbc.db.port
  Values: 30015
  System Type: SAP HANA Database (Beta)
  System Role Relevance: Target, Proxy

hana.jdbc.db.user
  System Type: SAP HANA Database (Beta)
  System Role Relevance: Target, Proxy

hana.jdbc.db.password
  Description: (Credential)
  System Type: SAP HANA Database (Beta)
  System Role Relevance: Target, Proxy

hana.jdbc.ssh.tunnel.host
  System Type: SAP HANA Database (Beta)
  System Role Relevance: Target, Proxy

hana.jdbc.ssh.tunnel.port
  Values: 22
  System Type: SAP HANA Database (Beta)
  System Role Relevance: Target, Proxy

hana.jdbc.ssh.tunnel.username
  System Type: SAP HANA Database (Beta)
  System Role Relevance: Target, Proxy

hana.jdbc.ssh.tunnel.cf.api.url
  System Type: SAP HANA Database (Beta)
  System Role Relevance: Target, Proxy

hana.jdbc.ssh.tunnel.cf.oauth.token.url
  System Type: SAP HANA Database (Beta)
  System Role Relevance: Target, Proxy

hana.jdbc.ssh.tunnel.cf.org
  Description: This is the Cloud Foundry organization.
  System Type: SAP HANA Database (Beta)
  System Role Relevance: Target, Proxy

hana.jdbc.ssh.tunnel.cf.space
  Description: This is the Cloud Foundry space.
  System Type: SAP HANA Database (Beta)
  System Role Relevance: Target, Proxy

hana.jdbc.ssh.tunnel.cf.username
  Description: This is the Cloud Foundry user. It has the role Developer for the space where the application is deployed.
  System Type: SAP HANA Database (Beta)
  System Role Relevance: Target, Proxy

hana.jdbc.ssh.tunnel.cf.password
  Description: (Credential) The password for property hana.jdbc.ssh.tunnel.cf.username.
  System Type: SAP HANA Database (Beta)
  System Role Relevance: Target, Proxy

hana.jdbc.ssh.tunnel.cf.app
  Description: This is the Cloud Foundry application to which the SAP HANA Database (Beta) system opens an SSH tunnel. For more information, see: Cloud Foundry: Accessing Apps with SSH
  System Type: SAP HANA Database (Beta)
  System Role Relevance: Target, Proxy

hana.jdbc.ssh.tunnel.cf.app.instance
  Description: This is the instance number of the Cloud Foundry application.
  System Type: SAP HANA Database (Beta)
  System Role Relevance: Target, Proxy

hana.jdbc.ssh.tunnel.auth.type
  Description: Supported SSH authentication types:
    ● key
    ● pwd
    ● otp
    ● key+otp
    ● key+pwd
    ● pwd+otp
    ● key+pwd+otp
  System Type: SAP HANA Database (Beta)
  System Role Relevance: Target, Proxy

hana.jdbc.ssh.tunnel.password
  Description: (Credential) Taken into account only if the authentication type includes pwd. That means any of the following:
    ● hana.jdbc.ssh.tunnel.auth.type = pwd
    ● hana.jdbc.ssh.tunnel.auth.type = key+pwd
    ● hana.jdbc.ssh.tunnel.auth.type = pwd+otp
    ● hana.jdbc.ssh.tunnel.auth.type = key+pwd+otp
  System Type: SAP HANA Database (Beta)
  System Role Relevance: Target, Proxy

hana.jdbc.ssh.tunnel.private.key
  Description: (Credential) Taken into account only if the authentication type includes key. That means any of the following:
    ● hana.jdbc.ssh.tunnel.auth.type = key
    ● hana.jdbc.ssh.tunnel.auth.type = key+otp
    ● hana.jdbc.ssh.tunnel.auth.type = key+pwd
    ● hana.jdbc.ssh.tunnel.auth.type = key+pwd+otp
  System Type: SAP HANA Database (Beta)
  System Role Relevance: Target, Proxy

hana.jdbc.ssh.tunnel.totp.secret.key
  Description: (Credential) Taken into account only if the authentication type includes otp. That means any of the following:
    ● hana.jdbc.ssh.tunnel.auth.type = otp
    ● hana.jdbc.ssh.tunnel.auth.type = key+otp
    ● hana.jdbc.ssh.tunnel.auth.type = pwd+otp
    ● hana.jdbc.ssh.tunnel.auth.type = key+pwd+otp
  System Type: SAP HANA Database (Beta)
  System Role Relevance: Target, Proxy

ssh.read.users.command
  Description: Path to the bash command you need to execute to read users.
  System Type: SSH Server (Beta)
  System Role Relevance: Source

ssh.read.groups.command
  Description: Path to the bash command you need to execute to read groups.
  System Type: SSH Server (Beta)
  System Role Relevance: Source

ssh.create.user.command
  Description: Path to the bash command you need to execute to create a user.
  System Type: SSH Server (Beta)
  System Role Relevance: Target, Proxy

ssh.create.user.exit.code.already.exists
  Description: An exit code number.
  System Type: SSH Server (Beta)
  System Role Relevance: Target, Proxy

ssh.update.user.command
  Description: Path to the bash command you need to execute to update a user.
  System Type: SSH Server (Beta)
  System Role Relevance: Target, Proxy

ssh.update.user.exit.code.not.found
  Description: An exit code number.
  System Type: SSH Server (Beta)
  System Role Relevance: Target, Proxy

ssh.delete.user.command
  Description: Path to the bash command you need to execute to delete a user.
  System Type: SSH Server (Beta)
  System Role Relevance: Target, Proxy

ssh.delete.user.exit.code.not.found
  Description: An exit code number.
  System Type: SSH Server (Beta)
  System Role Relevance: Target, Proxy

ssh.create.group.command
  Description: Path to the bash command you need to execute to create a group.
  System Type: SSH Server (Beta)
  System Role Relevance: Target, Proxy

ssh.create.group.exit.code.already.exists
  Description: An exit code number.
  System Type: SSH Server (Beta)
  System Role Relevance: Target, Proxy

ssh.update.group.command
  Description: Path to the bash command you need to execute to update a group.
  System Type: SSH Server (Beta)
  System Role Relevance: Target, Proxy

ssh.update.group.exit.code.not.found
  Description: An exit code number.
  System Type: SSH Server (Beta)
  System Role Relevance: Target, Proxy

ssh.delete.group.command
  Description: Path to the bash command you need to execute to delete a group.
  System Type: SSH Server (Beta)
  System Role Relevance: Target, Proxy

ssh.delete.group.exit.code.not.found
  Description: An exit code number.
  System Type: SSH Server (Beta)
  System Role Relevance: Target, Proxy

ssh.host
  System Type: SSH Server (Beta)
  System Role Relevance: Target, Proxy

ssh.port
  Values: 22
  System Type: SSH Server (Beta)
  System Role Relevance: Target, Proxy

ssh.username
  System Type: SSH Server (Beta)
  System Role Relevance: Target, Proxy

ssh.auth.type
  Description: Supported SSH authentication types:
    ● key
    ● pwd
    ● otp
    ● key+otp
    ● key+pwd
    ● pwd+otp
    ● key+pwd+otp
  System Type: SSH Server (Beta)
  System Role Relevance: Target, Proxy

ssh.password
  Description: (Credential) Taken into account only if the authentication type (ssh.auth.type) includes pwd, that is, one of: pwd, key+pwd, pwd+otp, key+pwd+otp.
  System Type: SSH Server (Beta)
  System Role Relevance: Target, Proxy

ssh.totp.secret.key
  Description: (Credential) Taken into account only if the authentication type (ssh.auth.type) includes otp, that is, one of: otp, key+otp, pwd+otp, key+pwd+otp.
  System Type: SSH Server (Beta)
  System Role Relevance: Target, Proxy

ssh.private.key
  Description: (Credential) Taken into account only if the authentication type (ssh.auth.type) includes key, that is, one of: key, key+otp, key+pwd, key+pwd+otp.
  System Type: SSH Server (Beta)
  System Role Relevance: Target, Proxy

ssh.private.key.type
  Values: Possible values: ssh-rsa, ssh-dsa. Default value: ssh-rsa
  System Type: SSH Server (Beta)
  System Role Relevance: Target, Proxy

scim.users.search.filter
  Description: Use this property to specify a search filter when retrieving users from the target system. A user is retrieved if creating a new user fails (when it already exists in the target system).
  System Type: SAP Jam
  System Role Relevance: All

sf.page.size
  Values: Default value: 100
  System Type: SAP SuccessFactors
  System Role Relevance: Source
The format of SSH pri­ Possible values: SSH Server (Beta) ● Target type vate key.jdbc.jdbc.size Defines the page size. You must not use it in custom filter statements. attributes that have to firstName. ing the delta load userId. SAP Cloud Platform Identity Provisioning Service 78 PUBLIC SAP Cloud Platform Identity Provisioning Service . other­ wise.user. except any statements with attrib­ Restriction ute You can only use at­ lastModifiedDate tributes supported Time. the provision­ ing from Success­ Factors will fail. ternally by the department. sf. service. Caution If you decide to set this property for only reading some of the user attributes.filter This property takes val­ Example value: division SAP SuccessFactors Source ues as described in the eq 'Manufacturing OData version 2 (MANU)' syntax. make sure the at­ tribute lastModifiedDa teTime will be al­ ways read. status. lastName. username.Name Description Values System Type System Role Relevance sf. Here are some Attribute of these filterable at­ lastModifiedDa tributes: firstName. for calculat­ location. from the SAP Suc­ cessFactors system. Identity Provisioning division. be loaded from the SAP email. lastModifiedDa­ SuccessFactors sys­ teTime tem.user. teTime is used in­ lastName.attribut This is a string repre­ Default value: all SAP SuccessFactors Source senting the comma- es separated list of user Example: username. as filterable by the SAP SuccessFactors HCM Suite OData Caution API. jobCode. attribut es = username.expand = man­ ager TrustAll If this property is set to Possible values: All systems All true. the server certif­ ● true icate will not be ● false checked for SSL con­ If the property is not nections. SAP Cloud Platform Identity Provisioning Service SAP Cloud Platform Identity Provisioning Service PUBLIC 79 .user.2 Manage Properties You can add.user.user. the default value is Use it only for test pur­ false. Prerequisites You have added a system (source. 
TrustAll – If this property is set to true, the server certificate will not be checked for SSL connections. Use it only for test purposes (not in productive scenarios) since the SSL server certificate is not checked, and thus the server is not authenticated. Possible values: true, false. If the property is not set, the default value is false. System type: All systems – relevance: All

1.4.2 Manage Properties

You can add, delete and modify properties for a system in the Identity Provisioning UI.

Prerequisites

You have added a system (source, target, or proxy) in the Identity Provisioning user interface. To learn how, see Add System [page 50].

Procedure

1. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning Service (Productive) [page 24].
2. From the UI home page, choose a tile – Source Systems, Target Systems, or Proxy Systems.
3. Select a system from the left panel and go to the Properties tab.
4. To modify the current properties, choose Edit in the bottom right corner.
5. Make your changes and save the configuration.

Related Information
List of Properties [page 56]
Scenarios [page 88]

1.4.3 Manage Deleted Entities

In this topic, you can learn about the behavior (logic) of the provisioning jobs regarding deleted entities, before and after the update of the Identity Provisioning service.

Behavior, before the update on 23.02.2017

When full-read mode is set, a provisioning job provisions all entities from the source system to the target one and updates their status. If a source system entity that has already been provisioned to the target system is later deleted from the source, it will be deleted from the target as well.

Note: In this case, you cannot control the deletion of entities in the target system.

Behavior, after the update on 23.02.2017

When full-read mode is set, a provisioning job provisions and updates the entities according to the following use cases:

● Entities provisioned before the update of Identity Provisioning
If an entity has existed in both the source and the target system, and now you delete it from the source, the new provisioning job will recognize it as "previously existed" and will not delete it from the target system. However, if you want these entities to be deleted, open the relevant target system, and on the Properties tab, enter the following property:
ips.delete.existedbefore.entities = true
Note: The default value is false, which means none of the "recognized" entities will be deleted from the target system.

● Entities provisioned after the update of Identity Provisioning
If an entity existed in both the source and the target system, and now you delete it from the source, the new provisioning job will delete it from the target as well.

To keep source and target systems completely synchronized, you can use the Resync type of provisioning job.

Related Information
Full and Delta Read [page 81]
Scenarios [page 88]
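The caveats in the property list (sf.user.attributes must keep lastModifiedDateTime, sf.user.filter must not use it, TrustAll=true disables server authentication) and the ips.delete.existedbefore.entities / ips.full.read.force.count switches are easy to get wrong. As an added example (not SAP code), here is a small linter that reads a Properties-tab style listing and reports the combinations the documentation warns about; the property names are the documented ones, the sample listing is constructed.

```python
"""Added example, not SAP code: checks an Identity Provisioning property
listing for the pitfalls documented above. Property names come from the
documentation; the sample listing at the bottom is constructed."""
import re

DELTA_ATTRIBUTE = "lastModifiedDateTime"   # used internally for the SF delta load


def parse_properties(text):
    """Parse 'name = value' lines (the Properties tab notation) into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        props[name.strip()] = value.strip()
    return props


def check_properties(props, productive=True):
    """Return a list of (severity, message) findings for one system."""
    findings = []

    # TrustAll=true: the SSL server certificate is not checked, so the server
    # is not authenticated. Documented as acceptable for test purposes only.
    if props.get("TrustAll", "false").lower() == "true":
        findings.append(("ERROR" if productive else "WARN",
                         "TrustAll=true: server certificate is not checked; "
                         "use only in test scenarios"))

    # sf.user.attributes: a restricted list must still contain
    # lastModifiedDateTime, otherwise provisioning from SuccessFactors fails.
    attrs = props.get("sf.user.attributes", "all")
    if attrs != "all":
        attr_list = [a.strip() for a in attrs.split(",") if a.strip()]
        if DELTA_ATTRIBUTE not in attr_list:
            findings.append(("ERROR", "sf.user.attributes omits "
                             f"{DELTA_ATTRIBUTE}; the delta load will fail"))

    # sf.user.filter must not reference lastModifiedDateTime at all.
    if re.search(r"\b" + DELTA_ATTRIBUTE + r"\b", props.get("sf.user.filter", "")):
        findings.append(("ERROR", "sf.user.filter must not reference "
                         f"{DELTA_ATTRIBUTE}"))

    # ips.full.read.force.count only matters for scheduled delta reads.
    if "ips.full.read.force.count" in props:
        if props.get("ips.delta.read") != "enabled":
            findings.append(("WARN", "ips.full.read.force.count is set but "
                             "ips.delta.read is not 'enabled'"))
    elif props.get("ips.delta.read") == "enabled":
        findings.append(("INFO", "delta read without ips.full.read.force.count: "
                         "schedule periodic full reads to avoid data loss"))

    # ips.delete.existedbefore.entities defaults to false: entities that existed
    # before the 23.02.2017 update are never deleted from the target unless set.
    if props.get("ips.delete.existedbefore.entities", "false") != "true":
        findings.append(("INFO", "ips.delete.existedbefore.entities is not true: "
                         "entities provisioned before the update stay in the target"))
    return findings


# Constructed SuccessFactors source listing with three of the documented mistakes.
SAMPLE_SOURCE_PROPERTIES = """
sf.user.attributes = username,firstName,lastName,email,status
sf.user.filter = division eq 'Manufacturing (MANU)'
ips.delta.read = enabled
TrustAll = true
"""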
1.4.4 Full and Delta Read

Context

When you set up your systems and start a scheduled provisioning task, the standard behavior of the process reads all the entities from the source system. However, it may take a long time for every job to be executed. Delta read is a concept for optimizing the amount of data retrieved from the source system.

The main difference between delta and full read is:
● Full read – all entities are read and checked every time for provisioning to the target system(s). This mode prevents data loss and always keeps your target system synchronized with the source.
● Delta read – only modified data is read from the source system. Delta read is much faster, but sometimes might have limitations.

In order for a source system to support delta read mode, its API should allow the implementation of this feature. There must be an attribute associated with each entity, properly maintained by the system when the entity is changed (created, updated or deleted) and exposed for query operations. For example, the Microsoft Active Directory source system uses the uSNChanged attribute. For more information, see Microsoft: Polling for Changes Using USNChanged.

Tip: We recommend that you enforce full reads from time to time if the connector is in delta read mode. To achieve this, you need to set up the following source system property: ips.full.read.force.count. For example, ips.delta.read=enabled together with ips.full.read.force.count=10 will result in alternating full reads after every 10 delta reads are performed. This property only impacts scheduled runs; manually triggered runs are ignored.

Currently, the following source systems support delta read mode: Microsoft Active Directory, SuccessFactors, SCIM, and Identity Authentication Service.

Microsoft Active Directory

The default mode is full read. You can switch to delta read if you set up the relevant property: ips.delta.read=enabled. For this purpose, set the properties ldap.user.attributes and ldap.group.attributes and add uSNChanged to the attributes list. Bear in mind the following specifics and limitations:
● In order to have a notion for any deleted objects in delta read mode, the Active Directory Recycle Bin optional feature must be enabled. For more information, see Microsoft: Enable Active Directory Recycle Bin.
● Make sure that the service user, which is used in the AD destination, has a Domain Admin role; otherwise the connector will not be able to extract any data from the recycle bin.
● Due to the linked attributes concept of AD, there is a limitation in the Microsoft Active Directory read connector. For more information, see Microsoft: Linked Attributes.
● If an entity is moved outside the base path (another directory context), the connector will not recognize this change during delta read. We recommend that you enforce full reads periodically in order to avoid data loss.

SAP SuccessFactors

The default mode is delta read mode. You can switch to full read if you set up the relevant property: ips.delta.read=disabled. You need to set limitations about which particular attributes are to be read; otherwise, the provisioning job will run in full read mode.

SCIM and Identity Authentication Systems

The default mode for these systems is full read. You can switch to delta read if you set up the relevant property: ips.delta.read=enabled. For delta read of resources (users and groups), bear in mind the following API requirements:
● The system API should return lastModified, which is a sub-attribute of the meta attribute. The lastModified sub-attribute denotes the most recent date and time when the resource details were updated at the service provider. For more information, see SCIM: Common Attributes.
● The system API has to also support filtering by the lastModified attribute, and the system should support the gt operator in filter expressions. For more information, see SCIM: Filtering.
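As an added example (not SAP code), the following Python model reproduces the scheduling rule for ips.delta.read and ips.full.read.force.count described above against an in-memory SCIM-style source that filters on meta.lastModified with the gt operator. It shows why the forced full read matters: a user hard-deleted in the source is invisible to delta reads and only leaves the target on the next full read. The source data, the cursor handling and the target store are constructed for illustration.

```python
"""Added example, not SAP code: a model of the full and delta read behaviour
described above for a SCIM-style source. The source records, the target store
and the cursor handling are constructed; ips.delta.read and
ips.full.read.force.count are the property names from the documentation."""
from datetime import datetime, timezone


def _ts(value):
    """Parse the ISO timestamps used in meta.lastModified (constructed format)."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


class ScimSource:
    """Minimal in-memory service provider: every user carries meta.lastModified
    and list_users() accepts the filter form 'meta.lastModified gt "<timestamp>"'."""

    def __init__(self, users):
        self.users = {u["id"]: u for u in users}

    def list_users(self, filter_expr=None):
        if filter_expr is None:                     # full read: everything
            return list(self.users.values())
        attr, op, value = filter_expr.split(" ", 2)
        if (attr, op) != ("meta.lastModified", "gt"):
            raise ValueError("unsupported filter: " + filter_expr)
        bound = _ts(value.strip('"'))
        return [u for u in self.users.values()
                if _ts(u["meta"]["lastModified"]) > bound]

    def delete(self, user_id):
        # A hard delete leaves nothing that a lastModified filter could return,
        # which is why delta reads alone cannot propagate deletions.
        del self.users[user_id]


class ReadJob:
    """Decides between full and delta read for each run and keeps a target store
    in sync. With ips.delta.read=enabled and ips.full.read.force.count=N a full
    read is performed after every N scheduled delta reads; manually triggered
    runs neither count towards N nor are forced to a full read."""

    def __init__(self, source, props):
        self.source = source
        self.delta_enabled = props.get("ips.delta.read") == "enabled"
        self.force_every = int(props.get("ips.full.read.force.count", 0))
        self.delta_runs = 0
        self.cursor = None      # highest meta.lastModified seen so far
        self.target = {}        # provisioned entities, keyed by source id

    def run(self, scheduled=True):
        """Return (mode, number_of_entities_read) for this run."""
        force_full = (scheduled and self.force_every > 0
                      and self.delta_runs >= self.force_every)
        if self.delta_enabled and self.cursor is not None and not force_full:
            read = self.source.list_users(f'meta.lastModified gt "{self.cursor}"')
            if scheduled:
                self.delta_runs += 1
            mode = "delta"
        else:
            read = self.source.list_users()
            # Only a full read can notice entities that vanished from the source.
            for gone in set(self.target) - {u["id"] for u in read}:
                del self.target[gone]
            self.delta_runs = 0
            mode = "full"
        for user in read:
            self.target[user["id"]] = user
            stamp = user["meta"]["lastModified"]
            if self.cursor is None or _ts(stamp) > _ts(self.cursor):
                self.cursor = stamp
        return mode, len(read)


def demo():
    """Four scheduled runs with ips.full.read.force.count=2. Returns the run
    log, whether the deleted user survived the delta reads in the target, and
    whether it is still there after the forced full read."""
    users = [  # constructed source data
        {"id": "u1", "userName": "alice", "meta": {"lastModified": "2017-03-01T08:00:00"}},
        {"id": "u2", "userName": "bob", "meta": {"lastModified": "2017-03-01T09:00:00"}},
    ]
    source = ScimSource(users)
    job = ReadJob(source, {"ips.delta.read": "enabled",
                           "ips.full.read.force.count": "2"})
    log = [job.run()]                      # no cursor yet: full read of both users
    source.delete("u2")                    # bob disappears from the source
    source.users["u1"]["meta"]["lastModified"] = "2017-03-02T10:00:00"
    log.append(job.run())                  # delta read 1: only the modified alice
    survived_delta = "u2" in job.target
    log.append(job.run())                  # delta read 2: nothing newer than cursor
    log.append(job.run())                  # count reached: forced full read
    return log, survived_delta, "u2" in job.target
```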
Related Information
SAP SuccessFactors (Source) [page 131]
SCIM (Source and Target) [page 163]
Microsoft Active Directory (Source) [page 142]
SAP Cloud Platform Identity Authentication (Source and Target) [page 101]

1.4.4 Manage Jobs and Job Logs

You can start and stop the provisioning of entities, and then view and maintain the logs of the provisioning jobs.

Prerequisites

● You have opened the user interface of the Identity Provisioning service. For more information, see:
Access the Identity Provisioning Service (Productive) [page 24]
Access the Identity Provisioning Service (Trial) [page 26]
● You have enabled and set up a source system. For more information, see: Enable and Disable Systems [page 52]

Run a Provisioning Job

1. Open the enabled source system and choose the Jobs tab.
2. There are two job types:
○ Read Job – run a provisioning job (start, schedule or resume it)
○ Resync Job – resynchronize the data in the target system if the source one has been changed.
The following table shows the operations you can perform on the Jobs tab:

Table 10: Job Operations
Job Type – Operation – Description
Read Job – Run Now – Starts a read job immediately. A read job checks only for changes in the source system. If there have been changes in the target system, they are not affected by the read job.
Read Job – Schedule – Schedules how often a read job is to be run. The number must be larger than 30 (minutes). After you set a schedule period, the job starts automatically after 1 minute, by default. When the job is finished, it will start again after the number of minutes you have set. This option sets the time period but does not start the job to run regularly.
Read Job – Resume/Pause – To pause a manually started or a scheduled job, press Pause. To continue a paused job, press Resume.
Resync Job – Run Now – Starts a resynchronization job immediately. This job reads all users in the source system and overwrites all entities in the target system. If there have been changes in the target system, they are overwritten with the information from the source system. After running a resynchronization job, the entity data in the source and the target system becomes the same.

Stop a Provisioning Job

1. From the main menu, choose section Job Logs.
2. To stop a running provisioning job, choose the Stop Job button in the Action column.

View Job Logs

1. From the main menu, choose section Job Logs. You see the list of all executed jobs and details about them.

Table 11: Job Execution Logs
Column Name – Details
Source System – The source system that the job was triggered for.
Trigger Type – The triggering type for the job. It can be immediate (if triggered with Run Now) or repeat (for a scheduled job).
Job Type – The job type can be READ or RESYNC.
Start Time – The date, time, and timezone in UTC format when the job is started.
End Time – The date, time, and timezone in UTC format when the job is finished.
Status – The status of the job. It can be Success, Running, Finished with Error, or Running with Error.
Action – From this column, you can stop a running provisioning job.

2. To see more details about a specific job, click the relevant table row. The following information appears in a new screen:
○ <System_name> – Shows the system name and the details from the previous screen.
○ Error Message – If the job finishes with errors, you can see the error message in this field.
○ Statistics – Shows details about the entities handled.

Table 12: Job Statistics
Column Name – Details
Entity – Type of the handled entity
System – Name of the source, target, or proxy system
Action – Action executed on the system. It can be Read or Write.
Read – Number of read entities
Created – Number of created entities
Updated – Number of updated entities
Deleted – Number of deleted entities
Skipped – Number of skipped entities. For example, an entity can be skipped if it could not be provisioned due to missing transformation logic for its entity type, or if a condition in the transformation logic is not fulfilled.
Failed – Number of entities not handled

○ Failed Entities – In case of failed entities, in this section you can find additional information about the first few failed entities.

Export Job Logs

1. From the main menu, choose section Job Logs.
2. From the upper right corner, choose Export Logs. If the number of logs is too large, the execution logs will be exported in parts. Each part (a ZIP archive) contains 3000 logs.
3. Save all ZIP files on your local file system.

Delete Job Logs

If you don't need your job logs anymore, you can delete them. You can do this manually or automatically (by setting a retention period).

To delete the logs manually:
1. From the main menu, choose section Job Logs.
2. From the upper right corner, choose Delete Logs.
Caution: Choosing this button, you will delete the logs for all finished jobs. If a job is still running though, it will stay along with its logs.

To delete the logs automatically, you can set a duration of time for which the job logs are to be available for monitoring:
1. From the main menu, choose section Job Logs.
2. From the bottom right corner, choose Configure job logs settings.
3. Set a period (7, 14 or 30 days). Logs which are older than this period will be automatically deleted. By default, job logs are kept for 7 days. If you want to keep the logs longer, you can export them (see the previous section).

Related Information
Systems [page 46]
Manage Job Notifications [page 86]
1.4.5 Manage Job Notifications

You can subscribe to receive e-mail notifications about the status of your provisioning jobs.

Context

When you subscribe to a source system, you can receive e-mail notifications in the following cases:
● You start or schedule a provisioning job and it fails. You'll receive an e-mail with subject Provisioning Running with Error. You'll receive this e-mail only once – after the first failed entity. Even if more entities fail, no additional e-mails will be sent.
● The failed job has finished. You'll receive an e-mail with subject Provisioning Finished with Error. If the same job runs again and continues to fail, no further notifications will be sent.
● The job is back to normal (the problem with the failed entities has been resolved). After a new run, the job is successfully finished. You'll receive an e-mail with subject Provisioning Success.

Note: If you subscribe to a source system and then run a successful provisioning job, no e-mail notifications will be sent.

Procedure

1. From the Identity Provisioning UI home page, choose the Source Systems tile.
2. Select the system you need to watch and choose Jobs.
3. From the bottom right corner, choose Subscribe.
○ To subscribe yourself, choose Subscribe me.
○ To subscribe another user or a group (distribution list), choose Subscribe others. Fill in the required fields and choose Add.
Note: From the Recipients list, you can remove existing subscribers. To do that, go to the Action column and choose the icon.
4. If you no longer need to be subscribed to a source system, choose Subscribe > Unsubscribe me.
5. You can now run or schedule a provisioning job.

Related Information
Manage Jobs and Job Logs [page 83]

1.4.6 Reset Identity Provisioning Configuration

Resetting the SAP Cloud Platform Identity Provisioning service deletes all details about the source and target systems that have been set up, together with the job execution logs. If you want to use the Identity Provisioning again, you have to set up the source and target systems first.

Context

Caution: If you reset the Identity Provisioning, you will lose all configurations that have been made for the source and target systems (including scheduled jobs), and all job execution logs. If you want to use the service afterwards, you will have to set up these systems again.

If you want to clean up the source and target systems that have been set up, and the job execution log, proceed as follows:

Procedure

1. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning Service (Productive) [page 24].
2. From the left-side menu, choose the Support section.
3. Click the Reset link and confirm with OK.

1.5 Scenarios

The Identity Provisioning service supports various on-premise and cloud systems, which can be implemented as source or target for the provisioned identities. There are technical specifics for every supported system, which you need to consider and implement when setting up the provisioning process and integrating these systems.

The common requirements for all implementation scenarios are:
● (Optional) Create a destination for your source, target, or proxy system in the SAP Cloud Platform cockpit. NOTE: Destinations are only mandatory for SAP ABAP systems.
● Add configuration properties to make the connection between the source and the target system.
● Use the default transformation logic, suggested by the Identity Provisioning service, or modify it according to your business needs.

Apart from the common steps relevant to all systems, there are further details described in each scenario. See below the list of scenarios categorized by system type.
Implementation Scenarios (Systems)

Table 13:
Source Systems:
● SAP Jam
● SAP Cloud Platform Identity Authentication
● SAP Analytics Cloud (Beta)
● Microsoft Azure Active Directory
● Local Identity Directory
● Google G Suite
● Concur
● SCIM
● SAP SuccessFactors
● SAP Application Server ABAP
● Microsoft Active Directory
● LDAP Server

Target Systems:
● SAP Jam
● SAP Cloud Platform Identity Authentication
● SAP Analytics Cloud (Beta)
● Microsoft Azure Active Directory
● Local Identity Directory
● Google G Suite
● Concur
● SCIM
● SAP Cloud Platform Java/HTML5 Apps
● SAP Hybris Cloud for Customer
● SAP HANA Database (Beta)
● SAP Document Center
● CloudFoundry UAA Server
● SSH Server (Beta)

Proxy Systems:
● SAP Jam
● SAP Cloud Platform Identity Authentication
● SAP Analytics Cloud (Beta)
● Microsoft Azure Active Directory
● Local Identity Directory
● Google G Suite
● Concur
● SCIM

1.5.1 Local Identity Directory (Source and Target)

Prerequisites

You have enabled Beta Features in SAP Cloud Platform cockpit and have access to the Identity Directory (Beta) tile. For more information, see Enabling Identity Directory [page 173].

Context

The identity directory is part of the Identity Provisioning service and provides organizations with a directory for storing and managing users and groups in SAP Cloud Platform. Users and groups in this directory can then be provisioned to various cloud systems (both SAP and non-SAP) supported by the Identity Provisioning service. The Local Identity Directory system, which you can find in the Identity Provisioning UI, is a SCIM-based connector.

To use the Identity Directory as a local connector, you need to perform two main provisioning tasks:
1. Add a source system and provision its entities to Local Identity Directory (as a target).
2. Add the Local Identity Directory (as a source) and provision its entities to another target system.

Below is an exemplary scenario that includes Local Identity Directory, SAP SuccessFactors and Microsoft Azure AD.

Procedure

1. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning Service (Productive) [page 24].
2. Add SAP SuccessFactors as a source system. For more information, see SAP SuccessFactors (Source) [page 131].
3. Add Local Identity Directory as a target system. You don't need to configure any properties for it.
4. (Optional) If needed, configure its default transformations:

Code Syntax
{
  "user": {
    "mappings": [
      { "sourcePath": "$", "targetPath": "$" },
      { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.id" },
      { "constant": "urn:ietf:params:scim:schemas:core:2.0:User", "targetPath": "$.schemas[0]" },
      { "constant": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User", "targetPath": "$.schemas[1]" },
      { "condition": "$.emails[0].value.length() > 0", "constant": true, "targetPath": "$.emails[0].primary" },
      { "targetPath": "$.meta", "type": "remove" }
    ]
  },
  "group": {
    "ignore": true,
    "mappings": [
      { "sourcePath": "$", "targetPath": "$" },
      { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.id" },
      { "constant": "urn:ietf:params:scim:schemas:core:2.0:Group", "targetPath": "$.schemas[0]" },
      {
        "sourcePath": "$.members[?(@.value)]",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.members",
        "functions": [ { "type": "resolveEntityIds" } ]
      },
      { "targetPath": "$.meta", "type": "remove" }
    ]
  }
}

5. Start a provisioning job for the SAP SuccessFactors source system. For more information, see Manage Jobs and Job Logs [page 83].
Note: Before starting a provisioning job, you can first subscribe to this system. This way, you will be notified by e-mail about eventual failed entities during the job. For more information, see Manage Job Notifications [page 86].
6. Add Local Identity Directory as a source system. It already contains all the users provisioned from the SAP SuccessFactors system.
7. (Optional) If needed, configure its default transformations:

Code Syntax
{
  "user": {
    "mappings": [
      { "sourcePath": "$", "targetPath": "$" },
      { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem" },
      { "targetPath": "$.id", "type": "remove" },
      { "targetPath": "$.meta", "type": "remove" }
    ]
  },
  "group": {
    "ignore": true,
    "mappings": [
      { "sourcePath": "$", "targetPath": "$" },
      { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem" },
      { "targetPath": "$.id", "type": "remove" },
      { "targetPath": "$.meta", "type": "remove" }
    ]
  }
}

8. Add Microsoft Azure Active Directory as a target system. For more information, see Microsoft Azure Active Directory (Source and Target) [page 146].
9. Start another provisioning job – for the Local Identity Directory source system.
Note: We recommend that you subscribe to receive notifications from this system, too.
10. Check if everything is successfully provisioned.

Related Information
Identity Directory (Beta) [page 172]
1.5.2 SAP Analytics Cloud – Beta (Source and Target)

Follow this procedure to set up SAP Analytics Cloud (Beta) as a source or a target system.

Prerequisites

● You have technical credentials for SAP Analytics Cloud (Beta) and are assigned the default role. For more information, see: Creating New Users and Creating New Roles
● You have an OAuth client for the SAP Analytics Cloud application, and have assigned a role (IPS_ADMIN or IPS_PROXY_USER) to this OAuth client. For more information, see: Register an OAuth Client

Context

After fulfilling the prerequisites, follow the procedure below to add SAP Analytics Cloud (Beta) as a source or a target system to provision users and groups.

Procedure

1. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning Service (Productive) [page 24].
2. Add SAP Analytics Cloud (Beta) as a source or a target system. For more information, see Add System [page 50].
3. Choose the Properties tab to configure the connection settings for your system.
Note: If you have already created a connectivity destination for this system in SAP Cloud Platform cockpit, select it from the Destination dropdown box. If one and the same property exists both in the cockpit and in the Identity Provisioning UI, the value set in the Properties tab will be considered with higher priority.

Table 14: Mandatory Properties
Property Name – Description & Value
Type – Enter: HTTP
URL – Enter the URL to your SAP Analytics Cloud system.
ProxyType – Enter: Internet
Authentication – Enter: BasicAuthentication
User – Enter the client ID to retrieve the OAuth access token for SAP Analytics Cloud.
Password – Enter the secret key to retrieve the OAuth access token for SAP Analytics Cloud.
OAuth2TokenServiceURL – Enter the URL of the access token provider service for your SAP Analytics Cloud instance, in format: https://oauthasservices-<subaccount>.hana.ondemand.com/oauth2/api/v1/token
csrf.protection – Mandatory only for the target and proxy systems. Specifies whether to fetch a CSRF token when sending requests to the system. This property is automatically added to the system, with default value: enabled
csrf.token.path – Path which is appended to the URL to retrieve the CSRF token. This property is automatically added to the system, with default value: /api/v1/scim/Users?count=1

To learn what additional properties are relevant to your scenario, see List of Properties [page 56]. You can search or filter the table by your system type name, as well as by "All Systems".
4. Configure the transformations. You can change the default transformation mapping rules to reflect your current setup of entities in your SAP Analytics Cloud system. For more information, see Manage Transformations [page 30].

Default transformation for SAP Analytics Cloud (Beta) as a source system:

Code Syntax
{
  "user": {
    "mappings": [
      { "sourcePath": "$", "targetPath": "$" },
      { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem" },
      { "targetPath": "$.id", "type": "remove" },
      { "targetPath": "$.meta", "type": "remove" }
    ]
  },
  "group": {
    "ignore": true,
    "mappings": [
      { "sourcePath": "$", "targetPath": "$" },
      { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem" },
      { "targetPath": "$.id", "type": "remove" },
      { "targetPath": "$.meta", "type": "remove" }
    ]
  }
}

Default transformation for SAP Analytics Cloud (Beta) as a target system:

Code Syntax
{
  "user": {
    "mappings": [
      { "sourcePath": "$", "targetPath": "$" },
      { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.id" },
      { "condition": "$.emails[0].value.length() > 0", "constant": true, "targetPath": "$.emails[0].primary" }
    ]
  },
  "group": {
    "ignore": true,
    "mappings": [
      { "sourcePath": "$", "targetPath": "$" },
      { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.id" },
      {
        "sourcePath": "$.members[?(@.value)]",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.members[*].value",
        "functions": [ { "type": "resolveEntityIds" } ]
      }
    ]
  }
}

Next Steps

1. Before starting a provisioning job, you can first subscribe to the source system you use in your scenario. This way, you will be notified by e-mail about eventual failed entities during the job. For more information, see Manage Job Notifications [page 86].
2. Now, start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 83].

1.5.3 SAP Application Server ABAP (Source)

Follow this procedure to set up SAP Application Server ABAP (AS ABAP) as a source system.

Prerequisites

● You have installed the SAP Cloud Platform cloud connector in your corporate environment and have done the initial configuration. For more information, see SAP Cloud Platform Connector.
● You have credentials of a technical user with read permissions in the AS ABAP client. The Identity Provisioning service will use this user to call the ABAP public (business) API: BAPI_USER_GET_DETAIL
you can provision roles and permission assignments to SAP Cloud Platform. implemented in your AS ABAP client. Procedure 1. see Add System [page 50]. in the following cases: ● Use AS ABAP as a central store for the identity data of your business users. The Identity Provisioning service will use this user to call the ABAP public (business) API: BAPI_USER_GET_DETAIL ● You have the following read-only role. which provides all authorizations for read access to user data: SAP_BC_JSF_COMMUNICATION_RO Context SAP Application Server ABAP (AS ABAP) offers a user store and user administration capabilities for maintaining users and their authorizations for AS ABAP applications. passwd user.pool_capacity pacity number of idle connections kept open by the destination.user Password Enter the password for the AS ABAP jco.peak_limit The value represents the maximum jco. jco.client.mshost Represents the message server host to jco.destination. Go to the Properties tab and use the following available filters: ○ abap.sysnr ABAP system.client. 5.sysnr Provide the "system number" of the jco.destination. the ABAP public API (BAPI_USER_GET_DETAIL) is used to retrieve the identity data from the AS ABAP system. When AS ABAP is configured as a source system for the Identity Provisioning service. (Optional) Configure the transformations.client.client Provide the client to be used in the jco. For example: 10 (Optional) jco.user.filter": "(?i)^order. For example: 5 (Optional) jco. (Optional) jco. jco.mshost be used. (Optional) Use filters for users and roles as ABAP source system properties to fine­tune the provisioning process and the permission assignments. Type User Enter the user for AS ABAP.ashost Provide the virtual host entry that you jco. "abap. jco.filter For example. For more information.r3name Provide the three-character system ID jco.role.client.client.client. 
Below are the fields you have to fill in the cockpit destination before using an AS ABAP client as a source system: Table 15: Field/Property Name Value Technical Property Name Name Enter a destination name. jco.ashost have configured in the Cloud connector → Access Control configuration.r3name of the ABAP system to be addressed. jco.peak_limit number of active connections that can simultaneously be created for a desti­ nation.pool_ca­ The value represents the maximum jco.client.client. see Manage Transformations [page 30]. Name Type Select RFC. During the reading SAP Cloud Platform Identity Provisioning Service SAP Cloud Platform Identity Provisioning Service PUBLIC 97 .destination.client. "abap. ○ abap.client.*" – this filter provisions any role that starts with order (case insensitive).client. You can change the default transformation mapping rules to reflect your current setup of entities in AS ABAP.*" – this filter gets any user name that starts with capital A (case sensitive).client ABAP system.filter For example.destination. 6. Valid format is a three- digit number.role.filter": "^A.user.client. name.NO_USER_PW != 'L') && ($.FIRSTNAME attribute is used for the name.USERNAME". "targetPath": "$.USERNAME".WRNG_LOGON != 'L')". { "constant": false. is following the structure of the BAPI_USER_GET_DETAIL export parameters list and tables.GLOB_LOCK != 'L') && ($. */ { "sourcePath": "$.value" }. */ { "sourcePath": "$. "optional": true. */ { "user": { "mappings": [ { "sourcePath": "$. "optional": true.ISLOCKED. Every BAPI table is represented as a JSON array and every BAPI structure is represented as a child JSON object. "targetPath": "$.LASTNAME attribute is used for the name. "optional": true. Below are some of the statements in the default transformation described in short: Code Syntax /* The value of entityIdSourceSystem stores the unique ID of the identity. "targetPath": "$. /* The ADDRESS. "targetPath": "$. "targetPath": "$. 
Every BAPI table is represented as a JSON array and every BAPI structure is represented as a child JSON object. Below are some of the statements in the default transformation, described in short:

Code Syntax
{
  "user": {
    "mappings": [
      /* The value of entityIdSourceSystem stores the unique ID of the identity. Do not delete this statement! You could exchange the default attribute USERNAME that is used as source with another one, but make sure the new source attribute is unique. */
      {
        "sourcePath": "$.USERNAME",
        "targetVariable": "entityIdSourceSystem"
      },
      /* The USERNAME attribute is used also as userName value for the internal JSON representation. */
      {
        "sourcePath": "$.USERNAME",
        "targetPath": "$.userName"
      },
      /* The ADDRESS.FIRSTNAME attribute is used for the name.givenName value in the internal JSON representation. */
      {
        "sourcePath": "$.ADDRESS.FIRSTNAME",
        "optional": true,
        "targetPath": "$.name.givenName"
      },
      /* The ADDRESS.LASTNAME attribute is used for the name.familyName value in the internal JSON representation. */
      {
        "sourcePath": "$.ADDRESS.LASTNAME",
        "optional": true,
        "targetPath": "$.name.familyName"
      },
      /* The ADDRESS.E_MAIL attribute is used also as the first array value in the emails JSON array. */
      {
        "sourcePath": "$.ADDRESS.E_MAIL",
        "optional": true,
        "targetPath": "$.emails[0].value"
      },
      /* The constant urn:ietf:params:scim:api:messages:2.0:User is required as a value for the schemas definition in the Identity Authentication SCIM REST API. */
      {
        "constant": "urn:ietf:params:scim:api:messages:2.0:User",
        "targetPath": "$.schemas[0]"
      },
      /* The user is inactive by default and becomes active only when none of the ISLOCKED flags has the value 'L' (locked). */
      {
        "constant": false,
        "targetPath": "$.active"
      },
      {
        "condition": "($.ISLOCKED.LOCAL_LOCK != 'L') && ($.ISLOCKED.GLOB_LOCK != 'L') && ($.ISLOCKED.NO_USER_PW != 'L') && ($.ISLOCKED.WRNG_LOGON != 'L')",
        "constant": true,
        "targetPath": "$.active"
      },
      /* ACTIVITYGROUPS (SAP ABAP roles) are transformed by default into the groups attribute of the SCIM internal representation: */
      {
        "sourcePath": "$.ACTIVITYGROUPS[*].AGR_NAME",
        "optional": true,
        "preserveArrayWithSingleElement": true,
        "targetPath": "$.groups[?(@.value)]"
      }
    ]
  },
  "group": {
    "ignore": true,
    "mappings": [
      {
        "sourcePath": "$.ROLE_NAME",
        "targetVariable": "entityIdSourceSystem"
      },
      {
        "sourcePath": "$.ROLE_NAME",
        "targetPath": "$.displayName"
      },
      {
        "constant": "urn:ietf:params:scim:schemas:core:2.0:Group",
        "targetPath": "$.schemas[0]"
      },
      {
        "sourcePath": "$.USERLIST[*].USERNAME",
        "optional": true,
        "preserveArrayWithSingleElement": true,
        "targetPath": "$.members[?(@.value)]"
      }
    ]
  }
}

How to transform ABAP roles, assigned to the users in AS ABAP, into corporate groups in the Identity Authentication?

When you configure AS ABAP as a source and Identity Authentication as a target system in the Identity Provisioning service, the default transformations offered by the solution help you to use the ABAP role assignments of the users as source data and to create corporate group assignments for the users in the Identity Authentication automatically. When your account is created in the Identity Authentication, it is also assigned to one or several corporate groups, with the same names as the names of the AS ABAP roles available for you in the AS ABAP source system.

1. When a user is assigned to one or several AS ABAP roles, the technical names of these AS ABAP roles (their attribute name is called AGR_NAME in the AS ABAP systems) will become the corporate groups value in the Identity Authentication. The following is an example of how the sample roles, read from the AS ABAP system, will become groups in the intermediate JSON data, as a result of the transformation statement:

   Table 16:
   Data read from AS ABAP user store (Sample Code):
   …
   "ACTIVITYGROUPS": [
     { "AGR_NAME": "ZFICO_03", "FROM_DAT": "16.05.2016", "TO_DAT": "31.12.9999", "AGR_TEXT": "FICO 03" },
     { "AGR_NAME": "ZCASH_01", "FROM_DAT": "27.04.2016", "TO_DAT": "31.12.9999", "AGR_TEXT": "CASH 01" }
   ]
   …
   Intermediate JSON data (Sample Code):
   …
   "groups": [
     { "value": "ZFICO_03" },
     { "value": "ZCASH_01" }
   ]
   …

2. The mapping statement in the default transformation, available when the Identity Authentication service is configured as a target system:

   Sample Code
   {
     "sourcePath": "$.groups",
     "optional": true,
     "preserveArrayWithSingleElement": true,
     "targetPath": "$.corporateGroups"
   }

3. The following is an example of how the groups from the intermediate JSON are transformed into corporate groups, using the transformation statement:

   Table 17:
   Intermediate JSON data (Sample Code):
   …
   "groups": [
     { "value": "ZFICO_03" },
     { "value": "ZCASH_01" }
   ]
   …
   Transformation output result (Sample Code):
   …
   "corporateGroups": [
     { "value": "ZFICO_03" },
     { "value": "ZCASH_01" }
   ]
   …

Next Steps

1. Before starting a provisioning job, you can first subscribe to the source system you use in your scenario. This way, you will be notified by e-mail about eventual failed entities during the job. For more information, see Manage Job Notifications [page 86].
2. Now, start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 83].

1.5.4 SAP Cloud Platform Identity Authentication (Source and Target)

Follow this procedure to set up SAP Cloud Platform Identity Authentication as a source or a target system.

Prerequisites

You have created a technical user in the Identity Authentication service. For more information, see Add System as Administrator. Details:
● The technical user will call the SCIM REST API of the service. This way you can create, edit and delete users and groups in the Identity Authentication user store.
● The technical users on the Identity Authentication service side are called systems.
● You must configure the technical user with a password and assign to it the authorization roles Manage Users and Manage Groups.

Context

The Identity Authentication service offers a user store in the cloud platform, which could be used as a source or a target system for the Identity Provisioning service.
● Identity Authentication as a source system
  The user store of the Identity Authentication service can manage different types of users (employees, partners, consumers). The service offers self-services to help companies easily onboard all types of users, and especially users external to the company. Once the users are available (self-registered, imported, or manually created) in the Identity Authentication user store, the Identity Provisioning service offers provisioning and policy-based authorization management for them to different target systems.
● Identity Authentication as a target system
  Using the Identity Provisioning service you can read corporate users from on-premise systems or from cloud systems, and provision these users to the Identity Authentication user store. This way, you can implement secure authentication, single sign-on (SSO) or strong authentication, and mobile SSO as a service for the Web and cloud applications of your company. For example, you can implement two-factor authentication and mobile SSO for SAP SuccessFactors users.

Procedure

1. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning Service (Productive) [page 24].
2. Add SAP Cloud Platform Identity Authentication as a source or a target system. For more information, see Add System [page 50].
3. Choose the Properties tab to configure the connection settings for your system.
   Note
   If you have already created a connectivity destination for this system in SAP Cloud Platform cockpit, select it from the Destination dropdown box. If one and the same property exists both in the cockpit and in the Identity Provisioning UI, the value set in the Properties tab will be considered with higher priority.

   Table 18: Mandatory Properties
   Property Name | Description & Value
   Type | Enter: HTTP
   URL | Specify the URL of the Identity Authentication service tenant of your company. For example: https://mytenant.accounts.ondemand.com
   ProxyType | Enter: Internet. The Identity Authentication service is a cloud solution and is outside of your company on-premise infrastructure.
   Authentication | Enter: BasicAuthentication
   User | Enter the technical user name configured for the Identity Authentication service.
   Password | Enter the password for the Identity Authentication service technical user.

   To learn what additional properties are relevant to your scenario, see List of Properties [page 56]. You can search or filter the table by your system type name, as well as by "All Systems".
4. (Optional) Configure the transformations.
   Transformations are used to map the user attributes from the data model of a source system to the data model of the target system, and the other way around. The Identity Provisioning service offers default transformations when the Identity Authentication service is used as a source or target system. The default transformation settings can be displayed under the Transformations tab after saving the initial source or target system configuration.

Identity Authentication as a Source System

When the Identity Authentication service is configured as a source system, the default transformation logic reads all the user attributes from the Identity Authentication service user store and then maps the attributes to the internal SCIM representation. For more information, see Identity Authentication service SCIM REST API.

Note
When a user is deleted from the Identity Authentication service, the Identity Provisioning service takes the deletion status into account during the read process. Depending on the off-boarding user handling in the target system, a user can be deleted, or can be set to inactive.

Default transformation for Identity Authentication service as a source system:

Code Syntax
{
  "user": {
    "mappings": [
      {
        "sourcePath": "$",
        "targetPath": "$"
      },
      /* The entityIdSourceSystem is used to store the unique ID of the identity. It is provided by the Identity Authentication service SCIM REST API. You should not delete this statement. You can exchange the default attribute id that is used as source with another one, but make sure the new source attribute is unique. */
      {
        "sourcePath": "$.id",
        "targetVariable": "entityIdSourceSystem"
      },
      /* The id is removed because, by default, it's not necessary for the target systems' API. */
      {
        "targetPath": "$.id",
        "type": "remove"
      },
      {
        "targetPath": "$.meta",
        "type": "remove"
      },
      {
        "targetPath": "$.companyRelationship",
        "type": "remove"
      },
      {
        "targetPath": "$.passwordStatus",
        "type": "remove"
      },
      {
        "targetPath": "$.mailVerified",
        "type": "remove"
      },
      {
        "targetPath": "$.sourceSystem",
        "type": "remove"
      },
      /* The groups[*].display (this is the display name of the corporate groups) is removed because, by default, it's not necessary for the target systems' API. */
      {
        "targetPath": "$.groups[*].display",
        "type": "remove"
      }
    ]
  },
  "group": {
    "ignore": true,
    "mappings": [
      {
        "sourcePath": "$",
        "targetPath": "$"
      },
      {
        "sourcePath": "$.id",
        "targetVariable": "entityIdSourceSystem"
      },
      {
        "targetPath": "$.id",
        "type": "remove"
      },
      {
        "targetPath": "$.meta",
        "type": "remove"
      },
      {
        "constant": "urn:ietf:params:scim:schemas:core:2.0:Group",
        "targetPath": "$.schemas[0]"
      },
      {
        "constant": "urn:sap:cloud:scim:schemas:extension:custom:2.0:Group",
        "targetPath": "$.schemas[1]"
      },
      {
        "condition": "$.displayName EMPTY true",
        "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']",
        "targetPath": "$.displayName"
      },
      {
        "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']",
        "optional": true,
        "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']"
      },
      {
        "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['description']",
        "optional": true,
        "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['description']"
      },
      {
        "sourcePath": "$.members",
        "optional": true,
        "preserveArrayWithSingleElement": true,
        "targetPath": "$.members"
      }
    ]
  }
}

Identity Authentication as a Target System

When the Identity Authentication service is configured as a target system, the default transformation logic:
○ reads all user attributes from the intermediate SCIM representation,
○ skips some of the attributes from the identity records,
○ excludes some of the identity records.
This way, the transformation logic ensures that the identity data sent to the Identity Authentication service SCIM REST API is consistent.

Default transformation for Identity Authentication service as a target system:

Code Syntax
{
  "user": {
    /* Skip the identity records where name.familyName is empty because this data is mandatory for the SCIM REST API of the Identity Authentication service. */
    "condition": "($.emails.length() > 0) && ($.name.familyName EMPTY false)",
    "mappings": [
      {
        "sourcePath": "$",
        "targetPath": "$"
      },
      {
        "sourceVariable": "entityIdTargetSystem",
        "targetPath": "$.id"
      },
      /* The intermediate JSON data for groups is mapped to corporateGroups in the JSON sent to the Identity Authentication, because the corporateGroups attribute is the specific representation of corporate groups in the Identity Authentication. */
      {
        "sourcePath": "$.groups",
        "optional": true,
        "preserveArrayWithSingleElement": true,
        "targetPath": "$.corporateGroups"
      },
      {
        "targetPath": "$.groups",
        "type": "remove"
      },
      /* The user is created as active by default, and thus the user can log on to the application directly. */
      {
        "constant": true,
        "targetPath": "$.active",
        "scope": "createEntity"
      },
      /* An activation e-mail will not be sent to the user. */
      {
        "constant": "false",
        "targetPath": "$.sendMail",
        "scope": "createEntity"
      },
      {
        "constant": "true",
        "targetPath": "$.mailVerified",
        "scope": "createEntity"
      },
      /* There will be no initial password provided by default. That's why passwordStatus has the value disabled. */
      {
        "constant": "disabled",
        "targetPath": "$.passwordStatus",
        "scope": "createEntity"
      },
      /* The userType attribute accepts different values. The value used for the default transformation is employee. */
      {
        "constant": "employee",
        "targetPath": "$.userType",
        "scope": "createEntity"
      },
      /* The sourceSystem attribute shows the provisioning source of the users. The supported value is 39. Do not delete this statement and do not change the constant! */
      {
        "constant": "39",
        "targetPath": "$.sourceSystem",
        "scope": "createEntity"
      },
      /* The default transformation removes schemas:extension:enterprise because it contains values that are source system dependent and could be invalid for the target system (for example, the manager ID). */
      {
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']",
        "type": "remove"
      }
    ]
  },
  /* By default, group is inactive (ignored) but groups are supported. To start provisioning groups, either delete the statement "ignore": true, or set its value to false. */
  "group": {
    "ignore": true,
    "mappings": [
      {
        "sourceVariable": "entityIdTargetSystem",
        "targetPath": "$.id"
      },
      {
        "sourcePath": "$.displayName",
        "targetPath": "$.displayName"
      },
      {
        "sourcePath": "$.displayName",
        "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']",
        "scope": "createEntity",
        "functions": [
          {
            "type": "replaceAllString",
            "regex": "[\\s\\p{Punct}]",
            "replacement": "_"
          }
        ]
      },
      {
        "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']",
        "optional": true,
        "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']"
      },
      {
        "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['description']",
        "optional": true,
        "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['description']"
      },
      {
        "sourcePath": "$.members[*].value",
        "optional": true,
        "preserveArrayWithSingleElement": true,
        "targetPath": "$.members[?(@.value)]",
        "functions": [ { "type": "resolveEntityIds" } ]
      }
    ]
  }
}
You can change the default transformation mapping rules depending on your setup of entities in the Identity Authentication service. For more information, see Manage Transformations [page 30].

Next Steps

1. Before starting a provisioning job, you can first subscribe to the source system you use in your scenario. This way, you will be notified by e-mail about eventual failed entities during the job. For more information, see Manage Job Notifications [page 86].
2. Now, start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 83].

Related Information

Identity Authentication service documentation
Identity Authentication service SCIM REST API

1.5.5 SAP Cloud Platform Java/HTML5 Apps (Target)

Follow this procedure to set up SAP Cloud Platform Java or HTML5 applications as target systems.

Prerequisites

You have created a new client for the Authorization Management REST API and securely saved the Client ID and Client Secret. You will need them later when you have to create the destination for the system. For more information, see Using the Authorization Management API.

Caution
Do not forget to save the Client ID and Client Secret because you cannot retrieve them again later.

Context

The Identity Provisioning service helps companies to automatically manage the user-to-group assignments for Java/HTML5 applications running on the SAP Cloud Platform. For this aim, the service reuses data from an existing user store of the company. For this scenario, SAP Cloud Platform (in short, the cloud platform) is the target system.
The source system can be a solution supported by the Identity Provisioning service with read access for group artifacts, such as Microsoft Active Directory (user and group assignments). This provisioning scenario is based on the Authorization Management REST API of the cloud platform. For more information, see Using the Authorization Management REST API.

Procedure

1. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning Service (Productive) [page 24].
2. Add SAP Cloud Platform Java/HTML5 Apps as a target system. For more information, see Add System [page 50].
3. Choose the Properties tab to configure the connection settings for your system.
   Note
   If you have already created a connectivity destination for this system in SAP Cloud Platform cockpit, select it from the Destination dropdown box. If one and the same property exists both in the cockpit and in the Identity Provisioning UI, the value set in the Properties tab will be considered with higher priority.

   Table 19: Mandatory Properties
   Property Name | Description & Value
   Type | Enter: HTTP
   URL | Enter: https://api.hana.ondemand.com/authorization/v1/accounts/<cloud_account>
   ProxyType | Enter: Internet
   Authentication | Enter: BasicAuthentication
   User | Enter the Client ID of the new client created for the Authorization Management API (see the prerequisites).
   Password | Enter the Client Secret of the new client created for the Authorization Management API (see the prerequisites).
   OAuth2TokenServiceURL | Enter: https://api.hana.ondemand.com/oauth2/apitoken/v1

   To learn what additional properties are relevant to your scenario, see List of Properties [page 56]. You can search or filter the table by your system type name, as well as by "All Systems".
4. Configure the transformations. You can change the default transformation mapping rules to reflect the data that is read from the source system. For more information, see Manage Transformations [page 30].
   Using the default transformation, all groups that are available in the source system (for Microsoft Active Directory, consider also the value of parameter ldap.group.path) are created as groups in the cloud platform account, which is configured as the target system. Each group is assigned the same list of users (as identities) that are members of that group in the source system. Below are some of the statements in the default transformation, described in short:

   Code Syntax
   {
     "group": {
       "mappings": [
         /* Attribute entityIdTargetSystem stores the displayName attribute as a unique value of the group. Do not delete this statement! */
         {
           "sourcePath": "$.displayName",
           "targetVariable": "entityIdTargetSystem"
         },
         /* All members of a source group will be transformed, by default, into users for a new group. It will be created in the cloud platform account (the target system) when the JSON data is prepared to be sent to the target system. */
         {
           "sourcePath": "$.members[*].value",
           "optional": true,
           "targetPath": "$.users"
         }
       ]
     }
   }

Next Steps

1. Before starting a provisioning job, you can first subscribe to the source system you use in your scenario. This way, you will be notified by e-mail about eventual failed entities during the job. For more information, see Manage Job Notifications [page 86].
2. Now, start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 83].

1.5.6 SAP Document Center (Target)

Follow this procedure to set up SAP Document Center as a target system.

Prerequisites

● You have an SAP Cloud Platform user with administration rights for the tenant.
● You have enabled the SAP Document Center service in the cockpit.

Context

SAP Document Center offers programs (apps) that can be downloaded and run on multiple independent devices. For more information, see SAP Document Center. It plays the role of a content service for your SAP Cloud Platform subaccount. To use it as a target system for writing users, follow the procedure below.

Procedure

1. Assign your SAP Cloud Platform user admin rights for SAP Document Center. To do this, open the SAP Document Center service tile (in the cockpit), open the link Assign Roles & Set Destinations, choose Administrator, and then Assign.
2. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning Service (Productive) [page 24].
3. Add SAP Document Center as a target system. For more information, see Add System [page 50].
4. Choose the Properties tab to configure the connection settings for your system.
   Note
   If you have already created a connectivity destination for this system in SAP Cloud Platform cockpit, select it from the Destination dropdown box. If one and the same property exists both in the cockpit and in the Identity Provisioning UI, the value set in the Properties tab will be considered with higher priority.

   Table 20: Mandatory Properties
   Property Name | Description & Value
   Type | Enter: HTTP
   URL | Enter the URL generated in the cockpit for your subaccount in the SAP Document Center tile. You can take this URL from the Configure SAP Document Center link. Remove the last slash after ".../admin".
   ProxyType | Enter: Internet
   Authentication | Enter: BasicAuthentication
   User | Enter your SAP Cloud Platform user (with administrator rights).
   Password | Enter the password for your SAP Cloud Platform user.

   To learn what additional properties are relevant to your scenario, see List of Properties [page 56].
   You can search or filter the table by your system type name, as well as by "All Systems".
5. (Optional) Configure the transformations. You can change the default transformation mapping rules to reflect your current setup of entities in your SAP Document Center target system. For more information, see Manage Transformations [page 30].

   Code Syntax
   {
     "user": {
       "condition": "$.userName EMPTY false",
       "mappings": [
         {
           "sourceVariable": "entityIdTargetSystem",
           "targetPath": "$.id"
         },
         {
           "sourcePath": "$.name.givenName",
           "optional": true,
           "targetPath": "$.firstName"
         },
         {
           "sourcePath": "$.name.familyName",
           "optional": true,
           "targetPath": "$.lastName"
         },
         {
           "sourcePath": "$.emails[0].value",
           "optional": true,
           "targetPath": "$.email"
         },
         {
           "sourcePath": "$.userName",
           "targetPath": "$.logonId"
         }
       ]
     }
   }

Next Steps

1. Before starting a provisioning job, you can first subscribe to the source system you use in your scenario. This way, you will be notified by e-mail about eventual failed entities during the job. For more information, see Manage Job Notifications [page 86].
2. Now, start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 83].

1.5.7 SAP HANA Database – Beta (Target)

Follow this procedure to set up SAP HANA Database (Beta) as a target system.

Note
This is a beta feature available on SAP Cloud Platform. For more information, see: Using Beta Features in Subaccounts

Prerequisites

● You have credentials for a tenant in SAP Cloud Platform. For more information, see: Accounts
● You have the necessary connection settings to reach an SAP HANA database, which allows you to log into remote systems that have SAP HANA installed.
● (Optional) You have installed the SAP Cloud Platform cloud connector in your corporate environment and have done the initial configuration. You need this only when your SAP HANA DB resides in a remote on-premise system, outside your Neo environment. For more information, see Cloud Connector.

Context

SAP HANA Database is a system (connector) in beta state. Only provisioning of entity type user is currently supported by this connector. That includes user assignments to roles and all types of catalog and repository privileges (schema, analytic, application). For more information about SAP HANA privileges, see:
● SAP HANA: GRANT Statement (Access Control)
● SAP HANA: Stored Procedures Used to Grant/Revoke Privileges on Activated Repository Objects

When using this connector, what you actually need is to connect to the JDBC SQL port of SAP HANA. Depending on whether this port is visible or hidden, you have the following use cases:

Case 1 – The JDBC port is directly accessible by the enabled Identity Provisioning Neo account. That mostly happens when it resides in the same Neo environment as your Identity Provisioning service. Set the proxy type to Internet.

Case 2 – The JDBC port is not directly accessible by your Neo environment. You have to configure your SAP HANA Database (Beta) connector so as to open an SSH tunnel to a system that has access to the JDBC port. There are two subcases:
● The JDBC port of the SAP HANA DB is accessible by a system which is publicly reachable through the SSH protocol. Set the proxy type to Internet.
● The JDBC port of the SAP HANA DB is accessible by a system which is reachable through the SSH protocol only from an internal network. You need to have the Cloud Connector installed in that network and configure it to allow SSH connections from the Identity Provisioning service account. You have to create the SSH tunnel by using a TCP protocol connection configuration from the Cloud Connector; when configuring the access control, specify the SSH host and port to reach the system that has access to the JDBC port. Set the proxy type to OnPremise.

Case 3 – The SAP HANA DB is installed in the Cloud Foundry environment. The SAP HANA Database (Beta) connector will open an SSH tunnel to a running application container in the Cloud Foundry space. The space configuration of the security groups allows access to the JDBC port of SAP HANA MDC. You need to enable SSH access on both space and application level. To do this, execute the relevant console commands in the Cloud Foundry command line tool (see: Cloud Foundry: Accessing Apps with SSH). You need to have the Space Developer role. Again, there are two subcases:
● The Cloud Foundry landscape is publicly accessible through the SSH protocol. Set the proxy type to Internet.
● The Cloud Foundry landscape is accessible through the SSH protocol only from a particular network. You need to have the Cloud Connector installed in that network and configure it to allow SSH connections from the Identity Provisioning service account. Set the proxy type to OnPremise.

Procedure

1. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning Service (Productive) [page 24].
2. Add SAP HANA Database (Beta) as a target system. For more information, see Add System [page 50].
3. Choose the Properties tab to configure the connection settings for your system.
   Note
   If you have already created a connectivity destination for this system in SAP Cloud Platform cockpit, select it from the Destination dropdown box. If one and the same property exists both in the cockpit and in the Identity Provisioning UI, the value set in the Properties tab will be considered with higher priority.

   Below are listed the available SAP HANA properties. Some of them can be mandatory and others optional, depending on your scenario.

   Table 21: Mandatory Properties
   Property Name | Description & Value
   ProxyType | This property is applicable if you use an SSH tunnel (hana.jdbc.access.type = ssh.tunnel or cf.tunnel). Possible values: Internet – if the SSH port is visible in your Neo environment; OnPremise – if the SSH port is not directly accessible and you have to use the Cloud Connector. In that case you have to configure a TCP protocol connection to the SSH host and port (specify the configuration properties hana.jdbc.ssh.tunnel.host and hana.jdbc.ssh.tunnel.port).
   CloudConnectorLocationId | Relevant when the proxy type is OnPremise. Use it only if your SAP Cloud Platform account uses more than one Cloud Connector.
   hana.jdbc.access.type | There are three types of SAP HANA access: direct – requires only the hana.jdbc.db.* properties; ssh.tunnel – requires the hana.jdbc.db.* and hana.jdbc.ssh.tunnel.* properties; cf.tunnel – requires the hana.jdbc.db.*, hana.jdbc.ssh.tunnel.* and hana.jdbc.cf.* properties to establish an SSH tunnel to the Cloud Foundry application, from which to access the JDBC SQL port of SAP HANA.
   hana.jdbc.db.url | The JDBC URL of the SAP HANA database (SQL port, for example 30015). Required for every access type.
   hana.jdbc.db.user | The database user.
   hana.jdbc.db.password (Credential) | The password of the database user.
   hana.jdbc.ssh.tunnel.host | The SSH host through which the JDBC port is reached (ssh.tunnel and cf.tunnel).
   hana.jdbc.ssh.tunnel.port | The SSH port. Default: 22
   hana.jdbc.ssh.tunnel.auth.type | Supported SSH authentication types: key, pwd, otp, key+otp, key+pwd, pwd+otp, key+pwd+otp
   hana.jdbc.ssh.tunnel.auth.username | The SSH user.
   hana.jdbc.ssh.tunnel.auth.password (Credential) | The password for property hana.jdbc.ssh.tunnel.auth.username. Relevant for the authentication types that include pwd, for example key+pwd+otp.
   hana.jdbc.cf.username | This is the Cloud Foundry user (cf.tunnel). For more information, see: Cloud Foundry: Accessing Apps with SSH

   To learn what additional properties are relevant to your scenario, see List of Properties [page 56].
hana.jdbc.space This is the Cloud Foundry space.app This is the Cloud Foundry application to which the SAP HANA Database (Beta) system opens an SSH tunnel.cf.cf.key (Credential) Taken into account only if the authentication type includes otp.type = key+otp ○ hana.auth.type = key +pwd ○ hana.cf.instance This is the instance number of the Cloud Foundry applica­ tion.auth.tunnel.ssh.ssh. That means any of the following: ○ hana.jdbc.key (Credential) Taken into account only if the authentication type includes key.auth.type = key +pwd+otp hana.jdbc.type = pwd +otp ○ hana.password (Credential) Taken into account only if the authentication type includes pwd.type = otp ○ hana.type = key ○ hana.jdbc.auth.jdbc.ssh.jdbc.tunnel.tunnel.tunnel.auth.jdbc. hana.tunnel.ssh. For more information.jdbc.type = key+otp ○ hana.ssh.type = key +pwd ○ hana.type = pwd ○ hana.private.jdbc.ssh.tunnel.tunnel.jdbc.cf.org This is the Cloud Foundry organization.cf.ssh.ssh.tunnel.ssh.ssh.cf.ssh. It has the role Developer for the space where the application is deployed.tunnel.tunnel.tunnel. SAP Cloud Platform Identity Provisioning Service SAP Cloud Platform Identity Provisioning Service PUBLIC 115 .ssh.type = pwd +otp ○ hana.cf.tunnel.ssh. You can search or filter the table by your system type name.ssh.auth.jdbc.tunnel.ssh.tunnel.jdbc.auth.jdbc. hana.username hana.jdbc. Property Name Description & Value hana. That means any of the following: ○ hana.secret.auth. That means any of the following: ○ hana.ssh. hana. as well as by "All Systems". "constant": true. "targetPath": "$. { "ignore": true. "minimumNumberOfUppercaseLetters": 1. { "sourcePath": "$. "scope": "createEntity".username" }. { "constant": true. "targetPath": "$. "minimumNumberOfSpecialSymbols": 0 } ] }. Code Syntax { "user": { "condition": "$. "scope": "deleteEntity" }.userName". "minimumNumberOfDigits": 1. "mappings": [ { "sourcePath": "$. 
You can change the default transformation mapping rules to reflect your current setup of entities in your SAP HANA Database (Beta) target system.password_option. "passwordLength": 24. SAP Cloud Platform Identity Provisioning Service 116 PUBLIC SAP Cloud Platform Identity Provisioning Service .enable_password_lifetime" }. "targetPath": "$.username". "targetPath": "$.force_password_change" }. "minimumNumberOfLowercaseLetters": 1. { "ignore": true. "scope": "createEntity" }. { "targetPath": "$. "targetPath": "$. "targetPath": "$. "constant": true. "scope": "deleteEntity" }.password_option. "constant": true. "targetPath": "$. { "constant": true.deactivate". "functions": [ { "type": "randomPassword".userName EMPTY false". { "ignore": true. "targetPath": "$.password".reset_connect_attempts" }.userName".no_force_first_password_change". (Optional) Configure the transformations. { "constant": false.deactivate" }. { "ignore": true. For more information.4. see Manage Transformations [page 30]. { "ignore": true. { "ignore": true. { "ignore": true. "targetPath": "$. "constant": "role".valid_from" }.name" }. "targetPath": "$. { "constant": "NOW". "constant": "MONITORING".catalog_permissions[1].catalog_permissions[0]. "targetPath": "$. { "ignore": true.valid_to" }. "targetPath": "$. "targetPath": "$. "constant": "1970-01-01 00:00:00.on" }. "targetPath": "$.appcore. "targetPath": "$. "targetPath": "$.disable_client_connect" }. "constant": "SELECT CDS METADATA". { "ignore": true.valid_from" }. "targetPath": "$. "targetPath": "$. { "ignore": true.type" }.name" }. "targetPath": "$. "targetPath": "$.repository_permissions[0]. "targetPath": "$.type" }.valid_to" }. "constant": true. "constant": "object_privilege".type" }.auth. { "ignore": true. { "ignore": true.type" }.repository_permissions[0].catalog_permissions[1].0". { "ignore": true.USERS". "constant": "ADMIN". "targetPath": "$. "constant": "application_privilege".option" }. "constant": "sap.catalog_permissions[1].0". 
{ "ignore": true. { "ignore": true. "constant": "SYS. SAP Cloud Platform Identity Provisioning Service SAP Cloud Platform Identity Provisioning Service PUBLIC 117 . { "constant": "FOREVER".catalog_permissions[0]. "constant": "1970-01-01 00:00:00.catalog_permissions[0].p::select_ACCESS_VIEWS_BY_USER". "constant": "role".name" }.repository_permissions[1]. { "ignore": true. "constant": "sap.ide::Catalog". you can first subscribe to the source system you use in your scenario. depending on your tenant setup. you will be notified by e-mail about eventual failed entities during the job.8 SAP Hybris Cloud for Customer (Target) Follow this procedure to set up SAP Hybris Cloud for Customer as a target system. SAP Cloud Platform Identity Provisioning Service 118 PUBLIC SAP Cloud Platform Identity Provisioning Service . { "ignore": true. "constant": "_SYS_BI_CP_ALL". Context If you use SAP Hybris Cloud for Customer (C4C). This business user is required for the user to log into the SAP Hybris Cloud for Customer system. "constant": "analytic_privilege". Note This is only applicable when using API v. "targetPath": "$. { "ignore": true. an employee and a business user are created for every user from the source system.5. see Manage Job Notifications [page 86]. "targetPath": "$. see Manage Jobs and Job Logs [page 83].repository_permissions[2]. For more information. For more information. "constant": true. { "ignore": true. "targetPath": "$. The Identity Provisioning service uses the SAP Hybris Cloud for Customer Web Service API for the provisioning process. Now. by using the Identity Provisioning service.name" } ] } } Next Steps 1.name" }.revoke" }. you can automatically create the required business users and employee accounts.repository_permissions[2].repository_permissions[2].2) does not support user transfer to a staging area. Keep in mind that once you have provisioned the entities to SAP Hybris Cloud for Customer. start an identity provisioning job. 2.1.type" }. 
Before starting a provisioning job. "targetPath": "$.hana. 1. This way. Users created via Web Service API are initially transferred to a staging area and can then be replicated to the SAP Hybris C4C system manually or via a job.repository_permissions[1]. The new API (v. Save the communication arrangement and review the data – the service URL will be displayed. and define the user ID and password for the technical user. ○ Configure the communication and information exchange: Go to Business Configuration tab of your SAP Hybris Cloud for Customer system. 4. Communication scenario – select Employee Replication from SAP Business Suite. 2. 3. Configure the communication and information exchange for your SAP Hybris Cloud for Customer system. See: Create Communication Systems 1. Note To set up the SAP Hybris Cloud for Customer system in the Identity Provisioning UI. Open the user interface of the Identity Provisioning service. Add SAP Hybris Cloud for Customer as a target system. see Access the Identity Provisioning Service (Productive) [page 24]. and choose Edit Project Scope. Activate this communication system. Choose the Properties tab to configure the connection settings for your system. Go to step Questions. Since SAP Hybris is part of SAP Business Suite. Choose Internet as system access type. user ID and password defined during the setup of the arrangement. Add a new system instance. see the Related Information section at the end of this page. SAP Cloud Platform Identity Provisioning Service SAP Cloud Platform Identity Provisioning Service PUBLIC 119 . 4.Procedure 1. The ID and the IDoc logical system ID should be identical (for example. the value set in the Properties tab will be considered with higher priority. Scenario details: ○ Create a communication system by filling in the mandatory fields. Business data – enter the system instance ID defined in the communication system. 3. See: Maintain Communication Arrangements 1. 
then expand Communication and Information Exchange Integration with External Applications and Solutions and select the checkbox next to Integration of Master Data. you need the service URL. 2. 2. 2. For more information about SAP Hybris C4C setup. 3. For more information. select it from the Destination dropdown box. then select UserID and Password for the authentication method. 4. The SAP client needs to be different than 000 (for example. For more information. If one and the same property exists both in the cockpit and in the Identity Provisioning UI. select the relevant implementation project from the list. 001). see Add System [page 50]. For more information. then expand Communication and Information Exchange Integration with External Applications and Solutions and choose Integration of Master Data. Note If you have already created a connectivity destination for this system in SAP Cloud Platform cockpit. Go to step Scoping. Technical data – select Web Service as the application protocol. select the checkbox next to question Group: Employees Do you want to replicate employee data from an external application or solution to your cloud solution? ○ Create a communication arrangement. see Maintain Communication Arrangements. select the SAP Business Suite checkbox. IPS). On the right-hand side. 1. You can search or filter the table by your system type name. Table 22: Mandatory Properties Property Name Description & Value Type Enter: HTTP URL Specify the service URL of the set communication arrange­ ment. see Manage Transformations [page 30]. and for API v. For more information about the default transformation rules and the transformation process. SAP Cloud Platform Identity Provisioning Service 120 PUBLIC SAP Cloud Platform Identity Provisioning Service . see List of Properties [page 56]. c4c. The initial transformation logic contains the minimum required properties for successful provisioning of the users. (applicable to API v. Configure the transformations. 
see the Related Information section. configured for the communi­ cation system setting in the SAP Hybris Cloud for Customer (applicable to API v. the Identity Provisioning service uses version 1.2) For example: IPS To learn what additional properties are relevant to your scenario. For more information. You can change the default transformation mapping rules to reflect your current setup of entities before sending them to the target system. By default. you can determine the API version used by your SAP Hybris C4C system. as well as by "All Systems".1.1 is humancapitalmanagementmasterd6. If you want to extend the default transformation. ProxyType Enter: Internet Authentication Enter: BasicAuthentication User Enter the user ID of the technical user. Password Enter the password of the technical user. see the Web Service APIs Employee Master Data Replication .1) system. It's equal to the value of property RemoteSystemID from API v.2) Example: 0011SAP SenderPartyID Enter the name of the sender system name. Note After you set up the communication arrangement. RecipientPartyID Enter the recipient system name. 5. Possible values – 1 or 2. It represents the ID at the end of your gen­ erated URL – the name of API v. set in the commu­ nication arrangement for the SAP Hybris Cloud for Cus­ tomer user. (applicable to API v. configured for the communication arrangement in the SAP Hybris Cloud for Customer system. supported by SAP Hybris Cloud for Customer.2 is employeereplicationin2.version The version of the C4C API you use. RemoteSystemID Enter the system instance ID.api. familyName".RemoteObjectID" }. /* Statements that start with EmployeeType are supported by the SAP Hybris C4C system only for internal employees.GivenName" }. { "sourcePath": "$.version=1. a business user is created for every user. the Identity Provisioning UI uses the old C4C API (humancapitalmanagementmasterd6). "targetPath": "$.givenName".ValidityPeriod. Using the old API (version 1) By default. 
The value of the currentDate variable (the date when the provisioning is executed) is set as validity start date of the employee. "targetPath": "$. Respectively.PersonalDetails. { "constant": "9999-12-31". "functions": [ { "type": "manipulateDate".api. "functions": [ { "type": "manipulateDate". (Service agents are not supported as EmployeeType.ValidityPeriod. { SAP Cloud Platform Identity Provisioning Service SAP Cloud Platform Identity Provisioning Service PUBLIC 121 . { "sourcePath": "$. "targetPath": "$. "optional": true. "targetDateFormat": "yyyy-MM-dd" } ] }. "targetPath": "$. Besides replicated employees in SAP Hybris C4C. systems are created with c4c. "targetPath": "$.name. You need to use the transformation below and specify the mandatory attribute RemoteSystemID. Code Syntax /* Attribute RemoteObjectID stores the user name from the source system in the SAP Hybris C4C system. */ { "sourceVariable": "currentDate".StartDate". In the default transformation statement.EndDate" }. The following interface is used for replicating employee master data to SAP Hybris C4C: HumanCapitalManagementMasterDataReplicationEmployeeMasterDataReplicationIn. it's converted to the format required by SAP Hybris C4C via a transformation function.PersonalDetails. /* Statements that start with PersonalDetails are related to the employee created in SAP Hybris C4C.userName".StartDate". "targetPath": "$.name.FamilyName" }. The supported employee types are mandatory and relevant only to lean employees).EmployeeType. */ { "user": { "mappings": [ { "sourcePath": "$. "targetDateFormat": "yyyy-MM-dd" } ] }.ValidityPeriod. */ { "sourceVariable": "currentDate".PersonalDetails.PersonalDetails. "optional": true. "targetPath": "$. "sourcePath": "$ ['urn:ietf:params:scim:schemas:extension:enterprise:2.value".userName".version=2. "targetPath": "$. { "sourcePath": "$.type == 'mobile')]. "sourceVariable": "currentDate". "targetPath": "$. 
{ "sourcePath": "$.ValidityPeriod.api.ValidityPeriod.phoneNumbers[?(@.value".Identity. "sourcePath": "$ ['urn:ietf:params:scim:schemas:extension:enterprise:2.employeeNumber" }.Identity. { "sourcePath": "$. { "targetPath": "$.EmployeeType. { "targetPath": "$. SAP Cloud Platform Identity Provisioning Service 122 PUBLIC SAP Cloud Platform Identity Provisioning Service . Code Syntax { "user": { "condition" : "$['urn:ietf:params:scim:schemas:extension:enterprise: 2.WorkplaceAddress.BusinessPartnerID". "targetPath": "$.MobilePhoneNumberDescription" }.WorkplaceAddress.value". { "targetPath": "$.WorkplaceAddress. and specify the two mandatory attributes – RecipientPartyID and SenderPartyID. { "constant": "false". "targetPath": "$.PhoneNumberDescription" }. "constant": "9999-12-31".0:User'].EndDate" }. "targetDateFormat" : "yyyy-MM-dd" } ] }. "targetPath": "$.0:User'].EmployeeType. "functions": [ { "type": "manipulateDate".0:User']. you have to set c4c.ValidityPeriod.EndDate". { "sourcePath": "$.employeeNumber" }. "optional": true.ID" }. change the transformation with the one below.emails[0].type == 'work')].phoneNumbers[?(@.EmailURI" } ] } } Using the new API (version 2) If you want to use the new C4C API (employeereplicationin2). "optional": true.StartDate".EmployeeType.employeeNumber EMPTY false". "mappings": [ { "targetPath": "$.UserAccountsInactiveIndicator" }.ReceiverEmployeeID". 2. { "constant": "SALES_MANAGER".type == 'work')].UserAccountsInactiveIndicator".GivenName". { "targetPath": "$.MobilePhoneNumberDescription". "targetPath": "$. "optional": true }. you can first subscribe to the source system you use in your scenario.EmailURI". { "targetPath": "$. "constant": "9999-12-31" }. "targetPath": "$. "sourcePath": "$. For more information. { "targetPath": "$.Identity.givenName".Name.FamilyName".phoneNumbers[?(@.type == 'mobile')]. { "condition": "$.name.BusinessRole[0]. you will be notified by e-mail about eventual failed entities during the job. 
see Manage Job Notifications [page 86]. { "targetPath": "$. { "targetPath": "$. "constant": "false" }.Identity.UserAccountsInactiveIndicator".phoneNumbers[?(@.Common.userName" }.active == false". "targetPath": "$.Identity. Now.name. Before starting a provisioning job.WorkplaceAddress.PhoneNumberDescription".value". { "targetPath": "$.Identity.emails[0]. "sourcePath": "$.WorkplaceAddress. "constant": "true" }.value". This way.Name. "optional": true }.Common.ID" } ] } } Next Steps 1. see Manage Jobs and Job Logs [page 83].WorkplaceAddress. "sourcePath": "$.Identity. SAP Cloud Platform Identity Provisioning Service SAP Cloud Platform Identity Provisioning Service PUBLIC 123 .BusinessRole[1]. start an identity provisioning job. "optional": true }. For more information. { "targetPath": "$.familyName" }. "sourcePath": "$. "optional": true }.IdentityID". "sourcePath": "$. { "constant": "SALES_REP".value". "sourcePath": "$.ID" }. the hybrid scenario uses a proxy system which executes provisioning operations (read.Related Information SAP Hybris Cloud for Customer Web Service API for Employee Master Data Replication Web Service APIs in SAP Hybris Cloud for Customer Working in the Employee Staging Area 1. update. Note Currently. Procedure 1. To achieve this. That means. used as the on-premise system. Register a new OAuth client for the subscription to the ipsproxy application: SAP Cloud Platform Identity Provisioning Service 124 PUBLIC SAP Cloud Platform Identity Provisioning Service . ● You have user credentials for an SAP Identity Management system. Open your subaccount in SAP Cloud Platform cockpit. delete. create.) requested by the on-premise system. etc. 2. you will get one by purchasing the Identity Provisioning service. ● You have access to the Proxy Systems section in the Identity Provisioning service UI. with write permissions. Note If you don't have a platform account. Context A proxy system is a special connector used for "hybrid" scenarios. 
see Access the Identity Provisioning Service (Productive) [page 24]. Prerequisites ● You have the Identity Provisioning service enabled on your account for SAP Cloud Platform.9 SAP Identity Management Hybrid Scenario Use a proxy system to execute a hybrid scenario between SAP Identity Management and cloud systems.5. this scenario is only applicable to SAP Identity Management. you can provision entities from a cloud to an on-premise system (and the other way around) without making a direct connection between them. To do that. For more information on creating tickets. For more information. create a ticket (incident) with request to get that access. see Support [page 207] → Productive Use. You can add a proxy system (connector). You can access it in two ways: ○ Go to the Subscriptions section. From the Authorization Grant combo box. and then choose the provided application URL. SAP Cloud Platform Identity Provisioning Service SAP Cloud Platform Identity Provisioning Service PUBLIC 125 . This is currently applicable only for Microsoft Azure. ○ Go to the Services section. where <client_ID> is the one from step 2. choose Subscriptions. Note The hybrid scenario supports: ● Reading and writing of users ● Reading of groups (no writing yet) from SAP Identity Management to another system. From the Subscription combo box. go to SAP Identity Management to register or import a SCIM repository. For more information. You will only need to enter your client ID and secret (AUTH_USER and AUTH_PASSWORD). Choose Register New Client. Assign role IPS_PROXY_USER to the newly created OAuth client. 4. Then start an initial load job.csv file (from step 1. choose Export → CSV format. select the Identity Provisioning tile. To do that.). To check which system types are appropriate for this role. choose ipsproxy. see SAP Identity Management: Setting up a SCIM System. Next Steps 1. You will need it later. select <provider_subaccount>/ipsproxy. 3. 
you will have all the fields automatically filled­in. 5. for the repository configuration in SAP Identity Management. 4. Choose Assign and enter oauth_client_<client_ID>. see Add System [page 50]. select ips from the HTML5 Applications section. 7. After the initial load is done. open the Identity Provisioning UI. Now. 3. Go to Security OAuth Clients . 4. choose Roles. 3. Under the Java Applications section. Note If you decide to import the . 2. 3. 2. you can create new users or update existing ones in SAP Identity Management. select Client Credentials. and choose Go to Service. You will need it later. 1. In the Secret field. From the left-side navigation. Note A system can act as a proxy if it supports both read and write operations. Copy/paste and save (in a notepad) the generated Client ID. 2. From the left-side navigation. you can export the newly created proxy system. 6. Save the proxy system. Open the Properties tab to configure the connection settings for the proxy system. Now. enter a password (client secret) and remember it. see the topics listed under Scenarios [page 88]. For more information. 5. 6. too. Assign role IPS_PROXY_USER to the OAuth client: 1.f. Then. select it from the Destination dropdown box. Choose the Properties tab to configure the connection settings for your system. Choose Integrations OAuth Clients . For more information. Add SAP Jam as a source or a target system. 2.1. in format: https://<SAP_Jam_landscape>.sapjam. see Access the Identity Provisioning Service (Productive) [page 24]. Go to the SAP Jam admin panel. 2. an OAuth client is automatically created for it. Procedure 1.10 SAP Jam (Source or Target) Follow this procedure to set up SAP Jam as a source or a target system. choose View. with the name SCIM API Client. To find this client: 1.5. follow the procedure below to create a source or a target SAP Jam system to provision users and groups. For more information. 
Note If you have already created a connectivity destination for this system in SAP Cloud Platform cockpit. If your SAP Jam tenant is of "SCIM provisioning" type. Save the Key and Secret values – you'll need them later while configuring your SAP Jam provisioning system.com Example: https://jam4. Table 23: Mandatory Properties Property Name Description & Value Type Enter: HTTP URL Enter the URL related to your SAP Jam database. 4. 3. For SCIM API Client. the value set in the Properties tab will be considered with higher priority. see Add System [page 50].com SAP Cloud Platform Identity Provisioning Service 126 PUBLIC SAP Cloud Platform Identity Provisioning Service . If one and the same property exists both in the cockpit and in the Identity Provisioning UI. 3.sapjam. Open the user interface of the Identity Provisioning service. Context After fulfilling the prerequisites. Prerequisites You get OAuth credentials for SAP Jam. Password Enter the OAuth client secret.id". see List of Properties [page 56]. ○ Mapping logic – The behavior of the default transformation logic is to map all attributes from the internal SCIM representation to the target entity. OAuth2TokenServiceURL Enter the URL of the access token provider service for your SAP Jam instance. 4. created for your SAP Jam ten­ ant (see Prerequisites). created for your SAP Jam tenant (see Prerequisites). see SCIM: Singular Attributes Default transformation for SAP Jam as a source system: Code Syntax { "user": { "mappings": [ { "sourcePath": "$". "type": "remove" }.sapjam. You can search or filter the table by your system type name. { "sourcePath": "$. "type": "remove" }. "targetPath": "$" }. { "targetPath": "$. For more information.id". You can change the default transformation mapping rules to reflect your current setup of entities in your SAP Jam system. Property Name Description & Value ProxyType Enter: Internet Authentication Enter: BasicAuthentication User Enter the OAuth client key. For more information. 
in format: https:// <SAP_Jam_instance>/api/v1/auto/token Example: https://jam4. For more information. { "targetPath": "$. { "targetPath": "$. "type": "remove" SAP Cloud Platform Identity Provisioning Service SAP Cloud Platform Identity Provisioning Service PUBLIC 127 . the first entry will be marked as primary. as well as by "All Systems". "targetVariable": "entityIdSourceSystem" }.schemas". Configure the transformations. ○ User off­boarding: ○ Users can be deleted from the SAP Jam system via the SCIM REST API. If the entity has e-mail addresses. see SCIM: Deleting Resources .meta". see Manage Transformations [page 30].com/api/v1/auth/token To learn what additional properties are relevant to your scenario. ○ Users can be deactivated by setting the value of their active attribute to false. "targetPath": "$. "targetPath": "$ ['urn:ietf:params:scim:schemas:extension:enterprise:2.schemas". "mappings": [ { "sourcePath": "$". "targetVariable": "entityIdSourceSystem" }. { "constant": "urn:ietf:params:scim:schemas:core:2.id".0:User'] EMPTY false".0']".id". "type": "remove" }. { "constant": "urn:ietf:params:scim:schemas:core:2. "targetPath": "$" }.0:User'] EMPTY false". "type": "remove" } ] }. { "condition": "$ ['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']" }.0']". "sourcePath": "$['urn:scim:schemas:extension:enterprise: 1.0:Group". "targetPath": "$. "group": { "ignore": true. { "condition": "$ ['urn:ietf:params:scim:schemas:extension:enterprise:2. "type": "remove" }.schemas[0]" }. "type": "remove" }.0:User". { "sourcePath": "$. SAP Cloud Platform Identity Provisioning Service 128 PUBLIC SAP Cloud Platform Identity Provisioning Service . { "targetPath": "$.meta". { "targetPath": "$. "targetPath": "$['urn:scim:schemas:extension:enterprise: 1.schemas[0]" } ] } } Default transformation for SAP Jam as a target system: Sample Code { "user": { "mappings": [ { "sourcePath": "$". }. { "targetPath": "$. "targetPath": "$" }. set version 1. 
which is supported by SAP Jam. "targetPath": "$. "type": "remove" }. { "condition": "$. { SAP Cloud Platform Identity Provisioning Service SAP Cloud Platform Identity Provisioning Service PUBLIC 129 . { "sourceVariable": "entityIdTargetSystem".0']" }. "constant": true.type == 'work')].0:User']".0. "targetPath": "$. written in the SAP Jam target system. "targetPath": "$. "targetPath": "$. "suffix": "_" }. { /* To get the language and country.locale".country" } ] }.locale EMPTY false) && ($. "scope": "deleteEntity" }. The value. "targetPath": "$['urn:scim:schemas:extension:enterprise: 1. For example: en_US. { "sourceVariable": "entityIdTargetSystem".locale". "optional": true. "type": "remove" }.addresses[? (@. /* Remove the enterprise user schema extension with version 2. "targetPath": "$. ja_JP */ { "targetPath": "$. */ { "sourcePath": "$ ['urn:ietf:params:scim:schemas:extension:enterprise:2.emails[0].id".0.active". /* If the enterprise user schema extension is present and its version is 2.locale".emails[0]. { "constant": false. and "BB" is the code for country.0:User']".addresses[?(@.type == 'work')]. the transformation will read the locale attribute of the user and the country attribute of the user's work address. "sourcePath": "$. { "condition": "($.id" }. { "function": "concatString". will be of type "aa_BB". "scope": "deleteEntity" }.length() > 0".primary" }.0. */ { "targetPath": "$ ['urn:ietf:params:scim:schemas:extension:enterprise:2. where "aa" is the code for language. "suffix": "$. fr_CA. "functions": [ { "function": "toLowerCaseString" }. { "function": "concatString".country EMPTY false)". "targetPath": "$.members[*]. "targetPath": "$" }.members[?(@. "targetPath": "$['urn:scim:schemas:extension:enterprise: 1. "targetPath": "$['urn:scim:schemas:extension:enterprise: 1. This ID is stored as managerId. "type": "remove" }. { "targetPath": "$. 
"functions": [ { "type": "resolveEntityIds" } ] } ] } } SAP Cloud Platform Identity Provisioning Service 130 PUBLIC SAP Cloud Platform Identity Provisioning Service . "type": "remove" }.schemas[0]" }.value)]". "targetPath": "$. "functions": [ { "function": "resolveEntityIds" } ] } ] }.value". "type": "remove" }. { "sourcePath": "$.0']['manager']".0']['manager']['managerId']". "optional": true. "mappings": [ { "sourcePath": "$". "preserveArrayWithSingleElement": true. { "sourceVariable": "entityIdTargetSystem". { "targetPath": "$. "optional": true. "group": { "ignore": true. { "constant": "urn:scim:schemas:core:1.schemas". */ { { "sourcePath": "$ ['urn:ietf:params:scim:schemas:extension:enterprise:2.members".id" }.0".0:User']['manager'] ['value']". /* The value of the manager attribute in the source system is resolved to the ID of the SCIM resource which represents the user's manager in the target system. "targetPath": "$. Next Steps 1. start an identity provisioning job. when you create a destination for the SAP SuccessFactors system in the SAP Cloud Platform cockpit. a user record with the employee identity data is created in the SAP SuccessFactors system and the Identity Provisioning service can use this data for the identity and authorization provisioning processes. SAP Cloud Platform Identity Provisioning Service SAP Cloud Platform Identity Provisioning Service PUBLIC 131 . 1. 2. For more information. For more information. For more information. Open the user interface of the Identity Provisioning service. you can first subscribe to the source system you use in your scenario.0) SAP SuccessFactors HCM Suite OData API Context Companies that manage their employees using SAP SuccessFactors HCM Suite can use SAP Cloud Platform Identity Provisioning service to automatically create accounts for these employees and manage their permissions for the cloud applications.5.11 SAP SuccessFactors (Source) Follow this procedure to set up SAP SuccessFactors as a source system. 
Prerequisites
You have created a technical user with permissions to call the SAP SuccessFactors HCM Suite OData API and to export employee data from the SAP SuccessFactors system. You will need the credentials for this user later.

Context
Companies that manage their employees using SAP SuccessFactors HCM Suite can use SAP Cloud Platform Identity Provisioning service to automatically create accounts for these employees and manage their permissions for the cloud applications. When the hiring process of a new employee is completed in the SAP SuccessFactors HCM solution, a user record with the employee identity data is created in the SAP SuccessFactors system, and the Identity Provisioning service can use this data for the identity and authorization provisioning processes. To do this, it uses the SAP SuccessFactors HCM Suite OData API.

Procedure
1. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning Service (Productive) [page 24].
2. Add SAP SuccessFactors as a source system. For more information, see Add System [page 50].
3. Choose the Properties tab to configure the connection settings for your system.

Note
If you have already created a connectivity destination for this system in SAP Cloud Platform cockpit, select it from the Destination dropdown box. If one and the same property exists both in the cockpit and in the Identity Provisioning UI, the value set in the Properties tab will be considered with higher priority.

Table 24: Mandatory Properties
Property Name | Description & Value
Type | Enter: HTTP
URL | Specify the URL to your SAP SuccessFactors API. For example: https://apitest.successfactors.com/odata/v2. For more information, see: URI Conventions (OData Version 2.0)
ProxyType | Enter: Internet
Authentication | Enter: BasicAuthentication
User | Enter the userID of your SAP SuccessFactors technical user in the following format: <user_ID>@<company_ID>. For example: sfsf_admin@mycompany
Password | Enter the password for your SAP SuccessFactors technical user.

To learn what additional properties are relevant to your scenario, see List of Properties [page 56]. You can search or filter the table by your system type name, as well as by "All Systems".

4. (Optional) Configure the transformations. You can change the default transformation mapping rules to reflect your current setup of entities in the source system. For more information about default transformation rules and the transformation process, see Manage Transformations [page 30].

When the SAP SuccessFactors system is configured as a source, the Identity Provisioning service will read all the attributes of the user records supported by the SAP SuccessFactors API. The initial transformation logic contains the minimum of required properties for the successful provisioning of the users. If you want to extend the default transformation, see SAP SuccessFactors HCM Suite OData API.

Below are some of the statements in the default transformation, described in short:

Code Syntax
/* The value of entityIdSourceSystem is used to store the unique ID of the identity. You should not delete this statement! You can change the attribute username, but make sure the new source attribute is also unique. */
{
  "sourcePath": "$.username",
  "targetVariable": "entityIdSourceSystem"
},
{
  "sourcePath": "$.username",
  "targetPath": "$.userName"
},
/* The firstName value of the employee is used as name.givenName in the intermediate JSON data. */
{
  "sourcePath": "$.firstName",
  "targetPath": "$.name.givenName"
},
/* The lastName value of the employee is used as name.familyName in the intermediate JSON data. */
{
  "sourcePath": "$.lastName",
  "targetPath": "$.name.familyName"
},
/* The email attribute is used as a first value for the emails array of the intermediate JSON data. */
{
  "sourcePath": "$.email",
  "targetPath": "$.emails[0].value"
},
/* The value of urn:ietf:params:scim:schemas:core:2.0:User is configured as a schema for intermediate JSON data. */
{
  "constant": "urn:ietf:params:scim:schemas:core:2.0:User",
  "targetPath": "$.schemas[0]"
}

Next Steps
1. Before starting a provisioning job, you can first subscribe to the source system you use in your scenario. This way, you will be notified by e-mail about eventual failed entities during the job. For more information, see Manage Job Notifications [page 86].
2. Now, start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 83].

Related Information
URI Conventions (OData Version 2.0)
SAP SuccessFactors HCM Suite OData API

1.5.12 Concur (Source or Target)

Follow this procedure to set up Concur as a source or a target system.

Prerequisites
● You have created a technical user with administrator permissions that will be used to call the Concur API for creating or updating user account information. For more information, see Concur API: User Account Information.
● You have registered a partner application in your Concur system. You need the administrator permissions to register the application. For more information, see Concur Dev Guide: Registering a Partner Application in Sandbox.

Context
Companies that use Concur for managing and controlling travel expenses, invoices and other can use Identity Provisioning service to automate the identity and access management for the Concur solution. Customers can reuse the identity data from their existing corporate identity stores, such as SAP AS ABAP user store, Microsoft Active Directory, and others. Customers can also reuse data from different SAP cloud user stores, like the user data available for their employees in SAP SuccessFactors, or the user data for internal or external users available in the user store of the Identity Authentication service.
Procedure
1. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning Service (Productive) [page 24].
2. Add Concur as a target system. For more information, see Add System [page 50].
3. Choose the Properties tab to configure the connection settings for your system.

Note
If you have already created a connectivity destination for this system in SAP Cloud Platform cockpit, select it from the Destination dropdown box. If one and the same property exists both in the cockpit and in the Identity Provisioning UI, the value set in the Properties tab will be considered with higher priority.

Table 25: Mandatory Properties
Property Name | Description & Value
Type | Enter: HTTP
URL | Enter: https://www.concursolutions.com
ProxyType | Enter: Internet
Authentication | Enter: BasicAuthentication
User | Enter the user ID of the Concur technical user.
Password | Enter the password of the Concur technical user.
X-ConsumerKey | Enter the Concur Consumer Key here. For more information, see Access Concur Token.

To learn what additional properties are relevant to your scenario, see List of Properties [page 56]. You can search or filter the table by your system type name, as well as by "All Systems".

4. Configure the transformations.

Concur as a Source System

Below is the default transformation of Concur as a source system:

Code Syntax
{
  "user": {
    "mappings": [
      {
        "sourcePath": "$.LoginID",
        "targetVariable": "entityIdSourceSystem"
      },
      {
        "sourcePath": "$.LoginID",
        "targetPath": "$.userName"
      },
      {
        "sourcePath": "$.FirstName",
        "targetPath": "$.name.givenName"
      },
      {
        "sourcePath": "$.LastName",
        "targetPath": "$.name.familyName"
      },
      {
        "sourcePath": "$.PrimaryEmail",
        "optional": true,
        "targetPath": "$.emails[0].value"
      },
      {
        "sourcePath": "$.CellPhoneNumber",
        "optional": true,
        "targetPath": "$.phoneNumbers[0].value"
      },
      {
        "constant": "urn:ietf:params:scim:schemas:core:2.0:User",
        "targetPath": "$.schemas[0]"
      },
      {
        "sourcePath": "$.EmployeeID",
        "optional": true,
        "targetPath": "$.id",
        "functions": [
          { "type": "concatString", "prefix": ":" },
          { "type": "concatString", "prefix": "$.LoginID" }
        ]
      }
    ]
  }
}

Concur as a Target System

○ Mapping logic - When the Concur system is configured as a target, the default transformation logic offered by the Identity Provisioning service contains the minimum of required properties for the successful provisioning of the users. You can change the default transformation mapping rules to reflect your current setup of entities in your Concur target system. For more information, see Manage Transformations [page 30]. Before you start extending the default transformation, however, you have to get familiar with the requirements of the Concur API to avoid inconsistencies. For more information, see Concur API: User Account Information.
○ User off-boarding – Identity Provisioning service handles the end-to-end lifecycle of the users, including their off-boarding. For some source systems, the deletion of a user or inactive user status is the final step of this lifecycle process. The Concur solution, however, does not allow user accounts to be deleted. The offboarding of Concur user accounts is always performed by setting them as disabled. When a user is deleted or set with status inactive in a system configured as a source for user data provisioning to Concur, the user account in Concur will be disabled (the attribute "targetPath": "$.Active" gets a value "N").

Caution
The Concur API requires an initial password setup for all newly provisioned user accounts. The default transformation offers a statement with an empty string as a value for the password configuration. However, it is ignored in order to prevent a default setup of a wrong initial password for your systems. While the password statement is ignored, the provisioning will not be working. To enable the provisioning to Concur, you need to perform the following operations:
1. Enable the password statement. To do this, either delete "ignore": true, or set it as "ignore": false.
2. Set a proper statement for the password attribute value ("targetPath": "$.Password"). (Optional) You can leave the default empty string, or you can use the randomPassword function to calculate a random value for the initial password of the newly created Concur accounts. For more information, see JSON Expressions and Functions [page 31] → Transformation Functions.
If you choose one of these two options and if you are not using a single sign-on solution for Concur, you have to also arrange a password reset support process in your company. This will securely offer an initial password to your corporate users for their newly created Concur accounts.

Below is the default transformation of Concur as a target system:

Code Syntax
{
  "user": {
    "mappings": [
      {
        "sourcePath": "$.userName",
        "targetPath": "$.LoginId"
      },
      /* The first array value of the SCIM attribute emails will be used as an e-mail address (EmailAddress) for the user record in Concur. */
      {
        "sourcePath": "$.emails[0].value",
        "targetPath": "$.EmailAddress"
      },
      {
        "sourcePath": "$.name.givenName",
        "targetPath": "$.FirstName"
      },
      {
        "sourcePath": "$.name.familyName",
        "targetPath": "$.LastName"
      },
      {
        "sourcePath": "$.userName",
        "targetPath": "$.EmpId"
      },
      {
        "constant": "N",
        "targetPath": "$.Active"
      },
      {
        "condition": "$.active == true",
        "constant": "Y",
        "targetPath": "$.Active"
      },
      {
        "constant": "US",
        "targetPath": "$.CtryCode"
      },
      {
        "sourcePath": "$.addresses[?(@.type == 'home')].country",
        "optional": true,
        "targetPath": "$.CtryCode"
      },
      {
        "constant": "en_US",
        "targetPath": "$.LocaleName"
      },
      {
        "constant": "USD",
        "targetPath": "$.CrnKey"
      },
      {
        "constant": "DEFAULT",
        "targetPath": "$.LedgerCode"
      },
      {
        "constant": "DEFAULT",
        "targetPath": "$.LedgerName"
      },
      {
        "constant": "N",
        "targetPath": "$.Custom21"
      },
      {
        "constant": "N",
        "targetPath": "$.ExpenseUser"
      },
      {
        "constant": "N",
        "targetPath": "$.ExpenseApprover"
      },
      {
        "constant": "N",
        "targetPath": "$.InvoiceUser"
      },
      {
        "constant": "N",
        "targetPath": "$.InvoiceApprover"
      },
      {
        "constant": "N",
        "targetPath": "$.TripUser"
      },
      {
        "constant": "N",
        "targetPath": "$.IsTestEmp"
      },
      /* An initial password setup is mandatory for all newly provisioned user accounts. To enable the provisioning to Concur, enable the statement for the Password attribute and make sure its value is not empty. For more information, see the Caution box above. */
      {
        "ignore": true,
        "constant": "",
        "targetPath": "$.Password"
      }
    ]
  }
}

Concur offers three types of edition sites: Standard, Professional and Standard-to-Professional Upgrade. The Identity Provisioning service supports the Standard one, which allows you to provision users without grouping them into organizational units. If your Concur site requires grouping of users, you'll need to enhance your target transformation. The missing JSON code lines you have to add depend on your Concur edition site. For more information, see Concur: How To Provision A Basic User Record.

Below is an example of additional JSON code lines you can add if using the Professional edition:

Sample Code
...
{ "constant": "<provided by Concur>", "targetPath": "$.LedgerCode" },
{ "constant": "<obtain from Concur API>", "targetPath": "$.Custom21" },
{ "constant": "<obtain from Concur API>", "targetPath": "$.OrgUnit1" },
{ "constant": "<obtain from Concur API>", "targetPath": "$.OrgUnit2" },
{ "constant": "DEFAULT" or "<obtain from Concur API>", "targetPath": "$.LedgerKey" },
...
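To make the statement semantics concrete, here is an added example (not code from the SAP documentation or the Identity Provisioning service) of a small Python evaluator for the statement keys used in this chapter, run over the Concur target rules for Active, CtryCode and the ignored Password statement and over the SAP Jam locale statement from earlier in this chapter. The sample SCIM user and the path and condition subset the evaluator understands are assumptions.

```python
"""Added example (not the Identity Provisioning engine): a small evaluator for the
statement keys used in this chapter, limited to the path/condition subset needed
for the Concur target rules and the SAP Jam locale statement."""
import re

WORK_COUNTRY = "$.addresses[?(@.type == 'work')].country"
HOME_COUNTRY = "$.addresses[?(@.type == 'home')].country"


def _get(doc, path):
    """Resolve $.a.b, $.a[0].b, or one of the two address filters above."""
    if path in (WORK_COUNTRY, HOME_COUNTRY):
        wanted = "work" if path == WORK_COUNTRY else "home"
        return next((a.get("country") for a in doc.get("addresses", []) if a.get("type") == wanted), None)
    cur = doc
    for token in re.findall(r"\[\d+\]|[^.\[\]]+", path[2:]):
        if token.startswith("["):
            idx = int(token[1:-1])
            cur = cur[idx] if isinstance(cur, list) and idx < len(cur) else None
        else:
            cur = cur.get(token) if isinstance(cur, dict) else None
        if cur is None:
            return None
    return cur


def _set(doc, path, value):
    """Store value at a dotted target path such as $.name.givenName."""
    *parents, last = path[2:].split(".")
    for key in parents:
        doc = doc.setdefault(key, {})
    doc[last] = value


def _condition(doc, expr):
    """Condition forms on this page: == true, EMPTY false, .length() > 0, and && as in the Jam statement."""
    if "&&" in expr:
        return all(_condition(doc, part.strip("() ")) for part in expr.split("&&"))
    if expr.endswith(" == true"):
        return _get(doc, expr[:-len(" == true")]) is True
    if expr.endswith(" EMPTY false"):
        return _get(doc, expr[:-len(" EMPTY false")]) not in (None, "", [])
    if expr.endswith(".length() > 0"):
        return bool(_get(doc, expr[:-len(".length() > 0")]))
    raise ValueError(f"unsupported condition: {expr}")


def _apply_functions(doc, value, functions):
    """toLowerCaseString and concatString; a prefix/suffix starting with $. is read from the source entity."""
    for fn in functions:
        kind = fn.get("type") or fn.get("function")
        if kind == "toLowerCaseString":
            value = str(value).lower()
        elif kind == "concatString":
            pre, suf = fn.get("prefix", ""), fn.get("suffix", "")
            pre = _get(doc, pre) if pre.startswith("$.") else pre
            suf = _get(doc, suf) if suf.startswith("$.") else suf
            value = f"{pre}{value}{suf}"
    return value


def transform(mappings, source):
    """Run the statements in order; a later write to the same targetPath wins (the conditional "Y" overrides the "N" default)."""
    target = {}
    for stmt in mappings:
        if stmt.get("ignore"):  # a disabled statement writes nothing at all
            continue
        if "condition" in stmt and not _condition(source, stmt["condition"]):
            continue
        if "sourcePath" in stmt:
            value = _get(source, stmt["sourcePath"])
            if value is None and stmt.get("optional"):
                continue
            if value is None:
                raise ValueError(f"mandatory attribute missing: {stmt['sourcePath']}")
        else:
            value = stmt["constant"]
        value = _apply_functions(source, value, stmt.get("functions", []))
        _set(target, stmt["targetPath"], value)
    return target


# The Concur target statements from this chapter that carry logic
CONCUR_TARGET = [
    {"sourcePath": "$.userName", "targetPath": "$.LoginId"},
    {"sourcePath": "$.emails[0].value", "targetPath": "$.EmailAddress"},
    {"constant": "N", "targetPath": "$.Active"},
    {"condition": "$.active == true", "constant": "Y", "targetPath": "$.Active"},
    {"constant": "US", "targetPath": "$.CtryCode"},
    {"sourcePath": HOME_COUNTRY, "optional": True, "targetPath": "$.CtryCode"},
    {"ignore": True, "constant": "", "targetPath": "$.Password"},
]
# The SAP Jam locale statement: lower-case language, "_", work-address country
JAM_LOCALE = [{
    "condition": "($.locale EMPTY false) && (" + WORK_COUNTRY + " EMPTY false)",
    "sourcePath": "$.locale", "targetPath": "$.locale",
    "functions": [{"function": "toLowerCaseString"},
                  {"function": "concatString", "suffix": "_"},
                  {"function": "concatString", "suffix": WORK_COUNTRY}],
}]
# Constructed sample user in the intermediate (SCIM) format, not from the page
USER = {"userName": "jdoe", "active": False, "locale": "EN",
        "emails": [{"value": "jdoe@example.com"}],
        "addresses": [{"type": "work", "country": "US"}, {"type": "home", "country": "CA"}]}
```

transform(CONCUR_TARGET, USER) yields Active "N" and no Password key, transform(CONCUR_TARGET, dict(USER, active=True)) yields Active "Y", and transform(JAM_LOCALE, USER) yields {"locale": "en_US"}.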
Next Steps
1. Before starting a provisioning job, you can first subscribe to the source system you use in your scenario. This way, you will be notified by e-mail about eventual failed entities during the job. For more information, see Manage Job Notifications [page 86].
2. Now, start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 83].

Related Information
Concur Dev Guide: Registering a Partner Application in Sandbox
Concur API: User Account Information
Access Concur Token

1.5.13 CloudFoundry UAA Server (Target)

Follow this procedure to set up a CloudFoundry UAA Server as a target system.

Prerequisites
● You have installed the SAP Cloud Platform cloud connector in your corporate environment and have done the initial configuration. You need this only if the CloudFoundry UAA server is exposed in a private corporate network. For more information, see SAP Cloud Platform Connector.
● You have technical user credentials for a CloudFoundry system with write access permissions. In case OAuth is used for authentication, client ID and secret are required when creating a destination for access token retrieval.

Procedure
1. (Optional) If the CloudFoundry UAA server is exposed in a private corporate network, add an access control system mapping in SAP Cloud Platform cloud connector. For more information, see Configuring Access Control (HTTP).
2. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning Service (Productive) [page 24].
3. Add CloudFoundry UAA Server as a target system. For more information, see Add System [page 50].
4. Choose the Properties tab to configure the connection settings for your system.

Note
If you have already created a connectivity destination for this system in SAP Cloud Platform cockpit, select it from the Destination dropdown box. If one and the same property exists both in the cockpit and in the Identity Provisioning UI, the value set in the Properties tab will be considered with higher priority.

Table 26: Mandatory Properties
Property Name | Description & Value
Type | Enter: HTTP
URL | Specify the service URL. For example: http://<cloudfoundry_server>.com/uaa/
ProxyType | Depending on your scenario, enter Internet or OnPremise.
Authentication | Enter: BasicAuthentication
User | Enter the client ID for OAuth HTTP destinations – it is used for access token retrieval.
Password | Enter the client secret for OAuth HTTP destinations – it is used for retrieving the access token.
OAuth2TokenServiceURL | If you need to make OAuth authentication to the system, enter the URL to the access token provider service for OAuth HTTP destinations. For example: https://token-provider.com/uaa/auth/token

To learn what additional properties are relevant to your scenario, see List of Properties [page 56]. You can search or filter the table by your system type name, as well as by "All Systems".

5. (Optional) Configure the transformations. You can change the default transformation mapping rules to reflect your current setup of entities in your CloudFoundry UAA server. For more information, see Manage Transformations [page 30].
○ Mapping logic - The behavior of the default transformation logic is to map all attributes from the internal CloudFoundry UAA representation to the target entity.
○ User offboarding - If a user has been deleted from the source system, this change is recognized and the user is deleted from the CloudFoundry UAA target system too.

Below is an example of the default transformation:

Code Syntax
{
  "user": {
    "condition": "$.emails.length() > 0",
    "mappings": [
      {
        "sourcePath": "$",
        "targetPath": "$"
      },
      {
        "sourceVariable": "entityIdTargetSystem",
        "targetPath": "$.id"
      },
      {
        "targetPath": "$.schemas",
        "type": "remove"
      },
      {
        "constant": "urn:scim:schemas:core:1.0",
        "targetPath": "$.schemas[0]"
      },
      /* If the entity has e-mail addresses, the first entry will be marked as primary. */
      {
        "condition": "$.emails[0].length() > 0",
        "targetPath": "$.emails[0].primary",
        "constant": true
      }
    ]
  },
  /* By default, group is inactive (ignored) but groups are supported. To start provisioning groups, either delete the statement "ignore": true, or set its value to false. */
  "group": {
    "ignore": true,
    "mappings": [
      {
        "sourcePath": "$",
        "targetPath": "$"
      },
      {
        "sourceVariable": "entityIdTargetSystem",
        "targetPath": "$.id"
      },
      {
        "targetPath": "$.schemas",
        "type": "remove"
      },
      {
        "constant": "urn:scim:schemas:core:1.0",
        "targetPath": "$.schemas[0]"
      },
      {
        "sourcePath": "$.member",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.members[?(@.value)]",
        "functions": [
          {
            "type": "resolveEntityIds"
          }
        ]
      }
    ]
  }
}

Note
If you want to apply group assignments, you have to execute the transformation in this exact order (users first, then groups). Otherwise, the resolveEntityIds function will not work during a single provisioning job, and thus a second job will be needed. This behavior occurs due to the external IDs, which are not known in advance - the CloudFoundry UAA system provides them only after it has written the relevant user/group entities.

Next Steps
1. Before starting a provisioning job, you can first subscribe to the source system you use in your scenario.
This way, you will be notified by e-mail about eventual failed entities during the job. For more information, see Manage Job Notifications [page 86].
2. Now, start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 83].

Related Information
CloudFoundry: Users
CloudFoundry: Groups

1.5.14 Microsoft Active Directory (Source)

Follow this procedure to set up Microsoft Active Directory as a source system.

Prerequisites
● You have installed the SAP Cloud Platform cloud connector in your corporate environment and have done the initial configuration. For more information, see SAP Cloud Platform Connector.
● You have the credentials of a technical user in the Microsoft Active Directory, which is used to call the Microsoft Active Directory API to read the users and their attributes.

Context
You can configure Microsoft Active Directory as a source system to provision groups and permission assignments to cloud systems, such as SAP Cloud Platform.

Procedure
1. Add an access control system mapping for the Microsoft Active Directory in the Cloud Connector. This is needed to allow the Identity Provisioning service to access Microsoft AD as a back-end system on the intranet. For more information, see Configuring Access Control (LDAP).
2. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning Service (Productive) [page 24].
3. Add Microsoft Active Directory as a source system. For more information, see Add System [page 50].
4. Choose the Properties tab to configure the connection settings for your system.

Note
If you have already created a connectivity destination for this system in SAP Cloud Platform cockpit, select it from the Destination dropdown box. If one and the same property exists both in the cockpit and in the Identity Provisioning UI, the value set in the Properties tab will be considered with higher priority.

Table 27: Mandatory Properties
Property Name | Description & Value
Type | Enter: LDAP
ldap.url | Specify a destination URL. It must be in the following format: ldap://<external_host>:<external_port>
ldap.proxyType | Enter: OnPremise
ldap.authentication | Enter: BasicAuthentication
ldap.user | Enter the user for Microsoft Active Directory.
ldap.password | Enter the password for the Microsoft Active Directory user.
ldap.user.path | Enter the complete path to the users in Microsoft Active Directory.
ldap.group.path | Enter the complete path to the group(s) in Microsoft Active Directory.

To learn what additional properties are relevant to your scenario, see List of Properties [page 56]. You can search or filter the table by your system type name, as well as by "All Systems".

5. (Optional) Configure the transformations. You can change the default transformation mapping rules to reflect your current setup of entities in Microsoft Active Directory. For more information, see Manage Transformations [page 30].

Note
When a user is deleted from Microsoft Active Directory, the deletion status is considered by the Identity Provisioning service during the read processes. Depending on the offboarding process of the users in the target system, a user can be deleted or can be set to inactive.

Before the read transformation, the Microsoft Active Directory attributes are represented as arrays (single-element arrays, or multi-value arrays separated by comma (,)). After the read transformation (in the intermediate JSON data), the attributes are in SCIM format. For more information, see the official documentation for Active Directory schema attributes in the Related Information section.

Below are some of the statements in the default transformation, described in short:

Code Syntax
/* The entityIdSourceSystem attribute is used to store the unique ID of the identity. You should not delete this statement. You can exchange the default attribute sAMAccountName[0], but need to make sure the new source attribute will be also unique. The sAMAccountName[0] property is used also as a username for the intermediate JSON data. */
{
  "user": {
    "mappings": [
      {
        "sourcePath": "$.sAMAccountName[0]",
        "targetVariable": "entityIdSourceSystem"
      },
      {
        "sourcePath": "$.sAMAccountName[0]",
        "targetPath": "$.userName"
      },
      {
        "constant": "urn:ietf:params:scim:schemas:core:2.0:User",
        "targetPath": "$.schemas[0]"
      },
      {
        "sourcePath": "$.givenName[0]",
        "optional": true,
        "targetPath": "$.name.givenName"
      },
      {
        "sourcePath": "$.sn[0]",
        "optional": true,
        "targetPath": "$.name.familyName"
      },
      {
        "sourcePath": "$.mail[0]",
        "optional": true,
        "targetPath": "$.emails[0].value"
      },
      {
        "sourcePath": "$.telephoneNumber[0]",
        "optional": true,
        "targetPath": "$.phoneNumbers[0].value"
      },
      {
        "condition": "$.telephoneNumber.length() > 0",
        "constant": "work",
        "targetPath": "$.phoneNumbers[0].type"
      },
      {
        "sourcePath": "$.mobile[0]",
        "optional": true,
        "targetPath": "$.phoneNumbers[1].value"
      },
      {
        "condition": "$.mobile.length() > 0",
        "constant": "mobile",
        "targetPath": "$.phoneNumbers[1].type"
      },
      {
        "sourcePath": "$.memberOf",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.groups[?(@.value)]"
      }
    ]
  },
  "group": {
    "ignore": true,
    "mappings": [
      {
        "sourcePath": "$.sAMAccountName[0]",
        "targetVariable": "entityIdSourceSystem"
      },
      {
        "constant": "urn:ietf:params:scim:schemas:core:2.0:Group",
        "targetPath": "$.schemas[0]"
      },
      {
        "sourcePath": "$.sAMAccountName[0]",
        "targetPath": "$.displayName"
      },
      {
        "sourcePath": "$.member",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.members[?(@.value)]"
      }
    ]
  }
}

As a result of this mapping, this is how the data from Microsoft Active Directory looks before and after the read transformation:

Table 28:
Source JSON Data (as read from Microsoft Active Directory):

Sample Code
...
"memberOf": [
  "SALES_US",
  "SALES_EU"
]
...

Intermediate JSON Data (as a result from the transformation):

Sample Code
...
"groups": [
  { "value": "SALES_US" },
  { "value": "SALES_EU" }
]
...

Note
By default, the cn attribute is returned for every group and is used as the group's unique name. The administrator can change this behavior by setting the property ldap.group.uniquename.attribute, either in the Microsoft Active Directory read system or in the corresponding destination, with the name of the attribute to be used instead as its value. For example: ldap.group.uniquename.attribute=displayName

Next Steps
1. Before starting a provisioning job, you can first subscribe to the source system you use in your scenario. This way, you will be notified by e-mail about eventual failed entities during the job. For more information, see Manage Job Notifications [page 86].
2. Now, start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 83].

Related Information
Technical Documents
Setting Timeout for Ldap Operations
Connection Pooling Configuration

1.5.15 Microsoft Azure Active Directory (Source and Target)

Follow this procedure to set up Microsoft Azure Active Directory (in short, Azure AD) as a source or a target system.

Prerequisites
● You have logged on to Microsoft Azure Portal, with credentials for a user with directory role Global administrator.
● In Azure Active Directory App registrations, you have registered an application with a secret key and permissions (see below) for Microsoft Graph API. For more information, see MS Graph: Users and MS Graph: Groups.
Permissions
Assign the following permissions to your application, according to your scenario:
● Users – User.ReadWrite.All, Directory.AccessAsUser.All
● Groups – Group.ReadWrite.All
These permissions must be consented by an administrator. For more information, see Microsoft Graph permissions reference.
● (Relevant to target systems) Your registered application is assigned the User Account Administrator role. This role allows you to deprovision users. For more information, see Microsoft: Assigning administrator roles in Azure Active Directory and MS Azure PowerShell: Add-MsolRoleMember.
Note
If this role is not assigned, you can only disable users. To do that, set the accountEnabled property to false. For more information, see MS Graph: user resource type.
Context
When using it as a source system, you can read both users and groups from Azure AD and provision them to any target system you have added in the Identity Provisioning user interface (if it supports groups). When using it as a target system, you can write both users and groups, read from any source system you have added in the Identity Provisioning user interface. The Azure AD target systems use Microsoft Graph API. For more information, see Microsoft Graph.

If you have successfully finished with the initial setup (described in the Prerequisites section), continue with the procedure below.

Procedure
1. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning Service (Productive) [page 24].
2. Add Microsoft Azure Active Directory as a source or a target system. For more information, see Add System [page 50].
3. Choose the Properties tab to configure the connection settings for your system.

Note
If you have already created a connectivity destination for this system in SAP Cloud Platform cockpit, select it from the Destination dropdown box. If one and the same property exists both in the cockpit and in the Identity Provisioning UI, the value set in the Properties tab will be considered with higher priority.

Table 29: Mandatory Properties
Property Name | Description & Value
Type | Enter: HTTP
URL | Enter: https://graph.microsoft.com
ProxyType | Enter: Internet
Authentication | Enter: BasicAuthentication
User | Enter the application ID registered in your Azure AD subscription (see the Prerequisites section).
Password | Enter the secret key associated to your app registration.
OAuth2TokenServiceURL | Enter: https://login.microsoftonline.com/{your_domain}/oauth2/token, where {your_domain} is the domain name you have set in the aad.domain.name property.
aad.domain.name | Enter one of the verified domain names from the corresponding Azure AD tenant. On this domain, you will perform the provisioning operations. For more information, see Microsoft: Manage domain names.
oauth.resource.name | Enter: https://graph.microsoft.com

To learn what additional properties are relevant to your scenario, see List of Properties [page 56]. You can search or filter the table by your system type name, as well as by "All Systems".

4. (Optional) Configure the transformations.

Default transformation for Azure AD as a source system:

Code Syntax
{
  "user": {
    "condition": "$.userPrincipalName EMPTY false",
    "mappings": [
      {
        "sourcePath": "$.id",
        "targetVariable": "entityIdSourceSystem"
      },
      {
        "sourcePath": "$.userPrincipalName",
        "targetPath": "$.userName"
      },
      {
        "sourcePath": "$.onPremisesImmutableId",
        "optional": true,
        "targetPath": "$.externalId"
      },
      {
        "constant": "urn:ietf:params:scim:schemas:core:2.0:User",
        "targetPath": "$.schemas[0]"
      },
      {
        "sourcePath": "$.givenName",
        "optional": true,
        "targetPath": "$.name.givenName"
      },
      {
        "sourcePath": "$.surname",
        "optional": true,
        "targetPath": "$.name.familyName"
      },
      {
        "sourcePath": "$.displayName",
        "optional": true,
        "targetPath": "$.displayName"
      },
      {
        "sourcePath": "$.mailNickname",
        "optional": true,
        "targetPath": "$.nickName"
      },
      {
        "sourcePath": "$.mail",
        "optional": true,
        "targetPath": "$.emails[0].value"
      },
      {
        "sourcePath": "$.mobilePhone",
        "optional": true,
        "targetPath": "$.phoneNumbers[0].value"
      },
      {
        "condition": "$.mobilePhone EMPTY false",
        "constant": "mobile",
        "targetPath": "$.phoneNumbers[0].type"
      },
      {
        "sourcePath": "$.businessPhones[0]",
        "optional": true,
        "targetPath": "$.phoneNumbers[1].value"
      },
      {
        "condition": "$.businessPhones.length() > 0",
        "constant": "work",
        "targetPath": "$.phoneNumbers[1].type"
      },
      {
        "sourcePath": "$.accountEnabled",
        "optional": true,
        "targetPath": "$.active"
      }
    ]
  },
  "group": {
    "ignore": true,
    "mappings": [
      {
        "sourcePath": "$.id",
        "targetVariable": "entityIdSourceSystem"
      },
      {
        "constant": "urn:ietf:params:scim:schemas:core:2.0:Group",
        "targetPath": "$.schemas[0]"
      },
      {
        "sourcePath": "$.displayName",
        "targetPath": "$.displayName"
      },
      {
        "sourcePath": "$.members",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.members[?(@.value)]"
      }
    ]
  }
}

Default transformation for Azure AD as a target system:

Code Syntax
{
  "user": {
    "mappings": [
      {
        "sourcePath": "$.userName",
        "targetPath": "$.userPrincipalName",
        "functions": [
          {
            "type": "concatString",
            "suffix": "@%aad.domain.name%"
          }
        ]
      },
      {
        "sourcePath": "$.userName",
        "targetPath": "$.mailNickname"
      },
      {
        "sourcePath": "$.displayName",
        "optional": true,
        "targetPath": "$.displayName"
      },
      {
        "sourcePath": "$.name.givenName",
        "optional": true,
        "targetPath": "$.givenName"
      },
      {
        "sourcePath": "$.name.familyName",
        "optional": true,
        "targetPath": "$.surname"
      },
      {
        "sourcePath": "$.externalId",
        "optional": true,
        "targetPath": "$.onPremisesImmutableId"
      },
      {
        "sourcePath": "$.addresses[0].locality",
        "optional": true,
        "targetPath": "$.city"
      },
      {
        "sourcePath": "$.addresses[0].country",
        "optional": true,
        "targetPath": "$.country"
      },
      {
        "constant": true,
        "targetPath": "$.accountEnabled",
        "scope": "createEntity"
      },
      {
        "sourcePath": "$.active",
        "optional": true,
        "targetPath": "$.accountEnabled"
      },
      {
        "constant": false,
        "targetPath": "$.passwordProfile.forceChangePasswordNextSignIn",
        "scope": "createEntity"
      },
      {
        "targetPath": "$.passwordProfile.password",
        "scope": "createEntity",
        "functions": [
          {
            "type": "randomPassword",
            "passwordLength": 16,
            "minimumNumberOfDigits": 1,
            "minimumNumberOfLowercaseLetters": 1,
            "minimumNumberOfUppercaseLetters": 1,
            "minimumNumberOfSpecialSymbols": 0
          }
        ]
      }
    ]
  },
  "group": {
    "mappings": [
      {
        "sourceVariable": "entityIdTargetSystem",
        "targetPath": "$.id"
      },
      {
        "sourcePath": "$.displayName",
        "targetPath": "$.displayName"
      },
      {
        "sourcePath": "$.displayName",
        "targetPath": "$.mailNickname",
        "scope": "createEntity"
      },
      {
        "sourcePath": "$.description",
        "optional": true,
        "targetPath": "$.description"
      },
      {
        "constant": true,
        "targetPath": "$.mailEnabled",
        "scope": "createEntity"
      },
      {
        "sourcePath": "$.mailEnabled",
        "optional": true,
        "targetPath": "$.mailEnabled"
      },
      {
        "constant": false,
        "targetPath": "$.securityEnabled",
        "scope": "createEntity"
      },
      {
        "sourcePath": "$.securityEnabled",
        "optional": true,
        "targetPath": "$.securityEnabled"
      },
      {
        "constant": "Unified",
        "targetPath": "$.groupTypes[0]",
        "scope": "createEntity"
      },
      {
        "sourcePath": "$.visibility",
        "optional": true,
        "targetPath": "$.visibility",
        "scope": "createEntity"
      },
      {
        "sourcePath": "$.isSubscribedByMail",
        "optional": true,
        "targetPath": "$.isSubscribedByMail"
      },
      {
        "sourcePath": "$.autoSubscribeNewMembers",
        "optional": true,
        "targetPath": "$.autoSubscribeNewMembers"
      },
      {
        "sourcePath": "$.allowExternalSenders",
        "optional": true,
        "targetPath": "$.allowExternalSenders"
      }
    ]
  }
}

Next Steps
1. Before starting a provisioning job, you can first subscribe to the source system you use in your scenario. This way, you will be notified by e-mail about eventual failed entities during the job. For more information, see Manage Job Notifications [page 86].
2. Now, start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 83].

1.5.16 Google G Suite (Source and Target)

Follow this procedure to set up Google G Suite as a source or a target system.

Prerequisites
1. Log on to the Google API console (https://console.developers.google.com) and create a project.
2. Enable the Admin SDK. To do this, go to Dashboard > ENABLE API > Admin SDK > ENABLE.
3. Create a service account for your project. We recommend that you select Enable G Suite Domain-wide Delegation during the creation. If you skip this option, you can set it later. For more information, see Creating a service account.
4. Then, in the Google admin console (https://admin.google.com), a user with Super Admin role can delegate domain-wide authority to your service account. This way, it will have access to the Google Admin SDK on behalf of your user.

Note
When specifying the scopes, the administrator has to enter the following:
https://www.googleapis.com/auth/admin.directory.user
https://www.googleapis.com/auth/admin.directory.group
Context

A Google service account with delegated domain-wide authority is required for authentication and authorization of the Identity Provisioning service to the G Suite domain. The authentication is based on the OAuth 2.0 protocol with JSON Web Token (JWT). The private key for the signature is distributed by Google via one-time downloadable JSON data, which is accessible by the domain administrator. The private key is encoded in PKCS8 format and is in the private_key field of the JSON data. For more information, see Using OAuth 2.0 to Access Google APIs and JSON Web Token (JWT).

Google G Suite can automatically create accounts for your users in the Google Cloud Datastore. The Identity Provisioning service performs this operation by using the Google Directory API. For more information, see Directory API.
● When using it as a source system, you can read both users and groups from Google G Suite and provision them to any target system you have added in the Identity Provisioning user interface.
● When using it as a target system, you can write both users and groups, read from any source system you have added in the Identity Provisioning user interface.

Caution
You can only provision users whose e-mails are from verified domains.

If you have successfully finished with the initial setup (described in the Prerequisites section), continue with the procedure below.

Procedure
1. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning Service (Productive) [page 24].
2. Add Google G Suite as a source or a target system. For more information, see Add System [page 50].
   Note: If you have already created a connectivity destination for this system in SAP Cloud Platform cockpit, select it from the Destination dropdown box. If one and the same property exists both in the cockpit and in the Identity Provisioning UI, the value set in the Properties tab will be considered with higher priority.
3. Choose the Properties tab to configure the connection settings for your system.

Table 30: Mandatory Properties
  Type                   Enter: HTTP
  URL                    Specify the service URL: https://www.googleapis.com/admin/directory
  ProxyType              Enter: Internet
  Authentication         Enter: BasicAuthentication. The authentication type in use is actually OAuth with JWT, but for any provisioning system based on OAuth, BasicAuthentication is used along with the OAuth2TokenServiceURL additional property.
  User                   Enter the service account's ID. You can take it from the "client_email" field in the JSON data, downloaded during the setup of the Google service account.
  Password               Enter the service account's private key, which represents a long string in PKCS8 format. You can take it from the "private_key" field in the JSON data, downloaded during the setup of the Google service account. This key grants domain-wide access to the directory, so keep it only in this credential field and never in transformation text or logs.
  OAuth2TokenServiceURL  To make OAuth authentication to the Google G Suite system, enter the URL to the access token provider service.
  jwt.subject            Enter the Google G Suite user on behalf of which the Google Directory API is called. This user has been assigned the role User Management Admin. This property corresponds to the "sub" claim in the JWT being generated during the access token request, see JWT: "sub" (Subject) Claim.

Table 31: Exemplary Configuration
  Name=MyGGSDestination
  URL=https://www.googleapis.com/admin/directory
  ProxyType=Internet
  Type=HTTP
  Authentication=BasicAuthentication
  User=<service account ID, the client_email value>
  Password=-----BEGIN PRIVATE KEY-----\n123ABCDEFG123456789…/123456789ABCDEFG123=\n-----END PRIVATE KEY-----\n
  OAuth2TokenServiceURL=https://www.googleapis.com/oauth2/v4/token
  jwt.subject=john.smith@myaccount.ondemand.com
  jwt.scope=https://www.googleapis.com/auth/admin.directory.user

To learn what additional properties are relevant to your scenario, see List of Properties [page 56]. You can search or filter the table by your system type name, as well as by "All Systems".
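The properties above are the inputs of one OAuth 2.0 JWT bearer exchange: the service builds an RS256-signed assertion from the User, Password, jwt.subject and jwt.scope values and posts it to OAuth2TokenServiceURL. The following Python is an added example, not SAP or Google code, that assembles that assertion so you can see where each property ends up. The service-account fields, the key handling and the assumption that the Password value keeps the literal `\n` sequences of the JSON file are all constructed for the example; RS256 signing needs the `cryptography` package.

```python
"""Service-account JWT bearer assertion for the G Suite destination above.

Added example, not SAP or Google code. RS256 signing assumes the
`cryptography` package (used only in sign_assertion and the demo); the
service-account fields below are constructed, not a real key file.
"""
import base64
import json
import time

# Constructed stand-in for the fields of a downloaded service-account JSON file.
# client_email -> User property, token_uri -> OAuth2TokenServiceURL property;
# the file's private_key field goes into the Password property.
SERVICE_ACCOUNT = {
    "client_email": "ips-sync@example-project.iam.gserviceaccount.com",
    "token_uri": "https://www.googleapis.com/oauth2/v4/token",
}
JWT_SUBJECT = "john.smith@myaccount.ondemand.com"   # jwt.subject: the admin impersonated
JWT_SCOPE = ("https://www.googleapis.com/auth/admin.directory.user "
             "https://www.googleapis.com/auth/admin.directory.group")  # jwt.scope, space-separated
MAX_TTL = 3600  # Google rejects assertions valid for more than one hour


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def normalize_pem(value: str) -> str:
    """The Password property holds the key with literal backslash-n sequences,
    exactly as in the JSON file (assumption); turn them back into line breaks."""
    return value.replace("\\n", "\n")


def build_claims(now: int, ttl: int = MAX_TTL) -> dict:
    """Claim set: iss = service account, sub = impersonated user (jwt.subject),
    scope = jwt.scope, aud = token endpoint, iat/exp = validity window."""
    if not 0 < ttl <= MAX_TTL:
        raise ValueError("ttl must be between 1 and 3600 seconds")
    return {
        "iss": SERVICE_ACCOUNT["client_email"],
        "sub": JWT_SUBJECT,
        "scope": JWT_SCOPE,
        "aud": SERVICE_ACCOUNT["token_uri"],
        "iat": now,
        "exp": now + ttl,
    }


def signing_input(claims: dict) -> str:
    """header.payload, the part of the JWT that gets signed."""
    def enc(obj):
        return b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims)


def sign_assertion(claims: dict, private_key_pem: str) -> str:
    """Sign with the PKCS8 key from the Password property
    (RS256 = RSASSA-PKCS1-v1_5 over SHA-256)."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(
        normalize_pem(private_key_pem).encode("utf-8"), password=None)
    to_sign = signing_input(claims)
    signature = key.sign(to_sign.encode("ascii"), padding.PKCS1v15(), hashes.SHA256())
    return to_sign + "." + b64url(signature)


def decode_header(assertion: str) -> dict:
    return json.loads(b64url_decode(assertion.split(".")[0]))


def decode_claims(assertion: str) -> dict:
    return json.loads(b64url_decode(assertion.split(".")[1]))


def token_request_body(assertion: str) -> dict:
    """Form fields POSTed to OAuth2TokenServiceURL; the response carries the
    access token that is then sent as a Bearer token to the Directory API."""
    return {"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
            "assertion": assertion}


if __name__ == "__main__":
    # Offline demo: a throwaway key instead of a real service-account key file.
    from cryptography.hazmat.primitives import serialization
    from cryptography.hazmat.primitives.asymmetric import rsa
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pem = key.private_bytes(serialization.Encoding.PEM,
                            serialization.PrivateFormat.PKCS8,
                            serialization.NoEncryption()).decode("ascii")
    jwt = sign_assertion(build_claims(int(time.time())), pem)
    print(json.dumps(token_request_body(jwt), indent=2))
```

Two things this makes visible: the "sub" claim is what turns a key into directory-wide authority (anyone holding the Password value can impersonate jwt.subject for every scope the Super Admin delegated), and the scopes in the assertion must be a subset of those entered under domain-wide delegation, otherwise the token endpoint refuses the exchange.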
4. (Optional) Configure the transformations.

Caution
An initial password setup is mandatory for all newly provisioned users. This is required by the Google G Suite API and must be provided when new accounts are created. The default target transformation generates this password per user with the randomPassword function (see below). If you replace that function with a constant value, the constant must be known only by the representatives of your company, and you must change it before starting to use the Identity Provisioning service for creating users in your corporate Google G Suite system automatically.

Transformation principles for the system integration are:
○ Mapping logic: The provisioning framework reads all attributes from the intermediate JSON data and tries to create consistent records in the Google G Suite target system, using all the available attributes accepted by the Google Directory API. Any source or target transformation should produce JSON data which is required by the Google Directory API. Bear in mind the following: Make sure that the JSON data sent by the source system is consistent with the configuration template of the target. For example, if the source system contains mandatory fields and the target one does not support such kind of data, then the target system skips these fields. When a required attribute is missing, the default transformation is designed with a condition that will exclude the inconsistent records.
○ User offboarding: The Identity Provisioning service is handling the deletion status of the users. When a user is deleted from the source system, this deletion will be enforced into the Google G Suite system as well. This may cause crucial data loss.
○ There is a special user status type called suspended (temporarily blocks a user without deleting any account data) for the Google directory accounts. When the status of the user account is changed to suspended, the Google Directory API will not accept any changes on the user attributes. Once the suspended user is restored by the administrator, all attribute changes pending for the account will be successfully provisioned with the next provisioning job.

Default transformation for Google G Suite as a source system:

Code Syntax
{
  "user": {
    "mappings": [
      { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem" },
      { "constant": "urn:ietf:params:scim:schemas:core:2.0:User", "targetPath": "$.schemas[0]" },
      { "sourcePath": "$.primaryEmail", "targetPath": "$.userName" },
      { "sourcePath": "$.primaryEmail", "targetPath": "$.emails[0].value" },
      { "sourcePath": "$.name", "targetPath": "$.name" },
      { "constant": true, "targetPath": "$.active" },
      { "condition": "$.suspended == true", "constant": false, "targetPath": "$.active" }
    ]
  },
  "group": {
    "ignore": true,
    "mappings": [
      { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem" },
      { "constant": "urn:ietf:params:scim:schemas:core:2.0:Group", "targetPath": "$.schemas[0]" },
      { "sourcePath": "$.name", "targetPath": "$.displayName" },
      { "sourcePath": "$.members[?((@.type == 'USER') && (@.status == 'ACTIVE'))]", "targetPath": "$.members", "preserveArrayWithSingleElement": true, "optional": true },
      { "targetPath": "$.members[*].id", "constant": "value", "type": "rename" },
      { "targetPath": "$.members[*].email", "constant": "display", "type": "rename" },
      { "targetPath": "$.members[*].role", "type": "remove" },
      { "targetPath": "$.members[*].etag", "type": "remove" },
      { "targetPath": "$.members[*].kind", "type": "remove" },
      { "targetPath": "$.members[*].type", "type": "remove" },
      { "targetPath": "$.members[*].status", "type": "remove" }
    ]
  }
}

Default transformation for Google G Suite as a target system:

Code Syntax
{
  "user": {
    "condition": "($.emails.length() > 0) && ($.name.givenName EMPTY false) && ($.name.familyName EMPTY false)",
    "mappings": [
      { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.id" },
      { "sourcePath": "$.emails[0].value", "targetPath": "$.primaryEmail" },
      { "sourcePath": "$.name", "targetPath": "$.name" },
      { "sourcePath": "$.phoneNumbers", "targetPath": "$.phones", "optional": true },
      { "targetPath": "$.password", "scope": "createEntity", "functions": [ { "type": "randomPassword", "passwordLength": 16, "minimumNumberOfDigits": 1, "minimumNumberOfLowercaseLetters": 1, "minimumNumberOfUppercaseLetters": 1, "minimumNumberOfSpecialSymbols": 0 } ] },
      { "constant": "true", "targetPath": "$.changePasswordAtNextLogin", "scope": "createEntity" },
      { "constant": "false", "targetPath": "$.suspended" },
      { "condition": "$.active == false", "constant": "true", "targetPath": "$.suspended" }
    ]
  },
  "group": {
    "ignore": true,
    "mappings": [
      { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.id" },
      { "constant": "urn:ietf:params:scim:schemas:core:2.0:Group", "targetPath": "$.schemas[0]" },
      { "sourcePath": "$.displayName", "targetPath": "$.name" },
      /* Google G Suite requires a group e-mail. By default, the email attribute is mapped to displayName. If the group's Display Name does not contain an e-mail, you can either map email to another attribute, or concatenate displayName with your domain. To learn how, see the Note below. */
      { "sourcePath": "$.displayName", "targetPath": "$.email" },
      { "sourcePath": "$.members[?(@.type == 'User')].value", "targetPath": "$.members[?(@.id)]", "preserveArrayWithSingleElement": true, "optional": true, "functions": [ { "type": "resolveEntityIds", "entityType": "user" } ] }
    ]
  }
}

Note
If the displayName attribute in the source system transformation does not provide group e-mails, you can modify the transformation in the following ways:
○ Map email to another attribute that contains a unique group e-mail.
○ Concatenate the displayName attribute with your domain. For example:

Sample Code
{
  "sourcePath": "$.displayName",
  "targetPath": "$.email",
  "functions": [
    { "type": "concatString", "suffix": "@test.com" }
  ]
}

Next Steps
1. Before starting a provisioning job, you can first subscribe to the source system you use in your scenario. This way, you will be notified by e-mail about eventual failed entities during the job. For more information, see Manage Job Notifications [page 86].
2. Now, start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 83].

1.5.17 SSH Server – Beta (Source and Target)

Follow this procedure to set up an SSH server (Beta) as a source or a target system.

Note
This is a beta feature available on SAP Cloud Platform. For more information, see Using Beta Features in Subaccounts.

Context

SSH Server is a system (connector) in beta state. This system helps you connect to remote machines via SSH tunnel, with or without use of the Cloud Connector, depending on whether the SSH port is visible or not. It helps you execute bash scripts through the SSH connection. The configuration allows you to attach separate scripts per entity lifecycle callback (such as user create, group create/update, delete, and so on). The bash scripts can take as parameters fields that are coming from the entity JSON data. For example:

sudo su - vcap /home/myscript.sh $.userName $.email

The values substituted for these placeholders come from the entity as delivered by the source system, so the script has to validate them before using them in further commands.

Prerequisites
● You have credentials for a tenant in SAP Cloud Platform. For more information, see Accounts.
● (Optional) You have installed the SAP Cloud Platform cloud connector in your corporate environment and have done the initial configuration. You need this only when your SSH server resides in a remote system, outside your Neo environment. For more information, see Cloud Connector.

Procedure
1. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning Service (Productive) [page 24].
2. Add SSH Server (Beta) as a source or a target system. For more information, see Add System [page 50].
   Note: If you have already created a connectivity destination for this system in SAP Cloud Platform cockpit, select it from the Destination dropdown box. If one and the same property exists both in the cockpit and in the Identity Provisioning UI, the value set in the Properties tab will be considered with higher priority.
3. Choose the Properties tab to configure the connection settings for your system. Below are listed all available SSH Server properties. Some of them can be mandatory and others optional, depending on your scenario.
Table 32: Mandatory Properties
  ProxyType                 Possible values:
                            ○ Internet: if the SSH port is visible in your Neo environment
                            ○ OnPremise: if the SSH port is not directly accessible, and you have to use the Cloud Connector. You have to configure a TCP protocol connection to the SSH host and port (specify the configuration properties ssh.host and ssh.port).
  CloudConnectorLocationId  Relevant when the proxy type is OnPremise. Use it only if your SAP Cloud Platform account uses more than one Cloud Connector.
  ssh.host                  The SSH host.
  ssh.port                  22
  ssh.username              The user the connector logs on with.
  ssh.auth.type             Supported SSH authentication types: key, pwd, otp, key+otp, key+pwd, pwd+otp, key+pwd+otp
  ssh.password (Credential)         Taken into account only if the authentication type includes pwd. That means any of the following: ssh.auth.type = pwd, pwd+otp, key+pwd, key+pwd+otp
  ssh.private.key (Credential)      Taken into account only if the authentication type includes key. That means any of the following: ssh.auth.type = key, key+otp, key+pwd, key+pwd+otp
  ssh.private.key.type              The format of the SSH private key. Possible values: ssh-rsa, ssh-dsa. Default value: ssh-rsa. Prefer ssh-rsa: OpenSSH servers have disabled DSA (ssh-dss) public-key authentication by default since version 7.0.
  ssh.totp.secret.key (Credential)  Taken into account only if the authentication type includes otp. That means any of the following: ssh.auth.type = otp, key+otp, pwd+otp, key+pwd+otp
  ssh.user.create.command                            Path to the bash command you need to execute to create a user.
  ssh.user.create.command.exit.code.already.exists   An exit code number
  ssh.user.update.command                            Path to the bash command you need to execute to update a user.
  ssh.user.update.command.exit.code.not.found        An exit code number
  ssh.user.delete.command                            Path to the bash command you need to execute to delete a user.
  ssh.user.delete.command.exit.code.not.found        An exit code number
  ssh.group.create.command                           Path to the bash command you need to execute to create a group.
  ssh.group.create.command.exit.code.already.exists  An exit code number
  ssh.group.update.command                           Path to the bash command you need to execute to update a group.
  ssh.group.update.command.exit.code.not.found       An exit code number
  ssh.group.delete.command                           Path to the bash command you need to execute to delete a group.
  ssh.group.delete.command.exit.code.not.found       An exit code number

  Mandatory only for source systems
  ssh.read.users.command    Path to the bash command you need to execute to read users.
  ssh.read.groups.command   Path to the bash command you need to execute to read groups.

To learn what additional properties are relevant to your scenario, see List of Properties [page 56]. You can search or filter the table by your system type name, as well as by "All Systems".

4. (Optional) Configure the transformations. You can change the default transformation mapping rules to reflect your current setup of entities in your SSH Server (Beta) target system. For more information, see Manage Transformations [page 30].

Default transformation for SSH Server (Beta) as a source system:

Code Syntax
{
  "user": {
    "mappings": [
      { "sourcePath": "$", "targetPath": "$" },
      { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem" }
    ]
  },
  "group": {
    "ignore": true,
    "mappings": [
      { "sourcePath": "$", "targetPath": "$" },
      { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem" }
    ]
  }
}

Default transformation for SSH Server (Beta) as a target system:

Code Syntax
{
  "user": {
    "mappings": [
      { "sourcePath": "$.userName", "targetPath": "$.userName" }
    ]
  }
}

Next Steps
1. Before starting a provisioning job, you can first subscribe to the source system you use in your scenario. This way, you will be notified by e-mail about eventual failed entities during the job. For more information, see Manage Job Notifications [page 86].
2. Now, start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 83].
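The SSH Server connector only sees the exit code of each lifecycle command, so the scripts behind ssh.user.create.command and friends have to return the numbers configured in the ...exit.code.already.exists and ...exit.code.not.found properties. The following is an added example, not SAP code: a Python stand-in for the bash scripts the page describes, with the same contract. It assumes the script is registered as `/home/ipsadmin/ips_user_cmd.py create`, `... update`, `... delete` and `... read` (paths chosen for the example), that 9 and 6 are the values entered for the already-exists and not-found properties, that ssh.read.users.command is expected to print one JSON array, and it keeps a JSON file instead of calling useradd/userdel so that it runs anywhere.

```python
#!/usr/bin/env python3
"""Lifecycle command for the SSH Server (Beta) connector.

Added example, not SAP code: a Python stand-in for the page's bash scripts.
The connector appends entity fields as arguments, e.g.
    /home/ipsadmin/ips_user_cmd.py create $.userName $.emails[0].value
(path assumed) and maps the exit code through the ...exit.code.* properties.
"""
import json
import os
import re
import sys

EXIT_OK = 0
EXIT_INVALID_INPUT = 2
EXIT_NOT_FOUND = 6        # assumed value of ssh.user.update/delete.command.exit.code.not.found
EXIT_ALREADY_EXISTS = 9   # assumed value of ssh.user.create.command.exit.code.already.exists
USER_DB = os.environ.get("IPS_USER_DB", "/var/lib/ips/users.json")  # assumed location

# Entity fields arrive as command-line arguments, i.e. as untrusted input from
# the source system: accept only portable POSIX user names and plain addresses.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def valid_username(name):
    return bool(USERNAME_RE.match(name))


def valid_email(address):
    return bool(EMAIL_RE.match(address))


def create_user(db, user_name, email):
    if not (valid_username(user_name) and valid_email(email)):
        return EXIT_INVALID_INPUT
    if user_name in db:
        return EXIT_ALREADY_EXISTS   # connector reads this as "already exists", not as a failure
    db[user_name] = {"id": user_name, "userName": user_name,
                     "emails": [{"value": email}], "active": True}
    return EXIT_OK


def update_user(db, user_name, email):
    if not (valid_username(user_name) and valid_email(email)):
        return EXIT_INVALID_INPUT
    if user_name not in db:
        return EXIT_NOT_FOUND
    db[user_name]["emails"] = [{"value": email}]
    return EXIT_OK


def delete_user(db, user_name):
    if not valid_username(user_name):
        return EXIT_INVALID_INPUT
    if user_name not in db:
        return EXIT_NOT_FOUND
    del db[user_name]
    return EXIT_OK


def read_users(db):
    """Output for ssh.read.users.command: one JSON array of entities. The default
    source transformation copies each entity ($ -> $) and stores $.id as
    entityIdSourceSystem, so every entity carries an id."""
    return json.dumps(list(db.values()))


def load_db(path):
    if not os.path.exists(path):
        return {}
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def save_db(path, db):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(db, fh)


def main(argv):
    if len(argv) < 2:
        return EXIT_INVALID_INPUT
    op, args = argv[1], argv[2:]
    db = load_db(USER_DB)
    if op == "read":
        print(read_users(db))
        return EXIT_OK
    handlers = {"create": create_user, "update": update_user, "delete": delete_user}
    if op not in handlers:
        return EXIT_INVALID_INPUT
    try:
        code = handlers[op](db, *args)
    except TypeError:             # wrong number of fields passed by the connector
        return EXIT_INVALID_INPUT
    if code == EXIT_OK:
        save_db(USER_DB, db)
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Any exit code other than 0 and the two configured ones is reported as a failed entity in the job log, which is the right outcome for a user name that does not pass validation; a real script would replace the JSON file with useradd/usermod/userdel calls and keep the same return values.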
1.5.18 SCIM (Source and Target)

Follow this procedure to set up a SCIM system as a source or a target system.

Prerequisites
● You have installed the SAP Cloud Platform cloud connector in your corporate environment and have done the initial configuration. You need this only if the SCIM system is exposed in a private corporate network. For more information, see SAP Cloud Platform Connector.
● You have technical user credentials for a SCIM system, with read/write access permissions, depending on the scenario you want to implement. In case OAuth is used for authentication, client ID and secret are required when creating a destination for access token retrieval.

Procedure
1. (Optional) If the SCIM system is exposed in a private corporate network, add an access control system mapping in SAP Cloud Platform cloud connector. For more information, see Configuring Access Control (HTTP).
2. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning Service (Productive) [page 24].
3. Add SCIM System as a source or a target system. For more information, see Add System [page 50].
   Note: If you have already created a connectivity destination for this system in SAP Cloud Platform cockpit, select it from the Destination dropdown box. If one and the same property exists both in the cockpit and in the Identity Provisioning UI, the value set in the Properties tab will be considered with higher priority.
4. Choose the Properties tab to configure the connection settings for your system.

Table 33: Mandatory Properties
  Type                   Enter: HTTP
  URL                    Specify the service URL. For example: https://<cloudfoundry_server>.com/api/uaa/ (use HTTPS: with BasicAuthentication the credentials travel in the Authorization header of every request).
  ProxyType              Enter Internet or OnPremise.
  Authentication         Enter: BasicAuthentication
  User                   You can specify one of the following: the technical user ID, or the client ID for OAuth HTTP destinations (used for retrieving the access token).
  Password               You can enter one of the following: the technical user password, or the client secret for OAuth HTTP destinations (used for retrieving the access token).
  OAuth2TokenServiceURL  If you need to make OAuth authentication to the system, enter the URL to the access token provider service for OAuth HTTP destinations. For example: https://token-provider.com/api/auth/token

To learn what additional properties are relevant to your scenario, see List of Properties [page 56]. You can search or filter the table by your system type name, as well as by "All Systems".

5. (Optional) Configure the transformations. You can change the default transformation mapping rules to reflect your current setup of entities in your SCIM system. For more information, see Manage Transformations [page 30].

SCIM as a Source System
○ Mapping logic: the behavior of the default transformation logic is to read all user attributes from the source SCIM system, and then map them to the internal SCIM representation. It uses entityIdSourceSystem to store the unique ID of the identity. The ID is removed by default, because it is specific for the source system.
○ User off-boarding: it depends on the target system API. When a user is deleted from the SCIM system, the deletion status is considered and depends on the user status handling of the target system. The user will be either deleted or set as inactive.

Below is the default transformation of SCIM as a source system:

Code Syntax
{
  "user": {
    "mappings": [
      { "sourcePath": "$", "targetPath": "$" },
      { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem" },
      { "targetPath": "$.id", "type": "remove" },
      { "targetPath": "$.meta", "type": "remove" }
    ]
  },
  "group": {
    "ignore": true,
    "mappings": [
      { "sourcePath": "$", "targetPath": "$" },
      { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem" },
      { "targetPath": "$.id", "type": "remove" },
      { "targetPath": "$.meta", "type": "remove" }
    ]
  }
}

SCIM as a Target System
○ Mapping logic: the behavior of the default transformation logic is to map all attributes from the internal SCIM representation to the target entity. If the entity has e-mail addresses, the first entry will be marked as primary.
○ User off-boarding: users can be deleted from the target system, depending on the SCIM system implementation. Users could also be deactivated. The SCIM core schema defines an attribute "active", whose definition depends on the service provider. Depending on the implementation, this could be done through a user interface (if such exists) or the SCIM REST API. For more information, see SCIM: Singular Attributes.

Below is the default transformation of SCIM as a target system:

Code Syntax
{
  "user": {
    "mappings": [
      { "sourcePath": "$", "targetPath": "$" },
      { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.id" },
      { "condition": "$.emails.length() > 0", "constant": true, "targetPath": "$.emails[0].primary", "optional": true },
      { "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']", "type": "remove" }
    ]
  },
  "group": {
    "ignore": true,
    "mappings": [
      { "sourcePath": "$", "targetPath": "$" },
      { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.id" },
      { "sourcePath": "$.members[*].value", "targetPath": "$.members[?(@.value)]", "preserveArrayWithSingleElement": true, "optional": true, "functions": [ { "type": "resolveEntityIds" } ] }
    ]
  }
}

Next Steps
1. Before starting a provisioning job, you can first subscribe to the source system you use in your scenario. This way, you will be notified by e-mail about eventual failed entities during the job. For more information, see Manage Job Notifications [page 86].
2. Now, start an identity provisioning job. For more information, see Manage Jobs and Job Logs [page 83].

1.5.19 LDAP Server (Source)

Follow this procedure to set up LDAP Server as a source system.
Prerequisites
● You have installed the SAP Cloud Platform cloud connector in your corporate environment and have done the initial configuration. For more information, see SAP Cloud Platform Connector.
● You have the credentials of a technical user in the LDAP Server, which is used to call the LDAP Server API to read the users and their attributes.

Procedure
1. Add an access control system mapping for the LDAP Server in the Cloud Connector. This is needed to allow the Identity Provisioning service to access the LDAP server as a back-end system on the intranet. For more information, see Configuring Access Control (LDAP).
2. Open the user interface of the Identity Provisioning service. For more information, see Access the Identity Provisioning Service (Productive) [page 24].
3. Add LDAP Server as a source system. For more information, see Add System [page 50].
   Note: If you have already created a connectivity destination for this system in SAP Cloud Platform cockpit, select it from the Destination dropdown box. If one and the same property exists both in the cockpit and in the Identity Provisioning UI, the value set in the Properties tab will be considered with higher priority.
4. Choose the Properties tab to configure the connection settings for your system.

Table 34: Mandatory Properties
  Type                 Enter: LDAP
  ldap.url             Specify the destination URL. It must be in the following format: ldap://<external_host>:<external_port>
  ldap.proxyType       Enter: OnPremise
  ldap.authentication  Enter: BasicAuthentication (a simple bind with the technical user's credentials)
  ldap.user            Enter the user for LDAP Server.
  ldap.password        Enter the password for the LDAP Server user.
  ldap.user.path       Enter the complete path to the users in LDAP Server.
  ldap.group.path      Enter the complete path to the group or groups in LDAP Server.

To learn what additional properties are relevant to your scenario, see List of Properties [page 56]. You can search or filter the table by your system type name, as well as by "All Systems".

The LDAP Server source system is created by default with the properties listed below. The ldap.* properties are used in the parameterized default LDAP read transformation.

Table 35: Default LDAP Properties
  ldap.user.object.class=inetOrgPerson
  ldap.user.attribute.id=uid
  ldap.user.attribute.mail=mail
  ldap.user.attribute.givenName=givenName
  ldap.user.attribute.surname=sn
  ldap.user.attribute.telephoneNumber=telephoneNumber
  ldap.user.attribute.mobile=mobile
  ldap.user.attribute.groups=memberOf
  ldap.user.filter=
  ldap.user.attributes=
  ldap.user.uniquename.attribute=uid
  ldap.group.object.class=groupOfNames
  ldap.group.attribute.id=cn
  ldap.group.attribute.member=member
  ldap.group.filter=
  ldap.group.attributes=
  ldap.group.uniquename.attribute=cn
  ldap.page.size=100

5. (Optional) Configure the transformations.

Before the read transformation, the LDAP Server attributes are represented as arrays (single-element arrays, or multi-value arrays separated by comma (,)). After the read transformation (in the intermediate JSON data), the attributes are in SCIM format. You can change the default transformation mapping rules to reflect your current setup of entities in LDAP Server. For more information, see Manage Transformations [page 30].

Note
The ldap.user.attribute.id system property is used also as the userName value for the internal JSON representation. You could exchange the default attribute, resolved from the ldap.user.attribute.id system property (which is used as a source), with another one, but make sure the new source attribute is unique as well. The ldap.user.attribute.mail system property is used also as the first array value in the emails JSON array. For more information, see the official documentation for LDAP Server schema attributes in the Related Information section.

Note
When a user is deleted from LDAP Server, the deletion status is considered by the Identity Provisioning service during the read processes. Depending on the offboarding handling of the users in the target system, the user can be deleted, or can be set to inactive.

Below are some of the statements in the default transformation, described in short:

Code Syntax
{
  "user": {
    "mappings": [
      /* The value of entityIdSourceSystem is used to store the unique ID of the identity. */
      { "sourcePath": "$.%ldap.user.attribute.id%[0]", "targetVariable": "entityIdSourceSystem" },
      /* The constant urn:ietf:params:scim:schemas:core:2.0:User is required as a value for the schemas definition in the Identity Authentication service SCIM REST API. You should not delete this statement. */
      { "constant": "urn:ietf:params:scim:schemas:core:2.0:User", "targetPath": "$.schemas[0]" },
      /* The value of the attribute resolved from the ldap.user.attribute.id system property is used also as the userName value. */
      { "sourcePath": "$.%ldap.user.attribute.id%[0]", "targetPath": "$.userName" },
      /* The value of the attribute resolved from the ldap.user.attribute.givenName system property is used for the name.givenName value in the internal JSON representation. */
      { "sourcePath": "$.%ldap.user.attribute.givenName%[0]", "targetPath": "$.name.givenName", "optional": true },
      /* The value of the attribute resolved from the ldap.user.attribute.surname system property is used for the name.familyName value in the internal JSON representation. */
      { "sourcePath": "$.%ldap.user.attribute.surname%[0]", "targetPath": "$.name.familyName", "optional": true },
      /* The value of the attribute resolved from the ldap.user.attribute.mail system property is used as the first e-mail. */
      { "sourcePath": "$.%ldap.user.attribute.mail%[0]", "targetPath": "$.emails[0].value", "optional": true },
      { "sourcePath": "$.%ldap.user.attribute.mobile%[0]", "targetPath": "$.phoneNumbers[0].value", "optional": true },
      { "condition": "$.%ldap.user.attribute.mobile%.length() > 0", "constant": "mobile", "targetPath": "$.phoneNumbers[0].type" },
      { "sourcePath": "$.%ldap.user.attribute.telephoneNumber%[0]", "targetPath": "$.phoneNumbers[1].value", "optional": true },
      { "condition": "$.%ldap.user.attribute.telephoneNumber%.length() > 0", "constant": "work", "targetPath": "$.phoneNumbers[1].type" },
      /* The attribute resolved from the ldap.user.attribute.groups system property is transformed by default into the groups attribute of the SCIM internal representation: */
      { "sourcePath": "$.%ldap.user.attribute.groups%", "targetPath": "$.groups[?(@.value)]", "preserveArrayWithSingleElement": true, "optional": true }
    ]
  },
  "group": {
    "ignore": true,
    "mappings": [
      { "sourcePath": "$.%ldap.group.attribute.id%[0]", "targetVariable": "entityIdSourceSystem" },
      { "constant": "urn:ietf:params:scim:schemas:core:2.0:Group", "targetPath": "$.schemas[0]" },
      { "sourcePath": "$.%ldap.group.attribute.id%[0]", "targetPath": "$.displayName" },
      { "sourcePath": "$.%ldap.group.attribute.member%", "targetPath": "$.members[?(@.value)]", "preserveArrayWithSingleElement": true, "optional": true }
    ]
  }
}

As a result of this mapping, this is how the data from LDAP Server looks before and after the read transformation:

Table 36:
  Source JSON Data (as read from LDAP Server)
    {
      …
      "memberOf": [
        "SALES_US",
        "SALES_EU"
      ],
      …
    }

  Intermediate JSON Data (as result from the transformation)
    {
      …
      "groups": [
        { "value": "SALES_US" },
        { "value": "SALES_EU" }
      ],
      …
    }
*/ { "sourcePath": "$.value" }.attribute.attribute.%ldap. "memberOf": [ "groups":[ "SALES_US".group.members[?(@. SAP Cloud Platform Identity Provisioning Service SAP Cloud Platform Identity Provisioning Service PUBLIC 171 . "optional": true. 2.attribute. For more information. { "SALES_EU" "value": "SALES_US" ] }.uniquename. you will be notified by e-mail about eventual failed entities during the job.schemas[0]" }. This way.0:Group".. For example: ldap.attribute either in the LDAP Server read system or in the corresponding destination with value the name of the attribute to be used instead. see Manage Job Notifications [page 86]. ] … Note By default. this is how the data from LDAP Server looks like before and after the read transformation: Table 36: Source JSON Data Intermediate JSON Data (as read from LDAP Server) (as result from the transformation) Sample Code Sample Code .attribute=displayName Next Steps 1. "targetPath": "$. "targetPath": "$.group. see Manage Jobs and Job Logs [page 83].value)]" } ] } } As result of this mapping.. Before starting a provisioning job. The administrator can change this by setting the property ldap. you can first subscribe to the source system you use in your scenario. . For more information. the cn attribute is returned for every group. { "sourcePath": "$. start an identity provisioning job. "preserveArrayWithSingleElement": true.%ldap.uniquename..displayName" }. { "constant": "urn:ietf:params:scim:schemas:core:2. "targetPath": "$.member%". … { "value": "SALES_EU" }.. Now.group. according to the System for Cross-Domain Identity Management (SCIM) 2. The supported attributes are defined in the SCIM core SAP Cloud Platform Identity Provisioning Service 172 PUBLIC SAP Cloud Platform Identity Provisioning Service . The identity directory in the SAP Cloud Platform Identity Provisioning service provides organizations with a directory for storing and managing users and groups in the SAP Cloud Platform. 
Related Information

Technical Documents
Setting Timeout for Ldap Operations
Connection Pooling Configuration

1.6 Identity Directory (Beta)

Note
The identity directory is a beta functionality that is available in the SAP Cloud Platform Identity Provisioning service.

The identity directory in the SAP Cloud Platform Identity Provisioning service provides organizations with a directory for storing and managing users and groups in the SAP Cloud Platform, according to the System for Cross-Domain Identity Management (SCIM) 2.0 standard. The users and groups in this directory can be provisioned to and read from various cloud systems (both SAP and non-SAP) supported by the Identity Provisioning service.

The identity directory stores resources (users and groups) with a set of attributes. The supported attributes are defined in the SCIM core schema and the Enterprise user resource schema. Custom attributes are also supported through a schema extension.

Every organization obtains a tenant that is identified with a <consumer subaccount> (tenant) and stores tenant data in a separate database schema. The identity directory ensures strong security for corporate data by tenant isolation and secure programming. What this means is that every SAP Cloud Platform customer can enable the Identity Provisioning service and thus subscribe its customer tenant to it. This will create their own identity vault in the identity directory.

You can access the identity directory using a dedicated URL for a consumer subaccount in the format https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com. For example: https://<idds><a1111b222>-<c333d4e5f>.hana.ondemand.com. You see the list of subscriptions and the corresponding application URLs to access them in the Subscriptions pane in the cockpit.

The figure below shows an example of a system landscape you can use for a provisioning scenario with the identity directory.

[Figure: example system landscape for a provisioning scenario with the identity directory]

Scenarios

You can use the identity directory in the following scenarios, depending on your business needs and your system landscape.

● Managing Resources
  The identity directory provides a SCIM REST API for create, read, update, delete (CRUD) operations on users and groups. You can use it to manage your own resources in the directory. See Managing Resources [page 174]

● Reading and Storing Resources
  In the Identity Provisioning service, you can configure the identity directory as a target system. Based on this configuration, users and groups are provisioned to the identity directory from the defined source systems. See Systems

● Provisioning Resources
  In the Identity Provisioning service, you can configure the identity directory as a source system. Based on this configuration, users and groups are provisioned to the defined corresponding target systems. See Systems

1.6.1 Enabling Identity Directory

Prerequisites

● You have a license to use the Identity Provisioning service.
● You have enabled the Identity Provisioning service.

Context

To enable the identity directory, proceed as follows:

Procedure

1. In the SAP Cloud Platform cockpit, navigate to your global account.
2. On your subaccount tile, choose Edit.
3. For Beta Features, select the Enable checkbox.
4. Choose Save.
5. Open your subaccount tile.
6. From the left-side navigation, choose Services.
7. Find the Identity Directory (Beta) tile and open it.
8. Choose Enable.
9. When the service is successfully enabled, choose Go to Service.

The UI of the Identity Provisioning service is open. You can now perform provisioning of entities between the SAP identity directory and other systems.

Next Steps

Scenarios
Adding Systems
Managing Transformations

1.6.2 Managing Resources

The identity directory provides a System for Cross-domain Identity Management (SCIM) 2.0 REST API for managing resources (users, groups and custom schemas). Consumers of this REST API should be familiar with the System for Cross-domain Identity Management Protocol before managing their own resources. A SCIM resource is represented in JavaScript Object Notation (JSON) format. All examples in this document are based on the Content-Type application/scim+json. For more information, see System for Cross-domain Identity Management: Protocol.

Table 37:

To Learn About                          See
Supported resources and operations      Resources and Operations [page 175]
Supported attribute types               Attributes [page 176]
Examples for SCIM REST API usage        Search Users with Filtering [page 177]
                                        Search Users with Paging [page 180]
                                        Create User [page 184]
                                        Update User [page 186]
                                        Delete User [page 189]
                                        Search Groups with Paging [page 190]
                                        Create Group [page 193]
                                        Update Group [page 194]
                                        Delete Group [page 196]
                                        Create Custom Schema [page 197]
                                        Delete Custom Schema [page 201]

1.6.2.1 Resources and Operations

The identity directory SCIM REST API supports the following resources and operations:

Table 38:

Resource                        Endpoint                 Operation                 Schema URI                                                          Description
User                            /Users                   GET, POST, PUT, DELETE    urn:ietf:params:scim:schemas:core:2.0:User                          Retrieve, create, modify and delete a user resource.
                                                                                   urn:ietf:params:scim:schemas:extension:enterprise:2.0:User
                                                                                   urn:sap:cloud:scim:schemas:extension:custom:2.0:<Name>
Group                           /Groups                  GET, POST, PUT, DELETE    urn:ietf:params:scim:schemas:core:2.0:Group                         Retrieve, create, modify and delete a group resource.
Schema                          /Schemas                 GET, POST, DELETE         urn:ietf:params:scim:schemas:core:2.0:User                          Retrieve, create and delete a resource's schema.
                                                                                   urn:ietf:params:scim:schemas:extension:enterprise:2.0:User
                                                                                   urn:sap:cloud:scim:schemas:extension:custom:2.0:<Name>
                                                                                   urn:ietf:params:scim:schemas:core:2.0:Group
Service Provider Configuration  /ServiceProviderConfig   GET                       urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig         Retrieve the service provider's configuration.

For more information about the SCIM specification, see System for Cross-domain Identity Management: Protocol.

1.6.2.2 Attributes

A resource is a collection of attributes identified by one or more schemas. An attribute consists of the attribute name and at least one simple or complex value. For each attribute, the SCIM schema defines the data type, for example: String.

SCIM Schemas

The identity directory supports the following SCIM schemas:

● Core Schema - a collection of core attributes for users and groups, for example: userName and members.
● Enterprise User Schema Extension - a collection of attributes representing a user that belongs to an enterprise, for example: employeeNumber and manager.
● Custom Schema Extension - a collection of custom attributes defined through a schema extension, for example: equipment, roomNumber.

Attribute Values

The identity directory supports the following types of SCIM schema attributes:

● Single-valued attributes - an attribute that contains one value, for example: displayName.
● Multi-valued attributes - an attribute that contains more than one value, for example: emails.
● Simple attributes - a single- or multi-valued attribute whose value is primitive. Simple attributes do not contain sub-attributes.
● Complex attributes - a single- or multi-valued attribute that contains one or more simple attributes. The addresses attribute, for example, contains the following sub-attributes: streetAddress, locality, region, postalCode, and country.
● Sub-attributes - a simple attribute that is contained within a complex attribute, for example: postalCode is a sub-attribute within the addresses complex attribute.

Note
Complex custom attributes are not supported.
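The attribute rules in this section, together with the limits in the Attribute Data Types table that follows, are the checks a SCIM client can run locally before a POST or PUT instead of discovering a rejected value in the server's response. The following is an added example, not SAP code: a Python validator for one attribute value given its SCIM data type, whether the attribute is multi-valued, and whether it belongs to a custom schema. It enforces the 2000-byte string and 5000-byte base64 limits, the 4-byte integer range, decimal(38,18) precision and scale, ISO 8601 UTC datetimes, and the rule that complex custom attributes are not supported. Two points are assumptions rather than statements of the page: one to nine fractional-second digits are accepted in datetimes (the page's examples show both three and nine), and a reference is treated as a plain string.

```python
# Added example (not SAP code): client-side validation of SCIM attribute values against the
# identity directory's attribute rules and data type limits.
import base64
import binascii
import re
from decimal import Decimal, InvalidOperation

INT_MIN, INT_MAX = -2_147_483_648, 2_147_483_647
# yyyy-MM-ddTHH:mm:ss.SSSZ; 1-9 fractional digits accepted (assumption: the page shows 3 and 9).
_DATETIME = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,9})?Z")


def check_simple(scim_type, value):
    """Return None when `value` is valid for the SCIM data type, otherwise a short reason."""
    if scim_type in ("string", "reference"):  # a reference is validated as a string (assumption)
        if not isinstance(value, str):
            return "must be a string"
        return None if len(value.encode("utf-8")) <= 2000 else "exceeds 2000 UTF-8 bytes"
    if scim_type == "boolean":
        return None if isinstance(value, bool) else "must be true or false"
    if scim_type == "integer":
        if isinstance(value, bool) or not isinstance(value, int):
            return "must be an integer"
        return None if INT_MIN <= value <= INT_MAX else "outside the 4-byte integer range"
    if scim_type == "decimal":
        try:
            number = Decimal(str(value))
        except InvalidOperation:
            return "not a number"
        if not number.is_finite():
            return "not a number"
        digits, exponent = number.as_tuple()[1:]
        return None if len(digits) <= 38 and max(0, -exponent) <= 18 else "exceeds decimal(38,18)"
    if scim_type == "datetime":
        ok = isinstance(value, str) and _DATETIME.fullmatch(value)
        return None if ok else "not ISO 8601 UTC (yyyy-MM-ddTHH:mm:ss.SSSZ)"
    if scim_type == "binary":
        if not isinstance(value, str) or len(value) > 5000:
            return "base64 text must be a string of at most 5000 bytes"
        try:
            base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            return "not valid base64"
        return None
    return f"unknown SCIM data type {scim_type!r}"


def check_attribute(name, value, scim_type, multi_valued=False, custom=False):
    """Validate one simple attribute. Custom attributes must not be complex (no objects),
    multi-valued attributes must be arrays whose every element is valid, and single-valued
    attributes must not be arrays. Returns a list of problems, empty when the value is fine."""
    if custom and (isinstance(value, dict) or
                   (isinstance(value, list) and any(isinstance(v, dict) for v in value))):
        return [f"{name}: complex custom attributes are not supported"]
    if multi_valued:
        if not isinstance(value, list):
            return [f"{name}: multi-valued attribute must be an array"]
        problems = []
        for i, item in enumerate(value):
            reason = check_simple(scim_type, item)
            if reason:
                problems.append(f"{name}[{i}]: {reason}")
        return problems
    if isinstance(value, list):
        return [f"{name}: single-valued attribute must not be an array"]
    reason = check_simple(scim_type, value)
    return [f"{name}: {reason}"] if reason else []
```

The byte limits are checked on the UTF-8 encoding rather than on character count, which is what matters when multi-byte names are stored; an integer check that rejects Python bools is needed because bool is a subclass of int.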
Attribute Data Types

The identity directory supports the following data types of SCIM schema attributes:

Table 39:

SCIM Data Type   DB Type          Valid Values
string           varchar(255)     A string value should not exceed 2000 bytes (UTF-8 encoding).
boolean          smallint         A boolean value should be true or false.
decimal          decimal(38,18)   A decimal value should be a floating point number with precision 38 and scale 18.
integer          int (4 byte)     An integer value should be in the range of -2,147,483,648 to 2,147,483,647.
datetime         datetime         Dates are in ISO 8601 UTC timezone (yyyy-MM-ddTHH:mm:ss.SSSZ).
binary           varchar(5000)    Base64 encoded binary data. It should not exceed 5000 bytes.
reference        varchar(255)     A reference value is validated as a string value.

For more information about the SCIM schema, see System for Cross-domain Identity Management: Core Schema.

1.6.2.3 Search Users with Filtering

To search for a user resource, you need to send an HTTP GET request to the resource endpoint, in this case /Users, and append the id of the user. In addition to searching for a single user, you can search for a number of users by specifying the filter parameter in the request. When specified, only those users matching the filter expression (attribute names and values) are returned.

The identity directory SCIM REST API supports filtering by core schema attributes, enterprise schema attributes and custom schema attributes. Attribute names and attribute operators that are used in filters are case insensitive.

Supported Operators

Table 40:

Operator   Description   Behavior
eq         equal         The attribute and operator values must be identical for a match.
and        Logical and   The filter is only a match if both expressions evaluate to true.

Supported User Search Attributes

Table 41:

SCIM Schema                       Attributes
Core schema                       userName, active, emails, addresses.locality, addresses.postalCode, addresses.region, addresses.country, groups, roles
Enterprise user resource schema   employeeNumber, costCenter, organization, division, department, manager.value. All Enterprise user resource schema attributes are addressed by using the schema URI urn:ietf:params:scim:schemas:extension:enterprise:2.0:User and the attribute name, for example: urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:costCenter
Custom schema                     All custom schema defined attributes, by using the fully qualified attribute name, for example: urn:sap:cloud:scim:schemas:extension:custom:2.0:MyCustomSchema.CustomString

Request

URI for retrieving a single user:
https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Users/<id>

URI for retrieving users with filtering:
https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Users?filter=<attribute name> eq <"attribute value">

URI for retrieving users with filtering by custom schema attributes:
https://<tenant ID>.hana.ondemand.com/idds/scim/Users?filter=<fully qualified attribute name> eq <"custom attribute value">

HTTP Method: GET
Content-Type: application/scim+json
Authorization: OAuth 2.0

Request Example

GET /Users?filter=addresses.locality eq "San Francisco"

Response

Response Status and Error Codes

Table 42:

Code   Reason   Description
200    OK       Indicates that the user is retrieved.

Response Example
{
  "totalResults": 2,
  "itemsPerPage": 2,
  "startIndex": 1,
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:ListResponse"
  ],
  "Resources": [
    {
      "id": "4af5b1a1-38bd-44f8-8a21-ff108a9d126c",
      "meta": {
        "created": "2017-06-08T13:43:22.946666666Z",
        "lastModified": "2017-06-08T14:00:52.550Z",
        "location": "https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Users/4af5b1a1-38bd-44f8-8a21-ff108a9d126c",
        "version": "4bb12863-b6dd-47bf-856f-31133e0888a6",
        "resourceType": "User"
      },
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
      ],
      "userName": "Denise Smith",
      "addresses": [
        {
          "locality": "San Francisco",
          "country": "USA"
        }
      ]
    },
    {
      "id": "6c47a304-a3b1-433e-9a72-494abe69387d",
      "meta": {
        "created": "2017-06-08T13:44:29.626666666Z",
        "lastModified": "2017-06-08T14:01:52.660Z",
        "location": "https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Users/6c47a304-a3b1-433e-9a72-494abe69387d",
        "version": "3fe1d07d-d848-4b94-8318-4d746cac09b9",
        "resourceType": "User"
      },
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
      ],
      "userName": "Isabel Dupont",
      "addresses": [
        {
          "locality": "San Francisco",
          "country": "USA"
        }
      ]
    }
  ]
}

1.6.2.4 Search Users with Paging

You can search for users by specifying paging parameters in the HTTP GET request to page through a large number of resources. Depending on the specified paging parameters, there are two approaches when searching for users with paging:

● Index-Based paging as defined in the SCIM 2.0 standard - that is, page through users by specifying the startIndex parameter.
● Id-Based paging - that is, page through users by specifying the startId parameter.

When searching for users, you can combine paging with filtering.

You can use the following paging parameters in the request:

Paging Parameters

Table 43:

Approach             Parameter    Value                                    Description
Index-Based paging   startIndex   Default value: 1                         The 1-based index of the first query result, for example: 1. A value less than 1 is interpreted as 1.
                     count        Default value: 100                       Specifies the required maximum number of query results per page, for example: 100. A value of 0 indicates that no resource results are to be returned except for totalResults. A negative value is interpreted as 0.
Id-Based paging      startId      Default value: None                      The first entry of the query result. If no value is specified, Index-based paging is used. If the value initial is specified, the initial user is returned as the first entry of the query result. If a <user id> value is specified, the user with this user id is returned as the first entry of the query result.
                                  Possible values: initial, <user id>
                     count        Default value: 100                       Specifies the required maximum number of query results per page, for example: 100. A value of 0 indicates that no resource results are to be returned except for totalResults. A negative value is interpreted as 0.

Depending on the paging approach you choose, the following paging attributes are returned in the response:

Paging Attributes

Table 44:

Approach             Attribute      Description
Index-Based paging   totalResults   Specifies the total number of results matching the query, for example: 10.
                     itemsPerPage   Specifies the number of query results returned in a query response page, for example: 3.
                     startIndex     The 1-based index of the first result in the current set of query results, for example: 1.
Id-Based paging      totalResults   Specifies the total number of results matching the query, for example: 10.
                     itemsPerPage   Specifies the number of query results returned in a query response page, for example: 3.
                     startId        Specifies the first entry of the query result, for example: initial or <user id>.
                     nextId         Specifies the next user id (that is, the id of the first user on the next page). For example: <user id> or <end>. The <end> value indicates that the last user of the total number of users matching the query is returned.

Request

URI for retrieving users with paging:
https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Users?startId=<value>&count=<value>

URI for retrieving users with paging and filtering:
https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Users?startId=<value>&count=<value>&filter=<attribute name> eq <"attribute value">

HTTP Method: GET
Content-Type: application/scim+json
Authorization: OAuth 2.0

Request Example

GET /Users?startId=initial&count=3&filter=userName eq "Hristo"

In this example, to retrieve 3 users starting with the initial one as the first query result and matching a filter expression (attribute names and values), set the startId to initial, the count to 3 and the filter to userName equal to "Hristo".

Response

Response Status and Error Codes

Table 45:

Code   Reason   Description
200    OK       Indicates that the users are retrieved.

Response Example
{
  "Resources": [
    {
      "id": "00896434-aa00-40a4-b012-a316e2a067fa",
      "meta": {
        "created": "2017-07-05T07:53:39.666666666Z",
        "lastModified": "2017-07-05T07:53:39.666666666Z",
        "location": "https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Users/00896434-aa00-40a4-b012-a316e2a067fa",
        "version": "93cb00c8-ec02-4ca4-8968-cc3794613dda",
        "resourceType": "User"
      },
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
      ],
      "userName": "Hristo",
      "externalId": "Hristo",
      "displayName": "Hristo",
      "name": {
        "formatted": "Mr. Test Borisov",
        "familyName": "Borisov",
        "givenName": "Hristo"
      },
      "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
        "employeeNumber": "701984",
        "costCenter": "4130",
        "organization": "IdDStore",
        "division": "IdDS",
        "department": "Development"
      }
    },
    {
      "id": "26ed19d4-d68c-427f-abb8-4cb4a7f37f54",
      "meta": {
        "created": "2017-07-05T07:53:44.046666666Z",
        "lastModified": "2017-07-05T07:53:44.046666666Z",
        "location": "https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Users/26ed19d4-d68c-427f-abb8-4cb4a7f37f54",
        "version": "d7707201-143d-4542-a75b-365618dba464",
        "resourceType": "User"
      },
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
      ],
      "userName": "Hristo",
      "externalId": "Hristo",
      "displayName": "Hristo",
      "name": {
        "formatted": "Mr. Test Borisov",
        "familyName": "Borisov",
        "givenName": "Hristo"
      },
      "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
        "employeeNumber": "701984",
        "costCenter": "4130",
        "organization": "IdDStore",
        "division": "IdDS",
        "department": "Development"
      }
    },
    {
      "id": "097bfceb-b67a-4079-bdaf-27f5efd8949e",
      "meta": {
        "created": "2017-07-05T07:55:26.833333333Z",
        "lastModified": "2017-07-05T07:55:26.833333333Z",
        "location": "https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Users/097bfceb-b67a-4079-bdaf-27f5efd8949e",
        "version": "9f648fe3-63a1-4d4e-9741-399795dd63a7",
        "resourceType": "User"
      },
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
      ],
      "userName": "Hristo",
      "externalId": "Hristo",
      "displayName": "Hristo",
      "name": {
        "formatted": "Mr. Test Borisov",
        "familyName": "Borisov",
        "givenName": "Hristo"
      },
      "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
        "employeeNumber": "701984",
        "costCenter": "4130",
        "organization": "IdDStore",
        "division": "IdDS",
        "department": "Development"
      }
    }
  ],
  "startId": "initial",
  "nextId": "464cba30-0479-4c4c-b7f9-dba3a29c3098",
  "itemsPerPage": 3,
  "totalResults": 12,
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:ListResponse"
  ]
}

1.6.2.5 Create User

To create a user resource, you need to send an HTTP POST request to the resource endpoint, in this case /Users. When creating a user, the schemas and userName attributes are required.

Note
A user is only created with an existing schema.

Request

URI: https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Users
HTTP Method: POST
Content-Type: application/scim+json
Authorization: OAuth 2.0

Request Example
{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
    "urn:sap:cloud:scim:schemas:extension:custom:2.0:MyCustomSchema"
  ],
  "userName": "jarmstrong",
  "displayName": "Julie Armstrong",
  "name": {
    "formatted": "Ms. Julie Jane Armstrong",
    "familyName": "Armstrong",
    "givenName": "Julie",
    "middleName": "Jane"
  },
  "userType": "Employee",
  "locale": "en-US",
  "preferredLanguage": "en-US",
  "addresses": [
    {
      "locality": "New York",
      "country": "USA"
    }
  ],
  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
    "employeeNumber": "751988",
    "costCenter": "4130",
    "organization": "Manufacturing company",
    "division": "Luxury vehicle",
    "department": "Marketing",
    "manager": {
      "value": "d478473e-af5f-45dc-977c-8447313216dc",
      "displayName": "John Smith"
    }
  },
  "urn:sap:cloud:scim:schemas:extension:custom:2.0:MyCustomSchema": {
    "CustomString": [
      "MyValue"
    ]
  }
}

Response

Response Status and Error Codes

Table 46:

Code   Reason    Description
201    Created   Indicates that the user is created.

Response Example
{
  "id": "c76d2fce-5759-45c0-8e09-ffd3e59dcabe",
  "meta": {
    "created": "2017-06-15T10:04:30.204Z",
    "lastModified": "2017-06-15T10:04:30.204Z",
    "location": "https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Users/c76d2fce-5759-45c0-8e09-ffd3e59dcabe",
    "version": "90e8e05f-ffde-4f11-bfbc-b683453b6148",
    "resourceType": "User"
  },
  "schemas": [
    "urn:sap:cloud:scim:schemas:extension:custom:2.0:MyCustomSchema",
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
  ],
  "userName": "jarmstrong",
  "displayName": "Julie Armstrong",
  "name": {
    "formatted": "Ms. Julie Jane Armstrong",
    "familyName": "Armstrong",
    "givenName": "Julie",
    "middleName": "Jane"
  },
  "userType": "Employee",
  "locale": "en-US",
  "preferredLanguage": "en-US",
  "addresses": [
    {
      "primary": false,
      "locality": "New York",
      "country": "USA"
    }
  ],
  "urn:sap:cloud:scim:schemas:extension:custom:2.0:MyCustomSchema": {
    "CustomString": [
      "MyValue"
    ]
  },
  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
    "employeeNumber": "751988",
    "costCenter": "4130",
    "organization": "Manufacturing company",
    "division": "Luxury vehicle",
    "department": "Marketing",
    "manager": {
      "value": "d478473e-af5f-45dc-977c-8447313216dc",
      "displayName": "John Smith"
    }
  }
}

1.6.2.6 Update User

To update a user resource, you need to send an HTTP PUT request to the resource endpoint, in this case /Users, and append the id of the user. The HTTP PUT request is used to replace a resource's attributes.

Note
If you update the displayName attribute of a user that is referenced by another user (for example, a manager user is referenced by an employee user), note that the update is asynchronous.

Request

URI: https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Users/<id>
HTTP Method: PUT
Content-Type: application/scim+json
Authorization: OAuth 2.0

Request Example

In this example, the familyName, costCenter and department attributes of a user are replaced (updated), the middleName attribute is removed, and a new streetAddress attribute is added.

{
  "id": "c76d2fce-5759-45c0-8e09-ffd3e59dcabe",
  "meta": {
    "created": "2017-06-15T10:04:30.204Z",
    "lastModified": "2017-06-15T10:04:30.204Z",
    "location": "https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Users/c76d2fce-5759-45c0-8e09-ffd3e59dcabe",
    "version": "90e8e05f-ffde-4f11-bfbc-b683453b6148",
    "resourceType": "User"
  },
  "schemas": [
    "urn:sap:cloud:scim:schemas:extension:custom:2.0:MyCustomSchema",
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
  ],
  "userName": "jarmstrong",
  "displayName": "Julie Armstrong",
  "name": {
    "formatted": "Ms. Julie Jane Armstrong",
    "familyName": "Brown",
    "givenName": "Julie"
  },
  "userType": "Employee",
  "locale": "en-US",
  "preferredLanguage": "en-US",
  "addresses": [
    {
      "streetAddress": "51 MyStreet",
      "primary": false,
      "locality": "New York",
      "country": "USA"
    }
  ],
  "urn:sap:cloud:scim:schemas:extension:custom:2.0:MyCustomSchema": {
    "CustomString": [
      "MyValue"
    ]
  },
  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
    "employeeNumber": "751988",
    "costCenter": "6100",
    "organization": "Manufacturing company",
    "division": "Luxury vehicle",
    "department": "Customer Support",
    "manager": {
      "value": "d478473e-af5f-45dc-977c-8447313216dc",
      "displayName": "John Smith"
    }
  }
}

Response

Response Status and Error Codes

Table 47:

Code   Reason   Description
200    OK       Indicates that the user is updated.

Response Example
{
  "id": "c76d2fce-5759-45c0-8e09-ffd3e59dcabe",
  "meta": {
    "created": "2017-06-15T10:04:30.204Z",
    "lastModified": "2017-06-15T10:17:05.071Z",
    "location": "https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Users/c76d2fce-5759-45c0-8e09-ffd3e59dcabe",
    "version": "30fb5e69-f2db-4525-9aaa-cfa978b059b5",
    "resourceType": "User"
  },
  "schemas": [
    "urn:sap:cloud:scim:schemas:extension:custom:2.0:MyCustomSchema",
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
  ],
  "userName": "jarmstrong",
  "displayName": "Julie Armstrong",
  "name": {
    "formatted": "Ms. Julie Jane Armstrong",
    "familyName": "Brown",
    "givenName": "Julie"
  },
  "userType": "Employee",
  "locale": "en-US",
  "preferredLanguage": "en-US",
  "addresses": [
    {
      "primary": false,
      "streetAddress": "51 MyStreet",
      "locality": "New York",
      "country": "USA"
    }
  ],
  "urn:sap:cloud:scim:schemas:extension:custom:2.0:MyCustomSchema": {
    "CustomString": [
      "MyValue"
    ]
  },
  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
    "employeeNumber": "751988",
    "costCenter": "6100",
    "organization": "Manufacturing company",
    "division": "Luxury vehicle",
    "department": "Customer Support",
    "manager": {
      "value": "d478473e-af5f-45dc-977c-8447313216dc",
      "displayName": "John Smith"
    }
  }
}
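The /Users semantics spread over the Search Users with Filtering, Search Users with Paging, Create User and Update User sections (and the Delete User and Search Groups with Paging sections that follow, which use the same error and paging shapes) are easier to check as one working model. The following is an added example, not SAP code: a Python in-memory stand-in for the identity directory's user endpoint plus the client loop that walks id-based pages. It implements the eq/and filter grammar with case-insensitive attribute names, sub-attribute paths such as addresses.locality and fully qualified enterprise or custom attribute names; id-based paging with startId=initial, count and a nextId that ends with "end"; creation that requires schemas and userName against known schemas; PUT as full replacement, so an attribute left out of the body (middleName in the example above) disappears; and the 404 Error resource returned once a user is gone. Nothing here talks to a real tenant. Filter operators beyond eq and and, the paging order (insertion order here), and the 400 status for a malformed create are assumptions, not something the page states.

```python
# Added example (not SAP code): in-memory stand-in for the identity directory /Users endpoint.
import re
import uuid

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"
_TERM = re.compile(r'([\w.:]+)\s+eq\s+"([^"]*)"', re.IGNORECASE)


def parse_filter(expr):
    """`a eq "x" and b.c eq "y"` -> [("a", "x"), ("b.c", "y")]. Names are lower-cased because
    attribute names and operators are case-insensitive; only eq and and are supported here."""
    terms = []
    for part in re.split(r"\s+and\s+", expr.strip(), flags=re.IGNORECASE):
        match = _TERM.fullmatch(part.strip())
        if not match:
            raise ValueError("unsupported filter term: " + part)
        terms.append((match.group(1).lower(), match.group(2)))
    return terms


def values_at(obj, path):
    """Yield every value reachable by `path`; multi-valued complex attributes fan out. A key matches
    when it equals the remaining path or is a prefix followed by '.' or ':', which resolves both
    `addresses.locality` and `urn:...:enterprise:2.0:User:costCenter`."""
    if isinstance(obj, list):
        for item in obj:
            yield from values_at(item, path)
    elif isinstance(obj, dict):
        for key, val in obj.items():
            k = key.lower()
            if path == k:
                yield val
            elif path.startswith(k) and path[len(k)] in ".:":
                yield from values_at(val, path[len(k) + 1:])


def matches(resource, terms):
    return all(any(str(v) == want for v in values_at(resource, path)) for path, want in terms)


def error(status, detail):
    return {"schemas": [ERROR], "status": str(status), "detail": detail}


class UsersEndpoint:
    def __init__(self, known_schemas=(CORE_USER, ENTERPRISE_USER)):
        self.known = set(known_schemas)
        self.users = {}  # id -> resource; insertion order is the paging order (assumption)

    def create(self, body):
        """POST: schemas and userName are required; every listed schema must already exist."""
        if not body.get("schemas") or not body.get("userName"):
            return 400, error(400, "schemas and userName are required")
        unknown = set(body["schemas"]) - self.known
        if unknown:
            return 400, error(400, "unknown schema: " + sorted(unknown)[0])
        resource = dict(body, id=str(uuid.uuid4()))
        self.users[resource["id"]] = resource
        return 201, resource

    def get(self, uid):
        return (200, self.users[uid]) if uid in self.users else (404, error(404, f"User {uid} not found"))

    def replace(self, uid, body):
        """PUT replaces the whole resource: attributes absent from the body are removed."""
        if uid not in self.users:
            return 404, error(404, f"User {uid} not found")
        self.users[uid] = dict(body, id=uid)
        return 200, self.users[uid]

    def delete(self, uid):
        return (204, None) if self.users.pop(uid, None) else (404, error(404, f"User {uid} not found"))

    def list(self, start_id="initial", count=100, filter_expr=None):
        """Id-based paging: startId is `initial` or a user id; nextId is the next page's first id or `end`."""
        hits = [u for u in self.users.values() if matches(u, parse_filter(filter_expr) if filter_expr else [])]
        count, start = max(count, 0), 0  # a negative count is interpreted as 0
        if start_id != "initial":
            ids = [u["id"] for u in hits]
            if start_id not in ids:
                return 404, error(404, f"User {start_id} not found")
            start = ids.index(start_id)
        page = hits[start:start + count]
        next_id = hits[start + count]["id"] if start + count < len(hits) else "end"
        return 200, {"schemas": [LIST_RESPONSE], "totalResults": len(hits), "itemsPerPage": len(page),
                     "startId": start_id, "nextId": next_id, "Resources": page}


def fetch_all(endpoint, filter_expr=None, count=2):
    """Client side: follow nextId page by page until the server answers `end`."""
    start_id, collected = "initial", []
    while True:
        status, body = endpoint.list(start_id, count, filter_expr)
        if status != 200:
            raise RuntimeError(body["detail"])
        collected.extend(body["Resources"])
        if body["nextId"] == "end":
            return collected
        start_id = body["nextId"]
```

Splitting the filter on the word "and" is deliberate simplification: a quoted value containing " and " would be mis-parsed, which is one reason a real client should build filters from the grammar rather than by string concatenation. The client loop treats nextId as opaque and stops only on the literal "end", matching the response shape the page documents for both users and groups.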
When you try to retrieve the deleted user with HTTP GET request.2.6.0:Error" ] } SAP Cloud Platform Identity Provisioning Service SAP Cloud Platform Identity Provisioning Service PUBLIC 189 .7 Delete User To delete a user resource.0 Request Example DELETE /Users/e5817e9d-03b4-4336-8d9a-6b5fe3e16e1d Response Response Status and Error Codes Table 48: Code Reason Description 204 No Content Indicates that the user is deleted.com/idds/scim/Users/<id> HTTP Method: DELETE Content-Type: application/scim+json Authorization: OAuth 2. Note If you delete a user that is a member of a group or is referenced by another user (for example. you get status: 404 Not Found. "detail": "User e5817e9d-03b4-4336-8d9a-6b5fe3e16e1d not found".1. you need to send an HTTP DELETE request to the resource endpoint.ondemand. for example: 3. for example 10.that is.0 standard . for example 10. Depending on the specified paging parameters. itemsPerPage Specifies the number of query results returned in a query re­ sponse page. count Default value: 100 Specifies the required maximum number of query results per page. ● Id-Based paging . for example: 100. the group with this group id is returned as the first entry of the query result. there are two approaches when searching for groups with paging: ● Index-Based paging as defined in the SCIM 2. A negative value is interpreted as 0. SAP Cloud Platform Identity Provisioning Service 190 PUBLIC SAP Cloud Platform Identity Provisioning Service . You can use the following paging parameters in the request: Paging Parameters Table 49: Approach Parameter Value Description Index-Based pag­ startIndex Default value: 1 The 1-based index of the first query result. A value of 0 indicates that no resource results are to be returned except for totalResults. If <group id> value is specified. the Index-based paging is used.1. page through groups by specifying startIndex parameter. the initial group is returned as ● <group id> the first entry of the query result.6. 
the following paging attributes are returned in the response: Paging Attributes Table 50: Approach Attribute Description Index-Based paging totalResults Specifies the total number of results matching the query.8 Search Groups with Paging You can search for groups by specifying paging parameters in the HTTP GET request to page through large number of resources. Depending on the paging approach you choose. A value less than 1 ing is interpreted as 1. A negative value is interpreted as 0.2. page through groups by specifying startId parameter. A value of 0 indicates that no resource results are to be returned except for totalResults. Possible values: If no value is specified. Id-Based paging startId Default value: None The first entry of the query result.that is. ● initial If initial value is specified. count Default value: 100 Specifies the required maximum number of query results per page. for example: 3. nextId Specifies the next group id (that is. set the startId to <group id> and the count to 3.hana.ondemand. the id of the first group on the next page). to retrieve 3 groups starting with a <group id> as the first query result. For example: <group id> or <end>. for example: 100. you retrieve only 2 groups in the response. for example: initial or <group id>. Response Response Status and Error Codes Table 51: Code Reason Description 200 OK Indicates that the groups are retrieved. itemsPerPage Specifies the number of query results returned in a query re­ sponse page.com/idds/scim/Groups?startId=<value>&count=<value> HTTP Method: GET Content-Type: application/scim+json Authorization: OAuth 2. Approach Attribute Description startIndex The 1-based index of the first result in the current set of query results. startId Specifies the first entry of the query result. Id-Based paging totalResults Specifies the total number of results matching the query. SAP Cloud Platform Identity Provisioning Service SAP Cloud Platform Identity Provisioning Service PUBLIC 191 . 
for example: 1. Since the <group id> is the id of the 4th group out of a total of 5 groups. The <end> value indicates the last group of the total number of groups matching the query is returned. Request URI for retrieving users with paging: https://<application name><provider subaccount>-<consumer subaccount>.0 Request Example GET /Groups?startId=a9653e66-bc3d-47bb-9d3b-7bdf0aa40633&count=3 In this example. hana. "location": "https://<application name><provider subaccount>- <consumer subaccount>.973333333Z". "lastModified": "2017-07-07T09:28:16.hana.hana.866666666Z".ondemand. "members": [ { "value": "e11970fb-95be-4c3d-935c-a9d2b761b370".866666666Z". "meta": { "created": "2017-07-07T09:28:16. "type": "USER" } ] }. "schemas": [ "urn:ietf:params:scim:schemas:core:2. "display": "Hristo". "resourceType": "Group" }.Response Example { "Resources": [ { "id": "a9653e66-bc3d-47bb-9d3b-7bdf0aa40633". "version": "813d7ff7-aa5c-4648-94b2-2125a0164c1a".973333333Z". "displayName": "DemoGroup2" } ].0:Group" ]. "nextId": "end".ondemand.com/idds/scim/Groups/a9653e66- bc3d-47bb-9d3b-7bdf0aa40633". "$ref": "https://<application name><provider subaccount>- <consumer subaccount>.com/idds/scim/Users/e11970fb-95be-4c3d-935c- a9d2b761b370".com/idds/scim/Groups/ d4b00b11-9cdb-46fa-9b77-6cd8c170454f".0:ListResponse" ] } SAP Cloud Platform Identity Provisioning Service 192 PUBLIC SAP Cloud Platform Identity Provisioning Service .0:Group" ]. "lastModified": "2017-07-07T09:27:51. "schemas": [ "urn:ietf:params:scim:api:messages:2. "totalResults": 5. "meta": { "created": "2017-07-07T09:27:51. "schemas": [ "urn:ietf:params:scim:schemas:core:2. "version": "ed2dc84f-cce4-4110-97b1-d60a46b7de0b". "displayName": "DemoGroup3". "location": "https://<application name><provider subaccount>- <consumer subaccount>.ondemand. "itemsPerPage": 2. "resourceType": "Group" }. "startId": "a9653e66-bc3d-47bb-9d3b-7bdf0aa40633". { "id": "d4b00b11-9cdb-46fa-9b77-6cd8c170454f". 1.0:Group"]. 
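The following is an added example, not code from the SAP documentation: a client-side iterator that walks the whole /Groups collection with the id-based paging described above, following nextId until the server answers end. The fetch function stands in for the HTTPS GET; here it is a constructed in-memory directory with five group ids (the last two are the ids from the response example above, the first three are made up), so the code runs offline. Besides the plain loop it adds the two guards a practitioner wants: a cursor that repeats raises instead of paging forever, and count=0 is rejected because it only returns totalResults.

```python
"""Page through the identity directory's /Groups endpoint with id-based paging.

Added example; it is not code from the SAP documentation. It follows the
startId/count request parameters and the startId, nextId, itemsPerPage and
totalResults response attributes described above. Instead of calling the
HTTPS endpoint it uses a constructed in-memory stand-in, so it runs offline.
"""
from typing import Callable, Dict, Iterator, List, Set

END_MARKER = "end"      # nextId value once the last matching group has been returned
INITIAL = "initial"     # startId value that starts from the first group

# A fetch function stands in for GET /Groups?startId=...&count=... and
# returns the parsed ListResponse body.
Fetch = Callable[[Dict[str, str]], dict]


def iter_groups(fetch: Fetch, count: int = 100, start_id: str = INITIAL) -> Iterator[dict]:
    """Yield every group from start_id onwards, following nextId until "end".

    Two guards a plain loop lacks: a cursor that repeats (a stale or
    non-advancing nextId) raises instead of paging forever, and an empty
    page ends the iteration even if nextId is missing.
    """
    if count < 1:
        raise ValueError("count must be at least 1; count=0 returns only totalResults")
    seen_cursors: Set[str] = set()
    cursor = start_id
    while True:
        if cursor in seen_cursors:
            raise RuntimeError(f"paging did not advance: startId {cursor!r} repeated")
        seen_cursors.add(cursor)
        page = fetch({"startId": cursor, "count": str(count)})
        resources = page.get("Resources", [])
        yield from resources
        next_id = page.get("nextId")
        if not resources or next_id is None or next_id == END_MARKER:
            return
        cursor = next_id


def collect_ids(fetch: Fetch, count: int, start_id: str = INITIAL) -> List[str]:
    """All group ids reachable from start_id, in server order."""
    return [group["id"] for group in iter_groups(fetch, count=count, start_id=start_id)]


# Constructed sample: five group ids. The first three are made up; the last
# two are the ids that appear in the documentation's response example.
SAMPLE_GROUP_IDS = [
    "0e1f2a3b-0000-4000-8000-000000000001",
    "0e1f2a3b-0000-4000-8000-000000000002",
    "0e1f2a3b-0000-4000-8000-000000000003",
    "a9653e66-bc3d-47bb-9d3b-7bdf0aa40633",
    "d4b00b11-9cdb-46fa-9b77-6cd8c170454f",
]


def make_fake_directory(group_ids: List[str]) -> Fetch:
    """Return a fetch() that answers like the documented endpoint over a fixed id list."""
    def fetch(params: Dict[str, str]) -> dict:
        count = int(params.get("count", "100"))
        start = params.get("startId", INITIAL)
        first = 0 if start == INITIAL else group_ids.index(start)
        window = group_ids[first:first + count]
        following = first + count
        return {
            "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
            "totalResults": len(group_ids),
            "itemsPerPage": len(window),
            "startId": start,
            "nextId": group_ids[following] if following < len(group_ids) else END_MARKER,
            "Resources": [{"id": gid, "displayName": f"DemoGroup-{gid[:4]}"} for gid in window],
        }
    return fetch


if __name__ == "__main__":
    directory = make_fake_directory(SAMPLE_GROUP_IDS)
    # Mirrors the documented request: start at the 4th of 5 groups with count=3 -> 2 groups.
    print(collect_ids(directory, count=3, start_id=SAMPLE_GROUP_IDS[3]))
    print(collect_ids(directory, count=2))   # three pages, stops when nextId is "end"
```

Against the real endpoint, fetch would perform the GET with the Bearer token described under Security and return response.json(); the iterator itself does not change.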
1.6.2.9 Create Group

To create a group resource, send an HTTP POST request to the resource endpoint, in this case /Groups. When creating a group, the schemas and displayName attributes are required. A group can contain users or other groups. If you add members to the group, the value attribute of each member is required, while all other attributes of the member are optional.

Request URI: https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Groups
HTTP Method: POST
Content-Type: application/scim+json
Authorization: OAuth 2.0

Request Example

  {
    "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:Group" ],
    "displayName": "TestGroup",
    "members": [
      {
        "value": "eff4f49c-aeb4-4203-8f6a-979ecf9d2320",
        "display": "John Smith"
      },
      {
        "value": "d478473e-af5f-45dc-977c-8447313216dc",
        "display": "Julie Armstrong"
      },
      {
        "value": "a2f5518f-5dd5-48c2-9b1a-28b88b152885",
        "display": "MyFavoriteGroup"
      }
    ]
  }

Response

Response Status and Error Codes

Table 52:
  Code  Reason   Description
  201   Created  Indicates that the group is created.

Response Example

  {
    "id": "5a028516-0538-4af3-b69d-18be92decef9",
    "meta": {
      "created": "2017-06-08T12:40:10.143Z",
      "lastModified": "2017-06-08T12:40:10.143Z",
      "location": "https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Groups/5a028516-0538-4af3-b69d-18be92decef9",
      "version": "529410f3-dee0-4721-991d-6a4b2e145b8b",
      "resourceType": "Group"
    },
    "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:Group" ],
    "displayName": "TestGroup",
    "members": [
      {
        "value": "eff4f49c-aeb4-4203-8f6a-979ecf9d2320",
        "display": "John Smith"
      },
      {
        "value": "d478473e-af5f-45dc-977c-8447313216dc",
        "display": "Julie Armstrong"
      },
      {
        "value": "a2f5518f-5dd5-48c2-9b1a-28b88b152885",
        "display": "MyFavoriteGroup"
      }
    ]
  }

1.6.2.10 Update Group

To update a group resource, send an HTTP PUT request to the resource endpoint, in this case /Groups, and append the id of the group. The HTTP PUT request replaces the resource's attributes: members that are omitted from the request body are removed from the group, so send the complete member list, not only the additions.

Note
If you update group members (users or other groups) or the displayName attribute of group members, note that in both cases the groups are updated asynchronously.

Request URI: https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Groups/<id>
HTTP Method: PUT
Content-Type: application/scim+json
Authorization: OAuth 2.0

Request Example

In this example, a group is updated with a new group member (the user Donna Moore).

  {
    "id": "5a028516-0538-4af3-b69d-18be92decef9",
    "meta": {
      "created": "2017-06-08T12:40:10.143333333Z",
      "lastModified": "2017-06-08T12:40:10.143333333Z",
      "location": "https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Groups/5a028516-0538-4af3-b69d-18be92decef9",
      "version": "529410f3-dee0-4721-991d-6a4b2e145b8b",
      "resourceType": "Group"
    },
    "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:Group" ],
    "displayName": "TestGroup",
    "members": [
      {
        "value": "d478473e-af5f-45dc-977c-8447313216dc",
        "$ref": "https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Users/d478473e-af5f-45dc-977c-8447313216dc",
        "display": "Julie Armstrong",
        "type": "User"
      },
      {
        "value": "eff4f49c-aeb4-4203-8f6a-979ecf9d2320",
        "$ref": "https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Users/eff4f49c-aeb4-4203-8f6a-979ecf9d2320",
        "display": "John Smith",
        "type": "User"
      },
      {
        "value": "a2f5518f-5dd5-48c2-9b1a-28b88b152885",
        "$ref": "https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Groups/a2f5518f-5dd5-48c2-9b1a-28b88b152885",
        "display": "MyFavoriteGroup",
        "type": "Group"
      },
      {
        "value": "895c338a-8a75-4650-b56b-d4eec9b77dc0",
        "$ref": "https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Users/895c338a-8a75-4650-b56b-d4eec9b77dc0",
        "display": "Donna Moore",
        "type": "User"
      }
    ]
  }

Response

Response Status and Error Codes

Table 53:
  Code  Reason   Description
  200   Updated  Indicates that the group is updated.

Response Example

  {
    "id": "5a028516-0538-4af3-b69d-18be92decef9",
    "meta": {
      "created": "2017-06-08T12:40:10.143333333Z",
      "lastModified": "2017-06-08T12:45:10.688Z",
      "location": "https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Groups/5a028516-0538-4af3-b69d-18be92decef9",
      "version": "c81d2038-f2e2-4b2f-93d6-ac7c5a7b5ae9",
      "resourceType": "Group"
    },
    "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:Group" ],
    "displayName": "TestGroup",
    "members": [
      {
        "value": "d478473e-af5f-45dc-977c-8447313216dc",
        "$ref": "https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Users/d478473e-af5f-45dc-977c-8447313216dc",
        "display": "Julie Armstrong",
        "type": "User"
      },
      {
        "value": "eff4f49c-aeb4-4203-8f6a-979ecf9d2320",
        "$ref": "https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Users/eff4f49c-aeb4-4203-8f6a-979ecf9d2320",
        "display": "John Smith",
        "type": "User"
      },
      {
        "value": "a2f5518f-5dd5-48c2-9b1a-28b88b152885",
        "$ref": "https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Groups/a2f5518f-5dd5-48c2-9b1a-28b88b152885",
        "display": "MyFavoriteGroup",
        "type": "Group"
      },
      {
        "value": "895c338a-8a75-4650-b56b-d4eec9b77dc0",
        "$ref": "https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Users/895c338a-8a75-4650-b56b-d4eec9b77dc0",
        "display": "Donna Moore",
        "type": "User"
      }
    ]
  }

1.6.2.11 Delete Group

To delete a group resource, send an HTTP DELETE request to the resource endpoint, in this case /Groups, and append the id of the group.

Note
If you delete a nested group (a group that is a member of another group), note that the parent group is updated asynchronously: for a short time after the DELETE, a GET on the parent can still list the deleted group as a member.

Request URI: https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Groups/<id>
HTTP Method: DELETE
Content-Type: application/scim+json
Authorization: OAuth 2.0

Request Example

  DELETE /Groups/82af6531-1491-4438-a8ee-68cc9ff19576

Response

Response Status and Error Codes

Table 54:
  Code  Reason      Description
  204   No Content  Indicates that the group is deleted.

When you try to retrieve the deleted group with an HTTP GET request, you get status 404 Not Found.

Response Example

  {
    "status": "404",
    "detail": "Group 82af6531-1491-4438-a8ee-68cc9ff19576 not found",
    "schemas": [ "urn:ietf:params:scim:api:messages:2.0:Error" ]
  }

1.6.2.12 Create Custom Schema

To create a custom schema, send an HTTP POST request to the resource endpoint, in this case /Schemas. You can create up to 20 custom schemas, each of them containing a maximum of 20 custom attributes based on the supported data types (string, boolean, integer, decimal, datetime, binary and reference, as in the example below). Complex custom attributes are not supported. The id of the custom schema and the names of the custom attributes must not exceed 20 characters (alphanumeric and underscore), not counting the prefix of the custom schema, urn:sap:cloud:scim:schemas:extension:custom:2.0:.

Request URI: https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Schemas
HTTP Method: POST
Content-Type: application/scim+json
Authorization: OAuth 2.0

Request Example

  {
    "id": "urn:sap:cloud:scim:schemas:extension:custom:2.0:MyCustomSchema",
    "name": "MyCustomSchema",
    "description": "MyCustomSchema description!",
    "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:Schema" ],
    "attributes": [
      {
        "name": "CustomString",
        "type": "string",
        "multiValued": false,
        "description": "A human-readable name. REQUIRED.",
        "required": false,
        "caseExact": false,
        "mutability": "readWrite",
        "returned": "default",
        "uniqueness": "none"
      },
      {
        "name": "CustomBoolean",
        "type": "boolean",
        "multiValued": false,
        "description": "Super secret internal system id",
        "required": false,
        "caseExact": true,
        "mutability": "readWrite",
        "returned": "default",
        "uniqueness": "server"
      },
      {
        "name": "CustomInteger",
        "type": "integer",
        "multiValued": false,
        "description": "Super secret internal system id",
        "required": false,
        "caseExact": true,
        "mutability": "readWrite",
        "returned": "default",
        "uniqueness": "server"
      },
      {
        "name": "CustomDecimal",
        "type": "decimal",
        "multiValued": false,
        "description": "Super secret internal system id",
        "required": false,
        "caseExact": true,
        "mutability": "readWrite",
        "returned": "default",
        "uniqueness": "server"
      },
      {
        "name": "CustomDatetime",
        "type": "datetime",
        "multiValued": false,
        "description": "Super secret internal system id",
        "required": false,
        "caseExact": true,
        "mutability": "readWrite",
        "returned": "default",
        "uniqueness": "server"
      },
      {
        "name": "CustomBinary",
        "type": "binary",
        "multiValued": false,
        "description": "Super secret internal system id",
        "required": false,
        "caseExact": true,
        "mutability": "readWrite",
        "returned": "default",
        "uniqueness": "server"
      },
      {
        "name": "CustomReference",
        "type": "reference",
        "referenceTypes": [ "external", "uri" ],
        "multiValued": false,
        "description": "Super secret internal system id",
        "required": false,
        "caseExact": true,
        "mutability": "readWrite",
        "returned": "default",
        "uniqueness": "server"
      }
    ]
  }

Response

Response Status and Error Codes

Table 55:
  Code  Reason   Description
  201   Created  Indicates that the custom schema is created.

Response Example

  {
    "id": "urn:sap:cloud:scim:schemas:extension:custom:2.0:MyCustomSchema",
    "meta": {
      "created": "2017-06-07T13:02:39.030Z",
      "lastModified": "2017-06-07T13:02:39.030Z",
      "location": "https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Schemas/urn:sap:cloud:scim:schemas:extension:custom:2.0:MyCustomSchema",
      "version": "84dd1ae5-f031-48f7-9d96-f53928401f2e",
      "resourceType": "Schema"
    },
    "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:Schema" ],
    "name": "MyCustomSchema",
    "description": "MyCustomSchema description!",
    "attributes": [
      {
        "name": "CustomString",
        "type": "string",
        "multiValued": false,
        "description": "A human-readable name. REQUIRED.",
        "required": false,
        "caseExact": false,
        "mutability": "readWrite",
        "returned": "default",
        "uniqueness": "none"
      },
      {
        "name": "CustomBoolean",
        "type": "boolean",
        "multiValued": false,
        "description": "Super secret internal system id",
        "required": false,
        "caseExact": true,
        "mutability": "readWrite",
        "returned": "default",
        "uniqueness": "server"
      },
      {
        "name": "CustomInteger",
        "type": "integer",
        "multiValued": false,
        "description": "Super secret internal system id",
        "required": false,
        "caseExact": true,
        "mutability": "readWrite",
        "returned": "default",
        "uniqueness": "server"
      },
      {
        "name": "CustomDecimal",
        "type": "decimal",
        "multiValued": false,
        "description": "Super secret internal system id",
        "required": false,
        "caseExact": true,
        "mutability": "readWrite",
        "returned": "default",
        "uniqueness": "server"
      },
      {
        "name": "CustomDatetime",
        "type": "datetime",
        "multiValued": false,
        "description": "Super secret internal system id",
        "required": false,
        "caseExact": true,
        "mutability": "readWrite",
        "returned": "default",
        "uniqueness": "server"
      },
      {
        "name": "CustomBinary",
        "type": "binary",
        "multiValued": false,
        "description": "Super secret internal system id",
        "required": false,
        "caseExact": true,
        "mutability": "readWrite",
        "returned": "default",
        "uniqueness": "server"
      },
      {
        "name": "CustomReference",
        "type": "reference",
        "referenceTypes": [ "external", "uri" ],
        "multiValued": false,
        "description": "Super secret internal system id",
        "required": false,
        "caseExact": true,
        "mutability": "readWrite",
        "returned": "default",
        "uniqueness": "server"
      }
    ]
  }
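The limits stated for custom schemas (20 schemas per tenant, 20 attributes per schema, 20-character alphanumeric/underscore names counted without the prefix, no complex attributes) are easy to violate from a provisioning script and only surface as a rejected POST. The following added example, which is not code from the SAP documentation, checks a request body against those rules before it is sent. The set of supported simple types is taken from the request example above; the case-insensitive duplicate check for attribute names follows SCIM (RFC 7643) rather than this page, and the sample body is constructed after the MyCustomSchema example.

```python
"""Client-side validation of a custom schema POST body against the limits
stated above. Added example, not SAP code; it encodes the documented rules
(at most 20 custom schemas, at most 20 attributes per schema, no complex
attributes, id and attribute names of at most 20 alphanumeric/underscore
characters counted without the custom-schema prefix). The supported simple
types are taken from the request example; treating attribute names as
case-insensitive for the duplicate check follows SCIM (RFC 7643), not this page.
"""
import re
from typing import Dict, List

CUSTOM_PREFIX = "urn:sap:cloud:scim:schemas:extension:custom:2.0:"
SCHEMA_RESOURCE = "urn:ietf:params:scim:schemas:core:2.0:Schema"
MAX_SCHEMAS = 20
MAX_ATTRIBUTES = 20
MAX_NAME_LEN = 20
NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,%d}$" % MAX_NAME_LEN)
SUPPORTED_TYPES = {"string", "boolean", "integer", "decimal", "datetime", "binary", "reference"}


def validate_custom_schema(body: Dict, existing_schema_ids: List[str]) -> List[str]:
    """Return the list of problems; an empty list means the request should be accepted."""
    problems: List[str] = []
    schema_id = body.get("id", "")
    if not schema_id.startswith(CUSTOM_PREFIX):
        problems.append(f"id must start with {CUSTOM_PREFIX}")
        short_id = schema_id
    else:
        short_id = schema_id[len(CUSTOM_PREFIX):]          # the part the 20-char limit applies to
    if not NAME_RE.match(short_id):
        problems.append(f"schema id {short_id!r} must be 1-{MAX_NAME_LEN} alphanumeric/underscore characters")
    if SCHEMA_RESOURCE not in body.get("schemas", []):
        problems.append(f"schemas must contain {SCHEMA_RESOURCE}")
    if schema_id in existing_schema_ids:
        problems.append("a custom schema with this id already exists")
    elif len(existing_schema_ids) >= MAX_SCHEMAS:
        problems.append(f"tenant already has {MAX_SCHEMAS} custom schemas")

    attributes = body.get("attributes", [])
    if len(attributes) > MAX_ATTRIBUTES:
        problems.append(f"{len(attributes)} attributes exceed the limit of {MAX_ATTRIBUTES}")
    seen = set()
    for attr in attributes:
        name = attr.get("name", "")
        if not NAME_RE.match(name):
            problems.append(f"attribute name {name!r} must be 1-{MAX_NAME_LEN} alphanumeric/underscore characters")
        if name.lower() in seen:
            problems.append(f"duplicate attribute name {name!r}")
        seen.add(name.lower())
        attr_type = attr.get("type")
        if attr_type == "complex" or "subAttributes" in attr:
            problems.append(f"attribute {name!r}: complex attributes are not supported")
        elif attr_type not in SUPPORTED_TYPES:
            problems.append(f"attribute {name!r}: unsupported type {attr_type!r}")
    return problems


def simple_attribute(name: str, attr_type: str) -> Dict:
    """Build one attribute definition in the shape of the request example."""
    return {
        "name": name, "type": attr_type, "multiValued": False, "required": False,
        "caseExact": attr_type != "string", "mutability": "readWrite",
        "returned": "default", "uniqueness": "none" if attr_type == "string" else "server",
        "description": "example attribute",
    }


# Constructed request body modelled on the documentation's MyCustomSchema example.
SAMPLE_REQUEST = {
    "id": CUSTOM_PREFIX + "MyCustomSchema",
    "name": "MyCustomSchema",
    "description": "MyCustomSchema description!",
    "schemas": [SCHEMA_RESOURCE],
    "attributes": [simple_attribute("Custom" + t.capitalize(), t) for t in sorted(SUPPORTED_TYPES)],
}

if __name__ == "__main__":
    print(validate_custom_schema(SAMPLE_REQUEST, []))
    rejected = {
        "id": CUSTOM_PREFIX + "ThisNameIsWayTooLongForTheLimit",
        "schemas": [SCHEMA_RESOURCE],
        "attributes": [{"name": "Address", "type": "complex", "subAttributes": []},
                       {"name": "bad-name", "type": "string"}],
    }
    for problem in validate_custom_schema(rejected, []):
        print("-", problem)
```

existing_schema_ids is the list of ids already returned by GET /Schemas for the tenant; passing it lets the check refuse the 21st schema locally instead of relying on the server's error.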
1.6.2.13 Delete Custom Schema

To delete a custom schema, send an HTTP DELETE request to the resource endpoint, in this case /Schemas, and append the id of the custom schema.

Note
You can only delete an existing custom schema, that is, one created through /Schemas as described above. The core and enterprise schemas are not custom schemas and cannot be deleted.

Request URI: https://<application name><provider subaccount>-<consumer subaccount>.hana.ondemand.com/idds/scim/Schemas/<id>
HTTP Method: DELETE
Content-Type: application/scim+json
Authorization: OAuth 2.0

Request Example

  DELETE /Schemas/urn:sap:cloud:scim:schemas:extension:custom:2.0:MyCustomSchema

Response

Response Status and Error Codes

Table 56:
  Code  Reason      Description
  204   No Content  Indicates that the custom schema is deleted.

When you try to retrieve the deleted custom schema with an HTTP GET request, you get status 404 Not Found.

Response Example

  {
    "status": "404",
    "detail": "Schema urn:sap:cloud:scim:schemas:extension:custom:2.0:MyCustomSchema not found",
    "schemas": [ "urn:ietf:params:scim:api:messages:2.0:Error" ]
  }

1.6.3 Requesting Audit Logs

The audit log displays information about who (user) performed what (action) and when (precise time stamp). The request ID is also displayed for detailed traceability, so that an entry can be correlated with the request that produced it.

For example:

  {"action":"POST","timestamp":"2017-04-19T09:40:47.218+0000"}.object={"objectID":"4b7b2be8-cd9b-4a4a-87ff-450aa76af061","objectName":"Users"}.custom={"request-id":"a5c95242-7ff9-4697-a605-ac91d1688888"}

Context

To view your audit logs, you need to request them by creating a BCP incident.

Procedure

1. Create a BCP incident on component BC-NEO-MON.
2. Provide the following information:
   Landscape – for example Factory
   Account – for example avatar
   Application Name – for example idds
   Time frame – for example 1st to 3rd May

Results

The audit logs are exported, archived and uploaded to a password-protected mdoc share with an expiry date of two weeks from today's date.

1.6.4 Security

Authentication

To authenticate to the identity directory SCIM REST API, you need an OAuth Client Credentials Grant authentication. That is, you need to obtain an OAuth token. For more information on how to configure it, see Configuring OAuth 2.0.

Every request must include an Authorization request header. The header value is provided as follows: Bearer <access token>.

Authorization

To access all resource endpoints (/Users, /Groups, /Schemas), you need to register an OAuth client and assign the following roles to it:
● SCIM_READ – Gives read-only access to all operations in the identity directory. That is, you can send only HTTP GET and HEAD requests to the resource endpoints.
● SCIM_MANAGE – Gives write access to all HTTP requests (POST, PUT and DELETE in addition to GET and HEAD).

Assign SCIM_MANAGE only to clients that actually create, update or delete resources; a client that only reads the directory (for reconciliation or reporting) should get SCIM_READ.

To assign the roles to your OAuth client, proceed as follows:
1. Open your subaccount in the SAP Cloud Platform cockpit.
2. From the left-side navigation, choose Subscriptions.
3. Under the Java Applications section, choose idds.
4. From the left-side navigation, choose Roles, select the role, and choose Assign.
5. In the User ID field, provide the OAuth client in the following format: oauth_client_<client_ID>, where <client_ID> is the one that is generated when you register your OAuth client.

1.7 Security

Before You Start

You can choose whether to only try out the Identity Provisioning service for testing purposes, or purchase it to use it productively. For more information, see: Getting Started [page 23]

Authentication

The Identity Provisioning service can be consumed either directly through its APIs, or by the user interface (UI). Protection categories:
● APIs are protected with OAuth 2.0. To call an API, you need to obtain an OAuth token. See: Register an OAuth Client
● UIs are protected with SAML 2.0 authentication against the trusted identity provider configured for SAP Cloud Platform.

Roles

You can provide additional users with admin rights for your consumer (sub)account. You can do this in the platform cockpit → Applications → Subscriptions. Choose your Java application and then, in the Roles section, assign new users. To learn how, see Managing Java EE Roles and Creating Roles (HTML5 Applications).

The available roles are:
● IPS_ADMIN – this is the main administrator role. It provides you with access to all Identity Provisioning systems and features. You can manage source, target and proxy systems, run and schedule jobs, view and maintain job logs, reset the tenant, and also grant other users permissions to Identity Provisioning systems.
● IPS_PROXY_USER – this role allows you to configure proxy systems, or grant other users permissions to work with proxy scenarios.

Note
We recommend that you configure the proxy systems in the Identity Provisioning UI. Still, if a particular proxy system does not have its own UI, use the API for configuration.
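When an exported audit log arrives, the first job is usually to turn its lines into records that can be filtered by object type, action and request ID. The parser below is an added example and not SAP code; it handles the line layout shown under Requesting Audit Logs above, a leading JSON object followed by ".object={...}" and ".custom={...}" segments. Each segment is decoded with json.JSONDecoder.raw_decode rather than split on dots, so dots or braces inside JSON strings cannot break the parse. The sample line is constructed from the documentation's example, and the timestamp layout is taken from that example; no other field names are assumed.

```python
"""Parse identity-provisioning audit log lines of the form shown above:

    {"action":...,"timestamp":...}.object={...}.custom={...}

Added example, not SAP code. The leading object and each ".<name>={...}"
segment are decoded with json.JSONDecoder.raw_decode, so dots or braces
inside JSON strings do not confuse the split. The sample line is
constructed from the documentation's example; the timestamp layout
(%Y-%m-%dT%H:%M:%S.%f%z) is taken from that example.
"""
import json
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Constructed sample line, modelled on the example in the documentation.
SAMPLE_AUDIT_LINE = (
    '{"action":"POST","timestamp":"2017-04-19T09:40:47.218+0000"}'
    '.object={"objectID":"4b7b2be8-cd9b-4a4a-87ff-450aa76af061","objectName":"Users"}'
    '.custom={"request-id":"a5c95242-7ff9-4697-a605-ac91d1688888"}'
)

WRITE_ACTIONS = {"POST", "PUT", "PATCH", "DELETE"}
_SEGMENT = re.compile(r"\.([A-Za-z_][\w-]*)=")      # ".object=" / ".custom=" / any later ".name="


@dataclass
class AuditEntry:
    action: str
    timestamp: datetime
    object_id: Optional[str]
    object_name: Optional[str]
    request_id: Optional[str]
    extra: Dict[str, dict] = field(default_factory=dict)   # segments other than object/custom


def parse_audit_line(line: str) -> AuditEntry:
    """Decode one line into an AuditEntry; raise ValueError on malformed input."""
    decoder = json.JSONDecoder()
    head, pos = decoder.raw_decode(line)           # {"action": ..., "timestamp": ...}
    segments: Dict[str, dict] = {}
    while pos < len(line):
        match = _SEGMENT.match(line, pos)
        if not match:
            raise ValueError(f"unexpected text at offset {pos}: {line[pos:pos + 20]!r}")
        value, pos = decoder.raw_decode(line, match.end())
        segments[match.group(1)] = value
    timestamp = datetime.strptime(head["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    obj = segments.pop("object", {})
    custom = segments.pop("custom", {})
    return AuditEntry(
        action=head["action"],
        timestamp=timestamp,
        object_id=obj.get("objectID"),
        object_name=obj.get("objectName"),
        request_id=custom.get("request-id"),
        extra=segments,
    )


def write_operations(lines: Iterable[str]) -> List[AuditEntry]:
    """Keep only entries that changed something, ordered by time: the set to
    review first when reconstructing which Users/Groups/Schemas were modified."""
    entries = [parse_audit_line(line.strip()) for line in lines if line.strip()]
    return sorted((e for e in entries if e.action in WRITE_ACTIONS), key=lambda e: e.timestamp)


if __name__ == "__main__":
    entry = parse_audit_line(SAMPLE_AUDIT_LINE)
    print(entry.action, entry.object_name, entry.object_id, entry.request_id,
          entry.timestamp.isoformat())
```

The request-id value is the handle to quote in a support incident: it lets the operators find the server-side trace for exactly the request that produced the audit entry.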
Encryption

When configuring a system, always set credentials (such as passwords and OAuth secrets) as Credential properties. Only values stored as Credential properties are treated as secrets; a password entered as a standard property is handled like any other configuration value.

Secure Communication

By default, the Identity Provisioning service uses secure communication channels. Still, when connecting to customer systems, you decide (define) which communication channel is to be used.

Note
We recommend that you always use secure protocols when specifying your connection details (in the cockpit → Destinations section, or in the Identity Provisioning UI → Properties tab).

Session Management

The Identity Provisioning service uses the session management principles of SAP Cloud Platform. By default, no session cookies are generated. For more information, see Handling Session Timeout.

Job Logs

Execution: Job logs show important information about the state of your jobs. If a job is unsuccessful, the logs display how many entities have failed and the first few of them.

Cleanup: Job logs are automatically deleted after a defined retention period. You can set this period to 7, 14 or 30 days. By default, logs are kept for 7 days.

Export: If you need to keep your job logs longer than the retention period, or just need to have them available offline, export them to your local system.

For more information, see: Manage Jobs and Job Logs [page 83]

Reset Customer Data

If you need to clear all your customer data (systems, jobs, execution logs), choose Reset from the Support section in the UI.

Data Storage Security

In the Identity Provisioning service, no personal or sensitive information about the provisioned entities is saved. To check whether any changes have been made to an entity after the initial provisioning, the Identity Provisioning service stores a strong hash of each provisioned entity and compares it on the next run, rather than storing the entity itself.

Note
Logs can contain any customer data, depending on what kind of information is provisioned (general or private). The Identity Provisioning service is not responsible for the content of the provisioned data. You, as administrator, can control this through the transformation logic of the systems.

If a provisioning job repeatedly fails and you need problem investigation, you can enable logging and tracing for the personal data of your provisioned entities. In this case, you need to do the following:
1. In your source system, set the property ips.trace.failed.entity.content to true.
2. Run the provisioning job again.
3. Open the Job Logs section, select your job, and under Failed Entities choose an entity and find the log information about it.
4. If you cannot resolve the problem yourself, contact the Identity Provisioning operators. For more information, see Support [page 207].

Note
The operators may need the full trace content, so they can ask you to set the property in your target system as well and run the provisioning job once again. While the property is true, the job logs contain personal data of the failed entities and are subject to the retention period above; set it back once the investigation is done.

Data Isolation

Trial Use – all trial users subscribed to the Identity Provisioning application share a common database schema, but their data is written in separate DB columns. This guarantees that your provisioned entities are stored separately, which means other trial customers cannot see your data.

Productive Use – after you subscribe to the productive Identity Provisioning application, a new dedicated database schema is created for you. This guarantees that your provisioned data is stored separately, which means it's isolated from other productive customer data.

Note
Even if you have more than one account, you receive only one Identity Provisioning DB schema.
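The recommendations in this section (secure protocols in connection details, credentials stored as Credential properties, the personal-data trace flag not left switched on) are the kind of thing that drifts over time across many configured systems. The following added example, which is not SAP code, is a small linter for a system's property set that reports each violation. The input shape is an assumption made for illustration: a dict of property name to value, plus the set of names that were saved as Credential properties. Of the property names in the sample, only ips.trace.failed.entity.content comes from the documentation; URL, Password and OAuth2TokenServiceURL are assumed names.

```python
"""Lint an Identity Provisioning system configuration against the
recommendations in this section: secure protocols in connection details,
credentials stored as Credential properties, and the personal-data trace
flag not left switched on. Added example, not SAP code. The input shape is
an assumption made for illustration: a dict of property name -> value plus
the set of names that were saved as Credential properties. Of the property
names used in the sample, only ips.trace.failed.entity.content comes from
the documentation; URL, Password and OAuth2TokenServiceURL are assumed.
"""
from typing import Dict, List, Set
from urllib.parse import urlparse

TRACE_FLAG = "ips.trace.failed.entity.content"
SECURE_SCHEMES = {"https", "ldaps"}
SECRET_HINTS = ("password", "secret", "passphrase", "privatekey", "token")
JOB_LOG_RETENTION_DAYS = {7, 14, 30}     # the only retention periods the service offers


def _looks_like_url(name: str, value: str) -> bool:
    return name.lower().endswith("url") or "://" in value


def lint_system(properties: Dict[str, str], credential_names: Set[str]) -> List[str]:
    """Return one finding per violated recommendation (empty list = clean)."""
    findings: List[str] = []
    for name, value in properties.items():
        lname = name.lower()
        if _looks_like_url(name, value):
            scheme = urlparse(value).scheme.lower()
            if scheme and scheme not in SECURE_SCHEMES:
                findings.append(f"{name}: uses {scheme}://; specify a secure protocol (https/ldaps)")
            continue  # a URL is not a credential even if its name contains "token"
        if any(hint in lname for hint in SECRET_HINTS) and name not in credential_names:
            findings.append(f"{name}: looks like a credential but is a standard property; "
                            f"save it as a Credential property")
    if properties.get(TRACE_FLAG, "").strip().lower() == "true":
        findings.append(f"{TRACE_FLAG}=true: job logs will contain personal data of failed "
                        f"entities; reset it once the investigation is done")
    return findings


def check_retention(days: int) -> bool:
    """Job log retention can only be 7, 14 or 30 days (the default is 7)."""
    return days in JOB_LOG_RETENTION_DAYS


# Constructed sample configuration containing the three problems the linter reports.
SAMPLE_PROPERTIES = {
    "URL": "http://hr.example.test/odata/v2",
    "Password": "s3cr3t-in-clear",
    "OAuth2TokenServiceURL": "https://idp.example.test/oauth/token",
    TRACE_FLAG: "true",
}

if __name__ == "__main__":
    for finding in lint_system(SAMPLE_PROPERTIES, credential_names=set()):
        print("-", finding)
```

Run it over every system's exported properties after a change window; a clean result is an empty list, and each finding names the property to fix.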
1.8 Support

If you experience issues with the Identity Provisioning service, follow the procedure below that matches the version you use (trial or productive).

Trial Use

Ask a question:
1. Open URL: https://answers.sap.com/questions/ask.html
2. Enter your SAP trial user name and password. A page with the title Ask a Question is displayed.
3. Enter the short and full text of your question or feedback.
4. For the primary tag, enter: SAP Cloud Platform Identity Provisioning
5. Fill in the rest of the mandatory fields.
6. Once you have finished, choose Submit your Question. A page dedicated to your feedback is created. On this page, you can check for answers from SAP developers and other users.
7. If you want to receive e-mail notifications from your feedback page, choose Follow.

Productive Use

Report an incident:
1. Open the SAP Support Portal page.
2. Perform a search to check whether your problem has already been reported.
3. If you cannot find any incidents related to your problem, create your own incident.
4. For Component, enter: BC-IAM-IPS
5. Fill in the rest of the mandatory fields, and choose Next.

Important Disclaimers and Legal Information

Coding Samples

Any software coding and/or code lines / strings ("Code") included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, unless damages were caused by SAP intentionally or by SAP's gross negligence.

Gender-Neutral Language

As far as possible, SAP documentation is gender neutral. Depending on the context, the reader is addressed directly with "you", or a gender-neutral noun (such as "sales person" or "working days") is used. If when referring to members of both sexes, however, the third-person singular cannot be avoided or a gender-neutral noun does not exist, SAP reserves the right to use the masculine form of the noun and pronoun. This is to ensure that the documentation remains comprehensible.

Internet Hyperlinks

The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint about where to find related information. SAP does not warrant the availability and correctness of this related information or the ability of this information to serve a particular purpose. SAP shall not be liable for any damages caused by the use of related information unless damages have been caused by SAP's gross negligence or willful misconduct. All links are categorized for transparency (see: https://help.sap.com/viewer/disclaimer).

go.sap.com/registration/contact.html

© 2017 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.

Please see https://www.sap.com/corporate/en/legal/copyright.html for additional trademark information and notices.