Identity Authentication is used to map SAP BTP role collections to user groups. A job called SCI User Group Sync synchronizes this user and group content between Identity Authentication (IAS) and SAP Cloud Identity Access Governance. The user and group information that applies to SAP Cloud Identity Access Governance is stored in the SAP Cloud Identity (SCI) database. For example, the SCI database has information about which users are role owners and which users are mitigation control monitors. The sync job fetches this information from the SCI database (IAS) and updates it in SAP Cloud Identity Access Governance.
After creating user groups in Identity Authentication and mapping role collections to them, you, as administrator, have to ensure that the group information is synchronized between Identity Authentication and the SAP Cloud Identity Access Governance subaccount. To do so, the following activities need to be performed:
- In Identity Authentication, you have to set up an administrator user of type System.
- In the SAP Cloud Identity Access Governance subaccount, you have to create a destination to be able to run a sync job for user groups.
- In the SAP Cloud Identity Access Governance Fiori Launchpad, you have to schedule the sync job: SCI User Group Sync.
Maintain Administrators in Identity Authentication

- Choose Add→System to add an administrator user.
- Enter the System Display Name, for example, IAG Sync.
Note
The system name cannot be changed afterward.

The user must be assigned the Manage Users and Manage Groups roles.
In the Configure Authorizations section, set the Manage Users and Manage Groups options to ON, and choose Save.
Set Password for System User

- Choose the created system user.
- In the Configure System Authentication section, choose Secrets to generate a password for the user.
- Choose Add.
- In the dialog box, enter the description and the expiration date.
Hint
The recommended entry for the expiration date is Never.
- Choose Save.
The user ID is automatically generated and displayed as Client ID.
You will utilize the generated user ID and the password in the next step when you are creating the SCIUserGroup destination.
Create Destination in SAP BTP Cockpit

- Open SAP BTP cockpit.
- In your SAP Cloud Identity Access Governance subaccount, go to Connectivity→Destinations.
- Choose New Destination.
- Provide the following information:
- Name: SCIUserGroup
- Type: HTTP
- Description: SCI User Group Service
- URL: https://SCI_TENANT_ID.accounts.ondemand.com/service/scim/Users
Note
Replace SCI_TENANT_ID with your Identity Authentication instance name.
- Proxy Type: Internet
- Additional Properties:
Use default JDK truststore: TRUE
- Authentication: BasicAuthentication
- User: <Generated user ID for the system user in IAS tenant>
- Password: <PW generated for the system user>
- Choose Save.
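Before scheduling the sync job, the values entered in the SCIUserGroup destination can be checked directly against the SCIM endpoint. The following script is an added example, not part of the SAP documentation; it assumes a POSIX shell with curl and sed, the secret supplied in an environment variable named IAS_SECRET (a hypothetical name), and standard HTTP status semantics for the likely causes it reports.

```shell
#!/bin/sh
# Added example (not SAP code): pre-flight check of the SCIUserGroup
# destination values. IAS_SECRET is a hypothetical variable name.

# Build the destination URL. Only a bare host label is accepted, so the
# unreplaced SCI_TENANT_ID placeholder, a pasted URL or stray whitespace
# cannot send the credentials to an unintended host.
scim_url() {
  case "$1" in
    ''|*[!A-Za-z0-9-]*) return 1 ;;
  esac
  printf 'https://%s.accounts.ondemand.com/service/scim/Users' "$1"
}

# Map the HTTP status to the likely cause in this setup (standard HTTP
# semantics; the stated causes are assumptions, not SAP error texts).
explain_status() {
  case "$1" in
    200) echo "OK: credentials accepted, destination values are usable" ;;
    401) echo "401: Client ID or secret rejected, or the secret has expired" ;;
    403) echo "403: check the Manage Users and Manage Groups authorizations" ;;
    000) echo "no HTTP response: check tenant ID, DNS and outbound access" ;;
    *)   echo "unexpected HTTP status $1" ;;
  esac
}

# Usage: IAS_SECRET=... check_destination <tenant-id> <client-id>
check_destination() {
  cd_url=$(scim_url "$1") || { echo "invalid tenant ID: $1" >&2; return 2; }
  # Escape backslashes and quotes for curl's config syntax, then pass the
  # credentials on stdin (-K -) so they never appear in the process list.
  cd_esc=$(printf '%s' "$IAS_SECRET" | sed 's/[\\"]/\\&/g')
  cd_code=$(printf 'user = "%s:%s"\n' "$2" "$cd_esc" |
    curl -sS -o /dev/null -w '%{http_code}' --max-time 20 -K - "$cd_url") || true
  explain_status "${cd_code:-000}"
  [ "$cd_code" = 200 ]
}
```

Call check_destination with the tenant ID and the generated Client ID; a non-zero exit status means the destination would fail with the same values.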
Schedule a Sync Job

- Before accessing SAP Cloud Identity Access Governance Fiori Launchpad, assign your own user in Identity Authentication (IAS) to an IAS group that is mapped to a role collection with sufficient authorizations (for example, to CIAG_Super_Admin).
- Log on to the SAP Cloud Identity Access Governance Fiori Launchpad with the IAS user.
- Navigate to Administration→Job Scheduler.
- Schedule the job and provide the following information:
- Job name: <Any Job name>
Note
No spaces are allowed.
- Job category: SCI User Group Sync Job
- Recurring Job: Yes or No, depending on your needs
- Start immediately: Yes or No, depending on your needs
- Choose Schedule Job.
- Check the job status in the Job History List.
For more information, refer to the official documentation on the SAP Help Portal: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/e12d8683adfa4471ac4edd40809b9038/de385218e7f94ce9ad62b1c3488413dd.html