The Identity Provisioning service automates identity lifecycle processes. It helps you provision identities and their authorizations to various cloud and on-premise business applications.
Identity Provisioning tenants run on the infrastructure of SAP Cloud Identity Services and the SAP BTP, Neo environment.
- User and Group Provisioning
- Provision users and groups between multiple supported cloud and on-premise systems, both SAP and non-SAP.
- User and Group Filtering
- Configure default transformations or filtering properties to control what data to be provisioned and what to be skipped.
- Full and Delta Read Mode
- Run a provisioning job in full mode to read all entities from a source system, or in delta read mode - to read only the modified data.
- Job Logging
- View and export job logs from the Identity Provisioning administration console. Logs display details about the job status and the provisioned entities.
- Subscribe to a source system to receive notifications for the status of provisioning jobs.
Identity Provisioning supports the following use cases:
- Provisioning from Source to Target Systems
The main use case of Identity Provisioning is to read users and groups from a source system and provision them to a target system. Filtering and/or mapping are applied during job execution.
- Hybrid Integration with Identity Management Systems
Identity Provisioning can be used for integrating cloud solutions with on-premise or cloud identity management systems that support SCIM 2.0 standard, such as SAP Identity Management and SAP Cloud Identity Access Governance.
In a hybrid integration scenario, Identity Provisioning acts as a proxy between a cloud solution and an on-premise or cloud system. This means the Identity Provisioning is used for configuring and exposing the cloud solution as a proxy system and connect it to the external identity management system without making a direct connection between them.
- Real-Time Provisioning from Identity Authentication
Identity Provisioning can be used for immediate, real-time provisioning of Identity Authentication users to any target system. Unlike the standard provisioning, where reading and writing of users is triggered by jobs, real-time provisioning is triggered by events (such as, user self-registration or user modification in Identity Authentication).
- Storing Users and Groups in Local Identity Directory
Identity Provisioning is mainly used for provisioning users and groups. However, it can also be used for storing users and groups when a specific type of system - Local Identity Directory, is configured. In a typical use case, the Local Identity Directory is first configured as a target system, where users and groups are provisioned to, and then configured as a source system, from where users and groups are read and provisioned to target systems.
The identity directory provides a System for Cross-domain Identity Management (SCIM) 2.0 REST API for managing resources (users, groups, and custom schemas).
Local Identity Directory is not available in bundle tenants.
To use Identity Provisioning, you need to obtain a tenant. The service provides two types of tenants - bundle and standalone.
You can access Identity Provisioning administration console as an HTML5 application. Depending on your Identity Provisioning tenant type, you can do this as follows:
- Access Identity Provisioning UI of Bundle Tenants
- Access Identity Provisioning UI of Standalone Tenants
Effective October 20, 2020, Identity Provisioning is offered bundled with SAP cloud solutions. You can obtain and use it, along with Identity Authentication, as part of a bundled SAP cloud solution that you need to purchase. The service is no longer sold as a standalone product. Existing customers of standalone Identity Provisioning can use it as-is until the end of their contracts.
You can access Identity Provisioning tenants on the infrastructure of SAP Cloud Identity Services and the SAP BTP, Neo environment.