Introducing Identity Provisioning

The Identity Provisioning service automates identity lifecycle processes. It helps you provision identities and their authorizations to various cloud and on-premise business applications.

Identity Provisioning tenants run on the infrastructure of SAP Cloud Identity Services and the SAP BTP, Neo environment.

User and Group Provisioning

Provision users and groups between multiple supported cloud and on-premise systems, both SAP and non-SAP.

User and Group Filtering

Configure default transformations or filtering properties to control what data to be provisioned and what to be skipped.

Full and Delta Read Mode

Run a provisioning job in full mode to read all entities from a source system, or in delta read mode - to read only the modified data.

Job Logging

View and export job logs from the Identity Provisioning administration console. Logs display details about the job status and the provisioned entities.

Notifications

Subscribe to a source system to receive notifications for the status of provisioning jobs.

Identity Provisioning supports the following use cases:

• Provisioning from Source to Target Systems

  The main use case of Identity Provisioning is to read users and groups from a source system and provision them to a target system. Filtering and/or mapping are applied during job execution.

• Hybrid Integration with Identity Management Systems

  Identity Provisioning can be used for integrating cloud solutions with on-premise or cloud identity management systems that support SCIM 2.0 standard, such as SAP Identity Management and SAP Cloud Identity Access Governance.

  In a hybrid integration scenario, Identity Provisioning acts as a proxy between a cloud solution and an on-premise or cloud system. This means the Identity Provisioning is used for configuring and exposing the cloud solution as a proxy system and connect it to the external identity management system without making a direct connection between them.

• Real-Time Provisioning from Identity Authentication

  Identity Provisioning can be used for immediate, real-time provisioning of Identity Authentication users to any target system. Unlike the standard provisioning, where reading and writing of users is triggered by jobs, real-time provisioning is triggered by events (such as, user self-registration or user modification in Identity Authentication).

• Storing Users and Groups in Local Identity Directory

  Identity Provisioning is mainly used for provisioning users and groups. However, it can also be used for storing users and groups when a specific type of system - Local Identity Directory, is configured. In a typical use case, the Local Identity Directory is first configured as a target system, where users and groups are provisioned to, and then configured as a source system, from where users and groups are read and provisioned to target systems.

  The identity directory provides a System for Cross-domain Identity Management (SCIM) 2.0 REST API for managing resources (users, groups, and custom schemas).

Local Identity Directory is not available in bundle tenants.

To use Identity Provisioning, you need to obtain a tenant. The service provides two types of tenants - bundle and standalone.

You can access Identity Provisioning administration console as an HTML5 application. Depending on your Identity Provisioning tenant type, you can do this as follows:

• Access Identity Provisioning UI of Bundle Tenants
• Access Identity Provisioning UI of Standalone Tenants

Caution

Effective October 20, 2020, Identity Provisioning is offered bundled with SAP cloud solutions. You can obtain and use it, along with Identity Authentication, as part of a bundled SAP cloud solution that you need to purchase. The service is no longer sold as a standalone product. Existing customers of standalone Identity Provisioning can use it as-is until the end of their contracts.

You can access Identity Provisioning tenants on the infrastructure of SAP Cloud Identity Services and the SAP BTP, Neo environment.

SAP Cloud Identity Services – Identity Provisioning provides two types of tenants - bundle and standalone.

Although bundle and standalone tenants differ in various aspects: pricing (in bundle tenants, Identity Provisioning is free of charge), connectors availability and level of access to SAP BTP cockpit, the provisioning functionality remains the same.

Both type of tenants can run on SAP Cloud Identity Services infrastructure and SAP BTP, Neo Environment.

A bundle tenant is an instance of Identity Provisioning that comes with a set of pre-configured provisioning systems relevant to one or more bundled SAP cloud solutions.

Caution

Effective March 15, 2022, new Identity Provisioning bundle tenants are created on the infrastructure of SAP Cloud Identity Services only. Existing customers of bundle tenants on Neo environment can continue using them as-is.

When an SAP cloud solution bundles with SAP Cloud Identity Services, you are entitled to receive Identity Authentication and Identity Provisioning tenants without additional costs on the purchase of the corresponding SAP cloud solution's license. These Identity Authentication and Identity Provisioning tenants come pre-configured with the SAP cloud solution.

You obtain Identity Provisioning bundle tenant with a set of provisioning systems (source, target and proxy) for which you have a license. Those systems are pre-configured in your tenant. For example, when SAP SuccessFactors is bundled with Identity Provisioning, the bundle tenant is pre-configured with SAP SuccessFactors (source system), SAP Analytics Cloud (target system) and Identity Authentication, SAP AS ABAP and SAP S/4HANA on-premise (source and target systems). All source and target systems are also available as proxy systems.

The set of provisioning systems in Identity Provisioning bundle tenant is restricted. The only exception is SAP Cloud Identity Access Governance bundle, which includes all supported provisioning systems by Identity Provisioning, except for Local Identity Directory.

A bundle tenant can be extended when you purchase more bundled SAP cloud solutions. In this case, you don't get additional tenants.

Regardless of how many SAP cloud solutions you have purchased, you are entitled to two Identity Provisioning bundle tenants – one for testing and one for productive purposes.

Depending on the infrastructure or the environment your bundle tenant runs on, you can access and operate it as follows:

SAP Cloud Identity Services Infrastructure

Bundle tenants created after March 15, 2022 run on SAP Cloud Identity Services infrastructure.

The Identity Provisioning admin access is fully controlled and configured in the administration console of Identity Authentication. This access is based on roles which are assigned to admin users in the Users and Authorizations screen of the Identity Authentication administration console.

SAP BTP, Neo Environment

Bundle tenants created before March 15, 2022 run on SAP BTP, Neo environment.

Administrators of bundle tenants can only access their Identity Provisioning subaccount in SAP BTP cockpit to register OAuth clients, create connectivity destinations and configure Cloud Connector connections. This access is based on roles which are assigned to admin users in the Authorization tile of the Identity Provisioning administration console.

Standalone Tenant

A standalone tenant allows you to use Identity Provisioning as a separate (standalone) product.

Note

Effective October 20, 2020, Identity Provisioning is offered bundled with SAP cloud solutions. You can obtain and use it, along with Identity Authentication, as part of a bundled SAP cloud solution that you need to purchase. The service is no longer sold as a standalone product. Existing customers of standalone Identity Provisioning can use it as-is until the end of their contracts.

To check the list of SAP cloud solutions that bundle Identity Provisioning.

The scope of the standalone tenant is not restricted. It can be used for provisioning of users and groups to and from all supported systems by Identity Provisioning service.

Depending on the infrastructure or the environment your standalone tenant runs on, you can access and operate it as follows:

SAP Cloud Identity Services Infrastructure

Identity Provisioning service purchased between September 1, 2020 and October 20, 2020 runs on the infrastructure of SAP Cloud Identity Services.

You use a tenant that provides you access to both Identity Provisioning and Identity Authentication. You can access Identity Provisioning in all regions and data centers where the Identity Authentication is running.

SAP BTP, Neo Environment

Identity Provisioning service purchased before September 1, 2020 runs on SAP BTP, Neo environment.

You access Identity Provisioning admin console by using SAP Business Technology Platform subaccounts using the SAP BTP cockpit. You can access Identity Provisioning in all regions available for SAP BTP, Neo environment. 

Identity Provisioning bundle tenants can run on the infrastructure of SAP Cloud Identity Services and the SAP BTP, Neo environment.

Delivering bundle tenants on the infrastructure of SAP Cloud Identity Services improves the integration between the group of services that provide cloud identity capabilities: Identity Authentication, Identity Provisioning, and Identity Directory. The Identity Provisioning admin access is fully controlled and configured in the administration console of Identity Authentication, where customers can easily benefit from its numerous features, such as setting up single sign-on for corporate identity providers, enabling two-factor authentication and others.

Sharing the same infrastructure paves the way for tighter integration and common features in the future.

Bundle tenants on this infrastructure come with the following specifics:

• The Identity Provisioning tenant URL uses the host of the corresponding Identity Authentication tenant of the customer. It follows the pattern: https://<ias-host>/ips.

  An example of this is: https://best-run.accounts.ondemand.com/ips.

• The Identity Provisioning administrator authenticates to the corresponding Identity Authentication tenant of the customer with the admin user that has the Manage Identity Provisioning role enabled in the Identity Authentication admin console.
• The Identity Provisioning administrator authenticates to the corresponding Identity Authentication tenant of the customer with the admin user that has the Manage Identity Provisioning role enabled in the Identity Authentication admin console.

Further Identity Provisioning administration access, such as authorizations to access API for real-time provisioning and access API for provisioning identities using proxy systems, is granted in the Identity Authentication admin console.

Bundle tenants on this environment come with the following specifics:

• The Identity Provisioning tenant URL uses the bundle tenant ID and the region and host available for SAP BTP, Neo environment. It follows the pattern: https://ips-<consumer_account>.dispatcher.<region_host>/webapp/index.html, where <consumer_account> is the Identity Provisioning bundle tenantID.
• An example of this is: https://ips-a12345sdf678.dispatcher.ca1.hana.ondemand.com/webapp/index.html
• The Identity Provisioning administrator authenticates to the admin console of the service with his or her S-user credentials provided in the welcoming onboarding email from SAP. The admin user has the Manage Identity Provisioning role enabled in the Identity Provisioning admin console.

Further Identity Provisioning administration access, such as authorizations to register OAuth clients, create connectivity destinations and configure Cloud Connector connections, is granted on the Authorizations screen in Identity Provisioning admin console. 

You can access Identity Provisioning in all regions available for SAP BTP, Neo environment. The only exception is - standalone tenants purchased between September 1, 2020 and October 20, 2020, which you can access in all regions and data centers where the Identity Authentication is running.

Disaster recovery (DR) and high availability (HA) are based on the capabilities of the underlying infrastructure.

SAP Cloud Identity Services – Identity Provisioning is a multi-tenant system where tenants share the hardware and software and use dedicated (and isolated) database instances for persistence.

A disaster is only declared by SAP when there is a loss of utilities and services and uncertainty on whether utilities and services can be restored within a reasonable period of time. As long as the production site has power and is connected to the Internet, it will not be considered a disaster.

Emergency incidents are assessed by SAP Business Technology Platform and SAP Corporate Infrastructure Services. An SAP management member with proper authorization must officially declare a disaster in order to initiate a disaster recovery plan.

Operations from the "disaster recovery site" could last anywhere from a few weeks to many months. Initiation of the failback plan is at SAP’s sole discretion.

Your bundle or standalone tenant is running on SAP BTP, Neo Environment:

• Your bundle tenant is created before March 15, 2022.
• Your Identity Provisioning is purchased as a standalone product before September 1, 2020.

The Identity Provisioning service uses standard disaster recovery. Backups (complete data and log) are kept on a secondary location for the last 14 days, and are deleted afterward.

Note

High availability is not supported.

Your bundle or standalone tenant is running on the infrastructure of SAP Cloud Identity Services:

• Your bundle tenant is created after March 15, 2022.
• Your Identity Provisioning is purchased as a standalone product between September 1, 2020 and October 20, 2020.

Enhanced disaster recovery and high availability are fully supported for your tenants.

Disaster recovery and high availability are available only for the regions where Identity Authentication and Identity Provisioning share the same infrastructure and both services are enabled in a common tenant.

All deployments which have one data center support replication of the data between two zones within the same region.

Country/regions with two data centers operate in high availability (HA) and disaster recovery (DR) mode among the respective data centers. Tenants located in these country/regions are distributed among the data centers there.

Identity Provisioning uses Akamai GTM to route the traffic to a failover data center in case of any issues in the primary data center. This principle covers both the HA and DR setup.