Configuring the Required Provisioning Entities

Objectives

After completing this lesson, you will be able to:

  • Configure the required provisioning entities.
  • Define different system types.
  • Explore different systems.
  • Understand how to use mandatory properties.
  • Use parameters taken from system property sets.

Identity Provisioning Service

The Identity Provisioning service ensures the synchronization of the entities between a source system and one or multiple target systems.

  • Source – a system where the company currently manages the corporate identities.
  • Target – a system that needs to be populated with corporate users and other entities.

You can configure the required provisioning entities in order to ensure proper synchronization between source and target systems. You can also use proxy systems for indirect connections between a system supported by Identity Provisioning and an external application that uses a SCIM 2.0 API to consume identities from the proxy system. For example, you can use SAP Identity Management as an external consuming application.

Properties help you to customize the way your identities are read from a source system or provisioned to the target one. They can also filter which entities and attributes are read or skipped during the provisioning job.

For every system supported by the Identity Provisioning service, there is an initial (default) transformation logic that converts the system-specific JSON representation of the entities from/to one common JSON. You can keep the default transformation or modify the mapping rules to reflect the current setup of entities from your source or target system.

System Types

This section defines the three types of systems you can use for provisioning identities: source, target, and proxy.

Source Systems

A source system is the connector used for reading entities (users, groups, or roles). Source systems can be on-premise or cloud-based, SAP or non-SAP, and usually represent the corporate user store where identities are currently maintained. Identity Provisioning reads the entities from the source system and creates or updates them in the relevant target ones. The provisioning is triggered from the Jobs tab of a source system.

You can connect one source system to one or multiple target systems.

In the case of multiple (enabled) target systems, when you start a Read or a Resync job, this operation will trigger provisioning of entities from this source system to all relevant target ones.

Note

To check the list of all supported source systems, see Source System (the link for which is found here: https://help.sap.com/docs/IDENTITY_PROVISIONING/f48e822d6d484fa5ade7dda78b64d9f5/58033bec92124ef2a7905b37d0f50704.html).

Target Systems

A target system is the connector used for writing (provisioning) entities. Target systems are usually clouds, where Identity Provisioning creates or updates the entities taken from the source system.

A target system can be connected to a single or multiple source systems.

In the case of multiple source systems, we recommend that you run the provisioning jobs successively for each system, not simultaneously. By doing this, you will avoid incorrect overwriting or merging of entity data, and therefore failed provisioning jobs.

Note

To check the list of all supported target systems, see Target Systems (the link for which is here: https://help.sap.com/docs/IDENTITY_PROVISIONING/f48e822d6d484fa5ade7dda78b64d9f5/ab3f641552464c79b94d10b9205fd721.html).

Proxy Systems

A proxy system is a special connector used for "hybrid" scenarios. It exposes any Identity Provisioning supported backend system as a SCIM 2.0 service provider, which can be consumed by any SCIM 2.0 compatible client application, without making a direct connection between them.

To achieve this, the Identity Provisioning service uses this special proxy system to execute provisioning operations (create, update, delete, and so on) requested by the client application.

The examples in this section use SAP Identity Management as the consuming client application, but you can use any other SCIM-based identity management solution.

To provide communication between SAP Identity Management and the backend system, the proxy application uses a SCIM 2.0 protocol. A system can act as a proxy if it supports both read and write operations.

Proxy System - How It Works

  1. The Identity Provisioning service exposes the backend of a supported system as a "proxy".
  2. An external application (for example, SAP Identity Management) regards the proxy system as its backend system.
  3. The entities (users) exposed by the backend system are mapped to SCIM 2.0 entities, if possible. If not possible, the SCIM standard provides a mechanism to define a new resource type with the appropriate schema. You can use the custom resource type to map the backend entities.
  4. Finally, the external application can start sending REST web service requests to the proxy system in order to read identities from the backend of the SCIM 2.0 system.

Customer Managed Systems

All provisioning systems (source, target, and proxy) that you configure in the Identity Provisioning administration console are displayed under the Customer Managed category.

System Configuration Details

The system types share a similar Identity Provisioning user interface. The following table lists the details you need to set up a source, target, or proxy system:

System Configuration Details

Tab / Field: Description
Details - Type

(Mandatory) The type of the source or target system. You can select a particular system from the dropdown list.

Details - System Name

(Mandatory) The name of the source or target system configuration. This name will be displayed in the job log and other reports.

Details - Destination Name

(Optional) The name of the destination configuration for the system. You define it in the Destinations editor in SAP BTP cockpit. 

Note

This field is only mandatory for ABAP systems.

Details - Description

(Optional) Enter a meaningful description. It will help you easily distinguish your systems in the list later.

Details - Source Systems

Note

This field is only available for target systems.

(Optional) The name or list of names of the source systems that the entities should be read from and transferred to this target system. The list can contain one or more source system names, separated by comma (,).

If no source system is specified in this field, the target system receives entities from all source systems configured in the Source Systems tile for the customer tenant.

Transformations

The initial transformation logic is created when you save the source or target system. Every system has specific JSON requirements: these are data models for the entities that have to be synchronized using the Identity Provisioning service. Transformations are settings that represent the logic used to convert or filter the entity data taken from the source before sending it to the target system. Transformations also define how the different attributes of the entities should be mapped. The Identity Provisioning service offers default transformation settings per system, which can be additionally configured.

Properties

(Optional) You can set properties for the source or target systems. This helps you to filter the data taken from the source system, or to apply a filter to the data before writing it into the target system.

These properties overwrite the properties set in the Additional Properties section in SAP BTP cockpit Destinations.

Jobs

Note

This tab is only available for source systems. It appears once you have successfully configured the source system.

From the Jobs tab, you can start or schedule the provisioning job, or resynchronize the data in the target system if changes are made in the source system.

Properties

You need to set mandatory properties to configure the connection between your source and target systems.

For your system provisioning goals, you can set properties in two places:

  • SAP BTP cockpit: Destinations
  • Identity Provisioning UI: Properties

If the same properties exist in both the Destinations editor (in the cockpit) and in the Properties tab (in the Identity Provisioning UI), the values set in the Properties tab are taken with higher priority.

Properties help you to customize the way your identities are read from a source system or provisioned to the target one. They can also filter which entities and attributes are going to be read or skipped during the provisioning job. According to their usability, properties can be categorized in the following way:

  • Standard
  • Credential
  • Default
  • Parameterized
  • Internal

Property Types

Properties can help you filter which entities and entity attributes are read from the source system or written to the target system. According to their usability, properties can be categorized as follows:

Standard System Properties

Each source, target, and proxy system supports specific types of properties, for example:

Examples

AS ABAP System
jco.client.r3name=PSE
jco.destination.peak_limit=10
jco.destination.pool_capacity=5

SAP SuccessFactors
sf.page.size=100
sf.user.filter=firstName John
sf.user.attributes=email

Credential Properties

The values of these properties contain sensitive information that must not be displayed as plain text. The default credential property name is Password, which can represent standard passwords, private keys, or OAuth client secrets. When you add a credential property, its value is displayed as an encrypted string. For better security, the encrypted string is always displayed as 40 characters, irrespective of the length of your password.

Examples

SAP HANA Database
hana.jdbc.db.password=********************
hana.jdbc.ssh.tunnel.cf.password=********************
hana.jdbc.ssh.tunnel.private.key=********************

SSH Server
ssh.password=********************
ssh.private.key=********************
ssh.totp.secret.key=********************

Default System Properties

These properties depend on the particular connector type. They exist in the transformations by default. It is possible to delete some of them, but this may cause a loss of provisioned data – for example:

Examples

LDAP Server
ldap.group.object.class=groupOfNames
ldap.user.object.class=inetOrgPerson
ldap.attribute.user.mobile=mobile
ldap.group.filter=<empty>
ldap.user.filter=<empty>

Parameterized System Transformations

Parameterized system transformations use parameters taken from the system property sets. Each parameter consists of a unique key and a value. Like the standard properties, they can be configured in the system's Properties tab, and/or in the system's destination properties (in the platform cockpit). When one parameter exists in both property sets, the system properties have priority over the system destination properties.

In the JSON data, the unique key of such a parameter is enclosed in percent symbols (%). During the transformation evaluation, each occurrence of %<...>% is replaced by the corresponding parameter's value. Parameter references without a value are left unchanged, for example:

Examples

LDAP parameters – list
ldap.attribute.user.mail=mail
ldap.attribute.user.givenName=givenName
ldap.attribute.user.groups=memberOf

LDAP parameters – mapping transformation

    /* LDAP Server (source) system: */
    {
        "sourcePath": "$.%ldap.attribute.user.mail%[0]",
        "targetPath": "$.emails[0].value",
        "optional": true
    },
    {
        "sourcePath": "$.%ldap.attribute.user.givenName%[0]",
        "targetPath": "$.name.givenName",
        "optional": true
    },

Note

Nested parameters are not supported.
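
The resolution rules described above (Properties tab values override destination values, each %key% is replaced by its value, references without a value stay unchanged, no nested expansion), as an added Python sketch that is not SAP's implementation. The property values, the third mapping rule and all function names are constructed for illustration; the list of unresolved keys it returns is a check you can run before starting a job.

```python
import re

# Constructed sample property sets; key names follow the page's LDAP examples.
DESTINATION_PROPS = {  # set in SAP BTP cockpit: Destinations
    "ldap.attribute.user.mail": "mail",
    "ldap.attribute.user.givenName": "gn",
}
SYSTEM_PROPS = {  # set in Identity Provisioning UI: Properties tab
    "ldap.attribute.user.givenName": "givenName",
}
# First two rules are from the page; the third is constructed and its key has
# no value, as if the default ldap.attribute.user.mobile had been deleted.
MAPPINGS = [
    {"sourcePath": "$.%ldap.attribute.user.mail%[0]",
     "targetPath": "$.emails[0].value", "optional": True},
    {"sourcePath": "$.%ldap.attribute.user.givenName%[0]",
     "targetPath": "$.name.givenName", "optional": True},
    {"sourcePath": "$.%ldap.attribute.user.mobile%[0]",
     "targetPath": "$.phoneNumbers[0].value", "optional": True},
]
PLACEHOLDER = re.compile(r"%([\w.-]+)%")


def effective_properties(destination, system):
    """Merge both property sets; Properties-tab values win on conflict."""
    merged = dict(destination)
    merged.update(system)
    return merged


def resolve(text, props):
    """Replace each %key% once; keys without a value stay as written.

    re.sub does not rescan replaced text, so a value that itself contains
    %...% is not expanded (nested parameters are not supported).
    """
    return PLACEHOLDER.sub(lambda m: props.get(m.group(1), m.group(0)), text)


def resolve_mappings(mappings, props):
    """Return the resolved rules and the sorted keys that had no value."""
    resolved, missing = [], set()
    for rule in mappings:
        out = dict(rule)
        for field in ("sourcePath", "targetPath"):
            out[field] = resolve(rule[field], props)
            missing.update(k for k in PLACEHOLDER.findall(rule[field])
                           if k not in props)
        resolved.append(out)
    return resolved, sorted(missing)
```

An unresolved key leaves a literal %...% in the path, so with "optional": true the attribute is silently skipped rather than failing the job; reviewing the returned list catches that.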

Internal Properties

Note

Identity Provisioning uses internal properties in various cases. Internal properties must not be used by customers.

An example of this is shown in the following table:

Example

Property Name: destinationName
Value: The name of the destination created in SAP BTP cockpit.

Note

A detailed list of properties is available on List of Properties | SAP Help Portal (the link for which is available here: https://help.sap.com/docs/IDENTITY_PROVISIONING/f48e822d6d484fa5ade7dda78b64d9f5/d6f3577f30ec4af98e734b0126a60e37.html).

Consider that the links in the Online Documentation change frequently.

Editing System Properties
