Exploring Identity Provisioning

Objectives

After completing this lesson, you will be able to:
  • Get to know the environment and the infrastructure of SAP Identity Services and SAP BTP.
  • Summarize the features of Identity Provisioning.
  • Understand the features.
  • Know the prerequisites, tools, and regional availability.
  • Understand the basics of the tenant model.
  • Understand the basics of the bundle tenant.
  • Understand the basics of the standalone tenant.

Identity Provisioning

Disclaimer: The SAP Business Technology Platform (SAP BTP) is evolving permanently and frequently. Therefore, there might be some differences between the screenshots and simulations in this course and the actual environment. Some changes are due to the strategy of SAP, which is to harmonize the user experience across platforms while others bring new features.

The Identity Provisioning service automates identity lifecycle processes. It helps you to provision identities and their authorizations to various cloud and on-premise business applications.

Environment

Identity Provisioning tenants run on the infrastructure SAP Business Technology Platform (SAP BTP).

Features

User and Group Provisioning
Provision users and groups between multiple supported cloud and on-premise systems (for both SAP and non-SAP).
User and Group Filtering
Configure default transformations or filtering properties to control what data is going to be provisioned and what is going to be skipped.
Full and Delta Read Mode
Run a provisioning job in full read mode to read all entities from a source system, or in delta read mode to read only the data modified since the last run.
Job Logging
View and export job logs from the Identity Provisioning administration console; the logs display details about the job status and the provisioned entities.
Notifications
Subscribe to a source system to receive notifications for the status of provisioning jobs.
The diagram shows identity provisioning: the User Store is the source system from which entities are read; they are then transferred via the Identity Provisioning service to the SaaS business application, which is the target system in which the entities are populated.

How to Navigate the Identity Provisioning Service

The administration console for Cloud Identity Services aggregates the functionality for Authentication Services and Provisioning Services. At this stage, we will focus on the main options available for the Provisioning Service.

In this demonstration you will learn where to locate the main functions on Identity Provisioning. From the available menu options, you will see where to create or configure a source, target, or intermediate (proxy) system. You will access the logs that report the success or failure of your provisioning operations, and finally access an administrative set of links that allow you to explore documentation, request support, or reset the existing tenant content, something that can be handy in the case of development/tenant/trial environments.

How to Explore User Manual Definition

This demonstration shows how to manually create or review a user in the Identity Provisioning tenant. The Users and Authorizations option allows you to create or manage users, and is useful for checking whether user attributes are being populated correctly. Depending on the characteristics of the source and target systems, not all details are relevant for every system: an e-mail address is relevant in most common scenarios, whereas a company relationship is needed less often. This functionality is common to Identity Authentication and Identity Provisioning.

How to Explore Group Manual Definition

This demonstration shows how to manage groups in the Identity Provisioning Services tenant. Groups can appear as a result of a provisioning job execution, but can also be manually defined or imported by simple upload processes. Like for the User entity, a Group and its management functions are a common point between Identity Authentication and Identity Provisioning Services.

How to Explore Mass Import/Export

This demonstration shows the available functions for manually importing users into and exporting users from the Identity Services tenant. The export/import process (or, if you prefer, the download/upload process) uses CSV files. For the import step, carefully review whether the file content matches the attributes required for the involved entities. As an example, depending on the system, a Firstname, Lastname, or FullName attribute might or might not be required.
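The attribute check described for the CSV import step, combined with the filtering feature listed above (skipping entities that should not be provisioned), as an added example that is not part of the original lesson or SAP's own tooling. The CSV content and the per-target required-attribute sets are constructed assumptions; the SCIM 2.0 User mapping follows the core schema in RFC 7643.

```python
import csv
import io

# Constructed sample CSV (assumption, not from any real tenant export).
SAMPLE_CSV = """userName,firstName,lastName,email,active
jdoe,John,Doe,john.doe@example.com,true
asmith,,Smith,anna.smith@example.com,true
bbrown,Bob,Brown,bob.brown@example.com,false
"""

# Hypothetical required-attribute sets per target system; real targets differ,
# so check the documentation of each system before an import.
REQUIRED_BY_TARGET = {
    "target_a": {"userName", "email"},
    "target_b": {"userName", "firstName", "lastName", "email"},
}


def to_scim_user(row):
    """Map one CSV row to a SCIM 2.0 core User resource (RFC 7643)."""
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": row["userName"],
        "name": {"givenName": row["firstName"], "familyName": row["lastName"]},
        "displayName": f'{row["firstName"]} {row["lastName"]}'.strip(),
        "emails": [{"value": row["email"], "primary": True}],
        "active": row["active"].strip().lower() == "true",
    }


def prepare_import(csv_text, target):
    """Validate and filter CSV rows for a target system.

    Returns (users, skipped): users is a list of SCIM 2.0 User dicts ready to
    provision, skipped maps each rejected userName to the reason.
    """
    required = REQUIRED_BY_TARGET[target]
    users, skipped = [], {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Attribute check: every attribute the target requires must be non-empty.
        missing = sorted(k for k in required if not row.get(k, "").strip())
        if missing:
            skipped[row["userName"]] = "missing " + ", ".join(missing)
            continue
        user = to_scim_user(row)
        # Filtering: inactive users are skipped rather than provisioned.
        if not user["active"]:
            skipped[row["userName"]] = "inactive (filtered)"
            continue
        users.append(user)
    return users, skipped
```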

Use Cases

Identity Provisioning supports the following use cases:

  • Provisioning from Source to Target Systems:

    The main use case of Identity Provisioning is to read users and groups from a source system and provision them to a target system. Filtering and/or mapping are applied during job execution.

  • Hybrid Integration with Identity Management Systems:

    Identity Provisioning can be used for integrating cloud solutions with on-premise or cloud identity management systems that support SCIM 2.0 standard, such as SAP Identity Management and SAP Cloud Identity Access Governance.

    In a hybrid integration scenario, Identity Provisioning acts as a proxy between a cloud solution and an on-premise or cloud system. This means the Identity Provisioning is used for configuring and exposing the cloud solution as a proxy system and connecting it to the external identity management system without making a direct connection between them.

  • Real-Time Provisioning from Identity Authentication:

    Identity Provisioning can be used for immediate, real-time provisioning of Identity Authentication users to any target system. Unlike the standard provisioning, where reading and writing of users is triggered by jobs, real-time provisioning is triggered by events (such as user self-registration or user modification in Identity Authentication).

  • Storing Users and Groups in Local Identity Directory:

    Identity Provisioning is mainly used for provisioning users and groups. However, it can also be used for storing users and groups when a specific type of system, Local Identity Directory, is configured. In a typical use case, the Local Identity Directory is first configured as a target system, where users and groups are provisioned to, and then configured as a source system, from where users and groups are read and provisioned to target systems.

    The identity directory provides a System for Cross-domain Identity Management (SCIM) 2.0 REST API for managing resources (users, groups, and custom schemas).


Prerequisites

To use Identity Provisioning, you need to obtain a tenant.

Tools

You can access the Identity Provisioning administration console as an HTML5 application.

Regional Availability

You can access Identity Provisioning tenants on the infrastructure of the SAP BTP.

Tenant Model

SAP Cloud Identity Services – Identity Provisioning functionality can be added to the Identity Authentication Service tenant.

Bundle Tenant

A bundle tenant is an instance of Identity Provisioning that comes with a set of preconfigured provisioning systems relevant to one or more bundled SAP cloud solutions.

Caution

Effective March 15, 2022, new Identity Provisioning bundle tenants are created on the infrastructure of SAP Cloud Identity Services only.

Standalone Tenant

A standalone tenant allows you to use Identity Provisioning as a separate (standalone) product.

Caution

Effective October 20, 2020, Identity Provisioning is offered bundled with SAP cloud solutions. You can obtain and use it, along with Identity Authentication, as part of a bundled SAP cloud solution that you need to purchase. The service is no longer sold as a standalone product. Existing customers of standalone Identity Provisioning can use it as is until the end of their contracts.

The scope of the standalone tenant is not restricted. It can be used for provisioning users and groups to and from all systems supported by the Identity Provisioning service.

How you access and operate your standalone tenant depends on the infrastructure or environment it runs on.
