Exploring Identity Provisioning

Objectives

After completing this lesson, you will be able to:

  • Get to know the environment and the infrastructure of SAP Cloud Identity Services and SAP BTP
  • Summarize the features of Identity Provisioning
  • Understand the features
  • Learn how to use prerequisites, tools, and regional availability
  • Understand the basics of the tenant model
  • Understand the basics of the bundle tenant
  • Understand the basics of the standalone tenant

Identity Provisioning

Disclaimer: The SAP BTP platform evolves continuously and frequently. Therefore, there might be some differences between the screenshots and simulations in this course and the actual environment. Some changes are due to the strategy of SAP, which is to harmonize the user experience across platforms, while others bring new features. Nevertheless, the major transformation that took place over the last two years was related to the replacement of the Neo infrastructure. Always refer to the latest documentation available at https://help.sap.com.

The Identity Provisioning service automates identity lifecycle processes. It helps you to provision identities and their authorizations to various cloud and on-premise business applications.

Environment

Identity Provisioning tenants run on the infrastructure of SAP Cloud Identity Services and the SAP Business Technology Platform (BTP), Neo Environment.

Features

User and Group Provisioning
Provisions users and groups between multiple supported cloud and on-premise systems (for both SAP and non-SAP).
User and Group Filtering
Configure default transformations or filtering properties to control what data is going to be provisioned and what is going to be skipped.
Full and Delta Read Mode
Run a provisioning job in full mode to read all entities from a source system, or in delta read mode to read only the modified data.
Job Logging
View and export job logs from the Identity Provisioning administration console. Logs display details about the job status and the provisioned entities.
Notifications
Subscribe to a source system to receive notifications for the status of provisioning jobs.

Use Cases

Identity Provisioning supports the following use cases:

  • Provisioning from Source to Target Systems:

    The main use case of Identity Provisioning is to read users and groups from a source system and provision them to a target system. Filtering and/or mapping are applied during job execution.

  • Hybrid Integration with Identity Management Systems:

    Identity Provisioning can be used for integrating cloud solutions with on-premise or cloud identity management systems that support the SCIM 2.0 standard, such as SAP Identity Management and SAP Cloud Identity Access Governance.

    In a hybrid integration scenario, Identity Provisioning acts as a proxy between a cloud solution and an on-premise or cloud system. This means that Identity Provisioning is used for configuring and exposing the cloud solution as a proxy system and connecting it to the external identity management system without making a direct connection between them.

  • Real-Time Provisioning from Identity Authentication:

    Identity Provisioning can be used for immediate, real-time provisioning of Identity Authentication users to any target system. Unlike the standard provisioning, where reading and writing of users is triggered by jobs, real-time provisioning is triggered by events (such as user self-registration or user modification in Identity Authentication).

  • Storing Users and Groups in Local Identity Directory:

    Identity Provisioning is mainly used for provisioning users and groups. However, it can also be used for storing users and groups when a specific type of system, the Local Identity Directory, is configured. In a typical use case, the Local Identity Directory is first configured as a target system, to which users and groups are provisioned, and then configured as a source system, from which users and groups are read and provisioned to target systems.

    The identity directory provides a System for Cross-domain Identity Management (SCIM) 2.0 REST API for managing resources (users, groups, and custom schemas).

Note

Restriction: A Local Identity Directory is not available in bundle tenants.
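
The source-to-target use case and the Full and Delta Read Mode feature described above, as an added Python sketch. It is not SAP code and does not use the service's own transformation syntax: the record fields, the filter rule and all function names are assumptions made for illustration, and only the SCIM 2.0 core User attributes come from RFC 7643.

```python
from datetime import datetime, timezone

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed source records (hypothetical source system export, not real data).
SOURCE = [
    {"id": "1001", "login": "asmith", "mail": "asmith@example.com",
     "status": "active", "modified": "2024-05-01T08:00:00+00:00"},
    {"id": "1002", "login": "bjones", "mail": "bjones@example.com",
     "status": "terminated", "modified": "2024-05-03T09:30:00+00:00"},
    {"id": "1003", "login": "svc-backup", "mail": "",
     "status": "active", "modified": "2024-05-04T10:00:00+00:00"},
    {"id": "1004", "login": "cwu", "mail": "cwu@example.com",
     "status": "active", "modified": "2024-05-05T11:15:00+00:00"},
]
LAST_RUN = datetime(2024, 5, 4, tzinfo=timezone.utc)  # constructed previous job time

def read(source, mode, last_run=None):
    """Full mode returns every entity; delta mode only those modified after last_run."""
    if mode == "full":
        return list(source)
    if last_run is None:
        raise ValueError("delta read needs the timestamp of the previous run")
    return [r for r in source if datetime.fromisoformat(r["modified"]) > last_run]

def in_scope(rec):
    """Filter (assumed rule): skip service accounts and records without a mail address."""
    return bool(rec["mail"]) and not rec["login"].startswith("svc-")

def to_scim(rec):
    """Mapping: source attributes to SCIM 2.0 core User attributes."""
    return {"schemas": [SCIM_USER], "externalId": rec["id"],
            "userName": rec["login"],
            "emails": [{"value": rec["mail"], "primary": True}],
            # A terminated source user is written as inactive, not silently dropped.
            "active": rec["status"] == "active"}

def run_job(source, mode, last_run=None):
    """Return (provisioned SCIM users, skipped ids), as a job log would list them."""
    provisioned, skipped = [], []
    for rec in read(source, mode, last_run):
        if in_scope(rec):
            provisioned.append(to_scim(rec))
        else:
            skipped.append(rec["id"])
    return provisioned, skipped
```

In this model a delta read never revisits unmodified records, so a tightened `in_scope` rule reaches them only on the next full read.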

Prerequisites

To use Identity Provisioning, you need to obtain a tenant. The service provides two types of tenants: bundle and standalone.

Tools

You can access the Identity Provisioning administration console as an HTML5 application.

Caution
Effective October 20, 2020, Identity Provisioning is offered bundled with SAP cloud solutions. You can obtain and use it, along with Identity Authentication, as part of a bundled SAP cloud solution that you need to purchase. The service is no longer sold as a standalone product. Existing customers of standalone Identity Provisioning can use it as-is until the end of their contracts.

Regional Availability

You can access Identity Provisioning tenants on the infrastructure of SAP Cloud Identity Services and the SAP BTP, Neo Environment.

Tenant Model

SAP Cloud Identity Services – Identity Provisioning provides two types of tenants: bundle and standalone.

Bundle and standalone tenants differ in pricing (in bundle tenants, Identity Provisioning is free of charge), in connector availability, and in the level of access to SAP BTP cockpit. The provisioning functionality, however, remains the same.

Both types of tenants can run on SAP Cloud Identity Services infrastructure and SAP BTP, Neo Environment.

Bundle Tenant

A bundle tenant is an instance of Identity Provisioning that comes with a set of pre-configured provisioning systems relevant to one or more bundled SAP cloud solutions.

Caution
Effective March 15, 2022, new Identity Provisioning bundle tenants are created on the infrastructure of SAP Cloud Identity Services only. Existing customers of bundle tenants on the Neo environment can continue using them as-is.

When an SAP cloud solution bundles with SAP Cloud Identity Services, you are entitled to receive Identity Authentication and Identity Provisioning tenants without additional costs on the purchase of the corresponding SAP cloud solution's license. These Identity Authentication and Identity Provisioning tenants come pre-configured with the SAP cloud solution.

You obtain an Identity Provisioning bundle tenant with a set of provisioning systems (source, target, and proxy) for which you have a license. Those systems are pre-configured in your tenant. Further usage of Identity Provisioning connectors and their availability depend on the infrastructure/environment on which your bundle tenant is running.

Regardless of how many SAP cloud solutions you have purchased, you are entitled to two Identity Provisioning bundle tenants – one for testing and one for productive purposes.

Depending on the infrastructure or the environment your bundle tenant runs on, you can access and operate it as follows:

SAP Cloud Identity Services Infrastructure

Bundle tenants created after March 15, 2022, run on SAP Cloud Identity Services infrastructure.

The Identity Provisioning admin access is fully controlled and configured in the administration console of Identity Authentication. This access is based on roles which are assigned to admin users in the Users & Authorizations screen of the Identity Authentication administration console.

SAP BTP, Neo Environment

Bundle tenants created before March 15, 2022, run on SAP BTP, Neo Environment.

Administrators of bundle tenants can only access their Identity Provisioning subaccount in SAP BTP cockpit to register OAuth clients, create connectivity destinations and configure Cloud Connector connections. This access is based on roles that are assigned to admin users in the Authorization tile of the Identity Provisioning administration console.

Standalone Tenant

A standalone tenant allows you to use Identity Provisioning as a separate (standalone) product.

Caution
Effective October 20, 2020, Identity Provisioning is offered bundled with SAP cloud solutions. You can obtain and use it, along with Identity Authentication, as part of a bundled SAP cloud solution that you need to purchase. The service is no longer sold as a standalone product. Existing customers of standalone Identity Provisioning can use it as-is until the end of their contracts.

The scope of the standalone tenant is not restricted. It can be used for provisioning of users and groups to and from all systems supported by the Identity Provisioning service.

Depending on the infrastructure or the environment your standalone tenant runs on, you can access and operate it as follows:

SAP Cloud Identity Services Infrastructure

Identity Provisioning service purchased between September 1, 2020 and October 20, 2020 runs on the infrastructure of SAP Cloud Identity Services.

You use a tenant that provides you with access to both Identity Provisioning and Identity Authentication. You can access Identity Provisioning in all regions and data centers where Identity Authentication is running.

SAP BTP, Neo Environment

Identity Provisioning service purchased before September 1, 2020, runs on the SAP BTP, Neo Environment.

You access the Identity Provisioning admin console by using SAP Business Technology Platform subaccounts through the SAP BTP cockpit. You can access Identity Provisioning in all regions available for SAP BTP, Neo Environment.

Identity Provisioning Overview
