
Can we automatically assign user group to publicly registered users in IAS?

Hi experts,

We are using IAS as the only primary identity provider for our application in the BTP. If we look under the user management menu on IAS Console, each user by default hasn't been assigned to any user groups. However, we need each user to be assigned to a certain user group so we can work with the authorization. My question is, is it possible if we want to assign a user to a user group automatically during the registration process? For example, let's say we have a user group called 'customer' and if there are users who self-register themselves, we want them to be automatically assigned to the 'customer' user group.

How can we achieve this? We're looking for your suggestions. Thank you.

Kind regards,
Lalita

Accepted Solutions (0)

Answers (6)


MSo
Product and Topic Expert
0 Kudos

Hi Chris,

this flag was introduced for a different scenario, but it will also do the job to prevent users from accessing a certain application unless the email is verified.
For your purpose everything should be available: setting the user status can be achieved with the SCIM API.

Best regards, Marko

MSo
Product and Topic Expert
0 Kudos

Hi Chris,
so you really intend to grant users access to an application even if they did not finish the account confirmation flow?
A user did not prove his identity unless he finished this step. What other verification of a user do you have in a self-registration scenario?
Never ever would I recommend to do so and it is 100% by intention that IAS by default prevents that.
But if you built a custom registration screen and use the SCIM API to manage users in IAS you have all the means at hand to do so.

Best regards, Marko

christoffer_fuss
Participant
0 Kudos

Hi again,
no, we don't. As I said there is the option in the IDP "E-Mail Verification". This is asking the user to verify the email first and you cannot enter the application until you do that. But the difference is that you don't get the error "wrong credentials"; instead you can log on and are getting to the email verification screen.

But this option is useless then for the self-registration flow... because when you click the activation link the email address is verified automatically.
So it would be nice to create the user with status active and use this E-Mail verification instead.

Best regards,
Chris

MSo
Product and Topic Expert
0 Kudos

Hi Chris,
the user status is bound to account confirmation flow. Only if the user has confirmed that he (or she) is the owner of the email inbox used for self-registration the user profile will be set to 'active'.

This behavior is from my pov for good - even legal - reasons: as self-registration I can register anyone. But I will only be able to activate such a user when clicking the activation link in the email that I received. If I am not the owner of the email inbox, I won't be able to do so.

And for the company owning the application this is very important to know: I must not treat a profile in status 'new' as valid, since it is not clear that it was really registered by the 'real' person.

Long story short: for self-registration it is not possible.
But of course it is possible to do so programmatically (e.g. via the SCIM API that Yogananda pointed to). This is intended when we have managed user lifecycle e.g. controlled by an HR system.

Best regards, Marko

christoffer_fuss
Participant
0 Kudos

Hi Marko, thanks for the quick answer 🙂
We would like to use the "Verify Email" option to confirm that the account is the real person. The difference is that the user can already log on to the application and does not get the error "Wrong credentials". With userStatus "new" the user gets the error "Wrong credentials" when he tries to log on before activating the account.
We are using SCIM API already with a custom registration screen and thought it is a good idea to switch to the IDP standard...

Best regards,
Chris

MSo
Product and Topic Expert
0 Kudos

As Martina correctly mentioned it is not possible to assign user group as part of the self-registration process.

Leveraging the SCIM API would require to develop a self-registration UI as part of the application and then programmatically create the user in IAS. Yet aside from the dev. effort one needs to be aware that the SCIM API entitles for user management on tenant level. So maybe a too strong authorization for a certain application.

Question is rather what the group assignment should be used for: if it's for a very simple authorization assignment as stated above, one could consider the user type attribute (all self-registered users will receive user type 'public').

And if this is not sufficient, why not create an Influence Request: use BTP Foundation category https://influence.sap.com/sap/ino/#/campaign/2277
But just to add: we had such requirement in the past already and it unfortunately did not make it to the backlog. Yet if many customers vote for it, it would be a strong argument.

Marko

christoffer_fuss
Participant
0 Kudos

Hi marko.sommer,
this is said that this is not possible in the self-registration process 😞 is this possible to set the userStatus to active in the self registration process instead of "new"?

Best regards,
Chris

yogananda
Product and Topic Expert
0 Kudos

lalitamarmika

Please refer to my blog and you can automate through IAS API assigning users to a group.

https://blogs.sap.com/2022/07/18/know-more-about-sap-ias-scim-apis-latest/

martina.kirschenmann

FYI
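
A sketch of the group assignment discussed in this thread, added here as an example and not taken from the linked blog or from SAP: a backend job builds a SCIM 2.0 PatchOp (RFC 7644) that adds only confirmed self-registered users to the 'customer' group. The record layout is simplified and constructed; the field names `userType` and `userStatus` follow the wording used in the thread, and the user ids are hypothetical.

```python
import json

# RFC 7644 section 3.5.2 message schema for SCIM PATCH requests.
PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def is_confirmed_public(user):
    """True only for self-registered users who completed account confirmation."""
    return user.get("userType") == "public" and user.get("userStatus") == "active"

def build_group_patch(users, current_member_ids):
    """Return a PatchOp body adding eligible, not-yet-assigned users, or None."""
    to_add = [u["id"] for u in users
              if is_confirmed_public(u) and u["id"] not in current_member_ids]
    if not to_add:
        return None
    return {
        "schemas": [PATCH_OP_SCHEMA],
        "Operations": [{
            "op": "add",
            "path": "members",
            "value": [{"value": user_id} for user_id in to_add],
        }],
    }

# Constructed sample records (simplified; not the tenant's real SCIM schema).
SAMPLE_USERS = [
    {"id": "u-1001", "userType": "public", "userStatus": "active"},
    {"id": "u-1002", "userType": "public", "userStatus": "new"},       # unconfirmed
    {"id": "u-1003", "userType": "employee", "userStatus": "active"},  # not self-registered
    {"id": "u-1004", "userType": "public", "userStatus": "active"},    # already a member
]
CUSTOMER_GROUP_MEMBERS = {"u-1004"}

if __name__ == "__main__":
    patch = build_group_patch(SAMPLE_USERS, CUSTOMER_GROUP_MEMBERS)
    # This body would go in a PATCH request to the 'customer' group resource,
    # sent by a backend job holding the tenant-level SCIM credentials.
    print(json.dumps(patch, indent=2))
```

Keeping the credentials in a scheduled backend job rather than in the application front end limits exposure of the tenant-level SCIM authorization mentioned above.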

Martina_K
Product and Topic Expert
0 Kudos

Hi Lalita,

Unfortunately, this is not possible.

Best regards,

Martina