Technology Blogs by SAP

dirk_jenrich, Advisor

Introduction

You are using SAP Cloud ALM – the cloud-based application lifecycle management tool to facilitate and streamline the implementation, operation, and continuous improvement of SAP solutions. In SAP Cloud ALM, SAP Cloud Identity Services - Identity Authentication assumes the role of the identity provider. This means that business users log on to SAP Cloud ALM with the mechanisms and credentials defined in the corresponding Identity Authentication tenant.

If the Identity Authentication service is serving as authenticating identity provider or as a proxy to your corporate identity provider, it is quite obvious that you might also want to centralize the authorization management of SAP Cloud ALM there. This blog presents a method for doing this using SAP Cloud Identity Services - Identity Provisioning – a service that automates identity lifecycle processes and helps you provision identities and their authorizations to various cloud and on-premise business applications.

In this method, the SAP Cloud ALM roles with the respective users are modeled as groups in the Identity Authentication tenant. Communication between these participants is done via the Identity Provisioning service, where they are defined as source and target systems.

Prerequisites

To provision groups from Identity Authentication with their members as roles with users assigned to them in SAP Cloud ALM, the following requirements must be met:

How to do it

  1. In your Identity Authentication tenant, define the role collections from your BTP subaccount as groups.

    It makes sense to use a common prefix for the display name, such as CloudALM_, so use CloudALM_ + <Role Collection Name> as the display name of the group. You can use any prefix you like as long as it does not include an &, because such a value would not work as a filter value (see below).

    There are two reasons for using a common prefix:

    • When you browse through all groups, you can better distinguish these groups representing the role collections.

    • Later you create filters that ensure only the groups representing role collections, and their members, are provisioned to the BTP subaccount. A common prefix for the group names makes it much easier to define which groups are to be provisioned.

  2. Add users to these groups according to the authorizations they require for SAP Cloud ALM.

    [Screenshot: Identity Authentication source groups with the common prefix and their assigned members]

  3. In your Identity Provisioning tenant, navigate to your Identity Authentication source system, tab Transformation, and ensure that the group section of the transformation is enabled – which means that it does not have an entry "ignore": true.

    [Screenshot: source system transformation with the group section enabled]

  4. In your Identity Provisioning tenant, navigate to your Identity Authentication source system, tab Properties, and define filters containing the prefix you used above, so that only the groups relevant for SAP Cloud ALM and their members are provisioned via Identity Provisioning to the BTP subaccount:

    • ias.user.filter=groups.display sw "CloudALM_"

    • ias.group.filter=displayName sw "CloudALM_"

    Note
    To provision all users from Identity Authentication to the BTP subaccount, you can skip the ias.user.filter.

    [Screenshot: source system filter properties]

  5. In your Identity Provisioning tenant, navigate to your SAP BTP XS Advanced UAA target system, tab Transformation, and ensure that the group section of the transformation is enabled and it is not ignored.

    [Screenshot: target system default group transformation]

  6. In your Identity Provisioning tenant, navigate to your SAP BTP XS Advanced UAA target system, tab Properties, and define the group prefix you used for the display name. In our example, this is: xsuaa.group.prefix=CloudALM_.

    [Screenshot: target system xsuaa.group.prefix property]

  7. After your source and target systems are configured and enabled, you can now execute the Read Job. To do so, in your Identity Provisioning tenant, navigate to your Identity Authentication source system, tab Jobs.

    Usually you want to schedule this job to run regularly, so that later changes to the groups and their members are provisioned to your BTP subaccount and thus also to SAP Cloud ALM.

    [Screenshot: running the Read Job on the source system]

  8. Check the result of the provisioning job. If any errors occur, investigate and fix them. Users or groups that are reported as failed are not provisioned; to get them into SAP BTP XS Advanced UAA with the proper authorizations, you have to fix the errors first and let the job run again.

    [Screenshot: provisioning job finished]

  9. Go to the SAP BTP Cockpit of your BTP subaccount, and select Security -> Role Collections in the navigation bar. The members of the role collection you’ve just created as a group in your Identity Authentication tenant are updated.

    [Screenshot: subaccount role collection with updated members]

That’s it! If you now create groups in your Identity Authentication tenant with your chosen prefix and the name of a role collection, assign users to these groups and wait for the next scheduled provisioning job, then the role collections and their members are updated in your BTP subaccount and SAP Cloud ALM, respectively.

There’s just one thing you should keep in mind: if you delete such a group from your Identity Authentication tenant, the most recently provisioned users of the corresponding role collection in the BTP subaccount are preserved as members of that role collection. So it is better not to delete such a group at all.

However, if you must, first remove all its members, then let the next job run provision the now empty group to the target system so that the role collection is updated. Make sure that the role collection has no more members in the BTP subaccount before you remove the group from the Identity Authentication tenant.
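The following Python model is an added example, not part of the original post and not code from SAP Identity Provisioning. It applies the two sw filters from step 4, maps prefixed groups to role collections as step 6 implies, and replays the deletion caveat above. Assumptions: the target strips xsuaa.group.prefix and uses the remainder as the role collection name, and a group absent from the source leaves its last provisioned members untouched; the group and user names are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Group:
    display_name: str          # e.g. "CloudALM_Project Admin" (constructed sample)
    members: frozenset[str]    # user names of the group's members

def parse_sw_filter(expr: str) -> tuple[str, str]:
    """Parse a SCIM starts-with filter such as: displayName sw "CloudALM_"."""
    attr, op, value = expr.split(" ", 2)
    if op != "sw" or len(value) < 2 or value[0] != '"' or value[-1] != '"':
        raise ValueError(f"unsupported filter: {expr!r}")
    value = value[1:-1]
    if "&" in value:   # the post notes that an '&' would not work as a filter value
        raise ValueError("'&' is not a usable filter value")
    return attr, value

def select_groups(groups: list[Group], group_filter: str) -> list[Group]:
    """ias.group.filter: keep only groups whose displayName starts with the prefix."""
    _attr, prefix = parse_sw_filter(group_filter)
    return [g for g in groups if g.display_name.startswith(prefix)]

def select_users(groups: list[Group], user_filter: str) -> set[str]:
    """ias.user.filter (groups.display sw ...): users in at least one prefixed group."""
    _attr, prefix = parse_sw_filter(user_filter)
    return {u for g in groups if g.display_name.startswith(prefix) for u in g.members}

def run_read_job(role_collections, source_groups, group_filter, user_filter, xsuaa_prefix):
    """One Read Job: returns the updated role collection -> members map.
    Assumption: groups missing from the source are NOT touched (the deletion caveat)."""
    users = select_users(source_groups, user_filter)
    updated = {rc: set(m) for rc, m in role_collections.items()}
    for g in select_groups(source_groups, group_filter):
        rc_name = g.display_name[len(xsuaa_prefix):]   # assumption: prefix is stripped
        updated[rc_name] = set(g.members) & users
    return updated

def demo_delete_caveat():
    """Compare deleting a group outright with emptying it first (constructed data)."""
    gf, uf, px = 'displayName sw "CloudALM_"', 'groups.display sw "CloudALM_"', "CloudALM_"
    src = [Group("CloudALM_Project Admin", frozenset({"alice", "bob"})),
           Group("Finance", frozenset({"carol"}))]      # not for Cloud ALM, filtered out
    rcs = run_read_job({}, src, gf, uf, px)
    # wrong way: the group vanishes from the source, so its members stay in the role collection
    after_delete = run_read_job(rcs, [], gf, uf, px)
    # right way: empty the group, let the job provision it, then delete it
    after_empty = run_read_job(rcs, [Group("CloudALM_Project Admin", frozenset())], gf, uf, px)
    return rcs, after_delete, after_empty
```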