Technology Blogs by SAP
normann
Advisor

Why You Should Jump On Board!


Picture this: You're using SAP Cloud Identity Services (SCI), but there's a hitch. You can't whip out your magic wand and conjure up some custom logic for any event in the Identity Directory Service (IDDS). What a downer, right?


Well, wipe that frown away! The SAP Best Practices Identity Lifecycle Service (IDLS) is here to save the day. It's like your personal superhero, giving you the power to inject your own custom wizardry into the SCI. Whether there's a tiny tweak or a mammoth modification in the IDDS, IDLS is ready to execute your custom logic, written in the language of the internet - JavaScript!

Three Fabulous Feats You Can Perform:

  1. Abra-cadabra! Change a name and the email address recalculates automatically!

  2. Have a new hire? Or a sudden termination? No worries! Activate or deactivate identities based on data in the IDDS.

  3. Organize a coup! Automatically assign groups based on juicy info like cost center.


How This Magic Works:





  1. IDLS acts like a busy bee, frequently buzzing around the IDDS to gather user information. You decide how often it buzzes.

  2. Detects any changes in the user data and neatly stacks them up in a queue in the Event Mesh service.

  3. Voila! It executes your custom logic.

  4. Writes back the modification into the IDDS, like a diligent scribe.


The service comes with a treasure chest of predefined JavaScript functions. It's nostalgia-inducing, just like good old SAP IdM. Use these to perform certain operations inside IDDS.

Peek Into A Sample Spellbook:


Here's a sneak peek at a script that covers two of the scenarios mentioned above: Recalculating an email address (including checking for uniqueness) and assigning a group based on the user's cost center.
function eventTriggered(value, event) {
    // IDLS calls this entry point for every modification it detects:
    // "Created", "Changed" or "Deleted"
    if (event.getValue() == "Changed") {
        if (value instanceof Java.type("com.sap.openapi.idds.model.User")) {
            // `changes` is the JSON string of modified attributes that the IDLS
            // runtime makes available to the script (assumed here to be a global)
            let changesMap = new Map(Object.entries(JSON.parse(changes)));
            changesMap.forEach((valueAttr, key) => {
                print(`Changes: ${value.getUserName()} : ${key} `);
                if (key == 'familyName' || key == 'givenName') {
                    handleUserNameChanged(value);
                }

                if (key == 'costCenter') {
                    addUserToGroupByCC(value);
                }
            });
            // write the modified user back into the IDDS
            utils.patchValues('user', value);
        }
    }
}


function handleUserNameChanged(user) {
    let name = user.getName();
    var familyName = name.getFamilyName();
    var givenName = name.getGivenName();
    var emailList = [];
    // build the local part once, with umlauts transliterated, so that the
    // numbered fallback addresses below are transliterated as well
    var localPart = deleteUmlauts(`${givenName}.${familyName}`);
    var email = `${localPart}@company.com`;
    var index = 1;
    // append 1, 2, 3 ... until no entry in the IDDS uses the address
    while (utils.getValueByEntry("email", email)) {
        email = `${localPart}${index}@company.com`;
        index++;
    }
    user.getEmails().forEach(element => {
        element.setValue(email);
        element.setDisplay(email);
        element.setPrimary(true);
        element.setType(utils.getEmailType('work'));
        emailList.push(element);
    });
    print(emailList);
    user.setEmails(emailList);
    user.setUserName(email);
}

function addUserToGroupByCC(user) {
    if (user.isActive()) {
        var listGroups = utils.getGroups();
        listGroups.forEach((group) => {
            // group names follow the pattern "<prefix>_<cost center number>"
            let name = group.getGroupExtension().getName();
            print(`Cost Center Name: ${name}`);
            if (name.indexOf("_") > -1) {
                let cc_number = name.substring(name.indexOf("_") + 1);
                print(`Cost Center Number: ${cc_number}`);
                if (cc_number == (user.getEnterpriseUser().getCostCenter())) {
                    utils.addUserToGroup(user.getId(), group.getId());
                }
            }
        });
    }
}

// replace German umlauts and the sharp s so the address only contains ASCII
function deleteUmlauts(value) {
    value = value.replace(/\u00e4/g, "ae");
    value = value.replace(/\u00fc/g, "ue");
    value = value.replace(/\u00f6/g, "oe");
    value = value.replace(/\u00df/g, "ss");
    value = value.replace(/\u00dc/g, "Ue");
    value = value.replace(/\u00c4/g, "Ae");
    value = value.replace(/\u00d6/g, "Oe");
    return value;
}

The function "eventTriggered" is like the red carpet rolled out for every modification the IDLS detects. This function sorts out the modifications ("Created", "Changed", "Deleted") and provides all the juicy details related to the event (like the modified name). This function is your VIP pass into the IDLS.


The functions "handleUserNameChanged" and "addUserToGroupByCC" jump into action when the name or the cost center is tweaked, and perform the necessary operations. Think of them as your trusty sidekicks, ready to perform more feats as you add them.
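Because the script only ever runs inside the IDLS engine, it is hard to see whether the e-mail recalculation really avoids collisions before you switch it on against a productive IDDS. The following is an added example, not code from the original post or from SAP's IDLS: it reimplements the name-change path as plain functions and replaces the runtime objects with constructed stand-ins. `FakeDirectory` stands in for `utils.getValueByEntry("email", ...)` and `utils.patchValues("user", ...)`, the `changes` JSON is passed in as a string instead of a global, and the user is a plain object rather than the `com.sap.openapi.idds.model.User` class. Two details go beyond the blog's version and are this example's own choices: the local part is lower-cased and scrubbed of characters that are not address-safe, and the user's own current address is not counted as a collision, so a name change that produces the same address does not get a spurious numeric suffix.

```javascript
// Added example harness, not part of the original post or of SAP's IDLS.
// It exercises the e-mail recalculation logic offline against an in-memory
// directory; every object below is constructed for this example.

// Transliterate German umlauts and the sharp s the same way the blog's
// deleteUmlauts does, using one lookup table instead of seven replace calls.
function transliterate(value) {
  const table = { "\u00e4": "ae", "\u00f6": "oe", "\u00fc": "ue", "\u00df": "ss",
                  "\u00c4": "Ae", "\u00d6": "Oe", "\u00dc": "Ue" };
  return value.replace(/[\u00e4\u00f6\u00fc\u00df\u00c4\u00d6\u00dc]/g, ch => table[ch]);
}

// Build "given.family@domain" and append 1, 2, 3 ... until `exists(email)`
// reports no collision. `exists` plays the role of
// utils.getValueByEntry("email", ...) from the IDLS script API.
function buildUniqueEmail(givenName, familyName, domain, exists) {
  const localPart = transliterate(`${givenName}.${familyName}`)
    .toLowerCase()
    .replace(/\s+/g, ".")          // "Anna Lena" -> "anna.lena"
    .replace(/[^a-z0-9.-]/g, "");  // drop anything else that is not address-safe
  let candidate = `${localPart}@${domain}`;
  for (let index = 1; exists(candidate); index++) {
    candidate = `${localPart}${index}@${domain}`;
  }
  return candidate;
}

// Constructed in-memory directory standing in for the IDDS (assumption).
class FakeDirectory {
  constructor(emails) {
    this.emails = new Set(emails.map(e => e.toLowerCase()));
  }
  // mirrors utils.getValueByEntry(attr, value): true if an entry is found
  getValueByEntry(attr, value) {
    return attr === "email" && this.emails.has(value.toLowerCase());
  }
  // mirrors utils.patchValues("user", user): here it only records the address
  patchValues(entryType, user) {
    if (entryType === "user") this.emails.add(user.email.toLowerCase());
  }
}

// Mimic the eventTriggered dispatch for one "Changed" event: act only when the
// change map touches givenName or familyName, then write back exactly once.
// Returns the user's e-mail address after the event was processed.
function applyNameChange(user, changesJson, directory) {
  const changes = JSON.parse(changesJson);
  const nameChanged = Object.keys(changes).some(k => k === "givenName" || k === "familyName");
  if (!nameChanged) return user.email;
  const taken = candidate =>
    candidate !== user.email && directory.getValueByEntry("email", candidate);
  user.email = buildUniqueEmail(user.givenName, user.familyName, "company.com", taken);
  user.userName = user.email;
  directory.patchValues("user", user);
  return user.email;
}

// Stand-alone demo with constructed data: two addresses are already taken,
// so the renamed user receives the "2" suffix.
const demoDirectory = new FakeDirectory(["jana.mueller@company.com", "jana.mueller1@company.com"]);
const demoUser = { givenName: "Jana", familyName: "M\u00fcller", email: "jana.schmidt@company.com" };
console.log(applyNameChange(demoUser, '{"familyName":"M\u00fcller"}', demoDirectory));
```

Running the block prints `jana.mueller2@company.com`. The point of the harness is that each rule (transliteration, scrubbing, self-exclusion, suffix numbering) can be checked against a constructed directory before the script is allowed to rewrite user names in the IDDS.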

So, buckle up and get ready to automate your user administration in the Cloud with SAP's IDLS!

Predefined Script Functions


This is a list of the predefined script functions available as of now:

patchValues



  • Input Parameters: <entryType>,<JSONEntry>

  • Updating the entry in the IDDS


getValueByEntry



  • Input Parameters: <searchAttribute>,<searchValue>

  • Return Value: Boolean (true if entry was found in the IDDS)

  • Search for an entry in IDDS by attribute name and value


addUserToGroup



  • Input Parameters: <userScimId>,<groupScimId>

  • Adding a user as member of a group inside the IDDS


deleteUserFromGroup



  • Input Parameters: <userScimId>,<groupScimId>

  • Removing a user as member from a group inside the IDDS


deleteUser



  • Input Parameters: <userScimId>

  • Delete a user from the IDDS


deleteGroup



  • Input Parameters: <groupScimId>

  • Delete a group from the IDDS


getGroups



  • Returning a List of all groups inside the IDDS
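The sample script above only ever calls `addUserToGroup`; it never removes a membership, so a user who moves from one cost center to another keeps the old group and the access that comes with it. The following added example, not code from the original post or from SAP's IDLS, shows how the predefined `getGroups`, `addUserToGroup` and `deleteUserFromGroup` functions fit together to reconcile memberships instead: compute what the memberships should be, then add and remove only the difference. The `utils` object, the user and group objects and the group naming scheme `<prefix>_<cost center>` are constructed stand-ins for the runtime objects (the blog reads the name via `group.getGroupExtension().getName()`; the fake groups here expose `getName()` and a `getMemberIds()` list, both assumptions of this harness).

```javascript
// Added example, not part of the original post or of SAP's IDLS: reconcile a
// user's cost-center group memberships through the predefined script functions.
// All runtime objects are constructed fakes (assumption of this harness).

const CC_GROUP_PATTERN = /^[A-Za-z]+_(\d+)$/;  // e.g. "CC_1000" -> cost center 1000

// Return the cost-center number encoded in a group name, or null when the
// group is not a cost-center group at all.
function costCenterOfGroup(groupName) {
  const match = CC_GROUP_PATTERN.exec(groupName);
  return match ? match[1] : null;
}

// Decide which memberships to add and which to remove for `user`.
// `groups` is the list utils.getGroups() returns; each entry is assumed to
// expose getId(), getName() and getMemberIds(). Non-cost-center groups are
// never touched, and an inactive user is only ever removed, never added.
function planCostCenterGroups(user, groups) {
  const plan = { add: [], remove: [] };
  for (const group of groups) {
    const cc = costCenterOfGroup(group.getName());
    if (cc === null) continue;
    const isMember = group.getMemberIds().includes(user.getId());
    const shouldBeMember = user.isActive() && cc === user.getCostCenter();
    if (shouldBeMember && !isMember) plan.add.push(group.getId());
    if (!shouldBeMember && isMember) plan.remove.push(group.getId());
  }
  return plan;
}

// Apply the plan with the predefined IDLS functions and return it for logging.
function reconcileCostCenterGroups(user, utils) {
  const plan = planCostCenterGroups(user, utils.getGroups());
  plan.add.forEach(groupId => utils.addUserToGroup(user.getId(), groupId));
  plan.remove.forEach(groupId => utils.deleteUserFromGroup(user.getId(), groupId));
  return plan;
}

// --- constructed fake runtime, so the logic can run without an IDDS tenant ---
function makeGroup(id, name, memberIds) {
  return { getId: () => id, getName: () => name, getMemberIds: () => memberIds };
}
function makeUser(id, costCenter, active) {
  return { getId: () => id, getCostCenter: () => costCenter, isActive: () => active };
}
// Records every add/remove call so a test can check what would hit the IDDS.
function makeUtils(groups) {
  const calls = [];
  return {
    getGroups: () => groups,
    addUserToGroup: (userId, groupId) => calls.push(["add", userId, groupId]),
    deleteUserFromGroup: (userId, groupId) => calls.push(["remove", userId, groupId]),
    calls,
  };
}

// Stand-alone demo: user u1 transfers from cost center 1000 to 2000 and also
// sits in an unrelated "Admins" group, which must stay untouched.
const demoGroups = [
  makeGroup("g1", "CC_1000", ["u1", "u7"]),
  makeGroup("g2", "CC_2000", ["u3"]),
  makeGroup("g3", "Admins", ["u1"]),
];
const demoUtils = makeUtils(demoGroups);
console.log(reconcileCostCenterGroups(makeUser("u1", "2000", true), demoUtils));
console.log(demoUtils.calls);
```

The demo prints `{ add: [ 'g2' ], remove: [ 'g1' ] }` followed by the two recorded calls. Keeping the decision (`planCostCenterGroups`) separate from the side effects (`reconcileCostCenterGroups`) is what makes the script testable: the plan can be asserted on, and the recorded `calls` show exactly which changes would be written to the IDDS.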


Prerequisites


The following BTP services must be available in order to use this SAP Best Practices service:

  • SAP Cloud Identity Services

  • SAP Cloud Foundry Runtime Environment

  • SAP Event Mesh Service

  • SAP Object Store Service


The Inside Scoop


If your curiosity is piqued and you're itching to know more about this service and how to roll it out, don't be shy! Reach out to me directly or shoot an email to security.consulting@sap.com. We're all ears!
