On this page you can find all the available properties to use in the Identity Provisioning service. You can filter them by system type name, "All Systems", by a word or only part of it.
|
Name |
Description |
System Type |
|---|---|---|
|
|
Protocol type for making a connection Possible values:
System Role: Source, Target, Proxy |
All systems |
|
|
URL needed to make an HTTP(S) connection to an on-premise system or a cloud service Possible value:
System Role: Source, Target, Proxy |
All HTTP systems |
|
|
Proxy type required for HTTP connection Possible values:
System Role: Source, Target, Proxy |
All HTTP systems |
|
|
Authentication type required for HTTP connection Possible values:
System Role: Source, Target, Proxy |
All HTTP systems
|
|
|
It represents:
Possible values: Text/numeric string System Role: Source, Target, Proxy |
All HTTP systems |
|
|
The OAuth Client id used for access token retrieval in case of OAuth certificate authentication. Possible values: Text/numeric string System Role: Source, Target, Proxy |
All HTTP systems |
|
|
(Credential) It represents:
Possible values: Encrypted string System Role: Source, Target, Proxy |
All HTTP systems |
|
|
Filters users by a regular expression on their username. The regex can define any kind of search pattern.
Possible values: For example: This filter returns all user names that start with capital A. System Role: Source, Proxy |
SAP Application Server ABAP |
|
|
Possible values: For example: This filter provisions all roles that start with order. System Role: Source, Proxy |
SAP Application Server ABAP |
|
|
Filters user roles by a regular expression. The regex can defineFilters users by a regular expression on their username. The regex can define any kind of search pattern. This property has a higher priority over
Possible values: For example: This regex reads all user names that start with MAR, such as MARK, MARTINA, and so on. System Role: Source, Proxy |
SAP Application Server ABAP |
|
|
Filters roles by a regular expression. The regex can define any kind of search pattern. This property has a higher priority over
Possible values: For example: This regex reads all roles that start with inter, such as internal, internship, and so on. System Role: Source, Proxy |
SAP Application Server ABAP |
|
|
This property distinguishes SAP Application Server ABAP (AS ABAP) roles by specific prefix. It is an optional property which does not appear by default at system creation. Example value: You can use the example value or provide your own.
System Role: Source and Target |
SAP Application Server ABAP |
|
|
Filters users by a regular expression, based on their Role memberships in AS ABAP. The regex can define any kind of search pattern. Possible values: For example: This reads all users who have an assigned role which starts with new. This regex is case insensitive, which means the result can be roles starting with new, or New, or NEW, and so on. System Role: Source, Proxy |
SAP Application Server ABAP |
|
|
(Credential) This property corresponds to the Application key for your SAP Ariba application. You obtain it during the creation of your application in the SAP Ariba developer portal. See: How to find your application's application key and OAuth client ID Possible values: Text/numeric string For example: This property corresponds to the SAP Ariba realm that your application has access to. To learn how to get it, see: 123abc123XYZ000abc123ABC012345 System Role: Source, Target, Proxy |
SAP Ariba Applications |
|
|
This property corresponds to the SAP Ariba realm that yourHow to find your SAP Ariba realm name? Possible values: Text/numeric string For example: 123abc123XYZ000abc123ABC012345 System Role: Source, Target, Proxy |
SAP Ariba Applications |
|
|
This property allows or forbids reading "nested groups" (group structures) from SAP Ariba Applications. If enabled (true), group members of type group will be ignored during read in order not to be provisioned to target systems that do not support nested groups. Possible values: Default value:
Predefined value (during system creation):
System Role: Source, Proxy |
SAP Ariba Applications |
|
|
This property distinguishes SAP Ariba Applications groups by specific prefix. It is an optional property which does not appear by default at system creation. Example value: You can use the example value or provide your own.
System Role: Source and Target |
SAP Ariba Applications |
|
|
The default value of this property is false. But for SAP Ariba Applications proxy systems, this property appears during creation and its predefined value is true. That means, when the Identity Provisioning identifies a changed entity in the back-end system, it will execute the updates as PATCH requests instead of PUT. That is, only changes will be written in SAP Ariba Applications, instead of provisioning the whole entity data. Note that only attributes without
Possible values: Default value: false Predefined value (during system creation): true System Role: Target, Proxy |
SAP Ariba Applications |
|
|
When specified, only those SAP Ariba Applications users matching the filter expression will be read. Possible values: For example: userName eq "SmithJ" System Role: Source |
SAP Ariba Applications |
|
|
When specified, only those SAP Ariba Applications groups matching the filter expression will be read. Possible values: For example: displayName eq "ProjectTeam1" System Role: Source |
SAP Ariba Applications |
|
|
This property makes a SAP Ariba Applications connector to send a specified value for the Content-Type HTTP header. This is needed because SAP Ariba Applications could potentially not implement the protocol in the specification, which states that a system must accept application/scim+json as a value of theContent-Type header. Possible values: For example: application/json Default value: application/scim+json System Role: Target, Proxy |
SAP Ariba Applications |
|
|
When the Identity Provisioning attempts to provision a user for the first time, it may detect that such a user already exists in SAP Ariba Applications. Thus, the service needs to retrieve the entityId of the existing user via filtering by user unique attribute(s). This property defines by which unique attribute(s) the existing user to be searched (resolved). According to your use case, choose how to set up this property:
Possible values:
Default value: userName System Role: Target, Proxy |
SAP Ariba Applications |
|
|
If the Identity Provisioning tries to create a group that already exists on the SAP Ariba Applications target system, the creation will fail. In this case, the existing group only needs to be updated. This group can be found via search, based on an attribute (default or specific). To make the search filter by a specific attribute, specify this attribute as a value for this property. Possible values: Default value (when not specified): displayName If the property is not specified, the search is done by the default attribute: displayName System Role: Target, Proxy |
SAP Ariba Applications |
|
|
Makes the SAP Ariba Applications connector send the If-Match HTTP header with a value of “*” for every request to the target system. This header could be used by an SAP Ariba Applications system for entity versioning. Possible values:
Default value: false System Role: Target, Proxy |
SAP Ariba Applications |
|
|
The number of group members that SAP Ariba Applicationsreturns per request when reading a group. When the Identity Provisioning reads a group, it compares the number of group members with the value configured for
Setting the property Default value: 50 System Role: Source, Proxy |
SAP Ariba Applications |
|
|
This property enables paging of group members. When it is set to true, all groups with members count exceeding the value defined in Possible values:
Default value: true System Role: Source, Proxy |
SAP Ariba Applications |
|
|
The number of user groups that SAP Ariba Application returns per request when reading a user. When the Identity Provisioning reads a user, it compares the number groups assigned with the value configured for
Setting the property Default value: 50 System Role: Source, Proxy |
SAP Ariba Applications |
|
|
This property enables paging of user’s groups. This maximum value is specified by the property To read a user with 'groups' attribute over the configured value, set Possible values:
Default value: true System Role: Source, Proxy |
SAP Ariba Applications |
|
|
When specified, only those SAP Ariba Buying users matching the filter expression will be read. You can set a single attribute or multiple ones as search criteria. Supported filtering by the following attributes:
Possible values: For example:
System Role: Source, Proxy |
SAP Ariba Buying |
|
|
This property controls how modified users in the source system are updated in the target system.
Users can be updated in the target system in various cases, such as:
In the last two cases, it's possible to keep the entity in the target system – it will not be deleted but only disabled. To do this, use the Possible values:
Default value: false System Role: Target, Proxy |
SAP Ariba Buying |
|
|
When Identity Provisioning attempts to provision a user for the first time, it may detect that such a user already exists on the target system. Thus, the service needs to retrieve the entityId of the existing user via filtering by user unique attribute(s). This property defines by which unique attribute(s) the existing user to be searched (resolved). If the service finds such a user on the target system via this filter, then the conflicting user will overwrite the existing one. If the service does not find such a user, the creation will fail. If the service finds an existing user by at least one of the uniqueness criteria, which are email, userName, or urn:ietf:params:scim:schemas:extension:sap:2.0:User:userUuid, it updates this user with the data of the conflicting one. If such a user is not found, that means the conflict is due to another reason, so the update of the conflicting user fails. If more than one users with these unique attributes are found, the update fails. According to your use case, choose how to set up this property:
Possible values:
Default value: userName System Role: Target, Proxy |
SAP Ariba Buying |
|
|
Makes the SAP Ariba Buying connector send the If-Match HTTP header with a value of “*” for every request to the target system. This header could be used by an SAP Ariba Buying system for entity versioning. Possible values:
Default value: false System Role: Target, Proxy |
SAP Ariba Buying |
|
|
This property defines the API version that the API of your SAP Sales Cloud and SAP Service Cloud system uses. Possible values:
By default, Identity Provisioning uses version 3, which means - SCIM 2.0 based API. System Role: Source, Target, Proxy |
SAP Sales Cloud and SAP Service Cloud |
|
|
The value of this property is the origin key of your SAP Cloud Identity Services tenant. You can find it in the SAP BTP cockpit. Go to your SAP BTP subaccount, choose Trust Configuration and see the value under Origin Key for the relevant Custom Identity Provider for Platform Users. The value of this property is a string, which always ends with the suffix -platform. It will be used as the origin attribute in the system transformation. Possible values: Text/numeric string System Role: Source, Target, Proxy |
SAP BTP Platform Members (Cloud Foundry) |
|
|
Enter the technical key of the landscape in which your multi-environment subaccount with enabled Cloud Foundry environment is located. For more information, see Regions and API Endpoints Available for the Cloud Foundry Environment. For example: Possible values: Text/numeric string System Role: Source, Target, Proxy |
SAP BTP Platform Members (Cloud Foundry) |
|
|
This property distinguishes SAP BTP Platform Members (Cloud Foundry) groups by specific prefix. It is an optional property which does not appear by default at system creation. Example value: You can use the example value or provide your own.
System Role: Source and Target |
SAP BTP Platform Members (Cloud Foundry) |
|
|
When specified, only those SAP BTP Platform Members (Cloud Foundry) users matching the filter expression will be read. Possible values: For example: userName eq "SmithJ" **System Role:**Source, Proxy |
SAP BTP Platform Members (Cloud Foundry) |
|
|
The Identity Provisioning service uses a single predefined namespace for all attributes. However, you can provision entities by defining your own (custom) namespaces for some attributes. For this purpose, you have to:
For more information, see: SAP Sales Cloud and SAP Service Cloud Possible values: The value of this property is the namespace URI. For <prefix>, enter the prefix of the custom XML namespace (for example, a123). Example for setting up the whole property: c4c.custom.namespace.a123=http://sap.com/xi/AP/CustomerExtension/ABC/A123XX System Role: Target |
SAP Sales Cloud and SAP Service Cloud |
|
|
When specified, only those SAP Central Business Configuration users matching the filter expression will be read.
Possible values: For example: name.familyName eq "Smith" and addresses.country eq "US" System Role: Source, Proxy |
SAP Central Business Configuration |
|
|
When specified, only those SAP Central Business Configuration groups matching the filter expression will be read. Possible values: For example: displayName eq "ProjectTeam1" or "Employees2020" System Role: Source, Proxy |
SAP Central Business Configuration |
|
|
This property distinguishes SAP Central Business Configuration groups by specific prefix. It is an optional property which does not appear by default at system creation. Example value: You can use the example value or provide your own.
System Role: Source and Target |
SAP Central Business Configuration |
|
|
This property filters groups by display name or externalId. When specified, only those groups matching the filter expression will be read. Possible values:
For example: displayName eq "SAP_Data_Custodian_Auditor" System Role: Source, Proxy |
SAP Data Custodian |
|
|
If the service tries to create a group that already exists in the target system, the creation will fail. In this case, the existing group only needs to be updated. This group can be found via search, based on an attribute (default or specific). To make the search filter by a specific attribute, specify this attribute as a value for the If the property is not specified, the search is done by the default attribute: displayName System Role: Target, Proxy |
SAP Data Custodian |
|
|
When specified, only those SAP Data Custodian users matching the filter expression will be read. You can filter users by userName, displayName or externalId. Possible values: For example: userName eq "Smith.J" System Role: Source, Proxy |
SAP Data Custodian |
|
|
When Identity Provisioning attempts to provision a user for the first time, it may detect that this user already exists on the target system. Thus, the service needs to retrieve the entityId of the existing user via filtering by user unique attribute(s). This property defines by which unique attribute(s) the existing user will be searched and resolved. If the service finds a user on the target system via this filter, then the conflicting user will overwrite the existing one. If the service does not find a user on the target system via this filter, the creation will fail. Default behavior: This property is missing during system creation. Its default value is userName. This means, if the service finds an existing user by a userName, it updates this user with the data of the conflicting one. If a user with such userName is not found, the creation of the conflicting user fails. Possible values: Default value: userName System Role: Target, Proxy |
SAP Data Custodian |
|
|
Makes the connector send a specified value for the Content-Type HTTP header. This is needed because a SCIM system could potentially not implement the protocol in the specification, which states that a system must accept application/scim+json as a value of the Content-Type header. Possible values: For example: application/json If the property is not specified, the default value is taken: application/scim+json System Role: Target, Proxy |
SAP Data Custodian |
|
|
Makes the SAP Data Custodian connector send the If-Match HTTP header with a value of “*” for every request to the target system. This header could be used by an SAP Data Custodian system for entity versioning. Possible values:
Default value: false System Role: Target, Proxy |
SAP Data Custodian |
|
|
This property controls how modified users in the source system are updated in the target system.
Users can be updated in the target system in various cases, such as:
In the last two cases, it's possible to keep the entity in the target system – it will not be deleted but only disabled. To do this, use the Possible values:
Default value: false System Role: Target, Proxy |
SAP Data Custodian |
|
|
This property distinguishes SAP Data Custodian groups by specific prefix. It is an optional property which does not appear by default at system creation. Example value: You can use the example value or provide your own.
System Role: Source, Target |
SAP Data Custodian |
|
|
When specified, only those SAP Datasphere users matching the filter expression will be read. Possible values: For example: userName eq "SmithJ" **System Role:**Source, Proxy |
SAP Datasphere |
|
|
When the Identity Provisioning attempts to provision a user for the first time, it may detect that such a user already exists in SAP Datasphere. Thus, the service needs to retrieve the entityId of the existing user via filtering by user unique attribute(s). This property defines by which unique attribute(s) the existing user to be searched (resolved). According to your use case, choose how to set up this property:
Possible values:
Default value: userName System Role: Target, Proxy |
SAP Datasphere |
|
|
This property makes the SAP Datasphere connector send the If-Match HTTP header with a value of “*” for every request to the target system. The header could be used by an SAP Datasphere system for entity versioning. Possible values:
Default value: false System Role: Target, Proxy |
SAP Datasphere |
|
|
This property controls how modified entities (users and groups) in the source system are updated in the target system.
Possible values:
Default value: false System Role: Target, Proxy |
SAP Datasphere |
|
|
This property enables bulk operations for users. When bulk operations are enabled (set to true), Identity Provisioning service creates, updates, and deletes multiple users in one request. When bulk operations are not enabled (set to false), Identity Provisioning service creates, updates, and deletes one user at a time. For more information, see: SCIM Protocol: Bulk Operations Possible values:
Default value: false System Role: Target |
SAP Datasphere |
|
|
If you have enabled the SCIM bulk operations, you can use this property to set the number of users to be provisioned per request. Possible values: Default value: 30
System Role: Target |
SAP Datasphere |
|
|
Specifies whether to fetch a CSRF token when sending requests to the system. The property is automatically added in the system, with default value: enabled. Possible values:
Default value: enabled System Role: Target, Proxy |
SAP Datasphere |
|
|
Enter a comma-separated list of application names. That could be applications deployed on your account, or applications for which your account has subscribed. The property returns the roles assigned to these applications. Possible values: Use the following format (no spaces): <app_name1>,<app_name2>,<provider_subaccount>:<provider_app> For example: myapp1,myapp2,provider1:app123,provider2:cloud789,mynewapp
System Role: Source |
SAP BTP Java/HTML5 apps (Neo) |
|
|
If you set this property to true, the Identity Provisioning will read the following additional attributes for a SAP Business Technology Platform group:
Possible values:
Default value: false System Role: Proxy |
SAP BTP Java/HTML5 apps (Neo) |
|
|
This property distinguishes groups from Java/HTML5 applications running on SAP BTP, Neo environment by specific prefix. It is an optional property which does not appear by default at system creation. Example value: You can use the example value or provide your own.
System Role: Source and Target |
SAP BTP Java/HTML5 apps (Neo) |
|
|
Use this property when you execute hybrid scenarios with SAP Business Technology Platform (Neo) as a SCIM proxy system, and you update an entity (mostly relevant to groups, like when you change the members of a group) via a PATCH request. If you set this property to true, the successful If you don't specify the property (or it's set to false), the successful For more information, see: SCIM 2.0: Modifying with PATCH. Possible values:
Default value: false System Role: Proxy |
SAP BTP Java/HTML5 apps (Neo) |
|
|
When specified, only those SAP Intelligent Agriculture groups matching the filter expression will be read. Possible values:
For example: displayName eq "intagri_Master_Data_Manager" System Role: Source, Proxy |
SAP Intelligent Agriculture |
|
|
When specified, only those SAP Intelligent Agriculture users matching the filter expression will be read. Supported operators: Possible values: For example: userName eq "Smith.J" emails eq "[email protected]" System Role: Source, Proxy |
SAP Intelligent Agriculture |
|
|
If the service tries to create a group that already exists in the target system, the creation will fail. In this case, the existing group only needs to be updated. This group can be found via search, based on an attribute (default or specific). This property defines by which unique attribute(s) the existing group will be searched and resolved. The default value is displayName. Currently, it is the only unique attribute that is supported. When set, you can expect the following behavior:
Possible values: If the property is not specified, the search is done by the default attribute: System Role: Target, Proxy |
SAP Intelligent Agriculture |
|
|
When Identity Provisioning attempts to provision a user for the first time, it may detect that this user already exists on the target system. Thus, the service needs to retrieve the entityId of the existing user via filtering by user unique attribute(s). This property defines by which unique attribute(s) the existing user will be searched and resolved. If the service finds a user on the target system via this filter, then the conflicting user will overwrite the existing one. If the service does not find a user on the target system via this filter, the creation will fail. Default behavior: This property is missing during system creation. Its default value is userName. This means, if the service finds an existing user by a userName, it updates this user with the data of the conflicting one. If a user with such userName is not found, the creation of the conflicting user fails. Possible values:
Default value: userName System Role: Target, Proxy |
SAP Intelligent Agriculture |
|
|
This property controls how modified entities (users and groups) in the source system are updated in the target system.
Possible values:
Default value: false System Role: Target, Proxy |
SAP Intelligent Agriculture |
|
|
This property distinguishes SAP Intelligent Agriculture groups by specific prefix. It is an optional property which does not appear by default at system creation. Example value: You can use the example value or provide your own.
System Role: Source, Target |
SAP Intelligent Agriculture |
|
|
Makes the connector send the If-Match HTTP header with a value of “*” for every request to the target system. This header could be used by an SAP Intelligent Agriculture system for entity versioning. Possible values:
Default value: false System Role: Target, Proxy |
SAP Intelligent Agriculture |
|
|
This property filters groups by display name. You can set a single display name or multiple ones as filter criteria. If you enter multiple display names (using Value pattern (single): displayName eq "<group_name>" Value pattern (multiple): displayName eq "<group_name1>" or displayName eq "<group_name2>" Possible values: For example:
System Role: Source, Proxy |
Local Identity Directory |
|
|
This property filters users by particular attributes. You can set a single attribute or multiple ones as search criteria. Value pattern (single): <user_attribute> eq "<value>" Value pattern (multiple): <user_attribute1> eq "<value1>" and/or <user_attribute2> eq "<value2>" Possible values: For example:
System Role: Source, Proxy |
Local Identity Directory |
|
|
This property enables paging of group members. The maximum number of group members returned per request is 20 000. To read more than 20 000 group members, paging must be enabled. Possible values:
Default value: false System Role: Source, Proxy |
Local Identity Directory |
|
|
This property enables paging of user’s groups. The maximum number of user’s groups returned per request is 1000. To read more than 1000 user’s groups, paging must be enabled. Possible values:
Default value: false System Role: Source, Proxy |
Local Identity Directory |
|
|
Makes the connector send a specified value for the Content-Type HTTP header. This is needed because a SCIM system could potentially not implement the protocol in the specification, which states that a system must accept application/scim+json as a value of the Content-Type header. Possible values: For example: application/json If the property is not specified, the default value is taken: application/scim+json System Role: Target, Proxy |
Local Identity Directory |
|
|
If you try to provision a group that already exists in a target system, the group creation will fail. In this case, the existing group only needs to be updated. This property defines by which unique attribute(s) the existing group will be searched and resolved. The default value is displayName. Currently, it is the only unique attribute that is supported. When set, you can expect the following behavior:
Possible values: If the property is not specified, the search is done by the default attribute: System Role: Target, Proxy |
Local Identity Directory |
|
|
Makes the connector send the If-Match HTTP header with a value of “*” for every request to the target system. This header could be used by a SCIM system for entity versioning. Possible values:
Default value: false System Role: Target, Proxy |
Local Identity Directory |
|
|
This property controls how modified entities (users and groups) in the source system are updated in the target system.
Users and groups can be updated in the target system in various cases, such as:
In the last two cases, it's possible to keep the entity in the target system – it will not be deleted but only disabled. To do this, use the Possible values:
Default value: false System Role: Target, Proxy |
Local Identity Directory |
|
|
Controls whether automatic conflict resolution is switched on or off in Local Identity Directory (target system) when provisioning is triggered from source systems containing different users with the same user identifiers (IDs). For example, when SAP SuccessFactors and SAP SuccessFactors Learning are configured as source systems for provisioning users to Local Identity Directory, it could happen that different SAP SuccessFactors and SAP SuccessFactors Learning users have the same user IDs. In this case, when the first user is created in Local Identity Directory, after triggering a provisioning job, the second (conflicting) user will either overwrite the already existing one (automatic conflict resolution is switched on) or will fail and won't be created (automatic conflict resolution is switched off). To control this behavior, you can use the Possible values:
Default value: true System Role: Target |
Local Identity Directory |
|
|
When Identity Provisioning attempts to provision a user for the first time, it may detect that this user already exists on the target system. Thus, the service needs to retrieve the entityId of the existing user via filtering by user unique attribute(s). This property defines by which unique attribute(s) the existing user will be searched and resolved. If the service finds a user on the target system via this filter, then the conflicting user will overwrite the existing one. If the service does not find a user on the target system via this filter, the creation will fail. According to your use case and system type, choose how to set up this property:
Possible values:
Default value: userName System Role: Target, Proxy |
Local Identity Directory |
|
|
In addition to configuring this property, you also need to adapt the write transformation. For example, if you want to disable a user account in Local Identity Directory, you need to do the following:
In this case, the For more information, see: Transformation Expressions → Scope → deleteEntity Possible values:
Default value: false When the property is set to true, adapt the write transformation with the attribute name and the attribute value you want to update: System Role: Target |
Local Identity Directory |
|
|
This is a default property that the Identity Provisioning UI automatically adds to the configuration of every newly created system. The property allows you to change the default date format to another, more suitable for your scenario. See also: Transformation Variables. Possible values: Default value: yyyy-MM-dd HH:mm:ss.SSS System Role: Source, Target, Proxy |
All systems |
|
|
Use case: An entity exists on the target system, and then a provisioning job reads the same entity from a source system and updates it on the target. If later on you delete this entity from the source system, the next provisioning job will recognize it as a "previously existed one" and will not delete it from the target. If you want such recognized entities to be deleted from the target as well, open the relevant target system and set this property to true. For more information, see Manage Deleted Entities. Possible values:
Default value: false System Role: Target, Proxy |
All systems |
|
|
This property defines whether or not the Identity Provisioning service to overwrite user/group assignments that have existed in the target system before you start provisioning entities to that system. Example: Let's say there is a group in the target system that contains some assignments (users and subgroups). In the source system there is a matching group, which contains different assignments.
Possible values:
Default value: true System Role: Target |
SAP Application Server ABAP |
|
|
If an entity operation fails due to an occurred exception (rate limit, bad gateway, missing authorization, or timeout), you can specify a number of retries for this operation. Use this property to set the number of retries.
Possible values: Default value: 2 Maximum value: 3 System Role: Source, Target, Proxy |
All systems
|
|
|
Specify a time interval (in seconds) between the retries, in case an operation fails due to an occurred exception. This property is related to Possible values: Default value: 30 Maximum value: 60
System Role: Source, Target, Proxy |
All systems
|
|
|
If you have activated notifications for a source system and a provisioning job fails, you'll receive notification e-mails with subject Provisioning Finished with Error. You can also receive an e-mail if you manually stop a running job. With property
This property has a higher priority than See also: Manage Job Notifications. Possible values:
Default value: false. That means, when a job fails, only one notification e-mail will be sent. System Role: Source |
All systems |
|
|
If you have activated notifications for a source system and a provisioning job fails, you'll receive notification e-mails with subject Provisioning Finished with Error. You can also receive an e-mail if you manually stop a running job. With property
Example: If you set See also: Manage Job Notifications. Possible values: Default value: 0. That means, a notification e-mail will be sent after the first job fail. System Role: Source |
All systems |
|
|
If you have activated notifications for a source system, and an entity fails during the provisioning job, you'll receive one notification e-mail with subject Provisioning Running with Error. Property
See also: Manage Job Notifications. Possible values:
Default value: false. That means, after the first failed entity, a notification e-mail will be sent. System Role: Source |
All systems |
|
|
If a provisioning job repeatedly fails and you need problem investigation, you can enable logging and tracing for the personal and sensitive data of your provisioned entities. To do this, set this property to true. If the property is not set, in the logs you see: To learn more about personal and sensitive data, see:
Possible values:
Default value: false System Role: Source |
All systems |
|
|
If a provisioning job results in skipping entities from source or target systems, you can view the details for each skipped user and group. To do this, you need to enable logging and tracing for the personal and sensitive data of your provisioned entities by setting the property to true. If the property is not set, in the logs you see: To learn more about personal and sensitive data, see:
Possible values:
Default value: false System Role: Source |
All systems |
|
|
This property allows you to download and view the details of all skipped entities for a given job in a Possible values:
Default value: false System Role: Source |
All systems |
|
|
Use this property to pass additional information with the HTTP requests. The provisioning system may override your custom HTTP headers, if specific header settings are implemented in the system. Possible values: Example for an authorization header:
System Role: Source, Target, Proxy |
All HTTP systems |
|
|
If this property is enabled, every time a provisioning job is started, it does not retrieve the entire amount of source system data but only the last changed entities. For more information, see Manage Full and Delta Read. Possible values:
System Role: Source |
|
|
|
If your system (connector) works in delta read mode, it's recommended to enforce full reads from time to time. To achieve this, set this property to an integer number. Possible values: For example: 10 This value results in alternating full reads after every 10 delta reads are performed. In case the property is not set, only delta read jobs will be executed. For more information, see Manage Full and Delta Read. System Role: Source |
|
|
|
This property holds the value of the applicationId group attribute. Its main purpose is to show that a group is associated with a particular application. This is an optional property set by the customer. The application ID is the identifier of an application configured in SAP Cloud Identity Services - Identity Authentication that corresponds to a particular source system configured in the Identity Provisioning admin consoleadministration console for SAP Cloud Identity Services. It is used to distinguish groups provisioned from various source systems to the Identity Directory of SAP Cloud Identity Services. When the property is set, the groups are provisioned with their applicationId attribute which is internally mapped to the name of the corresponding application. As a result, the name of the associated application with the group is displayed in the Application Name field under Users&Authorizations > Groups. System Role: Source |
|
|
|
If you need to make OAuth authentication to the system, enter the URL to the access token provider service. Possible values: Access token URL System Role: Source, Target, Proxy |
|
|
|
If your backend system is OAuth protected and requires an access token with scope, use this property to specify the scope. It defines the token's level of access to protected resources. This is an optional property. Providing a value only makes sense if the backend system and its trusted OAuth server requires it. For more information, see OAuth Scopes. Example value of Google G Suite OAuth scope: Although Google G Suite OAuth scopes look like URLs, they are not web pages. They are access token permissions. Possible values: Scopes are system specific. System Role: Source, Target, Proxy |
|
|
|
Enter the user for AS ABAP. System Role: Source, Target, Proxy |
SAP Application Server ABAP |
|
|
(Credential) Enter the password for the AS ABAP user. System Role: Source, Target, Proxy |
SAP Application Server ABAP |
|
|
Enter the virtual host entry that you have configured in the Cloud connector → Access Control configuration. Possible values: For example: abapserver.hana.cloud System Role: Source, Target, Proxy |
SAP Application Server ABAP |
|
|
Enter the client to be used in the ABAP system. Valid format is a three-digit number. Possible values: For example: 001 System Role: Source, Target, Proxy |
SAP Application Server ABAP |
|
|
Enter the three-character system ID of the ABAP system to be addressed. Possible values: For example: WPE System Role: Source, Target, Proxy |
SAP Application Server ABAP |
|
|
Enter the "system number" of the ABAP system. Possible values: For example: 42 System Role: Source, Target, Proxy |
SAP Application Server ABAP |
|
|
Defines the proxy type of the connection you need to provide for your ABAP system. The proxy type OnPremise requires the Cloud Connector to access resources within your on-premise network. Possible values:OnPremise System Role: Source, Target, Proxy |
SAP Application Server ABAP |
|
|
Represents the maximum number of active connections that can simultaneously be created for a destination. Possible values: For example: 10 System Role: Source, Target, Proxy |
SAP Application Server ABAP |
|
|
Represents the maximum number of idle connections kept open by the destination. Possible values: For example: 5 System Role: Source, Target, Proxy |
SAP Application Server ABAP |
|
|
Represents the message server host to be used. System Role: Source, Target, Proxy |
SAP Application Server ABAP |
|
|
(Credential) Enter the Concur access token needed for the connection. System Role: Target, Proxy |
SAP Concur |
|
|
Enter the Google G Suite user on behalf of which the Google Directory API is called. System Role: Target, Proxy |
Google G Suite |
|
|
Enter space-separated Google Directory API authorization scopes. System Role: Target, Proxy |
Google G Suite |
|
|
URL needed to make an LDAP connection to an on-premise system or a cloud service Possible values: System Role: Source, Target, Proxy |
|
|
|
Proxy type for the LDAP connection Possible values: OnPremise System Role: Source, Target, Proxy |
|
|
|
Authentication type for the LDAP connection Possible values: BasicAuthentication System Role: Source, Target, Proxy |
|
|
|
User name for the LDAP Server Possible values: Text/numeric string System Role: Source, Target, Proxy |
|
|
|
(Credential) Password for the LDAP Server user Possible values: Encrypted string System Role: Source, Target, Proxy |
|
|
|
Enter the complete path to the node containing the groups in the LDAP tree.
Possible values: For example:
System Role: Source, Target, Proxy |
|
|
|
Enter the complete path to the users in the LDAP Server or Microsoft AD.
Possible values: For example:
System Role: Source, Target, Proxy |
|
|
|
Shows which user attributes to be read from the LDAP server the source system, LDAP server or Microsoft AD(and respectively, from the intermediate JSON data). Separate the attributes by comma (,). Possible values:
If nothing is set, all attributes are read. System Role: Source, Proxy |
|
|
|
Shows which group attributes to be read from the LDAP server the source system, LDAP server or Microsoft AD(and respectively, from the intermediate JSON data). Separate the attributes by comma (,). Possible values:
If nothing is set, all attributes are read. System Role: Source, Proxy |
|
|
|
Criteria for user. In the intermediate JSON data, the following LDAP filter is used: For target LDAP systems: this property defines the set of supported and required attributes for an LDAP user entity. Possible values: Default value: inetOrgPerson System Role: Source, Target, Proxy |
|
|
|
Criteria for group. In the intermediate JSON data the following LDAP filter is used: For target LDAP systems: this property defines the set of supported and required attributes for an LDAP group entity. Possible values: Default value: groupOfNames System Role: Source, Target, Proxy |
|
|
|
By default, the memberOf array in the source JSON data contains the CN part of the complete distinguished name of the groups to which the entity belongs. An administrator can use this property to change the default behavior and specify an attribute name to be used instead of CN.
Possible values:
System Role: Source, Target, Proxy |
|
|
|
This property denotes the ID of a group.
Possible values:
System Role: Source, Target, Proxy |
|
|
|
This property denotes the distinguished name of a user or a group. The distinguished name is auttomatically assigned and cannot be configured. The behavior described below is valid only when Microsoft Active Directory is used as target system: When the Identity Provisioning attempts to provision a user or a group to Microsoft Active Directory for the first time, it may detect that such a user or group already exists on the target system. Thus, the service needs to retrieve the entityId of the existing user or group by using this property for conflict resolution. If the service finds such a user on the target system via this filter, the creation will fail. In this case, the conflicting user will overwrite the existing one. If the service finds such a group on the target system via this filter, the creation will fail. In this case, the existing group only needs to be updated. If the service does not find a user or a group via this filter, the creation will fail. Possible values: Default and only possible value: distinguishedName System Role: Source, Target, Proxy |
|
|
|
Determines the value of the This property can return either the common name (CN) of the user or the entire distinguished name (DN). Possible values:
System Role: Source |
|
|
|
This property denotes the ID of a user. When a user is a member of a group, this property evaluates the attribute used as ID of this member. In this case, the Possible values: Possible values for LDAP Server:
System Role: Source, Target, Proxy |
|
|
|
Default value: member System Role: Source, Target, Proxy |
LDAP Server |
|
|
Default value: mail System Role: Source, Target, Proxy |
LDAP Server |
|
|
Default value: mobile System Role: Source, Target, Proxy |
LDAP Server |
|
|
Default value: givenName System Role: Source, Target, Proxy |
LDAP Server |
|
|
Default value: sn System Role: Source, Target, Proxy |
LDAP Server |
|
|
Default value: memberOf System Role: Source, Target, Proxy |
LDAP Server |
|
|
Default value: telephoneNumber System Role: Source, Target, Proxy |
LDAP Server |
|
|
The LDAP object classes have attributes required for creation of entities.
Default value: cn System Role: Target, Proxy |
LDAP Server |
|
|
The LDAP object classes have attributes required for creation of entities.
Default value: cn System Role: Target, Proxy |
LDAP Server |
|
|
When set to true, the SCIM Value true is required because the SCIM Default value: true System Role: Proxy |
LDAP Server |
|
|
When set to true, the SCIM When set to false or the property is missing, the Default value: true System Role: Proxy |
LDAP Server |
|
|
You can optimize the search to return only particular users. To enter correct user filters, stick to the standard LDAP specification. See: LDAP Representation of Filters – Examples. Possible values: For example: Value (cn=123*) will return only users whose UID starts with "123" (such as 1234567689 or 1230011). By default, this filter is empty. That is, if the property is not specified, the filter will search for every user. System Role: Source |
|
|
|
You can optimize the search to return only particular groups. To enter correct group filters, stick to the standard LDAP specification. See: LDAP Representation of Filters – Examples. Possible values: For example: Value (cn=mar*) will return only groups whose CN starts with "mar" (such as marked, March, or Marketing). By default, this filter is empty. That is, if the property is not specified, the filter will search for every group. System Role: Source |
|
|
|
Use this property to configure the paging (pagination). That means, the number of entities to be read from the LDAP server at once. Possible values: Default value: 100
System Role: Source |
|
|
|
Defines the version of LDAP Server API. Possible values:
If the property is not defined - LDAP Server API version 1 is used. System Role: Source, Target, Proxy |
LDAP Server
|
|
|
Use this property to configure the paging. That means, the number of entities to be read from Concur at once. Possible values: Default value: 100
System Role: Source |
SAP Concur |
|
(Deprecated) |
Use this property to filter users and groups by specific criteria, according to the API syntax of Microsoft Entra ID.
Possible values: Default value: null To set a particular value, see Microsoft Graph: filter parameter. System Role: Source |
Microsoft Entra ID |
|
|
Use this property to configure the paging. That means, the number of entities to be read from Google G Suite at once. Possible values: Default value: 100
System Role: Source |
Google G Suite |
|
|
This property determines whether recently deleted entities should be read.
Possible values:
Default value: false System Role: Source |
Google G Suite |
|
|
This property determines whether entities from a particular domain should be read. Possible values: For example: myaccount.ondemand.com System Role: Source |
Google G Suite |
|
|
This property determines whether entities for a particular customer ID to be read. This property takes precedence over Possible values: Customer ID number For more information, see Google G Suite API: User Accounts. System Role: Source |
Google G Suite |
|
|
Use this property if you want to specify the read timeout (in milliseconds) for an LDAP connection. Possible values: For example: 5000 This value causes the LDAP service provider to abort the read attempt if the server does not respond within 5 seconds. System Role: Source |
|
|
|
Use this property if you want to set the timeout (in milliseconds) for connecting to the LDAP server. Possible values: For example: 500 This value causes the LDAP service provider to abort the connection attempt if a connection cannot be established in half a second. System Role: Source |
|
|
|
Enter the URL to the Microsoft Graph. Possible values: https://graph.microsoft.com System Role: Source, Target, Proxy |
Microsoft Entra ID |
|
|
There are target systems that do not support nested groups (group structures). Therefore, if your Microsoft AD system contains such groups, they will not be resolved properly during the provisioning job. Such target systems are:
To enable reading of group structures, you can use the For best results, we recommend you also set the system property Possible values:
Default value: false Examples for filtering:
System Role: Source |
Microsoft Active Directory |
|
|
Enter one of the verified domain names from the corresponding Microsoft Entra ID tenant. System Role: Source, Target, Proxy |
Microsoft Entra ID |
|
|
This property defines the attributes of a group member to be read by the Identity Provisioning. By default, it always reads the type and the id of a member. If you prefer the Identity Provisioning to read additional attributes, you can add them as a single or a comma-separated value. For example:
See: Microsoft Entra ID Possible values:
System Role: Source, Proxy |
Microsoft Entra ID |
|
|
Use this property if you want to get information about all the groups to which the users are assigned (if any).
If you set the property to true, you will get information about the group ID and its entity type (group) – default result. However, if you also set a value for property For example: If you set "groups": [
{
"displayName": "Microsoft Entra ID Group 1",
"id": "aaa111999-0000-444-123-777fff000",
"type": "group"
}
]Possible values:
System Role: Source, Proxy |
Microsoft Entra ID |
|
|
Via this property, you can filter users by specific criteria, according to the syntax of Microsoft Graph REST API. You can also filter out users with advanced query parameters, as described in Advanced query capabilities on Microsoft Entra ID objects
Possible values: Text/numeric string For example:
System Role: Source, Proxy |
Microsoft Entra ID |
|
|
Via this property, you can filter groups by specific criteria, according to the syntax of Microsoft Graph REST API. You can also filter out groups with advanced query parameters, as described in Advanced query capabilities on Microsoft Entra ID objects Possible values: Text/numeric string For example:
System Role: Source, Proxy |
Microsoft Entra ID |
|
|
Defines which user attributes are read from Microsoft Entra ID system. The property is set during system creation with the following default value: id,mail,userPrincipalName,displayName,mailNickname,givenName,surname,mobilePhone,businessPhones This means that by default, Identity Provisioning will read from Microsoft Entra ID the user attributes defined in the property value. Those attributes are also used in the default read transformation. To check the complete set of user attributes (properties) supported by Microsoft Entra ID, see: Microsoft Graph: User Properties If you want the Identity Provisioning to read additional user attributes, add them to the default list of attributes separated by comma and adapt the transformations. For example, to read the employeeId of the Microsoft Entra ID users in addition to the default list of attributes, and provision them to Identity Authentication, proceed as follows:
In case you remove the default list of attributes from the value of this property and only add the additional attributes, Identity Provisioning will return the additional user attributes plus the mandatory ones: id,mail, userPrincipalName. System Role: Source, Proxy |
Microsoft Entra ID |
|
|
Defines which group attributes are read from Microsoft Entra ID system. The property is set during system creation with the following default value: id,displayName,mailNickname This means that by default, Identity Provisioning will read from Microsoft Entra ID the group attributes defined in the property value and will also return the members attribute. Those attributes are used in the default read transformation. To check the complete set of group attributes (properties) supported by Microsoft Entra ID, see: Microsoft Graph: Group Properties If you want the Identity Provisioning to read additional group attributes, add them to the default list of attributes separated by comma and adapt the transformations. For example, to read the description of the Microsoft Entra ID groups in addition to the default list of attributes, and provision them to Identity Authentication, proceed as follows:
In case you remove the default list of attributes from the value of this property and only add the additional attributes, Identity Provisioning will read from Microsoft Entra ID the additional group attributes, the group id, displayName, mailNickname and will also return the members attribute. System Role: Source, Proxy |
Microsoft Entra ID |
|
|
This property defines the number of entities to be read per page. Default value: 100 **System Role:**Source, Proxy |
Microsoft Entra ID |
|
|
Path added to the URL to retrieve the CSRF token. The property is automatically added in the system, with default value: /api/v1/scim/Users?count=1. System Role: Source, Target, Proxy |
SAP Analytics Cloud |
|
|
A default property, whose only possible value is true. That means, HR integration is enabled for your system.
Possible value: true System Role: Target, Proxy |
SAP S/4HANA Cloud |
|
|
Enter OData filtering for reading roles in the SAP S/4HANA Cloud system. To learn what criteria you can use, see: OData URI Conventions → 4.5 Filter System Query Option System Role: Source, Proxy |
SAP S/4HANA Cloud |
|
|
This property defines the API version that your SAP S/4HANA Cloud system uses. Version 1 means your SAP S/4HANA Cloud system uses SAP_COM_0193 communication arrangement. System Role: Source, Target, Proxy |
SAP S/4HANA Cloud |
|
|
A default property. Add the codes of the roles maintained by the HR integration. Make sure these role codes are part of your read and write transformations. Possible values: For example: BUP003, BBP005 That means, your HR integration will support employees and contingent worker. System Role: Target, Proxy |
SAP S/4HANA Cloud |
|
|
In the event of archived (disabled) entities in a source SAP S/4HANA Cloud system, you can choose whether the provisioning jobs to continue reading such entities or to skip them. In the source and proxy systems, this property is activated by default. If you want to always read disabled entities, set the property to false, or delete it. Possible values:
Default value: true System Role: Source, Proxy |
SAP S/4HANA Cloud |
|
|
Add the codes of the roles maintained by the HR integration. Make sure these role codes are part of your read and write transformations. This property is applicable only if Possible values: For example: BUP003, BBP005, BUP012, WFM001 That means, your HR integration will support employees, contingent workers, collaboration users, and resources. System Role: Target, Proxy |
SAP S/4HANA On-Premise |
|
|
Defines whether the system should include HR integration or not. This property is related to Possible values:
Default value: false System Role: Target, Proxy |
SAP S/4HANA On-Premise |
|
|
In the event of archived (disabled) entities in a source SAP S/4HANA On-Premise system, you can choose whether the provisioning jobs to continue reading such entities or to skip them. In the source and proxy systems, this property is activated by default. If you want to always read disabled entities, set the property to false, or delete it. Possible values:
Default value: true System Role: Source, Proxy |
SAP S/4HANA On-Premise |
|
|
Use this property if you want to specify a particular AS ABAP client to use as the AS ABAP client. To learn more, see: Specifying the Client For more information about Possible values: A three-digit integer number For example: 102 System Role: Source, Target, Proxy |
SAP S/4HANA On-Premise |
|
|
Set this property to true if you want to enable bulk operations for provisioning entities. That means, the Identity Provisioning service can write, update, and delete multiple users or groups in a single request. For more information, see: APIs for Business User Management Possible values:
Default value: false System Role: Source, Target, Proxy |
SAP S/4HANA On-Premise |
|
|
If you have enabled the bulk operations, you can use this property to set the number of users to be provisioned per request. Possible values: Default value: 20 Maximum value: 100 If you enter a number larger than 100, the service will replace it with the default value (20). System Role: Target |
SAP S/4HANA On-Premise |
|
|
This property distinguishes SAP Fieldglass groups by specific prefix. It is an optional property which does not appear by default at system creation. Example value: You can use the example value or provide your own.
System Role: Source and Target |
SAP Fieldglass |
|
|
Set this property to true if you want to enable bulk operations for provisioning users and groups. This means, the Identity Provisioning service can write, update, and delete multiple usersor update multiple group members in a single request. For more information, see: SAP Fieldglass Identity Management API Possible values:
Default value: false System Role: Target |
SAP Fieldglass |
|
|
This property sets the number of operations to be performed in one bulk request. Possible values: Default value: 20 Minimum value: 10 Maximum value: 100 If you provide a value outside of the minimum and maximum range, the service will replace it with the default value (20). System Role: Target |
SAP Fieldglass |
|
|
In the event of archived (disabled) entities in a source SAP BTP ABAP environment system, you can choose whether the provisioning jobs to continue reading such entities or to skip them. In the source and proxy systems, this property is activated by default. If you want to always read disabled entities, set the property to false, or delete it. Possible values:
Default value: true System Role: Source, Target, Proxy |
SAP BTP ABAP environment |
|
|
Enter OData filtering for reading roles in the SAP BTP ABAP environment system. To learn what criteria you can use, see: OData URI Conventions → 4.5 Filter System Query Option System Role: Source, Proxy |
SAP BTP ABAP environment |
|
|
This property distinguishes SAP BTP ABAP environment roles by specific prefix. It is an optional property which does not appear by default at system creation. Example value: You can use the example value or provide your own.
System Role: Source and Target |
SAP BTP ABAP environment |
|
|
This property defines whether the current roles of a user to be preserved or overwritten by the Identity Provisioning service within the SAP BTP ABAP environment target or proxy system. See also: Extended Explanation of the *user.roles.overwrite Properties Possible values:
Default value (if the property is missing during system creation): true Default value (if the property appears during system creation): false System Role: Target, Proxy |
SAP BTP ABAP environment |
|
|
This property distinguishes SAP Integrated Business Planning for Supply Chain roles by specific prefix. It is an optional property which does not appear by default at system creation. Example value: You can use the example value or provide your own.
System Role: Source and Target |
SAP Integrated Business Planning for Supply Chain |
|
|
This property defines whether the current roles of a user to be preserved or overwritten by the Identity Provisioning service within the SAP IBP target or proxy system. See also: Extended Explanation of the *user.roles.overwrite Properties Possible values:
Default value (if the property is missing during system creation): true Default value (if the property appears during system creation): false System Role: Target, Proxy |
SAP Integrated Business Planning for Supply Chain |
|
|
This property defines whether the current roles of a user to be preserved or overwritten by the Identity Provisioning service within the SAP Marketing Cloud target or proxy system. See also: Extended Explanation of the *user.roles.overwrite Properties Possible values:
Default value (if the property is missing during system creation): true Default value (if the property appears during system creation): false System Role: Target, Proxy |
SAP Marketing Cloud |
|
|
This property indicates how many business roles (considered as groups) per page to be read from your SAP S/4HANA Cloud source system. Possible values: Integer number For example, if you set the property's value = 30, the Identity Provisioning will read 30 roles (groups) at once, then – another 30, and so on. System Role: Source, Proxy |
SAP S/4HANA Cloud |
|
|
Set this property to true if you want to enable bulk operations for provisioning entities. That means, the Identity Provisioning service can write, update, and delete multiple users or groups in a single request. For more information, see: APIs for Business User Management Possible values:
Default value: false System Role: Target |
SAP S/4HANA Cloud |
|
|
If you have enabled the bulk operations, you can use this property to set the number of users to be provisioned per request. Possible values: Default value: 20 Maximum value: 100 If you enter a number larger than 100, the service will replace it with the default value (20). System Role: Target |
SAP S/4HANA Cloud |
|
|
Set this property to true if you want to enable bulk operations for provisioning entities. That means, the Identity Provisioning service can write, update, and delete multiple users or groups in a single request. For more information, see: APIs for Business User Management Possible values:
Default value: false System Role: Target |
SAP Marketing Cloud |
|
|
If you have enabled the bulk operations, you can use this property to set the number of users to be provisioned per request. Possible values: Default value: 20 Maximum value: 100 If you enter a number larger than 100, the service will replace it with the default value (20). System Role: Target |
SAP Marketing Cloud |
|
|
Set this property to true if you want to enable bulk operations for provisioning entities. That means, the Identity Provisioning service can write, update, and delete multiple users or groups in a single request. For more information, see: APIs for Business User Management Possible values:
Default value: false System Role: Target |
SAP BTP ABAP environment |
|
|
If you have enabled the bulk operations, you can use this property to set the number of users to be provisioned per request. Possible values: Default value: 20 Maximum value: 100 If you enter a number larger than 100, the service will replace it with the default value (20). System Role: Target |
SAP BTP ABAP environment |
|
|
This property indicates how many business roles (considered as groups) per page to be read from your SAP BTP ABAP environment source system. Possible values: Integer number For example, if you set the property's value = 30, the Identity Provisioning will read 30 roles (groups) at once, then – another 30, and so on. System Role: Source, Proxy |
SAP BTP ABAP environment |
|
|
This property indicates how many business roles (considered as groups) per page to be read from your SAP IBP source system. Possible values: Integer number For example, if you set the property's value = 30, the Identity Provisioning will read 30 roles (groups) at once, then – another 30, and so on. System Role: Source, Proxy |
SAP Integrated Business Planning for Supply Chain |
|
|
Set this property to true if you want to enable bulk operations for provisioning entities. That means, the Identity Provisioning service can write, update, and delete multiple users or groups in a single request. For more information, see: APIs for Business User Management Possible values:
Default value: false System Role: Target |
SAP Integrated Business Planning for Supply Chain |
|
|
If you have enabled the bulk operations, you can use this property to set the number of users to be provisioned per request. Possible values: Default value: 20 Maximum value: 100 If you enter a number larger than 100, the service will replace it with the default value (20). System Role: Target |
SAP Integrated Business Planning for Supply Chain |
|
|
This property indicates how many business roles (considered as groups) per page to be read from your SAP Marketing Cloud source system. Possible values: Integer number For example, if you set the property's value = 30, the Identity Provisioning will read 30 roles (groups) at once, then – another 30, and so on. System Role: Source, Proxy |
SAP Marketing Cloud |
|
|
This property distinguishes SAP Marketing Cloud roles by specific prefix. It is an optional property which does not appear by default at system creation. Example value: You can use the example value or provide your own.
System Role: Source and Target |
SAP Marketing Cloud |
|
|
This property defines whether the current roles of a user to be preserved or overwritten by the Identity Provisioning service within the SAP S/4HANA Cloud target or proxy system. See also: Extended Explanation of the *user.roles.overwrite Properties Possible values:
Default value (if the property is missing during system creation): true Default value (if the property appears during system creation): false System Role: Target, Proxy |
SAP S/4HANA Cloud |
|
|
In the event of archived (disabled) entities in a source SAP IBP system, you can choose whether the provisioning jobs to continue reading such entities or to skip them. In the source systems, this property is activated by default. If you want to always read disabled entities, set the property to false, or delete it. Possible values:
Default value: true System Role: Source, Target, Proxy |
SAP Integrated Business Planning for Supply Chain |
|
|
Enter OData filtering for reading roles in the SAP IBP system. To learn what criteria you can use, see: OData URI Conventions → 4.5 Filter System Query Option System Role: Source, Proxy |
SAP Integrated Business Planning for Supply Chain |
|
|
In the event of archived (disabled) entities in a source SAP Marketing Cloud system, you can choose whether the provisioning jobs to continue reading such entities or to skip them. In the source and proxy systems, this property is activated by default. If you want to always read disabled entities, set the property to false, or delete it. Possible values:
Default value: true System Role: Source, Target, Proxy |
SAP Marketing Cloud |
|
|
Enter OData filtering for reading roles in the SAP Marketing Cloud system. To learn what criteria you can use, see: OData URI Conventions → 4.5 Filter System Query Option System Role: Source, Proxy |
SAP Marketing Cloud |
|
|
Specifies whether to fetch a CSRF token when sending requests to the system. The property is automatically added in the system, with default value: enabled. Possible values:
Default value: enabled System Role: Source, Target, Proxy |
SAP Analytics Cloud |
|
|
Specifies whether to fetch a CSRF token when sending requests to the system. The property is automatically added in the system, with default value: enabled. Possible values:
Default value: enabled System Role: Source, Target, Proxy |
SAP Analytics Cloud |
|
|
This property enables bulk operations for users. When bulk operations are enabled (set to true), Identity Provisioning service creates, updates, and deletes multiple users in one request. When bulk operations are not enabled (set to false), Identity Provisioning service creates, updates, and deletes one user at a time. For more information, see: SCIM Protocol: Bulk Operations
Possible values:
Default value: false System Role: Target |
SAP Analytics Cloud |
|
|
If you have enabled the SCIM bulk operations, you can use this property to set the number of users to be provisioned per request. Possible values: Default value:
System Role: Target |
SAP Analytics Cloud |
|
|
When specified, only those users matching the filter expression will be read. Possible values: For example: name.familyName eq "SmithJ" and addresses.country eq "US" System Role: Source |
All SCIM-based systems |
|
|
When specified, only those groups matching the filter expression will be read. Possible values: For example: displayName eq "ProjectTeam1" or "Students2018" System Role: Source |
|
|
|
Makes the connector send a specified value for the Content-Type HTTP header. This is needed because a SCIM system could potentially not implement the protocol in the specification, which states that a system must accept application/scim+json as a value of the Content-Type header. Possible values: For example: application/json If the property is not specified, the default value is taken: application/scim+json System Role: Target, Proxy |
All SCIM-based systems |
|
|
When the Identity Provisioning attempts to provision a user for the first time, it may detect that such a user already exists on the target system. Thus, the service needs to retrieve the entityId of the existing user via filtering by user unique attribute(s). This property defines by which unique attribute(s) the existing user to be searched (resolved). If the service finds such a user on the target system via this filter, then the conflicting user will overwrite the existing one. If the service does not find such a user, the creation will fail. According to your use case and system type, choose how to set up this property:
Possible values:
Default value: userName System Role: Target |
All SCIM-based systems |
|
|
If the service tries to create a group that already exists in the target system, the creation will fail. In this case, the existing group only needs to be updated. This group can be found via search, based on an attribute (default or specific). To make the search filter by a specific attribute, specify this attribute as a value for the If the property is not specified, the search is done by the default attribute: displayName System Role: Target, Proxy |
|
|
|
Defines additional attributes you can request from an Identity Authentication source system when reading groups. If you read groups through REST API, use the Possible values: a coma-separated list of attribute names You can add the following attributes:
System Role: Source |
Identity Authentication (SCIM API version 1) |
|
|
Makes the connector send the Possible values:
Default value: false System Role: Target, Proxy |
All SCIM-based systems |
|
|
If your target or proxy system is among the SCIM-based ones listed under System Type and supports Note that only attributes without Additional Information: There are different cases when an entity should be updated in the target system:
In the last two cases, it's possible to keep the entity in the target system – it will not be deleted but only disabled. To do this, use the Possible values:
Default value: false System Role: Target, Proxy |
|
|
|
This property distinguishes SAP Jam Collaboration groups by specific prefix. It is an optional property which does not appear by default at system creation. Example value: You can use the example value or provide your own.
System Role: Source and Target |
SAP Jam Collaboration |
|
|
This property specifies the host to the identity provider to be used with this target system. All provisioned users can be authenticated only by this identity provider. If you use another IdP, enter its value as configured in the SAP BTP cockpit. For example: Possible values: Default value: accounts.sap.com System Role: Target, Proxy |
SAP BTP Account Members (Neo) |
|
|
Enter the type of authentication used for access token retrieval for OAuth HTTP destinations. Possible values:
Default value: Basic System Role: Source, Target, Proxy |
|
|
|
Relevant when the Possible values: String System Role: Source, Target, Proxy |
|
|
|
Name of the SAP HANA Database user System Role: Target |
SAP HANA Database (Beta) |
|
|
(Credential) System Role: Target |
SAP HANA Database (Beta) |
|
|
SAP HANA Database host System Role: Target |
SAP HANA Database (Beta) |
|
|
SAP HANA Database port Possible values: 30015 System Role: Target |
SAP HANA Database (Beta) |
|
|
There are three types of SAP HANA access:
Possible values:
System Role: Target |
SAP HANA Database (Beta) |
|
|
The username used for opening the SSH Tunnel System Role: Target |
SAP HANA Database (Beta) |
|
|
This is the origin of the Cloud Foundry technical user, specified in property If the origin is the same as of the other Cloud Foundry users, you don't need this property – leave it empty or delete it. Possible values: Text/numeric string For example: uaa System Role: Target |
SAP HANA Database (Beta) |
|
|
SSH Tunnel’s host System Role: Target |
SAP HANA Database (Beta) |
|
|
SSH Tunnel’s port Possible values: 22 System Role: Target |
SAP HANA Database (Beta) |
|
|
The authentication type for the SSH Tunnel. Possible values: Supported SSH authentication types:
System Role: Target |
SAP HANA Database (Beta) |
|
|
The URL of the Cloud Foundry API. Possible values: For example: https://api.cf.mycloudfoundryhost.ondemand.com System Role: Target |
SAP HANA Database (Beta) |
|
|
The URL of the OAuth token endpoint.
System Role: Target |
SAP HANA Database (Beta) |
|
|
This is the Cloud Foundry organization. System Role: Target |
SAP HANA Database (Beta) |
|
|
This is the Cloud Foundry space. System Role: Target |
SAP HANA Database (Beta) |
|
|
This is the Cloud Foundry application to which the SAP HANA Database (Beta) system opens an SSH tunnel. For more information, see: Cloud Foundry: Accessing apps with SSH System Role: Target |
SAP HANA Database (Beta) |
|
|
This is the instance number of the Cloud Foundry application. System Role: Target |
SAP HANA Database (Beta) |
|
|
This is the Cloud Foundry user. It has the role Developer for the space where the application is deployed. System Role: Target |
SAP HANA Database (Beta) |
|
|
(Credential) The password for property System Role: Target |
SAP HANA Database (Beta) |
|
|
(Credential) Taken into account only if the authentication type includes pwd. That means any of the following:
System Role: Target |
SAP HANA Database (Beta) |
|
|
(Credential) Taken into account only if the authentication type includes otp. That means any of the following:
System Role: Target |
SAP HANA Database (Beta) |
|
|
(Credential) Taken into account only if the authentication type includes key. That means any of the following:
System Role: Target |
SAP HANA Database (Beta) |
|
|
Use this property to filter users by specific criteria, according to the API syntax of SCAAI. Possible values: Text/numeric string For example: externalId eq "John123" System Role: Source, Proxy |
Sales Cloud – Analytics & AI |
|
|
Use this property to filter groups by specific criteria, according to the API syntax of SCAAI. Possible values: Text/numeric string For example: displayName eq "first_group" System Role: Source, Proxy |
Sales Cloud – Analytics & AI |
|
|
Path to the bash command you need to execute to read users. System Role: Source |
SSH Server (Beta) |
|
|
Path to the bash command you need to execute to create a user. System Role: Source, Target |
SSH Server (Beta) |
|
|
Path to the bash command you need to execute to update a user. System Role: Source, Target |
SSH Server (Beta) |
|
|
Path to the bash command you need to execute to delete a user. System Role: Source, Target |
SSH Server (Beta) |
|
|
Path to the bash command you need to execute to read groups. System Role: Source |
SSH Server (Beta) |
|
|
Path to the bash command you need to execute to create a group. System Role: Source, Target |
SSH Server (Beta) |
|
|
Path to the bash command you need to execute to update a group. System Role: Source, Target |
SSH Server (Beta) |
|
|
Path to the bash command you need to execute to delete a group. System Role: Source, Target |
SSH Server (Beta) |
|
|
An exit code number System Role: Source, Target |
SSH Server (Beta) |
|
|
An exit code number System Role: Source, Target |
SSH Server (Beta) |
|
|
An exit code number System Role: Source, Target |
SSH Server (Beta) |
|
|
An exit code number System Role: Source, Target |
SSH Server (Beta) |
|
|
An exit code number System Role: Source, Target |
SSH Server (Beta) |
|
|
An exit code number System Role: Source, Target |
SSH Server (Beta) |
|
|
Supported SSH authentication types:
System Role: Source, Target |
SSH Server (Beta) |
|
|
System Role: Source, Target |
SSH Server (Beta) |
|
|
Possible values: 22 System Role: Source, Target |
SSH Server (Beta) |
|
|
System Role: Source, Target |
SSH Server (Beta) |
|
|
(Credential) Taken into account only if the authentication type includes pwd. That means any of the following:
System Role: Source, Target |
SSH Server (Beta) |
|
|
(Credential) Taken into account only if the authentication type includes otp. That means any of the following:
System Role: Source, Target |
SSH Server (Beta) |
|
|
(Credential) Taken into account only if the authentication type includes key. That means any of the following:
System Role: Source, Target |
SSH Server (Beta) |
|
|
The format of SSH private key. Possible values:
Default value: ssh-rsa System Role: Source, Target |
SSH Server (Beta) |
|
|
Use this property to configure the paging. That means, the number of entities to be read from SAP SuccessFactors at once. Default value: 100 System Role: Source, Proxy |
SAP SuccessFactors (using version 1 - SAP SuccessFactors HCM Suite OData API) |
|
|
The possible values of this property depend on the API version which your SAP SuccessFactors system consumes. Use this property to filter dynamic groups from SAP SuccessFactors. The filter obtains values as described in the OData 2.0 syntax, except any statements with attribute
Possible values: If your system consumes SAP SuccessFactors Workforce SCIM API, you can filter groups only by For example: groupType eq 'permission' System Role: Source, Proxy |
|
|
|
This property distinguishes SAP SuccessFactors groups by specific prefix. It is an optional property which does not appear by default at system creation. Example value: You can use the example value or provide your own.
If the property is not set, the SAP SuccessFactors groups will be read and provisioned to the target system with their actual display names. System Role: Source, Target |
SAP SuccessFactors (using version 2 - SAP SuccessFactors Workforce SCIM API) |
|
|
The possible values of this property depend on the API version which your SAP SuccessFactors system consumes. This property takes values as described in the OData version 2
Possible values:
System Role: Source, Proxy |
|
|
|
The value of this property is a comma-separated list of user attributes that have to be loaded from/to the SAP SuccessFactors system. Possible values: Default value: userId,username,status,email,lastName,firstName,lastModifiedDateTime,personKeyNav SAP SuccessFactors supports a huge amount of user information, which requires a lot of memory processing time and may even lead to time-out errors. That's why we recommend that you keep the default list of attributes, or specify only a few (the most significant attributes) for your provisioning scenario.
System Role: Source, Target, Proxy |
SAP SuccessFactors (using version 1 - SAP SuccessFactors HCM Suite OData API) |
|
|
This property reads/writes additional user data related to complex (navigation) attributes, which are specified in the Possible values: Default value: personKeyNav,personKeyNav/userAccountNav For example: If you also need to read the username of the manager of a company employee, enter the following configuration in the Properties tab:
System Role: Source, Target, Proxy |
SAP SuccessFactors (using version 1 - SAP SuccessFactors HCM Suite OData API) |
|
|
This property allows you to expand the list of attributes specified in the Once you provide the value of the additional attributes in the Currently, the read transformation of Microsoft Entra ID is extended with the attribute mappings for manager id and displayName as follows:
To read the manager of the user, you need to provide the manager as a value of the For more information on the attributes (relationships) that support the $expand query parameter, refer to Microsoft Graph REST API v1.0 → Relationships. System Role: Source, Proxy |
Microsoft Entra ID |
|
|
This property allows you to expand the list of attributes specified in the Once you provide the value of the additional attributes in the For more information on the attributes (relationships) that support the $expand query parameter, refer to Microsoft Graph REST API v1.0 → Relationships. System Role: Source, Proxy |
Microsoft Entra ID |
|
|
Enter the system instance ID, configured for the communication system setting in the SAP Sales Cloud and SAP Service Cloud system. Possible values: For example: IPS System Role: Target |
SAP Sales Cloud and SAP Service Cloud |
|
|
Enter the recipient system name. Possible values: For example: 0011SAP System Role: Target |
SAP Sales Cloud and SAP Service Cloud |
|
|
Enter the name of the sender system name. It's equal to the value of property Possible values: For example: IPS System Role: Target |
SAP Sales Cloud and SAP Service Cloud |
|
|
Use this property when you create a connectivity destination in SAP BTP cockpit with authentication type
Possible values:
Default value: false System Role: Source, Target, Proxy |
All systems |
|
|
It denotes the The value of this property is the location of your Cloud Foundry identity provider. If not sure about the value, ask your Cloud Foundry system administrator. Possible values: Text/numeric string System Role: Source, Target, Proxy |
Cloud Foundry UAA Server |
|
|
This flag property depends on If the flag is set to true, the Identity Provisioning service will read only users whose identity provider is set as a value of Possible values: true or false
System Role: Source, Proxy |
Cloud Foundry UAA Server |
|
|
Use this property if you want to retrieve a group whose membership was modified.
Possible values:
System Role: Proxy |
Cloud Foundry UAA Server |
|
|
This property distinguishes Cloud Foundry UAA Server groups by specific prefix. It is an optional property which does not appear by default at system creation. Example value: You can use the example value or provide your own.
System Role: Source and Target |
Cloud Foundry UAA Server |
|
|
Holds the identity provider of a user in SAP BTP XS Advanced UAA (Cloud Foundry). You can find it in the SAP BTP cockpit. Go to your Cloud Foundry subaccount, choose Trust Configuration and see the value under Origin Key. For more information, see Configure Single and Multiple Origins Possible values: Text/numeric string For example: myaccount-xsuaa.accounts.ondemand.com System Role: Source, Target, Proxy |
SAP BTP XS Advanced UAA (Cloud Foundry) |
|
|
This flag property depends on If the flag is set to true, the Identity Provisioning service will read only users whose identity provider is set as a value of Possible values: true or false
System Role: Source, Proxy |
SAP BTP XS Advanced UAA (Cloud Foundry) |
|
|
Use this property if you want to retrieve a group whose membership was modified.
Possible values:
System Role: Proxy |
SAP BTP XS Advanced UAA (Cloud Foundry) |
|
|
When specified, only those SAP Build Work Zone, advanced edition users matching the filter expression will be read. Possible values: For example: userName eq "SmithJ" System Role: Source |
SAP Build Work Zone, advanced edition |
|
|
When specified, only those SAP Build Work Zone, advanced edition groups matching the filter expression will be read. Possible values: For example: displayName eq "ProjectTeam1" System Role: Source |
SAP Build Work Zone, advanced edition |
|
|
This property makes a SAP Build Work Zone, advanced edition connector to send a specified value for the Content-Type HTTP header. This is needed because SAP Build Work Zone, advanced edition could potentially not implement the protocol in the specification, which states that a system must accept application/scim+json as a value of theContent-Type header. Possible values: For example: application/json Default value: application/scim+json System Role: Target, Proxy |
SAP Build Work Zone, advanced edition |
|
|
The default value of this property is false. But for SAP Build Work Zone, advanced edition proxy systems, this property appears during creation and its predefined value is true. That means, when the Identity Provisioning identifies a changed entity in the back-end system, it will execute the updates as Additional Information: There are different cases when an entity should be updated in the target system:
In the last two cases, it's possible to keep the entity in the target system – it will not be deleted but only disabled. To do this, use the Possible values:
Default value for proxy systems: true Default value for target systems: false System Role: Target, Proxy |
SAP Build Work Zone, advanced edition |
|
|
When the Identity Provisioning attempts to provision a user for the first time, it may detect that such a user already exists in SAP Build Work Zone, advanced edition. Thus, the service needs to retrieve the entityId of the existing user via filtering by user unique attribute(s). This property defines by which unique attribute(s) the existing user to be searched (resolved). According to your use case, choose how to set up this property:
Possible values:
Default value: userName System Role: Target, Proxy |
SAP Build Work Zone, advanced edition |
|
|
If the Identity Provisioning tries to create a group that already exists on the SAP Build Work Zone, advanced edition target system, the creation will fail. In this case, the existing group only needs to be updated. This group can be found via search, based on an attribute (default or specific). To make the search filter by a specific attribute, specify this attribute as a value for this property. Possible values: Default value (when not specified): displayName If the property is not specified, the search is done by the default attribute: System Role: Target, Proxy |
SAP Build Work Zone, advanced edition |
|
|
When specified, only those SAP Field Service Management groups matching the filter expression will be read. Possible values: For example: displayName eq "ProjectTeam1" System Role: Source, Proxy |
SAP Field Service Management |
|
|
When specified, only those SAP Field Service Management users matching the filter expression will be read. Possible values: For example: userName eq "SmithJ" System Role: Source, Proxy |
SAP Field Service Management |
|
|
This property makes the SAP Field Service Management connector to send a specified value for the Content-Type HTTP header. This is needed because SAP Field Service Management could potentially not implement the protocol in the specification, which states that a system must accept application/scim+json as a value of the Content-Type header. Possible values: For example: application/json Default value: application/scim+json System Role: Target, Proxy |
SAP Field Service Management |
|
|
If the Identity Provisioning tries to create a group that already exists in the SAP Field Service Management target system, the creation will fail. In this case, the existing group only needs to be updated. This group can be found via search, based on an attribute (default or specific). To make the search filter by a specific attribute, specify this attribute as a value for this property. Possible values: Default value (when not specified): displayName If the property is not specified, the search is done by the default attribute: System Role: Target, Proxy |
SAP Field Service Management |
|
|
Makes the SAP Field Service Management connector send the If-Match HTTP header with a value of “*” for every request to the target system. This header could be used by an SAP Field Service Management system for entity versioning. Possible values:
Default value: false System Role: Target, Proxy |
SAP Field Service Management |
|
|
The default value of this property is false. But for SAP Field Service Management proxy systems, this property appears during creation and its predefined value is true. That means, when the Identity Provisioning identifies a changed entity in the back-end system, it will execute the updates as Note that only attributes without Possible values: Default value: false Predefined value (during system creation): true System Role: Target, Proxy |
SAP Field Service Management |
|
|
When the Identity Provisioning attempts to provision a user for the first time, it may detect that such a user already exists in SAP Field Service Management. Thus, the service needs to retrieve the entityId of the existing user via filtering by user unique attribute(s). This property defines by which unique attribute(s) the existing user to be searched (resolved). According to your use case, choose how to set up this property:
Possible values:
Default value: userName System Role: Target, Proxy |
SAP Field Service Management |
|
|
Defines the version of Identity Authentication SCIM API. Possible values:
Default value: 2 System Role: Source, Target, Proxy |
Identity Authentication |
|
|
This property filters users by attributes from the SCIM core schema, the Enterprise user resource schema and the Custom defined schema. For example: For more information on the attributes defined in the SCIM core schema and the Enterprise user resource schema, see Identity Directory Service Schema View You can set a single attribute or multiple ones as search criteria in the following value pattern: Single attribute:<user_attribute> eq "<value>" Multiple attributes: <user_attribute1> eq "<value1>" and/or <user_attribute2> eq "<value2>" Possible values: For example:
System Role: Source, Proxy |
Identity Authentication (SCIM API version 2) |
|
|
This property filters groups by display name. You can set a single display name or multiple ones as filter criteria. If you enter multiple display names (using Single attribute: displayName eq "<group_name>" Multiple attributes: displayName eq "<group_name1>" or displayName eq "<group_name2>" Possible values: For example:
System Role: Source, Proxy |
Identity Authentication (SCIM API version 2) |
|
|
This property controls how modified entities (users and groups) in the source system are updated in the target system.
Users and groups can be updated in the target system in various cases, such as:
In the last two cases, it's possible to keep the entity in the target system – it will not be deleted but only disabled. To do this, use the Possible values:
Default value: false System Role: Target, Proxy |
Identity Authentication (SCIM API version 2) |
|
|
This property enables paging of user’s groups. The maximum number of user’s groups returned per request is 1000. To read more than 1000 user’s groups, paging must be enabled. Possible values:
Default value: false System Role: Source, Proxy |
Identity Authentication (SCIM API version 2) |
|
|
This property enables paging of group members. The maximum number of group members returned per request is 20 000. To read more than 20 000 group members, paging must be enabled. Possible values:
Default value: false System Role: Source, Proxy |
Identity Authentication (SCIM API version 2) |
|
|
Makes the connector send the If-Match HTTP header with a value of “*” for every request to the target system. This header could be used by a SCIM system for entity versioning. Possible values:
Default value: false System Role: Target, Proxy |
Identity Authentication (SCIM API version 2) |
|
|
When Identity Provisioning attempts to provision a user for the first time, it may detect that this user already exists on the target system. Thus, the service needs to retrieve the entityId of the existing user via filtering by user unique attribute(s). This property defines by which unique attribute(s) the existing user will be searched and resolved. If the service finds a user on the target system via this filter, then the conflicting user will overwrite the existing one. If the service does not find a user on the target system via this filter, the creation will fail. According to your use case and system type, choose how to set up this property:
Possible values:
Default value: userName System Role: Target, Proxy |
Identity Authentication (SCIM API version 2) |
|
|
If you try to provision a group that already exists in a target system, the group creation will fail. In this case, the existing group only needs to be updated. This property defines by which unique attribute(s) the existing group will be searched and resolved. The default value is displayName. Currently, it is the only unique attribute that is supported. When set, you can expect the following behavior:
Possible values: If the property is not specified, the search is done by the default attribute: System Role: Target, Proxy |
Identity Authentication (SCIM API version 2) |
|
|
Makes the connector send a specified value for the Content-Type HTTP header. This is needed because a SCIM system could potentially not implement the protocol in the specification, which states that a system must accept application/scim+json as a value of the Content-Type header. Possible values: For example: application/json If the property is not specified, the default value is taken: application/scim+json System Role: Target, Proxy |
Identity Authentication (SCIM API version 2) |
|
|
Filters Microsoft Entra ID users based on their group assignments. When set to true, this property combines user and group filters defined on the
When set to false, user and group filters are not combined. For more information, see: Identity Provisioning: How to Get Users Based on Group Assignments from MS Entra ID Possible values:
System Role: Source, Proxy |
Microsoft Entra ID |
|
|
When specified, only those SAP S/4HANA for procurement planning users matching the filter expression will be read. Possible values: Example: name.familyName eq "Smith" and addresses.country eq "US" System Role: Source, Proxy |
SAP S/4HANA for procurement planning |
|
|
Makes the connector send a specified value for the Content-Type HTTP header. This is needed because a SCIM system could potentially not implement the protocol in the specification, which states that a system must accept application/scim+json as a value of the Content-Type header. Possible values: For example: application/json If the property is not specified, the default value is taken: application/scim+json **System Role:**Target, Proxy |
SAP S/4HANA for procurement planning |
|
|
Makes the connector send the If-Match HTTP header with a value of “*” for every request to the target system. This header could be used by a SCIM system for entity versioning. Possible values:
Default value: false System Role: Target, Proxy |
SAP S/4HANA for procurement planning |
|
|
When the Identity Provisioning attempts to provision a user for the first time, it may detect that such a user already exists on the target system. Thus, the service needs to retrieve the entityId of the existing user via filtering by user unique attribute(s). This property defines by which unique attribute(s) the existing user to be searched (resolved). If the service finds such a user on the target system via this filter, then the conflicting user will overwrite the existing one. If the service does not find such a user, the creation will fail. According to your use case and system type, choose how to set up this property:
Possible values:
Default value: userName System Role: Target |
SAP S/4HANA for procurement planning |
|
|
Controls whether automatic conflict resolution is switched on or off in Identity Authentication (target system) when provisioning is triggered from source systems containing different users with the same user identifiers (IDs). For example, when SAP SuccessFactors and SAP SuccessFactors Learning are configured as source systems for provisioning users to Identity Authentication, it could happen that different SAP SuccessFactors and SAP SuccessFactors Learning users have the same user IDs. In this case, when the first user is created in Identity Authentication, after triggering a provisioning job, the second (conflicting) user will either overwrite the already existing one (automatic conflict resolution is switched on) or will fail and won't be created (automatic conflict resolution is switched off). To control this behavior, you can use the Possible values:
Default value: true System Role: Target |
Identity Authentication |
|
|
Defines the threshold number of group members above which they are provisioned on batches with PATCH requests, and below which they are provisioned with PUT request. Setting this property allows you to avoid timeouts when updating groups with a large number of group members.
Possible values: integer Default value: 20 000 Minimum value: 1 Maximum value: 20 000 For example:
**System Role:**Target |
Identity Authentication |
|
|
Defines the threshold number of group members above which they are provisioned on batches with
Possible values: integer Default value: 20 000 Minimum value: 1 Maximum value: 200 000 For example:
System Role: Target |
Local Identity Directory |
|
|
Defines the threshold number of group members above which they are provisioned on batches with Possible values: integer Default value: 20 000 Minimum value: 1 Maximum value: 200 000 For example:
System Role: Target |
SAP BTP XS Advanced UAA (Cloud Foundry) |
|
|
When using SCIM API version 2, this property allows you to update user attributes with In addition to configuring this property, you also need to adapt the write transformation. For example, if you want to disable a user account in Identity Authentication, you need to do the following:
In this case, the For more information, see: Transformation Expressions → Scope → deleteEntity → Identity Authentication (SCIM API version 2) Possible values:
Default value: false When the property is set to true, adapt the write transformation with the attribute name and the attribute value you want to update: System Role: Target |
Identity Authentication |
|
|
When specified, only those users matching the filter expression will be read. Possible values:
System Role: Source |
SAP SuccessFactors Learning |
|
|
This property makes the SAP SuccessFactors Learning connector to send a specified value for the Content-Type HTTP header. This is needed because SAP SuccessFactors Learning could potentially not implement the protocol in the specification, which states that a system must accept application/scim+json as a value of the Content-Type header. Possible values: For example: application/json Default value: application/scim+json System Role: Target, Proxy |
SAP SuccessFactors Learning |
|
|
When Identity Provisioning attempts to provision a user for the first time, it may detect that such user already exists on the target system. Thus, the service needs to retrieve the entityId of the existing user via filtering by user unique attribute(s). This property defines by which unique attribute(s) the existing user to be searched (resolved). If the service finds such user on the target system via this filter, then the conflicting user will overwrite the existing one. If the service does not find such a user, the creation will fail. Default behavior: The property is missing during system creation. Its default value is userName. This means, if the service finds an existing user by a userName, it updates this user with the data of the conflicting one. If a user with such userName is not found, the creation of the conflicting user fails. Possible values: Default value: userName System Role: Target |
SAP SuccessFactors Learning |
|
|
Makes the connector send the If-Match HTTP header with a value of “*” for every request to the target system. This header could be used by a SCIM system for entity versioning. Possible values:
System Role: Target, Proxy |
SAP SuccessFactors Learning |
|
|
This property controls how modified users in the source system are updated in the target system.
Users can be updated in the target system in various cases, such as:
In the last two cases, it's possible to keep the entity in the target system – it will not be deleted but only disabled. To do this, use the Possible values:
Default value: false System Role: Target |
SAP SuccessFactors Learning |
|
|
Enter the host of your SAP SuccessFactors Learning instance. This property must be configured if you what to use client certificate authentication for the communication between Identity Provisioning and SAP SuccessFactors Learning. System Role: Source, Target, Proxy |
SAP SuccessFactors Learning |
|
|
This property enables bulk operations for users and groups. When bulk operations are enabled, Identity Provisioning creates, updates, and deletes multiple users and groups in one request. When bulk operations are not enabled, Identity Provisioning creates, updates, and deletes one user at a time. For more information, see: Identity Directory SCIM API. Possible values:
Default value: false System Role: Target |
Identity Authentication (using SCIM API version 2) |
|
|
This property sets the number of operations to be performed in one bulk request. Possible values: Default value: 20 Maximum value: 100 If you enter a number larger than 100, Identity Provisioning will replace it with the default value (20). System Role: Target |
Identity Authentication (using SCIM API version 2) |
|
|
This property enables bulk operations for users and groups. When bulk operations are enabled, Identity Provisioning creates, updates, and deletes multiple users and groups in one request. When bulk operations are not enabled, Identity Provisioning creates, updates, and deletes one user at a time. For more information, see: Identity Directory SCIM API. Possible values:
Default value: false System Role: Target |
Local Identity Directory |
|
|
This property sets the number of operations to be performed in one bulk request. Possible values: Default value: 20 Maximum value: 100 If you enter a number larger than 100, Identity Provisioning will replace it with the default value (20). System Role: Target |
Local Identity Directory |
|
|
When specified, only those users matching the filter expression will be read. Possible values: For example:
System Role: Source |
SAP Concur (using SAP Concur Identity v4 API) |
|
|
Makes the connector send a specified value for the Content-Type HTTP header. This is needed because a SCIM system could potentially not implement the protocol in the specification, which states that a system must accept application/scim+json as a value of the Content-Type header. Possible values: For example: application/json If the property is not specified, the default value is taken: application/scim+json System Role: Target, Proxy |
SAP Concur (using SAP Concur Identity v4 API) |
|
|
Makes the connector send the If-Match HTTP header with a value of “*” for every request to the target system. This header could be used by a SCIM system for entity versioning. Possible values:
Default value: false System Role: Target, Proxy |
SAP Concur (using SAP Concur Identity v4 API) |
|
|
When the Identity Provisioning attempts to provision a user for the first time, it may detect that such a user already exists on the target system. Thus, the service needs to retrieve the entityId of the existing user via filtering by user unique attribute(s). This property defines by which unique attribute(s) the existing user to be searched (resolved). If the service finds such a user on the target system via this filter, then the conflicting user will overwrite the existing one. If the service does not find such a user, the creation will fail. According to your use case and system type, choose how to set up this property:
Possible values:
Default value: userName System Role: Target |
SAP Concur (using SAP Concur Identity v4 API) |
|
|
The SAP Concur data center your Identity Provisioning tenant belongs to. Based on the provided data center, Identity Provisioning configures the URL of the User Provisioning Service (UPS) v4 API or the SAP Concur Identity v4 API. For example, if you provide Possible values: The following SAP Concur data centers are available:
System Role: Source, Target, Proxy |
SAP Concur |
|
|
Defines the version of SAP Concur API. Possible values:
Default value: 2 System Role: Source, Target, Proxy |
SAP Concur |
|
|
(Credential) Enter the Company Request Token and run a provisioning job within 24 hours from generating the token in the SAP Concur Company Request Token self-service tool. Otherwise, the token will expire, and you’ll need a new one. After the first run of the job, Identity Provisioning fills in automatically a refresh token as the value of the concur.refresh.token property. If a provisioning job has not been run for six months, you’ll again need to generate a new token.
The Company Request Token is generated in the SAP Concur Company Request Token self-service tool. System Role: Source, Target, Proxy |
SAP Concur |
|
|
Your company UUID The Company ID is generated in the SAP Concur Company Request Token self-service tool. System Role: Target, Proxy |
SAP Concur |
|
|
Your company domain The username and the company domain are concatenated in the SAP Concur default transformations in the following format: user@domain Your company domain is the part of your username behind the @ symbol. For example:[email protected] System Role: Target, Proxy |
SAP Concur |
|
|
If you set this property to true, Identity Provisioning will update only user members of a group in SAP Ariba Applications target system. The update will be executed on batches via PATCH requests. This will preserve the group hierarchy with nested groups in the SAP Ariba Applications backend. Possible values:
Default value: false System Role: Target |
SAP Ariba Applications |
|
|
This property is relevant only when It defines the maximum number of user members of a group that are included in one PATCH request. If the maximum value of 200 000 is exceeded, the system sets automatically the default value. Possible values: integer Default value: 20 000 Minimum value: 1 Maximum value: 200 000 System Role: Target |
SAP Ariba Applications |
|
|
Your SAP Build Work Zone, standard edition provider ID The provider ID is specified in the Channel Manager of theSAP Build Work Zone, standard edition when defining a new content provider. For more information about configuring the content provider to use the Identity Provisioning service, see Configure Integration with the Identity Provisioning Service Possible values: The value of your SAP Build Work Zone, standard edition provider ID For example: ABC123 System Role: Target, Proxy |
SAP Build Work Zone, standard edition |
|
|
When specified, only those SAP Build Work Zone, standard edition users matching the filter expression will be read. By default, users are always filtered by the providerId. If another filtering attribute is defined, for example the email of the user, both filters are combined. Possible values:
System Role: Proxy |
SAP Build Work Zone, standard edition |
|
|
When specified, only those SAP Build Work Zone, standard edition groups matching the filter expression will be read. By default, groups are always filtered by the providerId. Possible values:
System Role: Proxy |
SAP Build Work Zone, standard edition |
|
|
If Identity Provisioning tries to provision a user that already exists in the target system (a conflicting user), this property defines the unique attributes by which the existing user will be searched and resolved. Possible values: SAP Build Work Zone, standard edition supports the following unique attributes which are automatically filled in when the target system is added in the service UI:
For the conflict to be resolved, an existing user matching both unique attributes should be found. Whether the existing user will be updated or a new one will be created by Identity Provisioning depends on the following conditions - was the user created by the Identity Provisioning service, what combination of unique attributes exist for the user, and has any of the provisioning systems (source or target) been reset. For more information, see Step 4 of the relevant SAP Build Work Zone, standard edition documentation.
System Role: Target, Proxy |
SAP Build Work Zone, standard edition |
|
|
If Identity Provisioning tries to provision a group that already exists in the target system (a conflicting group), this property defines the unique attributes by which the existing group will be searched and resolved. Possible values: SAP Build Work Zone, standard edition supports a pair of unique attributes which is automatically filled in when the target system is added in the service UI: externalId,['urn:ietf:params:scim:schemas:extension:2.0:mapping']['providerId'] For the conflict to be resolved, an existing group matching both unique attributes should be found. In this case, Identity Provisioning updates the group. This means, the conflicting group overwrites the existing one. If the group matches only one of the unique attributes, the conflict is not resolved, and the group creation fails.
System Role: Target, Proxy |
SAP Build Work Zone, standard edition |
|
|
Defines the threshold number of group members above which they are provisioned on batches with Possible values: integer Default and maximum value: 5000 Minimum value: 1 For example:
System Role: Target |
SAP Build Work Zone, standard edition |
|
|
This property enables bulk operations for users and groups. When the property is enabled (set to true), the following operations can be executed by Identity Provisioning service in a single request:
When the property is disabled (set to false), the following operations can be executed by Identity Provisioning service for a single entity at a time:
Possible values:
Default value: false System Role: Target |
SAP Build Work Zone, standard edition |
|
|
This property sets the number of operations to be performed in one bulk request. Possible values: Default value: 20 Maximum value: 100 If you enter a number larger than 100, the service will replace it with the default value (20). System Role: Target |
SAP Build Work Zone, standard edition |
|
|
When Identity Provisioning attempts to provision a user for the first time, it may detect that such a user already exists on the target system. Thus, the service needs to retrieve the entityId of the existing user via filtering by user unique attribute(s). This property defines by which unique attribute(s) the existing user to be searched (resolved). If the service finds such a user on the target system via this filter, then the conflicting user will overwrite the existing one. If the service does not find such a user, the creation will fail. According to your use case, choose how to set up this property:
Possible values:
Default value: userName System Role: Target |
SAP BTP XS Advanced UAA (Cloud Foundry) |
|
|
This property distinguishes SAP Field Service Management groups by specific prefix. It is an optional property which does not appear by default at system creation. Example value: You can use the example value or provide your own.
System Role: Source and Target |
SAP Field Service Management |
|
|
This property controls the size of the Possible values:
To use this property, you need to set the following ones to true:
System Role: Source |
All systems |
|
|
This property filters SAP SuccessFactors inactive users from a particular date on. It is an optional property which does not appear by default at system creation. It accepts a value in the The To filter active users along with inactive ones from a particular date on, the following configuration must be in place:
As a result, Identity Provisioning reads SAP SuccessFactors active users and the users set to inactive from that date on using the 2023-07-17T00:00:00Z date-time format. Depending on the value you define for
System Role: Source, Proxy |
SAP SuccessFactors (using version 2 - SAP SuccessFactors Workforce SCIM API) |
|
|
When specified, only those users matching the filter expression will be read. You can filter users by Possible values: text/ numeric string For example:
System Role: Source, Proxy |
SAP Commerce Cloud |
|
|
When specified, only those groups matching the filter expression will be read. Possible values: For example: displayName eq "ProjectTeam1" or "Students2018" System Role: Source, Proxy |
SAP Commerce Cloud |
|
|
This property controls how modified entities (users and groups) in the source system are updated in the target system.
Additional Information: There are different cases when an entity should be updated in the target system:
In the last two cases, it's possible to keep the entity in the target system – it will not be deleted but only disabled. To do this, use the Possible values:
Default value for proxy systems: true Default value for target systems: false System Role: Proxy, Target |
SAP Commerce Cloud |
|
|
Makes the SAP Commerce Cloud connector send the If-Match HTTP header with a value of “*” for every request to the target system. This header could be used by an SAP Commerce Cloud system for entity versioning. Possible values:
Default value: false System Role: Target, Proxy |
SAP Commerce Cloud |
|
|
If you try to provision a group that already exists in a target system, the group creation will fail. In this case, the existing group only needs to be updated. This property defines by which unique attribute(s) the existing group will be searched and resolved. The default value is displayName. Currently, it is the only unique attribute that is supported. When set, you can expect the following behavior:
Possible values: If the property is not specified, the search is done by the default attribute: System Role: Target, Proxy |
SAP Commerce Cloud |
|
|
When Identity Provisioning attempts to provision a user for the first time, it may detect that such a user already exists on the target system. Thus, the service needs to retrieve the entityId of the existing user via filtering by user unique attribute(s). This property defines by which unique attribute(s) the existing user to be searched (resolved). If the service finds such a user on the target system via this filter, then the conflicting user will overwrite the existing one. If the service does not find such a user, the creation will fail. The property is automatically added during system creation. If the service finds an existing user by at least one of the uniqueness criteria, which are email, userName, or externalId, it updates this user with the data of the conflicting one. If such a user is not found, that means the conflict is due to another reason, so the update of the conflicting user fails. If more than one users with these unique attributes are found, the update fails. **Possible values:**emails[0].value, userName, externalId Default value: emails[0].value, userName, externalId System Role: Target, Proxy |
SAP Commerce Cloud |
|
|
Makes the connector send a specified value for the Content-Type HTTP header. This is needed because a SCIM system could potentially not implement the protocol in the specification, which states that a system must accept application/scim+json as a value of the Content-Type header. Possible values: For example: application/json If the property is not specified, the default value is taken: application/scim+json System Role: Target, Proxy |
SAP Commerce Cloud |
|
|
Defines the threshold number of group members above which they are provisioned on batches with PATCH requests, and below which they are provisioned with PUT request. Setting this property allows you to avoid timeouts when updating groups with a large number of group members.
Possible values: integer Default value: 20 000 Minimum value: 1 Maximum value: 200 000 For example:
**System Role:**Target |
SAP Commerce Cloud |
|
|
If you set this property to true, Identity Provisioning will update only user members of a group in SAP Commerce Cloud target system. The update will be executed on batches via PATCH requests. This will preserve the group hierarchy with nested groups in the SAP Commerce Cloud backend. Possible values:
Default value: false System Role: Target |
SAP Commerce Cloud |
|
|
This property distinguishes SAP Market Communication for Utilities roles by specific prefix. It is an optional property which does not appear by default at system creation. Example value: You can use the example value or provide your own.
System Role: Source and Target |
SAP Market Communication for Utilities |
|
|
This property defines whether the current roles of a user to be preserved or overwritten by the Identity Provisioning service within the SAP Market Communication for Utilities target or proxy system. See also: Extended Explanation of the *user.roles.overwrite Properties Possible values:
Default value (if the property is missing during system creation): true Default value (if the property appears during system creation): false System Role: Target, Proxy |
SAP Market Communication for Utilities |
|
|
Enter OData filtering for reading roles in the SAP Market Communication for Utilities system. To learn what criteria you can use, see: OData URI Conventions → 4.5 Filter System Query Option System Role: Source, Proxy |
SAP Market Communication for Utilities |
|
|
This property indicates how many business roles (considered as groups) per page to be read from your SAP Market Communication for Utilities source system. Possible values: Integer number For example, if you set the property's value = 30, the Identity Provisioning will read 30 roles (groups) at once, then – another 30, and so on. System Role: Source, Proxy |
SAP Market Communication for Utilities |
|
|
In the event of archived (disabled) entities in a source SAP Market Communication for Utilities system, you can choose whether the provisioning jobs to continue reading such entities or to skip them. In the source systems, this property is activated by default. If you want to always read disabled entities, set the property to false, or delete it. Possible values:
Default value: true System Role: Source, Target, Proxy |
SAP Market Communication for Utilities |
|
|
Set this property to true if you want to enable bulk operations for provisioning entities. That means, the Identity Provisioning service can write, update, and delete multiple users or groups in a single request. For more information, see: APIs for Business User Management Possible values:
Default value: false System Role: Target |
SAP Market Communication for Utilities |
|
|
If you have enabled the bulk operations, you can use this property to set the number of users to be provisioned per request. Possible values: Default value: 20 Maximum value: 100 If you enter a number larger than 100, the service will replace it with the default value (20). System Role: Target |
SAP Market Communication for Utilities |
|
|
Handles the version of the API which is consumed by the SAP SuccessFactors system. Possible values:
Default value: 1 System Role: Source, Target, Proxy |
|
|
|
Enter the Company ID of your SAP SuccessFactors system. The Company ID is a short string of characters that identifies each SAP SuccessFactors system. It is like a username for your organization. All users of the same system share the same Company ID. This property must be configured if you what to use client certificate authentication for the communication between Identity Provisioning and SAP SuccessFactors. System Role: Source, Target, Proxy |
|
|
|
This property controls how modified users in the source system are updated in the target system.
Users can be updated in the target system in various cases, such as:
In the last two cases, it's possible to keep the entity in the target system – it will not be deleted but only disabled. To do this, use the Possible values:
Default value: false System Role: Target |
SAP SuccessFactors (using version 2 - SAP SuccessFactors Workforce SCIM API) |
|
|
Makes the connector send the If-Match HTTP header with a value of “*” for every request to the target system. This header could be used by a SCIM system for entity versioning. Possible values:
System Role: Target, Proxy |
SAP SuccessFactors (using version 2 - SAP SuccessFactors Workforce SCIM API) |
|
|
If the service tries to create a group that already exists in the target system, the creation will fail. In this case, the existing group only needs to be updated. This group can be found via search, based on an attribute (default or specific). To make the search filter by a specific attribute, specify this attribute as a value for the If the property is not specified, the search is done by the default attribute: displayName System Role: Target, Proxy |
SAP SuccessFactors (using version 2 - SAP SuccessFactors Workforce SCIM API) |
|
|
When the Identity Provisioning attempts to provision a user for the first time, it may detect that such a user already exists on the target system. Thus, the service needs to retrieve the entityId of the existing user via filtering by user unique attribute(s). This property defines by which unique attribute(s) the existing user to be searched (resolved). If the service finds such a user on the target system via this filter, then the conflicting user will overwrite the existing one. If the service does not find such a user, the creation will fail. According to your use case and system type, choose how to set up this property:
Possible values:
Default value: userName System Role: Target |
SAP SuccessFactors (using version 2 - SAP SuccessFactors Workforce SCIM API) |
|
|
This property makes the SAP SuccessFactors connector to send a specified value for the Content-Type HTTP header. This is needed because SAP SuccessFactors could potentially not implement the protocol in the specification, which states that a system must accept application/scim+json as a value of the Content-Type header. Possible values: For example: application/json Default value: application/scim+json System Role: Target, Proxy |
SAP SuccessFactors (using version 1 - SAP SuccessFactors HCM Suite OData API) |
|
|
Defines the threshold number of group members above which they are provisioned on batches with
Possible values: integer Default value: 20 000 Minimum value: 1 Maximum value: 200 000 For example:
System Role: Target |
SAP SuccessFactors (using version 2 - SAP SuccessFactors Workforce SCIM API) |
|
|
This property enables paging of group members. The maximum number of group members returned per request is 100. To read more than 100 group members, paging must be enabled. Possible values:
Default value: false System Role: Source, Proxy |
SAP SuccessFactors (using version 2 - SAP SuccessFactors Workforce SCIM API) |
|
|
If you set this property to true, Identity Provisioning will update only user members of a group in SAP SuccessFactors target system. The update will be executed on batches via PATCH requests. This will preserve the group hierarchy with nested groups in the SAP SuccessFactors backend. Possible values:
Default value: false System Role: Target |
SAP SuccessFactors (using version 2 - SAP SuccessFactors Workforce SCIM API) |
|
|
This property distinguishes SAP Analytics Cloud groups by specific prefix. It is an optional property which does not appear by default at system creation. Example value: You can use the example value or provide your own.
System Role: Source and Target |
SAP Analytics Cloud |
|
|
This property distinguishes SAP CPQ groups by specific prefix. It is an optional property which does not appear by default at system creation. Example value: You can use the example value or provide your own.
System Role: Source and Target |
SAP CPQ |
|
|
When specified, only those SAP CPQ users matching the filter expression will be read. Example: name.familyName eq "Smith" and addresses.country eq "US" System Role: Source, Proxy |
SAP CPQ |
|
|
This property distinguishes SAP BTP Account Members (Neo) groups by specific prefix. It is an optional property which does not appear by default at system creation. Example value: You can use the example value or provide your own.
System Role: Source and Target |
SAP BTP Account Members (Neo) |
|
|
When specified, only those SAP Sales Cloud and SAP Service Cloud users matching the filter expression will be read. SAP Sales Cloud and SAP Service Cloud is formerly known as SAP Cloud for Customer (in short, C4C). For example:
System Role: Source, Proxy |
SAP Sales Cloud and SAP Service Cloud |
|
|
When specified, only those SAP Sales Cloud and SAP Service Cloud groups matching the filter expression will be read. SAP Sales Cloud and SAP Service Cloud is formerly known as SAP Cloud for Customer (in short, C4C). Example: displayName eq "ProjectTeam1" System Role: Source, Proxy |
SAP Sales Cloud and SAP Service Cloud |
|
|
This property distinguishes SAP BTP XS Advanced UAA (Cloud Foundry) groups by specific prefix. It is an optional property which does not appear by default at system creation. Example value: You can use the example value or provide your own.
System Role: Source and Target |
SAP BTP XS Advanced UAA (Cloud Foundry) |
|
|
This property controls how modified entities (users and groups) in the source system are updated in the target system.
Users and groups can be updated in the target system in various cases, such as:
In the last two cases, it's possible to keep the entity in the target system – it will not be deleted but only disabled. To do this, use the Possible values:
Default value for proxy systems: true Default value for target systems: false System Role: Target, Proxy |
SAP Build Work Zone, standard edition |
|
|
Defines the version of SAP Analytics Cloud SCIM API. Possible values:
Default value: 1 System Role: Source, Target, Proxy |
SAP Analytics Cloud |
|
|
This property controls how modified entities (users and groups) in the source system are updated in the target system.
Possible values:
Default value: false System Role: Target, Proxy |
SAP Analytics Cloud |
|
|
This property makes the SAP Analytics Cloud connector send the If-Match HTTP header with a value of “*” for every request to the target system. The header could be used by an SAP Analytics Cloud system for entity versioning.
Possible values:
Default value: false System Role: Target, Proxy |
SAP Analytics Cloud |
|
|
If the Identity Provisioning tries to create a group that already exists in the SAP Analytics Cloud target system, the creation will fail. In this case, the existing group only needs to be updated. This group can be found via search, based on an attribute (default or specific). To make the search filter by a specific attribute, specify this attribute as a value for this property.
Possible values: Default value: displayName If the property is not specified, the search is done by the default attribute: System Role: Target, Proxy |
SAP Analytics Cloud |
|
|
When the Identity Provisioning attempts to provision a user for the first time, it may detect that such a user already exists in SAP Analytics Cloud. Thus, the service needs to retrieve the entityId of the existing user via filtering by user unique attribute(s). This property defines by which unique attribute(s) the existing user to be searched (resolved). According to your use case, choose how to set up this property:
Possible values:
Default value: userName System Role: Target, Proxy |
SAP Analytics Cloud |
|
|
Makes the connector send a specified value for the Content-Type HTTP header. This is needed because a SCIM system could potentially not implement the protocol in the specification, which states that a system must accept application/scim+json as a value of the Content-Type header.
Possible values: For example: application/json If the property is not specified, the default value is taken: application/scim+json System Role: Target, Proxy |
SAP Analytics Cloud |
|
|
When specified, only those SAP Analytics Cloud users matching the filter expression will be read.
Possible values: For example: userName eq "SmithJ" System Role: Source |
SAP Analytics Cloud |
|
|
When specified, only those SAP Analytics Cloud groups matching the filter expression will be read.
Possible values: For example: displayName eq "ProjectTeam1" System Role: Source |
SAP Analytics Cloud |
|
|
Defines the threshold number of group members above which they are provisioned on batches with PATCH requests, and below which they are provisioned with PUT request. Setting this property allows you to avoid timeouts when updating groups with a large number of group members.
Possible values: integer Default value: 20 000 Minimum value: 1 Maximum value: 200 000 For example:
System Role: Target |
SAP Analytics Cloud |
|
|
If you set this property to true, Identity Provisioning will update only user members of a group in SAP Analytics Cloud target system. The update will be executed on batches via PATCH requests. This will preserve the group hierarchy with nested groups in the SAP Analytics Cloud backend.
Possible values:
Default value: false System Role: Target |
SAP Analytics Cloud |
|
|
When specified, only those SAP Enterprise Portal users matching the filter expression will be read. For more information, see Filtering. |
SAP Enterprise Portal |
|
|
When specified, only those SAP Enterprise Portal groups matching the filter expression will be read. For more information, see Filtering. |
SAP Enterprise Portal |
|
|
When specified, only those SAP Business Network users matching the filter expression will be read. Possible values:
System Role: Source |
SAP Business Network |
|
|
When specified, only those SAP Business Network groups matching the filter expression will be read. Possible values: displayName eq "Employees" System Role: Source |
SAP Business Network |
|
|
If Identity Provisioning tries to provision a user that already exists in the target system (a conflicting user), this property defines the unique attributes by which the existing user will be searched and resolved. The property is not added automatically at system creation. Default value: userName If the service finds an existing user by userName, it updates this user with the data of the conflicting one. If the service does not find an existing user by userName, the creation of the conflicting user fails. System Role: Target, Proxy |
SAP Business Network |
|
|
Makes the connector send the Possible values:
Default value: false System Role: Target, Proxy |
SAP Business Network |
|
|
This property controls how modified entities (users and groups) in the source system are updated in the target system.
Users and groups can be updated in the target system in various cases, such as:
In the last two cases, it's possible to keep the entity in the target system – it will not be deleted but only disabled. To do this, use the Possible values:
Default value for proxy systems: true Default value for target systems: false System Role: Target, Proxy |
SAP Business Network |
|
|
This property makes SAP Business Network connector to send a specified value for the Content-Type HTTP header. This is needed because SAP Business Network could potentially not implement the protocol in the specification, which states that a system must accept application/scim+json as a value of theContent-Type header. Possible values: For example: application/json Default value: application/scim+json System Role: Target, Proxy |
SAP Business Network |
|
|
An API Key represents the unique key that identifies a particular application as a legitimate consumer of an API. **System Role:**Source, Target, Proxy |
SAP Business Network |
|
|
The realm name is part of the URL you use to access SAP Business Network. **System Role:**Source, Target, Proxy |
SAP Business Network |
|
|
Specifies the time zone of SAP Application Server ABAP on-premise systems. The value is used for calculating the correct assignments validity in case your SAP AS ABAP and Identity Provisioning tenant are running in different time zones. Possible values: The value should be provided in the following format: Internet Assigned Numbers Authority (IANA) Time Zone database format is also supported. For more information, see RFC 6557: Procedures for Maintaining the Time Zone Database. System Role: Source |
SAP Application Server ABAP |
|
|
When the Identity Provisioning attempts to provision a user for the first time, it may detect that such a user already exists in Procurement Data Warehouse. Thus, the service needs to retrieve the entityId of the existing user via filtering by user unique attribute(s). This property defines by which unique attribute(s) the existing user to be searched (resolved). According to your use case, choose how to set up this property:
Default value: userName Possible values:
System Role: Target, Proxy |
Procurement Data Warehouse |
|
|
This property distinguishes procurement data warehouse groups by specific prefix. It is an optional property which does not appear by default at system creation. Example value: You can use the example value or provide your own.
If the property is not set, the procurement data warehouse groups will be read and provisioned to the target system with their actual display names. System Role: Source, Target |
Procurement Data Warehouse |
|
|
Set this property to true if you want to enable SCIM bulk operations for provisioning users. That means, the Identity Provisioning service can write, update, and delete a potentially large collection of users in a single request. For more information, see: SCIM Protocol: Bulk Operations If not specified, the default value is false.
System Role: Target |
Procurement Data Warehouse |
|
|
If you have enabled the SCIM bulk operations, you can use this property to set the number of users to be provisioned per request. Default value:
System Role: Target |
Procurement Data Warehouse |
|
|
When specified, only those procurement data warehouse users matching the filter expression will be read. For example:
System Role: Source |
Procurement Data Warehouse |
|
|
Makes the connector send a specified value for the Content-Type HTTP header. This is needed because a SCIM system could potentially not implement the protocol in the specification, which states that a system must accept application/scim+json as a value of the Content-Type header. Possible values: For example: application/json If the property is not specified, the default value is taken: application/scim+json System Role: Target, Proxy |
Procurement Data Warehouse |
|
|
When specified, only those SAP Advanced Financial Closing groups matching the filter expression will be read. Supported operators: Possible values: For example: displayName eq "Administrators" System Role: Source, Proxy |
SAP Advanced Financial Closing |
|
|
When specified, only those SAP Advanced Financial Closing users matching the filter expression will be read. Supported operators: Possible values: For example:
System Role: Source, Proxy |
SAP Advanced Financial Closing |
|
|
This property makes a SAP Advanced Financial Closing connector to send a specified value for the Content-Type HTTP header. This is needed because SAP Advanced Financial Closing could potentially not implement the protocol in the specification, which states that a system must accept application/scim+json as a value of theContent-Type header. Possible values: For example: application/json Default value: application/scim+json System Role: Target, Proxy |
SAP Advanced Financial Closing |
|
|
If the Identity Provisioning tries to create a group that already exists on the SAP Advanced Financial Closing target system, the creation will fail. In this case, the existing group only needs to be updated. This group can be found via search, based on an attribute (default or specific). To make the search filter by a specific attribute, specify this attribute as a value for this property. Possible values: Default value: displayName If the property is not specified, the search is done by the default attribute: displayName System Role: Target, Proxy |
SAP Advanced Financial Closing |
|
|
Makes the SAP Advanced Financial Closing connector send the If-Match HTTP header with a value of “*” for every request to the target system. This header could be used by an SAP Advanced Financial Closing system for entity versioning. Possible values:
Default value: false System Role: Target, Proxy |
SAP Advanced Financial Closing |
|
|
This property controls how modified entities (users and groups) in the source system are updated in the target system.
Possible values:
Default value: false System Role: Target, Proxy |
SAP Advanced Financial Closing |
|
|
If Identity Provisioning tries to provision a user that already exists in the SAP Advanced Financial Closing target system (a conflicting user), this property defines the unique attributes by which the existing user will be searched and resolved. According to your use case, choose how to set up this property:
Possible values:
Default value: userName System Role: Target, Proxy |
SAP Advanced Financial Closing |
|
|
This property distinguishes SAP Advanced Financial Closing groups by specific prefix. It is an optional property which does not appear by default at system creation. Example value: You can use the example value or provide your own.
System Role: Source and Target |
SAP Advanced Financial Closing |
|
|
This property distinguishes the groups of a given provisioning system by specific prefix that you provide. It is optional and does not appear by default at system creation.
System Role: Source and Target |
SAP S/4HANA for procurement planning |
|
|
If Identity Provisioning tries to provision a user that already exists in the SAP S/4HANA Cloud target system (a conflicting user), this property defines the unique attributes by which the existing user will be searched and resolved.
According to your use case, choose how to set up this property:
Possible values:
Default value: personExternalID System Role: Target, Proxy |
SAP S/4HANA Cloud |
|
|
If Identity Provisioning tries to provision a user that already exists in the SAP S/4HANA On-Premise target system (a conflicting user), this property defines the unique attributes by which the existing user will be searched and resolved. According to your use case, choose how to set up this property:
Possible values:
Default value: personExternalID System Role: Target, Proxy |
SAP S/4HANA On-Premise |
|
|
If Identity Provisioning tries to provision a user that already exists in the SAP Integrated Business Planning for Supply Chain target system (a conflicting user), this property defines the unique attributes by which the existing user will be searched and resolved. According to your use case, choose how to set up this property:
Possible values:
Default value: personExternalID System Role: Target, Proxy |
SAP Integrated Business Planning for Supply Chain |
|
|
If Identity Provisioning tries to provision a user that already exists in the SAP Market Communication for Utilities target system (a conflicting user), this property defines the unique attributes by which the existing user will be searched and resolved. According to your use case, choose how to set up this property:
Possible values:
Default value: personExternalID System Role: Target, Proxy |
SAP Market Communication for Utilities |
|
|
If Identity Provisioning tries to provision a user that already exists in the SAP Marketing Cloud target system (a conflicting user), this property defines the unique attributes by which the existing user will be searched and resolved. According to your use case, choose how to set up this property:
Possible values:
Default value: personExternalID System Role: Target, Proxy |
SAP Marketing Cloud |
|
|
If Identity Provisioning tries to provision a user that already exists in the SAP BTP ABAP environment target system (a conflicting user), this property defines the unique attributes by which the existing user will be searched and resolved. According to your use case, choose how to set up this property:
Possible values:
Default value: personExternalID System Role: Target, Proxy |
SAP BTP ABAP environment |
|
|
This property distinguishes SAP Sales Cloud and SAP Service Cloud groups by specific prefix. It is an optional property which does not appear by default at system creation. Example value: You can use the example value or provide your own.
If the property is not set, the SAP Sales Cloud and SAP Service Cloud groups will be read and provisioned to the target system with their actual display names. System Role: Source, Target |
SAP Sales Cloud and SAP Service Cloud |
|
|
This property distinguishes SAP S/4HANA Cloud roles by specific prefix. It is an optional property which does not appear by default at system creation. Example value: You can use the example value or provide your own.
System Role: Source and Target |
SAP S/4HANA Cloud |
|
|
Use this property to control the number of users to be deleted in a target system by defining a threshold. This will prevent you from accidentally deleting a huge number of users, for example by adding a filter or condition. For more information, see Thresholds Prevent Unintended Deletion of Users when Provisioning with SAP Cloud Identity Services. The property is optional and is defined on the target systems only. It is not added at system creation. Its value must be greater than "0". Controlling the deletion works as follows:
As a result, expect the following behavior:
System Role: Target |
All systems |
|
|
Use this property to control the number of groups or group assignments to be deleted in a target system by defining a threshold. This will prevent you from accidentally deleting a huge number of groups or group assignments, for example by adding a filter or condition. For more information, see Thresholds Prevent Unintended Deletion of Users when Provisioning with SAP Cloud Identity Services. The property is optional and is defined on the target systems only. It is not added at system creation. Its value must be greater than "0". Controlling the deletion works as follows:
As a result, expect the following behavior:
System Role: Target |
|
|
|
Use this property to control the number of roles or user assignments of a role to be deleted in a target system by defining a threshold. This will prevent you from accidentally deleting a huge number of roles or user assignments of a role, for example by adding a filter or condition. For more information, see Thresholds Prevent Unintended Deletion of Users when Provisioning with SAP Cloud Identity Services. The property is optional and is defined on the target systems only. It is not added at system creation. Its value must be greater than "0". Controlling the deletion works as follows:
As a result, expect the following behavior:
System Role: Target |
SAP BTP ABAP environment SAP Application Server ABAP SAP Integrated Business Planning for Supply Chain SAP Market Communication for Utilities SAP Marketing Cloud SAP S/4HANA Cloud SAP S/4HANA On-Premise |
|
|
The domain name is the name of your SAP Advanced Workflow tenant. If you don't know your tenant name, contact your supervisor or administrator, or refer to the email notification you received when your account was created. System Role: Source, Target, Proxy |
SAP Advanced Workflow |
|
|
When specified, only those SAP Advanced Workflow users matching the filter expression will be read. Possible values:
System Role: Source |
SAP Advanced Workflow |
|
|
Makes the connector send the If-Match HTTP header with a value of “*” for every request to the target system. This header could be used by an SAP Advanced Workflow system for entity versioning. Possible values:
Default value: false System Role: Target, Proxy |
SAP Advanced Workflow |
|
|
This property controls how modified users in the source system are updated in the target system.
Users can be updated in the target system in various cases, such as:
In the last two cases, it's possible to keep the entity in the target system – it will not be deleted but only disabled. To do this, use the Possible values:
Default value: false System Role: Target, Proxy |
SAP Advanced Workflow |
|
|
When the Identity Provisioning attempts to provision a user for the first time, it may detect that such a user already exists in SAP Advanced Workflow. Thus, the service needs to retrieve the entityId of the existing user via filtering by user unique attribute(s). This property defines by which unique attribute(s) the existing user to be searched (resolved). Default behavior: This property is missing during system creation. Its default value is userName. That means, if the service finds an existing user by a userName, it updates this user with the data of the conflicting one. If a user with such а userName is not found, the creation of the conflicting user fails. Possible values: Default value: userName System Role: Target, Proxy |
SAP Advanced Workflow |
|
|
When specified, only those users matching the filter expression will be read. Possible values: For example: name.familyName eq "SmithJ" System Role: Source, Proxy |
SAP Ariba Central Invoice Management |
|
|
When specified, only those groups matching the filter expression will be read. Possible values: For example: displayName eq "ProjectTeam1" System Role: Source, Proxy |
SAP Ariba Central Invoice Management |
|
|
When the Identity Provisioning attempts to provision a user for the first time, it may detect that such a user already exists in SAP Ariba Central Invoice Management. Thus, the service needs to retrieve the entityId of the existing user via filtering by user unique attribute(s). This property defines by which unique attribute(s) the existing user to be searched (resolved). According to your use case, choose how to set up this property:
Possible values:
Default value: userName System Role: Target, Proxy |
SAP Ariba Central Invoice Management |
|
|
If the Identity Provisioning tries to create a group that already exists on the SAP Central Invoice Management target system, the creation will fail. In this case, the existing group only needs to be updated. This group can be found via search, based on an attribute (default or specific). To make the search filter by a specific attribute, specify this attribute as a value for this property. Possible values: Default value (when not specified): displayName If the property is not specified, the search is done by the default attribute: displayName System Role: Target, Proxy |
SAP Ariba Central Invoice Management |
|
|
This property controls how modified users in the source system are updated in the target system.
Users can be updated in the target system in various cases, such as:
In the last two cases, it's possible to keep the entity in the target system – it will not be deleted but only disabled. To do this, use the Possible values:
Default value: false System Role: Target, Proxy |
SAP Ariba Central Invoice Management |
|
|
Makes the SAP Central Invoice Management connector send the If-Match HTTP header with a value of “*” for every request to the target system. This header could be used by an SAP Central Invoice Management system for entity versioning. Possible values:
Default value: false System Role: Target, Proxy |
SAP Ariba Central Invoice Management |
|
|
This property makes a SAP Central Invoice Management connector to send a specified value for the Content-Type HTTP header. This is needed because SAP Central Invoice Management could potentially not implement the protocol in the specification, which states that a system must accept application/scim+json as a value of theContent-Type header. Possible values: For example: application/json Default value: application/scim+json System Role: Target, Proxy |
SAP Ariba Central Invoice Management |
|
|
This property distinguishes SAP Central Invoice Management groups by specific prefix. It is an optional property which does not appear by default at system creation. Example value: You can use the example value or provide your own.
System Role: Source and Target |
SAP Ariba Central Invoice Management |
|
|
This property sets the number of operations to be performed in one bulk request. Possible values: Default value: 20 Maximum value: 100 If you enter a number larger than 100, Identity Provisioning will replace it with the default value (20). System Role: Target |
SAP Ariba Central Invoice Management |
|
|
Set this property to true if you want to enable bulk operations for provisioning entities. That means, the Identity Provisioning service can write, update, and delete multiple users or groups in a single request. For more information, see: User Management (SCIM) for SAP Ariba Central Invoice Management Possible values:
Default value: false System Role: Target |
SAP Ariba Central Invoice Management |
|
|
When specified, only those SAP SuccessFactors Employee Central Payroll users matching the filter expression will be read. Supported operators: eq (equal) and sw (starts with). For example:
System Role: Source, Proxy |
SAP SuccessFactors Employee Central Payroll |
|
|
When specified, only those groups matching the filter expression will be read. Supported operators: eq (equal) and sw (starts with). For example:
System Role: Source, Proxy |
SAP SuccessFactors Employee Central Payroll |
|
|
When the Identity Provisioning attempts to provision a user for the first time, it may detect that such a user already exists in SAP SuccessFactors Employee Central Payroll. Thus, the service needs to retrieve the entityId of the existing user via filtering by user unique attribute(s). This property defines by which unique attribute(s) the existing user to be searched (resolved). Default behavior: This property is missing during system creation. Its default value is userName. That means, if the service finds an existing user by a userName, it updates this user with the data of the conflicting one. If a user with such а userName is not found, the creation of the conflicting user fails. Possible values: userName System Role: Target, Proxy |
SAP SuccessFactors Employee Central Payroll |
|
|
If the Identity Provisioning tries to create a group that already exists on the SAP SuccessFactors Employee Central Payroll target system, the creation will fail. In this case, the existing group only needs to be updated. This group can be found via search, based on an attribute (default or specific). To make the search filter by a specific attribute, specify this attribute as a value for this property. Possible values: Default value (when not specified): displayName If the property is not specified, the search is done by the default attribute: displayName System Role: Target, Proxy |
SAP SuccessFactors Employee Central Payroll |
|
|
This property controls how modified users in the source system are updated in the target system.
Users can be updated in the target system in various cases, such as:
In the last two cases, it's possible to keep the entity in the target system – it will not be deleted but only disabled. To do this, use the Possible values:
Default value: false System Role: Target, Proxy |
SAP SuccessFactors Employee Central Payroll |
|
|
Makes the SAP SuccessFactors Employee Central Payroll connector send the If-Match HTTP header with a value of “*” for every request to the target system. This header could be used by an SAP SuccessFactors Employee Central Payroll system for entity versioning. Possible values:
Default value: false System Role: Target, Proxy |
SAP SuccessFactors Employee Central Payroll |
|
|
This property makes a SAP SuccessFactors Employee Central Payroll connector to send a specified value for the Content-Type HTTP header. This is needed because SAP SuccessFactors Employee Central Payroll could potentially not implement the protocol in the specification, which states that a system must accept application/scim+json as a value of theContent-Type header. Possible values: For example: application/json Default value: application/scim+json System Role: Target, Proxy |
SAP SuccessFactors Employee Central Payroll |
|
|
This property distinguishes SAP SuccessFactors Employee Central Payroll groups by specific prefix. It is an optional property which does not appear by default at system creation. Example value: You can use the example value or provide your own.
System Role: Source and Target |
SAP SuccessFactors Employee Central Payroll |
|
|
Use this property to specify the SAP client number (a three-digit number) of your SAP SuccessFactors Employee Central Payroll system. For example: |
SAP SuccessFactors Employee Central Payroll |
|
|
When specified, only those SAP Ariba Category Management users matching the filter expression will be read. Supported operators: eq (equal) and sw (starts with). For example:
System Role: Source, Proxy |
SAP Ariba Category Management |
|
|
When the Identity Provisioning attempts to provision a user for the first time, it may detect that such a user already exists in SAP Ariba Category Management. Thus, the service needs to retrieve the entityId of the existing user via filtering by user unique attributes. This property defines by which unique attributes the existing user to be searched and resolved. SAP Ariba Category Management supports two user unique attributes for managing conflict resolution: username and email. The username is a mandatory attribute, while the email is an optional, multivalue attribute, indicating that a user may have multiple unique emails. According to your use case, choose how to set up this property:
Possible values:
Default value: userName System Role: Target, Proxy |
SAP Ariba Category Management |
|
|
This property controls how modified users in the source system are updated in the target system.
Users can be updated in the target system in various cases, such as:
In the last two cases, it's possible to keep the entity in the target system – it will not be deleted but only disabled. To do this, use the Possible values:
Default value: false System Role: Target, Proxy |
SAP Ariba Category Management |
|
|
Makes the SAP Ariba Category Management connector send the If-Match HTTP header with a value of “*” for every request to the target system. This header could be used by an SAP Ariba Category Management system for entity versioning. Possible values:
Default value: false System Role: Target, Proxy |
SAP Ariba Category Management |
|
|
This property makes a SAP Ariba Category Management connector to send a specified value for the Content-Type HTTP header. This is needed because SAP Ariba Category Management could potentially not implement the protocol in the specification, which states that a system must accept application/scim+json as a value of theContent-Type header. Possible values: For example: application/json Default value: application/scim+json System Role: Target, Proxy |
SAP Ariba Category Management |
|
|
When specified, only those SAP HANA Cloud, SAP HANA Database groups matching the filter expression will be read. For example: displayName eq "ProjectTeam1" System Role: Source, Proxy |
SAP HANA Cloud, SAP HANA Database |
|
|
When specified, only those SAP HANA Cloud, SAP HANA Database users matching the filter expression will be read. For example: userName eq "SmithJ" System Role: Source, Proxy |
SAP HANA Cloud, SAP HANA Database |
|
|
This property makes a SAP HANA Cloud, SAP HANA Database connector to send a specified value for the Content-Type HTTP header. This is needed because SAP HANA Cloud, SAP HANA Database could potentially not implement the protocol in the specification, which states that a system must accept application/scim+json as a value of theContent-Type header. Possible values: For example: application/json Default value: application/scim+json System Role: Target, Proxy |
SAP HANA Cloud, SAP HANA Database |
|
|
If the Identity Provisioning tries to create a group that already exists on the SAP HANA Cloud, SAP HANA Database target system, the creation will fail. In this case, the existing group only needs to be updated. This group can be found via search, based on an attribute (default or specific). To make the search filter by a specific attribute, specify this attribute as a value for this property. Possible values: Default value (when not specified): displayName If the property is not specified, the search is done by the default attribute: displayName System Role: Target, Proxy |
SAP HANA Cloud, SAP HANA Database |
|
|
Makes the SAP HANA Cloud, SAP HANA Database connector send the If-Match HTTP header with a value of “*” for every request to the target system. This header could be used by an SAP HANA Cloud, SAP HANA Database system for entity versioning. Possible values:
Default value: false System Role: Target, Proxy |
SAP HANA Cloud, SAP HANA Database |
|
|
This property controls how modified users in the source system are updated in the target system.
Users can be updated in the target system in various cases, such as:
In the last two cases, it's possible to keep the entity in the target system – it will not be deleted but only disabled. To do this, use the Possible values:
Default value: false System Role: Target, Proxy |
SAP HANA Cloud, SAP HANA Database |
|
|
When the Identity Provisioning attempts to provision a user for the first time, it may detect that such a user already exists in SAP HANA Cloud, SAP HANA Database. Thus, the service needs to retrieve the entityId of the existing user via filtering by user unique attribute(s). This property defines by which unique attribute(s) the existing user to be searched (resolved). According to your use case, choose how to set up this property:
Possible values:
Default value: userName System Role: Target, Proxy |
SAP HANA Cloud, SAP HANA Database |
|
|
Specifies the method by which users authenticate when connecting to the database. Possible values: JWT ( Users authenticate via JWT tokens issued by an identity provider.) System Role: Target |
SAP HANA Cloud, SAP HANA Database |
|
|
Refers to a unique identifier associated with a specific database instance within the SAP HANA Cloud. System Role: Source, Target |
SAP HANA Cloud, SAP HANA Database |
|
|
Refers to the type of instance being configured or used within the SAP HANA Cloud. The value is set to hdb at system creation. System Role: Source, Target |
SAP HANA Cloud, SAP HANA Database |
|
|
Specifies the identity provider (IdP) that is responsible for handling authentication requests. System Role: Target |
SAP HANA Cloud, SAP HANA Database |
|
|
(Optional) This property distinguishes SAP HANA Cloud, SAP HANA Database groups by specific prefix. It is an optional property which does not appear by default at system creation. Example value: You can use the example value or provide your own.
System Role: Source, Target |
SAP HANA Cloud, SAP HANA Database |
|
|
When specified, only those SAP Enable Now users matching the filter expression will be read. Possible values: For example: userName eq "SmithJ" **System Role:**Source, Proxy |
SAP Enable Now |
|
|
When specified, only those SAP Enable Now groups matching the filter expression will be read. Possible values: For example: displayName eq "ProjectTeam1" System Role: Source |
SAP Enable Now |
|
|
This property makes a SAP Enable Now connector to send a specified value for the Content-Type HTTP header. This is needed because SAP Enable Now could potentially not implement the protocol in the specification, which states that a system must accept application/scim+json as a value of theContent-Type header. Possible values: For example: application/json Default value: application/scim+json System Role: Target, Proxy |
SAP Enable Now |
|
|
If Identity Provisioning tries to provision a user that already exists in the target system (a conflicting user), this property defines the unique attributes by which the existing user will be searched and resolved. The property is not added automatically at system creation. Default value: userName If the service finds an existing user by userName, it updates this user with the data of the conflicting one. If the service does not find an existing user by userName, the creation of the conflicting user fails. System Role: Target, Proxy |
SAP Enable Now |
|
|
If the Identity Provisioning tries to create a group that already exists on the SAP Enable Now target system, the creation will fail. In this case, the existing group only needs to be updated. This group can be found via search, based on an attribute (default or specific). To make the search filter by a specific attribute, specify this attribute as a value for this property. Possible values: Default value (when not specified): displayName If the property is not specified, the search is done by the default attribute: displayName System Role: Target, Proxy |
SAP Enable Now |
|
|
Makes the SAP Enable Now connector send the If-Match HTTP header with a value of “*” for every request to the target system. This header could be used by an SAP Enable Now system for entity versioning. Possible values:
Default value: false System Role: Target, Proxy |
SAP Enable Now |
|
|
This property controls how modified users in the source system are updated in the target system.
Users can be updated in the target system in various cases, such as:
In the last two cases, it's possible to keep the entity in the target system – it will not be deleted but only disabled. To do this, use the Possible values:
Default value: false System Role: Target |
SAP Enable Now |
|
|
(Optional) This property distinguishes SAP Enable Now groups by specific prefix. It is an optional property which does not appear by default at system creation. Example value: You can use the example value or provide your own.
System Role: Source, Target |
SAP Enable Now |