Follow this procedure to set up SAP Ariba Central Invoice Management as a target system.
This system is available for bundle tenants running on SAP Cloud Identity infrastructure and standalone tenants running on SAP Cloud Identity infrastructure and SAP BTP, Neo environment. Bundle tenants running on Neo environment can use it only through SAP Identity Access Governance bundle option.
You have created an instance and generated a service key for the scim service plan of SAP Ariba Central Invoice Management. This step is automated by the booster Set Up SAP Ariba Central Invoice Management. For more information, see Setting Up Invoice Processing with SAP Ariba Central Invoice Management (4N6) –> Set up Configuration Using Booster in SAP BTP Cockpit.
SAP Ariba Central Invoice Management is an SAP BTP SaaS application running on SAP BTP, Cloud Foundry environment. This application enables central management of supplier invoices from multiple connected systems, such as SAP S/4HANA Cloud systems. You can use Identity Provisioning to configure SAP Ariba Central Invoice Management as a target system where you can provision users and groups from source systems.
-
Access the Identity Provisioning UI.
-
Sign in to the administration console of SAP Cloud Identity Services and navigate to Identity Provisioning > Target Systems.
-
Add SAP Ariba Central Invoice Management as a target system. For more information, see Add New Systems.
-
Choose the Properties tab to configure the connection settings for your system.
If your tenant is running on SAP BTP, Neo environment, you can create a connectivity destination in your subaccount in the SAP BTP cockpit, and then select it from the Destination Name combo box in your Identity Provisioning User Interface.
If one and the same property exists both in the cockpit and in the Properties tab, the value set in the Properties tab is considered with higher priority.
We recommend that you use the Properties tab. Use a connectivity destination only if you need to reuse one and the same configuration for multiple provisioning systems.
Mandatory Properties
Property Name
Value
TypeEnter: HTTP
URLEnter the URL provided by the service key under the ips-connector field without adding the path information.
For example:
https://eu10.cim.cloud.sapProxyTypeEnter: Internet
AuthenticationEnter: BasicAuthentication
UserEnter the value from the clientid field of the service key.
Password(Credential) Enter the value from the clientsecret field of the service key.
OAuth2TokenServiceURLEnter the OAuth 2.0 Token Service URL. This is the value from the url field of the service key plus
/oauth/tokenFor example:
https://<my tenant>.authentication.eu10.hana.ondemand.com/oauth/token(Optional)
cim.user.unique.attributeIf Identity Provisioning tries to provision a user that already exists in the target system (a conflicting user), this property defines the unique attributes by which the existing user will be searched and resolved. The property is not added automatically at system creation.
Possible values:
- userName - default value
- emails[*].value
- userName,emails[*].value
For more information, see: List of Properties
(Optional)
cim.group.prefixThis property distinguishes SAP Ariba Central Invoice Management groups by specific prefix. It is an optional property which does not appear by default at system creation.
Example value:
CIM_You can use the example value or provide your own.
When set in the target system, only groups containing the
CIM_prefix in their display name will be provisioned to SAP Ariba Central Invoice Management. Groups without this prefix in the display name won't be provisioned.If the property is not set, all groups will be be provisioned to SAP Ariba Central Invoice Management.
(Optional)
ips.delete.threshold.groupsUse this property to control the number of groups to be deleted in a target system by defining a threshold. This will prevent you from accidentally deleting a huge number of groups, for example by adding a filter or condition.
For more information, see: List of Properties
(Optional)
ips.delete.threshold.usersUse this property to control the number of users to be deleted in a target system by defining a threshold. This will prevent you from accidentally deleting a huge number of users, for example by adding a filter or condition.
For more information, see: List of Properties
To learn what additional properties are relevant to this system, see List of Properties. You can use the main search, or filter properties by the Name or System Type columns.
-
Configure the transformations.
Transformations are used to map the user attributes from the data model of the source system to the data model of the target system, and the other way around. The Identity Provisioning offers a default transformation for the SAP Ariba Central Invoice Management target system, whose settings are displayed under the Transformations tab after saving its initial configuration.
You can change the default transformation mapping rules to reflect your current setup of entities in your SAP Ariba Central Invoice Management system. For more information, see:
User Management (SCIM) for SAP Ariba Central Invoice Management
Mapping logic – The behavior of the default transformation logic is to map all attributes from the internal SCIM representation to the target SAP Ariba Central Invoice Management entity.
Default transformation:
{ "user": { "mappings": [ { "constant": [ "urn:ietf:params:scim:schemas:core:2.0:User" ], "preserveArrayWithSingleElement": true, "targetPath": "$.schemas" }, { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.id" }, { "sourcePath": "$.userName", "targetPath": "$.userName" }, { "sourcePath": "$.externalId", "targetPath": "$.externalId", "optional": true }, { "sourcePath": "$.name.givenName", "targetPath": "$.name.givenName", "optional": true }, { "sourcePath": "$.name.middleName", "targetPath": "$.name.middleName", "optional": true }, { "sourcePath": "$.name.familyName", "targetPath": "$.name.familyName", "optional": true }, { "sourcePath": "$.name.formatted", "targetPath": "$.name.formatted", "optional": true }, { "sourcePath": "$.name.honorificPrefix", "targetPath": "$.name.honorificPrefix", "optional": true }, { "sourcePath": "$.name.honorificSuffix", "targetPath": "$.name.honorificSuffix", "optional": true }, { "sourcePath": "$.emails", "preserveArrayWithSingleElement": true, "optional": true, "targetPath": "$.emails" }, { "sourcePath": "$.active", "targetPath": "$.active", "optional": true }, { "sourcePath": "$.displayName", "targetPath": "$.displayName", "optional": true }, { "sourcePath": "$.nickName", "targetPath": "$.nickName", "optional": true }, { "sourcePath": "$.profileUrl", "targetPath": "$.profileUrl", "optional": true }, { "sourcePath": "$.title", "targetPath": "$.title", "optional": true }, { "sourcePath": "$.userType", "targetPath": "$.userType", "optional": true }, { "sourcePath": "$.preferedLanguage", "targetPath": "$.preferredLanguage", "optional": true }, { "sourcePath": "$.locale", "targetPath": "$.locale", "optional": true }, { "sourcePath": "$.timezone", "targetPath": "$.timezone", "optional": true } ] }, "group": { "condition": "('%cim.group.prefix%' === 'null') || ($.displayName =~ /%cim.group.prefix%.*/)", "mappings": [ { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.id" }, { "constant": [ "urn:ietf:params:scim:schemas:core:2.0:Group" ], "targetPath": "$.schemas" }, { "sourcePath": "$.externalId", "targetPath": "$.externalId", "optional": true }, { "sourcePath": "$.displayName", "targetPath": "$.displayName", "functions": [ { "condition": "('%cim.group.prefix%' !== 'null') && (@ =~ /%cim.group.prefix%.*/)", "function": "replaceFirstString", "regex": "%cim.group.prefix%", "replacement": "" } ] }, { "sourcePath": "$.members[*].value", "preserveArrayWithSingleElement": true, "optional": true, "targetPath": "$.members[?(@.value)]", "functions": [ { "function": "resolveEntityIds" } ] } ] } } -
Add a source system from which to read users. Choose from: Source Systems
- Before starting a provisioning job, you can first subscribe for e-mail notifications from the source system you use in your scenario. This way, you will be notified by e-mail about eventual failed entities during the jobs. For more information, see Manage Job Notifications.
- Now, start an identity provisioning job. For more information, see Monitor Provisioning Job Logs.
Related Information