Follow this procedure to set up SAP BTP ABAP environment as a source system.
To establish the connection between Identity Provisioning and SAP BTP ABAP environment, you need to set up the communication (user, system and arrangement) on SAP BTP ABAP environment. You have the option to do it either now, as a prerequisite, or while configuring SAP BTP ABAP environment as a source system, as described in step 3.
You can use SAP BTP ABAP environment as a source system, that is, read entities from it and provision them to a target system. This scenario supports reading business users (Employee), user assignments, and business roles (which are treated as groups).
1. Access the Identity Provisioning UI.
   a. Sign in to the administration console of SAP Cloud Identity Services and navigate to Identity Provisioning > Source Systems.
2. Add SAP BTP ABAP environment as a source system. For more information, see Add New Systems.
3. Set up the communication between Identity Provisioning and SAP BTP ABAP environment and configure your authentication method (basic or certificate-based).
   We recommend that you use certificate-based authentication.
   a. In your newly added SAP BTP ABAP environment source system, select the Certificate tab and choose Generate > Download, as described in Generate and Manage Certificates for Outbound Connection.
      Skip step a. if you want to use basic authentication.
   The next steps are performed in the SAP BTP ABAP environment backend system and are relevant for both basic and certificate-based authentication.
   b. Create a communication user and provide the respective credentials.
      For basic authentication, provide User Name and Password.
      For certificate-based authentication, upload the certificate you generated in the Identity Provisioning UI in the previous step.
   c. Create a communication system and assign the created user to it.
      For your Identity Provisioning scenario, provide System ID, System Name and Host Name.
   d. Create a communication arrangement with the created system.
      For your Identity Provisioning scenario, choose Scenario ID SAP_COM_0193 (SAP Cloud Identity Provisioning Integration).
      For more information, see Maintain a Communication Arrangement for Inbound Communication.
      The communication scenario SAP_COM_0193 is enhanced to support the User UUID attribute, which is generated by Identity Authentication at user creation.
      The User UUID is a universally unique identifier. This attribute is immutable and unique across technology layers, such as user interface, APIs, and security tokens, as well as across products and lines of business contributing to a business process in the Intelligent Enterprise.
4. Choose the Properties tab to configure the connection settings for your system.
   If your tenant is running on SAP BTP, Neo environment, you can create a connectivity destination in your subaccount in the SAP BTP cockpit, and then select it from the Destination Name combo box in the Identity Provisioning user interface.
   If one and the same property exists both in the cockpit and in the Properties tab, the value set in the Properties tab takes precedence.
   We recommend that you use the Properties tab. Use a connectivity destination only if you need to reuse one and the same configuration for multiple provisioning systems.
Mandatory Properties

Property Name        Description & Value

Type
    Enter: HTTP

URL
    Specify the API URL to your SAP BTP ABAP environment system.
    You can take the URL from the communication scenario SAP_COM_0193.

ProxyType
    Enter: Internet

Authentication
    Enter your authentication method:
    - BasicAuthentication
    - ClientCertificateAuthentication

User
    Valid if BasicAuthentication is configured as authentication method.
    Enter the User Name from the communication arrangement.
    Do not use the special symbol ',' (comma), as it is not supported.

Password (Credential)
    Valid if BasicAuthentication is configured as authentication method.
    Enter the Password for the user name from the communication arrangement.
    Do not use the special symbol ',' (comma), as it is not supported.

a4c.skip.read.archived
    If there are archived (disabled) entities in a source SAP BTP ABAP environment system, choose whether provisioning jobs should continue reading such entities or skip them.
    This property is enabled by default. If you want to always read disabled entities, set the property to false, or delete it.

ips.date.variable.format
    Enter: yyyy-MM-dd

a4c.roles.filter (Optional)
    Enter an OData filter for reading roles from the SAP BTP ABAP environment system.
    To learn what criteria you can use, see: OData URI Conventions → 4.5 Filter System Query Option

a4c.roles.page.size (Optional)
    Indicate how many business roles (treated as groups) per page are to be read from your SAP BTP ABAP environment system.
    The value must be an integer number.
To learn what additional properties are relevant to this system, see List of Properties. You can use the main search, or filter properties by the Name or System Type columns.
Exemplary destination:

Type=HTTP
Authentication=BasicAuthentication
ProxyType=Internet
URL=https://12345-aaaaa-3333.abap.hana.ondemand.com
User=MyABAPEnvUser
Password=************
ips.date.variable.format=yyyy-MM-dd
a4c.skip.read.archived=true
a4c.roles.filter=startswith(ID, 'EMPLOYEE_LEVEL_3') eq true
a4c.roles.page.size=30
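The following pre-flight check is an added example, not Identity Provisioning or SAP code. It parses a key=value listing of the kind shown in the exemplary destination and checks it against the constraints stated in the property table: Type HTTP, ProxyType Internet, one of the two Authentication values, User and Password present for BasicAuthentication and free of commas, a true/false a4c.skip.read.archived and an integer a4c.roles.page.size. The function names (parse_properties, check_properties, check_listing, redacted), the two listings and the https-only URL check are assumptions introduced here; the page itself only says "API URL".

```python
"""Added pre-flight check for the source-system properties (example code, not
Identity Provisioning or SAP code). Parses a key=value listing such as the
exemplary destination and reports violations of the rules this page states.
The https-only URL check is an added assumption, not a rule from the page."""

MANDATORY = ("Type", "URL", "ProxyType", "Authentication",
             "a4c.skip.read.archived", "ips.date.variable.format")
AUTH_METHODS = ("BasicAuthentication", "ClientCertificateAuthentication")

# Constructed listing in the form of the page's exemplary destination.
EXAMPLE_DESTINATION = """\
Type=HTTP
Authentication=BasicAuthentication
ProxyType=Internet
URL=https://12345-aaaaa-3333.abap.hana.ondemand.com
User=MyABAPEnvUser
Password=************
ips.date.variable.format=yyyy-MM-dd
a4c.skip.read.archived=true
a4c.roles.filter=startswith(ID, 'EMPLOYEE_LEVEL_3') eq true
a4c.roles.page.size=30
"""

# Constructed listing with several deliberate mistakes (no ProxyType, plain http,
# comma in User, no Password, non-boolean skip flag, non-integer page size).
BAD_DESTINATION = """\
Type=HTTP
Authentication=BasicAuthentication
URL=http://12345-aaaaa-3333.abap.hana.ondemand.com
User=first,last
ips.date.variable.format=yyyy-MM-dd
a4c.skip.read.archived=yes
a4c.roles.page.size=thirty
"""


def parse_properties(text):
    """Parse 'key=value' lines; only the first '=' splits, so values may contain '='."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a key=value line: {line!r}")
        props[key.strip()] = value.strip()
    return props


def check_properties(props):
    """Return a list of problems; an empty list means the listing passes all checks."""
    problems = [f"missing mandatory property {k}" for k in MANDATORY if k not in props]
    if props.get("Type", "HTTP") != "HTTP":
        problems.append("Type must be HTTP")
    if props.get("ProxyType", "Internet") != "Internet":
        problems.append("ProxyType must be Internet")
    auth = props.get("Authentication")
    if auth is not None and auth not in AUTH_METHODS:
        problems.append(f"Authentication must be one of {AUTH_METHODS}")
    if auth == "BasicAuthentication":
        # User and Password are only meaningful (and only required) for basic auth.
        for k in ("User", "Password"):
            value = props.get(k)
            if not value:
                problems.append(f"{k} is required for BasicAuthentication")
            elif "," in value:
                problems.append(f"{k} must not contain ',' (comma is not supported)")
    url = props.get("URL")
    if url is not None and not url.startswith("https://"):
        # Added assumption: a basic-auth credential must only travel over TLS.
        problems.append("URL should use https://")
    skip = props.get("a4c.skip.read.archived")
    if skip is not None and skip not in ("true", "false"):
        problems.append("a4c.skip.read.archived must be true or false")
    size = props.get("a4c.roles.page.size")
    if size is not None and not size.isdigit():
        problems.append("a4c.roles.page.size must be an integer number")
    return problems


def check_listing(text):
    """Parse and check a listing in one call."""
    return check_properties(parse_properties(text))


def redacted(props):
    """Copy of the properties that is safe to log: the credential is masked."""
    return {k: ("*" * 8 if k == "Password" else v) for k, v in props.items()}


if __name__ == "__main__":
    for name, text in (("example", EXAMPLE_DESTINATION), ("bad", BAD_DESTINATION)):
        print(name, redacted(parse_properties(text)), check_listing(text) or "OK")
```

Run the script to see the exemplary destination pass and the deliberately broken one report six problems; pipe the output of redacted() rather than the raw dictionary into any log or ticket so the Password value never leaves the configuration.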
5. (Optional) Configure the transformations.
   Transformations map the user attributes from the data model of the source system to the data model of the target system, and the other way around. Identity Provisioning offers a default transformation for the SAP BTP ABAP environment source system; its settings are displayed under the Transformations tab after you save the initial configuration.
   You can change the default transformation mapping rules depending on your setup of entities in your SAP BTP ABAP environment. For more information, see:
Inbound Service: Business User
Default transformation:
{
  "user": {
    "condition": "($.validityPeriod.startDate <= '${currentDate}') && ($.validityPeriod.endDate > '${currentDate}')",
    "mappings": [
      { "sourcePath": "$.personID", "targetVariable": "entityIdSourceSystem" },
      { "sourcePath": "$.personalInformation.firstName", "targetPath": "$.name.givenName", "optional": true },
      { "sourcePath": "$.personalInformation.lastName", "targetPath": "$.name.familyName", "optional": true },
      { "sourcePath": "$.personalInformation.middleName", "targetPath": "$.name.middleName", "optional": true },
      { "sourcePath": "$.personalInformation.personFullName", "targetPath": "$.name.formatted", "optional": true },
      { "sourcePath": "$.user.userName", "targetPath": "$.userName", "optional": true, "correlationAttribute": true },
      { "constant": true, "targetPath": "$.active" },
      { "condition": "$.user.lockedIndicator == 'true'", "constant": false, "targetPath": "$.active", "optional": true },
      // The following condition states that if a business user is outside its validity period, it will be set as inactive.
      // That means, this user will not be able to log into the SAP BTP ABAP environment system.
      { "condition": "($.user.validityPeriod.startDate > '${currentDate}') || ('${currentDate}' > $.user.validityPeriod.endDate)", "constant": false, "optional": true, "targetPath": "$.active" },
      { "sourcePath": "$.workplaceInformation.emailAddress", "targetPath": "$.emails[0].value", "optional": true, "correlationAttribute": true },
      { "sourcePath": "$.user.logonLanguageCode", "optional": true, "targetPath": "$.locale" },
      { "sourcePath": "$.PersonExternalID", "optional": true, "correlationAttribute": true },
      // The Identity Provisioning reads both users and user assignments from SAP BTP ABAP environment.
      {
        "sourcePath": "$.user.role",
        "optional": true,
        "targetPath": "$.groups",
        "preserveArrayWithSingleElement": true,
        "functions": [
          { "condition": "'%a4c.roles.prefix%' !== 'null'", "function": "concatString", "applyOnElements": true, "prefix": "%a4c.roles.prefix%", "applyOnAttribute": "roleName", "assignToAttribute": "display" },
          { "condition": "'%a4c.roles.prefix%' === 'null'", "function": "concatString", "applyOnElements": true, "prefix": "", "applyOnAttribute": "roleName", "assignToAttribute": "display" },
          { "function": "concatString", "applyOnElements": true, "prefix": "", "applyOnAttribute": "roleName", "assignToAttribute": "value" }
        ]
      },
      { "type": "remove", "targetPath": "$.groups[*].roleName" },
      { "sourcePath": "$.user.globalUserID", "optional": true, "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid']" },
      {
        "type": "valueMapping",
        "sourcePaths": [ "$.user.timeZoneCode" ],
        "targetPath": "$.timezone",
        "defaultValue": "Europe/Berlin",
        "valueMappings": [
          { "key": [ "WDFT" ], "mappedValue": "Europe/Berlin" },
          { "key": [ "ISRAEL" ], "mappedValue": "Asia/Jerusalem" },
          { "key": [ "RUS03" ], "mappedValue": "Europe/Moscow" },
          { "key": [ "AUSNSW" ], "mappedValue": "Australia/Sydney" },
          { "key": [ "UTC+4" ], "mappedValue": "Asia/Dubai" },
          { "key": [ "BRAZIL" ], "mappedValue": "America/Sao_Paulo" },
          { "key": [ "BRZLEA" ], "mappedValue": "America/Sao_Paulo" },
          { "key": [ "MSTNO" ], "mappedValue": "America/Phoenix" },
          { "key": [ "EST" ], "mappedValue": "America/New_York" },
          { "key": [ "UTC" ], "mappedValue": "Etc/UTC" },
          { "key": [ "UTC+3" ], "mappedValue": "Asia/Riyadh" },
          { "key": [ "EST_" ], "mappedValue": "America/Toronto" },
          { "key": [ "UTC+8" ], "mappedValue": "Asia/Shanghai" },
          { "key": [ "JAPAN" ], "mappedValue": "Asia/Tokyo" }
        ]
      },
      {
        "type": "valueMapping",
        "sourcePaths": [ "$.businessPartnerRoleCode" ],
        "targetPath": "$.userType",
        "defaultValue": "Employee",
        "valueMappings": [
          { "key": [ "BUP003" ], "mappedValue": "Employee" }
        ]
      }
    ]
  },
  "group": {
    "mappings": [
      { "sourcePath": "$.ID", "targetVariable": "entityIdSourceSystem" },
      {
        "sourcePath": "$.ID",
        "functions": [
          { "condition": "'%a4c.roles.prefix%' !== 'null'", "function": "concatString", "prefix": "%a4c.roles.prefix%" }
        ],
        "targetPath": "$.displayName"
      },
      { "constant": "urn:ietf:params:scim:schemas:core:2.0:Group", "targetPath": "$.schemas[0]" },
      { "sourcePath": "$.to_BusinessUserAssignment.results", "optional": true, "preserveArrayWithSingleElement": true, "targetPath": "$.members" },
      { "type": "remove", "targetPath": "$.members[*].__metadata" },
      { "type": "remove", "targetPath": "$.members[*].UserName" },
      { "type": "rename", "constant": "value", "targetPath": "$.members[*].PersonID" },
      { "constant": "User", "targetPath": "$.members[*].type" }
    ]
  }
}
By default, Identity Provisioning reads group IDs and members. If you want the service to also read group descriptions, you can add an extra mapping to the "group" resource. To learn how, see Guided Answers: Business Role Description.
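The default "user" transformation above decides, in three successive rules, whether a provisioned account ends up active, and it prefixes group names only when a4c.roles.prefix is set. The following walkthrough is an added example, not the Identity Provisioning engine or SAP code: it re-implements in plain Python what those mappings do to one business-user record, so the outcome of the validity-period conditions, the lock flag, the prefix handling, the userUuid extension attribute and the time-zone/userType value mappings can be inspected offline. Field names follow the sourcePath expressions of the transformation; the sample record, its placeholder UUID and role names are constructed, the function name transform_user and its roles_prefix parameter (standing in for the a4c.roles.prefix property) are assumptions. Dates are compared as strings, which is what the transformation's conditions do when ${currentDate} is rendered with ips.date.variable.format=yyyy-MM-dd.

```python
"""Added walkthrough of the default "user" transformation (example code, not the
Identity Provisioning engine). Applies the same rules as the JSON mappings to a
constructed business-user record and returns the resulting SCIM-style user."""

import copy
import json

SAP_USER_EXT = "urn:ietf:params:scim:schemas:extension:sap:2.0:User"

# $.user.timeZoneCode -> $.timezone value mapping, copied from the transformation.
TIMEZONE_MAP = {
    "WDFT": "Europe/Berlin", "ISRAEL": "Asia/Jerusalem", "RUS03": "Europe/Moscow",
    "AUSNSW": "Australia/Sydney", "UTC+4": "Asia/Dubai", "BRAZIL": "America/Sao_Paulo",
    "BRZLEA": "America/Sao_Paulo", "MSTNO": "America/Phoenix", "EST": "America/New_York",
    "UTC": "Etc/UTC", "UTC+3": "Asia/Riyadh", "EST_": "America/Toronto",
    "UTC+8": "Asia/Shanghai", "JAPAN": "Asia/Tokyo",
}

# Constructed business user; the globalUserID is a placeholder, not a real UUID.
SAMPLE_BUSINESS_USER = {
    "personID": "1000042",
    "PersonExternalID": "EXT-0042",          # correlation attribute only, no targetPath
    "businessPartnerRoleCode": "BUP003",
    "validityPeriod": {"startDate": "2020-01-01", "endDate": "9999-12-31"},
    "personalInformation": {"firstName": "Ada", "lastName": "Example",
                            "personFullName": "Ada Example"},
    "workplaceInformation": {"emailAddress": "ada.example@corp.example"},
    "user": {
        "userName": "ADA",
        "lockedIndicator": "false",
        "validityPeriod": {"startDate": "2020-01-01", "endDate": "2030-12-31"},
        "logonLanguageCode": "EN",
        "timeZoneCode": "JAPAN",
        "globalUserID": "00000000-0000-4000-8000-000000000042",
        "role": [{"roleName": "SAP_BR_ADMINISTRATOR"}, {"roleName": "EMPLOYEE_LEVEL_3"}],
    },
}

# Same person, but the user is locked and carries a time-zone code the map does not know.
LOCKED_USER = copy.deepcopy(SAMPLE_BUSINESS_USER)
LOCKED_USER["user"]["lockedIndicator"] = "true"
LOCKED_USER["user"]["timeZoneCode"] = "CET"


def transform_user(src, current_date, roles_prefix=None):
    """Apply the default "user" mappings to one record.

    current_date is the ${currentDate} value in yyyy-MM-dd form, so the date
    conditions are string comparisons, exactly as in the transformation.
    roles_prefix stands for a4c.roles.prefix; None means the property is not
    set, i.e. the '%a4c.roles.prefix%' placeholder resolves to 'null'.
    Returns None when the top-level "condition" filters the entity out.
    """
    vp = src["validityPeriod"]
    if not (vp["startDate"] <= current_date and vp["endDate"] > current_date):
        return None  # business user outside its validity period: not read at all

    user = src.get("user", {})
    pi = src.get("personalInformation", {})
    name_pairs = (("firstName", "givenName"), ("lastName", "familyName"),
                  ("middleName", "middleName"), ("personFullName", "formatted"))
    scim = {"name": {dst: pi[s] for s, dst in name_pairs if s in pi}, "active": True}
    if "userName" in user:
        scim["userName"] = user["userName"]
    # "active" starts as true and is overridden by the lock flag and the user validity period.
    if user.get("lockedIndicator") == "true":
        scim["active"] = False
    uvp = user.get("validityPeriod")
    if uvp and (uvp["startDate"] > current_date or current_date > uvp["endDate"]):
        scim["active"] = False
    email = src.get("workplaceInformation", {}).get("emailAddress")
    if email:
        scim["emails"] = [{"value": email}]
    if "logonLanguageCode" in user:
        scim["locale"] = user["logonLanguageCode"]
    # groups: "display" carries the prefix when a4c.roles.prefix is set, "value" is the bare role name.
    roles = user.get("role")
    if roles:
        scim["groups"] = [{"display": (roles_prefix or "") + r["roleName"], "value": r["roleName"]}
                          for r in roles]
    if "globalUserID" in user:
        scim[SAP_USER_EXT] = {"userUuid": user["globalUserID"]}
    scim["timezone"] = TIMEZONE_MAP.get(user.get("timeZoneCode"), "Europe/Berlin")
    scim["userType"] = {"BUP003": "Employee"}.get(src.get("businessPartnerRoleCode"), "Employee")
    return scim


if __name__ == "__main__":
    print(json.dumps(transform_user(SAMPLE_BUSINESS_USER, "2025-06-01", roles_prefix="ABAP_"), indent=2))
    print("locked:", transform_user(LOCKED_USER, "2025-06-01")["active"])
    print("after user validity:", transform_user(SAMPLE_BUSINESS_USER, "2031-01-01")["active"])
    print("before business validity:", transform_user(SAMPLE_BUSINESS_USER, "2019-12-31"))
```

Two outcomes are worth noting when reviewing a provisioning run: a business user whose person-level validity has not started or has ended is not read at all (the job never sees it), whereas a user whose user-level validity has lapsed or who is locked is still provisioned, only with active set to false, so the target system keeps a deactivated account rather than no account.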
6. Add a target system to provision users and groups into it. Choose from: Target Systems.
7. Before starting a provisioning job, you can first subscribe to e-mail notifications from the source system you use in your scenario. This way, you are notified by e-mail about any entities that fail during the jobs. For more information, see Manage Job Notifications.
8. Start an identity provisioning job. For more information, see Monitor Provisioning Job Logs.