Feedback for "User Groups" #16

Closed
piejanssens opened this issue Apr 3, 2023 · 9 comments
Labels
consultation contribution Valuable Contribution ua-review Under review by the UA team.

Comments

@piejanssens

https://help.sap.com/docs/IDENTITY_AUTHENTICATION/6d6d63354d1242d185ab4830fc04feb1/ddd067c899f94e2f9006cc4dd417be80.html

I'm looking for documentation about how IPS jobs can affect user group removal.

Cfr. https://answers.sap.com/questions/13847171/when-are-ias-user-groups-assignments-automatically.html
Not sure why it got downvoted, but I'm still looking for information on this.

Best regards,

Pieter

@ValAta
Contributor

ValAta commented Apr 3, 2023

Hi Pieter,
This is the documentation for the Resync Job you were looking for.
Does it answer your question?
BR,
Valentin

@ValAta ValAta self-assigned this Apr 3, 2023
@piejanssens
Author

Hi Valentin,

It does, yes. Thank you.

IAS should make a distinction between manually assigned groups and IPS assigned groups.
Consequently, it would be great to have the option to keep manually assigned groups when executing "Resync Job".

Pieter

@ValAta
Contributor

ValAta commented Apr 4, 2023

Hi Pieter,
You are welcome!
As for your feedback, could you give more details about your scenario? What kind of problem would be solved with the option to keep manually assigned groups when executing "Resync Job"?
BR,
Valentin

@piejanssens
Author

SAP Work Zone requires admins to be of a certain IAS group (Workzone_Admin).

Instead of adding this authorization-only differentiator in a dummy attribute/property somewhere in the source system, it's easier to maintain these admin roles directly in IAS. A.t.m., the Work Zone admins lose their permissions as soon as anyone runs the "Resync Job".

Without the option to keep the group assignments when executing "Resync Job", directly editing user groups could only be useful/safe if IAS is used without it being a target system of IPS. IAS is a 'special' target in that sense, since it's used as a user store (including group assignments) for the SSO flows (which is not the case for other targets).

@ValAta
Contributor

ValAta commented Apr 5, 2023

Hi Pieter,
Thanks for the clarification.
There are two aspects:

  • You want to manage the group only in the admin console. If this is the case, you must ensure that this group is not read/mapped via the Identity Provisioning jobs (https://help.sap.com/docs/IDENTITY_PROVISIONING/f48e822d6d484fa5ade7dda78b64d9f5/531a2615b2d04eb8ba46a638b6d81cdc.html?q=jobs).
  • You want to manage the group centrally and via the admin console. Which one has the priority over the other here? On the one hand, you may want to keep the assignments from the admin console, while on the other these assignments may not be desired and you may want to adhere to those coming from the source system. This contradicts the approach for automatic data management on the basis of the information coming from the source systems. If you want to do that you may start the job just once and after that remove it and rely only on the admin console. If you want to keep the job as well, then transfer the whole management of this group via the source system from which the job is read.
BR,
Valentin

@piejanssens
Author

piejanssens commented Apr 5, 2023

Hi Valentin,

Interesting. In this case I'm in the "manage the group only in the admin console" scenario.

Are you saying that for a "Resync Job", IPS only considers deleting the user group assignments for those groups that are part of the transformation for that target system? If so, that would be great and the only thing possibly missing is this being documented.

Edit: just tested this and all users that still exist in the source system lost their "Workzone_Admin" group assignment. The IAS target system does not write to the "Workzone_Admin" group.

Best regards,

Pieter

@IvelinaKiryakova

Hi Pieter,

My name is Ivelina Kiryakova. I’m covering the IPS documentation.
If I got it right, your provisioning scenario includes replicating users and groups from SAP Work Zone, standard edition (source system) to IAS (target system). You have the Workzone_Admin group in IAS. Also, every time you run a Resync job, the users assigned to the Workzone_Admin group in IAS lose their assignments.

You may probably know that a Resync job makes a full replace of users and groups in the target system with users and groups from the source system. Normally, it is used to fix inconsistent data between both systems. Could this be the reason for losing the assignments?

Can you test one of the recently released IPS functionalities described in Enabling Group Assignment and the following blog?
Basically, in the target system transformation, you need to define a condition to filter out the Work Zone administrators, add the ID of the Workzone_Admin group and specify the targetVariable for assignGroup as explained in the documentation.

Hope this helps.
Let us know if it works.

Best regards,
Ivelina

@piejanssens
Author

piejanssens commented Apr 5, 2023

Hi @IvelinaKiryakova,

Yes, I do think that the group assignments are deleted due to the "Resync Job".

> You want to manage the group only in the admin console. If this is the case, you must ensure that this group is not read/mapped via the Identity Provisioning jobs

With this info, Valentin was giving me some hope that the group assignment deletions would be limited to those groups that are part of the transformation of the said target system (IAS in this case). So this is not the case after all?

The group assignment solution would require us to have a mapping between a permission group (switch SF source to SCIM) and maintain the WZ admin permissions via a dummy SF group. I was hoping to have a solution by directly maintaining the assignment in IAS.
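
A check an administrator could run around a Resync Job to catch the loss described in this thread, as an added example that is not part of the original discussion and not SAP's code: it diffs two membership snapshots for hand-maintained groups and builds a patch body to re-add what was removed. It assumes the snapshots are SCIM 2.0 ListResponse documents of Group resources (RFC 7643) and that the target accepts a standard SCIM PatchOp (RFC 7644); the sample data and user IDs are constructed.

```python
# Added example: detect hand-maintained group assignments lost after a Resync Job.
# Assumption: snapshots are SCIM 2.0 ListResponse documents of Group resources.

PROTECTED_GROUPS = {"Workzone_Admin"}  # groups maintained only in the admin console

# Constructed sample snapshots (IDs are made up for illustration).
BEFORE = {"Resources": [
    {"displayName": "Workzone_Admin",
     "members": [{"value": "u-100"}, {"value": "u-200"}]},
    {"displayName": "Employees", "members": [{"value": "u-100"}]},
]}
AFTER = {"Resources": [
    {"displayName": "Workzone_Admin"},  # 'members' omitted once the group is emptied
    {"displayName": "Employees", "members": [{"value": "u-100"}]},
]}


def members_by_group(list_response):
    """Map group displayName -> set of member IDs."""
    result = {}
    for group in list_response.get("Resources", []):
        # 'members' is optional in RFC 7643, so treat a missing key as empty.
        result[group["displayName"]] = {m["value"] for m in group.get("members") or []}
    return result


def lost_assignments(before, after, protected=PROTECTED_GROUPS):
    """Return {group: sorted removed member IDs} for protected groups only."""
    old, new = members_by_group(before), members_by_group(after)
    report = {}
    for name in sorted(protected):
        # A group missing from 'after' counts as having lost every member.
        removed = old.get(name, set()) - new.get(name, set())
        if removed:
            report[name] = sorted(removed)
    return report


def restore_ops(removed_ids):
    """Build a SCIM PatchOp body (RFC 7644) that re-adds the removed members."""
    return {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": [{"op": "add", "path": "members",
                        "value": [{"value": uid} for uid in removed_ids]}],
    }


if __name__ == "__main__":
    for group, ids in lost_assignments(BEFORE, AFTER).items():
        print(f"{group}: lost {ids}; patch body: {restore_ops(ids)}")
```

Groups outside `PROTECTED_GROUPS` are ignored on purpose, since their membership is expected to follow the source system.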

@ValAta ValAta added contribution Valuable Contribution ua-review Under review by the UA team. labels Nov 28, 2023

sap-doc-bot bot commented Nov 28, 2023

Thank you for your valuable feedback contribution, @piejanssens! So that we can recognize your contribution in SAP Community, please tell us your SAP Community profile URL in a reply to this comment; don't include any other text, just the URL on its own, like this:

https://people.sap.com/your-user-name

Thanks!
