How to reuse user groups from IdP as External member lists

As mentioned in SAP Help member lists could be used to invite users to workspaces. In this blog I’m covering how to reuse Groups from you Source system (eg. IAS, Azure AD) as External Member list.

There are three types of member lists:

  • Member List. Users added manually or by uploading a csv file.
  • Dynamic Member List. User added by rules. Fro example Cost center, Department or a Custom attribute.
  • External Member list. Users are uploaded from another system by IPS.

In order provision External Member lists you can use SCIM groups (as a second artifact / entity next to users) via the SCIM API, using the Work Zone target system in IPS:  

"group": { "mappings": [ { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.id" }, { "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']", "targetPath": "$.displayName" }, { "targetPath": "$.schemas", "type": "remove" }, { "constant": "urn:scim:schemas:core:1.0", "targetPath": "$.schemas[0]" }, { "targetPath": "$.members", "type": "remove" }, { "sourcePath": "$.members[*].value", "preserveArrayWithSingleElement": true, "optional": true, "targetPath": "$.members[?(@.value)]", "functions": [ { "type": "resolveEntityIds" }] }] }

*Code sample works for IAS as source system and may require changes for other source systems

Apter the successful IPS job completion the groups from the source system will appear in SAP Work Zone as External Member list and could be used as invitation to a workspace.

For Example:

A group “Account” in IAS contains three users:


Group in IAS

After IPS job completion the group “Account” has been created/updated in SAP Work Zone External member lists:


SAP Work Zone External member lists

And the External Member list “Account” contains the same three users as IAS group:


External Member list users


Now you know how easy it is to reuse Groups from Source system connected to SAP Work Zone system (eg. IAS, Azure AD and etc). Further External Member lists are used to control membership for Workspaces. Let me know in case a separate blog is required to cover that topic as well.

For questions on SAP Work Zone, please raise them in the forums and use the tag “SAP Work Zone”.