
Product Information | PUBLIC

SAP Fieldglass
2023-05-22

SAP Fieldglass and SAP Cloud Identity Services Integration
© 2023 SAP SE or an SAP affiliate company. All rights reserved.

Business Synopsis


1 SAP Fieldglass and SAP Cloud Identity Services Business Synopsis

Provides an overview of the SAP Fieldglass and SAP Cloud Identity Services integration.

Introduction

SAP Cloud Identity Services is a central cloud identity suite that enables organizations to easily manage user
onboarding and application access. SAP Cloud Identity Services offers comprehensive single sign-on and encryption
across organizational and technical boundaries.

SAP Cloud Identity Services consists of two main components, the identity center and the virtual directory server,
which combine to deliver the following functions:

• Password management
• Roles and entitlements
• Reporting and auditing
• Provisioning, workflow, and approvals
• Identity virtualization
• Data synchronization

This central identity integration is used by all SAP users, applications, platforms, and sister companies, as well as
by SAP Fieldglass Buyers.

Internally, it allows for seamless user access to SAP Fieldglass, SAP applications and sister companies, giving users
secure access to SAP applications with a single password.

SAP Fieldglass has implemented integration with the SAP Cloud Identity Services: Identity Provisioning (IPS),
Identity Authentication (IAS) and SAP Cloud Identity Access Governance (IAG).

SAP Fieldglass and SAP Cloud Identity Services Integration


2 PUBLIC SAP Fieldglass and SAP Cloud Identity Services Business Synopsis
Bundling of SAP Fieldglass and SAP Cloud Identity Services

Effective November 22, 2021, SAP Cloud Identity Services: Identity Provisioning (IPS) and Identity Authentication
(IAS) are automatically provisioned for new SAP Fieldglass buyer companies.

The SAP Identity Authentication Service (IAS) is responsible for:

• User Management – the user community is loaded into IAS for distribution to SAP Cloud Applications, in this
case SAP Fieldglass.
• Login Management – all users when calling the SAP Fieldglass URL are routed to SAP Identity Authentication
Service (IAS), which validates the user either through single sign-on with the buyer’s own Identity Management
System or through username and password.

The SAP Identity Provisioning Service (IPS) is responsible for provisioning users from the SAP Identity
Authentication Service (IAS) to SAP Fieldglass, and for updating those records as and when they change in the SAP
Identity Authentication Service (IAS).

Note

All users need to be created and managed within the SAP Identity Authentication Service (IAS) and there's
no ability to create a user through the SAP Fieldglass user interface. Editing of users within SAP Fieldglass is
restricted to only those fields/attributes that aren't captured within IAS.

Note

User Groups/Roles can be managed and assigned to users in both the SAP Identity Authentication Service
(IAS) and SAP Fieldglass. It should therefore be decided which system to designate as the master for user
role assignment and management. Where SAP Fieldglass is used, the SAP Identity Provisioning Service (IPS)
updates any user role changes back into the SAP Identity Authentication Service (IAS) at its next schedule run.

Related Information

Integration Architecture [page 4]
SAP Cloud Identity Services – Identity Provisioning [page 5]
Connecting SAP Fieldglass to SAP Cloud Identity Provisioning Service [page 6]
SAP Cloud Identity Access Governance [page 8]
Integration Scenarios [page 9]
Configuring SAP Fieldglass [page 9]
Connecting SAP Fieldglass to SAP Cloud Identity Access Governance Service [page 10]
Additional Resources [page 12]

1.1 Integration Architecture

The following illustration shows a reference architecture for integration with SAP Cloud Identity Services that run
on the SAP Business Technology Platform (previously SAP Cloud Platform). It defines the requirements that SAP
Cloud applications must fulfill in order to enable themselves for single sign-on and identity provisioning.

The architecture focuses mainly on integration points between both SAP Cloud Identity Services and applications.
Additional aspects of identity lifecycle (such as workflows, auditing, reporting, etc.) are out-of-scope of this
document and are covered in the SAP Cloud Identity Services themselves.

Related Information

SAP Cloud Identity Services – Identity Provisioning [page 5]
Connecting SAP Fieldglass to SAP Cloud Identity Provisioning Service [page 6]

SAP Cloud Identity Access Governance [page 8]
Integration Scenarios [page 9]
Configuring SAP Fieldglass [page 9]
Connecting SAP Fieldglass to SAP Cloud Identity Access Governance Service [page 10]
Additional Resources [page 12]

1.2 SAP Cloud Identity Services – Identity Provisioning

Manage identity lifecycle processes for cloud and on-premise systems.

The Identity Provisioning service automates identity lifecycle processes. It helps you provision identities and their
authorizations to various cloud and on-premise business applications. The service provisions and synchronizes
user accounts and authorizations in a system landscape and includes a directory for storing basic user attributes
that support the authentication and identity lifecycle management scenarios.

This integration is coded to the System for Cross-domain Identity Management (SCIM) v2 protocol, the open
REST API standard for automating and managing the exchange of user identity information between IT systems.
The integration supports all operations as per the SCIM guidelines, including bulk operations, GET, POST, and so
forth. SCIM is designed to make managing user identities in cloud-based applications and services easier. In short,
SCIM makes user data more secure and simplifies the user experience by automating the user identity lifecycle
management process. For more information on SCIM, go to http://www.simplecloud.info/.

With the integrated process workflow:

• SAP uploads users to the Identity Provisioning service via the SCIM API and assigns a unique universal ID (IDM
ID) to each user. The IDM ID is global for all SAP applications, platforms, and sister companies.
• The Identity Provisioning service sends the user name and external IDM ID to SAP Fieldglass. New users
are created, with SAP Fieldglass storing both the username and UUID. Existing users are updated where
appropriate; where an existing user doesn't have a UUID, or has an invalid UUID, the UUID is also updated.
• The logic of the User Upload Connector populates SAP Fieldglass with the users provisioned via the Identity
Provisioning service.

Note

In SAP Fieldglass, you can add groups to a member and add roles to a user, but you can’t add members to a
group or add users to a role.

Note

Where users are being managed via SAP Cloud Identity Services, new users can't be created directly within SAP
Fieldglass via the user interface, and restrictions apply to certain user attributes when editing an existing user
via the SAP Fieldglass user interface.

Related Information

Connecting SAP Fieldglass to SAP Cloud Identity Provisioning Service [page 6]
SAP Cloud Identity Access Governance [page 8]
Additional Resources [page 12]

1.2.1 Connecting SAP Fieldglass to SAP Cloud Identity Provisioning Service

SAP Fieldglass provides the following APIs for buyers to facilitate the actions they want to perform in the SAP
Fieldglass application.

After a buyer user gets an access token and logs into the SAP Fieldglass application, the API gets all user roles
(groups in SAP) for the company of the user who obtained the access token and logged in. The API then returns the
schema ID, group name, group details, and all group members.

SAP Fieldglass APIs

API / Description

Get Access Token
    Sends a GET request that returns a token to access the SAP Fieldglass application.

Get Details of a Group
    Sends a GET request that returns all details of a role. The member section displays the header attributes
    and "members" [ ]. Members added by the PATCH operation display in the members section of the payload,
    along with the previous members. A specific schema and set of fields go into the API to get the details of
    the group, the name of the group, and its members (users assigned to the role).

Create User
    Sends a POST request that creates a user in SAP Fieldglass. Requires the user's UUID to create the user in
    SAP Fieldglass, with the UUID being stored against the user's SAP Fieldglass user record. If the user isn't
    created in SAP, then the user doesn't have a UUID.
    IPS sends PUT requests to upload user details into SAP Fieldglass. Upload requests use the coding logic of
    the User Upload connector, without actually triggering the connector to run, and therefore the connector
    activity isn't visible in the Audit Trail.
    The API is designed to run with parameters such as companyCode or /userid. If the API runs without
    parameters, it returns all users, including worker users. If the access token was retrieved using a user
    that is tied to a company, then it returns all users for that company.
    If any required fields are missing or the user already exists, a response is sent.

Get Details of User
    Sends a GET request that returns the details of a user, including schema, displayName, profileUrl,
    addresses, ims, and meta. IPS sends GET requests to download details from SAP Fieldglass via queries.

Update User
    Sends a PUT request that updates the details of a user.

Get Details of User After Update
    Sends a GET request that returns the details of a specified user after an update.

Delete User
    Sends a DELETE request that deactivates a specified user (it doesn't remove the user from the application).
    To reactivate a user, use a POST operation to resend the SAP Fieldglass ID and the UUID. If either the SAP
    Fieldglass ID or the UUID doesn't match (for example, the same user name but a different UUID), it causes
    an exception that the user name already exists in SAP Fieldglass. If the UUID is the same but the user name
    is different, and the ID is closed, it creates a new one.

Patch
    Sends a PATCH request that updates any fields of a group or the users (members) in a group. For example,
    you can add a user to a group or remove all users from a group. Supports ADD, REMOVE, and REPLACE
    operations:
    • Add: Adds the specified members to a group. Updates the user group (role) with the group ID provided in
      the PATCH API. (Internally, it uses the User Upload to update the user with the new role.)
    • Remove: Removes the specified members from a group. If no members are specified, then all members are
      removed from the group.
    • Replace: Replaces the specified members in a group with new members.
    Requires the path parameter to be set to members. If unspecified, the operation fails with HTTP status
    code 400.
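The following is an added example, not SAP Fieldglass code: an in-memory model of the user-lifecycle and group PATCH rules listed in the table above (UUID required on create, delete deactivates only, reactivation requires matching ID and UUID, PATCH path must be "members"), so an integrator can check an IPS request sequence against those rules before pointing it at a tenant. The class and method names are assumptions; only the rules come from the table.

```python
# Added example, not SAP Fieldglass code: in-memory model of the SCIM
# user-lifecycle and group PATCH rules from the table above. Class and
# method names are assumptions; only the rules themselves come from the table.
from dataclasses import dataclass
from typing import Dict, List, Optional


class ScimError(Exception):
    def __init__(self, status: int, detail: str) -> None:
        super().__init__(f"{status}: {detail}")
        self.status = status
        self.detail = detail


@dataclass
class User:
    username: str
    uuid: str
    active: bool = True  # Delete User deactivates; the record is never removed


class FieldglassScimModel:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}        # keyed by SAP Fieldglass user name
        self.groups: Dict[str, List[str]] = {}  # group (role) id -> member names

    def create_user(self, username: str, uuid: str) -> User:
        """POST /Users: requires a UUID; also reactivates a closed user."""
        if not username or not uuid:
            raise ScimError(400, "user name and UUID are required")
        existing = self.users.get(username)
        if existing is not None:
            if existing.uuid != uuid:
                # same user name but a different UUID
                raise ScimError(409, "user name already exists in SAP Fieldglass")
            if existing.active:
                raise ScimError(409, "user already exists")
            existing.active = True  # matching ID and UUID on a closed user
            return existing
        # A new user name is created even when the UUID belongs to a closed record.
        user = User(username, uuid)
        self.users[username] = user
        return user

    def delete_user(self, username: str) -> User:
        """DELETE /Users/{id}: deactivates only."""
        user = self.users.get(username)
        if user is None:
            raise ScimError(404, "user not found")
        user.active = False
        return user

    def patch_group(self, group_id: str, op: str, path: Optional[str],
                    members: Optional[List[str]] = None) -> List[str]:
        """PATCH /Groups/{id}: add, remove or replace members; path must be 'members'."""
        if path != "members":
            raise ScimError(400, "path parameter must be set to members")
        current = self.groups.setdefault(group_id, [])
        op = op.lower()
        if op == "add":
            new = [m for m in (members or []) if m not in current]
            current.extend(new)
        elif op == "remove":
            if not members:
                current.clear()  # no members specified: remove all members
            else:
                current[:] = [m for m in current if m not in members]
        elif op == "replace":
            current[:] = list(members or [])
        else:
            raise ScimError(400, f"unsupported operation {op!r}")
        return list(current)
```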

Related Information

SAP Cloud Identity Access Governance [page 8]
Additional Resources [page 12]

1.3 SAP Cloud Identity Access Governance

SAP Cloud Identity Access Governance (IAG) is a cloud-based solution for creating self-service access requests
for on-premise and cloud applications and systems.

Connecting to the IAG solution enables SAP Fieldglass users to initiate access requests, which are then
provisioned to target applications. This leverages out-of-the-box authorizations and risk modeling to analyze SAP
Fieldglass access requests.

The SAP Cloud Identity Access Governance (IAG) solution is built on the SAP Business Technology Platform. It
uses SAP NetWeaver APIs to fetch data from on-premise and cloud solutions, and enables you to use the following
services to create access requests, analyze risks, and design roles:

• SAP Cloud Identity Access Governance, access analysis service
• SAP Cloud Identity Access Governance, access request service
• SAP Cloud Identity Access Governance, role design service
• SAP Cloud Identity Access Governance, access certification service

IAG allows users to select SAP Fieldglass as a product from within any SAP sister company and obtain access for
buyer users.

Related Information

Integration Scenarios [page 9]
Configuring SAP Fieldglass [page 9]
Connecting SAP Fieldglass to SAP Cloud Identity Access Governance Service [page 10]
Additional Resources [page 12]

1.3.1 Integration Scenarios

SAP Cloud Identity Access Governance is a service on the SAP Business Technology Platform (SAP BTP) that
integrates with other SAP BTP services and connects with cloud and on-premise target applications.

For detailed information on the integration scenarios, see Integration Scenarios in the SAP Cloud Identity Access
Governance Admin Guide.

Related Information

Configuring SAP Fieldglass [page 9]
Connecting SAP Fieldglass to SAP Cloud Identity Access Governance Service [page 10]
Additional Resources [page 12]

1.3.2 Configuring SAP Fieldglass

This integration requires the following SAP Fieldglass connectors to be enabled, with the format type set to JSON:

• User Upload
• User Role Download
• User Role Detail Download
• User Download

Related Information

Connecting SAP Fieldglass to SAP Cloud Identity Access Governance Service [page 10]
Additional Resources [page 12]

1.3.3 Connecting SAP Fieldglass to SAP Cloud Identity Access
Governance Service

This section provides an overview of the procedure for connecting SAP Fieldglass to the SAP Cloud Identity
Access Governance (IAG) service. Connecting to the IAG service enables SAP Fieldglass users to initiate access
requests, which are then provisioned to target applications.

Prerequisites
Before setting up the integration, ensure you complete the configuration for the SAP Cloud Identity Access
Governance service:

• Set up destinations and systems to enable repository synchronization.
• Enable the respective services for access analysis, access request, and role design.
• Configure the OAuth service to maintain secure internal communication between the IAG services.

Process Overview
There are three steps to enable integration between SAP Fieldglass and the SAP Cloud Identity Access
Governance service:

1. In the SAP BTP, set up a destination for the SAP Fieldglass solution.
2. In the access request service, use the Systems app to create an instance for the SAP Fieldglass solution.
3. In the access request service, use the Job Scheduler app to synchronize user data and provision access
requests.

User Management
The IAG service uses the Identity Authentication service for user authentication and to manage access to IAG
applications. Security and permissions are maintained in groups and roles. You control the tasks a user can
perform and the apps they can access through the appropriate assignment of group and role combinations to the
user.

The assignment of groups and roles to users controls the following three security aspects:

• Permission to access and use specific apps
  • You may ensure users can access only those apps relevant to their job function, for example, that only
    administrators can access admin apps.
• Permission to perform administrative tasks
  • Within the framework of access governance, tasks have different levels of risk and sensitivity. You may
    ensure that users can only perform administrative tasks in line with their job function. For example, only
    users assigned to the Control Owners group have the ability to approve new or updated mitigation controls.
• Permission to use specific services
  • The IAG service integrates with other SAP services, such as the SAP Business Rules service. These services
    require users to have specific roles to use them.

Related Information

Additional Resources [page 12]

1.4 Additional Resources

Google provides a wealth of knowledge and information on SAP Cloud Integration. In addition, the following internal
and external resources are available.

Resource / URL

SAP Fieldglass user assistance for SAP Cloud Integration on the SAP Help Portal
    https://help.sap.com/viewer/p/CLOUD_INTEGRATION

SAP Cloud Identity Services - Identity Provisioning
    https://help.sap.com/viewer/p/IDENTITY_PROVISIONING
    and https://help.sap.com/viewer/f48e822d6d484fa5ade7dda78b64d9f5/Cloud/en-US/2d2685d469a54a56b886105a06ccdae6.html

SAP Cloud Identity Services product page
    https://help.sap.com/viewer/product/SAP_CLOUD_IDENTITY/Cloud/en-US?task=discover_task

SAP Cloud Identity Services - Identity Authentication
    https://help.sap.com/viewer/product/IDENTITY_AUTHENTICATION/Cloud/en-US
    and https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/d17a116432d24470930ebea41977a888.html

SAP Cloud Identity Access Governance
    https://help.sap.com/viewer/p/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE

User assistance for SAP Cloud Integration on SAP Help Portal
    https://help.sap.com/viewer/product/CLOUD_INTEGRATION/Cloud/en-US

SAP Blogs
    https://blogs.sap.com/tags/

SAP Business Technology Platform
    https://developers.sap.com/topics/business-technology-platform.html#community

Important Disclaimers and Legal Information

Hyperlinks
Some links are classified by an icon and/or a mouseover text. These links provide additional information.
About the icons:

• Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your agreements
with SAP) to this:

• The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.

• SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any
damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.

• Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering an SAP-hosted Web site. By using such links,
you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this information.

Videos Hosted on External Platforms

Some videos may point to third-party video hosting platforms. SAP cannot guarantee the future availability of videos stored on these platforms. Furthermore, any
advertisements or other content hosted on these platforms (for example, suggested videos or by navigating to other videos hosted on the same site), are not within the
control or responsibility of SAP.

Beta and Other Experimental Features

Experimental features are not part of the officially delivered scope that SAP guarantees for future releases. This means that experimental features may be changed by
SAP at any time for any reason without notice. Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use the
experimental features in a live operating environment or with data that has not been sufficiently backed up.
The purpose of experimental features is to get feedback early on, allowing customers and partners to influence the future product accordingly. By providing your feedback
(e.g. in the SAP Community), you accept that intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP.

Example Code
Any software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax and
phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of example
code unless damages have been caused by SAP's gross negligence or willful misconduct.

Bias-Free Language
SAP supports a culture of diversity and inclusion. Whenever possible, we use unbiased language in our documentation to refer to people of all cultures, ethnicities, genders,
and abilities.

www.sap.com/contactsap

© 2023 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form
or for any purpose without the express permission of SAP SE or an SAP
affiliate company. The information contained herein may be changed
without prior notice.

Some software products marketed by SAP SE and its distributors
contain proprietary software components of other software vendors.
National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for
informational purposes only, without representation or warranty of any
kind, and SAP or its affiliated companies shall not be liable for errors or
omissions with respect to the materials. The only warranties for SAP or
SAP affiliate company products and services are those that are set forth
in the express warranty statements accompanying such products and
services, if any. Nothing herein should be construed as constituting an
additional warranty.

SAP and other SAP products and services mentioned herein as well as
their respective logos are trademarks or registered trademarks of SAP
SE (or an SAP affiliate company) in Germany and other countries. All
other product and service names mentioned are the trademarks of their
respective companies.

Please see https://www.sap.com/about/legal/trademark.html for
additional trademark information and notices.

Material Number: 20190716
