Hi Everyone,
Is there a way to Grant a Permission Set for Users by default, when they are being Provisioned through SCIM Configuration with Azure AD?
I saw many had asked this question before, and that RnD was working on this feature. Is it it available now or any estimated release in which this will be available?
Thanks and Regards,
Devin Amarasekara
Best answer by devin.amarasekara
I reached out to IFS through support channels and the solution suggested was that from 23R1 onwards there will be User Group Provisioning with Azure Active Directory on IFS Cloud. Therefore to set the Permission set to the User Group and to set the Users to that User Group. Will test it out when we get the 23R1 release.
I reached out to IFS through support channels and the solution suggested was that from 23R1 onwards there will be User Group Provisioning with Azure Active Directory on IFS Cloud. Therefore to set the Permission set to the User Group and to set the Users to that User Group. Will test it out when we get the 23R1 release.
I have managed to sync a group now and assign a permission set, so this appears to work finally in 23R2
Thanks
Dominik
+10
can you share some overview steps on how you achieved this?
Thanks in advance for your help!
Regards,
Hardik
Hi
Unfortunately, I didnt get around to setting up automatically assigning permission sets to users when being provisioned. But I will try once I get a chance.
I think
Best Regards,
Devin
+10Thanks
can you share some overview steps on how you achieved this?
Thanks in advance for your help!
unfortunately I still struggle with the basics on the user sync, since IFS has not fully implemented APPS10 AD Sync functionality when it comes to PersonID and Work addresses, but the group sync appears to work.
in Azure, the default Group Mapping has to be adjusted to remove the external ID:
very bad, and ticket open, since that means that each environment will end up with different DB ID’s for each group, making cloning of environments cumbersome.
these groups will then show up inside IFS Cloud, under User and Permissions / Users / User Group
where they can be mapped against the respective Permission Set:
Have You noticed any errors on Azure provisioning logs related to synchronization groups/users?
yes hundreds unfortunately.
with 23R2SU8 I can control now whether a person ID gets created by SCIM or not. In my case, we don’t want that. We actually want to specify the already existing personID during user creation. IFS will work on this.
But unfortunately with the setting personID creation off, it fails to sync work address attribuntes, which I don’t understand, since its not even in the mapping.
Errors can be:
""IFS SCIM returned an error. Code: 500. Details: {\""error\"":{\""code\"":\""DATABASE_ERROR\"",\""message\"":\""Database error occurred. Contact administrator.\"",\""details\"":[{\""code\"":20116,\""message\"":\""ORA-20116: PersonInfoAddress.CONSTRAINT: The Person Info Address \\\""1\\\"" is used by 5 rows in another object (Investigation Team).\""}]}}"",""status"":""500""}
or
"IFS SCIM returned an error. Code: 500. Details: {\""error\"":{\""code\"":\""DATABASE_ERROR\"",\""message\"":\""Database error occurred. Contact administrator.\"",\""details\"":[{\""code\"":20115,\""message\"":\""ORA-20115: CommMethod.The \\\""Comm Method\\\"" has already been removed by another user.\""}]}}"",""status"":""500""}
or
"IFS SCIM returned an error. Code: 500. Details: {\""error\"":{\""code\"":\""DATABASE_ERROR\"",\""message\"":\""Database error occurred. Contact administrator.\"",\""details\"":[{\""code\"":20116,\""message\"":\""ORA-20116: PersonInfoAddress.CONSTRAINT: The Person Info Address \\\""HOME\\\"" is used by 1 rows in another object (Related Person).\""}]}}"",""status"":""500""}
or
"IFS SCIM returned an error. Code: 500. Details: {\""error\"":{\""code\"":\""DATABASE_ERROR\"",\""message\"":\""Database error occurred. Contact administrator.\"",\""details\"":[{\""code\"":20116,\""message\"":\""ORA-20116: PersonInfoAddress.CONSTRAINT: The Person Info Address \\\""WORK\\\"" is used by 1 rows in another object (Supplier Info Contact).\""}]}}"",""status"":""500""}
so the entire sync is a bit of a joke...
Good to know that others have the same problems :). I am in touch with Rnd - two tickets opened.
Thanks, good to know. I’m pressuring a lot Rnd now, but they already told me there wont be hotfixes for this (since we go live in 2 weeks).
Best regards
Dominik
Hello
If I understand the method correctly:
In the Azure AD application, we have the option to synchronize user groups as well.
These groups will be automatically created in IFS, but we will need to manually assign the appropriate permission sets. So, the next time we enable user provisioning, we can simply attach a user to a group, and it will exist in IFS, linked to its group with the correct permissions sets.
Do you have more documentation regarding the configuration of user group provisioning, and how to assign a group to a user during the provisioning process?
Best regards,
Hi
You need to define groups and assign users to these groups in Azure side. Of course mappings of Users and Groups attributes are also important. Next in IFS Cloud You have to grant manualy permissions for each newly created group.
at this stage I would highly avoid SCIM sync.
we noticed that it deletes employees private and work addresses, but even if just job title changes and is in the sync, firstname and last name gets deleted!
3rd case now open with IFS.
It depends of list of mapping attributes on Azure side. Remove from the list entries related to job title, address and then it should work.
I would be interested in an exchange. The more I remove, the more SCIM deleted!
initially I did not map firstname/lastname, and SCIM deleted this data from our employees!!!
Now it appears that if only one value changes, and SCIM of course only sends over the changes, like a job title, it still wipes firstname/lastname. To me this is a serious bug, and fully untested.
Today I noticed the same problem: no mappings but addresses and comm methods are deleted. We are a few weeks before GoLive and personal migrated data were lost…
I have create SNOW ticket CS0308685. Please create new on Your side. Both we can do much more...
I will escalate my case again.
We still have the Apps10 Db, already exported the data and have data migration jobs ready to load it again. But no point if SCIM deletes it again.
I checked Scim_Handling_SVC.Replace_User___ procedure and there are deletions of comm methods and addresses without any conditions:
-- Remove all (if existing, for id_) entries in Comm_Method
FOR index_ IN 1 .. comm_method_count_ LOOP
Comm_Method_API.Remove(Party_Type_API.DB_PERSON, person_id_, index_);
END LOOP;
……..
-- Remove all (if existing, for id_) entries in Person_Info_Address
Remove_User_Addresses__;
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.
