A customer of mine has a need for synchronizing users, groups, and group membership on their IBM CP4BA SaaS environment with their LDAP (which happens to be Microsoft Active Directory). The goal here is to continue to use established ticketing processes to request user access to specific LDAP groups, and have those groups and their memberships synchronized to the IBM BAW OnCloud or CP4BA SaaS User Management Repository LDAP. This would allow BAW developers to simply map a BAW role or Team to the IBM BAW OnCloud or CP4BA SaaS User Management Repository LDAP, just as they would in an on-premise installation. The result would be that submitting a ticket to add a user to a group in the customer LDAP would effectively grant them the associated role access in a BAW application in the SaaS environment.
To achieve this, we built a custom "AD Group to BAW Role synchronization" job that reads a JSON configuration similar to this:
[
  {"adGroupName": "AD Test Group1", "bawRoleName": "BAW Test Group1"},
  {"adGroupName": "AD Test Group2", "bawRoleName": "BAW Test Group2"},
  …etc...
]
The job iterates through items defined in configuration, compares AD group members to BAW role members and adds/removes members as needed. It also has the capability to provision new OnCloud users in the SaaS LDAP / User Management Repository. This solution, however, had to be custom built, was complicated, and it would be much better if IBM had an offering to manage this problem.
Currently IBM does not support WebSphere-based integrations with customer LDAPs in their CP4BA SaaS offering, and the IBM User Management Service (UMS), which has SCIM support (SCIM is a specification for synchronizing group membership), is also not available in the SaaS offering. I spoke with some knowledgeable folks from IBM about this today; they indicated there has been some momentum behind building a SCIM 2.0 interface for CP4BA SaaS, and as a result I have submitted the following idea: https://ideas.ibm.com/ideas/ICPFORA-I-476
If you or any of your clients would also benefit from this functionality to simplify user and group membership management in your IBM CP4BA SaaS environments, I urge you to upvote the idea and/or provide me with your customer name so I can communicate to the IBM team various specific customers that would be interested in this.
Thanks for reading!
------------------------------
Don Williams
------------------------------
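The compare-and-reconcile step described in the post, sketched as an added example (not the author's job and not IBM code). It only computes the add/remove plan from the configuration format shown above. The function names, the membership dictionaries and the removal threshold are assumptions of this sketch, and no AD or BAW API is called.

```python
import json

# Constructed sample in the configuration format shown in the post.
CONFIG = json.loads("""[
  {"adGroupName": "AD Test Group1", "bawRoleName": "BAW Test Group1"},
  {"adGroupName": "AD Test Group2", "bawRoleName": "BAW Test Group2"}
]""")

def _norm(members):
    # Logins are compared case-insensitively (an assumption of this sketch).
    return {m.strip().lower() for m in members}

def plan_sync(config, ad_members, baw_members, max_removal_ratio=0.5):
    """Return {role: {"add": [...], "remove": [...], "skipped": reason or None}}.

    ad_members / baw_members are hypothetical inputs: dicts of name -> member
    list, with a missing key or None meaning the lookup failed.
    """
    plan = {}
    for item in config:
        group, role = item["adGroupName"], item["bawRoleName"]
        ad, baw = ad_members.get(group), baw_members.get(role)
        entry = {"add": [], "remove": [], "skipped": None}
        plan[role] = entry
        if ad is None or baw is None:
            # A failed read must not be treated as "the group is empty".
            entry["skipped"] = "lookup failed"
            continue
        ad, baw = _norm(ad), _norm(baw)
        remove = sorted(baw - ad)
        if baw and len(remove) / len(baw) > max_removal_ratio:
            # Guard against mass revocation from a partial or wrong AD result.
            entry["skipped"] = "removal threshold exceeded"
            continue
        entry["add"], entry["remove"] = sorted(ad - baw), remove
    return plan

# Constructed membership data for the two mappings above.
AD = {"AD Test Group1": ["Alice", "bob", "carol"], "AD Test Group2": []}
BAW = {"BAW Test Group1": ["alice", "bob", "dave"],
       "BAW Test Group2": ["erin", "frank"]}

if __name__ == "__main__":
    print(json.dumps(plan_sync(CONFIG, AD, BAW), indent=2))
```

Skipped mappings are the ones to surface to an operator: an empty or failed AD read would otherwise silently strip every member from the mapped role.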