Provision Lightrun roles with SCIM for SAP IAS

Note

This feature is under limited availability and can be enabled upon request.

Lightrun version 1.51.3 for on-premise deployments supports mapping IDP roles to Lightrun roles when working with SCIM provisioning using SAP Identity Authentication Service (IAS).

You can assign the following Lightrun roles:

  • ROLE_MANAGER
  • ROLE_USER
  • ROLE_IGNORE_QUOTA

Enable SCIM role support in Lightrun

You can enable SCIM role support in the Lightrun Management Portal.

  1. Log in to your Lightrun account.
  2. Navigate to Identity and Access Management > Identity Configuration > Provisioning.
  3. Select Use Identity Provider.
  4. Enable SCIM by selecting SCIM - System for Cross-Domain Identity Management.

  5. Select Provision user roles to transfer Lightrun role management to users.

  6. Click Save.

Proceed to provision Lightrun roles in SAP IAS.

/Schemas endpoint for mapping Lightrun roles

Lightrun supports the /Schemas endpoint, which is used by SCIM to map SAP IAS user roles to Lightrun roles. This ensures seamless role-based access control by assigning the appropriate Lightrun roles based on roles provisioned in SAP IAS.

Request example

    {
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
      ],
      "userName": "exampleUser@companyOfjohn.com",
      "name": {
        "familyName": "B",
        "givenName": "John"
      },
      "preferredLanguage": "en",
      "active": true,
      "roles": [
        {
          "value": "ROLE_USER",
          "display": "ROLE_USER",
          "type": "ROLE_USER"
        },
        {
          "value": "ROLE_MANAGER",
          "display": "ROLE_MANAGER",
          "type": "ROLE_MANAGER"
        }
      ]
    }

Request parameters

| Parameter         | Type    | Description |
|-------------------|---------|-------------|
| schemas           | Array   | Defines the SCIM schema for a user resource (urn:ietf:params:scim:schemas:core:2.0:User). |
| userName*         | String  | Unique identifier of the user in SAP IAS (e.g., exampleUser@company.com). |
| name*             | Object  | Contains the user’s structured name. |
| familyName        | String  | User’s last name (e.g., Doe). |
| givenName         | String  | User’s first name (e.g., John). |
| preferredLanguage | String  | User’s language preference (e.g., en). |
| active            | Boolean | Indicates if the user account is active (true or false). |
| roles             | Array   | Assigns the Lightrun roles to the user: ROLE_MANAGER, ROLE_USER, ROLE_IGNORE_QUOTA. |

Note

Parameters marked with * are mandatory.
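
The following pre-flight check is an added example, not part of Lightrun or SAP IAS: it lints a SCIM user payload against the mandatory parameters and the three assignable roles listed on this page before the payload is provisioned. The function name `lint_scim_user` and the sample payload are hypothetical and constructed for illustration.

```python
import json

# Values taken from this page: the SCIM core User schema URN, the three
# assignable Lightrun roles, and the parameters marked mandatory (*).
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ALLOWED_ROLES = {"ROLE_MANAGER", "ROLE_USER", "ROLE_IGNORE_QUOTA"}
MANDATORY = ("userName", "name")

def lint_scim_user(payload):
    """Return (errors, warnings) for a SCIM user payload (hypothetical helper)."""
    errors, warnings = [], []
    if USER_SCHEMA not in payload.get("schemas", []):
        errors.append("schemas: missing " + USER_SCHEMA)
    for field in MANDATORY:
        if not payload.get(field):
            errors.append(f"{field}: mandatory parameter missing or empty")
    roles = payload.get("roles", [])
    if not isinstance(roles, list):
        return errors + ["roles: must be an array"], warnings
    seen = set()
    for i, entry in enumerate(roles):
        value = entry.get("value") if isinstance(entry, dict) else None
        # Reject anything outside the allowlist, e.g. a typo such as ROLE_USE.
        if not isinstance(value, str) or value not in ALLOWED_ROLES:
            errors.append(f"roles[{i}]: {value!r} is not an assignable Lightrun role")
            continue
        if value in seen:
            warnings.append(f"roles[{i}]: duplicate {value}")
        seen.add(value)
        # The page's request example sets value, display and type identically.
        for key in ("display", "type"):
            if key in entry and entry[key] != value:
                warnings.append(f"roles[{i}].{key}: {entry[key]!r} differs from value")
    if "ROLE_MANAGER" in seen:
        warnings.append("ROLE_MANAGER granted: confirm the grant is intended")
    return errors, warnings

# Constructed sample: the role typo, the mismatched type and the missing
# "name" object are deliberate.
SAMPLE = json.loads("""
{"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
 "userName": "exampleUser@company.com", "active": true,
 "roles": [{"value": "ROLE_USE", "display": "ROLE_USE", "type": "ROLE_USE"},
           {"value": "ROLE_MANAGER", "display": "ROLE_MANAGER", "type": "ROLE_USER"}]}
""")

if __name__ == "__main__":
    for level, messages in zip(("ERROR", "WARNING"), lint_scim_user(SAMPLE)):
        for message in messages:
            print(level, message)
```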


Last update: April 23, 2025