Transport Across Organization
This guide explains how to transport IWA application configurations, roles, groups, and user data across organizational units or landscape environments (e.g., from Development to Quality to Production).
Overview
Transporting IWA configurations across organizations involves moving the following artefacts:
| Artefact | Transported Items |
|---|---|
| Application Master Data | Application name, description, domain settings, enabled toggles (Data Level Access, API Access, Email Notifications, User Events), data attributes, APIs, email events, and user events. |
| Roles | Role name, type, category, segment, module/feature access, data-level access rules, source group mappings, and role collection mappings. |
| Groups | Group name, description, associated application, and associated roles. |
| User Profiles | User ID, profile details, role assignments, and data-level access configurations. |
Transport Methods
IWA supports the following methods for transporting configurations across organizations or landscapes:
1. Excel-Based Export and Import
Export Application Configuration:
- Navigate to Application Management and locate the application to be transported.
- Use the Export option (where available) to download the application configuration as an Excel file.
- Review and adjust the exported file as needed for the target environment (e.g., update domain names, source group references).
Import Application Configuration:
- In the target environment, navigate to Application Management → Create Application.
- Select the Excel Upload option.
- Upload the exported and adjusted Excel file.
- Verify that all application metadata, toggles, data attributes, APIs, email events, and user events are correctly populated.
- Click Submit to activate the application.
Export and Import Users:
- In the source environment, navigate to User Management.
- Use the Export Users option to download user data.
- In the target environment, use Import Users and upload the exported file.
2. External Identity Source Synchronization
For organizations that manage users through SAP BTP CIS or Azure Active Directory, users and role assignments can be synchronized automatically across environments without manual transport:
- In the target environment, configure the application with the same Source Group mappings as the source environment.
- Trigger a Sync Role action on each role to import users from the mapped source groups.
- Verify that users and their role assignments are correctly provisioned in the target environment via the Provision Log.
3. Role and Group Recreation with Reference
When transporting roles to a new environment:
- Navigate to Role Management in the target environment.
- If a reference role already exists (e.g., transported via Excel or manually created), use Create Role With Reference to quickly replicate roles with the same configuration.
- Adjust any environment-specific settings (source group mappings, role collection mappings) before submitting.
User assignments, provisioning history, and sync data from the source role are not copied during reference-based creation. Role assignments must be re-provisioned in the target environment.
Post-Transport Checklist
After transporting configurations to the target organization or landscape, verify the following:
- All applications are in Active status in the target environment.
- Role types, segments, categories, and module/feature toggles match the source configuration.
- Source group mappings and role collection mappings point to the correct target-environment identity sources.
- Email notification events and user events are correctly configured for the target environment's SMTP/event settings.
- Data attributes and data-level access rules are present and correctly mapped.
- Test users can log in and are provisioned with the correct roles.
- Provision Logs and Audit Logs are capturing entries correctly in the target environment.
Handling Environment-Specific Differences
When transporting across organizations with different configurations, note the following:
| Item | Consideration |
|---|---|
| Domains | Update the Domain field to match the target organization's email domain (e.g., @org2.com). |
| Source Groups | Source groups from SAP BTP CIS or Azure AD are environment-specific; re-map to the equivalent groups in the target landscape. |
| Role Collections | SAP BTP role collections must exist in the target BTP subaccount before mapping; create them if they do not. |
| Provisioning Approval | If the target environment requires provisioning approval, enable the Enable User Provisioning Approval toggle during application setup. |
| Application Lock | Ensure the Application-Level Lock toggle is in the correct state for the target environment before going live. |