Version: 2.0.0

Component Features

User Management

User Management provides comprehensive capabilities for managing user accounts, role assignments, and data-level access within the system. It ensures efficient user onboarding and assignment of appropriate roles, while maintaining compliance and security through audit and action logs that capture all operations performed on user accounts. Features such as user locking and unlocking, substitution management, and fine-grained data-level access controls help maintain strong security while ensuring operational continuity.

Summary Page

  • Displays total number of users with status-wise breakdown: Active, Inactive, Locked, and Expired.
  • User table shows User ID, Name, Email ID, Status, and Lock Status with sort support.
  • Search functionality using multiple attributes; filter by Active, Inactive, or Locked status.
  • Profile completion percentage displayed per user to highlight incomplete profiles.
  • Actions menu provides access to user account details, editing (personal info, roles, attributes), and permanent deletion.

User Creation

| Method | Description |
| --- | --- |
| Add User | Administrators manually create users by entering detailed user information. |
| Quick Add User | Bulk/fast creation using minimal required details: User ID, First Name, Last Name, Name, Email ID, and User Type. |
| External User Sources | Users onboarded from SAP BTP CIS, SAP BTP Account, or Azure Active Directory. |
| Import Users | Bulk import using pre-defined CSV/XLS templates. |
| Export Users | Export user data for reporting, backup, or external system integration. |

User Activation and Deactivation

  • Activating a User: Newly created accounts start in Draft status. Administrators use the Activate option in the Actions menu to enable system access.
  • Deactivating a User: For Active users, the Deactivate option revokes system access while retaining user data for audit and compliance.

Locking and Unlocking Users

  • Lock User: Prevents system access; used for security incidents or administrative reasons.
  • Unlock User: Restores access once the issue is resolved.

Substitution

The Substitute option in the Actions menu allows administrators to assign an alternate user to temporarily take over responsibilities during absences (vacation, sick leave, etc.). Vacation periods can be defined to automatically enable substitution during the specified timeframe.


Data-Level Access

The system provides data-level access control, allowing administrators to restrict user access to specific datasets based on role-based or user-specific rules. Administrators manage these settings from the User Details section under Data Level Access & Roles. The system supports:

  • Automatic evaluation of role-based rules.
  • Manually configured user-specific rules.
  • Options to view, add, modify, or remove dataset-level restrictions.

Role Assignment

Admins assign roles to users by navigating to the User Details section, clicking Add Role in the Roles section, and selecting the application and role. Both Standard and Exceptional role types are supported.


User Profile Management

Allows viewing and editing user profiles including personal information, roles, and permissions. Profile updates ensure user information remains accurate and up to date for business operations.


Provisioning and Audit Logs

  • Provision Log: Records all user provisioning actions such as role assignments and removals.
  • Audit Log: Records all user activities including profile updates, role changes, login history, and data access to support security and compliance.
  • Activity Log: Captures operational activity performed by and on users.

Role Management

Role Management provides a centralized framework for defining and managing roles, assigning users, and configuring module-, feature-, data-, and API-level access while ensuring compliance, traceability, and auditability. The module supports end-to-end role lifecycle management including role creation, assignment, synchronization with external sources, and deactivation.

Role Summary Screen

  • Displays Application Name, Role Name, Assigned User Count, Role Type, Role Segment, Created Date, Created By, and Status.
  • Summary counters: Total Roles, Total Applications, Standard Roles, Exceptional Roles, and Expired Roles.
  • Actions menu per role: View Details, Edit, Inactivate, Sync Role, Delete.
  • Search and filter by name, application, status, type, or segment.

Role Actions

| Action | Description |
| --- | --- |
| View Details | Displays complete role information and mapped users in read-only mode. |
| Edit | Updates role details, access configurations, role segments, sync settings, and data-level access rules. |
| Activate / Deactivate | Toggles role status; inactive roles cannot be assigned to users. |
| Sync Role | Manually triggers synchronization with mapped source groups to import users and provision the IWA role. |
| Delete | Permanently deletes a role in Draft or Inactive status. |

Create Role

  • Mandatory fields: Application Name, Role Name, Role Description, Role Type, Role Segment, and Role Category.
  • Role name must be unique within the selected application.
  • Module & Feature Role Segment: Enables or disables specific modules and features via toggles.
  • Role Categories:
    • Admin Role — full control and configuration rights.
    • Internal Role — restricted to internal users and datasets.
    • External Role — restricted to external partners/vendors with limited access.
  • Standard Role: Provides the regular predefined set of permissions for routine business operations.
  • Exceptional Role: Requires an expiry date; the role automatically transitions to Expired status after that date.
  • Save stores the role in Draft status; Submit finalizes and makes the role Active.
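The role rules above (unique name per application, mandatory expiry for Exceptional roles, Draft on Save, Active on Submit, deletion only from Draft or Inactive) can be modelled as a small state machine. This is an added example, not the product's own code; the `Role` and `RoleRegistry` names and the in-memory storage are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Role:
    application: str
    name: str
    role_type: str                    # "Standard" or "Exceptional"
    expiry: Optional[date] = None
    status: str = "Draft"             # Save stores the role as Draft

class RoleRegistry:
    """Hypothetical in-memory model of the role rules listed above."""

    def __init__(self):
        self.roles = {}               # (application, name) -> Role

    def save(self, role):
        key = (role.application, role.name)
        if key in self.roles:
            raise ValueError("role name must be unique within the application")
        if role.role_type == "Exceptional" and role.expiry is None:
            raise ValueError("Exceptional role requires an expiry date")
        self.roles[key] = role
        return role

    def submit(self, role):
        role.status = "Active"        # Submit finalizes the role

    def expire_due(self, today):
        """Move Active roles whose expiry date has passed to Expired."""
        expired = []
        for role in self.roles.values():
            if role.status == "Active" and role.expiry and today > role.expiry:
                role.status = "Expired"
                expired.append(role.name)
        return expired

    def can_assign(self, role, today):
        self.expire_due(today)        # re-check expiry before every decision
        return role.status == "Active"

    def delete(self, role):
        if role.status not in ("Draft", "Inactive"):
            raise ValueError("only Draft or Inactive roles can be deleted")
        del self.roles[(role.application, role.name)]
```

Evaluating expiry inside `can_assign` means an Exceptional role stops being assignable on the first check after its expiry date, even if no scheduled job has updated its status yet.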

Role Configuration Options

  • User Reconfirmation Settings: Users periodically verify their continued need for an assigned role.
  • Data-Level Access Modes:
    • Disabled — no data filtering.
    • Simple Filtering — basic dataset filters (region, country, location, etc.).
    • Advanced Access — multi-condition, rule-based filtering with complex attribute combinations.
  • Administrators can add or remove associated users via the Add User option; each user has a Data Level Access icon for per-user configuration.

External Mapping and Sync

Source Group Mapping:

  • Maps an IWA role to an existing AD group so that users belonging to that external group are automatically aligned with the role.
  • When a group is selected, a description can be added and users from the group can be included.

Provisioning & Deprovisioning Methods (appear only when Add Users from Source toggle is enabled):

  • SYSTEMSYNC — automatic provisioning and deprovisioning based solely on external source group changes.
  • ADMIN_AND_SYSTEMSYNC — user assignments managed through both administrator actions and automatic synchronization.
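The sketch below plans one sync run under each of the two methods and emits entries with the fields the page lists for the Provision Log (user, role, action, timestamp, initiator). It is an added example, not the product's own code: the `reconcile` function, the `origin` marker on each assignment, the action names, and the rule that admin-made assignments are kept only under ADMIN_AND_SYSTEMSYNC are assumptions, since the page does not specify how the two sources are reconciled.

```python
from datetime import datetime, timezone

METHODS = ("SYSTEMSYNC", "ADMIN_AND_SYSTEMSYNC")

def reconcile(role, method, source_members, assignments, now=None):
    """Plan one sync run; returns (new_assignments, provision_log).

    assignments maps user id -> origin ("SYNC" or "ADMIN"); the origin
    field is an assumption of this sketch, not a documented attribute.
    """
    if method not in METHODS:
        raise ValueError(f"unknown provisioning method: {method}")
    now = now or datetime.now(timezone.utc)
    current, result, log = set(assignments), dict(assignments), []

    def record(user, action):
        # Fields mirror the Provision Log: user, role, action, timestamp, initiator.
        log.append({"user": user, "role": role, "action": action,
                    "timestamp": now.isoformat(), "initiator": "SYSTEM_SYNC"})

    for user in sorted(source_members - current):      # joined the source group
        result[user] = "SYNC"
        record(user, "PROVISION")
    for user in sorted(current - source_members):      # left the source group
        # Assumption: admin-made assignments persist only in the mixed mode.
        if method == "ADMIN_AND_SYSTEMSYNC" and assignments[user] == "ADMIN":
            continue
        del result[user]
        record(user, "DEPROVISION")
    return result, log

if __name__ == "__main__":
    # Constructed sample data: AD group members vs. current role holders.
    group = {"alice", "bob"}
    holders = {"bob": "SYNC", "carol": "ADMIN", "dave": "SYNC"}
    for m in METHODS:
        new, log = reconcile("Auditor", m, group, holders)
        print(m, sorted(new), [(e["user"], e["action"]) for e in log])
```

Under these assumptions, users retained in the mixed mode after leaving the source group are the ones to check first during access reviews, because no external group membership backs their assignment any longer.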

Role Collection Mapping:

  • Connects the IWA role to an SAP BTP role collection so that users receive corresponding SAP BTP permissions automatically.
  • A name and optional description can be provided.

Copy / Create Role With Reference

  • Creates a new role using an existing role as a template.
  • Automatically copies: role segment, role type, role category, modules, features, and data-level access settings.
  • User assignments, provisioning history, and sync-related data are not copied to prevent unintended access inheritance.
  • The new role behaves like any freshly created role and can be saved as Draft or activated.

Provision Log & Audit Log (Roles)

  • Provision Log: Captures all provisioning-related actions (assignments, removals, sync updates, status changes) with user, role, action, timestamp, and initiator.
  • Audit Log: Records all configuration-level changes including updates to roles, users, data-level access, and provisioning settings, along with previous and updated values.

Group Management

The Group Summary screen displays Group Name, Application, Associated Role, Number of Users, Created By, Created On, and Status. It includes counters for Total, Active, Inactive, and Draft groups.


Group Actions

| Action | Description |
| --- | --- |
| View Details | Displays group metadata and group members in read-only format. |
| Edit | Updates group name, description, associated application, and associated role. |
| De-Activate | Marks an active group as inactive, preventing further use. |
| Delete | Permanently removes a group in Draft status or with no dependencies. |

Group Creation

  • Mandatory fields: Group Name, Group Description, Associated Application, and Associated Role(s).
  • The Associated Application dropdown lists all available applications that support group mapping.
  • The Associated Role dropdown shows only roles belonging to the selected application; multiple roles can be selected.
  • Administrators can save the group as Draft or activate it directly.

Group Members

  • Displays User ID, First Name, Last Name, Email ID, Added By, Added On, Data Level Access, and Status.
  • Users are added via the Add Users option; each member can have group-specific data-level access configured.
  • Removing a user clears their group-specific data-level access automatically.

Group Status Handling

| Status | Behavior |
| --- | --- |
| Active | Available for mapping in role and user configurations. |
| Inactive | Visible but not assignable until reactivated. |
| Draft | Editable before activation; not visible in assignment dropdowns. |

Provision Summary

The Provision Summary screen displays:

  • Total Applications, Active Applications, Deactivated Applications, and Excel-uploaded Applications.
  • Each application row shows Description, Number of Roles Added, Number of Users, Creator, Creation Date, and Status.
  • Clicking an application navigates to the detailed application view.
  • Active applications allow role provisioning and revocation; Inactive applications remain visible but block provisioning actions.

Provision Role

  1. Navigate to Manage Role → Provision Role.
  2. Select an application, then choose a user for role assignment.
  3. The Provision Role button shows all active roles for the selected application.
  4. If a selected role contains mapped groups, all groups are displayed automatically.
  5. Use Preview to review application, role, group, and account details before submission.
  6. Submit assigns the role; duplicate assignment for the same account is restricted.
  7. Add User supports multiple user selection for bulk assignment.
  8. Bulk Request supports Excel upload for mass provisioning.

Revoke Role

  1. Navigate to Manage Role → Revoke Role.
  2. Select the User and Role (mandatory).
  3. Only roles currently assigned to the selected user appear in the dropdown.
  4. If the role contains data-level access, a View Data Level Access option is displayed.
  5. Submit revokes the role and updates the member's role list immediately.
  6. Add User allows revoking the same role for multiple users in one action.

Application Dashboard (After Selecting an Application)

Displays Application Name, Provisioned By, and Provisioned On. Contains three sub-sections:

Users Section

  • Lists all users associated with the application with Name, Email ID, and Status.
  • Selecting an account shows full personal details.
  • All roles and mapped groups for the account are displayed in sub-sections.
  • Data-level access is editable via an Edit icon; all changes are recorded in the Provision Log.
  • Filters: Provisioned Status, Provisioned By, Provisioned On (Date), and Roles.

Roles Section

  • Displays all roles for the application: Role Name, Type, Status, Associated Users count, and Associated Groups count.
  • Role Details panel shows Role Name, Created By, and Created On.
  • Create Role button available within the application context.
  • Associated Users section: bulk select, Add/Remove Users, data-level access per user, filters by Group Name and User ID.
  • Provision Log entries show: Request No, Associated Users, Initiated By, Initiated On, Provision Type, Provision By, and Request Status.

Groups Section

  • Lists all groups for the application: Group Name, Description, Associated Roles, Members, Created By, Created On, and Status.
  • Group Members: Add/Remove Users, data-level access per member, filters by Status and User ID.
  • Associated Role section shows Role Name, Provisioned By, Created By, Created On, Status, and a Role Details button.

Application Management

The Application Summary screen displays Total Applications, Active Applications, Draft Applications, and Deactivated Applications. Each application row shows Application Name, Description, Created By, Created On, and Status.

  • Search by application name or description.
  • Filters: Created By, Created On (date range), and Status.

Application Actions

| Action | Description |
| --- | --- |
| View Details | Navigates to the detailed application view (roles, groups, users). |
| Edit | Modifies application metadata (Name, Description, Status, etc.). |
| Delete | Supported when no roles, users, or other objects are mapped to the application. |
| Activate | Changes application status from Draft or Deactivated to Active. |
| Deactivate | Changes an Active application's status to Deactivated. |

Application Details

A new application can be created in two ways:

  1. Filling in a form manually with all required details.
  2. Uploading an Excel file containing all application configuration data.

Mandatory Fields:

| Field | Type |
| --- | --- |
| Application Name | Text input |
| Application Description | Text area |
| Select Sources | Dropdown |
| Select Source Groups | Dependent dropdown (enabled after Sources is selected) |
| Domain | Text input (e.g. @incture.com); press Enter to add multiple domains |

Configuration Toggles:

| Toggle | Effect When Enabled |
| --- | --- |
| Email Notifications | Adds an Email Events configuration section. |
| Enable Data Level Access | Adds a Data Level Access step for role-level access rules. |
| Enable API Level Access | Adds an API Access configuration panel for role-level settings. |
| User Events | Adds a User Events section for configuring user event notifications and logs. |
| Application-Level Lock | Prevents application usage when locked. |
| Enable User Provisioning Approval | Requires manual approval for new provisioning requests. |

  • Breadcrumb/wizard navigation updates dynamically based on enabled toggles.
  • Data Attributes can be created and mapped when Data-Level Access is enabled.
  • APIs can be created and mapped when API-Level Access is enabled.
  • Email Event types can be added and configured when Email Notifications is enabled.
  • User Event types can be defined and mapped when User Events is enabled.
  • An Audit Log section is available to view all configuration changes with actor and timestamp.
  • Save stores the application in Draft state; Submit moves it to Active status.
  • Validation ensures that if a toggle (Data Level, API, Email, User Events) is enabled, at least one corresponding configuration item is defined.