aman175105
Hi guys,

This blog covers a client requirement where users need to be created and provisioned in SAP Analytics Cloud (SAC) from an Identity and Access Management (IAM) system (for example IdM). SAC user provisioning can be done via the standard SAC REST APIs, which need to be enabled before making an API call.

The complete process can be automated by using a middleware (for example SAP CPI) to receive the request from IAM and call the SAC APIs in sequence for user creation and provisioning. We will use the Postman client to make the API calls.

The scope of this document covers the below scenarios

  • User creation

  • User update

  • User delete

  • Teams creation

  • Teams update

  • Users and teams extraction


In order to consume the SAC APIs, an application client first needs to be created to authenticate and authorize the incoming requests.

Let's start with the creation of an application. Go to System -> Administrator -> app integration

Note: The logged-in user must have a suitable admin role to perform the steps below.

Create a new OAuth client



  1. Enter some meaningful name for the app user

  2. OAuth client id name (will be visible in the API logs)

  3. Select “API access” from the drop-down

  4. Access scope will be “User provisioning”

  5. Enter the secret, which will be used for the authentication

  6. Lifetime for the secret expiry

  7. Lifetime for the access token generated by OAuth server


After specifying all details, click Add (note down the OAuth client ID and secret).



Note down the Token URL as this will be used to make the first call and obtain the access token. Now, we are all set to do the API calls.

 

Test Case 1: User Creation

  • Request access token

  • Fetch CSRF token

  • Create a user with optional parameters


Perform the below steps in sequence

Request Access Token

  1. This must be done via the tenant Token URL.

  2. The OAuth Client ID and Secret must be provided as part of the request




If OAuth authorization is successful, the returned token can be used to access the API

 

Fetch CSRF token

POST, PUT, and DELETE requests to the API can be made only after getting a valid CSRF token. To get the CSRF token, do a GET request to one of the SAC APIs (/Users or /Groups).

URL: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Groups  OR

URL: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Users



Tip: HEAD operation can be used to avoid response payload.

 

Create a user

Users in SAC can be created with or without optional parameters as below.

POST: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Users
Header section:

x-sap-sac-custom-auth = true

x-csrf-token = <<x-csrf-token from step 2>>

Content-Type = application/json

Authorization = Bearer <<Access Token from step 1>>

Body section:

username: a unique name for the user

emails: unique primary email id for the user

roles: multiple roles can be assigned by adding multiple role names in the request

isConcurrent: manage the concurrent license type

managerId: user id should exist in the system before assigning it as a manager

Note: userName and email must be unique while creating a new user in SAC.



Response: If a user creation call is successful, the API response will be “201 Created”

Verify the results in SAC, go to Security/Users.
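The three steps of Test Case 1 as one scripted sequence, for use outside Postman. This is an added example, not code from the original post or from SAP. Assumptions: the function names, a client-credentials grant with HTTP Basic authentication on the Token URL, `fetch` as the value that requests a CSRF token, and a cookie jar shared across the calls (as Postman does) so the CSRF token and session stay together.

```python
import base64
import json
from http.cookiejar import CookieJar
from urllib import parse, request


def make_sender():
    """Real HTTP sender (stdlib); one cookie jar is shared by all three calls."""
    opener = request.build_opener(request.HTTPCookieProcessor(CookieJar()))

    def send(method, url, headers, body=None):
        req = request.Request(url, data=body, headers=headers, method=method)
        with opener.open(req, timeout=30) as resp:  # raises HTTPError on 4xx/5xx
            return resp.status, dict(resp.headers.items()), resp.read()
    return send


def create_user(send, token_url, scim_base, client_id, client_secret, user):
    """Run steps 1-3 of Test Case 1 and return the parsed create response."""
    # Step 1: access token (assumed: client-credentials grant, HTTP Basic auth).
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    status, _, body = send(
        "POST", token_url,
        {"Authorization": "Basic " + basic,
         "Content-Type": "application/x-www-form-urlencoded"},
        parse.urlencode({"grant_type": "client_credentials"}).encode())
    if status != 200:
        raise RuntimeError(f"token request failed: HTTP {status}")
    auth = {"Authorization": "Bearer " + json.loads(body)["access_token"],
            "x-sap-sac-custom-auth": "true"}

    # Step 2: CSRF token from a GET; "fetch" is the assumed request value.
    status, headers, _ = send("GET", scim_base + "/Groups",
                              {**auth, "x-csrf-token": "fetch"})
    csrf = {k.lower(): v for k, v in headers.items()}.get("x-csrf-token")
    if status != 200 or not csrf:
        raise RuntimeError(f"CSRF fetch failed: HTTP {status}")

    # Step 3: create the user; only 201 Created counts as success.
    status, _, body = send(
        "POST", scim_base + "/Users",
        {**auth, "x-csrf-token": csrf, "Content-Type": "application/json"},
        json.dumps(user).encode())
    if status != 201:
        raise RuntimeError(f"user creation failed: HTTP {status}")
    return json.loads(body)
```

Call it as `create_user(make_sender(), token_url, scim_base, client_id, secret, user)`, with the client secret read from a secret store rather than written into the script; the error messages deliberately contain only the HTTP status, never the secret or token.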



 

 

Test Case 2: User update

Perform the below steps in sequence

  • Request access token: As explained earlier

  • Fetch CSRF token: As explained earlier

  • Update a user


Update a user

Note: This call always works in upsert mode, meaning existing user information will be overwritten with the new information.

PUT: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Users/AGUPTA
Header section:

x-sap-sac-custom-auth = true

x-csrf-token = <<x-csrf-token>>

Content-Type = application/json

Authorization = Bearer <<Access Token>>



Response: If user update call is successful, the API response will be “200 OK”

Verify the results in SAC, go to Security/Users.



 

 

Test Case 3: User delete

Perform the below steps in sequence

  • Request access token: As explained earlier

  • Fetch CSRF token: As explained earlier

  • Delete a user


Delete a user

Note: The user to be deleted should not be an active manager in SAC.

DELETE: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Users/AGUPTA
Header section:

x-sap-sac-custom-auth = true

x-csrf-token = <<x-csrf-token>>

Content-Type = application/json

Authorization = Bearer <<Access Token>>



Response: If user delete call is successful, the API response will be “204 No Content”

 

Test Case 4: Group(teams) creation

Perform the below steps in sequence

  • Request access token: As explained earlier

  • Fetch CSRF token: As explained earlier

  • Create a team


POST: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Groups
Header section:

x-sap-sac-custom-auth = true

x-csrf-token = <<x-csrf-token from step 2>>

Content-Type = application/json

Authorization = Bearer <<Access Token from step 1>>

Body section:

id: a unique name for the group(team)

displayName: display name for the group(team)

roles: multiple roles can be assigned by adding multiple role names in the request

members: multiple members can be assigned by adding multiple member names in the request



Response: If group(teams) creation call is successful, the API response will be “201 Created”

Verify the results in SAC, go to Security/Teams



 

 

Test Case 5: Teams update

Perform the below steps in sequence

  • Request access token: As explained earlier

  • Fetch CSRF token: As explained earlier

  • Update a team


Note: This call always works in upsert mode, meaning existing team information will be overwritten with the new information.

PUT: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Groups/Teams1
Header section:

x-sap-sac-custom-auth = true

x-csrf-token = <<x-csrf-token from step 2>>

Content-Type = application/json

Authorization = Bearer <<Access Token from step 1>>



Response: If teams update call is successful, the API response will be “200 OK”

Note: Users added to a team will inherit the roles assigned to that team.
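Because the PUT calls in Test Case 2 and Test Case 5 overwrite the stored user or team, a request that carries only the changed field can drop roles or members it never meant to touch. The following added example, not part of the original post or SAP's code, merges an IAM change into the resource read back with GET and refuses silent removals; `plan_put`, the role names used with it and the entry format (plain strings or objects with a `value` key) are assumptions.

```python
LIST_FIELDS = ("roles", "members")  # list-valued fields named in the Body sections


def _keys(items):
    """Comparable identifiers for list entries (plain strings or {"value": ...})."""
    return {i["value"] if isinstance(i, dict) else i for i in items or []}


def plan_put(current, changes, allow_removals=False):
    """Return (body, diff) for a PUT that changes only what `changes` names.

    current: resource as returned by a GET on Users/<id> or Groups/<id>
    changes: fields the IAM request actually wants to set
    """
    body = {**current, **changes}  # untouched fields are carried over
    diff = {}
    for field in LIST_FIELDS:
        before, after = _keys(current.get(field)), _keys(body.get(field))
        if before != after:
            diff[field] = {"added": sorted(after - before),
                           "removed": sorted(before - after)}
    dropped = {f: d["removed"] for f, d in diff.items() if d["removed"]}
    if dropped and not allow_removals:
        # Fail closed: a role or member disappears only when asked for explicitly.
        raise ValueError(f"PUT would remove existing entries: {dropped}")
    return body, diff
```

The returned `diff` is worth writing to the middleware's audit log, since every added role is a privilege grant made through the provisioning client.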

 

Test Case 6: User and Group(teams) extraction


Perform the below steps in sequence

  • Request access token: As explained earlier

  • Get call for user or team extraction


Header section:

Authorization = Bearer <<Access Token from step 1>>

Get all SAC users: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Users

Get specific SAC user: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Users/AGUPTA

Get specific SAC user with Filter conditions:

https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Users?filter=username eq "AGUPTA"

Get all SAC teams: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Groups

Get specific SAC team: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Groups/Teams1

 

References: https://help.sap.com/viewer/298f82da4b184d1fb825b7ffe365e94a/release/en-US/b687e9589b834a2db872414b0...

Note: All the above content is based on personal learning from SAP help and SAP official documentation. Comments and suggestions are always welcome. Happy Integrating! 🙂