Author: Maik Toth

How to manage authorization assignments in HANA Cloud using the Authorization Management REST API

Maybe you have already had the chance to work with SAP HANA Cloud Platform and were asking yourself how to manage users, roles and groups in a convenient, automated way rather than maintaining the users manually. In case you did, let me use the chance to give you a small introduction to the Authorization Management REST API provided by SAP HANA Cloud Platform.

Let me clearly emphasize that this API can manage Predefined & Custom roles but not Account Member Roles.

To consume this REST API, you need to obtain OAuth client credentials (client ID and secret) from your account in the SAP HANA Cloud Platform. For that, enable the Beta features in your account.

Once done, you can generate a global OAuth client for your account.

Remember the Client ID & Secret, as you will need them in the next step to obtain the OAuth access token. The Client ID can be seen as a user ID and the Client Secret is the password. There is quite good documentation in place on how to tackle the first hurdle, obtaining the OAuth access token. Refer to the official SAP HANA Cloud Documentation. I want to give you a brief overview of how to manage that with an API client test tool. The goal is to have a lightweight user life-cycle.

These are the steps we want to follow:
  1. Get a list of assigned roles
  2. Assign the predefined role “Administrator” for the Java application “testd0xxxxxx”
  3. Check the result on the HCP Account
  4. Delete the role again
  5. Check the result on the HCP Account again

Pretty straightforward and a common user life-cycle scenario, isn’t it?

Retrieve an OAuth Access token

Assuming you have obtained the OAuth Client ID and Client Secret, we can start by encoding those into a Base-64 encoded string.

POST https://api.<landscape_host>/OAuth2/apitoken/v1?grant_type=client_credentials

Authenticate using Basic Authentication.

Set the HTTP Authorization header:

Basic <Base-64 encoded <ClientID>:<ClientSecret>>

You receive a response like this:


{
  "access_token": "b29c79e3859d25aa62c234494eda33b9",
  "token_type": "Bearer",
  "expires_in": 1500,
  "scopes": [ ... ]
}





Et voilà, this is your OAuth access token for the next 1500ms. The response is a JSON object whose access_token value is the one which makes you happy.

Get a list of assigned roles

You received an access_token in the previous step. Use this token in all future requests until the token expires.

<!-- HTTPS Request -->


Headers: Authorization: Bearer b29c79e3859d25aa62c234494eda33b9

List of assigned roles for user Goofy

<!-- HTTPS response object as JSON Object -->

{
  "roles": [
    {
      "name": "ProjectMember",
      "applicationName": "dispatcher",
      "providerAccount": "services"
    }
  ]
}


To confirm the result simply jump to your HCP Account.


Assign a role to the user

It’s a bit hard to maintain the JSON string in the HTTP body. You can also add the user to multiple roles; just extend the JSON array accordingly. If all is working fine, you will receive a 200 response code as the success message.



Authorization: Bearer b29c79e3859d25aa62c234494eda33b9


{
  "roles": [
    {
      "name": "Administrator",
      "providerAccount": "{accountName}"
    }
  ]
}


Let’s check the assignment in the HCP Account again.


Delete a role from the user

The pitfall with this request was to get the correct roles concatenated. There are two sets of roles available in the HCP. These are roles defined using the Cockpit and roles defined in the web.xml of an application.

Provider Account Name | Application Name | Role | Description
Services | dispatcher | YourRole | roles defined using the Cockpit
yourAccount | yourApplication | YourRole | roles defined in the web.xml of an application
d0xxxxxtrial | testd0xxxxx | Administrator | role is used for the current scenario

A role is defined by the role name and the application name for which it is defined, separated by the @ symbol. The application is defined by the provider account name and the application name, separated by a colon (:). All details for the DELETE request can be found here.



Headers: Authorization: Bearer b29c79e3859d25aa62c234494eda33b9

Let’s check the user in the HCP Account again and cross our fingers that the user is no longer assigned to the role.
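The token request, the token response and the role reference from the steps above, as an added Python example that is not part of the original post: it builds the requests without sending them and rejects role components that would make the `role@account:application` reference ambiguous. The function names and the sample host are assumptions; the role endpoint URLs are left out because this page does not give them.

```python
import base64
import json
import urllib.request


def token_request(landscape_host, client_id, client_secret):
    """Build (not send) the client-credentials token request from the post."""
    creds = f"{client_id}:{client_secret}".encode("utf-8")
    basic = base64.b64encode(creds).decode("ascii")
    url = (f"https://api.{landscape_host}/OAuth2/apitoken/v1"
           "?grant_type=client_credentials")
    return urllib.request.Request(
        url, method="POST", headers={"Authorization": f"Basic {basic}"})


def bearer_header(token_response_text):
    """Turn the token endpoint's JSON reply into the header for later calls."""
    reply = json.loads(token_response_text)
    token = reply.get("access_token")
    if str(reply.get("token_type", "")).lower() != "bearer" or not token:
        raise ValueError("unexpected token response")
    return {"Authorization": f"Bearer {token}"}


def role_ref(name, provider_account, application):
    """Compose <role>@<providerAccount>:<application> for the DELETE request."""
    for part in (name, provider_account, application):
        # A separator or stray whitespace inside a component would make the
        # reference ambiguous, so refuse it instead of sending it.
        if not part or part != part.strip() or any(c in part for c in "@:"):
            raise ValueError(f"invalid role component: {part!r}")
    return f"{name}@{provider_account}:{application}"


def assignment_body(*roles):
    """JSON body for the assignment; each role is (name, application, provider)."""
    return json.dumps({"roles": [
        {"name": n, "applicationName": a, "providerAccount": p}
        for n, a, p in roles
    ]})


if __name__ == "__main__":
    # Constructed sample values; the host is a placeholder, not a real landscape.
    req = token_request("landscape.example", "my-client-id", "my-client-secret")
    print(req.get_method(), req.full_url)
    print(role_ref("Administrator", "d0xxxxxtrial", "testd0xxxxx"))
```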


OK, that’s nice, but what’s next? How can I use this API now for my daily work? Well, we developed an HCP connector to enable the internal SAP IdM to do the role provisioning with the same quality as for all on-prem systems within the company.

Other scenarios would be using Apache and Java, or making a fancy node.js application. It doesn’t actually matter which technology you’re using as long as OAuth and JSON are supported.
Do not forget the other options like Groups and Role Management, which are also supported by the API.

Have fun!

      Abdel DADOUCHE


      Thanks for writing this tutorial.

      One quick comment which might be useful for people having trouble encoding the client id/secret in base64: use PostMan Basic Authentication where your user is the client id and the password will be the client secret.

      I have an additional question for you, do you know if there is a similar API to add/associate an existing member to an existing account?

      I need to add/remove members (in mass) to an HCP account via a node.js program I'm building.

      But I can't find a way to use the API used in the cockpit:

      Thanks in advance.


      Maik Toth
      Blog Post Author

      Hi Abdel,

      thanks for the hint about the encoding.
      Coming to your question about account member provisioning. There is unfortunately no API available yet. I would be more than happy to have such one as well in the future. So cross fingers that development will provide one in the near future.

      Thanks for your feedback!

      Best regards

      Ashok Kumar M

      Hi Maik,

      This capability is to unassign roles that are provided within an application.
      Are there REST APIs to add/remove member to access HANA cloud platform cockpit?

      Reason I ask is, most customers use an Identity Management system centrally to control users and access from one place. This helps them to provision a new user when they join and also remove access once the user leaves the organization.

      Best Regards,


      Maik Toth
      Blog Post Author

      Hi Ashok,
      due to the fact that the HCP has no own user store, it's only possible to assign those users to a role / group.
      Assigning Members to the Account like Admin, Developer etc. is not possible via the API yet.

      Best Regards

      Michael Healy

      Hi Maik, great document, thanks for this. Are there plans to have an API to do the above in the road map?

      Mario Günter

      Edit: Has been reviewed by SAP in the meantime. Works now again. Thanks!


      Hi Maik,

      I try to figure out, how to assign roles to a specific group, my request body looks like:

      (as described here)

         "roles" : [


      Authorization: Bearer xxxxxxxxxxxxxxxxxxxxxxxxxxxxx





      The GET is working just fine and displays some roles from SUBACCOUNTID already assigned to “testgrp”. But if I do a PUT with new (existing roles) I get 415 Unsupported Media Type.

      Can you please give any advice how to solve it?

      Best Regards,





      Umapathi Patana

      Hello Maik,

      I am able to create group using API: /accounts/{accountName}/groups

      But I am not able to assign users to group. Below is the code I am writing but I am getting 405 error code. Any idea on how this can be fixed?


      Regards, Umapathi

      String urlConnection = "<traial_account>/groups/users/?groupName=ABCDGROUP1";
      URL url = new URL(urlConnection);
      httpConn = (HttpURLConnection) url.openConnection();
      httpConn.setRequestProperty("Content-Type", "application/json; charset=UTF-8");
      if (token != null && !"".equalsIgnoreCase(token)) {
          String newEncoded = "Bearer " + token;
          httpConn.setRequestProperty("Authorization", newEncoded);
      }
      JSONObject object = new JSONObject();
      JSONArray array = new JSONArray();
      JSONObject item1 = new JSONObject();
      item1.put("name", "umapathi");
      JSONObject item2 = new JSONObject();
      item2.put("name", "patana");
      array.put(0, item1);
      array.put(1, item2);
      object.put("users", array);
      String message = object.toString();
      logger.error("CONNECTION - addUsersToGroup REQUEST:" + message);
      OutputStream os = httpConn.getOutputStream();
      OutputStreamWriter osw = new OutputStreamWriter(os, "UTF-8");
      int status = httpConn.getResponseCode();
      Maik Toth
      Blog Post Author

      Hello Umapathi,

      you have to pass the users in the Body in JSON format.

      {
        "users": [
          { "name": "USER_1" },
          { "name": "USER_2" },
          { "name": "USER_3" }
        ]
      }


      Best regards


      Ravindra PAWAR

      Hi Maik,

      Thanks for the detailed blog. I want to do the same kind of configuration with a Cloud Foundry sub-account and use the Authorization Management REST APIs to manage user roles/groups for the application deployed in the CF sub-account. But I could not find the OAuth settings in the CF sub-account. Is there any way to use the same Authorization Management REST APIs with a CF sub-account? I am using Identity Authentication Service as IdP and want to assign a role to the user in the CF sub-account. The user is created in the IdP and the role is created for the application in the CF sub-account, and I need to do the assignment using REST APIs.



      Maik Toth
      Blog Post Author

      Hi Ravindra,

      sorry for the late reply! However, I did not proceed with CF. But I expect that CF has an API as well, maybe you try to find some entry point here,

      Would be more than happy if you can post your experience in this blog as well.

      Best Maik