Maybe you have already had the chance to work with SAP HANA Cloud Platform and asked yourself how to manage users, roles and groups in a convenient, automated way rather than maintaining the users manually. In case you did, let me use the chance to give you a small introduction to the Authorization Management REST API provided by SAP HANA Cloud Platform.

Let me clearly emphasize that this API can manage Predefined and Custom roles, but not Account Member Roles.

To consume this REST API, you need to obtain OAuth client credentials (client ID and secret) from your account in the SAP HANA Cloud Platform. For that, enable the Beta features in your account.

Once done, you can generate a global OAuth Client for your account.

Remember the Client ID and Secret, as you will need them in the next step to obtain the OAuth Access Token. The Client ID can be seen as a user ID and the Client Secret as the password. There is quite good documentation in place on how to tackle the first hurdle, obtaining the OAuth access token; refer to the official SAP HANA Cloud Documentation. I want to give you a brief overview of how to manage that with an API client test tool. The goal is to have a lightweight user life-cycle.

These are the steps we want to follow:
  1. Get a list of assigned roles
  2. Assign the predefined role “Administrator” for the Java application “testd0xxxxxx”
  3. Check the result on the HCP Account
  4. Delete the role again
  5. Check the result on the HCP Account again

Pretty straightforward and a common user life-cycle scenario, isn’t it?

Retrieve an OAuth Access token

Assuming you have obtained the OAuth Client ID and Client Secret, we can start by encoding those into a Base-64 encoded string.

POST https://api.<landscape_host>/OAuth2/apitoken/v1?grant_type=client_credentials

Authenticate by Basic Authentication

Set the HTTP header Authorization to:

Basic <Base-64 encoded <ClientID>:<ClientSecret>>

You receive a response like this:

{
  "access_token": "b29c79e3859d25aa62c234494eda33b9",
  "token_type": "Bearer",
  "expires_in": 1500,
  "scopes": [
    "hcp.manageAuthorizationSettings",
    "hcp.readAuthorizationSettings"
  ]
}

Et voilà, this is your OAuth Access token for the next 1500ms. The response is a JSON object, whose access_token value is the one which makes you happy.

Get a list of assigned roles

You received an access_token in the previous step. Use this token in all subsequent requests until the token expires.

HTTPS request:

GET https://api.hanatrial.ondemand.com/authorization/v1/accounts/{accountName}/users/roles/?userId=GOOFY

Headers: Authorization: Bearer b29c79e3859d25aa62c234494eda33b9

List of assigned roles for user Goofy

HTTPS response (JSON object):

{
  "roles": [
    {
      "name": "ProjectMember",
      "applicationName": "dispatcher",
      "providerAccount": "services"
    }
  ]
}

To confirm the result simply jump to your HCP Account.


Assign a role to the user

It is a bit fiddly to maintain the JSON string in the HTTP body. You can also add the user to multiple roles at once; just extend the JSON array accordingly. If everything works, you receive HTTP status code 200 as the success message.

PUT https://api.hanatrial.ondemand.com/authorization/v1/accounts/{accountName}/users/roles/?userId=GOOFY

Headers:

Authorization: Bearer b29c79e3859d25aa62c234494eda33b9

Content-Type: application/json

{
  "roles": [
    {
      "name": "Administrator",
      "applicationName": "testd0xxxxx",
      "providerAccount": "{accountName}"
    }
  ]
}

Let’s check the assignment in the HCP Account again.


Delete a role from the user

The pitfall with this request was getting the role identifier concatenated correctly. There are two sets of roles available in the HCP: roles defined using the Cockpit and roles defined in the web.xml of an application.

Provider Account Name   Application Name   Role            Comment
services                dispatcher         YourRole        roles defined using the Cockpit
yourAccount             yourApplication    YourRole        roles defined in the web.xml of an application
d0xxxxxtrial            testd0xxxxx        Administrator   role used for the current scenario

A role is identified by the role name and the application name for which it is defined, separated by the @ symbol. The application in turn is identified by the provider account name and the application name, separated by a colon (:). All details for the DELETE request can be found here.

DELETE https://api.hanatrial.ondemand.com/authorization/v1/accounts/{accountName}/users/roles/?userId=GOOFY&roles=Administrator@d0xxxxxtrial:testd0xxxxx

Headers: Authorization: Bearer b29c79e3859d25aa62c234494eda33b9

Let’s check the user in the HCP Account again and cross our fingers that the user is no longer assigned to the role.

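To tie the five steps together, here is an added Python helper (my own example, not code from this post or from SAP) that builds the token, list, assign and unassign requests exactly as shown above and encodes the role identifier the DELETE call needs; the host, account name, user id, sample token and sample role are constructed placeholders taken from the walkthrough, not live values.

```python
import base64
import json
from urllib.parse import quote, urlencode
from urllib.request import Request, urlopen

# Host, account and user id below are constructed placeholders, not values from a real landscape.
API_HOST = "api.hanatrial.ondemand.com"

def basic_auth_header(client_id, client_secret):
    """Authorization header for the token call: Base64 of 'clientId:clientSecret'."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def token_request(client_id, client_secret):
    """(method, url, headers, body) for the client_credentials token call."""
    url = f"https://{API_HOST}/OAuth2/apitoken/v1?grant_type=client_credentials"
    return "POST", url, {"Authorization": basic_auth_header(client_id, client_secret)}, None

def role_identifier(role):
    """Encode a role object as the DELETE call expects it: name@providerAccount:applicationName."""
    return f"{role['name']}@{role['providerAccount']}:{role['applicationName']}"

def parse_roles(response_text):
    """Turn the JSON body of the GET call into a list of role identifiers."""
    return [role_identifier(r) for r in json.loads(response_text)["roles"]]

def role_request(op, account, user_id, token, roles=()):
    """Build (method, url, headers, body) for op in {'list', 'assign', 'unassign'}."""
    base = f"https://{API_HOST}/authorization/v1/accounts/{quote(account)}/users/roles/"
    headers = {"Authorization": f"Bearer {token}"}
    query = {"userId": user_id}
    if op == "list":
        return "GET", base + "?" + urlencode(query, safe="@:"), headers, None
    if op == "assign":
        headers["Content-Type"] = "application/json"  # declare the JSON body (HTTP 415 means the media type was not accepted)
        body = json.dumps({"roles": list(roles)}).encode("utf-8")
        return "PUT", base + "?" + urlencode(query, safe="@:"), headers, body
    if op == "unassign":
        query["roles"] = role_identifier(roles[0])  # one role per DELETE, as in the post
        return "DELETE", base + "?" + urlencode(query, safe="@:"), headers, None
    raise ValueError(f"unknown op {op!r}")

def send(request):
    """Execute a built request with urllib; returns (status, body_text). Needs network access."""
    method, url, headers, body = request
    with urlopen(Request(url, data=body, headers=headers, method=method), timeout=30) as resp:
        return resp.status, resp.read().decode("utf-8")
```

Only send() talks to the live API; every other function works offline, which lets you unit-test the role encoding and headers before touching a real account.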

OK, that’s nice, but what’s next? How can I use this API now for my daily work? Well, we developed an HCP connector that enables the internal SAP IdM to do the role provisioning with the same quality as for all on-prem systems within the company.

Other scenarios would be using Apache and Java, or building a fancy node.js application. It doesn’t actually matter which technology you’re using, as long as OAuth and JSON are supported.
Do not forget the other options like Group and Role Management, which are also supported by the API.

Have fun!


5 Comments


  1. Abdel DADOUCHE

    Hi,

    Thanks for writing this tutorial.

    One quick comment which might be useful for people having trouble encoding the client id/secret in base64: use PostMan Basic Authentication where your user is the client id and the password will be the client secret.

    I have an additional question for you, do you know if there is a similar API to add/associate an existing member to an existing account?

    I need to add/remove members (in mass) to an HCP account via a node.js program I’m building.

    But I can’t find a way to use the API used in the cockpit:
    https://account.eu1.hana.ondemand.com/ajax/deleteAccountMembers/xxxxx

    Thanks in advance.

    @bdel

    (0) 
    1. Maik Toth Post author

      Hi Abdel,

      thanks for the hint about the encoding.
      Coming to your question about account member provisioning: there is unfortunately no API available yet. I would be more than happy to have such one as well in the future. So cross fingers that development will provide one in the near future.

      Thanks for your feedback!

      Best regards
      Maik

      (0) 
  2. Ashok Kumar M

    Hi Maik,

    This capability is to unassign roles that are provided within an application.
    Are there REST APIs to add/remove member to access HANA cloud platform cockpit?

    Reason I ask is, most customers use an Identity Management system centrally to control users and access from one place. This helps them to provision a new user when they join and also remove access once the user leaves the organization.

    Best Regards,

    Ashok.

    (0) 
    1. Maik Toth Post author

      Hi Ashok,
      due to the fact that the HCP has no own user store, it’s only possible to assign those users to a role / group.
      Assigning Members to the Account like Admin, Developer etc is not possible via the API yet.

      Best Regards
      Maik

      (1) 
  3. Mario Günter

    Edit: Has been reviewed by SAP in the meantime. Works now again. Thanks!


    Hi Maik,

    I try to figure out how to assign roles to a specific group; my request body looks like:

    (as described here)

    {
       "roles" : [
          {
             "name":"ROLE_A",
             "applicationName":"JAVAAPPNAME",
             "providerAccount":"PROVIDERACC"
          },
          {
             "name":"ROLE_B",
             "applicationName":"JAVAAPPNAME",
             "providerAccount":"PROVIDERACC"
          }
       ]
    }

    Headers:

    Authorization: Bearer xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    Content-Type:application/json


    PUT: https://api.hana.ondemand.com/authorization/v1/accounts/SUBACCOUNTID/groups/roles?groupName=testgrp


    The GET is working just fine and displays some roles from SUBACCOUNTID already assigned to “testgrp”. But if I do a PUT with new (existing roles) I get 415 Unsupported Media Type.

    Can you please give any advice on how to solve it?

    Best Regards,

    Mario


    (1) 
