Creating a Technical User for Cloud Platform Integration
Moderator’s note:
“SAP strongly recommends to not use P-users in any productive integration scenarios. Instead we recommend using client certificate or OAuth authentication for such scenarios.”
Purpose of a technical user: Often several people work in the integration workspace, but not all of them have an individual S-user assigned. Also, when an error occurs, several parties may need to look at the problem, and it is immensely cumbersome to assign access to each user on an as-needed basis. There are cases where you have had to share your own user password due to time constraints.
All of the above problems can be addressed with the help of a technical user. A technical user is a generic user to which you can assign the required roles and which you can share with all the intended parties.
Steps to create a technical user:
Even though P-users are not technical users by definition, we will use an SAP P-user as a technical user for our purpose. It can be created as follows:
1. Go to blogs.sap.com in an incognito window so that you do not get logged in automatically. Click on Log On, then choose Register in the pop-up window.
2. Enter all the required information on the registration screen. The activation link will be sent to the email address you provide on this screen, so enter a valid email address.
3. You will receive an email for activating the new user.
4. Click on the activation link. Once activated, your registration is complete and you are directed to the next page.
5. Click on Go to Account Settings to get your user details.
6. Now go to your SAP Cloud Platform Accounts cockpit, choose the sub-account of your Cloud Platform Integration tenant and click on Members.
7. Add the P-user that you picked in step 5, assign all the required roles and add a relevant description for future reference.
8. The user is successfully added to your Cloud Platform sub-account.
9. Go to Security → Authorizations → Users. Enter the P-user you just added and click on Assign. Now choose all the roles you want to assign to this technical user.
10. The technical user is ready to use.
Hello, thanks for the documentation - but this P-User must change the password every 90 days - for a technical user this is not practicable?!
bg Thomas
Hi Thomas,
It seems to me you are talking about a Service User, and this blog is about a technical user.
Kind regards.
Hi, I would like to check whether the P-user ID password expires. If yes, can we disable this? Thanks
Hi, on the SAP Cloud trial account there is no 'member' tab? Am I right? Or could you please guide me?
Hi. I have been looking for that option too. First, I need to find where's SAP Cloud Platform Accounts cockpit located. Help!
Hi, on the SAP Cloud trial account, I am not able to find the member tab. Can someone here please help me?
I don't think the Members tab is available for a trial account. I did cross-check with my licensed tenant and I can see the same tab there.
Thank you so much Manoj for the information.
Thank you for sharing this data. Really increase in value the way you have described everything in this article. Keep up the decent work.
This did not work in our testing for a person that already has an S-User tied to the e-mail address. We wanted to create and use a P-User as a technical user, but when we try to follow your steps for a person that already has an S-User, when we fill out the form we get an error that the e-mail address is already tied to another account. How can you get a P-User for technical usage when you already have an S-User?
Not possible. Need a new (previously unused) email address for that. We circumvented using aliases so one common email address, say sap-it@example.com is main and sap-it-cpi-user1@example.com is alias.
Better still to use certificates or own identity service, if applicable, see https://blogs.sap.com/2019/08/09/technical-user-cpi-with-custom-ias/
Hi,
But the certificate is created with the S-user, right? According to note 3069065, which refers you to the whitepaper https://wiki.scn.sap.com/wiki/x/qQGJIg, where there is a guide that says that to generate the certificate you must still use an S-USER,
so the certificate is associated with the S-USER used to generate it.
Or is there a chance to generate a certificate not associated with an S-USER?
TKS
Hi,
I am not getting the SAP Cloud Platform Accounts cockpit tab. Could you please help me with this?
Thanks,
Hi,
I was able to send messages to my CPI instance, even without registering the user as a member or as part of the Users under BTP Cockpit. I simply registered a user under the SAP Identity Service as suggested in this blog.
Does everyone else get the same? Seems to be a big security risk.
Thanks.
Hi Pablo,
without the esb.messaging role you should not be able to execute any integration scenario. So without any role assignment I doubt that your calls are successful. If they are, kindly open a ticket.
thx,
Axel
Hi,
I've tried this a few times: deleting the user from BTP and sending a request with that user. I also tried this with an Identity User that was never registered in my BTP. In both cases the requests are reaching the tenant.
Regards.
Hi Pablo,
Would you try deleting cookies in Postman and then confirming whether they are successful? 🙂
Thanks.
We implemented a CPI integration scenario in 2019 with a P-User in our HR system. Now we can't find the password; furthermore, we don't find any traces of the P-User in the CPI administration console.
Where can we find the P-User in the cloud and do changes?
How do we get the password?
Thanks
Joachim
Hi Joachim,
try opening a ticket on the SAP ID service. Or write a mail from the mail account that you were using for that p-user to sso @ sap.com.
regards,
Axel
Hi All,
Under Security I cannot see OAuth option,
The screenshots are a bit outdated...
Hi
The S-USER, as requested by SAP, must be converted to an SAP Universal ID, so the logon to OSS is single sign-on with the email address of the owner of the S-USER.
My question is: if I use this S-USER also for SAP CPI integration (calls to web services and so on), is the SAP CPI integration impacted by the change to SAP Universal ID management for this S-USER? Can I continue to use an S-USER converted to SAP Universal ID management for integration purposes? Does SAP CPI integration continue to accept the old S-USER password or not? I don't think that integration can manage SSO with an SAP Universal ID account....
Can anyone who has already done this explain it to me?
regards
Hi Antonio,
I have the same question/problem. Login with basic auth (e.g. from Postman) doesn't work for me anymore after migrating to Universal ID :-(. So I resorted to OAuth 2.0. By the way, to do it in the standard way with Postman's OAuth 2.0 auth, see my comment on this blog which explains how to set up the OAuth 2.0 client: https://blogs.sap.com/2018/03/12/part-1-secure-connectivity-oauth-to-sap-cloud-platform-integration/comment-page-1/#comment-618522
Philippe
Hello,
just to ask, isn't it possible to use manually created users in IAS as "technical" users or system users? These users are not in our AD but can easily be created and maintained in IAS.
What else is required? Of course an IAS tenant should be trusted with the CPI subaccount.
But still I failed to use these users for CPI integration.
thanks for sharing your experience...
Ludwig
Hello Ludwig,
Please refer to KBA https://launchpad.support.sap.com/#/notes/2801551
Best regards,
Desislava
Hi,
CPI only supports S-USER or P-USER for integrations -> see note Title: Creating a Technical User for Cloud Platform Integration
Link: https://launchpad.support.sap.com/#/notes/2792641
According to the new SAP guidelines https://support.sap.com/en/my-support/users/email-guidelines.html shared email addresses cannot be used and each S-USER must be associated with 1 person
Again according to note 2792641, HCI does not support the use of technical users that you can define in the "user management" in OSS (BAD!)
Again each S-user must be linked to a SAP universal ID.
Furthermore, the use of a P-USER in production is not recommended
It is recommended, again from the blog referred to in note 2792641 (this blog), the use of a certificate but:
As for the use of the certificate, the only documentation I found says that the certificate must still be created by tying it to the S-USER; according to note 3069065, which refers you to the whitepaper https://wiki.scn.sap.com/wiki/x/qQGJIg, where there is a guide that says that to generate the certificate you must still use an S-USER.
So again the certificate is associated with the S-USER used to generate it.
But because the S-USER is personal as per SAP policy, in fact the CPI does not allow the use of REAL AND OWN INTEGRATION TECHNICAL USERS. And the use of the certificate linked to an S-USER that is linked to a physical person would hence not solve the problem of depersonalization of the integration as a physical person.
Why does SCP not allow the use of technical users? For me this is a serious shortcoming on SAP's part.
An integration user should not be linked to a natural person, but as things stand you are obliged to link an SCP integration to a natural person and this is not correct !!
Please advise me if I'm wrong and what is the best choice, and if SAP thinks to solve this BIG bug.
regards