Skip to Content
Product Information
Author's profile photo Meghna Shishodiya

Creating a Technical User for Cloud Platform Integration

Moderator’s note:

“SAP strongly recommends to not use P-users in any productive integration scenarios. Instead we recommend using client certificate or Oauth authentication for such scenarios.”

 

Purpose of a technical user: Many times, you have several people working in the integration work space, but not all have an individual S-user assigned to them. Also sometimes, during an error, we need several parties to look at the problem and it is immensely cumbersome to assign access to each user on a need basis. There are cases, where you had to share your user password due to time constraints.

All the above problems can be addressed with the help of a technical user. A technical user is a generic user who you can assign the required roles and share with all the intended parties.

Steps to create a technical user:

Even though they are no technical users by definition, we will use an SAP P-user as technical user for our purpose. It can be created as follows:

  1. Go to blogs.sap.com in an incognito mode so you do not get logged in automatically. Click on Log On. Choose Register in the pop-up window:
  2. Enter all the required information on the register screen. The activation link shall be sent to the email address provided by you on this screen, so enter a valid email address:
  3. You will receive the following email for activating the new user:
  4. Click on the activation link – once activated, your registration is complete. You shall be directed to the following page:
  5. Click on Go to Account Settings to get your user details:
  6. Now go to your SAP Cloud Platform Accounts cockpit, choose the sub-account of your Cloud Platform Integration tenant and click on Members:
  7. Add the P-user that you picked in step 5, assign all the required roles and add a relevant description for future reference:
  8. The user is successfully added to your Cloud Platform’s sub-account:
  9. Go to Security –> Authorizations –> Users. Enter the P-user you just added and click on Assign. Now choose all the roles you want to assign to this technical user:
  10. The technical user is ready to use.

Assigned Tags

      26 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Thomas Berger
      Thomas Berger

      Hello, thanks for the documentation - but this P-User must change the password every 90 days -  for a technical user this is not practicable?!

      bg Thomas

      Author's profile photo Adrian Torres
      Adrian Torres

      Hi Thomas,

      It seems to me you are talking about a Service User, and this blog is about a technical user.

      Kind regards.

       

       

      Author's profile photo Ching Hong Chong
      Ching Hong Chong

      Hi, would like to check whether the P-user ID password expire? If yes, can we disable this? thanks

      Author's profile photo Zlatan Cehajic
      Zlatan Cehajic

      HI, on SAP Cloud trial account there is no 'member' tab ? Am I right ? Or could you please guide to me ?

      Author's profile photo France Masemo
      France Masemo

      Hi. I have been looking for that option too. First, I need to find where's SAP Cloud Platform Accounts cockpit located. Help!

      Author's profile photo Mounica Narava
      Mounica Narava

      Hi, On SAP Cloud trail account, I am not able to find the member tab. Can someone here please help me?

      Author's profile photo Manoj K
      Manoj K

      I don't think Members tab is available for trail account , i did cross check with my licensed tenant and i can see the same tab there.

      Author's profile photo Mounica Narava
      Mounica Narava

      Thank you so much Manoj for the information.

      Author's profile photo Ella Maria
      Ella Maria

      Thank you for sharing this data. Really increase in value the way you have describe everything in this article. Keep up the decent work

      Author's profile photo Philip Michels
      Philip Michels

      This did not work in our testing for a person that already has an S-User tied to the e-mail address.  We wanted to create and use a P-User as a technical user, but when we try to follow your steps for a person that already has an S-User, when we fill out the form we get an error that the e-mail address is already tied to another account.  How can you get a P-User for technical usage when you already have a S-User?

      Author's profile photo Jens Schwendemann
      Jens Schwendemann

      Not possible. Need a new (previously unused) email address for that. We circumvented using aliases so one common email address, say sap-it@example.com is main and sap-it-cpi-user1@example.com is alias.

      Better still to use certificates or own identity service, if applicable, see https://blogs.sap.com/2019/08/09/technical-user-cpi-with-custom-ias/

      Author's profile photo Antonio Voce
      Antonio Voce

      HI ,

       

      But the certificate is created with the s-user? Right?  according to the note 3069065 which refers you to the
      witepaper https://wiki.scn.sap.com/wiki/x/qQGJIg where there is a guide that says that to generate the certificate you must still use an S-USER:
      so the certificate is associated to the S-USER used to generate it.

       

      Or there is a chance to generate certificate not associated to an S-USER?

       

      TKS

       

       

      Author's profile photo Devendra Patil
      Devendra Patil

      Hi,

      I am not getting SAP Cloud Platform Accounts cockpit. Tab Could you please help me in this

      Thanks,

      Author's profile photo Pablo Lopez
      Pablo Lopez

      Hi,

      I was able to send messages to my CPI instance, even without registering the user as a member or as part of the Users under BTP Cockpit. I simply registered a user under the SAP Identity Service as suggested in this blog.

      Does everyone else get the same? Seems to be a big security risk.

      Thanks.

      Author's profile photo Axel Albrecht
      Axel Albrecht

      Hi Pablo,

      without the esb.messaging role you should not be able to execute any integration scenario. So without any role assignment I doubt that your calls are successful. If they are, kindly open a ticket.

      thx,
      Axel

      Author's profile photo Pablo Lopez
      Pablo Lopez

      Hi,

      I've tried this a few times. Deleting the user from BTP and sending a request with the that user. I also tried this with an Identity User that was never registered in my BTP. In both cases the requests are reaching the tenant.

      Regards.

      Author's profile photo Jon Prow
      Jon Prow

      Hi Pablo,

       

      Would you try deleting cookies in postman then confirming if they are successful? 🙂

       

      Thanks.

      Author's profile photo Joachim Herud
      Joachim Herud

      We have implemented an CPI integration scenario in 2019 with a P-User in our HR-System. Now we can't find the password, furthermore we don't find any traces from the P-User in the CPI administration console.
      Where can we find the P-User in the cloud and do changes?
      How do we get the password?

      Thanks

      Joachim

      Author's profile photo Axel Albrecht
      Axel Albrecht

      Hi Joachim,

      try opening a ticket on the SAP ID service. Or write a mail from the mail account that you were using for that p-user to sso @ sap.com.

      regards,
      Axel

      Author's profile photo Philomena steffy
      Philomena steffy

      Hi All,

      Under Security I cannot see OAuth option,

      Author's profile photo Axel Albrecht
      Axel Albrecht

      The screenshots are a bit outdated...

      Author's profile photo Antonio Voce
      Antonio Voce

      Hi

      S-USER , as requested by SAP , must be converted in SAP Universal ID , so the logon to OSS is in Single sign on with email address of the owner of the S-USER.

      My question is : if i use this S-USER also for SAP CPI integration ( call to web service and so on ) , the chagen in SAP universal ID management for this S-USER is impacted for SAP CPI integration? Can I continue to use S-USER converted to SAP Universal ID management , for integrazion purpose? Does SAP CPI integration continue to accept the old S-USER password or not? I dont think that integration can manage SSO with SAP UNIVERSAL ID ACCOUNT....

      Anyone who already done this can explain me?

      regards

      Author's profile photo Philippe Addor
      Philippe Addor

      Hi Antonio,

      I have the same question/problem. Login with basic auth (e.g. from Postman) doesn't work for me anymore after migrating to Universal ID :-(. So I resorted to Oauth 2.0. By the way, to do it in the standard way with Postman's Oauth 2.0 auth, see my comment on this blog which explains how to set-up the Oauth 2.0 client: https://blogs.sap.com/2018/03/12/part-1-secure-connectivity-oauth-to-sap-cloud-platform-integration/comment-page-1/#comment-618522

      Philippe

      Author's profile photo Ludwig Hofmann
      Ludwig Hofmann

      Hello,
      just to ask, isn't it possible to use manually created users in IAS to be used as "technical" users or System-users? These users are not in our AD but can easily be created and maintained in IAS.
      What else is required? Of course a IAS tennant should be trusted with hte CPI subaccount.
      but still I failed to use these users for CPI integration.

      thanks for sharing your experience...

      Ludwig

      Author's profile photo Desislava Petkova
      Desislava Petkova

      Hello Ludwig,

      Please refer to KBA https://launchpad.support.sap.com/#/notes/2801551

       

      Best regards,

      Desislava

      Author's profile photo Antonio Voce
      Antonio Voce

      Hi,

      CPI only supports S-USER or P-USER for integrations -> see note Title: Creating a Technical User for Cloud Platform Integration
      Link: https://launchpad.support.sap.com/#/notes/2792641

      According to the new SAP guidelines https://support.sap.com/en/my-support/users/email-guidelines.html shared email addresses cannot be used and each S-USER must be associated with 1 person

      Again according to note 2792641, HCI does not support the use of technical users that you can define in the "user management" in OSS (BAD!)

      Again each S-user must be linked to a SAP universal ID.

      Furthermore, the use of a P-USER in production is not recommended

      It is recommended, again from the blog referred to in note 2792641 (this blog), the use of a certificate but:
      As for the use of the certificate, the only documentation I found says that the certificate must still be created by tying it to the S-USER; according to the note 3069065 which refers you to the
      witepaper https://wiki.scn.sap.com/wiki/x/qQGJIg where there is a guide that says that to generate the certificate you must still use an S-USER:
      SO Again the certificate is associated to the S-USER used to generate it.

      But beacuse the S-USER is personal as per SAP policy, in fact the CPI does not allow the use of REAL AND OWN INTEGRATION TECHNICAL USERS. And the use of the certificate linked to an S-USER that is linked to a physical person
      would not solve hence the problem of depersonalization of the integration as a phisical person.

      Why does SCP not allow the use of technhnical users? for me this is a serious shortcoming on SAP's part.

      An integration user should not be linked to a natural person, but as things stand you are obliged to link an SCP integration to a natural person and this is not correct !!

      Please advise me if i'm wrong and what is the best choice, and if SAP think to solve this BIG bug.

      regards