Skip to Content
Technical Articles

Cloud Integration (CPI) – Authorization Management using API’s

SAP Cloud Platform Integration (CPI) is one of the SAP Cloud Platform (SCP) Services. SCP administrators ideally manage CPI – Authorization groups, roles and their assignments to users through SCP Cockpit over web browser.

There is another smart way of performing Authorization Management using SAP Cloud Platform API’s.

Usage of SCP – Authorization Management REST API’s are not limited to CPI Service but can be extended to other Subscriptions/Services under SCP Sub-accounts. These API’s can be used in cases where User Assignment needs to happen in a controlled manner to enforce security policies, audit and compliance from SAP GRC or other User Management & governance products. User Management REST API’s are available in SAP Cloud Platform API Documentation but not listed (as of now) on SAP API Business Hub.

Let’s get into action and perform authorization management on CPI using REST API’s.

Manage Authorizations from SCP Cockpit – Web UI:

SCP > Sub-account > ‘Security’ > ‘Authorizations’ > ‘Groups’ > ‘New Group’ + Assign ‘Roles’/’Users’

Manage Authorizations from SCP – Authorization Management API’s:

Prerequisites:

Access to SCP Cockpit with Developer/Administrator role to create OAuth – Platform API Client.

SCP > Sub-account > ‘Members’ > ‘Add Members’

Authorization Management API – Operations:

  • Groups – Manage groups and their assignments to users and roles within the specified account.
  • Roles – Manage roles and their assignments to users and groups in the specified account and application
  • Users – Manage role and group assignments to the specified user.

Procedure:

Step 1: Create OAuth Platform API Client Credentials –  To invoke API’s on SCP, OAuth client credentials are required. Client Credentials are specific to SCP Sub-account.

Step 2: Invoke Authorization Management REST API’s – Use the Bearer token retrieved from step 1 response and execute the REST method (GET/PUT/POST/DELETE) with respective API operation.

Execute the scenario:

Step 1: Create OAuth Platform API Client Credentials

SAP Cloud Platform API’s are protected by OAuth 2.0 with grant type – Client Credentials. Follow the below steps to create Platform API Client on SAP Cloud Platform.

SCP > Sub-account > ‘Security’ > ‘OAuth’ > ‘Platform API‘ tab > ‘Create API Client’

Give meaningful description to the API Client and select the scope of API’s for which this the OAuth Client credentials to be used. For this exercise, let’s select the checkbox ‘Authorization Management’ and click on save. This generates OAuth Client Credentials for consuming Platform API’s as in the below snapshot. Note the Client ID & Client Secret. These will serve like User ID & Password to get OAuth token.

Now it’s time to call the OAuth endpoint for platform API’s and get the token which is valid only for 25 minutes. Let’s use postman tool to explore the OAuth Token.

SCP Token Endpoint: https://api.{landscapeHost}/oauth2/apitoken/v1

{landscapeHost} – this is tagged to the region on which SCP is hosted for your account.

For this example, the CPI tenant is running on us2 region (https://lxxxx-tmn.hci.us2.hana.ondemand.com/itspaces/). Accordingly built the below OAuth Token endpoint URL.

Token endpoint URL: https://api.us2.hana.ondemand.com/oauth2/apitoken/v1?grant_type=client_credentials

Select ‘Basic Auth’ as the Authorization type and pass the OAuth Client Credentials generated earlier as below and execute the OAuth Endpoint URL with POST method.

The response has the Bearer token. We will use this token to execute the Authorization management API’s.

Step 2: Invoke Authorization Management REST API’s

API URL extensions vary for each API operation. Refer to detailed API documentation on Authorization Management API’s. In this exercise, let’s execute some of the operations and know how to interpret API Documentation & execute REST API calls.

API Endpoint URL : https://api.{landscapeHost}/authorization/v1

Examples:

# Get Groups – To retrieve all the existing groups created, use the below API endpoint extension ‘/accounts/{accountName}/groups’.

Get the accountName of the respective SCP Sub-account under which the CPI tenant linked to & the OAuth client credentials created under.

Resolves into: https://api.us2.hana.ondemand.com/authorization/v1/accounts/test00500/groups

Pass the Bearer token generated in step 1 and execute GET method as below.

# Get Users – To retrieve users under each group, use the below API endpoint extension ‘/accounts/{accountName}/groups/users’.

Resolves into: https://api.us2.hana.ondemand.com/authorization/v1/accounts/test00500/groups/users?groupName=ZGRP_ServiceAccounts

Pass the Bearer token generated in step 1 and execute GET method as below.

# Get Roles – To retrieve Roles assigned to each group, use the below API endpoint extension ‘/accounts/{accountName}/groups/roles’.

Resolves into: https://api.us2.hana.ondemand.com/authorization/v1/accounts/test00500/groups/roles?groupName=ZGRP_Administrators

Pass the Bearer token generated in step 1 and execute GET method as below.

# Add Users – Add users to a particular existing group, use the below API endpoint extension ‘/accounts/{accountName}/groups/users’.

Resolves into: https://api.us2.hana.ondemand.com/authorization/v1/accounts/test00500/groups/users?groupName=ZGRP_ServiceAccounts

Pass the Bearer token generated in step 1 and execute PUT method as below.

This REST operation added the S-User and can be validated from SCP Cockpit Web UI (shown under the section – ‘Manage Authorizations from SCP Cockpit – Web UI’).

With this, we know how to interpret the API documentation and execute Authorization Management REST API calls – PUT/GET.

In similar way, other API Operations and the respective methods can be executed by following the Authorization Management API documentation.

With this understanding, we can create integration flows in CPI to manage Authorization groups, roles and users using HTTP adapter to work with these REST Operations. Such i-flows can be consumed by SAP GRC/User Management tools in a controlled manner.

Enjoy exploring API’s!

1 Comment
You must be Logged on to comment or reply to a post.
  • Hi Sandeep,

    Thanks for the detailed blog. I want to do same kind of configuration with Cloud Foundry sub-account and use the Authorization Management REST APIs to manage user roles/groups for the application deployed in CF sub-account. But i could not found the OAuth settings in CF sub-account. Is there any way to use the same Authorization Management REST APIs with CF sub-account. I am using Identity Authentication Service as Idp and want to assign role to the user in CF sub-account. User is created in Idp and Role is created for the application in CF sub-account.

     

    Thanks,

    Ravindra