
User Provisioning APIs for SAP IBP

Recently I have been working on a client requirement where users need to be provisioned in SAP IBP from an Identity and Access Management (IAM) system (for example, IdM). SAP IBP user provisioning can be done via the standard SOAP or OData APIs, which need to be enabled before making an API call.

The complete process can be automated by using a middleware (for example, SAP CPI) to receive the request from IAM and call the IBP APIs in sequence for user provisioning. We will use the Postman client to make the IBP API calls.

The scope of this document covers the following scenarios:

  • Creation of Employee and User profile
  • User roles assignment in replace mode
  • User lock
  • Query business user
  • Permission filter creation
  • Permission filter to user assignment
  • Permission filter to user assignment deletion
  • Extract existing users, roles and permission filters

To consume the SAP IBP APIs, a communication system, communication user and communication arrangement must first be set up so that incoming requests can be authenticated and authorized.

Prerequisite: The logged-in user must have the administrator role in IBP to perform the steps below.

Let’s go step by step through how to create the communication system.

Communication System

  1. IBP home screen –> search for communication system tile
  2. Create a new communication system as shown in Figure 1

Hostname: Enter the hostname for the consumer system

Figure 1

Now, create a new communication user for the inbound communication as shown in Figure 2.

Figure 2

The authentication type can be basic authentication (plain username and password) or certificate-based communication (SSL client certificates).

Figure 3

Note: Save the userId and password, as they will be used later for all API calls.

Communication system and user setup are completed as shown in Figure 4.

Figure 4

 

Communication Arrangements

IBP home screen –> search for the communication arrangements tile and create a new arrangement.

Figure 5

Now, select the relevant communication scenario that needs to be used (Figure 6): “SAP_COM_0069” – Permission Filter Integration and “SAP_COM_0093” – Identity Management Integration.

Figure 6

Figure 7

Provide a relevant name for the communication arrangement (Figure 7) and assign the communication system and user created earlier, as shown in Figure 8.

Figure 8

Repeat the same steps to create an arrangement for SAP_COM_0093. The final communication arrangements should look as shown in Figure 9.

Figure 9

Note down the service URLs for both communication arrangements.

Once the initial communication setup is done, the IBP APIs are ready to be consumed. Let’s start making SOAP and OData calls to the IBP APIs using the ‘API_User’ userId and password.

 

Employee and User profile creation: In case of a new hire or creating a new record for a user in SAP IBP, this service can be used with mandatory parameters passed in the request.

URL: https://{IBP-TenantId}-api.scmibp.ondemand.com/sap/bc/srt/scs_ext/sap/managebusinessuserin

Headers: Authorization: Basic {Base64 encoded{UserId:Password}}, Content-Type: text/xml

Figure 11

Figure 12

actionCode: ‘01’ for new employee record creation. The following values can be used as per the requirement: ‘01’ – Create | ‘02’ – Update

BusinessPartnerRoleCode: Only business partner role code ‘BUP003’ (Employee) is supported

 

User roles assignment: Once the employee and user record are created, the next step is to provision the user with proper authorization by assigning the business roles.

URL: https://{IBP-TenantId}-api.scmibp.ondemand.com/sap/bc/srt/scs_ext/sap/managebusinessuserin

Headers: Authorization: Basic {Base64 encoded{UserId:Password}}, Content-Type: text/xml

Figure 13

actionCode: ‘02’ for updating the employee record with the user role assignment

roleListCompleteTransmissionIndicator – ‘true’ (this replaces all the existing roles and assigns the new roles if provided in the request)

RoleName – Name of the role to be assigned (multiple entries in case multiple roles are to be assigned)

 

User Lock: This scenario covers locking the user record in case the user no longer requires access to the IBP application.

URL: https://{IBP-TenantId}-api.scmibp.ondemand.com/sap/bc/srt/scs_ext/sap/managebusinessuserin

Headers: Authorization: Basic {Base64 encoded{UserId:Password}}, Content-Type: text/xml

Figure 14

PersonExternalID – Person to be locked

LockedIndicator – ‘X’ to lock the user; keep it blank to unlock

roleListCompleteTransmissionIndicator – ‘true’ (this replaces all the existing roles and assigns the new roles if provided in the request)

 

Query Business Users: A complete list of users with their assigned roles can be retrieved with the query business users call below.

URL: https://{IBP-TenantId}-api.scmibp.ondemand.com/sap/bc/srt/scs_ext/sap/querybusinessuserin

Headers: Authorization: Basic {Base64 encoded{UserId:Password}}, Content-Type: text/xml

Figure 15

 

Permission Filter creation: Permission filters define the set of data the user can view and work with. As per the API documentation, a permission filter is also known as a visibility filter. To create a permission filter called “TEST_PF” (assuming one does not already exist), the payload must include the three attributes in JSON format.

Note: For HTTP POST/PUT/DELETE operations, x-csrf-token is mandatory and can be fetched with an HTTP GET as shown below.

Figure 16

Copy the CSRF token and use it in the HTTP POST as below.

URL: https://{IBP-TenantId}-api.scmibp.ondemand.com/sap/opu/odata/IBP/VISIBILITY_FILTER_SRV/VisibilityFilters('TEST_PF')

Headers: Authorization: Basic {Base64 encoded{UserId:Password}} and x-csrf-token: {token}

Figure 17

 

Permission filter to User Assignment: Once the permission filter is created, a user or user group can be assigned to that permission filter.

URL: https://{IBP-TenantId}-api.scmibp.ondemand.com/sap/opu/odata/IBP/VISIBILITY_FILTER_SRV/UserAssignments

Headers: Authorization: Basic {Base64 encoded{UserId:Password}} and x-csrf-token: {token}

Figure 18

Note: The UserId in the assignment is the IBP internal user ID code, not the username. To get these values, refer to the extract users call.

 

Permission filter to user assignment deletion: To delete a user assignment for a permission filter, an HTTP DELETE operation is required with a valid x-csrf-token.

URL: https://{IBP-TenantId}-api.scmibp.ondemand.com/sap/opu/odata/IBP/VISIBILITY_FILTER_SRV/UserAssignments(VisibilityFilterID='TEST_PF',UserId='CB123456789')

Headers: Authorization: Basic {Base64 encoded{UserId:Password}} and x-csrf-token: {token}

URL Parameters: UserId – IBP internal user code, which can be fetched from the extract users call; VisibilityFilterID – permission filter ID, which can be fetched from the extract permission filters call

Figure 19
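The token fetch and the assignment and deletion calls described above, as an added Python example that is not part of the original article. It assumes the token is requested with a GET on the service root carrying `x-csrf-token: Fetch` (the usual SAP Gateway convention) and that the POST body carries the two key fields named in the DELETE URL; the helper names are hypothetical.

```python
import base64
import json
import urllib.parse
import urllib.request

def basic_auth(user, password):
    """Value for the Authorization header: 'Basic ' + base64(user:password)."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def new_session():
    """Opener with a cookie jar: the token is only valid with its session cookies."""
    return urllib.request.build_opener(urllib.request.HTTPCookieProcessor())

def odata_key(value):
    """Quote a string key so an ID supplied by the IAM system cannot alter the URL."""
    return "'" + urllib.parse.quote(value.replace("'", "''"), safe="") + "'"

def fetch_csrf_token(opener, root, auth):
    """GET with 'x-csrf-token: Fetch' (assumed target: the service root)."""
    req = urllib.request.Request(root + "/", method="GET",
                                 headers={"Authorization": auth, "x-csrf-token": "Fetch"})
    with opener.open(req) as resp:
        token = resp.headers.get("x-csrf-token")
    if not token or token.lower() == "required":
        raise RuntimeError("server did not return a CSRF token")
    return token

def change_assignment(opener, root, auth, filter_id, user_id, delete=False):
    """Create (POST) or delete (DELETE) one permission-filter-to-user assignment."""
    headers = {"Authorization": auth, "Accept": "application/json",
               "x-csrf-token": fetch_csrf_token(opener, root, auth)}
    if delete:
        url = (f"{root}/UserAssignments(VisibilityFilterID={odata_key(filter_id)},"
               f"UserId={odata_key(user_id)})")
        req = urllib.request.Request(url, method="DELETE", headers=headers)
    else:
        # Assumed body: the two key fields named in the page's DELETE URL.
        body = json.dumps({"VisibilityFilterID": filter_id, "UserId": user_id})
        headers["Content-Type"] = "application/json"
        req = urllib.request.Request(root + "/UserAssignments", data=body.encode("utf-8"),
                                     method="POST", headers=headers)
    with opener.open(req) as resp:
        return resp.status
```

Pass `new_session()` as the opener so the cookies set during the token fetch are returned on the write request, and read the communication user's password from a secret store or environment variable rather than from the script.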

 

Extract Users, Business Roles, and Permission filters: The below API calls can be useful when there is a need to extract the existing users, business roles and permission filters.

Extract Users

URL: https://{IBP-TenantId}-api.scmibp.ondemand.com/sap/opu/odata/IBP/VISIBILITY_FILTER_SRV/Users?

Headers: Authorization: Basic {Base64 encoded{UserId:Password}}

Figure 20

Extract permission filters

URL: https://{IBP-TenantId}-api.scmibp.ondemand.com/sap/opu/odata/IBP/VISIBILITY_FILTER_SRV/VisibilityFilters?

Headers: Authorization: Basic {Base64 encoded{UserId:Password}}

Figure 21

Extract business roles

URL: https://{IBP-TenantId}-api.scmibp.ondemand.com/sap/opu/odata/IBP/VISIBILITY_FILTER_SRV/BusinessRoles?

Headers: Authorization: Basic {Base64 encoded{UserId:Password}}

 

References:

Manage business user: https://help.sap.com/viewer/c154a4d95870416ea0af012a6ddae2d8/1902.500/en-US/640fb5fa26664a7486de073b1882405c.html

Permission filter: https://help.sap.com/viewer/da797ae2bf6246d58abd417f24915d55/1808/en-US/8458185263a34de884e0edf1e1973f64.html

Note: All the above content is based on personal learning from SAP help and SAP official documentation. Comments and suggestions are always welcome. Happy Integrating!
