Author: Aman Gupta

User and Team provisioning APIs for SAP Analytics Cloud

Hi guys,

This blog covers a client requirement where users need to be created and provisioned in SAP Analytics Cloud (SAC) from an Identity and Access Management (IAM) system (for example IdM). SAC user provisioning can be done via the standard SAC REST APIs, which need to be enabled before making an API call.

The complete process can be automated by using a middleware (for example SAP CPI) to receive the request from IAM and call the SAC APIs in sequence for user creation and provisioning. We will use the Postman client to make the API calls.

The scope of this document covers the below scenarios

  • User creation
  • User update
  • User delete
  • Teams creation
  • Teams update
  • Users and teams extraction

In order to consume the SAC APIs, an application client first needs to be created to authenticate and authorize the incoming requests.

Let’s start with the creation of an application. Go to System -> Administrator -> app integration

Note: The logged-in user should have a proper admin role to perform the steps below.

Create a new OAuth client

  1. Enter some meaningful name for the app user
  2. OAuth client id name (will be visible in the API logs)
  3. Select “API access” from the drop-down
  4. Access scope will be “User provisioning”
  5. Enter the secret, which will be used for the authentication
  6. Lifetime for the secret expiry
  7. Lifetime for the access token generated by OAuth server

After specifying all details, click Add (note down the OAuth client ID and secret).

Note down the Token URL as this will be used to make the first call and obtain the access token. Now, we are all set to do the API calls.

 

Test Case 1: User Creation

  • Request access token
  • Fetch CSRF token
  • Create a user with optional parameters

Perform the below steps in sequence

Request Access Token

  1. This must be done via the tenant Token URL.
  2. The OAuth Client ID and Secret must be provided as part of the request

If OAuth authorization is successful, the returned token can be used to access the API

 

Fetch CSRF token

POST, PUT, and DELETE requests to the API can be made only after getting a valid CSRF token. To get the CSRF token, do a GET request to one of the SAC APIs (/Users or /Groups).

URL: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Groups  OR

URL: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Users

Tip: HEAD operation can be used to avoid response payload.

 

Create a user

Users in SAC can be created with or without optional parameters as below.

POST: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Users

Header section:

x-sap-sac-custom-auth = true

x-csrf-token = <<x-csrf-token from step 2>>

Content-Type = application/json

Authorization = Bearer <<Access Token from step 1>>

Body section:

username: a unique name for the user

emails: unique primary email id for the user

roles: multiple roles can be assigned by adding multiple role names in the request

isConcurrent: manage the concurrent license type

managerId: user id should exist in the system before assigning it as a manager

Note: userName and email must be unique while creating a new user in SAC.

Response: If a user creation call is successful, the API response will be “201 Created”

Verify the results in SAC, go to Security/Users.
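
The three steps above (access token, CSRF token, user creation) as one sequence, in Python instead of Postman. This is an added example, not code from the original post; the `client_credentials` grant with HTTP Basic client authentication and the `x-csrf-token: fetch` request value are assumptions not stated above, and the function names are illustrative.

```python
import base64, json, urllib.parse, urllib.request
from http.cookiejar import CookieJar

SCIM_USERS = "/api/v1/scim/Users"

def make_opener():
    # Cookie-aware opener: the session cookies set by the CSRF fetch must be
    # sent again with the POST, otherwise the token is not accepted.
    jar = urllib.request.HTTPCookieProcessor(CookieJar())
    return urllib.request.build_opener(jar)

def token_request(token_url, client_id, secret):
    # Assumption: client-credentials grant, client authenticated via HTTP Basic.
    basic = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
    form = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return urllib.request.Request(token_url, data=form, method="POST",
                                  headers={"Authorization": f"Basic {basic}"})

def api_headers(access_token, csrf):
    # The four headers listed in the "Header section" above.
    return {"x-sap-sac-custom-auth": "true", "x-csrf-token": csrf,
            "Content-Type": "application/json",
            "Authorization": f"Bearer {access_token}"}

def create_user(opener, tenant_url, token_url, client_id, secret, body):
    # Catch a misspelled or missing 'userName' / 'emails' before any request.
    if not body.get("userName") or not body.get("emails"):
        raise ValueError("body needs 'userName' (camel case) and 'emails'")
    with opener.open(token_request(token_url, client_id, secret)) as resp:
        access_token = json.load(resp)["access_token"]       # step 1
    url = tenant_url.rstrip("/") + SCIM_USERS
    # Assumption: sending 'x-csrf-token: fetch' asks the server for a token.
    fetch = urllib.request.Request(                          # step 2
        url, method="HEAD", headers=api_headers(access_token, "fetch"))
    with opener.open(fetch) as resp:
        csrf = resp.headers["x-csrf-token"]
    post = urllib.request.Request(                           # step 3
        url, data=json.dumps(body).encode(), method="POST",
        headers=api_headers(access_token, csrf))
    with opener.open(post) as resp:
        if resp.status != 201:
            raise RuntimeError(f"expected 201 Created, got {resp.status}")
        return resp.status
```

Against a real tenant, pass `make_opener()` as `opener` and read the client secret from a secret store or environment variable rather than from the script.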

 

 

Test Case 2: User update

Perform the below steps in sequence

  • Request access token: As explained earlier
  • Fetch CSRF token: As explained earlier
  • Update a user

Update a user

Note: This call always works in upsert mode. Meaning, existing user information will be overwritten with the new one.

PUT: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Users/AGUPTA

Header section:

x-sap-sac-custom-auth = true

x-csrf-token = <<x-csrf-token>>

Content-Type = application/json

Authorization = Bearer <<Access Token>>

Response: If user update call is successful, the API response will be “200 OK”

Verify the results in SAC, go to Security/Users.

 

 

Test Case 3: User delete

Perform the below steps in sequence

  • Request access token: As explained earlier
  • Fetch CSRF token: As explained earlier
  • Delete a user

Delete a user

Note: The user to be deleted should not be an active manager in SAC

DELETE: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Users/AGUPTA

Header section:

x-sap-sac-custom-auth = true

x-csrf-token = <<x-csrf-token>>

Content-Type = application/json

Authorization = Bearer <<Access Token>>

Response: If user delete call is successful, the API response will be “204 No Content”

 

Test Case 4: Group(teams) creation

Perform the below steps in sequence

  • Request access token: As explained earlier
  • Fetch CSRF token: As explained earlier
  • Create a team

POST: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Groups

Header section:

x-sap-sac-custom-auth = true

x-csrf-token = <<x-csrf-token from step 2>>

Content-Type = application/json

Authorization = Bearer <<Access Token from step 1>>

Body section:

id: a unique name for the group(team)

displayName: display name for the group(team)

roles: multiple roles can be assigned by adding multiple role names in the request

members: multiple members can be assigned by adding multiple member names in the request

Response: If group(teams) creation call is successful, the API response will be “201 Created”

Verify the results in SAC, go to Security/Teams

 

 

Test Case 5: Teams update

Perform the below steps in sequence

  • Request access token: As explained earlier
  • Fetch CSRF token: As explained earlier
  • Update a team

Note: This call always works in upsert mode. Meaning, existing teams information will be overwritten with the new one

PUT: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Groups/Teams1

Header section:

x-sap-sac-custom-auth = true

x-csrf-token = <<x-csrf-token from step 2>>

Content-Type = application/json

Authorization = Bearer <<Access Token from step 1>>

Response: If teams update call is successful, the API response will be “200 OK”

Note: Users added to a team will inherit the roles assigned to that team

 

Test Case 6: User and Group(teams) extraction

Perform the below steps in sequence

  • Request access token: As explained earlier
  • Get call for user or team extraction

Header section:

Authorization = Bearer <<Access Token from step 1>>

Get all SAC users: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Users

Get specific SAC user: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Users/AGUPTA

Get specific SAC user with Filter conditions:

https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Users?filter=username eq "AGUPTA"

Get all SAC teams: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Groups

Get specific SAC team: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Groups/Teams1

 

References: https://help.sap.com/viewer/298f82da4b184d1fb825b7ffe365e94a/release/en-US/b687e9589b834a2db872414b0b8d3a12.html

Note: All the above content is based on personal learning from SAP help and SAP official documentation, comments, and suggestions are always welcome. Happy Integrating! 🙂

      22 Comments

      Markus Ganser

      Hi Aman,

      we found two typos in your post.

      In the lines
      URL: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/vi/scim/Groups
      URL: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/vi/scim/Users

      '.../api/vi/scim...' is wrong, it should read '.../api/v1/scim...'.

      Otherwise a great blog!
      Thanks and best regards
      Markus

      Aman Gupta
      Blog Post Author

      Hello Markus,

      Thanks for pointing out the typos, I have corrected them.

       

      Cheers,

      Aman

      Srilakshmi Suriyanarayanan

      Hello Aman,

      I tried to call the below Get API and got 200 OK response . In the response I can see some <head> <link> and <script> </head> between <html> and </html> . I don't see the list of Teams which are extracted from the server . Am I missing anything in this Get call or please point out on where can that information can be found?

      Get all SAC teams: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Groups

      Is it possible to extract all the teams with user mapping from SAC via API ?

      Also is it possible to extract the roles (with content also) via SAC API ?

      Thanks and Regards

      Sri.

      Javier Omar Contreras Rodriguez

      Hi there Aman,

      Great blog. Very helpful. I have one question though. I have been trying to add and remove group teams to users through the API. I have tried using the method to update users by passing the list of groups I want a user to have and tried using the method to update groups by passing the list of users I want a group to have as members but neither of those methods have worked for me.

      This is the JSON I pass in the request body:

      Update User

      If I request the user details it shows no groups assigned to it.

      Update Group

      If I request the group details it shows no members.

       

      Could you help me, please.

       

      Thank you!

      Aman Gupta
      Blog Post Author

      Hello Javier,

      Update User: /Users API cannot be used for assigning groups to the SAC users. This is confirmed by SAP, https://launchpad.support.sap.com/#/incident/pointer/002075129400002576342019

      Update Group: Please try giving below format, AFAIK username value should be in uppercase.

      {
      "type": "User",
      "value": "DAVIDCABRA",
      "$ref": "/api/v1/scim/Users/DAVIDCABRA"
      }

       

      Thanks,

      Aman

       

      Javier Omar Contreras Rodriguez

      Hello Aman,

      I hope you are doing well.

      I have tried what you suggested but I still can't add users to a group. I am getting the following error "HTTP Status 401 – Unauthorized". I only get this error if I try to update, create and delete a group; if I create, delete or update a user it works fine.

      I followed the steps to create an OAuth client and my configuration is as follows:

      My tenant version is 2019.15. Maybe is a version issue?

      Thank you for the help.

      Aman Gupta
      Blog Post Author

      Hello Javier,

       

      While creating an Oauth client, I hope you have entered the access token lifetime(validity) like 1min/1hour/1day(in your above snapshot it looks missing).

      Also, EDIT operations like POST/PUT/DELETE are CSRF protected, try to get the CSRF token by doing a GET/HEAD call for /Groups API and use the same CSRF token for updating the /Groups.

      SAC tenant version should not be an issue here. :-/

       

      Regards,

      Aman

      Timo Litzbarski

      Hi Javier,

      we had the same problem, in our case we had to accept cookies from the csrf fetch request and reuse them for the update API call.

      Regards,
      Timo

      Julio Alvarez

      Hi, is it possible to reset and unblock a user from this API? Regards.

      Aman Gupta
      Blog Post Author

      Hi Julio,

      AFAIK, the SAC API does not support lock/unlock or activate/deactivate of users; the only possibility I see is to delete the user and then re-create it.

      If the requirement is to reset the user roles, then it is possible using PUT operation on /users API.

       

      Thanks,

      Aman

      Ravi Paul

      Hi Aman,

      Can we use REST API to create users in SAP ABAP NW Gateway System leveraging webgui?

      Probably I'm sounding dumb, but just popped up.

       

      -RP

      Jeroen MARIJNISSEN

      When I follow the steps above, I always get the following error when requesting all users

       

      I was able to request access token using client credentials

      {
          "status": 500,
          "message": "Error executing the user/group operation."
      }
      Can there be something that I have forgotten? I haven't added a trusted identity provider
      Aman Gupta
      Blog Post Author

      Which SAC API URL are you trying to hit? Please share the snapshot.

      Fetch all the SAC users: https://<SAC>/api/v1/scim/Users

      R Ea

      Hi I am having the same problem. Was this ever resolved?

      I also get an empty response body on GETing groups

      Nagaveni Shankarappa Narasammanavar

      Hi Aman Gupta ,

      I am able to execute the GET API successfully, but on POST, where I am trying to create one test user, I am getting

      {
      "status": 400,
      "message": "User information and username cannot be empty"
      }

      error

      .

      code:

      {
      "username":"TESTSCIM",
      "name": {
      "givenName": "Test",
      "familyName": "SCIM"
      },
      "displayName": "Test SCIM",
      "active": true,
      "emails": [
      {
      "value": "test@abc.com",
      "type": "work",
      "primary": true
      }
      ],
      "roles": [
      "PROFILE:t.3:BI_Composer",
      "PROFILE:t.3:BI_Consumer"
      ],
      "urn:scim:schemas:extension:enterprise:1.0": {
      "manager": {
      "managerId": ""
      }
      }
      }

       

      can you please help me with it.

      Matthew Shaw

      Hello

      Your request body is badly formed. The 'username' should be 'userName'.

      For sample code that creates users (and a lot of other things) please visit my blog https://blogs.sap.com/2021/05/28/sap-analytics-cloud-scim-api-best-practices-and-sample-scripts/

      All the best, Matthew

      Nivetha Jeyananthan

      Hi Aman,

      Is it possible to delete multiple users with a single delete request? Also, when we remove/delete a user from SAC manually, it will prompt us to transfer the content to another user. How that is managed when we do a API call?

      Thanks,

      Nivetha

      Matthew Shaw

      Hello Nivetha

      For deleting multiple users- the answer is 'no', a separate request is required for each user.

      For deleting users, my FAQs answer this question. This article is introduced by this blog that provides an overview. It's likely to answer a number of other questions you may have.

      The blog also introduces sample scripts, some of which delete a whole team of users!

      All the best, Matthew

      Ravi Condamoor

      Hi,

      Is it possible to read/write data from a Model through REST APIs? Is there any sample code for doing that?

      Thanks

      -ravi

      Denys van Kempen

      For the interested reader, we have started to record a video tutorial series about the SAP Analytics Cloud user and team provisioning API​

      • ​https://blogs.sap.com/2021/09/25/sap-analytics-cloud-user-and-team-provisioning-api-hands-on-video-tutorials/
      Bhushan Dhodi

      Hi Aman,

       

      When we make update Group PUT API call while adding new member into the members list, later when we make GET call on that particular user, we can see that the groups list is updated for the user but roles list is still empty.

      How can we make sure that roles list is also updated?

       

      Sneha Veerabhadrappa Dugani

      Hi Matthew,

      We have exposed, Users Entity and Stories Entity as OData service using cap. We are not able to fetch the data when we query Users Entity , whereas we are able to fetch the data from Stories Entity.

      I tried to call the below Get API and got 200 OK response . I don't see the list of users which are extracted from the server . Am I missing anything in this Get call or please point out on where can that information can be found?

      Get all SAC teams: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Users.

      Could you please help in

      • how to consume Users Entity in the Fiori application?

       

      Thanks in Advance ,

      Kind Regards,

      Sneha.