User and Team provisioning APIs for SAP Analytics Cloud
Hi guys,
This blog covers a client requirement where users need to be created and provisioned in SAP Analytics Cloud (SAC) from an Identity and Access Management system (for example IdM). SAC user provisioning can be done via the standard SAC REST APIs, which need to be enabled before making an API call.
The complete process can be automated by using middleware (for example SAP CPI) to receive the request from IAM and call the SAC APIs in sequence for user creation and provisioning. We will use the Postman client to make the API calls.
The scope of this document covers the scenarios below:
- User creation
- User update
- User delete
- Teams creation
- Teams update
- Users and teams extraction
In order to consume the SAC APIs, an application client first needs to be created to authenticate and authorize the incoming requests.
Let’s start with the creation of an application. Go to System -> Administrator -> app integration
Note: The logged-in user must have the proper admin role to perform the steps below.
Create a new OAuth client
- Enter some meaningful name for the app user
- OAuth client id name (will be visible in the API logs)
- Select “API access” from the drop-down
- Access scope will be “User provisioning”
- Enter the secret, which will be used for the authentication
- Lifetime for the secret expiry
- Lifetime for the access token generated by OAuth server
After specifying all details, click Add (note down the OAuth client ID and secret).
Note down the Token URL as this will be used to make the first call and obtain the access token. Now, we are all set to do the API calls.
Test Case 1: User Creation
- Request access token
- Fetch CSRF token
- Create a user with optional parameters
Perform the below steps in sequence
Request Access Token
- This must be done via the tenant Token URL.
- The OAuth Client ID and Secret must be provided as part of the request
If OAuth authorization is successful, the returned token can be used to access the API
Fetch CSRF token
POST, PUT, and DELETE requests to the API can be made only after getting a valid CSRF token. To get the CSRF token, do a GET request to one of the SAC APIs (/Users or /Groups).
URL: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Groups OR
URL: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Users
Tip: HEAD operation can be used to avoid response payload.
Create a user
Users in SAC can be created with or without optional parameters as below.
POST: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Users
Header section:
x-sap-sac-custom-auth = true
x-csrf-token = <<x-csrf-token from step 2>>
Content-Type = application/json
Authorization = Bearer <<Access Token from step 1>>
Body section:
username: a unique name for the user
emails: unique primary email id for the user
roles: multiple roles can be assigned by adding multiple role names in the request
isConcurrent: manage the concurrent license type
managerId: user id should exist in the system before assigning it as a manager
Note: userName and email must be unique while creating a new user in SAC.
Response: If a user creation call is successful, the API response will be “201 Created”
Verify the results in SAC, go to Security/Users.
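The three calls of Test Case 1 chained in Python, as an added example that is not part of the original post. It assumes a client-credentials token request with HTTP Basic client authentication and the `x-csrf-token: fetch` request header; the function names are illustrative, and the shared cookie jar reflects the cookie reuse that a commenter below found necessary.

```python
import base64
import json
import urllib.request
from http.cookiejar import CookieJar

USERS = "/api/v1/scim/Users"

def new_opener():
    # Shared cookie jar: cookies set by the CSRF fetch go out with the write call.
    return urllib.request.build_opener(urllib.request.HTTPCookieProcessor(CookieJar()))

def get_access_token(opener, token_url, client_id, secret):
    # Assumption: client-credentials grant, client authenticated via HTTP Basic.
    basic = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
    req = urllib.request.Request(token_url, data=b"grant_type=client_credentials",
                                 headers={"Authorization": "Basic " + basic})
    with opener.open(req) as resp:
        return json.load(resp)["access_token"]

def fetch_csrf(opener, base_url, token):
    # HEAD avoids the response payload; "x-csrf-token: fetch" is an assumption
    # (SAP's usual convention), as is sending the custom-auth header here.
    req = urllib.request.Request(base_url + USERS, method="HEAD", headers={
        "Authorization": "Bearer " + token,
        "x-sap-sac-custom-auth": "true", "x-csrf-token": "fetch"})
    with opener.open(req) as resp:
        return resp.headers.get("x-csrf-token")

def build_user(user_name, email, roles=()):
    # The key is "userName"; "username" is answered with HTTP 400 (see comments).
    if not user_name or not email:
        raise ValueError("userName and a primary email are required")
    return {"userName": user_name, "roles": list(roles),
            "emails": [{"value": email, "type": "work", "primary": True}]}

def create_user(opener, base_url, token, csrf, user):
    req = urllib.request.Request(
        base_url + USERS, data=json.dumps(user).encode(), method="POST",
        headers={"Authorization": "Bearer " + token,
                 "x-sap-sac-custom-auth": "true", "x-csrf-token": csrf,
                 "Content-Type": "application/json"})
    with opener.open(req) as resp:
        return resp.status  # 201 on success

def provision(opener, base_url, token_url, client_id, secret, user):
    token = get_access_token(opener, token_url, client_id, secret)
    csrf = fetch_csrf(opener, base_url, token)
    return create_user(opener, base_url, token, csrf, user)
```

Call `provision(new_opener(), base_url, token_url, client_id, secret, build_user(...))` with your tenant URL and the Token URL noted earlier; the body built here carries only the fields named in this post, so add the optional ones your tenant uses.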
Test Case 2: User update
Perform the below steps in sequence
- Request access token: As explained earlier
- Fetch CSRF token: As explained earlier
- Update a user
Update a user
Note: This call always works in upsert mode, meaning that existing user information will be overwritten with the new information.
PUT: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Users/AGUPTA
Header section:
x-sap-sac-custom-auth = true
x-csrf-token = <<x-csrf-token>>
Content-Type = application/json
Authorization = Bearer <<Access Token>>
Response: If user update call is successful, the API response will be “200 OK”
Verify the results in SAC, go to Security/Users.
Test Case 3: User delete
Perform the below steps in sequence
- Request access token: As explained earlier
- Fetch CSRF token: As explained earlier
- Delete a user
Delete a user
Note: The user to be deleted should not be an active manager in SAC.
DELETE: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Users/AGUPTA
Header section:
x-sap-sac-custom-auth = true
x-csrf-token = <<x-csrf-token>>
Content-Type = application/json
Authorization = Bearer <<Access Token>>
Response: If user delete call is successful, the API response will be “204 No Content”
Test Case 4: Group(teams) creation
Perform the below steps in sequence
- Request access token: As explained earlier
- Fetch CSRF token: As explained earlier
- Create a team
POST: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Groups
Header section:
x-sap-sac-custom-auth = true
x-csrf-token = <<x-csrf-token from step 2>>
Content-Type = application/json
Authorization = Bearer <<Access Token from step 1>>
Body section:
id: a unique name for the group(team)
displayName: display name for the group(team)
roles: multiple roles can be assigned by adding multiple role names in the request
members: multiple members can be assigned by adding multiple member names in the request
Response: If group(teams) creation call is successful, the API response will be “201 Created”
Verify the results in SAC, go to Security/Teams
Test Case 5: Teams update
Perform the below steps in sequence
- Request access token: As explained earlier
- Fetch CSRF token: As explained earlier
- Update a team
Note: This call always works in upsert mode, meaning that existing team information will be overwritten with the new information.
PUT: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Groups/Teams1
Header section:
x-sap-sac-custom-auth = true
x-csrf-token = <<x-csrf-token from step 2>>
Content-Type = application/json
Authorization = Bearer <<Access Token from step 1>>
Response: If teams update call is successful, the API response will be “200 OK”
Note: Users added to a team will inherit the roles assigned to that team.
Test Case 6: User and Group(teams) extraction
Perform the below steps in sequence
- Request access token: As explained earlier
- Get call for user or team extraction
Header section:
Authorization = Bearer <<Access Token from step 1>>
Get all SAC users: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Users
Get specific SAC user: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Users/AGUPTA
Get specific SAC user with Filter conditions:
https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Users?filter=username eq "AGUPTA"
Get all SAC teams: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Groups
Get specific SAC team: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Groups/Teams1
References: https://help.sap.com/viewer/298f82da4b184d1fb825b7ffe365e94a/release/en-US/b687e9589b834a2db872414b0b8d3a12.html
Note: All the above content is based on personal learning from SAP help and SAP official documentation, comments, and suggestions are always welcome. Happy Integrating! 🙂
Hi Aman,
we found two typos in your post.
In the lines
URL: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/vi/scim/Groups
URL: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/vi/scim/Users
'.../api/vi/scim...' is wrong, it should read '.../api/v1/scim...'.
Otherwise a great blog!
Thanks and best regards
Markus
Hello Markus,
Thanks for pointing out the typos, I have corrected them.
Cheers,
Aman
Hello Aman,
I tried to call the below Get API and got 200 OK response. In the response I can see some <head> <link> and <script> </head> between <html> and </html>. I don't see the list of Teams which are extracted from the server. Am I missing anything in this Get call or please point out where that information can be found?
Get all SAC teams: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Groups
Is it possible to extract all the teams with user mapping from SAC via API ?
Also is it possible to extract the roles (with content also) via SAC API ?
Thanks and Regards
Sri.
Hi there Aman,
Great blog. Very helpful. I have one question though. I have been trying to add and remove group teams to users through the API. I have tried using the method to update users by passing the list of groups I want a user to have and tried using the method to update groups by passing the list of users I want a group to have as members but neither of those methods have worked for me.
This is the JSON I pass in the request body:
Update User
If I request the user details it shows no groups assigned to it.
Update Group
If I request the group details it shows no members.
Could you help me, please.
Thank you!
Hello Javier,
Update User: /Users API cannot be used for assigning groups to the SAC users. This is confirmed by SAP, https://launchpad.support.sap.com/#/incident/pointer/002075129400002576342019
Update Group: Please try giving below format, AFAIK username value should be in uppercase.
{
"type": "User",
"value": "DAVIDCABRA",
"$ref": "/api/v1/scim/Users/DAVIDCABRA"
}
Thanks,
Aman
Hello Aman,
I hope you are doing well.
I have tried what you suggested but I still can't add users to a group. I am getting the following error "HTTP Status 401 – Unauthorized". I only get this error if I try to update, create and delete a group; if I create, delete or update a user it works fine.
I followed the steps to create an OAuth client and my configuration is as follows:
My tenant version is 2019.15. Maybe it is a version issue?
Thank you for the help.
Hello Javier,
While creating an OAuth client, I hope you have entered the access token lifetime (validity) like 1min/1hour/1day (in your above snapshot it looks missing).
Also, EDIT operations like POST/PUT/DELETE are CSRF protected, try to get the CSRF token by doing a GET/HEAD call for /Groups API and use the same CSRF token for updating the /Groups.
SAC tenant version should not be an issue here. :-/
Regards,
Aman
Hi Javier,
we had the same problem, in our case we had to accept cookies from the csrf fetch request and reuse them for the update API call.
Regards,
Timo
Hi, is it possible to reset and unblock a user from this API? Regards.
Hi Julio,
AFAIK, SAC API does not support lock/unlock, Activate/Deactivate of users, the only possibility I see is to delete the user and then recreate.
If the requirement is to reset the user roles, then it is possible using PUT operation on /users API.
Thanks,
Aman
Hi Aman,
Can we use REST API to create users in SAP ABAP NW Gateway System leveraging webgui?
Probably I'm sounding dumb, but just popped up.
-RP
When I follow the steps above, I Always get following error requesting all users
I was able to request access token using client credentials
Which SAC API url you are trying to hit? Please share the snapshot.
Fetch all the SAC users: https://<SAC>/api/v1/scim/Users
Hi I am having the same problem. Was this ever resolved?
I also get an empty response body on GETing groups
Hi Aman Gupta ,
I am able to execute the GET API successfully, but while POST where I am trying to create one test user, I am getting
{
"status": 400,
"message": "User information and username cannot be empty"
}
error.
code:
{
"username":"TESTSCIM",
"name": {
"givenName": "Test",
"familyName": "SCIM"
},
"displayName": "Test SCIM",
"active": true,
"emails": [
{
"value": "test@abc.com",
"type": "work",
"primary": true
}
],
"roles": [
"PROFILE:t.3:BI_Composer",
"PROFILE:t.3:BI_Consumer"
],
"urn:scim:schemas:extension:enterprise:1.0": {
"manager": {
"managerId": ""
}
}
}
can you please help me with it.
Hello
Your request body is badly formed. The 'username' should be 'userName'.
For sample code that creates users (and a lot of other things) please visit my blog https://blogs.sap.com/2021/05/28/sap-analytics-cloud-scim-api-best-practices-and-sample-scripts/
All the best, Matthew
Hi Aman,
Is it possible to delete multiple users with a single delete request? Also, when we remove/delete a user from SAC manually, it will prompt us to transfer the content to another user. How that is managed when we do a API call?
Thanks,
Nivetha
Hello Nivetha
For deleting multiple users- the answer is 'no', a separate request is required for each user.
For deleting users my FAQs answer this question. This article is introduced by this blog that provides an overview. It's likely to answer a number of other questions you may have.
The blog also introduces sample scripts, some of which delete a whole team of users!
All the best, Matthew
Hi,
Is it possible to read/write data from a Model through REST APIs? Is there any sample code for doing that?
Thanks
-ravi
For the interested reader, we have started to record a video tutorial series about the SAP Analytics Cloud user and team provisioning API
When we make update Group PUT API call while adding new member into the members list, later when we make GET call on that particular user, we can see that the groups list is updated for the user but roles list is still empty.
How can we make sure that roles list is also updated?
Hi Matthew,
We have exposed, Users Entity and Stories Entity as OData service using cap. We are not able to fetch the data when we query Users Entity , whereas we are able to fetch the data from Stories Entity.
I tried to call the below Get API and got 200 OK response. I don't see the list of users which are extracted from the server. Am I missing anything in this Get call or please point out where that information can be found?
Get all SAC teams: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Users.
Could you please help in
Thanks in Advance ,
Kind Regards,
Sneha.