Skip to Content
Technical Articles

User and Team provisioning APIs for SAP Analytics Cloud

Hi guys,

This blog will cover a client requirement where users need to be created and provisioned in SAP Analytics Cloud(SAC) from the Identity and Access management (for example IdM). SAC user provisioning can be done via standard SAC REST APIs, which needs to be enabled before making an API call.

The complete process can be automated if using a middleware (for example SAP CPI) to get the request from IAM and calling the SAC APIs in sequence for user creation and provisioning. We will use Postman client to make APIs call.

The scope of this document covers the below scenarios

  • User creation
  • User update
  • User delete
  • Teams creation
  • Teams update
  • Users and teams extraction

In order to consume SAC APIs, first, an application client needs to create, to authenticate and authorize the incoming requests.

Let’s start with the creation of an application. Go to System -> Administrator -> app integration

Note: Logged in user should have proper admin role to perform below steps

Create a new OAuth client

  1. Enter some meaningful name for the app user
  2. OAuth client id name (will be visible in the API logs)
  3. Select “API access” from the drop-down
  4. Access scope will be “User provisioning”
  5. Enter the secret, which will be used for the authentication
  6. Lifetime for the secret expiry
  7. Lifetime for the access token generated by OAuth server

After specifying all details, click add(note down the OAuth client Id and secret)

Note down the Token URL as this will be used to make the first call and obtain the access token. Now, we are all set to do the API calls.

 

Test Case 1: User Creation

  • Request access token
  • Fetch CSRF token
  • Create a user with optional parameters

Perform the below steps in sequence

Request Access Token

  1. This must be done via the tenant Token URL.
  2. The OAuth Client ID and Secret and must be provided as part of the request

If OAuth authorization is successful, the returned token can be used to access the API

 

Fetch CSRF token

POST, PUT, and DELETE requests to the API can be made only after getting a valid CSRF token. To get the CSRF token, do a GET request to one of the SAC API (/Users or /Groups)

URL: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Groups  OR

URL: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Users

Tip: HEAD operation can be used to avoid response payload.

 

Create a user

Users in SAC can be created with or without optional parameters as below.

POST: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Users

Header section:

x-sap-sac-custom-auth = true

x-csrf-token = <<x-csrf-token from step 2>>

Content-Type = application/json

Authorization = Bearer <<Access Token from step 1>>

Body section:

username: a unique name for the user

emails: unique primary email id for the user

roles: multiple roles can be assigned by adding multiple role names in the request

isConcurrent: manage the concurrent license type

managerId: user id should exist in the system before assigning it as a manager

Note: userName and email must be unique while creating a new user in SAC.

Response: If a user creation call is successful, the API response will be “210 Created”

Verify the results in SAC, go to Security/Users.

 

 

Test Case 2: User update

Perform the below steps in sequence

  • Request access token: As explained earlier
  • Fetch CSRF token: As explained earlier
  • Update a user

Update a user

Note: This call always works in upsert mode. Meaning, existing user information will be overwritten with the new one.

PUT: https:// <SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Users/AGUPTA

Header section:

x-sap-sac-custom-auth = true

x-csrf-token = <<x-csrf-token>>

Content-Type = application/json

Authorization = Bearer <<Access Token>>

Response: If user update call is successful, the API response will be “200 OK”

Verify the results in SAC, go to Security/Users.

 

 

Test Case 3: User delete

Perform the below steps in sequence

  • Request access token: As explained earlier
  • Fetch CSRF token: As explained earlier
  • Delete a user

Delete a user

Note: User which is to be deleted should not be an active manager in SAC

DELETE: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Users/AGUPTA

Header section:

x-sap-sac-custom-auth = true

x-csrf-token = <<x-csrf-token>>

Content-Type = application/json

Authorization = Bearer <<Access Token>>

Response: If user delete call is successful, the API response will be “204 No Content”

 

Test Case 4: Group(teams) creation

Perform the below steps in sequence

  • Request access token: As explained earlier
  • Fetch CSRF token: As explained earlier
  • Create a team

POST: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Groups

Header section:

x-sap-sac-custom-auth = true

x-csrf-token = <<x-csrf-token from step 2>>

Content-Type = application/json

Authorization = Bearer <<Access Token from step 1>>

Body section:

id: a unique name for the group(team)

displayName: display name for the group(team)

roles: multiple roles can be assigned by adding multiple role names in the request

members: multiple members can be assigned by adding multiple member names in the request

Response: If group(teams) creation call is successful, the API response will be “201 Created”

Verify the results in SAC, go to Security/Teams

 

 

Test Case 5: Teams update

Perform the below steps in sequence

  • Request access token: As explained earlier
  • Fetch CSRF token: As explained earlier
  • Update a team

Note: This call always works in upsert mode. Meaning, existing teams information will be overwritten with the new one

PUT: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Groups/Teams1

Header section:

x-sap-sac-custom-auth = true

x-csrf-token = <<x-csrf-token from step 2>>

Content-Type = application/json

Authorization = Bearer <<Access Token from step 1>>

Response: If teams update call is successful, the API response will be “200 OK”

Note: Users added in the teams will inherit the roles assigned to that teams

 

Test Case 6: User and Group(teams) extraction

Perform the below steps in sequence

  • Request access token: As explained earlier
  • Get call for user or team extraction

Header section:

Authorization = Bearer <<Access Token from step 1>>

Get all SAC users: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Users

Get specific SAC user: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Users/AGUPTA

Get specific SAC user with Filter conditions:

https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Users?filter=username eq “AGUPTA”

Get all SAC teams: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Groups

Get specific SAC team: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Groups/Teams1

 

References: https://help.sap.com/viewer/298f82da4b184d1fb825b7ffe365e94a/release/en-US/b687e9589b834a2db872414b0b8d3a12.html

Note: All the above content is based on personal learning from SAP help and SAP official documentation, comments, and suggestions are always welcome. Happy Integrating! 🙂

4 Comments
You must be Logged on to comment or reply to a post.
  • Hi there Aman,

    Great blog. Very helpfull. I have one question though. I have been trying to add and remove group teams to users through the API. I have tried using the method to update users by passing the list of groups i want a user to have and tried using the method to update groups by passing the list of users i want a group to have as members but neither of those methods have worked for me.

    This is the JSON i pass in the request body:

    Update User

    If i request the user details it shows no groups assigned to it.

    Update Group

    If i request the group details it shows no members.

     

    Could you help me, please.

     

    Thank you!