Skip to Content
Product Information
Author's profile photo Praveen Kumar Dwivedi

Integration User for Odata services in SAP Cloud for Customer

Dear Community members,

 

Note: Current post strictly provides steps for SAP Cloud for Customer (SAP Sales Cloud and SAP Service Cloud).

With the 1911 release of SAP Cloud for Customer, SAP has provided capability to use integration or technical user for Odata services.

Odata Services – 1911

 

With A2X services being deprecated from February 2020, customers and partners are requested to move their A2X and SOAP services to Odata. But with Odata services we have had to use basic authentication with a Business User. This causes concerns when the password expires, leading to failure of the integration.

You can read more on this here.

https://apps.support.sap.com/sap/support/knowledge/public/en/2325562

 

Below, we will see how we can use a technical user for basic authentication and Certificate based authentication for Odata services.

 

Create a new Communication system. Maintain the host name.

 

Create Communication arrangement for standard Communication Scenario: OData Services for Business Objects

Select the services which you wish to enable under technical data. In the next image you can see that the technical user is generated.

 

The technical user created above can be used for basic authentication as well.

Further, we have similar steps as with SOAP services.

Click on edit credentials and create and download a key pair. (a *.p12 extension file will be downloaded)

 

Add the key pair file to your CPI tenant under manage keystore.

 

Configure the Odata adapter as follows.

Maintain the address of the service you wish to call, and the alias saved in the previous step.

Select authentication method as Client Certificate or Basic authentication.

 

Note: CSRF token is not needed as we are using a technical user.

In case of Client certificate, provide the name of the *.p12 file which you saved in keystore.

In case of Basic authentication, deploy a credential artifact in CPI with the technical user created above, and provide the credential name.

 

Download the edmx file from the metadata URL.

https://myNNNNN.crm.ondemand.com/sap/c4c/odata/v1/c4codataapi/$metadata

and configure the request query.

 

Using a technical user provides better security and prevents failure of integrations due to expiration of password.

 

You can get more details on this here.

https://github.com/SAP/C4CODATAAPIDEVGUIDE

 

Edit:

For certain services like: accounthierarchylist, businesspartnerrelationship… if you use CSRF token, you’ll get error “Inconsistent Authorization: Re-activate Communication Arrangement.” This is an authorization error. In Odata services authorization occurs via a workcenter view which is also assigned to the access user. And because such services don’t have WoCview assigned due to which reading metadata causes issue.

 

To resolve this error, remove the CSRF fetch as it is not needed with a communication user, or assign a workcenter view which can accessed by the access user (in case of business user).

 

Regards

Praveen Dwivedi

Assigned Tags

      12 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Catalin Dutta
      Catalin Dutta

      In case anyone runs into the same issue that I did:

      • when you go into the settings of the Communication Arrangement, under Services Used - you might not see all of your custom OData services
      • go into OData Service Explorer, edit the corresponding service
      • expand the Header and assign a WOCV

      I know it's counter-intuitive because the technical user does not have a business role, i.e. no restrictions, but at least it works.

      Author's profile photo suchita phulkar
      suchita phulkar

      Hi Praveen Kumar Dwivedi ,

      Firstly, thanks for the excellent blog. I wish this was documented in the C4C guides too.

      You have an edit on your blog where you mentioned about error “Inconsistent Authorization: Re-activate Communication Arrangement.

      I am getting this error for my custom OData service - despite I have assigned it to the communication arrangement.

      I get this error only when I do a GET to my custom OData with Technical User (maintained for the communication arrangement). The Authentication is Basic and with User ID and Password defined on Communication arrangement. When I test with POSTMAN, I get the same error.  But if I user the GET via POSTMAN with any other business user details , I do not get this error.

      The test on custom OData via OData explorer is also fine. So means, system has a problem only when I do a GET on my custom OData with technical user.

      Do you know how to solve this error ?

      Thanks,

      Suchita

      Author's profile photo Praveen Kumar Dwivedi
      Praveen Kumar Dwivedi
      Blog Post Author

      Hi Suchita, This issue occurs when no WoCView is assigned to the service.

      Check if WoCView is assigned to your custom Odata service entity types.

      Alternatively, you are fetching CSRF token to GET data, this is not needed for technical user. Remove CSRF token fetch.

      Author's profile photo suchita phulkar
      suchita phulkar

      Hi Praveen Kumar Dwivedi ,

      Thanks for your reply .

      My issue is now solved. There are two placed for WoCV assignment on OData – on Header and on Property. I was doing it only on Property and that was it problem (as header is always collapsed so didn't realised it) .

      The got resolved once the header WoCV is maintained.

      Regards,

      Suchita

      Author's profile photo Lubos Krajcir
      Lubos Krajcir

      Hello All,

       

      Can I ask you, which WoCV did you assign for your technical users? Also, will the POST / PUT action work for technical user?

       

      Thank you very much

      Regards

      Ľuboš

      Author's profile photo Maxime Gillet
      Maxime Gillet

      Hello,

      By any chance, is it possible to do so with SAP ByDesign?

      Thanks/Regards

      Author's profile photo Praveen Kumar Dwivedi
      Praveen Kumar Dwivedi
      Blog Post Author

      Hi Maxime

      Being on the same architecture, it should be possible. Although, I haven’t tried it in a ByD system.

      Hopefully you must have already tried it out already by now.

       

      Praveen

      Author's profile photo Jacques-Antoine Ollier
      Jacques-Antoine Ollier

      Edit: Maxime Gillet 

      From 2102 version of SAP ByDesign (ByD)), we are now able to create a Technical User in order to consume OData endpoints, as it is possible in SAP C4C.

      Enjoy!

      Thank you for your attention

       

      Author's profile photo Mario Fliegner
      Mario Fliegner

      Hi,

      I'm trying to update a Product via https://api.sap.com/api/API_PRODUCT_SRV/ OData service (for example the product text) using Communication Arrangement SAP_COM_0077. I've also created a Communication User with password. However, the OData service does not update anything but return with "Matl master maintenance not possible for transaction chosen (TKSTATUS)":

              <application>
                  <component_id>LO-MD-MM</component_id>
                  <service_namespace>/SAP/</service_namespace>
                  <service_id>API_PRODUCT_SRV</service_id>
                  <service_version>0001</service_version>
              </application>

      This looks like the Communication User do not have the permission for the transaction!? The same issue I get for all OData services from the mentioned Communication Arrangement which tries to update the Business Objects (POST, PATCH). It works fine for any GET requests to retrieve data.

      As we're in the SAP managed Cloud, there is no way to maintain the users permissions. Any thoughts? Maybe I'm doing something wrong?

      Author's profile photo Stefania Zanzottera
      Stefania Zanzottera

      Hi Mario Fliegner

      I have the same problem as you, how did you solve it?

      Thanks

      Stefania

      Author's profile photo Senthilkumar Thangavel Namasivayam
      Senthilkumar Thangavel Namasivayam

      Hi Praveen,

      I have outbound OData call from C4C, and getting 403 forbidden with csrf token missing issue.

       

      As I see your blog works well for Inbound in C4C. do you have a solution for C4C Outbound calls?

       

      Thanks

      Sam

      Author's profile photo Praveen Kumar Dwivedi
      Praveen Kumar Dwivedi
      Blog Post Author

      hello Sam

      403 error means the service call isn't authorized to access the target system. You need to check in your target system for the issue.

      Also, for any kind of POST or PATCH calls, CSRF token is needed. try adding the CSRF token to the message header of your service call. Without CSRF token, you won't be able to use POST or PATCH.

       

      Regards

      Praveen