Skip to Content
Technical Articles
Author's profile photo Witalij Rudnicki

Create additional users in SAP Data Intelligence trial (with vctl)

Ok, so assuming you got your SAP Data Intelligence 3.0 trial (see more details in the post by Dimitri Vorobiev) running and you are the one having administrator (user system in tenant system) access to it.

Tutorials assume you keep using the admin user for all the exercises, but you want more people from your team/organization to be able learning how to develop data-intensive applications without sharing the admin user and password with them. That’s, at least, my case. And I plan to resolve it by creating separate DI developer (I name them didevXX) users.

I will use SAP Data intelligence’s CLI utility vctl, because — as DJ Adams keeps saying — “The future is terminal” 🙂

Get vctl utility

Thanks to Gianluca De Lorenzo who already covered vctl in his post Zen and the Art of SAP Data Intelligence. Episode 3: vctl, the hidden pearl you must know!

So, I logon to my SAP Data Intelligence system tenant as a system user and open System Management. And then go to the Help icon to download VCTL.

From the pop-up pick the right version for your OS. I am using MacOS, so I pick Darwin and download the utility to my ~/Tools folder.

And because I am using macOS Catalina version I need to remove the extended attribute Catalina assigned this attribute to the file because it was downloaded from the web.

ls -l@ vctl
xattr -d vctl


One more step — make it executable.

chmod u+x vctl

Who am I?

./vctl whoami

…returns Error: invalid session. Did you login? Has your session expired? as I am not logged in yet.

./vctl login --help
./vctl login system system --insecure
./vctl whoami

I had to use --insecure option, as a host in the Trial is using a self-signed certificate.

Hint: If you have kubectl installed and its context is set to the Data Intelligence’s K8s cluster, then you can get the ingress host name from kubectl get ingress -n datahub -o=jsonpath='{.items[0].status.loadBalancer.ingress[0].hostname}'.

Use it in the login command:

./vctl login https://$(kubectl get ingress -n datahub  -o=jsonpath='{.items[0].status.loadBalancer.ingress[0].hostname}') system system --insecure

Once login is successful the connection info is stored in the file ~/.vsystem/.vsystem_conn.

Create a tenant

I am going to create a separate tenant learning, but if you want users to access all connections and data pre-configured for tutorials, then you should create new users in the existing default tenant.

./vctl tenant create --help
./vctl tenant create learning
./vctl tenant set-strategy learning sdi-default-extension-strategy

should return Successfully created tenant "learning" and Successfully set strategy "sdi-default-extension-strategy" for tenant "learning".

Create a user

./vctl user create --help
./vctl user create learning didev00 Welcome20 member

…should return Successfully created user "learning/didev00".

It created a member (not an admin) user didev00 in the tenant learning with the password Welcome20 (although I understand many might say 2020 is not that welcoming…)

Assign policies to a user

./vctl policy --help
./vctl policy list-policies --tenant learning
./vctl policy assign sap.dh.metadata --tenant learning didev00
./vctl policy assign sap.dh.developer --tenant learning didev00

Now this user can logon into your SAP Data Intelligence trial to start learning and experimenting ?️.

The script to create developer users

Obviously, creating all users manually can be annoying, so here is a quick and dirty (i.e.  no checks for errors, or if running user is logged and has authorizations) bash script


while getopts n:t:p: option
  case "${option}"
    n) NRTOTAL=${OPTARG};;
    p) DEVPWD=${OPTARG};;


for i in $(eval echo {1..${NRTOTAL}})
  nr=$(printf "%02d" $i)
  echo "${didevnr} out of ${NRTOTAL} being created..."
  ./vctl user create ${DITENANT} ${didevnr} ${DEVPWD} member
  ./vctl policy assign sap.dh.metadata --tenant ${DITENANT} ${didevnr}
  ./vctl policy assign sap.dh.developer --tenant ${DITENANT} ${didevnr}

By default, it creates 3 users with the password SAPDI30trial in the default tenant.

These defaults can be changed by providing parameters from the command line:

  • -n number of users to create starting from didev01
  • -t tenant
  • -p new user’s password (same for all newly created users)
./ -n 2 -t learning -p P@$$w0rd$

As I am not an expert in Bash scripts, any suggestions for improvement are welcome! Or if you want to rework it to PowerShell script and to share in comments — please do so!

I hope you find it useful,
-Vitaliy (aka @Sygyzmundovych)


Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Roland Kramer
      Roland Kramer

      Hello Witalij
      additional hints for vctl can also be found in the Blog - prepare the Installation Host for the SLC Bridge

      Best Regards Roland

      Author's profile photo Indu Khurana
      Indu Khurana

      Thank you Witalij Rudnicki for the details. This is very helpful.

      I could easily create user (developer) in the system tenant ending in two users (default, developer).

      I also tried creating another tenant (tenant2) and assigned admin policies to it, but when I created a new user(user1) in tenant2, even after assigning all the policies (except admin) , the user1 is having only two applications in the launchpad, not the metadata ,modeler etc.

      Is it the expected behaviour or am I missing something?


      P.S. I have created users/tenants from SAP Data Intelligence platform not from vctl.


      Indu Khurana.

      Author's profile photo Witalij Rudnicki
      Witalij Rudnicki
      Blog Post Author

      Hi Indu. Have you created it in the trial edition of SAP Data Intelligence? What version of Data Intelligence have you gotten?

      Author's profile photo Indu Khurana
      Indu Khurana

      Hello Witalij,

      I have created in SAP Data Intelligence, trial edition 3.1.



      Author's profile photo Indu Khurana
      Indu Khurana

      Hello Witalij,

      I understood where I was wrong, It was the strategy which should be correct for a tenant ,in order to have all the applications to appear in the launchpad for the user under that tenant.



      Author's profile photo Witalij Rudnicki
      Witalij Rudnicki
      Blog Post Author

      I am glad it worked out for you Indu Khurana 🙂

      Author's profile photo Indu Khurana
      Indu Khurana

      Hi Witalij Rudnicki

      I have a new issue now. 🙂

      1. I have created a new tenant: tenant2.
      2. Transported all my graph in form of a package from tenant 'default' to 'tenant2'
      3. I could see all my graphs in tenant2.
      4. I could run new graphs in tenant2.


      There is no connection in connection management (by default) in 'tenant2' , hence I created one for s3 , status ok.

      But for HANA local host, If I provide the same host, port of existing HANA local host as we have in tenant 'default' , it fails. ( credentials used are user and pass used to login tenant2)

      what port/host should I provide for creating new connection to HAAN DB?

      Please advise.


      Indu Khurana.