
Platform Authorization Management API-SAP Cloud Integration (CPI)

Introduction 

I can see that most customers are moving to centralized identity management so that they can manage access provisioning and roles centrally for different cloud applications using APIs.

This can be implemented with the help of APIs over the SCIM protocol. In this blog I will discuss only SAP CPI (Cloud Process Integration) platform/tenant access provisioning and user management using APIs.

Pre-Requisite

You should have SCP Cockpit access with the Administrator role to create an API client.

Implementation 

The OAuth 2.0 authentication mechanism is enabled for all the Platform Authorization Management APIs.

  1. To call the API methods you need an access token, so create an OAuth client.
  2. Make sure the “readAccountMembers” and “manageAccountMembers” scopes are assigned while creating the OAuth client.

To create the OAuth client, log on to the SCP Cockpit.

Make a note of the Client ID and Client Secret created in the above steps.

Get an access token with the help of the API below:

URL: https://api.<region>.hana.ondemand.com/oauth2/apitoken/v1?grant_type=client_credentials

Method-POST

 

Platform API to get all users from the tenant/platform using API

URL : https://api.<Region>.hana.ondemand.com/authorization/v1/platform/accounts/<sub-account-name>/Users

Method-GET

 

Platform API to get specific user details from the tenant/platform using API

URL : https://api.<Region>.hana.ondemand.com/authorization/v1/platform/accounts/<sub-account-name>/Users/<user-id>

Method-GET

 

Platform API to add new user to the tenant/platform using API

URL : https://api.<Region>.hana.ondemand.com/authorization/v1/platform/accounts/<sub-account-name>/Users

Method-POST

Headers-Content-type: application/scim+json

Body

Sample structure of a user:

You can also refer to the sample structure in SAP Help.

{
    "schemas": [
        "urn:sap:cloud:scim:schemas:extension:custom:2.0:UserExt",
        "urn:ietf:params:scim:schemas:core:2.0:User"
    ],
    "userName": "S0012345678",
    "name": {
        "familyName": "LastName",
        "givenName": "FirstName"
    },
    "emails": [
        {
            "value": "firstname.lastname@domain.com",
            "primary": true
        }
    ],
    "roles": [
        {
            "value": "Developer",
            "primary": false,
            "type": "Predefined"
        },
        {
            "value": "ReadOnly",
            "primary": false,
            "type": "Predefined"
        }
    ]
}

 

 

Platform API to Remove/Delete the user from tenant/platform using API

URL : https://api.<Region>.hana.ondemand.com/authorization/v1/platform/accounts/<sub-account-name>/Users/<user-id>

Method-DELETE
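
The calls described above, as an added example (not code from the original post or from SAP): it builds the token, list/read/delete and create requests with Python's standard library, percent-encodes path parts, and refuses to provision roles outside an allowlist. The Basic-auth token call, the Bearer header, the ALLOWED_ROLES policy and all function names are assumptions; region, subaccount and credentials are placeholders.

```python
import base64
import json
from urllib.parse import quote
from urllib.request import Request

# Assumption: local policy, not an SAP setting. Roles this automation may grant.
ALLOWED_ROLES = {"Developer", "ReadOnly"}

def api_host(region):
    return f"https://api.{region}.hana.ondemand.com"

def token_request(region, client_id, client_secret):
    # Assumption: the OAuth client authenticates with HTTP Basic (ID:secret).
    cred = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    url = f"{api_host(region)}/oauth2/apitoken/v1?grant_type=client_credentials"
    return Request(url, method="POST", headers={"Authorization": f"Basic {cred}"})

def users_url(region, account, user_id=None):
    # Percent-encode path parts so an ID such as "a/../b" cannot change the path.
    url = (f"{api_host(region)}/authorization/v1/platform/accounts/"
           f"{quote(account, safe='')}/Users")
    return url + (f"/{quote(user_id, safe='')}" if user_id else "")

def scim_user(user_name, given, family, email, roles):
    # Reject the whole payload if it asks for any role outside the allowlist.
    denied = sorted(set(roles) - ALLOWED_ROLES)
    if denied:
        raise ValueError(f"roles not allowed for automated provisioning: {denied}")
    return {
        "schemas": ["urn:sap:cloud:scim:schemas:extension:custom:2.0:UserExt",
                    "urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": user_name,
        "name": {"familyName": family, "givenName": given},
        "emails": [{"value": email, "primary": True}],
        "roles": [{"value": r, "primary": False, "type": "Predefined"} for r in roles],
    }

def create_user_request(region, account, token, user):
    return Request(users_url(region, account), data=json.dumps(user).encode(),
                   method="POST",
                   headers={"Authorization": f"Bearer {token}",
                            "Content-Type": "application/scim+json"})

def user_request(method, region, account, token, user_id=None):
    # GET without user_id lists users; GET/DELETE with user_id targets one user.
    if method not in ("GET", "DELETE") or (method == "DELETE" and not user_id):
        raise ValueError("only GET, or DELETE with a user ID, is supported")
    return Request(users_url(region, account, user_id), method=method,
                   headers={"Authorization": f"Bearer {token}"})
```

Pass each `Request` to `urllib.request.urlopen` to send it; keep the client secret and the returned token out of logs and source control.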

Conclusion

The idea here is to cover only platform access provisioning and user management through the API.

We can make use of these APIs in scenarios where other cloud applications want to integrate and manage access provisioning with SAP CPI.

Exposing a customized service to consumers through iFlows restricts the available operations in a secure manner, rather than handing the APIs and OAuth details to the consumers directly.

You can also manage roles and groups for the platform users by consuming the Authorization Management REST APIs.

References

Authorization Management API

https://api.hana.ondemand.com/authorization/v1/documentation

Platform Authorization Management API:

https://help.sap.com/viewer/ea72206b834e4ace9cd834feed6c0e09/Cloud/en-US/eb01a9f3ecad4a41a6033855ca61a9a8.html

 

Hope this blog served its purpose !! Please do try to access these APIs and do let me know your thoughts.

 

Regards,

Prabhugoud Gogi
