Prabhugoud Gogi

Platform Authorization Management API - SAP Cloud Integration (CPI)

Introduction 

I can see that most customers are going for centralized identity management so that they can manage access provisioning and roles centrally for different cloud applications using APIs.

This can be implemented with the help of APIs over the SCIM protocol. In this blog I will discuss only SAP CPI (Cloud Process Integration) platform/tenant access provisioning and user management using APIs.

Pre-Requisite

You need SCP Cockpit access with the Administrator role to create an API client.

Implementation 

The OAuth 2.0 authentication mechanism is enabled for all the Platform Authorization Management APIs.

  1. To call the API methods you need an access token, so create an OAuth client.
  2. Make sure the “readAccountMembers” and “manageAccountMembers” scopes are assigned when creating the OAuth client.

To create the OAuth client, log on to the SCP Cockpit.

Make a note of the Client ID and Client Secret created in the above steps.

Get an access token with the API below:

URL: https://api.<region>.hana.ondemand.com/oauth2/apitoken/v1?grant_type=client_credentials

Method: POST

Platform API to get all users from the tenant/platform using API

URL: https://api.<Region>.hana.ondemand.com/authorization/v1/platform/accounts/<sub-account-name>/Users

Method: GET

Platform API to get specific user details from the tenant/platform using API

URL: https://api.<Region>.hana.ondemand.com/authorization/v1/platform/accounts/<sub-account-name>/Users/<user-id>

Method: GET

Platform API to add new user to the tenant/platform using API

URL: https://api.<Region>.hana.ondemand.com/authorization/v1/platform/accounts/<sub-account-name>/Users

Method: POST

Headers: Content-Type: application/scim+json

Body

Sample structure of a user:

You can also refer to the sample structure in SAP Help.

{
    "schemas": [
        "urn:sap:cloud:scim:schemas:extension:custom:2.0:UserExt",
        "urn:ietf:params:scim:schemas:core:2.0:User"
    ],
    "userName": "S0012345678",
    "name": {
        "familyName": "LastName",
        "givenName": "FirstName"
    },
    "emails": [
        {
            "value": "firstname.lastname@domain.com",
            "primary": true
        }
    ],
    "roles": [
        {
            "value": "Developer",
            "primary": false,
            "type": "Predefined"
        },
        {
            "value": "ReadOnly",
            "primary": false,
            "type": "Predefined"
        }
    ]
}

Platform API to Remove/Delete the user from tenant/platform using API

URL: https://api.<Region>.hana.ondemand.com/authorization/v1/platform/accounts/<sub-account-name>/Users/<user-id>

Method: DELETE

Conclusion

The idea is to cover only platform access provisioning and user management through the API.

We can make use of these APIs in scenarios where other cloud applications want to integrate and manage access provisioning with SAP CPI.

Offering consumers a customized service built with iFlows restricts the operations in a secure manner, rather than providing the APIs and OAuth details to the consumers directly.

You can also manage roles and groups for the platform users by consuming the Authorization Management REST APIs.
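
As an added example (not code from the original post or from SAP), the Python sketch below builds the token and Users requests listed above and puts a small gate in front of them, in the spirit of restricting operations rather than handing out the raw APIs. Assumptions: the client ID and secret are sent as HTTP Basic credentials, the access token is sent as a Bearer header, and the role allow-list and all function names are hypothetical.

```python
import base64
import json
import re
import urllib.request
from urllib.parse import quote

# Assumption: the only roles this provisioning service may hand out.
ALLOWED_ROLES = {"Developer", "ReadOnly"}
SAFE_NAME = re.compile(r"[A-Za-z0-9-]+")  # region and sub-account name

def api_root(region):
    """Host from the article's URLs, with the <region> placeholder validated."""
    if not SAFE_NAME.fullmatch(region):
        raise ValueError(f"unsafe region: {region!r}")
    return f"https://api.{region}.hana.ondemand.com"

def token_request(region, client_id, client_secret):
    """Token POST; credentials sent as HTTP Basic (assumption, not on the page)."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    url = api_root(region) + "/oauth2/apitoken/v1?grant_type=client_credentials"
    return urllib.request.Request(url, method="POST",
                                  headers={"Authorization": f"Basic {basic}"})

def scim_user(user_name, given, family, email, roles):
    """SCIM body in the article's shape; roles outside the allow-list are refused."""
    denied = sorted(set(roles) - ALLOWED_ROLES)
    if denied:
        raise PermissionError(f"roles not allowed: {denied}")
    return {
        "schemas": ["urn:sap:cloud:scim:schemas:extension:custom:2.0:UserExt",
                    "urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": user_name,
        "name": {"familyName": family, "givenName": given},
        "emails": [{"value": email, "primary": True}],
        "roles": [{"value": r, "primary": False, "type": "Predefined"} for r in roles],
    }

def user_request(method, region, account, token, user_id=None, body=None):
    """GET/POST/DELETE on the Users endpoints; user_id is kept to one path segment."""
    if not SAFE_NAME.fullmatch(account) or user_id in ("", ".", ".."):
        raise ValueError("unsafe account name or user id")
    url = f"{api_root(region)}/authorization/v1/platform/accounts/{account}/Users"
    if user_id is not None:
        url += "/" + quote(user_id, safe="")
    headers = {"Authorization": f"Bearer {token}"}
    data = json.dumps(body).encode() if body is not None else None
    if data is not None:
        headers["Content-Type"] = "application/scim+json"
    return urllib.request.Request(url, data=data, method=method, headers=headers)
```

Pass a returned request to urllib.request.urlopen to send it, and load the client secret from a secret store rather than from source code.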

References

Authorization Management API

https://api.hana.ondemand.com/authorization/v1/documentation

Platform Authorization Management API:

https://help.sap.com/viewer/ea72206b834e4ace9cd834feed6c0e09/Cloud/en-US/eb01a9f3ecad4a41a6033855ca61a9a8.html

Hope this blog served its purpose!! Please do try to access these APIs and let me know your thoughts.

Regards,

Prabhugoud Gogi

      7 Comments
      Rahul Yadav

      Nice Work Prabhu !!!
      Thanks for combining multiple resources in a single place.

      Prabhugoud Gogi
      Blog Post Author

      Thanks Rahul !!

      Niranjan Gattupalli

      Really helpful for my research. I have a few questions:

      1. Is it required to enable Cloud Foundry for the sub-account?
      2. Will it work for "Cloud Management Tools Feature Set A"?

      Prabhugoud Gogi
      Blog Post Author

      Hi Niranjan

      Thanks for your feedback!!

      1. There is no need to enable Cloud Foundry as we are only dealing with managing users of NEO sub-accounts.
      2. YES

      Regards,

      Prabhugoud Gogi

      Saurabh Saxena

      How to fetch application roles and their respective users? Which API should we use?

      Prabhugoud Gogi
      Blog Post Author

      Hi Saurabh,

      Please go through this Link where you can find all APIs related to Authorization Management.

      Regards,

      Prabhu

      Saurabh Saxena

      Hi,

      I am using

      DELETE /accounts/{accountName}/users/roles API

      from https://api.hana.ondemand.com/authorization/v1/documentation#accounts__accountName__users_roles_delete

      where I am passing userId and roles to remove roles from a user, but I am getting the exception below:

      { "code": "b2516eab-64e5-483b-a037-03dce00fb447", "description": "Parameter roles is required" }

      Can you please give the format for how this API can be used to remove roles from a specified user?