SAP Analytics Cloud User and Team Provisioning SCIM API Best Practices and Sample Scripts
Your one-stop shop for everything related to SAP Analytics Cloud SCIM API is here!
An essential blog for those:
- that have no interest in how the API works, you just want to use it to fulfil a function
- system administrators, system integrators or developers that need to understand how the API works, behaves and performs
I introduce two new articles:
- Sample Scripts
- Best Practices
What are the business benefits and use-cases?
For those using the standard user interface to create or manage your users:
- Automation. The scripts help to eliminate human errors in addition to saving considerable time performing multiple tasks. For example:
  - Creating users and adding them into multiple teams at the time of creation
  - Defining the users’ membership to multiple teams in one go (by either adding, removing or replacing those memberships)
  - Removing a user from all teams without having to first determine which teams the user is a member of. The standard interface doesn’t make this task so easy
- Remove limitations of the User Interface, for example:
  - They enable a team to have more than 4000 users
- Eases the administration of users with team-on-team management capabilities (copy team, add or remove a team to or from another etc.)
In addition to the above, and whilst using your own Identity Provider with ‘automatic user creation’ and ‘user attribute mapping to teams’ do assist with the above tasks, these sample scripts also enable:
- Further automation:
  - Updating a whole team of users at a time (for example updating all users of a team with a different BI license type or “active” status etc.)
  - Deleting users or a whole team of users at a time
  - Updating the users’ team membership so they receive publications sent to the team before they login (the user may miss a publication since SAML SSO only updates team membership at the time of login and not before)
- Improved user creation:
  - Enables correct user settings at time of user creation. Users can be created with non-default settings for language, date/time/number formats, saving all your users from changing these settings
  - Enables user creation with the user id of your choice rather than one determined by SAP (a common requirement for SAML SSO based on email or on ‘custom’). This is often needed to enable easier integration with other systems, typically access control security rights based on acquired data models from BW.
  - Enables user creation with a different user id compared to the SAML mapping property (userName). For example, creating a user with userid M_SHAW, but with a saml property M-SHAW.
- Automated Administration tasks such as:
  - Updating users’ SAML mapping property (‘email’ or ‘custom’). This can also be helpful for a project changing the SAML SSO mapping from ‘email’ to ‘custom’
  - Adding users not in a team, into a team
  - Adding users not in a team or a role, into a team
  - Delete users then delete managers avoiding the problem of not being able to delete a user that is a manager of another user
  - Assigning Managers that currently have a BI concurrent session licence to BI named license
  - Assigning a BI concurrent session license to any user that is disabled avoiding an unnecessary consumption of a ‘named user’ license
  - Changing the BI concurrent session license for all users, to a named user license. Ideal if you’re moving away from concurrent licenses.
  - Reassign users of a given manager to another
  - Swap a directly assigned role for a team role, so adopting best practice
  - Assign the correct settings for recently created users that currently have default settings
  - Deleting dormant users based on their lack of login activity and if they have no personal folder content, and did not create any public folder content.
- Enables a multitude of life-cycle management use-cases. For example, transporting users and their relationship to teams and roles from one SAP Analytics Cloud Service to another (this just isn’t possible without these samples).
  - SAP Analytics Cloud can transport teams and their relationships to roles and when it does so, it ‘adds’ the relationships. For many life-cycle management use-cases you often don’t want to ‘add’, but either ‘replace’ or simply ‘keep’ the existing relationships of the target. These samples support these other use-cases easing your management of security across your landscape.
- Service (tenant) migration use-cases when you’re moving or migrating from one SAP Analytics Cloud Service to another, for example migrating from NEO public to CF private. The samples can transport users* with their settings (of language, date/time/number formats etc.), unlike any user export/import provided by SAP Analytics Cloud.
For those that don’t need the sample scripts because you’re developing your own solution based off the SCIM API, then the best practices have everything and more you could ask for, from session and error management to sizing and performance. This article will dramatically accelerate your adoption and reduce your project risk.
Sample Scripts
I’ve created 51 sample scripts in Postman (called ‘Collections’ in Postman) that fulfil a whole range of functions related to the Analytics Cloud SCIM API:
SAP Analytics Cloud SCIM API Sample Scripts
These scripts allow you to perform a great number of user management operations and cover everything from creating users, updating users, performing team-on-team operations and even transporting users and teams from one SAP Analytics Cloud service to another!
I’ve designed these scripts to:
- be easily consumable (simple .csv files or .json files are needed)
- provide the very maximum throughput possible (of not only the Analytics Cloud API, but also of Postman)
- return a known result
Creating and updating users
There are some 18 scripts to create and update users! Why so many? Some just read a .csv file so that it’s super easy for you to use. Others need to read a .json file as they need to read an array (of teams for example). There are different ones depending upon what you’re doing, for example some are designed for greatest throughput for creating users, others for updating.
I designed these scripts to cover as many use-cases as possible. For example when updating users, the scripts read an ‘action’ so you can ‘add’, ‘remove’, ‘replace’ or just ‘keep’ the existing team and role assignment. (the scripts are versatile allowing you to use different actions for teams and roles)
creating or updating a user – actions on roles (left) and teams (right)
Updating users by team
Updating user properties requires an update to each user, but I often hear customers wishing to update a whole team of users. So, I provide scripts that read a team, and then update all members of that team. For example, script 451 will update the ‘Business Intelligence licence type’ for all users of a team. You’ll find a script for almost every purpose including updating: active status, manager, date/time/number format, language and many more.
Team-on-team
I frequently hear of customers wishing to add a team to another team. Whilst this isn’t technically possible, it hasn’t stopped me using the API to read a team and add all the users of one team to another. Thus, I have scripts that perform these ‘team-on-team’ operations. With the ‘actions’ idea taken to act across teams, it means you can even do things like remove a team from another, as well as perform ‘set’ operations on teams including ‘intersect’ and ‘exclude’:
Team-on-team actions (shown is for users, but roles are also possible)
Transporting users and teams
You can’t really transport a user from one SAP Analytics Cloud service to another. However that hasn’t stopped me using the API to read all the properties of a user and either create or update the same user in another Service! It means I have created scripts that basically transport a user, albeit without their personal folder.
Relationships transported between SAP Analytics Cloud Services
Not only do I transport the user, but I also transport all the relationships to roles and teams. My transport scripts are highly versatile allowing you to transport whatever relationship you’d like to or not. I’ve extended the ‘actions’ concept from earlier allowing you to perform ‘add’, ‘remove’, ‘replace’ or just ‘keep’ either the existing teams or roles as you please! This in turn means there are now more life-cycle use-cases supported (as the Service only performs an ‘add’ operation when it comes to transporting relationships)
And because I’m using the API, you can use my scripts to transport between NEO and Cloud Foundry (or any combination)
For all my sample scripts, if the team doesn’t exist, it will create one for you!
Getting started
These samples, provided ‘as is’, are available to download from today. Getting started couldn’t be easier! It will take a novice no more than 40 minutes.
I provide a comprehensive User Guide, an article and a webinar to introduce it all.
(Please also see the related blogs and videos for hands-on tutorials by HANA Academy)
Best Practices built-in
The scripts are designed with all the best practices, which means you don’t need to worry about sessions or error management. That’s all taken care of for you:
- Errors from the API are handled and automatic re-attempts will be made
  - This includes errors that are exceptionally rare
And the very maximum performance is provided. They are highly intelligent scripts, for example they will:
- only perform an update if one is actually needed
- determine the ‘net’ change to a team, and only make the necessary changes
- batch requests together so as to optimise team updates
- even include automatic and dynamic self-tuning for updating teams by batching and chunking updates!
Demo
If you’d like to cut to the chase and see the scripts in action – preview or download
Best Practices
For those that need to understand more about the API then my article on the Best Practices covers everything!
My article is almost a training course on the API and provides practice examples covering things like session management and the basic things like creating or updating users and teams.
Managing errors on a create update workflow
I dive into the detail of combining the ‘create’ and ‘update’ workflow to help illustrate where care is needed around the API. For example, how to recover from a 409 or a 502 response. I answer questions like “is it safe to resubmit a POST /Users (create user)?”
I’ve done all the thinking for you, so you don’t need to necessarily work it out for yourself or learn from your mistakes. I’ve covered the lot including helping you to identify when there might be an error, even very rare errors, and how to resolve them to a known result.
I take a very close look at the different workflows to achieve a particular task and share with you how to get the very maximum throughput possible. For example:
| Activity or action | Workflow (not optimised) | Optimised workflow |
|---|---|---|
| Creating 500 users and adding each user into 3 teams | 1 hour 15 mins | 20 mins |
| Updating 500 users | 25 mins 4 seconds | 10 mins 13 secs |
| Updating 500 users and removing each user from 3 teams, and adding each user into 3 different teams | 3 hours 37 mins | 27 mins |
| Adding 500 users into a team | 13 minutes | 13 seconds |
Updating teams can be particularly challenging when the membership is over 5000 and the total number of users registered is over 10,000. I share with you how to achieve the maximum throughput and reliability for adding 32767 users into a team on a service with 80000 users registered in it:
No one wants a surprise and so even if you’ve already implemented a solution using the API, you should find my article useful especially as user volumes increase
Performance
Both my articles provide comprehensive information.
The Best Practices article provides, for every endpoint, the performance of the API for both an empty service and one with 80000 users registered in it. Here’s one example:
And the samples article provides information on the throughput of the script, including its overhead expressed as a percentage and shown in (brackets). Here’s one example:
Articles & downloads
Your complete list of resources is summarised here:
Sample Scripts
- Sample Scripts Presentation (version 1.0.2 – October 2021): Wiki, Preview PPT, Download PPT; Webinar (1h 38 mins): .mp4 Preview, .mp4 Download
- Sample Scripts Demo: .mp4 Preview, .mp4 Download
- Sample Scripts User Guide (version 0.8 – November 2023): .pdf Download, .pdf Preview
- Samples (the code) (version 0.8 – November 2023): Github (zip download), Change log
Best Practices
- Best Practices Presentation (version 1.0.2 – August 2021): Wiki, Preview PPT, Download PPT; Webinar (1h 50mins): .mp4 Preview, .mp4 Download
Blog posts referencing this blog post
- SAP Analytics Cloud – SAP SuccessFactors Import Model Security Use Case by Mohamed EZZAT
- Getting started with SAP Analytics Cloud, Embedded Edition (BTP service) by Alexey Dugarov
- SAP Analytics Cloud Embedded Edition | SAP Business Technology Platform | Hands-on Video Tutorials by Denys van Kempen
- SAP Analytics Cloud User and Team Provisioning API | Hands-on Video Tutorials by Denys van Kempen
- Making manually created SAP Analytics Cloud Teams readable by the SCIM API by Matthew Shaw
- Sample Scripts Update v0.6 – what’s new by Matthew Shaw
- Removing Concurrent Session licenses and other updates around managing licenses with roles and teams by Matthew Shaw
- SAP Analytics Cloud Embedded Edition Best Practices & Sample Scripts for Administration by Matthew Shaw
- Sample Scripts Update v0.7 – what’s new by Matthew Shaw
- SAP Analytics Cloud SCIM API version 1 and 2 high-level comparison by Matthew Shaw
- SAP Analytics Cloud – Managing dormant users by Matthew Shaw
- Sample Scripts Update v0.8 – what’s new by Matthew Shaw
Feedback
I’ve invested a great deal of time and effort into these materials and so your feedback is very welcome and will help judge if I should continue to create these kinds of resources.
Please do:
- Comment if you use these resources in any way (or if you’re shy, just hit the like button!)
- Share which sample scripts you’ve used. Other customers would love to hear if you’ve used the scripts. It will give them a sense of how reliable they are! 😉
- Share your experience of adopting the best practices, for example by how much did you improve your scripts’ performance, or did you resolve a rare error?
- Share how much time you saved because of these resources, would you have been as successful without them?
Before posting any questions please:
- Do read the contents of both articles (or watch the videos). There’s a massive amount of content in each. I appreciate you may not have the time to read or watch them all. If you’re looking for a quick answer and don’t have the time, feel free to post a question to the community rather than here, it will help keep the number of questions here reduced and it will help others find answers easier (than searching this blog’s Q and A). You can always ‘@tag’ me in your post so I get a notification, and you can always post a link to your question from a comment to this blog if you think that might help others.
- If you’ve got a question about the sample scripts, make sure you’ve read the User Guide! Some of the sample scripts are highly versatile and support a great number of use-cases, so I can imagine a few good discussions here about that.
Feel free to follow this blog post for updates and also follow the wiki pages for updates there too. I’ll update the version numbers in this blog post when there’s one.
Many thanks
Matthew Shaw @MattShaw_on_BI
https://people.sap.com/matthew.shaw/#content:blogposts
How to connect SAC with SCIM ?
You can use the SCIM Connector: https://help.sap.com/viewer/97ae2202f05940a19211f9c5174a971c/8.0/en-US/84015e848b904e1aad1dad4a92887293.html
You can also use SAP Intelligent RPA: SAP RPA 2.0: Use SAP Analytics Cloud REST API with SAP Intelligent RPA – Automations
Hi Matthew,
Excellent, thank you very much for sharing the scripts and a demo!!
Thanks,
Shailu.
Awesome article!
When the API is used to delete a user from SAC, do we need to provide a surrogate user for the to-be-deleted user's resources? Or is admin the default surrogate user?
From UI you cannot delete without mentioning the user to which resources will be transferred. Does API enforce the same?
Hi Nilesh Salpe ,
By default it's Admin as default surrogate user.
Thanks,
Shailu.
Is there any API for downloading / deleting the Activity logs (Security - Activities). This will be very helpful to cleanup the logs by automating with the help of API.
Hello Narendra
There's currently no API for that, but what a great idea. Please submit the idea at https://influence.sap.com/sap/ino/#/campaign/884 or like an existing one. Regards, Matthew
Ooo! I got a mention: https://blogs.sap.com/2021/07/01/quarterly-code-sample-roundup-summer-edition/
Matthew Shaw Many thanks for your awesome blog post. But unfortunately I cannot access the Sample Scripts User guide. I do not have access to the dam.sap.com. Even not as a partner. Perhaps you can set it to public. I struggled setting up the Postman without a guide. Many thanks
Hi Peter
The user guide is already a public asset (always has been). Perhaps if you could try with a different browser? Many thanks Matthew
Absolutely great piece of work and very extensive!
Thank you Matthew!
Now that we learned SCIM for User Provisioning, are there perhaps also some examples for the other API's that are listed in SAP Analytics Cloud OAuth Access types like 'Modelling', 'Resource Permissions', etc.? Resource (Folder) permissions would be a nice one to complement SCIM.
Hello Jef,
Many thanks for your feedback.
Great minds think alike! I agree! 😉 Which would you vote for first? Many thanks, Matthew
I'd vote for the Resource Permissions, such that we can learn how to manage all permissions using API's, for example Team/Folder assignments, Sharing to Teams into the catalog, etc. Today it's too much manual work.
On second place: Content Network.
Wondering if that is the way to setup some kind of CI/CD pipeline.
Also wondering if there is any documentation, examples & support for other endpoints like
/sap/fpa/services/rest/fpa/dataintegration as described in this blog
Hi Matthew Shaw, is there anything in the works already?
Otherwise we'll have to explore these ourselves from scratch... 🙂
Hello Jef, nothing in the works yet, but I do hope to start on that sometime perhaps later this year. I'm currently writing the user guide for my Embedded Edition Administration Best Practices and Sample Scripts. So that's the next one to come out soon, Regards Matthew
Hello Matthew,
We had a set of Teams that were created manually (not using the API). I had tried using the API to delete the Teams. However the API does not allow teams to be deleted if they were created manually. I had created Teams through the API which now has 2 records as shown in picture.
The issue we are facing is how do we delete 500 teams that were created manually without affecting the Teams that were created from API through Postman, as both teams have identical names as shown in picture. The record that was created manually has the user id under the "created" and "last changed by" attribute tab.
Wondering if there is anything in cloud that can toggle
Hello customer,
It's expected that teams created manually can not be managed via the API. The User Guide (around page 27) and the presentation cover this in 'Prerequisites for using Teams'.
So you have to delete those teams via the user interface. I don't think it's too much effort, just sort by 'created date' or 'last changed by' making it easier to select the teams you want to delete, and then just press the delete button. Should only take a few minutes.
For next time, please consider posting your question to the community site. Only the search and question/answer feature doesn't work in blog post comments. It will then help others find the answer without having to look in blog post comments. You can always @tag me in a question. Many thanks 😉
All the best, Matthew
Hi Matthew,
unfortunately, I do not have access to the User Guide PDF (It looks that you do not have access to the requested resource.).
Can I get it from somewhere else?
Best regards.
Oliver
Hello Oliver
Please try again using an incognito window and/or a different browser. That should resolve your problem. Regards Matthew
Hi Matthew,
also incognito/different browser did not work. I'm asked to log in via Universal ID, and there I got the message from above.
Doesn't matter, meanwhile I got another link from the support which works ... 🙂
Best Regards.
Oliver
Hi Oliver
Many thanks for posting back. I'm pleased you got it to work and I'm sorry you've had problems. I've checked with the support team that support the digital library and somehow I published the wrong URL (a URL that would only work for SAP employees!). We have no clue how I managed to get this link, because it seems impossible to generate it again. So, I've updated the direct download link here, in the wiki and in PPT. Hopefully that will resolve the problem completely! (famous last words!) Sorry again for this.
All the best Matthew
I've just published a new 'AdminToolKit' sample to GitHub!
The AdminToolKit (sample 665) is a very versatile script that creates teams for different types of users (e.g. users without a team)
Thought I'd share the news here for you to play before I update the documentation next week. But it should be easy enough to use with all the sample data files I've shared:
Stay tuned for the documentation!
Matthew
Sorry the documentation took a little longer to get out. The delay was because I added support for additional use-cases. If you used this earlier version of sample script 665, please delete it and the associated sample data files. The new version is shinier, comes with a few bug fixes and supports more use-cases. Please see my what's new v0.6 blog for more.
Many thanks, Matthew
Hello Matthew,
Thank you very much for the excellent and very informative blog .
I have a query on the Get request.
I tried to call the below Get API and got 200 OK response with Basic Auth . In the response I can see some <head> <link> and <script> </head> between <html> and </html> . I don't see any <body> or the list of Teams which are extracted from the server . Please point out on where can that information be found in the response? - or is it because the teams were created manually ?
Get all SAC teams: https://<SAC.TenantId>.<region>.hcs.cloud.sap/api/v1/scim/Groups
Also when I choose the headers "x-sap-sac-custom-auth" = true and "x-csrf-token" = fetch I'm getting internal server error. If I deselect them, it's 200 OK. Not sure whether the response body is missing due to any of these headers.
Is it possible to extract all the teams with user mapping from SAC via API ?
Also is it possible to extract the roles (with content also) via SAC API ?
Thanks and Regards
Sri.
Hello Sri
What client tool are you using?
Are you using the Postman Sample Scripts that I've provided?
Even if you're not using Postman, have you looked at the code I've shared? The code will call almost every SCIM API endpoint and provides a wonderful example for you to use or copy. It also captures all the best practices for making the call including how to handle the response.
I get the impression you might need to review the best practices article this blog refers to? I'm not so sure you've read it that carefully? There's a video too of me presenting it if you'd prefer that.
Seems to me, though, your response body contains content because you're calling a web page and not the API, certainly if you're getting html mark-up, then it's the wrong endpoint and you're seeing html mark-up!
I'm not sure what you mean by "Is it possible to extract all the teams with user mapping from SAC via API ?" The /Groups endpoint will return all the teams (samples 654 provides an example of this endpoint and how to handle the paging) Did you look at that? The User Guide I provide explains all the samples and will help you identify which sample script best suits your use-case, even if you don't use Postman, the code and the detailed User Guide documentation provides almost all the details you'll ever want to know. The /Users/UserID endpoint will return the roles and teams a user is a member of, again this is covered in the Best Practices.
"Also is it possible to extract the roles (with content also) via SAC API ?" So my best practices covers this, but again it depends what you mean by "extract the roles".
As I mentioned in the blog:
Before posting any questions please:
Do read the contents of both articles (or watch the videos). There’s a massive amount of content in each. I appreciate you may not have the time to read or watch them all. If you’re looking for a quick answer and don’t have the time, feel free to post a question to the community rather than here, it will help keep the number of questions here reduced and it will help others find answers easier (than searching this blog’s Q and A). You can always ‘@tag’ me in your post so I get a notification, and you can always post a link to your question from a comment to this blog if you think that might help others.
Many thanks
Matthew
Hello Matthew,
Many thanks for the response.
Today , extracting teams and users with /Groups and /Users end point returned me successful result (with the list of teams or users) after trying with new access token and by adding one more header "Content type" as application/json referring one of your Get request headers. ( I did not add content type in my headers earlier) . I also got the csrf token in the response header.
Please find my response below.
Tool Used : Postman.
Are you using the Postman Sample Scripts that I've provided? : Not yet . I have downloaded them .Since I was looking for only Get API - I was trying just with the Get API with end point /Groups . However , I'm going through the videos and help documents that you have given here and will try them.
Teams extract - working fine now.
Roles extract - By that I meant to get the SAC roles with all its permissions/model security. I know that we can export the role today as a tar file from the UI, but was wondering whether it's possible via API. If it's covered in your help documents, I will get to that. :)
Again, thank you but I'm not sure whether I shall move this question chain into the community now ,however I will do that in future and tag you where required.
Best Regards
Sri
For those that use the SAP Analytics Cloud Embedded Edition. I've just published a load of sample scripts to https://github.com/SAP-samples/analytics-cloud-scim-api-samples/tree/main/Embedded This includes an environment, 18 new sample scripts (collections in Postman) and a bunch of sample data files to match. These are currently undocumented, but with the example data files you should be able to work out how most of them work. Still, wait a bit for a documentation update. Feel free to use and test this 'early' version. Expect a blog to follow to explain it a bit more too.
These new sample scripts provide the ability to perform administration tasks including:
Hi Matthew, thanks for sharing. My requirement is very simple, to get list of all users and their teams. Using the URL https://<tenant URL>/api/v1/scim/Users I only get the first 50 users, but SAC has 190. How can I get all the users?
Thanks,
Liliana
Hello Liliana,
You need to page the results in 200 at a time. 200 is the max page size.
Sample script 665 is a working example of how to read all the users in your SAP Analytics Cloud Service. It will page the results 200 at a time.
The User Guide and the comments in the sample code have more details.
Regards, Matthew
Thanks Matthew, after reading sample 665 I was able to get all the users (210) with these two URLs:
https://<tenant URL>/api/v1/scim/Users/?startIndex=1&count=200
https://<tenant URL>/api/v1/scim/Users/?startIndex=201&count=200
Regards,
Liliana
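The paging exchange in this thread, as an added example (not part of the original comments or of the sample scripts): a transport-independent pager for the /Users endpoint that requests 200 users at a time and checks the result against the standard SCIM ListResponse fields totalResults and Resources. The function names, the stub tenant and its 210 users are constructed for illustration.

```javascript
// Added example: pager for GET /api/v1/scim/Users/ that is independent of the HTTP client,
// so it can be driven from Postman, newman or any other script.
const MAX_PAGE_SIZE = 200; // maximum page size stated in the thread

function createUserPager(basePath = "/api/v1/scim/Users/", pageSize = MAX_PAGE_SIZE) {
  const count = Math.min(Math.max(1, pageSize), MAX_PAGE_SIZE);
  const seen = new Map(); // id -> user, so a user repeated across pages is counted once
  let startIndex = 1;     // SCIM paging is 1-based
  let total = null;       // unknown until the first response arrives
  let done = false;

  return {
    // URL of the next request, or null once every page has been read.
    nextUrl() {
      return done ? null : `${basePath}?startIndex=${startIndex}&count=${count}`;
    },
    // Feed in the parsed JSON body returned for nextUrl().
    accept(listResponse) {
      if (done) throw new Error("pager already finished");
      const resources = listResponse.Resources || [];
      total = listResponse.totalResults;
      if (!Number.isInteger(total) || total < 0) throw new Error("missing totalResults");
      for (const user of resources) seen.set(user.id, user);
      // Advance by what was actually returned: a service may return fewer than requested.
      startIndex += resources.length;
      // Stop after the last page, or on an empty page so the loop cannot run forever.
      done = startIndex > total || resources.length === 0;
    },
    users() {
      return [...seen.values()];
    },
    // True only when the number of distinct users equals what the service reported.
    isComplete() {
      return done && seen.size === total;
    },
  };
}

// Constructed stand-in for a tenant: holds `total` users and never returns more than
// `cap` per page. The default of 50 mirrors what the commenter saw without paging.
function makeStubTenant(total, cap) {
  const all = Array.from({ length: total }, (_, i) => ({ id: `USER${i + 1}`, userName: `user${i + 1}` }));
  return function get(url) {
    const query = new URLSearchParams(url.split("?")[1] || "");
    const start = Number(query.get("startIndex") || 1);
    const count = Math.min(Number(query.get("count") || 50), cap);
    const page = all.slice(start - 1, start - 1 + count);
    return { totalResults: total, startIndex: start, itemsPerPage: page.length, Resources: page };
  };
}

// Drives the pager to the end and reports which requests were needed.
function readAllUsers(get, pageSize) {
  const pager = createUserPager("/api/v1/scim/Users/", pageSize);
  const requests = [];
  for (let url = pager.nextUrl(); url !== null; url = pager.nextUrl()) {
    requests.push(url);
    pager.accept(get(url));
  }
  return { requests, users: pager.users(), complete: pager.isComplete() };
}

{
  const result = readAllUsers(makeStubTenant(210, 200), 200);
  console.log(result.requests, result.users.length, result.complete);
}
```

An export that feeds an access review should only be trusted when `complete` is true; a single unpaged request would silently cover a fraction of the accounts.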
Hi Matthew Shaw is there any support planned soon for the SCIM API to handle SAC Workspaces?
Hello Jef,
No, not as far as I'm aware. I believe the next thing for SCIM is support for the PATCH to the /Users and I think also /Groups endpoints. Roadmap is published, but I can't see the SCIM API mentioned at the moment. Regards, Matthew
Dear Matthew Shaw , Experts,
We are provisioning users to SAC via SAP IPS, require some expert advise on the below.
Both of them requires user schema update, facing issue with exact syntax.
Appreciate support on the same.
Regards,
Selva
I had got this resolved with below mapping , posting here for reference.
{
"optional": true,
"targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:user-custom-parameters:1.0']['isConcurrent']",
"constant": "true"
}
Regards,
Selva
I've just made 4 bug fixes to sample script 983 (transports teams from one SAC service to another)
I've also just published a new sample 601: this lists all your teams. I'll update the documentation later, but thought I'd share the update.
Feel free to also follow the code wiki for updates
I've found a problem with pretty much all my samples when it comes to the NEO platform. It seems you HAVE to run the test scripts beforehand or you'll get a load of errors. So, I need to update the samples for the NEO, so you don't need to run the test scripts beforehand. It won't be my top priority for the moment, so just wanted to share this news for now.
If you're on Cloud Foundry then this isn't an issue at all. Carry on, nothing to see here!
I've worked out the problem, there appears to be an issue with the SAC API on NEO. It's actually very simple! When the accesstoken is empty the response code is not what is expected. To solve this, just use a dummy value for the accesstoken. I've now updated the template environments with a dummy value for the access token. It means, if you're on NEO, and you use the updated environment template, then you do NOT need to run the test scripts before other scripts.
If you are on NEO and you want to use newman, then either: A) use the new environment template that has a dummy value for the accesstoken, or B) press the 'Persist' button for the environment you already have before exporting it.
This simple thing means no code changes are required to the samples 🙂
Wiki updated
Hi Matthew Shaw - I have a question on team provisioning - We would like to assign team to user account without listing all the users in groups - Is it possible ? As we plan to integrate our IDM solution using API's - Its a risk if we need to load all users along with new account being requested for a team ? Please advice if this is possible - if yes - how ?
Hello Deepak
Thanks for your question, but it's a little unclear. So I hope it's ok if I rephrase it a little. I think you're asking this question:
Q. Can I add a user to a team using the /Groups/TEAMID endpoint without the need to perform a GET /Groups/TEAMID beforehand?
A. Well, yes and no. Take a look at my Best Practices article about integrating this API with provisioning solutions. You can just use the PUT method to /Groups/TEAMID but when you do, you have to specify all the users that should be in that team, otherwise they will be removed (you also have to specify the roles the team is a member of too). So you can just use a PUT without the GET beforehand (which would then list all current members of the team and the roles the team is a member of), but your source system needs to know all the users of that team (and what roles that team should be a member of).
Most, though not all, provisioning solutions really want to use the PATCH method to just add a user to a team. Today this API doesn't support that, but it is planned. In fact the SAC SCIM API v2 is currently in beta. You could ask Product Support to see if you could be a beta customer, and then you could use the PATCH method to just add a user to a team, without the need to specify the other users (or roles) that form that team. The PATCH is planned for both the /Groups/TEAMID and the /Users/USERID endpoints.
There's a lot of customers keen as mustard to use the SCIM v2 that supports this PATCH method, so stay tuned for updates.
Hope this answers your question.
All the best, Matthew
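The read-modify-write pattern described in the answer above, as an added example (not from the original post or the sample scripts): the PUT body is built from the GET response so existing members and roles are carried over, and a pre-flight check reports what a PUT would remove. The team object, its IDs, the `roles` property name and the `applyPut` server model are constructed assumptions; `members`/`value` follow the SCIM core Group schema.

```javascript
// Added example: add one user to a team via PUT /Groups/TEAMID without
// silently removing the members and roles that are already there.

// Constructed sample of a GET /api/v1/scim/Groups/FINANCE response.
// IDs and the "roles" property name are assumptions for illustration.
const currentTeam = {
  schemas: ["urn:ietf:params:scim:schemas:core:2.0:Group"],
  id: "FINANCE",
  displayName: "Finance",
  members: [
    { value: "ALICE", type: "User" },
    { value: "BOB", type: "User" },
  ],
  roles: ["ROLE_BI_VIEWER"],
};

// Model of the PUT semantics described above: the stored team becomes exactly
// what the body lists; members or roles that are not listed are gone.
function applyPut(body) {
  return {
    ...body,
    members: (body.members || []).map((m) => ({ ...m })),
    roles: [...(body.roles || [])],
  };
}

// Risky: a body that names only the user being added.
function naiveAddBody(team, userId) {
  return {
    schemas: team.schemas,
    id: team.id,
    displayName: team.displayName,
    members: [{ value: userId, type: "User" }],
  };
}

// Safe: start from the GET response and append the user if not present.
// Every other property of the team (roles included) is carried over as-is.
function mergedAddBody(team, userId) {
  const members = (team.members || []).map((m) => ({ ...m }));
  if (!members.some((m) => m.value === userId)) {
    members.push({ value: userId, type: "User" });
  }
  return { ...team, members };
}

// Pre-flight check: what would this PUT remove from the team as it is now?
// A provisioning job can refuse to send a body that removes anything it did
// not explicitly intend to remove.
function removedByPut(team, body) {
  const keptMembers = new Set((body.members || []).map((m) => m.value));
  const keptRoles = new Set(body.roles || []);
  return {
    members: (team.members || [])
      .map((m) => m.value)
      .filter((v) => !keptMembers.has(v)),
    roles: (team.roles || []).filter((r) => !keptRoles.has(r)),
  };
}
```

If the source system is not the authority for a team's full membership, run the `removedByPut` check between the GET and the PUT and abort when it reports anything unexpected.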
Thanks much Matthew, This is exactly I was looking for.
Question question - You said there is a SCIM API V2 which is in beta, If I would like to be Beta customer - What that would mean - Would this only be beta version for SCIM API V2 alone or beta version will be application to our whole SAC system as such ?
Is there anywhere I can read more details or share link while reaching out to our account manager from SAP to connect us with product support ?
Hello Deepak
The Beta would be just for the SCIM API, not for anything else. I'm sorry I don't know much about the Beta Program, but you're right please ask your account manager and/or Product Support if SAP can consider you for the Beta of SCIM API v2.
(please note this is the v2 of the SAC API. The existing SAC API v1 is already SCIM v2.0 compliant)
Hope this helps, Matthew
Matthew Shaw @MattShaw_on_BI We checked with SAP and tested API end points - api/v1/scim2/Users - Seems new end points are also not enabling us to assign a team directly to user account.
/scim2/Users/<ID> | SAP Help Portal
Any feedback as how I can make it work ?
Regards
Deepak
Hello Deepak,
Which method are you using POST or PUT or PATCH please?
The thing with the v2 is you need to specify the UUID of the team, not the "teamID" we use for v1.
V1 you specify the teamID (or team name, same thing), V2 you specify the team UUID.
Thanks, Matthew
Thanks for your revert Matthew Shaw @MattShaw_on_BI
I tried using both the PUT and PATCH methods on the Users end point for assigning a team - But it didn't work.
But when i use SCIM2 end point for assigning team to user via Teams end point - it works as same with V1 API end point.
Hello Matthew,
First of all, thank you for such an informative blog. It's very helpful.
I had a question on the PATCH capability of the SCIM API for SAP Analytics Cloud.
As per documentation , it is available https://help.sap.com/docs/SAP_ANALYTICS_CLOUD/14cac91febef464dbb1efce20e3f1613/6e4a269898b14165883650826e5bbafb.html
But I am not able to get it to work. Whatever information I pass in the body, the system returns 400 Bad Request: Request is Unparsable.
Is there any sample documentation for Patch Requests to update user profile data / Update team Team/Role membership of a user?
Looking forward for a reply. Thanks
Regards
Arjun
Hello Arjun,
Many thanks for your feedback. I'm pleased the resources I've created and shared are helpful.
However, I can also see, that they need enhancing so to demonstrate the new PATCH request that was introduced in Feb2023 (Q1 QRC).
Rest assured, I have this in my list of things to do. For the meantime, you'll need to rely on the documentation. The important thing to remember when using scim2 is everything is done on UUIDs, not user IDs or Team IDs, otherwise you'll get a 400 response status.
All the best, Matthew
I'm receiving a number of reports from customers that the SCIM API has suddenly stopped working. Whilst I'll leave you to log a support incident with SAP Support, please do feel free to apply the 'fix' which is super easy.
The problem is related to reading/updating or deleting teams (GET/PUT/DELETE) to the /Groups/TEAMID endpoint.
Once you enable a new feature that can be found in the SAP Analytics Cloud User Interface via Menu-Admin-SystemConfig-Ignore Content Namespace for Teams this issue will disappear.
If you find this comment handy, hit the like button. It will be helpful for me to know how many have been affected.
All the best, Matthew
hi Matthew
thank you very much! We should have checked your blogs earlier 😉
Is it worth to open an incident or is that fix also the sustainable solution? 🙂
Best regards
Paul
Hi Paul
Please log a support incident as, for me, that isn't expected. I don't think you should need to make a change to keep it working. Though you have a solution here, I still think it's fair to ask for an explanation.
All the best Matthew
A nice little update with the SAP Analytics Cloud SCIM API: The DELETE method on users endpoint /api/v1/scim/Users/USERID now transfers the ownership of content to the System Owner. Personal content is also moved to the System Owners personal folder. (my PPT and wiki updated to reflect this)
Nice indeed Matthew Shaw! Is it directly available?
Kind regards,
Martijn van Foeken | Interdobs
Hi Martijn, available now (at least it is for me on the Fast Track wave 2022.22). I'm checking to see what, if any, gaps there are in the transfer of ownership. Regards, Matthew
[update 3 Nov 2022: Available since at least 2022 Q2 :-)]
Hi Matthew,
Ok, great. And as always we can rely on you sharing sample scripts, right ;-)?
Kind regards,
Martijn van Foeken | Interdobs
Hi Martijn,
So no special API request needed, the regular DELETE method on a user endpoint will do the job. Existing sample scripts that delete users (by user, or by team of users) require no updates, they all benefit from the backend API improvements. Cool hey! All the best Matthew
Hi Matthew,
We are facing issues while creating/updating accounts for SAC from SailPoint using Java code
Here are our observations:
1. Here is the URL used for account creation, which works fine using Postman
POST https://<Subaccount>.hcs.cloud.sap/api/v1/scim/Users
2. We implemented the similar logic through Java code from SailPoint; it failed with a 403 Forbidden error as below.
{
"timestamp": "2022-12-14T12:35:11.731+00:00",
"status": 403,
"error": "Forbidden",
"path": "/api/v1/scim/Users"
}
It seems the x-csrf-token which we are generating via SailPoint is not working and hence the 403 error is coming - Can you please advise how we can make it work?
As of now, we are trying to include cookies for JSESSIONID=<sessionId>; __VCAP_ID__=<vcapid> in the modify operation by taking the values from get all users API. It gave the similar error as of now, which we are debugging still.
Hello Deepak
The 403 will be because the x-csrf-token is not valid for the related accesstoken session. It means you can't just use an x-csrf-token from another session and re-use it. The x-csrf-token needs to be 'fetch'ed using a GET request. You can use the /api/v1/scim/Users as you've mentioned and is in the documentation, though I prefer /api/v1/csrf as it's much quicker and has no response body.
I'm guessing this is what's wrong with your code. Let us know, Matthew
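The session binding described in the reply above, as an added example (not from the original post or the sample scripts): a small client that fetches the x-csrf-token with a GET in the same session it later writes with, shown against a token copied from another session. `makeFakeSac`, `ScimSession`, the cookie and token values are constructed assumptions so the flow runs offline; the `x-csrf-token: fetch` request header is the usual SAP convention and is assumed here.

```javascript
// Added example: a CSRF token is only valid for the session that fetched it.
// makeFakeSac() is a constructed in-memory stand-in for the tenant.
function makeFakeSac() {
  const csrfBySession = new Map(); // session id -> CSRF token issued to it
  let counter = 0;
  return async function send(req) {
    if (!req.headers.authorization) return { status: 401, headers: {}, body: null };
    const headers = {};
    // Find the caller's session from its cookie, or start a new one.
    const match = /JSESSIONID=([^;]+)/.exec(req.headers.cookie || "");
    let sid = match ? match[1] : null;
    if (!sid || !csrfBySession.has(sid)) {
      sid = `sess-${++counter}`;
      csrfBySession.set(sid, null);
      headers["set-cookie"] = `JSESSIONID=${sid}; Path=/; Secure; HttpOnly`;
    }
    if (req.method === "GET") {
      if (req.headers["x-csrf-token"] === "fetch") {
        const token = `csrf-${++counter}`;
        csrfBySession.set(sid, token);
        headers["x-csrf-token"] = token;
      }
      return { status: 200, headers, body: null };
    }
    // Writes are rejected unless the token is the one issued to this session.
    const expected = csrfBySession.get(sid);
    if (!expected || req.headers["x-csrf-token"] !== expected) {
      return { status: 403, headers, body: { status: 403, error: "Forbidden", path: req.path } };
    }
    return { status: 201, headers, body: req.body };
  };
}

// Hypothetical client: keeps the access token, session cookie and CSRF token
// together so they can never be mixed across sessions.
class ScimSession {
  constructor(send, accessToken) {
    this.send = send;
    this.accessToken = accessToken;
    this.cookie = null;
    this.csrf = null;
  }
  async request(method, path, body, extraHeaders = {}) {
    const headers = { authorization: `Bearer ${this.accessToken}`, ...extraHeaders };
    if (this.cookie) headers.cookie = this.cookie;
    const res = await this.send({ method, path, headers, body });
    if (res.headers["set-cookie"]) this.cookie = res.headers["set-cookie"].split(";")[0];
    return res;
  }
  async fetchCsrf() {
    const res = await this.request("GET", "/api/v1/csrf", undefined, { "x-csrf-token": "fetch" });
    this.csrf = res.headers["x-csrf-token"];
    return this.csrf;
  }
  async write(method, path, body) {
    if (!this.csrf) await this.fetchCsrf();
    const attempt = () =>
      this.request(method, path, body, { "x-csrf-token": this.csrf, "content-type": "application/json" });
    let res = await attempt();
    if (res.status === 403) {
      // The token may have expired with the session: fetch once and retry.
      await this.fetchCsrf();
      res = await attempt();
    }
    return res;
  }
}

async function demoCsrf() {
  const send = makeFakeSac();
  const newUser = { schemas: ["urn:ietf:params:scim:schemas:core:2.0:User"], userName: "CAROL" };
  const a = new ScimSession(send, "token-A");
  const tokenA = await a.fetchCsrf();
  const b = new ScimSession(send, "token-B");
  // Token copied from session A into session B: rejected.
  const reused = await b.request("POST", "/api/v1/scim/Users", newUser, { "x-csrf-token": tokenA });
  // Token fetched by session B itself: accepted.
  const fresh = await b.write("POST", "/api/v1/scim/Users", newUser);
  return { tokenA, tokenB: b.csrf, reusedStatus: reused.status, freshStatus: fresh.status };
}
```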
Thanks Matthew, it worked.
We encountered a new issue now - In SAC to enable SSO we are using Custom SAML User Mapping as our email addresses in the IDP are not case sensitive.
While using the create user API - I don't see any option of passing the Custom SAML user mapping attribute - Can you please advise how we can update this using the API?
Regards
Deepak
Hi Deepak
For the short term you can't (when SAML SSO=email or SAML SSO=custom) create a user with a different userName (SAML mapping) property than the userid. My scripts provide a workaround to this problem by creating the user with the wrong email or wrong custom id, before then updating it to the right one.
My user guide has it all, but I introduced this support for my samples in https://blogs.sap.com/2022/05/12/sap-analytics-cloud-user-and-team-provisioning-scim-api-sample-scripts-update-v0.7-whats-new/
Having said all this, I would advise against using email as the SAML mapping. I need to write a blog on this whole topic, as there's a lot to this. But in a very few words: userID is the best way to set SAML mapping. Just because the user may authenticate with their email doesn't mean the SAML mapping needs to be email, it really doesn't. Using email or custom means the userid generated (unless you're using my scripts) will create the user with a derived userid and not necessarily the one you want. The userid is seen within the user interface and is used for data access restrictions, so it's often needed to be something you tell SAC, not SAC tells you, it should be!
My samples also include scripts that update the SAML mapping property and you can identify the user by userid, email or existing saml mapping (which would also be their email if the email is the SAML mapping property).
The next version of the SCIM API for SAC will help with these issues, and I hope to write a blog soon on that too!
Hope this helps
Matthew
Hi Matthew,
Many thanks for your revert, we were able to implement your suggested logic to use the wrong email address and then update later with the correct one.
One question - You mentioned that we shall always use user ID as the SAML attribute. In our case we are using Azure AD for authentication and using user ID won't work as in our setup we don't have the SAMACCOUNTNAME attribute in Azure AD - We can only use email address or employee number.
Please advise if there is a way to do authentication on the basis of email address while also keeping the SAML attribute as "User ID"
Regards
Deepak Gupta
Matthew Shaw Request your feedback here, appreciate your help as always.
Dear Matthew,
thank you for this article.
Is there a way to avoid the limitation of the results for the sapanalytics.cloud/api/v1/scim/Users API?
We always get just 50 results. But we do have more users created.
I'm happy to hear from you.
best regards
Marc
Hello Marc
Please take a look at sample script '665-All_U-Uc-Uu-Oarrieei-Fj-Es-AdminToolKit'
This very versatile script creates teams of users by scanning all users. It can create a team of 'all' the users, or users that fulfil certain criteria. It can not only create teams that match these criteria, but it can perform 'set' operations on existing teams, like removing users from a team that have a certain criteria. My samples provide data files that create these teams:
The versatility shines when you combine this with other scripts into what I call 'scenarios', and allows to complete more end-to-end tasks. I provide a few out-of-the-box for you:
It might be your requirement is already met by these. Check-out my update for more on the AdminToolKit and Scenarios here: https://blogs.sap.com/2021/11/08/sap-analytics-cloud-user-and-team-provisioning-scim-api-sample-scripts-update-v0.6-whats-new/
I do plan to add a few more enhancements to the AdminToolKit soon, so stay tuned and click 'follow'!
Now, that was a long diversion from your question! So let's get to that...
...The API supports paging of users. You can ask for 200 users at a time just by using the startIndex and count parameters: https://{{SACserviceFQDN}}/api/v1/scim/Users/?startIndex={{StartUserIndex}}&count={{ReadUsersIndexSize}}
Check-out the sample 665 'Tests' and you'll see this in the code:
Thank You Matthew !
it works, well !
Thank you Matthew, great blog, very helpful!
Hello Matthew, is there any plan to publish another collection deck for SCIM2?
Many thanks,
Wu
Hello Dongxue
Many thanks for your feedback. Yes. I do plan to update my samples for the v2 of the SAP Analytics Cloud SCIM (v1 was already SCIM 2.0 compliant). Stay tuned! 😉
All the best, Matthew
Hello Matthew,
Appreciate your reply! Looking forwards to and will keep following your updates 😊
All the best, Wu Dongxue
Hello,
I am trying to build up a test scenario and hope someone can help me at the point I am currently stuck:
Within the coding, the result written into the variable "response" is empty. Therefore, its running into a runtime error because coding tries to access the field symbol.
The received Response Code is 200, but it seems as the response is empty.
I also tried to send a GET request via Postman to https://Firma.eu10.hcs.cloud.sap/api/v1/scim/Users/"?count=50&startIndex= { 1 }|, but also got only an empty result. Does someone see why I don't get a list of users back here?
Kind regards,
FH
Looks like the request isn't valid:
https://Firma.eu10.hcs.cloud.sap/api/v1/scim/Users/"?count=50&startIndex= { 1 }|
better would be: https://Firma.eu10.hcs.cloud.sap/api/v1/scim/Users/?count=50&startIndex=1
The sample script 665 uses the /Users/ endpoint and would be a great starting point to see a working example, then go from there.
Hope this helps, Matthew
Hello Matthew, thank you for your answer. I also tested that link. Response was 200 (with authorisation ok). It seems to me as if this is okay. Just the result is as follows:
It is not even JSON (I explicitly requested Content-type: application/json). For me, it looks as there as an additional Authorisation step before getting the requested JSON response. Have you ever encountered that problem?
Kind regards,
FH
Hello FH
So tricky to give you the root cause because I can't see your full request, nor if your authorisation request beforehand was really valid.
My guess is your authorisation request isn't actually valid. A 200 response when on NEO is possible if your accesstoken was empty for example. A 200 response on Cloud Foundry will always be valid, but you may not be reusing the access token correctly, or you've not got a valid csrf token beforehand either. Your request is probably badly formed too, but I can't say without viewing all the previous requests and their respective headers, body etc.
I urge you to use the sample script to see a working solution and then determine what's different between yours and the working sample.
Sorry I can't debug your code, one reason why samples are handy
All the best Matthew
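The paging with startIndex and count described earlier in this thread, together with the point in the reply above that a 200 status alone does not prove the request worked, as an added example (not from the original posts or from sample 665). `usersPageUrl`, `listAllUsers`, the host name and the fake endpoint are constructed assumptions; `totalResults` and `Resources` are the standard SCIM list-response fields.

```javascript
// Added example: page through /api/v1/scim/Users and refuse to treat a 200
// with a non-SCIM body (for example an HTML logon page) as a user list.

// Build a well-formed page URL; rejects anything that is not a positive integer.
function usersPageUrl(host, startIndex, count) {
  for (const [name, v] of [["startIndex", startIndex], ["count", count]]) {
    if (!Number.isInteger(v) || v < 1) throw new RangeError(`${name} must be an integer >= 1`);
  }
  const url = new URL("/api/v1/scim/Users/", `https://${host}`);
  url.searchParams.set("startIndex", String(startIndex));
  url.searchParams.set("count", String(count));
  return url.toString();
}

// getPage(startIndex, count) is the caller's transport (authenticated GET of
// usersPageUrl) and must resolve to { status, body } with body already parsed.
async function listAllUsers(getPage, pageSize = 200, maxPages = 1000) {
  const users = [];
  let startIndex = 1; // SCIM list indexes are 1-based
  for (let page = 0; page < maxPages; page++) {
    const res = await getPage(startIndex, pageSize);
    if (res.status !== 200 || !res.body || !Array.isArray(res.body.Resources)) {
      throw new Error(`not a SCIM list response at startIndex=${startIndex} (status ${res.status})`);
    }
    const batch = res.body.Resources;
    users.push(...batch);
    if (batch.length === 0 || users.length >= res.body.totalResults) return users;
    // Advance by what was actually returned: the server may cap count.
    startIndex += batch.length;
  }
  throw new Error("paging did not terminate within maxPages");
}

// Constructed stand-in for the endpoint: `total` users, at most 200 per page.
function makeFakeUsersEndpoint(total, serverCap = 200) {
  const all = Array.from({ length: total }, (_, i) => ({ id: `U${i + 1}`, userName: `USER${i + 1}` }));
  return async function getPage(startIndex, count) {
    const Resources = all.slice(startIndex - 1, startIndex - 1 + Math.min(count, serverCap));
    return {
      status: 200,
      body: {
        schemas: ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
        totalResults: total,
        startIndex,
        itemsPerPage: Resources.length,
        Resources,
      },
    };
  };
}
```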
Please ignore my previous question 😁. Found the answer
No worries.. stay tuned for a blog from me about changing license consumption that will be possible in a later release of SAP Analytics Cloud. Coming soon! 😉
Hello Matthew, it is so kind of you and you are supportive all the time ❤️. Sure I will keep following
Hello Matthew,
we use the propagated API of SAC called SCIM for creating and updating users in SAC. One of the parameters we do address is a parameter for setting the license type of the SAC-User. By default a user created on SAC does get the license type "Business Intelligence".
But with our script , using the SCIM API we do override the value to "Concurrent - Business Intelligence", by setting the parameters as follows: isConcurrent: true.
This is still implemented and in the activity log I can see , that the Parameter IS_CONCURRENT does get the value 1 .
But the problem is, that the license type of the newly created user is the SAP default "Business Intelligence".
I think that there is an error in the SCIM API when setting the license type by the above mentioned parameter.
The API worked without wrong behaviour until minimum 11 of may 2023, but minimum since 15 of may 2023 this described wrong behaviour occurs. So our users are running out of license.
Best regards
Cengiz
Hello Cengiz
I'm out of the office on leave this week, but sounds like a defect to me. Please reproduce the issue with my sample scripts and then log an incident with SAP support. SAP support would love to see this issue reproduced with my samples, just share the sample script number, the data file, and your postman environment exported as a file, with SAP support.
I confirm you should be able to create new users with isConcurrent set to false.
Many thanks Matthew
Hi, Matthew.
This is the most active blog I have followed and I love the interaction below your blogs. I have a customer who has set up the SAC SSO, user mapping, role SAML mapping, and team SAML mapping. In this case, the SAC user attribute is always synchronized with the Azure IDP. And we have a question of overwriting: Do you know which modification method can overwrite the User attributes or Team assignment against the SAML synchronization?
Many thanks, Wu Dongxue
Hi Wu,
Many thanks for your feedback 🙂
I'm not entirely sure I've understood the question, but here goes...
... you are mapping attributes from SAML into SAP Analytics Cloud but you want to change what attributes are mapped so you can change them? (I think this is your question).
I hope this diagram I've just created will help. You can see the 'security-users' screen and it shows a 'link' icon for all the attributes that are mapped.
In my example, the email address is the property the users are identified with and you can see that by the icon on that column. If you had 'USERID' or 'CUSTOM' then that icon will be on a different column and it will match what is set in the 'menu-system-administration-Security-SAML SSO-Step 3-User Attribute'. (If you are using 'CUSTOM' then another column 'SAML MAPPING' will be shown in the menu-security-users screen).
The thing you are mapping users on, in my case email, is a property you can edit, if and only if, it's email or custom. If it's USERID, then you can't edit that because USERIDs are editable.
The other things you are mapping 'First Name', 'Last Name', 'Display Name' are, by default, not editable because these are mapped from your custom IdP. That button (1) 'Map SAML User Properties' enables you to edit what is mapped, or not.
If you open that dialogue to show the 'Property Map Definitions', you can optionally delete any or all of these mappings. In my example, I've deleted the 'displayName' mapping (2) (3) and I then pressed save (4).
As the 'Display Name' is now not mapped, the 'link' icon next to the column is removed and I can also edit this value for a user unlike before (5). I can always re-map the attribute back, after I've made an ad-hoc change if I wanted to.
There's recently been a change to what can be stored in the 'Display Name' and it might mean this value isn't updated. Basically characters < and > are now not allowed. Though there's a small bug when comma (,) and brackets and dot (.) and at sign (@) are also not allowed, but that should be resolved soon. Product Support are best to advise for your service as it depends!
Does this help?
Matthew
Hello Matthew,
Very much appreciate the clear explanation. I will link your answer directly to my customer. 💙
Many thanks, Wu
Hi,
Thanks a lot for the blog post, it sure helped me a lot!
However I have a question, in Script Sample 001 Step 2 you get a "totalResult" with the total amount of users in the system.
Is it somehow possible to get a list of the users that have logged in during the past couple of months? Does the API contain this information, and how can it be put to use?
And in SAC the OAuth token lifetime is automatically set to 720 hours, is it possible to extend it?
Once again many thanks!
Cheers
Mattias
Hello Mattias
Thanks for your feedback.
The /activities endpoint enables you to see who logged on and when. This isn't part of the SCIM API but a separate one. For this, your best starting point is my article, which automates the activity log download via a command-line interface. I've done all the hard work for you, so you don't need to work out all the slightly weird quirks and issues when using that API. I've done it all for you.
I've coded almost precisely what you're after in a new version of the sample 665 AdminToolKit. I've yet to finalise and publish it, but it will enable you to add users to a team that have (or haven't) logged on in the last X days (or have only logged on X times). Once in a team, you can do other things like delete the users or remove other teams from the user, so they can't do anything if they did log on. The updated version will also work out if the user has personal content. I hope to publish the updated sample soon, but I think that will be in early August. So stay tuned for updates!
There is no API or supported means to automate the deactivation or re-activation of a user.
The lifetime of the OAuth token is limited, and I don't believe it can be increased; you just have to get another one. I guess this must be a security requirement. All my sample scripts automatically get a new token if the existing one expires. When using my samples, you don't need to worry about this.
Hope this helps. All the best, Matthew
Hi Matthew,
Thanks for the quick response.
You're absolutely right, what I'm after is to remove users that haven't logged in for x amount days/months.
I then want to schedule the Postman "Run" so the users will automatically be removed each week/month.
Looking forward to the updated AdminToolKit.
Regards
Mattias
Hi again Matthew,
Do you have an ETA on the new Admintoolkit? Just curious 🙂
Thanks, Mattias
Hi Mattias
I'm so very keen to get this out ASAP. I've just finished a bit more testing and it seems pretty good now.
Whilst it will be a little while until I have written and updated the user guide I thought I'd share a 'BETA' version of this new sample collection.
A few bits of info to share until I write it up properly:
The new fields and conditions you can set are:
I need to write this up properly, but in short, these should explain themselves quite well. However, a few notes:
As you may expect, I've put a lot of thought into this, and these parameters allow for a great number of complex use cases, that actually are best explained and described by the sample data files. But to give you an idea, you can do things like: users that have not logged-in in the last 30 days, have 2 or fewer logins within the last 90 days, and were created over 30 days ago. You can then go on and make a more complex set of users, such as filtering out users that have public or private content.
The sample data file includes 'dormant' users:
You'll find the description in each of these data files provides a good summary of what they do.
It means most can re-use any one of these 'Dormant' User sets and you'll be good to go. I've tried to do all the hard work and thinking so you don't need to.
file_action_users_that_created_public_content
When Public content is identified, it's only stories, applications, digital boardrooms, templates and insights. Sadly the API doesn't allow to models or other object types at the moment. This setting is handy, because it will identify users that created public content and could be the owner of such content. The biggest problem though, is that models are not identified.
file_action_users_with_private_folder_content
Users with Private content are identified by some logic that's not very obvious! There is no API that allows us to get the list of content from a user's personal folder.
Login Activity
I use the activities API to query the number and last time users log in. It means this only works if the activities exist and aren't deleted. I test to check the oldest activity timestamp and abort the script if their entry is too recent for the test you want to run. In summary, don't delete any of these activity logs and for this sample script, it uses only LOGIN activities. For more on the activities log check out my other blog.
Until I've written it up, I may not be able to help much more, but hope these brief notes will help you and others with the updated version. I'd love to hear if you find a bug or some improvement. Just comment back here and I'll take a look.
I've got some other tasks to do before I can refocus on the documentation for this, but hope to get something out in September now. Sorry for the delay.
[update] Sorry forgot to mention the obvious. Once you have these teams of users created, you can then run another sample script to delete them or remove those users of that team from other teams etc. It should help manage the lifecycle of your users and in particular, help identify the users that are safe (or safer) to delete. Remember there is NO API to automatically deactivate a user. For more on the license topic and deactivating check out my updated blog
All the very best
Matthew
Hi again Matthew,
Thanks a lot, will be digging deep into this ASAP.
Do you have any idea why the new Beta version Samples doesn't work to import into Postman? I get an error telling me it's "wrong format".
Thanks again,
Mattias
Hi Mattias
Just double check you are trying to import the collection, not any of the sample data file please. There is just 1 collection to import, ie there is only 1 collection file in that beta folder amongst loads of sample data files. Regards Matthew
Hi again Matthew,
I'm reaching out with another question. 🙂
I've been experimenting with the scripts and have attempted to combine them.
I've created three teams:
- Team A: Users that has not logged in for the past 90 days.
- Team B: Users with private content.
- Team C: Users that has not logged in for past 90 days AND have private content.
My intention for Team C is for it to represent the intersection of Team A and Team B, functioning as an "AND" combination. However, it seems to add all users from both teams, using the two conditions as if they were linked by an "OR" operator (in database terms, if that analogy holds).
Here's the script I've been using:
[
  {
    "file_team": "MI_No_Recent_Login_with_private_content",
    "file_team_displayname": "Users who have not logged in within the last 90 days and have private content",
    "file_users_action": "replace",
    "file_action_users_with_most_recent_login_at_least_days_ago": true,
    "file_users_with_with_most_recent_login_at_least_days": 90,
    "file_action_users_with_private_folder_content": true
  }
]
Maybe I could create some sort of logic to remove users that is also in team B from team C, after I've done all the above.
But I’m thinking I might want to have more than two conditions in another team going forward. So it would save a lot of time and effort just being able to have it in the same script.
Could you shed some light on whether this behavior is intentional or if it can be modified? Have you encountered and resolved something similar before?
Once more, I truly appreciate all your help.
Best regards,
Mattias
Hello Mattias
I presume you managed to import the collection okay now.
As mentioned in my comment above, there are many sample collections already available that combine these kinds of conditions. For what you want, this one would be ideal (665 sample - 34 - AdminToolKit_Users_Dormant_B__Dormant_A_Plus_No_Private_Folder_Content)
The reason why you're experiencing an 'OR' between the statements is because you've not set them to be an 'AND'. This is explained in detail in my user guide. It's the field: file_multiple_action_users_operator_is_AND.
My user guide explains when and where the AND can be used. It can't be used with the 'users_that_are_managers', which is why when we need to exclude users that are managers, we perform an invert and OR the opposite since "X and Y = NOT( X or Y )". An example data file is provided.
There's no need to create 2 different teams and then do logic on them, since my AdminToolKit script supports this kind of thing in a single pass. If you want to combine teams (add, remove, replace, intersect, exclude) then you can with sample script 653-T-Uc-Utr-Oarrkie-Fcj-Es-Teams on Teams. This is explained in detail in my user guide, but as I mentioned, there's no need to do that for this use case.
[update 1Sep2023: Forgot to mention, perhaps the obvious. You can just add another entry into the data file to update the same or a different team. The data file samples I provide all use the 'replace' action, but as my user guide explains, there are many more that allow complex set operations and includes: add, remove, replace, intersect, exclude, excludeall and invert. See the guide for more info please! One of my sample data file shows multiple entries and basically combines all the samples into one]
Kind regards, Matthew
Hi Matthew,
I am trying to use sample 402-U-U-Ua-Fcj-Es-Update User Active status to deactivate access of a few users from a csv file. The collection runs without any problem but the users are not getting disabled for some reason in the SAC portal. Any idea where I am making a mistake?
Hello
Sorry for this quick reply (on annual leave) but your question is simple.
Please visit https://blogs.sap.com/2023/07/05/sap-analytics-cloud-changes-with-managing-licenses-q3-2023/ and https://blogs.sap.com/2020/03/10/sap-analytics-cloud-managing-licenses-with-roles-and-teams/ for an faq on this exact question. I will be updating the user guide for these samples to reflect the changes in the API later.
Many thanks Matthew
Many Thanks for prompt reply.
So as I understand from those blogs, calling API is no longer an option for mass user status update. I've exported the user list but for some reason the field IS_USER_DEACTIVATED is blank for many users. I'm bit sceptical about filling these blanks with TRUE/FALSE and then importing file back directly in the production tenant.
Hello, don't worry if it's blank, it's just using the default value of FALSE. Perhaps not so obvious, you can delete all the rows in the exported file, leaving only the rows you want to change. Hope this helps, Matthew
Hello Matthew.
I met one problem when integrating SCIM2 PUT a request with BW using ABAP. I got the error as:
{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"status":"500","scimType":"","detail":"An internal error occurred."}
When I tested with Postman, everything worked fine. Have you heard of any successful cases in BW that can be integrated with SCIM2 PUT requests successfully?
Many thanks ahead!
Wu DX
Hi Matthew,
We are trying to extract a list of teams assigned to all the SAC users in our prod tenant. I tried using 'Get READ user' without any user ID and it gives me a response however due to pagination limit it just shows first few results without giving a url or anything for next page.is there any other way to extract such information for a list of users?
Many Thanks,
Abhishek Singh
Hello Abhishek
In the latest update to the samples, version 0.8 which I published Friday, I added 2 new collections.
SCIM 1601-All_T-List all teams and SCIM 2601-All_T-List all teams. Both list all the teams. 1601 uses version 1 of the API, and 2601 uses version 2.
Both just read and no updates are performed. The updated user guide shows examples of the output made to the Postman console, which is a list of teams, each with the number of users and roles associated with them.
Both samples do all the pagination for you. Sample 1601 has code commented out which means all the users of each team are written to the console. I've commented this code out because the Postman console becomes very slow when you write a lot of text to it. But you have the option to list all the users of each team by a very simple edit. Here's a screenshot of 1601 'Tests' for the request 'READ teams page by page':
Uncomment line 70 for this sample. You could do something similar with 2601.
I think this should help?
All the best, Matthew
Many Thanks Matthew. It certainly worked like you explained.
I got the response in JSON that I'd convert into csv to get records I'm looking for. Much appreciate the excellent work you've done with SCIM APIs. It has certainly made my life easier with user/mass user provisioning work 🙂
Hello Abhishek
Many thanks for your feedback.
To get a csv file output you could take what I did with the export of activities and change it. You would mostly need to delete a load of code in that sample, and just move the code from this Postman 'Tests' into the JavaScript. It wouldn't be too much work in fact. I left a good number of comments in the code to help with things like this. Hope it helps, Matthew
Can we replicate the postman script in ABAP?
I'm aware of calling an API in ABAP, but wondering how to replicate a script in ABAP?
This could be a starting point: Sync SAP BW Roles to SAC Team | SAP Blogs
I didn't try this, because we are trying to go with IPS. So I cannot provide additional information except the link.
Hi Matthew,
I'm using SCIM 1403-U-U-Ut-Fj-Es-Update user team membership to add new team memberships to a few users, but the users are not getting updated for some reason. This is the same issue I had with the previous version of this script also. In general, I've seen issues with the update action in other scripts also for other work like activating/de-activating users.
Regards
Abhishek
Hello Abhishek,
I suspect the first issue you mention is related to the second.
User, team and role updates will fail due to a lack of license. For more details and examples please visit my blog https://blogs.sap.com/2020/03/10/sap-analytics-cloud-managing-licenses-with-roles-and-teams/ Before the named-user license entitlement was enforced, you could exceed the license entitlement and the API updates will always have worked from this perspective, whereas now they will fail for this reason. I've just updated the user guide and added a section called 'License restrictions causing user and team updates to fail' into the 'when things go wrong' section so others might find it easier.
The isActive property is now read-only. (search for 'isActive' in the blog I just mentioned for a little more on that), It means I've now retired the sample scripts that previously updated this property. My 'what's new in version 0.8' blog mentions it very briefly, search for 'isActive' again on that blog! It is hidden away a little)
Let us know how things go, all the best, Matthew
Thanks for your reply, Matthew.
In terms of licenses, we do have sufficient of those available - out of 644 (BI+PS+PF) we have 526 in total active users consuming licenses.
It's just while updating any user's team membership (e.g. adding them in one more team) the script doesn't fail or displays any error which feels like the change went through but in actual the user still doesn't get those new membership. Here's the postman console logs:
Thank you for sharing this Abhishek,
It does look like the script is behaving correctly, but something somewhere else isn't. All those warnings suggest the issue might be with the API or the user, or the team perhaps. I'd love to see what the HTTP response code was for all those requests (the response code is just out of screenshot!). It's not right all those warnings are shown on each request.
I think I would do the following:
Otherwise, I'm pretty happy the sample script is working as expected, it is just an issue elsewhere.
Report back, once the root cause is found so others can benefit, Many thanks, Matthew