SAP Password reset tool using Azure Logic App, SAP PO/Integration Suite and ABAP
Recently, while working on Azure Logic App, I felt we could make use of the Office 365 email connector to automate a few manual processes.
I thought, why not create a password reset tool?
So, I designed a Logic App that picks up email from a specific Outlook folder and passes the information to SAP ECC6 via SAP PO. An ABAP program then resets or unlocks the user's password, and the result is sent back to the sender by the Logic App.
Develop a Logic App in Azure that is connected to an Outlook account (in the real world this must be a service account) and looks for new emails.
- The Password Reset folder is polled every 10 seconds, so any new email that arrives is picked up almost immediately.
Make sure the email body follows a specific format (end-users need to be trained on it); otherwise parsing in the Logic App will fail and the correct format is sent back to the sender.
Default email format (JSON):
"action" : "unlock"
- Whenever the email trigger fires, the email carries a unique Message-Id. That Message-Id is used to send the reply back to the same sender.
As soon as parsing completes, a proper JSON request is built and sent to the SAP PO REST adapter endpoint using the HTTP connector in the Logic App.
SAP PO or Integration Suite configuration:
In our DEV SAP ECC6 we have 2 clients (100 and 230), so the end-user needs to specify the proper client in the email body. Once the payload is received in SAP PO it is converted to XML by the REST adapter.
1. Develop ID objects in SAP PO with one REST sender adapter and 2 SOAP receiver adapters (XI protocol), one per client.
2. In the ICO, I have added conditions in the receiver determination so that based on the client its business system can be invoked for a password reset.
3. Create ESR objects, thus the structure appears in SPROXY for ABAP coding.
4. Mapping in ESR is straightforward (one-to-one mapping).
We are done with the SAP PO configuration.
If you are using SAP Integration Suite, the Azure Logic App can be left out completely. Not everyone uses Azure in their organization, so in that variant all operations are performed in SAP.
- In my case I used the XI adapter. Cloud Connector was already in place, so I connected directly to my ECC system (reference: Configuring Scenario Using the XI Receiver Adapter).
- I reused the same SAP PO generated Service Interface in ECC.
- It is also possible to connect via SOAMANAGER.
- IFlow can be found at my Git Repository.
The sender MAIL adapter is connected to my email account via IMAP and polls the folder CPI at an interval of 10 seconds.
Once an email lands in the folder, the iFlow picks it up, processes it and marks it as read.
To send the sender's email address along with the request payload for unlock/reset, I extracted the adapter header parameter (FROM) using a Groovy script and passed it to ECC by forming the payload in a content modifier.
Finally, the response from ECC is returned to the sender via the receiver email adapter.
SAP ABAP development:
1. Generate the proxy for the service provider in transaction SPROXY.
2. We can either code in the generated method or create a separate class where all the operations are performed. I created a separate class (SE24) that does all the validations and the password reset/unlock operation.
3. The most important question is how we get user details from SAP. For this we can use the standard BAPI BAPI_USER_GET_DETAIL: we pass the user ID (UNAME from the email) as the exporting parameter and it returns the user's address details and SNC (Secure Network Communication) data.
- ls_address-e_mail holds the email address of the user maintained in SAP.
- The email address returned by the BAPI is validated against the sender's email address (coming from the Logic App or SAP Integration Suite).
- If the email address in SAP doesn't match the sender's email address, a rejection reply is sent back to the sender.
- Otherwise, based on the action (UNLOCK/RESET), the program either resets or unlocks the user's password.
4. The user details can be seen in transaction SU01.
- There are situations where the BASIS team locks all users during system maintenance; in that case users must not be allowed to unlock themselves (if USR02-UFLAG is 32 or 66, the user is locked by the administrator).
- A person who has left the organization must not be allowed to reset/unlock (USR02-CLASS holds the user class).
- The email sender needs to specify the correct user ID in the email body.
5. After validating and reading the details from SAP, we can go ahead and reset or unlock the user according to the requested action.
6. Unlocking is done with the standard BAPI BAPI_USER_UNLOCK.
7. If the action is reset, we use BAPI_USER_CHANGE.
- I used the function module GENERAL_GET_RANDOM_STRING to generate a random 8-character password and appended "@1" to make it stronger.
- Passing the new password and the username to BAPI_USER_CHANGE resets the password, and the response is returned to SAP PO -> Logic App -> email.
8. We are done with the ABAP development.
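The validation and execution flow from steps 3 to 7 as one class method. This is an added example, not the author's class: the method, parameter names, the generate_password helper and the user-class value 'LEAVER' are assumptions, and it needs ABAP 7.40 or later for the inline expressions.

```abap
" Importing: iv_uname TYPE xubname, iv_sender TYPE string, iv_action TYPE string
" Returning: rv_message TYPE string (text sent back to the email sender)
METHOD validate_and_execute.
  DATA: ls_address   TYPE bapiaddr3,
        lt_return    TYPE bapirettab,
        ls_password  TYPE bapipwd,
        ls_passwordx TYPE bapipwdx,
        lv_uflag     TYPE usr02-uflag,
        lv_class     TYPE usr02-class.

  " 1. User must exist and the SU01 mail address must match the sender
  CALL FUNCTION 'BAPI_USER_GET_DETAIL'
    EXPORTING username = iv_uname
    IMPORTING address  = ls_address
    TABLES    return   = lt_return.
  IF line_exists( lt_return[ type = 'E' ] ).
    rv_message = |User { iv_uname } not found|.
    RETURN.
  ENDIF.
  IF to_upper( ls_address-e_mail ) <> to_upper( iv_sender ).
    rv_message = 'Sender address does not match the address stored in SAP'.
    RETURN.
  ENDIF.

  " 2. Refuse administrator locks (UFLAG 32 / 66 per the post) and leavers
  SELECT SINGLE uflag class FROM usr02 INTO (lv_uflag, lv_class)
    WHERE bname = iv_uname.
  IF lv_uflag = 32 OR lv_uflag = 66.
    rv_message = 'User is locked by the administrator, contact BASIS'.
    RETURN.
  ENDIF.
  IF lv_class = 'LEAVER'.   " assumed user-class value, adjust to your naming
    rv_message = 'User class does not permit self-service reset'.
    RETURN.
  ENDIF.

  " 3. Execute the requested action and commit
  CASE to_upper( iv_action ).
    WHEN 'UNLOCK'.
      CALL FUNCTION 'BAPI_USER_UNLOCK'
        EXPORTING username = iv_uname
        TABLES    return   = lt_return.
      rv_message = 'User unlocked'.
    WHEN 'RESET'.
      ls_password-bapipwd  = generate_password( ).   " assumed helper: random 8 chars + '@1'
      ls_passwordx-bapipwd = abap_true.
      CALL FUNCTION 'BAPI_USER_CHANGE'
        EXPORTING username = iv_uname password = ls_password passwordx = ls_passwordx
        TABLES    return   = lt_return.
      rv_message = |New initial password: { ls_password-bapipwd }|.
    WHEN OTHERS.
      rv_message = 'Unknown action, use UNLOCK or RESET'.
  ENDCASE.
  CALL FUNCTION 'BAPI_TRANSACTION_COMMIT' EXPORTING wait = abap_true.
ENDMETHOD.
```

Every early RETURN leaves the user untouched, so the only way to reach the BAPIs is a sender whose address matches SU01 and whose account is neither admin-locked nor a leaver. Also write each branch to the SLG1 application log as the post does for audit.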
Note: The validations are based on my own understanding after discussing with the security team; you can add as many validations as you want. If you have any suggestions regarding validations, please write them in the comment section.
Now it's time to test our tool 🙂
Test 1: The user tries to reset their password.
Test 2: The user tries to unlock their account.
Test 3: A few more validations.
Test 4: If the email body is not in the correct format, the default email template is returned as the email response.
Azure Logic App
SAP ECC6 Logs:
For audit purposes, I added an application log entry (SLG1) in ABAP for each password reset request.
The logs in ECC can be checked in transaction SLG1.
SAP Integration Suite:
SAP Integration Suite is only needed if you do not want to use the Logic App (I built it for my own experiment).
The one drawback of using SAP Integration Suite is that we cannot reply to the same email thread using the MAIL adapter, whereas in the Logic App I was able to.
To beautify user input, refer to my other post.
Hey Mohammed Aathif,
interesting use case. What happens if I send an email with your payload? Can I reset your password and lock you out? 😉 Are those CPI and logicApp endpoints protected?
Your setup could be applied as a service with a couple more tweaks to make it secure. Keep it up 🙂
Hi Martin Pankraz ,
You definitely cannot lock me out with your payload and your email, because the email From address is picked dynamically and it is checked and validated again in SAP before any actual operation is performed.
We do not have a CPI endpoint, as I am using the MAIL adapter for the sender, and the Logic App triggers only when a new email arrives in the specific folder configured in the Logic App.
But for the Azure Logic App <--> SAP PO connectivity I have Azure API Management in between, which serves as a proxy, and I am checking the subscription key too.
Nice work, Mohammed!
You can also try/use the BAPI call methods (a built-in Logic Apps trigger available now) directly connected to SAP to execute the lock/unlock FMs discussed here. By the way, I tried it in my lab environment after seeing your blog post, and it's working perfectly.
Hi AMIT Lal,
Thanks for your kind response. Yes, I remember the SAP connector in Logic App, but I felt it is a premium connector and will cost more, so I decided to use the existing middleware (SAP PO/Integration Suite) and achieved it that way. (I proposed this tool by saying: less development effort and cost effective.)
Thanks for quickly doing it in Azure Logic App and helping the community. Very well done!
One more thing I would like to highlight here is that if we directly hit the FM from the connector, we won't be able to validate the things below, because they are stored in one of the SAP tables, and this is most important to have.
While this is a very good example of what is technically possible, we should also consider whether the solution is practical for a real-world scenario as follows:
Good points Mustafa,
But of course you need to get started somewhere. A rough beta version first for the tech-savvy engineers, and enterprise readiness further down the line 😉
Mohammed Aathif: Curious to see version two of this, to maybe even win Mustafa over.
Hi Mustafa Bensan ,
Believe me, overall cost for Logic App for the month of February was 12 euros.
Hi Martin Pankraz