Sync SAP BW Roles to SAC Team
SAP Analytics Cloud is getting more important within SAP Landscape when it comes to visualizing data from the customer ecosystem. With that there is also a major increase in user administration and management. Especially if you want to synchronize your BW Roles with a SAC Team to easily maintain the rights to a functional folder structure, there is currently no built-in way to bring your BW Roles and assigned Users to a Team in SAC.
In my role as a solution consultant for almost 10 years this issue has come up with customers starting with SAP Analytics Cloud, but also with customers using the product for quite some time.
With the SCIM User Management API it is now possible to create teams and assign Users programmatically. But there is still some steps to overcome in order to synchronize the role assignments from your leading system like SAP Business Warehouse.
If you want to know more about the API, please check out the documentation.
This How-To will not primarily focus on the Authentication Setup, because this is mentioned in several other Blog Posts, but i wanted to point out the main topics in making OAuth2.0 work, because troubleshooting can be quite frustrating and time consuming.
However, i will provide you an ABAP report utilizing the SCIM API to bring your Roles to a Team in SAP Analytics Cloud and synchronize the user assignment. This can be useful if you have a fresh SAP Analytics Cloud system and just want to use the same roles and authorization assignments from SAP Business Warehouse. You can also schedule the report to sync on a daily basis. Removed users from the role in SAP BW will also be removed from the team assignment.
- Create OAuth 2.0 Client in SAP Analytics Cloud
- Create and Configuration of OAuth 2.0 Profile in SAP
- Authorization for OAuth 2.0
- Whitelisting Http Calls to SAP Analytics Cloud in SAP
- ABAP Report
1.Create OAuth 2.0 Client in SAP Analytics Cloud
- Go to Administration -> App Integration -> Add a new OAuth Client
- Purpose = Interactive Usage and API Access
- Access = User Provisioning
- Redirect URL: https://<host_name>:<https_port>\sap\public\bc\sec\oauth2\client\redirect?sap-client=<client_id>
2.Creation and Configuration of OAuth 2.0 Profile in SAP
3.Authorization for OAuth 2.0
Make sure the user (executing the report) has the following authorization assigned.
4.Whitelisting Http Calls to SAC in SAP
The Abap program is hosted on GitHub and contains six methods to sync your roles.
- Getting the assigned users from a role in BW you want to create a team from.
- Name of BW Role
- Connect with OAuth
- Get all users from SAC.
- Connect Users through email address or by user id (selection screen choice)
- Create a Team. (If the team already exists, only user sync is triggered)
- Assign the Users to the created Team.
Please check out the coding on the public github repository. (Feedback is welcome.)
How does the user matching work?
If you have selected the Email Address matching the tables “usr21” and “adr6” are joined to get the email address information which will be matched with email addresses from SAC Users.
When User ID is selected the User id (bname) from table “usr21” is matched with the user id from SAP Analytics Cloud.
Team is created and the respective Users are assigned to the team. If the Team already exists, it will sync all relevant users. Removed Users in BW role will then also be removed from team.
After program execution you will get an overview of the BW User Count (assigned to role), the SAC User count (total number of users on your system). Furthermore, the program states whether a team was created or just synchronized. Also, the total number of assigned users is shown within the last message.
Team Folder is automatically created and can be deleted within the system view.
With that solution you are able to synchronize BW Roles and Users with SAP Analytics Cloud Teams and Users. Going one step further could lead to a harmonization of roles in SAP BW with Teams in SAP Analytics Cloud having SAP BW as the place to maintain roles for end-users for both systems. A good architecture of BW Roles with a consistent naming concept could help a lot to reach that goal.
Please let me know if you have any questions about this Blog or you would have more features requests regarding this topic. Your feedback is appreciated.
If you liked this Blog Post, make sure to follow. Next Blog will cover the Export API integrating data from SAP Analytics Cloud to SAP BW.
Great article, thank you for sharing!
Thanks for the article, I wonder if the same method can be uses to sync roles and users with DWC
is there a documentation for that user management DWC API?
to my knowledge there is currently no API supporting something similar in DWC.
There is however the CLI, you can find the documentation here, and hands on examples in this very nice blog.
I'm trying to set up your solution in my SAP BW 7.5 environment. I'm following step by step via your instruction, but when I'm running your ABAP program I got this nice error:
Any idea what I'm missing?
Thanks in advance!
i guess you have to add the ssl certificate in Transaction STRUST on BW to your SAC tennant.
in SSL Client (Anonymous )