In this blog you will find detailed steps on how to configure and test the IAG Access Request APIs, which enable external applications to submit request to SAP Cloud Identity Access Governance (IAG) and search for specific entities that are required to create request. For more information, see Access Request API.
Configuring the Access Request APIs
>> In the Global Account <<
Prerequisites:
- You have administrative access to the Global Account.
- You have IAG license provisioned in this Global Account.
Procedure:
- Log in to the SAP BTP Cockpit and open your Global Account where the IAG Subaccounts have been created.
- Go to Entitlements > Entity Assignments and select your IAG Subaccount.
- Choose Configure Entitlements and Add Service Plan.
- Search for the entitlement SAP Cloud Identity Access Governance. If you do not find, then contact your admin or SAP AE (Account Executive) for license details.
- Activate the checkbox for standard - Standard API access Plan. Even if you are entitled to more than one, you may only add one to each Subaccount.
- Click Add 1 Service Plan and Save.
>> In the Subaccount <<
Prerequisites:
- The Cloud Foundry environment is enabled. For more information, see:
3136962 - Cloud Foundry tab is not visible in BTP Cockpit
3082980 - "Cloud Foundry" tile is not shown in BTP Subaccount - You have the Org Manager role. For more information, see Add Org Members Using the Cockpit.
- A Space is created. For more information, see Create Spaces.
Procedure:
- Open your IAG Subaccount in SAP BTP Cockpit.
- Go to Instances and Subscriptions and click Create.
- Select the Service SAP Cloud Identity Access Governance - grc-iag-api from the dropdown list.
- For the Plan, select standard.
- For Runtime Environment, select Cloud Foundry.
- For the Space, select the relevant Space.
- Fill the Instance Name and and click Create.
- Click the Instance you created.
- Go to Service Keys and click Create.
- Fill the Service Key Name and click Create.
Testing the Access Request APIs
Go to 'Instances and Subscriptions' in your IAG Subaccount in the SAP BTP Cockpit > click the 'Instance' to see the 'Service Key' which has been created for this purpose and copy the below data:
- ARQAPI (e.g. https://..arqapi.cfapps.eu10.hana.ondemand.com)
- url (it is used later in testing phase for fetching the token, e.g. https://{iag subdomain}.authentication.eu10.hana.ondemand.com)
- clientid
- clientsecret
1. Testing Access Request APIs at 'SAP API Business HUB'
- Go to SAP Cloud Identity Access Governance, Access Request Service.
- Select the API you would like to test e.g. Create IAG Request and click Try Out.
- Add New Environment and configure it as below using the data copied from the Service Key.
- Go to Body and fill the Payload:
- priorityId: check the 'Access Request Priority' tile in IAG
- reasonCode: check the 'Request Reason' tile in IAG
- requesttypeid: CHANGE or CREATE
- accessType: e.g. BR, CR, GP, SFSG, TR ...
- applicationType: e.g. SAPERP, S4HANA, S4HANACLOUD ... > check the 'Connector Types' tile in IAG
- action: A or D
- connector: check the System tile in IAG
- domain: check the subdomain under the Overview section in your IAG Subaccount in SAP BTP Cockpit
- Click Run and check the Response.
Postman is an API platform, which you can download from here.
- Go to Authorization tab and select Type OAuth 2.0.
- Fill the required fields using the data (ARQAPI, url, clientid, clientsecret) copied from the Service Key.
- Click Get New Access Token to generate the token and click Send.
How the API URL is built:
GET: {ARQAPI} + /com/sap/grc/iag/service/eaccessrequest.svc + /{API Name} + ?{Parameters}
To check the API Name and Parameters, go to SAP Cloud Identity Access Governance, Access Request Service, select the API you would like to test e.g. Request Status and go to 'API References'.
Note: Please share your feedback or thoughts in a comment below or ask questions in the Q&A tag area here about SAP Cloud Identity Access Governance.
- SAP Managed Tags:
