Skip to Content
User Experience Insights
Author's profile photo Gaurav Mishra

Import SAP BW users in SAC using SAP IPS

Introduction

We got a requirement to import SAP BW roles/users in SAC to enable folder restrictions based on sites. In this blog, I will provide the steps to import SAP BW roles/users in SAC using SAP IPS.

Some excellent blogs provide similar automated solutions using SCIM APIs, CSVs etc. Refer:

https://blogs.sap.com/2021/05/28/sap-analytics-cloud-scim-api-best-practices-and-sample-scripts/

https://blogs.sap.com/2021/12/02/sap-analytics-cloud-replicating-bw-analysis-authorizations-into-dimension-read-write-property/

The Identity Provisioning service automates identity lifecycle processes. It helps you provision identities and their authorizations to various cloud and on-premises business applications. For more information, you can refer to a very nice blog

https://blogs.sap.com/2019/11/20/sap-identity-provisioning-ips-is-now-bundled-with-s-4hana-cloud/

Step-by-step guide

  1. Ensure you are subscribed to an active IPS account and have minimum cloud admin access to this subaccount in BTP. The technical name should match
  2. Ensure in IPS you have access to ‘Manage Identity Provisioning’, Manage on-premise and Manage Destinations access.
  3. Onboard the IPS subaccount on your cloud connector
  4. Navigate to Cloud to on-premise->Access control and create a RFC destination with the below resource. Ref: https://help.sap.com/doc/c30747989e33466e8e4f789dd9c3c81c/Cloud/en-US/Provisioning_Service.pdf
  5. Login in BTP and in the IPS subaccount create RFC destination of your BW system
  6. Select SAP Application Server ABAP and create your ABAP source system in IPS account
  7. In transformation Tab, put a similar condition as below to import users with specific role/pattern e.g. Import all users with role ZSAC*

{

    “user”: {

        “ignore”: false,

        “condition”: “($.ACTIVITYGROUPS[?(@.AGR_NAME contains ‘ZSAC_’)] EMPTY false)”,

        “mappings”: [

            {

                “sourcePath”: “$.USERNAME”,

                “targetVariable”: “entityIdSourceSystem”

            },

  1. In the properties tab put a filter ‘abap.role.filter’ to create Teams. E.g. ^ZSAC_.* will import all the roles which start with ZSAC as Teams in SAC
  2. Create a Target system as Type ‘SAP analytics cloud’, in the transformation tab ensure that the source username and target username are mapped. By default, email Id without a domain name is created as a user Id in SAC. For additional properties, please refer: https://help.sap.com/doc/c30747989e33466e8e4f789dd9c3c81c/Cloud/en-US/Provisioning_Service.pdf

           {

                “sourcePath”: “$.userName”,

                “targetPath”: “$.userName”

            },

  1. Schedule the import job in IPS from the source system

  1. Check the job logs
  2. Verify the results in the SAC tenant

 

Thank you for your time reading this, I hope you found this useful and informative. Hopefully with this solution you will be able to connect your ABAP system with SAC for different use cases

Looking forward to hearing your thoughts!

Assigned Tags

      3 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Gregor Wolf
      Gregor Wolf

      Hi Gaurav,

      great that you share IPS content. But it looks like you're still using an IPS instance on SAP BTP Neo Environment. I would suggest you migrate your instance if possible. The Neo based instances do not receive new Features.

      Best Regards
      Gregor

      Author's profile photo Gaurav Mishra
      Gaurav Mishra
      Blog Post Author

      Hi Gregor,

      Thanks, this is in the plan. We will migrate IPS to CF soon.

      Regards,

      Gaurav

      Author's profile photo Dongxue Wu
      Dongxue Wu

      Great Blog! Thanks for Sharing!