One of the thing I often get asked by clients is around compliance. Whilst most of the questions are normally quite easy to answer, one of the more common ones is "How do I get a list of users and their roles on our tenants". The cockpit does show this but its not possible to export this or to access it programatically so for example using Cloud Platform Integration, add to a business process to do review compliance or for input into a GRC (Governance, Risk and Compliance) system
Whilst we have documented this in on help.sap.com it is still not clear how to actually do this so to save you some time we will work through an example.
Since SAP has move towards adopting open standards we do this in two parts. The first is to generate an oAuth token and then the second is to access the users.
For the next exercises you will need to use either PostMan or CuRL to make HTTP requests as the basis for getting access is HTTP, making it easy to implement in what ever language or tooling you would like.
This part is documented here. However lets work it through to get the token.
We login to our tenant and goto the "OAuth" tab under the "Security" submenu on the right.
Select the "Platform API" tab under "Auth Settings" as we will use this to create the oAuth token.
Click on the "Create API Client" button to bring up a form to allow common authorizations to be selected.
As we noted in the documentation the "Account Member Management" scope is required to access the member information in the tenant. Check the checkbox next to the scope, supply a description and click the "Save" button on the bottom right to create the API client.
This will generate a client id and a client secret which need to be be saved somewhere. A tip to note is that the text can be selected here and copied to the clipboard.
Once you have saved off the ClientId and the Client Secret, click the OK button. If you forgot to save these details then you will have to regenerate a new client and secret with the relevant scopes.
We will now use this to generate an oAuth token that can be used with the authorization API.
The URL we will use will be
https://api.eu1.hana.ondemand.com/oauth2/apitoken/v1?grant_type=client_credentials
This URL is for the data center my tenant is in and I want a client credentials token. In the link to the documentation above, there are a list of data centres.
Open the Postman app and put in your URL to generate an oAuth Token. Click on the "Authorization tab" and select the "Basic Auth" option from the dropdown since we want to generate a token.
Note that you would expect this to normally be a GET request but it is infact a POST request.
Click the "Send" button to make the request and get a response.
You need to now save the access_token property as this will form the basis for the authentication when accessing the API in the next section.
Now we have an oAuth token, we can get access to the members API when accessing the tenant.
This process is documented here but let us continue and show a worked example for using the API.
The documentation says we need to use
https://api.<SAP Cloud Platform host>/authorization/v1/platform/accounts/<subaccount>/Users
We have got the host name from part 1, but what is a bit unclear is what the value to go in the subaccount path of the URL. This will be the technical name of the tenant. You can find this on the tile for the tenant in the cockpit of the global account.
Open a new tab in Postman and paste in the URL to get the users. From the Authorization tab, select the "Bearer" option from the dropdown and use the "access_token" value that was generated in the previous step
Click the "Send" button to get the users
I have selected my identity on this tenant where you can see my metadata, email address and roles.
Obviously the resulting response is much larger as this will have all the users on the tenant.
This concludes how to get the list of users and roles on a tenant.
Next time we will look at accessing the Audit log and in particular how to access the audit log for Cloud Platform Integration.
Whilst we have documented this in on help.sap.com it is still not clear how to actually do this so to save you some time we will work through an example.
Since SAP has move towards adopting open standards we do this in two parts. The first is to generate an oAuth token and then the second is to access the users.
For the next exercises you will need to use either PostMan or CuRL to make HTTP requests as the basis for getting access is HTTP, making it easy to implement in what ever language or tooling you would like.
Part 1: Creating the oAuth token.
This part is documented here. However lets work it through to get the token.
We login to our tenant and goto the "OAuth" tab under the "Security" submenu on the right.
Select the "Platform API" tab under "Auth Settings" as we will use this to create the oAuth token.
Click on the "Create API Client" button to bring up a form to allow common authorizations to be selected.
As we noted in the documentation the "Account Member Management" scope is required to access the member information in the tenant. Check the checkbox next to the scope, supply a description and click the "Save" button on the bottom right to create the API client.
This will generate a client id and a client secret which need to be be saved somewhere. A tip to note is that the text can be selected here and copied to the clipboard.
Once you have saved off the ClientId and the Client Secret, click the OK button. If you forgot to save these details then you will have to regenerate a new client and secret with the relevant scopes.
We will now use this to generate an oAuth token that can be used with the authorization API.
The URL we will use will be
https://api.eu1.hana.ondemand.com/oauth2/apitoken/v1?grant_type=client_credentials
This URL is for the data center my tenant is in and I want a client credentials token. In the link to the documentation above, there are a list of data centres.
Open the Postman app and put in your URL to generate an oAuth Token. Click on the "Authorization tab" and select the "Basic Auth" option from the dropdown since we want to generate a token.
Note that you would expect this to normally be a GET request but it is infact a POST request.
Click the "Send" button to make the request and get a response.
You need to now save the access_token property as this will form the basis for the authentication when accessing the API in the next section.
Part 2: Getting a list of users.
Now we have an oAuth token, we can get access to the members API when accessing the tenant.
This process is documented here but let us continue and show a worked example for using the API.
The documentation says we need to use
https://api.<SAP Cloud Platform host>/authorization/v1/platform/accounts/<subaccount>/Users
We have got the host name from part 1, but what is a bit unclear is what the value to go in the subaccount path of the URL. This will be the technical name of the tenant. You can find this on the tile for the tenant in the cockpit of the global account.
Open a new tab in Postman and paste in the URL to get the users. From the Authorization tab, select the "Bearer" option from the dropdown and use the "access_token" value that was generated in the previous step
Click the "Send" button to get the users
I have selected my identity on this tenant where you can see my metadata, email address and roles.
Obviously the resulting response is much larger as this will have all the users on the tenant.
This concludes how to get the list of users and roles on a tenant.
Next time we will look at accessing the Audit log and in particular how to access the audit log for Cloud Platform Integration.
- SAP Managed Tags:
1 Comment
