Dear Community members,

 

Note: This post provides steps strictly for SAP Cloud for Customer (SAP Sales Cloud and SAP Service Cloud).

With the 1911 release of SAP Cloud for Customer, SAP has provided the capability to use an integration or technical user for OData services.

OData Services - 1911

 

With A2X services being deprecated from February 2020, customers and partners are requested to move their A2X and SOAP services to OData. With OData services, however, we have had to use basic authentication with a business user. This causes problems when the password expires, because the integration then fails.

You can read more on this here.

https://apps.support.sap.com/sap/support/knowledge/public/en/2325562

 

Below, we will see how to use a technical user for basic authentication and certificate-based authentication for OData services.

 

Create a new communication system. Maintain the host name.



 

Create a communication arrangement for the standard communication scenario: OData Services for Business Objects

Select the services you wish to enable under technical data. In the next image you can see that the technical user is generated.



 

The technical user created above can be used for basic authentication as well.

The remaining steps are similar to those for SOAP services.

Click on edit credentials, then create and download a key pair (a file with a *.p12 extension will be downloaded).



 

Add the key pair file to your CPI tenant under Manage Keystore.



 

Configure the OData adapter as follows.

Maintain the address of the service you wish to call, and the alias saved in the previous step.

Select Client Certificate or Basic authentication as the authentication method.

 

Note: CSRF token is not needed as we are using a technical user.



For client certificate authentication, provide the name of the *.p12 file which you saved in the keystore.

For basic authentication, deploy a credential artifact in CPI with the technical user created above, and provide the credential name.

 

Download the edmx file from the metadata URL.

https://myNNNNN.crm.ondemand.com/sap/c4c/odata/v1/c4codataapi/$metadata

and configure the request query.



 

Using a technical user provides better security and prevents integration failures caused by password expiration.
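The downloaded *.p12 key pair contains an X.509 certificate with its own validity period, so with certificate-based authentication the expiry date of that certificate is worth monitoring. The following is an added example, not part of the original post: it assumes OpenSSL is installed, and the file name, password and 30-day sample certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report whether the client
# certificate inside a downloaded *.p12 key pair is close to expiry.

# p12_client_cert FILE PASSWORD: print the client certificate as PEM.
# The password is passed through the environment, not the command line,
# so it does not show up in the process list.
p12_client_cert() {
    P12_PASS="$2" openssl pkcs12 -in "$1" -nokeys -clcerts \
        -passin env:P12_PASS 2>/dev/null
}

# p12_valid_for FILE PASSWORD DAYS
# 0 = still valid DAYS from now, 1 = expires sooner, 2 = file unreadable.
p12_valid_for() {
    cert=$(p12_client_cert "$1" "$2") || return 2
    [ -n "$cert" ] || return 2
    if printf '%s\n' "$cert" |
        openssl x509 -noout -checkend "$(($3 * 86400))" >/dev/null 2>&1
    then return 0; else return 1; fi
}

# p12_enddate FILE PASSWORD: print the certificate's notAfter date.
p12_enddate() {
    p12_client_cert "$1" "$2" | openssl x509 -noout -enddate | cut -d= -f2
}

# Constructed sample input: a self-signed key pair valid for 30 days,
# standing in for the file downloaded from the communication arrangement.
make_sample_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=constructed-technical-user" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    P12_PASS="$2" openssl pkcs12 -export -inkey "$1/key.pem" \
        -in "$1/cert.pem" -out "$1/sample.p12" -passout env:P12_PASS
}

# Demo: warn when fewer than 60 days remain (the sample has 30).
tmp=$(mktemp -d)
make_sample_p12 "$tmp" "constructed-pass"
p12_valid_for "$tmp/sample.p12" "constructed-pass" 60 ||
    echo "renew before: $(p12_enddate "$tmp/sample.p12" "constructed-pass")"
rm -rf "$tmp"
```

Run against the real key pair on a schedule, a return code of 1 is the signal to create a new key pair and update the keystore entry before calls start failing.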

 

You can get more details on this here.

https://github.com/SAP/C4CODATAAPIDEVGUIDE

 

Edit:

For certain services such as accounthierarchylist, businesspartnerrelationship... if you use a CSRF token, you'll get the error "Inconsistent Authorization: Re-activate Communication Arrangement." This is an authorization error. In OData services, authorization occurs via a work center view which is also assigned to the access user. Such services don't have a WoC view assigned, which is why reading the metadata causes the issue.

 

To resolve this error, remove the CSRF fetch, as it is not needed with a communication user, or assign a work center view which can be accessed by the access user (in the case of a business user).

 

Regards

Praveen Dwivedi
12 Comments
catalin_duta
Explorer
0 Kudos
In case anyone runs into the same issue that I did:

  • when you go into the settings of the Communication Arrangement, under Services Used - you might not see all of your custom OData services

  • go into OData Service Explorer, edit the corresponding service

  • expand the Header and assign a WOCV


I know it's counter-intuitive because the technical user does not have a business role, i.e. no restrictions, but at least it works.
Suchita92
Participant
0 Kudos
Hi praveenkumardwivedisap ,

Firstly, thanks for the excellent blog. I wish this was documented in the C4C guides too.

You have an edit on your blog where you mentioned the error “Inconsistent Authorization: Re-activate Communication Arrangement.”

I am getting this error for my custom OData service, even though I have assigned it to the communication arrangement.

I get this error only when I do a GET to my custom OData with the Technical User (maintained for the communication arrangement). The Authentication is Basic, with the User ID and Password defined on the Communication arrangement. When I test with POSTMAN, I get the same error. But if I use the GET via POSTMAN with any other business user details, I do not get this error.

The test on the custom OData via OData explorer is also fine. So this means the system has a problem only when I do a GET on my custom OData with the technical user.

Do you know how to solve this error ?

Thanks,

Suchita
0 Kudos
Hi Suchita, This issue occurs when no WoCView is assigned to the service.

Check if WoCView is assigned to your custom Odata service entity types.

Alternatively, you are fetching CSRF token to GET data, this is not needed for technical user. Remove CSRF token fetch.
Suchita92
Participant
0 Kudos

Hi praveenkumardwivedisap ,

Thanks for your reply .

My issue is now solved. There are two places for WoCV assignment on OData: on Header and on Property. I was doing it only on Property and that was the problem (as the header is always collapsed, I didn't realise it).

The issue got resolved once the header WoCV was maintained.

Regards,

Suchita

nerevar
Participant
0 Kudos
Hello,

By any chance, is it possible to do so with SAP ByDesign?

Thanks/Regards
0 Kudos

Hi Maxime

Being on the same architecture, it should be possible. Although, I haven’t tried it in a ByD system.

Hopefully you have already tried it out by now.

 

Praveen

Jacques-Antoine
Active Participant

Edit: nerevar 

From the 2102 version of SAP ByDesign (ByD), we are now able to create a Technical User in order to consume OData endpoints, as is possible in SAP C4C.

Enjoy!

Thank you for your attention

 

mario_fliegner
Explorer
0 Kudos
Hi,

I'm trying to update a Product via the https://api.sap.com/api/API_PRODUCT_SRV/ OData service (for example the product text) using Communication Arrangement SAP_COM_0077. I've also created a Communication User with a password. However, the OData service does not update anything but returns "Matl master maintenance not possible for transaction chosen (TKSTATUS)":


        <application>
           <component_id>LO-MD-MM</component_id>
           <service_namespace>/SAP/</service_namespace>
           <service_id>API_PRODUCT_SRV</service_id>
           <service_version>0001</service_version>
        </application>


This looks like the Communication User does not have the permission for the transaction!? I get the same issue for all OData services from the mentioned Communication Arrangement which try to update the Business Objects (POST, PATCH). It works fine for any GET requests to retrieve data.

As we're in the SAP managed Cloud, there is no way to maintain the users permissions. Any thoughts? Maybe I'm doing something wrong?
senthil_kumar29
Participant
0 Kudos
Hi Praveen,

I have an outbound OData call from C4C, and I am getting a 403 forbidden error with a CSRF token missing issue.

 

As I see it, your blog works well for Inbound in C4C. Do you have a solution for C4C Outbound calls?

 

Thanks

Sam
0 Kudos
Hello Sam

A 403 error means the service call isn't authorized to access the target system. You need to check in your target system for the issue.

Also, for any kind of POST or PATCH call, a CSRF token is needed. Try adding the CSRF token to the message header of your service call. Without a CSRF token, you won't be able to use POST or PATCH.

 

Regards

Praveen
lubos_krajcir
Explorer
0 Kudos
Hello All,

 

Can I ask you which WoCV you assigned for your technical users? Also, will the POST / PUT action work for a technical user?

 

Thank you very much

Regards

Ľuboš
stefaniaZ
Participant
0 Kudos
Hi maf1981

I have the same problem as you, how did you solve it?

Thanks

Stefania