aman175105
Recently I have been working on a client requirement where users need to be provisioned in SAP IBP from an Identity and Access Management (IAM) system (for example, IdM). SAP IBP user provisioning can be done via standard SOAP or OData APIs, which need to be enabled before making an API call.

The complete process can be automated by using a middleware (for example, SAP CPI) to receive the request from IAM and call the IBP APIs in sequence for user provisioning. We will use the Postman client to make the IBP API calls.

The scope of this document covers the scenarios below:

  • Creation of Employee and User profile

  • User roles assignment in replace mode

  • User lock

  • Query business user

  • Permission filter creation

  • Permission filter to user assignment

  • Permission filter to user assignment deletion

  • Extract existing users, roles and permission filters


To consume SAP IBP APIs, a communication system, communication user and communication arrangement must first be set up so that incoming requests can be authenticated and authorized.

Prerequisite: The logged-in user must have the administrator role in IBP to perform the steps below.

Let's go step by step through creating the communication system.

Communication System

  1. IBP home screen --> search for communication system tile

  2. Create a new communication system as shown in Figure 1


Hostname: Enter the hostname for the consumer system


Figure 1


Now, create a new communication user for the inbound communication as shown in Figure 2.


Figure 2


The authentication type can be basic authentication (plain username and password) or certificate-based communication (SSL client certificates), as shown in Figure 3.


Figure 3


Note: Save the userId and password, as they will be used later for all API calls.

Communication system and user setup are completed as shown in Figure 4.


Figure 4


 

Communication Arrangements

IBP home screen --> Search for communication arrangements tile and create a new arrangement


Figure 5


Now, select the relevant communication scenario to be used (Figure 6): "SAP_COM_0069" - Permission Filter Integration and "SAP_COM_0093" - Identity Management Integration.


Figure 6



Figure 7


Provide a relevant name for the communication arrangement (Figure 7) and assign the communication system and user created earlier, as shown in Figure 8.


Figure 8


Repeat the same steps and create an arrangement for SAP_COM_0093. The final communication arrangements should look as shown in Figure 9.


Figure 9


Note down the service URLs for both communication arrangements.



Once the initial communication setup is done, the IBP APIs are ready to be consumed. Let's start making SOAP and OData calls to the IBP APIs using the 'API_User' userId and password.

 

Employee and User profile creation: In case of a new hire or creating a new record for a user in SAP IBP, this service can be used with mandatory parameters passed in the request.

URL: https://{IBP-TenantId}-api.scmibp.ondemand.com/sap/bc/srt/scs_ext/sap/managebusinessuserin

Headers: Authorization: Basic {Base64 encoded{UserId:Password}} and Content-Type: text/xml


Figure 11



Figure 12


actionCode: '01' for new employee record creation. The following values can be used as per the requirement: '01' – Create | '02' – Update

BusinessPartnerRoleCode: Only business partner role code 'BUP003' (Employee) is supported

 

User roles assignment: Once the employee and user record are created, the next step is to provision the user with proper authorization by assigning the business roles.

URL: https://{IBP-TenantId}-api.scmibp.ondemand.com/sap/bc/srt/scs_ext/sap/managebusinessuserin

Headers: Authorization: Basic {Base64 encoded{UserId:Password}} and Content-Type: text/xml


Figure 13


actionCode: '02' for updating the employee record with user role assignment

roleListCompleteTransmissionIndicator – 'true' (this replaces all the existing roles and assigns new roles if provided in the request)

RoleName – Name of the role to be assigned (multiple entries in case of multiple roles to be assigned)

 

User Lock: This scenario covers the user record locking, in case the user is no longer required to access the IBP application.

URL: https://{IBP-TenantId}-api.scmibp.ondemand.com/sap/bc/srt/scs_ext/sap/managebusinessuserin

Headers: Authorization: Basic {Base64 encoded{UserId:Password}} and Content-Type: text/xml


Figure 14


PersonExternalID – Person to be locked

LockedIndicator – 'X' to lock the user; keep it blank to unlock

roleListCompleteTransmissionIndicator – 'true' (this replaces all the existing roles and assigns new roles if provided in the request)

 

Query Business Users: A complete list of users with their assigned roles can be retrieved with the query business users call below.

URL: https://{IBP-TenantId}-api.scmibp.ondemand.com/sap/bc/srt/scs_ext/sap/querybusinessuserin

Headers: Authorization: Basic {Base64 encoded{UserId:Password}} and Content-Type: text/xml


Figure 15


 

Permission Filter creation: Permission filters define the set of data the user can view and work with. As per the API documentation, Permission filter is also known as Visibility Filter. To create a permission filter called “TEST_PF” (assuming one does not already exist), the payload must include the three attributes in JSON format.

Note: For HTTP POST/PUT/DELETE operations, x-csrf-token is mandatory and can be fetched with HTTP GET as shown below


Figure 16


Copy the CSRF token and use it in the HTTP POST as below.

URL: https://{IBP-TenantId}-api.scmibp.ondemand.com/sap/opu/odata/IBP/VISIBILITY_FILTER_SRV/VisibilityFilters('TEST_PF')

Headers: Authorization: Basic {Base64 encoded{UserId:Password}} and x-csrf-token: {token}


Figure 17


 

Permission filter to User Assignment: Once the permission filter is created, a user or user group can be assigned to that permission filter.

URL: https://{IBP-TenantId}-api.scmibp.ondemand.com/sap/opu/odata/IBP/VISIBILITY_FILTER_SRV/UserAssignments

Headers: Authorization: Basic {Base64 encoded{UserId:Password}} and x-csrf-token: {token}


Figure 18


Note: The UserId in the assignment is the IBP internal user ID code, not the username. To get these values, refer to the extract users call.

 

Permission filter to user assignment deletion: To delete a user assignment for a permission filter, an HTTP DELETE operation is required with a valid x-csrf-token.

URL: https://{IBP-TenantId}-api.scmibp.ondemand.com/sap/opu/odata/IBP/VISIBILITY_FILTER_SRV/UserAssignments(VisibilityFilterID='TEST_PF',UserId='CB123456789')

Headers: Authorization: Basic {Base64 encoded{UserId:Password}} and x-csrf-token: {token}

URL Parameters: UserId - IBP internal user code, which can be fetched from the extract users call, and VisibilityFilterID - permission filter ID, which can be fetched from the extract permission filters call


Figure 19
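The token fetch followed by the DELETE described above, as an added Python example that is not part of the original post; the `IbpSession` class and helper names are hypothetical. It assumes the token is requested with the standard SAP Gateway `x-csrf-token: Fetch` header on the service root, keeps the session cookies the token is bound to, and escapes the key values so an ID arriving from the IAM request cannot alter the OData path.

```python
import base64
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

# Added example; helper names are hypothetical. Service path is from the post.
SERVICE = "/sap/opu/odata/IBP/VISIBILITY_FILTER_SRV"


def basic_auth(user, password):
    """Authorization header value: Basic base64(user:password)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def odata_key(value):
    """Quote a string key for an OData URL: double any ', then percent-encode."""
    return "'" + urllib.parse.quote(value.replace("'", "''"), safe="") + "'"


def assignment_url(base, filter_id, user_id):
    if not base.startswith("https://"):
        raise ValueError("Basic credentials must only travel over HTTPS")
    return (f"{base}{SERVICE}/UserAssignments(VisibilityFilterID="
            f"{odata_key(filter_id)},UserId={odata_key(user_id)})")


class IbpSession:
    """Keeps the cookies that the CSRF token is bound to between calls."""

    def __init__(self, base, user, password, opener=None):
        self.base, self.auth = base, basic_auth(user, password)
        # Default opener stores session cookies; a test can inject a fake one.
        self.opener = opener or urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(CookieJar()))

    def _call(self, method, url, headers):
        req = urllib.request.Request(url, method=method, headers={
            "Authorization": self.auth, **headers})
        return self.opener.open(req, timeout=30)

    def fetch_token(self):
        # Ask for a token with the header value "Fetch"; it comes back as a header.
        resp = self._call("GET", f"{self.base}{SERVICE}/", {"x-csrf-token": "Fetch"})
        return resp.headers["x-csrf-token"]

    def delete_assignment(self, filter_id, user_id):
        url = assignment_url(self.base, filter_id, user_id)
        token = self.fetch_token()
        return self._call("DELETE", url, {"x-csrf-token": token}).status
```

Read the communication user's password from a secret store or environment variable when constructing `IbpSession`, rather than embedding it in the script.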


 

Extract Users, Business Roles, and Permission filters: The below API calls can be useful when there is a need to extract the existing users, business roles and permission filters.

Extract Users

URL: https://{IBP-TenantId}-api.scmibp.ondemand.com/sap/opu/odata/IBP/VISIBILITY_FILTER_SRV/Users?

Headers: Authorization: Basic {Base64 encoded{UserId:Password}}


Figure 20


Extract permission filters

URL: https://{IBP-TenantId}-api.scmibp.ondemand.com/sap/opu/odata/IBP/VISIBILITY_FILTER_SRV/VisibilityFilters?

Headers: Authorization: Basic {Base64 encoded{UserId:Password}}


Figure 21


Extract business roles

URL: https://{IBP-TenantId}-api.scmibp.ondemand.com/sap/opu/odata/IBP/VISIBILITY_FILTER_SRV/BusinessRoles?

Headers: Authorization: Basic {Base64 encoded{UserId:Password}}



 

References:

Manage business user https://help.sap.com/viewer/c154a4d95870416ea0af012a6ddae2d8/1902.500/en-US/640fb5fa26664a7486de073b...

Permission filter https://help.sap.com/viewer/da797ae2bf6246d58abd417f24915d55/1808/en-US/8458185263a34de884e0edf1e197...

Note: All the above content is based on personal learning from SAP help and SAP official documentation. Comments and suggestions are always welcome. Happy Integrating!