Recently I have been working on a client requirement where users need to be provisioned in SAP IBP from an Identity and Access Management system (for example SAP IdM). SAP IBP user provisioning can be done via the standard SOAP or OData APIs, which need to be enabled before making an API call.
The complete process can be automated by using a middleware (for example SAP CPI) to receive the request from the IAM system and call the IBP APIs in sequence for user provisioning. We will use the Postman client to make the IBP API calls.
The scope of this document covers the following scenarios:
- Creation of Employee and User profile
- User roles assignment in replace mode
- User lock
- Query business user
- Permission filter creation
- Permission filter to user assignment
- Permission filter to user assignment deletion
- Extract existing users, roles and permission filters
In order to consume the SAP IBP APIs, the communication system, communication user and communication arrangement must first be set up, so that incoming requests can be authenticated and authorized.
Prerequisite: the logged-in user must have the administrator role in IBP to perform the steps below.
Let's go step by step through creating the Communication System.
Communication System
- IBP home screen --> search for the Communication Systems tile
- Create a new communication system as shown in Figure 1
Hostname: enter the hostname of the consumer system (the system that will call the IBP APIs)
Figure 1
Now, create a new communication user for inbound communication as shown in Figure 2.
Figure 2
The authentication type can be basic authentication (plain username and password) or certificate-based authentication (SSL client certificate).
Figure 3
Note: Save the user ID and password, as they will be used later for all API calls.
The communication system and user setup is now complete, as shown in Figure 4.
Figure 4
Communication Arrangements
IBP home screen --> search for the Communication Arrangements tile and create a new arrangement
Figure 5
Now select the relevant communication scenarios to be used (Figure 6): "SAP_COM_0069" - Permission Filter Integration and "SAP_COM_0093" - Identity Management Integration.
Figure 6
Figure 7
Provide a meaningful name for the communication arrangement (Figure 7) and assign the communication system and user created earlier, as shown in Figure 8.
Figure 8
Repeat the same steps to create an arrangement for SAP_COM_0093. The final communication arrangements should look as shown in Figure 9.
Figure 9
Note down the service URLs of both communication arrangements.
Once the initial communication setup is done, the IBP APIs are ready to be consumed. Let's start making SOAP and OData calls to the IBP APIs using the 'API_User' user ID and password.
Employee and user profile creation: In the case of a new hire, or when creating a new record for a user in SAP IBP, this service can be used with the mandatory parameters passed in the request.
URL:
https://{IBP-TenantId}-api.scmibp.ondemand.com/sap/bc/srt/scs_ext/sap/managebusinessuserin
Headers: Authorization: Basic {Base64 encoded {UserId:Password}}, Content-Type: text/xml
Figure 11
Figure 12
actionCode: '01' for new employee record creation. The following values can be used as required: '01' – Create | '02' – Update
BusinessPartnerRoleCode: only the business partner role code 'BUP003' (Employee) is supported
User role assignment: Once the employee and user record are created, the next step is to provision the user with the proper authorizations by assigning business roles.
URL:
https://{IBP-TenantId}-api.scmibp.ondemand.com/sap/bc/srt/scs_ext/sap/managebusinessuserin
Headers: Authorization: Basic {Base64 encoded {UserId:Password}}, Content-Type: text/xml
Figure 13
actionCode: '02' for updating the employee record with the user role assignment
roleListCompleteTransmissionIndicator – 'true' (this replaces all existing roles with the roles provided in the request, if any)
RoleName – name of the role to be assigned (multiple entries when multiple roles are to be assigned)
User lock: This scenario covers locking the user record when the user no longer requires access to the IBP application.
URL:
https://{IBP-TenantId}-api.scmibp.ondemand.com/sap/bc/srt/scs_ext/sap/managebusinessuserin
Headers: Authorization: Basic {Base64 encoded {UserId:Password}}, Content-Type: text/xml
Figure 14
PersonExternalID – person to be locked
LockedIndicator – 'X' to lock the user; leave it blank to unlock
roleListCompleteTransmissionIndicator – 'true' (this replaces all existing roles with the roles provided in the request, if any)
Query business users: A complete list of users together with their assigned roles can be retrieved with the Query Business Users call below.
URL:
https://{IBP-TenantId}-api.scmibp.ondemand.com/sap/bc/srt/scs_ext/sap/querybusinessuserin
Headers: Authorization: Basic {Base64 encoded {UserId:Password}}, Content-Type: text/xml
Figure 15
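Because roleListCompleteTransmissionIndicator is 'true' in both the role-assignment and the lock calls above, whatever RoleName list is in the request becomes the user's complete role list; a request with a mistyped role name or an empty list silently strips access. The following Python snippet is an added example, not code from the original post: it plans such a replace-mode update from the roles returned by Query Business Users and the business roles extracted from IBP, and shows the field values a lock request should carry if the user's roles are to survive a later unlock. Role names, the current role list and the role catalogue are constructed sample values; the field names are those used on this page.

```python
"""Added example (not from the original post): plan a replace-mode role update
before calling ManageBusinessUserIn with roleListCompleteTransmissionIndicator
'true'. All role names below are constructed sample values."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RolePlan:
    final_roles: tuple   # roles the user will hold after the call
    to_add: tuple        # roles the call grants
    to_remove: tuple     # roles the call silently strips (replace mode)
    unknown: tuple       # desired names that are not in the role catalogue

    @property
    def safe_to_send(self) -> bool:
        """Refuse to send a request that names an unknown role (typo) or that
        would leave the user with no roles at all; both need a deliberate decision."""
        return not self.unknown and bool(self.final_roles)


def plan_role_replacement(current_roles, desired_roles, role_catalogue) -> RolePlan:
    """Compare the roles a user holds (from Query Business Users) with the desired
    set, checking every desired name against the business roles extracted from IBP."""
    current, desired, known = set(current_roles), set(desired_roles), set(role_catalogue)
    return RolePlan(
        final_roles=tuple(sorted(desired)),
        to_add=tuple(sorted(desired - current)),
        to_remove=tuple(sorted(current - desired)),
        unknown=tuple(sorted(desired - known)),
    )


def lock_request_fields(person_external_id, current_roles, keep_roles=True) -> dict:
    """Field values for the user-lock call (field names as used on the page).
    With roleListCompleteTransmissionIndicator 'true', the RoleName list in the
    request becomes the complete role list, so a lock request without RoleName
    entries also removes every role. keep_roles=True resends the current roles
    so that a later unlock restores the same access."""
    return {
        "PersonExternalID": person_external_id,
        "LockedIndicator": "X",
        "roleListCompleteTransmissionIndicator": "true",
        "RoleName": sorted(current_roles) if keep_roles else [],
    }


if __name__ == "__main__":
    catalogue = ["ROLE_PLANNER", "ROLE_ANALYST", "ROLE_ADMIN"]   # constructed
    plan = plan_role_replacement(["ROLE_PLANNER", "ROLE_ADMIN"],
                                 ["ROLE_PLANNER", "ROLE_ANALYST"], catalogue)
    print("removes:", plan.to_remove, "adds:", plan.to_add, "send:", plan.safe_to_send)
    print(lock_request_fields("E1000", ["ROLE_PLANNER", "ROLE_ADMIN"]))
```

In a middleware flow, log `to_remove` before sending: a replace-mode call that drops roles is exactly the event an access reviewer will later ask about, and the plan gives you the evidence without parsing the SOAP response.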
Permission filter creation: Permission filters define the set of data a user can view and work with. In the API documentation a permission filter is also called a visibility filter. To create a permission filter called "TEST_PF" (assuming one does not already exist), the payload must include the three attributes in JSON format.
Note: For HTTP POST/PUT/DELETE operations an x-csrf-token is mandatory; it can be fetched with an HTTP GET as shown below.
Figure 16
Copy the CSRF token and use it in the HTTP POST as below.
URL:
https://{IBP-TenantId}-api.scmibp.ondemand.com/sap/opu/odata/IBP/VISIBILITY_FILTER_SRV/VisibilityFilters('TEST_PF')
Headers: Authorization: Basic {Base64 encoded {UserId:Password}} and x-csrf-token: {token}
Figure 17
Permission filter to user assignment: Once the permission filter is created, a user or user group can be assigned to it.
URL:
https://{IBP-TenantId}-api.scmibp.ondemand.com/sap/opu/odata/IBP/VISIBILITY_FILTER_SRV/UserAssignments
Headers: Authorization: Basic {Base64 encoded {UserId:Password}} and x-csrf-token: {token}
Figure 18
Note: The UserId in the assignment is the IBP internal user ID code, not the username. To obtain these values, refer to the Extract Users call.
Permission filter to user assignment deletion: To delete a user assignment from a permission filter, an HTTP DELETE operation is required with a valid x-csrf-token.
URL:
https://{IBP-TenantId}-api.scmibp.ondemand.com/sap/opu/odata/IBP/VISIBILITY_FILTER_SRV/UserAssignments(VisibilityFilterID='TEST_PF',UserId='CB123456789')
Headers: Authorization: Basic {Base64 encoded {UserId:Password}} and x-csrf-token: {token}
URL parameters: UserId – the IBP internal user code, which can be fetched from the Extract Users call; VisibilityFilterID – the permission filter ID, which can be fetched from the Extract Permission Filters call.
Figure 19
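The CSRF handling, the user assignment POST and the keyed DELETE described in the last three sections can be automated in a middleware instead of Postman. The Python client below is an added example and not code from the original post or from SAP: it builds the Basic Authorization value, fetches the token by sending `x-csrf-token: Fetch` on a GET (the standard SAP Gateway convention), reuses the session cookie the token is bound to, retries once on a 403 (token rejected or expired), and escapes single quotes when building OData key literals so that a filter ID or user ID taken from an IAM request cannot alter the URL. Assumptions, marked in the code: the POST body for UserAssignments uses the same property names as the DELETE key (VisibilityFilterID and UserId); only a single session cookie is tracked; the host, user and IDs in the usage are constructed placeholders.

```python
"""Added example (not from the original post or SAP): a small OData client for
the VISIBILITY_FILTER_SRV calls. The HTTP transport is injected so the flow can
be exercised offline; the default transport uses only the standard library."""
import base64
import json
from urllib import error, request
from urllib.parse import quote

SERVICE_PATH = "/sap/opu/odata/IBP/VISIBILITY_FILTER_SRV"


def basic_auth_header(user_id: str, password: str) -> str:
    """Value for 'Authorization: Basic': Base64 of 'UserId:Password'."""
    raw = f"{user_id}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def odata_literal(value: str) -> str:
    """OData string literal: single-quoted, embedded quotes doubled, so an
    IAM-supplied value cannot break out of the key expression."""
    return "'" + value.replace("'", "''") + "'"


def entity_url(host: str, entity_set: str, **key) -> str:
    """.../EntitySet, .../EntitySet('v') or .../EntitySet(K1='v1',K2='v2')."""
    base = f"https://{host}{SERVICE_PATH}/{entity_set}"
    if not key:
        return base
    if len(key) == 1:
        literal = odata_literal(next(iter(key.values())))
    else:
        literal = ",".join(f"{k}={odata_literal(v)}" for k, v in key.items())
    encoded = quote(literal, safe="=',")      # keep the key syntax readable
    return f"{base}({encoded})"


def urllib_transport(method, url, headers, body):
    """Default transport: returns (status, response headers, response text)."""
    data = body.encode("utf-8") if body is not None else None
    req = request.Request(url, data=data, headers=headers, method=method)
    try:
        with request.urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8")
    except error.HTTPError as exc:
        return exc.code, dict(exc.headers), exc.read().decode("utf-8", "replace")


class VisibilityFilterClient:
    def __init__(self, host, user_id, password, transport=urllib_transport):
        self.host = host
        self._auth = basic_auth_header(user_id, password)
        self._send = transport
        self._token = None
        self._cookie = None   # the CSRF token is only valid with this session

    def _headers(self, extra=None):
        h = {"Authorization": self._auth, "Accept": "application/json"}
        if self._cookie:
            h["Cookie"] = self._cookie
        if extra:
            h.update(extra)
        return h

    def fetch_csrf_token(self):
        """GET with 'x-csrf-token: Fetch'; the token comes back in the same header."""
        url = entity_url(self.host, "Users")
        status, headers, _ = self._send("GET", url, self._headers({"x-csrf-token": "Fetch"}), None)
        if status != 200:
            raise RuntimeError(f"token fetch failed: HTTP {status}")
        lower = {k.lower(): v for k, v in headers.items()}
        self._token = lower.get("x-csrf-token")
        if not self._token:
            raise RuntimeError("no x-csrf-token header in response")
        if "set-cookie" in lower:             # assumption: one session cookie
            self._cookie = lower["set-cookie"].split(";", 1)[0]
        return self._token

    def _modify(self, method, url, payload=None):
        if self._token is None:
            self.fetch_csrf_token()
        extra = {"x-csrf-token": self._token}
        body = None
        if payload is not None:
            extra["Content-Type"] = "application/json"
            body = json.dumps(payload)
        status, _, text = self._send(method, url, self._headers(extra), body)
        if status == 403:                     # token rejected/expired: refresh once
            self.fetch_csrf_token()
            extra["x-csrf-token"] = self._token
            status, _, text = self._send(method, url, self._headers(extra), body)
        if status >= 400:
            raise RuntimeError(f"{method} {url} -> HTTP {status}: {text[:200]}")
        return status

    def assign_user(self, filter_id, internal_user_id):
        """POST .../UserAssignments. Property names assumed from the DELETE key."""
        payload = {"VisibilityFilterID": filter_id, "UserId": internal_user_id}
        return self._modify("POST", entity_url(self.host, "UserAssignments"), payload)

    def delete_assignment(self, filter_id, internal_user_id):
        """DELETE .../UserAssignments(VisibilityFilterID='..',UserId='..')."""
        url = entity_url(self.host, "UserAssignments",
                         VisibilityFilterID=filter_id, UserId=internal_user_id)
        return self._modify("DELETE", url)


if __name__ == "__main__":   # constructed placeholders; read real secrets from a vault
    client = VisibilityFilterClient("TENANT-api.scmibp.ondemand.com", "API_User", "CHANGE_ME")
    print(entity_url(client.host, "UserAssignments", VisibilityFilterID="TEST_PF", UserId="CB123456789"))
```

Keep the communication user's password out of the middleware's source and logs; the Authorization value is only Base64, not encryption, so anyone who can read the header can recover the password, which is why TLS to the `-api.scmibp.ondemand.com` endpoint is not optional.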
Extract users, business roles, and permission filters: The API calls below are useful when the existing users, business roles and permission filters need to be extracted.
Extract users
URL:
https://{IBP-TenantId}-api.scmibp.ondemand.com/sap/opu/odata/IBP/VISIBILITY_FILTER_SRV/Users?
Headers: Authorization: Basic {Base64 encoded {UserId:Password}}
Figure 20
Extract permission filters
URL:
https://{IBP-TenantId}-api.scmibp.ondemand.com/sap/opu/odata/IBP/VISIBILITY_FILTER_SRV/VisibilityFilters?
Headers: Authorization: Basic {Base64 encoded {UserId:Password}}
Figure 21
Extract business roles
URL:
https://{IBP-TenantId}-api.scmibp.ondemand.com/sap/opu/odata/IBP/VISIBILITY_FILTER_SRV/BusinessRoles?
Headers: Authorization: Basic {Base64 encoded {UserId:Password}}
References:
Manage business user
https://help.sap.com/viewer/c154a4d95870416ea0af012a6ddae2d8/1902.500/en-US/640fb5fa26664a7486de073b...
Permission filter
https://help.sap.com/viewer/da797ae2bf6246d58abd417f24915d55/1808/en-US/8458185263a34de884e0edf1e197...
Note: All the above content is based on my personal learning from SAP Help and official SAP documentation; comments and suggestions are always welcome. Happy integrating!