christian_willi

Introduction

In Q3 2024, SAP introduced the SCIM (System for Cross-domain Identity Management) API for SAP Datasphere to enhance user management through a consistent, REST-based protocol. This API currently supports the following operations:

  • CRUD (Create, Read, Update, Delete) operations for users
  • Assign users to existing roles (Note: Creating new roles via API is not supported, as mentioned in the documentation)
  • List all users
  • Retrieve API information (e.g., identity provider, available schemas, resource types)

This blog provides a detailed overview, complementing the official SAP documentation. Most of the examples referenced are consistent with the SAP documentation examples. Beyond the documentation, the aim is to give a comprehensive overview with examples and to provide a Postman collection for testing on your own.

In this repository you can find a Postman collection to test the SCIM API.

Setup

The first step is to create an OAuth client in your SAP Datasphere tenant with the appropriate settings. Make sure to note down the Client ID and Client Secret for token retrieval.

[Screenshot: OAuth client configuration in SAP Datasphere]

You will also need the Token URL from the App Integration section.

[Screenshot: Token URL in the App Integration section]

Login and CSRF Token Retrieval

To obtain the bearer token, make a POST or GET request to the following endpoint:

https://<token_url>/oauth/token?grant_type=client_credentials

The request will then look like this:

[Screenshot: token request with Basic Authentication]
  • Authorization: Use Basic Authentication with the OAuth Client ID as the username and the OAuth Client Secret as the password, both of which were obtained when creating the OAuth client.
  • Response: Upon a successful request, the response will contain the access token.

In the response we will then receive the Access Token:

[Screenshot: token response containing access_token]

Once you have obtained the access token, you can request the CSRF token by sending a GET request to the following endpoint:

https://<tenant_url>/api/v1/csrf

The request will look like this:

[Screenshot: CSRF token request]

The request must include the following headers:

  • Authorization: Bearer <Access_Token> (the token obtained in the previous step)
  • x-sap-sac-custom-auth: true
  • x-csrf-token: fetch

The CSRF token can be found in the response header under the x-csrf-token key.

[Screenshot: x-csrf-token in the response headers]

CRUD Operations

For all subsequent API requests, it is essential to include the Bearer token and the x-sap-sac-custom-auth: true header in the request. See the header example below:

[Screenshot: Authorization and x-sap-sac-custom-auth request headers]

Additionally, for any PUT, POST, PATCH, or DELETE requests, you must include the retrieved CSRF token in the request header as x-csrf-token: <token>. See the header with the x-csrf-token below:

[Screenshot: x-csrf-token request header for PUT, POST, PATCH and DELETE]
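The login, CSRF retrieval and header rules above, carried through as an added Python example (this is not code from the blog or from SAP). It performs the token request with Basic Authentication built from the OAuth Client ID and Client Secret, fetches the CSRF token with the three headers listed above, and builds the header set for later SCIM calls, adding x-csrf-token only for PUT, POST, PATCH and DELETE. The token URL, tenant URL, credentials and the responses returned by fake_transport are placeholders constructed for this example; the HTTP transport is injectable so the flow can be exercised offline, and urllib_transport is the real one.

```python
"""Added example (not code from the blog or from SAP): OAuth client-credentials
token retrieval, CSRF token fetch and per-request header construction for the
SAP Datasphere SCIM API. URLs, credentials and fake responses are placeholders."""
import base64
import json
import urllib.request

MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """RFC 7617 Basic credential: base64(client_id ":" client_secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def urllib_transport(method, url, headers, body=None):
    """Real transport. Returns (status, response headers, body text)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return resp.status, dict(resp.headers.items()), resp.read().decode("utf-8")


def fake_transport(method, url, headers, body=None):
    """Constructed offline responder mimicking the two endpoints (not real SAP output)."""
    if url.endswith("/oauth/token?grant_type=client_credentials") and method == "POST":
        return 200, {"Content-Type": "application/json"}, '{"access_token": "tok123"}'
    if url.endswith("/api/v1/csrf") and headers.get("x-csrf-token") == "fetch":
        return 200, {"X-CSRF-Token": "csrf456"}, ""
    return 404, {}, ""


class DatasphereSession:
    """Holds the bearer token and CSRF token for one API session."""

    def __init__(self, token_url, tenant_url, client_id, client_secret,
                 transport=urllib_transport):
        for url in (token_url, tenant_url):
            # Credentials and tokens travel in headers: refuse cleartext endpoints.
            if not url.lower().startswith("https://"):
                raise ValueError(f"refusing non-HTTPS endpoint: {url}")
        self.token_url = token_url.rstrip("/")
        self.tenant_url = tenant_url.rstrip("/")
        self._basic = basic_auth_header(client_id, client_secret)
        self._transport = transport
        self.access_token = None
        self.csrf_token = None

    def fetch_access_token(self):
        """POST <token_url>/oauth/token?grant_type=client_credentials with Basic auth."""
        status, _, body = self._transport(
            "POST",
            f"{self.token_url}/oauth/token?grant_type=client_credentials",
            {"Authorization": self._basic, "Accept": "application/json"},
        )
        if status != 200:
            raise RuntimeError(f"token endpoint returned HTTP {status}")
        self.access_token = json.loads(body)["access_token"]
        return self.access_token

    def fetch_csrf_token(self):
        """GET <tenant_url>/api/v1/csrf; the token comes back as a response header."""
        if not self.access_token:
            raise RuntimeError("call fetch_access_token() first")
        status, headers, _ = self._transport(
            "GET",
            f"{self.tenant_url}/api/v1/csrf",
            {"Authorization": f"Bearer {self.access_token}",
             "x-sap-sac-custom-auth": "true",
             "x-csrf-token": "fetch"},
        )
        if status != 200:
            raise RuntimeError(f"csrf endpoint returned HTTP {status}")
        # Header names are case-insensitive; normalise before lookup.
        lowered = {k.lower(): v for k, v in headers.items()}
        if "x-csrf-token" not in lowered:
            raise RuntimeError("response carried no x-csrf-token header")
        self.csrf_token = lowered["x-csrf-token"]
        return self.csrf_token

    def headers_for(self, method):
        """Bearer and custom-auth header on every call; CSRF token only when mutating."""
        headers = {
            "Authorization": f"Bearer {self.access_token}",
            "x-sap-sac-custom-auth": "true",
            "Accept": "application/json",
        }
        if method.upper() in MUTATING_METHODS:
            if not self.csrf_token:
                raise RuntimeError(f"{method} needs a CSRF token; call fetch_csrf_token()")
            headers["x-csrf-token"] = self.csrf_token
            headers["Content-Type"] = "application/json"
        return headers


if __name__ == "__main__":
    s = DatasphereSession("https://auth.example.invalid", "https://tenant.example.invalid",
                          "client-id-placeholder", "client-secret-placeholder",
                          transport=fake_transport)
    s.fetch_access_token()
    s.fetch_csrf_token()
    print(s.headers_for("GET"))
    print(s.headers_for("PATCH"))
```

In real use, pass the Client ID and Client Secret in from an environment variable or secret store rather than a literal in the script, and treat the access token and CSRF token as session-scoped values that are not logged.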

GET Users and Individual User

To get a list of all users or information about a specific user, you can use the following endpoints:

https://<tenant_url>/api/v1/scim2/Users

https://<tenant_url>/api/v1/scim2/Users/<user ID>

The response for an individual user looks like this:

[Screenshot: response for an individual user]

Create User

To create a new user, send a POST request to the following endpoint:

https://<tenant_url>/api/v1/scim2/Users/

In the request payload, you must provide the user details. You can also assign roles to the user at the time of creation, as shown in the sample payload below:

[Screenshot: sample create-user payload with role assignment]

Note: This example is taken from the SAP documentation for consistency.

Modify User

To modify an existing user, use either a PUT or a PATCH request:

  • PUT: This request will overwrite all properties of the user with the values specified in the request payload.
  • PATCH: This request updates only the specified properties, leaving the rest unchanged.

The endpoint for user modification is as follows:

https://<tenant_url>/api/v1/scim2/Users/<user ID>

Delete User

To delete a user, you need to send a DELETE request to the following endpoint, providing the user's ID:

https://<tenant_url>/api/v1/scim2/Users/<user ID>

You can retrieve the user ID by performing a GET request to list all users.

Bulk Operations

The SCIM API also supports bulk operations, allowing you to perform multiple actions in a single request. To perform a bulk operation, send a POST request to the following endpoint:

https://<tenant_url>/api/v1/scim2/Bulk/

For example, you can create multiple users with one API call by specifying their details in the request payload. A detailed example of a bulk operation payload can be found in the official SAP documentation.
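The Create User, Modify User and Bulk Operations sections above describe payload shapes and the PUT-versus-PATCH distinction; the following added Python example (not code from the blog or from SAP) builds those request bodies using the standard SCIM 2.0 schema URNs from RFC 7643/7644 and models PUT and PATCH on a stored user so the practical consequence can be checked offline: a PUT assembled from a partial payload silently drops the roles assigned at creation, a PATCH leaves them in place. The attribute layout, the use of a roles attribute for role assignment and the ROLE-ID-PLACEHOLDER values are assumptions for illustration; real role identifiers come from your tenant.

```python
"""Added example (not code from the blog or from SAP): SCIM 2.0 payload builders
for the Datasphere user endpoints plus an in-memory model of PUT and PATCH
semantics. Role identifiers and user data below are constructed placeholders."""
import copy
import json

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCIM_BULK = "urn:ietf:params:scim:api:messages:2.0:BulkRequest"


def create_user_payload(user_name, given, family, email, role_ids=()):
    """Body for POST /api/v1/scim2/Users/; roles may be assigned at creation."""
    payload = {
        "schemas": [SCIM_USER],
        "userName": user_name,
        "name": {"givenName": given, "familyName": family},
        "emails": [{"value": email, "primary": True}],
    }
    if role_ids:
        # Assumed attribute name; only existing role IDs can be referenced.
        payload["roles"] = [{"value": r} for r in role_ids]
    return payload


def patch_payload(*ops):
    """Body for PATCH /Users/<id>; each op is an (op, path, value) triple."""
    operations = []
    for op, path, value in ops:
        entry = {"op": op, "path": path}
        if value is not None:
            entry["value"] = value
        operations.append(entry)
    return {"schemas": [SCIM_PATCH], "Operations": operations}


def bulk_request(operations, fail_on_errors=1):
    """Body for POST /api/v1/scim2/Bulk/; each op is (method, path, data)."""
    ops = []
    for i, (method, path, data) in enumerate(operations, start=1):
        entry = {"method": method, "path": path, "bulkId": f"op{i}"}
        if data is not None:
            entry["data"] = data
        ops.append(entry)
    return {"schemas": [SCIM_BULK], "failOnErrors": fail_on_errors, "Operations": ops}


def apply_put(stored, payload):
    """PUT semantics: the resource becomes exactly the payload; only the id survives."""
    result = copy.deepcopy(payload)
    result["id"] = stored["id"]
    return result


def apply_patch(stored, patch):
    """PATCH semantics for top-level attributes: only the named attributes change."""
    result = copy.deepcopy(stored)
    for op in patch["Operations"]:
        kind, path = op["op"], op["path"]
        if kind == "remove":
            result.pop(path, None)
        elif kind == "replace":
            result[path] = op["value"]
        elif kind == "add":
            existing = result.get(path)
            if isinstance(existing, list):
                existing.extend(op["value"])   # multi-valued: append
            else:
                result[path] = op["value"]
        else:
            raise ValueError(f"unsupported op {kind}")
    return result


def role_values(user):
    """Sorted list of role IDs on a user representation (empty if none)."""
    return sorted(r["value"] for r in user.get("roles", []))


if __name__ == "__main__":
    user = create_user_payload("jdoe", "Jane", "Doe", "jane@example.invalid",
                               ["ROLE-ID-PLACEHOLDER-1"])
    stored = dict(user, id="user-id-placeholder")
    rename = {"schemas": [SCIM_USER], "userName": "jdoe", "displayName": "Jane D."}
    print("after PUT  :", role_values(apply_put(stored, rename)))
    print("after PATCH:", role_values(apply_patch(
        stored, patch_payload(("replace", "displayName", "Jane D.")))))
    print(json.dumps(bulk_request([("POST", "/Users", user)]), indent=2))
```

Before issuing a PUT, fetch the current user with GET and send the complete representation back with the changed fields, or use PATCH for single-attribute changes; in either case, compare the roles on the returned user with what you intended, since a dropped or extra role assignment is an authorization change that is easy to miss in a bulk run.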

Conclusion

The SCIM API for SAP Datasphere enables efficient user management through a REST-based protocol, supporting CRUD operations, role assignments, and bulk actions. This blog provides an in-depth overview of the API endpoints and usage, complementing the official SAP documentation. For more detailed examples and use cases, the SAP documentation remains an invaluable resource.