Introduction
We got a requirement to import SAP BW roles/users into SAC to enable folder restrictions based on sites. In this blog, I will provide the steps to import SAP BW roles/users into SAC using SAP IPS.
Some excellent blogs provide similar automated solutions using SCIM APIs, CSVs etc. Refer:
https://blogs.sap.com/2021/05/28/sap-analytics-cloud-scim-api-best-practices-and-sample-scripts/
https://blogs.sap.com/2021/12/02/sap-analytics-cloud-replicating-bw-analysis-authorizations-into-dim...
The Identity Provisioning service automates identity lifecycle processes. It helps you provision identities and their authorizations to various cloud and on-premises business applications. For more information, you can refer to a very nice blog:
https://blogs.sap.com/2019/11/20/sap-identity-provisioning-ips-is-now-bundled-with-s-4hana-cloud/
Step-by-step guide
- Ensure you are subscribed to an active IPS account and have minimum cloud admin access to this subaccount in BTP. The technical name should match
- Ensure that in IPS you have the ‘Manage Identity Provisioning’, ‘Manage on-premise’ and ‘Manage Destinations’ access.
- Onboard the IPS subaccount on your cloud connector
- Navigate to Cloud to on-premise->Access control and create an RFC destination with the below resource. Ref: https://help.sap.com/doc/c30747989e33466e8e4f789dd9c3c81c/Cloud/en-US/Provisioning_Service.pdf
- Log in to BTP and, in the IPS subaccount, create an RFC destination for your BW system
- Select SAP Application Server ABAP and create your ABAP source system in the IPS account
- In the transformation tab, add a condition similar to the one below to import only users with a specific role or role pattern, e.g. import all users with role ZSAC*:
{
  "user": {
    "ignore": false,
    "condition": "($.ACTIVITYGROUPS[?(@.AGR_NAME contains 'ZSAC_')] EMPTY false)",
    "mappings": [
      {
        "sourcePath": "$.USERNAME",
        "targetVariable": "entityIdSourceSystem"
      },
- In the properties tab, add the filter property ‘abap.role.filter’ to create Teams. E.g. ^ZSAC_.* will import all the roles which start with ZSAC as Teams in SAC
- Create a target system of type ‘SAP Analytics Cloud’. In the transformation tab, ensure that the source username and target username are mapped as shown below. By default, the email ID without the domain name is created as the user ID in SAC. For additional properties, please refer to: https://help.sap.com/doc/c30747989e33466e8e4f789dd9c3c81c/Cloud/en-US/Provisioning_Service.pdf
{
  "sourcePath": "$.userName",
  "targetPath": "$.userName"
},
- Schedule the import job in IPS from the source system
- Check the job logs
- Verify the results in the SAC tenant
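Before scheduling the job, it helps to preview which users and Teams the two settings above will select. The following Python sketch is an added example, not part of the original blog or of SAP's tooling; it assumes that `contains` in the condition is a substring test and that `abap.role.filter` decides which role names become Teams, and it uses constructed sample records.

```python
import re

ROLE_SUBSTRING = "ZSAC_"               # substring used in the user condition on this page
ROLE_FILTER = re.compile(r"^ZSAC_.*")  # abap.role.filter value from this page

# Constructed sample records, shaped like the fields the transformation reads.
SAMPLE_USERS = [
    {"USERNAME": "ALICE", "ACTIVITYGROUPS": [{"AGR_NAME": "ZSAC_SITE_A"},
                                             {"AGR_NAME": "SAP_BW_USER"}]},
    {"USERNAME": "BOB", "ACTIVITYGROUPS": [{"AGR_NAME": "SAP_BW_USER"}]},
    {"USERNAME": "CAROL", "ACTIVITYGROUPS": [{"AGR_NAME": "Y_OLD_ZSAC_SITE_B"}]},
    {"USERNAME": "DAVE", "ACTIVITYGROUPS": []},
]

def role_names(user):
    """Role names assigned to a user record (empty list if none)."""
    return [g.get("AGR_NAME", "") for g in user.get("ACTIVITYGROUPS") or []]

def user_is_read(user):
    """Model of: $.ACTIVITYGROUPS[?(@.AGR_NAME contains 'ZSAC_')] EMPTY false
    (assumption: 'contains' matches the substring anywhere in the role name)."""
    return any(ROLE_SUBSTRING in name for name in role_names(user))

def teams_for(user):
    """Roles that pass the anchored role filter and would become Teams."""
    return sorted(n for n in role_names(user) if ROLE_FILTER.match(n))

def preview(users):
    """Map each user the condition selects to the Teams they would receive."""
    return {u["USERNAME"]: teams_for(u) for u in users if user_is_read(u)}

def users_without_team(plan):
    """Users selected by the condition whose roles all fail the role filter."""
    return sorted(name for name, teams in plan.items() if not teams)

if __name__ == "__main__":
    plan = preview(SAMPLE_USERS)
    for name, teams in plan.items():
        print(f"{name}: teams={teams or 'NONE'}")
    print("imported without a team:", users_without_team(plan))
```

In the sample, CAROL is selected by the substring condition but receives no Team because the role filter is anchored at the start of the role name; users in this state are worth reviewing before folder restrictions rely on Team membership.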
Thank you for your time reading this. I hope you found this useful and informative. Hopefully, with this solution you will be able to connect your ABAP system with SAC for different use cases.
Looking forward to hearing your thoughts!