Hi guys,
This blog covers a client requirement where users need to be created and provisioned in SAP Analytics Cloud (SAC) from an Identity and Access Management (IAM) system (for example IdM). SAC user provisioning can be done via the standard SAC REST APIs, which need to be enabled before making an API call.
The complete process can be automated by using a middleware (for example SAP CPI) to receive the request from IAM and call the SAC APIs in sequence for user creation and provisioning. We will use the Postman client to make the API calls.
The scope of this document covers the scenarios below:
- User creation
- User update
- User delete
- Teams creation
- Teams update
- Users and teams extraction
In order to consume the SAC APIs, an application client first needs to be created to authenticate and authorize the incoming requests.
Let's start with the creation of an application. Go to System -> Administrator -> app integration
Note: The logged-in user should have a proper admin role to perform the steps below.
Create a new OAuth client
- Enter some meaningful name for the app user
- OAuth client id name (will be visible in the API logs)
- Select “API access” from the drop-down
- Access scope will be “User provisioning”
- Enter the secret, which will be used for the authentication
- Lifetime for the secret expiry
- Lifetime for the access token generated by OAuth server
After specifying all details, click Add (note down the OAuth client ID and secret).
Note down the Token URL as this will be used to make the first call and obtain the access token. Now, we are all set to do the API calls.
Test Case 1: User Creation
- Request access token
- Fetch CSRF token
- Create a user with optional parameters
Perform the below steps in sequence
Request Access Token
- This must be done via the tenant Token URL.
- The OAuth Client ID and Secret must be provided as part of the request
If OAuth authorization is successful, the returned token can be used to access the API
Fetch CSRF token
POST, PUT, and DELETE requests to the API can be made only after getting a valid CSRF token. To get the CSRF token, do a GET request to one of the SAC APIs (/Users or /Groups).
URL: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Groups OR
URL: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Users
Tip: HEAD operation can be used to avoid response payload.
Create a user
Users in SAC can be created with or without optional parameters as below.
POST: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Users
Header section:
x-sap-sac-custom-auth = true
x-csrf-token = <<x-csrf-token from step 2>>
Content-Type = application/json
Authorization = Bearer <<Access Token from step 1>>
Body section:
username: a unique name for the user
emails: unique primary email id for the user
roles: multiple roles can be assigned by adding multiple role names in the request
isConcurrent: manage the concurrent license type
managerId: user id should exist in the system before assigning it as a manager
Note: userName and email must be unique while creating a new user in SAC.
Response: If the user creation call is successful, the API response will be “201 Created”
Verify the results in SAC, go to Security/Users.
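The three calls of Test Case 1 chained in one script, as an added example that is not part of the original post. Unlike Postman, a script must itself carry the session cookies from the CSRF fetch over to the POST (the token is normally bound to that session), so one cookie-aware opener is reused for all calls. Assumptions: the `client_credentials` grant, the `x-csrf-token: fetch` request value, the JSON body layout, the sample values, and the hypothetical `send` transport that lets the sequence be exercised offline.

```python
import base64, json, urllib.parse, urllib.request
from http.cookiejar import CookieJar

def token_request(token_url, client_id, secret):
    # Step 1. Credentials travel in the Authorization header, never in the URL.
    # Assumption: the tenant expects the client_credentials grant.
    basic = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
    form = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return urllib.request.Request(token_url, data=form, method="POST",
                                  headers={"Authorization": f"Basic {basic}"})

def scim_request(method, url, access_token, csrf, payload=None):
    # Steps 2 and 3 share these headers. csrf is "fetch" when asking for a
    # token (assumed SAP convention) and the returned token on write calls.
    data = json.dumps(payload).encode() if payload is not None else None
    return urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {access_token}",
        "x-sap-sac-custom-auth": "true",
        "x-csrf-token": csrf,
        "Content-Type": "application/json"})

def create_user(send, token_url, client_id, secret, scim_base, user):
    # send(request) -> (status, lower-cased headers, body bytes); hypothetical.
    status, _, body = send(token_request(token_url, client_id, secret))
    if status != 200:
        raise RuntimeError(f"token request failed: HTTP {status}")
    access_token = json.loads(body)["access_token"]
    # HEAD avoids downloading the user list just to obtain the token.
    _, headers, _ = send(scim_request("HEAD", f"{scim_base}/Users", access_token, "fetch"))
    csrf = headers.get("x-csrf-token")
    if not csrf:
        raise RuntimeError("no CSRF token returned; refusing to send the write call")
    status, _, body = send(scim_request("POST", f"{scim_base}/Users", access_token, csrf, user))
    if status != 201:
        raise RuntimeError(f"user creation failed: HTTP {status}")
    return json.loads(body)

def cookie_session():
    # One opener for all calls so the cookie set during the CSRF fetch is
    # replayed on the POST that carries the token.
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(CookieJar()))
    def send(request):
        with opener.open(request, timeout=30) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read()
    return send

# Constructed sample body; field names follow the list above, layout is assumed.
SAMPLE_USER = {"userName": "AGUPTA", "isConcurrent": False, "roles": ["<role name>"],
               "emails": [{"value": "agupta@example.invalid", "primary": True}]}
```

Against a real tenant, pass `cookie_session()` as `send`, and read the client secret from a secret store or environment variable rather than hard-coding it.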
Test Case 2: User update
Perform the below steps in sequence
- Request access token: As explained earlier
- Fetch CSRF token: As explained earlier
- Update a user
Update a user
Note: This call always works in upsert mode. Meaning, existing user information will be overwritten with the new one.
PUT: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Users/AGUPTA
Header section:
x-sap-sac-custom-auth = true
x-csrf-token = <<x-csrf-token>>
Content-Type = application/json
Authorization = Bearer <<Access Token>>
Response: If user update call is successful, the API response will be “200 OK”
Verify the results in SAC, go to Security/Users.
Test Case 3: User delete
Perform the below steps in sequence
- Request access token: As explained earlier
- Fetch CSRF token: As explained earlier
- Delete a user
Delete a user
Note: The user to be deleted should not be an active manager in SAC.
DELETE:
https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Users/AGUPTA
Header section:
x-sap-sac-custom-auth = true
x-csrf-token = <<x-csrf-token>>
Content-Type = application/json
Authorization = Bearer <<Access Token>>
Response: If user delete call is successful, the API response will be “204 No Content”
Test Case 4: Group(teams) creation
Perform the below steps in sequence
- Request access token: As explained earlier
- Fetch CSRF token: As explained earlier
- Create a team
POST:
https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Groups
Header section:
x-sap-sac-custom-auth = true
x-csrf-token = <<x-csrf-token from step 2>>
Content-Type = application/json
Authorization = Bearer <<Access Token from step 1>>
Body section:
id: a unique name for the group(team)
displayName: display name for the group(team)
roles: multiple roles can be assigned by adding multiple role names in the request
members: multiple members can be assigned by adding multiple member names in the request
Response: If group(teams) creation call is successful, the API response will be “201 Created”
Verify the results in SAC, go to Security/Teams
Test Case 5: Teams update
Perform the below steps in sequence
- Request access token: As explained earlier
- Fetch CSRF token: As explained earlier
- Update a team
Note: This call always works in upsert mode. Meaning, existing team information will be overwritten with the new one.
PUT:
https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Groups/Teams1
Header section:
x-sap-sac-custom-auth = true
x-csrf-token = <<x-csrf-token from step 2>>
Content-Type = application/json
Authorization = Bearer <<Access Token from step 1>>
Response: If teams update call is successful, the API response will be “200 OK”
Note: Users added to a team will inherit the roles assigned to that team.
Test Case 6: User and Group(teams) extraction
Perform the below steps in sequence
- Request access token: As explained earlier
- Get call for user or team extraction
Header section:
Authorization = Bearer <<Access Token from step 1>>
Get all SAC users: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Users
Get specific SAC user: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Users/AGUPTA
Get specific SAC user with Filter conditions: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Users?filter=username eq "AGUPTA"
Get all SAC teams: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Groups
Get specific SAC team: https://<SAC.TenantId>.<region>.sapanalytics.cloud/api/v1/scim/Groups/Teams1
References:
https://help.sap.com/viewer/298f82da4b184d1fb825b7ffe365e94a/release/en-US/b687e9589b834a2db872414b0...
Note: All the above content is based on personal learning from SAP help and SAP official documentation. Comments and suggestions are always welcome. Happy Integrating!
🙂