Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Showing results for 
Search instead for 
Did you mean: 
harjeetjudge
Product and Topic Expert
Product and Topic Expert
2,131

In my earlier blog I explain how we can use SAP Cloud Identity Provisioning Service to read users/groups from remote content provider such SAP Business Technology Platform, ABAP Environment into SAP Build Work Zone.  The advantages of why you may consider doing this are explained in my earlier blog.  There are other reasons why you may need to provision users in SAP Build Work Zone.  For eg. to leverage SAP AI service called Joule(see blog) with your SAP SuccessFactors suite requires users and groups to be provisioned from SAP SuccessFactors into SAP Build Work Zone. 

SAP Build Work Zone standard or the foundations edition recently released a user interface to search for a user and see it's assigned groups.  For more details on this feature refer to the help guide. The feature mentioned in the help guide is probably where you should start, but there are certain scenarios where it may not be sufficient and that's where we can leverage the SCIM APIs offered by Work Zone.  The purpose of this blog is to showcase how we can use the SCIM APIs of SAP Build Work Zone to read which users and groups are provisioned into SAP Build Work Zone.  SAP Build Work Zone has a standard SCIM interface we can leverage to accomplish this.

1.png

To setup the request with your rest client, follow the process below.  Exact steps might be different for other rest clients but the process should be same.

  1. Access your SAP BTP subaccount where you have an instance of SAP Build Work Zone.
  2. Click the key created for your Work Zone instance.  If you don't have a key, follow my previous blog to understand the steps on how to create a new key.1-1.png
  3. Make note of the following fields:
    • endpoints -> portal-service
    • uaa -> clientid
    • uaa -> clientsecret
    • uaa -> url
    • 2-1.png
  4. Open a rest client and configure the Get request as follows to read provisioned users from SAP Build Work Zone.  I am using Postman as my client, but you can use any other rest client of your choice.
  5. Get a new access token.4.png
  6. Use the token in your request.10.png
  7. Send the request and confirm the users are read from SAP Build Work Zone.  See screenshot below on type of user information that is returned. 6.png

For reading groups, change the URL to <portal-service>/roleMapping/scim/v1/Groups.7.png

To read a specific user, add a filter using email or externalID. For eg:

https://portal-service.cfapps.us10.hana.ondemand.com/roleMapping/scim/v1/Users?filter=emails.value eq "harjeet.judge@sap.com"

https://portal-service.cfapps.us10.hana.ondemand.com/roleMapping/scim/v1/Users?filter=externalId eq "fee8b135-502c-49dd-bf1b-10499cc05754"

It may also be useful to filter for users tied to particular providerId.  Eg.

https://portal-service.cfapps.us10.hana.ondemand.com/roleMapping/scim/v1/Users?filter=urn:ietf:params:scim:schemas:extension:2.0:mapping.providerId eq "Tutorial"

Note: By default the Identity Provisioning Service writes only minimal user attributes to SAP Build Work Zone so the user information that can be pulled back using the API is minimal.

To write a user in SAP Build Work Zone, send a POST request with the appropriate user/group payload. 

Note: A POST request from a rest client should really be only used for troubleshooting.  For actually provisioning users/groups into SAP Build Work Zone, you should be leveraging the SAP Cloud Identity Provisioning service as described in the blog link I shared earlier.  If for some reason certain users fail to provision during Identity provisioning job, in those scenarios it may be helpful to test writing that user to SAP Build Work Zone through a rest client like Postman.  See an example POST request in the screenshot below:

8.png

Happy reading!

1 Comment