Hi Martijn,

So no special API request needed, the regular DELETE method on a user endpoint will do the job. Existing sample scripts that delete users (by user, but or by team of users) requires no updates, they all benefit from the backend API improvements. Cool hey! All the best Matthew

1. Account Operations worked fine when tried from Postman adding x-csrf-token value to header. X-csrf-token is taken from response headers of Get all users API (GET https://<Subaccount>.hcs.cloud.sap/api/v1/scim/Users?size=1&page=1)

• AdminToolKit_All_Users


• AdminToolKit_Users_Created_Recently


• AdminToolKit_Users_With_BI_Concurrent_License


• AdminToolKit_Users_With_BI_Named_User_License


• AdminToolKit_Users_With_A_Manager.


• AdminToolKit_Users_With_Manager_MANAGERID


• AdminToolKit_Users_Without_A_Manager


• AdminToolKit_Users_That_Are_Managers


• AdminToolKit_Users_That_Are_Enabled


• AdminToolKit_Users_That_Are_Disabled


• AdminToolKit_Users_With_UserID_Ending__1


• AdminToolKit_Users_With_SAP_email


• AdminToolKit_Users_Without_SAP_email


• AdminToolKit_Users_Without_a_Role_and_Without_a_Team


• AdminToolKit_Users_Without_a_Team


• AdminToolKit_Users_Without_a_Role


• AdminToolKit_Users_With_Directly_Assigned_BIAdmin_Role


• AdminToolKit_Users_With_Default_Settings


• AdminToolKit_Users_Created_Over_A_Year_Ago


• AdminToolKit_Users_That_Are_Managers_With_BI_Concurrent_License


• AdminToolKit_Users_That_Are_Disabled_With_BI_Named_User_License


• AdminToolKit_Users_In_Managment_Structure


• AdminToolKit_Users_Not_In_Managment_Structure


• AdminToolKit_Users_Without_Default_Settings

• D01 – Delete users then delete managers


• L01 – Managers with BIconcurrent to BInamed license


• L02 – Disabled users to BIconcurrent license


• L03 – Convert all BIconcurrent to BInamed license


• M01 – Reassign users of given manager to another


• R01- Swap directly assigned role for a team role


• S01 – Assign settings for recently created with default settings


• S02 – Assign settings concurrent lic for recently created w default settings


• T01 – Transport Managers then Users

const readbody                          = JSON.parse(responseBody);

const total_users_in_this_SAC_service   = readbody.totalResults;

const users_this_page                   = readbody.Resources.length;

mattshaw @MattShaw_on_BI We checked with SAP and tested API end points - api/v1/scim2/Users - Seems new end points are also not enabling us to assign a team directly to user account.

/scim2/Users/<ID> | SAP Help Portal

Any feedback as how I can make it work ?

Regards

Deepak

Thank you Matthew, great blog, very helpful!

Hello,

I am trying to build up an teste scenario and hope someone can help me at the point i am currently stuck:
Within the coding, the result written into the variable "response" is empty. Therefore, its running into a runtime error because coding tries to access the field symbol.

      target =  |https://Firma.eu10.hcs.cloud.sap/api/v1/scim/Users/"?count=50&startIndex=   {     lv_index }|.

http_method = 'GET'.



gv_http_client->send( EXCEPTIONS http_communication_failure = 1

http_invalid_state = 2

http_processing_failed = 3

http_invalid_timeout = 4

OTHERS = 5 ).



IF sy-subrc <> 0.

MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno

WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.

ENDIF.



gv_http_client->receive( EXCEPTIONS http_communication_failure = 1

http_invalid_state = 2

http_processing_failed = 3

OTHERS = 4 ).



response_data = gv_http_client->response->get_cdata( ).

The received Response Code is 200, but it seems as the response is empty.
I also tried to send a get request via postman to https://Firma.eu10.hcs.cloud.sap/api/v1/scim/Users/"?count=50&startIndex=   {  1  }|, but also get only an empty result. Does someone see why don't I get a list of user back here?

Kind regards,
FH

Hello Matthew, thank you for your answer. I tested also that link. Response was 200 (with authorisation ok). It seems for me as this is okay. Just the result ist as following:

<html>



<head>

	<link rel="shortcut icon" href="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" />

	<script>

		document.cookie="fragmentAfterLogin="+encodeURIComponent(location.hash)+";path=/;Secure;SameSite=None;";document.cookie="locationAfterLogin="+encodeURIComponent(location.href.split('#')[0].split(location.host)[1])+";path=/;Secure;SameSite=None;";document.cookie="signature=NWmnEXGGJ7hdkeQKH%2FoGMzb3Zxk%3D;path=/;Secure;SameSite=None;";location="https://companyname-1.authentication.eu10.hana.ondemand.com/oauth/authorize?response_type=code&client_id=sb-approuter-sac-saceu10!t3650&redirect_uri=https%3A%2F%2Fs-companyname-1.eu10.hcs.cloud.sap%2Fsso%2Flogin%2Fcallback"

	</script>

</head>



</html>

It is not even JSON (I explicitly requested Content-type: application/json). For me, it looks as there as an additional Authorisation step before getting the requested JSON response. Have you ever encountered that problem?

Kind regards,
FH

Please ignore my previous question 😁. Found the answer

Hi, Matthew.

This is the most active blog I have followed and I love the interaction below your blogs. I have a customer who has set up the SAC SSO, user mapping, role SAML mapping, and team SAML mapping. In this case, the SAC user attribute is always synchronized with the Azure IDP. And we have a question of overwriting: Do you know which modification method can overwrite the User attributes or Team assignment against the SAML synchronization?

Many thanks, Wu Dongxue

Hi Wu,

Many thanks for your feedback 🙂

I'm not entirely sure I've understood the question, but here goes...

... you are mapping attributes from SAML into SAP Analytics Cloud but you want to change what attributes are mapped so you can change them? (I think this is your question).

I hope this diagram I've just created will help. You can see the 'security-users' screen and it shows a 'link' icon for all the attributes that are mapped.

In my example, the email address is the property the users are identified with and you can see that by the icon on that column. If you had 'USERID' or 'CUSTOM' then that icon will be on a different column and it will match what is set in the 'menu-system-administration-Security-SAML SSO-Step 3-User Attribute'. (If you are using 'CUSTOM' then another column 'SAML MAPPING' will be shown in the menu-security-users screen).

The thing you are mapping users on, in my case email, is a property you can edit it, if and only if, its email or custom. If its USERID, then you can't edit that because USERIDs are editable.

The other things you are mapping 'First Name', 'Last Name', 'Display Name' are, by default, not editable because these are mapped from your custom IdP. That button (1) 'Map SAML User Properties' enables you to edit what is mapped, or not.

If you open that dialogue to show the 'Property Map Definitions', you can optionally delete any or all of these mappings. In my example, I've deleted the 'displayName' mapping (2) (3) and I then pressed save (4).

As the 'Display Name' is now not mapped, the 'link' icon next to the column is removed and I can also edit this value for a user unlike before (5). I can always re-map the attribute back, after I've made an ah-hoc change if I wanted to.

There's recently been a change to what can be stored in the 'Display Name' and it might mean this value isn't updated. Basically characters  < and > are now not allowed. Though there's a small bug when comma (,) and brackets and dot (.) and at sign (@) are also not allowed, but that should be resolved soon. Product Support are best to advise for your service as it depends!

Does this help?

Matthew

Hello

Sorry for this quick reply (on annual leave) but your question is simple.

Please visit https://blogs.sap.com/2023/07/05/sap-analytics-cloud-changes-with-managing-licenses-q3-2023/ and https://blogs.sap.com/2020/03/10/sap-analytics-cloud-managing-licenses-with-roles-and-teams/ for an faq on this exact question. I will be updating the user guide for these samples to reflect the changes in the API later.

Many thanks Matthew

Hi Mattias

I'm so very keen to get this out ASAP. I've just finished a bit more testing and it seems pretty good now.

Whilst it will be a little while until I have written and updated the user guide I thought I'd share a 'BETA' version of this new sample collection.

1. Download it now from GitHub
2. Import the new '665 AdminToolKit' collection into Postman App
3. Re-use an existing environment, BUT you might need to create a new OAuth client inside SAP Analytics Cloud. Why? Because this new update uses more than just the SCIM API 'service'. It also uses the 'Activities' and 'Story Listing'. So, if your existing OAuth client doesn't have these, you'll need to create a new one, with these services. It means the OAuth needs 3 services: SCIM, Activities and StoryListing. Once it has these 3, be sure to update your username/password client/secret inside your Postman Environment. (I will later create a 'test' to validate it, but not got the time for that now).
4. Run any of the sample data files. You'll find one that does them all!

A few bits of info to share until I write it up properly:

• It uses the SCIMv2 API to create teams, and this means the teams it creates will no longer be created with a team folder. Instead, any teams are created without a team folder.
• There are a good number of new 'tests' and the 'master template' data file has them all. However, with so many it was annoying to list them all. So almost all the fields are now optional, only 3 fields in the data file are mandatory: file_team, file_team_displayname and file_users_action. The sample data files provide great examples of what you can now omit which makes the files so much easier to read and use.

The new fields and conditions you can set are:

"file_action_users_created_recently": false,

"file_users_created_recently_in_days": 8,





"file_action_users_created_more_than_days_ago": false,

"file_users_created_more_than_days": 30,





"file_action_users_with_most_recent_login_at_least_days_ago": true,

"file_users_with_with_most_recent_login_at_least_days": 30,





"file_action_users_with_most_recent_login_within_last_days": true,

"file_users_with_with_most_recent_login_within_last_days": 7,





"file_action_users_with_fewer_logins_than": false,

"file_users_with_fewer_logins_than": 10,





"file_action_users_with_greater_logins_than": false,

"file_users_with_greater_logins_than": 100,





"file_action_users_with_fewer_logins_within_last_days": false,

"file_action_users_with_greater_logins_within_last_days": false,





"file_users_with_logins_within_last_days": 7,





"file_action_users_with_private_folder_content": false,

"file_action_users_without_private_folder_content": false,





"file_action_users_that_created_public_content": false,

"file_action_users_that_did_not_create_public_content": false

I need to write this up properly, but in short, these should explain themselves quite well. However, a few notes:

• if "file_action_users_with_fewer_logins_within_last_days" or "file_action_users_with_greater_logins_within_last_days" is true, then the value "file_users_with_logins_within_last_days" is used as the test for the tests "file_action_users_with_fewer_logins_than" and "file_action_users_with_greater_logins_than"

As you may expect, I've put a lot of thought into this, and these parameters allow for a great number of complex use cases, that actually are best explained and described by the sample data files. But to give you an idea, you can do things like: users that have not logged-in in the last 30 days, have 2 or fewer logins within the last 90 days, and were created over 30 days ago. You can then go on and make a more complex set of users, such as filtering out users that have public or private content.

The sample data file includes 'dormant' users:

• 665 sample - 33 - AdminToolKit_Users_Dormant_A__Created_3_Months_No_Recent_Login_Fewer_Than_3_Logins_Last_3_Months
• 665 sample - 34 - AdminToolKit_Users_Dormant_B__Dormant_A_Plus_No_Private_Folder_Content
• 665 sample - 35 - AdminToolKit_Users_Dormant_C__Dormant_B_Plus_No_Public_Folder_Content
• 665 sample - 36 - AdminToolKit_Users_Dormant_D__Dormant_C_Plus_Are_Not_Managers
• 665 sample - 37 - AdminToolKit_Users_Dormant_E__Dormant_D_Plus_Are_Activated
• 665 sample - 38 - AdminToolKit_Users_Dormant_F__Dormant_E_Plus_Are_Named_Licensed

You'll find the description in each of these data files provides a good summary of what they do.

It means, most can use re-use any one of these 'Domant' User sets and you'll be good to go. I've tried to do all the hard work and thinking so you don't need to.

file_action_users_that_created_public_content

When Public content is identified, it's only stories, applications, digital boardrooms, templates and insights. Sadly the API doesn't allow to models or other object types at the moment. This setting is handy, because it will identify users that created public content and could be the owner of such content. The biggest problem though, is that models are not identified.

file_action_users_with_private_folder_content

Users with Private content are identified by some logic that's not very obvious! There is no API that allows us to get the list of content from a user's personal folder.

• So I return all the resources from the repository (but this is limited as mentioned to only stories, applications, digital boardrooms, templates and insights, but it also gets back folders)
• Then I look at the path of that resource, not the property of the resource, there is no property that says this is public or private content, or who is the owner of it.
• From the path, I determine if it's a personal folder or not by the top folder name. If the top folder is either 'Users' or 'WORKSPACE', then I grab the username from its subfolder. For example, I get ADMIN from '/Users/ADMIN Private' and '/WORKSPACE/Users/ADMIN Private'. It means this isn't foul proof and it might be some language or translation issues may exist. Feedback welcome! 😉

Login Activity

I use the activities API to query the number and last time users log in. It means this only works if the activities exist and aren't deleted. I test to check the oldest activity timestamp and abort the script if their entry is too recent for the test you want to run. In summary, don't delete any of these activity logs and for this sample script, it uses only LOGIN activities. For more on the activities log check out my other blog.

Until I've written it up, I may not be able to help much more, but hope these brief notes will help you and others with the updated version. I'd love to hear if you find a bug or some improvement. Just comment back here and I'll take a look.

I've got some other tasks to do before I can refocus on the documentation for this, but hope to get something out in September now. Sorry for the delay.

[update] Sorry forgot to mention the obvious. Once you have these teams of users created, you can then run another sample script to delete them or remove those users of that team from other teams etc. It should help manage the lifecycle of your users and in particular, help identify the users that are safe (or safer) to delete. Remember there is NO API to automatically deactivate a user. For more on the license topic and deactivating check out my updated blog 

All the very best

Matthew

Hello Mattias

I presume you managed to import the collection okay now.

As mentioned in my comment above, there are many sample collections already available that combine these kinds of conditions. For what you want, this one would be ideal (665 sample - 34 - AdminToolKit_Users_Dormant_B__Dormant_A_Plus_No_Private_Folder_Content)

The reason why you're experiencing an 'OR' between the statements is because you've not set them to be an 'AND'. This is explained in detail in my user guide. It's the field: file_multiple_action_users_operator_is_AND.

My user guide explains when and where the AND can be used. It can't be used with the 'users_that_are_managers', which is why when we need to exclude users that are managers, we perform an invert and OR the opposite since "X and Y = NOT( X or Y )". An example data file is provided.

There's no need to create 2 different teams and then do logic on them, since my AdminToolKit script supports this kind of thing in a single pass. If you want to combine teams (add, remove, replace, intersect, exclude) then you can with sample script 653-T-Uc-Utr-Oarrkie-Fcj-Es-Teams on Teams. This is explained in detail in my user guide, but as I mentioned, there's no need to do that for this use case.

[update 1Sep2023: Forgot to mention, perhaps the obvious. You can just add another entry into the data file to update the same or a different team. The data file samples I provide all use the 'replace' action, but as my user guide explains, there are many more that allow complex set operations and includes: add, remove, replace, intersect, exclude, excludeall and invert. See the guide for more info please!  One of my sample data file shows multiple entries and basically combines all the samples into one]

Kind regards, Matthew

Hello Abhishek

In the latest update to the samples, version 0.8 which I published Friday, I added 2 new collections.

SCIM 1601-All_T-List all teams and SCIM 2601-All_T-List all teams. Both list all the teams. 1601 uses version 1 of the API, and 2601 uses version 2.

Both just read and no updates are performed. The updated user guide shows examples of the output made to the Postman console, which is a list of teams, each with the number of users and roles associated with them.

Both samples do all the pagination for you. Sample 1601 has code commented out which means all the users of each team are written to the console. I've commented this code out because the Postman console becomes very slow when you write a lot of text to it. But you have the option to list all the users of each team by a very simple edit. Here's a screenshot of 1601 'Tests' for the request 'READ teams page by page':

uncomment line 70 for this sample. You could do something similar with 2601.

I think this should help?

All the best, Matthew