Introduction
Most customers are moving to centralized identity management, so that access provisioning and role assignment for their various cloud applications can be handled centrally through APIs.
This can be implemented with APIs that follow the SCIM protocol. In this blog I will cover only SAP CPI (Cloud Platform Integration) platform/tenant access provisioning and user management through APIs.
Pre-Requisite
You should have SCP Cockpit access with Administrator role to create API Client.
Implementation
The OAuth 2.0 authentication mechanism is enabled for all the Platform Authorization Management APIs.
- In order to call the API methods you need an access token, so create an OAuth client first.
- Make sure the "readAccountMembers" and "manageAccountMembers" scopes are assigned while creating the OAuth client; these are the only scopes the calls below require.
To create the OAuth client, log on to the SCP Cockpit.
Make a note of the Client ID and Client Secret that were created in the above steps; the secret is shown only once and should be stored in a secret store, not in code or iFlow configuration in clear text.
Get an access token with the help of the following API:
URL: https://api.<region>.hana.ondemand.com/oauth2/apitoken/v1?grant_type=client_credentials
Method-POST
Platform API to get all users from the tenant/platform using API
URL : https://api.<Region>.hana.ondemand.com/authorization/v1/platform/accounts/<sub-account-name>/Users
Method-GET
Platform API to get specific user details from the tenant/platform using API
URL : https://api.<Region>.hana.ondemand.com/authorization/v1/platform/accounts/<sub-account-name>/Users/<user-id>
Method-GET
Platform API to add new user to the tenant/platform using API
URL : https://api.<Region>.hana.ondemand.com/authorization/v1/platform/accounts/<sub-account-name>/Users
Method-POST
Headers-Content-type: application/scim+json
Body-
Sample structure of a user:
You can also refer to the sample structure in SAP Help.
{
  "schemas": [
    "urn:sap:cloud:scim:schemas:extension:custom:2.0:UserExt",
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "userName": "S0012345678",
  "name": {
    "familyName": "LastName",
    "givenName": "FirstName"
  },
  "emails": [
    {
      "value": "firstname.lastname@domain.com",
      "primary": true
    }
  ],
  "roles": [
    {
      "value": "Developer",
      "primary": false,
      "type": "Predefined"
    },
    {
      "value": "ReadOnly",
      "primary": false,
      "type": "Predefined"
    }
  ]
}
Platform API to Remove/Delete the user from tenant/platform using API
URL : https://api.<Region>.hana.ondemand.com/authorization/v1/platform/accounts/<sub-account-name>/Users/<user-id>
Method-DELETE
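The complete cycle described above (get a token, create a user from the SCIM structure, list and read users, then delete), as an added example that is not part of the original post. It uses only the endpoints and headers shown above; everything else is an assumption: the token request is assumed to pass the client ID and secret as HTTP Basic credentials and to return JSON with an "access_token" field, the list response is assumed to use the SCIM "Resources" array, and the HTTP transport is injected so that the constructed in-memory FakeTenant lets the flow run offline without real credentials.

```python
import base64
import json
from typing import Callable, Dict, List, Optional, Tuple

# A transport takes (method, url, headers, body) and returns (status, headers, body).
# Injecting it keeps the client testable and keeps credentials out of the calling code.
Response = Tuple[int, Dict[str, str], bytes]
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Response]

SCIM_CONTENT_TYPE = "application/scim+json"  # header from the post
USER_SCHEMAS = [
    "urn:sap:cloud:scim:schemas:extension:custom:2.0:UserExt",
    "urn:ietf:params:scim:schemas:core:2.0:User",
]


def build_scim_user(user_name: str, given_name: str, family_name: str,
                    email: str, roles: List[str]) -> dict:
    """Return a SCIM User document in the shape shown in the post."""
    return {
        "schemas": USER_SCHEMAS,
        "userName": user_name,
        "name": {"familyName": family_name, "givenName": given_name},
        "emails": [{"value": email, "primary": True}],
        "roles": [{"value": r, "primary": False, "type": "Predefined"} for r in roles],
    }


class PlatformUserClient:
    def __init__(self, region: str, subaccount: str, transport: Transport):
        self.base = f"https://api.{region}.hana.ondemand.com"
        self.users_url = f"{self.base}/authorization/v1/platform/accounts/{subaccount}/Users"
        self._send = transport
        self._token: Optional[str] = None

    def fetch_token(self, client_id: str, client_secret: str) -> str:
        url = f"{self.base}/oauth2/apitoken/v1?grant_type=client_credentials"
        # Assumption: client id/secret travel in an HTTP Basic header (never in the URL),
        # and the response is JSON carrying an "access_token" field.
        creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        status, _, body = self._send("POST", url, {"Authorization": f"Basic {creds}"}, None)
        if status != 200:
            raise RuntimeError(f"token request failed: HTTP {status}")
        self._token = json.loads(body)["access_token"]
        return self._token

    def _call(self, method: str, url: str, body: Optional[dict] = None):
        if self._token is None:
            raise RuntimeError("fetch_token() must be called first")
        headers = {"Authorization": f"Bearer {self._token}"}
        payload = None
        if body is not None:
            headers["Content-Type"] = SCIM_CONTENT_TYPE
            payload = json.dumps(body).encode()
        status, _, raw = self._send(method, url, headers, payload)
        if status >= 400:  # fail closed; do not echo the token into the error
            raise RuntimeError(f"{method} {url} failed: HTTP {status}")
        return json.loads(raw) if raw else None

    def list_users(self):
        return self._call("GET", self.users_url)

    def get_user(self, user_id: str):
        return self._call("GET", f"{self.users_url}/{user_id}")

    def create_user(self, user: dict):
        return self._call("POST", self.users_url, user)

    def delete_user(self, user_id: str):
        return self._call("DELETE", f"{self.users_url}/{user_id}")


class FakeTenant:
    """Constructed in-memory stand-in for the platform so the flow runs offline.
    It enforces the bearer token and the SCIM content type the way a server would."""

    def __init__(self):
        self.users: Dict[str, dict] = {}
        self.token = "constructed-token"  # constructed value, not a real token

    def __call__(self, method, url, headers, body) -> Response:
        if "/oauth2/apitoken/v1" in url:
            return 200, {}, json.dumps({"access_token": self.token}).encode()
        if headers.get("Authorization") != f"Bearer {self.token}":
            return 401, {}, b""
        uid = url.rsplit("/Users", 1)[1].lstrip("/")
        if method == "POST":
            if headers.get("Content-Type") != SCIM_CONTENT_TYPE:
                return 415, {}, b""
            user = json.loads(body)
            self.users[user["userName"]] = user
            return 201, {}, json.dumps(user).encode()
        if method == "GET" and not uid:
            return 200, {}, json.dumps({"Resources": list(self.users.values())}).encode()
        if method == "GET":
            return (200, {}, json.dumps(self.users[uid]).encode()) if uid in self.users else (404, {}, b"")
        if method == "DELETE":
            return (200, {}, b"") if self.users.pop(uid, None) else (404, {}, b"")
        return 405, {}, b""


def provisioning_cycle(transport: Transport):
    """Run create -> list -> read -> delete and return what each step produced."""
    client = PlatformUserClient("eu1", "mysubaccount", transport)  # placeholder region/subaccount
    client.fetch_token("client-id-placeholder", "client-secret-placeholder")
    user = build_scim_user("S0012345678", "FirstName", "LastName",
                           "firstname.lastname@domain.com", ["Developer", "ReadOnly"])
    created = client.create_user(user)
    listed = client.list_users()
    fetched = client.get_user("S0012345678")
    client.delete_user("S0012345678")
    after = client.list_users()
    return created, listed, fetched, after


if __name__ == "__main__":
    print(json.dumps(provisioning_cycle(FakeTenant()), indent=2))
```

To run against a real tenant, replace FakeTenant with a thin wrapper around an HTTP library that returns the same (status, headers, body) triple, and read the client secret from an environment variable or secret store. The client scopes needed are only "readAccountMembers" and "manageAccountMembers", so an OAuth client created for this job should carry nothing more.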
Conclusion
The idea was to cover only platform access provisioning and user management through the API.
We can make use of these APIs in scenarios where other cloud applications want to integrate with SAP CPI and manage access provisioning there.
Exposing a customized service, designed as iFlows, to consumers restricts the operations they can perform and keeps access controlled, rather than handing the APIs and OAuth details to the consumers directly.
You can also manage roles and groups for the platform users by consuming the Authorization Management REST APIs.
References
Authorization Management API: https://api.hana.ondemand.com/authorization/v1/documentation
Platform Authorization Management API: https://help.sap.com/viewer/ea72206b834e4ace9cd834feed6c0e09/Cloud/en-US/eb01a9f3ecad4a41a6033855ca6...
Hope this blog served its purpose! Please do try to access these APIs and let me know your thoughts.
Regards,
Prabhugoud Gogi