Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
Showing results for 
Search instead for 
Did you mean: 
Product and Topic Expert
Product and Topic Expert

Quite recently I needed to use the REST APIs to manage users/groups programmatically with eSAC (embedded SAP Analytics Cloud)

And to my astonishment I hit a roadblock when trying to create or modify users (POST and PUT verbs). Even if I followed the documentation I would always get a 403 (forbidden) error code.

Then I realised this is also happening with other REST APIs like the story management as well.

Why 403 with x-csrf-token present ?

When using the User Management SCIM REST APIs with SAP Analytics Cloud to modify users you must provide the x-csrf-token header obtained with a previous SCIM API GET call (with the x-csrf-token header set to 'fetch').

That's documented. What is not documented is that in order to be able to validate the x-csrf-token you must add a session cookie header as well.

The x-csrf-token is valid for as long as its session is valid thus if the session cookie header is missing in any POST/PUT/PATCH/DELETE REST API call the x-csrf-token validity cannot be asserted and the call will return 403 (forbidden) error code.

That's very nicely explained in the following blog: How CSRF tokens work in SAP web services


403 Conclusion.

For instance, when using Postman version with Postman Interceptor, the cookies (there may be several of them) from the set-cookie response header will be most likely added [by Postman Interceptor itself] from the preceding GET call to the next POST/PUT/PATCH/DELETE call.

But, if you are like me and need to write your own code or prefer using a different testing framework like SAP API Business Hub, this will likely not happen automatically.

The session cookie generated in a GET call is a server side cookie (HTTP-only, secure and same site none) available in the set-cookie response header.

  • I recommend you initially grab the entire content of the GET response set-cookie header.

  • if there is more than one cookie you may just need the JSESSIONID cookie content…

  • Then manually add it as your cookie header in your POST/PUT depicted in the below code snippet:

// retrieve the cookies and the x_csrf_token with any GET SCIM API call
var x_csrf_token_ = response.headers["x-csrf-token"];
var setcookies_ = response.headers["set-cookie"];

// Here go the headers for any POST/PUT/PATCH/DELETE SCIM API call
headers: {
"Authorization": 'Bearer ' + logonToken, // mandatory
//"Accept": "application/json",
"Content-Type": "application/json",
"Cookie": setcookies_, // mandatory: from the preceding GET API call
'x-sap-sac-custom-auth': 'true', // mandatory: at least with eSAC
"X-Csrf-Token" : x_csrf_token_ // mandatory: from the preceding GET API call


Additional resources.

Issues with CSRF token and how to solve them

SAP Analytics Cloud User and Team Provisioning API 

SAP Analytics Cloud SCIM (/api/v1/scim/)

2867938 - How to use SCIM API within SAP Analytics Cloud when using Azure AD as custom SAML provider

Implement X-CSRF pattern | Microsoft Docs

CSRF Token handling in SAP API Management | SAP Blogs