SAP Cloud Platform Integration (CPI) is one of the SAP Cloud Platform (SCP) services. SCP administrators typically manage CPI authorization groups, roles and their assignments to users through the SCP Cockpit in a web browser.
There is another, smarter way of performing authorization management: the SAP Cloud Platform APIs.
Use of the SCP Authorization Management REST APIs is not limited to the CPI service; it extends to other subscriptions/services under SCP sub-accounts. These APIs can be used where user assignment needs to happen in a controlled manner, to enforce security policies, audit and compliance from SAP GRC or other user management and governance products. The User Management REST APIs are available in the SAP Cloud Platform API Documentation but are not listed (as of now) on the SAP API Business Hub.
Let's get into action and perform authorization management on CPI using the REST APIs.
Manage Authorizations from SCP Cockpit - Web UI:
SCP > Sub-account > 'Security' > 'Authorizations' > 'Groups' > 'New Group' + Assign 'Roles'/'Users'
Manage Authorizations from SCP - Authorization Management APIs:
Prerequisites:
Access to the SCP Cockpit with the Developer/Administrator role to create an OAuth Platform API client.
SCP > Sub-account > 'Members' > 'Add Members'
Authorization Management API - Operations:
- Groups - Manage groups and their assignments to users and roles within the specified account.
- Roles - Manage roles and their assignments to users and groups in the specified account and application.
- Users - Manage role and group assignments to the specified user.
Procedure:
Step 1:
Create OAuth Platform API client credentials - To invoke APIs on SCP, OAuth client credentials are required. Client credentials are specific to an SCP sub-account.
Step 2:
Invoke Authorization Management REST APIs - Use the Bearer token retrieved in the step 1 response and execute the REST method (GET/PUT/POST/DELETE) for the respective API operation.
Execute the scenario:
Step 1: Create OAuth Platform API Client Credentials
SAP Cloud Platform APIs are protected by OAuth 2.0 with the Client Credentials grant type. Follow the steps below to create a Platform API client on SAP Cloud Platform.
SCP > Sub-account > 'Security' > 'OAuth' > 'Platform API' tab > 'Create API Client'
Give the API client a meaningful description and select the scope of APIs for which these OAuth client credentials will be used. For this exercise, select the checkbox 'Authorization Management' and click Save. This generates OAuth client credentials for consuming Platform APIs, as in the snapshot below. Note the Client ID and Client Secret; they serve like a user ID and password for obtaining the OAuth token.
Now it's time to call the OAuth endpoint for Platform APIs and get the token, which is valid for only 25 minutes. Let's use the Postman tool to explore the OAuth token.
SCP Token Endpoint:
https://api.{landscapeHost}/oauth2/apitoken/v1
{landscapeHost} - this corresponds to the region on which SCP is hosted for your account.
For this example, the CPI tenant is running in the us2 region (https://lxxxx-tmn.hci.us2.hana.ondemand.com/itspaces/). Accordingly, the OAuth token endpoint URL is built as below.
Token endpoint URL:
https://api.us2.hana.ondemand.com/oauth2/apitoken/v1?grant_type=client_credentials
Select 'Basic Auth' as the authorization type, pass the OAuth client credentials generated earlier as below, and execute the OAuth endpoint URL with the POST method.
The response contains the Bearer token. We will use this token to execute the Authorization Management APIs.
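The token retrieval just described, as an added Python example that is not part of the original post: it builds the POST with Basic auth from the Client ID and Client Secret, parses the token response, and caches the bearer token so it is refreshed shortly before the 25-minute validity runs out instead of being requested on every call. The credentials are constructed placeholders, the names `TokenCache` and `constructed_token_transport` are this example's own, the response field names (`access_token`, `expires_in`) are an assumption based on standard OAuth 2.0 token responses, and the offline transport is a constructed stand-in for the SCP token endpoint.

```python
import base64
import json
import time
import urllib.request

TOKEN_PATH = "/oauth2/apitoken/v1"   # token endpoint path from the post
TOKEN_LIFETIME_SECONDS = 25 * 60     # the post states the token is valid for 25 minutes


def build_token_request(landscape_host, client_id, client_secret):
    """Build the POST described in step 1: Basic auth carrying the Platform API
    client credentials, with grant_type=client_credentials as a query parameter."""
    url = f"https://api.{landscape_host}{TOKEN_PATH}?grant_type=client_credentials"
    pair = f"{client_id}:{client_secret}".encode("utf-8")
    req = urllib.request.Request(url, data=b"", method="POST")
    req.add_header("Authorization", "Basic " + base64.b64encode(pair).decode("ascii"))
    req.add_header("Accept", "application/json")
    return req


def send_with_urllib(req):
    """Real transport: returns the response body as text; raises on HTTP errors."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


def constructed_token_transport(token_value="tok-1"):
    """Constructed stand-in for the SCP token endpoint so the example runs offline.
    It records every request it receives. The response shape (access_token, token_type,
    expires_in) follows OAuth 2.0 and is an assumption about the real endpoint."""
    received = []

    def send(req):
        received.append(req)
        return json.dumps({"access_token": token_value, "token_type": "Bearer",
                           "expires_in": TOKEN_LIFETIME_SECONDS})

    send.received = received
    return send


class TokenCache:
    """Fetches a bearer token once and reuses it until shortly before expiry.
    The client secret stays inside this object; it is never logged or returned."""

    def __init__(self, landscape_host, client_id, client_secret,
                 send=send_with_urllib, clock=time.time, refresh_margin=60):
        self._host, self._id, self._secret = landscape_host, client_id, client_secret
        self._send, self._clock, self._margin = send, clock, refresh_margin
        self._token, self._expires_at = None, 0.0

    def bearer_token(self):
        now = self._clock()
        # Refresh when no token is held or when the 25-minute validity is about to lapse.
        if self._token is None or now >= self._expires_at - self._margin:
            body = json.loads(self._send(build_token_request(self._host, self._id, self._secret)))
            self._token = body["access_token"]
            # expires_in is the standard OAuth 2.0 field; fall back to the 25 minutes the post states.
            self._expires_at = now + int(body.get("expires_in", TOKEN_LIFETIME_SECONDS))
        return self._token

    def authorization_header(self):
        """Header to attach to every Authorization Management API call (step 2)."""
        return {"Authorization": f"Bearer {self.bearer_token()}"}


if __name__ == "__main__":
    # Offline demonstration with constructed credentials and the constructed transport.
    transport = constructed_token_transport()
    cache = TokenCache("us2.hana.ondemand.com", "constructed-client-id",
                       "constructed-secret", send=transport)
    print(cache.authorization_header())
    print("token requests sent:", len(transport.received))
```

To call the real endpoint, leave the `send` argument at its default (`send_with_urllib`) and pass the landscape host of your region; read the Client ID and Client Secret from a secret store or environment variable rather than embedding them in code, since they grant the whole Authorization Management scope selected for the API client.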
Step 2: Invoke Authorization Management REST APIs
API URL extensions vary for each API operation. Refer to the detailed API documentation on the Authorization Management APIs. In this exercise, let's execute some of the operations and learn how to interpret the API documentation and execute REST API calls.
API Endpoint URL:
https://api.{landscapeHost}/authorization/v1
Examples:
# Get Groups - To retrieve all the existing groups, use the API endpoint extension '/accounts/{accountName}/groups'.
Get the accountName of the respective SCP sub-account to which the CPI tenant is linked and under which the OAuth client credentials were created.
Resolves into:
https://api.us2.hana.ondemand.com/authorization/v1/accounts/test00500/groups
Pass the Bearer token generated in step 1 and execute the GET method as below.
# Get Users - To retrieve the users of a group, use the API endpoint extension '/accounts/{accountName}/groups/users'.
Resolves into:
https://api.us2.hana.ondemand.com/authorization/v1/accounts/test00500/groups/users?groupName=ZGRP_ServiceAccounts
Pass the Bearer token generated in step 1 and execute the GET method as below.
# Get Roles - To retrieve the roles assigned to a group, use the API endpoint extension '/accounts/{accountName}/groups/roles'.
Resolves into:
https://api.us2.hana.ondemand.com/authorization/v1/accounts/test00500/groups/roles?groupName=ZGRP_Administrators
Pass the Bearer token generated in step 1 and execute the GET method as below.
# Add Users - To add users to an existing group, use the API endpoint extension '/accounts/{accountName}/groups/users'.
Resolves into:
https://api.us2.hana.ondemand.com/authorization/v1/accounts/test00500/groups/users?groupName=ZGRP_ServiceAccounts
Pass the Bearer token generated in step 1 and execute the PUT method as below.
This REST operation added the S-User; the result can be validated from the SCP Cockpit web UI (shown under the section 'Manage Authorizations from SCP Cockpit - Web UI').
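The four operations above, as an added Python example that is not code from the post: it resolves the endpoint extensions and the groupName query parameter into the full URLs, attaches the bearer token obtained in step 1, and raises on 4xx responses so a rejected token (401, which is what an expired 25-minute token produces) or a mistyped group name (404) is not silently treated as success. The account name `test00500`, the group names and the landscape host are taken from the post; the user IDs, role names and JSON response shapes of the in-memory stand-in are constructed, and the PUT body shape `{"users": [{"name": ...}]}` for adding users is an assumption to be checked against the API documentation. `AuthorizationClient` and `constructed_fake_account` are this example's own names.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

API_BASE_PATH = "/authorization/v1"   # Authorization Management API base path from the post


class AuthorizationApiError(Exception):
    """Raised for any 4xx/5xx answer so callers cannot mistake a failed change for a successful one."""

    def __init__(self, status, body):
        super().__init__(f"HTTP {status}: {body[:200]}")
        self.status, self.body = status, body


def auth_api_url(landscape_host, account_name, resource, **query):
    """Resolve an endpoint extension such as 'groups', 'groups/users' or 'groups/roles'
    into the full URL, adding query parameters (groupName=...) as in the post."""
    url = (f"https://api.{landscape_host}{API_BASE_PATH}/accounts/"
           f"{urllib.parse.quote(account_name, safe='')}/{resource}")
    return url + "?" + urllib.parse.urlencode(query) if query else url


def build_api_request(method, url, bearer_token, body=None):
    """Attach the bearer token from step 1; JSON-encode a body only when one is given (PUT/POST)."""
    data = json.dumps(body).encode("utf-8") if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {bearer_token}")
    req.add_header("Accept", "application/json")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    return req


def send_with_urllib(req):
    """Real transport: returns (status, body text) and does not raise on 4xx/5xx."""
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


class AuthorizationClient:
    def __init__(self, landscape_host, account_name, bearer_token, send=send_with_urllib):
        self._host, self._account = landscape_host, account_name
        self._token, self._send = bearer_token, send

    def _call(self, method, resource, body=None, **query):
        url = auth_api_url(self._host, self._account, resource, **query)
        status, text = self._send(build_api_request(method, url, self._token, body))
        if status == 401:  # usually an expired token: obtain a fresh one via step 1, do not retry blindly
            raise AuthorizationApiError(status, "bearer token rejected; refresh it via step 1")
        if status >= 400:
            raise AuthorizationApiError(status, text)
        return status, (json.loads(text) if text else None)

    def list_groups(self):                     # GET /accounts/{accountName}/groups
        return self._call("GET", "groups")[1]

    def group_users(self, group_name):         # GET /accounts/{accountName}/groups/users?groupName=...
        return self._call("GET", "groups/users", groupName=group_name)[1]

    def group_roles(self, group_name):         # GET /accounts/{accountName}/groups/roles?groupName=...
        return self._call("GET", "groups/roles", groupName=group_name)[1]

    def add_users_to_group(self, group_name, user_ids):   # PUT /accounts/{accountName}/groups/users?groupName=...
        # Body shape {"users": [{"name": ...}]} is an assumption; check the API documentation.
        body = {"users": [{"name": uid} for uid in user_ids]}
        return self._call("PUT", "groups/users", body, groupName=group_name)[0]


def constructed_fake_account(groups):
    """Constructed in-memory stand-in for the SCP endpoint (group name -> (users, roles)) so the
    example runs offline; its response shapes are assumptions, not the documented ones."""
    state = {name: {"users": list(u), "roles": list(r)} for name, (u, r) in groups.items()}

    def send(req):
        if not (req.get_header("Authorization") or "").startswith("Bearer "):
            return 401, json.dumps({"error": "unauthorized"})
        parts = urllib.parse.urlsplit(req.full_url)
        query = dict(urllib.parse.parse_qsl(parts.query))
        path, method = parts.path, req.get_method()
        if path.endswith("/groups") and method == "GET":
            return 200, json.dumps({"groups": [{"name": g} for g in state]})
        group = state.get(query.get("groupName"))
        if group is None:
            return 404, json.dumps({"error": "group not found"})
        if path.endswith("/groups/users") and method == "GET":
            return 200, json.dumps({"users": [{"name": u} for u in group["users"]]})
        if path.endswith("/groups/roles") and method == "GET":
            return 200, json.dumps({"roles": [{"name": r} for r in group["roles"]]})
        if path.endswith("/groups/users") and method == "PUT":
            for user in json.loads(req.data.decode("utf-8"))["users"]:
                if user["name"] not in group["users"]:
                    group["users"].append(user["name"])
            return 200, ""
        return 405, json.dumps({"error": "unsupported operation"})

    return send


if __name__ == "__main__":
    # Offline run against the constructed stand-in with constructed user IDs and role names.
    fake = constructed_fake_account({"ZGRP_ServiceAccounts": (["P0001"], ["ROLE_ONE"])})
    client = AuthorizationClient("us2.hana.ondemand.com", "test00500", "constructed-token", send=fake)
    print(client.group_users("ZGRP_ServiceAccounts"))
    print("PUT status:", client.add_users_to_group("ZGRP_ServiceAccounts", ["S0002"]))
    print(client.group_users("ZGRP_ServiceAccounts"))
```

Reading the group back after the PUT, as the `__main__` block does, is the programmatic counterpart of the Cockpit check the post describes; an i-flow that performs assignments on behalf of a GRC process should log that before/after membership together with the caller's identity so every change is traceable.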
With this, we know how to interpret the API documentation and execute Authorization Management REST API calls (PUT/GET).
In a similar way, the other API operations and their respective methods can be executed by following the Authorization Management API documentation.
With this understanding, we can create integration flows in CPI that manage authorization groups, roles and users, using the HTTP adapter to call these REST operations. Such i-flows can be consumed by SAP GRC/user management tools in a controlled manner.
Enjoy exploring the APIs!