Challenge

SAP Analytics Cloud is becoming more important within the SAP landscape when it comes to visualizing data from the customer ecosystem. With that comes a major increase in user administration and management. In particular, if you want to synchronize your BW roles with an SAC team to easily maintain the rights to a functional folder structure, there is currently no built-in way to bring your BW roles and their assigned users into a team in SAC.

In my role as a solution consultant for almost 10 years this issue has come up with customers starting with SAP Analytics Cloud, but also with customers using the product for quite some time.

With the SCIM User Management API it is now possible to create teams and assign users programmatically. But there are still some steps to overcome in order to synchronize the role assignments from your leading system, such as SAP Business Warehouse.

If you want to know more about the API, please check out the documentation.

https://help.sap.com/viewer/298f82da4b184d1fb825b7ffe365e94a/release/en-US/b687e9589b834a2db872414b0b8d3a12.html

Objective

This How-To will not primarily focus on the Authentication Setup, because this is mentioned in several other Blog Posts, but I wanted to point out the main topics in making OAuth2.0 work, because troubleshooting can be quite frustrating and time consuming.

However, I will provide you with an ABAP report that uses the SCIM API to bring your roles to a team in SAP Analytics Cloud and synchronize the user assignment. This can be useful if you have a fresh SAP Analytics Cloud system and just want to use the same roles and authorization assignments from SAP Business Warehouse. You can also schedule the report to sync on a daily basis. Users removed from the role in SAP BW will also be removed from the team assignment.

Solution

  1. Create OAuth 2.0 Client in SAP Analytics Cloud
  2. Creation and Configuration of OAuth 2.0 Profile in SAP
  3. Authorization for OAuth 2.0
  4. Whitelisting HTTP Calls to SAP Analytics Cloud in SAP
  5. ABAP Report

1. Create OAuth 2.0 Client in SAP Analytics Cloud

  • Go to Administration -> App Integration -> Add a new OAuth Client
  • Purpose = Interactive Usage and API Access
  • Access = User Provisioning
  • Redirect URL: https://<host_name>:<https_port>/sap/public/bc/sec/oauth2/client/redirect?sap-client=<client_id>
Fig. 1

2. Creation and Configuration of OAuth 2.0 Profile in SAP

https://blogs.sap.com/2020/12/18/configuring-oauth-2.0-and-creating-an-abap-program-that-uses-oauth-2.0-client-api/

3. Authorization for OAuth 2.0

Make sure the user executing the report has the following authorization assigned:

https://help.sap.com/docs/SAP_NETWEAVER_AS_ABAP_752/916a7da9481e4265809f28010a113a6a/6f679081b5444f91bf68e600025c2cf6.html?locale=en-US

4. Whitelisting HTTP Calls to SAC in SAP

Transaction: UCONCOCKPIT

https://help.sap.com/docs/SAP_NETWEAVER_750/1ca554ffe75a4d44a7bb882b5454236f/1bf4b153a58644c6b6ee618e95af3b3e.html?version=7.5.21

5. ABAP Report

The ABAP program is hosted on GitHub and contains six methods to sync your roles.

  • Get the users assigned to the BW role you want to create a team from.
    • Input: name of the BW role
  • Connect with OAuth.
  • Get all users from SAC.
  • Match users by email address or by user ID (selection screen choice).
  • Create a team. (If the team already exists, only the user sync is triggered.)
  • Assign the users to the created team.
Fig. 2

Please check out the code in the public GitHub repository. (Feedback is welcome.)

https://github.com/zpartner/SCIM_API_SYNC_BW_ROLE/blob/main/src/zscim_create_team_git.prog.abap

Program Screen:

Fig. 3

How does the user matching work?

If you have selected email address matching, the tables “usr21” and “adr6” are joined to get the email address information, which is then matched against the email addresses of the SAC users.

When user ID is selected, the user ID (bname) from table “usr21” is matched against the user ID from SAP Analytics Cloud.
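The matching and sync logic described above, sketched in Python as an added example; it is not the author's ABAP report. The function names, the case-insensitive comparison, the refusal to assign when one key hits several SAC accounts, and the sample records are all assumptions of this sketch. The Group body uses only RFC 7643 core attributes; take the exact attribute set SAC expects from the SAP documentation linked above.

```python
# Added illustration in Python (the report on this page is ABAP).
# All function names and sample records below are constructed for this example.
SCIM_GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"  # RFC 7643

def _norm(value):
    """Normalise a match key; None and blanks become the empty string."""
    return (value or "").strip().lower()

def match_users(bw_users, sac_users, mode="email"):
    """Return (matched SAC ids, unmatched BW names, ambiguous BW names)."""
    index = {}
    for user in sac_users:
        key = _norm(user["email"] if mode == "email" else user["id"])
        if key:  # never index blank keys, so blank never equals blank
            index.setdefault(key, []).append(user["id"])
    matched, unmatched, ambiguous = set(), [], []
    for bw in bw_users:
        hits = index.get(_norm(bw["email"] if mode == "email" else bw["bname"]), [])
        if len(hits) == 1:
            matched.add(hits[0])
        elif hits:  # one key, several SAC accounts: do not guess
            ambiguous.append(bw["bname"])
        else:
            unmatched.append(bw["bname"])
    return matched, unmatched, ambiguous

def plan_team_sync(team_name, matched, current_members):
    """Diff desired against current membership and build the Group resource."""
    return {
        "add": sorted(matched - current_members),
        "remove": sorted(current_members - matched),  # no longer in the BW role
        "body": {"schemas": [SCIM_GROUP_SCHEMA], "displayName": team_name,
                 "members": [{"value": uid} for uid in sorted(matched)]},
    }

# Constructed sample data standing in for the usr21/adr6 join and the SAC user list.
BW_USERS = [{"bname": "JDOE", "email": "John.Doe@example.com"},
            {"bname": "ASMITH", "email": "a.smith@example.com"},
            {"bname": "NOMAIL", "email": ""},
            {"bname": "SHARED", "email": "team@example.com"}]
SAC_USERS = [{"id": "JDOE", "email": "john.doe@example.com"},
             {"id": "ASMITH_SAC", "email": "A.Smith@example.com"},
             {"id": "T1", "email": "team@example.com"},
             {"id": "T2", "email": "team@example.com"},
             {"id": "NOADDR", "email": ""}]
```

Reviewing the unmatched and ambiguous lists before each sync shows which BW users did not receive team access and why.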

Result:

The team is created and the respective users are assigned to it. If the team already exists, all relevant users are synchronized. Users removed from the BW role are then also removed from the team.

After program execution you will get an overview of the BW User Count (assigned to role), the SAC User count (total number of users on your system). Furthermore, the program states whether a team was created or just synchronized. Also, the total number of assigned users is shown within the last message.

Fig. 4

Additional Note:

The team folder is created automatically and can be deleted within the system view.

Fig. 5

Conclusion

With that solution you are able to synchronize BW Roles and Users with SAP Analytics Cloud Teams and Users. Going one step further could lead to a harmonization of roles in SAP BW with Teams in SAP Analytics Cloud having SAP BW as the place to maintain roles for end-users for both systems. A good architecture of BW Roles with a consistent naming concept could help a lot to reach that goal.

Please let me know if you have any questions about this blog or if you have further feature requests regarding this topic. Your feedback is appreciated.

If you liked this blog post, make sure to follow. The next blog will cover the Export API, integrating data from SAP Analytics Cloud into SAP BW.

Thanks!