Comprehensive Overview: SCIM API for SAP Datasphere User Management 

Introduction 

In Q3 2024, SAP introduced the SCIM (System for Cross-domain Identity Management) API for SAP Datasphere to enhance user management through a consistent, REST-based protocol. This API currently supports the following operations: 

  • CRUD (Create, Read, Update, Delete) operations for users 
  • Assign users to existing roles (Note: Creating new roles via API is not supported, as mentioned in the documentation) 
  • List all users 
  • Retrieve API information (e.g., identity provider, available schemas, resource types) 

This blog provides a detailed overview, complementing the official SAP Documentation . Most of the examples referenced are consistent with the SAP documentation examples. Next to the documentation, the aim is to give a comprehensive overview with examples and provide a Postman collection for testing on your own. 

In this Repository you can find a Postman collection to test the SCIM API. 

Setup 

The first step is to create an OAuth client in your SAP Datasphere tenant with the appropriate settings. Make sure to note down the Client ID and Client Secret for token retrieval. 

Screenhot oauth client

You will also need the Token URL from the App Integration section.

Screenshot token URL

 

Login and CSRF Token Retrieval 

To obtain the bearer token, make a POST or GET request to the following endpoint: 

https://<token_url>/oauth/token?grant_type=client_credentials

The request will then look like this: 

Screenshot Login cURL
  • Authorization: Use Basic Authentication with the OAuth Client ID as the username and the OAuth Client Secret as the password, both of which were obtained when creating the OAuth client. 
  • Response: Upon a successful request, the response will contain the access token. 

In the response we will then receive the Access Token: 

Screenshot Access Token

Once you have obtained the access token, you can request the CSRF token by sending a GET request to the following endpoint: 

https://<tenant_url>/api/v1/csrf

The request will look like this: 

Screenshot csfr cURL

The request must include the following headers: 

  • Authorization: Bearer <Access_Token> (the token obtained in the previous step) 
  • x-sap-sac-custom-auth: true 
  • x-csrf-token: fetch 

The CSRF token can be found in the response header under the x-csrf-token key.

Screenshot response csfr

CRUD Operations 

For all subsequent API requests, it is essential to include the Bearer token and the x-sap-sac-custom-auth: true header in the request.  See the header example below: 

Screenshot get_call_header_curl


 Additionally, for any PUT, POST, PATCH, or DELETE requests, you must include the retrieved CSRF token in the request header as x-csrf-token: <token>. See the header with the x-csrf-token below: 

Screenshot post_call_header

GET Users and Individual User 

To get a list of all users or information about a specific user, you can use the following endpoints: 

https://<tenant_url>/api/v1/scim2/Users

https://<tenant_url>/api/v1/scim2/Users/<user ID> 

The response for an individual user looks like this: 

Screenshot User Response

Create User 

To create a new user, send a POST request to the following endpoint: 

https://<tenant_URL>/api/v1/scim2/Users

In the request payload, you must provide the user details. You can also assign roles to the user at the time of creation, as shown in the sample payload below:

Screenshot create user

 

Note: This example is taken from the SAP documentation for consistency. 

Modify User 

To modify an existing user, use either a PUT or a PATCH request: 

  • PUT: This request will overwrite all properties of the user with the values specified in the request payload. 
  • PATCH: This request updates only the specified properties, leaving the rest unchanged. 

The endpoint for user modification is as follows: 

https://<tenant_url>/api/v1/scim2/Users/<user ID> 

Delete User 

To delete a user, you need to send a DELETE request to the following endpoint, providing the user’s ID: 

https://<tenant_url>/api/v1/scim2/Users/<user ID> 

You can retrieve the user ID by performing a GET request to list all users. 

Bulk Operations 

The SCIM API also supports bulk operations, allowing you to perform multiple actions in a single request. To perform a bulk operation, send a POST request to the following endpoint: 

https://<tenant_URL>/api/v1/scim2/Bulk

For example, you can create multiple users with one API call by specifying the details in the request payload. A detailed example of a bulk operation payload can be found in the official SAP Documentation.

Conclusion 

The SCIM API for SAP Datasphere enables efficient user management through a REST-based protocol, supporting CRUD operations, role assignments, and bulk actions. This blog provides an in-depth overview of the API endpoints and usage, complementing the official SAP documentation. For more detailed examples and use cases, the SAP documentation remains an invaluable resource. 

Autor: Christian Willi

Christian has been working as a Business Intelligence Consultant at ZPARTNER since 2020. He is specialized in advanced SAP BW/4HANA, HANA native modeling and SAP Datasphere solutions. Christian has a strong technical background in ABAP programming, AMDP transformations, Python-based data processing. He has worked in projects in various industries and developed solutions for complex data extraction, integration and modeling.