Follow this procedure to set up SAP Analytics Cloud as a source system.
-
In SAP Analytics Cloud, you have enabled a custom SAML Identity Provider, for which User Attribute is set to Custom SAML User Mapping. To learn how, see: Enabling a Custom SAML Identity Provider
-
Add an OAuth client with authorization grant Client Credentials. To learn how, see: Managing OAuth Clients and Trusted Identity Providers
SAP Analytics Cloud is an all-in-one cloud product offered as software as a service for business intelligence, planning, and predictive analytics.
You can use Identity Provisioning to configure SAP Analytics Cloud as a source system where you can read users and groups and provision them to target systems of your choice. The source system consumes SCIM 2.0 API provided by SAP Analytics Cloud.
There are two versions of the SAP Analytics Cloud SCIM API. They are handled by thesac.api.version property as follows:
-
When the value is set to
1or the property is not defined (typical for systems created before versioning was introduced on April 10, 2023), SAP Analytics Cloud SCIM API version 1 is used. This is the default value. -
When the value is set to
2- SAP Analytics Cloud SCIM API version 2 is used. This version is released with enhancements, such as: reading groups is not ignored in the default read transformation.
For more information on the differences between SAP Analytics Cloud SCIM API version 1 and 2, see Managing Users and Teams.
For more information on how to update to version 2, see Update Connector Version.
-
Access the Identity Provisioning UI.
-
Sign in to the administration console of SAP Cloud Identity Services and navigate to Identity Provisioning > Source Systems.
-
Add SAP Analytics Cloud as a source system. For more information, see Add New Systems.
-
Choose the Properties tab to configure the connection settings for your system.
If your tenant is running on SAP BTP, Neo environment, you can create a connectivity destination in your subaccount in the SAP BTP cockpit, and then select it from the Destination Name combo box in your Identity Provisioning User Interface.
If one and the same property exists both in the cockpit and in the Properties tab, the value set in the Properties tab is considered with higher priority.
We recommend that you use the Properties tab. Use a connectivity destination only if you need to reuse one and the same configuration for multiple provisioning systems.
Mandatory Properties
Property Name
Description & Value
TypeEnter: HTTP
URLEnter the URL to your SAP Analytics Cloud system without adding the path information.
ProxyTypeEnter: Internet
AuthenticationEnter: BasicAuthentication
UserEnter the client ID to retrieve the OAuth access token for SAP Analytics Cloud.
Password(Credential) Enter the client secret to retrieve the OAuth access token for SAP Analytics Cloud.
OAuth2TokenServiceURLEnter the URL of the access token provider service for your SAP Analytics Cloud instance.
This token URL is listed in the OAuth Clients section of the App Integration page. For more information, refer to Authorize API Access for OAuth Clients in Manage OAuth Clients
(Optional)
sac.api.versionHandles the version of SAP Analytics Cloud SCIM API.
Possible values:
-
1 - Indicates that SAP Analytics Cloud SCIM API version 1 is used.
-
2 - Indicates that SAP Analytics Cloud SCIM API version 2 is used.
Default value: 1
To learn what additional properties are relevant to this system, see List of Properties. You can use the main search, or filter properties by the Name or System Type columns.
-
-
Configure the transformations.
Transformations are used to map the user attributes from the data model of the source system to the data model of the target system, and the other way around. The Identity Provisioning offers a default transformation for the SAP Analytic Cloud source system, whose settings are displayed under the Transformations tab after saving its initial configuration.
You can change the default transformation mapping rules to reflect your current setup of entities in your SAP Analytic Cloud system. For more information, see: Manage Transformations
SAP Analytics Cloud REST API: Managing Users and Teams
Managing Users and Teams → api/v1/scim
Managing Users and Teams → api/v1/scim2
Default transformation for SAP Analytic Cloud SCIM API version 1:
{ "user": { "mappings": [ { "sourcePath": "$.schemas", "targetPath": "$.schemas", "preserveArrayWithSingleElement": true }, { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem" }, { "sourcePath": "$.userName", "targetPath": "$.userName", "correlationAttribute": true }, { "sourcePath": "$.name", "targetPath": "$.name" }, { "sourcePath": "$.displayName", "targetPath": "$.displayName" }, { "sourcePath": "$.active", "targetPath": "$.active" }, { "sourcePath": "$.emails", "targetPath": "$.emails", "preserveArrayWithSingleElement": true }, { "sourcePath": "$.emails[?(@.primary== true)].value", "correlationAttribute": true }, { "sourcePath": "$.roles", "targetPath": "$.roles", "preserveArrayWithSingleElement": true }, { "sourcePath": "$.groups", "targetPath": "$.groups", "preserveArrayWithSingleElement": true, "functions": [ { "condition": "'%sac.group.prefix%' !== 'null'", "function": "concatString", "applyOnElements": true, "applyOnAttribute": "display", "prefix": "%sac.group.prefix%" } ] }, { "sourcePath": "$['urn:scim:schemas:extension:enterprise:1.0']['manager']['managerId']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']" } ] }, "group": { "ignore": true, "mappings": [ { "sourcePath": "$.schemas", "targetPath": "$.schemas", "preserveArrayWithSingleElement": true }, { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem" }, { "sourcePath": "$.displayName", "targetPath": "$.displayName", "functions": [ { "condition": "'%sac.group.prefix%' !== 'null'", "function": "concatString", "prefix": "%sac.group.prefix%" } ] }, { "sourcePath": "$.members", "targetPath": "$.members", "preserveArrayWithSingleElement": true }, { "sourcePath": "$.roles", "targetPath": "$.roles", "preserveArrayWithSingleElement": true } ] } }Default transformation for SAP Analytic Cloud SCIM API version 2:
{ "user": { "mappings": [ { "sourcePath": "$.schemas", "targetPath": "$.schemas", "preserveArrayWithSingleElement": true }, { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem" }, { "sourcePath": "$.userName", "targetPath": "$.userName", "correlationAttribute": true }, { "sourcePath": "$.name", "targetPath": "$.name", "optional": true }, { "sourcePath": "$.externalId", "targetPath": "$.externalId", "optional": true }, { "sourcePath": "$.displayName", "targetPath": "$.displayName", "optional": true }, { "sourcePath": "$.active", "targetPath": "$.active" }, { "sourcePath": "$.emails", "targetPath": "$.emails", "preserveArrayWithSingleElement": true }, { "sourcePath": "$.emails[?(@.primary== true)].value", "correlationAttribute": true }, { "sourcePath": "$['urn:sap:params:scim:schemas:extension:sac:2.0:user-custom-parameters']", "targetPath": "$['urn:sap:params:scim:schemas:extension:sac:2.0:user-custom-parameters']" }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']", "optional": true }, { "sourcePath": "$.roles", "targetPath": "$.roles", "preserveArrayWithSingleElement": true, "optional": true }, { "sourcePath": "$.groups", "targetPath": "$.groups", "preserveArrayWithSingleElement": true, "optional": true, "functions": [ { "condition": "'%sac.group.prefix%' !== 'null'", "function": "concatString", "applyOnElements": true, "applyOnAttribute": "display", "prefix": "%sac.group.prefix%" } ] } ] }, "group": { "mappings": [ { "sourcePath": "$.schemas", "targetPath": "$.schemas", "preserveArrayWithSingleElement": true }, { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem" }, { "sourcePath": "$.displayName", "targetPath": "$.displayName", "functions": [ { "condition": "'%sac.group.prefix%' !== 'null'", "function": "concatString", "prefix": "%sac.group.prefix%" } ] }, { "sourcePath": "$.members", "targetPath": "$.members", "optional": true, "preserveArrayWithSingleElement": true }, { "sourcePath": "$['urn:sap:params:scim:schemas:extension:sac:2.0:group-roles']", "targetPath": "$['urn:sap:params:scim:schemas:extension:sac:2.0:group-roles']", "optional": true }, { "sourcePath": "$['urn:sap:params:scim:schemas:extension:sac:2.0:group-custom-parameters']", "targetPath": "$['urn:sap:params:scim:schemas:extension:sac:2.0:group-custom-parameters']", "optional": true } ] } } -
Now, add a target system to provision users and groups into it. Choose from: Target Systems
- Before starting a provisioning job, you can first subscribe for e-mail notifications from the source system you use in your scenario. This way, you will be notified by e-mail about eventual failed entities during the jobs. For more information, see Manage Job Notifications.
- Now, start an identity provisioning job. For more information, see Monitor Provisioning Job Logs.