Maybe you have already had the chance to work with the SAP HANA Cloud Platform and asked yourself how to manage users, roles and groups in a convenient, automated way rather than maintaining users manually. In case you did, let me take the chance to give you a small introduction to the Authorization Management REST API provided by the SAP HANA Cloud Platform.
Let me clearly emphasize that this API can manage predefined and custom roles, but not account member roles.
To consume this REST API, you need to obtain OAuth client credentials (client ID and secret) from your account in the SAP HANA Cloud Platform. For that, enable the Beta features in your account.
Once done, you can generate a global OAuth client for your account.
Remember the client ID and secret, as you will need them in the next step to obtain the OAuth access token. The client ID can be seen as a user ID and the client secret as its password, so treat the secret like any other privileged credential and keep it out of scripts, screenshots and logs. There is quite good documentation in place on how to tackle the first hurdle, obtaining the OAuth access token; refer to the official SAP HANA Cloud Platform documentation. Here I want to give a brief overview of how to manage that with an API client test tool. The goal is a lightweight user life-cycle: obtain a token, list a user's roles, assign a role, verify it, remove it again.
Pretty straightforward and a common user life-cycle scenario, isn't it?
Assuming you have obtained the OAuth client ID and client secret, we can start by joining them with a colon and encoding the result as a Base64 string for HTTP Basic authentication.
POST https://api.<landscape_host>/OAuth2/apitoken/v1?grant_type=client_credentials
Authenticate with HTTP Basic authentication by setting the Authorization header to:
Basic <Base64 encoded <ClientID>:<ClientSecret>>
You receive a response like this:
{
"access_token": "b29c79e3859d25aa62c234494eda33b9",
"token_type": "Bearer",
"expires_in": 1500,
"scopes": [
"hcp.manageAuthorizationSettings",
"hcp.readAuthorizationSettings"
]
}
Et voilà, this is your OAuth access token for the next 1500 seconds (expires_in is given in seconds, so 25 minutes, not milliseconds). The response is a JSON object whose access_token value is the one you need; the scopes list tells you whether the client may only read (hcp.readAuthorizationSettings) or also change (hcp.manageAuthorizationSettings) authorization settings.
Use this token as a Bearer token in all subsequent requests until it expires, then request a new one the same way. Treat it like the credential it is: anyone holding it can manage role assignments in your account until it expires.
HTTPS request:
GET https://api.hanatrial.ondemand.com/authorization/v1/accounts/{accountName}/users/roles/?userId=GOOFY
Headers: Authorization: Bearer b29c79e3859d25aa62c234494eda33b9
HTTPS response, the list of roles currently assigned to user GOOFY, as a JSON object:
{ "roles": [
{
"name": "ProjectMember",
"applicationName": "dispatcher",
"providerAccount": "services"
} ]
}
To confirm the result, simply jump to your HCP account.
Assigning a role is a PUT with the roles in the JSON body. The JSON string is a bit cumbersome to maintain in the HTTP body of a test tool, but it also lets you add the user to multiple roles at once: just extend the JSON array accordingly. If all is working fine you will receive a 200 response code as the success message.
PUT https://api.hanatrial.ondemand.com/authorization/v1/accounts/{accountName}/users/roles/?userId=GOOFY
Headers:
Authorization: Bearer b29c79e3859d25aa62c234494eda33b9
Content-Type:application/json
{ "roles": [
{
"name": "Administrator",
"applicationName":"testd0xxxxx",
"providerAccount": "{accountName}"
} ]
}
Let's check the assignment in the HCP account again.
The pitfall with this request was to get the role reference right. A role is identified by the triple of name, application name and provider account, and there are two sets of roles available in HCP: roles defined using the Cockpit (provided by the services account through the dispatcher application) and roles defined in the web.xml of your own application (provided by your account through that application).
Provider Account Name | Application Name | Role | Comment
---|---|---|---
services | dispatcher | YourRole | roles defined using the Cockpit
yourAccount | yourApplication | YourRole | roles defined in the web.xml of an application
d0xxxxxtrial | testd0xxxxx | Administrator | role used in the current scenario
To remove the assignment again, send a DELETE. Here the role is referenced by a single string in the form <role>@<providerAccount>:<applicationName>, i.e. the same triple as in the PUT body, just concatenated:
DELETE https://api.hanatrial.ondemand.com/authorization/v1/accounts/{accountName}/users/roles/?userId=GOOFY&roles=Administrator@d0xxxxxtrial:testd0xxxxx
Headers: Authorization: Bearer b29c79e3859d25aa62c234494eda33b9
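The whole life-cycle above, from the Basic-authenticated token request through GET, PUT and DELETE on users/roles, as an added Python example that is not part of the original post or of SAP's own tooling. The endpoint paths, header names, JSON shapes, the expires_in handling and the roles=<role>@<providerAccount>:<applicationName> form are taken from the requests shown above; the class and function names, the injectable transport and clock, the FakeHcp stand-in that answers the requests in memory, and all sample values (client ID, secret, account and application names, user GOOFY) are my assumptions so that the flow can be exercised offline.

```python
# Added example, not code from the post: paths, headers and JSON shapes follow the
# requests above; transport/clock injection, FakeHcp and sample values are assumptions.
import base64
import json
import time
import urllib.parse
import urllib.request

def basic_auth_header(client_id, client_secret):
    """Basic <Base64(clientId:clientSecret)>, as the apitoken endpoint expects."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def role_ref(name, provider_account, application_name):
    """Role reference in the form the DELETE request expects."""
    return f"{name}@{provider_account}:{application_name}"

def urllib_transport(method, url, headers, body):
    """Real HTTPS transport (standard library): (status, text); raises on HTTP errors."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read().decode("utf-8")

class HcpAuthzClient:
    def __init__(self, landscape_host, account, client_id, client_secret,
                 transport=urllib_transport, clock=time.time):
        self.token_url = f"https://api.{landscape_host}/OAuth2/apitoken/v1?grant_type=client_credentials"
        self.base_url = f"https://api.{landscape_host}/authorization/v1/accounts/{account}/users/roles/"
        self._basic = basic_auth_header(client_id, client_secret)
        self._transport, self._clock, self._token, self._expires_at = transport, clock, None, 0.0

    def access_token(self):
        """Cache the token; renew a minute before expires_in (seconds, not ms) runs out."""
        if self._token is None or self._clock() >= self._expires_at - 60:
            status, text = self._transport("POST", self.token_url,
                                           {"Authorization": self._basic}, None)
            if status != 200:
                raise RuntimeError(f"token request failed: HTTP {status}")
            data = json.loads(text)
            self._token = data["access_token"]
            self._expires_at = self._clock() + int(data["expires_in"])
        return self._token

    def _call(self, method, params, body=None):
        headers = {"Authorization": "Bearer " + self.access_token()}
        if body is not None:
            headers["Content-Type"] = "application/json"
        data = None if body is None else json.dumps(body).encode("utf-8")
        url = self.base_url + "?" + urllib.parse.urlencode(params, safe="@:")  # keep role@acct:app readable
        status, text = self._transport(method, url, headers, data)
        if status != 200:
            raise RuntimeError(f"{method} users/roles failed: HTTP {status} {text}")
        return json.loads(text) if text else None

    def list_roles(self, user_id):
        return self._call("GET", {"userId": user_id})["roles"]
    def assign_roles(self, user_id, roles):
        self._call("PUT", {"userId": user_id}, {"roles": roles})
    def remove_role(self, user_id, ref):
        self._call("DELETE", {"userId": user_id, "roles": ref})

class FakeHcp:
    """Constructed in-memory stand-in for the service, usable as a transport."""
    def __init__(self, expires_in=1500):
        self.roles, self.token_requests, self.expires_in = {}, 0, expires_in

    def __call__(self, method, url, headers, body):
        if "/OAuth2/apitoken/v1" in url:
            if not headers.get("Authorization", "").startswith("Basic "):
                return 401, ""
            self.token_requests += 1
            return 200, json.dumps({"access_token": f"tok{self.token_requests}",
                                    "token_type": "Bearer", "expires_in": self.expires_in})
        if not headers.get("Authorization", "").startswith("Bearer "):
            return 401, ""
        q = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
        user = q["userId"][0]
        if method == "GET":
            return 200, json.dumps({"roles": self.roles.get(user, [])})
        if method == "PUT":
            self.roles.setdefault(user, []).extend(json.loads(body)["roles"])
            return 200, ""
        # DELETE: split name@provider:application back into the triple
        name, provider, app = q["roles"][0].replace("@", ":", 1).split(":", 2)
        self.roles[user] = [r for r in self.roles.get(user, []) if (
            r["name"], r["providerAccount"], r["applicationName"]) != (name, provider, app)]
        return 200, ""

def run_lifecycle(fake=None):
    """Life-cycle from the post: assign, verify, remove after token expiry, verify."""
    fake = fake or FakeHcp()
    now = [1_000_000.0]  # fake clock so that token expiry can be simulated
    client = HcpAuthzClient("hanatrial.ondemand.com", "d0xxxxxtrial", "my-client-id",
                            "my-client-secret", transport=fake, clock=lambda: now[0])
    client.assign_roles("GOOFY", [{"name": "Administrator", "applicationName": "testd0xxxxx",
                                   "providerAccount": "d0xxxxxtrial"}])
    assigned = client.list_roles("GOOFY")
    now[0] += 1500  # the token has expired: the next call must fetch a fresh one
    client.remove_role("GOOFY", role_ref("Administrator", "d0xxxxxtrial", "testd0xxxxx"))
    removed = client.list_roles("GOOFY")
    return {"assigned": assigned, "removed": removed, "tokens": fake.token_requests}
```

Against the real landscape you construct HcpAuthzClient with your own landscape host, account name and OAuth client credentials and leave transport at its default; run_lifecycle() drives the same calls through FakeHcp and returns the roles seen after the PUT and after the DELETE plus the number of token requests, which is two because the clock is advanced past expires_in before the DELETE.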
OK, that's nice, but what's next? How can I use this API in my daily work? Well, we developed an HCP connector to enable the internal SAP IdM to do the role provisioning with the same quality as for all on-premise systems within the company.