SAP Knowledge Base Article - Public

2253200 - How to restrict the API access of a specific user by IP addresses


This KBA will explain how you can restrict the API access of your API user based on IP addresses or an IP range.

This means that the user will only be able to access the API when the API call is sent from the IP addresses added to the list.

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.


  • SAP SuccessFactors HXM Suite
    • OData API
    • SFAPI

Reproducing the Issue



  1. Go to Admin Center > Password & Login Policy Settings


  2. Select the "Set API login exceptions..." option


  3. A list of all existing users that already have this restriction applied will be shown.
    1. If you want to edit an existing user, search for it in the list and click on the edit button in the "Action" column


    2. If you want to add a new user restriction, click on the "Add" button at the top


  4. The following details will be requested:
    • Username: provide the username of the API user
    • Maximum password age (days): the number of days the password of the user will be valid. If you want it to never expire, you can provide the value -1.
    • IP address restrictions: add all IP addresses that will be allowed to access the API. You can also provide IP ranges.
      Note: please make sure to provide the IP addresses in a valid format; refer to KBA 2251980 for more details.


  5. Click on "Save & Close".

After that, only calls sent by those IP addresses will be allowed to access the API servers when using that user.
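Because every caller outside the list is rejected once the restriction is saved, it helps to check the planned list against the source addresses of your integrations first. The following is an added example, not SAP code: the accepted notations (single address, CIDR block, "start-end" range) are assumptions of this example (the format SuccessFactors accepts is defined in KBA 2251980), and the function names and sample addresses are constructed.

```python
import ipaddress


def parse_entry(entry):
    """Return (first, last) address of one allowlist entry.

    Notations handled here are assumptions of this example:
    a single address, a CIDR block, or a 'start-end' range.
    """
    entry = entry.strip()
    if "-" in entry:
        start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if start.version != end.version or start > end:
            raise ValueError(f"invalid range: {entry!r}")
        return start, end
    # strict=True rejects CIDR blocks with host bits set (e.g. 198.51.100.5/28)
    net = ipaddress.ip_network(entry, strict=True)
    return net[0], net[-1]


def blocked_callers(allowlist, caller_ips):
    """Return the caller IPs that no allowlist entry covers."""
    ranges = [parse_entry(e) for e in allowlist]
    blocked = []
    for raw in caller_ips:
        ip = ipaddress.ip_address(raw)
        covered = any(
            lo.version == ip.version and lo <= ip <= hi for lo, hi in ranges
        )
        if not covered:
            blocked.append(raw)
    return blocked


# Constructed sample data (RFC 5737 documentation addresses).
PLANNED_ALLOWLIST = ["192.0.2.10", "198.51.100.0/28", "203.0.113.5-203.0.113.20"]
CALLER_IPS = ["192.0.2.10", "198.51.100.14", "198.51.100.16", "203.0.113.21"]

if __name__ == "__main__":
    for ip in blocked_callers(PLANNED_ALLOWLIST, CALLER_IPS):
        print(f"not covered by the planned list, would be rejected: {ip}")
```

Use the public egress addresses that the API servers will actually see (NAT or proxy address), not the internal addresses of the calling hosts.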

In the "Password & Login Policy Settings" screen, you'll be able to see this message:

"Enabling or disabling this feature will force ALL users to change their passwords"


Please note that this message only applies to the "Maximum Password Age (in days)" field above it. It does not apply to the "Set API login exceptions..." steps covered by this KBA.

See Also

OData API Help Portal: Restricting API Access by IP Addresses or IP Address Ranges


Allow list, allowlist, restriction, ip, range, exceptions, Set API login exceptions, Password & Login Policy Settings, -1 , KBA , LOD-SF-INT-ODATA , OData API Framework , LOD-SF-INT-API , API & Adhoc API Framework , How To


SAP SuccessFactors HXM Suite all versions