SAP Knowledge Base Article - Public

2253200 - How to restrict the API access of a specific user by IP addresses

Symptom

This KBA will explain how you can restrict the API access of your API user based on IP addresses or an IP range.

This means that the user will only be able to access the API when the API call is sent from the IP addresses added to the list.

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

Environment

  • SAP SuccessFactors HXM Suite
    • OData API
    • SFAPI

Reproducing the Issue

Cause

Resolution

  1. Go to Admin Center > Password & Login Policy Settings

    login_policy.png

  2. Select the "Set API login exceptions..." option

    set_api_exceptions.png

  3. A list with all existing users which already have this restriction applied will be shown.
    1. If you want to edit an existing user, search for it in the list and click on the edit button on "Action" column

      edit_button.png

    2. If you want to add a new user restriction, click on the "Add" button at the top

      add_button.png

  4. The following details will be asked:
    • Username: provide the username of the API user
    • Maximum password age (days): the number of days the password of the user will be valid. If you want it to never expire, you can provide the value -1.
    • IP address restrictions: add all IP addresses that will be allowed to access the API. You can also provide IP ranges.
      Note: please make sure to provide the IP addresses in a valid format, refer to the KBA 2251980 for more details.

      creation.png

  5. Click on "Save & Close".

After that, only calls sent by those IP addresses will be allowed to access the API servers when using that user.


Note: in the "Password & Login Policy Settings" screen, you'll be able to see this message:

"Enabling or disabling this feature will force ALL users to change their passwords"

message.png

Please note that this message is only applicable to the "Maximum Password Age (in days)" field above it, it is not applicable to the "Set API login exceptions..." steps that were covered by this KBA.

See Also

OData API Help Portal: Restricting API Access by IP Addresses or IP Address Ranges

Keywords

Allow list, allowlist, restriction, ip, range, exceptions, Set API login exceptions, Password & Login Policy Settings, -1 , KBA , LOD-SF-INT-ODATA , OData API Framework , LOD-SF-INT-API , API & Adhoc API Framework , How To

Product

SAP SuccessFactors HCM Suite all versions