/support/notes/service/sap_logo.png){kind=logo}
SAP Knowledge Base Article - PublicSymptom
When running API request to Successfactors OData API, below error is returned:
LGN0010 - "Basic Authentication is disabled for company <companyID> or your IP <IP address> is not authorized to access OData API. To enable Basic Authentication, grant the permission to your role at Manage Integration Tools Manage OData API Basic Authentication. To authorize your IP address for OData API access, go to API Center OData API IP Whitelisting.".
Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.
Environment
- SAP Successfactors HCM Suite
- OData API
Cause
- API User being used to execute the API request is lacking permissions OR
- OData API is currently disabled for the SuccessFactors instance OR
- IP or IP Range of the client where the API call is executed from is not included or listed in the API allowlisting under:
- "OData API IP Allowlisting" in API Center AND/OR
- "Password and Login Policy Settings"
Note:
- It can also be that the format of the IP allow-list is not correctly maintained. See #3 in Resolution section.
- Odata IP Allowlisting is called "OData API Basic Authentication Configuration" in Admin Center
Resolution
For #1. Provide 'Manage Odata API Basic Authentication' Permission under 'Manage Integration Tools'
- Manage Odata API Basic Authentication
For #2. In Provisioning Backend for Successfactors Instance Affected. Go to Company Settings > Under 'Web Services'. Ensure that 'Disable Odata API' is not selcted
For #3
Please check to see that both
3.1 in SF's Password and Login Policy Settings > Set API Login Exceptions. Ensure that the IP / IP Range is included in the Allow list. See below format.
> Sample Format for single IP : 10.20.30.41
> Sample Format for IP Range : 10.20.30.40-10.20.30.50
3.2 While for Odata IP Allowlisting > OData API Basic Authentication Configuration
IP range need to be listed in below format. For single IP allow list, format of single IP is same as with maintaining in 'Password and Login Policy Settings > Set API login Exception'
Sample :
To include IP Range '192.168.0.0 - 192.169.255.255',
Place them following below format then hit 'Save' butotn
192.168.*.* to cover IP Range "192.168.0.0-192.168.255.255"
and
192.169.*.* to cover IP Range "192.169.0.0-192.168.255.255"
See Also
SF Password and Login Policy Settings
SF Odata API Logon Error Codes
SF Odata API Basic Authentication Configuration or ODATA IP Allowlisting
Keywords
LGN0010, HTTP 401, responseCode=401, OData API Basic Authentication Configuration, OData API IP Allowlisting, Manage OData API Basic Authentication, Authentication Failure 401 , KBA , LOD-SF-INT-ODATA , OData API Framework , LOD-SF-INT , Integrations , Problem
/support/notes/service/facebook.svg)
/support/notes/service/twitter.svg)
/support/notes/service/youtube.svg)
/support/notes/service/linkedin.svg)
/support/notes/service/instagram2.svg)