SAP Knowledge Base Article - Public

3165353 - How to Configure IPS to connect to SAP Analytics Cloud (SAC)

Symptom

There are different types of user provisioning for SAP Analytics Cloud:

  • Through the SAC UI

  • SAML

  • SCIM API.

The IPS tool uses the SCIM API to provision users in SAC. The advantage of using SCIM user provisioning over SAML provisioning is that when using SAML, new users are created, and changes are made only during login. The SCIM API, on the other hand, makes changes on the backend when they happen, so updates occur without requiring a user login.

SAP IPS (Identity Provisioning Service) provides an out of the box connector for SAP Analytics Cloud. The main use case of IPS is to read users and groups from a source system and provision them to a target system. Filtering and/or mapping can be applied during job execution. The main benefit of SAP IPS is that you don’t have to write an app specific for managing users - IPS calls the SCIM API for you.

Environment

  • SAP Analytics Cloud (Enterprise) 2021.20.12

Resolution

  1. In SAP IPS go to “Source Systems” and click “Add”.

    Step1.png

  2. Fill out the information under “Details” tab: source system type, name. Optional: destination name and description. Then click “Save”.

    Step2.png

  3. Set up communication between IPS and source system (looking at Identity Authentication here) and configure your authentication method (certificate or basic).

    1. In Identity Authentication go to Administrators -> Add new system. This adds a new administrator of type System.

    2. Assign Manage Users and Manage Groups authorization roles to your technical user.

    3. For Basic Authentication, configure your password and user ID will be generated for you.  You need to remember password and generated ID to complete the next step.


      Step3.png

      For more information on adding an Administrator - see here

      If you are using another source system type, look for it in the menu - Source Systems and follow the steps to create a User ID and Password for the next step.

  4. Go to “Properties” tab and click on “Edit”. Select “+” to add more properties.

    Step4.png

    Here is the list of properties to add if using Identity Authentication as your source system with Basic Authentication (no certificate):

    Authentication

    Basic Authentication

    Password

    Password of Identity Authentication technical user

    Proxy Type

    Internet

    Type

    HTTP

    URL

    URL of your Identity Authentication tenant

    User

    User ID of Identity Authentication technical user

    For additional properties - see here.  If you are using another source system type, look for it in the Source Sytems Menu.

  5. Now we move on to the target system. We will be setting SAP Analytics Cloud as your target system. Go to Target System page in SAP IPS and click "Add".

    Step5.png

  6. Fill out the details and click "Save"

    Step6.png

  7. Now go to your SAC tenant and add a new OAuth Client.  For steps to follow - see here.  Make sure to select

    Purpose: API Provisioning

    Access: User Provisioning

    Also make to remember your secret, OAuth Client ID, and Token URL for the next step

  8. Go to the "Properties" tab and click "Edit", then add the following properties by clicking on the "+"

    Step7.png

    Add the following properties:

    Authentication

    Basic Authentication

    ips.http.header.x-ignore-roles-if-missing

    true or false (See note below*)

    OAuth2TokenServiceURL

    URL of the access token provider service

    Password

    Client secret from Step 7

    ProxyType

    Internet

    Type

    HTTP

    URL

    URL for your SAP Analytics Cloud system

    User

    Client ID from Step 7

    (*) When you are updating users/groups, the SCIM API is expecting to get the assigned roles. This property defines whether the role assignments in SAP Analytics Cloud will be removed or not as a result of an update operation. In order to keep the roles unchanged.  Setting this to true keeps the roles unchange. More details in kbase 3092730

Additional Resources:

  • Additional help for configuring the SAC Tenant as a target can be found here

  • How to run user provisioning jobs can be found here

  • SAP IPS Documentation can be found here

 

See Also

Your feedback is important to help us improve our knowledge base.

Keywords

SAP Cloud for Planning, sc4p, c4p, cforp, cloudforplanning, Cloud for Analytics, Cloud4Analytics, CloudforAnalytics, Cloud 4 Planning, BOC, SAPBusinessObjectsCloud, BusinessObjectsCloud, BOBJcloud, BOCloud., SAC, SAP AC, Cloud-Analytics, CloudAnalytics, SAPCloudAnalytics,Error, Issue, System, Data, User, Unable, Access, Connection, Sac, Connector, Live, Acquisition, Up, Set, setup, Model, BW, Connect, Story, Tenant, Import, Failed, Using, Working, SAML, SSO, sapanalyticscloud, sap analytical cloud, sap analytical cloud, SAC, sap analyst cloud, connected, failure, stopped, sap analyst cloud, https://hcs.cloud.sap, https://hanacloudservices.cloud.sap, https://cloudanalytics.accounts.ondemand.com, https://hanacloudservices-us.accounts.ondemand.com, https://www.sap.com, https://help.sap.com, predictive analytics (analysis), data analysis (analytics) tools, analytics tools, sap analytics cloud, data literacy, advanced analytics, data democratization, analytics software, real time analytics, self service analytics, advanced data analytics, analytics as a service, analytics cloud / cloud analytics, saas analytics, cloud bi, enterprise planning, cloud data analytics, cloud based analytics, analytics cloud platform, modern analytics, real time analysis, cloud analytics solution(s), what is sap analytics cloud, cloud analytics tools, analytics in the cloud, cloud analytics software, SCIM, IPS , KBA , LOD-ANA-ADM , SAC Administration , Problem

Product

SAP Analytics Cloud 1.0