SAP Knowledge Base Article - Public

3165353 - How to Configure IPS to connect to SAP Analytics Cloud (SAC)

Symptom

There are different types of user provisioning for SAP Analytics Cloud:

  • Through the SAC UI

  • SAML

  • SCIM API

The IPS tool uses the SCIM API to provision users in SAC. The advantage of SCIM user provisioning over SAML provisioning is that with SAML, new users are created and changes are applied only during login. The SCIM API, on the other hand, makes changes on the backend when they happen, so updates occur without requiring a user login.

SAP IPS (Identity Provisioning Service) provides an out-of-the-box connector for SAP Analytics Cloud. The main use case of IPS is to read users and groups from a source system and provision them to a target system. Filtering and/or mapping can be applied during job execution. The main benefit of SAP IPS is that you don’t have to write a dedicated app for managing users: IPS calls the SCIM API for you.

Environment

  • SAP Analytics Cloud (Enterprise) 2021.20.12

Resolution

  1. In SAP IPS go to “Source Systems” and click “Add”.


  2. Fill out the information under the “Details” tab: source system type and name. Optional: destination name and description. Then click “Save”.


  3. Set up communication between IPS and the source system (Identity Authentication is used as the example here) and configure your authentication method (certificate or basic).

    1. In Identity Authentication go to Administrators -> Add new system. This adds a new administrator of type System.

    2. Assign Manage Users and Manage Groups authorization roles to your technical user.

    3. For Basic Authentication, configure your password; a user ID will be generated for you. You need to remember the password and the generated ID to complete the next step.



      For more information on adding an Administrator - see here

      If you are using another source system type, look for it in the menu - Source Systems and follow the steps to create a User ID and Password for the next step.

  4. Go to the “Properties” tab and click on “Edit”. Select “+” to add more properties.


    Here is the list of properties to add if using Identity Authentication as your source system with Basic Authentication (no certificate):

    Authentication: Basic Authentication

    Password: Password of Identity Authentication technical user

    Proxy Type: Internet

    Type: HTTP

    URL: URL of your Identity Authentication tenant

    User: User ID of Identity Authentication technical user

    For additional properties - see here. If you are using another source system type, look for it in the Source Systems menu.

  5. Now we move on to the target system. We will be setting SAP Analytics Cloud as your target system. Go to the Target System page in SAP IPS and click "Add".


  6. Fill out the details and click "Save".


  7. Now go to your SAC tenant and add a new OAuth Client. For steps to follow - see here. Make sure to select:

    Purpose: API Provisioning

    Access: User Provisioning

    Also make sure to remember your secret, OAuth Client ID, and Token URL for the next step.

  8. Go to the "Properties" tab and click "Edit", then add the following properties by clicking on the "+".


    Add the following properties:

    Authentication: Basic Authentication

    ips.http.header.x-ignore-roles-if-missing: true or false (See note below*)

    OAuth2TokenServiceURL: URL of the access token provider service

    Password: Client secret from Step 7

    ProxyType: Internet

    Type: HTTP

    URL: URL for your SAP Analytics Cloud system

    User: Client ID from Step 7

    (*) When you are updating users/groups, the SCIM API expects to receive the assigned roles. This property defines whether the role assignments in SAP Analytics Cloud will be removed or not as a result of an update operation. Setting this to true keeps the roles unchanged. More details are in KBA 3092730.
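
A pre-flight check for the target-system properties from step 8, added here as an example (not SAP's or this article's own code): it verifies that the listed properties are present, that both URLs use HTTPS, and that the role header is set explicitly. The function name, the HTTPS requirement and all sample values are assumptions made for this example.

```python
from urllib.parse import urlparse

# Property names and fixed values as listed in step 8 of this article.
REQUIRED = ("Authentication", "OAuth2TokenServiceURL", "Password",
            "ProxyType", "Type", "URL", "User")
FIXED = {"Authentication": "Basic Authentication",
         "ProxyType": "Internet", "Type": "HTTP"}
ROLE_HEADER = "ips.http.header.x-ignore-roles-if-missing"

# Constructed sample: host names, client ID and secret are placeholders.
SAMPLE = {
    "Authentication": "Basic Authentication",
    ROLE_HEADER: "true",
    "OAuth2TokenServiceURL": "https://token.example.com/oauth/token",
    "Password": "<client-secret-from-step-7>",
    "ProxyType": "Internet",
    "Type": "HTTP",
    "URL": "https://sac-tenant.example.com",
    "User": "<client-id-from-step-7>",
}


def check_target_properties(props):
    """Return a list of findings; an empty list means the set looks complete."""
    findings = []
    for key in REQUIRED:
        if not props.get(key, "").strip():
            findings.append(f"missing: {key}")
    for key, expected in FIXED.items():
        value = props.get(key, "")
        if value and value != expected:
            findings.append(f"unexpected value: {key}")
    # Credentials and tokens are sent to these endpoints, so require TLS (added check).
    for key in ("URL", "OAuth2TokenServiceURL"):
        url = urlparse(props.get(key, ""))
        if props.get(key) and (url.scheme != "https" or not url.hostname):
            findings.append(f"not an https URL: {key}")
    flag = props.get(ROLE_HEADER)
    if flag is None:
        findings.append(f"not set: {ROLE_HEADER}")
    elif flag not in ("true", "false"):
        findings.append(f"invalid value: {ROLE_HEADER}")
    elif flag == "false":
        findings.append("role assignments may be removed on update")
    return findings


if __name__ == "__main__":
    print(check_target_properties(SAMPLE) or "no findings")
```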

Additional Resources:

  • Additional help for configuring the SAC Tenant as a target can be found here

  • How to run user provisioning jobs can be found here

  • SAP IPS Documentation can be found here

 


Keywords

SAP Cloud for Planning, sc4p, c4p, cforp, cloudforplanning, Cloud for Analytics, Cloud4Analytics, CloudforAnalytics, Cloud 4 Planning, BOC, SAPBusinessObjectsCloud, BusinessObjectsCloud, BOBJcloud, BOCloud., SAC, SAP AC, Cloud-Analytics, CloudAnalytics, SAPCloudAnalytics,Error, Issue, System, Data, User, Unable, Access, Connection, Sac, Connector, Live, Acquisition, Up, Set, setup, Model, BW, Connect, Story, Tenant, Import, Failed, Using, Working, SAML, SSO, sapanalyticscloud, sap analytical cloud, sap analytical cloud, SAC, sap analyst cloud, connected, failure, stopped, sap analyst cloud, https://hcs.cloud.sap, https://hanacloudservices.cloud.sap, https://cloudanalytics.accounts.ondemand.com, https://hanacloudservices-us.accounts.ondemand.com, https://www.sap.com, https://help.sap.com, predictive analytics (analysis), data analysis (analytics) tools, analytics tools, sap analytics cloud, data literacy, advanced analytics, data democratization, analytics software, real time analytics, self service analytics, advanced data analytics, analytics as a service, analytics cloud / cloud analytics, saas analytics, cloud bi, enterprise planning, cloud data analytics, cloud based analytics, analytics cloud platform, modern analytics, real time analysis, cloud analytics solution(s), what is sap analytics cloud, cloud analytics tools, analytics in the cloud, cloud analytics software, SCIM, IPS , KBA , LOD-ANA-ADM , SAC Administration , BC-IAM-IPS , Identity Provisioning Service (IPS) , Problem

Product

SAP Analytics Cloud 1.0