SAP Knowledge Base Article - Public

3271959 - Cannot create or modify a user in SAP Analytics Cloud SCIM User Provisioning API due to a 403 Forbidden response status code


When attempting to create a User to <SAC-Tenant>/api/v1/scim/Users it does not succeed and the following response code is received.

    "timestamp": <Date>,
    "status": 403,
    "error": "Forbidden",
    "path": "/api/v1/scim/Users"


  • SAP Analytics Cloud 2022.24.0
  • API-Environment - Postman

Reproducing the Issue

  1. Navigate to SAC tenant -> System -> Administration -> App Integration
  2. Click on 'Add a New OAuth Client' under OAuth Clients.
  3. Provide a name, select the purpose as Interactive Usage and API Access and then select 'User Provisioning' from the access drop down menu list.
  4. From Postman perform a POST Request to the token URL (Found on App Integration page) with ?grant_type=client_credentials at the end. Select the Authorization tab (next to params) and select the type of authentication to 'Basic Auth' and enter the ClientID and Secret (Auto populated after creating OAuth Client) in the username and password fields.
  5. If successful, you will return a JSON object with the following properties: - access_token: string, token_type: string, expires_in: number, scope: string, jti: string. Retrieve the access token that will be used in the next request to the API URL.
  6.  Perform a GET request to <SAC-Tenant>/api/v1/scim/Users and include the following headers: Authorization - Bearer <access_token>, x-sap-sac-custom-auth: true, x-csrf-token: fetch.
  7. If successful status code of 200, click on the headers tab that is 2 across from the response body and retrieve the the string value of the x-csrf-token.
  8. Perform a POST request to <SAC-Tenant>/api/v1/scim/Users and include the following headers: Authorization - Bearer <access_token>, x-sap-sac-custom-auth: true, x-csrf-token: <string> retrieved from previous GET request network headers. If this final header is not included or misspelt, the described error in the symptom will occur. 
  9. Click on the body tab next to headers on the right beneath the URL bar, beneath this select raw and then at the far right change the drop down option from text to JSON.
  10. In the text editor, populate the fields with the following request schema:
        "schemas": [
        "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
            "manager": {
                "managerId": ""


There are insufficient or incorrect values in the header objects in the request.


Please include 'x-csrf-token' in the headers request to complete the operation successfully.

See Also


SAP Cloud for Planning, sc4p, c4p, cforp, cloudforplanning, Cloud for Analytics, Cloud4Analytics, CloudforAnalytics, Cloud 4 Planning, BOC, SAPBusinessObjectsCloud, BusinessObjectsCloud, BOBJcloud, BOCloud., SAC, SAP AC, Cloud-Analytics, CloudAnalytics, SAPCloudAnalytics,Error, Issue, System, Data, User, Unable, Access, Connection, Sac, Connector, Live, Acquisition, Up, Set, setup, Model, BW, Connect, Story, Tenant, Import, Failed, Using, Working, SAML, SSO, sapanalyticscloud, sap analytical cloud, sap analytical cloud, SAC, sap analyst cloud, connected, failure, stopped, sap analyst cloud,, predictive analytics (analysis), data analysis (analytics) tools, analytics tools, sap analytics cloud, data literacy, advanced analytics, data democratization, analytics software, real time analytics, self service analytics, advanced data analytics, analytics as a service, analytics cloud / cloud analytics, saas analytics, cloud bi, enterprise planning, cloud data analytics, cloud based analytics, analytics cloud platform, modern analytics, real time analysis, cloud analytics solution(s), what is sap analytics cloud, cloud analytics tools, analytics in the cloud, cloud analytics software epm, business intelligence, api, scim, user provisioning
, KBA , LOD-ANA-ADM , SAC Administration , Problem


SAP Analytics Cloud 1.0