Introduction
Imagine you’re trying to automate user provisioning in SAP Analytics Cloud (SAC) using the SCIM API. You’ve got your data ready — names, emails, roles — but wait! You can’t just walk in and create users. SAC is a secure system with a tough gatekeeper, and before you do anything, you need to understand how OAuth works in this world.
Let’s walk through this with a story 📖 — because tech can be fun too!
🎭 Characters in Our Story
You – An admin or developer who wants to create users in SAC.
SAC Guard – The security gatekeeper of SAP Analytics Cloud.
Token Shop – A place (OAuth server) where you exchange your credentials for an access token.
Chapter 1: You Arrive at the Gate
You: “Hi! I want to go inside SAC and create some users using the SCIM API.”
SAC Guard: “Whoa, not so fast! Who are you? Do you have a permission slip (token)? We don’t let just anyone in!”
You: “Umm… no, but I have a Client ID and Secret. My boss gave them to me.”
SAC Guard: “That’s not enough. Go to the Token Shop and exchange that ID and Secret for a token.”
Chapter 2: Visiting the Token Shop
The Token Shop is actually the OAuth server. It verifies that you are trusted, and hands you an access token in return.
Request Token
You make a POST request to the OAuth token endpoint (e.g.):
POST https://<oauth-server>/oauth/token
With the following form data:
grant_type=client_credentials
client_id=<your_client_id>
client_secret=<your_client_secret>
Token Shop: “Here you go! Your access token is valid for 1 hour. Use this to talk to SAC.”
Chapter 3: Back at the SAC Gate
You: “Hey Guard! I have my access token now. Look!”
SAC Guard: “Perfect! Now you’re allowed to call the SCIM API and create users. Carry on!”
Example SCIM API Call:
POST https://<sac-tenant>/api/scim/Users
Authorization: Bearer <access_token>
Content-Type: application/json
{
  "userName": "john.doe@example.com",
  "name": {
    "givenName": "John",
    "familyName": "Doe"
  },
  "emails": [
    {
      "value": "john.doe@example.com",
      "primary": true
    }
  ]
}
SAC accepts your request and the user is created!
Chapter 4: One Hour Later…
SAC Guard: “Sorry, your token has expired. Please get a new one from the Token Shop.”
Just like a movie ticket, your access token has a limited validity (usually 1 hour). Once it expires, you need to repeat the process and get a new one.
Chapter 5: Key Takeaways (The Real Lesson)
OAuth is a protocol that controls access.
You use a Client ID + Secret to ask the OAuth server (Token Shop) for an access token.
SAP Analytics Cloud (SAC) will only accept API calls if you present a valid access token.
This entire mechanism protects SAC from unauthorized access and enforces security in automation.
For automation, consider scripting token generation and refreshing every hour (or using a refresh token if supported).
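The token request, the SCIM call and the renewal from Chapters 2 to 4, as an added Python example (not code from this post or from the SAP samples repository). Assumptions: the `post` transport callable, the `idp.example` and `sac.example` hosts, an `expires_in` field in the token response with a 3600-second fallback, a 60-second renewal margin, and the constructed in-memory server inside `demo()`.

```python
import json
import time
from urllib.parse import urlencode

class TokenClient:
    """Caches a client-credentials token and renews it shortly before expiry."""
    def __init__(self, post, token_url, client_id, client_secret,
                 clock=time.monotonic, margin=60):
        self.post, self.token_url = post, token_url  # assumed: post(url, headers, body) -> (status, dict)
        self.form = urlencode({"grant_type": "client_credentials",
                               "client_id": client_id, "client_secret": client_secret})
        self.clock, self.margin = clock, margin
        self.value, self.expires_at = None, 0.0

    def token(self):
        # Reuse the cached token until `margin` seconds before it expires.
        if self.value is None or self.clock() >= self.expires_at - self.margin:
            status, body = self.post(
                self.token_url, {"Content-Type": "application/x-www-form-urlencoded"}, self.form)
            if status != 200 or "access_token" not in body:
                raise RuntimeError(f"token request failed: HTTP {status}")  # never log the secret
            self.value = body["access_token"]
            self.expires_at = self.clock() + float(body.get("expires_in", 3600))  # assumed 1 h fallback
        return self.value

    def create_user(self, scim_url, user):
        """POST a SCIM user; on 401 discard the token and retry exactly once."""
        for _ in range(2):
            headers = {"Authorization": f"Bearer {self.token()}",
                       "Content-Type": "application/json"}
            status, body = self.post(scim_url, headers, json.dumps(user))
            if status != 401:
                break
            self.value = None  # token rejected: force a fresh one on the retry
        return status, body

def demo():
    """Constructed in-memory 'Token Shop' and 'SAC Guard'; no network is used."""
    now, issued = [0.0], []
    def fake_post(url, headers, body):
        if url.endswith("/oauth/token"):
            issued.append(f"tok{len(issued) + 1}")
            return 200, {"access_token": issued[-1], "expires_in": 3600}
        ok = headers["Authorization"] == f"Bearer {issued[-1]}"  # guard accepts newest token only
        return (201, json.loads(body)) if ok else (401, {})
    c = TokenClient(fake_post, "https://idp.example/oauth/token", "id", "secret", clock=lambda: now[0])
    url, user = "https://sac.example/api/scim/Users", {"userName": "john.doe@example.com"}
    first = c.create_user(url, user)[0]
    now[0] = 3590.0  # inside the 60 s renewal margin, so a new token is fetched
    return first, c.create_user(url, user)[0], issued
```

The single retry on 401 keeps a revoked or mistyped credential from turning into an endless loop of token requests; a second 401 is returned to the caller.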
Conclusion
This story-based analogy helps demystify OAuth in the context of SAP Analytics Cloud user provisioning. Think of OAuth as a polite but firm doorman system that ensures only the right guests enter — and only if they’re on time.
So next time you see “401 Unauthorized” from the SAC SCIM API, don’t panic — just visit the Token Shop again.
Reference: This post was inspired by @Matthew_Shaw's work on automation using the SCIM API:
https://github.com/SAP-samples/analytics-cloud-scim-api-samples . Matthew's user guide has a lot of detail in it, including troubleshooting steps, and is worth a visit.