How to Export All Users (with Origins) from All SAP BTP Subaccounts via CLI Automation


Introduction

If you manage a large SAP BTP Global Account, you may find it challenging to export a full user inventory—especially when your environment is segmented into multiple subaccounts and utilizes various identity provider origins (multiple trusts). The SAP BTP Cockpit does not offer a single “Export All Users” button at the global account level.

This blog demonstrates how to efficiently extract all users and their identity origins across all BTP subaccounts using the SAP BTP Command Line Interface (btp CLI) and PowerShell scripting.

Prerequisites

– btp CLI: Ensure you have downloaded and installed `btp.exe` (the SAP BTP CLI). [Download Link]
– Login Required: Log in to your SAP BTP Global Account using the CLI. Open a CMD window and enter: btp login
– Permissions: Your user should have sufficient permissions (Global Account Admin, Directory Admin, Subaccount Admin) to view users in the target scopes.
– Windows PowerShell: The script example uses PowerShell, but similar logic can be implemented in Bash or Python.
– Working Directory: Place your files in `C:\BTP` (or another folder of your choice).

Folder Structure

Suggested folder contents:

C:\BTP\btp.exe *(SAP BTP CLI executable)*
C:\BTP\btp-all-users-with-origins.ps1 *(PowerShell script for extraction)*

 

PowerShell Script Overview

The script will:
– List all directories and subaccounts in your global account.
– For each subaccount, fetch all users and their identity provider origins.
– Aggregate results into a CSV file for easy analysis and reporting.

After logging in, open a PowerShell window, change to the C:\BTP folder, and run the PowerShell script with the following command: .\btp-all-users-with-origins.ps1

Conclusion

Automating the extraction of all users (with IdP origins) from SAP BTP’s global landscape is made possible via the btp CLI and PowerShell scripting. This approach helps admins map, reconcile, and audit user access efficiently, overcoming cockpit UI limitations.

Feel free to adapt or extend the script for additional reporting, periodic scheduled runs, or integration with ITSM tools.
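As an added example (not part of the original script), here is one way to run a first reconciliation pass over the exported CSV. It assumes the column names from the script's header row; the function name `Get-UserAuditFindings`, the finding labels and the sample rows are constructed for illustration.

```powershell
# Added example, not part of the original script. Sample rows are constructed.
$sampleCsv = @'
subaccount_guid,subaccount_name,originKey,userUUID,email,roles,lastLogin
11111111-1111-1111-1111-111111111111,dev,sap.default,u-001,alice@example.com,- Subaccount Administrator,N/A
11111111-1111-1111-1111-111111111111,dev,corp-idp,u-002,alice@example.com,- Subaccount Viewer,2025-01-10
22222222-2222-2222-2222-222222222222,prod,corp-idp,u-003,bob@example.com,,2025-02-01
22222222-2222-2222-2222-222222222222,prod,corp-idp,u-004,carol@example.com,- Subaccount Administrator,N/A
'@

function Get-UserAuditFindings {
    param([Parameter(Mandatory)][object[]]$Rows)

    # Finding 1: the same user name exists under more than one IdP origin in one
    # subaccount, so role assignments have to be reviewed per origin.
    $Rows | Group-Object subaccount_guid, email |
        Where-Object { @($_.Group.originKey | Sort-Object -Unique).Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Finding    = 'MultipleOrigins'
                Subaccount = $_.Group[0].subaccount_name
                Email      = $_.Group[0].email
                Detail     = @($_.Group.originKey | Sort-Object -Unique) -join ';'
            }
        }

    # Finding 2: role collections are assigned but no login was ever recorded
    # (the export script writes "N/A" when no "Last Login:" line is returned).
    $Rows | Where-Object { $_.roles -and $_.lastLogin -eq 'N/A' } |
        ForEach-Object {
            [pscustomobject]@{
                Finding    = 'RolesButNoLogin'
                Subaccount = $_.subaccount_name
                Email      = $_.email
                Detail     = "$($_.originKey): $($_.roles)"
            }
        }
}

# For a real run, replace the sample with: Import-Csv all_users_detailed_with_origins.csv
Get-UserAuditFindings -Rows ($sampleCsv | ConvertFrom-Csv) | Format-Table -AutoSize
```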

Code for PowerShell Script:

 

##————————————————————————————————————————————————-

# PowerShell Script: btp-all-users-with-origins.ps1
#
# This script fetches all subaccounts, extracts all IDP origin keys,
# and then fetches all users from each subaccount for each origin key
# using the IDP via "--of-idp <originKey>".
# The user details are saved to all_users_detailed_with_origins.csv.

# Output CSV header (includes IDP origin)
"subaccount_guid,subaccount_name,originKey,userUUID,email,roles,lastLogin" | Out-File -Encoding UTF8 all_users_detailed_with_origins.csv

# Step 1: List all subaccounts and extract subaccount GUIDs and names
Write-Host "Fetching subaccounts..."
.\btp list accounts/subaccount > subaccounts.txt

$subaccounts = @()
# Skip the header lines of the CLI output; adjust the count if the layout differs
$subLines = Get-Content subaccounts.txt | Select-Object -Skip 4
foreach ($line in $subLines) {
    if ($line.Trim() -eq "") { continue }
    # A data row starts with a 36-character GUID followed by whitespace
    if ($line -match '^([a-f0-9-]{36})\s+(.+)$') {
        $subaccounts += @{
            guid = $matches[1]
            name = $matches[2]
        }
    }
}

# Step 2: Gather all IDP origin keys from all subaccounts (combine)
# A hashtable is used as a set so that each origin key is kept only once
$idpOriginSet = @{}

foreach ($subaccount in $subaccounts) {
    Write-Host "Fetching IDP trusts for: $($subaccount.name) ($($subaccount.guid))..."
    .\btp list security/trust --subaccount $($subaccount.guid) > idp_trusts.txt

    $trustLines = Get-Content idp_trusts.txt | Select-Object -Skip 1
    foreach ($trust in $trustLines) {
        $trust = $trust.Trim()
        # The origin key is the token directly before the trailing status column
        if ($trust -match '(?<OriginKey>([a-zA-Z0-9.-]+|sap\.default))\s+(Active|Inactive)$') {
            $originKey = $matches['OriginKey']
            if ($originKey) { $idpOriginSet[$originKey] = $true }
        }
    }
}
$idpOriginList = $idpOriginSet.Keys

Write-Host "Collected IDP origin keys:"
$idpOriginList | ForEach-Object { Write-Host $_ }

# Step 3: For each subaccount and each origin key, get users with origin filtering
foreach ($subaccount in $subaccounts) {
    foreach ($originKey in $idpOriginList) {
        Write-Host "Fetching users for subaccount: $($subaccount.name) ($($subaccount.guid)) with origin: $originKey..."
        .\btp list security/user --subaccount $($subaccount.guid) --of-idp $originKey > users.txt

        # Keep only non-blank lines that are not the header or a status message
        $userLines = Get-Content users.txt | Where-Object {
            ($_ -match '\S') -and
            ($_ -notmatch 'username') -and
            ($_ -notmatch '^OK$') -and
            ($_ -notmatch '^No users found')
        }

        foreach ($userline in $userLines) {
            $email = $userline.Trim()
            if ($email -eq "") { continue }

            # Get user details; pass the origin so the lookup targets the same IdP as the listing
            $userDetails = .\btp get security/user $email --subaccount $($subaccount.guid) --of-idp $originKey 2>&1

            # Extract UUID (user ID)
            $userIdLine = $userDetails | Where-Object { $_ -match '^id:' }
            $userUUID = if ($userIdLine) { $userIdLine -replace '^id:\s*', '' } else { "" }

            # Extract Role Collections (list items that start with "- ", with or without indentation)
            $roleLines = $userDetails | Select-String -Pattern '^\s*-\s'
            $roles = if ($roleLines) { ($roleLines | ForEach-Object { $_.ToString().Trim() }) -join ';' } else { "" }

            # Extract Last Login
            $loginLine = $userDetails | Where-Object { $_ -match '^Last Login:' }
            $lastLogin = if ($loginLine) { $loginLine -replace '^Last Login:\s*', '' } else { "N/A" }

            "$($subaccount.guid),$($subaccount.name),$originKey,$userUUID,$email,$roles,$lastLogin" | Out-File -Append -Encoding UTF8 all_users_detailed_with_origins.csv
        }
    }
}

Write-Host "DONE! Output saved to all_users_detailed_with_origins.csv"

##————————————————————————————————————————————————-
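The script builds each CSV row by string concatenation, so a comma or quote in a subaccount name or role collection shifts the columns, and a value beginning with `=`, `+`, `-` or `@` is evaluated as a formula when the file is opened in a spreadsheet. The following added example (not part of the original script) shows one way to write the same columns safely; `ConvertTo-SafeCell`, `New-UserRow` and the sample values are constructed for illustration.

```powershell
# Added example, not part of the original script. Helper names and sample
# values are constructed for illustration.

function ConvertTo-SafeCell {
    param([string]$Value)
    # A leading = + - @ (or tab / CR) makes spreadsheet applications evaluate the
    # cell as a formula; an apostrophe prefix forces it to be read as text.
    if ($Value -match '^[=+\-@\t\r]') { return "'$Value" }
    return $Value
}

function New-UserRow {
    param(
        [hashtable]$Subaccount, [string]$OriginKey, [string]$UserUuid,
        [string]$Email, [string[]]$Roles, [string]$LastLogin
    )
    # Property order defines the column order (same columns as the script's header).
    [pscustomobject]@{
        subaccount_guid = ConvertTo-SafeCell $Subaccount.guid
        subaccount_name = ConvertTo-SafeCell $Subaccount.name
        originKey       = ConvertTo-SafeCell $OriginKey
        userUUID        = ConvertTo-SafeCell $UserUuid
        email           = ConvertTo-SafeCell $Email
        roles           = ConvertTo-SafeCell ($Roles -join ';')
        lastLogin       = ConvertTo-SafeCell $LastLogin
    }
}

# Constructed sample: a name containing a comma, a role containing quotes,
# and a user name that a spreadsheet would otherwise treat as a formula.
$sub = @{ guid = '11111111-1111-1111-1111-111111111111'; name = 'Finance, EU' }
$rows = @(
    New-UserRow -Subaccount $sub -OriginKey 'sap.default' -UserUuid 'u-001' `
        -Email 'alice@example.com' -Roles 'Subaccount Administrator', 'Viewer "read only"' `
        -LastLogin 'N/A'
    New-UserRow -Subaccount $sub -OriginKey 'corp-idp' -UserUuid 'u-002' `
        -Email '=1+1@example.com' -Roles 'Subaccount Viewer' -LastLogin 'N/A'
)

# ConvertTo-Csv quotes every field and doubles embedded quotes.
$rows | ConvertTo-Csv -NoTypeInformation

# In the export script, collect the rows and write them once at the end:
# $rows | Export-Csv -Path all_users_detailed_with_origins.csv -NoTypeInformation -Encoding UTF8
```

The apostrophe prefix changes the stored value, so strip it again if the CSV is consumed by another tool rather than opened in a spreadsheet.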

 