Using SCIM API for User & User List management in SAP Build Work Zone, Advanced Edition

Where does this SCIM API fit in the Work Zone landscape?

The SCIM API is utilized by SAP Identity Provisioning Service (IPS) to handle User and List management for the Digital Workplace Service component of both following variants- SAP Build Work Zone, Advanced Edition and SAP SuccessFactors Work Zone.

If you’re configuring IPS for Work Zone user provisioning, you’ll find detailed guidance in our help documentation.

SAP Build Work Zone, Advanced Edition SAP SuccessFactors Work Zone

IPS should always be used as the primary means of User provisioning & management in Work Zone.
But what if you want to go hands-on with the API yourself, for small scale user data adjustment or simply to check data? That is what we are going to cover in this blog.

Important resource to go through before attempting to use the API-> Using the SCIM API | SAP Help Portal

Key elements needed to use the SCIM API for User & List Management–

Digital Workplace (DWS) URL-> Administration Console -> Overview -> Custom Domain URL (for Jam instances not using custom domain, just the regular DC URL- jamX.sapjam.com)SCIM API Client Key: Administration Console -> OAuth Clients -> SCIM Client (will have integration URL as http://www.simplecloud.info) -> KeySCIM API Client Secret: Administration Console -> OAuth Clients -> SCIM Client (will have integration URL as http://www.simplecloud.info) -> SecretSCIM API Token URL-> https://<DWS URL>/api/v1/auth/token

[A] GETTING THE SCIM API ACCESS TOKEN

First step in using SCIM API is getting the access token.

Using any suitable tool (like Postman) POST call needs to be made to the SCIM API Token URL, passing the SCIM API Client Key & Secret. This will return the Access token.

Steps (Postman tool used for this example):

Method: POSTURL: https://<DWS URL>/api/v1/auth/tokenIn the request Body:client_id: < SCIM API Client Key >client_secret: < SCIM API Client Secret >grant_type: client_credentialsHere is what the API call looks like in Postman-
After making the call by hitting “Send”, access token returned in Response-

[B] USING THE SCIM API TO VIEW, UPDATE OR DELETE USER

User management via SCIM API will require-

Access Token: from section [A] stepsUser_UUID: Can be grabbed from the browser URL of any user profile page in Work Zone. The alphanumeric identifier at the end of the URL will be the UUid.Example URL: abcdemo.workzonehr.cfapps.us10.hana.ondemand.com/site#workzone-profile?sap-app-origin-hint=&/profile/wall/QljGDtyuvpRDK7epwV0GiUQljGDtyuvpRDK7epwV0GiUis the UUid.SCIM User API URL: https://<DWS URL>/api/v1/scim/Users/<user_uuid>

Using the above User API URL and the User UUid,

GET calls can be made to view user data.PUT calls can be made to update user data.DELETE calls can be made to delete any user from Work Zone database.

[B.1] TO VIEW ANY USER RECORD

Method: GETURL: https://< DWS URL >/api/v1/scim/Users/<user_uuid>In the request Header, Authorization = bearer <access_token>Here is what the API call looks like in Postman for one example User UUid:
And the Response after hitting “Send”

[B.2] TO UPDATE ANY USER RECORD

Method: PUTURL: https://< DWS URL >/api/v1/scim/Users/<user_uuid>In the request Header, Authorization = bearer <access_token>In the request Body, user data request payload in DWS/Jam SCIM format.Here is what the API call looks like for one example User-
If we submit this API call by hitting “Send”, the user will get updated with the payload data from the request body.

[B.3] TO DELETE ANY USER RECORD

Important: This delete operation is permanent & irreversible.

Method: DELETEURL: https://< DWS URL >/api/v1/scim/Users/<user_uuid>In the request Header, Authorization = bearer <access_token>Here is what the API call looks like for one example User UUid:
If we submit this API call by hitting “Send”, the user will get deleted

[C] USING THE SCIM API TO VIEW OR DELETE USER LIST

Access Token: from section [A] stepslist_name: Name of the Listlist_id: Has to be retrieved via API call, searching with List Name.SCIM List API URL: https://< DWS URL >/api/v1/scim/Groups/<list_id>

[C.1] GET THE LIST ID

To search List ID for any List, same steps to be followed as viewing users, [B.1] section above, only changing to API endpoint /Groups:

URL: https://< DWS URL >/api/v1/scim/Groups? filter=displayName eq “<list_name>“

The API response will have the List ID in “id” field

[C.2] VIEW A LIST

To view SCIM data for any List, same steps to be followed as viewing users, [B.1] section above, only changing to API endpoint /Groups:

URL: https://< DWS URL >/api/v1/scim/Groups/< list_id >

[C.3] DELETE A LIST

To delete any List, same steps to be followed as deleting users, [B.3] section above, only changing to API endpoint /Groups:

URL: https://< DWS URL >/api/v1/scim/Groups/< list_id >

If you’ve worked with SAP Build Work Zone, advanced edition, you might have come across the SCIM 2.0–compliant API. This API is designed for managing Users and User lists, following the common specification.Now, SCIM is a broad standard with many optional elements. SAP’s implementation focuses on the essentials, so not every optional detail is covered – but everything you need for user and list management is there. Where does this SCIM API fit in the Work Zone landscape?The SCIM API is utilized by SAP Identity Provisioning Service (IPS) to handle User and List management for the Digital Workplace Service component of both following variants- SAP Build Work Zone, Advanced Edition and SAP SuccessFactors Work Zone. If you’re configuring IPS for Work Zone user provisioning, you’ll find detailed guidance in our help documentation.SAP Build Work Zone, Advanced EditionSAP SuccessFactors Work ZoneIPS should always be used as the primary means of User provisioning & management in Work Zone.But what if you want to go hands-on with the API yourself, for small scale user data adjustment or simply to check data? That is what we are going to cover in this blog.Important resource to go through before attempting to use the API-> Using the SCIM API | SAP Help PortalKey elements needed to use the SCIM API for User & List Management-Digital Workplace (DWS) URL-> Administration Console -> Overview -> Custom Domain URL (for Jam instances not using custom domain, just the regular DC URL- jamX.sapjam.com)SCIM API Client Key: Administration Console -> OAuth Clients -> SCIM Client (will have integration URL as http://www.simplecloud.info) -> KeySCIM API Client Secret: Administration Console -> OAuth Clients -> SCIM Client (will have integration URL as http://www.simplecloud.info) -> SecretSCIM API Token URL-> https://<DWS URL>/api/v1/auth/token [A] GETTING THE SCIM API ACCESS TOKENFirst step in using SCIM API is getting the access token.Using any suitable tool (like Postman) POST call needs to be made to the SCIM API Token URL, passing the SCIM API Client Key & Secret. This will return the Access token.Steps (Postman tool used for this example):Method: POSTURL: https://<DWS URL>/api/v1/auth/tokenIn the request Body:client_id: < SCIM API Client Key >client_secret: < SCIM API Client Secret >grant_type: client_credentialsHere is what the API call looks like in Postman-After making the call by hitting “Send”, access token returned in Response- [B] USING THE SCIM API TO VIEW, UPDATE OR DELETE USER User management via SCIM API will require-Access Token: from section [A] stepsUser_UUID: Can be grabbed from the browser URL of any user profile page in Work Zone. The alphanumeric identifier at the end of the URL will be the UUid.Example URL: abcdemo.workzonehr.cfapps.us10.hana.ondemand.com/site#workzone-profile?sap-app-origin-hint=&/profile/wall/QljGDtyuvpRDK7epwV0GiUQljGDtyuvpRDK7epwV0GiUis the UUid.SCIM User API URL: https://<DWS URL>/api/v1/scim/Users/<user_uuid>Using the above User API URL and the User UUid,GET calls can be made to view user data.PUT calls can be made to update user data.DELETE calls can be made to delete any user from Work Zone database. [B.1] TO VIEW ANY USER RECORDMethod: GETURL: https://< DWS URL >/api/v1/scim/Users/<user_uuid>In the request Header, Authorization = bearer <access_token>Here is what the API call looks like in Postman for one example User UUid:And the Response after hitting “Send”[B.2] TO UPDATE ANY USER RECORDMethod: PUTURL: https://< DWS URL >/api/v1/scim/Users/<user_uuid>In the request Header, Authorization = bearer <access_token>In the request Body, user data request payload in DWS/Jam SCIM format.Here is what the API call looks like for one example User-If we submit this API call by hitting “Send”, the user will get updated with the payload data from the request body.[B.3] TO DELETE ANY USER RECORDImportant: This delete operation is permanent & irreversible.Method: DELETEURL: https://< DWS URL >/api/v1/scim/Users/<user_uuid>In the request Header, Authorization = bearer <access_token>Here is what the API call looks like for one example User UUid:If we submit this API call by hitting “Send”, the user will get deleted [C] USING THE SCIM API TO VIEW OR DELETE USER LIST Access Token: from section [A] stepslist_name: Name of the Listlist_id: Has to be retrieved via API call, searching with List Name.SCIM List API URL: https://< DWS URL >/api/v1/scim/Groups/<list_id>[C.1] GET THE LIST IDTo search List ID for any List, same steps to be followed as viewing users, [B.1] section above, only changing to API endpoint /Groups: URL: https://< DWS URL >/api/v1/scim/Groups? filter=displayName eq “<list_name>”The API response will have the List ID in “id” field[C.2] VIEW A LISTTo view SCIM data for any List, same steps to be followed as viewing users, [B.1] section above, only changing to API endpoint /Groups:URL: https://< DWS URL >/api/v1/scim/Groups/< list_id >[C.3] DELETE A LISTTo delete any List, same steps to be followed as deleting users, [B.3] section above, only changing to API endpoint /Groups:URL: https://< DWS URL >/api/v1/scim/Groups/< list_id > Read More Technology Blog Posts by SAP articles

#SAP

#SAPTechnologyblog