SAP Gateway User Provisioning Service
In today's SAP landscape, UI5/Fiori applications are predominantly replacing the end-user transactions (sales order, purchase order and billing document creation) that used to be run as regular SAP GUI transaction codes (T-codes). Business transactions and many reports are now accessible on multiple devices (laptop, tablet, mobile) as lightweight applications. To use them, each end-user must have a user account in the SAP Gateway (front-end) system. The number of end-users varies with the size of the business, and with a large number of end-users it is very hard for the SAP security team to manage each account manually (create/update/terminate) and assign the roles (the required applications) to it.
To reduce this effort, we built a simple OData service that can be called from any ticketing tool (such as ServiceNow) to automate creation, updating and termination of user accounts together with their role assignments.
The password and other key information of the end-user must be handled confidentially. With this in mind, we designed the service call with the following features:
- Identifying the data that is mandatory to create/update/terminate a user in SAP and making that information mandatory in the service call
- Making sure the newly created password is never returned in the RESPONSE to this service call. Only the newly created user ID is returned (this can be restricted further based on the requirement)
- The approver's (manager or above) email address is mandatory in this service call, so that the credentials can be sent separately in an email directly from SAP
- The approver receives the credentials by email only when the domain after the '@' in the approver's email address matches the client domain.
Example: if the client is Amazon with the domain amazon.com, the email should contain “firstname.lastname@example.org”. This is also configurable if the requester allows sending to a different email address (different domain).
- A custom table to configure the roles that may be exposed outside the SAP system.
- A service to read these roles, so that the requester can select the roles required for the user account
- A custom table that stores every request with a success/failure flag, the credentials for each successfully created user and the approver email
- A custom background program that picks up only new, successfully created records and emails the credentials to the approver.
The following standard SAP BAPIs are used to create/update/terminate a user account in SAP; a few of their fields are made mandatory in the service call.
- Create/modify a user account using the standard BAPI BAPI_USER_CREATE1
Mandatory fields are username, logon data, password, address and defaults (date, decimal and time formats) based on country
- Terminate the account by setting the last working day as the account end date using the standard BAPI BAPI_USER_CHANGE
- Assign or modify roles for a user account using BAPI_USER_ACTGROUPS_ASSIGN.
Advantages of using this service
- Easy to integrate with any ticketing tool that can call OData services.
- Business admins and managers get quick access to the system. External users such as short-term contractors who work in plants, yards or shipping points do not have to go through the long process of raising a ticket, waiting for approvals, etc.
- Easy to terminate access by setting a future date as the termination date.
License type: we must make sure to choose the right license type when creating the user account, since each license carries a cost to the customer.
Before implementing this solution, get the appropriate license(s) from the SAP security team, have them configured in the backend and use them as required. Never create a user account with a null license type: SAP will then assign a default license, which causes problems for the customer.
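The validation rules described above (mandatory fields, approver domain check, exposable-roles table, no password in the response, mandatory license type) modelled in Python as an added example; this is not the post's ABAP/OData code, and the table contents, field names, role names and license value are constructed stand-ins for the custom tables the post describes:

```python
# Added example (not from the original post): a Python model of the provisioning
# service's validation rules. The real service is an ABAP OData service; the
# configuration below stands in for the post's custom tables.
import secrets

CLIENT_DOMAIN = "amazon.com"                    # the post's example client domain
EXTRA_ALLOWED_DOMAINS = {"partner.example"}     # configurable exceptions (constructed)
EXPOSABLE_ROLES = {"Z_FIORI_SO_CREATE", "Z_FIORI_PO_DISPLAY"}  # constructed role names
MANDATORY_FIELDS = ("username", "firstname", "lastname", "country",
                    "license_type", "approver_email")

def approver_domain_allowed(email: str) -> bool:
    """Exact, case-insensitive match of the part after the single '@'.
    An exact match rejects look-alikes such as amazon.com.evil.example,
    which a suffix check (endswith) would accept."""
    if email.count("@") != 1:
        return False
    local, domain = email.split("@")
    allowed = {CLIENT_DOMAIN} | EXTRA_ALLOWED_DOMAINS
    return bool(local) and domain.strip().lower() in allowed

def validate_request(req: dict) -> list:
    """Return the reasons the request must be rejected (empty list = accepted)."""
    errors = [f"missing mandatory field: {f}" for f in MANDATORY_FIELDS if not req.get(f)]
    if not approver_domain_allowed(req.get("approver_email", "")):
        errors.append("approver email domain not allowed")
    unknown = set(req.get("roles", ())) - EXPOSABLE_ROLES
    if unknown:
        errors.append("roles not exposable: " + ", ".join(sorted(unknown)))
    return errors

def provision(req: dict) -> tuple:
    """Return (response, log_record). The response never carries the password;
    only the log record (the post's custom request table) does, so that the
    background mailer can send it to the approver."""
    errors = validate_request(req)
    if errors:
        return {"status": "FAILED", "errors": errors}, {"username": req.get("username"), "success": False}
    # Stand-in for the initial password that would be handed to BAPI_USER_CREATE1.
    password = secrets.token_urlsafe(12)
    response = {"status": "SUCCESS", "username": req["username"]}
    record = {"username": req["username"], "success": True,
              "approver_email": req["approver_email"], "password": password, "mailed": False}
    return response, record
```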
Flow Diagram to Explain the Process
Access Request Process (ServiceNow is used as the ticketing tool to illustrate our solution):
Termination Request Process (ServiceNow is used as the ticketing tool to illustrate our solution):
“Time is precious, use it wisely”: the SAP Gateway User Provisioning Service helps the security team handle user accounts faster and more efficiently when the accounts are of a similar type and are created in bulk.
Contact for further details
Santosh C Marapalli
Team Lead – ERP SAP (Technical)