Tutorial: Configure SAP Analytics Cloud for automatic user provisioning
This tutorial describes the steps you need to perform in SAP Cloud Identity Services, SAP Analytics Cloud, and Microsoft Entra ID to configure automatic user provisioning. When configured, Microsoft Entra ID automatically provisions and deprovisions users and groups to SAP Analytics Cloud using the Microsoft Entra provisioning service and SAP Cloud Identity Services. For important details on what Microsoft Entra provisioning does, how it works, and frequently asked questions, see Automate user provisioning and deprovisioning to SaaS applications with Microsoft Entra ID.
Capabilities supported
- Create users in SAP Analytics Cloud to enable single sign-on to SAP Analytics Cloud
- Remove users in SAP Analytics Cloud when they do not require access anymore
- Keep user attributes synchronized between Microsoft Entra ID and SAP Analytics Cloud
Prerequisites
The scenario outlined in this tutorial assumes that you already have the following prerequisites:
- A Microsoft Entra tenant
- One of the following roles: Application Administrator, Cloud Application Administrator, or Application Owner.
- An SAP Analytics Cloud and SAP Cloud Identity Services tenant
- A user account on SAP Identity Provisioning admin console with Admin permissions. Make sure you have access to the proxy systems in the Identity Provisioning admin console. If you don't see the Proxy Systems tile, create an incident for component BC-IAM-IPS to request access to this tile.
- An OAuth client with authorization grant Client Credentials in SAP Analytics Cloud. For more information, see Managing OAuth Clients and Trusted Identity Providers
Note
This integration is also available to use from Microsoft Entra US Government Cloud environment. You can follow the steps in this article and configure it in the same way as you do from public cloud.
Step 1: Plan your provisioning deployment
- Learn about how the provisioning service works.
- Determine who is in scope for provisioning.
- Determine what data to map between Microsoft Entra ID and SAP Analytics Cloud.
Step 2: Configure SAP Analytics Cloud to support SSO with Microsoft Entra ID
To configure single sign-on (SSO), follow the instructions in the SAP Cloud Analytics SSO tutorial.
Step 3: Configure user and group provisioning
First, create Microsoft Entra groups for your SAP business roles used in SAP Analytics Cloud.
Then, in SAP Cloud Identity Services provisioning, configure Microsoft Entra ID as a source to bring users and groups from Microsoft Entra ID to SAP Cloud Identity Services and map the created groups to your SAP business roles. For more information, see provision users from Microsoft Azure AD to SAP Cloud Identity Services - Identity Authentication.
Select the users who need access to SAP Analytics Cloud. Give them app role assignments to the application used for SSO configured at step 2, and also assign them as members of the Microsoft Entra groups.
Note
Start small. Test with a small set of users and groups before rolling out to everyone. Check that the users have the right access in SAP downstream targets and that, when they sign in, they have the right roles.
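Step 3 requires two things for every user: an app role assignment on the SSO application and membership in at least one of the Microsoft Entra groups mapped to SAP business roles. The following added example (not part of the original tutorial or of any Microsoft or SAP tooling) cross-checks the two lists for a pilot set before rollout. The sample records are constructed and only mimic the shape of Microsoft Graph `appRoleAssignedTo` and group `members` responses; the group names and IDs are hypothetical, and only direct group members are considered.

```python
# Constructed sample data; in practice export these lists from Microsoft Graph.
APP_ROLE_ASSIGNMENTS = [  # assignments on the SSO application from step 2
    {"principalId": "u1", "principalType": "User", "principalDisplayName": "Alice"},
    {"principalId": "u2", "principalType": "User", "principalDisplayName": "Bob"},
    {"principalId": "g-pilot", "principalType": "Group", "principalDisplayName": "SAC pilot"},
]
GROUP_MEMBERS = {  # group id -> direct members (hypothetical ids)
    "SAC-BI-Admin": [{"id": "u1"}, {"id": "u3"}],
    "SAC-Viewer": [{"id": "u4"}],
    "g-pilot": [{"id": "u4"}],
}
ROLE_GROUPS = ["SAC-BI-Admin", "SAC-Viewer"]  # groups mapped to SAP business roles


def assigned_users(assignments, group_members):
    """Users who hold an app role assignment, directly or through an assigned group."""
    users = set()
    for a in assignments:
        if a["principalType"] == "User":
            users.add(a["principalId"])
        elif a["principalType"] == "Group":
            users.update(m["id"] for m in group_members.get(a["principalId"], []))
    return users


def review_scope(assignments, group_members, role_groups):
    """Compare SSO assignment against role-group membership for each user."""
    sso = assigned_users(assignments, group_members)
    roles = {}
    for group in role_groups:
        for member in group_members.get(group, []):
            roles.setdefault(member["id"], []).append(group)
    with_roles = set(roles)
    return {
        # Assigned to the app but in no role group: no mapped business role.
        "sso_without_role_group": sorted(sso - with_roles),
        # In a role group but not assigned to the SSO application.
        "role_group_without_sso": sorted(with_roles - sso),
        # Both conditions met, with the groups that will drive the SAP roles.
        "ready": {u: sorted(roles[u]) for u in sorted(sso & with_roles)},
    }


if __name__ == "__main__":
    for finding, value in review_scope(APP_ROLE_ASSIGNMENTS, GROUP_MEMBERS, ROLE_GROUPS).items():
        print(finding, value)
```

Both mismatch lists should be empty for the pilot set before the rollout is widened.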