Tutorial: Configure SAP Analytics Cloud for automatic user provisioning
This tutorial describes the steps you need to perform in both SAP Analytics Cloud and Microsoft Entra ID to configure automatic user provisioning. When configured, Microsoft Entra ID automatically provisions and deprovisions users and groups to SAP Analytics Cloud using the Microsoft Entra provisioning service. For important details on what this service does, how it works, and frequently asked questions, see Automate user provisioning and deprovisioning to SaaS applications with Microsoft Entra ID.
Note
We are working with SAP to deploy a new gallery application that provides a single point to configure your SAP Analytics Cloud application.
Capabilities supported
- Create users in SAP Analytics Cloud
- Remove users in SAP Analytics Cloud when they do not require access anymore
- Keep user attributes synchronized between Microsoft Entra ID and SAP Analytics Cloud
- Single sign-on to SAP Analytics Cloud (recommended)
Prerequisites
The scenario outlined in this tutorial assumes that you already have the following prerequisites:
- A Microsoft Entra tenant
- A user account in Microsoft Entra ID with permission to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
- A SAP Analytics Cloud tenant
- A user account on SAP Identity Provisioning admin console with Admin permissions. Make sure you have access to the proxy systems in the Identity Provisioning admin console. If you don't see the Proxy Systems tile, create an incident for component BC-IAM-IPS to request access to this tile.
- An OAuth client with authorization grant Client Credentials in SAP Analytics Cloud. To learn how, see: Managing OAuth Clients and Trusted Identity Providers
Note
This integration is also available to use from Microsoft Entra US Government Cloud environment. You can follow the steps below and configure it in the same way as you do from public cloud.
Step 1: Plan your provisioning deployment
- Learn about how the provisioning service works.
- Determine who is in scope for provisioning.
- Determine what data to map between Microsoft Entra ID and SAP Analytics Cloud.
Step 2: Configure SAP Analytics Cloud to support SSO with Microsoft Entra ID
Follow the set of instructions available for our SAP Cloud analytics SSO tutorial
Step 3: Create Microsoft Entra groups for your SAP business roles
Create Microsoft Entra groups for your SAP business roles
Step 4: Map the created groups to your SAP business roles
Go to SAP Help Portal to map the created groups to your business roles. If you get stuck, you can get further guidance from SAP Blogs
Step 5: Assign Users as members of the Microsoft Entra groups
Assign users as members of the Microsoft Entra groups and give them app role assignments
- Start small. Test with a small set of users and groups before rolling out to everyone.
Check the users have the right access in SAP downstream targets and when they sign in, they have the right roles.
Feedback
https://aka.ms/ContentUserFeedback.
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see:Submit and view feedback for