SAP Password reset tool using Azure Logic App, SAP PO/Integration Suite and ABAP

Recently while working on Azure Logic App, I felt we can make use of Office 365 email connector to automate a few manual processes.

I thought, why not create a password reset tool?

So, I designed a Logic App that picks up email from a specific Outlook folder and passes the information on to SAP ECC6 via SAP PO. Finally, an ABAP program resets or unlocks the user's password, and the messages are returned to the sender by the Logic App.

Develop a Logic App in Azure that is connected to an Outlook account (in the real world, the email account must be a service account) and looks for new emails.

Outlook connector configuration

  • The Password Reset folder is checked every 10 seconds, so any new email that comes in is picked up immediately.

Make sure the email body is in a specific format (end users need to be trained on the email body format); otherwise parsing in the Logic App will fail and the correct format will be returned to the sender.

Default email format (JSON)

{
  "User": {
    "Client": "230",
    "UNAME": "MOHAMM4A",
    "email": "<email address>",
    "action": "unlock"
  }
}

Email body parsing

  • Whenever the email trigger fires, the email has a unique Message-Id. Using this Message-Id, the reply is sent back to the same email sender.

As soon as the parsing completes, a properly structured JSON request is created and sent to the SAP PO REST adapter endpoint using the HTTP connector in the Logic App.

HTTP connector

SAP PO or Integration Suite configuration:

In our DEV SAP ECC6, we have 2 clients (100 and 230), so the end user needs to specify the proper client in the email body. Once the payload is received in SAP PO, it is converted to XML by the REST adapter.

1. Develop ID objects in SAP PO with one REST sender adapter and 2 SOAP adapters (XI protocol) for the two clients.

SAP PO ID objects

2. In the ICO, I have added conditions in the receiver determination so that, based on the client, the matching business system is invoked for a password reset.

ICO – Receiver determination

3. Create ESR objects so that the structure appears in SPROXY for ABAP coding.

ESR objects

4. Mapping in ESR is straightforward (one-to-one mapping).

Message Mapping

We are done with the SAP PO configuration.

If you are using SAP Integration Suite, you can leave out Azure Logic App completely. Not everyone uses Azure in their organization, so in this variant all the operations are performed in SAP.

SAP Integration Suite IFlow

  • In my case I have used the XI adapter. The Cloud Connector was already in place, so I directly hit my ECC system. (reference: Configuring Scenario Using the XI Receiver Adapter)
  • I reused the same SAP PO generated Service Interface in ECC.
  • It is also possible to connect via SOAMANAGER.
  • IFlow can be found at my Git Repository.

Password reset IFlow

Sender MAIL adapter is connected to my email account via IMAP and polls from the folder CPI at an interval of 10 seconds.

sender mail adapter

Once there is an email in the folder, the adapter picks it up, processes it and changes its status from unread to read.

For the purpose of sending the sender’s email ID along with the request payload for unlocking/reset, I’ve extracted the adapter header parameter (FROM) using a Groovy script and passed it to ECC by forming a payload in the content modifier.

Finally, the response from ECC must be returned to the sender via receiver email adapter.

Receiver email configuration

SAP ABAP development:-

1. Generate a proxy for the service provider in t-code SPROXY.

Service Proxy Proxy

2. Once we generate a proxy, an ABAP class will be generated.

Auto-generated ABAP class

3. We can either code in the same method or create a separate class where all the operations can be performed. I have created a separate class (SE24) and did all the validations and the password reset/unlock operation there.

4. The most important question is: how do we get the user details from SAP? To do this we can make use of the standard BAPI BAPI_USER_GET_DETAIL, where we pass the user ID (UNAME from the email) as an exporting parameter and get back the user's address details and SNC (Secure Network Communications) data.

BAPI_USER_GET_DETAIL

  • ls_address-e_mail holds the email address of the user in SAP.
  • The email address returned by the BAPI is validated against the sender’s email address (coming from Logic App or SAP Integration Suite).
  • If the email ID in SAP doesn’t match the email sender’s email ID, then a reply is sent back to the sender.
  • Otherwise, based on the action (UNLOCK/RESET), the program either resets the user’s password or unlocks the user.

5. The user details can be seen in transaction code SU01.

6. I have added a few validations within the ABAP code before resetting/unlocking the user.

  • There are situations when the BASIS team locks all the users during system maintenance; in such situations users shouldn’t be allowed to unlock. (If the status of usr02-uflag is 32 & 66, then it is locked by the administrator.)
  • A person who leaves the organization should not be allowed to reset/unlock. (usr02-class holds the user class.)
  • The email sender needs to specify the correct user ID in the email body.

7. After validating and getting details from SAP, we can go ahead and reset/unlock users based on their choice.

8. Finally, using standard BAPI: BAPI_USER_UNLOCK user can be unlocked.

BAPI_USER_UNLOCK – To unlock user

9. If the choice is to reset, we can use BAPI: BAPI_USER_CHANGE.

  • I have used FM GENERAL_GET_RANDOM_STRING to generate a random 8-character password and concatenated “@1” to it to make it strong.
  • By passing the new string and the username into FM BAPI_USER_CHANGE, the password is reset, and the response is returned to SAP PO –> Logic App –> email.

10. We are done with the ABAP development.
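
The validations from steps 4 and 6, written out in ABAP as an added example (this is not the author's class). The local class lcl_pwd_reset_check, its parameters, the message texts and the leaver user group 'LEAVERS' are assumptions; the UFLAG values are the ones given in the text.

```abap
CLASS lcl_pwd_reset_check DEFINITION FINAL.
  PUBLIC SECTION.
    CONSTANTS gc_leaver_group TYPE usr02-class VALUE 'LEAVERS'. " assumed group
    CLASS-METHODS validate
      IMPORTING iv_uname        TYPE xubname
                iv_sender       TYPE string
                iv_action       TYPE string
      RETURNING VALUE(rv_error) TYPE string. " initial = request may proceed
ENDCLASS.
CLASS lcl_pwd_reset_check IMPLEMENTATION.
  METHOD validate.
    DATA: ls_address TYPE bapiaddr3,
          lt_return  TYPE STANDARD TABLE OF bapiret2,
          ls_usr02   TYPE usr02,
          lv_action  TYPE string,
          lv_sender  TYPE string,
          lv_stored  TYPE string.
    lv_action = iv_action.
    TRANSLATE lv_action TO UPPER CASE.
    IF lv_action <> 'UNLOCK' AND lv_action <> 'RESET'.
      rv_error = 'Invalid action'. RETURN.
    ENDIF.
    CALL FUNCTION 'BAPI_USER_GET_DETAIL'
      EXPORTING username = iv_uname
      IMPORTING address  = ls_address
      TABLES    return   = lt_return.
    READ TABLE lt_return TRANSPORTING NO FIELDS WITH KEY type = 'E'.
    IF sy-subrc = 0.
      rv_error = 'Invalid user ID'. RETURN.
    ENDIF.
    " iv_sender is the From address handed over by the integration layer, so
    " this match is only as strong as the mail system's sender authentication.
    lv_sender = iv_sender. lv_stored = ls_address-e_mail.
    TRANSLATE: lv_sender TO LOWER CASE, lv_stored TO LOWER CASE.
    CONDENSE: lv_sender, lv_stored.
    " An empty stored address must never match an empty sender.
    IF lv_stored IS INITIAL OR lv_stored <> lv_sender.
      rv_error = 'Sender does not match the email stored in SAP'. RETURN.
    ENDIF.
    SELECT SINGLE * FROM usr02 INTO ls_usr02 WHERE bname = iv_uname.
    " Administrator lock, UFLAG values as given in the text above.
    IF ls_usr02-uflag = 32 OR ls_usr02-uflag = 66.
      rv_error = 'User is locked by an administrator'. RETURN.
    ENDIF.
    IF ls_usr02-class = gc_leaver_group.
      rv_error = 'User is not eligible for self-service'.
    ENDIF.
  ENDMETHOD.
ENDCLASS.
```

The proxy method would call validate first and only go on to BAPI_USER_UNLOCK or BAPI_USER_CHANGE when the returned text is initial.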

Note: The validations are based on my own understanding after discussing with the security team; you can add as many validations as you want. Also, if you have any suggestions regarding validations, please write them in the comment section.

Now, It’s time to test our tool 🙂

Test 1: If the user tries to reset his password.

A new password is generated and email is received as an email reply

Test 2: If the user tries to unlock.

User was not locked in SAP, so a proper response was returned back to the sender

Test 3: Few more validations.

Invalid action and invalid email validations

Test 4: In case the email body is not correct, the default email template will be returned as an email response.

Invalid email body

Monitoring:-

Azure Logic App

Logic App

Invalid JSON

HTTP connector

SAP PO:

SAP PO Message Monitor

SAP ECC6 Logs:

For the audit log purpose, I have added logs in ABAP SLG1 for each password reset request.

Logs in ECC can be checked in the SLG1 transaction code.

SLG1 log

SAP Integration Suite:

SAP IS Message Log

Email picked and responded by SAP Integration Suite

Conclusion:-

You can rely on SAP Integration Suite alone if you do not want to use Logic App (I’ve done this as my own experiment).

The only drawback of using SAP IS is that we cannot respond to the same email using the MAIL adapter, whereas in Logic App I was able to do so.