In this blog, I will demonstrate how to use the SAP Concur User Identity and Provisioning API to retrieve a list of active users.

https://developer.concur.com/api-reference/profile/v4.identity.html

https://developer.concur.com/api-reference/user-provisioning/v4.user-provisioning.html

There are a few steps we need to follow, such as obtaining an access token and using it to retrieve the list of active users and their assigned roles.

Obtain the Access Token

To access the Authentication Admin page in the Concur portal, log in to https://us2.concursolutions.com and go to Administration > Company > Authentication Admin.

Select OAuth 2.0 Application Management.

To proceed, either select an existing Client ID or click on “Create New App” to create a new one.

It is important to verify that the necessary permissions (called “scopes”) are in place.

Here is the list of scopes that I used.

To create the access token, go back to the Authentication Administration page and click on “Company Request Token”.

Enter the Client ID in the App ID field and click on “Submit”.

After submitting, you will receive the Company UUID and Company Request Token. It is important to note that the request token has a lifespan of 24 hours and must be exchanged for a refresh token and access token by the application owner before it expires.

To refresh the token using Postman, enter the following information:

• client_id: Client ID
• client_secret: Client Secret
• grant_type: password
• username: Company UUID
• password: Company Request Token
• credtype: authtoken
• URL: https://us2.api.concursolutions.com/oauth2/v0/token

You will get the company JWT or access_token which has the token lifetime of 1 hour and can be used to call Concur APIs.

The refresh_token has a validity of six months. For more information on how to use and refresh it, please refer to the documentation.

Retrieve the list of Active Users

To obtain a list of active users, you can use this API endpoint.

https://us2.api.concursolutions.com/users/?offset=0&limit=100&isactive=true

In the Authorisation tab, choose Bearer token and enter the access_token (company JWT token) from the previous step.

While you may be able to use other endpoints, you may encounter a 504 gateway timeout error frequently.

https://us.api.concursolutions.com/profile/identity/v4/Users?count=100&startIndex=2

Retrieve the Assigned Role

To obtain the assigned role for a user, you will need to first retrieve the user’s ID using the Get API.

https://us2.api.concursolutions.com/profile/identity/v4/Users?filter=userName eq “<userid>”

From the above screenshot the user ID is adb2df64–008e-41d0–8e41–0424068a875a. Use this API to get the list of roles assigned.

https://us2.api.concursolutions.com/profile/spend/v4/Users/<user_id>

If a role has been assigned to the user, it will be visible in the entity urn:ietf:params:scim:schemas:extension:spend:2.0:Role.

I created a NodeJS script that retrieves a list of active users and stores it in a JSON file in order to automate this process.

https://github.com/ferrygun/sapconcur_extract_active_user