This guide explains how to configure the BC_EXT_APPJOB_MANAGEMENT OData API to use OAuth 2.0 authentication with SAP S/4 HANA private cloud

SAP

SAP Hana

1. Enable OAuth for the OData Service

· Run transaction /IWFND/MAINT_SERVICE (Service Maintenance).

· Open the Service Catalog and locate the BC_EXT_APPJOB_MANAGEMENT service (or the technical service name it’s published under).

· In the OAuth 2.0 section:

o Enable "Enable OAuth for Service" (or equivalent).

o Assign the correct OAuth 2.0 scope (or use the default scope for this service).

· Save and activate the service if required.

---

2. Create a Technical Integration User (Client ID / Client Secret)

· Run SU01.

· Create a technical user (e.g. for the OAuth client):

o Set User type to System (to avoid GUI logon).

o Assign a complex password — this will be the Client Secret.

o The user name will be used as Client ID.

· Assign the authorizations required for application job management (e.g. roles that allow calling BC_EXT_APPJOB_MANAGEMENT and related objects). If a standard role exists for “External Application Job Management” or “SAP_COM_0326”, use that; otherwise create a role with the needed authorizations.

---

3. Register OAuth 2.0 Client (Client Credentials)

· Run SOAUTH2 (OAuth 2.0 Client Configuration).

· Create a new OAuth 2.0 client (or edit the one used for this API):

o Grant type: enable Client Credentials.

o Client ID: same as the technical user from step 2 (or link to that user).

o Client Secret: use the password of that user (or the secret you maintain for this client).

· Ensure the client is allowed to request tokens for the scope used by BC_EXT_APPJOB_MANAGEMENT.

· Save.

You need authorizations for OAuth config (e.g. S_OA2C_CL, S_OA2C_OBJ).

---

4. Activate OAuth ICF Services

· Run SICF.

· Under default_host → sap → bc → sec → oauth2:

o Token: e.g. .../sap/bc/sec/oauth2/token — must be activated.

o Authorize: e.g. .../sap/bc/sec/oauth2/authorize — activate if you use authorization code flow; for Client Credentials only, token is enough.

· Confirm no errors in the activation log.

---

5. Token and API URLs (Private Cloud)

· Token URL (Client Credentials): https://<your-s4-host>/sap/bc/sec/oauth2/token?sap-client=<client>

· BC_EXT_APPJOB_MANAGEMENT base URL (example): https://<your-s4-host>/sap/opu/odata/sap/BC_EXT_APPJOB_MANAGEMENT?sap-client=<client>

Replace <your-s4-host> and <client> with your S/4 host and system client.

---

6. Calling the API with OAuth

1. Get access token (Client Credentials):

o POST to the token URL above.

o Content-Type: application/x-www-form-urlencoded

o Body: grant_type=client_credentials&client_id=<Client ID>&client_secret=<Client Secret>

o Optional: scope=<scope> if the service uses a specific scope.

2. Use the returned access_token in the Authorization header for BC_EXT_APPJOB_MANAGEMENT: Authorization: Bearer <access_token>

---

7. Communication Scenario (If Used in Your Landscape)

For S/4 HANA Cloud-style setup, the Application Job Management API is often associated with communication scenario SAP_COM_0326. In private cloud, your system may use:

· Communication arrangements and communication users, or

· Direct OAuth client + technical user as above.

If your basis team uses Communication Management (e.g. SM30 / customizing for SAP_COM_0326):

· Create a Communication System and Communication User for the client that calls the API.

· Create a Communication Arrangement for SAP_COM_0326 and assign that system/user.

· Ensure the arrangement allows OAuth 2.0 and that the same technical user (or linked OAuth client) is used as in SOAUTH2.

So: either you configure OAuth directly in SOAUTH2 + technical user, or you use the communication scenario and align the OAuth client/user with that arrangement.

---

8. Checklist

Step Where What

OAuth for

service /IWFND/MAINT_SERVICE Enable OAuth and set scope for BC_EXT_APPJOB_MANAGEMENT

Technical user SU01 System user, password = Client Secret, authorizations for job API

OAuth client SOAUTH2 Client Credentials, Client ID = user, scope for service

ICF SICF Activate .../sap/bc/sec/oauth2/token (and authorize if needed)

Communication Customizing / SM30 If used: SAP_COM_0326 arrangement and user aligned with OAuth

---

9. Documentation to Double-Check

· SAP Help: “Enabling OAuth 2.0 Authentication for OData Services” (for your S/4 release).

· SAP API Business Hub (api.sap.com): search for BC_EXT_APPJOB_MANAGEMENT and open the “Authentication” / “Security” section for the exact scope and recommended method (e.g. Client Credentials vs SAML Bearer).

· KBA / SAP Notes: search for “BC_EXT_APPJOB_MANAGEMENT” and “OAuth” or “SAP_COM_0326” for your S/4 HANA private cloud version.