Create additional users in SAP Data Intelligence trial (with vctl)

Ok, so assuming you got your SAP Data Intelligence 3.0 trial (see more details in the post by Dimitri Vorobiev) running and you are the one having administrator (user system in tenant system) access to it.

Tutorials assume you keep using the admin user for all the exercises, but you want more people from your team/organization to be able learning how to develop data-intensive applications without sharing the admin user and password with them. That’s, at least, my case. And I plan to resolve it by creating separate DI developer (I name them didevXX) users.

I will use SAP Data intelligence’s CLI utility vctl, because — as DJ Adams keeps saying — “The future is terminal🙂

Get vctl utility

Thanks to Gianluca De Lorenzo who already covered vctl in his post Zen and the Art of SAP Data Intelligence. Episode 3: vctl, the hidden pearl you must know!

So, I logon to my SAP Data Intelligence system tenant as a system user and open System Management. And then go to the Help icon to download VCTL.

From the pop-up pick the right version for your OS. I am using MacOS, so I pick Darwin and download the utility to my ~/Tools folder.

And because I am using macOS Catalina version I need to remove the extended attribute Catalina assigned this attribute to the file because it was downloaded from the web.

ls -l@ vctl
xattr -d vctl


One more step — make it executable.

chmod u+x vctl

Who am I?

./vctl whoami

…returns Error: invalid session. Did you login? Has your session expired? as I am not logged in yet.

./vctl login --help
./vctl login system system --insecure
./vctl whoami

I had to use --insecure option, as a host in the Trial is using a self-signed certificate.

Hint: If you have kubectl installed and its context is set to the Data Intelligence’s K8s cluster, then you can get the ingress host name from kubectl get ingress -n datahub -o=jsonpath='{.items[0].status.loadBalancer.ingress[0].hostname}'.

Use it in the login command:

./vctl login https://$(kubectl get ingress -n datahub  -o=jsonpath='{.items[0].status.loadBalancer.ingress[0].hostname}') system system --insecure

Once login is successful the connection info is stored in the file ~/.vsystem/.vsystem_conn.

Create a tenant

I am going to create a separate tenant learning, but if you want users to access all connections and data pre-configured for tutorials, then you should create new users in the existing default tenant.

./vctl tenant create --help
./vctl tenant create learning
./vctl tenant set-strategy learning sdi-default-extension-strategy

should return Successfully created tenant "learning" and Successfully set strategy "sdi-default-extension-strategy" for tenant "learning".

Create a user

./vctl user create --help
./vctl user create learning didev00 Welcome20 member

…should return Successfully created user "learning/didev00".

It created a member (not an admin) user didev00 in the tenant learning with the password Welcome20 (although I understand many might say 2020 is not that welcoming…)

Assign policies to a user

./vctl policy --help
./vctl policy list-policies --tenant learning
./vctl policy assign sap.dh.metadata --tenant learning didev00
./vctl policy assign sap.dh.developer --tenant learning didev00

Now this user can logon into your SAP Data Intelligence trial to start learning and experimenting 🖥.

The script to create developer users

Obviously, creating all users manually can be annoying, so here is a quick and dirty (i.e.  no checks for errors, or if running user is logged and has authorizations) bash script


while getopts n:t:p: option
  case "${option}"
    n) NRTOTAL=${OPTARG};;
    p) DEVPWD=${OPTARG};;


for i in $(eval echo {1..${NRTOTAL}})
  nr=$(printf "%02d" $i)
  echo "${didevnr} out of ${NRTOTAL} being created..."
  ./vctl user create ${DITENANT} ${didevnr} ${DEVPWD} member
  ./vctl policy assign sap.dh.metadata --tenant ${DITENANT} ${didevnr}
  ./vctl policy assign sap.dh.developer --tenant ${DITENANT} ${didevnr}

By default, it creates 3 users with the password SAPDI30trial in the default tenant.

These defaults can be changed by providing parameters from the command line:

  • -n number of users to create starting from didev01
  • -t tenant
  • -p new user’s password (same for all newly created users)
./ -n 2 -t learning -p P@$$w0rd$

As I am not an expert in Bash scripts, any suggestions for improvement are welcome! Or if you want to rework it to PowerShell script and to share in comments — please do so!

I hope you find it useful,
-Vitaliy (aka @Sygyzmundovych)


Original Article:

Related blogs


Please enter your comment!
Please enter your name here