# Coupa ### Overview The Veza-built connector for Coupa enables discovery of a single Coupa instance, including details for each user and their group and role memberships. See [notes and supported entities](#notes-and-supported-entities) for more details. ### Configuring Coupa To connect to Coupa’s REST API, Veza uses Oauth2 authentication based on a client id and secret. To generate a new client and credentials, log into Coupa as an admin user: 1. Go to **Setup** > **Oauth2/OpenID Connect Clients** 2. Click **Create** and pick **Client Credentials** for the **Grant type** 3. Enter the required fields and enable the scope: * `core.users.read` 4. Save the Client and note the **Client Identifier** and **Client Secret** See the [Coupa documentation](https://compass.coupa.com/en-us/products/product-documentation/integration-docs/the-coupa-core-api/transition-to-oauth-2.0-and-oidc/oauth-2.0-transition-guide) for more details. ### Configuring Coupa on the Veza Platform 1. In Veza, open the **Integrations** page. 2. Click *Add New* and pick **Coupa** as the type of integration to add 3. Enter the required information and *Save* the configuration | Field | Notes | | ----------------------- | ------------------------------------------------ | | Coupa URL | URL of the instance to connect to | | Coupa Client Identifier | OAuth Client ID | | Coupa Client Secret | OAuth Client Secret | | Role Permissions | Export of Role permissions from Coupa (Optional) | ### Notes and Supported Entities #### Roles and Permissions Veza is unable to collect role permissions automatically due to the Coupa REST API not supporting returning role permission information. By default, all Local Roles created for Coupa roles are populated with a single permission named for the role that is `Uncategorized`. Optionally, a Coupa permissions export can be uploaded when configuring the integration to map permissions to roles. When provided, this exported data is incorporated into Veza's Access Graph. **Important**: The role permissions in Veza will reflect the state of permissions as of the last uploaded export - there is no automatic synchronization with Coupa's current permissions. To create a report of Role Permissions: 1. Go to Setup > Company Setup > Permissions 2. Click "Export to" and select CSV file format The resulting CSV from Coupa should be uploaded as-is without modifications. The export should contain the following header: ```csv Controller,Action,Description,Roles ``` The CSV can be uploaded as part of the initial configuration of the Integration, and updated at any time by uploading a new CSV by editing the integration. #### Permission Name Handling Veza creates permissions by combining the `Controller` and `Action` fields from the CSV export. When the CSV contains multiple entries with identical controller-action combinations (but different descriptions or role assignments), Veza automatically appends a numeric identifier to ensure unique permission names. {% hint style="info" %} For example, if your CSV export contains: * `requisition_lines,retry_realtime_verification,To re-initiate open buy item verification.,...` * `requisition_lines,retry_realtime_verification,Retry Realtime Verification,...` Veza will create permissions named: * `requisition_lines - retry_realtime_verification - 1` * `requisition_lines - retry_realtime_verification - 2` {% endhint %} This helps to ensure all permission mappings derived from the Coupa export are preserved in Veza's Access Graph, even when Coupa contains duplicate controller-action combinations with different role assignments. #### Coupa User | Attribute | Notes | | ---------------------------------------- | ---------------------------------------------------------------- | | `authentication_method` | Authentication method user signs in by | | `created_at` | Time the user was created at | | `email` | Email address associated with User | | `invoice_approval_limit_amount` | Numeric value for invoice approval limit if set on User | | `is_active` | True if the user is active | | `login` | User's login | | `requisition_approval_limit_amount` | Numeric value for requisition approval limit if set on User | | `requisition_self_approval_limit_amount` | Numeric value for requisition self approval limit if set on User | #### Coupa Group Coupa has multiple different types of Groups. Each group is mapped to a “Local Group” with a `group_type` property set to indicate its type. Veza currently collects `User`, `Account` and `Content` groups. | Attribute | Notes | | ------------ | ------------------------------------- | | `group_type` | What type of group the local group is | | `is_active` | True if the group is active | #### Coupa Role | Attribute | Notes | | ------------- | ----------------------------------- | | `description` | Description from role | | `omnipotent` | True if Coupa role is omnipotent | | `system_role` | True if Coupa role is a system role | > Note: Only roles with users assigned are discovered by the integration. Unused roles will not appear in Veza. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.veza.com/4yItIzMvkpAvMVFAamTf/integrations/integrations/coupa.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.