Explaining the Provisioning of Users and Roles in SAP Build Work Zone

To successfully log in to SAP Build Work Zone, users and assigned authorizations need to be available across several components of the overall solution architecture. This includes the usual SAP BTP subaccount level user, and role (collection) assignment. Furthermore, SAP Build Work Zone and SAP SuccessFactors Work Zone additionally require service-specific user persistence and role assignment, both on the service level (tenant) as well as within the Digital Workplace Service (DWS) layer.

To be able to access SAP Build Work Zone or SAP SuccessFactors Work Zone, users must be assigned to one or more default role collections that are created upon subscribing to this service on the subaccount level. Additionally, an XSUAA shadow user (to which these role collections are assigned and mapped) on the SAP BTP subaccount → Security → Users.

Shadow Users can be created in three ways, not all of which are specific to SAP Build Work Zone, but are uniformly used and available when using any service on the SAP BTP multi-cloud (CF) environment:

Role collections can also be assigned in multiple ways, not all specific to SAP Build Work Zone but uniformly used and available when using any service on the SAP BTP multi-cloud (CF) environment:

Note

All options outlined above for shadow user creation and role collection assignment, are supported for SAP Build Work Zone or SAP SuccessFactors Work Zone, although the automatic creation of shadow users and mapping based on the Groups assertion attribute is suggested in the documentation as the default setup.

As explained in previous units, specifically the one covering different integration scenarios, connecting to so-called content providers is one key integration mechanism to make different business apps available to users in SAP Build Work Zone. In the context of this content provider configuration, the role assignment (referring to the roles in the source system mapped to roles in the SAP Build Work Zone content manager) is an important aspect. There are two options available for assigning those content provider roles inside SAP Build Work Zone:

• Roles are automatically created as role collections on the SAP BTP subaccount following a specific syntax or prefix. The assignment to those roles is then done, as outlined in an earlier lesson.
• Directly assign the roles inside of SAP Build Work Zone, using a dedicated API. This presents one of two REST APIs based on the System for Cross-domain Identity Management (SCIM 2.0) specification.

For this second option, the SCIM API is used to create a base SCIM user record alongside the SCIM groups representing the required roles from the source system, for example, SAP S/4HANA. The default for using this API, is the SAP Cloud Identity Services, Identity Provisioning (IPS) with a dedicated connector available for these role assignments. Alternatively, the API can be connected to, from any other external client. It is not limited to the usage of IPS. The following graphic outlines the different options the API provides for this purpose.

SAP Build Work Zone exposes two REST APIs based off the System for Cross-domain Identity Management (SCIM 2.0) specification*. This first API is specifically leveraged for the role assignment in the content manager, optionally available in the context of integrating with external content providers.

While the usage of content providers and the related SCIM API for role mapping is optional, and will depend on the integration scope, the creation of users and role assignment in the Digital Workplace Service (DWS) is mandatory even for the initial login to SAP Build Work Zone. As outlined earlier in this unit, this is to be understood as complementary to the XSUAA shadow users and role collection assignments.

To support this requirement, SAP Build Work Zone also provides a second REST API based on the System for Cross-domain Identity Management (SCIM 2.0) specification. Similarly, with the first API discussed in the previous lesson, the SAP Build Work Zone implementation doesn't cover all possible optional elements of the SCIM 2.0 specification.

The two entities, Users and Groups from the SCIM API, are represented in the SAP Build Work Zone product as either internal or external users, or imported user lists, respectively.

When connecting to this SCIM API, it is important to use the Digital Workplace Service (DWS) URL, not the SAP Build Work Zone subscription URL from SAP BTP. The authentication for the SAP Build Work Zone SCIM API is done using 2-legged OAuth. For this reason, only the automatically created OAuth client "Workzone API Client" can be used. The client details are provided during the SAP Build Work Zone / SAP SuccessFactors Work Zone onboarding wizard, and then in the Administration Console → External integrations → OAuth Clients.

Remember, the DWS URL relates to the overall SAP Build Work Zone URL as follows:

The default for using this API, is the SAP Cloud Identity Services, Identity Provisioning (IPS) with a dedicated connector available for these role assignments. Alternatively, the API can be connected to, from any other external client. It is not limited to the usage of IPS. The following API endpoints and operations are supported.

SAP Build Work Zone exposes two REST APIs based off the System for Cross-domain Identity Management (SCIM 2.0) specification*. This second API is specifically leveraged user, and user list management in the Digital Workplace (DWS) layer, and is mandatory for the initial login to the system.

In addition to creating basic user profiles and user lists, there are several special features and considerations in the context of using this SCIM API: