To successfully log in to SAP Build Work Zone, users and their assigned authorizations must be available across several components of the overall solution architecture. This includes the usual SAP BTP subaccount-level user and role (collection) assignment. Furthermore, SAP Build Work Zone, advanced edition and SAP SuccessFactors Work Zone require service-specific user persistence and role assignment, both on the service level (tenant) and in the Digital Workplace Service (DWS) layer.
To access SAP Build Work Zone, advanced edition or SAP SuccessFactors Work Zone, users must be assigned to one or more of the default role collections that are created on the subaccount level when subscribing to the service. Additionally, an XSUAA shadow user (to which these role collections are assigned and mapped) must exist on the SAP BTP subaccount under Security → Users.
Shadow users can be created in three ways. Not all of them are specific to SAP Build Work Zone; they are uniformly used and available with any service on the SAP BTP multi-cloud (Cloud Foundry) environment:
- Manually create users through the admin UI on the SAP BTP subaccount cockpit.
- Create users via the XSUAA SCIM API, for example, using the SAP Cloud Identity Services, Identity Provisioning (IPS). For this setup, a dedicated target system type is available to create, update, and remove users.
- Automatically create and update users based on the login via the connected IdP. For this to work, the Create Shadow Users flag for the IdP trust configuration must be enabled.
Role collections can also be assigned in multiple ways, again not all specific to SAP Build Work Zone but uniformly used and available with any service on the SAP BTP multi-cloud (Cloud Foundry) environment:
- Manually assign through the admin UI on the SAP BTP subaccount cockpit.
- Use attribute mapping (for example, Groups) from the connected IdP, relying on either SAML 2.0 assertion attribute values or OIDC token claim values.
- Assign through the XSUAA SCIM API, for example, using the SAP Cloud Identity Services, Identity Provisioning (IPS). For this setup, a dedicated target system type is available to assign or unassign role collections to users.
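To make the interplay of the Create Shadow Users flag and the IdP attribute mapping concrete, here is an added Python simulation of the two trust-configuration decisions (it is not SAP code and calls no SAP API). The mapping rules follow the cockpit's "attribute equals value → role collection" shape; the group names, role collection names, user IDs and the TrustConfig/login helpers are constructed for illustration.

```python
"""Simulate SAP BTP IdP trust settings: shadow-user auto-creation and
role-collection assignment from SAML/OIDC attributes. Constructed example."""
from dataclasses import dataclass, field


@dataclass
class TrustConfig:
    create_shadow_users: bool               # the "Create Shadow Users" flag
    # (attribute name, expected value) -> role collection name
    mappings: dict = field(default_factory=dict)


# Constructed data: two IdP groups map to two (placeholder) role collections.
TRUST = TrustConfig(
    create_shadow_users=True,
    mappings={("Groups", "wz-admins"): "Example_WorkZone_Admin",
              ("Groups", "wz-users"): "Example_WorkZone_User"},
)


def normalise(attrs: dict) -> dict:
    """SAML attributes and OIDC claims may be scalar or multi-valued;
    turn every value into a set of strings so matching is uniform."""
    return {k: set(v if isinstance(v, list) else [v]) for k, v in attrs.items()}


def role_collections(cfg: TrustConfig, attrs: dict) -> set:
    """Assign every role collection whose (attribute, value) rule matches."""
    return {rc for (name, value), rc in cfg.mappings.items()
            if value in attrs.get(name, set())}


def login(cfg: TrustConfig, shadow_users: set, user_id: str, attrs: dict):
    """Outcome of a federated login: (user id, role collections), or None when
    no shadow user exists and auto-creation is disabled (access is denied)."""
    if user_id not in shadow_users:
        if not cfg.create_shadow_users:
            return None
        shadow_users.add(user_id)           # auto-created shadow user
    return user_id, role_collections(cfg, attrs)
```

A user whose IdP group list matches no rule still gets a shadow user but an empty role-collection set, which is why reviewing the mapping rules is as important as the flag itself.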