Exploring Mandatory and Default Components

The default components represent platform-level services embedded into SAP Build Work Zone. The functionality of these services is available out-of-box and cannot be decoupled from SAP Build Work Zone. This includes the following components:

• Digital Workplace Service (DWS) provides functionality to manage administrative areas, workpages, workspaces and related features and functions. It is an internal (micro)service of SAP Build Work Zone.
• Launchpad provides functionality to access SAP and third-party business applications from the user interface of SAP Build Work Zone.
• UI Theme Designer provides functionality to create custom look and feel using UI themes.
• Mobile Services are used as a foundation for the SAP Build Work Zone Advanced native mobile application.
• To access SAP and third-party business applications, SAP Build Work Zone relies on SAP Connectivity service and SAP Destination service. These services are used to pass user requests to on-premise systems, cloud systems or Enterprise Service Business platform (for example: SAP Cloud Integration or SAP API Management) as well as handle authentication between the application shell (wrapper) and Digital Workplace Service through a pre-defined destination "JAM". In the contrast to other default components, SAP Connectivity service and SAP Destination service are not directly embedded in SAP Build Work Zone: they belong to SAP BTP and are available within the subaccount.

When SAP Build Work Zone is activated in a subaccount of SAP BTP, these components will be invisible in the list of subscriptions and service instances: they are all an integral part of the solution (SAP Build Work Zone subscription) itself.

The mandatory components represent platform services required for day-to-day operations of SAP Build Work Zone and are highlighted as prerequisites during the onboarding process. The following components are considered as mandatory:

• SAP Cloud Identity Services Identity Authentication (IAS) provides mechanisms to authenticate users in SAP Build Work Zone using SAML 2.0 or OpenID Connect protocols. IAS can work as a standalone authentication solution as well as act as a proxy to corporate Identity Providers, for example: Microsoft Entra ID or Ping Identity.
• SAP Cloud Identity Service Identity Provisioning (IPS) acts as a middleware to retrieve users and authorizations from the source system and provisions them into the desired (SAP) target system. SAP Build Work Zone offers a SCIM (System for Cross-domain Identity Management) 2.0 API to manage user records and user lists for this purpose.

While both IAS and IPS are required for SAP Build Work Zone, the implementation of these services should be aligned with the corporate security architecture for SAP and third-party solutions. Outside of SAP Build Work Zone, these services are also widely used by other SAP cloud solutions, for example SAP S/4HANA Cloud and SAP SuccessFactors.

Watch the following video to learn about Digital Workplace Service (DWS) component of SAP Build Work Zone, advanced edition and SuccessFactors Work Zone.

The Admin Console is the "heart" of DWS administration. The settings available (and visible) in Admin Console depend on a number of criteria:

• Settings in the Company Area can only be managed by users with either Support Admin or Company Admin role. The company area has a lot of global settings that impact the overall use of DWS. For example, the option to allow users to invite new external users to workspaces is available in the Company Area, it cannot be configured in other Admin Areas.
• Settings in other Admin Areas can be managed by users nominated as Area Admins, with role Support Admin or Company Admin. In contrast to the Company Area, the overall set of available settings is limited and can be even further restricted by users with the Support Admin or Company Admin role.

Software products need information about users in one form or another, and SAP Build Work Zone is not an exception here. While information about the currently logged on users can be obtained from SAML Assertion or JSON Web Token within the authentication process, DWS needs information about all other users to properly show user profiles in blog posts, comments, feeds, search results, etc. This is where Identity Provisioning (IPS) plays an important role. IPS helps to extract user information from a source system, for example, SAP SuccessFactors or Microsoft Entra ID, transform the data and then create or update user profiles in DWS. DWS exposes a REST API based off the System for Cross-domain Identity Management (SCIM 2.0) specification for this purpose.

Continuing the topic of API, DWS provides OData APIs to work with its content: workpages, workspaces, feeds, forums, knowledge articles, etc. It is required to maintain some settings in the Admin Console, implement proper authentication logic in custom application and use the DWS URL to use DWS OData / SCIM APIs.

Moving forward it is necessary to understand how DWS is embedded SAP Build Work Zone (subscription). It may seem a bit tricky at first, but don’t worry! Let’s try to unpack this by walking through the loading and rendering of SAP Build Work Zone in the web browser:

• Firstly, when a user is authenticated in SAP Build Work Zone, the application shell with header bar, user menu and various system libraries are loaded.
• Secondly, the application shell calls DWS API to obtain the access token. This token is used to provide a single sign-on (SSO) experience between application shell and DWS (micro) service.
• Lastly, the application shell loads DWS with an injected access token using HTML tag <iframe>. Simply speaking it is like an application inside an application!

The figure below shows the simplified process of a page loading and rendering in SAP Build Work Zone.

Getting into the details of SAP Build Work Zone subscription and DWS will highlight that they are hosted in different datacenters, and that they have different URLs.

The figure below shows the difference between the URL of Application Shell (SAP Build Work Zone or SAP SuccessFactors Work Zone subscription in the SAP BTP subaccount) and DWS:

Fortunately, users do not need to know the two different URLs to work with SAP Build Work Zone or SAP SuccessFactors Work Zone. Their experience starts with one URL used for the subscription in SAP BTP!

The DWS URL information can be found in the Overview section of the Admin Console.

Knowing the DWS URL is useful for technical purposes, for example to access the SCIM API for troubleshooting users and user list provisioning, setting up integration with SAP or third-party solutions, etc.

The ‘Applications’ Launchpad is another default component of SAP Build Work Zone, advanced edition and SAP SuccessFactors Work Zone. It provides features and functions to organize a central point of access to SAP and third-party business applications, both cloud and on-premise. When it is configured, users can access all applications (that they have access to) through a dedicated Applications menu or selectively in workpages and workspaces.

While the Digital Workplace Service (DWS) represents a separate application inside SAP Build Work Zone and loaded through the HTML tag <iframe> (that has its own URL!), the Applications tab is fully embedded in the application shell.

The Launchpad provides a UI to setup and manage business applications. It is called Work Zone Manager and can be opened from the External Integrations → Business Content menu in Admin Console.

The Work Zone Manager has five menus:

Work Zone Directory

Used to manage sites. The concept of sites helps to organize more segregated access to business applications. At the date of course publication, SAP Build Work Zone, advanced edition, supports only one site that is created automatically during the onboarding procedure. Site settings allow admins to set some global parameters for SAP Build Work Zone subscription, for example, disable icons like My Inbox or Notifications, change the session timeout for SAP Build Work Zone, etc.

Content Manager

Allows admins to manage business apps, catalogs, groups, and roles. These items can be created manually or added through content federation.

Channel Manager

Allows admins to setup remote content providers. The Channel Manager is a solution that exposes content that can be integrated in SAP Build Work Zone. By default, SAP Build Work Zone has only one remote content provider — HTML5 apps from the SAP BTP subaccount.

Work Zone Configurator

Is used during the onboarding process of SAP Build Work Zone (right after execution of the Booster in SAP BTP). It is typically not used beyond this process. This menu also helps to setup the fallback authentication for DWS as part of the initial setup process.

Settings

Allows admins to maintain additional global parameters as well as access error logs.

In addition, both the DWS and the launchpad component supports integration with SAP Companion (former SAP Enable Now Web Assistant). It provides embedded in-app help at the point of need, free standard help content and guidance through difficult processes for SAP solutions! The important note is that functionality of SAP Companion and the content is delivered by target SAP solutions for the Intelligent Enterprise: launchpad component in SAP Build Work Zone just helps to consume it (meaning that content is not stored or managed by SAP Build Work Zone).

SAP Companion and SAP Enable Now belong to another big corporate domain: user learning and adoption. Typically, the implementation of SAP Enable Now and SAP Companion for company-wide user learning and adoption is done as a separate implementation project (and outside of SAP Build Work Zone and digital experience projects).

Watch the following video to learn about digital experience solutions.

Nowadays it is difficult to imagine our life without mobile devices: we use them for entertainment, education, and business. SAP Build Work Zone, advanced edition provides two options for a mobile experience.

Watch the following video to learn how SAP Build Work Zone supports a mobile experience.

Watch the following video to understand the role of mobile services, one of the default components of SAP Build Work Zone.

When there is a need to tune some parameters of the SAP Build Work Zone Advanced mobile app globally, it can be done from the mobile services cockpit (which can be accessed from the Administration Console of SAP Build Work Zone). Here are some examples of settings:

Define the client password policy used to unlock the DataVault.

The client password policy applies only to the application password that unlocks the DataVault during application initialization; it affects neither SAP Mobile Services security profiles nor the back-end security systems with which it integrates.

Password policies for back-end security systems are administered by customer information technology departments using native security administration tools.

Define the policy for locking and wiping the application running on a device.

The administrator can create locking and wiping policies for the app:

• Locking refers to locking the app on the device client. Once the app is locked, the user can unlock it by connecting to the server and authenticating. All existing data remains on the device.
• Wiping refers to resetting the application on the device. This deletes existing data on the device.

Define the policy for synchronizing application components on various channels, including Wi-Fi, mobile networks, and roaming.

This feature lets administrators control synchronization behavior for each app from the cockpit, by indicating when it is okay for data-heavy SDK components to synchronize . Eligible components include:

• Analytics
• Client resources
• Logs
• Offline OData
• and others

While there are a lot of settings to control behavior of mobile apps used with SAP Build Work Zone, the look and feel of the app cannot be customized. For instance, it is not possible to add a company logo to the mobile app using standard configuration capabilities. However, SAP provides the source code for Mobile Development Kit (MDK) for SAP Mobile Services. The source code can be used to create and publish a custom mobile application. The details for where to download source code and how to start development are published on the SAP Help Portal.

It is also worth mentioning that mobile services component is just a platform for SAP Build Work Zone mobile apps: it is not a Mobile Device Management (MDM) solution. Therefore, it does not provide MDM specific capabilities, for example, deployment of SAP Build Work Zone mobile app to all corporate mobile devices centrally.

Considering the different options for mobile experience for SAP Build Work Zone, the obvious question is when to use each option?

The following table gives orientation, when to use what tool. On the left side, the focus is on contribution, the right side is more oriented towards consumption.