Introduction to Identity Provisioning service

SAP Cloud Identity Services - Identity Provisioning (IPS) is a core service of SAP Business Technology Platform. It is used to provision identities and their authorizations between source and target systems.

The source system is the system that stores the user information for example SAP S/4HANA, SAP SuccessFactors, etc. The target system is the system where this information is consumed / sent to, in this case SAP Build Work Zone.  Identity Provisioning is a central service that can be used to connect a variety of SAP cloud/on-premise and other selected 3rd party systems.

Integration of SAP Build Work Zone with Identity Authentication (IAS)

It is recommended to set up the SAP BTP platform-level trust and it is required to have OIDC-based trust on the subaccount-level established using the 'establish trust' feature. This allows applications like SAP Build Work Zone to integrate directly with IAS. If other trusted Identity Providers (IdPs) are configured on the subaccount level, temporarily disable them during the initial setup.

Once you have the above prerequisites ready, configuring the direct integration with IAS is done using a few simple steps. An administrator can do this easily through the Work Zone's Design Time UI from the Site Manager > Settings > Identity Authentication screen. As shown in the screenshot below.

After the setup has been completed successfully, the below screes will show meaning that the dedicated application in IAS will be created.

If you want to learn more about the integration of SAP Build Work Zone with SAP Cloud Identity services and different trust levels, please head over to this blogpost. 

Exploring Role Assignments in Identity Provisioning service

Connecting to content providers is a key integration mechanism to make different business apps available to users in SAP Build Work Zone. For the configuration of content provider, the role assignment is a core aspect. There are two options available for assigning those content provider roles inside SAP Build Work Zone:

1. Roles are automatically created as role collections on the SAP BTP subaccount following a specific syntax or prefix. The role assignment is done afterwards.
2. Roles are directly assigned inside SAP Build Work Zone, using a dedicated API. This presents one of two REST APIs based on the System for Cross-domain Identity Management (SCIM 2.0) specification. The SCIM API is used to create a base SCIM user record alongside the SCIM groups representing the required roles from the source system. The default for using this API is the IPS with a dedicated connector available for these role assignments. As an alternative, the API can be connected to from any other external client.

What is new?

Administrators can now explore the role assignments that are provisioned by the Identity Provisioning service. The prerequisite is that you have configured the integration with the Identity Provisioning service and the status of the connector is Connected. It is available is all SAP Build Work Zone editions including SAP Start, SAP Build Work Zone, standard edition, SAP Build Work Zone, advanced edition and SAP SuccessFactors Work Zone.

This new capability is available in the site manager under Settings > Identity Provisioning screen as shown below.

This enhancement allows the administrator to explore all the roles that were assigned to specific users and provisioned by the Identity Provisioning service. The roles returned by the search include the content roles, which are also available in the Content Manager table, as well as assigned Derived roles and Composite roles which are not visible in the Content Manager table.

To search for users, one can either use email address or Global User ID to see role assignments. The table of role assignments contains the information as stated below.

Role ID: This is the role that is directly assigned to the content for example an app, group or catalog and to the site. The same role ID is also visible in the Content Manager table. To be able to view content in the site, the user must be assigned to this role directly or indirectly via derived/composite roles.

Composite/Derived role ID: Derived and Composite roles can be assigned to ABAP applications by the content provider. These roles are not visible in the Content Manager table. Composite roles combine several single roles into one menu. When a user is assigned to a composite role, they're indirectly assigned to multiple single roles. Derived roles are single roles that have inherited authorization characteristics from a “master” parent role.

Provider ID: The system ID of the remote content provider.

Provisioned on: The date when the role was first provisioned to SAP Build Work Zone. Note that this date doesn’t change when the role is updated.

Value proposition for SAP Build Work Zone administrators

This new enhancement of exploring role assignments provisioned by the Identity Provisioning service offers administrators a highly effective and user-friendly method for troubleshooting. It allows administrators to see what roles a user has been assigned to. The filter helps them explore the data that was previously hidden behind the scenes. This feature enables our Work Zone administrators to manage data more efficiently.

Learn more!

• Check out the roadmap for more information on new product features
• Learn more about SAP Build Work Zone on: sap.com & SAP Community
• Learning Journey and Certification: Implement and Administer SAP Build Work Zone | SAP Learning
• Discovery Center missions: standard & advanced edition
• Reference architectures: Cloud leading Identity Lifecycle / Cloud leading Identity Lifecycle Authorizations