
WorkZone Administration Console Access denied

Misaljevic
Discoverer

Hi experts,

I am currently working on a WorkZone PoC.

I followed the onboarding documentation
https://help.sap.com/docs/WZ/b03c84105ff74f809631e494bd612e83/f8c6eab5b9c8437f9367271863ac90eb.html?...

and also crosschecked the blog

https://blogs.sap.com/2021/03/30/enhance-the-digital-workplace-experience-using-sap-work-zone-setup-...

Within IAS the groups are created, and my user is also a member of the Workzone_Admin group:

The IPS source system (IAS) job is also running without errors:

I can access WorkZone and everything seems OK, but I am not getting access to the Administration Console
(it is missing in the user menu, and I get "Access denied" when opening it from the App Finder):

I am out of ideas, what could be wrong?

Thank you!

Sakib

Accepted Solutions (1)


florian_buech
Product and Topic Expert

Thank you for posting this question with a lot of details! This issue is very likely caused by a missing attribute on the SAP Work Zone side (provisioned via the SCIM API / IPS), as outlined here: SCIM Provisioning | SAP Help Portal

It is either that, or the user type being set to public (= external user) instead of employee (internal user); only internal users can become admins, and this is controlled via the profile attribute.

Answers (2)


mattredfig
Participant

Hi, I had this same problem, and after hours of troubleshooting I figured out what was wrong.

It seems that the transformation added by default to the Work Zone target system in the Identity Provisioning Service for the Administrator role was incorrect. It came in as:

{
   "condition": "$.groups[?(@.value == 'Workzone_Admin')] EMPTY false",
   "constant": "Administrator",
   "targetPath": "$.roles[0].value"
}

But in the documentation florian.buech provided, it shows it should be:

{
   "condition": "$.groups[?(@.display == 'Workzone_Admin')] EMPTY false",
   "constant": "Administrator",
   "targetPath": "$.roles[0].value"
}

Which I assume would work, except that the default source system (IAS IdP) outbound transformation includes:

{
   "targetPath": "$.groups[*].display",
   "type": "remove"
},

I'm not 100% familiar with the mapping syntax, but it seems clear this would remove the `display` value from `groups` on the way out of the source system (IAS), meaning the target system (WZ) cannot read and react to it as expected.

So I went back to the target system (Work Zone) and set the condition on `value` equal to the UUID of the group (found in the IAS cockpit under `Users & Authorizations -> User Groups`, property `Group ID`), which finally fixed it:

{
   "condition": "$.groups[?(@.value == '<Group ID UUID>')] EMPTY false",
   "constant": "Administrator",
   "targetPath": "$.roles[0].value"
}

I really think SAP should fix either the defaults in the IPS or at the very least mention this in the documentation for Work Zone onboarding.
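To make the failure mode in the answer above concrete, here is an added example that is not part of the original thread or of SAP's IPS: a small Python simulation of how the source-system `remove` rule and the target-system condition interact. It assumes the semantics implied by the thread (`EMPTY false` means "the JSONPath filter must match at least one element", `$.groups[*].display` / `remove` strips `display` from every group on the way out of IAS), and uses a constructed SCIM user with hypothetical group and user UUIDs. It is not the real IPS transformation engine, only enough of its behaviour to show why the display-based condition can never match once `display` has been removed, while the value-based (Group ID) condition still does.

```python
import copy
import re

# Constructed SCIM user as IAS would expose it; all UUIDs are made up for this example.
SAMPLE_USER = {
    "userName": "sakib",
    "userType": "employee",
    "groups": [
        {"value": "4f6e8d2a-1111-2222-3333-444455556666", "display": "Workzone_Admin"},
        {"value": "9a1b2c3d-aaaa-bbbb-cccc-ddddeeeeffff", "display": "Workzone_Users"},
    ],
    "urn:ietf:params:scim:schemas:extension:sap:2.0:User": {
        "userUuid": "0b1c2d3e-0000-1111-2222-333344445555"
    },
}

# The default IAS source-system outbound rule quoted in the thread.
SOURCE_REMOVE_DISPLAY = {"targetPath": "$.groups[*].display", "type": "remove"}


def apply_source_transformation(user, rule):
    """Simulate an IPS 'remove' of $.groups[*].<attr>: drop that attribute from every group."""
    m = re.fullmatch(r"\$\.groups\[\*\]\.(\w+)", rule["targetPath"])
    if rule.get("type") != "remove" or not m:
        raise ValueError("only '$.groups[*].<attr>' remove rules are simulated here")
    out = copy.deepcopy(user)
    for group in out.get("groups", []):
        group.pop(m.group(1), None)
    return out


# Two condition shapes seen in the thread (simulated, not the real IPS grammar):
#   $.groups[?(@.<attr> == '<value>')] EMPTY false|true
#   $['<schema urn>']['<attr>'] == '<value>'
GROUP_FILTER = re.compile(r"\$\.groups\[\?\(@\.(\w+) == '([^']*)'\)\] EMPTY (true|false)")
EXT_ATTR = re.compile(r"\$\['([^']+)'\]\['(\w+)'\] == '([^']*)'")


def condition_holds(user, condition):
    """Evaluate a target-system condition against one SCIM user document."""
    m = GROUP_FILTER.fullmatch(condition)
    if m:
        attr, wanted, empty = m.groups()
        matches = [g for g in user.get("groups", []) if g.get(attr) == wanted]
        # "EMPTY false" requires at least one match; "EMPTY true" requires none.
        return (len(matches) == 0) == (empty == "true")
    m = EXT_ATTR.fullmatch(condition)
    if m:
        schema, attr, wanted = m.groups()
        return user.get(schema, {}).get(attr) == wanted
    raise ValueError(f"unsupported condition: {condition}")


def assign_roles(user, target_rules):
    """Collect the 'constant' of every rule whose condition holds (targetPath is not modelled)."""
    return [rule["constant"] for rule in target_rules if condition_holds(user, rule["condition"])]


def make_rule(condition):
    return {"condition": condition, "constant": "Administrator", "targetPath": "$.roles[0].value"}


def demo():
    """Run the thread's three conditions before and after the source-system remove rule."""
    provisioned = apply_source_transformation(SAMPLE_USER, SOURCE_REMOVE_DISPLAY)
    by_display = make_rule("$.groups[?(@.display == 'Workzone_Admin')] EMPTY false")
    default_rule = make_rule("$.groups[?(@.value == 'Workzone_Admin')] EMPTY false")
    by_group_id = make_rule(
        "$.groups[?(@.value == '4f6e8d2a-1111-2222-3333-444455556666')] EMPTY false")
    by_user_uuid = make_rule(
        "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid'] "
        "== '0b1c2d3e-0000-1111-2222-333344445555'")
    return {
        "display_before_remove": assign_roles(SAMPLE_USER, [by_display]),
        "display_after_remove": assign_roles(provisioned, [by_display]),
        "default_value_literal": assign_roles(provisioned, [default_rule]),
        "group_id_after_remove": assign_roles(provisioned, [by_group_id]),
        "user_uuid_after_remove": assign_roles(provisioned, [by_user_uuid]),
    }


if __name__ == "__main__":
    for name, roles in demo().items():
        print(f"{name}: {roles}")
```

Running `demo()` shows the display-based condition granting Administrator only on the raw IAS document, never on the document the source system actually emits, while the default rule (comparing `value` to the literal `Workzone_Admin`) never matches at all; only the Group ID and userUuid conditions survive the `remove`. The practical check is therefore: dump the user as it leaves the source system (not as it sits in IAS) and confirm the attribute your admin condition relies on is still present.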

mattredfig
Participant

FYI, this might require a subsequent source system `RESYNC` job from the IPS. I'm not 100% clear yet on the delineation between assertion vs. propagation of users and attributes with IPS.

Janek_Niefeldt
Explorer
Excellent find. I was running into the same issue and "hard-coded" usernames into the target mapping. Your solution solved this issue... (It is 2024 now and SAP still has not updated their documentation... oh well...)
Misaljevic
Discoverer

Thank you for the answer.

After adding the following part to the target system transformation, access to the Admin Console was granted:

{
   "condition": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid'] == 'My USER UUID",
   "constant": "Administrator",
   "targetPath": "$.roles[0].value"
}

former_member189842
Participant

Thanks, this helped, but it has a typo (the closing quote after the UUID is missing):

{
   "condition": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid'] == 'My USER UUID'",
   "constant": "Administrator",
   "targetPath": "$.roles[0].value"
}