Technology Blogs by SAP
harjeetjudge
Product and Topic Expert
You may have seen an option in SAP Build Work Zone, standard edition to connect Work Zone to SAP Cloud Identity Provisioning Service (IPS).  Did you ever wonder what this option was for and how it can be used when federating content from remote content providers into SAP Build Work Zone, standard edition?


When you click the Connect button it does a couple of things:

  1. It provisions an SAP Cloud Identity Provisioning tenant if you don't already have one.

  2. It adds target connectors in SAP Cloud Identity Provisioning Service that allow provisioning to SAP Build Work Zone, standard edition.


Once the connection is established, the screen shows a Connected status.



If you see an error or are stuck in the Connecting state, check that the prerequisites for this integration are met; they are documented in the help guide.  It may still be possible to proceed even if the screen shows an error message.  What the scenario actually requires is access to an SAP Cloud Identity Provisioning tenant in which SAP Build Work Zone, standard edition is available as a target system for provisioning.  If you have no such tenant, or that target system type is not offered in it, log a support ticket under the EP-WZ-PRV component.


To see how this integration can be used we need to set up a remote content provider for SAP Build Work Zone, standard edition.  For this blog, I am using SAP BTP ABAP Environment as the content provider, set up using the steps documented in this tutorial.  When adding the content provider in Work Zone, make sure the "Use the Identity Provisioning service to provision user authorizations" option is enabled.  This is not covered in the tutorial but is required for the scenario in this blog.  Make note of the ID (e.g. Tutorial) specified for your content provider; it is required later, as the cflp.providerId property, when setting up SAP Build Work Zone as a target system in SAP Cloud Identity Provisioning Service.


In my SAP BTP ABAP environment, I've exposed a few business roles to SAP BTP.  For example, the TRAINWORKZONE role is marked Exposed to SAP BTP.

The TRAINWORKZONE role has access to the Communication Management application.


The exposed roles show up in SAP Build Work Zone, standard edition and can be assigned to a site to give users access.  As you can see in the screenshot, besides the TRAINWORKZONE role I've exposed a few additional roles as well.  Each back-end role grants access to certain business apps for the users assigned that role in the back-end system.


What you will notice is that these roles are not visible as role collections in your SAP BTP subaccount, so there is no option to assign them to users through the BTP cockpit.  This is expected, because we enabled the "Use the Identity Provisioning service to provision user authorizations" option when adding the SAP BTP ABAP environment as a content provider in SAP Build Work Zone.  You may be wondering, then, how to control which applications users can see in the SAP Build Work Zone site.

To accomplish this we need to set up the Identity Provisioning service to read users and their role assignments from the SAP BTP ABAP environment and provision them to SAP Build Work Zone, standard edition.  The back-end ABAP system then stays the single source of truth for authorizations: users who access the Work Zone site see only the applications they are authorized to use in the ABAP environment, and there is no second place in Work Zone where extra access could be granted by hand.

Let's look at the process to do just that.

Prepare SAP BTP ABAP Environment for use with SAP Cloud Identity Provisioning Service

  1. Log into your SAP BTP ABAP Environment and search for Maintain Communication Users and access the application.

  2. Click New and create a new communication user.  Specify a User Name, Description, and Password.  Click Create.  This user exists only so that the Identity Provisioning service can call your system; its password is entered in IPS later as a Credential property, so keep it in your secret store rather than in a ticket or e-mail.

  3. Access Communication Systems.

  4. Click New and specify a System ID and System Name and click Create.

  5. Specify a value for Host Name that matches your IAS tenant hostname, e.g. xxxxxxx.accounts.ondemand.com

  6. Click + under Users for Inbound Communication.

  7. Select the Communication user created earlier and click OK.

  8. Save your Communication System.

  9. Access Communication Arrangements.

  10. Click New and choose the value help icon to open up the list of available communication scenarios.

  11. Search for SAP_COM_0193 and select it from the list.  This is the communication scenario for Identity Provisioning integration.

  12. Specify a name for the arrangement and click Create.

  13. Use the value help icon and select the Communication System created earlier.  The User Name for inbound communication should automatically populate.  Save your configuration.

  14. Make note of the API URL; it is required when setting up the SAP BTP ABAP environment as the source system in SAP Cloud Identity Provisioning Service.


Add BTP ABAP Environment as Source System in SAP Cloud Identity Provisioning Service

  1. Access your SAP Cloud Identity Services – Identity Provisioning (IPS) tenant.

  2. Click on Source Systems.

  3. Click Add.

  4. Specify the following and click Save:

    • Type: SAP BTP ABAP Environment

    • System Name: <name of your choice>



  5. Click Properties. You will see a list of pre-created properties.

  6. Click Add to add new properties.  Use the Standard option for non-sensitive properties and the Credential option for password fields, so that the value is not shown in clear text afterwards.

  7. Add the additional properties below and click Save. Take a look at the help guide for the complete list of properties that are possible with SAP BTP ABAP Environment as a source system.

    • Type: HTTP

    • ProxyType: Internet

    • URL: <API-URL copied from Communication Arrangement>

    • Authentication: BasicAuthentication

    • User: <Communication User created in SAP BTP ABAP Environment>

    • Password: <Communication User password>




Prepare SAP Build Work Zone for use with SAP Cloud Identity Provisioning Service




  1. Log into your SAP BTP Subaccount where you have a subscription to SAP Build Work Zone Standard Edition.

  2. Click Instances and Subscriptions and then click the Create button.

  3. Select SAP Build Work Zone, standard edition and choose standard instance plan.

  4. Choose your Space and specify an Instance Name.

  5. Click Next a couple of times and click Create.

  6. Select the newly created instance and click Create to create a new service key.

  7. Specify a Service Key Name and click Create.

  8. Click the key name.

  9. Make note of the following fields.  The client secret is the credential IPS will use to write users and groups into your Work Zone tenant, so copy it straight into the IPS Credential property and nowhere else:

    • endpoints.portal-service

    • uaa.clientid

    • uaa.clientsecret

    • uaa.url




Set up SAP Build Work Zone as Target System in SAP Cloud Identity Provisioning Service

  1. Access your SAP Cloud Identity Services – Identity Provisioning (IPS) tenant.

  2. Click the Target Systems icon and click Add.

  3. Specify the following and click Save:

    • Type: SAP Build Work Zone, standard edition

    • System Name: <name of your choice>

    • Source System: <your SAP BTP ABAP environment source system created earlier>



  4. Under Properties, add the additional properties below and click Save. Take a look at the help guide for the complete list of properties that are possible with SAP Build Work Zone, standard edition as a target system.



      • Type: HTTP

      • ProxyType: Internet

      • URL: <endpoints.portal-service copied earlier>

      • OAuth2TokenServiceURL: <uaa.url with /oauth/token appended>

      • Authentication: BasicAuthentication

      • User: <uaa.clientid>

      • Password: <uaa.clientsecret>

      • cflp.providerId: <ID of the content provider in Work Zone, e.g. Tutorial>
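As an added worked example (not part of the original post and not SAP's own tooling), the following Python script derives the Work Zone target-system properties above from a service key and runs a pre-flight check over both the source-system properties from the previous section and the target-system properties from this one before you paste them into IPS. The property names are the ones listed on this page and the service key field names are the ones the page tells you to copy; every sample value is constructed, and the checks themselves (https scheme, the /oauth/token suffix, stray whitespace from copy/paste, Password entered as a Credential property, cflp.providerId present) are the example's own rules, not validation that IPS performs.

```python
"""Pre-flight check for the IPS source/target property sets described on this page.

Added example, not SAP code.  Property names and service-key field names are
the ones listed on the page; sample values are constructed; the checks are
the example's own rules, not validation that IPS performs.
"""
import json
from urllib.parse import urlparse

# Constructed sample service key using the field names the page says to copy.
SAMPLE_SERVICE_KEY = json.dumps({
    "endpoints": {
        "portal-service": "https://portal-service.cfapps.example.hana.ondemand.com",
    },
    "uaa": {
        "clientid": "sb-portal-example!b1234|portal-example!b5678",
        "clientsecret": "example-client-secret-not-real",
        "url": "https://example.authentication.example.hana.ondemand.com",
    },
})

# Constructed sample source-system properties (SAP BTP ABAP Environment).
SAMPLE_SOURCE_PROPERTIES = {
    "Type": "HTTP",
    "ProxyType": "Internet",
    "URL": "https://example-abap.abap.example.hana.ondemand.com",  # API URL from the arrangement
    "Authentication": "BasicAuthentication",
    "User": "IPS_COMM_USER",  # communication user created for IPS
    "Password": "example-password-not-real",
}

REQUIRED = {
    "source": ["Type", "ProxyType", "URL", "Authentication", "User", "Password"],
    "target": ["Type", "ProxyType", "URL", "OAuth2TokenServiceURL",
               "Authentication", "User", "Password", "cflp.providerId"],
}
# Values that are secrets and must be entered with the Credential option.
SECRET_PROPERTIES = {"Password"}


def target_properties_from_service_key(key_json, provider_id):
    """Build the Work Zone target-system property set from a service key."""
    key = json.loads(key_json)
    return {
        "Type": "HTTP",
        "ProxyType": "Internet",
        "URL": key["endpoints"]["portal-service"],
        # uaa.url with /oauth/token appended, as the page instructs
        "OAuth2TokenServiceURL": key["uaa"]["url"].rstrip("/") + "/oauth/token",
        "Authentication": "BasicAuthentication",
        "User": key["uaa"]["clientid"],
        "Password": key["uaa"]["clientsecret"],
        "cflp.providerId": provider_id,
    }


def check_properties(props, kind, credential_names):
    """Return a list of findings; an empty list means the set passes.

    kind is "source" or "target".  credential_names holds the names of the
    properties that were added with the Credential option in the IPS UI.
    """
    findings = []
    for name in REQUIRED[kind]:
        if not props.get(name):
            findings.append(f"missing property {name}")
    for name, value in props.items():
        # Stray whitespace from copy/paste is a common cause of auth failures.
        if isinstance(value, str) and value != value.strip():
            findings.append(f"{name} has leading/trailing whitespace")
    for name in ("URL", "OAuth2TokenServiceURL"):
        value = props.get(name)
        if value and urlparse(value).scheme != "https":
            findings.append(f"{name} must use https, got {value!r}")
    token_url = props.get("OAuth2TokenServiceURL")
    if token_url and not token_url.endswith("/oauth/token"):
        findings.append("OAuth2TokenServiceURL must end with /oauth/token")
    for name in SECRET_PROPERTIES:
        if name in props and name not in credential_names:
            findings.append(f"{name} must be a Credential property, not Standard")
    if props.get("Type") != "HTTP" or props.get("ProxyType") != "Internet":
        findings.append("Type must be HTTP and ProxyType must be Internet")
    if props.get("Authentication") != "BasicAuthentication":
        findings.append("Authentication must be BasicAuthentication")
    return findings


if __name__ == "__main__":
    target = target_properties_from_service_key(SAMPLE_SERVICE_KEY, "Tutorial")
    for kind, props in (("source", SAMPLE_SOURCE_PROPERTIES), ("target", target)):
        result = check_properties(props, kind, {"Password"})
        print(kind, "OK" if not result else result)
    # Typical mistake: uaa.url pasted as-is without the /oauth/token suffix.
    broken = dict(target, OAuth2TokenServiceURL=json.loads(SAMPLE_SERVICE_KEY)["uaa"]["url"])
    print("broken target", check_properties(broken, "target", {"Password"}))
```

Run it against the real service key (read from a file rather than pasted into the script) and your own content provider ID; anything it reports corresponds to a property that will make the IPS job fail or, in the case of a Standard-typed Password, leave the client secret readable to every IPS administrator.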






Run the provisioning job

  1. Access your SAP Cloud Identity Services – Identity Provisioning (IPS) tenant.

  2. Click the Source Systems icon.

  3. Select the SAP BTP ABAP environment source system created earlier.

  4. Under Jobs, click Run Now for the Read Job.

  5. Go to Identity Provisioning >> Job Logs and select the job.  Confirm that it completed successfully and provisioned both users and groups to SAP Build Work Zone.  If the log shows only User entities and no Group entities, the role assignments have not been transferred and users will see no content in the site; fix that before troubleshooting anything on the Work Zone side.


Note that SAP Build Work Zone, standard edition has no user interface to show the users and groups provisioned by SAP Cloud Identity Provisioning Service, so the IPS job log is the place to verify what was written.

When a user accesses the SAP Build Work Zone site, they should see only the applications they are authorized to use in the SAP BTP ABAP environment.  In my screenshot below, I authenticated as a user assigned the TRAINWORKZONE role in the ABAP environment.  They see only the apps exposed to users assigned the Communication Management business catalog.  Any changes to authorizations made in the back-end ABAP environment are reflected in SAP Build Work Zone the next time the provisioning job runs.  The job can be scheduled to run periodically; the schedule interval is then the longest time a revoked back-end authorization can remain visible in Work Zone.



Enjoy!
9 Comments
florianbus
Contributor
Hi Harjeet, great blog to follow along! Thank you.

Maybe you have a solution for the following case...

 

S/4OP - IPS - Work Zone standard (used for content federation).  Now the transformation from the S4OP target system does not contain the groups, just the users.  I wonder how I can achieve the retrieval of the groups in order to get the LP content shown.  Any suggestions?

 

Best Regards,

Florian
harjeetjudge
Product and Topic Expert
It's likely because the Cloud Connector setup doesn't expose PRGN_ROLE_GETLIST resource.  Check your RFC system in the Cloud connector and add the function to the allow list.
florianbus
Contributor
Thanks Harjeet, I missed that one.
gyang001
Explorer
Hi Harjeet

 

I have set up S/4OP ->IPS ->BWZ Standard Edition user/role sync but when I logon build workzone site with test user, no catalogs/pages/spaces are presented.

When I initially set it up it was working for about 1 week; after I made some backend changes to the role and user and reran the provisioning job, it did not update (skipped) the user/group in BWZ.  I took out the transformation script which skips the update and reran the provisioning job, then the update failed - yes, I know in your help page it says update is not supported, only delete and create.

      "skipOperations": [
        "update"
      ],

OK, then I tried to work out how to delete the user in BWZ and recreate it.  I deleted the user in S/4HANA OP, end-dated it, and reran the read/re-sync job in IPS; nothing got reported in the job log.

With nothing else to try, I then deleted the content provider in BWZ and recreated it.  I observed that each time I do this, the first read/re-sync job in IPS succeeds.  But even after that, when I log on to the Build Work Zone site with the test user, no catalogs/pages/spaces are presented.

And as you said there is nowhere I can see user and roles assignment in Build Work Zone standard edition to troubleshoot any further myself.

I am basically stuck at the moment, please help if you can.  I am also keen to understand how this whole solution should work in reality when there will be frequent user->role assignment changes and app->role assignment changes in the backend, if "officially" the update function is not supported by the IPS->BWZ integration.




Many Thanks
Gavin
harjeetjudge
Product and Topic Expert
Please contact me directly via email.
apranic
Discoverer
Hi,
This same situation has occurred for me also - the source is SAP application server ABAP and the target is Build Work Zone standard.  I can see my user in the backend ABAP system with the exposed Work Zone role, but it is skipping the user.  Did you manage to resolve this?
Ta
Anita

harjeetjudge
Product and Topic Expert
I ran some quick tests and don't see the same thing.  I tried adding/removing a user to/from a role in my content provider (BTP ABAP Cloud system in my case) and see the appropriate applications based on the role in the backend.  A few things to keep in mind:

  1. In Work Zone it takes a few minutes for changes done in the content provider to be reflected.  Make sure to click Refresh on the content provider in Work Zone and check the Content Manager to confirm the role is updated to show the correct apps.

  2. The Identity Provisioning job correctly updates the groups even though user updates are skipped.  In Work Zone standard we really just need the groups to be updated, and any user added to/removed from the role in the content provider should be appropriately reflected with this group update.

  3. When testing, check the site home page to make sure all the apps exposed by the role are visible on the home page.  You may need to edit the home page settings in Work Zone as an end user and add the tiles.


Hope this helps.

Harjeet
apranic
Discoverer
Thanks for the reply Harjeet, but after checking your points above: while the user is created with the source as ABAP and the target as Work Zone, the role that is assigned to the user does not seem to get assigned in Work Zone (I get the error "Cannot find a space assigned to you").

I don't actually even see Group entities in the provisioning job log, just User entities.

Anyhow any advice will be much appreciated as I am a bit stuck at the moment!

ta
Anita
Nizaar_Thierens
Newcomer

Have you mapped the roles to the groups as mentioned here --> SAP Build Work Zone, standard edition | SAP Help Portal

I always assumed that was needed, but reading this blog I am now doubting how backend role assignment is being exposed to BuildWorkZone.