
WorkZone Administration Console Access denied

Misaljevic
Discoverer

Hi experts,

I am currently working on a WorkZone PoC.

I followed the onboarding documentation
https://help.sap.com/docs/WZ/b03c84105ff74f809631e494bd612e83/f8c6eab5b9c8437f9367271863ac90eb.html?...

and also crosschecked the blog

https://blogs.sap.com/2021/03/30/enhance-the-digital-workplace-experience-using-sap-work-zone-setup-...

Within the IAS the groups are created and also my user is within the Workzone_Admin group:

The IPS source system (IAS) job is also running without errors:

I can access the WorkZone and everything seems OK, but I am not getting access to the Administration Console (missing in the User Menu and Access denied when accessing from the App Finder):

I am out of ideas, what could be wrong?

Thank you!

Sakib

patrickwenger
Participant
0 Kudos

In case you are still interested: The first user that is authenticated by Work Zone gets administration permissions by default. You may want to ask your admin if they happen to authenticate to Work Zone. However, there is another way to set up administration permissions. You can use the SCIM API. You can only use one of the two. There is a switch in the administration cockpit where you can decide whether to set the rights manually or by SCIM.

regards,

Patrick

mattredfig
Participant

Hi - I had this same problem and after hours of troubleshooting I figured out what was wrong.

It seems that the Transformation added by default to the Work Zone Target System in the Identity Provisioning Service for Administrator role was incorrect. It came in as:

{
   "condition": "$.groups[?(@.value == 'Workzone_Admin')] EMPTY false",
   "constant": "Administrator",
   "targetPath": "$.roles[0].value"
}

But in the documentation florian.buech provided, it shows it should be:

{
   "condition": "$.groups[?(@.display == 'Workzone_Admin')] EMPTY false",
   "constant": "Administrator",
   "targetPath": "$.roles[0].value"
}

Which I assume would work... except that the default Source System (IAS idp) outbound transformation includes:

{
   "targetPath": "$.groups[*].display",
   "type": "remove"
},

I'm not 100% familiar with the mapping syntax, but it seems clear this would remove the `display` value from `groups` on the way out of the Source System (IAS), meaning the Target System (WZ) cannot read and react to it as expected.

So I went back to the Target System (Work Zone) and set the condition for `value` equal to the UUID of the Group (found in the `Users & Authorizations -> User Groups` path in IAS cockpit under property `Group ID`), which fixed it, finally:

{
   "condition": "$.groups[?(@.value == '<Group ID UUID>')] EMPTY false",
   "constant": "Administrator",
   "targetPath": "$.roles[0].value"
}

I really think SAP should fix either the defaults in the IPS or at the very least mention this in the documentation for Work Zone onboarding.

mattredfig
Participant
0 Kudos

FYI - this might require a subsequent Source System `RESYNC` job from the IPS. I'm not 100% clear yet on the delineation between assertion vs. propagation of users & attributes with IPS.

Janek_Niefeldt
Explorer
0 Kudos
Excellent find. I was running into the same issue and "hard-coded" usernames into the target mapping. Your solution solved this issue... (It is 2024 now and SAP still did not update their documentation... oh well...)
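
The mismatch described in mattredfig's answer can be reproduced with a small model of the two transformations. This Python sketch is an added example, not SAP code or code from any post in this thread; it is a simplified stand-in for the IPS transformation engine, and the function names, sample user and Group ID are constructed assumptions.

```python
import copy

# Constructed sample: a user as read from the source system (IAS), with one group.
# The UUID is a made-up placeholder, not a real Group ID.
GROUP_ID = "00000000-0000-0000-0000-000000000001"
IAS_USER = {
    "userName": "admin.candidate",
    "groups": [{"value": GROUP_ID, "display": "Workzone_Admin"}],
}

def source_outbound(user):
    """Model of the source system's 'remove' on $.groups[*].display."""
    out = copy.deepcopy(user)
    for group in out.get("groups", []):
        group.pop("display", None)
    return out

def condition_holds(user, attr, expected):
    """Model of: $.groups[?(@.<attr> == '<expected>')] EMPTY false."""
    return any(g.get(attr) == expected for g in user.get("groups", []))

def target_roles(user, attr, expected):
    """Model of the target mapping: constant 'Administrator' if the condition holds."""
    return ["Administrator"] if condition_holds(user, attr, expected) else []

def evaluate_all(user=IAS_USER):
    """Run the three conditions from the thread on what the target actually receives."""
    received = source_outbound(user)
    return {
        "value == group name (default)": target_roles(received, "value", "Workzone_Admin"),
        "display == group name (docs)": target_roles(received, "display", "Workzone_Admin"),
        "value == Group ID (fix)": target_roles(received, "value", GROUP_ID),
    }

if __name__ == "__main__":
    for label, roles in evaluate_all().items():
        print(f"{label:32} -> {roles or 'no role assigned'}")
```

Only the third condition yields the `Administrator` role. The first two fail silently, which matches the symptom in the question: the provisioning job reports no errors, yet the admin role is never assigned.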