Global User ID in SAP Build Work Zone

Global User ID in SAP Build Work Zone
Estimated read time 11 min read

The Global User ID (userUUID) plays a important role in integration scenarios, acting as a consistent user identifier across system landscapes. This is especially important for scenarios like API-based notification services, where a common identifier ensures seamless data flow and user correlation.

There are two approaches for implementing the Global User ID, but we recommend the first of the two:

Approach 1:

Use SAP Cloud Identity Services – Identity Authentication and Identity Provisioning to generate and distribute Global User ID. In this case, the attribute is automatically generated by Identity Authentication at user creation. Its value is populated in the Global User ID field for every newly created, imported or provisioned user. After that, Identity Provisioning distributes it to various SAP applications.

Approach 2:

Use your own value for Global User ID and distribute it to SAP applications with SAP Cloud Identity Services. In this case the Identity Authentication is used as a user store, it receives the value in the Global User ID field for every newly created, imported or provisioned user. After that, Identity Provisioning distributes it to various SAP applications. Because the Global User ID field cannot be empty, if you do not provide a value for Global User ID, Identity Authentication generates one for your users. When distributing your own value without SAP Cloud Identity Services, you use your existing identity management processes to provision it to SAP applications (see  the dotted line in the diagram below).

 

Prerequisites and usage

Users must have Identity Authentication and Identity Provisioning configured in their landscape.The Global User ID identifier is immutable and unique across technology layers such as user interfaces, APIs, and security tokens, as well as across products and lines of business.It is recommended to use the Global User ID of SAP Cloud Identity Services – Identity Authentication as the federation identifier.Identity Authentication hosts the Global User ID while Identity Provisioning provisions the Global User ID to other systems in the user’s landscape.

 

How to leverage Global ID in SAP Build Work Zone

Provisioning the Global User ID

First, the Global ID is provisioned to SAP Build Work Zone via SCIM API, and consequently transferred to SAP Build Work Zone, as to any other SAP solution, via Identity Provisioning. This applies to both:

Role-mapping for content providers within SAP Build Work Zone, all editions as an alternative to role collection-based mapping. See here for more details.Digital Workplace Service (DWS) persistence layer specific to SAP Build Work Zone, advanced edition and SAP SuccessFactors Work Zone. This process is part of the Work Zone onboarding. More details about this can be found here.

The Global User ID is transferred (in both scenarios) via the target system transformation / mapping in Identity Provisioning. Using the provided (default) transformation from the SAP Build Work Zone help guide will ensure the attribute is provisioned as required. You will need to verify that the Identity Provisioning source system (for example Cloud Identity) has the Global User ID available.

For example, SAP Build Work Zone, advanced edition target system:

 

Trust Setup and Subject Name Identifier

It is recommended to use the Global User ID as the subject name identifier for the trust setup – for both the BTP Subaccount level and direct trust with SAP Build Work Zone. If you want to learn more about the direct OpenID Connect-based trust setup, please see the following blog.

Depending on the configuration of the ‘JAM’ destination, specifically the userIdSource property, it will also require the Global User ID in additional fields – specifically the SCIM.userName. To learn more about the authentication flow and corresponding field usage, please see here.

 

Verify Global User ID information in SAP Build Work Zone (advanced)

To verify the Global ID is properly created in the SAP Build Work Zone, advanced edition / SAP SuccessFactors Work Zone, you can check the users using and directly modifying when needed, the SCIM API. This is the same API also utilized by Identity Provisioning (Work Zone target system). When using the API, you can find the Global User ID stored in a dedicated field in the SCIM user record:

For more details related to the SCIM API of advanced edition, how to connect to it, and more, please see the dedicated section in the help guide.

Finally, you can run a report in SAP Build Work Zone administration console by selecting the Company User Detail report (for both internal and external users). This will provide you with the list of all users provisioned to the system and the user values for SCIM.userName, SCIM.id (and others) which can be used as filters / parameters in the SCIM API. Note that in the report the User ID refers to the SCIM.userName and the Uuid refers to SCIM.id.

 

Use Cases

Global User ID plays an important role in SAP Build Work Zone, especially in integration scenarios. For instance, in SAP Task Center, the Global User ID functions as a correlation attribute, linking user identities across different systems. This ensures that tasks from multiple systems can be reliably associated with the same user, enabling a unified task management experience. The integration with the Central Notification Service, which allows Work Zone users to access notifications from various systems, also requires the Global User ID mapping.

Details on this integration setup can be found here (for Task Center) & here (for Notifications).

Another worth mentioning use case is Guided Experiences, where the Global User ID is needed to communicate between SAP Business Technology Platform (BTP)SAP Build Process Automation (SBPA), and SAP Build Work Zone. This is instrumental for the UI Wizard in SAP Build Work Zone to retrieve and utilise processes created in SBPA, streamlining workflows and ensuring smooth integration across systems.

Lastly, when creating UI integration cards, the Global User ID is also provided / exposed as user context and can be referenced by the developer of the UI Cards. More details on this built-in card context is available in the SAP-samples GitHub repository:

 

For more info please check:

Help Guide: https://help.sap.com/docs/build-work-zone-advanced-edition/sap-build-work-zone-advanced-edition/run-configurator

Learning Journey & Certification: https://learning.sap.com/learning-journeys/implement-and-administer-sap-build-work-zone/explaining-the-authentication-flow-of-sap-build-work-zone

 

 

 

 

​ The Global User ID (userUUID) plays a important role in integration scenarios, acting as a consistent user identifier across system landscapes. This is especially important for scenarios like API-based notification services, where a common identifier ensures seamless data flow and user correlation.There are two approaches for implementing the Global User ID, but we recommend the first of the two:Approach 1:Use SAP Cloud Identity Services – Identity Authentication and Identity Provisioning to generate and distribute Global User ID. In this case, the attribute is automatically generated by Identity Authentication at user creation. Its value is populated in the Global User ID field for every newly created, imported or provisioned user. After that, Identity Provisioning distributes it to various SAP applications.Approach 2:Use your own value for Global User ID and distribute it to SAP applications with SAP Cloud Identity Services. In this case the Identity Authentication is used as a user store, it receives the value in the Global User ID field for every newly created, imported or provisioned user. After that, Identity Provisioning distributes it to various SAP applications. Because the Global User ID field cannot be empty, if you do not provide a value for Global User ID, Identity Authentication generates one for your users. When distributing your own value without SAP Cloud Identity Services, you use your existing identity management processes to provision it to SAP applications (see  the dotted line in the diagram below). Prerequisites and usageUsers must have Identity Authentication and Identity Provisioning configured in their landscape.The Global User ID identifier is immutable and unique across technology layers such as user interfaces, APIs, and security tokens, as well as across products and lines of business.It is recommended to use the Global User ID of SAP Cloud Identity Services – Identity Authentication as the federation identifier.Identity Authentication hosts the Global User ID while Identity Provisioning provisions the Global User ID to other systems in the user’s landscape. How to leverage Global ID in SAP Build Work ZoneProvisioning the Global User IDFirst, the Global ID is provisioned to SAP Build Work Zone via SCIM API, and consequently transferred to SAP Build Work Zone, as to any other SAP solution, via Identity Provisioning. This applies to both:Role-mapping for content providers within SAP Build Work Zone, all editions as an alternative to role collection-based mapping. See here for more details.Digital Workplace Service (DWS) persistence layer specific to SAP Build Work Zone, advanced edition and SAP SuccessFactors Work Zone. This process is part of the Work Zone onboarding. More details about this can be found here.The Global User ID is transferred (in both scenarios) via the target system transformation / mapping in Identity Provisioning. Using the provided (default) transformation from the SAP Build Work Zone help guide will ensure the attribute is provisioned as required. You will need to verify that the Identity Provisioning source system (for example Cloud Identity) has the Global User ID available.For example, SAP Build Work Zone, advanced edition target system: Trust Setup and Subject Name IdentifierIt is recommended to use the Global User ID as the subject name identifier for the trust setup – for both the BTP Subaccount level and direct trust with SAP Build Work Zone. If you want to learn more about the direct OpenID Connect-based trust setup, please see the following blog.Depending on the configuration of the ‘JAM’ destination, specifically the userIdSource property, it will also require the Global User ID in additional fields – specifically the SCIM.userName. To learn more about the authentication flow and corresponding field usage, please see here. Verify Global User ID information in SAP Build Work Zone (advanced)To verify the Global ID is properly created in the SAP Build Work Zone, advanced edition / SAP SuccessFactors Work Zone, you can check the users using and directly modifying when needed, the SCIM API. This is the same API also utilized by Identity Provisioning (Work Zone target system). When using the API, you can find the Global User ID stored in a dedicated field in the SCIM user record:For more details related to the SCIM API of advanced edition, how to connect to it, and more, please see the dedicated section in the help guide.Finally, you can run a report in SAP Build Work Zone administration console by selecting the Company User Detail report (for both internal and external users). This will provide you with the list of all users provisioned to the system and the user values for SCIM.userName, SCIM.id (and others) which can be used as filters / parameters in the SCIM API. Note that in the report the User ID refers to the SCIM.userName and the Uuid refers to SCIM.id. Use CasesGlobal User ID plays an important role in SAP Build Work Zone, especially in integration scenarios. For instance, in SAP Task Center, the Global User ID functions as a correlation attribute, linking user identities across different systems. This ensures that tasks from multiple systems can be reliably associated with the same user, enabling a unified task management experience. The integration with the Central Notification Service, which allows Work Zone users to access notifications from various systems, also requires the Global User ID mapping.Details on this integration setup can be found here (for Task Center) & here (for Notifications).Another worth mentioning use case is Guided Experiences, where the Global User ID is needed to communicate between SAP Business Technology Platform (BTP), SAP Build Process Automation (SBPA), and SAP Build Work Zone. This is instrumental for the UI Wizard in SAP Build Work Zone to retrieve and utilise processes created in SBPA, streamlining workflows and ensuring smooth integration across systems.Lastly, when creating UI integration cards, the Global User ID is also provided / exposed as user context and can be referenced by the developer of the UI Cards. More details on this built-in card context is available in the SAP-samples GitHub repository: For more info please check:Help Guide: https://help.sap.com/docs/build-work-zone-advanced-edition/sap-build-work-zone-advanced-edition/run-configuratorLearning Journey & Certification: https://learning.sap.com/learning-journeys/implement-and-administer-sap-build-work-zone/explaining-the-authentication-flow-of-sap-build-work-zone      Read More Technology Blogs by SAP articles 

#SAP

#SAPTechnologyblog

Avatar for

You May Also Like

More From Author