Disclaimer: The insights shared in this blog are based on my personal observations and learning. They may not apply universally, and I encourage readers to conduct their own research and make an informed decision before using this content for productive use.
In the previous part of this series, we demonstrated how to build and deploy custom Joule Skills and integrate them into SAP Build Work Zone sites. However, a critical aspect of deploying these skills in a real-world environment is access control deciding who can use your custom skills and how to share them securely.
By default, only users who are explicitly granted Execute or Admin access in the shared environment can consume your deployed Joule Skills. If other users attempt to interact with the skill, they receive a generic fallback response from Joule, which doesn’t reflect the actual skill functionality.
Let’s walk through how to share your Joule Skills securely and effectively using SAP Build and SAP Cloud Identity Services.
Understanding the Access Control Behaviour
SAP Build’s environment sharing works as follows:
You can share a project with up to 10 user groups or 5 individual users.You cannot mix individual users and groups; if you do, only groups will be considered.The access types available are:Execute – Allows users to use the deployed skillAdmin – Full access to manage the environment
Option 1: Open Access for Everyone
If your use case allows, you can make the skill available to all users within your organization:
Go to the shared environment in SAP Build.Click on Share → Set General Access to Everyone with access: Execute.
This method makes the skill available to all users with access to the environment. Use with caution if the skill exposes sensitive operations or data.
Option 2: Controlled Access Using User Groups
For better governance and security, use user groups from your Cloud Identity Services (CIS) tenant:
Create a User Group in your IAS (Cloud Identity) tenant.
Assign the required users to this group (those who should have access to the skill).
In SAP Build, open the shared environment of your custom Joule Skill.
Click Share, set Type to User Group, and enter the exact name of the group you created in IAS.Set the appropriate authorization (Execute or Admin).
Refresh & Redeploy Access
Once you’ve shared with user groups:
Navigate to the Joule tab inside the environment.Click Refresh.
You’ll see a message: “Please redeploy the capability to refresh their access right.”Click on “Click here to redeploy” to apply the new access configuration.
It may take a few minutes for the redeployment to complete. Use Refresh to monitor the status.
Final Verification
After successful redeployment:
The Launch button will become active again.
Users assigned to the user group can now consume the Joule Skill from the Work Zone site.If any user still doesn’t see the expected response, try:Clearing browser cookiesUsing incognito/private mode for a fresh session
When users click Open from the response message, they will be directed to the associated application screen (if configured).
Conclusion
Access management is a vital step in rolling out custom Joule Skills at scale. Whether you want to expose your skill to all users or control access via user groups, SAP Build offers the flexibility to do both. Properly sharing and redeploying your skill ensures the right people get the right experience and keeps your environment secure and manageable.
Disclaimer: The insights shared in this blog are based on my personal observations and learning. They may not apply universally, and I encourage readers to conduct their own research and make an informed decision before using this content for productive use.In the previous part of this series, we demonstrated how to build and deploy custom Joule Skills and integrate them into SAP Build Work Zone sites. However, a critical aspect of deploying these skills in a real-world environment is access control deciding who can use your custom skills and how to share them securely.By default, only users who are explicitly granted Execute or Admin access in the shared environment can consume your deployed Joule Skills. If other users attempt to interact with the skill, they receive a generic fallback response from Joule, which doesn’t reflect the actual skill functionality. Let’s walk through how to share your Joule Skills securely and effectively using SAP Build and SAP Cloud Identity Services.Understanding the Access Control BehaviourSAP Build’s environment sharing works as follows:You can share a project with up to 10 user groups or 5 individual users.You cannot mix individual users and groups; if you do, only groups will be considered.The access types available are:Execute – Allows users to use the deployed skillAdmin – Full access to manage the environmentOption 1: Open Access for EveryoneIf your use case allows, you can make the skill available to all users within your organization:Go to the shared environment in SAP Build.Click on Share → Set General Access to Everyone with access: Execute. This method makes the skill available to all users with access to the environment. Use with caution if the skill exposes sensitive operations or data.Option 2: Controlled Access Using User GroupsFor better governance and security, use user groups from your Cloud Identity Services (CIS) tenant:Create a User Group in your IAS (Cloud Identity) tenant. Assign the required users to this group (those who should have access to the skill). In SAP Build, open the shared environment of your custom Joule Skill. Click Share, set Type to User Group, and enter the exact name of the group you created in IAS.Set the appropriate authorization (Execute or Admin). Refresh & Redeploy AccessOnce you’ve shared with user groups:Navigate to the Joule tab inside the environment.Click Refresh. You’ll see a message: “Please redeploy the capability to refresh their access right.”Click on “Click here to redeploy” to apply the new access configuration. It may take a few minutes for the redeployment to complete. Use Refresh to monitor the status. Final VerificationAfter successful redeployment:The Launch button will become active again. Users assigned to the user group can now consume the Joule Skill from the Work Zone site.If any user still doesn’t see the expected response, try:Clearing browser cookiesUsing incognito/private mode for a fresh session When users click Open from the response message, they will be directed to the associated application screen (if configured). ConclusionAccess management is a vital step in rolling out custom Joule Skills at scale. Whether you want to expose your skill to all users or control access via user groups, SAP Build offers the flexibility to do both. Properly sharing and redeploying your skill ensures the right people get the right experience and keeps your environment secure and manageable. Read More Technology Blog Posts by SAP articles
#SAP
#SAPTechnologyblog
