What Is SAP Work Zone, Standard Edition?

SAP Build Work Zone, standard edition enables you to create a role-based central entry point for users to access business applications and services across the organization.

As an example, the figure shows the SAP Build Work Zone, standard edition home screen with the menu, integration to recent activities, frequently used apps, manufacturing apps, and analytics apps. Note how various applications and services are integrated and arranged for easy access.

It provides role-based access and enables access to different SAP and third-party solutions in the cloud and on-premise such as SAP Analytics Cloud, SAP SuccessFactors, SAP S/4HANA, SAP S/HANA Cloud, SAP Business Suite, SAP Enterprise Portal, SAP BTP, and other SAP, custom, and third-party applications. By doing so, SAP Build Work Zone, standard edition creates a harmonized UX across a heterogenous landscape. Standard applications from various SAP solutions and side-by-side custom SAPUI5 applications and extensions hosted on SAP BTP can all be accessed through SAP Build Work Zone, standard edition. Furthermore, services for managing tasks and approvals, accessing notifications, and searching will be integrated into SAP Build Work Zone, standard edition, allowing business users to gain an easy overview of their work across multiple solutions.

The next figure shows the different parts of SAP Build Work Zone, standard edition:

1. Navigation menu: Access remote and local pages organized logically based on user roles.
2. Flexible page builder: Embed to-dos and insight cards from SAP Start.
3. Applications and tiles section: Embed all the applications connected to a work zone.
4. Integration with cloud and on-premise systems: Render content and applications from multiple cloud and on-premise systems using out-of-the-box templates.
5. Custom apps and UI cards: Create custom apps and UI cards. 

Note: As of January 2023, SAP Launchpad service was rebranded to SAP Build Work Zone, standard edition in the following areas: SAP BTP cockpit, all the product UIs, and related assets, including SAP Help Portal and SAP Discovery Center. There is no action required on the users’ part; you can lean back and enjoy the service. All the features and functionality remain the same with more being added.

We’ll explore some key facets of SAP Build Work Zone, standard edition in the following sections.

Access and Authentication

To provide a seamless UX for all integrated products and solutions, it’s necessary that the products support single sign-on (SSO) to be able to synchronize and replicate authorizations and roles across the connected systems. This can be viewed as a prerequisite or step 1 when implementing SAP Build Work Zone, standard edition.

Authentication of users within SAP BTP is handled by the Identity Authentication service, which enables secure authentication, SSO, and identity federation, as well as support for advanced authentication mechanisms such as multifactor authentication, Security Assertion Markup Language (SAML) protocols, and OpenID Connect protocols. By connecting to a SAML 2.0 corporate identity provider (IdP), all users are able to authenticate with the same identity in the cloud as well as on-premise.

One reason Identity Authentication is recommended for authentication with SAP BTP is for the support of framing. Framing lets you organize content on a web page into multiple sections or frames. SAP Build Work Zone, standard edition opens individual applications in an iFrame, which is an inline frame, so the IdP must allow for framing. Identity Authentication supports framing by default and can be configured to forward authentication requests to a corporate IdP, even when a session is already in place. If a third-party IdP is being used instead, it must allow for framing via Content-Security-Policy: frame-ancestors <Central Launchpad Domain> (recommended) or X-Frame-Options.

It’s important to note the trust relationship across the hybrid landscape. The Identity Authentication tenant is trusted by the SAP BTP subaccount as well as other SAP cloud solutions and handles all authentication requests. In turn, the Identity Authentication tenant trusts the corporate IdP and federates authentication to it. Additionally, the SAP S/4HANA or SAP Business Suite system authenticates users via SAML 2.0 or X.509 with the corporate IdP. This setup is called direct access and allows for all user identities to come from a single user store with a single set of credentials, whether the authentication takes places in the cloud or on-premise.

Another type of access is tunneled access. In this scenario, the cloud connector acts as the interface between the on-premise landscape and your cloud account on a network level. It also plays that role for authentication via principal propagation. SAP BTP forwards the identity of the logged-on user to the cloud connector via a SAML bearer token. The cloud connector then generates an X.509 certificate for that user, which is forwarded to the connected backends. Note that the configured connected systems need to accept X.509 user certificates.

Integration

The main step in implementing SAP Build Work Zone, standard edition is integrating the business content. The content that’s integrated from different products and solutions is independent with regard to the software lifecycle and launchpad content. Therefore, the content and applications will continue to exist as is with their local entry points, and the ownership stays with the products itself. SAP Build Work Zone, standard edition doesn’t replace existing entry points (e.g., local SAP Fiori launchpads or homepages) or take ownership of the content and applications. Businesses decide whether to continue using existing local entry points or to point their users to SAP Build Work Zone, standard edition. This decision can also differ depending on the user role. SAP Build Work Zone, standard edition leaves ownership and lifecycle of application resources, as well as the content model, to the integrated products. It doesn’t require harmonization of the role or authorization concept for all connected products. However, an overarching concept is needed to link users and their content with their respective roles in the connected products. In any case, SAP Build Work Zone, standard edition won’t deal with application-specific authorizations in the application systems or tenants.

SAP Build Work Zone, standard edition can integrate multiple SAP S/4HANA systems of different versions, applications built using different UI technologies (e.g., SAPUI5, Web Dynpro ABAP, SAP GUI for HTML), and URL-based applications. SAP Build Work Zone, standard edition supports three kinds of content integration:

• Content package: Content packages contain content items such as SAPUI5 cards. A content package is created in SAP Business Application Studio, delivered as a ZIP file, and deployed into SAP Build Work Zone, standard edition.
• Manual integration: The administrator builds content structure manually and manages configuration for each application within the SAP Build Work Zone, standard edition content manager by pointing to the app on the source system. On-premise SAP S/4HANA apps and SAP S/4HANA Cloud apps deployed on SAP BTP, Cloud Foundry environment or SAP BTP, ABAP environment can be integrated using manual integration. App types such as SAPUI5, SAP GUI for HTML, and Web Dynpro ABAP, as well as URL and dynamic URL apps, can be integrated using templates.
• Content federation: The content administrator of the provider (e.g., SAP S/4HANA system) manages application configuration and content structure and then exposes the configuration and content structure based on the common data model format.

Note: SAP established the common data model format to simplify and standardize the integration. The common data model defines an exchange format for products that facilitates the integration of the products’ local content structure into the launchpad.

The administrator selects the federated content from the provider system and assigns roles to the relevant launchpad site and users. The content definition, lifecycle, and storage remain under the control of the product. Two kinds of content federation are available:

• If the content to be integrated is deployed to the SAP BTP, Cloud Foundry environment, then SAP BTP itself acts as the content provider, and the content federation runs as subscription based. The subaccount running SAP Build Work Zone, standard edition requires a subscription to the content provider account.
• In content federation scenarios where an on-premise system, such as SAP S/4HANA, acts as the content provider, the content federation runs as destination based. The subaccount running SAP Build Work Zone, standard edition requires a configured destination to the content provider.

Tools and Services

SAP Build Work Zone, standard edition provides tools for the content administrator to manage content, which are shown in the figure below. The site directory and site editor are used to manage sites, which are created for end users to access content. The content within sites is managed through the content manager. The provider manager is where you can manage content providers. Content providers expose business content that you can integrate into your launchpad sites. Error logs, system aliases, user capabilities, display options, and other general configurations can be managed in settings.

The next figure shows the Site Directory that is used to create and maintain SAP Build Work Zone, standard edition sites. A site alias can also be maintained here, which helps define a meaningful name for a site versus referencing it through the cryptic unique ID. For example, the site URL that includes the full site ID is https://<domain>/site?siteId=<siteid>#Shell-home. Using a site alias, the same URL can be called using https://<domain>/site/<sitealias>#Shell-home.

Below shows the Site Settings through which you can configure the following:

• General: Some of the settings here are for informational purposes only and can’t be edited, such as unique ID, created date, created by, last modified date, and last modified by. There are other settings, such as the name of the site and description, that can be edited and maintained by the administrator.
• Browser Settings: Browser settings determine if the application can use browser features. Turning on the Optimized Site Loading setting lets the application use the browser cache, and turning on Browser Feature Access lets the application use browser features such as camera and geo location.
• User Capabilities: These settings determine if the end user can make changes to their settings at runtime. For example, turning on Theme Selection and Language Selection lets the user change the theme and language.
• Display: Display settings determine how and what site features are displayed on screen, at runtime, in the shell header, or in the User Actions Menu. For example, Launchpad View Mode lets you determine if groups or pages and spaces are displayed, and Search in Shell Header determines if the search field should appear in the shell header.

The next figure shows the Content Manager screen, where you perform manual content integration.

By clicking the Create button, you can add apps, catalogs, groups, pages, roles, and spaces. Clicking the Content Explorer button allows you to browse the available content for integration.

If you select one of the application items, you’ll arrive at the New App configuration screen in the Content Manager, as shown in the following figure. Here, you can create the content and adjust the configuration of general properties, navigation, visualization, and translation.

The next figure shows the Content Explorer screen, where you can see an overview of connected content providers. Content providers expose business content that you can integrate into your launchpad sites.

Below shows the Channel Manager screen, where you can add, configure, and manage connections to content providers. You can see the list of content providers defined in this subaccount, the tile and description, the unique ID within the subaccount, and the design-time and runtime destinations (defines the location from which to obtain the resources needed to run the federated apps in design time and runtime). You can also see the status of the content provider (if it’s active or not).

The Channel Manager screen also has content packages, which bundle related artifacts to install a functionality set to SAP Build Work Zone. The following content artifact types are supported: workspace templates, cards, and workflows. The SAP Build Work Zone administrator can install content packages. Within the Content Package application, they can search for centrally delivered packages or upload custom packages. A developer can create content artifacts within his SAP Build Work Zone account and bundle them.

Finally, the last figure shows the Settings screen, which includes error logs, notifications, alias mappings, security headers, identity provisioning, and more.

Editor’s note: This post has been adapted from a section of the book SAP Business Technology Platform by Smitha Banda, Shibaji Chandra, and Chun Aun Gooi.