Virtual Workspaces
Reduce complexity by segregating your data with virtual workspaces.
Overview
With virtual Workspaces, you can control at the individual fact sheet level, which users can "read" (view/see) and "write" (edit/update) that particular fact sheet. There are several Use Cases for this functionality. One of the most powerful is the creation of seamless separation of a workspace into two or more "workspaces" or "views" which are tailored to specific groups/departments.
Here's an example of how you can segregate data using virtual workspaces. Consider a workspace that contains numerous fact sheets. When a user signs in, they are initially presented with all of these fact sheets, which can be overwhelming and potentially irrelevant to their specific role. However, with virtual workspaces, you can organize data in such a way that users only see fact sheets that are relevant to them. Virtual workspaces allow an organization to create tailored views that filter data down to a detailed level, significantly improving the user experience and efficiency.
You can create these customized views based on concepts that align with your specific use cases. For example, you might segregate views by brand, region (such as Americas, Asia, Europe, and so on), or department. This ensures that users only interact with the data that's most relevant to their roles, making their tasks more manageable and efficient. By leveraging virtual workspaces, you can enhance user productivity, improve data management, and provide a more personalized user experience.
In the following image, you can see an example of how you can segregate data by brand using virtual workspaces. By creating separate virtual workspaces for each brand, you can restrict specific user groups from accessing information that is not relevant to them.
In the example below, the decision was made to create virtual workspaces based on the concept of departments. Signing into SAP LeanIX as a user assigned to "Finance", I see a tailored view of only those Business Capabilities, Applications, etc., that are assigned to Finance. In addition, this continues within Reporting, where I automatically (without the use of filters), see only those fact sheets assigned to Finance.
Configuring Virtual Workspaces
With virtual workspaces, you can control which fact sheet can be viewed (Read Access) and edited (Write Access).
A virtual workspace is represented by an Access Control Entity (ACE), which, through the Identity Provider, is assigned to the user and managed on fact sheets. The available ACEs can be configured in the Administration area of the workspace. In order to implement Virtual Workspaces, your organization needs to have SSO configured, and in addition, your Identify Provider needs to be set to External IDP. Please see the documentation on External IDPs.
After ensuring that your Identity Provider is set up as External IDP. The next steps are to create the Access Control List (groups), and then assign them to fact sheets.
Creating an Access Control List
In order to get started, you need to decide what concept to use in order to create your virtual workspaces. Do you need to group users by Region or Department? Once that decision is made, access the Administration area and select Access Control.
Continuing on with the same example, you can see below, that several other Access Controls have been created in addition to "Finance". The Access Control List is where you define each group that you will be utilizing to assign access to. Again you can choose whichever concept makes the most sense for your Use Case; instead of Departments, you can use Regions or Brands.
Assigning Access Control to Fact Sheets
In order to divide a workspace into virtual workspaces, you will need to assign "read" (who can view this fact sheet) and write (who can edit this fact sheet) access to each fact sheet. This can be done relatively easily utilizing the Import/Export. Simply follow the normal process you use in order to Export/Import and select "Read Access", and "Write Access" from the table view.
In addition, just like with any other attribute (field), you can also assign read and write access to each fact sheet individually. Only Administrators have access to the subsection below. In addition, other users are not even able to see this subsection.
You can assign as many Access Control Lists as you need to; you are not limited to associating just one Access Control List per fact sheet.
Now, this fact sheet is only viewable to users assigned to the "Finance" Access Control List. In addition, they are the only users who can edit this fact sheet.
If you leave the Read access blank for a fact sheet that means that ALL users can view that fact sheet. Similarly, if you leave write access blank, that means that ALL users can edit that fact sheet.
If you have defined an Access Control List like Finance under Read Access, and Write access was blank. That would mean that Finance users would be able to Read and Write this fact sheet.
SSO Configuration
As previously explained, virtual workspaces require that your SSO be set-up as External IDP. The main difference between this option and the other option (there are only two), is that with this option, you send the "role" to assign to each user, from your system (meaning you do not manage the Role within SAP LeanIX).
With the addition of virtual workspaces, your SSO will need to be updated. A new attribute with the name of entryACI needs to be created. The value for that attribute, for each user needs to be defined within your SSO system. For example following the user who is assigned to "Finance". This means that the entryACI for this user would be populated with "finance", while the role is populated with MEMBER.
Take note that the entryACI in this case is in "lower case letters", this is because in the Access Control List (Administration>Access Control) within SAP LeanIX. The ID is defined as "finance", while the display Name is defined as "Finance".
Your SSO will continue to send us the "role" attribute. This does Not need to be changed. The role attribute is where you define, which of the 3 standard roles, each user is assigned. The three standard roles are MEMBER, VIEWER, and ADMIN.
The standard authorization model, works hand and hand with virtual workspaces. The authorization model (in general) works at the fact sheet type level, to allow you to define read, write, update, delete access and more at an attribute level (examples of attributes are description, functional fit) on each fact sheet TYPE (examples of fact sheet TYPES are Application and ITComponent). Although the standard authorization model is very flexible, it is not possible to control read and write access to individual fact sheets. This is where virtual workspaces comes in.
The IDs defined in the Access Control List within SAP LeanIX (Administration>Access Control), which are then assigned to fact sheets. Must match what your SSO system is sending as the value within the "attribute" of entryACI.
Upkeep of Access Control
It's exciting that maintenance should be relatively minor in nature. In the configuration you can choose for each fact sheet type if new fact sheets are created unrestricted or if the users ACL is inherited to the read and write restriction of this new fact sheet. For example: When a user assigned to Finance creates a new fact sheet, that fact sheet will automatically have Read and Write access set to "Finance".
Use Cases
Segregate your virtual workspace by legal entities. Allow users to only see fact sheets that belong to their Legal Entity.
Segregate your virtual workspace by teams. Allow users to only edit fact sheets belonging to their team.
Hide highly sensitive fact sheets from unauthorized users. In acquisition and merger scenarios for example, tag fact sheets according to affected Legal Entities.
Scenario 1: Unrestricted
This means that all new fact sheets of the type will be visible and editable for every user of the workspace, i.e. both Read Access and Write Access are black.
As a result all users can collaborate on all fact sheets of that type. Also, you only can create a relation if you have "Write Access" to both fact sheets.
Scenario 2: Write Restricted
All new fact sheets of the type will be visible for every user of the workspace, i.e., "Read Access" is being kept empty. The "Write Access" field will be assigned with the values that a user creating the fact sheet has: E.g. if a user has the ACE "Marketing", then the "Write Access" field will hold the value "Marketing" and therefore only be editable by other users having the ACE "Marketing".
As a result all users can view all fact sheets of that type but only edit "their" fact sheets.
Scenario 3: Read & Write Restricted
All new fact sheets of the type will only be visible and editable for users of the respective virtual workspace. The fields "Read Access" and "Write Access" field will be assigned with the values that a user creating the fact sheet has: E.g. if a user has the ACE "Marketing", then both "Read Access" and "Write Access" field will hold the value "Marketing" and therefore only be viewable and editable by other users having the ACE "Marketing".
As a result only users of the respective virtual workspace can view and edit fact sheets of that type for their virtual workspace.
Updated about 2 months ago