Virtual Workspaces Configuration

Prerequisites

Virtual workspaces only work with SSO configured for your SAP LeanIX:

• Make sure that users are authenticated via SSO from your IdP, meaning the access to SAP LeanIX is managed by your IdP.
• Make sure that users are authorized via SSO, meaning your IdP sends the user roles (viewer, member, admin).
• Make sure you can add attributes to the SSO configuration. You need to be able to do this in later steps of the configuration. If you are not able to do this, reach out to the administrator of your IdP for the configuration.

To learn more, see Single Sign-On.

Step 1: Define User Groups for Access Control

It is important to have a solid concept of your user groups. Keep it as simple as possible to also keep the maintenance of the access control easy. It can help to draw a diagram to get an overview and leave out unnecessary details.

1. List your access control entities that will be represented by virtual workspaces.
2. Group your users and assign the required access control entities.
3. Define which user groups need read and/or write access to which fact sheets.

Step 2: Create Access Control Entities in SAP LeanIX

Configure access control entities in SAP LeanIX.

1. Navigate to Administration > Access Control.

2. Choose Add Entity.

3. Enter an access control entity ID in uppercase letters with no space. Underscores are allowed.
   Each attribute value must match the entryACI value configured in your IdP. For example, the access control value ID value FINANCE_DEPT matches the entryACI value FINANCE_DEPT.

   
   

4. Enter a Display name.
   For example: Finance
   The display name is visible in SAP LeanIX when assigning access control entities manually.

5. In the Description field, give more details as necessary to make the maintenance of access control entities easier in the future.

6. Repeat to add more access control entities.

Step 3: Update the SSO Configuration with the Access Control Attribute

In the SSO configuration, you need to add a new attribute. You do this in your IdP, for example Okta, Entra ID, or similar. The exact steps depend on your IdP. In general, access control is configured in a similar way that you assign roles. To learn more, see Single Sign-On.

1. In your IdP, create the Active Directory (AD) groups for the assignment of access control entities. Add users to the AD groups.
2. In the IdP, navigate to the SSO configuration for your SAP LeanIX application.
3. Add the new attribute entryACI.
4. Assign the entryACI values to the corresponding AD user groups.
   Ensure the attribute value is uppercase with no spaces. Underscores are allowed.
   Each attribute value must match the access control entity ID configured in SAP LeanIX. For example, the entryACI value FINANCE_DEPT matches the access control entity ID FINANCE_DEPT.
5. Verify that the IdP sends the the correct entryACI value to SAP LeanIX.
   Use one of the following options to test the entryACI values:
   • Recommended: Check the Session Details
     As this option is more precise it is recommended especially for troubleshooting.
   • Check the Profile Details

Check the Session Details

1. Choose a (test) user that has specific user group assignments or put your own user into the AD user groups.

2. Open an incognito browser window and log in to SAP LeanIX.

3. Open a new tab and open the following link, replacing the placeholder with your subdomain: https://{SUBDOMAIN}.leanix.net/Shibboleth.sso/Session
   If the SSO configuration was successful, the access control entities are visible.

   
   

Check the Profile Details

1. Choose a (test) user that has specific user group assignments or put your own user into the AD user groups.
2. Open an incognito browser window and log in to SAP LeanIX.
3. Select the profile icon.
   If the SSO configuration was successful, the access control entities are visible.

Step 4: Configure Global Read/Write Settings for New Fact Sheets

Configuring the global access settings reduces maintenance in the future. New fact sheets are automatically created with the correct access settings.

Example: How do the global access settings work?

Let’s look at the global settings with a small example.
A member with the access control entities “Finance” and region “AMER” creates a new fact sheet. This is how the access settings for new fact sheets will be populated:

• Global unrestricted
  The fact sheet is visible to all users from all workspaces. Editing is possible for all users with the member role.
• Read & Write restricted
  The fact sheet is automatically restricted to “Finance” and region “AMER” users. All members with these access control entities can edit the fact sheet.
• Write restricted
  The fact sheet is visible to all users from all workspaces.
  Editing is automatically restricted to “Finance” and region “AMER” members.

📘

Note

The global access setting does not apply for users with the admin role.

Admins can always see all fact sheets and configure all access settings. Therefore, fact sheets created by an admin cannot be populated with access control information.

Admins always have to select the access settings when creating a new fact sheet. Otherwise the fact sheet is accessible to everyone across all virtual workspaces.

1. In SAP LeanIX, navigate to Administration > Meta Model Configuration.

2. Choose a fact sheet type.

3. Choose Edit.

4. In the configuration, choose your preferred setting from the Access Control dropdown.

   

Step 5:Assign Access Control to Existing Fact Sheets

Assigning Access Control Entities Through Import

It’s best to use the import option to assign the access control entities in bulk for a large number of existing fact sheets. To learn more, see Importing Fact Sheet Data Through Excel File.

1. Navigate to the Inventory.

2. Change to the table view.

3. Select the columns for Read access and Write access.

   

4. Export the Excel file.

5. In the Excel file, add the access control entities for each fact sheet.
   You can add more than one access control entity per fact sheet.

   

6. Import the updated Excel file.

Assigning Access Control Entities in the Inventory Table View

The table view of the inventory offers an overview of access permissions. In the table, you have quick access to a dropdown to configure access control entities for each fact sheet and easily navigate between fact sheets.

1. Navigate to the Inventory.

2. Change to the table view.

3. Select the columns for Read access and Write access.

   

4. Choose Edit.

5. Choose a field with Read access or Write access and start typing.
   The available access control entities are displayed in a dropdown. You can add more than one access control entity for each fact sheet.

   

6. Update all required fact sheets manually.

7. Choose Save.

Assigning Access Control Entities for a Single Fact Sheet

You can update the access permissions directly in the fact sheet settings.

1. Navigate to the fact sheet.

2. On the Fact Sheet tab, go to the Access Control List (optional) section.

3. Choose Edit.

4. Choose a field with Read access or Write access.
   The available access control entities are displayed in a dropdown. You can add more than one access control entity for each fact sheet.