Shadow users are users that are created in the SAP BTP subaccount to map the users from the connected identity provider. Shadow users are required for users to access SAP Build Work Zone. The following methods can be used to create shadow users:
Automatic creation upon login via connected identity provider: This is the recommended and default method for creating shadow users. When a user logs in to SAP Build Work Zone for the first time using an identity provider such as SAP Cloud Identity Services, a shadow user is automatically created and assigned to the role collections that are mapped to the groups attribute in the identity provider [1].
Admin UI on the SAP BTP subaccount cockpit: This is a manual method for creating shadow users. An administrator can use the SAP BTP subaccount cockpit to create and manage shadow users and assign them to role collections [2].
Authorization & Trust Management Service API: This is a programmatic method for creating shadow users. An administrator can use the Authorization & Trust Management Service API to create, read, update, and delete shadow users and assign them to role collections [3].
The following methods cannot be used to create shadow users:
Import from SAP SuccessFactors Employee Central: This method can be used to import users from SAP SuccessFactors Employee Central to SAP Cloud Identity Services, but not to create shadow users in the SAP BTP subaccount.
CSV file upload in the SAP BTP subaccount cockpit: This method can be used to upload users and assign them to role collections in the SAP BTP subaccount, but not to create shadow users. Shadow users are created only when the users log in via the connected identity provider.
References:
1: Explaining the Authentication Flow of SAP Build Work Zone
2: Assign SAP Build Work Zone Roles to Users
3: Authorization & Trust Management Service API
: Importing Users from SAP SuccessFactors Employee Central
: Uploading Users and Assigning Them to Role Collections