SAP Cloud Identity Access Governance (IAG) | Overview and Integration Capabilities
SAP Cloud Identity Access Governance (SAP Cloud IAG, often referred to as SAP IAG) is a cloud service from SAP Business Technology Platform (BTP) Cloud Platform (SCP). It offers similar functionality to – but does not replace – SAP Access Control (often referred to as SAP GRC), part of SAP’s GRC solutions. With SAP Cloud IAG, you can streamline identity and access management (IAM) in complex on-premise and cloud environments. You can improve IAM and compliance practices with an intuitive, dashboard-driven interface and a simplified experience in the cloud.
The service offers a range of identity and access management capabilities, including (among others) self-service access requests for on-premise and cloud applications, access risk analysis, and role design. Each of the services that come with SAP Cloud IAG can work independently or in combination with one and another.
Table of Contents
SAP Cloud IAG Overview
SAP Cloud IAG offers five core features:
- Access Analysis
- Role Design
- Access Request
- Access Certification
- Privileged Access Management
You can refer to the SAP Road Maps to see the release schedule for upcoming features.
Access Analysis Service
The Access Analysis Service enables you to detect and remediate segregation of duties (SoD) and critical access risks.
The access analysis overview dashboard allows you to review the risk across the landscape by displaying the users who have a high risk score based on the critical actions they have executed.
Further, you can dive into mitigated risks to see which users have compensating controls assigned. You can also display the defined business processes based on their risk level and similar metrics.
SAP Cloud IAG comes with rulesets for various applications including SAP S/4HANA, SAP Fiori, SAP ERP/ECC, but also SAP cloud solutions like SAP SuccessFactors, SAP Ariba, etc. With SAP Cloud IAG, you can run continuous access analysis and use real-time insights to support access compliance management.
Access Request Service
The Access Request Service integrates with additional SAP Cloud Platform services to utilize workflow management, provisioning, and business logic. SAP Cloud IAG provides compliant provisioning of user access to various on-premise and cloud applications.
Role Design Service
The role design service enables you to define and maintain compliant business roles directly in SAP Cloud IAG in order to optimize role definition and streamline governance. It also provides risk metrics and usage trends within a business role in order to evaluate the impact it has on end-users (so that role adjustments can be made).
Access Certification Service
The Access Certification Service allows you to review user access, roles, risks and mitigation controls for on-premise and cloud applications. When an employee’s job changes, it is important to review and remediate their authorizations.
Accumulated access often leads to security risks, so periodic recertification of a user’s access helps establish a governance process to stay compliant. With SAP Cloud IAG, periodic user access reviews (UAR) can be streamlined using so-called Campaigns.
Privileged Access Management Service
The Privileged Access Management service enables you to monitor access to sensitive and critical transactions, giving you better insight into how users with elevated authorizations are interacting with your organization’s data. This functionality is similar to the Firefighter as part of the Emergency Access Management (EAM) module of SAP Access Control (GRC).
Additionally, SAP plans to leverage machine-learning capabilities to help differentiate suspicious and fraudulent activity from normal behavior. This will become a key feature for reviewers in the assessment and auditing of log files.
Key Capabilities of SAP Cloud Identity Access Governance:
- Secure environment for managing identities in various SAP applications.
- Dashboard-based user interface based on the familiar SAP Fiori user experience.
- Instant visibility into access issues with drill-down capabilities.
- Comprehensive access governance.
- Simple, seamless and transparent processes.
- Up-to-date and scalable solutions.
IAG Bridge
The SAP Cloud IAG Bridge provides a powerful tool to extend your on-premise SAP Access Control GRC 12.0.
SAP Cloud IAG Bridge offers:
- Connectivity to cloud applications.
- Cross-application access risk analysis, including cloud applications, by using SAP Cloud IAG (Access Analysis Service)
- Remediation process with access refinement functions.
- Role Designer to build business roles based on current assignments.
A disconnect in system landscapes and business applications leads to additional work when it comes to support, customizations and integrations. With the SAP Cloud IAG Bridge, we can connect those two worlds to achieve better governance and fully comply with regulations.
In the age of digitalization, new business models, and a cloud-first strategy, organizations face the challenge of managing access and authorizations in the cloud and on-premise systems.
The SAP Identity Access Governance bridge concept offers an intuitive way to extend SAP Access Control. With this extension, you can group cloud applications under one compliance domain, easily connect to cloud applications, and extend your cross-application risk management and analysis into the cloud.
Furthermore, the Role Design Service allows you to extract proposals based on assignments to build stable and powerful business roles.
Other key features that the SAP Cloud IAG Bridge concept offers:
- Synchronize master data from SAP Access Control to SAP Cloud IAG, including:
- Access risk definitions
- Mitigating controls
- The connectivity to target on-premise applications from SAP Access Control.
- The connectivity to various cloud applications (e.g., Ariba, SAP S/4HANA Public Cloud, etc.).
- Cross-system risks between on-prem and the cloud.
- Connectors to SAP’s cloud solutions.
With the SAP Cloud IAG Bridge, you can extend your current SAP Access Control installation without compromising on functionality, identity and access governance, or other compliance requirements.
For more details about the IAG Bridge functionality, please refer to this post SAP IAG Bridge – Manage Hybrid Landscapes.
Integrated Identity Access Governance for Hybrid Landscapes
SAP Cloud Platform (SCP) offers a variety of services related to identity and access management (IAM). In the age of digitalization, new business models, and cloud-first strategies, customers face new challenges when it comes to the identity lifecycle.
Employees (end-users) require access to various systems, which can become extremely complex in a hybrid landscape with both on-premise and cloud applications.
SAP Cloud Platform offers three main services to manage the identity lifecycle:
- SAP Cloud Internet Access Governance (SAP Cloud IAG) to analyze access risks and segregation of duties (SoD) issues.
- SAP Cloud Platform Identity Authentication Service (IAS) to authenticate users to the cloud applications.
- SAP Cloud Platform Identity Provisioning Service (IPS) to provision users to cloud applications.
The three services integrate with each other to provide a holistic solution to identity and access management challenges.
You can seamlessly achieve access governance across the hybrid landscape, automate access request approval, automate provisioning based on HR events, expand your systems for key business applications between on-premise and the cloud, and natively integrate with SAP S/4HANA to get access to rule content and support for new authorization models.
Business Benefits
SAP Cloud Identity Access Governance offers Software as a Service (SaaS), which enables companies to comprise several distinct identity management and access governance capabilities. Each of these can be used separately to address specific business needs and can also be integrated with native applications based on the SAP Cloud Platform.
You have the flexibility to use one, many or all the services, depending on your business requirements. SAP Cloud IAG being a cloud-based solution, it can be easily extended across your enterprise to meet your demands.
On-Demand Webinars
Watch our on-demand webinars and learn how you can utilize SAP Cloud IAG as well the SAP Cloud Identity Services to extend your SAP security portfolio.
The on-demand webinars are available as part of the SAP Cloud Security Madness series. Please see the details below – and access the webinars here: https://www.xiting.us/sap-cloud-security-madness/
Session 1: SAP CLOUD SECURITY OVERVIEW
Get to know the different security products in the cloud and gain insights into the security architecture with the SAP Cloud Platform (SCP).
Session 2: SAP CLOUD PLATFORM IDENTITY PROVISIONING SERVICE (IPS)
Learn how SAP Cloud Platform Identity Provisioning (IPS) works and how you can automate identity lifecycle processes with the SAP Cloud Platform (SCP). Understand how IPS allows you to provision identities and their authorizations to various cloud and on-premise business applications.
Session 3: SAP CLOUD IDENTITY ACCESS GOVERNANCE (IAG) OVERVIEW
Learn and understand what SAP Cloud Identity Access Governance (IAG) and its services offer. Get insight into the range of identity and access management capabilities, including (among others) self-service access requests for on-premise and cloud applications, access risk analysis, and role design.
Session 4: SAP CLOUD IDENTITY AND SINGLE SIGN-ON (SSO) IN THE CLOUD
Learn and understand SAP’s strategy to implement secure authentication and SSO for SaaS and PaaS using the SAP Cloud Identity Services and its services. Get insight into the range of different user authentication capabilities and typical customer scenarios.
Session 5: SAP CLOUD IAG INTEGRATION WITH SAP ACCESS CONTROL (GRC) ON-PREMISE
A disconnect in system landscapes and business applications leads to additional work when it comes to support, customizations and integrations. With the SAP Cloud IAG Bridge, we can connect those two worlds to achieve better governance and fully comply with regulations. In this webinar, learn how you can integrate SAP Cloud IAG with your SAP Access Control (GRC) on-premise installation and see a live demo of how to utilize the cloud risk analysis to extend your SAP Access Control into the cloud.
Frequently Asked Questions
Below is a list of frequently asked questions in regard to SAP Cloud IAG.
You can integrate SAP Cloud IAG with SAP SuccessFactors with the above-mentioned services.
You can integrate SAP Cloud IAG with SAP Ariba with the above-mentioned services.
At the moment, IAG does not support SAP Concur integration. You can always check new developments on roadmaps.sap.com.
SAP Cloud Internet Access Governance (IAG) is not SAP Access Control on the cloud nor does it replace SAP Access Control (GRC). SAP Cloud IAG offers services similar to SAP Access Control and can be integrated with the latter.
You can deploy SAP Access Control (GRC) to the cloud. Cloud deployment of SAP Access Control offers the same features and functionalities as an on-premise installation. You can deploy on platforms like the SAP HANA Enterprise Cloud (HEC), Amazon’s AWS, Google Cloud, Microsoft Azure, etc.
Conclusion
SAP Cloud Identity Access Governance services enable organizations to manage digital identities across all applications and services. With a company-wide global identity system, businesses can create a unique user experience and secure the applications that drive the success of your business growth.
Learn more about SAP Cloud IAG:
