SAP Cloud Identity Access Governance (IAG) | Overview and Integration Capabilities

SAP Cloud Identity Access Governance (SAP Cloud IAG, often referred to as SAP IAG) is a cloud service on SAP Business Technology Platform (BTP), formerly SAP Cloud Platform (SCP). It offers similar functionality to – but does not replace – SAP Access Control (often referred to as SAP GRC), part of SAP’s GRC solutions. With SAP Cloud IAG, you can streamline identity and access management (IAM) in complex on-premise and cloud environments. You can improve IAM and compliance practices with an intuitive, dashboard-driven interface and a simplified experience in the cloud.

The service offers a range of identity and access management capabilities, including (among others) self-service access requests for on-premise and cloud applications, access risk analysis, and role design. Each of the services that come with SAP Cloud IAG can work independently or in combination with one another.

SAP Cloud IAG Overview

SAP Cloud IAG offers five core features:

  • Access Analysis
  • Role Design
  • Access Request
  • Access Certification
  • Privileged Access Management

You can refer to the SAP Road Maps to see the release schedule for upcoming features.

Access Analysis Service 

The Access Analysis Service enables you to detect and remediate segregation of duties (SoD) and critical access risks. 

The access analysis overview dashboard allows you to review the risk across the landscape by displaying the users who have a high risk score based on the critical actions they have executed. 

Further, you can dive into mitigated risks to see which users have compensating controls assigned. You can also display the defined business processes based on their risk level and similar metrics.

SAP Cloud IAG comes with rulesets for various applications including SAP S/4HANA, SAP Fiori, SAP ERP/ECC, but also SAP cloud solutions like SAP SuccessFactors, SAP Ariba, etc. With SAP Cloud IAG, you can run continuous access analysis and use real-time insights to support access compliance management.

SAP Cloud IAG – Access Analysis Overview

Access Request Service

The Access Request Service integrates with additional SAP Cloud Platform services to utilize workflow management, provisioning, and business logic. SAP Cloud IAG provides compliant provisioning of user access to various on-premise and cloud applications.

SAP Cloud IAG – Create Access Request

Role Design Service

The role design service enables you to define and maintain compliant business roles directly in SAP Cloud IAG in order to optimize role definition and streamline governance. It also provides risk metrics and usage trends within a business role in order to evaluate the impact it has on end-users (so that role adjustments can be made).

SAP Cloud IAG – Edit Business Roles

Access Certification Service

The Access Certification Service allows you to review user access, roles, risks and mitigation controls for on-premise and cloud applications. When an employee’s job changes, it is important to review and remediate their authorizations.

Accumulated access often leads to security risks, so periodic recertification of a user’s access helps establish a governance process to stay compliant. With SAP Cloud IAG, periodic user access reviews (UAR) can be streamlined using so-called Campaigns.

SAP Cloud IAG – Manage Active Campaigns

Privileged Access Management Service

The Privileged Access Management service enables you to monitor access to sensitive and critical transactions, giving you better insight into how users with elevated authorizations are interacting with your organization’s data. This functionality is similar to Firefighter, part of the Emergency Access Management (EAM) module of SAP Access Control (GRC).

Additionally, SAP plans to leverage machine-learning capabilities to help differentiate suspicious and fraudulent activity from normal behavior. This will become a key feature for reviewers in the assessment and auditing of log files.

SAP Cloud IAG – Privileged Access Monitoring

Key Capabilities of SAP Cloud Identity Access Governance:

  • Secure environment for managing identities in various SAP applications.
  • Dashboard-based user interface based on the familiar SAP Fiori user experience.
  • Instant visibility into access issues with drill-down capabilities.
  • Comprehensive access governance.
  • Simple, seamless and transparent processes.
  • Up-to-date and scalable solutions.

IAG Bridge

The SAP Cloud IAG Bridge provides a powerful tool to extend your on-premise SAP Access Control (GRC) 12.0.

SAP Cloud IAG Bridge offers:

  • Connectivity to cloud applications.
  • Cross-application access risk analysis, including cloud applications, by using SAP Cloud IAG (Access Analysis Service)
  • Remediation process with access refinement functions.
  • Role Designer to build business roles based on current assignments.

A disconnect in system landscapes and business applications leads to additional work when it comes to support, customizations and integrations. With the SAP Cloud IAG Bridge, we can connect those two worlds to achieve better governance and fully comply with regulations. 

In the age of digitalization, new business models, and a cloud-first strategy, organizations face the challenge of managing access and authorizations in the cloud and on-premise systems.

The SAP Identity Access Governance bridge concept offers an intuitive way to extend SAP Access Control. With this extension, you can group cloud applications under one compliance domain, easily connect to cloud applications, and extend your cross-application risk management and analysis into the cloud.

Furthermore, the Role Design Service allows you to extract proposals based on assignments to build stable and powerful business roles.

SAP Cloud IAG Bridge – Overview (Source: sap.com)

Other key features that the SAP Cloud IAG Bridge concept offers:

  • Synchronize master data from SAP Access Control to SAP Cloud IAG, including:
    • Access risk definitions
    • Mitigating controls
  • The connectivity to target on-premise applications from SAP Access Control.
  • The connectivity to various cloud applications (e.g., Ariba, SAP S/4HANA Public Cloud, etc.).
  • Cross-system risks between on-prem and the cloud.
  • Connectors to SAP’s cloud solutions.

With the SAP Cloud IAG Bridge, you can extend your current SAP Access Control installation without compromising on functionality, identity and access governance, or other compliance requirements.

For more details about the IAG Bridge functionality, please refer to the post “SAP IAG Bridge – Manage Hybrid Landscapes”.

Integrated Identity Access Governance for Hybrid Landscapes

SAP Cloud Platform (SCP) offers a variety of services related to identity and access management (IAM). In the age of digitalization, new business models, and cloud-first strategies, customers face new challenges when it comes to the identity lifecycle.

Employees (end-users) require access to various systems, which can become extremely complex in a hybrid landscape with both on-premise and cloud applications.

SAP Cloud Platform offers three main services to manage the identity lifecycle:

  • SAP Cloud Identity Access Governance (SAP Cloud IAG) to analyze access risks and segregation of duties (SoD) issues.
  • SAP Cloud Platform Identity Authentication Service (IAS) to authenticate users to the cloud applications.
  • SAP Cloud Platform Identity Provisioning Service (IPS) to provision users to cloud applications.

The three services integrate with each other to provide a holistic solution to identity and access management challenges.

You can seamlessly achieve access governance across the hybrid landscape, automate access request approval, automate provisioning based on HR events, expand your systems for key business applications between on-premise and the cloud, and natively integrate with SAP S/4HANA to get access to rule content and support for new authorization models.

Business Benefits

SAP Cloud Identity Access Governance is offered as Software as a Service (SaaS) and comprises several distinct identity management and access governance capabilities. Each of these can be used separately to address specific business needs and can also be integrated with native applications based on the SAP Cloud Platform.

You have the flexibility to use one, many or all the services, depending on your business requirements. Because SAP Cloud IAG is a cloud-based solution, it can be easily extended across your enterprise to meet your demands.

On-Demand Webinars

Watch our on-demand webinars and learn how you can utilize SAP Cloud IAG as well as the SAP Cloud Identity Services to extend your SAP security portfolio.

The on-demand webinars are available as part of the SAP Cloud Security Madness series. Please see the details below – and access the webinars here: https://www.xiting.us/sap-cloud-security-madness/  

Session 1: SAP CLOUD SECURITY OVERVIEW

Get to know the different security products in the cloud and gain insights into the security architecture with the SAP Cloud Platform (SCP).

Session 2: SAP CLOUD PLATFORM IDENTITY PROVISIONING SERVICE (IPS)

Learn how SAP Cloud Platform Identity Provisioning (IPS) works and how you can automate identity lifecycle processes with the SAP Cloud Platform (SCP). Understand how IPS allows you to provision identities and their authorizations to various cloud and on-premise business applications.

Session 3: SAP CLOUD IDENTITY ACCESS GOVERNANCE (IAG) OVERVIEW

Learn and understand what SAP Cloud Identity Access Governance (IAG) and its services offer. Get insight into the range of identity and access management capabilities, including (among others) self-service access requests for on-premise and cloud applications, access risk analysis, and role design.

Session 4: SAP CLOUD IDENTITY AND SINGLE SIGN-ON (SSO) IN THE CLOUD

Learn and understand SAP’s strategy to implement secure authentication and SSO for SaaS and PaaS using the SAP Cloud Identity Services and its services. Get insight into the range of different user authentication capabilities and typical customer scenarios.

Session 5: SAP CLOUD IAG INTEGRATION WITH SAP ACCESS CONTROL (GRC) ON-PREMISE

A disconnect in system landscapes and business applications leads to additional work when it comes to support, customizations and integrations. With the SAP Cloud IAG Bridge, we can connect those two worlds to achieve better governance and fully comply with regulations. In this webinar, learn how you can integrate SAP Cloud IAG with your SAP Access Control (GRC) on-premise installation and see a live demo of how to utilize the cloud risk analysis to extend your SAP Access Control into the cloud.

Frequently Asked Questions

Below is a list of frequently asked questions in regard to SAP Cloud IAG.

Can you integrate SAP SuccessFactors with SAP Cloud IAG?

You can integrate SAP Cloud IAG with SAP SuccessFactors with the above-mentioned services.

Can you integrate SAP Ariba with SAP Cloud IAG?

You can integrate SAP Cloud IAG with SAP Ariba with the above-mentioned services.

Can you integrate SAP Concur with SAP Cloud IAG?

At the moment, IAG does not support SAP Concur integration. You can always check new developments on roadmaps.sap.com.

Does SAP Cloud IAG replace SAP Access Control (GRC)?

SAP Cloud Identity Access Governance (IAG) is not SAP Access Control in the cloud, nor does it replace SAP Access Control (GRC). SAP Cloud IAG offers services similar to SAP Access Control and can be integrated with the latter.

Can you deploy SAP Access Control (GRC) to the cloud?

You can deploy SAP Access Control (GRC) to the cloud. Cloud deployment of SAP Access Control offers the same features and functionalities as an on-premise installation. You can deploy on platforms like the SAP HANA Enterprise Cloud (HEC), Amazon’s AWS, Google Cloud, Microsoft Azure, etc.

Conclusion

SAP Cloud Identity Access Governance services enable organizations to manage digital identities across all applications and services. With a company-wide global identity system, businesses can create a unique user experience and secure the applications that drive their business growth.

Alessandro Banzer