SAP-IAG Admin Guide
Uploaded by
Prat ShetSAP-IAG Admin Guide
Uploaded by
Prat ShetAdministration Guide | PUBLIC
2020-11-19
SAP Cloud Identity Access Governance Admin
Guide
© 2021 SAP SE or an SAP affiliate company. All rights reserved.
THE BEST RUN
Content
1 Getting Started. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.1 About This Document. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.2 Document History. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.3 Terminology and Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2 Quick-Start Guides. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3 Upgrade Schedule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
4 Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
5 Onboarding. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
6 Solution Architecture. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
7 Initial Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
7.1 Create Subaccount. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
7.2 Subscribe to SAP Identity Access Governance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
7.3 Maintain Administrators. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
8 User Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
8.1 Setting Up User Authentication and Access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
Maintain Users and User Groups in IAS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Pre-Delivered Role Collections in SCP-IAG Tenant. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Map SCP-IAG Role Collections and IAS Group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32
Syncing User Groups from SAP Identity Authentication Service . . . . . . . . . . . . . . . . . . . . . . . . .38
Configuring Identity Provisioning Tenant. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
9 Maintaining Cloud Connector for On-Premise Scenario. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
9.1 Install the SAP Cloud Platform Connector. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
9.2 Maintain the SAP Cloud Platform Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
9.3 Maintain Destinations for SAP Cloud Platform Connector. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
10 Additional Services for Access Request Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
10.1 Setting Up SAP Cloud Platform Workflow Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Required Roles for SAP Cloud Platform Workflow Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Delivered Workflow Templates (read only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Setting Up Business Rules for Workflow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
11 Integration Scenarios. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
11.1 SAP SuccessFactors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
SAP Cloud Identity Access Governance Admin Guide
2 PUBLIC Content
Create Destinations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Add SuccessFactors System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62
Sync User Data and Provision Access Requests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
11.2 HR Driven Identity Lifecycle Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Process Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Prerequisites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Set Up Destinations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Add SuccessFactors System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65
Set Up Business Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Synchronize Data Repository and Trigger Access Requests. . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
11.3 SAP ABAP (on-premise). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Prerequisites and Technical Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Maintaining Cloud Connector for On-Premise Scenario. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Schedule Provisioning Background Jobs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
11.4 SAP Ariba. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Process Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Create Destinations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Add Ariba Instance to Access Request Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Sync User Data and Provision Access Requests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
11.5 SAP Fieldglass. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Process Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Create Destinations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Add Fieldglass System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Sync User Data and Provision Access Requests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .91
11.6 SAP S/4HANA Cloud. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Configuration on SAP S/4HANA Cloud Tenant. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
11.7 SAP S/4HANA (on-premise). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Process Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Install Cloud Connector and Set Destinations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Sync User Data and Provision Requests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Add S/4HANA Instance to Access Request Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
11.8 Microsoft Azure Platform. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Process Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Create Proxy System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .115
Add Azure Instance to Access Request Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Create Destinations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Sync User Data and Provision Requests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
11.9 SAP Marketing Cloud. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Process Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Create Destinations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Add Marketing Cloud Instance to Access Request Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . .121
SAP Cloud Identity Access Governance Admin Guide
Content PUBLIC 3
Sync User Data and Provision Access Requests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
User ID Mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .122
11.10 SAP Integrated Business Planning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Process Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Configuration in SAP Integrated Business Planning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Create Destinations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Add Integrated Business Planning Instance to Access Request Systems. . . . . . . . . . . . . . . . . . 131
Sync User Data and Provision Access Requests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
User ID Mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
11.11 SAP Analytics Cloud. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Process Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
11.12 LDAP System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Process Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
11.13 SAP Identity Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Process Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Register OAuth Client for the Identity Provisioning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Create Destinations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Create Proxy System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Add SAP Identity Authentication System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Manage Rule Sets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Sync User Data and Provision Access Requests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
11.14 SAP Cloud Platform. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
SAP Cloud Platform - Cloud Foundry. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
SAP Cloud Platform - NEO. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .155
12 Business Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164
12.1 Set Up Master Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Common Master Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .165
Setting Up Master Data for Access Request Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Setting Up Master Data for the Role Design Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Setting Up Master Data for Access Analysis Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .169
12.2 Configuration App. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Language Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Application Parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Application Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .172
13 Security and Data Protection and Privacy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
14 Further Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .174
15 Support Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
SAP Cloud Identity Access Governance Admin Guide
4 PUBLIC Content
1 Getting Started
The SAP Cloud Identity Access Governance (IAG) solution is built on the SAP Cloud Platform. It uses SAP
NetWeaver APIs to fetch data from on-premise and cloud solutions, and enables you to use the following
services to create access requests, analyze risks, and design roles.
● SAP Cloud Identity Access Governance, access analysis service
● SAP Cloud Identity Access Governance, access request service
● SAP Cloud Identity Access Governance, role design service
● SAP Cloud Identity Access Governance, access certification service
● SAP Cloud Identity Access Governance, privileged access management service
1.1 About This Document
This administration guide describes the steps you need to perform as an administrator to set up and run the
SAP Cloud Identity Access Governance solution. It covers solution-specific information only. For general
information about SAP Cloud Platform, see the documentation on SAP Help Portal at https://
help.sap.com/CP.
This guide addresses the following target audience:
● System administrators
● Key users
For convenience, this guide, and the information therein, is applicable to all the IAG services. Any mention of
IAG in the documentation means the information is relevant for all the IAG services. Information that is
applicable for only a specific service will be called out accordingly.
1.2 Document History
Provides details about the changes made in each version of this document.
Date Comment
2020-11-19 ● Added new features in Privileged Access Management,
Access Request, and Access Analysis
● Updated Privileged Access Management Launchpad for
ABAP
SAP Cloud Identity Access Governance Admin Guide
Getting Started PUBLIC 5
Date Comment
2020-08-28 ● Added new features in Privileged Access Management,
Access Request, and Access Analysis
2020-07-24 ● Added a new service called Privileged Access Manage
ment
● Added a new app for Access Certification
● Updated Integration Scenarios and Security Guide
2020-02-25 ● Added applications for integration scenarios and Ac
cess Request
● Added features for Role Design Inbox
● Updated read/write transformations for SAP S/4HANA
Cloud and SAP Identity Authentication
● Updated the status checks of Access Requests
2019-11-19 ● Integration scenarios and applications for Access Anal
ysis updated
● Added Redesigned Job History Report in Access Analy
sis
● Added Unassociated Access Report in Role Design
2019-08-16 ● Added integration scenarios for SAP Analytics Cloud
and SAP Cloud Foundry
2019-05-20 ● Added information on SAP Marketing Cloud
● Updated information on SAP Integrated Business Plan
ning
2019-02-28 ● Added Quick Start Guides section
● Replaced SCI with IAS due to product name change
● Updated information for SAP Fieldglass integration
● Updated information for SAP Cloud Workflow Service
roles
2018-11-09 ● Added integration procedure for SAP Fieldglass
● Updated integration procedure for SAP Ariba
● Updated User Management [page 19]section to clarify
procedure
● Updated Setting Up User Group Sync [page 38]sec
tion to clarify procedure
2018-08-30 ● Added new SCI Group: IAG_WF_MANAGER
● Updated diagrams for integration scenarios
● Added integration scenario for SAP S/4HANA Cloud
SAP Cloud Identity Access Governance Admin Guide
6 PUBLIC Getting Started
Date Comment
2018-05-11 ● Added Integration Scenarios section.
● Reorganized information structure:
○ Moved user and authentication information from
the configuration guides to the Administrator
Guide under the User Management section.
○ Moved master data information under the Business
Configuration section.
1.3 Terminology and Conventions
Here you can find terms and concepts applicable for the SAP Cloud Identity Access Governance services. Over
time product names may change; you may see different versions of a product name within the same guide.
This topic also lists the conventions and abbreviations used.
● HCP: Abbreviation for HANA Cloud Platform. This usage is obsolete and is replaced by SCP. See SCP.
● IAG: Abbreviation for SAP Cloud Identity Access Governance. Due to the length of the full name of the
solution, for readability within this guide, we use the abbreviation "IAG".
● Identity Authentication: Shortened version of SAP Cloud Platform Identity Authentication. See also SCI.
● IAS: Updated abbreviation for SAP Cloud Platform Identity Authentication service. This is a convention
used within this guide. Due to the length of the full name of the solution, for readability, we use the
abbreviation "IAS".
● SCI: Old abbreviation for SAP Cloud Platform Identity Authentication service. (See IAS).
● SCP: Abbreviation for SAP Cloud Platform. Due to the length of the full name of the product, for readability
within this guide, we use the convention "SCP"
SAP Cloud Identity Access Governance Admin Guide
Getting Started PUBLIC 7
2 Quick-Start Guides
Scenario-based integration and configuration guides.
The following guides are provided for your convenience. Each guide provides an overview and also detailed
steps for enabling IAG services and integrating with specific target applications.
Note
These guides are to be used in conjunction with the admin guide; they do not replace the complete set of
information in the admin guide.
Scenario Description Guide
SAP Access Control 12.0 (on-premise) Using SAP Cloud Identity Access Gover AC12 to IAG Bridge Integration.pdf
to IAG and Cloud Target Applications nance as a bridge to enable creation of
access requests from SAP Access Con
trol12 (on-premise) to cloud target ap
plications.
SAP Access Analysis Service to Target Configuring SAP Cloud Identity Access IAG Access Analysis_Integration.pdf
Applications Governance, access analysis service to
analyze user access for on-premise and
cloud target applications.
SAP Cloud Identity Access Governance Admin Guide
8 PUBLIC Quick-Start Guides
3 Upgrade Schedule
Maintenance Windows for Cloud services, SAP Cloud Platform (SCP), and SAP IdentityAccess Governance
(IAG) are listed below.
Maintenance Window for Cloud Services
Maintenance Window for Cloud Services Duration
SAP Asset Manager Zero Downtime
SAP Browse Manager and Conversion Manager
SAP Cloud Platform
SAP Cloud Platform Credential Stores
SAP Connected Parking
SAP Customer Identity, B2B add-on, SAP Customer Con
sent, SAP Customer Profile
SAP Enterprising Messaging
SAP Exchange Media
SAP Fiori Cloud
SAP Global Track and Trace
SAP Merchandising
SAP TwoGo
SAP Vehicles Network
SAP Work Manager, Cloud Edition
Weekly Maintenance Windows for Cloud Services - Standard Windows
Start time in UTC per region
Region Weekday Time Timezone
MENA FRI 7pm UTC
APJ SAT 3pm UTC
Europe SAT 10pm UTC
Americas SUN 4am UTC
The maintenance windows mentioned above define the maximum scheduled downtime, which certain cloud
services only consume partially.
SAP Cloud Service – Maintenance Window for IAG
SAP Cloud Identity Access Governance Admin Guide
Upgrade Schedule PUBLIC 9
Regular Maintenance Major Upgrades
Start time in UTC per region: Americas SUN 4am Time frame in UTC per region: Americas SAT 1pm – 7pm
Up to once every month Up to four times a year
Duration: 4 hours Duration: 4 hours
SAP Cloud Identity Access Governance Admin Guide
10 PUBLIC Upgrade Schedule
4 Overview
About This Guide
This administration guide describes the steps you need to perform as an administrator to set up and run the
SAP Cloud Identity Access Governance solution. It covers solution-specific information only. For general
information about SAP Cloud Platform, see the documentation on SAP Help Portal at https://
help.sap.com/CP.
This guide addresses the following target audience:
● System administrators
● Key users
About SAP Cloud Identity Access Governance
The SAP Cloud Identity Access Governance (IAG) solution is built on the SAP Cloud Platform. It uses SAP
NetWeaver APIs to fetch data from on-premise and cloud solutions, and enables you to use the following
services to create access requests, analyze risks, and design roles.
● SAP Cloud Identity Access Governance, access analysis service
● SAP Cloud Identity Access Governance, access request service
● SAP Cloud Identity Access Governance, role design service
● SAP Cloud Identity Access Governance, access certification service
● SAP Cloud Identity Access Governance, privileged access management service
For convenience, this guide, and the information therein, is applicable to all the IAG services. Any mention of
IAG in the documentation means the information is relevant for all the IAG services. Information that is
applicable for only a specific service will be called out accordingly.
SAP Cloud Identity Access Governance Admin Guide
Overview PUBLIC 11
5 Onboarding
This guide assumes that the onboarding process has already been completed – this means that the
administrator has already access to the Global Accounts and has administrator authorization. For further
details, refer to the notification email that you received after you set up your Global Account.
For information about the onboarding process, see the SAP Cloud Platform documentation on SAP Help Portal
at https://help.sap.com/CP under Getting Started.
SAP Cloud Identity Access Governance Admin Guide
12 PUBLIC Onboarding
6 Solution Architecture
The diagram below illustrates the architectural components of SAP Cloud Identity Access Governance (IAG)
solution.
IAG is a service on the SAP Cloud Platform, it integrates with other SAP Cloud Platform services, and connects
with cloud and on-premise target applications.
Components
Component Description
Target Applications (on-Premise, cloud) This is the target system containing user data.
IAG API The IAG Services API extracts data from the target applica
tion. The API is part of NetWeaver; make sure your system
has the required NetWeaver Basis Support Packs. The API is
available for on-premise and the SAP HANA Cloud.
SAP Cloud Platform connector The cloud connector sits behind the firewall and establishes
connectivity between the SAP Cloud Platform and the target
system.
SAP Cloud Identity Access Governance Admin Guide
Solution Architecture PUBLIC 13
Component Description
IAG Services IAG services include: Access Analysis service; Access Re
quest service; Role Design service; Access Certification;
Privileged Access Management.
IAG Technical Components IAG components include: Repository, Scheduler, Reporting
and Analytics, Approval Workflow, and Users and Roles
SAP Cloud Platform Identity Authentication service Identity Authentication service is used to authenticate users
before allowing access to the IAG solution and services.
SAP Cloud Platform Workflow service Workflow service is used for automation of access requests
through the various stages of creation and approval.
SAP Cloud Platform Business Rules service Business Rules service enables embedding business deci
sions into the workflow.
SAP Cloud Platform Identity Provisioning service Identity Provisioning service allows provisioning of centrally
managed identities and their access across the enterprise
(on-premsie and cloud).
SAP Cloud Identity Access Governance Admin Guide
14 PUBLIC Solution Architecture
7 Initial Setup
SAP Cloud Identity Access Governance (IAG) 2.0 is available on the Amazon Web Service (AWS) platform.
Note
If you have already implemented or are currently implementing this solution with IAG 1.0 release in the SAP
Cloud Platform (SCP) NEO environment, message the support team by creating a support incident. Select
the component GRC-IAG and add Migration to the subject line so that SAP can contact you and guide you
with the next steps.
Prerequisites
You have access to the following:
● A SAP Cloud Platform (SCP) cockpit/subaccount in the NEO environment where your existing IAG
application is provisioned (only for existing customers who are using IAG 1.0).
● A new SCP Global Account provisioned in the Cloud Foundry environment.
● An instance of the cloud connector if you wish to use on-premise applications or the IAG Bridge scenario.
● An instance of the SAP Identity Authentication Service (IAS).
● An instance of the SAP Identity Provisioning Service (IPS).
Note
If you are an existing customer of the IAG 1.0 release, you can continue to reuse the SAP Identity
Provisioning Service (IPS) that has been provided to you. To obtain an IPS instance, create a support
ticket. To do so, select the component GRC-IAG.
SAP Cloud Identity Access Governance Admin Guide
Initial Setup PUBLIC 15
7.1 Create Subaccount
To migrate to your new environment, proceed as follows:
1. Log into your Global Account and create a new subaccount.
Note
Currently, IAG is available only on the Amazon Web Service (AWS) platform in US East (VA) and Europe
(Frankfurt) regions. Based on your current NEO subaccount region, you need to select one of the
regions to create a subaccount.
2. When creating the subaccount, you must enter a subdomain name.
The subdomain forms the first part of the URL visible in the browser.
1. It must be a unique entity in the data center where your Global Account is hosted.
2. It should connect your tenant ID and to the relevant tenant.
We suggest you use your corporate internet domain and the SAP Cloud Identity Access Governance
service that you plan to subscribe.
Example: Your corporate domain is example.com and you wish to subscribe to the test plan. To do so,
choose com-example-test as the subdomain. If you plan subscribe to other services from other
accounts in the same Global Account, you may also want to include the product in the subdomain
name: com-example-iag-test.
Select Used for production only if you wish to subscribe to the standard plan.
SAP Cloud Identity Access Governance Admin Guide
16 PUBLIC Initial Setup
Note
When you purchase a variant of SAP Cloud Identity Access Governance, you are offered both the
test and standard plans. For these plans, you must create two subaccounts in your Global Account
and subscribe to one plan in one subaccount only. Refer to the example above to choose a unique
naming convention for the subdomains for your two subaccounts.
7.2 Subscribe to SAP Identity Access Governance
After creating your subaccount, you need to subscribe to SAP Identity Access Governance (IAG).
1. Log into your Global Account as an Administrator.
2. Select the subaccount that you have created.
3. Subscribe to the IAG application.
SAP Cloud Identity Access Governance Admin Guide
Initial Setup PUBLIC 17
7.3 Maintain Administrators
After subscribing to the SAP Identity Access Governance (IAG) application, you must maintain security
administrators.
Add security administrators to your subaccount by entering their e-mail addresses instead of the user IDs.
Security administrators can add other security administrators, and manage authentication and authorization
in this subaccount, such as configuring trust to identity providers, and assigning role collections to business
users.
SAP Cloud Identity Access Governance Admin Guide
18 PUBLIC Initial Setup
8 User Management
IAG solution and its services use SAP Cloud Platform Identity Authentication Service (IAS) for user
authentication and to manage access to IAG apps. Security and permissions are maintained in groups and
roles. You control the tasks a user can perform, and the apps they can access, through the appropriate
assignment of group and role combinations to the user.
The assignment of groups and roles to users controls these three security aspects:
● Permission to access and use specific apps
● You can ensure that users can access only those apps relevant for their job function. For example, that only
administrators can access admin apps.
● Permission to perform administrative tasks
Within the framework of access governance, tasks have different levels of risk and sensitivity. You can
ensure that users can only perform administrative tasks in line with their job function. For example, only
users assigned to the Control Owners group can approve new or updated mitigation controls.
● Permission to use specific services
The IAG solution integrates with other SAP services, such as SAP Business Rules. And these services
require users have specific roles to use them.
SAP Cloud Identity Access Governance Admin Guide
User Management PUBLIC 19
8.1 Setting Up User Authentication and Access
The process to configure authentication and access requires you to perform configuration tasks on both the
SAP Cloud Platform tenant (SCP-IAG tenant) and the Identity Authentication service (IAS).
● Maintain users in IAS.
● Pre-delivered role collections in SCP-IAG tenant.
1. Maintain Users and User Groups in IAS [page 20]
2. Pre-Delivered Role Collections in SCP-IAG Tenant [page 22]
3. Map SCP-IAG Role Collections and IAS Group [page 32]
4. Syncing User Groups from SAP Identity Authentication Service [page 38]
5. Configuring Identity Provisioning Tenant [page 40]
8.1.1 Maintain Users and User Groups in IAS
In the IAS, tenant administrators can manage user accounts and groups.
Activity Description Procedure
Create User Create users via the Add user option in Create a New User
the administration console.
Create User Groups Create new user groups via User Create a New User Group
Groups option in the administration
console.
Note
It is mandatory to follow the User
Group Naming Guidelines and cre
ate the Required Groups provided
below.
Assign Groups to User Assign groups to a user via the adminis Assign Groups to a User
tration console for Identity Authentica
tion.
User Group Naming Guidelines
When you create these groups, you must follow this naming convention: IAG_<TYPE>_<NAME>.
In this string, the <TYPE> must be one of the delivered types shown in the table below. The <NAME> can be of
your choosing, though we recommend choosing a name that is clear and concise.
Example: IAG_WF_ADMIN
SAP Cloud Identity Access Governance Admin Guide
20 PUBLIC User Management
Group Types
Group Type Name Description
CM Control Monitor Users assigned to this group are availa
ble as control monitors, which can be
assigned during control creation.
CO Control Owner Users assigned to this group are availa
ble as control owners, which can be as
signed during control creation.
WF Workflow Assign users to this group to enable
participation in the workflow service.
RO Role Owner Users assigned to this group are availa
ble as role owners, which can be as
signed during access request.
CADM Candidate Business Role Adminstrator Users assigned to this group have ac
cess to the Candidate Business Role
Adminstration app and carry out ad
ministrative tasks.
RCA Business Role Content Approver Users can modify and approve business
roles. Users assigned to this group are
included in the dropdown list of
Business Role Content Approvers.
RAA Business Role Assignment Approver Users can approve business role as
signments. Users assigned to this
group are included in the dropdown list
of Assignment Approvers.
USER IAG Application Users Assign this group by default to all IAG
application users.
Required Groups
The following groups are required for using IAG services. Make sure you create them with the names listed
below with the same case. The name is case-sensitive.
Service Name Description
Access Request Service IAG_WF_ADMIN In the access request process, requests
go through a security stage. Users as
signed to this group are available to re
ceive and work on access requests in
this stage.
IAG_WF_DEFAULT When managers and approvers are not
available in the system, the task of re
viewing and approving a request goes
to the users assigned to this group
In the IAS tenant, create the groups as described below, and then assign the relevant users to them. These are
suggested groupings and names. In your own implementation, you can create groups that suit your needs.
As you will map these groups with the SCP groups, to make it easier to track, we recommend you use the same
group names in both IAS and SCP.
SAP Cloud Identity Access Governance Admin Guide
User Management PUBLIC 21
Note
You can create users in IAS or make them available on a connected LDAP server.
Note
To connect to LDAP and other services for app user, you must configure this in IAS. For more information,
see SAP Cloud Platform Identity Authentication Service.
Parent topic: Setting Up User Authentication and Access [page 20]
Next: Pre-Delivered Role Collections in SCP-IAG Tenant [page 22]
8.1.2 Pre-Delivered Role Collections in SCP-IAG Tenant
In the SCP-IAG tenant, the administrator can view the pre-delivered role collections. Refer to the tables below
for the role collections.
Note
If you are subscribing to the SAP Cloud Identity Access Governance, integration edition, refer to SAP IAG
integration edition
Role Collections for all Business Users
Associated Roles for the Role Collec
Assign this Role Collection tion To perform these tasks
CIAG_Display Destination Certificate Viewer This is the default role collections for all
business users.
Destination Configuration Viewer
Destination Subaccount Trust Viewer
Destination Viewer
EXTERNAL_PORTAL_USER
IAGDisplay_Admin
sap_scheduler_configuration_template
sap_scheduler_viewer_template
Token_Exchange_Admin
Role Collections and Associated Roles for the Access Request Service
Associated Roles for the Role Collec
Assign this Role Collection tion To perform these tasks
CIAG_Access _Request IAG_Access_RequestAccess_Request ● Create access requests
SAP Cloud Identity Access Governance Admin Guide
22 PUBLIC User Management
Associated Roles for the Role Collec
Assign this Role Collection tion To perform these tasks
RuleRepositorySuperUser ● View status of request
● Cancel request
RuleRuntimeSuperUser
● For approvers:
○ review and approve or reject
WorkflowParticipant
access requests
○ remediate risks
● View audit logs
CIAG_Access_ Request_Admin IAG_Access_Request_AdminAc ● Setting up connections between
cess_Request the service to the target systems
● Setting up recurring jobs for the
IAG_Access_Request_AdminAdminis service
tration
● Setting up master data in the apps
IAG_Access_Request_AdminReports ● Setting up workflow service
● Setting up business rule service
iag_access_request_priority
● Setting up identity provisioning
iag_authorization_policy service
● Set IAG configurations, such as UI
iag_business_processes language
iag_configuration
iag_custom_field_groups
iag_custom_fields
iag_field_mapping
iag_maint_user_data
iag_notif_upload
iag_reason_code
RuleRepositorySuperUser
RuleRuntimeSuperUser
WorkflowAdmin
WorkflowDeveloper
CIAG_Access_ Request_ Others IAG_Access_Request_Others Ac
cess_Request_for_others
SAP Cloud Identity Access Governance Admin Guide
User Management PUBLIC 23
Role Collections and Associated Roles for the Role Design Service
Associated Roles for the Role Collec
Assign this Role Collection tion To perform these tasks
CIAG_Role_Designer IAG_Role_DesignerAdministration ● Business roles: create and main
tain
IAG_Role_DesignerReports ● Candidate business roles: create,
review, and approve
IAG_Role_DesignerRole_designer
CIAG_Role_Designer_Admin iag_authorization_policy ● Setting up connections between
the service to the target systems
iag_business_processes
● Setting up recurring jobs for the
iag_configuration service
● Setting up master data in the app
iag_departments ● Set IAG configurations, such as UI
language
iag_projects
● View the Role Design Audit Log
IAG_Role_Designer_AdminAdministra
tion
IAG_Role_Designer_AdminReports
IAG_Role_Designer_AdminRole_de
signer
Role Collections and Associated Roles for the Access Analysis Service
Associated Roles for the Role Collec
Assign this Role Collection tion To perform these tasks
CIAG_Access_Analysis IAG_Access_AnalysisAccess_Analysis ● Analyzing access risks
● Remediating access risks
IAG_Access_AnalysisAdministration
● Refining access
● Mitigating risks
IAG_Access_AnalysisReports
● Auditing access compliance
RuleRuntimeSuperUser
CIAG_Access_Analysis_Admin IAG_Access_Analysis_AdminAc ● Setting up connections between
cess_Analysis the service to the target systems
● Setting up recurring jobs for the
IAG_Access_Analysis_AdminAdminis service
tration
● Setting up master data in the apps
IAG_Access_Analysis_AdminReports ● Set IAG configurations, such as UI
language
iag_authorization_policy
iag_business_processes
SAP Cloud Identity Access Governance Admin Guide
24 PUBLIC User Management
Associated Roles for the Role Collec
Assign this Role Collection tion To perform these tasks
iag_configuration
iag_functions
iag_mitigaton_control_master_data
iag_risk
iag_risk_level
iag_risk_score_policy
iag_test_plans
RuleRepositorySuperUser
RuleRuntimeSuperUser
SAP Cloud Identity Access Governance Admin Guide
User Management PUBLIC 25
Role Collections for the IAG Configuration Admin
Associated Roles for the Role Collec
Assign this Role Collection tion To perform these tasks
CIAG_Configuration_Admin ag_access_request_priority This role collection enables Business
Users to configure in IAG.
iag_authorization_policy
iag_business_processes
iag_configuration
IAG_Configuration_AdminAdministra-
tion
iag_custom_field_groups
iag_custom_fields
iag_field_mapping
iag_functions
iag_maint_user_data
iag_mitigaton_control_master_data
iag_notif_upload
iag_projects
iag_reason_code
iag_risk
iag_risk_level
iag_risk_score_policy
iag_test_plans
RuleRepositorySuperUser
RuleRuntimeSuperUser
WorkflowAdmin
WorkflowDeveloper
WorkflowParticipant
SAP Cloud Identity Access Governance Admin Guide
26 PUBLIC User Management
Role Collections for the IAG Super Admin
Associated Roles for the Role Collec
Assign this Role Collection tion To perform these tasks
CIAG_Super_Admin IAG_Access_Analysis_AdminAc This role collection is for Super Admin
who needs to configure and access all
cess_Analysis
the services.
IAG_Access_Analysis_AdminAdminis
tration
IAG_Access_Analysis_AdminReports
IAG_Access_AnalysisAccess_Analysis
IAG_Access_AnalysisAdministration
IAG_Access_AnalysisReports
IAG_Access_Request_AdminAc
cess_Request
IAG_Access_Request_AdminAdminis
tration
iag_access_request_priority
IAG_Access_RequestAccess_Request
IAG_Access_RequestAdministration
iag_authorization_policy
iag_business_processes
iag_configuration
iag_custom_field_groups
iag_custom_fields
iag_departments
iag_field_mapping
iag_functions
iag_maint_user_data
iag_mitigaton_control_master_data
iag_notif_upload
IAG_Privileged_AccessAdministration
IAG_Privileged_AccessPrivileged_Ac
cess_Management
IAG_Privileged_AccessPrivilegedRoles
IAG_Privileged_AccessReports
iag_projects
iag_reason_code
SAP Cloud Identity Access Governance Admin Guide
User Management PUBLIC 27
Associated Roles for the Role Collec
Assign this Role Collection tion To perform these tasks
iag_risk
iag_risk_level
iag_risk_score_policy
IAG_Role_Designer_AdminAdministra
tion
IAG_Role_Designer_AdminReports
IAG_Role_Designer_AdminRole_de
signer
IAG_Role_DesignerAdministration
IAG_Role_DesignerReports
IAG_Role_DesignerRole_designer
iag_test_plans
RuleRepositorySuperUser
RuleRuntimeSuperUser
WorkflowAdmin
WorkflowDeveloper
WorkflowParticipant
Role Collections for the IAG Privileged Access Admin
Associated Roles for the Role Collec
Assign this Role Collection tion To perform these tasks
CIAG_Privileged_Access iag_configuration This role collection is for privileged ac
cess management activities.
IAG_Privileged_AccessAdministration
IAG_Privileged_AccessPrivileged_Ac
cess_Management
IAG_Privileged_AccessPrivilegedRoles
IAG_Privileged_AccessReports
iag_reason_code
Role Collections for the IAG Access Certification
Associated Roles for the Role Collec
Assign this Role Collection tion To perform these tasks
CIAG_Access_Certification_Admin IAGAccessCertificationAdmin 1. Create and edit campaign
2. View logs
WorkflowParticipant
3. Manage/coordinate campaign ac
tivities (escalate, ...)
SAP Cloud Identity Access Governance Admin Guide
28 PUBLIC User Management
Associated Roles for the Role Collec
Assign this Role Collection tion To perform these tasks
CIAG_Access_Certification_Coordina- IAGAccessCertificationCoordinator 1. Manage/coordinate campaign ac
tor tivities (escalate, ...)
WorkflowParticipant 2. View logs
CIAG_Access_Certification_Reviewer IAGAccessCertificationReviewer Review and approve or reject access
item (Role Owner, Manager, Security)
WorkflowParticipant
In the SCP-IAG tenant, the administrator can assign the role collections. For more information, refer to Assign
Role Collections.
Note
If you wish to customize your role collections, you have the option of creating and assigning them manually.
If you need a list of roles belonging to role collections for workflow management and business rules, refer to
the following links SAP Cloud Platform Workflow Management - Authorization Configuration
SAP Cloud Platform Business Rules in the Cloud Foundry Environment - Authorization Configuration
Parent topic: Setting Up User Authentication and Access [page 20]
Previous: Maintain Users and User Groups in IAS [page 20]
Next: Map SCP-IAG Role Collections and IAS Group [page 32]
8.1.2.1 SAP IAG integration edition
SAP Cloud Identity Access Governance, integration edition uses six role collections and associated roles that
are listed below.
SAP Cloud Identity Access Governance Admin Guide
User Management PUBLIC 29
Role Collections for all Business Users
Associated Roles for the Role Collec
Assign this Role Collection tion To perform these tasks
CIAG_INT_Display Destination Certificate Viewer This is the default role collection for all
business users.
Destination Configuration Viewer
Destination Subaccount Trust Viewer
Destination Viewer
EXTERNAL_PORTAL_USER
IAGDisplay_Admin
sap_scheduler_configuration_template
sap_scheduler_viewer_template
Token_Exchange_Admin
ü+zt
Role Collections and Associated Roles for the Access Analysis Service
Associated Roles for the Role Collec
Assign this Role Collection tion To perform these tasks
CIAG_INT_Access_Analysis IAG_Access_AnalysisAccess_Analysis ● Analyzing access risks
● Remediating access risks
IAG_Access_AnalysisAdministration
● Refining access
IAG_Access_AnalysisReports
● Mitigating risks
● Auditing access compliance
SAP Cloud Identity Access Governance Admin Guide
30 PUBLIC User Management
Associated Roles for the Role Collec
Assign this Role Collection tion To perform these tasks
CIAG_INT_Access_Analysis_Admin IAG_Access_Analysis_AdminAc ● Setting up connections between
cess_Analysis the service to the target systems
● Setting up recurring jobs for the
IAG_Access_Analysis_AdminAdminis
service
tration
● Setting up master data in the apps
IAG_Access_Analysis_AdminReports
● Set IAG configurations, such as UI
iag_authorization_policy language
iag_business_processes
iag_configuration
iag_functions
IAG_INTG_Role_Designer
iag_maint_user_data
iag_mitigaton_control_master_data
iag_risk
iag_risk_level
iag_risk_score_policy
iag_test_plans
Role Collections for the IAG Configuration Admin
Associated Roles for the Role Collec
Assign this Role Collection tion To perform these tasks
CIAG_INT_Configuration_Admin iag_authorization_policy This role collection enables business
users to configure in IAG.
iag_business_processes
iag_configuration
IAG_Configuration_AdminAdministra-
tion
iag_functions
iag_maint_user_data
iag_mitigaton_control_master_data
iag_risk
iag_risk_level
iag_risk_score_policy
iag_test_plans
SAP Cloud Identity Access Governance Admin Guide
User Management PUBLIC 31
Role Collections for the IAG Role Management
Associated Roles for the Role Collec
Assign this Role Collection tion To perform these tasks
CIAG_INT_Role_MGMT IAG_Role_DesignerAdministration IAG Role Management
IAG_Role_DesignerReports
Role Collections for the IAG Super Admin
Associated Roles for the Role Collec
Assign this Role Collection tion To perform these tasks
CIAG_INT_Super_Admin IAG_Access_Analysis_AdminAc This role collection is for Super Admin
who needs to configure and access all
cess_Analysis
the services.
IAG_Access_Analysis_AdminAdminis
tration
IAG_Access_Analysis_AdminReports
IAG_Access_AnalysisAccess_Analysis
IAG_Access_AnalysisAdministration
IAG_Access_AnalysisReports
iag_authorization_policy
iag_business_processes
iag_configuration
iag_departments
iag_functions
IAG_INTG_Role_Designer
iag_maint_user_data
iag_mitigaton_control_master_data
iag_risk
iag_risk_level
iag_risk_score_policy
IAG_Role_Designer_AdminReports
IAG_Role_DesignerReports
iag_test_plans
8.1.3 Map SCP-IAG Role Collections and IAS Group
To map the SCP-IAG Role Collections to your IAS tenant, you must do the following:
SAP Cloud Identity Access Governance Admin Guide
32 PUBLIC User Management
● Set IAS as a trusted identity provider.
● Set up assertion-based groups and attributes mapping.
Parent topic: Setting Up User Authentication and Access [page 20]
Previous: Pre-Delivered Role Collections in SCP-IAG Tenant [page 22]
Next: Syncing User Groups from SAP Identity Authentication Service [page 38]
8.1.3.1 Set Up Trusted Identity Provider
IAG services use SAP Cloud Platform Identity Authentication Service (IAS) to provide user identity
authentication.
To enable IAS as your identity provider, you must set up a trust relationship between your IAS tenant and your
SAP Cloud Platform (SCP-IAG) tenant. This is done via the exchange of metadata files.
8.1.3.1.1 Generate and Download SCP Metadata File
1. Log into the SAP Cloud Platform Cockpit as administrator, and go to your tenant account.
2. Navigate to Security Trust Configuration .
3. Select SAML Metadata to download the metadata file.
Make sure to download the metadata file to a directory that is accessible by the SAP Cloud Platform
Identity Authentication Service (IAS) tenant.
SAP Cloud Identity Access Governance Admin Guide
User Management PUBLIC 33
For more information on Identity Authentication Service and SAP Cloud Platform trust configuration, see SAP
Cloud Identity Authentication Service.
8.1.3.1.2 Create Custom IAS Application and Upload SCP
Metadata File
On the SAP Cloud Platform Identity Authentication Service (IAS) Identity Authentication Cockpit, create a
custom application for IAG services, which will be used to establish the trust relationship with the SAP Cloud
Platform tenant.
1. On the IAS Identity Authentication Cockpit, navigate to Applications & Resources > Applications.
2. Add a custom application and save.
3. Upload the metadata from the SAP Cloud Platform tenant.
1. From the Custom Applications list, select your new custom application, and then select SAML 2.0
Configuration.
2. In the Metadata File field, browse to the location of the SCP metata file.
3. Upload the file and then save.
8.1.3.1.3 Download IAS Metadata File
1. In the SAP Cloud Platform Identity Authentication Service (IAS) tenant, navigate to Applications &
Resources Tenant Setting, and open SAML 2.0 Configuration.
2. Select Download Metadata File.
Note
Make sure you save the metadata file in a directory that is accessible for upload to the the SCP tenant.
3. Save.
For more information on Identity Authentication Service and SAP Cloud Platform trust configuration, see
SAP Cloud Identity Authentication Service.
8.1.3.1.4 Upload IAS Metadata File to SCP Tenant
1. On the SAP Cloud Platform Cockpit, navigate to Security Trust Configuration .
2. Select the new Trust Configuration.
3. In the Metadata File field, browse to the SAP Cloud Platform Identity Authentication Service (IAS)
metadafile, and upload it.
4. In the Name field enter a suitable name to identify your IAS tenant.
5. In the field Description, enter the description (optional).
SAP Cloud Identity Access Governance Admin Guide
34 PUBLIC User Management
6. Choose Parse. You should see the message Metadata parsed successfully.
7. Save.
8.1.3.2 Set Up Assertion-based IAS Groups and Role
Collection Mapping
Add Assertion Attributes
1. Log in to the Identity Authentication tenant and navigate to Applications & Resources Applications .
2. Under Custom Applications, select your custom application. (This is the application you created as part of
the procedure for setting up a trust relationship between the SAP Cloud Platform Identity Authentication
Service (SCI) tenant and the SCP tenant.)
3. Click Assertion Attributes and create the following attributes:
User Attribute Assertion Attribute
Groups Groups
(Ensure that the letter G is in upper case.)
First Name first_name
Last Name last_name
E-mail mail
4. Save.
Add Assertion-based IAS Groups and Attributes Mapping
1. Add assertion-based Groups.
1. Logon to the SAP Cloud Platform tenant, and navigate to Security > Trust Configuration > Name.
2. Select the name of the relevant identity provider (the IAS that you have already configured). For more
information, refer to Set Up Trusted Identity Provider [page 33]
3. Choose New Role Collection Mapping to create the mapping rules for the role collection mapping listed
below.
SAP Cloud Identity Access Governance Admin Guide
User Management PUBLIC 35
Role Collection Mapping to IAS Groups
Pre-delivered Role Collec Value - Equals to this IAS
tion Attribute Operator Group
CIAG_Access_ Analysis Groups equals IAG_Access_Analysis
CIAG_Access_ Analy Groups equals IAG_Access_Analysis_Ad
sis_Admin min
CIAG_Role_ Designer Groups equals IAG_Role_Designer
CIAG_Role_ Designer _Ad Groups equals IAG_Role_Designer_Admin
min
4. Save.
8.1.3.3 Maintaining Access to Tasks
Within the framework of access governance, tasks have different levels of risk and sensitivity. You use IAS tools
to ensure that only designated users can perform administrative tasks. For example, only users designated as
business role approvers can approve new business roles.
There are three steps in this procedure:
1. In the IAS tenant, create your groups according to the guidelines below.
2. Assign the appropriate users to the relevant groups.
3. Sync the user-group assignments.
In the IAG Fiori Launchpad, open the Job Scheduler app, and run Sync User Groups from IAS job.
For more information about creating user groups and assigning users, see the For More Information section
below.
For group naming conventions and assigning users to groups, refer to the Group Naming Guidelines section
mentioned in Maintain Users and User Groups in IAS [page 20].
Required Groups
The following groups are required. The IAG services look for these specific groups. Make sure you create them
with the names listed below with the same case. The name is case sensitive.
SAP Cloud Identity Access Governance Admin Guide
36 PUBLIC User Management
Users Assigned to the Group Can Per
Service Create these Groups form These Tasks
Access Request Service IAG_WF_MANAGER In the Create Access Request app there
is the Manager field. You assign users to
the IAG_WF_MANAGER group to make
them available for selection in this field.
Managers are responsible for approving
access requests.
Note
If a user's manager is explicitly as
signed in IAS, then the manager is
displayed in this field and is read-
only.
IAG_WF_ADMIN In the access request process, requests
go through a security stage. Users as
signed to this group are available to re
ceive and work on access requests in
this stage.
IAG_WF_DEFAULT When managers and approvers are not
available in the system, the task of re
viewing and approving a requests goes
to users assigned to this group.
Role Design Service IAG_WF_CBRRefine Users assigned to this group can refine
the proposed candidate business roles.
IAG_WF_CBRActivate Users assigned to this group can acti
vate candidate business roles.
IAG_WF_CBRReconcile Users assigned to this group can per
form tasks in the reconciliation stage of
CBR, such as provisioning and deprovi
sioning user role assignments.
Access Certification IAG_WF_ADMIN Users assigned to this group can re
ceive and work on access certification
review items in the security stage.
IAG_WF_DEFAULT When managers or role owners are not
available, the task of reviewing a user’s
access is forwarded to members of this
group.
IAG_CPG_ADMIN Users assigned to this group are able to
create and edit campaigns.
IAG_CPG_REVIEWER Users assigned to this group can be se
lected by the campaign coordinator
during the reassignment of review
items on the manage campaign page.
IAG_CPG_CO Users assigned to this group can coor
dinate campaign activities, for example,
reassign items or remind reviewers.
SAP Cloud Identity Access Governance Admin Guide
User Management PUBLIC 37
For More Information:
SAP Cloud Platform Identity Authentication Service - User Management
SAP Cloud Platform Identity Authentication Service - User Groups
SAP Cloud Platform Identity Authentication Service - Assign Groups to Users
8.1.4 Syncing User Groups from SAP Identity Authentication
Service
To ensure user groups information is synchronized between the SAP Identity Authentication Service (IAS) and
SAP Cloud Platform (SCP-IAG tenant) tenants, you must maintain the required system in IAS and the
destination in the SCP-IAG tenant and then run the SCI User Group Sync job in the Job Scheduler app.
Step 1: Set Up IAG Sync System as Administrator in the IAS tenant
1. Login to the IAS tenant.
2. Choose Administrators tile.
3. Press the +Add button on the left-hand panel to add a new administrator to the list.
4. Choose Add System.
5. Enter the name of the system under Name as IAG Sync.
Caution
Choose the name carefully for your system as administrator. Once created, the name cannot be
changed.
6. To be a tenant administrator, a user must be assigned to Manage Users and Manage Groups from the
following roles.
Administrator Roles
Authorization Description
Manage Applications This role gives the tenant administrator permission to
configure the applications via the administration console.
Manage Corporate Identity Providers This role gives the tenant administrator permission to
configure the identity providers via the administration
console.
Manage Users This role gives the tenant administrator permission to
manage, import and export users via the administration
console.
SAP Cloud Identity Access Governance Admin Guide
38 PUBLIC User Management
Authorization Description
Manage Groups This role gives the tenant administrator permission to cre
ate, edit and delete user groups via the administration
console.
Manage Tenant Configuration This role gives the tenant administrator permission to
manage tenant configuration and authorization assign
ments to users.
All administrator roles are assigned by default.
7. In the Configure Authorizations section, assign the Manage Users and Manage Groups option to ON, and
Save.
8. Select the IAG Sync system and click Set Password.
9. Enter a password and save (the app automatically generates a user ID.).
Note
Make a note of the user ID and password. You will use them in the next step.
Step 2: Update SCIUserGroup destination in the SCP-IAG Tenant
1. In the SCP-IAG tenant, go to the Subaccounts dropdown menu and choose your subaccount.
2. Choose Connectivity Destinations in the navigation panel.
3. Search and Select SCIUserGroup destination and click the pencil icon to edit it.
4. In the URL field, update the SCI_TENANT_ID text with IAS Tenant ID.
Ex: https://SCI_TENANT_ID.accounts.ondemand.com/service/scim/Users
5. In the User and Password fields, enter the user ID and password of IAG Sync system from IAS tenant
(configured under Users & Authorizations → Administrators), and save.
Step 3: Run SCI User Group Sync Job
1. Login the IAG launchpad and open the Job Scheduler app.
2. In the Job Name field, enter Job Name.
3. In the Job Category field, select SCI User Group Sync from the dropdown list.
4. In the Recurring Job field, select No.
5. In the Start Immediately field, select Yes.
6. Enter information in all required fields and choose Schedule Job. The job status and log can be checked in
the Job History app.
Note
To schedule a Recurring Job, refer to 2859618 for recommendation on the frequency of the jobs.
SAP Cloud Identity Access Governance Admin Guide
User Management PUBLIC 39
Parent topic: Setting Up User Authentication and Access [page 20]
Previous: Map SCP-IAG Role Collections and IAS Group [page 32]
Next: Configuring Identity Provisioning Tenant [page 40]
8.1.5 Configuring Identity Provisioning Tenant
The IAG solution integrates with other SAP services, such as SAP Identity Provisioning Service. These services
require users to have specific roles to use them.
Procedure
1. To enable the Identity Provisioning Service, do as follows:
1. Log on to the Neo IPS Tenant.
2. Go to Services and choose Enable Identity Provisioning.
3. Launch Identity Provisioning and choose Configure Service.
4. Choose Roles and Assign IPS_ADMIN to USER ID.
2. To configure OAuth for IPS service, carry out the following steps
1. Log on to the Neo IPS Tenant and navigate to Security.
2. Go to OAuth, choose Clients.
3. Choose Register New Client in the Clients table and create the Client by adding the parameters and values
listed below:
Parameter Value
Name IPSPROXY
Description Any
Subscription From the dropdowm menu, select XXXXX-Tenant id /
ipsproxy
ID Generated ID or any ID
Authorization Grant Client credentials
Confidential Select the checkbox
Secret Maintain the password for the ID
SAP Cloud Identity Access Governance Admin Guide
40 PUBLIC User Management
Parameter Value
Token Lifetime Leave it blank and select days
For more information, see SAP Cloud Platform Identity Provisioning Service - Access the Identity Provisioning
Service
Parent topic: Setting Up User Authentication and Access [page 20]
Previous: Syncing User Groups from SAP Identity Authentication Service [page 38]
SAP Cloud Identity Access Governance Admin Guide
User Management PUBLIC 41
9 Maintaining Cloud Connector for On-
Premise Scenario
SAP Cloud Connector serves as the link between on-demand applications in SAP Cloud Platform and existing
on premise systems.
The cloud Connector runs as an on-premise agent in a secured network and acts as a reverse invoke proxy
between the on premise network and SAP Cloud Platform.
For more information, see SAP Cloud Connector.
9.1 Install the SAP Cloud Platform Connector
To Install the cloud connector, view the help documentation for SAP Cloud Platform Cloud Connector, and
follow the instructions for the scenario: Connecting Cloud Applications to On-Premise Systems.
SAP Cloud Identity Access Governance Admin Guide
42 PUBLIC Maintaining Cloud Connector for On-Premise Scenario
Connecting Cloud Applications to On-Premise Systems
9.2 Maintain the SAP Cloud Platform Connector
Pre-requisite: You have already activated your user (Pxxxx) in SAP Cloud Identity and have administrator
access to this account.
Example of Admin SCI URL: https://<CompanyName>.accounts.ondemand.com/admin/
Note
For the following, maintain one SAP Cloud Platform Connector for each target system.
1. Login to your SAP Cloud Platform Connector and create a new account.
Go to Account Dashboard and click Add Account.
2. Enter the following details and save the data:
○ Landscape Host - us2.hana.ondemand.com if your cloud tenant hosted in US data center or
eu1.hana.ondemand.com if it is hosted in Europe data center
○ Account Name: <HCP account name>
○ Display Name: <Company Name>
SAP Cloud Identity Access Governance Admin Guide
Maintaining Cloud Connector for On-Premise Scenario PUBLIC 43
○ Account User: <P USER ID activated in SCI>
○ Password: <Password created for P USER ID in SCI>
3. Select the created Account and click Access Control.
4. Add system mapping for each on-premise target system.
(For SAP ERP system, enter Back-end Type = ABAP System, Protocol = RFC and system
configurations).
5. Select the above system mapping and add function module name as prefix with SIAG.
For more information, see SAP Cloud Platform Connector.
9.3 Maintain Destinations for SAP Cloud Platform
Connector
In the SAP Cloud Platform Cockpit, maintain destinations for each target system to enable communication via
the SAP Cloud Platform Connector.
For on premise systems, make sure to select the Proxy Type OnPremise.
For more information about using the destination service, see the following SAP Cloud Platform
documentation: Configure Destinations from the Cockpit
Note
Only HTTP destinations are relevant for the destination service. For more information, see the following
documentation: Create HTTP Destinations
SAP Cloud Identity Access Governance Admin Guide
44 PUBLIC Maintaining Cloud Connector for On-Premise Scenario
10 Additional Services for Access Request
Service
The access request service integrates with additional SAP Cloud Platform services to utilize workflow
management, provisioning, and business logic. You must configure the following additional services to fully
utilize the access request service:
● SAP Cloud Platform Business Rule Management service to provide decision making and business logic
● SAP Cloud Platform Workflow service to enable the movement of access requests to owners, approvers,
etc. and through stages, such as creation, review, approval, etc.
● SAP Cloud Platform Identity Provisioning service (Identity Provisioning service) to provision access
requests to target systems
10.1 Setting Up SAP Cloud Platform Workflow Service
1. Required Roles for SAP Cloud Platform Workflow Service [page 45]
2. Delivered Workflow Templates (read only) [page 46]
The access request service includes three non-modifiable out-of-the-box workflow templates.
3. Setting Up Business Rules for Workflow [page 48]
10.1.1 Required Roles for SAP Cloud Platform Workflow
Service
The SAP Cloud Platform Workflow service is delivered with three apps that enable you to maintain the
workflow.
To access and use the Workflow Definition and Workflow Instances apps, assign to them the following workflow
roles:
● WorkflowContextViewer (global role)
SAP Cloud Identity Access Governance Admin Guide
Additional Services for Access Request Service PUBLIC 45
● WorkflowContextAdmin:
● WorkflowViewer
To learn more about the required roles and additional available roles, see the SAP Cloud Platform Workflow
Service security guide.
Parent topic: Setting Up SAP Cloud Platform Workflow Service [page 45]
Next: Delivered Workflow Templates (read only) [page 46]
10.1.2 Delivered Workflow Templates (read only)
The access request service includes three non-modifiable out-of-the-box workflow templates.
Note
The information herein is provided for your information only. The SAP operations team configure and
deploy the workflow and notification templates.
Delivered Workflow Templates
Workflow Template (path name) Behavior
Manager - Role Owner - Security Owner The access request goes to the following roles for approval
before it is provisioned:
● manager
● role owner
● security owner
Manager - Security Owner The access request goes to the following roles for approval
before it is provisioned:
● manager
● security owner
Manager Only The access request goes only to the manager for approval
before it is provisioned.
Email Notification Templates
The access request service delivers out-of-the-box notification emails. The notifications are sent for the
following events:
Notification to be Sent on Following Scenarios
Notify Request Created
SAP Cloud Identity Access Governance Admin Guide
46 PUBLIC Additional Services for Access Request Service
Notification to be Sent on Following Scenarios
Notify Approvers
Notify Request Rejected
Notify Provisioned
Parent topic: Setting Up SAP Cloud Platform Workflow Service [page 45]
Previous: Required Roles for SAP Cloud Platform Workflow Service [page 45]
Next: Setting Up Business Rules for Workflow [page 48]
10.1.2.1 Editing or Creating Mail Notification Template
To create a new mail notification template, follow these steps. If you need to change the content of the
delivered mail notificadtion template, you can directly edit the template in Web IDE Full Stack.
1. Open SAP Web IDE Full-Stack.
2. Follow the instructions to create a new workflow project.
3. Follow the Project Name naming convention when creating new workflow project:
○ Project name is the Scenario ID and two-digit ISO language code separated by “_”
○ Project name is NOT case sensitive.
Scenario Scenario ID Example Project Name
Notify Request Created notifyRequestCreated notifyRequestCreated_EN,
notifyRequestCreated_PT
Notify Approvers notifyApprover notifyApprover_EN,
notifyApprover_DE
Notify Request Rejected notifyRequestRejected notifyRequestRejected_EN,
notifyRequestRejected_FR
Notify Provisioned notifyuserprovisioned Notifyuserprovisioned_en,
notifyuserprovisioned_pt
4. Locate the created workflow project, containing a workflow template, under Workflows subfolder.
5. Add Mail Task to the workflow template. Refer to Configure Mail Tasks.
6. In the Mail Task Properties area, choose the Details tab.
7. Enter the following content into the To, CC, and BCC fields:
○ To: ${context.to}
○ CC: ${context.cc}
○ BCC: ${context.bcc}
8. In Subject and Mail Body fields, enter your content.
9. For dynamic content, use the following fields:
○ Request Id: ${context.requestId}
SAP Cloud Identity Access Governance Admin Guide
Additional Services for Access Request Service PUBLIC 47
○ User Full Name: ${context.userName}
For example, a mail subject with Request Id can be entered as follows: Your access request $
{context.requestId} has been successfully submitted.
10. Save your newly created workflow project.
11. To deploy the workflow project, right-click on workflow template and select Deploy Deploy to SAP
Cloud Platform Workflow .
10.1.3 Setting Up Business Rules for Workflow
The access request service integrates with SAP Cloud Platform Business Rules Service. You use the SAP Cloud
Platform Business Rules service to define the stages, path, and other workflow rules used by access request
service to move request items through the stages of an access request.
1. Prerequisite [page 48]
2. Introduction [page 49]
3. Process Overview [page 49]
4. Creating a Project [page 50]
5. Modeling Data Objects [page 51]
6. Modeling a Rule Service [page 54]
7. Modeling Rules [page 55]
8. Defining Rulesets [page 57]
9. Deploying a Rule Service [page 58]
Parent topic: Setting Up SAP Cloud Platform Workflow Service [page 45]
Previous: Delivered Workflow Templates (read only) [page 46]
10.1.3.1 Prerequisite
SAP Cloud Identity Access Goverance offers pre-delivered business rules. To access these rules, create a
support ticket. To do so, select the component GRC-IAG.
If, however, you wish to create or edit your own objects, follow the steps described below:
Procedure
1. Login to the SAP Identity Access Governance launchpad.
2. Open the Configuration app.
3. On the Configuration Type screen, navigate to Business Rule and choose Launch on the bottom right.
4. The Manage Projects screen is displayed as shown in the image below.
SAP Cloud Identity Access Governance Admin Guide
48 PUBLIC Additional Services for Access Request Service
Parent topic: Setting Up Business Rules for Workflow [page 48]
Next: Introduction [page 49]
10.1.3.2 Introduction
SAP Cloud Identity Access Governance, access request service integrates with SAP Cloud Platform Workflow
Service and SAP Cloud Platform Business Rules Service.
You use the SAP Cloud Platform Business Rules service to define the path and other workflow rules used by
access request service to move request items through the stages of an access request.
No configuration is required for the workflow.
Parent topic: Setting Up Business Rules for Workflow [page 48]
Previous: Prerequisite [page 48]
Next: Process Overview [page 49]
10.1.3.2.1 Concepts
SAP Cloud Platform Business Rules uses the following concepts:
● Project: A container that holds business rule entities such as, data objects, rules, rulesets, and rule
services.
● Data objects: It describe the data and serve as data carrier in the context or the result of an expression.
● Rule: It is the technical representation of a simple business rule to be applied to a particular business case.
It defines a business logic that, once evaluated against live data, leads to a decision. A decision table is a
tabular representation of related rules.
● Ruleset: A collection of rules to be processed in a particular business case. It serves as an entry point for
rule processing, and links a rule service to a collection of rules.
● Rule service: An interface or end point that enables an application to invoke a decision logic.
10.1.3.3 Process Overview
SAP Cloud Identity Access Governance Admin Guide
Additional Services for Access Request Service PUBLIC 49
To model and deploy SAP Cloud Platform Business Rules:
1. Create a project
2. Add data objects with attributes that represent your application context.
3. Model rule services to perform operations.
4. Model your business logic using business rules. Define the condition constraints and the results to be
returned for different business logic.
5. Configure the ruleset by grouping the related rules together and assigning them to a rule service.
Parent topic: Setting Up Business Rules for Workflow [page 48]
Previous: Introduction [page 49]
Next: Creating a Project [page 50]
10.1.3.4 Creating a Project
1. Login to your SAP Cloud Platform Cockpit tenant account, navigate to Services > Business Rules, and click
Business Rule Editor.
2. On the Manage Projects screen add the project as follows.
Project Name: IAGWorkflowBusinessRule
Description: IAG Workflow Business Rule
3. Save.
For more information, see SAP Cloud Platform Business Rules - Creating Projects.
Parent topic: Setting Up Business Rules for Workflow [page 48]
Previous: Process Overview [page 49]
Next: Modeling Data Objects [page 51]
SAP Cloud Identity Access Governance Admin Guide
50 PUBLIC Additional Services for Access Request Service
10.1.3.5 Modeling Data Objects
1. On the Manage Projects screen, select the IAGWorkflowBusinessRule project.
2. On the following screen, select the Data Objects tab and create data objects per the table below.
Data Objects
Name Description Type
Request Request Structure
RequestUser Request User Structure
RequestAccess Request Access Structure
WorkflowPath Workflow Path Structure
WorkflowApprover Workflow Approver Structure
Note
For each data object, you must add attributes, associations, and mappings per the respective tables.
For instructions how to navigate the screen, see SAP Cloud Platform Business Rules - Modeling Data Objects.
Parent topic: Setting Up Business Rules for Workflow [page 48]
Previous: Creating a Project [page 50]
Next: Modeling a Rule Service [page 54]
10.1.3.5.1 Data Object: Request
Type: Structure
Attributes
Name Description Business Data Type
createdBy Created By String
workflowstage Workflow Stage String
priority Priority String
requestNumber Request Number String
SAP Cloud Identity Access Governance Admin Guide
Additional Services for Access Request Service PUBLIC 51
Name Description Business Data Type
requestType Request Type String
Associations
Association Map Association Map
Target Data Object pings: Source Attrib pings: Target Attrib
Name Description Name ute ute
RequestedAccess RequestedAccess RequestAccess requestNumber requestNumber
RequestedUser RequestedUser RequestUser requestNumber requestNumber
Mappings
Target Runtime Target Runtime Variant
Java Cloud
10.1.3.5.2 Data Object: RequestUser
Type: Structure
For this data object, there are no Associations.
Attributes
Name Description Business Data Type
managerId Manager ID String
department Department String
requestNumber Request Number String
company Company String
position Position String
location Location String
Mappings
Target Runtime Target Runtime Variant
Java Cloud
SAP Cloud Identity Access Governance Admin Guide
52 PUBLIC Additional Services for Access Request Service
10.1.3.5.3 Data Object: RequestAccess
Type: Structure
For this data object, there are no Associations.
Attributes
Name Description Business Data Type
accessType Access Type String
action Action String
system System String
requestNumber Request Number String
Mappings
Target Runtime Target Runtime Variant
Java Cloud
10.1.3.5.4 Data Object: WorkflowPath
Type: Structure
For this data object, there are no Associations.
Attributes
Name Description Business Data Type
PathName Path Name String
Mappings
Target Runtime Target Runtime Variant
Java Cloud
10.1.3.5.5 Data Object: WorkflowApprover
Type: Structure
For this data object, there are no Associations.
SAP Cloud Identity Access Governance Admin Guide
Additional Services for Access Request Service PUBLIC 53
Attributes
Name Description Business Data Type
ApproverID Approver ID String
Mappings
Target Runtime Target Runtime Variant
Java Cloud
10.1.3.6 Modeling a Rule Service
1. On the Manage Projects screen, select the IAGWorkflowBusinessRule project.
2. On the following screen, select the Rule Services tab and create rule services per the table below.
Rule Services
Name Description
WorkflowApprover Workflow Approver
IAGWorkflowAccessRequestInitiator IAG Workflow Access Request Initiator
Note
For each rule service, you must add Execution Contexts and Target Runtimes per the respective tables
below.
Rule Service: WorkflowApprover
Execution Context
Name Usage
Request Input
RequestUser Input
WorkflowApprover Result
Target Runtimes
Target Runtime Target Runtime Variant
Java Cloud
SAP Cloud Identity Access Governance Admin Guide
54 PUBLIC Additional Services for Access Request Service
Rule Service: IAGWorkflowAccessRequestInitiator
Execution Context
Name Usage
Request Input
RequestUser Input
RequestAccess Input
WorkflowPath Result
Target Runtimes
Target Runtime Target Runtime Variant
Java Cloud
For instructions how to navigate the screen, see SAP Cloud Platform Business Rules - Modeling a Rule Service.
Parent topic: Setting Up Business Rules for Workflow [page 48]
Previous: Modeling Data Objects [page 51]
Next: Modeling Rules [page 55]
10.1.3.7 Modeling Rules
1. On the Manage Projects screen, select the IAGWorkflowBusinessRule project.
2. On the following screen, select the Rules tab and create rules per the table below.
Rules
Name Description Type Hit Policy Result Data Object
RequestTypeRule Request Type Rule Decision Table First Match WorkflowPath
WorkflowApprover Workflow Approver Decision Table First Match WorkflowApprover
3. Click Validate to check whether the rule modeled is valid.
4. To activate the rule, after saving, click Edit > Activate.
Note
For each rule, you must add a Decision Table per the information in the topic: Decision Tables [page 56].
SAP Cloud Identity Access Governance Admin Guide
Additional Services for Access Request Service PUBLIC 55
We recommend you read this more detailed topic for instructions how to create the decision tables and the
Rule Expression Language, see SAP Cloud Platform Business Rules - Modeling Rules.
Parent topic: Setting Up Business Rules for Workflow [page 48]
Previous: Modeling a Rule Service [page 54]
Next: Defining Rulesets [page 57]
10.1.3.7.1 Configuring Workflow Templates
The access request service (beta) is delivered with the following workflow templates. You can use them to
choose which roles are required to approve an access request before it is provisioned.
To select the workflow used by the business rule service:
1. In your project, select the Rules tab, and edit the rule: RequestTypeRule.
2. For the decision table, change the PathName to one of the workflow templates.
Delivered Workflow Templates
Workflow Template (PathName) Behavior
'mangerrolesecuritypath' The access request goes to the following roles for approval
before it is provisioned:
● manager
● role owner
● security owner
'accessrequestmangersecuritywf' The access request goes to the following roles for approval
before it is provisioned:
● manager
● security owner
SECURITY' The access request goes only to the manager for approval
before it is provisioned.
10.1.3.7.2 Decision Tables
For each rule, you must add a Decision Table per the respective tables below.
SAP Cloud Identity Access Governance Admin Guide
56 PUBLIC Additional Services for Access Request Service
Rule: RequestTypeRule
Decision Table
If Then
requestType of the Request is equal to PathName
'CHANGE' 'mangerrolesecuritypath'
Rule: WorkflowApprover
Decision Table
If Then
workflowstage of the Request is equal to ApproverID
'MANAGER' managerID of the RequestedUser of a Request
10.1.3.8 Defining Rulesets
1. On the Manage Projects screen, select the IAGWorkflowBusinessRule project.
2. On the following screen, select the Rulesets tab and create rulesets per the table below.
Rulesets
Name Description Rule Service Rule
ApproverRuleset Approver Rule Set WorkflowApprover WorkflowApprover
PathRulset Path Rule Set IAGWorkflowAccessReques- RequestTypeRule
tInitiator
3. Click Validate to check whether the rule set is valid.
4. To activate the rule set, after saving, click Edit > Activate.
For instructions on navigating the screen and creating the rulesets, see SAP Cloud Platform Business Rules -
Defining Rulesets.
Parent topic: Setting Up Business Rules for Workflow [page 48]
Previous: Modeling Rules [page 55]
Next: Deploying a Rule Service [page 58]
SAP Cloud Identity Access Governance Admin Guide
Additional Services for Access Request Service PUBLIC 57
10.1.3.9 Deploying a Rule Service
1. On the Manage Projects screen, select the IAGWorkflowBusinessRule project.
2. On the following screen, choose the Rule Service tab.
3. Select the following rule services and click Deploy.
○ WorkflowApprover
○ IAGWorkflowAccessRequestInitiator
For more information see, SAP Cloud Platform Business Rules - Deploying a Rule Service.
Parent topic: Setting Up Business Rules for Workflow [page 48]
Previous: Defining Rulesets [page 57]
SAP Cloud Identity Access Governance Admin Guide
58 PUBLIC Additional Services for Access Request Service
11 Integration Scenarios
You can connect the SAP Cloud Identity Access Governance, access request service to the following cloud
products and on-premise systems.
● SAP SuccessFactors [page 60]
● HR Driven Identity Lifecycle Management [page 62]
● SAP ABAP (on-premise) [page 78]
● SAP Ariba [page 85]
● SAP Fieldglass [page 88]
● SAP S/4HANA Cloud [page 91]
● SAP S/4HANA (on-premise) [page 111]
● Microsoft Azure Platform [page 114]
● SAP Marketing Cloud [page 119]
● SAP Integrated Business Planning [page 124]
● SAP Analytics Cloud [page 134]
● SAP Cloud Platform - Cloud Foundry [page 152]
● LDAP System [page 138]
● SAP Identity Authentication [page 142]
● SAP Cloud Platform - NEO [page 155]
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 59
11.1 SAP SuccessFactors
You can configure integration for SAP SuccessFactors with SAP Cloud Identity Access Governance solution and
its services (Access Request, Access Analysis, and Role Design). This enables users to create access requests,
design business roles, and analysis access risks for on-premise and on-cloud applications and systems.
Applications Integration of Applications with SAP SAP Cloud Identity Access Gover
Cloud Identity Access Governance nance
SAP SuccessFactors Services:
SAP ABAP (on-premise) Access Request Service
SAP Ariba Access Analysis Service
SAP Fieldglass Provisioning from SAP Cloud Identity Access Certification
Access Governance to various Appli
cations Role Design
SAP S/4 HANA Cloud
SAP S/4 HANA (on-premise)
SAP Cloud Identity Access Governance Admin Guide
60 PUBLIC Integration Scenarios
Microsoft Azure Platform
11.1.1 Create Destinations
Log into the SCP cockpit and navigate to your tenant. In the left-hand pane click Connectivity
Destinations .
Create the following destinations.
Connection to SuccessFactors Source System [SuccessFactorsEC]
This destination describes the SAP SuccessFactors system where the HR user information is stored, is the
source system
Note
If you are using this as a source system, you must enter the destination names exactly as described.
Otherwise, you can enter any desired name.
SuccessFactorsEC
Enter the following:
Name: SuccessFactorsEC.
Type: HTTP.
Description: <Any Description>.
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 61
URL: Enter the URL for the SuccessFactors system API Service, for example,https://
12preview.sapsf.eu/
Note
2215682
Proxy Type: Internet.
Authentication: BasicAuthentication
User: Enter the authenticated user for SuccessFactors system followed by Company ID such as
<UserID@CompanyID>
Use default JDK truststore checkbox is checked.
For information on how to use the destination service, see: Configure Destinations from the Cockpit
Note
Only HTTP destinations are relevant for the destination service. For information on creating HTTP
connections, see: Create HTTP Destinations
11.1.2 Add SuccessFactors System
Create an instance for SAP SuccessFactors in the Systems app.
1. Log into the SAP Cloud Identity Access Governance launchpad and open the Systems app.
2. Create a system for SAP SuccessFactors. For System Type, select SAP SuccessFactors.
3. In the HCP Destination field, enter the name of the SAP Cloud Platform destination for SAP
SuccessFactors.
4. Save.
11.1.3 Sync User Data and Provision Access Requests
In the access request service launchpad, open the Job Scheduler app, and run the following jobs:
● Repository Sync to synchronize the user data from the SAP SuccessFactors tenant.
In the System Type field, select SAP SuccessFactors.
● Provisioning to synchronize the user data from the SAP SuccessFactors tenant.
11.2 HR Driven Identity Lifecycle Management
You can integrate the SAP Cloud Identity Access Governance solution with your HR systems. This enables
changes in employee status (HR triggers) in the HR system to initiate access requests. The access request
SAP Cloud Identity Access Governance Admin Guide
62 PUBLIC Integration Scenarios
service converts the HR triggers to change requests, which are then provisioned to target applications. The
illustration below shows a high level process flow with SAP SuccessFactors as the HR system.
11.2.1 Process Overview
There are three overall steps to enable HR trigger integration between SAP SuccessFactors and the SAP Cloud
Identity Access Governance solution and its services:
1. In the SAP Cloud Platform, set up one destination to connect to the SAP SuccessFactors tenant.
2. Use the SAP Cloud Platform Business Rules service to define the rules for converting user changes from
SAP SuccessFactors to access requests.
3. Run the Job Scheduler for the HR Trigger job and to sync user data for SAP SuccessFactors.
11.2.2 Prerequisites
You have the following:
● An administrator account for tenant on SAP Cloud Platform (IAS)
● Authenticated user for SuccessFactors system for the Company ID
● SuccessFactors API EmpJob need to have userNav personKeyNav userAccountNav user data
model relation enabled.
● Enter the authenticated user (technical user) for SuccessFactors system followed by Company ID such as
<UserID@CompanyID>. Refer to SAP Note 2937881 .
● An administrator account for target applications. Ex: S/4HANA Cloud
● An administrator account for Identity Provisioning Service (IPS)
● For user authentication in SAP S/4HANA CE target applications, user replication to SAP Identity
Authentication Service (IAS) must be taken into account.
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 63
For configuring related events in SFEC such as the ones listed below, refer to the corresponding links:
Concurrent Employment:
New Hire, Concurrent Hire, Job Change, Termination, Retirement, Rehire. For more information, see:
Configuring Events
Global Assignment:
● Home Assignment: Away from global assignment, Back from global assignment
● Global Assignment: Add global assignment, End global assignment, Obsolete global assignment
For more information, see: Creating Events Reasons for Global Assignments
Contingent Worker:
Start contingent worker, End contingent worker. For more information, see: Configuring ECWK and SCWK for
Contingent Workers
11.2.3 Set Up Destinations
Note
You must enter the destination names exactly as described. If you have already created a destination, then
you do not require a new one. If not, then you must create a destination and use the name specified below.
Connection to SuccessFactors Source System [SuccessFactorsEC]
This destination describes the SAP SuccessFactors system where the HR user information is stored, which is
the source system.
1. In the SCP-IAG tenant, go to the Subaccounts dropdown menu and choose your subaccount.
2. Choose Connectivity Destinations .
3. Choose New Destination and add the parameters and values given below.
Parameter Value
Name SuccessFactorsEC
Type HTTP
Description (Optional) Enter a meaningful description.
URL Enter the URL for the SuccessFactors system API Service
such as <https://apisuccessfactors.com/> For more infor
mation, see 2215682 and/or SAP SuccessFactors HXM
Suite OData API: Reference Guide
Proxy Type Internet
Authentication BasicAuthentication
User Enter the authenticated user (technical user) for Success
Factors system followed by Company ID such as
<UserID@CompanyID>
SAP Cloud Identity Access Governance Admin Guide
64 PUBLIC Integration Scenarios
Parameter Value
Password Enter the password of the authenticated user
4. Select the Use default JDK truststore checkbox.
5. Save your entries.
11.2.4 Add SuccessFactors System
Log into the IAG launchpad and create an instance for SAP SuccessFactors in the Systems app.
Note
You can ignore these steps, if you have already created this instance.
1. Log into IAG launchpad and open the Systems app.
2. Enter Name, Description and select System Type, select SAP SuccessFactors.
3. In the SCP Destination field, enter the name of the SuccessFactors Source System defined in SCP-IAG
tenant Destination. Ex: SuccessFactorsEC.
4. Save.
11.2.5 Set Up Business Rules
You use the SAP Cloud Platform Business Rules service to define the rules and structures for processing user
data from SuccessFactors and creating access requests.
1. In the SCP-IAG tenant, go to the Subaccounts dropdown menu and choose your subaccount.
2. Choose Services Business Rules in the navigation panel.
3. Click Manage Rules Project in Take Action list.
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 65
1. Process Overview [page 66]
2. Define a Project [page 67]
3. Create Data Objects [page 68]
4. Create a Rule Service [page 71]
5. Create Rules [page 71]
6. Deploy the Rule Service [page 76]
11.2.5.1 Process Overview
To model and deploy SAP Cloud Platform Business Rules:
SAP Cloud Identity Access Governance Admin Guide
66 PUBLIC Integration Scenarios
1. Create a project
2. Add data objects with attributes that represent your application context.
3. Model rule services to perform operations.
4. Model your business logic using business rules. Define the condition constraints and the results to be
returned for different business logic.
5. Configure the ruleset by grouping the related rules together and assigning them to a rule service.
Parent topic: Set Up Business Rules [page 65]
Next: Define a Project [page 67]
11.2.5.2 Define a Project
Create a project with the name: IAGSFHRFieldChanges. The project is the overall container for the related
business rules and objects.
Note
Make sure the name is exact.
Activate the project.
Parent topic: Set Up Business Rules [page 65]
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 67
Previous: Process Overview [page 66]
Next: Create Data Objects [page 68]
11.2.5.3 Create Data Objects
Data objects define the input and output structures for the rule.
In the IAGSFHRFieldChanges project, go to the Data Objects tab, and create the following data objects:
● UserHRFields for the input fields. This is the data coming from SuccessFactors.
● Access for the output fields. This is the data for the access requests.
Note
You define the data objects as input or output in the Create Rule Service [page 71] step. Data objects and
attributes are case-sensitive.
Create them as type Structure and set them as Active.
SAP Cloud Identity Access Governance Admin Guide
68 PUBLIC Integration Scenarios
Add Attributes for UserHRFields Data Object
Open the UserHRFields data object and add attributes for the data coming from SuccessFactors.
List of Attributes for UserHRFields Data Object
Name Description Business Data Type
userId User ID String
businessUnit Business Unit String
company Company String
department Department String
division Division String
jobCode Job code String
position Position String
status Status String
event Event String
startDate Start Date String
endDate End Date String
location Location String
costCenter Cost Center String
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 69
Name Description Business Data Type
managerId Manager ID String
Add Attributes for Access Data Object
Open the Access data object and add attributes for the data to be used in creating access requests.
List of Attributes for Access Data Object
Name Description Business Data Type
system Application system String
name Access name String
type Type String
Parent topic: Set Up Business Rules [page 65]
Previous: Define a Project [page 67]
Next: Create a Rule Service [page 71]
SAP Cloud Identity Access Governance Admin Guide
70 PUBLIC Integration Scenarios
11.2.5.4 Create a Rule Service
1. From the IAGSFHRFieldChanges project, click Rule Service, and create the IAGRequestAccessData rule
service.
2. Under the Vocabulary section, add two vocabulary objects. From the dropdown, select the data objects you
defined earlier, and select the Usage.
For the UserHRFields data object, select Input usage.
For the Access data object, select Result usage.
Parent topic: Set Up Business Rules [page 65]
Previous: Create Data Objects [page 68]
Next: Create Rules [page 71]
11.2.5.5 Create Rules
In Rules, you create a decision table based on input and the desired results. You can create multiple rules, as
suits your needs.
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 71
1. From the IAGSRHRFieldChanges project, click Rules, and then create a new rule.
2. Make sure for Type, you select Decision Table, and for Mode you select Advanced.
3. Click Create. The New Rule screen is displayed. At the bottom of the screen click Start building the table in
Settings to start building your decision table.
Building the Decision Table
The decision table is the core of the access request rule. Here you define the conditions and results that take
the user change information from SuccessFactors and convert them into access requests and provisioning
actions.
This is an explanation of how the information on the Decision Table Settings screen relates to the decision table
itself.
● The Condition Expressions are the "If" columns in the decision table. You can enter multiple condition
expressions. They appear as rows.
SAP Cloud Identity Access Governance Admin Guide
72 PUBLIC Integration Scenarios
Note
You cannot enter values for the conditions in the Decision Table Settings screen; you can enter values in
the next step in the decision table itself.
● The Result settings are the "Then" columns in the decision table.
Note
You can enter values for results in the Decision Table Settings screen. You can also edit them in the
decision table itself.
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 73
1. In the Decision Table Settings, configure the conditions to determine the data to pull in.
○ Hit Policy sets the parameters the rule uses when matching results from the conditions.
○ Conditions Expressions is where you define the input data relevant for the request. The attributes in the
dropdown list are pulled from the UserHRFields data object.
○ Result is where you define output values. Click the dropdown list and select the Access data object. You
can use three Access Types:
○ TR - Technical Role
○ BR - Business Role
○ CR - Composite Role
○ GP - Group
○ SYS - Application
Note
The Default Value field are optional and can be left blank.
2. Click Apply. The New Rule screen and the new decision table are displayed.
3. To define the values for decision table, click Add Row.
In the If column, enter the values for the conditions.
Note
These values must match the values from the SuccessFactors tenant, such as (ACE_US), and so on.
SAP Cloud Identity Access Governance Admin Guide
74 PUBLIC Integration Scenarios
The graphic is an example illustrating that for businessUnit ACE_US, create a request for System123.
Note
Ensure the data and fields match the data and fields in the SuccessFactors tenant.
4. Click Save and Activate.
Set Up Rulesets
The final step for setting up a rule is to configure and activate the ruleset. Resets enable you to group multiple
rules in one collection. Even if you have only one rule, you still need to add it to a ruleset and activate it.
1. On the IAGSFHRFieldChanges project page, click Rulesets, and then click the plus sign to add a new
ruleset.
2. On the New Ruleset screen, click the Rule Service dropdown list, and select IAGRequestAccessData.
3. In the Rules section, click the plus sign to select from the rules you defined.
4. Save and activate the ruleset.
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 75
Parent topic: Set Up Business Rules [page 65]
Previous: Create a Rule Service [page 71]
Next: Deploy the Rule Service [page 76]
11.2.5.6 Deploy the Rule Service
1. From the IAGSFHRFieldChanges project, click Rule Service.
2. Select the IAGRequestAccessData rule service and click Deploy.
For more information see, SAP Cloud Platform Business Rules - Deploying a Rule Service.
Parent topic: Set Up Business Rules [page 65]
Previous: Create Rules [page 71]
11.2.6 Synchronize Data Repository and Trigger Access
Requests
Log into the IAG launchpad, open the Job Scheduler app, and run the following jobs:
● Repository Sync to synchronize the user data, permission roles and permission groups from the SAP
SuccessFactors system.
1. In the Job Name field, enter Job Name.
2. In the Job Category field, select Repository Sync.
3. In the Recurring Job field, select No.
4. In the Start Immediately field, select Yes.
5. In the System Type field, select SAP SuccessFactors.
6. In the System field, select System.
7. Choose Schedule Job. The job status and log can be checked in the Job History app.
Note
To schedule a Recurring Job for both the Repository Sync and HR Triggers, refer to the SAP Note
2859618 for recommendation on the frequency of the jobs.
SAP Cloud Identity Access Governance Admin Guide
76 PUBLIC Integration Scenarios
● HR Trigger to create access requests based on changes to employee record in source system, and then
provision to target systems since its last run.
1. In the Job Name field, enter Job Name.
2. In the Job Category field, select HR Triggers.
3. In the Recurring Job field, select No.
4. In the Start Immediately field, select Yes.
5. Click Schedule Job button. The job status and log can be checked in the Job History app.
When an employee in SAP SuccessFactors is terminated or retired, the HR Triggers in SAP Cloud Identity Access
Governance capture the event to deprovision the roles and users in the corresponding systems. HR Triggers are
repeatedly executed to capture the event.
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 77
11.3 SAP ABAP (on-premise)
The information in this section covers the scenario of the SAP Cloud Identity Access Governance solution and
its services connecting to SAP ABAP (on-premise) applications. The following graphic illustrates the solution
fetching data from SAP ABAP target applications that reside behind a firewall, and using SAP Cloud Platform
Identity Authentication for user authentication.
The information in this section describes the procedure for connecting SAP ABAP (on-premise) applications to
the access request service. By connecting to the access request service, it enables SAP ABAP (on-premise)
users to use the self-service access requests, auto-provisioning, and auditable workflows. The graphic below
SAP Cloud Identity Access Governance Admin Guide
78 PUBLIC Integration Scenarios
illustrates this integration.
11.3.1 Prerequisites and Technical Requirements
This document assumes the following prerequisites have been completed:
● You have upgraded the target system to one of the supported NetWeaver versions and support packs.
● You have created the required RFC user.
● Your SAP Cloud Platform and SAP Cloud Platform Identity Authentication Service (SCI) tenant accounts
have been created by SAP, and you have received the respective tenant account information and activation
notification.
11.3.1.1 Required NetWeaver Basis Support Packs
You must have upgraded the target system to one of the supported NetWeaver versions and support packs.
The IAG Services Data Extractor API is included in the following NetWeaver versions and support packs.
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 79
NetWeaver Version Support Pack
NW 700 SP34
NW 701 SP19
NW 702 SP19
NW 710 SP21
NW 711 SP16
NW 730 SP16
NW 731 SP19
NW 740 SP16
NW 750 SP04
NW751 SP02
11.3.1.2 Required RFC User for IAG Services on Target System
An RFC user is needed in the target SAP system to allow communication with IAG services using the SAP Cloud
Platform.
Create an RFC user with the authorization objects and values listed in the table below.
RFC Authorization Objects
Object Description Authorization Fields Value
S_RFC Authorization check for RFC ACTVT 16
Access
RFC_NAME SIAG
BAPT RFC1
SDIF SDIFRUNTIME SDTX
SUSR
SUUS
SU_USER
SYST
SYSU
RFC_TYPE FUGR
SAP Cloud Identity Access Governance Admin Guide
80 PUBLIC Integration Scenarios
Object Description Authorization Fields Value
S_TCODE Authorization check at trans TCD SU01
action start
S_TABU_DIS Table maintenance ACTVT 3
DICBERCLS &NC& SC
SS
ZV&G
ZV&H
ZV&N
S_TOOLS_EX Tools Performance Monitor AUTH S_TOOLS_EX_A
S_GUI Authorization for GUI activi ACTVT S_GUI
ties
S_USER_AGR Authorizations: role check ACTVT *
ACT_GROUP *
S_USER_AUT User Master Maintenance: ACTVT *
Authorizations
AUTH *
OBJECT *
S_USER_GRP User Master Maintenance: ACTVT *
User Group
CLASS *
S_USER_PRO User Master Maintenance ACTVT *
Authorization Profile PROFILE *
S_USER_SAS User Master Maintenance: ACTVT 01
System-Specific Assign
06
ments
22
ACT_GROUP *
CLASS *
PROFILE *
SUBSYSTEM *
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 81
Object Description Authorization Fields Value
S_USER_SYS User Master Maintenance: ACTVT 78
System for Central User
Maintenance SUBSYSTEM *
S_USER_TCD Authorizations: transactions TCD *
in roles
S_USER_VAL Authorizations: filed values in AUTH_FIELD *
roles
AUTH_VALUE *
OBJECT *
S_DEVELOP ABAP Workbench ACTVT *
DEVCLASS SUSO
OBJNAME SIAG*
OBJTYPE FUGR
OBJTYPE *
11.3.2 Maintaining Cloud Connector for On-Premise Scenario
SAP Cloud Connector serves as the link between on-demand applications in SAP Cloud Platform and existing
on premise systems.
The cloud Connector runs as an on-premise agent in a secured network and acts as a reverse invoke proxy
between the on premise network and SAP Cloud Platform.
For more information, see SAP Cloud Connector.
1. Install the SAP Cloud Platform Connector [page 82]
2. Maintain the SAP Cloud Platform Connector [page 83]
3. Maintain Destinations for SAP Cloud Platform Connector [page 84]
11.3.2.1 Install the SAP Cloud Platform Connector
To Install the cloud connector, view the help documentation for SAP Cloud Platform Cloud Connector, and
follow the instructions for the scenario: Connecting Cloud Applications to On-Premise Systems.
SAP Cloud Identity Access Governance Admin Guide
82 PUBLIC Integration Scenarios
Connecting Cloud Applications to On-Premise Systems
Parent topic: Maintaining Cloud Connector for On-Premise Scenario [page 82]
Next: Maintain the SAP Cloud Platform Connector [page 83]
11.3.2.2 Maintain the SAP Cloud Platform Connector
Pre-requisite: You have already activated your user (Pxxxx) in SAP Cloud Identity and have administrator
access to this account.
Example of Admin SCI URL: https://<CompanyName>.accounts.ondemand.com/admin/
Note
For the following, maintain one SAP Cloud Platform Connector for each target system.
1. Login to your SAP Cloud Platform Connector and create a new account.
Go to Account Dashboard and click Add Account.
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 83
2. Enter the following details and save the data:
○ Landscape Host - us2.hana.ondemand.com if your cloud tenant hosted in US data center or
eu1.hana.ondemand.com if it is hosted in Europe data center
○ Account Name: <HCP account name>
○ Display Name: <Company Name>
○ Account User: <P USER ID activated in SCI>
○ Password: <Password created for P USER ID in SCI>
3. Select the created Account and click Access Control.
4. Add system mapping for each on-premise target system.
(For SAP ERP system, enter Back-end Type = ABAP System, Protocol = RFC and system
configurations).
5. Select the above system mapping and add function module name as prefix with SIAG.
For more information, see SAP Cloud Platform Connector.
Parent topic: Maintaining Cloud Connector for On-Premise Scenario [page 82]
Previous: Install the SAP Cloud Platform Connector [page 82]
Next: Maintain Destinations for SAP Cloud Platform Connector [page 84]
11.3.2.3 Maintain Destinations for SAP Cloud Platform
Connector
In the SAP Cloud Platform Cockpit, maintain destinations for each target system to enable communication via
the SAP Cloud Platform Connector.
For on premise systems, make sure to select the Proxy Type OnPremise.
For more information about using the destination service, see the following SAP Cloud Platform
documentation: Configure Destinations from the Cockpit
SAP Cloud Identity Access Governance Admin Guide
84 PUBLIC Integration Scenarios
Note
Only HTTP destinations are relevant for the destination service. For more information, see the following
documentation: Create HTTP Destinations
Parent topic: Maintaining Cloud Connector for On-Premise Scenario [page 82]
Previous: Maintain the SAP Cloud Platform Connector [page 83]
11.3.3 Schedule Provisioning Background Jobs
You must schedule a job to initiate the provisioning process.
1. Log into the SAP Cloud Identity Access Governance launchpad and open the Job Scheduler app.
2. Select the job category Provisioning, fill in the required attributes, and click Schedule Job.
11.4 SAP Ariba
The information in this section describes the procedure for connecting SAP Ariba to the SAP Cloud Identity
Access Governance solution and its services. SAP Cloud Identity Access Governance is a cloud-based solution
for creating self-service requests to applications for on-premise and cloud source applications and systems. By
connecting to the solution, it enables SAP Ariba users to initiate access requests, which are then provisioned to
target applications.
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 85
Prerequisites
Ensure you have completed enablement and configuration for the SAP Cloud Identity Access Governance
solution.
Note
The integration of SAP Cloud Identity Access Governance and SAP Ariba solutions is based on the Master
Data Native Interface (MDNI). This integration is currently available for SAP Ariba Buying and SAP Ariba
Strategic Sourcing applications. Support for other SAP Ariba solutions is possible; this depends, however,
on the synchronization options between the respective SAP Ariba solution and SAP Ariba Buying and SAP
Ariba Sourcing applications. Refer to the SAP Ariba documentation to determine if such options exist for
your scenario.
11.4.1 Process Overview
There are three overall steps to enable integration between SAP Ariba solutions and the SAP Cloud Identity
Access Governance solution and its service.:
1. In the SAP Cloud Platform, set up destination for the SAP Ariba solution.
2. In the access request service, use the Systems app to create an instance for the SAP Ariba solution.
SAP Cloud Identity Access Governance Admin Guide
86 PUBLIC Integration Scenarios
3. In the access request service, use the Job Scheduler app to sync user data and provision access requests.
11.4.2 Create Destinations
In the SAP Cloud Platform, create destinations for your SAP Ariba instance.
1. Log into the SAP Cloud Platform cockpit, and go to your tenant.
2. In the left-hand pane, click Connectivity Destinations , and then click New Destination.
3. Create a destination for the SAP Ariba instance, and add the following properties listed in the table below.
Note
You may need to manually add the property field if it is not automatically displayed.
Caution
It is very important to accurately enter the text strings as specified below. We recommending copying
and pasting them.
*Name ARIBA_DEST
Type: HTTP
Description: Ariba Sync
*URL Enter the URL of the SAP Ariba instance
Proxy Type Internet
Authentication: BasicAuthentication
User: Userid access MDNI service in ariba (You need to get this
from Ariba by creation Service request)
Password: Password for the user
apiKey Generated Api Key
fetchGroups /mdni/erpintegration/api/fetchGroups
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 87
fetchUsers /mdni/erpintegration/api/fetchUsers
objectName User
serviceURL https://<Ariba Open API service
url>/api/mds-integration-job/v1/prod/
integrationJobs?
tenantId AN-Id provided as part of the Ariba system
uploadXMLUserData /mdni/erpintegration/api/uploadXMLData
4. Make sure Use default JDK truststore is checked.
11.4.3 Add Ariba Instance to Access Request Systems
Create an instance for SAP Ariba in the Systems app.
1. Log into the SAP Cloud Identity Access Governance launchpad and open the Systems app.
2. Create a system for SAP Ariba. For System Type, select SAP Ariba.
3. In the HCP Destination field, enter the name of the SAP Cloud Platform destination for SAP Ariba.
4. Save.
11.4.4 Sync User Data and Provision Access Requests
In the access request service launchpad, open the Job Scheduler app. In the Job Category dropdown, schedule
the following jobs:
● Repository Sync to synchronize the relevant data from SAP Ariba to the access request service.
In the System dropdown, select SAP Ariba.
● Provisioning to initiate the provisioning of access requests.
11.5 SAP Fieldglass
The information in this section describes the procedure for connecting SAP Fieldglass to the SAP Cloud
Identity Access Governance solution and its services. SAP Cloud Identity Access Governance is a cloud-based
solution for creating self-service requests to applications for on-premise and cloud source applications and
systems. By connecting to the IAG solution, it enables SAP Fieldglass users to initiate access requests, which
are then provisioned to target applications. This leverages out-of-box authorizations and risk modeling to
analyze SAP Fieldglass access requests.
Note
You can assign one role per user.
SAP Cloud Identity Access Governance Admin Guide
88 PUBLIC Integration Scenarios
Prerequisites
Ensure you have completed enablement and configuration for the SAP Cloud Identity Access Governance
solution.
11.5.1 Process Overview
There are three overall steps to enable integration between SAP Fieldglass and the SAP Cloud Identity Access
Governance solution and its services:
1. In the SAP Cloud Platform, set up destination for the SAP Fieldglass solution.
2. In the access request service, use the Systems app to create an instance for the SAP Fieldglass solution.
3. In the access request service, use the Job Scheduler app to sync user data and provision access requests.
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 89
11.5.2 Create Destinations
In the SAP Cloud Platform, create destinations for your SAP Fieldglass instance.
1. Log into the SAP Cloud Platform cockpit, and go to your tenant.
2. In the left-hand pane, click Connectivity Destinations , and then click New Destination.
3. Create a destination for the SAP Fieldglass instance, using the following constraints.
Caution
It is very important to accurately enter the text strings as specified below. We recommending copying
and pasting them.
*Name FieldGlassDest
Type: HTTP
Description: Field Glass Destination
*URL Enter the URL of the SAP Fieldglass instance
Proxy Type Internet
Authentication: BasicAuthentication
User: Name of the user SCP uses to access the SAP Fieldglass
instance.
Password: Password for the user
accessToken /api/oauth2/v2.0/token?
grant_type=client_credentials&response_
type=token
SAP Cloud Identity Access Governance Admin Guide
90 PUBLIC Integration Scenarios
apiUser /api/vc/connector/apiUser
getRole /api/vc/connector/Standard User Role
Download
getRoleDetail /api/vc/connector/Standard User Role
Detail Download?__p1=
getUser /api/vc/connector/User Download
x-ApplicationKey Enter the application key from the SAP Fieldglass in
stance.
4. Make sure Use default JDK truststore is checked.
11.5.3 Add Fieldglass System
Create an instance for SAP Fieldglass in the access request service Systems app.
1. Log into the SAP Cloud Identity Access Governance launchpad and open the Systems app.
2. Create a system for SAP Fieldglass. For System Type, select SAP Fieldglass.
3. In the HCP Destination field, enter the name of the SAP Cloud Platform destination for the SAP Fieldglass
instance.
4. Save.
11.5.4 Sync User Data and Provision Access Requests
In the access request service launchpad, open the Job Scheduler app. In the Job Category dropdown, schedule
the following jobs:
● Repository Sync to synchronize the relevant data from SAP Fieldglass to the access request service.
In the System dropdown, select SAP Fieldglass.
● Provisioning to initiate the provisioning of access requests.
11.6 SAP S/4HANA Cloud
The information in this section describes the procedure for connecting your SAP S/4HANA Cloud tenant to the
SAP Cloud Identity Access Governance solution (IAG). This connection allows SAP S/4HANA Cloud users to
use the IAG services such as access request, access analysis, and features such as auto-provisioning, and
auditable workflows.
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 91
As illustrated in the diagram below, this connection enables the IAG solution to replicate data from the S/
4HANA Cloud tenant, and then provision user role assignments to target applications.
The procedure consists of configuration steps on the S/4HANA Cloud tenant, and on the SAP Cloud Platform
(SCP) tenant for IAG. The following is a summary of the procedure steps. For details, see the respective
sections.
On the S/4HANA Cloud tenant do the following:
1. Create a communication user.
2. Create a communication system.
3. Create a communication arrangement, one for each communication scenario.
On the SAP Cloud Platform tenant, do the following:
1. Configuration a destination for the SAP S/4HANA Cloud tenant.
2. Run the sync job to replicate data from the SAP S/4HANA Cloud tenant.
Configuration on SAP S/4HANA Cloud Tenant [page 92]
11.6.1 Configuration on SAP S/4HANA Cloud Tenant
The information in this section describes the prerequisites and procedures you carry out on SAP S/4 HANA
Cloud to enable the integration with the access request service.
Prerequisites
You must have completed the following prerequisites before you can begin the configuration tasks.
● Your SAP S/4HANA Cloud user has been assigned the business catalog SAP_CORE_BC_COM.
SAP Cloud Identity Access Governance Admin Guide
92 PUBLIC Integration Scenarios
● You can use the business role template SAP_BR_ADMINISTRATOR.
● You have a signed SSL certificate from Verisign for your tenant or you can use basic authentication (user ID
and password) [optional].
The certificate is used to enable secure communication between the SAP S/4HANA Cloud tenant and the
SAP Cloud Platform tenant for IAG.
Procedure
The configuration steps include the following:
1. Create a communication user and assign to it the SSL certificate.
2. Create a communication system to represent the SCP tenant account.
3. Create a communication arrangement, one for each communication scenario.
○ SAP_COM_0066 for replication of data
○ SAP_COM_0193 for provisioning
For more information on creating communication users and communication arrangements, see
Communication Management.
11.6.1.1 Create Communication User
Create a communication user and upload the SSL certificate. The uses the private key to enable secure
communication.
Note
For more information, refer to: SAP Cloud Identity Provisioning Service.
Option 1: SSL Certificate
1. Log onto your SAP S/4HANA Cloud tenant, and open group Communication Management.
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 93
2. Open Maintain Communication Users and choose New to create a Communication User
Value Parameter
User Name Enter a user name. Ex: IAG-INTEGRATION
Description Enter a meaningful description.
Password Enter a password and remember for later step.
Tip
Create a password via Propose Password to receive a
password which satisfies the password rules.
3. Choose Upload Certificate and select the SSL Client Certificate from Verisign.
4. Choose Create.
Option 2: Basic Authentication
1. Log onto your SAP S/4HANA Cloud tenant, and open group Communication Management.
SAP Cloud Identity Access Governance Admin Guide
94 PUBLIC Integration Scenarios
2. Open Maintain Communication Users and choose New to create a Communication User.
Value Parameter
User Name Enter a user name. Ex: IAG-INTEGRATION
Description Enter a meaningful description.
Password Enter a password and remember for later step.
Tip
Create a password via Propose Password to receive a
password which satisfies the password rules.
11.6.1.2 Create Communication System
Create a new communication system to represent your SCP-IAG tenant account.
Option 1: SSL Certificate
1. Start the app Communication Systems and choose New to create a Communication System representing
your SCP-IAG tenant account.
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 95
2. Choose a System ID and System Name to represent your SAP Cloud Platform account.
3. Choose Create.
4. Enter the hostname of your SCP-IAG Provider Tenant ID. Enter only the hostname without protocol and
path. For example: xxxxx.us2.hana.ondemand.com.
5. Choose Save.
6. In the User for Inbound Communication section, choose the + button.
7. Select Authentication Method as SSL Client Certificate and add the communication user you created in the
previous step for the SSL Certificate option.
SAP Cloud Identity Access Governance Admin Guide
96 PUBLIC Integration Scenarios
Option 2: Basic Authentication
Note
Maintaining User for Outbound Communication is optional.
1. Start the Communication Systems app and choose New to create a Communication System representing
your SCP-IAG tenant account.
2. Choose a System ID and System Name to represent your SAP Cloud Platform account.
3. Choose Create.
4. Enter the hostname of your SCP-IAG Provider Tenant ID. Enter only the hostname without protocol and
path. For example: xxxxx.us2.hana.ondemand.com.
5. Choose Save.
6. In the User for Inbound Communication section, choose the + button.
7. Select Authentication Method as User ID and Password and add the communication user you created in the
previous step for the Basic Authentication option.
8. In the User for Outbound Communication section, choose the + button.
9. Select Authentication Method as User ID and Password and add the communication user you created in the
previous step for the Basic Authentication option.
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 97
11.6.1.3 Create Communication Arrangement
Create a communication arrangement, one for each communication scenario. Two scenarios are available.
● SAP_COM_0066 for replication of data
● SAP_COM_0093 for provisioning
You may choose to implement one or both. To implement both, complete all the steps in this procedure to
create a communication arrangement for one, and then repeat the procedure again to create an arrangement
for the other.
1. Start the app Communication Arrangements, and click New Scenario .
2. Select a communication scenario, such as the following:
Example:
3. Select the Communication System you created in the previous step.
The other data is defined by the system.
SAP Cloud Identity Access Governance Admin Guide
98 PUBLIC Integration Scenarios
4. Save the communication arrangement.
To implement another communication arrangement, repeat the procedure.
11.6.1.4 Configuration Steps on the SCP-IAG Tenant
The information in this section describes the prerequisites and procedures you carry out on SAP Cloud
Platform tenant to enable the connection with the SAP S/4HANA Cloud tenant.
Prerequisites
You must have completed the following prerequisites before you can begin the configuration tasks:
● You have completed the configuration steps for the SAP S/4HANA Cloud tenant.
● You have the SSL certificate from your SAP S/4HANA tenant (applicable for only certificate based).
11.6.1.4.1 Create New Destination on the SCP-IAG Tenant
Create a new destination using Client Certificate Authentication or Basic Authentication.
Option 1: Client Certificate Authentication
1. In the SCP-IAG tenant, go to the Subaccounts dropdown menu and choose your subaccount.
2. Choose Connectivity Destinations in the navigation panel.
3. Click New Destination and create the following destination.
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 99
Parameter Value
Name Enter a meaningful name.
Type HTTP
Description (Optional) Enter a meaningful description.
URL The service URL from the communication arrangement.
Proxy Type Internet
Authentication ClientCertificateAuthentication
4. Choose New Property and select sap-client and enter S4HANA client value.
5. Choose Upload and Delete Certificate link to upload the SSL certificate for your S/4HANA tenant. Select
the file location for the S/4HANA certificate. (This is the public key (xxxx.p12) generated from the private
key for the user in S/4 HANA.)
1. From the Key Store Location drop-down menu, select your keystore.
2. In the Key Store Password, enter the keystore password
6. Select the Use default JDK truststore checkbox.
7. Save your entries.
Option 2: Basic Authentication
1. In the SCP-IAG tenant, go to the Subaccounts dropdown menu and choose your subaccount.
2. Choose Connectivity Destinations in the navigation panel.
3. Click New Destination and create the following destination.
SAP Cloud Identity Access Governance Admin Guide
100 PUBLIC Integration Scenarios
Parameter Value
Name Enter a meaningful name.
Type HTTP
Description (Optional) Enter a meaningful description.
URL Enter the URL for the SAP S/4HANA Cloud system Serv
ice such as < https://xxxx.s4hana.ondemand.com>
Proxy Type Internet
Authentication Basic Authentication
User The name of the communication user you have in the SAP
S/4HANA Cloud tenant.
Password The password for the communication user.
4. Choose New Property and select sap-client and enter S4HANA client value.
Parameter Value
sap-client Enter the SAP S/4HANA Cloud system client.
WRITE Enter the SAP S/4HANA service: /sap/bc/srt/
scs_ext/sap/managebusinessuserin
5. Select the Use default JDK truststore checkbox.
6. Save your entries.
11.6.1.5 Identity Provisioning Service for SAP S/4HANA
Cloud
IAG services use OAuth to protect communication between the IAG Provisioning and SAP S/4HANA Cloud.
Note
Since SAP Identity Provisioning Service runs in the NEO environment, the configurations described below
must be performed in the NEO subaccount under which IPS is subscribed. For more information, refer to
the link for SAP Identity Provisioning Service provided at the bottom of this page.
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 101
Step 1: Register OAuth Client ipsproxy service
1. In the SCP-IAG tenant, go to the Subaccounts dropdown menu and choose your subaccount.
2. Choose Security OAuth in the navigation panel.
3. Switch to the Clients tab.
4. Choose Register New Client in the Clients table and create the following client by adding the parameters
and values given below.
Parameter Value
Name Enter a meaningful name.
Description (Optional) Enter a meaningful description.
Subscription Select <provider account>/ipsproxy´.
ID Enter the OAuth Client ID User.
Authorization Grant Client Credentials.
Confidential Select the checkbox.
Secret <Maintain the password for the ID>.
Token Lifetime Leave it empty for infinite.
Step 2: Assign the IPS_PROXY_USER role to the OAuth client
1. In the SCP-IAG tenant, go to the Subaccounts dropdown menu and choose your subaccount.
2. Choose Applications Subscriptions in the navigation panel.
3. Choose the application ipsproxy in the Subscriped Java Applications table.
4. Choose Roles in the navigation panel.
5. Select IPS_PROXY_USER role and choose Assign to add User ID.
6. Enter the OAuth Client ID created in the previous step.
7. Choose Assign.
For more information, see SAP Identity Provisioning Service
11.6.1.5.1 Create Destination for SAP Identity Provisioning
Service
In the SAP Cloud Platform (SCP), create destinations for your SAP Identity Provisioning Service.
1. In the SCP-IAG tenant, go to the Subaccounts dropdown menu and choose your subaccount.
2. Choose Connectivity Destinations in the navigation panel.
3. Choose New Destination and create the following destination.
SAP Cloud Identity Access Governance Admin Guide
102 PUBLIC Integration Scenarios
Note
It is very important to accurately enter the text strings as specified below. We recommend copying and
pasting them.
Parameter Value
*Name IPS_PROXY
Type HTTP
Description IPS Destination
*URL Enter the URL of the IPS Instance (example: https://
ipsproxyaebd32f83-a90504729.hana.ondemand.com
Proxy Type Internet
Authentication BasicAuthentication
*User Enter the OAuth Client ID Authenticated User
Note
This user is configured in Security OAuth
Clients for service ipsproxy
Password <Password of the User>
4. Choose New Property and select sap-client and enter S4HANA client value.
Parameter Value
Accept application/scim+json
*OAuth2TokenServiceURL Enter the URL for the OAUTH Token endpoint suffixed with
grant_type=client_credentials such as <https://oauthas
services-<SubscriptionTenant ID><Regional Host>//
oauth2/api/v1/token?grant_type=client_credentials>
Note
The OAuth Token Endpoint URL can be found in
Security OAuth OAuth URLs
GROUPSURL /Groups
serviceURL /ipsproxy/api/v1/scim/
USERSURL /Users
5. Save your entries.
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 103
11.6.1.5.2 Create Proxy System
Step 1: Assign role IPS_ADMIN to the user by following the below steps:
1. In the SCP-IAG tenant, go to the Subaccounts dropdown menu and choose your subaccount.
2. Choose Services Identity Provisioning in the navigation panel.
3. Click Configure Service.
4. Choose Roles in the navigation panel.
5. Select IPS_ADMIN role and click Assign to add User ID.
6. Click Assign.
Note
Add the SCP-IAG Tenant Admin so that the user can later perform Step 2 mentioned below.
Step 2: Create a proxy system to connect SAP S4/HANA Cloud with the SCP-IAG tenant.
1. In the SCP-IAG tenant, go to the Subaccounts dropdown menu and choose your subaccount.
2. Choose Services Identity Provisioning in the navigation panel.
3. Click Go to Service.
4. Add a proxy system for SAP S/4HANA Cloud.
5. Select Type as SAP S/4HANA Cloud.
6. Enter the System Name, Description and Destination Name.
The Destination Name is the destination created in the previous section Create Destination for the S/
4HANA Cloud system.
SAP Cloud Identity Access Governance Admin Guide
104 PUBLIC Integration Scenarios
7. Modify the following transformations for IAG to read and provision:
Read Transformation Write Transformation
{ {
"user": { "user": {
"mappings": [ "mappings": [
{ {
"sourcePath": "sourcePath": "$
"$.personID", ['urn:ietf:params:scim:schemas:extens
"targetPath": "$.id", ion:enterprise:2.0:User']
"targetVariable": ['employeeNumber']",
"entityIdSourceSystem" "targetPath":
}, "$.personExternalID"
{ },
"sourcePath": {
"$.user.role[*].roleName", "sourceVariable":
"entityIdTargetSystem",
"preserveArrayWithSingleElement": "targetPath":
true, "$.personID"
"optional": true, },
"targetPath": {
"$.groups[?(@.value)]" "targetPath":
}, "$.businessPartnerRoleCode",
{ "type":
"sourceVariable": "valueMapping",
"entityBaseLocation", "sourcePaths": [
"targetPath": "$.userType"
"$.meta.location", ],
"targetVariable": "defaultValue":
"entityLocationSourceSystem", "BUP003",
"functions": [ "valueMappings": [
{ {
"type": "key": [
"concatString",
"suffix": "$ "Employee"
{entityIdSourceSystem}" ],
}
] "mappedValue": "BUP003"
}, },
{ {
"sourcePath": "key": [
"$.personalInformation.firstName",
"optional": true, "Freelancer"
"targetPath": ],
"$.name.givenName"
}, "mappedValue": "BBP010"
{ },
"sourcePath": {
"$.personalInformation.lastName", "key": [
"optional": true, "Service
"targetPath": Performer"
"$.name.familyName" ],
},
{ "mappedValue": "BBP005"
"sourcePath": }
"$.personalInformation.middleName", ]
"optional": true, },
"targetPath": {
"$.name.middleName" "sourceVariable":
}, "currentDate",
{ "targetPath":
"$.validityPeriod.startDate",
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 105
Read Transformation Write Transformation
"sourcePath": "scope":
"$.personalInformation.personFullName "createEntity"
", },
"optional": true, {
"targetPath": "constant":
"$.name.formatted" "9999-12-31",
}, "targetPath":
{ "$.validityPeriod.endDate",
"sourcePath": "scope":
"$.user.userName", "createEntity"
"optional": true, },
"targetPath": {
"$.userName", "sourcePath":
"$.name.givenName",
"correlationAttribute": true "optional": true,
}, "targetPath":
{ "$.personalInformation.firstName"
"constant": true, },
"targetPath": {
"$.active" "sourcePath":
}, "$.name.familyName",
{ "optional": true,
"condition": "targetPath":
"$.user.lockedIndicator == 'X'", "$.personalInformation.lastName"
"constant": false, },
"optional": true, {
"targetPath": "sourcePath":
"$.active" "$.name.middleName",
}, "optional": true,
{ "targetPath":
"sourcePath": "$.personalInformation.middleName"
"$.workplaceInformation.emailAddress" },
, {
"optional": true, "sourcePath":
"targetPath": "$.name.formatted",
"$.emails[0].value", "optional": true,
"targetPath":
"correlationAttribute": true "$.personalInformation.personFullName
}, "
{ },
"sourcePath": {
"$.user.logonLanguageCode", "sourcePath":
"optional": true, "$.userName",
"targetPath": "targetPath":
"$.locale" "$.user.userName"
}, },
{ {
"sourcePath": "sourcePath":
"$.personExternalID", "$.locale",
"optional": true, "optional": true,
"targetPath": "targetPath":
"$.personExternalID", "$.user.logonLanguageCode"
},
"correlationAttribute": true {
}, "sourcePath":
{ "$.groups[*].value",
"targetPath":
"$.timeZone", "preserveArrayWithSingleElement":
"type": true,
"valueMapping", "optional": true,
"sourcePaths": [ "targetPath":
"$.user.role[?(@.roleName)]"
"$.user.timeZoneCode" },
{
SAP Cloud Identity Access Governance Admin Guide
106 PUBLIC Integration Scenarios
Read Transformation Write Transformation
], "sourcePath":
"defaultValue": "$.emails[0].value",
"Europe/Berlin", "optional": true,
"valueMappings": [ "targetPath":
{ "$.workplaceInformation.emailAddress"
"key": [ },
"UTC" {
], "condition":
"$.active == false",
"mappedValue": "Etc/UTC" "constant": "X",
}, "targetPath":
{ "$.user.lockedIndicator"
"key": [ }
"EST" ],
], "scimEntityEndpoint": "Users"
},
"mappedValue": "America/New_York" "group": {
}, "mappings": [],
{ "scimEntityEndpoint":
"key": [ "Groups"
"UTC+8" }
], }
"mappedValue": "Asia/Shanghai"
},
{
"key": [
"BRAZIL"
],
"mappedValue": "America/Sao_Paulo"
},
{
"key": [
"MSTNO"
],
"mappedValue": "America/Phoenix"
},
{
"key": [
"AUSNSW"
],
"mappedValue": "Australia/Sydney"
},
{
"key": [
"BRZLEA"
],
"mappedValue": "America/Sao_Paulo"
},
{
"key": [
"WDFT"
],
"mappedValue": "Europe/Berlin"
},
{
"key": [
"JAPAN"
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 107
Read Transformation Write Transformation
],
"mappedValue": "Asia/Tokyo"
},
{
"key": [
"ISRAEL"
],
"mappedValue": "Asia/Jerusalem"
},
{
"key": [
"UTC+4"
],
"mappedValue": "Asia/Dubai"
},
{
"key": [
"EST_"
],
"mappedValue": "America/Toronto"
},
{
"key": [
"RUS03"
],
"mappedValue": "Europe/Moscow"
},
{
"key": [
"UTC+3"
],
"mappedValue": "Asia/Riyadh"
}
]
},
{
"targetPath":
"$.userType",
"type":
"valueMapping",
"sourcePaths": [
"$.businessPartnerRoleCode"
],
"defaultValue":
"Employee",
"valueMappings": [
{
"key": [
"BBP005"
],
"mappedValue": "Service Performer"
},
{
"key": [
"BUP003"
SAP Cloud Identity Access Governance Admin Guide
108 PUBLIC Integration Scenarios
Read Transformation Write Transformation
],
"mappedValue": "Employee"
},
{
"key": [
"BBP010"
],
"mappedValue": "Freelancer"
}
]
}
],
"scimEntityEndpoint": "Users"
},
"group": {
"mappings": [
{
"sourcePath": "$.ID",
"targetPath": "$.id",
"targetVariable":
"entityIdSourceSystem"
},
{
"sourceVariable":
"entityBaseLocation",
"targetPath":
"$.meta.location",
"targetVariable":
"entityLocationSourceSystem",
"functions": [
{
"type":
"concatString",
"suffix": "$
{entityIdSourceSystem}"
}
]
},
{
"constant":
"urn:ietf:params:scim:schemas:core:
2.0:Group",
"targetPath":
"$.schemas[0]"
},
{
"sourcePath": "$.ID",
"targetPath":
"$.displayName"
},
{
"sourcePath":
"$.to_BusinessUserAssignment.results"
,
"preserveArrayWithSingleElement":
true,
"optional": true,
"targetPath":
"$.members"
},
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 109
Read Transformation Write Transformation
{
"targetPath":
"$.members[*].__metadata",
"type": "remove"
},
{
"constant": "value",
"targetPath":
"$.members[*].PersonID",
"type": "rename"
},
{
"constant": "user",
"targetPath":
"$.members[*].type"
}
],
"scimEntityEndpoint":
"Groups"
}
}
8. Save your entries.
Note
Copy the external system ID and use it to set up the SAP S4/HANA Cloud instance in the Systems app in
the next section Add SAP S/4HANA Cloud System.
11.6.1.5.3 Add SAP S/4HANA Cloud System
Create an instance for the SAP S/4HANA Cloud system in the access request service Systems app.
Creating a new system
1. Log into the SAP Cloud Identity Access Governance launchpad and open the Systems app.
2. Create a system for SAP S/4HANA Cloud. For the System Type, select SAP S/4HANA Cloud.
3. In the HCP Destination field, enter the System name of the S/4HANA Cloud destination created in the
previous section Create Destination.
4. Enter the external system ID which was marked in previous section Create Proxy System.
5. Save your entries.
Updating an existing S/4HANA Cloud System
Note
Perform the below steps only if S/4HANA Cloud System is created in IAG prior to 1911 release.
1. Select the S/4HANA Cloud system configured in the previous release.
2. Select Edit.
3. Enter the external system ID which was marked in previous section Create Proxy System.
SAP Cloud Identity Access Governance Admin Guide
110 PUBLIC Integration Scenarios
4. Save your entries.
11.6.1.5.4 Sync User Data and Provision Access Request
In the IAG launchpad, open the Job Scheduler app and schedule the following job:
● Repository Sync to synchronize the relevant data from SAP Identity Authentication to the access request
service.
1. In the Job Name field, enter Job Name.
2. In the Job Category field, select Repository Sync.
3. In the Recurring Job field, select No.
4. In the Start Immediately field, select Yes.
5. In the System Type field, select SAP S4/HANA Cloud.
6. In the System field, select System.
7. Click Schedule Job button. The job status and log can be checked in the Job History app.
Note
To schedule a Recurring Job for both Repository Sync and Provisioning, refer to 2859618 for
recommendation on the frequency of the jobs.
● Provisioning to initiate the provisioning of access requests.
1. In the Job Name field, enter Job Name.
2. In the Job Category field, select Repository Sync.
3. In the Recurring Job field, select No.
4. In the Start Immediately field, select Yes.
5. Click Schedule Job button. The job status and log can be checked in the Job History app.
11.7 SAP S/4HANA (on-premise)
The information in this section describes the procedure for connecting SAP S/4HANA On-Premise to the SAP
Cloud Identity Access Governance solution and its services. SAP Cloud Identity Access Governance is a cloud-
based service for creating self-service requests to applications for on-premise and cloud source applications
and systems. By connecting to the IAG solution, it enables SAP S/4HANA On-Premise users to initiate access
requests, which are then provisioned to target applications.
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 111
Prerequisites
Ensure you have completed enablement and configuration for the SAP Cloud Identity Access Governance
solution.
11.7.1 Process Overview
There are three overall steps to enable integration between SAP S/4HANA on-premise systems and the SAP
Cloud Identity Access Governance solution and its services:
1. In the SAP Cloud Platform, set up destination for the S/4HANA on-premise system.
2. In the access request service, use the Systems app to create an instance for the S/4HANA on-premise
system.
3. In the access request service, use the Job Scheduler app to sync user data and provision access requests.
SAP Cloud Identity Access Governance Admin Guide
112 PUBLIC Integration Scenarios
11.7.2 Install Cloud Connector and Set Destinations
If you have not already done so, insteall the SAP Cloud Platform Connector to enable secure communication
between the access request service and the SAP S/4HANA on-premise system.
Make sure to select the Proxy Type OnPremise.
For the procedure, refer to the topic Maintaining Cloud Connect for On-Premise Scenario [page 42].
11.7.3 Sync User Data and Provision Requests
In the access request service launchpad, open the Job Scheduler app, and schedule the following jobs:
● Repository Sync to synchronize the relevant data from SAP S/4HANA system to the access request
service.
● Provisioning to initiate the provisioning of access requests.
11.7.4 Add S/4HANA Instance to Access Request Systems
Create an instance for SAP S/4HANA in the access request service Systems app.
1. Log into the SAP Cloud Identity Access Governance launchpad and open the Systems app.
2. Create a system for SAP S/4HANA. For System Type, select SAP S/4HANA On-Premise.
3. In the HCP Destination field, enter the name of the SAP S/4HANA destination from SAP Cloud Platform.
4. Save.
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 113
11.8 Microsoft Azure Platform
The information in this section describes the procedure for connecting Microsoft Azure to the SAP Cloud
Identity Access Governance solution and its services. SAP Cloud Identity Access Governance is a cloud-based
service for creating self-service requests to applications for on-premise and cloud source applications and
systems. By connecting to the IAG solution, it enables Microsoft Azure users to initiate access requests, which
are then provisioned to target applications.
11.8.1 Process Overview
There are three overall steps to enable integration between Microsoft Azure and the SAP Cloud Identity Access
Governance solution and its services:
1. In the SAP Cloud Platform Identity Provisioning service (SCIM), create a proxy system for the Microsoft
Azure system.
2. In the access request service launchpad, use the Systems app to create a system for Azure, using the
external system ID generated from step 1.
3. In the SAP Cloud Platform, create two destinations: one to generate an authentication token; one for
provisioning.
4. In the access request service, schedule jobs to synch Azure users and roles, and to provision the access
requests.
SAP Cloud Identity Access Governance Admin Guide
114 PUBLIC Integration Scenarios
11.8.2 Create Proxy System
Create a proxy system to enable Microsoft Azure to connect with the SAP Cloud Platform.
1. Log into the SAP Cloud Platform cockpit, go to your SCP tenant instance, and open Services Identity
Provisioning Go To Service Proxy System .
2. Add a proxy system for Azure and click Save.
The service generates a URL for the Azure proxy system. The external system ID is included in the
URL. (See the illustration below.)
3. Copy the external system ID, and use it to set up the Azure instance in the Systems app in the next step.
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 115
11.8.3 Add Azure Instance to Access Request Systems
Create an instance for Azure in the access request service Systems app.
1. Log into the SAP Cloud Identity Access Governance launchpad and open the Systems app.
2. Create a system for Azure. For System Type, select Microsoft Azure.
3. In the External System ID field, paste the ID you copied from the SCP proxy system.
4. Save.
11.8.4 Create Destinations
In the SAP Cloud Platform, create two destinations.
● IAGprovisioning_IDMOauth to generate a token for authentication.
● IAGProvisioning_SCIMService uses the token to have authentication for provisioning.
SAP Cloud Identity Access Governance Admin Guide
116 PUBLIC Integration Scenarios
Log into the SAP Cloud Platform Cockpit, go to your tenant, and then click Connectivity Destinations
New Destination .
Note
When creating the destinations, enter the name exactly as described below.
IAGprovisioning_IDMOauth
Create the IAGprovisioning_IDMOauth destination with the following details:
Field Value
Name IAGprovisioning_IDMOauth
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 117
Field Value
Type HTTP
URL
Proxy Type Internet
Authentication BasicAuthentication
Body grant_type=client_credentials
Header {"Content-Type":"application/x-www-form-
urlencoded","Authorization":"Basic
Yzk3YTY3YTEtOTUxZS0zN2NjLWJmMWUtZjgwNDlhYTMxZ
mRiOkFiY2QxMjM0","Accept":"application/json"}
IAGProvisioning_SCIMService
Create the IAGProvisioning_SCIMService destination with the following details:
Field Value
Name IAGProvisioning_SCIMService
Type HTTP
URL
Proxy Type Internet
Authentication BasicAuthentication
GroupAssignmentURL /Groups/
SAP Cloud Identity Access Governance Admin Guide
118 PUBLIC Integration Scenarios
Field Value
Header {"Accept": "application/scim+json","Content-
Type": "application/scim+json",
"Authorization": "Bearer"}
UserURL /Users
11.8.5 Sync User Data and Provision Requests
In the access request service launchpad, open the Job Scheduler app, and schedule the following jobs:
● Repository Sync to synchronize the relevant data from Azure to the access request service.
● Provisioning to initiate the provisioning of access requests.
11.9 SAP Marketing Cloud
The information in this section describes the procedure for connecting SAP Marketing Cloud to the SAP Cloud
Identity Access Governance solution and its services. SAP Cloud Identity Access Governance is a cloud-based
solution for creating self-service requests to applications for on-premise and cloud source applications and
systems. By connecting to the solution, it enables SAP Marketing Cloud users to initiate access requests, which
are then provisioned to target applications.
Prerequisites
Ensure you have completed enablement and configuration for the SAP Cloud Identity Access Governance
solution.
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 119
11.9.1 Process Overview
There are three overall steps to enable integration between SAP Marketing Cloud solutions and the SAP Cloud
Identity Access Governance solution and its service:
1. In the SAP Cloud Platform, set up destination for the SAP Marketing Cloud solution.
2. In the access request service, use the Systems app to create an instance for the SAP Marketing Cloud
solution.
3. In the access request service, use the Job Scheduler app to sync user data and provision access requests.
11.9.2 Create Destinations
In the SAP Cloud Platform, create destinations for your SAP Marketing Cloud instance.
1. Log in to the SAP Cloud Platform cockpit and go to your tenant.
2. In the left-hand pane, click Connectivity Destinations , and then click New Destination.
3. Create a destination for the SAP Marketing Cloud instance, and add the following properties listed in the
table below.
Note
You may need to manually add the property field if it is not automatically displayed.
Caution
It is very important to accurately enter the text strings as specified below. We recommend copying and
pasting them.
SAP Cloud Identity Access Governance Admin Guide
120 PUBLIC Integration Scenarios
*Name MKTCLOUD
Type: HTTP
Description: Marketing Cloud Destination
*URL Enter the URL of the SAP Marketing Cloud instance
Proxy Type Internet
Authentication: BasicAuthentication
User: Name of the user SCP uses to access the SAP Marketing
Cloud instance
Password: Password for the user
sap-client Marketing cloud client
WRITE /sap/bc/srt/scs/sap/
managebusinessuserin
4. Make sure Use default JDK truststore is checked.
11.9.3 Add Marketing Cloud Instance to Access Request
Systems
Create an instance for SAP Marketing Cloud in the Systems app.
1. Log in to the SAP Cloud Identity Access Governance launchpad and open the Systems app.
2. Create a system for SAP Marketing Cloud. For System Type, select SAP Marketing Cloud.
3. In the HCP Destination field, enter the name of the SAP Cloud Platform destination for SAP Marketing
Cloud.
4. Save.
11.9.4 Sync User Data and Provision Access Requests
In the access request service launchpad, open the Job Scheduler app. In the Job Category dropdown list,
schedule the following jobs:
● Repository Sync to synchronize the relevant data from SAP Marketing Cloud to the access request service.
In the System dropdown list, select SAP Marketing Cloud.
● Provisioning to initiate the provisioning of access requests.
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 121
11.9.5 User ID Mapping
IAG Configuration for User ID to Login Name mapping:
● Open a Configuration tile from the Administration group in the SAP Cloud Identity Access Governance (IAG)
Fiori launchpad. Make sure there is an entry for USERIDGROUP as shown below.
Custom Field Configuration:
1. Open the IAG Fiori launchpad in a Web browser.
2. Go to IAG Administration, Custom Field Groups, and open this tile.
3. Click on + sign to create a new Custom Field Group.
4. Provide a Name and Description.
5. Select the Process as Access Request.
6. Select the Entity Type as Application Type.
7. Select the Entity Type Value as SAP Marketing Cloud from the F4 Help dialog window.
8. Select the Status checkbox to make this active.
9. Save this data using the Save button.
10. Go to the Custom Field tile on the Administration tab.
11. Click on the + icon to create a new custom field.
12. On the next screen, provide the following inputs:
Name Any name
Description Any description
Label Any label
Input Type Select Input Text
SAP Cloud Identity Access Governance Admin Guide
122 PUBLIC Integration Scenarios
Data Type Select String
Field Length 40
Status Select the checkbox
13. On the next tab, choose the Custom Field Group created in the first step. Save the custom field using Save
button at the bottom.
After creating this configuration, there will be a new custom field in Access Request which will read the login
name from the authentication system (example: IAS). This will be blank if the login name is not maintained. In
this case, it will use the same P-number for the user provisioning.
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 123
11.10 SAP Integrated Business Planning
The information in this section describes the procedure for connecting SAP Integrated Business Planning to
the SAP Cloud Identity Access Governance solution and its services. SAP Cloud Identity Access Governance is
a cloud-based solution for creating self-service requests to applications for on-premise and cloud source
applications and systems. By connecting to the solution, it enables SAP Integrated Business Planning users to
initiate access requests, which are then provisioned to target applications.
Prerequisites
Ensure you have completed enablement and configuration for the SAP Cloud Identity Access Governance
solution.
11.10.1 Process Overview
There are four overall steps to enable integration between SAP Integrated Business Planning solution and the
SAP Cloud Identity Access Governance solution and its service:
1. In the SAP Integrated Business solution, carry out the required configuration tasks and steps.
2. In the SAP Cloud Platform, set up destination for the SAP Integrated Business Planning solution.
3. In the access request service, use the Systems app to create an instance for the SAP Integrated Business
Planning solution.
4. In the access request service, use the Job Scheduler app to sync user data and provision access requests.
SAP Cloud Identity Access Governance Admin Guide
124 PUBLIC Integration Scenarios
11.10.2 Configuration in SAP Integrated Business Planning
The information in this section describes the prerequisites and procedures you carry out in SAP Integrated
Business Planning to enable the integration with the access request service.
Prerequisites
You must have completed the following prerequisites before you can begin the configuration tasks.
● Your user for SAP Integrated Business Planning has been assigned the business catalog
SAP_CORE_BC_COM.
● You can use the business role template SAP_BR_ADMINISTRATOR.
● You have a signed SSL certificate from Verisign for your tenant [optional].
The certificate is used to enable secure communication between SAP Integrated Business Planning and
the SAP Cloud Platform tenant for IAG.
Procedure
The configuration steps include the following:
1. Create a communication user and assign to it the SSL certificate.
2. Create a communication system to represent the SCP tenant account.
3. Create a communication arrangement, one for each communication scenario.
○ SAP_COM_0066 for replication of data
○ SAP_COM_0093 for provisioning
11.10.2.1 Create Communication User
Create a communication user and upload the SSL certificate. The uses the private key to enable secure
communication.
Option 1: SSL Certificate
1. Log onto your SAP Integrated Business Planning, and open group Communication Management.
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 125
2. Open Maintain Communication Users and click New to create a Communication User
Value Parameter
User Name Enter a user name. Ex: IAG-INTEGRATION
Description Enter a meaningful description.
Password Enter a password and remember for later step.
Tip
Create a password via Propose Password to receive a
password which satisfies the password rules.
3. Click Upload Certificate and select the SSL Client Certificate from Verisign.
4. Choose Create.
Option 2: Basic Authentication
1. Log onto your SAP Integrated Business Planning, and open group Communication Management.
SAP Cloud Identity Access Governance Admin Guide
126 PUBLIC Integration Scenarios
2. Open Maintain Communication Users and click New to create a Communication User
Value Parameter
User Name Enter a user name. Ex: IAG-INTEGRATION
Description Enter a meaningful description.
Password Enter a password and remember for later step.
Tip
Create a password via Propose Password to receive a
password which satisfies the password rules.
3. Choose Create.
11.10.2.2 Create Communication System
Create a new communication system to represent your SCP-IAG tenant account.
Option 1: SSL Certificate
1. Start the app Communication Systems and click New to create a Communication System representing
your SCP-IAG tenant account.
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 127
2. Choose a System ID and System Name to represent your SAP Cloud Platform account.
3. Choose Create.
4. Enter the hostname of your SCP-IAG Provider Tenant ID. Enter only the hostname without protocol and
path. For example: xxxxx.us2.hana.ondemand.com.
5. Choose Save.
6. In the User for Inbound Communication section, choose the + button.
7. Select Authentication Method as SSL Client Certificate and add the communication user you created in the
previous step for SSL Certificate option.
SAP Cloud Identity Access Governance Admin Guide
128 PUBLIC Integration Scenarios
Option 2: Basic Authentication
Note
Maintaining User for Outbound Communication is optional.
1. Start the Communication Systems app and click New to create a Communication System representing your
SCP-IAG tenant account.
2. Choose a System ID and System Name to represent your SAP Cloud Platform account.
3. Choose Create.
4. Enter the hostname of your SCP-IAG Provider Tenant ID. Enter only the hostname without protocol and
path. For example: xxxxx.us2.hana.ondemand.com.
5. Choose Save.
6. In the User for Inbound Communication section, choose the + button.
7. Select Authentication Method as User ID and Password and add the communication user you created in
the previous step for Basic Authentication option.
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 129
11.10.2.3 Create Communication Arrangement
Create a communication arrangement, one for each communication scenario. Two scenarios are available.
● SAP_COM_0066 for replication of data
● SAP_COM_0093 for provisioning
You may choose to implement one or both. To implement both, complete all the steps in this procedure to
create a communication arrangement for one, and then repeat the procedure again to create an arrangement
for the other.
1. Start the app Communication Arrangements, and click New Scenario .
2. Select a communication scenario, such as the following:
Example:
3. Select the Communication System you created in the previous step.
The other data is defined by the system.
4. Save the communication arrangement.
To implement another communication arrangement, repeat the procedure.
11.10.3 Create Destinations
In the SAP Cloud Platform, create destinations for your SAP Integrated Business Planning instance.
1. Log in to the SAP Cloud Platform cockpit and go to your tenant.
SAP Cloud Identity Access Governance Admin Guide
130 PUBLIC Integration Scenarios
2. In the left-hand pane, click Connectivity Destinations , and then click New Destination.
3. Create a destination for the SAP Integrated Business Planning instance, and add the following properties
listed in the table below.
Note
You may need to manually add the property field if it is not automatically displayed.
Caution
It is very important to accurately enter the text strings as specified below. We recommend copying and
pasting them.
*Name IBPCLOUD
Type: HTTP
Description: SAP Integrated Business Planning
Destination
*URL https://myXXXXXX-api.scmibp.ondemand.com
Proxy Type Internet
Authentication: BasicAuthentication
User: Name of the user SCP uses to access the SAP Integrated
Business Planning instance
Password: Password for the user
sap-client Integrated Business Planning client
WRITE /sap/bc/srt/scs_ext/sap/
managebusinessuserin
4. Make sure Use default JDK truststore is checked.
11.10.4 Add Integrated Business Planning Instance to Access
Request Systems
Create an instance for SAP Integrated Business Planning in the Systems app.
1. Log in to the SAP Cloud Identity Access Governance launchpad and open the Systems app.
2. Create a system for SAP Integrated Business Planning. For System Type, select SAP Integrated System
Planning.
3. In the HCP Destination field, enter the name of the SAP Cloud Platform destination for SAP Integrated
Business Planning.
4. Save.
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 131
11.10.5 Sync User Data and Provision Access Requests
In the access request service launchpad, open the Job Scheduler app. In the Job Category dropdown list,
schedule the following jobs:
● Repository Sync to synchronize the relevant data from SAP Integrated Business Planning to the access
request service.
In the System dropdown list, select the SAP Integrated Business Planning system defined in the
previous step.
● Provisioning to initiate the provisioning of access requests.
11.10.6 User ID Mapping
IAG Configuration for User ID to Login Name mapping:
● Open a Configuration tile from the Administration group in the SAP Cloud Identity Access Governance (IAG)
Fiori launchpad. Make sure there is an entry for USERIDGROUP as shown below.
Custom Field Configuration:
1. Open the IAG Fiori launchpad in a Web browser.
2. Go to IAG Administration, Custom Field Groups, and open this tile.
3. Click on + sign to create a new Custom Field Group and make the following entries.
Name IBP_Group
Description IBP_Group
Process Access Request
Entity Type Application Type
Entity Type Value Select the SAP Integrated Business Planning
from the F4 Help dialog window.
Status Select the checkbox
4. Save your entries.
SAP Cloud Identity Access Governance Admin Guide
132 PUBLIC Integration Scenarios
5. Go to the Custom Field tile on the Administration tab.
6. Click on the + icon to create a new custom field.
7. On the next screen, provide the following inputs:
Name IBP_USERNAME
Description IBP_USERNAME
Label UserName
Input Type Select Input Text
Data Type Select String
Field Length 40
Status Select the checkbox
8. On the next tab, choose the Custom Field Group created in the first step. Save the custom field using Save
button at the bottom.
9. In the Field Mapping app, create a new field mapping between the IAG custom field and SAP Integrated
Business Planning field.
After creating this configuration, there will be a new custom field in Access Request which will read the
login name from the authentication system (example: IAS). This will be blank if the login name is not
maintained. In this case, it will use the same P-number for the user provisioning.
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 133
11.11 SAP Analytics Cloud
The information in this section describes the procedure for connecting SAP Analytics Cloud to the SAP Cloud
Identity Access Governance solution and its services.
SAP Cloud Identity Access Governance is a cloud-based solution for creating self-service requests to
applications for on-premise and cloud source applications and systems. By connecting to the solution, it
enables SAP Analytics Cloud users to initiate access requests, which are then provisioned to target
applications.
SAP Cloud Identity Access Governance Admin Guide
134 PUBLIC Integration Scenarios
11.11.1 Process Overview
There are three overall steps to enable integration between SAP Analytics Cloud systems and the SAP Cloud
Identity Access Governance solution and its services:
1. In the SAP Cloud Platform, set up destination for the SAP Analytics Cloud system.
2. In the access request service, use the Systems app to create an instance for the SAP Analytics Cloud
system.
3. In the access request service, use the Job Scheduler app to sync user data and provision access requests.
11.11.1.1 Create Proxy System
Create a proxy system to enable SAP Analytics Cloud to connect with the SAP Cloud Platform.
Context
Procedure
1. Log into the SAP Cloud Platform cockpit, go to your SCP tenant instance, and open Services Identity
Provisioning Go To Service Proxy System .
2. Copy the external system ID and use it to set up the SAP Analytics Cloud instance in the Systems app in the
next step.
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 135
3. Add a proxy system for SAP Analytics Cloud and click Save, the Type should be SAP Analytics Cloud.
4. Click on the Properties and add all the following properties:
The OAUTH2 service token can be generated in the SAC system. Click on System Administration App
Integration Click on Add a new OAuth Client
11.11.1.2 Create Destinations
In the SAP Cloud Platform, create destinations for your SAP Analytics Cloud instance.
1. Log into the SAP Cloud Platform cockpit and go to your tenant.
2. In the left-hand pane, Connectivity Destinations, and then select New Destination.
SAP Cloud Identity Access Governance Admin Guide
136 PUBLIC Integration Scenarios
3. Create a destination for the SAP Analytics Cloud instance, using the following constraints.
Note
It is very important to accurately enter the text strings as specified below. We recommend copying and
pasting them.
*Name IPS_PROXY
Type HTTP
Description IPS Destination
*URL Enter the URL of the IPS Instance
Proxy Type Internet
Authentication BasicAuthentication
*User Name of the User to access IPS
Password Password of the User
Accept application/scim+json
*OAuth2TokenServiceURL <OAUTH Token URL>?grant_type=client_credentials
GROUPSURL /Groups
serviceURL /ipsproxy/api/v1/scim/
USERSURL /Users
11.11.1.3 Add SAP Analytics Cloud System
Create an instance for SAP Analytics Cloud in the access request service Systems app.
1. Log into the SAP Cloud Identity Access Governance launchpad and open the Systems app.
2. Create a system for SAP Analytics Cloud. For System Type, select SAP Analytics Cloud.
3. In the SCP Destination field, enter the name of the IPS destination created in the above step for the SAP
Analytics Cloud instance.
4. Enter the external system ID marked in previous step Create Proxy System.
5. Save.
11.11.1.4 Sync User Data and Provision Access Requests
In the access request service launchpad, open the Job Schedulerapp.
In the Job Category dropdown list, schedule the following jobs:
● Repository Sync to synchronize the relevant data from SAP Analytics Cloud to the access request service.
In the System Type dropdown list, select SAP Analytics Cloud. In the System dropdown list, select the
configured Analytics Cloud System.
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 137
● Provisioning to initiate the provisioning of access requests.
Note
You can only assign groups to a user because it is not possible to directly assign roles.
11.12 LDAP System
The information in this section describes the procedure for connecting LDAP to the SAP Cloud Identity Access
Governance solution and its services.
SAP Cloud Identity Access Governance is a cloud-based solution for creating self-service requests to
applications for on-premise and cloud source applications and systems. By connecting to the solution, it
enables IAG users to initiate access requests, which are then provisioned to target applications.
Note
Currently, we only support Microsoft LDAP (Microsoft Active Directory). Additionally, only users in the top
organization unit on the LDAP server can be provisioned. The users can then be assigned to or removed
from groups.
SAP Cloud Identity Access Governance Admin Guide
138 PUBLIC Integration Scenarios
11.12.1 Process Overview
There are three overall steps to integrate the LDAP system with the SAP Cloud Identity Access Governance
solution and its services:
Procedure
1. In the SAP Cloud Platform cockpit, set up destination for the SAP LDAP system.
2. In the SAP Cloud Identity Access Governance launchpad, use the Systems app to create an instance for the
LDAP system.
3. In the SAP Cloud Identity Access Governance launchpad, use the Job Scheduler app to sync user data and
provision access requests.
11.12.1.1 Create Proxy System
Create a proxy system to connect the SAP LDAP system with the SAP Cloud Platform.
Procedure
1. Log into the SAP Cloud Platform cockpit, go to your SCP tenant instance, and open Services Identity
Provisioning Go To Service Proxy System .
2. Add a proxy system for the LDAP system and select Microsoft Active Directory or LDAP based on the target
LDAP system type.
3. Properties should have ldap.group.path and ldap.user.path.
Name Value
ips.trace.failed entity. content: false
ldap.group.path : LDAP path to group
ldap.respond.with.resource.after.create true
ldap.respond.with.resource.after.update true
ldap.user.path: LDAP path to group
4. Save to create the proxy system.
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 139
5. Copy the external system ID from the URL and use it to set up the LDAP instance in the Systems app in the
next step.
11.12.1.2 Create Destinations
In the SAP Cloud Platform, create a destination for your LDAP instance.
Procedure
1. Log into the SAP Cloud Platform cockpit and go to your subaccount.
2. In the left-hand pane, select Destinations, and then select New Destination.
3. Create a destination for the LDAP instance, using the following properties.
Name <Your destination name>
SAP Cloud Identity Access Governance Admin Guide
140 PUBLIC Integration Scenarios
Type LDAP
URL Enter the URL of the LDAP Instance
Proxy Type OnPremise
Authentication BasicAuthentication
User User ID of the User to access LDAP
Password Password of the User
11.12.1.3 Add LDAP System
Create an instance for LDAP in the SAP Cloud Identity Access Governance launchpad.
Procedure
1. Log into the SAP Cloud Identity Access Governance launchpad and open the Systems app.
2. Create a system for LDAP. For System Type, select LDAP.
3. In the HCP Destination field, enter the name of the LDAP destination created in the above step for the LDAP
instance.
4. Enter the external system ID marked in previous step Create Proxy System and save your entries.
11.12.1.4 Create Cloud Connector
In the cloud connector system, create the cloud connector.
Procedure
1. Log into the Cloud Connector system.
2. In the tenant subaccount, select your tenant and select Cloud to On-Premise.
3. Add a new entry in the Mapping Virtual To Internal System section with the following properties:
Back-end Type Non-SAP System
Protocol LDAP
Internal Host URL of the LDAP server
Internal Port LDAP server port
4. Select Check Availability of Internal Host to ensure the host is reachable.
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 141
11.12.1.5 Sync User Data and Provision Access Requests
In SAP Cloud Identity Access Governance launchpad, open the Job Scheduler app.
In the Job Category dropdown list, schedule the following jobs:
● Repository Sync to synchronize the relevant data from LDAP to the access request service.
In the System Type dropdown list, select LDAP.
In the System dropdown list, select the configured LDAP System.
● Provisioning to initiate the provisioning of access requests.
11.13 SAP Identity Authentication
The information in this section describes the procedure for connecting the SAP Identity Authentication to
the SAP Cloud Identity Access Governance solution and its services. SAP Cloud Identity Access Governance
(IAG) is a cloud-based solution for creating self-service requests to applications for on-premise and cloud
source applications and systems. By connecting to the solution, it enables the SAP Identity Authentication
users to initiate access requests, which are then provisioned to target applications.
11.13.1 Process Overview
There are three overall steps to enable integration between the SAP Identity Authentication system and the
SAP Cloud Identity Access Governance solution and its services:
1. In the SAP Cloud Platform cockpit, set up destination for the SAP Identity Authentication system.
2. In the access request service, use the Systems app to create an instance for the SAP Identity
Authentication system.
SAP Cloud Identity Access Governance Admin Guide
142 PUBLIC Integration Scenarios
3. In the access request service, use the Job Scheduler app to sync user data and provision access requests.
11.13.2 Register OAuth Client for the Identity Provisioning
1. Open your subaccount in the SAP Cloud Platform cockpit.
2. Register a new OAuth client for the subscription to the ipsproxy application:
1. Go to Security OAuth Clients.
2. Select Register New Client.
3. From the Subscription combo box, select <provider_subaccount>/ipsproxy.
4. From the Authorization Grant combo box, select Client Credentials.
5. In the Secret field, enter a password (client secret) and remember it. You will need it later for the
repository configuration in the external system.
6. Copy/paste and save (in a notepad) the generated client ID. You will need it later, too.
3. Assign role IPS_PROXY_USER to the OAuth client:
1. From the left-side navigation, select Subscriptions.
2. Under the Java Applications section, select ipsproxy.
3. From the left-side navigation, select Roles.
4. Assign role IPS_PROXY_USER to the newly created OAuth client. Choose Assign and enter
oauth_client_<client_ID>, where <client_ID> is the one you have saved in the previous step.
11.13.3 Create Destinations
In the SAP Cloud Platform (SCP), create destinations for your Identity Provisioning Service.
1. Log into the SAP Cloud Platform cockpit and go to your tenant.
2. In the left-hand pane, select Connectivity Destination New Destination .
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 143
Note
It is very important to accurately enter the text strings as specified below. We recommend copying and
pasting them.
Parameter Value
*Name IPS_PROXY
Type HTTP
Description IPS Destination
*URL Enter the URL of the IPS Instance
Proxy Type Internet
Authentication BasicAuthentication
*User <Name of the User to access IPS>
Password <Password of the User>
Accept application/scim+json
*OAuth2TokenServiceURL <OAUTH Token URL>?grant_type=client_credentials
GROUPSURL /Groups
serviceURL /ipsproxy/api/v1/scim/
USERSURL /Users
3. Note
The URL can be copied from the SAP Cloud Platform (SCP)-Subscriptions-ipsproxy-Application URLs.
Select ipsproxy to get the Application URL.
SAP Cloud Identity Access Governance Admin Guide
144 PUBLIC Integration Scenarios
4. User is the Client ID configured through the SAP Cloud Platform - Security OAUTH Clients for
service IPSProxy (or) it is the same as configured in the previous section.
5. OAuth2TokenServiceURL can be copied from SAP Cloud Platform(SCP)-Security-OAuth-Token
EndPoint.https://oauthasservices-TENANTID.int.sap.eu2.hana.ondemand.com/oauth2/api/v1/token?
grant_type=client_credentials
11.13.4 Create Proxy System
Create a proxy system to enable the SAP Identity Authentication system to connect with the SAP Cloud
Platform.
1. Log into the SAP Cloud Platform cockpit, go to your SCP tenant instance, and open Services Identity
Provisioning Go To Service Proxy System .
2. Add a proxy system for the SAP Identity Authentication and select Save; the Type should be SAP Cloud
Platform Identity Authentication.
The service generates a URL for the proxy system specified for the SAP Identity Authentication. The
external ID is included in the URL as displayed below.
Note
Copy the external system ID and use it to set up the SAP Identity Authentication instance in the
Systems app in the next section Add SAP Identity Authentication System
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 145
3. Select Properties and add the following properties:
1. To obtain the URL for IAS, go to SCP Trust Application Identity Provider .
2. For the property User, enter the technical user name configured for the Identity Authentication. This
name is automatically generated.
Example: <Technical ID>
3. For the property Password, enter the password for the technical user.
4. Default read and write transformations are generated.
SAP Cloud Identity Access Governance Admin Guide
146 PUBLIC Integration Scenarios
Modify the following transformations for IAG to read and provision:
Read Transformation Write Transformation
{ {
"user": { "user": {
"mappings": [ "condition":
{ "($.emails.length() > 0) &&
"sourcePath": "$", ($.name.familyName EMPTY false)",
"targetPath": "$" "mappings": [
}, {
{ "sourcePath": "$",
"sourcePath": "$.id", "targetPath": "$"
"targetVariable": },
"entityIdSourceSystem" {
}, "sourcePath":
{ "$.groups",
"sourceVariable":
"entityBaseLocation", "preserveArrayWithSingleElement":
"targetPath": true,
"$.meta.location", "optional": true,
"targetVariable": "targetPath":
"entityLocationSourceSystem", "$.corporateGroups"
"functions": [ },
{ {
"type": "sourceVariable":
"concatString", "entityIdTargetSystem",
"suffix": "$ "targetPath": "$.id"
{entityIdSourceSystem}" },
} {
] "constant": true,
}, "targetPath":
{ "$.active"
"targetPath": },
"$.hasPassword", {
"type": "remove" "constant": "true",
}, "targetPath":
{ "$.sendMail",
"targetPath": "scope":
"$.groups[*].display", "createEntity"
"type": "remove" },
}, {
{ "constant": "true",
"condition": "targetPath":
"$.displayName EMPTY true", "$.mailVerified",
"targetPath": "scope":
"$.displayName", "createEntity"
"type": "remove" },
}, {
{ "constant":
"sourcePath": "disabled",
"$.timeZone", "targetPath":
"optional": true, "$.passwordStatus",
"targetPath": "scope":
"$.timezone" "createEntity"
}, },
{ {
"sourcePath": "$ "constant":
['urn:ietf:params:scim:schemas:extens "employee",
ion:enterprise:2.0:User'] "targetPath":
['employeeNumber']", "$.userType"
"optional": true, },
"targetPath": "$ {
['urn:ietf:params:scim:schemas:extens
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 147
Read Transformation Write Transformation
ion:enterprise:2.0:User'] "targetPath":
['employeeNumber']" "$.groups",
}, "type": "remove"
{ },
"sourcePath": "$ {
['urn:ietf:params:scim:schemas:extens "sourcePath": "$
ion:enterprise:2.0:User'] ['urn:ietf:params:scim:schemas:extens
['costCenter']", ion:enterprise:2.0:User']",
"optional": true, "optional": true,
"targetPath": "$ "targetPath": "$
['urn:ietf:params:scim:schemas:extens ['urn:ietf:params:scim:schemas:extens
ion:enterprise:2.0:User'] ion:enterprise:2.0:User']"
['costCenter']" },
}, {
{ "sourcePath":
"sourcePath": "$ "$.timezone",
['urn:ietf:params:scim:schemas:extens "optional": true,
ion:enterprise:2.0:User'] "targetPath":
['organization']", "$.timeZone"
"optional": true, }
"targetPath": "$ ],
['urn:ietf:params:scim:schemas:extens "scimEntityEndpoint": "Users"
ion:enterprise:2.0:User'] },
['organization']" "group": {
}, "mappings": [
{ {
"sourcePath": "$ "sourceVariable":
['urn:ietf:params:scim:schemas:extens "entityIdTargetSystem",
ion:enterprise:2.0:User'] "targetPath": "$.id"
['division']", },
"optional": true, {
"targetPath": "$ "sourcePath":
['urn:ietf:params:scim:schemas:extens "$.displayName",
ion:enterprise:2.0:User'] "targetPath":
['division']" "$.displayName"
}, },
{ {
"sourcePath": "$ "sourcePath":
['urn:ietf:params:scim:schemas:extens "$.displayName",
ion:enterprise:2.0:User'] "targetPath": "$
['department']", ['urn:sap:cloud:scim:schemas:extensio
"optional": true, n:custom:2.0:Group']['name']",
"targetPath": "$ "scope":
['urn:ietf:params:scim:schemas:extens "createEntity",
ion:enterprise:2.0:User'] "functions": [
['department']" {
}, "type":
{ "replaceAllString",
"sourcePath": "$ "regex": "[\
['urn:ietf:params:scim:schemas:extens \s\\p{Punct}]",
ion:enterprise:2.0:User']['manager']
['value']", "replacement": "_"
"optional": true, }
"targetPath": "$ ]
['urn:ietf:params:scim:schemas:extens },
ion:enterprise:2.0:User']['manager'] {
['value']" "sourcePath": "$
}, ['urn:sap:cloud:scim:schemas:extensio
{ n:custom:2.0:Group']['name']",
"sourcePath": "$ "optional": true,
['urn:ietf:params:scim:schemas:extens "targetPath": "$
ion:enterprise:2.0:User']['manager'] ['urn:sap:cloud:scim:schemas:extensio
['displayName']", n:custom:2.0:Group']['name']"
},
SAP Cloud Identity Access Governance Admin Guide
148 PUBLIC Integration Scenarios
Read Transformation Write Transformation
"optional": true, {
"targetPath": "$ "sourcePath": "$
['urn:ietf:params:scim:schemas:extens ['urn:sap:cloud:scim:schemas:extensio
ion:enterprise:2.0:User']['manager'] n:custom:2.0:Group']['description']",
['displayName']" "optional": true,
}, "targetPath": "$
{ ['urn:sap:cloud:scim:schemas:extensio
"sourcePath": "$ n:custom:2.0:Group']['description']"
['urn:sap:cloud:scim:schemas:extensio },
n:custom:2.0:User']", {
"optional": true, "sourcePath":
"targetPath": "$ "$.members",
['urn:sap:cloud:scim:schemas:extensio
n:custom:2.0:User']" "preserveArrayWithSingleElement":
}, true,
{ "optional": true,
"sourcePath": "targetPath":
"$.company", "$.members"
"optional": true, }
"targetPath": "$ ],
['urn:ietf:params:scim:schemas:extens "scimEntityEndpoint":
ion:enterprise:2.0:User'] "Groups"
['organization']" }
} }
],
"scimEntityEndpoint": "Users"
},
"group": {
"mappings": [
{
"sourcePath": "$.id",
"targetPath": "$.id",
"targetVariable":
"entityIdSourceSystem"
},
{
"sourceVariable":
"entityBaseLocation",
"targetPath":
"$.meta.location",
"targetVariable":
"entityLocationSourceSystem",
"functions": [
{
"type":
"concatString",
"suffix": "$
{entityIdSourceSystem}"
}
]
},
{
"constant":
"urn:ietf:params:scim:schemas:core:
2.0:Group",
"targetPath":
"$.schemas[0]"
},
{
"sourcePath": "$
['urn:sap:cloud:scim:schemas:extensio
n:custom:2.0:Group']['name']",
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 149
Read Transformation Write Transformation
"targetPath":
"$.displayName"
},
{
"sourcePath":
"$.members",
"preserveArrayWithSingleElement":
true,
"optional": true,
"targetPath":
"$.members"
},
{
"constant":
"urn:sap:cloud:scim:schemas:extension
:custom:2.0:Group",
"targetPath":
"$.schemas[1]"
},
{
"sourcePath": "$
['urn:sap:cloud:scim:schemas:extensio
n:custom:2.0:Group']['name']",
"targetPath": "$
['urn:sap:cloud:scim:schemas:extensio
n:custom:2.0:Group']['name']"
},
{
"sourcePath": "$
['urn:sap:cloud:scim:schemas:extensio
n:custom:2.0:Group']['description']",
"optional": true,
"targetPath": "$
['urn:sap:cloud:scim:schemas:extensio
n:custom:2.0:Group']['description']"
}
],
"scimEntityEndpoint":
"Groups"
}
}
11.13.5 Add SAP Identity Authentication System
Create an instance for the SAP Identity Authentication system in the Systems app for the access request
service.
1. Log into the SAP Cloud Identity Access Governance launchpad and open the Systems app.
2. Create a system for SAP Identity Authentication. For System Type, select SAP Identity Authentication.
3. In the SCP Destination field, enter the name of the IPS destination (IPS_PROXY) created in the previous
section Create Destination.
4. Enter the external system ID marked in the previous step Create Proxy System.
5. Save your entries.
SAP Cloud Identity Access Governance Admin Guide
150 PUBLIC Integration Scenarios
11.13.6 Manage Rule Sets
To create a user in SAP Identity Authentication (IAS) for single sign-on, business rules must be defined.
Procedure
1. Go to SAP Cloud Platform Business Rules.
2. In the Data Object UserHRFields enter the attribute Status.
3. In the Decision Table, enter the following:
Status System Type
t IAS tenant name SYS
4. Create a new rule and select Validate.
5. Go to Rule Select, select the business rule and Deploy.
6. Add the business rule to the ruleset.
7. Redeploy the rule services.
11.13.7 Sync User Data and Provision Access Requests
In the access request service launchpad, open the Job Scheduler app.
In the Job Category dropdown list, schedule the following jobs:
● Repository Sync to synchronize the relevant data from the SAP Identity Authentication to the access
request service.
In the System Type dropdown list, select the SAP Identity Authentication.
In the System dropdown list, select the configured SAP Identity Authentication System.
● Provisioning to initiate the provisioning of access requests.
11.14 SAP Cloud Platform
The information in this section describes the procedure for connecting the SAP Cloud Platform (SCP) to
the SAP Cloud Identity Access Governance solution and its services.
This section provides details for connecting the following platforms to the SAP Cloud Identity Access
Governance (IAG):
● SAP Cloud Platform - Cloud Foundry
● SAP Cloud Platform - NEO
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 151
11.14.1 SAP Cloud Platform - Cloud Foundry
The information in this section describes the procedure for connecting SAP Cloud Foundry to the SAP Cloud
Identity Access Governance solution and its services.
SAP Cloud Identity Access Governance is a cloud-based solution for creating self-service requests to
applications for on-premise and cloud source applications and systems. By connecting to the solution, it
enables SAP Cloud Foundry users to initiate access requests, which are then provisioned to target applications.
11.14.1.1 Process Overview
There are three overall steps to enable integration between SAP Cloud Platform and the SAP Cloud Identity
Access Governance solution and its services:
1. In the SAP Cloud Platform cockpit set up destination for the SAP Cloud Foundry.
2. In the access request service, use the Systems app to create an instance for the SAP Cloud Foundry.
3. In the access request service, use the Job Scheduler app to sync user data and provision access requests.
SAP Cloud Identity Access Governance Admin Guide
152 PUBLIC Integration Scenarios
11.14.1.1.1 Create Proxy System
Create a proxy system to enable SAP Cloud Foundry to connect with the SAP Cloud Platform cockpit.
1. Log into the SAP Cloud Platform cockpit, go to your SCP tenant instance, and open Services Identity
Provisioning Service Proxy System .
2. Copy the external system ID and use it to set up the SAP Cloud Foundry instance in the Systems app.
3. Add a proxy system for SAP Cloud Foundry and choose Save. The Type should be SAP HANA XS
Advanced UAA Server. For more details, refer to SAP HANA XS Advanced UAA Server
Type SAP HANA XS Advanced UAA Server
System Name XSUAA
Destination Name
Description XSUAA test system
4. Choose Properties and add all the following properties:
Name Value
Authentication BasicAuthentication
ips.trace.failed.entity.content false
OAuth2TokenServiceURL OAuth token service to Cloud Foundry that needs to be configured in the
Cloud Foundry system.
Password ********************
ProxyType Internet
scim.support.patch.operation true
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 153
Name Value
Type HTTP
URL Enter the Cloud Foundry tenant URL.
User Enter Login Username
xsuaa.origin Enter the location of your identity provider
xsuaa.origin.filter.enabled true
11.14.1.1.2 Create Destinations
In the SAP Cloud Platform, create destinations for your SAP Analytics Cloud instance.
1. Log into the SAP Cloud Platform cockpit and go to your tenant.
2. In the left-hand pane, click Connectivity Destinations, and then click New Destination.
3. Create a destination for the Cloud Foundry instance, using the following constraints.
Note
It is very important to accurately enter the text strings as specified below. We recommend copying and
pasting them.
*Name IPS_PROXY
Type HTTP
Description IPS Destination
*URL Enter the URL of the IPS Instance
Proxy Type Internet
Authentication BasicAuthentication
*User Name of the User to access IPS
Password Password of the User
Accept application/scim+json
*OAuth2TokenServiceURL <OAUTH Token URL>?grant_type=client_credentials
GROUPSURL /Groups
serviceURL /ipsproxy/api/v1/scim/
USERSURL /Users
SAP Cloud Identity Access Governance Admin Guide
154 PUBLIC Integration Scenarios
11.14.1.1.3 Add SAP Cloud Foundry System
Create an instance for SAP Cloud Foundry in the access request service Systems app.
1. Log into the SAP Cloud Identity Access Governance launchpad and open the Systems app.
2. Create a system for SAP Cloud Foundry. For System Type, select Cloud Foundry.
3. Enter the external system ID marked in the previous step Create Proxy system.
4. In the HCP Destination field, enter the name of the IPS destination for the SAP Cloud Foundry instance.
5. Save.
11.14.1.1.4 Sync User Data and Provision Access Requests
In the access request service launchpad, open the Job Scheduler app. In the Job Category dropdown list,
schedule the following jobs:
● Repository Sync to synchronize the relevant data from SAP Cloud Foundry to the access request service.
In the System Type dropdown list, select Cloud Foundry.
In the System dropdown list, select the configured Cloud Foundry System.
● Provisioning to initiate the provisioning of access requests.
11.14.2 SAP Cloud Platform - NEO
The information in this section describes the procedure for connecting the SAP Cloud Platform (SCP) to
the SAP Cloud Identity Access Governance solution and its services. SAP Cloud Identity Access Governance
(IAG) is a cloud-based solution for creating self-service requests to applications for on-premise and cloud
source applications and systems. By connecting to the solution, it enables the SAP Cloud Platform users to
initiate access requests, which are then provisioned to target applications.
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 155
11.14.2.1 Process Overview
There are three overall steps to enable integration between the SAP Cloud Platform and the SAP Cloud Identity
Access Governance solution and its services:
1. In the SAP Cloud Platform cockpit, set up destination for the Identity Provisioning Service to integrate the
SAP Cloud Platform with the IAG solution.
2. In the access request service, use the Systems app to create an instance for the SAP Cloud Platform.
3. In the access request service, use the Job Scheduler app to sync user data and provision access requests.
11.14.2.1.1 Register OAuth Client for the Identity Provisioning
1. Open your subaccount in the SAP Cloud Platform cockpit.
2. Register a new OAuth client for the subscription to the ipsproxy application:
1. Go to Security OAuth Clients.
2. Select Register New Client.
3. From the Subscription combo box, select <provider_subaccount>/ipsproxy.
4. From the Authorization Grant combo box, select Client Credentials.
5. In the Secret field, enter a password (client secret) and remember it. You will need it later for the
repository configuration in the external system.
6. Copy/paste and save (in a notepad) the generated client ID. You will need it later, too.
3. Assign role IPS_PROXY_USER to the OAuth client:
1. From the left-side navigation, select Subscriptions.
2. Under the Java Applications section, select ipsproxy.
3. From the left-side navigation, select Roles.
4. Assign role IPS_PROXY_USER to the newly created OAuth client. Choose Assign and enter
oauth_client_<client_ID>, where <client_ID> is the one you have saved in the previous step.
11.14.2.1.2 Create Proxy System
Create a proxy system to connect with the SAP Cloud Platform.
1. Log into the SAP Cloud Platform cockpit, go to your SCP tenant instance, and open Services Identity
Provisioning Go To Service Proxy System .
2. Add a proxy system for the SAP Cloud Platform and select Save; the Type should be SAP Cloud Platform
Java/HTML5 Apps.
Note
Copy the external system ID and use it to set up the SAP Cloud Platform instance in the Systems app in
the next section Add SAP Cloud Platform.
SAP Cloud Identity Access Governance Admin Guide
156 PUBLIC Integration Scenarios
3. Select Properties and add the following properties:
hcp.application.names some-app-name
hcp.patch.response.with.resource true
hcp.read.group.roles true
ips.trace.failed.entity.content true
OAuth2TokenServiceURL https://api.<hostname>/authorization/v1/accounts/
<tenantid>
Here, tenantid can be retrieved from the Technical Name
found in the subaccount.
Password Enter the password
ProxyType Internet
Type HTTP
URL https://api.<hostname>/oauth2/apitoken/v1
Hostname can be retrieved from the URL of your SCP ten
ant or refer to https://launchpad.support.sap.com/#/
notes/ 2418879
Example: api.eu2.hana.ondemand.com is for EU (Frank
furt) datacenter
User User enters the relevant GUID
Authentication BasicAuthentication
1. To obtain the Admin user for the SAP Cloud Platform, go to Security OAuth Platform API.
2. To create oAuthclient for oAuth Platform API, select Authorization Management.
3. For the property Password, enter the password for the technical user.
4. Default read and write transformations are generated.
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 157
Modify the following transformations for IAG to read and provision as follows:
Read Transformation Write Transformation
{ {
"user": { "user": {
"mappings": [ "condition":
{ "($.emails.length() > 0) &&
"sourcePath": "$", ($.name.familyName EMPTY false)",
"targetPath": "$" "mappings": [
}, {
{ "sourcePath": "$",
"sourcePath": "$.id", "targetPath": "$"
"targetVariable": },
"entityIdSourceSystem" {
}, "sourcePath":
{ "$.groups",
"sourceVariable":
"entityBaseLocation", "preserveArrayWithSingleElement":
"targetPath": true,
"$.meta.location", "optional": true,
"targetVariable": "targetPath":
"entityLocationSourceSystem", "$.corporateGroups"
"functions": [ },
{ {
"type": "sourceVariable":
"concatString", "entityIdTargetSystem",
"suffix": "$ "targetPath": "$.id"
{entityIdSourceSystem}" },
} {
] "constant": true,
}, "targetPath":
{ "$.active"
"targetPath": },
"$.hasPassword", {
"type": "remove" "constant": "true",
}, "targetPath":
{ "$.sendMail",
"targetPath": "scope":
"$.groups[*].display", "createEntity"
"type": "remove" },
}, {
{ "constant": "true",
"condition": "targetPath":
"$.displayName EMPTY true", "$.mailVerified",
"targetPath": "scope":
"$.displayName", "createEntity"
"type": "remove" },
}, {
{ "constant":
"sourcePath": "disabled",
"$.timeZone", "targetPath":
"optional": true, "$.passwordStatus",
"targetPath": "scope":
"$.timezone" "createEntity"
}, },
{ {
"sourcePath": "$ "constant":
['urn:ietf:params:scim:schemas:extens "employee",
ion:enterprise:2.0:User'] "targetPath":
['employeeNumber']", "$.userType"
"optional": true, },
"targetPath": "$ {
['urn:ietf:params:scim:schemas:extens
SAP Cloud Identity Access Governance Admin Guide
158 PUBLIC Integration Scenarios
Read Transformation Write Transformation
ion:enterprise:2.0:User'] "targetPath":
['employeeNumber']" "$.groups",
}, "type": "remove"
{ },
"sourcePath": "$ {
['urn:ietf:params:scim:schemas:extens "sourcePath": "$
ion:enterprise:2.0:User'] ['urn:ietf:params:scim:schemas:extens
['costCenter']", ion:enterprise:2.0:User']",
"optional": true, "optional": true,
"targetPath": "$ "targetPath": "$
['urn:ietf:params:scim:schemas:extens ['urn:ietf:params:scim:schemas:extens
ion:enterprise:2.0:User'] ion:enterprise:2.0:User']"
['costCenter']" },
}, {
{ "sourcePath":
"sourcePath": "$ "$.timezone",
['urn:ietf:params:scim:schemas:extens "optional": true,
ion:enterprise:2.0:User'] "targetPath":
['organization']", "$.timeZone"
"optional": true, }
"targetPath": "$ ],
['urn:ietf:params:scim:schemas:extens "scimEntityEndpoint": "Users"
ion:enterprise:2.0:User'] },
['organization']" "group": {
}, "mappings": [
{ {
"sourcePath": "$ "sourceVariable":
['urn:ietf:params:scim:schemas:extens "entityIdTargetSystem",
ion:enterprise:2.0:User'] "targetPath": "$.id"
['division']", },
"optional": true, {
"targetPath": "$ "sourcePath":
['urn:ietf:params:scim:schemas:extens "$.displayName",
ion:enterprise:2.0:User'] "targetPath":
['division']" "$.displayName"
}, },
{ {
"sourcePath": "$ "sourcePath":
['urn:ietf:params:scim:schemas:extens "$.displayName",
ion:enterprise:2.0:User'] "targetPath": "$
['department']", ['urn:sap:cloud:scim:schemas:extensio
"optional": true, n:custom:2.0:Group']['name']",
"targetPath": "$ "scope":
['urn:ietf:params:scim:schemas:extens "createEntity",
ion:enterprise:2.0:User'] "functions": [
['department']" {
}, "type":
{ "replaceAllString",
"sourcePath": "$ "regex": "[\
['urn:ietf:params:scim:schemas:extens \s\\p{Punct}]",
ion:enterprise:2.0:User']['manager']
['value']", "replacement": "_"
"optional": true, }
"targetPath": "$ ]
['urn:ietf:params:scim:schemas:extens },
ion:enterprise:2.0:User']['manager'] {
['value']" "sourcePath": "$
}, ['urn:sap:cloud:scim:schemas:extensio
{ n:custom:2.0:Group']['name']",
"sourcePath": "$ "optional": true,
['urn:ietf:params:scim:schemas:extens "targetPath": "$
ion:enterprise:2.0:User']['manager'] ['urn:sap:cloud:scim:schemas:extensio
['displayName']", n:custom:2.0:Group']['name']"
},
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 159
Read Transformation Write Transformation
"optional": true, {
"targetPath": "$ "sourcePath": "$
['urn:ietf:params:scim:schemas:extens ['urn:sap:cloud:scim:schemas:extensio
ion:enterprise:2.0:User']['manager'] n:custom:2.0:Group']['description']",
['displayName']" "optional": true,
}, "targetPath": "$
{ ['urn:sap:cloud:scim:schemas:extensio
"sourcePath": "$ n:custom:2.0:Group']['description']"
['urn:sap:cloud:scim:schemas:extensio },
n:custom:2.0:User']", {
"optional": true, "sourcePath":
"targetPath": "$ "$.members",
['urn:sap:cloud:scim:schemas:extensio
n:custom:2.0:User']" "preserveArrayWithSingleElement":
}, true,
{ "optional": true,
"sourcePath": "targetPath":
"$.company", "$.members"
"optional": true, }
"targetPath": "$ ],
['urn:ietf:params:scim:schemas:extens "scimEntityEndpoint":
ion:enterprise:2.0:User'] "Groups"
['organization']" }
} }
],
"scimEntityEndpoint": "Users"
},
"group": {
"mappings": [
{
"sourcePath": "$.id",
"targetPath": "$.id",
"targetVariable":
"entityIdSourceSystem"
},
{
"sourceVariable":
"entityBaseLocation",
"targetPath":
"$.meta.location",
"targetVariable":
"entityLocationSourceSystem",
"functions": [
{
"type":
"concatString",
"suffix": "$
{entityIdSourceSystem}"
}
]
},
{
"constant":
"urn:ietf:params:scim:schemas:core:
2.0:Group",
"targetPath":
"$.schemas[0]"
},
{
"sourcePath": "$
['urn:sap:cloud:scim:schemas:extensio
n:custom:2.0:Group']['name']",
SAP Cloud Identity Access Governance Admin Guide
160 PUBLIC Integration Scenarios
Read Transformation Write Transformation
"targetPath":
"$.displayName"
},
{
"sourcePath":
"$.members",
"preserveArrayWithSingleElement":
true,
"optional": true,
"targetPath":
"$.members"
},
{
"constant":
"urn:sap:cloud:scim:schemas:extension
:custom:2.0:Group",
"targetPath":
"$.schemas[1]"
},
{
"sourcePath": "$
['urn:sap:cloud:scim:schemas:extensio
n:custom:2.0:Group']['name']",
"targetPath": "$
['urn:sap:cloud:scim:schemas:extensio
n:custom:2.0:Group']['name']"
},
{
"sourcePath": "$
['urn:sap:cloud:scim:schemas:extensio
n:custom:2.0:Group']['description']",
"optional": true,
"targetPath": "$
['urn:sap:cloud:scim:schemas:extensio
n:custom:2.0:Group']['description']"
}
],
"scimEntityEndpoint":
"Groups"
}
11.14.2.1.3 Create Destinations
In the SAP Cloud Platform (SCP), create destinations for your Identity Provisioning Service.
1. Log into the SAP Cloud Platform cockpit and go to your tenant.
2. In the left-hand pane, select Connectivity Destination New Destination .
Note
It is very important to accurately enter the text strings as specified below. We recommend copying and
pasting them.
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 161
Parameter Value
*Name IPS_PROXY
Type HTTP
Description IPS Destination
*URL Enter the URL of the IPS Instance
Proxy Type Internet
Authentication BasicAuthentication
*User <Name of the User to access IPS>
Password <Password of the User>
Accept application/scim+json
*OAuth2TokenServiceURL <OAUTH Token URL>?grant_type=client_credentials
GROUPSURL /Groups
serviceURL /ipsproxy/api/v1/scim/
USERSURL /Users
3. Note
The URL can be copied from the SAP Cloud Platform (SCP)-Subscriptions-ipsproxy-Application URLs.
After copying the URL, remove /ipsproxy from the URL.
Select ipsproxy to get the Application URL.
4. User is the Client ID configured through the SAP Cloud Platform - Security OAUTH Clients for
service IPSProxy (or) it is the same as configured in the previous section.
SAP Cloud Identity Access Governance Admin Guide
162 PUBLIC Integration Scenarios
5. OAuth2TokenServiceURL can be copied from SAP Cloud Platform(SCP)-Security-OAuth-Token
EndPoint.https://oauthasservices-TENANTID.int.sap.eu2.hana.ondemand.com/oauth2/api/v1/token?
grant_type=client_credentials
11.14.2.1.4 Add SAP Cloud Platform
Create an instance for the SAP Cloud Platform in the Systems app for the access request service.
1. Log into the SAP Cloud Identity Access Governance launchpad and open the Systems app.
2. Create a system for SAP Cloud Platform. For System Type, select SAP Cloud Platform.
3. In the SCP Destination field, enter the name of the IPS destination (IPS_PROXY) created in the previous
section Create Destination.
4. Enter the external system ID marked in the previous step Create Proxy System.
5. Save your entries.
11.14.2.1.5 Sync User Data and Provision Access Requests
In the access request service launchpad, open the Job Scheduler app.
In the Job Category dropdown list, schedule the following jobs:
● Repository Sync to synchronize the relevant data from the SAP Cloud Platform to the access request
service.
In the System Type dropdown list, select the SAP Cloud Platform.
In the System dropdown list, select the configured SAP Cloud Platform.
● Provisioning to initiate the provisioning of access requests.
SAP Cloud Identity Access Governance Admin Guide
Integration Scenarios PUBLIC 163
12 Business Configuration
12.1 Set Up Master Data
Maintain the following master data to get the full functionality of the SAP Cloud Identity Access Governance
services.
Note
The following is a comprehensive list of the required master data. Some master data may be required for
more than one service. For example: Systems is required for all the services.
Master Data Maintain the Master Data in this App
Application Types Application Types
Systems Systems
Business Function Groups Business Function Groups
Business Processes Business Processes
Functions Functions
Risk Level Risk Level
Risks Risks
Rules Rules
Access Types Access Types
Monitoring Groups Monitoring Groups are defined in the SAP Cloud Platform Identity Authentication serv
ice.
Owners Owners are defined in the SAP Cloud Platform Identity Authentication service.
Test Plans Test Plans
Mitigation Controls Mitigation Controls
Access Access Maintenance
SAP Cloud Identity Access Governance Admin Guide
164 PUBLIC Business Configuration
Master Data Maintain the Master Data in this App
Departments Departments
User Data Maintain User Data
Risk Score Policy (optional) Risk Score Policy
Access Maintenance Access Maintenance
Projects Projects
Access Request Reason Code Access Request Reason Code
Access Request Priority Access Request Priority
Common Master Data [page 165]
You must set up Master Data for all three SAP Cloud Identity Access Governance services: access
analysis service, access request service, and role design service. This topic outlines the common set-up
that is required for all three services. Set up the common master data before setting up the master
data that is specific to the services.
Setting Up Master Data for Access Request Service [page 167]
After setting up the Common Master Data, you must then set up the Master Data specific to your
services. This topic outlines the Master Data needed for Access Request.
Setting Up Master Data for the Role Design Service [page 168]
After setting up the Common Master Data, you must then set up the Master Data specific to your
services. This topic outlines the Master Data needed for the Role Design service.
Setting Up Master Data for Access Analysis Service [page 169]
After setting up the Common Master Data, you must then set up the Master Data specific to your
services. This topic outlines the Master Data needed for Access Analysis.
Related Information
Setting Up Master Data for Access Request Service [page 167]
Setting Up Master Data for the Role Design Service [page 168]
Setting Up Master Data for Access Analysis Service [page 169]
12.1.1 Common Master Data
You must set up Master Data for all three SAP Cloud Identity Access Governance services: access analysis
service, access request service, and role design service. This topic outlines the common set-up that is required
SAP Cloud Identity Access Governance Admin Guide
Business Configuration PUBLIC 165
for all three services. Set up the common master data before setting up the master data that is specific to the
services.
Common Master Data Elements
This image shows master data that is needed for all three SAP Cloud Identity Access Governance services:
access analysis service, access request service, and role design service.
Note
You must set up business processes first, then business subprocesses, then access maintenance.
Dependency / Prerequi
Master Data tile site How the Master Data is Used
Access Maintenance Business Subprocess App is used to display and maintain different types of technical
access.
Access Types None App is used to create and update different types of access
such as single roles, composite roles, and business roles.
Application Types None App is used to create types that categorize applications. Exam
ples of categories could be S/4HANA or HR.
Business Processses None App is used to define your company's operational processes
such as Finance and Marketing
SAP Cloud Identity Access Governance Admin Guide
166 PUBLIC Business Configuration
Dependency / Prerequi
Master Data tile site How the Master Data is Used
Departments None App is used to create and maintain your company's depart
ments such as Finance and Public Relations
Systems None App is used to define the various source and target systems
that connect with SAP Cloud Identity Access Governance. For
example, system connections must be defined for the role
source system and the user source system
To complete the Master Data setup, go to the topic specific to the Services you are setting up. There are
additional setup steps for each service.
Related Information
Setting Up Master Data for Access Analysis Service [page 169]
Setting Up Master Data for Access Request Service [page 167]
Setting Up Master Data for the Role Design Service [page 168]
12.1.2 Setting Up Master Data for Access Request Service
After setting up the Common Master Data, you must then set up the Master Data specific to your services. This
topic outlines the Master Data needed for Access Request.
The table below describes the master data elements that must be set up for the Access Request Service after
you have finished setting up the common Master Data.
Dependency / Prerequi
Master Data App site How the Master Data is Used
Access Request Priority None App is used to define priorities for access requests.
Access Request Reason Code None App is used app to define the Reason for Request choices for
access requests
SAP Cloud Identity Access Governance Admin Guide
Business Configuration PUBLIC 167
Related Information
Common Master Data [page 165]
12.1.3 Setting Up Master Data for the Role Design Service
After setting up the Common Master Data, you must then set up the Master Data specific to your services. This
topic outlines the Master Data needed for the Role Design service.
The table below describes the master data elements that must be set up for the Role Design Service after you
have finished setting up the common Master Data.
Master Data Dependency/ Prerequisite How the Master Data is used
Projects None When companies re-engineer or create
new business roles, it is usually in the
context of a project, such as security in
itiatives, or role optimaization initia
tives.
You use this app to define such
projects. The projects are then available
in the Create Candidate Business Roles
app.
SAP Cloud Identity Access Governance Admin Guide
168 PUBLIC Business Configuration
Related Information
Create Candidate Business Roles (app)
Common Master Data [page 165]
12.1.4 Setting Up Master Data for Access Analysis Service
After setting up the Common Master Data, you must then set up the Master Data specific to your services. This
topic outlines the Master Data needed for Access Analysis.
Note
In some cases, you must define the data in the indicated order. For example, you must define business
function groups before you can define rule setup.
Master Data Details for Access Analysis Service
The table below describes the master data elements that must be set up for the Access Analysis service after
you have finished setting up the common Master Data.
SAP Cloud Identity Access Governance Admin Guide
Business Configuration PUBLIC 169
Dependency / Prerequi
Master Data App site How the Master Data is Used
Functions Business Process App is used to define and maintain functions which are a col
lection of authorizations (actions and permissions). Access
risks are defined based on functions.
Business Functions Group Systems App is used to assign source systems to SAP Cloud Identity
Access Governance. Source can be one or multiple systems.
Mitigation Control Monitoring 1. Business Subprocess App is used to define and maintain mitigation controls which
are used to remediate and monitor access risks.
2. Risks
3. Test Plans
Risk Score Policy 1. Business Process App is used to create, edit, view, deactivate, or delete risks.
2. Function
3. Risk Level
Risk Level None App is used to define the criticality of a risk and the sensitivity
of a risk.
Rule Setup Business Function Group App used to establish, customize, and maintain your SoD or
critical access rules for access analysis.
Test Plans None App allows you to upload test plans for testing mitigation con
trols. Test plans are maintained offline.
Related Information
Common Master Data [page 165]
12.2 Configuration App
The Configuration app is intended for administrators only. It enables administrators to configure a set of
behaviors and parameters in IAG to align with business needs.
SAP Cloud Identity Access Governance Admin Guide
170 PUBLIC Business Configuration
12.2.1 Language Configuration
The purpose of this functionality is to improve performance.
From the Configuration app, you can limit the languages that the data from the database is imported into SAP
Cloud Identity Access Governance.
Choose which languages are used by your company and select Apply.
These are the supported languages:
● English
● German
● Chinese
● French
● Japanese
● Portuguese
● Russian
● Spanish
Note
The default is English.
12.2.2 Application Parameters
Configure your product according to your business needs.
The Application Parameters feature contains a list of configuration groups and parameters that enable you to
set certain attributes and behaviors for IAG.
Note
The list of available configurable parameters is updated regularly.
The table below describes the current available parameters:
Configuration Group Parameter Parameter Value Description
UserSource SourceSystem <enter the name of your Designate a User Source System
system or application> for retrieving user information
such as email address, employ
ee's manager, etc.
SAP Cloud Identity Access Governance Admin Guide
Business Configuration PUBLIC 171
12.2.3 Application Users
You use the Application Users app to upload and download larger data files relevant for application users.
Procedure
1. Go to the Configuration app.
2. On the next screen, before uploading an application users file, select Download File to download a template
of the file that is available in zip format.
3. Extract the template, including the ApplicationUsers_readme.txt file.
4. Familiarize yourself with the ApplicationUsers_readme.txt file.
Add the necessary new data to the extracted files, which are in the tab-delimited text format. For ease of
use, you can open the text files in Microsoft Excel.
5. Save the text files in the tab-delimited text format and add them to a zip file.
6. To upload the zipped file as an application users file, select Upload and Process.
7. To view log reports, proceed as follows:
1. Select Download Validation Log to check for any log validation error messages and that data entered is
correct, for instance, in length and type.
2. Select Download Processing Log to ensure that no data is missing, such as parent data before inserting
child data.
SAP Cloud Identity Access Governance Admin Guide
172 PUBLIC Business Configuration
13 Security and Data Protection and Privacy
For SaaS customers, many of the necessary security measures are taken care of by SAP. For SAP Cloud
Identity Access Governance security information, see the Security Guide on https://help.sap.com/viewer/
product/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE.
SAP Cloud Identity Access Governance Admin Guide
Security and Data Protection and Privacy PUBLIC 173
14 Further Information
Content Location
SAP Cloud Platform https://help.sap.com/viewer/product/CP/Cloud/en-US
SAP Cloud Identity Access Governance https://help.sap.com/viewer/p/SAP_CLOUD_IDEN
TITY_ACCESS_GOVERNANCE
SAP Cloud Identity Access Governance Security Guide https://help.sap.com/viewer/
8927ff487e3e4520b3211167b7f06c31/latest/en-US
SAP Cloud Identity Access Governance Admin Guide
174 PUBLIC Further Information
15 Support Information
For assistance and questions, you can go to the SAP Support Portal at https://support.sap.com, and click on
Report an Incident.
Use the following components as needed.
Service Component
access analysis service GRC-IAG-AA
access certification service GRC-IAG-CER
access request service GRC-IAG-AR
role design service GRC-IAG-RD
privileged access management service GRC-IAG-PAM
SAP Cloud Identity Access Governance Admin Guide
Support Information PUBLIC 175
Important Disclaimers and Legal Information
Hyperlinks
Some links are classified by an icon and/or a mouseover text. These links provide additional information.
About the icons:
● Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your
agreements with SAP) to this:
● The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.
● SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any
damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.
● Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering a SAP-hosted Web site. By using such
links, you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this
information.
Videos Hosted on External Platforms
Some videos may point to third-party video hosting platforms. SAP cannot guarantee the future availability of videos stored on these platforms. Furthermore, any
advertisements or other content hosted on these platforms (for example, suggested videos or by navigating to other videos hosted on the same site), are not within
the control or responsibility of SAP.
Beta and Other Experimental Features
Experimental features are not part of the officially delivered scope that SAP guarantees for future releases. This means that experimental features may be changed by
SAP at any time for any reason without notice. Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use
the experimental features in a live operating environment or with data that has not been sufficiently backed up.
The purpose of experimental features is to get feedback early on, allowing customers and partners to influence the future product accordingly. By providing your
feedback (e.g. in the SAP Community), you accept that intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP.
Example Code
Any software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax
and phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of
example code unless damages have been caused by SAP's gross negligence or willful misconduct.
Gender-Related Language
We try not to use gender-specific word forms and formulations. As appropriate for context and readability, SAP may use masculine word forms to refer to all genders.
SAP Cloud Identity Access Governance Admin Guide
176 PUBLIC Important Disclaimers and Legal Information
SAP Cloud Identity Access Governance Admin Guide
Important Disclaimers and Legal Information PUBLIC 177
www.sap.com/contactsap
© 2021 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form
or for any purpose without the express permission of SAP SE or an SAP
affiliate company. The information contained herein may be changed
without prior notice.
Some software products marketed by SAP SE and its distributors
contain proprietary software components of other software vendors.
National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for
informational purposes only, without representation or warranty of any
kind, and SAP or its affiliated companies shall not be liable for errors or
omissions with respect to the materials. The only warranties for SAP or
SAP affiliate company products and services are those that are set forth
in the express warranty statements accompanying such products and
services, if any. Nothing herein should be construed as constituting an
additional warranty.
SAP and other SAP products and services mentioned herein as well as
their respective logos are trademarks or registered trademarks of SAP
SE (or an SAP affiliate company) in Germany and other countries. All
other product and service names mentioned are the trademarks of their
respective companies.
Please see https://www.sap.com/about/legal/trademark.html for
additional trademark information and notices.
THE BEST RUN
You might also like
- Software Engineering a Methodical Approach 2ndNo ratings yetSoftware Engineering a Methodical Approach 2nd579 pages
- SAP Cloud Identity Access Governance Admin GuideNo ratings yetSAP Cloud Identity Access Governance Admin Guide222 pages
- Report Analysis of Inventory Management Using Elk StackNo ratings yetReport Analysis of Inventory Management Using Elk Stack105 pages
- Digital and Logic Design - Number SystemsNo ratings yetDigital and Logic Design - Number Systems63 pages
- Python and Matplotlib Essentials For Scientists and Engineers-Morgan & Claypool (2015)No ratings yetPython and Matplotlib Essentials For Scientists and Engineers-Morgan & Claypool (2015)205 pages
- Administration Guide: Public 2023-11-25No ratings yetAdministration Guide: Public 2023-11-25454 pages
- Basic Netcool Understanding - Day 2: © 2006 IBM CorporationNo ratings yetBasic Netcool Understanding - Day 2: © 2006 IBM Corporation42 pages
- Characteristics of A Good Programming LanguageNo ratings yetCharacteristics of A Good Programming Language7 pages
- Advanced SAP GRC Interview Questions and Answers - Webbopedia100% (2)Advanced SAP GRC Interview Questions and Answers - Webbopedia23 pages
- 608 Advanced Intelligent Tourist Guide SystemNo ratings yet608 Advanced Intelligent Tourist Guide System16 pages
- SAP Fiori - Security User & Authorization Concept100% (3)SAP Fiori - Security User & Authorization Concept4 pages
- Sap Ecc Security and Administration Training-Index - Ramesh50% (2)Sap Ecc Security and Administration Training-Index - Ramesh6 pages
- All-In-One PLC: KV Nano Application Guide Vol. 8No ratings yetAll-In-One PLC: KV Nano Application Guide Vol. 812 pages
- A Beginners Guide To The Post-Installation Configuration of SAP Access Control100% (2)A Beginners Guide To The Post-Installation Configuration of SAP Access Control123 pages
- SAP Cloud Identity Access Governance Initial SetupNo ratings yetSAP Cloud Identity Access Governance Initial Setup44 pages
- 3 SAP Cloud Identity Access Gov Access AnalysisNo ratings yet3 SAP Cloud Identity Access Gov Access Analysis33 pages
- SAP Interview Answer Script For SAP-Security0% (1)SAP Interview Answer Script For SAP-Security23 pages
- GRC - SAP Cloud Identity Access GovernanceNo ratings yetGRC - SAP Cloud Identity Access Governance8 pages
- GRC12 Configuring Emergency Access Management100% (1)GRC12 Configuring Emergency Access Management40 pages
- Access Request Management (ARQ) Debugging Scenarios - Governance, Risk and Compliance - SCN WikiNo ratings yetAccess Request Management (ARQ) Debugging Scenarios - Governance, Risk and Compliance - SCN Wiki26 pages
- @poli@ $hack Instagram Account$ #2020# # (Hack Insta Using Our Website #EASY) (NO Verification Instant Access) # (HACK INSTAGRAM)0% (1)@poli@ $hack Instagram Account$ #2020# # (Hack Insta Using Our Website #EASY) (NO Verification Instant Access) # (HACK INSTAGRAM)3 pages
- Upgrade SAP Access Control 10.010.1 To 12.0No ratings yetUpgrade SAP Access Control 10.010.1 To 12.028 pages
- SAP IAG Vs Access Control - Which One Is Right For SAP CommunityNo ratings yetSAP IAG Vs Access Control - Which One Is Right For SAP Community10 pages
- ASUG83589 - Security and SAP Fiori Tips and Tricks As You Move From Transaction Codes To Applications-1 PDF100% (3)ASUG83589 - Security and SAP Fiori Tips and Tricks As You Move From Transaction Codes To Applications-1 PDF32 pages