What is SAP Identity Access Governance (IAG)?

SAP Cloud Identity Access Governance (IAG) is a cloud-based solution for creating self-service access requests to on-premise and cloud source applications and systems.

Connecting SAP Fieldglass to the IAG solution enables SAP Fieldglass users to initiate access requests, which are then provisioned to target applications. The integration uses out-of-the-box authorizations and risk modeling to analyze SAP Fieldglass access requests.

The SAP Cloud Identity Access Governance (IAG) solution is built on the SAP Business Technology Platform. It uses SAP NetWeaver APIs to fetch data from on-premise and cloud solutions, and enables you to use the following services to create access requests, analyze risks, and design roles:

  • SAP Cloud Identity Access Governance, access analysis service
  • SAP Cloud Identity Access Governance, access request service
  • SAP Cloud Identity Access Governance, role design service
  • SAP Cloud Identity Access Governance, access certification service

SAP ACCESS CONTROL (GRC) VS. SAP IDENTITY ACCESS GOVERNANCE (IAG)

Before we look into the details of what the SAP IAG Bridge functionality offers, we have to understand the differences between SAP Access Control (GRC) and SAP IAG.

SAP IAG is often referred to as the SAP Access Control solution for the cloud, which, in fact, it is. SAP IAG, a cloud solution running on the SAP Business Technology Platform (BTP), does not replace SAP Access Control, but it offers similar capabilities to a broader environment (cloud) with some overlapping functions.

For example, SAP IAG can run a risk analysis against on-premise applications (similar to SAP Access Control), and offers firefighting capabilities with Privileged Access Management (PAM) for on-premise systems (e.g., SAP ERP and SAP S/4HANA).

Additionally, SAP IAG can connect to both cloud and on-premise applications through the SAP Cloud Connector. The Cloud Connector is located on the intranet (the customer network) and establishes connectivity between the SAP Business Technology Platform (internet) and the target system (intranet).

Let’s take a look at a high-level comparison of the modules and their core functionalities.

| SAP Access Control | Function | SAP IAG | Function |
| --- | --- | --- | --- |
| Access risk analysis (ARA) | Access analysis for on-premise systems, ruleset management | Access analysis | Access analysis for on-premise and cloud, limitation to user and roles, ruleset management |
| Business role management (BRM) | Role management and business roles | Role design | Business roles for hybrid landscapes |
| Access request management (ARM) | Fully customizable and extendable access request workflows | Access request | Predefined set of workflows with limited configuration capabilities |
| Emergency access management (EAM) | Firefighter for ABAP systems | Privileged access management | Firefighter for ABAP systems (still in Beta version) |
| User access review (UAR) and SOD risk review | Customizable UAR and SOD risk review workflows through ARM | Access certification | Campaigns to review user access |

High-Level Comparison of IAG and Access Control.

WHICH SOLUTION FOR WHICH USE CASE?

With SAP IAG and SAP Access Control, you can have three scenarios for multiple use cases. Let’s try to understand them first, before we look specifically into the bridging capability.

Scenario 1: SAP IAG Only

This scenario is for customers who want an out-of-the-box solution for access governance that runs entirely in the cloud. With this approach, you will have reduced flexibility as SAP IAG is a software as a service (SaaS) solution that only offers limited configuration capabilities. However, if you want to use standard workflows to provision users across on-premise and cloud applications, analyze cross-system access risks, perform firefighting (emergency access), as well as user access reviews, SAP IAG is the perfect solution for you.

Scenario 2: SAP Access Control Only

This scenario is for customers who primarily use on-premise applications. SAP Access Control gives you total flexibility to govern access in the on-premise landscape. Its Access Request Management (ARM) workflows are fully customizable and allow for extensive enhancements. The lack of this customizability is one of the main limitations of SAP IAG compared to SAP Access Control.

Scenario 3: SAP IAG and SAP Access Control – SAP IAG Bridge

The SAP IAG Bridge scenario is for customers who need to govern access in a hybrid landscape (on-premise and in the cloud). The bridging scenario offers the best of both worlds combined; however, you need to implement (as well as run, service and license) two applications.
