Status

OwnerLOHIYA-ext, Sumitra 
Stakeholders
LeanIX Link

Introduction


SAP Cloud Identity Access Governance (IAG) is a cloud-based solution built on the SAP Business Technology Platform. Built on SAP BTP, it supports automated provisioning, SoD risk analysis, access requests, and periodic certifications.Integrated with SAP SuccessFactors, IAS, and IPS, IAG ensures users have the right access at the right time, supporting compliance, reducing risk, and aligning with Syensqo's cloud-first strategy.For Syensqo, SAP IAG would play a critical role in ensuring that users have the right access at the right time, while preventing conflicts and unauthorized activities. It not only would help maintain compliance with internal policies and regulatory frameworks but also would help to strengthen the overall security posture by delivering visibility, control, and accountability over user access.

Services which is provided by IAG:

Scope & Objectives


The scope of SAP Identity Access Governance (IAG) covers the processes, systems, and users involved in identity and access management across the organization. It includes:

  • Governance of user access across SAP Cloud and on-premise systems.
  • Access request, approval, and provisioning workflows.
  • Risk analysis, role management, and segregation of duties (SoD) enforcement.
  • Monitoring and reporting for compliance and audits.
  • Secure de-provisioning during employee offboarding.
  • Scalability to extend governance across multiple regions, business units, and applications


Primary objectives are to:

  • Ensure only authorized users have the right access to critical business systems.
  • Automate and centralize user access requests, approvals, and provisioning.
  • Align access governance with internal policies and external regulatory requirements.
  • Provide seamless identity and access management across both SAP cloud and on-premise applications.
  • Detect and prevent access risks and segregation of duties conflicts before they occur.


Key Decisions and Requirements


Description Rationale






Terminology

To provide context for application specific terminology. 

Application Architecture

Overview

SyWay’s SAP IAG landscape is provisioned as a SaaS tenant on SAP Business Technology Platform, with connectivity to both cloud and on-premise applications. Environment alignment (DEV, INT, UAT, PAR, TRG, PRD) is achieved through dedicated IAG tenants or integration via the IAG Bridge to SAP Access Control in corresponding landscapes, ensuring consistent separation of duties and predictable deployment across stages. The design is cloud-first and region-agnostic, centred on maintaining isolation of access governance activities per environment, while leveraging SAP-delivered SCIM connectors for supported cloud applications (e.g., Ariba, SuccessFactors, iCertis, Work Zone). Integration with SAP Cloud Identity Services (IAS/IPS) standardizes authentication and provisioning flows.

IAG Subaccount Model

Runtime: SAP IAG is delivered as a SaaS service on SAP Business Technology Platform (multi-tenant, no direct runtime selection).

Naming: syw-<area>-<env>-<region> (e.g., syw-iag-dev-eu10)

Environment codes: dev, int, uat, par, trg, prd


Application Architecture Components


ComponentDescriptionDeployment
SAP IAG TenantCore SaaS service on SAP BTP delivering access requests, risk analysis, provisioning workflows, and audit reporting.Cloud (SAP BTP, multi-tenant)
ConnectorsPre-delivered integration content for SAP cloud applications (SuccessFactors, Ariba, iCertis SCIM, Work Zone, S/4HANA). Uses SCIM or application APIs.Configured per IAG tenant
Access Risk & Policy ContentDelivered by SAP to check Segregation of Duties (SoD) conflicts and critical access; extendable by customers.Cloud (within IAG tenant)
Workflow EngineManages approval flows for access requests; configurable per tenant.Cloud (within IAG tenant)
Reporting & Audit LogsProvides access request history, provisioning logs, and risk analysis results.Cloud (within IAG tenant)
SAP Cloud Identity Services – IAS/IPSIAS: Authentication/SSO, federation. IPS: User provisioning between source identity and IAG/target systems.Cloud (separate services, integrated with IAG)

Cloud Identity Services CIS

SAP Cloud Identity Services (CIS) is a core component of SAP BTP that provides centralized identity and access management across Syway's SAP landscape. Acting as a secure identity broker, CIS enables consistent authentication, user provisioning, and access control for both cloud and SAP PCE systems.

The main services include:

Identity Authentication Service: SAP Identity Authentication is a core service within the SAP Cloud Identity Services suite, offering Centralized authentication and SSO capabilities.

Key Features:

  • Risk-based and two-factor authentication
  • Delegated authentication to trusted external IdPs (e.g., Entra ID, JV IdPs)
  • Self-service capabilities including user registration and password reset

Identity Provisioning: Automates user and role provisioning across Syway's SAP landscape, syncing data from SuccessFactors EC to CIS and Entra ID. This ensures timely access for new hires and revokes access for terminated employees, supporting compliance with industry regulations.

Identity Directory: It is the central place in SAP Cloud Identity Services where user and group data are stored and managed. It helps keep everything in one place, making it easier to handle user roles, groups, and other identity details. For Syway, it supports a wide range of users by providing a consistent and secure source of identity information. It also connects with the IPS to share this data with other systems when needed.

Global User ID integration: 


SAP Cloud Connector

SAP IAG runs as a SaaS service on SAP BTP (public cloud) and S/4Hana on-prem systems are usually inside the corporate network(Firewall protected).

The Cloud Connector(SCC) creates a secure reverse tunnel from On-prem to SAP BTP so that IAG can call S/4HANA APIs without opening inbound firewall ports.


Flow Overview:

  • IAG Tenant (on BTP) → sends provisioning requests to S/4HANA.
  • Requests go via the SAP Connectivity Service (on BTP)
  • The Connectivity Service talks to the Cloud Connector (SCC) running inside your corporate network.
  • SCC routes the request securely to the S/4HANA On-Prem system (using HTTP/S, RFC depending on the scenario).
  • Responses (success/failure of provisioning) are sent back the same way.

    SAP IAG → Cloud Connector → S/4HANA On-Prem



SAP IAG to SuccessFactors Interface

Integrate SAP Identity Access Governance (IAG) with SAP SuccessFactors to:

  • Automate access provisioning and de-provisioning based on employee lifecycle events (Hire, Transfer, Termination).

  • Perform access risk analysis (SoD checks) for SF roles and permissions.

  • Manage access requests for SuccessFactors roles via IAG workflows.

Please refer to FS ERP-202 Read Employee Master Data from SuccessFactors into Identity Access Governance for more details on IAG to SuccessFactors Integration 


SAP IAG to Ariba Interface

The main purpose of integrating SAP Identity Access Governance (IAG) with SAP Ariba is to govern, automate, and control user access to Ariba applications (like Ariba Network, Ariba Sourcing, Ariba Buying and Invoicing) from a centralized, compliant platform.

Please refer to FS ERP-287 Provision users in Ariba Sourcing based on IAG for more details on IAG to SuccessFactors Integration 




Data Provisioning Agent


SAP Analytics Cloud (SAC) Agent


OpenText Connector


Network Architecture

Optional Section if  application requires a network design. 

System Landscape

SAP IAG  will have 3 landscape: Development, Test and Production. Each landscape will connect to below applications.

The SAP IAG development environment will be integrated with the respective development target systems, including S/4HANA Dev, Ariba Development Tenant, and other applicable applications.

 

Upstream Sources (into IAG)

Source

Purpose

Protocol / Feed

Key Attributes

Notes

SuccessFactors (HR)

Workforce lifecycle (join/move/leave), manager, org

OData/API feed to identity layer consumed by IAG

Person ID, Employment Type, Manager, Cost Center, Country

HR remains golden source for demographics; IAG consumes normalized identities

Entra ID

Directory groups / device or context attributes (optional)

Graph API / CSV (if used)

UPN, mail, groups

Not authoritative for provisioning; used for context enrichment only

 

Connected Applications (via IPS)

Correlation: All targets must match on externalId = globalUserId. Where externalId is not supported, use a stable custom attribute (documented per connector).


Application

Category

Connector / Protocol

Provisioned Objects

SSO

UAR Reviewer

Remediation Mode

Notes

Ariba

SAP Cloud (Procurement)

SCIM 2.0

Accounts, Groups/Roles, Realm assignments

SAML via IAS

App Owner

Auto via IPS

Map company codes / purchasing orgs via role attributes

iCertis

CLM

SCIM 2.0

Accounts, Groups

OIDC/SAML via IAS

App Owner

Auto via IPS

Validate group → permission mapping with Legal

CRM (e.g., Salesforce)

SaaS CRM

SCIM 2.0 (or vendor API)

Accounts, Profiles, Permission sets

SAML/OIDC via IAS

App Owner

Export to ITSM if write not available

Prefer SCIM; if API quotas apply, schedule batch windows

SAC – Reporting/Planning

SAP Analytics Cloud

SCIM 2.0

Accounts, Teams, Roles

SAML via IAS

Role Owner

Auto via IPS

Team/role design aligned to BI governance

Build WorkZone

SAP BTP

SCIM 2.0

Accounts, Groups

SAML via IAS

App Owner

Auto via IPS

Align with corporate portal taxonomy

Advanced Financial Cockpit (AFC)

Finance

SCIM 2.0

Accounts, Roles

SAML via IAS

Role Owner

Auto via IPS

Sensitive finance roles → 2‑stage review

PAPM Cloud

Profitability & Performance Mgmt

SCIM 2.0

Accounts, Roles

SAML via IAS

Role Owner

Auto via IPS

Ensure environment/tenant scoped roles

RAM

Asset mgmt

SCIM 2.0 / API

Accounts, Roles

SAML via IAS

App Owner

Auto via IPS

Confirm role hierarchy with Plant ops

Asset Performance Management (APM)

EAM analytics

SCIM 2.0

Accounts, Roles

SAML via IAS

Role Owner

Auto via IPS

Tag sensitive telemetry access

Global Track & Trace (GTT)

Logistics

SCIM 2.0

Accounts, Roles

SAML via IAS

App Owner

Auto via IPS

Geo access scoping (regions/partners) via attributes

S/4HANA / GTS

SAP On‑prem (via RISE/BTP)

IPS → CIC → Cloud Connector → SAP

Users, Roles (PFCG), Business Roles

SAML for Fiori; SAPGUI SSO

Role Owner

Auto via IPS (where supported)

GTS co‑hosted; use plant/company filters; RFC/SNC secured

System Access



Application Security

Authentication

SyWay standardises Single Sign-On on SAP BTP using region-specific SAP Identity Authentication Service (IAS) tenants federated to Microsoft Entra ID. Each BTP subaccount trusts its regional IAS tenant as the default identity provider; interactive sign-in between BTP subaccounts/services and IAS uses OIDC, while federation from IAS to Entra ID uses SAML 2.0Conditional Access in Entra (including MFA and session controls) governs user access to BTP applications. Developer tooling (e.g., BAS/Build Code/CLI) follows the same IAS ↔ Entra flow—no separate SAP ID service identities. For service-to-service calls and Destinations, SyWay adopts standards supported by each target: OAuth 2.0 (including client credentials), OAuth2 SAML Bearer Assertion, or mutual TLSBasic authentication is permitted only where a service does not support modern methods, and such exceptions are documented. Principal propagation is used where supported by the back-end/service pair. 

Authorisation

Business roles represent a high-level grouping of access aligned to specific job functions or responsibilities within the organization. Instead of assigning individual permissions or technical roles directly to users, business roles provide a simplified and standardized way to manage access. Each business role will bundle the necessary access components required to perform a particular role, supporting consistency, ease of provisioning, and alignment with governance and compliance requirements.

Business Roles should be defined to act as process driven components that deviate from HR job titles.

Key benefits:

  • Supports modeling of business roles that aggregate technical roles or permissions from multiple systems
  • Roles can be built to reflect job functions, departments, or business processes
  • The service performs real-time SoD checks during role creation or modification
  • Designed roles can go through workflow approvals before activation.


Communication Security

Provide the details of the communication security controls implemented based on the classification

Data Security

Provide the details of the data security controls implemented based on the classification

Other Controls

Provide the details of any other controls implemented based on the classification


Operation Architecture

Change and Configuration Management

This section will include the details related to change and configuration management of SAP and non-SAP systems.

Monitoring

This section will include the details related to monitoring enabled for the application (System and Application monitoring)

Sizing

Provide the details of sizing approach and the future recommendations

High Availability & Disaster Recovery

Provide the details of HA and DR. List down related metrics like RPO/RTO and availability SLA.

Backup/Restore

Provide the details of Backup/Restore. You may provide a reference to other document or attach a document, if the section contains lot of content

Maintenance Plan

Provide the details of system and application maintenance plan. This should follow the upgrade strategy


Exceptions

This section covers any exceptions to the reference architecture. Some Applications may have limitations and may not meet the Enterprise Architecture, Reference Architecture and IT Policy guidelines. All exceptions should be included in this section.


See also

Provide links or references to relevant documents for further context on this architecture decision and its impact. Listing related architectural decisions here can clarify dependencies.

Change log