Provide a clear architectural overview of the SAP tools that enable identity and access management (IAM) across Syensqo’s cloud and on‑premise applications.
SAP identity governance and provisioning across cloud and on‑premise systems
Standard joiner/mover/leaver (JML) processes and access request governance
Risk and Segregation of Duties (SoD) control framework
Periodic access certifications
Connectivity, security, and operations considerations for the above
Low‑level configurations, connector parameters, rule syntax, or implementation procedures.
Cloud‑first: Prefer SAP SaaS services on SAP Business Technology Platform (BTP).
Single source of identity: SuccessFactors as the workforce truth; Cloud Identity Services as the identity broker.
Business‑role model: Assign access through business roles; avoid direct technical role assignment.
Least privilege with controls: SoD, risk analysis, and periodic certifications are built‑in gates.
Standards‑based integration: Use SCIM and established SAP connectors wherever possible.
Environment isolation: Strict separation (DEV/TEST/PROD) for predictable promotion and auditability.
At the center is SAP Cloud Identity Access Governance (IAG), delivered as a SaaS tenant on SAP BTP. IAG integrates with SAP Cloud Identity Services (CIS)—notably Identity Authentication Service (IAS), Identity Provisioning Service (IPS), and Identity Directory—to authenticate users, propagate identity data, and orchestrate provisioning to target applications.

Access Request & Workflow: Central entry point for requesting and approving access for R2 Release. For future releases this will change to automated triggers from SuccessFactors for business roles.
Access Risk Analysis: Built‑in SoD and critical‑access checks before and after assignment.
Role Design: Business‑role centric design aligned to functions and processes.
Privileged Access: Controlled elevation for critical activities (emergency access).
Access Certification: Campaign‑based periodic reviews for ongoing entitlement validation.
Audit & Reporting: End‑to‑end traceability of requests, approvals, and provisioning events.

Identity Authentication Service (IAS): SSO and authentication. Federates to Microsoft Entra ID; supports risk‑based and MFA policies.
Identity Provisioning Service (IPS): Orchestrates identity and role provisioning between sources (e.g., SuccessFactors) and targets (e.g., IAG, Ariba, SAC).
Identity Directory: Central store for user and group objects used by IAS/IPS and downstream systems.
Connectivity Service (BTP): Managed egress from IAG to enterprise networks.
SAP Cloud Connector (SCC): Secure reverse tunnel from on‑premise to BTP so IAG can reach S/4HANA APIs without opening inbound firewall ports.
| Description | Rationale |
|---|---|
| Future Proofing | A strategic decision was made to future-proof Syensqo’s identity management platform. SAP has made it clear that its primary investment focus lies in its SaaS offerings. SAP IAG and CIS are the flagship IAM solutions within this model, providing a broad range of capabilities for SAP landscapes. Aligning with SAP’s strategic direction ensures long-term product viability and continued vendor support over the next 10–20 years. |
| Standardisation | “Standard by default” is the overarching architectural principle. Standard integrations should always be prioritised over custom developments. Customisation will only be considered when standard functionality cannot meet a critical business requirement necessary for process continuity. |
SyWay’s SAP IAG landscape is delivered as a SaaS tenant on SAP Business Technology Platform, with the ability to connect to both cloud and on-premise systems. Environment alignment (DEV, INT, UAT, TRG, PRD) is achieved via dedicated IAG tenants in matching landscapes, ensuring consistent SoD enforcement and predictable deployments across stages. The architecture is cloud-first and region-agnostic, maintaining strict isolation of access-governance activities per environment while using SAP-delivered SCIM connectors for supported cloud apps (e.g., Ariba, SuccessFactors, iCertis, Work Zone). Integration with SAP Cloud Identity Services (IAS/IPS) standardizes provisioning flows.
Runtime: SAP IAG is delivered as a SaaS service on SAP Business Technology Platform (multi-tenant, no direct runtime selection).
Naming: syw-<area>-<env>-<region> (e.g., syw-iag-dev-eu10)
Environment codes: dev, int, uat, trg, prd
| Component | Description | Deployment |
|---|---|---|
| SAP IAG Tenant | Core SaaS service on SAP BTP delivering access requests, risk analysis, provisioning workflows, and audit reporting. | Cloud (SAP BTP, multi-tenant) |
| Connectors | Pre-delivered integration content for SAP cloud applications (SuccessFactors, Ariba, iCertis SCIM, Work Zone, S/4HANA). Uses SCIM or application APIs. | Configured per IAG tenant |
| Access Risk & Policy Content | Delivered by SAP to check Segregation of Duties (SoD) conflicts and critical access; extendable by customers. | Cloud (within IAG tenant) |
| Workflow Engine | Manages approval flows for access requests; configurable per tenant. | Cloud (within IAG tenant) |
| Reporting & Audit Logs | Provides access request history, provisioning logs, and risk analysis results. | Cloud (within IAG tenant) |
| SAP Cloud Identity Services – IAS/IPS | IAS: Authentication/SSO, federation. IPS: User provisioning between source identity and IAG/target systems. | Cloud (separate services, integrated with IAG) |
| SAP Cloud Connector | Secure reverse tunnel from on‑premise to BTP so IAG can reach S/4HANA APIs without opening inbound firewall ports | On Prem |
As Syensqo continues to modernize its operations and expand its digital ecosystem, SAP solutions are playing an increasingly central role across multiple business domains. With the organisation’s landscape becoming more cloud-based and integrated, maintaining a consistent identity framework across systems is essential.
By mapping the Person ID field from SuccessFactors to the Global ID field in IAS/IdDS via IPS, the unique user identifier is maintained across all downstream applications without the need to maintain complex local user-mapping routines.

As a minimum, the user attributes below will be mapped from SuccessFactors and transformed into IAS/IdDS.
The transformation will also need to consider other attributes, such as group membership and further user attributes, as these can be used for filtering, conditional authentication and other security policies.
| Application | Field Name IAS | IAS Technical Name | Source | SuccessFactors Field | Example |
|---|---|---|---|---|---|
| SAP CIS | Global User ID | TBC | SF | Person ID | XXXX1234 |
| SAP CIS | Status | TBC | SF | status | Active |
| SAP CIS | First Name | TBC | SF | First name | abcd |
| SAP CIS | Last Name | TBC | SF | Last name | Xxxxolola |
| SAP CIS | TBC | | SF | | |
The Global ID represents a single unique user identifier across all systems and platforms for the user.
The transformation logic in IPS is crucial for creating and maintaining the global user ID. By mapping attributes consistently, IPS ensures that the correct global user ID is assigned and used, linking user identities and attributes across different systems, even if the user's username or email differs in each system.
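The mapping and correlation logic described above, as an added example that is not part of this design document and is not SAP's IPS transformation configuration: it takes constructed SuccessFactors records, builds SCIM 2.0 user payloads with the Person ID as `externalId` (the global identifier every target correlates on), rejects a feed that would merge or orphan identities, and diffs the result against what a target application already holds. The attribute names (`personId`, `firstName`, `status`), the sample records and the target state are assumptions for the example; the real SF field names and IAS technical names are TBC in the table above.

```python
"""Added example (not part of the SyWay design or SAP IPS): SuccessFactors -> SCIM
mapping keyed on Person ID, with feed validation and a correlation-based diff."""

SCIM_CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed sample SuccessFactors records (not real people). The attribute
# names are assumptions for this example; the real SF/IAS technical names are TBC.
SF_RECORDS = [
    {"personId": "XXXX1234", "status": "active", "firstName": "Ana",
     "lastName": "Lopez", "email": "Ana.Lopez@example.com"},
    {"personId": "XXXX5678", "status": "inactive", "firstName": "Ben",
     "lastName": "Kato", "email": "ben.kato@example.com"},
    {"personId": "XXXX5678", "status": "active", "firstName": "Ben",
     "lastName": "Kato", "email": "b.kato@example.com"},   # duplicate Person ID
    {"personId": "", "status": "active", "firstName": "Nora",
     "lastName": "Diaz", "email": "nora.diaz@example.com"},  # no correlation key
]


def to_scim_user(rec):
    """Map one SF record to a SCIM 2.0 User.

    externalId carries the Person ID, the one identifier every target must
    correlate on. userName/email may legitimately differ per target, so they
    are never used as the join key.
    """
    return {
        "schemas": [SCIM_CORE_USER],
        "externalId": rec["personId"],
        "userName": rec["email"].lower(),
        "name": {"givenName": rec["firstName"], "familyName": rec["lastName"]},
        "emails": [{"value": rec["email"].lower(), "primary": True}],
        "active": rec["status"].lower() == "active",
    }


def validate_feed(records):
    """Enforce one identity per Person ID before anything is provisioned.

    A record without a Person ID cannot be correlated and is skipped; two
    records sharing a Person ID would silently merge two people's access, so
    both copies are dropped. Returns (clean_records, errors).
    """
    seen, clean, errors = set(), [], []
    for rec in records:
        pid = rec.get("personId", "").strip()
        if not pid:
            errors.append(("missing_person_id", rec.get("email")))
            continue
        if pid in seen:
            errors.append(("duplicate_person_id", pid))
            clean = [r for r in clean if r["personId"] != pid]
            continue
        seen.add(pid)
        clean.append(rec)
    return clean, errors


def reconcile(existing, desired):
    """Diff desired users against a target's current users, keyed on externalId.

    Persons missing from the HR feed are deactivated, not deleted, so that a
    late correction (or a rehire) does not have to recreate the identity.
    """
    actions = {"create": [], "update": [], "deactivate": []}
    desired_by_id = {u["externalId"]: u for u in desired}
    for ext_id, user in desired_by_id.items():
        current = existing.get(ext_id)
        if current is None:
            actions["create"].append(ext_id)
        elif current != user:
            actions["update"].append(ext_id)
    for ext_id, current in existing.items():
        if ext_id not in desired_by_id and current.get("active", True):
            actions["deactivate"].append(ext_id)
    return actions


def run(records, existing):
    """Validate the feed, map it to SCIM and return (actions, errors)."""
    clean, errors = validate_feed(records)
    return reconcile(existing, [to_scim_user(r) for r in clean]), errors


# Constructed state of a target application before the run (assumption).
EXISTING_TARGET = {
    "XXXX1234": to_scim_user({**SF_RECORDS[0], "email": "a.lopez@example.com"}),  # stale email
    "XXXX9999": {"schemas": [SCIM_CORE_USER], "externalId": "XXXX9999",
                 "userName": "old.user@example.com", "active": True},  # left, not in feed
}

if __name__ == "__main__":
    print(run(SF_RECORDS, EXISTING_TARGET))
```

The duplicate-Person-ID check is the one worth keeping in a real IPS pre-flight: if two HR records share the correlation key, a provisioning run that keys on `externalId` updates one SCIM user with the other person's attributes, which is an access merge that no later certification campaign will spot.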
SAP IAG → Cloud Connector → S/4HANA On-Prem

SAP IAG to SuccessFactors Interface
Integrate SAP Identity Access Governance (IAG) with SAP SuccessFactors to:
Automate access provisioning and de-provisioning based on employee lifecycle events (Hire, Transfer, Termination).
Perform access risk analysis (SoD checks) for SF roles and permissions.
Manage access requests for SuccessFactors roles via IAG workflows.
Please refer to FS ERP-202 Read Employee Master Data from SuccessFactors into Identity Access Governance for more details on IAG to SuccessFactors Integration
SAP IAG to Ariba Interface
The main purpose of integrating SAP Identity Access Governance (IAG) with SAP Ariba is to govern, automate, and control user access to Ariba applications (like Ariba Network, Ariba Sourcing, Ariba Buying and Invoicing) from a centralized, compliant platform.
Please refer to FS ERP-287 Provision users in Ariba Sourcing based on IAG for more details on IAG to Ariba Integration
HR Triggers (Design):
The SAP Cloud Identity Access Governance (IAG) solution will be integrated with the HR system (SAP SuccessFactors/SAP HCM). Changes in employee status will generate HR triggers in SuccessFactors that will automatically initiate SAP IAG Access Request workflows. The Access Request service will convert each HR trigger into a change request, which will be provisioned to the connected target applications.
When integrated, HR Triggers will capture personnel events—new hire, termination, transfer, promotion, and leave of absence—and will automatically execute the corresponding access actions in SAP IAG, including creation, modification, disabling, or deletion of user accounts across target systems.
Process flow diagram of HR trigger

To automate identity and access management based on HR changes, we configure business rules in IAG that use conditional logic to decide what action to take for which type of data or event.
Prerequisite: all master data must be in place, i.e. business roles built, ruleset defined and workflow configured.
JML (Joiner, Mover, Leaver) approval flow:

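The HR-trigger and JML handling described above, as an added example that is not part of this design document and is not IAG's own business-rule engine: a constructed ruleset and role model (not SyWay's) are used to turn each HR event into a change request, with the access risk analysis run on the target state before anything is provisioned. The event types follow the list above (hire, transfer, promotion, termination, leave of absence) plus a direct access request; the position codes, business role names and SoD rules are assumptions.

```python
"""Added example (not the SyWay design's own IAG business rules): turns an HR
trigger into JML access actions and gates them with an SoD check."""

# Constructed ruleset and role model (not SyWay's). An SoD rule names two
# business functions that one person must not hold together.
SOD_RULESET = {
    "R001": ("CREATE_VENDOR", "PAY_VENDOR"),
    "R002": ("CREATE_PO", "APPROVE_PO"),
}
BUSINESS_ROLE_FUNCTIONS = {
    "BR_AP_CLERK": {"PAY_VENDOR"},
    "BR_VENDOR_STEWARD": {"CREATE_VENDOR"},
    "BR_BUYER": {"CREATE_PO"},
    "BR_PURCHASING_MANAGER": {"APPROVE_PO"},
}
# Process-driven mapping from HR position to business roles (the HR trigger's key).
POSITION_ROLES = {
    "AP_CLERK": {"BR_AP_CLERK"},
    "VENDOR_DATA_STEWARD": {"BR_VENDOR_STEWARD"},
    "BUYER": {"BR_BUYER"},
}


def sod_violations(roles):
    """Return the SoD rule ids violated by holding this set of business roles."""
    functions = set().union(*(BUSINESS_ROLE_FUNCTIONS[r] for r in roles)) if roles else set()
    return sorted(rid for rid, (a, b) in SOD_RULESET.items()
                  if a in functions and b in functions)


def plan_actions(event, current_roles):
    """Convert one HR trigger (or direct access request) into a change request.

    Movers get the delta between old and new position, so roles from the
    previous job are removed instead of accumulating. Leavers are disabled and
    stripped of roles. Any target state that violates an SoD rule is flagged
    for risk-owner approval rather than provisioned automatically.
    """
    current = set(current_roles)
    kind = event["type"]
    if kind == "hire":
        target, action = POSITION_ROLES[event["position"]], "create_account"
    elif kind in ("transfer", "promotion"):
        target, action = POSITION_ROLES[event["position"]], "modify_access"
    elif kind == "leave_of_absence":
        target, action = current, "disable_account"
    elif kind == "termination":
        target, action = set(), "disable_account"
    elif kind == "access_request":
        target, action = current | set(event["roles"]), "modify_access"
    else:
        raise ValueError(f"unknown event type {kind!r}")
    violations = sod_violations(target)
    return {
        "action": action,
        "add": sorted(target - current),
        "remove": sorted(current - target),
        "violations": violations,
        "needs_risk_approval": bool(violations),
    }


if __name__ == "__main__":
    # Constructed mover scenario: AP clerk becomes vendor data steward.
    print(plan_actions({"type": "transfer", "position": "VENDOR_DATA_STEWARD"},
                       {"BR_AP_CLERK"}))
    # Same two roles requested directly instead: the SoD gate fires.
    print(plan_actions({"type": "access_request", "roles": ["BR_VENDOR_STEWARD"]},
                       {"BR_AP_CLERK"}))
```

The point the two calls in `__main__` make is that the mover case and the direct request end with the same pair of roles on the table, but only the mover is clean, because the transfer removes the old position's roles before the risk analysis runs; if the HR trigger were implemented as "add the new role" the mover would carry the R001 conflict into production silently.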
User Access Review(Access certification process)
The access certification service is used to periodically review and certify access to business applications, both cloud and on-premise. It ensures that users hold only the access appropriate to their role.
Managers and designated reviewers validate access to business applications. The periodic review can be carried out for single roles, composite roles, business roles and profiles.
Responsibilities of Campaign Administrators, Coordinators and Reviewers:
Administrator – is responsible for creating and editing campaigns.
Coordinator – is responsible for coordinating campaign activities, for example, reassign items, remind reviewers, escalating to the reviewer's manager etc.
Reviewer – is responsible for approving/rejecting user access during review stage.
Process flow of Access Certification:

Process to review user Access in SAP IAG
1. Define the review cycle: Before starting,
2. Launch Access Review (Access Certification): In IAG, create a campaign and select the users in scope (choose users based on business area, department or system).
3. Notify Reviewers: Once the campaign is launched, notification emails are sent automatically to the reviewers; each reviewer gets a review work item in their work inbox.
4. Perform Access Review: Reviewers log in and review each user's access:
Validate whether access is still required or should be removed
Approve: if access is still required
Reject: if access is no longer needed (in this case IAG will create requests for access deprovisioning from
NA
SAP IAG will have three landscapes: Development, Test and Production. Each landscape will connect to the applications below.
The SAP IAG development environment will be integrated with the corresponding development target systems, including S/4HANA Dev, the Ariba development tenant, and other applicable applications.
Upstream Sources (into IAG)
| Source | Purpose | Protocol / Feed | Key Attributes | Notes |
|---|---|---|---|---|
| SuccessFactors (HR) | Workforce lifecycle (join/move/leave), manager, org | OData/API feed to identity layer consumed by IAG | Person ID, Employment Type, Manager, Cost Center, Country | HR remains golden source for demographics; IAG consumes normalized identities |
| Entra ID | Directory groups / device or context attributes (optional) | Graph API / CSV (if used) | UPN, mail, groups | Not authoritative for provisioning; used for context enrichment only |
Connected Applications (via IPS)
Correlation: All targets must match on externalId = globalUserId. Where externalId is not supported, use a stable custom attribute (documented per connector).
| Application | Category | Connector / Protocol | Provisioned Objects | SSO | UAR Reviewer | Remediation Mode | Notes |
|---|---|---|---|---|---|---|---|
| Ariba | SAP Cloud (Procurement) | SCIM 2.0 | Users, Groups/Roles & Realm assignments | SAML via IAS | App Owner | Auto via IPS | Map company codes / purchasing orgs via role attributes |
| iCertis | CLM | SCIM 2.0 | Users & Groups | OIDC/SAML via IAS | App Owner | Auto via IPS | Validate group → permission mapping with Legal |
| SAC – Reporting/Planning | SAP Analytics Cloud | SCIM 2.0 | Users, Teams & Roles | SAML via IAS | Role Owner | Auto via IPS | Team/role design aligned to BI governance |
| Build WorkZone | SAP BTP | SCIM 2.0 | Users & Groups | SAML via IAS | App Owner | Auto via IPS | Align with corporate portal taxonomy |
| Advanced Financial Cockpit (AFC) | Finance | SCIM 2.0 | Users & Roles | SAML via IAS | Role Owner | Auto via IPS | Sensitive finance roles → 2‑stage review |
| PAPM Cloud | Profitability & Performance Mgmt | SCIM 2.0 | Users & Roles | SAML via IAS | Role Owner | Auto via IPS | Ensure environment/tenant scoped roles |
| RAM | Asset mgmt | SCIM 2.0 / API | Users & Roles | SAML via IAS | App Owner | Auto via IPS | Confirm role hierarchy with Plant ops |
| Asset Performance Management (APM) | EAM analytics | SCIM 2.0 | Users & Roles | SAML via IAS | Role Owner | Auto via IPS | Tag sensitive telemetry access |
| Global Track & Trace (GTT) | Logistics | SCIM 2.0 | Users & Roles | SAML via IAS | App Owner | Auto via IPS | Geo access scoping (regions/partners) via attributes |
| S/4HANA + GTS (Embedded) | SAP Private Cloud (via RISE) | IPS → CIC → Cloud Connector → SAP | Users, Roles (PFCG) | SAML for Fiori; SAPGUI SSO | Role Owner | Auto via IPS (where supported) | GTS co‑hosted; use plant/company filters; RFC/SNC secured |
| SAP IAG | SAP Identity Management | SCIM 2.0 | Business Roles | SAML via IAS | Role Owner | Auto via IPS | |
All user access to SyWay systems will have one central landing zone in the form of SAP WorkZone.

SyWay standardizes Single Sign-On (SSO) across the SAP Business Technology Platform (BTP) using region-specific SAP Identity Authentication Service (IAS) tenants federated with Microsoft Entra ID. Each BTP subaccount designates its respective IAS tenant as the trusted identity provider, ensuring consistent and secure user authentication.
All interactive user logins are Service Provider (SP)–initiated:
Authentication between BTP subaccounts or services and IAS uses OpenID Connect (OIDC).
Federation from IAS to Microsoft Entra ID is established via SAML 2.0.
For non-interactive authentication and system-to-system communication, SyWay adopts modern standards based on the target system’s capability:
OAuth 2.0 (including Client Credentials Grant)
OAuth2 SAML Bearer Assertion
Mutual TLS (mTLS)
Basic authentication is permitted only as an exception where modern protocols are not supported; such cases must be formally documented and approved. Principal Propagation is enabled wherever supported to maintain user context across connected systems.
| System / SaaS (in scope) | Audience | SP‑Initiated | App → IAS Protocol | IAS → Entra Protocol | Entra CA/MFA Applied | Notes |
|---|---|---|---|---|---|---|
| SAP BTP Cockpit & Subaccounts | End users / Admins | Yes | OIDC | SAML 2.0 | TBD | IAS is default IdP per region. |
| SAP Build Work Zone | End users | Yes | OIDC (preferred) or SAML 2.0 (per capability) | SAML 2.0 | TBD | Choose OIDC where supported. |
| SAP Business Application Studio (BAS) | Developers | Yes | OIDC | SAML 2.0 | TBD | Same IdP path as end users. |
| SAP Integration Suite (Cloud Integration UI) | Admins | Yes | OIDC (preferred) or SAML 2.0 | SAML 2.0 | TBD | Runtime APIs handled in Matrix 2. |
| SAP API Management (Designer/Portal UI) | Admins / Devs | Yes | OIDC (preferred) or SAML 2.0 | SAML 2.0 | TBD | |
| SAP Analytics Cloud | Analysts | Yes | SAML 2.0 | SAML 2.0 | TBD | Typical pattern is SAML via IAS. |
| SAP SuccessFactors | HR / Managers | Yes | SAML 2.0 | SAML 2.0 | TBD | SAML from Entra |
| SAP Ariba | Procurement | Yes | SAML 2.0 | SAML 2.0 | TBD | SAML from Entra |
| SAP S/4HANA + GTS (Embedded) Cloud (private) | Business users | Yes | SAML 2.0 | SAML 2.0 | TBD | Typical pattern is SAML via IAS. |
| Scenario / Target | Authentication Pattern | Protocol / Grant | Credentials / Tokens | Secret Storage & Controls | Principal Prop |
|---|---|---|---|---|---|
| BTP app → SAP SaaS API (e.g., SuccessFactors OData, Ariba APIs) | Server‑to‑server | OAuth 2.0 Client Credentials (preferred) or OAuth2 SAML Bearer Assertion | Client ID/secret; JWT or SAML assertion | BTP Destination service or Credential Store; rotation & vaulting | N/A |
| BTP app → SAP S/4HANA (on‑prem) via Cloud Connector | End‑user context | Principal Propagation (user JWT → X.509 / ticket) | Short‑lived user‑bound credential | Managed by Cloud Connector trust; cert rotation | Yes (preferred) |
| BTP service → BTP service (intra‑platform) | Service‑to‑service | OAuth 2.0 Client Credentials | JWT access token | Service key / Credential Store | N/A |
| API Management → Backend | Gateway‑to‑service | mTLS and/or OAuth 2.0 | Client certificate and/or JWT | Certificate management with rotation | Optional |
| Legacy/3rd‑party target lacking modern auth | Exception path | Basic Auth (documented exception) | Username/password | Destination service with strong rotation; CA compensating controls | No |
Conditional Access policies TBD. Nothing currently in scope.
Business roles represent a high-level grouping of access aligned to specific job functions or responsibilities within the organization. Instead of assigning individual permissions or technical roles directly to users, business roles provide a simplified and standardized way to manage access. Each business role will bundle the necessary access components required to perform a particular role, supporting consistency, ease of provisioning, and alignment with governance and compliance requirements.
Business roles should be defined as process-driven components rather than as mirrors of HR job titles.
Key benefits:


The table below shows the in-scope systems for SyWay and the encryption protocols used to secure communication between each system.
| System / Integration | User/Web (HTTP[S]) — Encryption Protocol | System‑to‑System — Encryption Protocol | SAP↔SAP (RFC/IDoc/HTTP) — Encryption Protocol | Authentication & Notes (summary) |
|---|---|---|---|---|
| Ariba | TLS 1.3 ▶ / TLS 1.2 | TLS 1.3 ▶ / TLS 1.2 + mTLS (for inbound B2B/API) | Via HTTP only → TLS 1.3 ▶ / TLS 1.2 | SSO via IAS (SAML/OIDC). APIs through SIS with OAuth 2.0; cXML/REST over HTTPS. |
| SuccessFactors | TLS 1.3 ▶ / TLS 1.2 | TLS 1.3 ▶ / TLS 1.2 (OData/SFAPI) | HTTP only → TLS 1.3 ▶ / TLS 1.2 | SSO via IAS. System calls use OAuth 2.0 (client credentials) via SIS. |
| SAP BTP (subaccount & services) | TLS 1.3 ▶ / TLS 1.2 | TLS 1.3 ▶ / TLS 1.2; BTP↔SCC tunnel uses mTLS | To on‑prem ABAP via SCC: TLS 1.3 ▶ / TLS 1.2 | SSO via IAS; service‑to‑service tokens (JWT/OAuth). |
| iCertis → SAP | N/A (end‑user in iCertis) | TLS 1.3 ▶ / TLS 1.2 + mTLS | To S/4 via HTTP: TLS 1.3 ▶ / TLS 1.2 | OAuth 2.0 to SAP APIs via SIS; avoid raw RFC. |
| SAP → SuccessFactors | N/A | TLS 1.3 ▶ / TLS 1.2 (OData) | HTTP only → TLS 1.3 ▶ / TLS 1.2 | OAuth 2.0 via CIS. |
| IAS → Entra (federation) | TLS 1.3 ▶ / TLS 1.2 (browser redirects) | N/A | N/A | SAML 2.0 (signed; encrypt assertions where supported) or OIDC (JWS; JWE optional). |
| PAPM Cloud (BTP) | TLS 1.3 ▶ / TLS 1.2 | TLS 1.3 ▶ / TLS 1.2; mTLS to on‑prem via SCC | To S/4 via HTTP: TLS 1.3 ▶ / TLS 1.2 | OAuth 2.0; principal propagation via SCC when needed. |
| Asset Performance Management (APM, BTP) | TLS 1.3 ▶ / TLS 1.2 | TLS 1.3 ▶ / TLS 1.2; mTLS to on‑prem via SCC | To S/4 via HTTP: TLS 1.3 ▶ / TLS 1.2 | OAuth 2.0; events/APIs via SIS. |
| Global Track & Trace (GTT, BTP) | TLS 1.3 ▶ / TLS 1.2 | TLS 1.3 ▶ / TLS 1.2 + mTLS (B2B endpoints) | To S/4 via HTTP: TLS 1.3 ▶ / TLS 1.2 | OAuth 2.0; IP allow‑listing on B2B endpoints. |
| S/4HANA + GTS (Embedded) (ABAP) | TLS 1.3 ▶ / TLS 1.2 (ICM) | HTTP APIs: TLS 1.3 ▶ / TLS 1.2 | SNC (CommonCryptoLib) for RFC/DIAG (privacy protection); IDoc via TLS 1.3 ▶ / TLS 1.2 or RFC+SNC | SSO via IAS (SAML) or SPNEGO; STRUST PSEs hardened. |
| SAP Analytics Cloud (SAC) | TLS 1.3 ▶ / TLS 1.2 | Live connections via SCC/Web Dispatcher: TLS 1.3 ▶ / TLS 1.2 | To S/4/HANA on‑prem via SCC: TLS 1.3 ▶ / TLS 1.2 | SSO via IAS; principal propagation as applicable. |
TLS 1.2+ = TLS 1.2 or higher (prefer TLS 1.3 where supported) • mTLS = Mutual TLS (client + server certs) • SNC = SAP Secure Network Communications (CommonCryptoLib) for RFC/DIAG • IAS = SAP Identity Authentication Service • Entra = Microsoft Entra ID (Azure AD) • SCC = SAP Cloud Connector • SIS/CPI = SAP Integration Suite (Cloud Integration) • PP = Principal Propagation
Data security in our landscape is about enforcing least privilege so that only authorized users can perform approved actions on the specific data they are entitled to see. SyWay will implement a layered access-control model that combines RBAC, ABAC, and groups. RBAC defines business roles and the precise permissions each role grants (what a user can do). ABAC adds fine-grained, context-aware rules that filter data by attributes such as nationality, location, company code, region, business unit, asset, or document owner (which records a role can act on, and under what conditions). Groups, managed centrally in the IdP, streamline assignment and lifecycle (who gets which roles), support separation of duties, and simplify provisioning and reviews. Together this delivers defence in depth: roles gate capabilities, attributes constrain data scope, and groups keep access manageable, auditable, and adaptable as the organization changes.
| System | RBAC | ABAC | Groups/Teams | Notes (how it’s enforced) |
|---|---|---|---|---|
| Ariba | ✅ | ☐ | ✅ | Permissions are assigned via user groups; access is controlled by group‑based permissions (RBAC via groups). (SAP Help Portal) |
| iCertis | ✅ | ☐ | ✅ | Security groups & role–action mapping govern feature/data access; groups are the primary container. (iciwikiapac.icertis.com) |
| SAC – Reporting/Planning | ✅ | ✅ | ✅ | Roles/privileges + teams; Data Access Control and model privacy apply dimension‑member (row‑level) restrictions. (SAP Help Portal) |
| Build Work Zone | ✅ | ☐ | ✅ | BTP role collections + Work Zone roles; group‑based space/content permissions across components. (SAP Learning) |
| Advanced Financial Cockpit (AFC) | ✅ | ☐ | ✅ | Static role templates and scoped user roles; owner groups used in process governance. (SAP Help Portal) |
| PAPM Cloud | ✅ | ✅ | ✅ | BTP role templates + data/analytic privileges (e.g., region/team) and teams; fine‑grained data locks. (SAP Help Portal) |
| RAM (Risk & Assurance Management) | ✅ | ☐ | ✅ | Role‑based access within RAM; organizations typically map IdP groups to roles/controls. (SAP) |
| Asset Performance Management (APM) | ✅ | ✅ | ✅ | Standard role collections + Attribute‑Based Access Control Role Template for data scoping (site/asset, etc.). (SAP Help Portal) |
| Global Track & Trace (GTT) | ✅ | ✅ | ✅ | Role collections and attribute‑based authorization for document access (e.g., party/shipper). (SAP Help Portal) |
| S/4HANA + GTS (Embedded) | ✅ | ✅ | (opt) | PFCG roles + authorization objects with org‑level fields |
| SAP IAG | ✅ | ☐ | ✅ | Role/authorization policies inside IAG; IAS/IdP groups commonly used to assign business roles. (SAP Help Portal) |
| NextLabs | ☐ | ✅ | ✅ | ABAC is the core (policy‑driven, attribute‑centric); |
RBAC: role templates/role collections/authorization objects; ABAC: attribute‑ or dimension‑based rules (e.g. location, nationality, etc); Groups: application or IdP (IAS/Entra) groups/teams used for membership/sharing/role assignment.
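The layered RBAC + ABAC + groups model described above, as an added example that is not part of this design document and is not the authorization code of any of the listed SAP products: a constructed IdP group to role mapping, role to permission mapping, user attributes and invoice records are evaluated in one decision so that the three layers (who, what, which) are visible as separate checks. The group names, permissions, company codes and records are assumptions; the "creator may not approve own document" check is the document-owner attribute from the paragraph above used as a separation-of-duties control.

```python
"""Added example (not SyWay's or any SAP product's authorization code):
layered RBAC + ABAC + group model evaluated as a single access decision."""

# Constructed model (assumptions). Groups live in the IdP; roles grant
# capabilities; attributes on the user scope which records those apply to.
GROUP_ROLES = {
    "grp-ap-clerk": {"AP_CLERK"},
    "grp-ap-manager": {"AP_MANAGER"},
}
ROLE_PERMISSIONS = {
    "AP_CLERK": {"invoice:read", "invoice:create"},
    "AP_MANAGER": {"invoice:read", "invoice:approve"},
}
USERS = {
    "ana": {"groups": ["grp-ap-clerk"], "company_codes": {"BE01"}, "region": "EU"},
    "ben": {"groups": ["grp-ap-manager"], "company_codes": {"BE01", "FR01"}, "region": "EU"},
    "cho": {"groups": [], "company_codes": {"BE01"}, "region": "EU"},  # no group: no access
}
INVOICES = [
    {"id": "INV-1", "company_code": "BE01", "region": "EU", "created_by": "ana"},
    {"id": "INV-2", "company_code": "FR01", "region": "EU", "created_by": "ben"},
    {"id": "INV-3", "company_code": "US01", "region": "NA", "created_by": "dan"},
]


def roles_for(user):
    """Groups (the 'who') resolve to roles; unknown groups grant nothing."""
    groups = user["groups"]
    return set().union(*(GROUP_ROLES.get(g, set()) for g in groups)) if groups else set()


def permissions_for(user):
    """RBAC: roles resolve to capabilities (the 'what')."""
    roles = roles_for(user)
    return set().union(*(ROLE_PERMISSIONS[r] for r in roles)) if roles else set()


def authorize(user_id, action, record):
    """Deny-by-default decision: RBAC gate first, then ABAC scope, then SoD.

    Returns (allowed, reason) so that the denial reason can be logged and
    the check that failed can be seen in a review.
    """
    user = USERS.get(user_id)
    if user is None:
        return False, "unknown user"
    if action not in permissions_for(user):
        return False, "rbac: no role grants this action"
    if record["company_code"] not in user["company_codes"]:
        return False, "abac: company code out of scope"
    if record["region"] != user["region"]:
        return False, "abac: region out of scope"
    if action == "invoice:approve" and record["created_by"] == user_id:
        return False, "sod: creator may not approve own invoice"
    return True, "allowed"


def visible_invoices(user_id, action="invoice:read"):
    """The records a user may act on: capability and attribute filters combined."""
    return [inv["id"] for inv in INVOICES if authorize(user_id, action, inv)[0]]


if __name__ == "__main__":
    for uid in USERS:
        print(uid, visible_invoices(uid), visible_invoices(uid, "invoice:approve"))
```

The order of the checks matters for audit: a denial is reported at the cheapest layer that rejects it, so a reviewer can tell a missing role (fix the business role) from an out-of-scope record (fix the user's attributes in the IdP) without re-running the decision.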
NA
| Term / Acronym | Full Form / Description |
|---|---|
| SAP IAG | SAP Cloud Identity Access Governance – A SaaS solution on SAP BTP that automates provisioning, SoD analysis, access requests, and certifications. |
| SAP BTP | SAP Business Technology Platform – Cloud platform where IAG and other SAP SaaS services are hosted. |
| IAS | SAP Identity Authentication Service – Provides Single Sign-On (SSO), authentication, and federation with external identity providers like Microsoft Entra ID. |
| IPS | SAP Identity Provisioning Service – Automates user and role provisioning between source and target systems (e.g., SuccessFactors → IAG → S/4HANA). |
| CIS | SAP Cloud Identity Services – Umbrella suite including IAS, IPS, and Identity Directory for centralized identity management. |
| SCIM | System for Cross-domain Identity Management – Open standard protocol for automating user provisioning and deprovisioning between cloud systems. |
| SoD | Segregation of Duties – Governance principle ensuring no user can perform conflicting business functions that could lead to fraud or error. |
| HR Trigger | Event in HR system (e.g., hire, transfer, termination) that initiates an identity or access workflow in IAG. |
| JML | Joiner, Mover, Leaver – Framework defining user lifecycle events: onboarding, role changes, and offboarding. |
| SCC | SAP Cloud Connector – Secure reverse proxy linking SAP BTP cloud services to on-premise systems like S/4HANA. |
| S/4HANA | SAP S/4HANA Enterprise Suite – Core ERP system integrated with IAG for access governance and provisioning. |
| Entra ID | Microsoft Entra ID (formerly Azure AD) – Enterprise identity provider used for authentication and federation with IAS. |
| Access Request | Workflow-based process in IAG for requesting and approving system access. |
| Access Certification | Periodic review of user access to validate ongoing need and ensure compliance. |
| Business Role | Logical grouping of multiple technical roles across systems representing a job function or responsibility. |
| Technical Role | Application-specific role or authorization object providing actual system access (e.g., PFCG roles in S/4HANA). |
| Connectivity Service | SAP BTP service enabling IAG to communicate with on-prem systems through the Cloud Connector. |
| Identity Directory | Central repository within SAP Cloud Identity Services storing user and group information for provisioning and authentication. |
| Workflow Engine | Component in IAG managing approval steps for access requests and certifications. |
| Access Risk Analysis | IAG process that checks access assignments against SoD and critical access rules. |
| Campaign (Access Review) | A scheduled access certification exercise involving reviewers and approvers. |
| IPS Job | Scheduled provisioning job that synchronizes user and role data across systems. |
| BTP Subaccount | Logical container within SAP BTP hosting applications and services, isolated per environment (e.g., dev, int, prd). |
| Principal Propagation | Mechanism that forwards a user’s authenticated identity across service layers for secure end-to-end communication. |