| Status | Approved |
| Owner | LOHIYA-ext, Sumitra |
| Stakeholders | |
| LeanIX Link | |
Introduction
Services provided by IAG:
Scope & Objectives
The scope of SAP Identity Access Governance (IAG) covers the processes, systems, and users involved in identity and access management across the organization. It includes:
- Governance of user access across SAP Cloud and on-premise systems.
- Access request, approval, and provisioning workflows.
- Risk analysis, role management, and segregation of duties (SoD) enforcement.
- Monitoring and reporting for compliance and audits.
- Secure de-provisioning during employee offboarding.
- Scalability to extend governance across multiple regions, business units, and applications.
Primary objectives are to:
- Ensure only authorized users have the right access to critical business systems.
- Automate and centralize user access requests, approvals, and provisioning.
- Align access governance with internal policies and external regulatory requirements.
- Provide seamless identity and access management across both SAP cloud and on-premise applications.
- Detect and prevent access risks and segregation of duties conflicts before they occur.
Key Decisions and Requirements
| Description | Rationale |
|---|---|
Terminology
Application Architecture
Overview
SyWay’s SAP IAG landscape is provisioned as a SaaS tenant on SAP Business Technology Platform, with connectivity to both cloud and on-premise applications. Environment alignment (DEV, INT, UAT, PAR, TRG, PRD) is achieved through dedicated IAG tenants or integration via the IAG Bridge to SAP Access Control in corresponding landscapes, ensuring consistent separation of duties and predictable deployment across stages. The design is cloud-first and region-agnostic, centred on maintaining isolation of access governance activities per environment, while leveraging SAP-delivered SCIM connectors for supported cloud applications (e.g., Ariba, SuccessFactors, iCertis, Work Zone). Integration with SAP Cloud Identity Services (IAS/IPS) standardizes authentication and provisioning flows.
IAG Subaccount Model
Runtime: SAP IAG is delivered as a SaaS service on SAP Business Technology Platform (multi-tenant, no direct runtime selection).
Naming: syw-<area>-<env>-<region> (e.g., syw-iag-dev-eu10)
Environment codes: dev, int, uat, par, trg, prd
Application Architecture Components
| Component | Description | Deployment |
|---|---|---|
| SAP IAG Tenant | Core SaaS service on SAP BTP delivering access requests, risk analysis, provisioning workflows, and audit reporting. | Cloud (SAP BTP, multi-tenant) |
| Connectors | Pre-delivered integration content for SAP cloud applications (SuccessFactors, Ariba, iCertis SCIM, Work Zone, S/4HANA). Uses SCIM or application APIs. | Configured per IAG tenant |
| Access Risk & Policy Content | Delivered by SAP to check Segregation of Duties (SoD) conflicts and critical access; extendable by customers. | Cloud (within IAG tenant) |
| Workflow Engine | Manages approval flows for access requests; configurable per tenant. | Cloud (within IAG tenant) |
| Reporting & Audit Logs | Provides access request history, provisioning logs, and risk analysis results. | Cloud (within IAG tenant) |
| SAP Cloud Identity Services – IAS/IPS | IAS: Authentication/SSO, federation. IPS: User provisioning between source identity and IAG/target systems. | Cloud (separate services, integrated with IAG) |
Cloud Identity Services CIS
SAP Cloud Identity Services (CIS) is a core component of SAP BTP that provides centralized identity and access management across SyWay's SAP landscape. Acting as a secure identity broker, CIS enables consistent authentication, user provisioning, and access control for both cloud and SAP PCE systems.
The main services include:
Identity Authentication Service: SAP Identity Authentication is a core service within the SAP Cloud Identity Services suite, offering centralized authentication and single sign-on (SSO).
Key Features:
- Risk-based and two-factor authentication
- Delegated authentication to trusted external IdPs (e.g., Entra ID, JV IdPs)
- Self-service capabilities including user registration and password reset
Identity Provisioning: Automates user and role provisioning across SyWay's SAP landscape, syncing data from SuccessFactors EC to CIS and Entra ID. This ensures timely access for new hires and revokes access for terminated employees, supporting compliance with industry regulations.
Identity Directory: The central store in SAP Cloud Identity Services where user and group data are kept and managed. It holds identity information in one place, which simplifies handling of user roles, groups, and other identity attributes. For SyWay, it supports a wide range of users by providing a consistent and secure source of identity information, and it connects with IPS to share this data with other systems when needed.
Global User ID integration:
SAP Cloud Connector
SAP IAG runs as a SaaS service on SAP BTP (public cloud), while S/4HANA on-premise systems typically sit inside the corporate network (firewall-protected).
The SAP Cloud Connector (SCC) establishes a secure reverse tunnel from on-premise to SAP BTP so that IAG can call S/4HANA APIs without opening inbound firewall ports.
Flow Overview:
- The IAG tenant (on BTP) sends provisioning requests to S/4HANA.
- Requests go via the SAP Connectivity Service (on BTP).
- The Connectivity Service talks to the Cloud Connector (SCC) running inside the corporate network.
- SCC routes the request securely to the S/4HANA on-premise system (using HTTP/S or RFC, depending on the scenario).
- Responses (success/failure of provisioning) are sent back the same way.
SAP IAG → Cloud Connector → S/4HANA On-Prem
SAP IAG to SuccessFactors Interface
Integrate SAP Identity Access Governance (IAG) with SAP SuccessFactors to:
- Automate access provisioning and de-provisioning based on employee lifecycle events (hire, transfer, termination).
- Perform access risk analysis (SoD checks) for SuccessFactors roles and permissions.
- Manage access requests for SuccessFactors roles via IAG workflows.
Please refer to FS ERP-202 (Read Employee Master Data from SuccessFactors into Identity Access Governance) for more details on the IAG to SuccessFactors integration.
Access Request Management
HR Triggers: The SAP Cloud Identity Access Governance solution can be integrated with HR systems so that changes in employee status in SuccessFactors (HR triggers) initiate access requests. The access request service converts the HR triggers into change requests, which are then provisioned to the target applications.
When integrated with HR systems such as SAP SuccessFactors or SAP HCM, HR Triggers capture key personnel events—such as new hires, terminations, transfers, promotions, or leaves of absence—and automatically initiate the appropriate access management workflows within SAP IAG. These workflows can include creating, modifying, disabling, or deleting user accounts in connected target systems.
Process flow diagram of HR trigger
To automate identity and access management based on HR changes, business rules are configured in IAG; these use conditional logic to decide which action to take for which type of data or event.
Prerequisite: all master data must be in place, i.e. business roles built, and the ruleset and workflow configuration complete.
JML (Joiner, Mover, Leaver) approval flow:
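The business-rule idea above, as an added illustration (not SyWay's configuration or SAP code): one HR trigger comes in, conditional logic per event type produces the change requests for the target applications. Event names, department-to-business-role mapping and target names are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumed master data (the prerequisite above): business roles bundle
# technical roles per target system; departments map to a business role.
BUSINESS_ROLES = {
    "BR_FINANCE_CLERK": {"S4HANA": ["Z_FI_AP_CLERK"], "ARIBA": ["Invoicing_User"]},
    "BR_BUYER": {"S4HANA": ["Z_MM_BUYER"], "ARIBA": ["Sourcing_User"]},
}
DEPARTMENT_ROLE = {"FIN": "BR_FINANCE_CLERK", "PUR": "BR_BUYER"}
ALL_TARGETS = ["S4HANA", "ARIBA", "SUCCESSFACTORS"]

@dataclass(frozen=True)
class HrEvent:
    event: str                  # HIRE, TRANSFER or TERMINATION (assumed names)
    person_id: str
    department: str
    prev_department: str = ""   # only used for TRANSFER

@dataclass(frozen=True)
class ChangeRequest:
    action: str                 # CREATE_ACCOUNT, ADD_ROLES, REMOVE_ROLES, DISABLE_ACCOUNT
    target: str
    person_id: str
    roles: tuple[str, ...]

def evaluate(ev: HrEvent) -> list[ChangeRequest]:
    """Conditional business rules: one HR trigger in, change requests out."""
    reqs: list[ChangeRequest] = []
    if ev.event == "HIRE":                      # joiner: account plus the role bundle
        for target, roles in BUSINESS_ROLES[DEPARTMENT_ROLE[ev.department]].items():
            reqs.append(ChangeRequest("CREATE_ACCOUNT", target, ev.person_id, tuple(roles)))
    elif ev.event == "TRANSFER":                # mover: apply only the delta per target
        old = BUSINESS_ROLES[DEPARTMENT_ROLE[ev.prev_department]]
        new = BUSINESS_ROLES[DEPARTMENT_ROLE[ev.department]]
        for target in sorted(set(old) | set(new)):
            gone = sorted(set(old.get(target, [])) - set(new.get(target, [])))
            added = sorted(set(new.get(target, [])) - set(old.get(target, [])))
            if gone:
                reqs.append(ChangeRequest("REMOVE_ROLES", target, ev.person_id, tuple(gone)))
            if added:
                reqs.append(ChangeRequest("ADD_ROLES", target, ev.person_id, tuple(added)))
    elif ev.event == "TERMINATION":             # leaver: disable in every target, not only role targets
        for target in ALL_TARGETS:
            reqs.append(ChangeRequest("DISABLE_ACCOUNT", target, ev.person_id, ()))
    else:
        raise ValueError(f"unsupported HR event: {ev.event!r}")
    return reqs
```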
SAP IAG to Ariba Interface
The main purpose of integrating SAP Identity Access Governance (IAG) with SAP Ariba is to govern, automate, and control user access to Ariba applications (like Ariba Network, Ariba Sourcing, Ariba Buying and Invoicing) from a centralized, compliant platform.
Please refer to FS ERP-287 (Provision users in Ariba Sourcing based on IAG) for more details on the IAG to Ariba integration.
User Access Review (Access Certification Process)
The access certification service is used to periodically review and certify access to business applications, both cloud and on-premise. It ensures that users hold optimized access based on their designation.
Managers and designated reviewers validate access to business applications. The periodic review process can be carried out for single roles, composite roles, business roles and profiles.
Responsibilities of campaign administrators, coordinators and reviewers:
- Administrator – responsible for creating and editing campaigns.
- Coordinator – responsible for coordinating campaign activities, for example reassigning items, reminding reviewers and escalating to the reviewer's manager.
- Reviewer – responsible for approving or rejecting user access during the review stage.
Process flow of Access Certification:
Process to review user access in SAP IAG
1. Define the review cycle: before starting,
- Determine how often access reviews will happen (quarterly, semi-annually, annually).
- Identify which systems and which user groups are in scope (e.g., SAP ECC, S/4HANA, SuccessFactors).
2. Launch the access review (access certification): in IAG, create a campaign and select the users in scope (choose users by business area, department or system).
3. Notify reviewers: once the campaign is launched, notification emails are sent automatically to reviewers, and each reviewer receives a review work item in their work inbox.
4. Perform the access review: reviewers log in and review each user's access:
- Validate whether the access is still required or should be removed.
- Approve: if the access is still required.
- Reject: if the access is no longer needed (in this case IAG will create requests for access de-provisioning from ).
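The campaign flow in steps 2 to 4 above, as an added illustration (not SyWay's configuration or SAP code): work items are routed to the line manager as reviewer, rejections become de-provisioning requests, and items still pending after the deadline are escalated to the reviewer's manager as the coordinator would. Names, systems, roles and dates are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

@dataclass
class Assignment:
    user: str
    system: str
    role: str
    manager: str                # line manager acts as reviewer (assumption)

@dataclass
class WorkItem:
    assignment: Assignment
    reviewer: str
    decision: str = "PENDING"   # PENDING, APPROVED or REJECTED

def launch_campaign(assignments: list[Assignment], systems_in_scope: set[str]) -> list[WorkItem]:
    """Steps 2 and 3: one work item per in-scope assignment, routed to its reviewer."""
    return [WorkItem(a, a.manager) for a in assignments if a.system in systems_in_scope]

def decide(item: WorkItem, decision: str) -> None:
    """Step 4: a reviewer may only approve or reject."""
    if decision not in ("APPROVED", "REJECTED"):
        raise ValueError(f"invalid decision {decision!r}")
    item.decision = decision

def close_campaign(items: list[WorkItem], deadline: date, today: date,
                   manager_of: dict[str, str]) -> tuple[list[dict], list[WorkItem]]:
    """Rejected items become de-provisioning requests; items still pending after
    the deadline are escalated to the reviewer's manager (coordinator task)."""
    deprovision, escalated = [], []
    for it in items:
        if it.decision == "REJECTED":
            a = it.assignment
            deprovision.append({"action": "REMOVE_ROLE", "system": a.system,
                                "user": a.user, "role": a.role})
        elif it.decision == "PENDING" and today > deadline:
            it.reviewer = manager_of.get(it.reviewer, it.reviewer)
            escalated.append(it)
    return deprovision, escalated

# Constructed sample data
ASSIGNMENTS = [
    Assignment("asmith", "S4HANA", "Z_FI_AP_CLERK", "mgr1"),
    Assignment("asmith", "SUCCESSFACTORS", "HR_ADMIN", "mgr1"),
    Assignment("bjones", "ARIBA", "Sourcing_User", "mgr2"),   # out of scope this cycle
]
```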
Data Provisioning Agent
SAP Analytics Cloud (SAC) Agent
OpenText Connector
Network Architecture
System Landscape
SAP IAG will have three landscapes: Development, Test and Production. Each landscape connects to the applications listed below.
The SAP IAG development environment will be integrated with the respective development target systems, including S/4HANA Dev, Ariba Development Tenant, and other applicable applications.
Upstream Sources (into IAG)
| Source | Purpose | Protocol / Feed | Key Attributes | Notes |
|---|---|---|---|---|
| SuccessFactors (HR) | Workforce lifecycle (join/move/leave), manager, org | OData/API feed to identity layer consumed by IAG | Person ID, Employment Type, Manager, Cost Center, Country | HR remains golden source for demographics; IAG consumes normalized identities |
| Entra ID | Directory groups / device or context attributes (optional) | Graph API / CSV (if used) | UPN, mail, groups | Not authoritative for provisioning; used for context enrichment only |
Connected Applications (via IPS)
Correlation: All targets must match on externalId = globalUserId. Where externalId is not supported, use a stable custom attribute (documented per connector).
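A reconciliation check for the correlation rule above, added here as an example (not SyWay's tooling or SAP's IPS logic): it matches a target's SCIM user list against the identity layer on externalId = globalUserId, falls back to a custom attribute where externalId is unsupported, and flags duplicate keys, orphaned accounts and identities without an account. The fallback schema URN and all sample records are constructed.

```python
from __future__ import annotations
from collections import defaultdict

# Assumed SCIM extension used as the fallback key where externalId is unsupported.
FALLBACK_SCHEMA = "urn:example:scim:schemas:extension:custom:2.0:User"
FALLBACK_ATTR = "globalUserId"

def correlation_key(user: dict) -> str | None:
    """externalId first; otherwise the documented custom attribute; else None."""
    if user.get("externalId"):
        return user["externalId"]
    return user.get(FALLBACK_SCHEMA, {}).get(FALLBACK_ATTR) or None

def correlate(source_identities: list[dict], target_users: list[dict]) -> dict:
    """Reconcile one target's SCIM /Users against the identity layer.
    matched: globalUserId -> target id; duplicates: one key claimed by several accounts;
    unmatched_source: identities with no account; orphans: accounts with no usable key
    or a key unknown to the source (candidates for review or de-provisioning)."""
    by_key: dict[str, list[str]] = defaultdict(list)
    orphans: list[str] = []
    for u in target_users:
        key = correlation_key(u)
        (by_key[key] if key else orphans).append(u["id"])
    source_keys = {s["globalUserId"] for s in source_identities}
    report = {"matched": {}, "duplicates": {}, "unmatched_source": [], "orphans": orphans}
    for key, ids in by_key.items():
        if key not in source_keys:
            orphans.extend(ids)
        elif len(ids) > 1:
            report["duplicates"][key] = ids
        else:
            report["matched"][key] = ids[0]
    report["unmatched_source"] = sorted(source_keys - set(by_key))
    return report

# Constructed sample data: identity-layer records and a target's SCIM user resources
SOURCE = [{"globalUserId": g} for g in ("guid-1001", "guid-1002", "guid-1003", "guid-1004")]
TARGET = [
    {"id": "a1", "userName": "asmith@example.com", "externalId": "guid-1001"},
    {"id": "a2", "userName": "bjones@example.com", "externalId": "guid-1002"},
    {"id": "a3", "userName": "bjones.old@example.com", "externalId": "guid-1002"},  # duplicate key
    {"id": "a4", "userName": "legacy@example.com"},                                # no key at all
    {"id": "a5", "userName": "x@example.com", "externalId": "guid-9999"},          # unknown to source
    {"id": "a6", "userName": "cwu@example.com",
     FALLBACK_SCHEMA: {FALLBACK_ATTR: "guid-1003"}},                               # fallback key
]
```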
| Application | Category | Connector / Protocol | Provisioned Objects | SSO | UAR Reviewer | Remediation Mode | Notes |
|---|---|---|---|---|---|---|---|
| Ariba | SAP Cloud (Procurement) | SCIM 2.0 | Accounts, Groups/Roles, Realm assignments | SAML via IAS | App Owner | Auto via IPS | Map company codes / purchasing orgs via role attributes |
| iCertis | CLM | SCIM 2.0 | Accounts, Groups | OIDC/SAML via IAS | App Owner | Auto via IPS | Validate group → permission mapping with Legal |
| CRM (e.g., Salesforce) | SaaS CRM | SCIM 2.0 (or vendor API) | Accounts, Profiles, Permission sets | SAML/OIDC via IAS | App Owner | Export to ITSM if write not available | Prefer SCIM; if API quotas apply, schedule batch windows |
| SAC – Reporting/Planning | SAP Analytics Cloud | SCIM 2.0 | Accounts, Teams, Roles | SAML via IAS | Role Owner | Auto via IPS | Team/role design aligned to BI governance |
| Build WorkZone | SAP BTP | SCIM 2.0 | Accounts, Groups | SAML via IAS | App Owner | Auto via IPS | Align with corporate portal taxonomy |
| Advanced Financial Cockpit (AFC) | Finance | SCIM 2.0 | Accounts, Roles | SAML via IAS | Role Owner | Auto via IPS | Sensitive finance roles → 2-stage review |
| PAPM Cloud | Profitability & Performance Mgmt | SCIM 2.0 | Accounts, Roles | SAML via IAS | Role Owner | Auto via IPS | Ensure environment/tenant scoped roles |
| RAM | Asset mgmt | SCIM 2.0 / API | Accounts, Roles | SAML via IAS | App Owner | Auto via IPS | Confirm role hierarchy with Plant ops |
| Asset Performance Management (APM) | EAM analytics | SCIM 2.0 | Accounts, Roles | SAML via IAS | Role Owner | Auto via IPS | Tag sensitive telemetry access |
| Global Track & Trace (GTT) | Logistics | SCIM 2.0 | Accounts, Roles | SAML via IAS | App Owner | Auto via IPS | Geo access scoping (regions/partners) via attributes |
| S/4HANA / GTS | SAP On-prem (via RISE/BTP) | IPS → CIC → Cloud Connector → SAP | Users, Roles (PFCG), Business Roles | SAML for Fiori; SAPGUI SSO | Role Owner | Auto via IPS (where supported) | GTS co-hosted; use plant/company filters; RFC/SNC secured |
System Access
Application Security
Authentication
SyWay standardises Single Sign-On on SAP BTP using region-specific SAP Identity Authentication Service (IAS) tenants federated to Microsoft Entra ID. Each BTP subaccount trusts its regional IAS tenant as the default identity provider; interactive sign-in between BTP subaccounts/services and IAS uses OIDC, while federation from IAS to Entra ID uses SAML 2.0. Conditional Access in Entra (including MFA and session controls) governs user access to BTP applications. Developer tooling (e.g., BAS/Build Code/CLI) follows the same IAS ↔ Entra flow—no separate SAP ID service identities. For service-to-service calls and Destinations, SyWay adopts standards supported by each target: OAuth 2.0 (including client credentials), OAuth2 SAML Bearer Assertion, or mutual TLS; Basic authentication is permitted only where a service does not support modern methods, and such exceptions are documented. Principal propagation is used where supported by the back-end/service pair.
Authorisation
Business roles represent a high-level grouping of access aligned to specific job functions or responsibilities within the organization. Instead of assigning individual permissions or technical roles directly to users, business roles provide a simplified and standardized way to manage access. Each business role will bundle the necessary access components required to perform a particular role, supporting consistency, ease of provisioning, and alignment with governance and compliance requirements.
Business roles should be defined as process-driven components rather than mirroring HR job titles.
Key benefits:
- Supports modeling of business roles that aggregate technical roles or permissions from multiple systems
- Roles can be built to reflect job functions, departments, or business processes
- The service performs real-time SoD checks during role creation or modification
- Designed roles can go through workflow approvals before activation.
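An added example (not SyWay's ruleset or SAP's risk engine) of the design-time SoD check described above: a business role aggregates technical roles from several systems, the functions those roles grant are derived, and any conflicting pair in the ruleset blocks direct activation and routes the role to approval. Function names, role names and the ruleset are assumptions.

```python
from __future__ import annotations

# Assumed ruleset: business functions, the (system, technical role) pairs that
# grant them, and the function pairs that must not be held together.
FUNCTION_ROLES = {
    "VENDOR_MASTER_MAINT": {("S4HANA", "Z_MM_VENDOR_MAINT")},
    "AP_INVOICE_ENTRY":    {("S4HANA", "Z_FI_AP_CLERK"), ("ARIBA", "Invoicing_User")},
    "PAYMENT_RUN":         {("S4HANA", "Z_FI_PAYMENT")},
    "SOURCING_AWARD":      {("ARIBA", "Sourcing_Award")},
}
SOD_RULES = {
    frozenset({"VENDOR_MASTER_MAINT", "PAYMENT_RUN"}): "HIGH",
    frozenset({"SOURCING_AWARD", "AP_INVOICE_ENTRY"}): "HIGH",   # cross-system conflict
    frozenset({"AP_INVOICE_ENTRY", "PAYMENT_RUN"}): "MEDIUM",
}

def functions_granted(technical_roles: set[tuple[str, str]]) -> set[str]:
    """Functions a user would hold if given these technical roles (any system)."""
    return {f for f, roles in FUNCTION_ROLES.items() if roles & technical_roles}

def sod_violations(technical_roles: set[tuple[str, str]]) -> list[tuple[tuple[str, str], str]]:
    """Every ruleset pair fully contained in the granted functions, with its risk level."""
    funcs = functions_granted(technical_roles)
    return sorted((tuple(sorted(pair)), risk) for pair, risk in SOD_RULES.items() if pair <= funcs)

def design_business_role(name: str, technical_roles: set[tuple[str, str]]) -> dict:
    """Real-time check while the role is designed: a clean role is ready for
    activation; a role with violations must go through workflow approval first."""
    violations = sod_violations(set(technical_roles))
    return {
        "name": name,
        "technical_roles": sorted(technical_roles),
        "violations": violations,
        "status": "PENDING_APPROVAL" if violations else "READY_FOR_ACTIVATION",
    }
```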