
Status: Approved
Owner: LOHIYA-ext, Sumitra
Stakeholders:
LeanIX Link:


Syensqo Identity Architecture — SAP Tooling Overview

1) Purpose

Provide a clear architectural overview of the SAP tools that enable identity and access management (IAM) across Syensqo’s cloud and on‑premise applications.

2) Scope

  • SAP identity governance and provisioning across cloud and on‑premise systems

  • Standard joiner/mover/leaver (JML) processes and access request governance

  • Risk and Segregation of Duties (SoD) control framework

  • Periodic access certifications

  • Connectivity, security, and operations considerations for the above


Out of Scope

Low‑level configurations, connector parameters, rule syntax, or implementation procedures.

3) Guiding Principles

  • Cloud‑first: Prefer SAP SaaS services on SAP Business Technology Platform (BTP).

  • Single source of identity: SuccessFactors as the workforce truth; Cloud Identity Services as the identity broker.

  • Business‑role model: Assign access through business roles; avoid direct technical role assignment.

  • Least privilege with controls: SoD, risk analysis, and periodic certifications are built‑in gates.

  • Standards‑based integration: Use SCIM and established SAP connectors wherever possible.

  • Environment isolation: Strict separation (DEV/TEST/PROD) for predictable promotion and auditability.

4) Landscape Overview

At the center is SAP Cloud Identity Access Governance (IAG), delivered as a SaaS tenant on SAP BTP. IAG integrates with SAP Cloud Identity Services (CIS)—notably Identity Authentication Service (IAS), Identity Provisioning Service (IPS), and Identity Directory—to authenticate users, propagate identity data, and orchestrate provisioning to target applications.


 

5) Core Services (Responsibilities)

5.1 SAP Cloud Identity Access Governance (IAG)

  • Access Request & Workflow: Central entry point for requesting and approving access in the R2 release. In later releases business-role assignment will instead be triggered automatically from SuccessFactors (HR triggers).

  • Access Risk Analysis: Built‑in SoD and critical‑access checks before and after assignment.

  • Role Design: Business‑role centric design aligned to functions and processes.

  • Privileged Access: Controlled elevation for critical activities (emergency access).

  • Access Certification: Campaign‑based periodic reviews for ongoing entitlement validation.

  • Audit & Reporting: End‑to‑end traceability of requests, approvals, and provisioning events.

5.2 SAP Cloud Identity Services (CIS)

  • Identity Authentication Service (IAS): SSO and authentication. Federates to Microsoft Entra ID; supports risk‑based and MFA policies.

  • Identity Provisioning Service (IPS): Orchestrates identity and role provisioning between sources (e.g., SuccessFactors) and targets (e.g., IAG, Ariba, SAC).

  • Identity Directory: Central store for user and group objects used by IAS/IPS and downstream systems.

5.3 SAP BTP Connectivity & Cloud Connector (SCC)

  • Connectivity Service (BTP): Managed egress from IAG to enterprise networks.

  • SAP Cloud Connector (SCC): Secure reverse tunnel from on‑premise to BTP so IAG can reach S/4HANA APIs without opening inbound firewall ports.

Key Decisions and Requirements

Future Proofing
Rationale: A strategic decision was made to future-proof Syensqo's identity management platform. SAP has made it clear that its primary investment focus lies in its SaaS offerings. SAP IAG and CIS are the flagship IAM solutions within this model, providing a broad range of capabilities for SAP landscapes. Aligning with SAP's strategic direction ensures long-term product viability and continued vendor support over the next 10–20 years.

Standardisation
Rationale: "Standard by default" is the overarching architectural principle. Standard integrations are always prioritised over custom developments. Customisation is considered only when standard functionality cannot meet a critical business requirement necessary for process continuity.

Provisioning Architecture

Overview

SyWay’s SAP IAG landscape is delivered as a SaaS tenant on SAP Business Technology Platform, with the ability to connect to both cloud and on-premise systems. Environment alignment (DEV, INT, UAT, TRG, PRD) is achieved via dedicated IAG tenants in matching landscapes, ensuring consistent SoD enforcement and predictable deployments across stages. The architecture is cloud-first and region-agnostic, maintaining strict isolation of access-governance activities per environment while using SAP-delivered SCIM connectors for supported cloud apps (e.g., Ariba, SuccessFactors, iCertis, Work Zone). Integration with SAP Cloud Identity Services (IAS/IPS) standardizes provisioning flows.

IAG Subaccount Model

Runtime: SAP IAG is delivered as a SaaS service on SAP Business Technology Platform (multi-tenant, no direct runtime selection).

Naming: syw-<area>-<env>-<region> (e.g., syw-iag-dev-eu10)

Environment codes: dev, int, uat, trg, prd


Application Architecture Components

Component | Description | Deployment
SAP IAG Tenant | Core SaaS service on SAP BTP delivering access requests, risk analysis, provisioning workflows, and audit reporting. | Cloud (SAP BTP, multi-tenant)
Connectors | Pre-delivered integration content for SAP cloud applications (SuccessFactors, Ariba, iCertis SCIM, Work Zone, S/4HANA). Uses SCIM or application APIs. | Configured per IAG tenant
Access Risk & Policy Content | Delivered by SAP to check Segregation of Duties (SoD) conflicts and critical access; extendable by customers. | Cloud (within IAG tenant)
Workflow Engine | Manages approval flows for access requests; configurable per tenant. | Cloud (within IAG tenant)
Reporting & Audit Logs | Provides access request history, provisioning logs, and risk analysis results. | Cloud (within IAG tenant)
SAP Cloud Identity Services – IAS/IPS | IAS: Authentication/SSO, federation. IPS: User provisioning between source identity and IAG/target systems. | Cloud (separate services, integrated with IAG)
SAP Cloud Connector | Secure reverse tunnel from on‑premise to BTP so IAG can reach S/4HANA APIs without opening inbound firewall ports. | On-premise

Global User ID integration:

As Syensqo continues to modernise its operations and expand its digital ecosystem, SAP solutions play an increasingly central role across multiple business domains. With the organisation's landscape becoming more cloud-based and integrated, maintaining a consistent identity framework across systems is essential.

  • Accurate user identification: recognising the same individual seamlessly across SAP applications is fundamental to secure authentication, appropriate authorisation and a unified user experience.
  • A unique attribute whose length fits every target: some systems have a short user ID field (SAP S/4HANA, for example, limits the user ID to 12 characters), so the chosen identifier must fit the shortest field without truncation, because a truncated identifier is no longer guaranteed to be unique.
  • Future proofing for AI-driven capabilities: consistency of user identity is also critical for AI-driven tools such as SAP Joule (the digital assistant) and SAP Task Center, both of which rely on harmonised user identities to operate effectively.
  • A single user ID makes cross-system Segregation of Duties analysis possible without manual intervention or complex user-mapping logic.

By mapping the SuccessFactors Person ID to the Global ID field in IAS/IdDS via IPS, the unique user identifier is maintained across all downstream applications without any complex local user-mapping routines.


As a minimum, the user attributes below should be mapped from SuccessFactors and transformed into IAS/IdDS.

The transformation must also consider other attributes, such as group membership and further user attributes, because these drive filtering, conditional authentication and other security policies.


Application | Field Name IAS | IAS Technical Name | Source | SuccessFactors Field | Example
SAP CIS | Global User ID | TBC | SF | Person ID | XXXX1234
SAP CIS | Status | TBC | SF | status | Active
SAP CIS | First Name | TBC | SF | First name | abcd
SAP CIS | Last Name | TBC | SF | Last name | Xxxxolola
SAP CIS | Email | TBC | SF | Email | abcd.xxxx-ext@syensqo.com

The Global ID concept is not to be confused with SSO: the email address remains the unique user attribute carried in the SAML assertion (the subject NameID) for SSO. One consequence is that an email change (for example after a name change or a rehire) has to be propagated consistently to IAS and to each target's SSO user mapping, whereas the Global ID stays stable and keeps the accounts correlated.

The Global ID represents a single unique identifier for the user across all systems and platforms.

The transformation logic in IPS is crucial for creating and maintaining the Global User ID. By mapping attributes consistently, IPS ensures that the correct Global User ID is assigned and used, linking user identities and attributes across different systems even if the user's username or email differs in each system.
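The mapping described above, modelled as an added example in Python (this is not code from the page, from SAP IPS or from the Syensqo project). It takes a SuccessFactors person record, carries the Person ID through as the Global User ID (placed in the SCIM externalId, which the connected-applications section later uses as the correlation key), converts the text status into the SCIM boolean, keeps the email as the SSO subject, derives groups for conditional authentication, and refuses any identifier that would not fit the 12-character S/4HANA user ID field rather than truncating it. The SF field names, the group naming scheme and the sample feed are assumptions; the page leaves the IAS technical attribute names as TBC.

```python
# Added example (not code from the page or from SAP): a Python model of the
# IPS transformation step that turns a SuccessFactors (SF) person record into
# the SCIM 2.0 user written to IAS / Identity Directory, carrying the SF
# Person ID through as the Global User ID. SF field names, the SCIM attribute
# choices and the group derivation are assumptions (IAS names are TBC on the page).
import re

# SAP S/4HANA's user ID (BNAME) is 12 characters, so that is the hard limit a
# Global User ID must respect to be usable as-is in every target system.
S4_USERID_MAX_LEN = 12
# Assumed shape of an SF Person ID: upper-case alphanumerics only.
PERSON_ID_RE = re.compile(r"^[A-Z0-9]+$")

SCIM_CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"


def validate_global_id(person_id: str) -> str:
    """Reject IDs a target would truncate or rewrite.

    Truncation silently breaks uniqueness (two people sharing a prefix),
    so the transformation fails closed instead of shortening the value.
    """
    if not PERSON_ID_RE.fullmatch(person_id or ""):
        raise ValueError(f"Person ID {person_id!r} is not a clean alphanumeric key")
    if len(person_id) > S4_USERID_MAX_LEN:
        raise ValueError(
            f"Person ID {person_id!r} exceeds the {S4_USERID_MAX_LEN}-char "
            "S/4HANA user ID limit and cannot be the Global User ID"
        )
    return person_id


def derive_groups(sf: dict) -> list:
    """Groups to assign for conditional authentication and filtering.

    Assumed naming: one group per employment type and per country, so IAS
    policies (e.g. MFA for externals) can key on membership.
    """
    return [
        f"EMP_TYPE_{sf['employmentType'].upper()}",
        f"COUNTRY_{sf['country'].upper()}",
    ]


def transform(sf: dict) -> dict:
    """Map one SF person record to the IAS/IdDS SCIM user plus its group list."""
    global_id = validate_global_id(sf["personIdExternal"])
    email = sf["email"].strip().lower()
    user = {
        "schemas": [SCIM_CORE_USER],
        # Correlation key used by every downstream connector
        # (externalId = globalUserId); stable even when email later changes.
        "externalId": global_id,
        # Email stays the SSO subject (SAML NameID), as the page states.
        "userName": email,
        "name": {"givenName": sf["firstName"], "familyName": sf["lastName"]},
        "emails": [{"value": email, "primary": True}],
        # SF status is text; SCIM wants a boolean. Anything but Active is
        # provisioned disabled, the safe default for leavers.
        "active": sf["status"].strip().lower() == "active",
    }
    return {"user": user, "groups": derive_groups(sf)}


def transform_batch(records: list) -> tuple:
    """Transform a feed; bad records are reported, never partially provisioned."""
    users, errors = [], []
    for rec in records:
        try:
            users.append(transform(rec))
        except (KeyError, ValueError) as exc:
            errors.append(f"{rec.get('personIdExternal')}: {exc}")
    return users, errors


# Constructed sample feed (not real Syensqo data).
SAMPLE_FEED = [
    {"personIdExternal": "XXXX1234", "status": "Active", "firstName": "abcd",
     "lastName": "Xxxxolola", "email": "Abcd.XXXX-ext@syensqo.com",
     "employmentType": "external", "country": "be"},
    {"personIdExternal": "YYYY5678", "status": "Terminated", "firstName": "e",
     "lastName": "f", "email": "e.f@syensqo.com",
     "employmentType": "employee", "country": "fr"},
    {"personIdExternal": "TOOLONGPERSONID99", "status": "Active", "firstName": "g",
     "lastName": "h", "email": "g.h@syensqo.com",
     "employmentType": "employee", "country": "de"},
]

if __name__ == "__main__":
    ok, bad = transform_batch(SAMPLE_FEED)
    print(f"{len(ok)} users transformed, {len(bad)} rejected")
    for err in bad:
        print("REJECTED", err)
```

The batch function deliberately reports a rejected record instead of raising: in a scheduled IPS-style job one malformed HR record must not stop the rest of the feed, but it must also never be provisioned with a shortened key.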

SAP Cloud Connector

SAP IAG runs as a SaaS service on SAP BTP (public cloud), while the S/4HANA on-premise systems sit inside the corporate network behind the firewall.

The Cloud Connector (SCC) establishes a secure reverse tunnel from on-premise to SAP BTP so that IAG can call S/4HANA APIs without any inbound firewall port being opened. The tunnel is outbound-only from the SCC side, and the SCC access control list determines which S/4HANA hosts and URL paths or RFC function modules are exposed to the subaccount, so it should list only the endpoints IAG actually needs.


Flow Overview:

  • The IAG tenant (on BTP) sends provisioning requests to S/4HANA.
  • Requests go via the SAP Connectivity Service (on BTP).
  • The Connectivity Service talks to the Cloud Connector (SCC) running inside the corporate network.
  • SCC routes the request to the S/4HANA on-premise system (over HTTP/S or RFC, depending on the scenario).
  • Responses (success or failure of the provisioning call) travel back the same way.

    SAP IAG → SAP Connectivity Service → Cloud Connector → S/4HANA On-Prem



SAP IAG to SuccessFactors Interface

Integrate SAP Identity Access Governance (IAG) with SAP SuccessFactors to:

  • Automate access provisioning and de-provisioning based on employee lifecycle events (Hire, Transfer, Termination).

  • Perform access risk analysis (SoD checks) for SF roles and permissions.

  • Manage access requests for SuccessFactors roles via IAG workflows.

Please refer to FS ERP-202 Read Employee Master Data from SuccessFactors into Identity Access Governance for more details on the IAG to SuccessFactors integration.


Access Request Management

HR triggers: the SAP Cloud Identity Access Governance solution can be integrated with HR systems so that changes in employee status in SuccessFactors (HR triggers) initiate access requests. The access request service converts HR triggers into change requests, which are then provisioned to the target applications.

When integrated with HR systems such as SAP SuccessFactors or SAP HCM, HR triggers capture key personnel events (new hires, terminations, transfers, promotions or leaves of absence) and automatically initiate the appropriate access management workflows within SAP IAG. These workflows can create, modify, disable or delete user accounts in the connected target systems.

Process flow diagram of HR trigger


To automate identity and access management based on HR changes, business rules are configured in IAG that use conditional logic to decide which action to take for which type of data or event.

Prerequisite: all master data must be in place, i.e. business roles built, ruleset and workflow configured.
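The rule logic described above, as an added example in Python (not code from the page or from SAP IAG): each HR trigger is mapped to the change requests IAG would raise, the mover rule removes the previous job's business roles instead of accumulating them, and the resulting technical-role set is checked against an SoD ruleset before anything is provisioned, so a conflicting request is routed to risk approval rather than auto-provisioned. The business-role catalogue, the SoD ruleset, the event field names and the sample identities are assumptions.

```python
# Added example (not code from the page or from SAP IAG): a Python model of
# the business rules that turn an HR trigger into access change requests,
# with the SoD pre-check the page requires before assignment. The business
# role catalogue, the SoD ruleset and the event field names are assumptions.
from dataclasses import dataclass, field

# Assumed business-role catalogue: business role -> technical roles per target.
BUSINESS_ROLES = {
    "AP_CLERK":   {"S4": {"Z_AP_INVOICE_ENTRY"}, "ARIBA": {"Invoice_Agent"}},
    "AP_MANAGER": {"S4": {"Z_AP_PAYMENT_RELEASE"}},
    "BUYER":      {"S4": {"Z_PO_CREATE"}, "ARIBA": {"Sourcing_Buyer"}},
}
# Assumed SoD ruleset: conflicting technical-role pairs and the risk each describes.
SOD_RULES = {
    frozenset({"Z_AP_INVOICE_ENTRY", "Z_AP_PAYMENT_RELEASE"}): "Enter invoice and release payment",
    frozenset({"Z_PO_CREATE", "Z_AP_INVOICE_ENTRY"}): "Create PO and enter invoice for it",
}


@dataclass
class HrEvent:
    kind: str                  # HIRE | TRANSFER | TERMINATION | LEAVE
    global_id: str
    business_roles: set = field(default_factory=set)  # target state after the event


@dataclass
class Plan:
    actions: list            # change requests IAG would raise, in order
    risks: list              # SoD findings that need approval before provisioning
    auto_provision: bool     # False when a risk requires an approval step


def technical_roles(business_roles) -> dict:
    """Flatten business roles to the technical roles they bundle, per target."""
    out = {}
    for br in business_roles:
        for system, roles in BUSINESS_ROLES[br].items():
            out.setdefault(system, set()).update(roles)
    return out


def sod_findings(tech: dict) -> list:
    """Cross-system check: holding both halves of any rule is a finding."""
    held = set().union(*tech.values())
    return [desc for pair, desc in SOD_RULES.items() if pair <= held]


def plan_actions(event: HrEvent, current_roles: set) -> Plan:
    """Apply the JML rule table to one HR trigger."""
    if event.kind == "TERMINATION":
        # Leaver: disable first, then strip every role; no SoD check needed.
        removals = [f"REMOVE_ROLE {r}" for r in sorted(current_roles)]
        return Plan(["DISABLE_ACCOUNT"] + removals, [], True)
    if event.kind == "LEAVE":
        return Plan(["LOCK_ACCOUNT"], [], True)
    if event.kind not in ("HIRE", "TRANSFER"):
        raise ValueError(f"unknown HR trigger {event.kind}")

    target = set(event.business_roles)
    actions = ["CREATE_ACCOUNT"] if event.kind == "HIRE" else []
    # Mover rule: the old job's roles are removed, not accumulated.
    actions += [f"REMOVE_ROLE {r}" for r in sorted(current_roles - target)]
    actions += [f"ASSIGN_ROLE {r}" for r in sorted(target - current_roles)]
    # SoD check on the resulting state, before anything is provisioned.
    risks = sod_findings(technical_roles(target))
    return Plan(actions, risks, auto_provision=not risks)


if __name__ == "__main__":
    print(plan_actions(HrEvent("HIRE", "XXXX1234", {"AP_CLERK"}), set()))
    print(plan_actions(HrEvent("TRANSFER", "XXXX1234", {"AP_MANAGER"}), {"AP_CLERK"}))
    # Requesting both halves of an SoD rule stops auto-provisioning.
    print(plan_actions(HrEvent("HIRE", "YYYY5678", {"AP_CLERK", "AP_MANAGER"}), set()))
```

The check runs on the target state rather than on the delta: a transfer that keeps old roles would otherwise look harmless on its own while creating the classic mover SoD conflict.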

JML(Joiner, Mover, Leaver) approval flow:



SAP IAG to Ariba Interface

The main purpose of integrating SAP Identity Access Governance (IAG) with SAP Ariba is to govern, automate, and control user access to Ariba applications (like Ariba Network, Ariba Sourcing, Ariba Buying and Invoicing) from a centralized, compliant platform.

Please refer to FS ERP-287 Provision users in Ariba Sourcing based on IAG for more details on the IAG to Ariba integration.


User Access Review (access certification process)

The access certification service is used to periodically review and certify access to business applications, both cloud and on-premise. It ensures that users retain only the access their current designation requires.

Managers and designated reviewers validate access to business applications. The periodic review can cover single roles, composite roles, business roles and profiles.

Responsibilities of campaign administrators, coordinators and reviewers:

Administrator: creates and edits campaigns.

Coordinator: coordinates campaign activities, for example reassigning items, reminding reviewers and escalating to a reviewer's manager.

Reviewer: approves or rejects user access during the review stage.

Process flow of Access Certification:


Process to review user access in SAP IAG

1. Define the review cycle. Before starting:

  • Determine how often access reviews happen (quarterly, semi-annually, annually).
  • Identify which systems and which user groups are in scope (e.g., SAP ECC, S/4HANA, SuccessFactors).

2. Launch the access review (access certification): in IAG, create a campaign and select the users in scope (by business area, department or system).

3. Notify reviewers: once the campaign is launched, notification emails are sent automatically to the reviewers, and each reviewer receives a review work item in their work inbox.

4. Perform the access review: reviewers log in and review each user's access, validating whether it is still required or should be removed.

  • Approve: the access is still required.
  • Reject: the access is no longer needed (in this case IAG will create requests for access deprovisioning from ).
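One certification cycle of the process above, as an added example in Python (not code from the page or from SAP IAG): in-scope assignments become review items, each routed to the user's line manager, items that would be self-reviewed or have no reviewer are handed to the coordinator for reassignment instead of silently leaving scope, and reviewer decisions are turned into deprovisioning requests (for rejections) and a reminder list (for items still pending). The data shapes, the manager-as-reviewer rule, the self-review guard and the sample assignments are assumptions.

```python
# Added example (not code from the page or from SAP IAG): a Python model of
# one certification campaign cycle, from scoping review items to turning
# reviewer decisions into deprovisioning requests. Data shapes, the
# reviewer-assignment rule and the self-review guard are assumptions.
from dataclasses import dataclass
from typing import Optional


@dataclass
class ReviewItem:
    user: str          # Global User ID
    system: str
    role: str
    reviewer: Optional[str] = None
    decision: Optional[str] = None   # APPROVE | REJECT | None (pending)


def build_campaign(assignments, managers, in_scope_systems):
    """Create one review item per in-scope (user, system, role) assignment.

    Items with no usable reviewer are returned separately for the campaign
    coordinator to reassign; they stay in the campaign so nothing is
    certified by omission.
    """
    items, needs_reassignment = [], []
    for user, system, role in assignments:
        if system not in in_scope_systems:
            continue
        reviewer = managers.get(user)
        item = ReviewItem(user, system, role, reviewer)
        # Guard: nobody certifies their own access, and an orphaned user
        # (no manager on record) still needs a reviewer.
        if reviewer is None or reviewer == user:
            item.reviewer = None
            needs_reassignment.append(item)
        items.append(item)
    return items, needs_reassignment


def apply_decisions(items, decisions):
    """Record decisions keyed by (user, system, role); return follow-up work.

    REJECT -> a deprovisioning request; no decision -> reminder/escalation.
    """
    deprovision, pending = [], []
    for item in items:
        item.decision = decisions.get((item.user, item.system, item.role))
        if item.decision == "REJECT":
            deprovision.append(f"REMOVE {item.role} from {item.user} on {item.system}")
        elif item.decision != "APPROVE":
            pending.append(item)
    return deprovision, pending


# Constructed sample data (not real Syensqo users or roles).
ASSIGNMENTS = [
    ("XXXX1234", "S4", "Z_AP_INVOICE_ENTRY"),
    ("XXXX1234", "ARIBA", "Invoice_Agent"),
    ("YYYY5678", "S4", "Z_AP_PAYMENT_RELEASE"),
    ("ZZZZ9012", "S4", "Z_PO_CREATE"),          # user has no manager record
    ("YYYY5678", "SF", "HR_Admin"),             # out of scope for this cycle
]
MANAGERS = {"XXXX1234": "YYYY5678", "YYYY5678": "YYYY5678"}  # self-manager case
IN_SCOPE = {"S4", "ARIBA"}

if __name__ == "__main__":
    items, fix = build_campaign(ASSIGNMENTS, MANAGERS, IN_SCOPE)
    print(f"{len(items)} items, {len(fix)} need a reviewer assigned by the coordinator")
    requests, still_open = apply_decisions(items, {
        ("XXXX1234", "S4", "Z_AP_INVOICE_ENTRY"): "APPROVE",
        ("XXXX1234", "ARIBA", "Invoice_Agent"): "REJECT",
    })
    print(requests, f"{len(still_open)} pending")
```

Pending items are returned rather than defaulted: treating a missing decision as an approval is the most common way a certification campaign ends up certifying access nobody looked at.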

Data Provisioning Agent


SAP Analytics Cloud (SAC) Agent


OpenText Connector


Network Architecture

System Landscape

SAP IAG will have three landscapes: Development, Test and Production. Each landscape connects to the applications below.

The SAP IAG development environment is integrated with the corresponding development target systems, including S/4HANA Dev, the Ariba development tenant and other applicable applications.

 

Upstream Sources (into IAG)

Source | Purpose | Protocol / Feed | Key Attributes | Notes
SuccessFactors (HR) | Workforce lifecycle (join/move/leave), manager, org | OData/API feed to identity layer consumed by IAG | Person ID, Employment Type, Manager, Cost Center, Country | HR remains golden source for demographics; IAG consumes normalized identities
Entra ID | Directory groups / device or context attributes (optional) | Graph API / CSV (if used) | UPN, mail, groups | Not authoritative for provisioning; used for context enrichment only

 

Connected Applications (via IPS)

Correlation: every target must match users on externalId = globalUserId. Where a target's SCIM implementation does not support externalId, use a stable custom attribute instead and document it per connector.
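The correlation rule above, as an added example in Python (not code from the page, from SAP IPS or from any connector): before provisioning, the Global User ID is looked up in the target with a SCIM 2.0 `externalId eq` filter, falling back to the per-connector custom attribute where externalId is unsupported; a lookup returning more than one account is treated as an error, since provisioning onto an ambiguous match would merge two people's access. The target is simulated in memory, and the fallback attribute name, the capability flag and the sample users are assumptions. The filter literal is quoted per RFC 7644, which matters because an unescaped identifier can turn an equality lookup into a filter that matches every user.

```python
# Added example (not code from the page or from SAP IPS): correlating a
# Global User ID with an existing account in a SCIM 2.0 target before
# provisioning, with fallback to a documented custom attribute where a target
# does not support externalId. The target is simulated in memory; the custom
# attribute URN and the capability flag are assumptions.
import re

# Assumed per-connector documentation: the attribute holding the global ID
# when externalId is not supported by the target.
CRM_EXT = "urn:example:params:scim:schemas:extension:2.0:User"
FALLBACK_ATTRIBUTE = {"legacy-crm": CRM_EXT + ":employeeNumber"}


def scim_quote(value: str) -> str:
    """Quote a filter literal per RFC 7644: escape backslash and double quote.

    Without this, an ID such as   x" or userName pr   would be spliced into
    the filter and match every user in the target.
    """
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def eq_filter(attribute: str, value: str) -> str:
    """Build the filter sent as GET /Users?filter=..."""
    return f"{attribute} eq {scim_quote(value)}"


# --- simulated SCIM target ---------------------------------------------------
_EQ = re.compile(r'^(\S+) eq "((?:[^"\\]|\\.)*)"$')


def _unquote(literal: str) -> str:
    return re.sub(r"\\(.)", r"\1", literal)


def _get(user: dict, path: str):
    """Resolve 'externalId' or '<schemaUrn>:<attr>' against a SCIM user dict."""
    if ":" in path:
        schema, attr = path.rsplit(":", 1)
        return user.get(schema, {}).get(attr)
    return user.get(path)


class ScimTarget:
    def __init__(self, name, users, supports_external_id=True):
        self.name, self.users, self.supports_external_id = name, users, supports_external_id

    def search(self, filter_str: str) -> list:
        """Only the  attr eq "literal"  form is understood by this simulation."""
        m = _EQ.match(filter_str)
        if not m:
            raise ValueError(f"unsupported filter: {filter_str}")
        attr, literal = m.group(1), _unquote(m.group(2))
        return [u for u in self.users if _get(u, attr) == literal]


# --- correlation --------------------------------------------------------------
def correlate(target: ScimTarget, global_id: str):
    """Return the matching user id, None if absent, raise if ambiguous."""
    attr = "externalId" if target.supports_external_id else FALLBACK_ATTRIBUTE[target.name]
    matches = target.search(eq_filter(attr, global_id))
    if len(matches) > 1:
        # Never provision onto an ambiguous match: two accounts would be merged.
        raise RuntimeError(f"{target.name}: {len(matches)} users share {attr}={global_id!r}")
    return matches[0]["id"] if matches else None


# Constructed sample targets (not real tenants or users).
ARIBA = ScimTarget("ariba", [
    {"id": "a1", "userName": "abcd.xxxx-ext@syensqo.com", "externalId": "XXXX1234"},
    {"id": "a2", "userName": "e.f@syensqo.com", "externalId": "YYYY5678"},
])
LEGACY = ScimTarget("legacy-crm", [
    {"id": "c9", "userName": "abcd", CRM_EXT: {"employeeNumber": "XXXX1234"}},
], supports_external_id=False)

if __name__ == "__main__":
    print(correlate(ARIBA, "XXXX1234"), correlate(ARIBA, "NOPE0000"), correlate(LEGACY, "XXXX1234"))
    print(eq_filter("externalId", 'x" or userName pr'))
```

A `None` result is the signal to create the account; a found id is the account to update. Either way the decision is made on the correlation key, never on userName or email, which the page notes can differ per system.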


Application | Category | Connector / Protocol | Provisioned Objects | SSO | UAR Reviewer | Remediation Mode | Notes
Ariba | SAP Cloud (Procurement) | SCIM 2.0 | Accounts, Groups/Roles, Realm assignments | SAML via IAS | App Owner | Auto via IPS | Map company codes / purchasing orgs via role attributes
iCertis | CLM | SCIM 2.0 | Accounts, Groups | OIDC/SAML via IAS | App Owner | Auto via IPS | Validate group → permission mapping with Legal
CRM (e.g., Salesforce) | SaaS CRM | SCIM 2.0 (or vendor API) | Accounts, Profiles, Permission sets | SAML/OIDC via IAS | App Owner | Export to ITSM if write not available | Prefer SCIM; if API quotas apply, schedule batch windows
SAC – Reporting/Planning | SAP Analytics Cloud | SCIM 2.0 | Accounts, Teams, Roles | SAML via IAS | Role Owner | Auto via IPS | Team/role design aligned to BI governance
Build WorkZone | SAP BTP | SCIM 2.0 | Accounts, Groups | SAML via IAS | App Owner | Auto via IPS | Align with corporate portal taxonomy
Advanced Financial Cockpit (AFC) | Finance | SCIM 2.0 | Accounts, Roles | SAML via IAS | Role Owner | Auto via IPS | Sensitive finance roles → 2‑stage review
PAPM Cloud | Profitability & Performance Mgmt | SCIM 2.0 | Accounts, Roles | SAML via IAS | Role Owner | Auto via IPS | Ensure environment/tenant scoped roles
RAM | Asset mgmt | SCIM 2.0 / API | Accounts, Roles | SAML via IAS | App Owner | Auto via IPS | Confirm role hierarchy with Plant ops
Asset Performance Management (APM) | EAM analytics | SCIM 2.0 | Accounts, Roles | SAML via IAS | Role Owner | Auto via IPS | Tag sensitive telemetry access
Global Track & Trace (GTT) | Logistics | SCIM 2.0 | Accounts, Roles | SAML via IAS | App Owner | Auto via IPS | Geo access scoping (regions/partners) via attributes
S/4HANA / GTS | SAP On‑prem (via RISE/BTP) | IPS → CIC → Cloud Connector → SAP | Users, Roles (PFCG), Business Roles | SAML for Fiori; SAPGUI SSO | Role Owner | Auto via IPS (where supported) | GTS co‑hosted; use plant/company filters; RFC/SNC secured

System Access



Application Security

Authentication

SyWay standardises Single Sign-On on SAP BTP using region-specific SAP Identity Authentication Service (IAS) tenants federated to Microsoft Entra ID. Each BTP subaccount trusts its regional IAS tenant as the default identity provider; interactive sign-in between BTP subaccounts/services and IAS uses OIDC, while federation from IAS to Entra ID uses SAML 2.0. Conditional Access in Entra (including MFA and session controls) governs user access to BTP applications. Developer tooling (e.g., BAS/Build Code/CLI) follows the same IAS ↔ Entra flow; no separate SAP ID service identities are used.

For service-to-service calls and Destinations, SyWay adopts the standards supported by each target: OAuth 2.0 (including client credentials), OAuth2 SAML Bearer Assertion, or mutual TLS. Basic authentication is permitted only where a service does not support modern methods, and each such exception is documented. Principal propagation is used where the back-end/service pair supports it.

Authorisation

Business roles represent a high-level grouping of access aligned to specific job functions or responsibilities within the organization. Instead of assigning individual permissions or technical roles directly to users, business roles provide a simplified and standardized way to manage access. Each business role will bundle the necessary access components required to perform a particular role, supporting consistency, ease of provisioning, and alignment with governance and compliance requirements.

Business roles should be defined as process-driven components rather than one-to-one copies of HR job titles.

Key benefits:

  • Supports modeling of business roles that aggregate technical roles or permissions from multiple systems
  • Roles can be built to reflect job functions, departments, or business processes
  • The service performs real-time SoD checks during role creation or modification
  • Designed roles can go through workflow approvals before activation.


Communication Security

Data Security

Other Controls


Operation Architecture

Change and Configuration Management

Monitoring

Sizing

High Availability & Disaster Recovery

Backup/Restore

Maintenance Plan


Exceptions


See also



Terminology

Term / Acronym | Full Form / Description
SAP IAG | SAP Cloud Identity Access Governance – A SaaS solution on SAP BTP that automates provisioning, SoD analysis, access requests, and certifications.
SAP BTP | SAP Business Technology Platform – Cloud platform where IAG and other SAP SaaS services are hosted.
IAS | SAP Identity Authentication Service – Provides Single Sign-On (SSO), authentication, and federation with external identity providers like Microsoft Entra ID.
IPS | SAP Identity Provisioning Service – Automates user and role provisioning between source and target systems (e.g., SuccessFactors → IAG → S/4HANA).
CIS | SAP Cloud Identity Services – Umbrella suite including IAS, IPS, and Identity Directory for centralized identity management.
SCIM | System for Cross-domain Identity Management – Open standard protocol for automating user provisioning and deprovisioning between cloud systems.
SoD | Segregation of Duties – Governance principle ensuring no user can perform conflicting business functions that could lead to fraud or error.
HR Trigger | Event in the HR system (e.g., hire, transfer, termination) that initiates an identity or access workflow in IAG.
JML | Joiner, Mover, Leaver – Framework defining user lifecycle events: onboarding, role changes, and offboarding.
SCC | SAP Cloud Connector – Secure reverse proxy linking SAP BTP cloud services to on-premise systems like S/4HANA.
S/4HANA | SAP S/4HANA Enterprise Suite – Core ERP system integrated with IAG for access governance and provisioning.
Entra ID | Microsoft Entra ID (formerly Azure AD) – Enterprise identity provider used for authentication and federation with IAS.
Access Request | Workflow-based process in IAG for requesting and approving system access.
Access Certification | Periodic review of user access to validate ongoing need and ensure compliance.
Business Role | Logical grouping of multiple technical roles across systems representing a job function or responsibility.
Technical Role | Application-specific role or authorization object providing actual system access (e.g., PFCG roles in S/4HANA).
Connectivity Service | SAP BTP service enabling IAG to communicate with on-prem systems through the Cloud Connector.
Identity Directory | Central repository within SAP Cloud Identity Services storing user and group information for provisioning and authentication.
Workflow Engine | Component in IAG managing approval steps for access requests and certifications.
Access Risk Analysis | IAG process that checks access assignments against SoD and critical access rules.
Campaign (Access Review) | A scheduled access certification exercise involving reviewers and approvers.
IPS Job | Scheduled provisioning job that synchronizes user and role data across systems.
BTP Subaccount | Logical container within SAP BTP hosting applications and services, isolated per environment (e.g., dev, int, prd).
Principal Propagation | Mechanism that forwards a user's authenticated identity across service layers for secure end-to-end communication.

Change log

Version Published Changed By Comment
CURRENT (v. 27) Apr 10, 2026 07:01 WENNINGER-ext, Sascha
v. 104 Apr 10, 2026 06:26 WENNINGER-ext, Sascha
v. 103 Apr 01, 2026 15:34 WENNINGER-ext, Sascha
v. 102 Dec 10, 2025 13:25 WENNINGER-ext, Sascha added stakeholders
v. 101 Dec 10, 2025 10:32 HEALY-ext, Michael
v. 100 Dec 10, 2025 10:11 HEALY-ext, Michael
v. 99 Dec 10, 2025 10:09 HEALY-ext, Michael
v. 98 Dec 09, 2025 17:16 HEALY-ext, Michael
v. 97 Dec 09, 2025 14:02 HEALY-ext, Michael
v. 96 Dec 09, 2025 14:00 HEALY-ext, Michael
