Introduction

SAP Cloud Identity Access Governance (IAG) is a cloud-based solution built on the SAP Business Technology Platform. Built on SAP BTP, it supports automated provisioning, SoD risk analysis, access requests, and periodic certifications.Integrated with SAP SuccessFactors, IAS, and IPS, IAG ensures users have the right access at the right time, supporting compliance, reducing risk, and aligning with Syensqo's cloud-first strategy.For Syensqo, SAP IAG would play a critical role in ensuring that users have the right access at the right time, while preventing conflicts and unauthorized activities. It not only would help maintain compliance with internal policies and regulatory frameworks but also would help to strengthen the overall security posture by delivering visibility, control, and accountability over user access.

Services which is provided by IAG:

Scope & Objectives

The scope of SAP Identity Access Governance (IAG) covers the processes, systems, and users involved in identity and access management across the organization. It includes:

• Governance of user access across SAP Cloud and on-premise systems.
• Access request, approval, and provisioning workflows.
• Risk analysis, role management, and segregation of duties (SoD) enforcement.
• Monitoring and reporting for compliance and audits.
• Secure de-provisioning during employee offboarding.
• Scalability to extend governance across multiple regions, business units, and applications

Primary objectives are to:

• Ensure only authorized users have the right access to critical business systems.
• Automate and centralize user access requests, approvals, and provisioning.
• Align access governance with internal policies and external regulatory requirements.
• Provide seamless identity and access management across both SAP cloud and on-premise applications.
• Detect and prevent access risks and segregation of duties conflicts before they occur.

Key Decisions and Requirements

Terminology

Application Architecture

Overview

SyWay’s SAP IAG landscape is provisioned as a SaaS tenant on SAP Business Technology Platform, with connectivity to both cloud and on-premise applications. Environment alignment (DEV, INT, UAT, PAR, TRG, PRD) is achieved through dedicated IAG tenants or integration via the IAG Bridge to SAP Access Control in corresponding landscapes, ensuring consistent separation of duties and predictable deployment across stages. The design is cloud-first and region-agnostic, centred on maintaining isolation of access governance activities per environment, while leveraging SAP-delivered SCIM connectors for supported cloud applications (e.g., Ariba, SuccessFactors, iCertis, Work Zone). Integration with SAP Cloud Identity Services (IAS/IPS) standardizes authentication and provisioning flows.

IAG Subaccount Model

Runtime: SAP IAG is delivered as a SaaS service on SAP Business Technology Platform (multi-tenant, no direct runtime selection).

Naming: syw-<area>-<env>-<region> (e.g., syw-iag-dev-eu10)

Environment codes: dev, int, uat, par, trg, prd

Application Architecture Components

SAP Web Dispatcher

SAP Cloud Connector

Data Provisioning Agent

SAP Analytics Cloud (SAC) Agent

OpenText Connector

Network Architecture

System Landscape

System Access

Application Security

Authentication

Authorisation

Communication Security

Data Security

Other Controls

Operation Architecture

Change and Configuration Management

Monitoring

Sizing

High Availability & Disaster Recovery

Backup/Restore

Maintenance Plan

Exceptions

See also

Change log