GRC Tuesdays: SAP Cloud Identity Access Governance Is Not SAP Access Control on the Cloud
I often meet with customers who want a cloud solution for their access governance needs, and several of these customers have engaged partners who may not be up to speed with the latest solutions SAP has to offer for access governance. Due to misunderstanding or a lack of education, I end up trying to clarify the same points in multiple meetings. So you don’t have to go through the same experiences, I thought to cover some of these items here for your convenience. Make no mistake—Google is still your friend. You can find plenty of information simply by doing a quick search and reading material from reliable sources (official SAP websites like help.sap.com).
SAP Access Control and GRC
Most of us are familiar with SAP Access Control. I refer to this solution as the “Grandpa” (mature, elder leader) of SAP’s governance, risk, and compliance (GRC) solutions since it was around when I was a consultant several years ago. Further, SAP Access Control is typically the solution that our customers adopt first to put in place a governance culture. Because of this solution’s maturity, some partners and customers refer to SAP Access Control as “GRC.” “SAP Access Control” and “GRC” are not synonymous. If someone is using these acronyms interchangeably, be wary.
If you’re an avid reader of this blog series and experienced with the GRC space, you know very well that there are more solutions in the GRC suite. In fact, personally, I begin to get concerned when partners and customers refers to SAP Access Control as GRC because it implies a limited skill set, that they may not be up to date on the latest technologies, and that there is more work to be done to educate people on the GRC suite of solutions.
SAP Cloud Identity Access Governance and GRC
I’ve come to realize that many of our customer and partners have not heard of SAP Cloud Identity Access Governance (SAP Cloud IAG) and the various services available (access risk analysis service, role design) and that other functionalities are on the roadmap. When customers and partners learn about SAP Cloud IAG, access risk analysis service service, they recognize similarities to SAP Access Control’s access risk analysis functionality and that both SAP Access Control and that specific SAP Cloud IAG service are used to examine segregation of duties, and so on.
After reviewing additional roadmap services, customers and partners sometimes draw the incorrect conclusion that SAP Access Control is “going away.” The conclusion that SAP Access Control is going away is not true. SAP Cloud Identity Access Governance is not the next iteration/version for a “cloud” SAP Access Control solution, and there is no migration path from SAP Access Control 10.1 to SAP Cloud IAG.
Access Control in the Cloud
Some customers and partners are not aware that SAP Access Control is available on the cloud as well. But yes, SAP Access Control can be deployed on the cloud. Therefore, if you want access control and you want SAP Access Control on the cloud, you should implement SAP Access Control on the cloud (i.e. Custom HANA Enterprise Cloud) . A cloud deployment of SAP Access Control would have the same features and functions as on-premise SAP Access Control. If all you want is SAP Access Control on the cloud, that does not mean that you want SAP Cloud Identity Access Governance.
I can’t stress the point enough—SAP Cloud Identity Access Governance is NOT the cloud version of SAP Access Control. Further, if you’re expecting Cloud Identity Access Governance to mimic Access Control (have the same functionalities as Access Control) your expectation is incorrect. SAP Cloud Identity Access Governance is built on the SAP Cloud Platform and has a different user-interface than SAP Access Control, due to a strong Fiori emphasis. If you’re a customer with a cloud-first strategy and looking for SaaS or thinking about adopting SAP S/4HANA Public Cloud, perhaps Cloud IAG is for you.
Lastly, if you’re interested in complementing your existing SAP Access Control landscape with SAP Cloud IAG, ask your SAP representative more about the “bridge.”