Business Trends
GRC Tuesdays: SAP Cloud Identity Access Governance Is Not SAP Access Control on the Cloud
I often meet with customers who want a cloud solution for their access governance needs, and several of these customers have engaged partners who may not be up to speed with the latest solutions SAP has to offer for access governance. Due to misunderstanding or a lack of education, I end up trying to clarify the same points in multiple meetings. So you don’t have to go through the same experiences, I thought to cover some of these items here for your convenience. Make no mistake—Google is still your friend. You can find plenty of information simply by doing a quick search and reading material from reliable sources (official SAP websites like help.sap.com).
SAP Access Control and GRC
Most of us are familiar with SAP Access Control. I refer to this solution as the “Grandpa” (mature, elder leader) of SAP’s governance, risk, and compliance (GRC) solutions since it was around when I was a consultant several years ago. Further, SAP Access Control is typically the solution that our customers adopt first to put in place a governance culture. Because of this solution’s maturity, some partners and customers refer to SAP Access Control as “GRC.” “SAP Access Control” and “GRC” are not synonymous. If someone is using these acronyms interchangeably, be wary.
If you’re an avid reader of this blog series and experienced with the GRC space, you know very well that there are more solutions in the GRC suite. In fact, personally, I begin to get concerned when partners and customers refers to SAP Access Control as GRC because it implies a limited skill set, that they may not be up to date on the latest technologies, and that there is more work to be done to educate people on the GRC suite of solutions.
SAP Cloud Identity Access Governance and GRC
I’ve come to realize that many of our customer and partners have not heard of SAP Cloud Identity Access Governance (SAP Cloud IAG) and the various services available (access risk analysis service, role design) and that other functionalities are on the roadmap. When customers and partners learn about SAP Cloud IAG, access risk analysis service service, they recognize similarities to SAP Access Control’s access risk analysis functionality and that both SAP Access Control and that specific SAP Cloud IAG service are used to examine segregation of duties, and so on.
After reviewing additional roadmap services, customers and partners sometimes draw the incorrect conclusion that SAP Access Control is “going away.” The conclusion that SAP Access Control is going away is not true. SAP Cloud Identity Access Governance is not the next iteration/version for a “cloud” SAP Access Control solution, and there is no migration path from SAP Access Control 10.1 to SAP Cloud IAG.
Access Control in the Cloud
Some customers and partners are not aware that SAP Access Control is available on the cloud as well. But yes, SAP Access Control can be deployed on the cloud. Therefore, if you want access control and you want SAP Access Control on the cloud, you should implement SAP Access Control on the cloud (i.e. Custom HANA Enterprise Cloud) . A cloud deployment of SAP Access Control would have the same features and functions as on-premise SAP Access Control. If all you want is SAP Access Control on the cloud, that does not mean that you want SAP Cloud Identity Access Governance.
I can’t stress the point enough—SAP Cloud Identity Access Governance is NOT the cloud version of SAP Access Control. Further, if you’re expecting Cloud Identity Access Governance to mimic Access Control (have the same functionalities as Access Control) your expectation is incorrect. SAP Cloud Identity Access Governance is built on the SAP Cloud Platform and has a different user-interface than SAP Access Control, due to a strong Fiori emphasis. If you’re a customer with a cloud-first strategy and looking for SaaS or thinking about adopting SAP S/4HANA Public Cloud, perhaps Cloud IAG is for you.
Lastly, if you’re interested in complementing your existing SAP Access Control landscape with SAP Cloud IAG, ask your SAP representative more about the “bridge.”
Learn More
For more information (overview, video, roadmap) about SAP Cloud Identity Access Governance, please refer to SAP Cloud Identity Access Governance and/or SAP Help.
Hi Sarah -
Thanks for the great post. One question though...If I implement Access Control on the Cloud (the HEC solution) can I integrate this with my SAP S/4HANA Cloud Edition (Public Cloud)? If yes, how?
If I implement S/4H CE and IAG, can I use IAG for my SOD Analysis?
Thanks!
Hi Bert, thanks for asking. For clarification:
1) IAG is an application purposely built on the SAP Cloud platform that integrates readily with S/4HANA Cloud Edition.
2) While IAG is not Access Control, it does help public cloud customers to perform Segregation of Duties Reporting much like SAP Access Control does for ECC, SAP S/4HANA PCE and HEC customers does.
3) We are constantly adding functionality to IAG to perform many of the functions that AC does. In the meantime, Public Cloud customers who also own SAP Access Control can investigate the Access Control Bridge solution to help streamline their journey to the cloud.
4) IAG is not AC on the cloud, but addresses Access Governance needs in the cloud. For certain customers SAP Cloud IAG can be an excellent component of your Cloud Based solution.
Hi -
Now this is really clear to me. Thanks for this answer!! 🙂
Hi Sarah,
Congratulations on writing this excellent blog on the most commonly confused topics on IAG. Thanks for clarifying on several of the topics.
Could you please help with some insights on below areas of interest from a consulting perspective.
1. Similar to Access Controls RDS (I'm aware that it's already retired), do we have an effort estimate to implement/activate IAG services on SCP? How many days? Man Hours $$ value ? Scope and Exclusions ?
2. Are there connectors available from AC 12.0 (most of the customers are asking for the latest) to IAG services ? Any pointers would help.
3. If a customer opts to implement AC on private cloud what options do they have to utilize the IAG services ?
Appreciate your time and insights on this topic.
Great blog and just right in time !
Best Regards,
Vaiyda
Hi Vaidya, Since this is an internal question, please contact Sarah directly for an answer. Thank you.
Hi Sarah,
Thanks for the excellent blog. I have a very basic question, can SAP GRC 10.1 be integrated to perform risk analysis and user access provisioning for S4/HANA on private cloud (MS Azure). Also, can be integrated simultaneously to both S4/HANA on cloud and SAP ECC on-premise.
Thanks
Jitendra
Hi there,
My company is peeling off traditional SAP modules (SAP HR, SAP SRM, god knows what next), and has implemented Successfactors and Coupa.
We implemented SAP GRC to monitor SOD risks across these SAP environments. Since they are peeling off, and we have more applications in our portfolio that are not SAP, I'm looking for solutions that can monitor SOD risks across different and disparate systems.
Can SAP Cloud IAM perform SOD risk, monitoring, and reporting across different non-SAP systems?
Thanks!
HI Alexander.To monitor SODs across non-SAP systems you may need to utilize the functionality of SAP Access Violation Management by Greenlight. SAP Access Violation Management by Greenlight is a product with multiple functionalities including :
i. Extending real-time Access Control ‘connector’ capabilities across non-SAP systems
ii. Providing Emergency Access Management for non-SAP systems
iii. Enhancing Access Control by adding line-item detail to evaluate the ‘Financial Impact of Risks’
iv. Providing accelerated mitigation capabilities to existing Access Control deployments.
Access Control is a pre-requisite for SAP Access Violation Management.
Sarah
Thank you for writing the blog, it’s informative. I have few questions.
Can GRC 12.0 handles provisions for Concur?what are the limitations if any?
What are challenges integrating GRc 12.0 with concur via IAG?
What are benefits of concur and GRC 12.0 integration apart from SOd?
Has anyone done concur > IAG integration?