Feras Al-Basha and Riwa Mouawad’s February 2019 blog, Mass Maintenance of Segregation of Duties in SAP S/4HANA Cloud, focused on Identity and Access Management (IAM) within S/4HANA Cloud. This blog, a part-two follow-up, is aimed at key business users and implementation consultants and focuses on the Display Authorization Trace functionality within IAM and the integration of S/4HANA Cloud with Cloud Identity Access Governance.
Please note: all screenshots included in this blog are from a 1908 S/4HANA Cloud Starter System.
What Exactly Is Identity and Access Management (IAM)?
Identity and Access Management ensures that all business users within an organization have defined and managed roles. IAM helps organizations monitor and tailor business roles to their needs and requirements. The S/4HANA Cloud Identity and Access Management Toolkit enables businesses to view information on Business Users, Business Roles, Business Catalogs, Restriction Types, Authorization Traces, and more!
What is the Display Authorization Trace Application?
The Display Authorization Trace application enables users to analyze authorization trace data on a per-user basis to see whether adjustments need to be made. For instance, it can be used to see whether any authorizations are missing or insufficient for a user.
Display Authorization Trace Functionality:
The first step when accessing the Display Authorization Trace application is to ensure that the trace is activated:
Once the trace is activated for the user (in this case, Feras Al-Basha), trace information can be searched, and the time of the last change is shown. There are many search options, such as Access Category (Read, Write, Value Help) and Authorization Check Status (Successful, Failed, Filtered):
What Does the Authorization Check Status Mean?
There are three different statuses: successful, failed, and filtered. A successful status indicates that the check was successful, and a failed status indicates that the check failed. A filtered status indicates that certain data is filtered out. The user can check which business role might have affected the restriction type. For instance, a required business role might not be assigned to a user, resulting in a filtered status.
Cloud Identity Access Governance:
Advanced identity and access management, segregation of duties check, and audit functionalities are available in Cloud Identity Access Governance, a product that integrates with S/4HANA Cloud. Integrating Cloud Identity Access Governance with S/4HANA Cloud provides a complete solution for managing and auditing identity and access management. Cloud Identity Governance not only provides more complete functionality for segregation of duties checks and audits, but can also be used across several cloud solutions, giving the end user a simpler experience.
Key benefits include simplified governance of data access with secure access and minimized risk, a seamless user experience with strengthened security, and adoption of identity and access governance with maintenance-free updates.
For more information on product features, benefits, functionality, and how to get started, please visit the landing page for Cloud Identity Governance.
Additionally, please refer to the best practice scope item on Automated Provisioning via SAP Cloud Identity Access Governance (3AB).
For a technical deep dive on the integration of Cloud Identity Access Governance, please refer to the admin guide.
Lastly, we invite you to explore the Identity and Access Management tag on the Activate Roadmap Viewer, as previously outlined in Anand Kapadia’s blog post.
We hope this information was valuable to you and please don’t hesitate to reach out with any questions and comments! We also encourage you to share your experience with S/4HANA Cloud segregation of duties.
Feras Al-Basha, SAP
Riwa Mouawad, SAP