Saksham Minocha

SAP Cloud Identity Access Governance (IAG) Overview and Updates

SAP Cloud Identity Access Governance (IAG) is SAP’s latest innovation for Access Governance. After a highly successful SAP Access Control 12.0 release, SAP has now released some of its latest innovations on the SAP Cloud Identity Access Governance application. SAP Cloud Identity Access Governance (IAG) is a multi-tenant solution built on top of SAP Business Technology Platform (BTP) and SAP’s proprietary HANA database.

SAP Cloud Identity Access Governance (IAG) is bundled with the SAP Business Technology Platform (BTP) Identity Provisioning Service (IPS) and Identity Authentication Service (IAS).

**SAP Cloud Identity Access Governance (IAG) 2205 (May, 2022) version is now released with product enhancements in the areas of Ariba integration (via SCIM API), Mitigation Assignment Reporting, management of user IDs mapped through multiple cloud applications, added authorization checks for Access Control bridge integration, conditional UI fields and more.**

**SAP Cloud Identity Access Governance (IAG) 2202 (February, 2022) version is now released with product enhancements in the areas of integration with SAP Concur, SAP Sales Cloud, SAP Service Cloud, SAP Advanced Financial Closing and SAP Intelligent Asset Management.**

**SAP Cloud Identity Access Governance (IAG) 2108 version is released with product enhancements in areas such as customizing workflows for access management, additional properties to support OAuth 2.0 authentication for SAP SuccessFactors, and support for provisioning of the universal unique ID (UUID) for SAP S/4HANA.**

**SAP Cloud Identity Access Governance (IAG) 2105 version is released with enhancements in areas such as extending User Access Review (UAR) for cloud solutions to SAP Access Control through the AC-IAG Bridge scenario.**

**With the SAP Cloud Identity Access Governance (IAG) 2102 release, customers can now integrate non-SAP solutions based on the open System for Cross-Domain Identity Management (SCIM) standard.**

SAP Cloud Identity Access Governance (IAG) provides out-of-the-box integration with SAP’s latest cloud applications such as SAP Ariba, SAP SuccessFactors, SAP S/4HANA Cloud, SAP Analytics Cloud and other cloud solutions, with many more SAP and non-SAP integrations on the roadmap.

Cloud IAG Services


SAP Cloud Identity Access Governance (IAG) helps customers achieve access control and governance through the below key services:

Access Request

The Access Request service gives customers self-service access request forms for user and role provisioning into cloud applications, together with workflow-driven access provisioning mechanisms and other features.

Role Design

The Role Design service allows users to design access roles using Machine Learning (ML) based algorithms to optimally define and refine the required roles with a bottom-up approach.

Access Certification

The Access Certification service in Cloud Identity Access Governance (IAG) provides the option to certify access spread across multiple cloud solutions by allowing reviewers to regularly audit and certify the roles assigned.

Access Analysis

The Access Analysis service is primarily meant for security administrators and compliance teams, who use it to analyze access risks across cloud applications and to refine or remediate access according to audit requirements.

**IAG Release 2005: We have released a risk ruleset library to detect access needing Segregation of Duties in SAP Cloud applications such as SAP S/4HANA Cloud, SAP Ariba and SAP SuccessFactors.**

Privileged Access Management

Privileged Access Management is another service provided in the Cloud Identity Access Governance (IAG) solution to monitor, report, audit and take action against any critical access in a critical environment such as a cloud application.

Cloud Identity Access Governance (IAG) is maintained by SAP DevOps, which is responsible for the constant upkeep, maintenance and delivery of new enhancements.

**Privileged Access Management (PAM) is now beta-released (for ABAP connectors) in the latest IAG 2005 release for privileged access provisioning and privileged/emergency access monitoring (Firefighter) through the Cloud IAG application.**

SAP Access Control-IAG Bridge

The most talked-about feature of Cloud Identity Access Governance (IAG) is the SAP Access Control-IAG bridge, which gives customers the flexibility to continue using their existing SAP Access Control 12.0 environment as the primary system for Access Control and have the IAG bridge take care of the Access Control services or applications for the cloud environment.

SAP Contacts:

If you are an SAP MaxAttention/Active Attention customer, please contact your Technical Quality Manager (TQM) to learn more about the SAP service offerings. All other existing or potential SAP customers should get in touch with their SAP Account Executive (AE) for solution or service subscriptions.

SAP North America CoE Lead: Saksham Minocha

      Supreeti Singha Babu

      Hi Saksham,

      Excellent blog content. I have a question: why is user management different in IAG as compared to S/4 HANA cloud? In S/4 HANA cloud, role assignment is done using the apps in S/4 HANA cloud, whereas for IAG we assign the roles for the services in cloud cockpit instead of in IAG. Similarly, "Intelligent asset management" also maintains role assignment via cloud cockpit. How are some cloud applications differing from others in this aspect? Hope I was able to word my question properly; any help would be greatly appreciated.


      Saksham Minocha
      Blog Post Author

      Hi Supreeti,


      Thank you! You have worded your question very precisely.


      S/4HANA Cloud is a core ERP application and hence the structure is so. IAG is a fulfillment/compliance application for other Cloud ERP Applications and hence the structure is through SCP Cockpit. Also, if you look at the user/role management in the IAG application itself, there is not a lot that you have to do.

      There might be some changes from the product side in the future releases to align the structures.


      Hope that helps.




      Siddhesh Pai

      Excellent Blog Saksham. Is there any documentation available on connecting IAG bridge to GRC 12.0?

      We have a requirement to connect Ariba to GRC 12.0, hence we were looking for a hybrid approach by leveraging IAG bridge with our existing GRC 12.0.



      Siddhesh Pai

      Saksham Minocha
      Blog Post Author

      Hi Siddhesh,

      Thanks for the nice words.

      Most of our customers have deployed using the available documentation at SAP Help portal. Please refer to the link. Hope this helps.



      Praveen Vinjamuri

      Hello Saksham!


      Nice Blog! Can we use IAG as an access management platform for other BTP services such as Integration suite, Multi-cloud, etc?




      Niladri Bihari Nayak

      Excellent blog. How does it work with SAP SuccessFactors? SAP SF has its own security model / Role Based Permission too.





      Vincent DOUX

      Please see the SAP IAG Help portal, integration scenario for SFSF:

      SAP SuccessFactors | SAP Help Portal




      Melvin Button



      Can we use IAG to provision access to SAC (SAP Analytics Cloud)? Or what provisioning tool is recommended for managing access here?


      Regards, Mel

      Vincent DOUX

      Hi, Yes, SAP IAG can provision access to SAC.