
GRC Risk Analysis for Cloud systems

Overview

SAP Cloud Identity and Access Governance is a cloud-based GRC solution that integrates cloud and on-premise applications. Among its services, the Access Analysis service is the one that performs the risk analysis functionality. This post focuses on the integration of SAP Access Control with SAP Cloud Identity and Access Governance.

Possible Scenarios 

There are many questions about risk analysis for cloud applications and about how to extend an existing SAP Access Control implementation to cover them. This blog post gives a complete overview of the options and steps for risk analysis in both a stand-alone SAP Cloud Identity and Access Governance implementation and the SAP Access Control bridge scenario.

  1. SAP Cloud Identity and Access Governance only option – You have only the SAP Cloud Identity and Access Governance solution and want to integrate cloud and on-premise applications for risk analysis.
  2. SAP Cloud Identity and Access Governance with bridge option – You have an existing SAP Access Control solution with on-premise integrations and now want to integrate cloud applications. SAP Access Control has no direct integration with cloud applications, so SAP Cloud Identity and Access Governance is used as the risk analysis engine for them.

Note: Refer to the integration and bridge documents at help.sap.com for the technical details of setting up the scenarios below.

Scenario 1: Risk analysis from SAP Cloud Identity Access Governance

This is the simple scenario: risk analysis runs in SAP Cloud Identity and Access Governance for both cloud and on-premise applications. Follow the steps below to get risk analysis results for, for example, SAP Ariba.

  1. Create a destination for SAP Ariba in the SAP Business Technology Platform cockpit (previously called SAP Cloud Platform).
  2. Create a system entry in the Systems tile pointing to that destination. Enter exactly the destination name you created in step 1; the name is case sensitive.
  3. Create an incident with SAP Support under component GRC-IAG to have the ruleset for SAP Ariba loaded.
  4. If you change the SAP Ariba ruleset (custom ruleset), download the standard ruleset first and keep it as a backup: once changed, the standard one cannot be recovered. Alternatively, create a new business function group (for example, Ariba_Group), load the changed ruleset into this new group and assign the Ariba system to it, leaving the default group (SAP_ARIBA_LG) untouched. This way you have two groups, one with the standard ruleset and one with the changed ruleset.
  5. Run the Repository Sync job from the Job Scheduler tile.
  6. Once it completes, verify that the roles/groups appear in the Access Maintenance tile and the users in the Maintain User Data tile.
  7. Run the Access Analysis job from the Job Scheduler tile. This job is not system-specific; it runs for all systems. When scheduled, it picks up all objects that were changed after the last time the job completed successfully. The first run takes longer because it analyzes all objects (roles/groups and users) for all systems.
  8. If all the above steps complete successfully, the risk analysis reports are available under Access Analysis for users and under Access Maintenance for roles/groups.

Scenario 2: Risk analysis from SAP Access Control via SAP Cloud Identity Access Governance

This scenario involves more steps than the previous one. You have SAP Access Control and want to run risk analysis for cloud applications. Risk analysis for cloud applications is not supported directly from SAP Access Control, so the bridge scenario is used: SAP Cloud Identity and Access Governance acts as a bridge between SAP Access Control and the cloud applications.

Switch

The risk analysis behavior is controlled by SPRO configuration parameter 1090 in SAP Access Control, which acts as a switch.

  • 1090 = YES
    • Risk analysis from an access request gets its results from SAP Cloud Identity and Access Governance; no analysis happens on the SAP Access Control 12.0 side.
    • This parameter applies only to risk analysis for access requests, not to user-level or role-level analysis under Access Management or Reports and Analytics in SAP Access Control.
    • If you run, for example, a user-level analysis in SAP Access Control, the risk analysis is performed for on-premise applications inside SAP Access Control only.
    • Once this parameter is set to YES, it is advisable to run the reports in SAP Cloud Identity and Access Governance instead.
    • To run the analysis for both cloud and on-premise applications in one place, you have to move all rulesets and authorization objects to SAP Cloud Identity and Access Governance.
  • 1090 = NO
    • Risk analysis works as in SAP Access Control today; nothing changes.
    • Only on-premise systems and the SAP SuccessFactors (SF) system are supported in SAP Access Control. Cloud applications are not supported even if SAP Cloud Identity and Access Governance is set up for them.
    • In short, there is no change in behavior from the existing functionality.

Follow the steps below to run risk analysis for all applications, on-premise and cloud, using the bridge scenario.

  1. Create the connector and assign it to the SAP Cloud Identity and Access Governance connector type in the SPRO configuration of SAP Access Control. This is the same step you perform for any other on-premise system set up in SAP Access Control. See the SAP Cloud Identity and Access Governance Bridge document for complete details.
  2. Make sure Scenario 1 (risk analysis from SAP Cloud Identity Access Governance) is completely set up and running for the cloud applications.
  3. Create a new destination of type ABAP RFC for the SAP Access Control system in the SAP Business Technology Platform cockpit (previously called SAP Cloud Platform).
  4. Create a new system of type SAP Access Control under the Systems tile for the destination created in the previous step.
  5. Move the rulesets for on-premise applications from SAP Access Control to SAP Cloud Identity and Access Governance by running the Access Control – Risk Definition Sync job from the Job Scheduler for the system created above. This brings over all logical groups, connectors and rulesets loaded in SAP Access Control. If you are using SAP Cloud Identity and Access Governance only for risk analysis, do not create any logical group or connector in SAP Cloud Identity and Access Governance yourself; let the sync job create them.
  6. Move the mitigation controls for on-premise applications from SAP Access Control to SAP Cloud Identity and Access Governance by running the Access Control – Mitigation Control Transfer job from the Job Scheduler for the SAP Access Control system. This brings over all mitigation controls defined in SAP Access Control.
  7. Run the Repository Sync job for the SAP Access Control system to bring all objects and authorizations from SAP Access Control into SAP Cloud Identity and Access Governance. This data is what the risk analysis runs against.
    1. SAP Access Control may not hold authorization data for the corresponding objects. In that case, run the repository sync for the on-premise systems in SAP Access Control with the Role/Profile Authorization data option selected. This also provides value help during function creation in SAP Cloud Identity and Access Governance.
    2. You must also select the Role Import option in the Repository Sync job in SAP Access Control. This option takes care of the BRM role import, so you do not need to set up the roles manually in BRM.
  8. Run the Access Analysis job under the Job Scheduler.


How risk analysis works in SAP Cloud Identity and Access Governance?

  • Risk analysis is not run at the time you request it; the analysis is performed in advance by scheduled jobs and the reports are ready to consume. This is the fundamental difference between how risk analysis works in SAP Access Control and in SAP Cloud Identity and Access Governance.
  • Schedule a recurring Repository Sync job for all systems, including the SAP Access Control system and the cloud applications, at an interval that suits your needs.
  • Schedule a recurring Access Analysis job. This job runs for all systems.
  • Choose the schedule for these jobs based on how frequently objects change in the connected systems. Running them very frequently, for example every 5 minutes, is not advisable.
  • The risk analysis results are updated by these jobs; until the next run, the reports reflect the state at the last successful run.
  • If the ruleset changes, the next Access Analysis job re-analyzes all objects and takes correspondingly longer, even if no objects changed in the connected systems.
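The scheduling behaviour just described, as an added Python model that is not SAP Cloud Identity and Access Governance code or its API: a watermark of the last successful run drives delta selection, a ruleset version change forces a full re-analysis, and each principal is checked against simple SoD rules (a risk fires when one user or role holds every function in the rule). The `Ruleset`, `Principal` and `Analyzer` names, the function names and the sample data are all constructed for illustration.

```python
# Added example (not SAP IAG code): a small model of the scheduled, delta-based
# risk analysis described above. The types, function names and sample data are
# assumptions made for illustration only.
from dataclasses import dataclass, field


@dataclass
class Ruleset:
    version: int
    # risk id -> set of functions that conflict when all are held by one principal
    risks: dict


@dataclass
class Principal:
    """A user or role/group as brought in by the Repository Sync job."""
    name: str
    functions: set
    changed_at: int  # timestamp of the last change seen by Repository Sync


@dataclass
class Analyzer:
    ruleset: Ruleset
    last_success_at: int = -1    # watermark: last successful Access Analysis run
    analyzed_version: int = -1   # ruleset version the stored results were computed with
    results: dict = field(default_factory=dict)  # principal name -> list of risk ids

    def select(self, repository):
        """Delta selection: everything on the first run or after a ruleset change,
        otherwise only objects changed since the last successful run."""
        if self.ruleset.version != self.analyzed_version:
            return list(repository)
        return [p for p in repository if p.changed_at > self.last_success_at]

    def evaluate(self, principal):
        """SoD check: a risk fires when the principal holds every function in it."""
        return sorted(rid for rid, funcs in self.ruleset.risks.items()
                      if funcs <= principal.functions)

    def run(self, repository, now):
        """One Access Analysis job run. Returns the names that were (re)analysed."""
        selected = self.select(repository)
        for p in selected:
            self.results[p.name] = self.evaluate(p)
        # The watermark moves only after the whole run completed, so a failed run
        # leaves its objects to be picked up again by the next run.
        self.last_success_at = now
        self.analyzed_version = self.ruleset.version
        return [p.name for p in selected]


def demo():
    """Constructed walk-through: first run, an incremental run, then a ruleset change."""
    ruleset = Ruleset(version=1, risks={
        "P001": {"CREATE_VENDOR", "PAY_VENDOR"},  # classic procure-to-pay SoD conflict
        "P002": {"CREATE_PO", "APPROVE_PO"},
    })
    repo = [
        Principal("ALICE", {"CREATE_VENDOR", "PAY_VENDOR", "CREATE_PO"}, changed_at=1),
        Principal("BOB", {"CREATE_PO"}, changed_at=1),
        Principal("ROLE_AP_CLERK", {"PAY_VENDOR"}, changed_at=1),
    ]
    az = Analyzer(ruleset)
    first = az.run(repo, now=10)            # first run: all objects
    repo[1].functions.add("APPROVE_PO")     # BOB changes in the connected system
    repo[1].changed_at = 15                 # ...and Repository Sync records it
    second = az.run(repo, now=20)           # delta run: only BOB is re-analysed
    az.ruleset = Ruleset(version=2, risks=dict(
        ruleset.risks, P003={"CREATE_VENDOR", "CREATE_PO"}))
    third = az.run(repo, now=30)            # ruleset changed: full run again
    return first, second, third, dict(az.results)


if __name__ == "__main__":
    print(demo())
```

The point to take from the model is the two triggers for a full run: the very first run and any ruleset change, which is why the page warns that a ruleset edit makes the next job slow even when nothing changed in the connected systems.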

Where do you see the results?

  • Risk analysis results for groups/roles are shown under the Access Maintenance tile in SAP Cloud Identity and Access Governance.
  • Risk analysis results for users are shown under Access Analysis and in the Analyze User Access tile in SAP Cloud Identity and Access Governance.
  • In the bridge scenario (parameter 1090 = YES), the violations are shown in the access request in SAP Access Control.

Conclusion

The explanation above should give you a complete picture of how this integration works and is a functional overview only; based on it you can plan your risk analysis setup. For detailed documentation on setting up the bridge solution, see help.sap.com for SAP Cloud Identity Access Governance.

References

See the following documents at https://help.sap.com/viewer/product/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE

  • (IAG Bridge) SAP Access Control 12.0 (on-premise) to IAG and Cloud Target Application
  • Integration Scenarios


Note: Please share your feedback or thoughts in a comment below, or ask questions in the Q&A area for SAP Cloud Identity Access Governance: https://answers.sap.com/tags/01200615320800000796
