Skip to Content
Technical Articles
Author's profile photo Prem Balraj

SAP Cloud Identity Access Governance – Initial Setup

You have received your welcome email titled “Initial user and access information for your SAP Cloud Identity Access Governance System”. You have received this email because the tenant setup is complete for SAP Cloud Identity Access Governance solution and want to let you know that it is available for use. Now what?

In this blog post you are going to learn all the steps needed to successfully perform the initial setup and up running.



  • A new SAP Cloud Business Technology Platform Global Account provisioned in the Cloud Foundry environment. You have already received an email from the SAP Cloud Business Technology Platform cockpit (previously called as SAP Cloud Platform) about how to access your global account in the SAP Cloud Business Technology Platform cockpit.


  • An instance of the cloud connector if you wish to use on-premise applications for the IAG Bridge scenario.
  • An instance of the SAP Cloud Identity Authentication Service (IAS).
  • An instance of the SAP Cloud Identity Provisioning Service (IPS).


Who can perform the initial setup?

The person who received the welcome email should have the full access to start the setup. In most cases, the email is sent to the person who ordered and not the person who is going to implement the solution. You may have to ask him to add your S number to the global account under Members.

Step 1: Create Subaccount

Log into your SAP BTP cockpit to access your Global Account and create a new subaccount.

  • Please make sure you create the sub domain name with your company name and environment(test or prod) to identify. This domain name will be the part of your application URL. For ex,
  • Provider and Region should be based on the below.
  • Currently, SAP Cloud Identity Access Governance is available only on
    • Amazon Web Service (AWS) platform in US East (VA) – cf-us10, Australia (Sydney) – cf-ap10, and in Europe (Frankfurt) regions – cf-eu10
    • Microsoft Azure in US West (WA) – cf-us20
    • Google Cloud Platform in US Central (IA) – cf-us30

Please check link for latest update of Region and Provider.

  • Select ‘Used for production’ option, if you want this sub account to be a production.


Step 2: Subscribe SAP Cloud Identity Access Governance application

Go to Service Marketplace and search for Identity access governance


STOP : If you do not find the application, either you do not have permission to subscribe the application or you are into wrong global account. You have to check with the user who received the welcome email to add your S number in members or you have to create an incident to GRC-IAG to check the correct global account for SAP Cloud Identity Access Governance.

If you have a license for full edition, then you will see the service as SAP Cloud Identity Governance and if you have integration edition, then you will see the service as SAP Cloud Identity Access Governance, Integration Edition.

if you see the application, then click the application and you will see two plans in the right side.

Select the test plan if your sub account is for testing and standard plan if your subaccount is for production.

Click one of the plan to create.


It will take few minutes to setup.


Once successfully completed, you will able to see the status as subscribed. If you see any error, please create an incident under GRC-IAG component.

Click the three dots at the end of the subscription line and you can able to launch the application by using ‘Go To Application’ link.


Step 3: Add Role Collections to view the tiles

When you launch the application, you may not see all the tiles. To get access to tiles, you have to add the role collections to the S user.

Make sure you have your user added.


By default, you will see the user data source as SAP ID service. You can add SAP Cloud Identity Authentication Service later.


Click the SAP ID Service link as above under Trust Configuration.

Go to Role Collection Assignment and your email address and click Assign Role Collection.

Add these role collections to get full access to IAG applications. You can add other role collections based on your need.


Now, check the application URL again and you should be able to access the application. If you still face any issues, access the application in new browser or incognito/private mode.



Please check the Administration Guide from

Note: Please share your feedback or thoughts in a comment below or ask questions in the Q&A tag area here about SAP Cloud Identity Access Governance  or

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Srikanth Thavidaboina
      Srikanth Thavidaboina

      Hi Prem,

      Thank you very much for your efforts!

      I have read the guide and I was very much interested to visualize the initial setup, finally experienced with your writing. I am leaving my questions here.

      1. Who decides the Hardware sizing for setup, since I don't see such step in the setup
      2. Is there any scope for SAP BASIS through out the IAG Configuration?
      3. Why region should be EU or US?
      4. Does it mean the IAG Application is ready to configure for cloud applications after subscription?



      Author's profile photo Prem Balraj
      Prem Balraj
      Blog Post Author

      Hi Srikanth,

      1. Customers do not have access to this and it is cloud application.
      2. Yes, in case of IAG bridge scenario.
      3. Updated with latest information. Please check now.
      4. Yes.