Technical Articles
SAP GRC Access Request for Cloud systems
Overview
SAP Cloud Identity and Access Governance is a Cloud based GRC solution to integrate cloud and on-premise applications. Access Request service is a service that will be used to perform the access request functionality and we are focusing on integration of SAP Access Control to SAP Cloud SAP Cloud Identity Access Governance.
Possible Scenarios
There are so many questions regarding the Access Request for cloud applications and how to extend the solution for existing SAP Access Control implementation. This blog post gives you a complete overview of options and steps for Access Request for both standalone SAP Cloud Identity Access Governance implementation and SAP Access Control bridge scenario.
- SAP Cloud Identity Access Governance only option – You have only SAP Cloud Identity Access Governance solution and wanted to integrate with cloud and on-premise solutions for access request.
- SAP Cloud Identity Access Governance with bridge option – You have existing SAP Access Control solution with on-premise integrations and now want to integrate the cloud applications. There is no direct integration with SAP Access Control and hence you are using SAP Cloud Identity Access Governance solution for access request.
Note: Please refer the integration and bridge documents at help.sap.com for technical details to setup the below scenarios.
Scenario 1: Access Request in SAP Cloud Identity Access Governance
This is a simple scenario where the Access Request service in SAP Cloud Identity Access Governance is used for cloud and on-premise applications. Follow the below steps for provisioning to on-premise and cloud applications such as SAP Ariba.
Prerequisite – SAP Cloud Identity Authentication Service setup is completed under Trust Configuration in SAP Business Technology Platform cockpit (previously called as SAP Cloud Platform). For more information, check the User Management section in Administration Guide.
- Create an incident to SAP Support for component GRC-IAG to load the default business rule for workflow.
- Upload the Workflow Templates from Template Upload tile under Administration.
- Create a destination for target application, for ex, SAP Ariba in SAP Business Technology Platform cockpit (previously called as SAP Cloud Platform)
- Create a system entry in System tile pointing to the destination. While creating the system, make sure you enter the exact destination name you created in step 1 (case sensitive)
- Run the SCI User Group Sync Job to get all the user to group mapping. This is important step for getting approvers. Before running the job, make sure you have the relevant user groups assigned to the approvers in SAP Cloud Identity Authentication Service. The user group details are available in Admin guide under User Management section.
- Run the Repository Sync job from Job Scheduler tile for SAP Ariba, for ex. This needs to be done to get the existing assignments for the users and the groups to be requested in request.
- Once completed, make sure you see the Roles/Groups in Access Maintenance tile and Users in Maintain User Data tile.
- Make sure the Common Master Data and Master Data for Access request is completed as per the Admin Guide under Business Configuration.
- Create a request for group assignment and submit for approval. By default, it will go to 3 stage process (manager, Role Owner and Security). You can change to Manager only or Manager-Security Owner path.
- After the approval process is completed, you can find the request with the provisioning items in Provisioning Report tile. The provisioning process is not automatic.
- Schedule the recurring Provisioning Job from Job Scheduler to provision the items in target application.
- You can check the status in Provisioning Report and in case of any failures, you can reprocess the provisioning items and schedule the job again. You must run the provisioning job to process the failed attempts if you have not setup the recurring job.
Scenario 2: Access Request from SAP Access Control via SAP Cloud Identity Access Governance
You have SAP Access Control and you would like to provision for cloud applications. Provisioning for cloud applications are not supported directly from SAP Access Control and hence the bridge scenario is used. SAP Cloud Identity Access Governance is used as a bridge between the SAP Access Control and the cloud applications.
Prerequisite:
- Working workflow setup for SAP Access Control.
- IAG_PROVISION_STATUS_UPDATE_SRV service in SICF is activated.
- SAP Cloud Connector is setup for SAP Access Control system.
- Two connectors (BRIDGE_SOD_AUTH and BRIDGE_SOD_CHECK) setup as part of bridge solution and the parameters 1091 and 1092 set.
- Third connector in SM59 should be created for Target Cloud system, ex ARIBA_DEST. The name should be same as the target connector name in System tile in SAP Cloud Identity Access Governance.
- The repository sync was completed in SAP Cloud Identity Access Governance with data populated in Access Maintenance and Maintain User Data as per Scenario 1.
Follow the below steps to provision for cloud applications using bridge scenario
- You have the connector created for target cloud system (ex, ARIBA_DEST) and assigned to SAP Cloud Identity Access Governance connector type in SPRO configurations in SAP Access Control. This is a similar step as any other on-premise systems you set up in SAP Access Control. Please check the steps in SAP Cloud Identity Access Governance Bridge document for complete details.
- Run the repository sync job in SAP Access Control for target connector (ex, ARIBA_DEST) with IAG import option. This will make sure that the roles are synchronized and automatically imported. You don’t need to do manual role import for role search in access request. Maintain configuration parameters 3000 to 3004 is set in SPRO before running the job.
- Create access request for cloud application and follow the workflow process.
- The risk analysis from request will go to SAP Cloud Identity Access Governance if the configuration parameter 1090 set o YES. If you set to NO, then risk analysis for cloud applications will not work.
- The mitigation date comes from SAP Cloud Identity Access Governance to mitigate the risk.
- Once the approval process is completed, based on the connector type, the provisioning will happen from SAP Access Control or SAP Cloud Identity Access Governance. If the connector type is IAG, it will send to SAP Cloud Identity Access Governance for provisioning.
- You can check the request number and the provisioning items in Provisioning Report tile.
- Run the provisioning job from Job Scheduler to provision the items.
- The job will send the provisioning status to ProvisioningStatusUpdate service from SAP Cloud Identity Access Governance through the SAP Cloud Connector.
- You can check the status in Provisioning Report and in case of any failures, you can reprocess the provisioning items and schedule the job again. You must run the provisioning job to process the failed attempts if you have not setup the recurring job.
- The access request audit log will be updated, and request will be closed.
Conclusion
The above explanation should have given you a complete picture of how this whole integration works. Based on this, you can setup your Access Request solution and this is a functional overview only. For more details document on how to setup the bridge solution, you should check the help.sap.com for SAP Cloud Identity Access Governance.
References
Please check the below documents from https://help.sap.com/viewer/product/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE
- (IAG Bridge) SAP Access Control 12.0 (on-premise) to IAG and Cloud Target Application
- Integration Scenarios
Note: Please share your feedback or thoughts in a comment below or ask questions in the Q&A tag area here about SAP Cloud Identity Access Governance or https://answers.sap.com/tags/01200615320800000796
Very informative blog. Thank you Prem for sharing.
Useful information. Thanks for posting.
Hi Prem,
Thank you for posting this information, it is very useful.
Thank you
Hi Prem,
thanks for sharing the knowledge.
i have a query from Scenario 2 , point2 "Run the repository sync job in SAP Access Control for target connector (ex, ARIBA_DEST) with IAG import option. This will make sure that the roles are synchronized and automatically imported. You don’t need to do manual role import for role search in access reques...". Does this mean IAG role import option will also import the ARIBA roles/groups will be synched to IAG in the same run. For AC, the role import will still need to be executed manually, isn't it?
And the point 6 mentions "...If the connector type is IAG, it will send to SAP Cloud Identity Access Governance for provisioning.". Does this mean Provisioning is done by IAG itself and not by IAS/IPS.
Regards
Plaban
Hi Plaban,
In general, you have to use import in AC but for IAG connectors in AC, you can do both sync and import using one repository sync job.
IAG uses IPS to provision some cloud applications. The connection from AC always goes to IAG not to any other services.
Thanks,
Prem
Hi Prem, Thanks for the detailed blog. Can you please share solution for the below query.
We have IAG bridge scenario implemented with GRC 12 on premise integrated with SAP Ariba Cloud App. Role Approvers mapping to the Ariba groups under Role Maintenance get automatically overwritten whenever we run repository sync job manually to sync the new Ariba groups into GRC.
This problem causes lot of re-work or manual effort to reupload all the Ariba groups with approver mapping.
Hi Tushar,
Have you tried this note 2983144.
Thanks,
Prem
Hi Prem,
How can we integrate SAP GRC to SAP CPI Cloud application for SAP CPI user administration ?.
Thank you,
Venkat
Hi Venkat,
If CPI is hosted in BTP, then you can use BTP integration to manage user assignments.
Thanks,
Prem
Hi,
Since the mainstream maintenance of GRC 12.0 is ending by 31.12.2025 and since there is No successor product available, Is IAG would replace SAP GRC going forward?
Regards,
Sam
Hi Sam,
Our product team will update the roadmap soon.
Thanks,
Prem