SAP IAG Bridge – Manage Hybrid Landscapes
SAP Identity Access Governance (IAG) allows you to extend your SAP GRC Access Control to manage hybrid SAP landscapes with the IAG Bridge functionality. With the ongoing digital transformation, many of the traditional business functions shift from on-premise to the cloud. At the end of the day, the SAP customer has to deal with access governance in these hybrid landscapes.
In this article, we will take a look at the capabilities that SAP IAG Bridge offers and how you can utilize our existing infrastructure (e.g., SAP Access Control) in such hybrid scenarios.
SAP IAG Bridge functionality connects your SAP Access Control (GRC) on-premise solution with your SAP Cloud Identity Access Governance (IAG) to extend access governance functionality into the cloud.
Cloud applications often consume, manage and process data that is being exchanged between the cloud app and an on-premise application like SAP S/4HANA. Because of that, you have to be able to analyze access risks in a hybrid cross-system landscape. Analyzing these risks is a challenge, as is determining how to provision users across multiple systems through business roles. SAP IAG offers role design services that allow you to build business roles for hybrid landscapes.
IDENTITY ACCESS GOVERNANCE FOR LIFE
SAP IAG and SAP Access Control are solutions in the area of identity and access management (IAM). IAM tools must provide automated and repeatable ways to govern the identity life cycle from start to finish. Organizations must manage user identities and govern identity and access requests on-premise and in the cloud consistently and compliantly, including:
- User provisioning
- Self service
- Workflows and approval workflows
- Segregation of duties (SoD)
- Delegated administration
- Organizational management
- Role management
- Privileged user management/firefighter
- Single sign-on (SSO)
- Reporting
These capabilities and security controls are leveraged using IAG that (in a best-case scenario) integrates with and covers all types of users (employees, vendors and customers) and applications (on-premise and in the cloud) for the entire lifecycle — from hire to retire.
HR DRIVEN IDENTITY LIFECYCLE MANAGEMENT
SAP IAG offers a similar capability to the HR Trigger in SAP Access Control that allows you to automatically create access requests based on input from HR. You can integrate the SAP Cloud Identity Access Governance solution with your HR system (e.g., SAP SuccessFactors Employee Central). This enables you to capture changes to the employment status in the HR system and to initiate access requests automatically through IAG. The access request service converts the HR triggers to change requests, which are then provisioned to target applications (cloud and on-premise) through predefined business roles.
SAP ACCESS CONTROL (GRC) VS. SAP IDENTITY ACCESS GOVERNANCE (IAG)
Before we look into the details of what the SAP IAG Bridge functionality offers, we have to understand the differences between SAP Access Control (GRC) and SAP IAG.
SAP IAG is often referred to as the SAP Access Control solution for the cloud, which in fact it is. SAP IAG — a cloud solution running on the SAP Business Technology Platform (BTP) — does not replace SAP Access Control, but it offers similar capabilities to a broader environment (cloud) with some overlapping functions.
For example, SAP IAG can run a risk analysis against on-premise applications (similar to SAP Access Control), and offers firefighting capabilities with the Privileged Access Management (PAM) for on-premise systems (e.g., SAP ERP and SAP S/4HANA).
Additionally, SAP IAG can connect to both cloud and on-premise applications through the SAP Cloud Connector. The Cloud Connector is located on the intranet (the customer network) and establishes connectivity between the SAP Business Technology Platform (internet) and the target system (intranet).
Let’s take a look at a high-level comparison of the modules and their core functionalities.
| SAP Access Control | Function | SAP IAG | Function |
|---|---|---|---|
| Access risk analysis (ARA) | Access analysis for on-premise systems, ruleset management | Access analysis | Access analysis for on-premise and cloud, limited to users and roles, ruleset management |
| Business role management (BRM) | Role management and business roles | Role design | Business roles for hybrid landscapes |
| Access request management (ARM) | Fully customizable and extendable access request workflows | Access request | Predefined set of workflows with limited configuration capabilities |
| Emergency access management (EAM) | Firefighter for ABAP systems | Privileged access management | Firefighter for ABAP systems (still in Beta version) |
| User access review (UAR) and SoD risk review | Customizable UAR and SoD risk review workflows through ARM | Access certification | Campaigns to review user access |
Even though SAP IAG is not officially the direct replacement for SAP Access Control, it might serve that purpose for some customers depending on requirements. For many customers considering access governance solutions — or for those moving from a third-party to SAP — SAP IAG might offer all that’s needed. SAP IAG is capable of covering the most relevant use cases, not only for the on-premise world but also for the cloud (including access risk analysis and access provisioning).
The user interface (UI) for SAP IAG is SAP Fiori, which is the standard UI for SAP’s cloud services. SAP Fiori apps are also available for SAP Access Control. However, SAP Access Control still comes with the NetWeaver Business Client (NWBC), which is the desired UI of most administrators. Also, some of the Fiori apps are still the “old” WebDynpros that we know from the NWBC. The user experience is similar in both tools when using SAP Fiori.
WHICH SOLUTION FOR WHICH USE CASE?
With SAP IAG and SAP Access Control, you can have three scenarios for multiple use cases. Let’s try to understand them first, before we look specifically into the bridging capability.
Scenario 1: SAP IAG Only
This scenario is for customers who want an out-of-the-box solution for access governance that runs entirely in the cloud. With this approach, you will have reduced flexibility as SAP IAG is a software as a service (SaaS) solution that only offers limited configuration capabilities. However, if you want to use standard workflows to provision users across on-premise and cloud applications, analyze cross-system access risks, perform firefighting (emergency access), as well as user access reviews, SAP IAG is the perfect solution for you.
Scenario 2: SAP Access Control Only
This scenario is for customers who primarily use on-premise applications. SAP Access Control gives you total flexibility to govern access in the on-premise landscape. Its Access Request Management (ARM) workflows are fully customizable and allow for extensive enhancements. The lack of such workflow customization is one of the main limitations of SAP IAG compared to SAP Access Control.
Scenario 3: SAP IAG and SAP Access Control – SAP IAG Bridge
The SAP IAG Bridge scenario is for customers who need to govern access in a hybrid landscape (on-premise and in the cloud). The bridging scenario offers the best of both worlds combined; however, you need to implement (as well as run, service and license) two applications.
SAP IAG BRIDGE
The SAP Cloud IAG Bridge provides a powerful tool for extending your on-premise SAP Access Control 12.0 to a broader spectrum of applications (on-premise and cloud). The IAG Bridge functionality is also a great way to leverage your investment in SAP Access Control to make it future-proof. Often, customers have invested heavily in SAP Access Control to adjust it to their needs, but are now faced with access governance challenges that go beyond the standard offerings. The IAG Bridge functionality can close that gap.
SAP Cloud IAG Bridge offers:
- Connectivity to cloud applications.
- Cross-application access risk analysis (including cloud applications) by using SAP Cloud IAG (Access Analysis Service).
- Remediation process with access refinement functions to optimize user access.
- Role Designer to build business roles.
A disconnect in system landscapes and business applications leads to additional work when it comes to supporting customizations and integrations. With the SAP Cloud IAG Bridge, we can connect those two worlds to achieve better governance and fully comply with regulations.
The SAP Cloud Identity Access Governance bridge concept offers an intuitive way to extend SAP Access Control and save your investment. With this extension, you can group cloud applications under one compliance domain, easily connect to cloud applications, and extend your cross-application risk analysis into the cloud.
Other key features that the SAP Cloud IAG Bridge concept offers include:
- Synchronization of master data from SAP Access Control to SAP Cloud IAG, including access risk definitions and mitigating controls.
- Connectivity to target on-premise applications from SAP Access Control.
- Connectivity to various cloud applications (e.g., SAP Ariba, SAP S/4HANA Cloud, etc.).
- Handling of cross-system risks between on-prem and the cloud.
With the SAP Cloud IAG Bridge, you can extend your current SAP Access Control installation without compromising on functionality, access governance, or other compliance requirements.
INTEGRATION SCENARIOS FOR HYBRID LANDSCAPES
As mentioned above, the IAG Bridge scenario allows you to extend SAP Access Control into the cloud through SAP IAG. Let’s take a closer look at the two most common scenarios.
CLOUD DRIVEN APPROACH
In the cloud-driven approach, SAP IAG handles all the access governance scenarios without SAP Access Control, optionally utilizing SAP Identity Management (IDM) to provision to non-SAP applications that SAP IAG cannot handle itself.
In this scenario, SAP IAG takes care of the risk analysis, access requests, firefighting, etc., without the need for the on-premise GRC installation.
This is a typical scenario for customers who don’t have extensive requirements for workflows, or for customers who are just starting with access governance solutions. It’s a future-proof and evolving approach that will see many improvements over the next couple of years. Additionally, SAP IAG can be integrated with SAP SuccessFactors Employee Central to govern the user lifecycle processes, similar to the integration with SAP Access Control.
HYBRID APPROACH
The hybrid approach is the most desired approach for existing SAP Access Control customers. With this approach, we can utilize the best of both worlds and leverage our existing SAP Access Control implementation.
For example, SAP IAG is used for cross-system risk analysis (utilizing the power of the cloud application), while SAP Access Control is used for its extensively customizable access request workflows.
In this scenario, SAP IAG provisions the cloud systems and SAP Access Control provisions the on-premise systems. The workflows run in SAP Access Control (yes, you can request cloud applications) and thus allow for extensive customization.
To govern the user lifecycle, you can integrate with SAP SuccessFactors Employee Central by utilizing the HR Trigger for the joiner, mover and leaver processes.

How does the hybrid approach work for the end user? The end user remains on SAP Access Control and can continue to access the system through the NetWeaver Business Client (NWBC) or SAP Fiori. The workflows run in SAP Access Control, but the provisioning automatically goes through SAP IAG when provisioning cloud systems, and directly from SAP Access Control when provisioning on-premise systems.
This is a good overall document. I am working in the HYBRID approach for SAP Analytics Cloud provisioning. Once it's done, I will create a document and perhaps attach it in your blog.
I am looking for a document on connecting IAG bridge to GRC 12.0. Can you please upload it if it is available.
Siddhesh Pai - I have completed the whole setup. Please find below the link to my blog. I will appreciate your response.
https://blogs.sap.com/2022/01/04/iag-bridge-integration-with-ariba-buying-and-invoicing-part-1/#
Hi Trinetra, I have a similar requirement regarding the user provisioning to SAC. I would be very interested to hear how you integrated GRC with SAC. Only with IAG Bridge and IDM? Thanks!
Hi, you can go through my detailed blog here
https://blogs.sap.com/2022/01/24/grc-integration-with-sap-analytics-cloud-iag-bridge-concept/
Thanks Alessandro for the very well written and explained article. Just a quick question, do you know if IAG integration with Concur is now available as shown in the image above?
Hi Jefferson,
not yet - this is a mistake on my side when I created the image. Concur is not yet supported. I will keep you posted when I know more.
Regards, Alessandro
Hi Alessandro,
Thank you for the blogpost.
In the section 'CLOUD DRIVEN APPROACH', can SAP IDM call IAG for risk analysis? For this to happen, are there initial load jobs available for IAG which can be run in IDM? And if yes, from where can I get these initial load jobs? Will these be provided when importing the IAG repository?
In the section 'HYBRID APPROACH', you have mentioned 'The workflows run in SAP Access Control (yes, you can request cloud applications)'. So, does this mean cloud applications are defined as connectors in GRC AC 12, or would they be defined as IAG Bridge? Because there are no cloud applications available in the standard list of connectors in GRC AC 12.
Regards
Plaban
Thanks for the great article Alessandro. I am looking for documentation on connecting IAG Bridge to GRC. Is it available anywhere? Also, I wanted to know how easy/complex it is to set up.
We had a requirement to connect Ariba to GRC 12.0, hence I was looking for IAG Bridge integration with GRC 12.0.
Thanks,
Siddhesh Pai
I completed the setup for ARIBA integration using IAG Bridge. I will say it’s a complex setup where you will need help from the SAP ARIBA team as well.
Also, the IAG user creation setup for ARIBA is not end to end, and I am currently working with SAP to resolve it and find a solution.
Thanks,
Trinetra
Hi Trinetra, we are also embarking on a project with our ARIBA integration using IAG Bridge. Can I please reach out to you and learn from your experience?
Similar problems here. We tried to follow the steps in the official Bridge documentation and the IAG admin guide integration scenario, but seem to get stuck on the BTP to Ariba connection.
Jos Henssen - You can follow my blog below.
https://blogs.sap.com/2022/01/04/iag-bridge-integration-with-ariba-buying-and-invoicing-part-1/
Sure Kostas,
Share your email ID, will help whenever possible.
Hi Alessandro,
Thanks for your blog.
I have a question: what is the solution that SAP recommends to provision users in Microsoft 365? Can it be done with Access Control or IAG?
Thanks
PLABAN SAHOO: You can define cloud app connectors in GRC 12. They will be of type HTTP to external server, and the same has been described in the IAG integration with GRC on the help.sap portal. You need to define the cloud app connector (e.g. SAP Ariba) in the SAP BTP platform, then define the same in IAG under the SYSTEMs tile, and then define the same name in GRC 12 with SM59.
Siddhesh/Trinetra: AC to IAG Bridge integration guide:
https://help.sap.com/doc/4835e84042834e6c96bfa35f5d7609aa/1902/en-US/AC%20to%20IAG%20Bridge_Integration.pdf
There are plenty of guides and videos on the SAP Learning Hub portal, if you have access to it.
Regards
Tushar M
Hi Alessandro,
Thank you for such a wonderful post, very helpful for people like us who are new and working in the IAG Bridge hybrid model.
I have a question. If we have an existing GRC 12.0 system, and we are using GRC workflows, on-premise rulesets, controls and so on, and we are integrating it with Ariba, SAC, and SF HR triggers, how does the master data setup look?
Example: The S4 rulesets that are uploaded in GRC we consider moving to IAG after sync. The controls which are in GRC are being synced to IAG with the different user IDs P* which are present there, and similar. Business roles are being synced.
The Ariba ruleset is in IAG, but how does the master data setup work?
Does it mean that risk analysis, control assignments, business role owners, control owners, monitors, all must be in IAG and no local data on GRC? As the user ID naming is different in IAG and in GRC, the sync picks up the IAG user ID.
The reason I am asking this question is: we may need to move all the data to IAG depending on how it works, and what are other users' experiences on this part?
Any pointers are highly appreciated.
Thank you very much in advance.
Best Regards,
Sabita
Thanks for providing valuable information on SAP GRC products. Is IAG integration with Concur now available as shown in the image above?
Hello, really good blog. One aspect I am interested in is "how to license it?"
Thanks
Martin.