Skip to Content
Technical Articles
Author's profile photo Trinetra Bhushan

GRC Integration with SAP Analytics Cloud Using IAG Bridge Concept

As explained in my previous blog of “IAG Integration with ARIBA” the steps required to complete End to End Integration of GRC IAG Bridge to any target cloud application is 5 step process. The Step 3 to 5 will follow the same configuration with minor tweaks depending on Cloud Applications.

The first step of any integration is to integrate SAP Cloud Identity Access Governance and Target cloud application, here I will talk about integration of IAG with SAP Analytic Cloud.

Before we start going into details of it we have to understand that all IAG integration can be broadly defined as two types:

  1. Using Identity Provisioning Service : Some Cloud application like SAC can not directly connects to IAG ,In these integration scenarios we have to use IPS Connectivity as well to perform provisioning.
  2. Direct IAG : Most of the IAG integration scenarios can directly integrate with IAG without IPS.

To understand more about IPS we need to understand what is IAG Bundle Licensing.

SAP Cloud Identity Access Governance is available as a cloud bundle solution. It includes two other services – Identity Provisioning and Identity Authentication that are essential for successfully configuring the product.

Identity Authentication service : To manage access to applications belonging to SAP Cloud Identity Access Governance, it is important to authenticate users. The Identity Authentication service simplifies the access as you can choose from various authentication mechanisms, single sign-on, on-premise integration, and self-service options. For more details, see What is Identity Authentication?

Identity Provisioning service : You use this service to provision users and groups for connecting various target cloud applications to SAP Cloud Identity Access Governance.


IPS and IAG Connection

Follow the steps listed below to build the URL :

  1. Go to the Identity Provisioning launchpad and log on with your S-user.
  2. Double-check your user is Admin by choosing any tile in your Identity Provisioning launchpad.
  3. Double-check that you have the tile Proxy Systems available in the Identity Provisioning launchpad.

Complete the integration process for SAP Cloud Identity Access Governance and SAP Analytic Cloud.

  • Configure SAP Analytic Cloud System – Add OAuth Client

Follow the path in SAP Analytic Cloud System ->Administration-> App Integration-> Oauth Client

*Make a note of OAuth Client ID it will be used in later configuration.

**Make a note of Secret it will be used in later configuration.

  • Setup in OAuth Client IPS subaccount in SAP BTP cockpit
  1. Open your subaccount in SAP BTP cockpit. (The display name of the subaccount starts with SAP_BUNDLE.)
  2. Register a new OAuth client for the subscription to the ipsproxy application. Depending on your Identity Provisioning tenant and perform below steps
    • Go to Security OAuth Clients.
    • Choose Register New Client.
    • From the Subscription combo box, select <provider_subaccount>/ipsproxy.
    • From the Authorization Grant combo box, select Client Credentials.
    • In the Secret field, enter a password (client secret)and remember it. You will need it later, for the repository configuration in the external system.
    • Copy/paste and save (in a notepad) the generated Client ID You will need it later, too.

Assign role IPS_PROXY_USER to the OAuth client. Depending on your Identity Provisioning tenant (Bundle), do the following:

  • From the left-side navigation, choose Subscriptions.
  • Under the Java Applications section, choose ipsproxy.
  • From the left-side navigation, choose Roles.
  • Choose Assign and enter oauth_client_<client_ID>.
  • For <client_ID>, enter the one you have saved in the previous main step and here it will be UserID

The second  step of any integration, In the SAP Cloud Identity Access Governance launchpad, sync the repository data from target app to the IAG repository.

Configuring a Connection from SAP Cloud Identity Access Governance to Identity Provisioning(IPS_PROXY)

  • Add Proxy system (SAC) in IPS
  • Login to IPS, Select Proxy system and add new system
  • Maintain properties, follow below URL for properties in IPS proxy system (Bundle Licensing) start from Step 4: SAC System Proxy Properties

Add System (SAC) in IAG

  1. Create a system for SAP Analytics Cloud. For System Type, select SAP Analytics Cloud.
  2. In the SCP Destination field, enter the name of the IPS destination created in  for the SAP IAG for Identity Provisioning.
  3. Add External System ID as the Last URL number you get when you add proxy system in IPS.

After completing the above steps will you be able to bring data from SAC system to IAG.

Note: Please share your feedback or thoughts in a comment below or ask questions in the Q&A tag area here about SAP Cloud Identity Access Governance  or

Reference : IAG Bridge Integration with Ariba Buying (and Invoicing)

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Akash Parekh
      Akash Parekh

      Hi Bhushan,

      Excellent Blog!

      I have a question.

      In the step 2 of Add System (SAC) in IAG you mentioned In the SCP Destination field, enter the name of the IPS destination created in the above step for the SAP Analytics Cloud instance. However, as per your blog we are creating proxy system in IPS and not a destination. Also, when we are trying to add a system in IAG we are not getting SCP destination field. However we get HCP destination filed auto populated as IPS_PROXY which is destination of IPS that we have created as destination in IPS Global Account.

      Is this as expected or it should take destination that we created in IPS Global Account for SAC.


      Akash Parekh

      Author's profile photo Trinetra Bhushan
      Trinetra Bhushan
      Blog Post Author

      Hi Parekh- I have updated the post to avoid confusion, On the auto populating destination this is a new enhancement from SAP as before we have to put the name manually. I will update this once SAP confirms the same.

      Author's profile photo Vivek Nagal
      Vivek Nagal

      Excellent Blog looking forward for more in IAG and do you also have guidance for SuccessFactor Integration

      Author's profile photo Trinetra Bhushan
      Trinetra Bhushan
      Blog Post Author

      Thnaks Vivek.. Yes I am working towards creating one for SF. Appreciate your like!!

      Author's profile photo Aniruddha Rayzada
      Aniruddha Rayzada

      Kudos mate,

      Very well put together. Looking for more such interesting scenarios

      Author's profile photo Nidhi Kumari
      Nidhi Kumari

      Hello Trinetra Bhushan ,

      Is risk analysis for SAC system possible in IAG system? Do we have any standard ruleset available for SAC also like Ariba system.

      Thanks in advance.

      Author's profile photo Trinetra Bhushan
      Trinetra Bhushan
      Blog Post Author

      As if now they have not released rule set for SAC,.SAC is reporting access platform I am not sure how Rule Set will be useful here we never have one for BOBJ so I guess in future as well there will be no new addition.