SAP Cloud Identity Access Governance Admin Guide

The SAP Cloud Identity Access Governance Admin Guide provides comprehensive information on administration, onboarding, user management, and integration scenarios for SAP Cloud Identity Access Governance. It includes quick-start guides, upgrade schedules, and detailed sections on maintaining cloud connectors and additional services. The document serves as a resource for administrators to effectively manage identity access governance within SAP environments.

Administration Guide | PUBLIC

2023-02-28

SAP Cloud Identity Access Governance Admin Guide
© 2024 SAP SE or an SAP affiliate company. All rights reserved.



Content

1 Getting Started. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.1 About This Document. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.2 Document History. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.3 Terminology and Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

2 Quick-Start Guides. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9

3 Upgrade Schedule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10

4 Monitor License Usage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

5 Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

6 Onboarding. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

7 Solution Architecture. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

8 Initial Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
8.1 Subscribing to SAP Cloud Identity Access Governance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Creating a Subaccount. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Assigning Entitlement to the Subaccount. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Subscribing to the Subaccount. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
8.2 Maintain Administrators. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
8.3 Connecting Identity Provisioning Tenant. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Identity Provisioning in Neo Environment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Identity Provisioning on SAP Cloud Identity Platform. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
8.4 Configuring Notification E-Mail Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

9 User Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27


9.1 Setting Up User Authentication and Access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Maintain Users and User Groups in Identity Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Pre-Delivered Role Collections on SAP BTP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Mapping Role Collections to Identity Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Syncing User Groups from Identity Authentication Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

10 Maintaining Cloud Connector for On-Premise Scenario. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50


10.1 Install Cloud Connector. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50
10.2 Maintain Cloud Connector. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50
10.3 Maintain Destinations for Cloud Connector. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

11 Additional Services for Access Request Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

SAP Cloud Identity Access Governance Admin Guide


2 PUBLIC Content
11.1 Setting Up Workflow Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Delivered Workflow Templates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52
Configuring Notification E-Mail Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Setting Up Business Rules for Workflow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60

12 Additional Services for Privileged Access Management Service. . . . . . . . . . . . . . . . . . . . . . . . 73

13 Integration Scenarios. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
13.1 Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
13.2 HR Driven Identity Lifecycle Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Process Overview - Integration with SAP SuccessFactors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .76
Process Overview - Integration with SAP Master Data Integration Service and Identity Provisioning. . . . . . . . . . 90
13.3 Identity Authentication (Deprecated). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Process Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
13.4 Identity Authentication v2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Process Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100
13.5 Lightweight Directory Access Protocol System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .109
Process Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
13.6 Microsoft Entra ID. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Process Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
13.7 SAP Analytics Cloud. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Process Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
13.8 SAP ABAP (on-premise). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .124
Process Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
13.9 SAP Ariba v1_Deprecated. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .128
Process Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
13.10 SAP Ariba v2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Process Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
13.11 SAP BTP ABAP environment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Process Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
13.12 SAP Business Technology Platform. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
SAP Business Technology Platform - Cloud Foundry. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
SAP Business Technology Platform - NEO. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .138
13.13 SAP Concur. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Process Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
13.14 SAP Fieldglass. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Process Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
13.15 SAP Integrated Business Planning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Process Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Configuration in SAP Integrated Business Planning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Create Destinations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

Add Integrated Business Application. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Sync User Data and Provision Access Requests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .159
User ID Mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
13.16 SAP Marketing Cloud. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Process Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Configuration in SAP Marketing Cloud. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Create Destinations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Add Marketing Cloud Application. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Sync User Data and Provision Access Requests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .166
User ID Mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
13.17 SAP Sales Cloud and SAP Service Cloud (Deprecated). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Process Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
13.18 SAP Sales Cloud and SAP Service Cloud v2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Process Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
13.19 SAP SuccessFactors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Prerequisites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Create Destinations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Add SuccessFactors Application. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Sync User Data and Provision Access Requests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
13.20 SAP SuccessFactors Employee Central Payroll. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Process Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
13.21 SAP S/4HANA Cloud for advanced financial closing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
13.22 SAP S/4HANA Cloud for SAP Intelligent Asset Enterprise. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
13.23 SAP S/4HANA Cloud. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Configuration on SAP S/4HANA Cloud Tenant. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Configuration Steps on the SAP BTP Tenant. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Create Destination for Identity Provisioning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .187
Add SAP S/4HANA Cloud Application. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Sync User Data and Provision Access Request. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Filter-Based on User attributes from SAP S/4HANA Cloud Application. . . . . . . . . . . . . . . . . . . 195
13.24 SAP S/4HANA (on-premise). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .196
Process Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
13.25 SCIM Application. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Process Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198

14 Business Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204


14.1 Set Up Master Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .204
Common Master Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Setting Up Master Data for Access Request Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Setting Up Master Data for the Role Design Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .208
Setting Up Master Data for Access Analysis Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
14.2 Configuration App. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210

Language Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Application Parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Application Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Business Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .214
Approver(s) Mapping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214

15 Security and Data Protection and Privacy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216

16 Further Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .217

17 Support Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218

18 Product Experience (PX) Survey. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219

1 Getting Started

The SAP Cloud Identity Access Governance solution is built on the SAP Business Technology Platform (SAP
BTP). It uses SAP NetWeaver APIs to fetch data from on-premise and cloud solutions, and enables you to use
the following services to create access requests, analyze risks, and design roles.

• SAP Cloud Identity Access Governance, access analysis service
• SAP Cloud Identity Access Governance, access request service
• SAP Cloud Identity Access Governance, role design service
• SAP Cloud Identity Access Governance, access certification service
• SAP Cloud Identity Access Governance, privileged access management service

1.1 About This Document

This administration guide describes the steps you need to perform as an administrator to set up and run
the SAP Cloud Identity Access Governance solution. It covers solution-specific information only. For general
information about SAP Business Technology Platform (SAP BTP), see the documentation on SAP Help Portal
at https://help.sap.com/CP.

This guide addresses the following target audience:

• System administrators
• Key users

For convenience, this guide, and the information therein, is applicable to all the SAP Cloud Identity Access
Governance services. Any mention of SAP Cloud Identity Access Governance in the documentation means
the information is relevant for all the SAP Cloud Identity Access Governance services. Information that is
applicable for only a specific service will be called out accordingly.

1.2 Document History

Provides details about the changes made in each version of this document.

Date Comment

2021-03-01
• Added Connector Type - SCIM System and Extended integration support for HTTP
• Added Access Request API
• Updated Additional Services for Access Request Service
• Updated Maintaining Business Roles in Role Design
• Updated Product Overview, Create Campaigns, Access Certification Process, and Selecting Data for a Campaign in Access Certification

2020-11-19
• Added new features in Privileged Access Management, Access Request, and Access Analysis
• Updated Privileged Access Management Launchpad for ABAP

2020-08-28
• Added new features in Privileged Access Management, Access Request, and Access Analysis

2020-07-24
• Added a new service called Privileged Access Management
• Added a new app for Access Certification
• Updated Integration Scenarios and Security Guide

2020-02-25
• Added applications for integration scenarios and Access Request
• Added features for Role Design Inbox
• Updated read/write transformations for SAP S/4HANA Cloud and SAP Identity Authentication
• Updated the status checks of Access Requests

2019-11-19
• Integration scenarios and applications for Access Analysis updated
• Added Redesigned Job History Report in Access Analysis
• Added Unassociated Access Report in Role Design

2019-08-16
• Added integration scenarios for SAP Analytics Cloud and SAP Cloud Foundry

2019-05-20
• Added information on SAP Marketing Cloud
• Updated information on SAP Integrated Business Planning

2019-02-28
• Added Quick Start Guides section
• Replaced SCI with IAS due to product name change
• Updated information for SAP Fieldglass integration
• Updated information for SAP Cloud Workflow Service roles

2018-11-09
• Added integration procedure for SAP Fieldglass
• Updated integration procedure for SAP Ariba
• Updated User Management [page 27] section to clarify procedure
• Updated Setting Up User Group Sync [page 47] section to clarify procedure

2018-08-30
• Added new SCI Group: IAG_WF_MANAGER
• Updated diagrams for integration scenarios
• Added integration scenario for SAP S/4HANA Cloud

2018-05-11
• Added Integration Scenarios section.
• Reorganized information structure:
  • Moved user and authentication information from the configuration guides to the Administrator Guide under the User Management section.
  • Moved master data information under the Business Configuration section.

1.3 Terminology and Conventions

Here you can find terms and concepts applicable for the SAP Cloud Identity Access Governance services. Over
time product names may change; you may see different versions of a product name within the same guide.
This topic also lists the conventions and abbreviations used.

• HCP: Abbreviation for HANA Cloud Platform. This usage is obsolete and is replaced by SCP. See SCP.
• IAG: Abbreviation for SAP Cloud Identity Access Governance. Due to the length of the full name of the
solution, for readability within this guide, we use the abbreviation "IAG".
• Identity Authentication: Shortened version of SAP Cloud Platform Identity Authentication. See also SCI.
• IAS: Updated abbreviation for SAP Cloud Platform Identity Authentication service. This is a convention
used within this guide. Due to the length of the full name of the solution, for readability, we use the
abbreviation "IAS".
• SCI: Old abbreviation for SAP Cloud Platform Identity Authentication service. (See IAS).
• SCP: Abbreviation for SAP Cloud Platform. Due to the length of the full name of the product, for readability
within this guide, we use the convention "SCP".

2 Quick-Start Guides

Scenario-based integration and configuration guides.

The following guides are provided for your convenience. Each guide provides an overview and also detailed
steps for enabling SAP Cloud Identity Access Governance services and integrating with specific target
applications.

Note

These guides are to be used in conjunction with the admin guide; they do not replace the complete set of
information in the admin guide.

Scenario: SAP Access Control 12.0 (on-premise) to SAP Cloud Identity Access Governance and Cloud Target Applications
Description: Using SAP Cloud Identity Access Governance as a bridge to enable creation of access requests from SAP Access Control 12.0 (on-premise) to cloud target applications.
Guide: IAG Bridge Cloud: SAP Access Control 12.0, SAP Identity Access Governance and Cloud Applications

Scenario: SAP Access Analysis Service to Target Applications
Description: Configuring SAP Cloud Identity Access Governance, access analysis service to analyze user access for on-premise and cloud target applications.
Guide: SAP Cloud Identity Access Governance, Access Analysis_Integration.pdf

3 Upgrade Schedule

Note

Refer to Cloud Availability Center and Cloud System Notification Subscriptions for the following:

• Relevant information on availability and maintenance of your cloud product.
• To configure, customize, and subscribe to various SAP Cloud Service notifications.

Maintenance windows for Cloud services, SAP Business Technology Platform (SAP BTP), and SAP Cloud
Identity Access Governance are listed below:

Maintenance Window for Cloud Services

The following cloud services share one maintenance window; its duration is Zero Downtime:

• SAP Asset Manager
• SAP Browse Manager and Conversion Manager
• SAP Business Technology Platform
• SAP Credential Store
• SAP Connected Parking
• SAP Customer Identity, B2B add-on, SAP Customer Consent, SAP Customer Profile
• SAP Event Mesh
• SAP Exchange Media
• SAP Fiori Cloud
• SAP Global Track and Trace
• SAP Merchandising
• SAP TwoGo
• SAP Vehicles Network
• SAP Work Manager, cloud edition

Weekly Maintenance Windows for Cloud Services - Standard Windows

Start time in UTC per region:

Region     Weekday   Time   Timezone
MENA       FRI       7pm    UTC
APJ        SAT       3pm    UTC
Europe     SAT       10pm   UTC
Americas   SUN       4am    UTC

The maintenance windows mentioned above define the maximum scheduled downtime, which certain cloud
services only consume partially.

SAP Cloud Service – Maintenance Window for SAP Cloud Identity Access Governance

Regular Maintenance
• Start time in UTC per region: Americas SUN 4am
• Up to once every month
• Duration: 4 hours

Major Upgrades
• Time frame in UTC per region: Americas SAT 1pm – 7pm
• Up to four times a year
• Duration: 4 hours

4 Monitor License Usage

Your subscription to SAP Cloud Identity Access Governance software is based on the metric resources of users
and connections.

The SAP Cloud Identity Access Governance software is available as a full version and an integration edition.

For the full version, the Usage Metric is Monitored Users. The Usage is calculated on the basis of the number
of unique Users that customers synchronize from their on-premise and/or cloud systems. These systems are
monitored by the software.

For the integration edition, the Usage Metric is Unique Type of Connection. Based on how many application
types the customer connects to the software, the number of connections is calculated.

For more information, refer to SAP Cloud (SaaS) Application Usage.

5 Overview

About This Guide

This administration guide describes the steps you need to perform as an administrator to set up and run
the SAP Cloud Identity Access Governance solution. It covers solution-specific information only. For general
information on the platform the solution runs, see SAP Business Technology Platform.

This guide addresses the following target audience:

• System administrators
• Key users

About SAP Cloud Identity Access Governance

The SAP Cloud Identity Access Governance solution is built on the SAP Business Technology Platform (SAP
BTP). It uses SAP NetWeaver APIs to fetch data from on-premise and cloud solutions, and enables you to use
the following services to create access requests, analyze risks, and design roles.

• SAP Cloud Identity Access Governance, access analysis service
• SAP Cloud Identity Access Governance, access request service
• SAP Cloud Identity Access Governance, role design service
• SAP Cloud Identity Access Governance, access certification service
• SAP Cloud Identity Access Governance, privileged access management service

For convenience, this guide, and the information therein, is applicable to all the SAP Cloud Identity Access
Governance services. Any mention of SAP Cloud Identity Access Governance in the documentation means
the information is relevant for all the SAP Cloud Identity Access Governance services. Information that is
applicable for only a specific service will be called out accordingly.

6 Onboarding

This guide assumes that the onboarding process has already been completed, meaning that the
administrator already has access to the Global Account and holds administrator authorization. For further
details, refer to the notification email that you received after you set up your Global Account.

For more information about the onboarding process, see SAP Business Technology Platform.

7 Solution Architecture

The diagram below illustrates the architectural components of the SAP Cloud Identity Access Governance solution.

SAP Cloud Identity Access Governance is a service on the SAP Business Technology Platform (SAP BTP); it
integrates with other SAP BTP services, and connects with cloud and on-premise target applications.

Note

In the diagram, SAP Cloud Identity Access Governance is referred to as IAG for convenience.

Components

Component: Target Applications (on-premise, cloud)
Description: This is the target system containing user data.

Component: IAG API
Description: The API for SAP Cloud Identity Access Governance services extracts data from the target application. The API is part of SAP NetWeaver; make sure your system has the required NetWeaver Basis Support Packs. The API is available for on-premise and the SAP HANA Cloud.

Component: SAP BTP connector
Description: The cloud connector sits behind the firewall and establishes connectivity between SAP BTP and the target system.

Component: IAG Services
Description: SAP Cloud Identity Access Governance services include: Access Analysis service; Access Request service; Role Design service; Access Certification; Privileged Access Management.

Component: Technical Components for IAG services
Description: SAP Cloud Identity Access Governance services components include: Repository, Scheduler, Reporting and Analytics, Approval Workflow, and Users and Roles.

Component: Identity Authentication service
Description: Identity Authentication service is used to authenticate users before allowing access to the SAP Cloud Identity Access Governance solution and services.

Component: SAP Workflow Management service
Description: SAP Workflow Management is used for automation of access requests through the various stages of creation and approval.

Component: SAP Business Rules Service
Description: Business Rules Service enables embedding business decisions into the workflow.

Component: Identity Provisioning service
Description: Identity Provisioning service allows provisioning of centrally managed identities and their access across the enterprise (on-premise and cloud).

8 Initial Setup

SAP Cloud Identity Access Governance 2.0 is available on the Amazon Web Service (AWS) platform, Microsoft
Azure, and Google Cloud Platform.

For details on data centers, see Create Subaccount.

Note

If you have already implemented or are currently implementing this solution with the SAP Cloud Identity
Access Governance 1.0 release in the SAP Business Technology Platform (SAP BTP), Neo environment,
message the support team by creating a support incident. Select the component GRC-IAG-OPS and add
Migration to the subject line so that SAP can contact you and guide you through the next steps.

Prerequisites

You have access to the following:

• An instance of the cloud connector if you wish to use on-premise applications or the Bridge scenario to
connect SAP Access Control to SAP Cloud Identity Access Governance.
• An instance of the Identity Authentication service. If you do not have an instance of the required type
(test or prod), create an incident for GRC-IAG-OPS and request your Identity Authentication bundle tenant.
Specify whether you need it for test or for prod.
• An instance of the Identity Provisioning service. If you do not have an instance of the required type (test
or prod), create an incident for GRC-IAG-OPS with the information requested in Connecting Identity
Provisioning Tenant [page 20].

8.1 Subscribing to SAP Cloud Identity Access Governance

Once you obtain your license for SAP Cloud Identity Access Governance, the corresponding entitlement is assigned to your Global Account. You consume this entitlement by assigning it to a suitable subaccount and subscribing to the service there.

The following three steps guide you through the subscription process:

• Creating a subaccount for the subscription
• Assigning the entitlement to the subaccount
• Subscribing in the subaccount

8.1.1 Creating a Subaccount

 Note

Currently, SAP Cloud Identity Access Governance is available only on

• Amazon Web Services (AWS) in the regions US East (VA) - cf-us10, Australia (Sydney) - cf-ap10, and Europe (Frankfurt) - cf-eu10
• Microsoft Azure in US West (WA) - cf-us20
• Google Cloud Platform in US Central (IA) - cf-us30

If you are migrating from SAP Cloud Identity Access Governance 1.0, the region in which you create the subaccount depends on the current region of your Neo subaccount.

Follow the steps below to create your subaccount:

1. Log on to your Global Account and enter a Display Name and Description.
You can change these two attributes later if you wish.
2. Enter the relevant Provider and Region.
Refer to the note above to establish which providers and regions are available. For instance, if you are located in Europe, enter Amazon Web Services (AWS) in the Provider field and Europe (Frankfurt) in the Region field.
3. Enter a unique Subdomain.
The subdomain forms the first part of the URL visible in the browser, so it must be unique within the landscape (region) where the subaccount is hosted, and it should identify your tenant.
We suggest that you build it from your corporate internet domain and the SAP Cloud Identity Access Governance plan you subscribe to. Depending on whether the plan is test (Test), standard (Production), or tandd (Cloud T&D), the subdomain should consist of a unique entity, followed by -iag- and then test, prod, or tandd.
Example: Your corporate domain is example.com and you wish to subscribe to the test plan. Choose com-example-test as the subdomain. If you plan to subscribe to other services from other subaccounts in the same Global Account, you may also want to include the product in the subdomain name: com-example-iag-test.
Select Used for production only if you subscribe to the standard plan. This flag is used by platform support and does not affect the behaviour of SAP Cloud Identity Access Governance.

 Note

When you purchase a variant of SAP Cloud Identity Access Governance, you are offered both the test and standard plans. Create two subaccounts in your Global Account and subscribe to one plan in each subaccount only. Refer to the example above to choose a unique naming convention for the subdomains of your two subaccounts.

8.1.2 Assigning Entitlement to the Subaccount

Assign the entitlement in your global account as follows.

Procedure

1. Log on to the SAP BTP cockpit and open your global account.
2. Go to Entitlements and choose Entity Assignments.
3. In the Select Entities field, select the relevant subaccount.
4. Choose Configure Entitlements.
5. Choose the Add Service Plan button next to the Search field, select SAP Cloud Identity Access Governance from the list of entitlements, choose Add 1 Service Plan, and Save.
The entitlement is now assigned to the subaccount, and SAP Cloud Identity Access Governance is available in its Service Marketplace. The subscription itself is created in the next step.

8.1.3 Subscribing to the Subaccount

After creating your subaccount and assigning the entitlement, subscribe to SAP Cloud Identity Access Governance.

To subscribe to the SAP Cloud Identity Access Governance solution, do the following:

1. Navigate to Subaccounts and choose the subaccount that you created, for example, IAG Prod.
2. Go to Service Marketplace and, under Integration Suite, choose SAP Cloud Identity Access Governance.
3. In the tile for SAP Cloud Identity Access Governance, choose the relevant application plan, for example, standard.
4. Open the three-dot menu on the right side of the column and choose Create to subscribe to this application.
5. In the New Instance or Subscription dialog, select SAP Cloud Identity Access Governance as the service and the plan, for instance, standard, and choose Create.
6. To follow the status of your subscription, choose View Subscription in the Creation in Progress window; the subscription is listed under Instances and Subscriptions.
7. The Status column shows Processing. Once processing is complete, the tenant database is created and the role collections for SAP Cloud Identity Access Governance are assigned to your subaccount.
8. Once the status changes to Subscribed, choose Go to Application to open the SAP Cloud Identity Access Governance launchpad.

 Note

When you open the launchpad, it is empty because you have not yet been assigned any role collections that would authorize you to access any applications.
You can, however, view the role collections for SAP Cloud Identity Access Governance in your subaccount. These role collections are assigned to P-users originating in your Identity Authentication tenant. Only for very limited use cases can they be assigned to S-users originating in SAP ID Service; in general, the launchpad is used only via P-users.

Since your end users are not authorized to retrieve the URL from the subscription screen, copy the URL and save it so that you can communicate it to them.

8.2 Maintain Administrators

After subscribing to the SAP Cloud Identity Access Governance application, you must maintain security administrators.

Add security administrators to your subaccount by entering their e-mail addresses rather than their user IDs.

Security administrators can add other security administrators and manage authentication and authorization in this subaccount, such as configuring trust to identity providers and assigning role collections to business users. Because this includes changing which identity provider the subaccount trusts, keep the list of security administrators short and review it regularly.

8.3 Connecting Identity Provisioning Tenant

The SAP Cloud Identity Access Governance solution integrates with other SAP services, such as SAP Cloud Identity Services - Identity Provisioning. These services require users to have specific roles to use them. The Identity Provisioning service is available as part of the bundled SAP Cloud Identity Access Governance solution. For a successful integration, always use the Identity Provisioning tenant that is included in the bundle.

To obtain your Identity Provisioning tenant, or to have your existing bundle tenant upgraded for use with SAP Cloud Identity Access Governance, create an incident for component GRC-IAG-OPS.

In the incident, provide the following information:

• That you request an Identity Provisioning tenant from the SAP Cloud Identity Access Governance bundle
• The ID of the account in which you have subscribed to SAP Cloud Identity Access Governance
• Whether the subscription is for test or production: specify the plan test, standard, or tandd
• The URL of the Identity Authentication tenant for which you have established trust from your subscriber account for SAP Cloud Identity Access Governance
• The S-user (ID and e-mail address) who should be administrator in the Identity Provisioning tenant

File separate incidents for the test and production landscapes.

 Note

Do not use a standalone Identity Provisioning tenant or the Identity Provisioning service of SAP Cloud Identity Access Governance (1.0) tenants (SAP BTP, Neo environment). Technically, it is still possible to use Identity Provisioning from SAP Cloud Identity Access Governance (1.0), but not once the grace period expires.

8.3.1 Identity Provisioning in Neo Environment

Prerequisites

You have the URL of your Identity Provisioning tenant to log on to the Identity Provisioning launchpad. To connect SAP Cloud Identity Access Governance to the Identity Provisioning service, you need the URL of the ipsproxy API and an OAuth client.

The URL of the SAP BTP cockpit for the Identity Provisioning (IPS) tenant can be derived from the URL of the Identity Provisioning UI as follows:

https://ips-UNIQUEID.dispatcher.LANDSCAPE.hana.ondemand.com/ ->

https://account.LANDSCAPE.hana.ondemand.com/cockpit#/acc/UNIQUEID

(The LANDSCAPE part may be missing from the Identity Provisioning URL. If it is missing, leave it out of the BTP cockpit URL as well.)

The image below illustrates all the steps.

Procedure

To connect SAP Cloud Identity Access Governance to the Identity Provisioning service, do the following:

1. Obtaining Authorization for Creating an OAuth Client in Identity Provisioning
   1. Go to the Identity Provisioning launchpad and log on with your S-user.
   2. Verify that your user is an administrator by choosing any tile in the Identity Provisioning launchpad.
   3. Verify that the Proxy Systems tile is available in the Identity Provisioning launchpad.
   4. To access your Identity Provisioning tenant in the SAP Business Technology Platform (SAP BTP) cockpit, refer to Manage Authorizations.
2. Creating an OAuth Client
   The OAuth client acts as a technical user in Identity Provisioning that SAP Cloud Identity Access Governance uses to connect. Derive the BTP cockpit URL of the tenant from the Identity Provisioning UI URL as described under Prerequisites above, then do the following:
   1. Select the subaccount.
   2. In the navigation menu on the left, choose OAuth.
   3. Note down the Token Endpoint URL listed on the first tab, Branding, of the OAuth Settings.
   4. To create the OAuth client, refer to Hybrid Scenario - SAP Identity Management.
   5. Note down the Client ID and the Secret. The secret is a credential for a technical user with provisioning rights; store it in a password vault, not in the incident or in e-mail.
   6. Go to Subscriptions, choose ipsproxy from the dropdown list, and copy the Application URL listed below the table or at the bottom of the page.
   7. Depending on your Identity Provisioning tenant, refer to Step 3 under Procedure in Identity Authentication.
3. Configuring a Connection from SAP Cloud Identity Access Governance to Identity Provisioning
   Use the OAuth client to create an IPS_PROXY destination. See Create Destinations.
   • For URL, use the Application URL from step 6 of Creating an OAuth Client. Remove ipsproxy from the end and make sure the trailing slash (/) remains. The URL should look like this: ...hana.ondemand.com/.
   • As the credentials for BasicAuthentication, use the Client ID and Secret from step 5 of Creating an OAuth Client.
   • For OAuth2TokenServiceURL, take the Token Endpoint that you noted when creating the OAuth client and append ?grant_type=client_credentials. See the table below.

Name=IPS_PROXY

Type=HTTP

Description=IPS Destination

URL=https://ipsproxyXXXXXXXXX-<<YOUR_IPS_TENANT>>.<<DOMAIN>>.hana.ondemand.com/

Proxy Type=Internet

Authentication=BasicAuthentication

User=<<CLIENT_ID>>

Password=<<SECRET>>

Accept=application/scim+json

OAuth2TokenServiceURL=https://oauthasservices-<<YOUR_IPS_TENANT>>.<<DOMAIN>>.hana.ondemand.com/oauth2/api/v1/token?grant_type=client_credentials

GROUPSURL=/Groups

serviceURL=/ipsproxy/api/v1/scim/

USERSURL=/Users

8.3.2 Identity Provisioning on SAP Cloud Identity Platform

Prerequisites

An SAP Cloud Identity Services bundle tenant was created or updated on the SAP Cloud Identity (SCI) platform for use with SAP Cloud Identity Access Governance.

The URL for Identity Provisioning is as follows:

https://UNIQUEID.accounts.ondemand.com/admin

This Identity Provisioning tenant is provisioned from SCI.

Connecting Identity Provisioning on SCI

1. In the Identity Authentication administration console, go to Users & Authorizations > Administrators and enable the Manage Identity Provisioning authorization for your user.
2. Open your Identity Provisioning tenant and navigate to Security > Authorizations > Manage User Authorizations > Users & Authorizations > Administrators.
3. Under Users & Authorizations > Administrators, use Add > System to add a system for Identity Provisioning, and under Configure Authorizations enable Access Proxy System API. Note down the Client ID and Secret: once the secret is generated, you cannot retrieve or change it, so store it in a password vault.
4. Navigate to the subscriber subaccount for SAP Cloud Identity Access Governance in SAP BTP and create a destination with the name IPS_PROXY as shown below.
5. For the integration using the IPS proxy on Converged Cloud, the destination can use the authentication type BasicAuthentication or ClientCertificateAuthentication.
For BasicAuthentication, enter the properties listed below for the destination. All properties must be entered; some must be added as Additional Properties. Copy the names of all properties exactly as displayed: property names and values are case-sensitive.

Name=IPS_PROXY

Type=HTTP

Description=IPS Destination

URL=https://<<YOUR_IPS_URL_BUT_WITHOUT_THE__ips>> (for example, tenantname.hana.ondemand.com)

Proxy Type=Internet

Authentication=BasicAuthentication

User=<<CLIENT_ID_FROM_STEP_3_ABOVE>>

Password=<<SECRET_FROM_STEP_3_ABOVE>>

Accept=application/scim+json

GROUPSURL=/Groups

serviceURL=/ipsproxy/service/api/v1/scim/

USERSURL=/Users

For ClientCertificateAuthentication, enter the properties listed below for the destination. All properties must be entered; some must be added as Additional Properties. Copy the names of all properties exactly as displayed: property names and values are case-sensitive.

Name=IPS_PROXY

Type=HTTP

Description=IPS Destination

URL=https://<<YOUR_IPS_URL_BUT_WITHOUT_THE__ips>> (for example, tenantname.hana.ondemand.com)

Proxy Type=Internet

Authentication=ClientCertificateAuthentication

Key Store Location=<<your certificate file, for example xxxx.p12>>

Key Store Password=<<the password for your certificate>>

Accept=application/scim+json

GROUPSURL=/Groups

serviceURL=/ipsproxy/service/api/v1/scim/

USERSURL=/Users

You can bring your own certificate, generate one in SAP Cloud Identity Services, or generate one in the SAP BTP destination UI (retrieve the generated certificate with the REST API of the SAP Destination service). In SAP Cloud Identity Services, upload the public key of the certificate to the administrator (system) user; you can also use the upload button for this.

6. Select the Use default JDK truststore checkbox.
7. Save your entries.
You can test the destination in the BTP cockpit. However, because the URL does not point to a valid Identity Provisioning API, the check shows a green status together with HTTP 302 or similar, and for the same reason it does not validate the user and password. Verify the destination as described in step 8.
8. Set up a connection to a target system of your choice and provision some access to a test user in that system to check that the connection works with the above settings.
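The IPS_PROXY destination in both variants (Neo in 8.3.1 and SAP Cloud Identity in 8.3.2) is assembled from the same handful of properties, and the two mistakes the guide warns about (leaving ipsproxy at the end of the URL so that serviceURL doubles it up, and property names with the wrong case) are easy to catch before you save. The following Python is an added example, not code from the guide or from SAP: it builds both destination variants, shows the SCIM endpoint that results from URL + serviceURL + USERSURL, and validates the property set. Host names, client IDs and secrets in it are constructed placeholders; ProxyType is the destination-service spelling of the cockpit field Proxy Type, and KeyStoreLocation/KeyStorePassword are assumed to be the property names behind Key Store Location / Key Store Password.

```python
from __future__ import annotations

from urllib.parse import parse_qs, urlsplit

# Property names of the IPS_PROXY destination. SAP BTP treats property names as
# case-sensitive, so a property saved as "ServiceURL" is not "serviceURL".
EXPECTED_KEYS = ("Name", "Type", "Description", "URL", "ProxyType",
                 "Authentication", "Accept", "GROUPSURL", "serviceURL", "USERSURL")


def _base_url(url: str) -> str:
    """Normalise the destination URL: drop a trailing 'ipsproxy' segment (the guide's
    instruction for the Neo Application URL) and leave exactly one trailing slash."""
    base = url.strip().rstrip("/")
    if base.endswith("/ipsproxy"):
        base = base[: -len("ipsproxy")]
    return base.rstrip("/") + "/"


def neo_ips_destination(app_url: str, client_id: str, secret: str,
                        token_endpoint: str) -> dict[str, str]:
    """IPS_PROXY destination for an Identity Provisioning tenant in the Neo environment.
    app_url is the ipsproxy Application URL from the cockpit Subscriptions page,
    token_endpoint the OAuth Token Endpoint noted when the OAuth client was created."""
    return {
        "Name": "IPS_PROXY", "Type": "HTTP", "Description": "IPS Destination",
        "URL": _base_url(app_url), "ProxyType": "Internet",
        "Authentication": "BasicAuthentication", "User": client_id, "Password": secret,
        "Accept": "application/scim+json",
        "OAuth2TokenServiceURL": token_endpoint + "?grant_type=client_credentials",
        "GROUPSURL": "/Groups", "serviceURL": "/ipsproxy/api/v1/scim/", "USERSURL": "/Users",
    }


def sci_ips_destination(ips_host: str, client_id: str, secret: str) -> dict[str, str]:
    """IPS_PROXY destination (BasicAuthentication) for Identity Provisioning hosted on
    SAP Cloud Identity; ips_host is the tenant host name without the 'ips' prefix."""
    return {
        "Name": "IPS_PROXY", "Type": "HTTP", "Description": "IPS Destination",
        "URL": _base_url("https://" + ips_host), "ProxyType": "Internet",
        "Authentication": "BasicAuthentication", "User": client_id, "Password": secret,
        "Accept": "application/scim+json",
        "GROUPSURL": "/Groups", "serviceURL": "/ipsproxy/service/api/v1/scim/", "USERSURL": "/Users",
    }


def scim_endpoint(dest: dict[str, str], which: str = "USERSURL") -> str:
    """The full URL that results from URL + serviceURL + USERSURL (or GROUPSURL)."""
    return dest["URL"].rstrip("/") + dest["serviceURL"].rstrip("/") + dest[which]


def validate_destination(dest: dict[str, str]) -> list[str]:
    """Return the list of problems found; an empty list means the destination is consistent."""
    problems: list[str] = []
    for key in EXPECTED_KEYS:
        if key not in dest:
            near = next((k for k in dest if k.lower() == key.lower()), None)
            problems.append(f"missing property {key}"
                            + (f" (found {near!r}; property names are case-sensitive)" if near else ""))
    url = dest.get("URL", "")
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("URL must use https")
    if not url.endswith("/"):
        problems.append("URL must end with a slash")
    if "ipsproxy" in parts.path:
        problems.append("URL must not contain 'ipsproxy'; serviceURL adds it, so the path would double up")
    auth = dest.get("Authentication")
    if auth == "BasicAuthentication" and not (dest.get("User") and dest.get("Password")):
        problems.append("BasicAuthentication needs User (client ID) and Password (secret)")
    elif auth == "ClientCertificateAuthentication" and not dest.get("KeyStoreLocation"):
        # KeyStoreLocation/KeyStorePassword: assumed property names of the cockpit fields.
        problems.append("ClientCertificateAuthentication needs a key store (.p12) and its password")
    if dest.get("Accept") != "application/scim+json":
        problems.append("Accept must be application/scim+json")
    if "OAuth2TokenServiceURL" in dest:
        query = parse_qs(urlsplit(dest["OAuth2TokenServiceURL"]).query)
        if query.get("grant_type") != ["client_credentials"]:
            problems.append("OAuth2TokenServiceURL must end with ?grant_type=client_credentials")
    service = dest.get("serviceURL", "")
    if not (service.startswith("/ipsproxy/") and service.endswith("/scim/")):
        problems.append("serviceURL must be the /ipsproxy/.../scim/ path of the proxy API")
    return problems


if __name__ == "__main__":
    # Constructed placeholder values, not a real tenant.
    dest = neo_ips_destination(
        "https://ipsproxy123456789-mytenant.eu1.hana.ondemand.com/ipsproxy", "<<CLIENT_ID>>",
        "<<SECRET>>", "https://oauthasservices-mytenant.eu1.hana.ondemand.com/oauth2/api/v1/token")
    print(scim_endpoint(dest), validate_destination(dest) or "OK")
```

Run it on the values you noted from the cockpit before creating the destination; an empty list from validate_destination means the property set matches the tables above. It does not call the tenant, so step 8 (provisioning access to a test user) remains the actual end-to-end check.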

8.4 Configuring Notification E-Mail Server

 Note

SAP Cloud Identity Access Governance supports only SMTP servers in the cloud. If your SMTP server is not a standard cloud product, such as Outlook 365 on Azure, it is recommended that you apply the Cloud Platform Integration (CPI) approach. Refer to SAP Note 3304849.

The Cloud Connector scenario:

1. Configure the Cloud Connector
Create a Cloud Connector mapping to the SMTP server with the following parameters:
• Protocol: TCP
• Back-End Type: Non-SAP System
• Resources: None
2. Get the certificate of the e-mail host and put it in the destination parameter:
• Run the following command to retrieve the SMTP server certificate:
openssl s_client -connect <mail host:25> -starttls smtp
• Convert the certificate to Base64.
3. Change the destination
• Use the following template to create the destination bpmworkflowruntime_mail.
• Set the placeholder values (<< >>) after the destination is created.
Because mail.smtp.ssl.checkserveridentity=true checks the server certificate against mail.smtp.host, the Cloud Connector virtual host name must match the name in the certificate (typically, use the real mail host name as the virtual host).

Values for Creating Destination

Name=bpmworkflowruntime_mail

mail.mode=CloudConnector

Type=MAIL

ProxyType=Internet

mail.transport.protocol=smtp

mail.bpm.send.disabled=false

mail.smtp.ssl.checkserveridentity=true

mail.smtp.from=<<from e-mail address>>

mail.server_cert=<<Base64 certificate from openssl s_client -connect <mail host:25> -starttls smtp>>

mail.smtp.starttls.enable=true

mail.smtp.starttls.required=true

mail.user=<<e-mail host user>>

mail.password=<<e-mail host user password>>

mail.description=Workflow Service Mail Destination

mail.smtp.host=<<Cloud Connector Virtual Host>>

mail.smtp.port=<<Cloud Connector Virtual Port>>

mail.smtp.auth=true

Authentication=BasicAuthentication
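Step 2 above, retrieving the server certificate with openssl s_client and turning it into the Base64 value for mail.server_cert, is the part of this procedure most often done by hand. The following Python is an added example, not code from the guide or from SAP: it parses the output of the openssl command from the guide, produces the Base64 value (the PEM body without armour and line breaks, which is the form this example assumes mail.server_cert expects), and computes the SHA-256 fingerprint so you can confirm with the mail team that you pinned the right certificate. It also shows an equivalent fetch through Python's smtplib. The openssl output embedded in it is constructed, not a real certificate, and mail.example.invalid is a placeholder host.

```python
from __future__ import annotations

import base64
import hashlib
import ssl
import subprocess

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def first_pem_block(s_client_output: str) -> str:
    """Return the first PEM certificate block in `openssl s_client` output, which is the
    certificate the mail server itself presented (chain position 0)."""
    start = s_client_output.find(PEM_BEGIN)
    end = s_client_output.find(PEM_END, start)
    if start < 0 or end < 0:
        raise ValueError("no certificate in openssl output; did STARTTLS succeed?")
    return s_client_output[start:end + len(PEM_END)]


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and decode the Base64 body to DER bytes."""
    body = "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body, validate=True)


def server_cert_property(pem: str) -> str:
    """Value for mail.server_cert: the certificate as one Base64 line without PEM armour
    (assumed here to be the form the destination expects)."""
    return base64.b64encode(pem_to_der(pem)).decode("ascii")


def sha256_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint of the certificate, to compare out of band with what the mail
    team reports before pinning it in the destination."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()


def fetch_with_openssl(host: str, port: int = 25) -> str:
    """Run the command from the guide; requires network access to the mail host."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-starttls", "smtp", "-showcerts"],
        input="", capture_output=True, text=True, timeout=30, check=False)
    return first_pem_block(proc.stdout)


def fetch_with_smtplib(host: str, port: int = 25) -> str:
    """Same result without openssl: do the STARTTLS handshake in Python and read the peer
    certificate. Verification is disabled on purpose because we are bootstrapping trust;
    the fingerprint check replaces it."""
    import smtplib
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.starttls(context=ctx)
        der = smtp.sock.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der)


# Constructed sample: not a real certificate, just bytes wrapped the way `openssl s_client`
# prints a certificate, so the parsing can be exercised offline.
SAMPLE_DER = b"constructed sample, not a real X.509 certificate"
SAMPLE_OUTPUT = (
    "CONNECTED(00000003)\n"
    "Certificate chain\n"
    " 0 s:CN = mail.example.invalid\n"
    "   i:CN = Example Issuing CA\n"
    + ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
    + "---\nServer certificate\nsubject=CN = mail.example.invalid\n"
)

if __name__ == "__main__":
    pem = first_pem_block(SAMPLE_OUTPUT)
    print("mail.server_cert=" + server_cert_property(pem))
    print("sha256 fingerprint:", sha256_fingerprint(pem))
```

Both fetch functions connect to the mail host without verifying it (there is nothing to verify against yet), so the out-of-band fingerprint comparison is what stops you from pinning a certificate presented by an interposed host. Run the fetch from a machine that can reach the SMTP host directly; the host to connect to is the real mail host, not the Cloud Connector virtual host.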


9 User Management

The SAP Cloud Identity Access Governance solution and its services use the Identity Authentication service for user authentication and to manage access to the solution's apps. Security and permissions are maintained in groups and role collections. You control the tasks a user can perform, and the apps they can access, through the appropriate assignment of groups and role collections to the user.

The assignment of groups and role collections to users controls three security aspects:

• Permission to access and use specific apps: You can ensure that users can access only those apps relevant to their job function, for example, that only administrators can access admin apps.
• Permission to perform administrative tasks: Within the framework of access governance, tasks have different levels of risk and sensitivity. You can ensure that users can only perform administrative tasks in line with their job function. For example, only users assigned to the Control Owners group can approve new or updated mitigation controls.
• Permission to use specific services: The SAP Cloud Identity Access Governance solution integrates with other SAP services, such as the Business Rules service, and these services require users to have specific roles to use them.

9.1 Setting Up User Authentication and Access

Configuring authentication and access requires configuration tasks on SAP Business Technology Platform (SAP BTP) for the SAP Cloud Identity Access Governance tenant and in the Identity Authentication service:

• Maintain users and user groups in Identity Authentication.
• Assign the pre-delivered role collections of the SAP Cloud Identity Access Governance tenant.

1. Maintain Users and User Groups in Identity Authentication [page 27]
2. Pre-Delivered Role Collections on SAP BTP [page 31]
3. Mapping Role Collections to Identity Authentication [page 42]
4. Syncing User Groups from Identity Authentication Service [page 47]

9.1.1 Maintain Users and User Groups in Identity Authentication

In Identity Authentication, tenant administrators can manage user accounts and groups.

Activity: Create User
  Description: Create users via the Add User option in the administration console.
  Procedure: Create a New User

Activity: Create User Groups
  Description: Create new user groups via the User Groups option in the administration console.
  Procedure: Create a New User Group

   Note
  It is mandatory to follow the User Group Naming Guidelines and create the Required Groups provided below.

Activity: Assign Groups to User
  Description: Assign groups to a user via the administration console for Identity Authentication.
  Procedure: Assign Groups to a User

User Group Naming Guidelines

When you create these groups, you must follow this naming convention: IAG_<TYPE>_<NAME>.

In this string, the <TYPE> must be one of the delivered types shown in the table below. The <NAME> can be of
your choosing, though we recommend choosing a name that is clear and concise.

Example: IAG_WF_ADMIN

Group Types

Group type (name) and description:

CM (Control Monitor)
  Users assigned to this group are available as control monitors, which can be assigned during control creation.

CO (Control Owner)
  Users assigned to this group are available as default control owners, which can be assigned during control creation.

WF (Workflow)
  Assign users to this group to enable participation in the workflow service.

RO (Role Owner)
  Users assigned to this group can be selected as Role Owner in the Access Maintenance app when editing a role in the SAP Cloud Identity Access Governance launchpad.

CADM (Candidate Business Role Administrator)
  Users assigned to this group have access to the Candidate Business Role Administration app and carry out administrative tasks.

RCA (Business Role Content Approver)
  Users can modify and approve business roles. Users assigned to this group are included in the dropdown list of Business Role Content Approvers.

RAA (Business Role Assignment Approver)
  Users can approve business role assignments. Users assigned to this group are included in the dropdown list of Assignment Approvers.

USER (IAG Application Users)
  Assign this group by default to all application users of SAP Cloud Identity Access Governance.

Required Groups

The SAP Cloud Identity Access Governance services look for the specific groups listed below, so create them in the Identity Authentication tenant with exactly these names; the names are case-sensitive. Then assign the relevant users to them. Beyond these required groups, you can create additional groups that follow the naming convention above to suit your own implementation.

 Note

You can create users in Identity Authentication or make them available from a connected LDAP server.

 Note

To connect LDAP and other services for application users, configure this in Identity Authentication. For more information, see SAP Cloud Identity Services - Identity Authentication.

Service, groups to create, and tasks that users assigned to the group can perform:

Service: Access Analysis Service
  IAG_WF_RISKOWNERS: Risk owner approvers are assigned to the IAG_WF_RISKOWNERS group in Identity Authentication.

Service: Access Request Service
  IAG_WF_MANAGER: In the Create Access Request app there is the Manager field. You assign users to the IAG_WF_MANAGER group to make them available for selection in this field. Managers are responsible for approving access requests.
   Note: If a user's manager is explicitly assigned in Identity Authentication, then the manager is displayed in this field and is read-only.
  IAG_WF_ADMIN: In the access request process, requests go through a security stage. Users assigned to this group can receive and work on access requests in this stage. They can also receive and work on access requests for Privileged Access Management.
  IAG_WF_DEFAULT: When managers and approvers are not available in the system, the task of reviewing and approving a request goes to users assigned to this group.
  IAG_CO_DEFAULT and IAG_CM_DEFAULT: These groups are mandatory for the integration edition and for the bridge scenario between SAP Access Control and SAP Cloud Identity Access Governance.
  IAG_USER: Required for access requests.

Service: Role Design Service
  IAG_WF_CBRRefine: Users assigned to this group can refine the proposed candidate business roles.
  IAG_WF_CBRActivate: Users assigned to this group can activate candidate business roles.
  IAG_WF_CBRReconcile: Users assigned to this group can perform tasks in the reconciliation stage of candidate business roles (CBR), such as provisioning and deprovisioning user role assignments.
  IAG_RCA_DEFAULT: Business Role Default Content Approver.
  IAG_RAA_DEFAULT: Business Role Default Assignment Approver.

Service: Access Certification
  IAG_WF_ADMIN: Users assigned to this group can receive and work on access certification review items in the security stage.
  IAG_WF_DEFAULT: When managers or role owners are not available, the task of reviewing a user's access is forwarded to members of this group.
  IAG_CPG_ADMIN: Users assigned to this group can create and edit campaigns.
  IAG_CPG_CO: Users assigned to this group can coordinate campaign activities, for example, reassign items or remind reviewers.
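Because the services look these groups up by exact, case-sensitive name, a group created as IAG_WF_Default instead of IAG_WF_DEFAULT simply never receives work, and nothing in the tenant flags it. The following Python is an added example, not code from the guide or from SAP: given the list of group names in your Identity Authentication tenant (for instance exported from the administration console), it reports the required groups that are missing for the services you use, groups that exist only with the wrong case, and IAG_* groups that do not follow the IAG_<TYPE>_<NAME> convention. The required-group list is taken from the table above; the sample group list is constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Group types from the naming convention IAG_<TYPE>_<NAME>.
GROUP_TYPES = {"CM", "CO", "WF", "RO", "CADM", "RCA", "RAA", "USER"}

# Required groups per service, spelled exactly as the services look them up.
REQUIRED_GROUPS: dict[str, set[str]] = {
    "Access Analysis": {"IAG_WF_RISKOWNERS"},
    "Access Request": {"IAG_WF_MANAGER", "IAG_WF_ADMIN", "IAG_WF_DEFAULT", "IAG_USER"},
    "Access Request (integration edition / bridge)": {"IAG_CO_DEFAULT", "IAG_CM_DEFAULT"},
    "Role Design": {"IAG_WF_CBRRefine", "IAG_WF_CBRActivate", "IAG_WF_CBRReconcile",
                    "IAG_RCA_DEFAULT", "IAG_RAA_DEFAULT"},
    "Access Certification": {"IAG_WF_ADMIN", "IAG_WF_DEFAULT", "IAG_CPG_ADMIN", "IAG_CPG_CO"},
}
ALL_REQUIRED = set().union(*REQUIRED_GROUPS.values())
NAME_RE = re.compile(r"^IAG_(?P<type>[A-Z]+)_(?P<name>[A-Za-z0-9_]+)$")


@dataclass
class GroupAudit:
    missing: dict[str, set[str]] = field(default_factory=dict)   # service -> groups not found
    case_mismatch: dict[str, str] = field(default_factory=dict)  # group as found -> name expected
    bad_convention: set[str] = field(default_factory=set)        # IAG_* groups outside the convention

    def ok(self) -> bool:
        return not (self.missing or self.case_mismatch or self.bad_convention)


def audit_iag_groups(existing: list[str], services: set[str] | None = None) -> GroupAudit:
    """Compare the groups present in the Identity Authentication tenant with what the
    selected services (default: all) require."""
    result = GroupAudit()
    present = set(existing)
    by_lower = {g.lower(): g for g in existing}
    for service, required in REQUIRED_GROUPS.items():
        if services is not None and service not in services:
            continue
        missing = {g for g in required if g not in present}
        for name in missing:
            found = by_lower.get(name.lower())
            if found is not None:                 # exists, but the case does not match
                result.case_mismatch[found] = name
        if missing:
            result.missing[service] = missing
    for group in existing:
        # Groups from the required table are accepted as given (IAG_USER, IAG_CPG_* do not
        # fit the IAG_<TYPE>_<NAME> pattern); everything else under IAG_ must follow it.
        if not group.upper().startswith("IAG_") or group in ALL_REQUIRED:
            continue
        match = NAME_RE.match(group)
        if match is None or match.group("type") not in GROUP_TYPES:
            result.bad_convention.add(group)
    return result


# Constructed sample of group names as they might be exported from a tenant.
SAMPLE_GROUPS = [
    "IAG_WF_RISKOWNERS", "IAG_WF_MANAGER", "IAG_WF_ADMIN", "IAG_WF_Default", "IAG_USER",
    "IAG_CPG_ADMIN", "IAG_CPG_CO", "IAG_RO_FinanceRoles", "IAG_XX_SOMETHING", "Finance-Team",
]

if __name__ == "__main__":
    print(audit_iag_groups(SAMPLE_GROUPS, {"Access Request", "Access Certification"}))
```

Pass the set of services you have subscribed to as the second argument; the bridge groups IAG_CO_DEFAULT and IAG_CM_DEFAULT are listed under their own key so that they are only required when you include it. On the sample list the audit reports IAG_WF_DEFAULT as missing for both services, IAG_WF_Default as the case mismatch behind it, and IAG_XX_SOMETHING as outside the convention.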


9.1.2 Pre-Delivered Role Collections on SAP BTP

In the tenant for SAP Cloud Identity Access Governance on SAP BTP, the administrator can view the pre-delivered role collections. The role collections CIAG_Display, CIAG_Access_Certification_Admin, and CIAG_Super_Admin are primarily required to gain full access to the apps in SAP Cloud Identity Access Governance. Refer to the tables below for the role collections. Treat CIAG_Super_Admin and the *_Admin collections as privileged: assign them to named administrators only, and give other business users CIAG_Display plus the service-specific collections they need.

 Note

If you are subscribing to SAP Cloud Identity Access Governance, integration edition, refer to SAP Cloud Identity Access Governance, integration edition.

Role Collections for all Business Users

Role collection: CIAG_Display
  Associated roles: Destination Certificate Viewer; Destination Configuration Viewer; Destination Subaccount Trust Viewer; Destination Viewer; EXTERNAL_PORTAL_USER; IAGDisplay_Admin; sap_scheduler_configuration_template; sap_scheduler_viewer_template; Token_Exchange_Admin
  Tasks: This is the default role collection. It includes the roles needed by the framework; they are grouped under a single role collection, which must be assigned to all business users.

Role Collections and Associated Roles for the Access Request Service

Role collection: CIAG_Access_Request
  Associated roles: IAG_Access_RequestAccess_Request; RuleRepositorySuperUser; RuleRuntimeSuperUser; WorkflowParticipant
  Tasks:
  • Create access requests
  • View the status of a request
  • Cancel a request
  • For approvers: review and approve or reject access requests; remediate risks

   Note
  To create a new role collection, for instance ZIAG_ARQ_WF_APPROVE, carry out the steps below:
  1. In the SAP BTP cockpit, go to Role Collections and define a new role collection.
  2. Choose the role collection you created and edit it.
  3. Under Role Name, select the WorkflowAdmin role and add it to the role collection.
  4. Map this new role collection to the existing group (CIAG_Access_Request) or to a new Identity Authentication group in SAP BTP.

Role collection: CIAG_Access_Request_Admin
  Associated roles: IAG_Access_Request_AdminAccess_Request; IAG_Access_Request_AdminAdministration; IAG_Access_Request_AdminReports; iag_access_request_priority; iag_authorization_policy; iag_business_processes; iag_configuration; iag_custom_field_groups; iag_custom_fields; iag_field_mapping; iag_maint_user_data; iag_notif_upload; iag_reason_code; RuleRepositorySuperUser; RuleRuntimeSuperUser; WorkflowAdmin; WorkflowDeveloper
  Tasks:
  • Setting up connections between the service and the target systems
  • Setting up recurring jobs for the service
  • Setting up master data in the apps
  • Setting up the workflow service
  • Setting up the Business Rule service
  • Setting up the Identity Provisioning service
  • Setting configurations for SAP Cloud Identity Access Governance, such as the UI language

Role collection: CIAG_Access_Request_Others
  Associated roles: IAG_Access_Request_OthersAccess_Request_for_others

Role Collections and Associated Roles for the Role Design Service

Role collection: CIAG_Role_Designer
  Associated roles: IAG_Role_DesignerAdministration; IAG_Role_DesignerReports; IAG_Role_DesignerRole_designer
  Tasks:
  • Business roles: create and maintain
  • Candidate business roles: create, review, and approve

Role collection: CIAG_Role_Designer_Admin
  Associated roles: iag_authorization_policy; iag_business_processes; iag_configuration; iag_departments; iag_projects; IAG_Role_Designer_AdminAdministration; IAG_Role_Designer_AdminReports; IAG_Role_Designer_AdminRole_designer
  Tasks:
  • Setting up connections between the service and the target systems
  • Setting up recurring jobs for the service
  • Setting up master data in the app
  • Setting configurations for SAP Cloud Identity Access Governance, such as the UI language
  • View the Role Design Audit Log

Role Collections and Associated Roles for the Access Analysis Service

Role collection: CIAG_Access_Analysis
  Associated roles: IAG_Access_AnalysisAccess_Analysis; IAG_Access_AnalysisAdministration; IAG_Access_AnalysisReports; RuleRuntimeSuperUser
  Tasks:
  • Analyzing access risks
  • Remediating access risks
  • Refining access
  • Mitigating risks
  • Auditing access compliance

Role collection: CIAG_Access_Analysis_Admin
  Associated roles: IAG_Access_Analysis_AdminAccess_Analysis; IAG_Access_Analysis_AdminAdministration; IAG_Access_Analysis_AdminReports; iag_authorization_policy; iag_business_processes; iag_configuration; iag_functions; iag_mitigaton_control_master_data; iag_risk; iag_risk_level; iag_risk_score_policy; iag_test_plans; RuleRepositorySuperUser; RuleRuntimeSuperUser
  Tasks:
  • Setting up connections between the service and the target systems
  • Setting up recurring jobs for the service
  • Setting up master data in the apps
  • Setting configurations for SAP Cloud Identity Access Governance, such as the UI language

Role collection: CIAG_Access_Analysis_Enh
  Associated roles: IAG_Access_AnalysisAccess_Analysis_Enh; RuleRuntimeSuperUser
  Tasks:
  • Analyzing access risks
  • Remediating access risks
  • Refining access
  • Mitigating risks
  • Auditing access compliance

Role collection: CIAG_Access_Analysis_MCA
  Associated roles: iag_blanket_mitigations; iag_invalid_mitigations
  Description: IAG Access Analysis Mitigation Control Assignments

Role Collections for the Configuration Admin

CIAG_Configuration_Admin
  Associated roles:
    iag_access_request_priority
    iag_authorization_policy
    iag_business_processes
    iag_configuration
    IAG_Configuration_AdminAdministration
    iag_custom_field_groups
    iag_custom_fields
    iag_field_mapping
    iag_functions
    iag_maint_user_data
    iag_mitigaton_control_master_data
    iag_notif_upload
    iag_projects
    iag_reason_code
    iag_risk
    iag_risk_level
    iag_risk_score_policy
    iag_test_plans
    RuleRepositorySuperUser
    RuleRuntimeSuperUser
    WorkflowAdmin
    WorkflowDeveloper
    WorkflowParticipant
  Tasks: This role collection enables business users to configure SAP Cloud Identity Access Governance.

CIAG_Administrator_v1
  Associated roles:
    iag_connector_type

CIAG_Job_Scheduler_Admin
  Associated roles:
    IAGSchedulerAdmin
Role Collections for the Super Admin

CIAG_Super_Admin
  Associated roles:
    IAG_Access_Analysis_AdminAccess_Analysis
    IAG_Access_Analysis_AdminAdministration
    IAG_Access_Analysis_AdminReports
    IAG_Access_AnalysisAccess_Analysis
    IAG_Access_AnalysisAdministration
    IAG_Access_AnalysisReports
    IAG_Access_Request_AdminAccess_Request
    IAG_Access_Request_AdminAdministration
    iag_access_request_priority
    IAG_Access_RequestAccess_Request
    IAG_Access_RequestAdministration
    iag_authorization_policy
    iag_business_processes
    iag_configuration
    iag_custom_field_groups
    iag_custom_fields
    iag_departments
    iag_field_mapping
    iag_functions
    iag_maint_user_data
    iag_mitigaton_control_master_data
    iag_notif_upload
    IAG_Privileged_AccessAdministration
    IAG_Privileged_AccessPrivileged_Access_Management
    IAG_Privileged_AccessPrivilegedRoles
    IAG_Privileged_AccessReports
    iag_projects
    iag_reason_code
    iag_risk
    iag_risk_level
    iag_risk_score_policy
    IAG_Role_Designer_AdminAdministration
    IAG_Role_Designer_AdminReports
    IAG_Role_Designer_AdminRole_designer
    IAG_Role_DesignerAdministration
    IAG_Role_DesignerReports
    IAG_Role_DesignerRole_designer
    iag_test_plans
    RuleRepositorySuperUser
    RuleRuntimeSuperUser
    WorkflowAdmin
    WorkflowDeveloper
    WorkflowParticipant
    iag_massupdate
  Tasks: This role collection is for the Super Admin who needs to configure and access all the services.

CIAG_Job_Scheduler_Admin
  Associated roles:
    IAGSchedulerAdmin

CIAG_Administrator_v1
  Associated roles:
    iag_connector_type

Role Collections for the Privileged Access Admin (deprecated)

CIAG_Privileged_Access
  Associated roles:
    iag_configuration
    IAG_Privileged_AccessAdministration
    IAG_Privileged_AccessPrivileged_Access_Management
    IAG_Privileged_AccessPrivilegedRoles
    IAG_Privileged_AccessReports
    iag_reason_code
  Tasks: This role collection is for privileged access management activities.

BTP Authorization Roles for Privileged Access (assign this role: to perform these tasks)

  IAG_Privileged_Access_Monitoring_Review_Inbox: Accessing Privileged Access Monitoring Review Inbox
  IAG_Privileged_Access_Sessions: Accessing PAM Execute Sessions
  IAG_Maintain_Privileged_Access: Accessing Maintain Privileged Access
  IAG_Privileged_Access_Report: Accessing Privileged Access Monitoring Report
  IAG_Privileged_Access_Execute: Accessing PAM Execute sessions
  IAG_Privileged_Access_Inbox: Accessing Privileged Access Inbox
  IAG_Privileged_Access_Provisioning_Report: Accessing Privileged Access Provisioning Report

Role Collections for the Access Certification

CIAG_Access_Certification_Admin
  Associated roles:
    IAGAccessCertificationAdmin
    WorkflowParticipant
  Tasks:
    1. Create and edit campaign
    2. View logs
    3. Manage/coordinate campaign activities (escalate, ...)

CIAG_Access_Certification_Coordinator
  Associated roles:
    IAGAccessCertificationCoordinator
    WorkflowParticipant
  Tasks:
    1. Manage/coordinate campaign activities (escalate, ...)
    2. View logs

CIAG_Access_Certification_Reviewer
  Associated roles:
    IAGAccessCertificationReviewer
    WorkflowParticipant
  Tasks: Review and approve or reject access item (Role Owner, Manager, Security)

In the tenant for SAP Cloud Identity Access Governance, the administrator can assign the role collections. For more information, refer to Assign Role Collections.

Note

If you wish to customize your role collections, you can create and assign them manually.

For the list of roles that belong to the role collections for workflow management and business rules, refer to SAP Workflow Management - Authorization Configuration and SAP Business Rules Service for the Cloud Foundry Environment - Authorization Configuration.

Parent topic: Setting Up User Authentication and Access [page 27]

Previous: Maintain Users and User Groups in Identity Authentication [page 27]

Next: Mapping Role Collections to Identity Authentication [page 42]

9.1.2.1 SAP Cloud Identity Access Governance, integration edition

SAP Cloud Identity Access Governance, integration edition uses the role collections and associated roles listed below.

Role Collections for all Business Users

CIAG_INT_Display
  Associated roles:
    Destination Certificate Viewer
    Destination Configuration Viewer
    Destination Subaccount Trust Viewer
    Destination Viewer
    EXTERNAL_PORTAL_USER
    IAGDisplay_Admin
    sap_scheduler_configuration_template
    sap_scheduler_viewer_template
    Token_Exchange_Admin
  Description: This is the default role collection. It includes the roles that are needed by the framework. They are grouped under a single role collection and must be assigned to all business users.

Role Collections and Associated Roles for the Access Analysis Service

CIAG_INT_Access_Analysis
  Associated roles:
    IAG_Access_AnalysisAccess_Analysis
    IAG_Access_AnalysisAdministration
    IAG_Access_AnalysisReports
  Tasks:
    • Analyzing access risks
    • Remediating access risks
    • Refining access
    • Mitigating risks
    • Auditing access compliance

CIAG_INT_Access_Analysis_Admin
  Associated roles:
    IAG_Access_Analysis_AdminAccess_Analysis
    IAG_Access_Analysis_AdminAdministration
    IAG_Access_Analysis_AdminReports
    iag_authorization_policy
    iag_business_processes
    iag_configuration
    iag_functions
    IAG_INTG_Role_Designer
    iag_maint_user_data
    iag_mitigaton_control_master_data
    iag_risk
    iag_risk_level
    iag_risk_score_policy
    iag_test_plans
  Tasks:
    • Setting up connections between the service and the target systems
    • Setting up recurring jobs for the service
    • Setting up master data in the apps
    • Set configurations for SAP Cloud Identity Access Governance, such as UI language

CIAG_INT_Access_Analysis_MCA
  Associated roles:
    iag_blanket_mitigations
    iag_invalid_mitigations
  Description: IAG Access Analysis Mitigation Control Assignments
Role Collections for the Configuration Admin

CIAG_INT_Configuration_Admin
  Associated roles:
    iag_authorization_policy
    iag_business_processes
    iag_configuration
    IAG_Configuration_AdminAdministration
    iag_functions
    iag_maint_user_data
    iag_mitigaton_control_master_data
    iag_risk
    iag_risk_level
    iag_risk_score_policy
    iag_test_plans
  Tasks: This role collection enables business users to configure SAP Cloud Identity Access Governance.

CIAG_INT_Job_Scheduler_Admin
  Associated roles:
    IAGSchedulerAdmin

Role Collections for the Role Management

CIAG_INT_Role_MGMT
  Associated roles:
    IAG_Role_DesignerAdministration
    IAG_Role_DesignerReports
  Tasks: Role Management
Role Collections for the Super Admin

CIAG_INT_Super_Admin
  Associated roles:
    IAG_Access_Analysis_AdminAccess_Analysis
    IAG_Access_Analysis_AdminAdministration
    IAG_Access_Analysis_AdminReports
    IAG_Access_AnalysisAccess_Analysis
    IAG_Access_AnalysisAdministration
    IAG_Access_AnalysisReports
    iag_authorization_policy
    iag_business_processes
    iag_configuration
    iag_departments
    iag_functions
    IAG_INTG_Role_Designer
    iag_maint_user_data
    iag_mitigaton_control_master_data
    iag_risk
    iag_risk_level
    iag_risk_score_policy
    IAG_Role_Designer_AdminReports
    IAG_Role_DesignerReports
    iag_test_plans
  Tasks: This role collection is for the Super Admin who needs to configure and access all the services.

CIAG_INT_Administrator_v1
  Associated roles:
    iag_connector_type

9.1.3 Mapping Role Collections to Identity Authentication

To map the Role Collections to your Identity Authentication tenant, you must do the following:

• Set Identity Authentication as a trusted identity provider.


• Set up assertion-based groups and attributes mapping.

Parent topic: Setting Up User Authentication and Access [page 27]

Previous: Pre-Delivered Role Collections on SAP BTP [page 31]

Next: Syncing User Groups from Identity Authentication Service [page 47]

9.1.3.1 Manually Establish Trust and Federation Between UAA and Identity Authentication

SAP Cloud Identity Access Governance services use Identity Authentication to provide user identity authentication.

Before you can start using the solution, you must federate your Identity Authentication tenant with the subscriber subaccount for SAP Cloud Identity Access Governance. Technically this is an exchange of SAML metadata, and with it of signing certificates, between the two sides; however, some special settings must be implemented for optimum usability of the software.

9.1.3.1.1 Download the SAML Metadata File for the Subscriber Subaccount

1. Go to the SAP BTP cockpit, and open your subscriber subaccount.
2. In the menu panel on the left side, choose Security > Trust Configuration.
3. Download the SAML Metadata file for the subaccount.
   The file is downloaded with a name that contains the subdomain of the subaccount. The name makes it easier to find the file for uploading it at a later date.

9.1.3.1.2 Create Application in Identity Authentication and Upload SAP BTP Metadata File

In the Identity Authentication cockpit, create a custom application for the SAP Cloud Identity Access Governance services. This application is used to establish the trust relationship with the SAP Business Technology Platform (SAP BTP) tenant.

1. In the Identity Authentication cockpit, navigate to Applications & Resources > Applications.
2. Add a custom application and save.

Note

For ease of use, the application and the subaccount should have the same name.

3. Upload the metadata from the SAP BTP tenant.
   1. From the Custom Applications list, select your new custom application, and then select SAML 2.0 Configuration.
   2. In the Metadata File field, browse to the location of the SAP BTP metadata file.
   3. Upload the file and save.

9.1.3.1.3 Set Up Assertion-based Groups for Identity Authentication and Role Collection Mapping

Attributes

Note

Make sure that the application in Identity Authentication contains ONLY the attributes listed in the table in step 3. The Subject Name Identifier (SNI) MUST be User ID.

1. Log in to the Identity Authentication tenant and navigate to Applications & Resources > Applications.
2. Under Applications, select your application for SAP Cloud Identity Access Governance (the application you created when setting up the trust relationship between the Identity Authentication tenant and the SAP Cloud Identity Access Governance application on SAP BTP).
3. Go to Trust, choose Attributes, and make sure only the following attributes are defined:

   Name         Value
   Groups       Groups (ensure that the letter G is in upper case)
   first_name   First Name
   last_name    Last Name
   mail         Email

4. Remove all other attributes and save.

Add Assertion-based Identity Authentication Groups and Attributes Mapping

1. Add assertion-based groups.
   1. Log on to the SAP BTP cockpit and navigate to Security > Trust Configuration.
   2. Select the name of the relevant identity provider (the Identity Authentication tenant that you have already configured). For more information, refer to Manually Establish Trust and Federation Between UAA and Identity Authentication [page 43].
   3. Go to Role Collection Mapping and choose New Role Collection Mapping to create the mapping rules. Some examples of role collections that must be mapped are listed below.

   Note

   If the groups referenced by the mapping rules do not yet exist in Identity Authentication, create them manually. The other role collections listed in Pre-Delivered Role Collections on SAP BTP [page 31] must be mapped in the same manner as the examples below.

   Role Collection Mapping to Identity Authentication Groups

   Pre-delivered Role Collection   Attribute   Operator   Value (equals this Identity Authentication group)
   CIAG_Access_Analysis            Groups      equals     IAG_Access_Analysis
   CIAG_Access_Analysis_Admin      Groups      equals     IAG_Access_Analysis_Admin
   CIAG_Role_Designer              Groups      equals     IAG_Role_Designer
   CIAG_Role_Designer_Admin        Groups      equals     IAG_Role_Designer_Admin

   4. Save.
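The attribute rules and the mapping table above decide, per SAML assertion, which role collections a user receives. The following is an added example, not part of the SAP guide and not SAP code: it parses an assertion, flags the two misconfigurations the note above warns about (extra attributes, a lower-case groups attribute that the case-sensitive rule would never match), and computes the role collections that the four equals rules would assign. The assertions are constructed for the example; in production UAA evaluates the mapping, so this only reproduces the logic for a pre-flight check of a captured assertion.

```python
"""Added example (not SAP code): check an Identity Authentication SAML
assertion against the attribute rules above and compute the SAP BTP role
collections the 'Groups equals <group>' mapping rules would assign.

Assumptions (not from the guide): the assertion is available as XML text,
the mapping is the four example rules from the table, and both sample
assertions are constructed for this example rather than captured.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The guide: the application must send ONLY these attributes, with these names.
ALLOWED_ATTRIBUTES = {"Groups", "first_name", "last_name", "mail"}

# Role collection mapping rules from the table (attribute Groups, operator equals).
ROLE_COLLECTION_MAPPING = {
    "IAG_Access_Analysis": "CIAG_Access_Analysis",
    "IAG_Access_Analysis_Admin": "CIAG_Access_Analysis_Admin",
    "IAG_Role_Designer": "CIAG_Role_Designer",
    "IAG_Role_Designer_Admin": "CIAG_Role_Designer_Admin",
}


def parse_assertion(assertion_xml):
    """Return (NameID, {attribute name: [values]}) from a SAML 2.0 assertion."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=SAML_NS)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return name_id, attrs


def check_assertion(name_id, attrs):
    """Problems that break role collection mapping or send data the app should not send."""
    problems = []
    if not name_id:
        problems.append("Subject Name Identifier is empty; it must be the User ID")
    for name in attrs:
        if name not in ALLOWED_ATTRIBUTES:
            problems.append("unexpected attribute: %s" % name)
    # The mapping rule matches the attribute name case-sensitively.
    if "groups" in attrs and "Groups" not in attrs:
        problems.append("attribute 'groups' must be named 'Groups' (upper-case G)")
    return problems


def map_role_collections(attrs, mapping=ROLE_COLLECTION_MAPPING):
    """Apply the 'equals' rules; groups without a rule grant nothing."""
    return sorted({mapping[g] for g in attrs.get("Groups", []) if g in mapping})


# Constructed sample: a user in two IAS groups, only one of which is mapped.
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>P000123</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Groups">
      <saml:AttributeValue>IAG_Access_Analysis</saml:AttributeValue>
      <saml:AttributeValue>Finance_Users</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample of a misconfigured application: lower-case 'groups' plus an extra attribute.
BAD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>P000123</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups"><saml:AttributeValue>IAG_Role_Designer</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue>FIN</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for label, xml_text in (("good", GOOD_ASSERTION), ("bad", BAD_ASSERTION)):
        nid, attrs = parse_assertion(xml_text)
        print(label, nid, check_assertion(nid, attrs), map_role_collections(attrs))
```

The misconfigured assertion yields no role collections at all, which is the symptom you see in practice: the user can log on but the launchpad shows nothing, because the mapping silently matched no group.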

9.1.3.1.4 Download SAML Metadata File for Identity Authentication

1. In the Identity Authentication cockpit, navigate to Tenant Settings > SAML 2.0 Configuration.
2. In the SAML 2.0 Configuration, under Identity Provider Settings, go to Signing Certificate at the bottom of the page to download the metadata file.
3. Rename the file. Use the tenant ID of the Identity Authentication service for this purpose.
4. In the Description field, enter a description (optional).
5. Choose Parse. You should see the message Metadata parsed successfully.
6. Save.

9.1.3.1.5 Add New Trust Configuration for the SAP Cloud Identity Access Governance Subaccount

1. Go to the SAP BTP cockpit, and open your subscriber subaccount.
2. In the menu panel on the left side, choose Security > Trust Configuration, and then New Trust Configuration.
3. Upload the SAML metadata file of the Identity Authentication tenant.
4. Enter a meaningful Name, Description, and Link Text for User Logon, for instance the tenant ID of the Identity Authentication service.
5. Save your entries.

Disable the Default Identity Provider

To avoid a disambiguation page (a choice between identity providers) when opening the SAP Cloud Identity Access Governance launchpad, you need to disable the default identity provider for logon so that only your Identity Authentication tenant is offered.

1. In the Trust Configuration list, choose the pencil button of the default identity provider to edit it.
2. Clear the Available for User Logon check box and save your entry.
   Your Identity Authentication tenant should now be the only entry that is marked Available for User Logon.

9.1.3.2 Establish Trust and Federation Between UAA and Identity Authentication

For enabling trust with a tenant of SAP Cloud Identity Services - Identity Authentication, the service creates an
OpenID Connect (OIDC) application in Identity Authentication to represent your subaccount.

For more information, refer to Map User Attributes from a Corporate Identity Provider for Business Users.

9.1.3.3 Maintaining Access to Tasks

Within the framework of access governance, tasks have different levels of risk and sensitivity. You use Identity
Authentication tools to ensure that only designated users can perform administrative tasks. For example, only
users designated as business role approvers can approve new business roles.

There are three steps in this procedure:

1. In the Identity Authentication tenant, create your groups according to the guidelines below.
2. Assign the appropriate users to the relevant groups.
3. Sync the user-group assignments.
   In the Fiori launchpad for SAP Cloud Identity Access Governance, open the Job Scheduler app and run the Sync User Groups from IAS job (see Syncing User Groups from Identity Authentication Service [page 47]).

For more information about creating user groups and assigning users, see the For More Information section below.

For group naming conventions and assigning users to groups, refer to the Required Group Guidelines and Group Naming Guidelines sections in Maintain Users and User Groups in Identity Authentication [page 27].

For More Information:

SAP Cloud Identity Services - Identity Authentication - User Management

SAP Cloud Identity Services - Identity Authentication - User Groups

SAP Cloud Identity Services - Identity Authentication - Assign Groups to Users

9.1.4 Syncing User Groups from Identity Authentication Service

To ensure that user group information is synchronized between the Identity Authentication tenant and the tenant for SAP Cloud Identity Access Governance on SAP Business Technology Platform (SAP BTP), you must maintain the required system in Identity Authentication and the destination in the tenant for SAP Cloud Identity Access Governance, and then run the SCI User Group Sync job in the Job Scheduler app.

Note

The SCIM REST API, also known as IAS API v1, is deprecated. The Identity Directory SCIM REST API, also called IAS API v2, is used instead. Both APIs can be reached via the IPS_PROXY destination. For connecting the SAP Cloud Identity Access Governance solution via IPS_PROXY, refer to Connecting Identity Provisioning Tenant [page 20].

Step 1: Set Up IAG Sync System as Administrator in the Identity Authentication Tenant

1. Log in to the Identity Authentication tenant.
2. Choose the Administrators app.
3. Press the +Add button on the left-hand panel to add a new administrator to the list.
4. Choose Add System.
5. Enter the name of the system under Name, such as IAG Sync.

Caution

Choose the name of your system administrator carefully. Once created, the name cannot be changed.

6. The system needs the Manage Users and Manage Groups authorizations from the following administrator roles.

   Administrator Roles

   Authorization                        Description
   Manage Applications                  Permission to configure the applications via the administration console.
   Manage Corporate Identity Providers  Permission to configure the identity providers via the administration console.
   Manage Users                         Permission to manage, import and export users via the administration console.
   Manage Groups                        Permission to create, edit and delete user groups via the administration console.

   All administrator roles are assigned by default. Because the sync job only needs to read users and groups, a least-privilege configuration keeps the system's authorizations to Manage Users and Manage Groups and removes the other two: a leaked client secret then cannot be used to change applications or identity provider trust in the tenant.

7. Select the IAG Sync system and choose Secrets.
8. Add Secret and Save (the app automatically generates a Client ID).

Note

Make a note of the Client ID and Client Secret. You will use them in the next step.

Step 2: Create SCIUserGroup Destination in the Tenant for SAP Cloud Identity Access Governance on SAP BTP (for IAS API v1, deprecated)

1. In the tenant for SAP Cloud Identity Access Governance, go to the Subaccounts dropdown menu and choose your subaccount.
2. Choose Connectivity > Destinations in the navigation panel.
3. Create the SCIUserGroup destination and choose the pencil icon to edit it. Enter the properties listed below (* marks required fields):

   *Name           SCIUserGroup
   Type            HTTP
   Description     SCI User Group Service
   *URL            https://SCI_TENANT_ID.accounts.ondemand.com/service/scim/Users (replace SCI_TENANT_ID with your Identity Authentication tenant name)
   Proxy Type      Internet
   Authentication  BasicAuthentication
   User            User ID from the Identity Authentication tenant (configured under Users & Authorizations > Administrators)
   Password        Password of the IAG Sync system from the Identity Authentication tenant (configured under Users & Authorizations > Administrators)

If you use the Identity Directory SCIM REST API (IAS API v2), you need to connect via IPS_PROXY. For more information, see Identity Provisioning on SAP Cloud Identity Platform [page 23].
To use IAS API v2, you need to specify the system UUID for IPS_PROXY. For this, a parameter called Identity Directory System ID is configured in Configuration > Application Parameters > Configuration Group > Application User Source. If this parameter is configured, application user data is read through the destination IPS_PROXY based on IAS API v2. If it is not configured, application user data continues to be read via the SCIUserGroup destination, which is based on IAS API v1.
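The following is an added example, not part of the SAP guide and not SAP code. It checks a SCIUserGroup destination against the property values listed in step 3 before the job in step 3 below is scheduled, builds (without sending) the BasicAuthentication request the job would issue with the Client ID and secret from step 1, and shows what the sync derives from a SCIM Users listing. The SCIM response and the destination are constructed for the example; the assumption that the deprecated v1 endpoint returns a SCIM ListResponse with a groups array per user is mine, not the guide's.

```python
"""Added example (not SAP code): validate the SCIUserGroup destination and
walk through what the SCI User Group Sync job derives from a SCIM Users
listing, entirely offline.

Assumptions (not from the guide): the v1 endpoint returns a SCIM ListResponse
with a 'groups' array per user as in SAMPLE_RESPONSE, which is constructed
here; the destination is a dict keyed by the cockpit property names; nothing
is sent over the network.
"""
import base64
import json
import re
import urllib.request

# Values the guide requires on the destination.
REQUIRED_PROPERTIES = {
    "Name": "SCIUserGroup",
    "Type": "HTTP",
    "Proxy Type": "Internet",
    "Authentication": "BasicAuthentication",
}
SCIM_V1_USERS = re.compile(r"https://[a-z0-9-]+\.accounts\.ondemand\.com/service/scim/Users")


def check_destination(dest):
    """Return a list of problems; an empty list means the destination matches the guide."""
    problems = ["%s must be %r" % (k, v) for k, v in REQUIRED_PROPERTIES.items() if dest.get(k) != v]
    if not SCIM_V1_USERS.fullmatch(dest.get("URL", "")):
        problems.append("URL must be https://<tenant>.accounts.ondemand.com/service/scim/Users")
    if not dest.get("User") or not dest.get("Password"):
        problems.append("User (IAG Sync system Client ID) and Password (its secret) are required")
    return problems


def build_request(dest):
    """The request the job would send with BasicAuthentication; it is only built, not sent."""
    credentials = "%s:%s" % (dest["User"], dest["Password"])
    token = base64.b64encode(credentials.encode("utf-8")).decode("ascii")
    request = urllib.request.Request(dest["URL"])
    request.add_header("Authorization", "Basic " + token)
    request.add_header("Accept", "application/scim+json")
    return request


def groups_by_user(list_response):
    """userName -> sorted group names; users without groups are kept so they show in the log."""
    result = {}
    for user in list_response.get("Resources", []):
        names = {g.get("display") or g.get("value", "") for g in user.get("groups", [])}
        result[user["userName"]] = sorted(n for n in names if n)
    return result


def members_by_group(list_response):
    """Invert groups_by_user: group name -> sorted userNames, the view the sync maintains."""
    members = {}
    for user_name, groups in groups_by_user(list_response).items():
        for group in groups:
            members.setdefault(group, []).append(user_name)
    return {group: sorted(users) for group, users in members.items()}


# Constructed destination, as it would appear under Connectivity > Destinations.
SAMPLE_DESTINATION = {
    "Name": "SCIUserGroup", "Type": "HTTP", "Description": "SCI User Group Service",
    "URL": "https://mytenant.accounts.ondemand.com/service/scim/Users",
    "Proxy Type": "Internet", "Authentication": "BasicAuthentication",
    "User": "example-client-id", "Password": "example-secret",
}

# Constructed SCIM ListResponse (not a real tenant response).
SAMPLE_RESPONSE = json.loads("""{
  "totalResults": 3,
  "Resources": [
    {"userName": "P000001", "groups": [{"value": "g1", "display": "IAG_Access_Analysis"},
                                        {"value": "g2", "display": "IAG_Role_Designer"}]},
    {"userName": "P000002", "groups": [{"value": "g1", "display": "IAG_Access_Analysis"}]},
    {"userName": "P000003", "groups": []}
  ]
}""")

if __name__ == "__main__":
    print(check_destination(SAMPLE_DESTINATION))
    print(build_request(SAMPLE_DESTINATION).get_header("Authorization")[:12] + "...")
    print(members_by_group(SAMPLE_RESPONSE))
```

The URL check insists on HTTPS and on the tenant's own accounts.ondemand.com host: with BasicAuthentication the Client Secret travels in every request, so a destination that points elsewhere, or is switched to plain HTTP while troubleshooting, hands that secret to whoever answers.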

Step 3: Run SCI User Group Sync Job

1. Log in to the SAP Cloud Identity Access Governance launchpad and open the Job Scheduler app.
2. In the Job Name field, enter the job name.
3. In the Job Category field, select SCI User Group Sync from the dropdown list.
4. In the Recurring Job field, select No.
5. In the Start Immediately field, select Yes.
6. Enter information in all required fields and choose Schedule Job. The job status and log can be checked in the Job History app.

Note

To schedule a recurring job, refer to 2859618 for recommendations on the frequency of the jobs.

Parent topic: Setting Up User Authentication and Access [page 27]

Previous: Mapping Role Collections to Identity Authentication [page 42]

10 Maintaining Cloud Connector for On-
Premise Scenario

SAP Cloud Connector serves as the link between on-demand applications in SAP Business Technology
Platform (SAP BTP), and existing on-premise systems.

The Cloud Connector runs as an on-premise agent in a secured network and acts as a reverse invoke proxy
between the on-premise network and SAP BTP.

For more information, see Cloud Connector.

10.1 Install Cloud Connector

To Install the Cloud Connector, view the help documentation for SAP BTP Cloud Connectivity, and follow the
instructions for the scenario:

Connecting Cloud Application to On-Premise Systems.

10.2 Maintain Cloud Connector

Prerequisite: You have already activated your user for SAP Cloud Identity Access Governance and have administrator access to the subaccount.

Example of the URL for the Identity Authentication administration console: https://<CompanyName>.accounts.ondemand.com/admin/

Note

For the following, maintain one Cloud Connector for each target system.

1. Log in to your Cloud Connector. To set up the Cloud Connector for your on-premise system, follow the steps described here.
2. Select the created subaccount, choose Cloud To On-Premise, and then navigate to Access Control.
3. Add a system mapping for each on-premise target system. (For an SAP ERP system, enter Back-end Type = ABAP System, Protocol = RFC, and the system configuration.) Refer to Configure Access Control (RFC).

4. Select the above system mapping and add the function module names as follows:

   Function Name    Naming Policy
   SIAG             Prefix
   RFC_READ_TABLE   Exact name
For more information, see SAP BTP Connectivity .
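The two access-control entries above are the allowlist that bounds what the cloud side can invoke on the back end through this mapping. The following is an added example, not part of the SAP guide and not SAP code: it models the Prefix and Exact name policies and audits a list of candidate function modules against them, so you can see that the exact entry admits RFC_READ_TABLE but nothing similarly named, and that a broad prefix such as RFC or BAPI would undo the allowlist. The modelling of the policies (prefix = starts with, exact = equals, compared in upper case) and the call list are assumptions for the example.

```python
"""Added example (not SAP code): the Cloud Connector access-control entries
above as an allowlist check for RFC function module names.

Assumptions (not from the guide): 'Prefix' means the name starts with the
value and 'Exact name' means the name equals the value, both compared in
upper case because ABAP function module names are upper case; the candidate
call list and the rule names are constructed for this example.
"""

# (value, naming policy) as entered under Cloud To On-Premise > Access Control.
ACCESS_CONTROL_RULES = [
    ("SIAG", "Prefix"),               # IAG's own function modules
    ("RFC_READ_TABLE", "Exact name"),
]


def is_allowed(function_module, rules=ACCESS_CONTROL_RULES):
    """True if at least one access-control entry matches the function module name."""
    name = function_module.strip().upper()
    for value, policy in rules:
        value = value.upper()
        if policy == "Prefix" and name.startswith(value):
            return True
        if policy == "Exact name" and name == value:
            return True
    return False


def audit_calls(function_modules, rules=ACCESS_CONTROL_RULES):
    """Split observed or planned calls into what the connector would pass or block."""
    allowed = sorted(f for f in function_modules if is_allowed(f, rules))
    blocked = sorted(f for f in function_modules if not is_allowed(f, rules))
    return {"allowed": allowed, "blocked": blocked}


def overly_broad_rules(rules=ACCESS_CONTROL_RULES):
    """Flag entries that would admit far more than the IAG extractors need:
    a very short prefix, or a prefix that is a whole generic namespace."""
    findings = []
    for value, policy in rules:
        if policy != "Prefix":
            continue
        if len(value) < 3:
            findings.append("prefix %r is too short to act as an allowlist" % value)
        elif value.upper() in ("RFC", "BAPI", "SUSR"):
            findings.append("prefix %r opens a whole generic namespace" % value)
    return findings


# Constructed list mixing IAG extractor calls with modules the mapping must not expose.
SAMPLE_CALLS = ["SIAG_GET_USER_DATA", "siag_get_roles", "RFC_READ_TABLE",
                "RFC_READ_TABLE2", "RFC_PING", "BAPI_USER_CHANGE"]

if __name__ == "__main__":
    print(audit_calls(SAMPLE_CALLS))
    print(overly_broad_rules() or "rules are as narrow as the guide specifies")
```

RFC_READ_TABLE is a generic table-read module, so once it is allowed the authorizations of the connection user on the back end are what actually bound which tables SAP Cloud Identity Access Governance can read; keep that user's table access as narrow as the extraction needs.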

10.3 Maintain Destinations for Cloud Connector

In the SAP BTP cockpit, maintain destinations for each target system to enable communication via the Cloud Connector.

For on-premise systems, make sure to select the Proxy Type OnPremise.

   Parameter    Value
   Name         Optional
   Type         RFC
   Description  Optional
   Proxy Type   OnPremise
   User         Connection user or RFCUSER1
   Password     Enter the password for the connection user

Under Additional Properties, add the following:

   jco.client.ashost               Enter the host name of the server
   jco.client.client               Enter the client number, for example, 100
   jco.client.lang                 Enter the language, for instance, EN
   jco.client.sysnr                Enter your system number
   jco.destination.pool_capacity   Enter the pool capacity, for example, 6

For more information about using the destination service, see the following SAP Cloud Platform documentation: Configure Destinations from the Cockpit

Note

Only HTTP destinations are relevant for the destination service. For more information, see the following documentation: Create HTTP Destinations

11 Additional Services for Access Request
Service

To fully utilize the access request service you must configure SAP Cloud Identity Services - Identity
Provisioning. It helps provision access requests to target systems. To obtain your Identity Provisioning tenant,
or to have your existing bundle tenant upgraded for use with SAP Cloud Identity Access Governance, create an
incident for component GRC-IAG-OPS.

11.1 Setting Up Workflow Service

1. Delivered Workflow Templates [page 52]


The access request service includes the following non-modifiable out-of-the-box workflow templates.
2. Configuring Notification E-Mail Server [page 25]
3. Setting Up Business Rules for Workflow [page 60]

11.1.1 Delivered Workflow Templates

The access request service includes the following non-modifiable out-of-the-box workflow templates.

Note

You can upload both notification and workflow templates via the Template Upload app. Refer also to Prerequisites [page 61].

Delivered Workflow Templates are listed below (workflow template path name, followed by its behavior).

Manager - Role Owner - Security Owner
  The access request goes to the following roles for approval before it is provisioned:
  • manager
  • role owner
  • security owner

Manager - Role Owner - Risk Owner - Security Owner
  The access request goes to the following roles for approval before it is provisioned:
  • manager
  • role owner
  • risk owner
  • security owner
  Note: The Risk Owner stage is skipped if there are no risks for the access requested.

Manager - Security Owner
  The access request goes to the following roles for approval before it is provisioned:
  • manager
  • security owner

Manager Only
  The access request goes only to the manager for approval before it is provisioned.

Auto Path
  The access request goes through an automated approval process and proceeds directly to provisioning without any manual approval steps.

Security Only
  The access request goes only to the security owner for approval before it is provisioned.

Role Owner - Security
  The access request goes to the following roles for approval before it is provisioned:
  • role owner
  • security owner

Role Owner - Manager
  The access request goes to the following roles for approval before it is provisioned:
  • role owner
  • manager

Role Owner Only
  The access request goes only to the role owner for approval before it is provisioned.

Custom Workflow Templates

To create a custom workflow template, you can choose one, two, three, or all four of the stages listed below:

• Manager
• Security
• Role owner
• Risk owner

Example of configuring your own workflow:

After entering Name and Description in the Attributes section, you need to create a stage.

In the Stage section, go to the + sign and select Manager and Security as stages.

Once you have selected the two stages in the Available Stages column, the Stage Name, Stage Description, and Stage Sequence are displayed in the Selected Stage column.

Choose Apply to save your entries.

Email Notification Templates

The access request service delivers out-of-the-box notification emails. Notifications are sent for the following events:

• Notify Request Created
• Notify Approvers
• Notify Request Rejected
• Notify Provisioned
• Notify Partial Provisioned
• Notify User Provisioned
• Notify User Provision Failed
• Notify Request Cancelled

Parent topic: Setting Up Workflow Service [page 52]

Next: Configuring Notification E-Mail Server [page 25]

11.1.1.1 Auto Approval Stage for Auto Provisioning

Access requests for which auto approval paths are selected do not require additional approvals from approvers
and are automatically sent for provisioning.

In the Workflow Template app, the pre-delivered auto approval path (autopath) is listed on the Workflow
Templates screen.

Procedure

To create an auto approval path, follow these steps:

1. Go to the Template Upload app and upload the required Standard Template. This step is necessary before
applying the auto path.
2. Once the path has been successfully uploaded via the Template Upload feature, it is published to the
Workflow service.
3. The published path is now ready to be used in the Business Rule.

The following examples illustrate the benefits of this feature.

Example

When a request is created to delete all line items, the request can be automatically approved and provisioned using autopath. This eliminates the need for manual approval and enables efficient handling of the deletion request.

Example

If several hundred requests are generated daily and manual approval processes are not required, these requests can be handled through autopath and automatically provisioned. This enables efficient and streamlined processing of the requests without manual intervention.

11.1.1.2 Workflow Configuration for Initiator

Different workflow paths can be applied to various types of requests based on the attributes of the request
and the requesting user. This capability enables customized routing and processing of requests according to
specific criteria and attributes, providing a more tailored and efficient workflow.

The differentiation of PathName for each access request is achieved by defining the corresponding business
rule within the BTP Business Services. This allows for the customization of PathName based on specific
conditions and criteria defined in the business rule.

Defining Business Rules

• If the business rules for access requests have already been defined and no different paths are required, there is no need to change the existing business rule (RequestTypeRule). It can continue to be used as is.
• If different paths are required, manually create the business rules: define a data object called RequestAttributes and define a business rule called AttributesRule under Modeling Rules. For details, refer to Data Object: RequestAttributes [page 66] and Modeling Rules [page 69].
• Even if a new business rule, AttributesRule, is defined and conditions are maintained in it, the RequestTypeRule serves as the fallback. If no condition in AttributesRule is met, RequestTypeRule is used as the default rule to determine the path for the request. This ensures that the system still determines a path when none of the conditions in the new rule are satisfied.
• SAP also provides standard business rules for uploading initial business rule projects. If you require these rules, contact the SAP support team.
• If existing customers choose to upload the business rules, they need to manually re-enter the current conditions for the RequestTypeRule so that the previously defined conditions are retained in the uploaded templates. New customers need to establish and maintain the conditions of their business rules from scratch, because no pre-existing conditions or rules are available to them.

The following examples illustrate the workflow configuration for the initiator.

 Example

To enable auto path functionality for a "DELETE" request, you should configure the AttributesRule with the
following values:

1. Set the value of requestType to 'DELETE' to specify the request type as a "DELETE" request.
2. Set the value of PathName to 'autopath' to define the desired auto path to be applied for the "DELETE"
requests.

 Note

'DELETE' means that all line items in the request are marked as 'REMOVE'. The request is not split; it
follows the path for assign requests.

By assigning these values in the AttributesRule, the system recognizes and applies the specified auto path,
'autopath', whenever a "DELETE" request is created.

 Example

To apply 'roleapproveronly' to requests with reason '1' and priority '1', you should configure the
AttributesRule with the following values:

1. Set the value of reasonCode to '1' to specify the request reason as '1'.
2. Set the value of priority to '1' to specify the request priority as '1'.
3. Set the value of PathName to 'roleapproveronly' to define the desired path to be applied for requests
with reason '1' and priority '1'.

By assigning these values in the AttributesRule, the system recognizes and applies the specified path
'roleapproveronly' whenever a request with reason '1' and priority '1' is created.

 Note

The AttributesRule is designed to apply only to requests created from the UI and HR Trigger Event.
Requests created through API calls default to the RequestTypeRule and are not affected by the
AttributesRule.

11.1.1.3 Dynamic Risk Owner Determinator

To dynamically determine the current risk owner stage approver, a new approach introduces a dynamic risk
owner determinator. This determinator assigns the risk owner stage approver based on business rules that
evaluate both risk and user attributes when an access request is created.

Dynamic determination of the risk owner is an optional configuration for assigning owners to risk owner stages
in access requests. If no business rule service is defined for this purpose, the process for determining the
current risk owner for the stage remains unchanged.

When a business rule is configured and risk owners are determined using a decision table, these owners
become the approvers for the access request stage. However, if a business rule is configured but no risk owners
are determined via the decision table, the process for determining the current risk owner for the stage remains
unchanged.

 Note

The names of the Data Objects and Business Rule Services must be exactly as specified; other names may
be chosen freely. Attribute names are case-sensitive.

The approverId in the decision table must be a valid P-number or P-numbers associated with IAG users.
An invalid P-number or P-numbers will result in no risk owner being assigned to the stage, thus preventing
approval of the access request for that stage.

The approverId in the decision table can be defined either as a single user (e.g., 'P000000') or as multiple
users in string format separated by commas (e.g., 'P000000,P000001').

The dynamic risk owner determination relies on the following attributes:

Risk Attributes:

• riskId: Risk ID
• riskLevel: Risk Level
• riskBusinessProcess: Risk Business Process

User Attributes:

• department: Department
• company: Company
• userGroup: User Group
• jobCode: Job Code
• location: Location
• division: Division
• plant: Plant

Configuration of Business Rule Service

The business rule is defined within the IAGWorkflowBusinessRule project.

1. Data Objects
• Define a data object named RiskOwnerAttributes

Name Label Description Business Data Type

department Department Department String

company Company Company String

userGroup UserGroup User Group String

jobCode JobCode Job Code String

location Location Location String

division Division Division String

riskId RiskId Risk Id String

riskLevel RiskLevel Risk Level String

riskBusinessProcess RiskBusinessProcess Risk Business Process String

2. Data Objects
• Define a data object named RiskOwnerApprover

Name Label Description Business Data Type

approverId ApproverId Approver Id String

riskId RiskId Risk Id String

3. Rule Services
• Define a rule service named RiskOwnerDeterminator

Name Usage

RiskOwnerAttributes Input

RiskOwnerApprover Output

4. Rules
• Define a rule named RiskOwnerRule using a decision table. In this decision table:
• Use the data object RiskOwnerAttributes as condition expressions.
• Use the data object RiskOwnerApprover to define results.

Result Attributes Access Default Value

riskId Hidden riskId of the RiskOwnerAttributes

approverId Editable ‘’

5. Rulesets
• Define a rule set named RiskOwnerRuleSet and associate it with the rule service
RiskOwnerDeterminator.
• Include the rule RiskOwnerRule in the rule set.
6. Activate all business rule definitions and deploy the business rule service. You are then ready to proceed.
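The following Python script is an added example written for this guide, not SAP's Business Rules engine or any IAG code. It simulates the RiskOwnerDeterminator behaviour described above: a first-match decision table over the RiskOwnerAttributes fields returns an approverId cell holding one P-number or several separated by commas; a hit makes those users the stage approvers; no hit leaves the standard risk owner determination in place; an invalid or unknown P-number leaves the stage with no approver. The user directory, the table rows and the P-number format (P followed by six digits, generalised from the 'P000000' example above) are constructed assumptions. The validate_decision_table check is the pre-deployment test a practitioner would want, because a misconfigured row silently blocks approval of every request that hits it.

```python
"""Simulation of the dynamic risk owner determination (added example).

Not SAP code: it models the behaviour the admin guide describes for the
RiskOwnerDeterminator rule service and its RiskOwnerRule decision table.
"""
import re

# Assumed P-number format, generalised from the guide's 'P000000' example.
P_NUMBER = re.compile(r"^P\d{6}$")

# Constructed stand-in for the IAG user directory: P-number -> user name.
IAG_USERS = {"P000100": "riskowner.finance", "P000101": "riskowner.sales"}

# Constructed RiskOwnerRule rows: (conditions on RiskOwnerAttributes, approverId).
# Columns not listed in a row match any value; the hit policy is 'First Match'.
RISK_OWNER_RULE = [
    ({"riskLevel": "HIGH", "company": "ACME"}, "P000100,P000101"),
    ({"riskBusinessProcess": "FINANCE"},       "P000100"),
    ({"riskId": "RISK-0042"},                  "P999999"),  # misconfigured: unknown user
]


def evaluate_risk_owner_rule(attributes):
    """Return the approverId cell of the first matching row, or None on no hit."""
    for conditions, approver_id in RISK_OWNER_RULE:
        if all(attributes.get(name) == value for name, value in conditions.items()):
            return approver_id
    return None


def split_approver_ids(cell):
    """Split the comma-separated approverId cell into individual P-numbers."""
    return [p.strip() for p in cell.split(",") if p.strip()]


def invalid_p_numbers(p_numbers):
    """P-numbers that are malformed or not associated with an IAG user."""
    return [p for p in p_numbers if not P_NUMBER.match(p) or p not in IAG_USERS]


def determine_stage_approvers(attributes):
    """Approvers for the risk owner stage of one access request.

    Returns a list of P-numbers on a valid hit, [] when the hit names an
    invalid P-number (the stage then has no approver and cannot be approved),
    and None when no row matches, meaning the standard determination applies.
    """
    cell = evaluate_risk_owner_rule(attributes)
    if cell is None or not cell.strip():
        return None
    approvers = split_approver_ids(cell)
    if invalid_p_numbers(approvers):
        return []
    return approvers


def validate_decision_table():
    """Pre-deployment check: (row index, bad P-numbers) for every row whose
    approverId would leave a stage unapprovable."""
    problems = []
    for index, (_, cell) in enumerate(RISK_OWNER_RULE):
        bad = invalid_p_numbers(split_approver_ids(cell))
        if bad:
            problems.append((index, bad))
    return problems


if __name__ == "__main__":
    high_risk = {"riskId": "RISK-0001", "riskLevel": "HIGH", "company": "ACME",
                 "riskBusinessProcess": "SALES"}
    print(determine_stage_approvers(high_risk))   # ['P000100', 'P000101']
    print(validate_decision_table())              # [(2, ['P999999'])]
```

Run validate_decision_table() against the real user list whenever the decision table changes; a non-empty result means at least one row would leave the risk owner stage without an approver.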

11.1.2 Configuring Notification E-Mail Server

 Note

SAP Cloud Identity Access Governance supports only SMTP servers on the cloud. It is recommended that you
apply the Cloud Platform Integration (CPI) approach if your SMTP server is not a standard on-cloud product,
such as Outlook 365 on Azure cloud. Refer to 3304849.

The new Cloud Connector scenario:

1. Configure Cloud Connector
Create a Cloud Connector connection to the SMTP server with the following parameters:
• Protocol: TCP
• Back-End Type: Non-SAP System
• Resources: None
2. Get the email host certificate and put it in the destination parameter:
• Run the following command to get the SMTP server certificate:
openssl s_client -connect <mail host:25> -starttls smtp
• Convert the certificate to Base64
3. Destination change
• Use the following values to create the destination bpmworkflowruntime_mail.
• Set the parameter values shown in << >> after the destination is created.

Values for Creating Destination

Name=bpmworkflowruntime_mail

mail.mode=CloudConnector

Type=MAIL

ProxyType=Internet

mail.transport.protocol=smtp

mail.bpm.send.disabled=false

mail.smtp.ssl.checkserveridentity=true

mail.smtp.from=<< from email address >>

mail.server_cert=<< Base64 cert. from openssl s_client -connect <mail host:25> -starttls smtp>>

mail.smtp.starttls.enable=true

mail.smtp.starttls.required=true

mail.user=<< email host user >>

mail.password=<< email host user pw>>

mail.description=Workflow Service Mail Destination

mail.smtp.host=<<Cloud Connector Virtual Host>>

mail.smtp.port= <<Cloud Connector Virtual Port >>

mail.smtp.auth=true

Authentication=BasicAuthentication
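The certificate step above (run openssl s_client, then convert the certificate to Base64 for mail.server_cert) is easy to get wrong by pasting the PEM headers or line breaks into the destination. The following Python helper is an added example, not part of the guide or of any SAP tool: it takes captured s_client output, extracts the first PEM certificate block (what s_client prints without -showcerts), and produces one Base64 line, then checks that the value decodes to DER starting with an ASN.1 SEQUENCE. Two assumptions are labelled in the code: that the destination expects the PEM body as a single Base64 line, and the sample s_client output, whose "certificate" is a tiny constructed DER SEQUENCE rather than a real certificate so the check runs offline.

```python
"""Prepare the mail.server_cert value from openssl s_client output (added example).

Assumption: the destination expects the certificate as a single line of
Base64, i.e. the PEM body without BEGIN/END lines or line breaks.
"""
import base64
import re

# The first PEM block in s_client output is the server (leaf) certificate.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Constructed, abridged s_client-style output. The PEM body is a 5-byte DER
# SEQUENCE (not a real certificate) so that the structural check works offline.
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = mail.example.test
   i:CN = Example Test CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MAMC
AQE=
-----END CERTIFICATE-----
subject=CN = mail.example.test
issuer=CN = Example Test CA
---
"""


def extract_pem(s_client_output):
    """Return the first PEM CERTIFICATE block from s_client output, or None."""
    match = PEM_BLOCK.search(s_client_output)
    return match.group(0) if match else None


def pem_to_single_line_base64(pem):
    """Strip the BEGIN/END lines and all whitespace, leaving one Base64 line."""
    match = PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("input does not contain a PEM CERTIFICATE block")
    return re.sub(r"\s+", "", match.group(1))


def looks_like_der_certificate(b64):
    """Sanity check before pasting into the destination: strict Base64 that
    decodes to DER whose first byte is an ASN.1 SEQUENCE tag (0x30)."""
    try:
        der = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(der) > 0 and der[0] == 0x30


def server_cert_value(s_client_output):
    """End-to-end: s_client output -> validated single-line Base64, or None."""
    pem = extract_pem(s_client_output)
    if pem is None:
        return None
    value = pem_to_single_line_base64(pem)
    return value if looks_like_der_certificate(value) else None


if __name__ == "__main__":
    print(server_cert_value(SAMPLE_S_CLIENT_OUTPUT))  # MAMCAQE=
```

Replace SAMPLE_S_CLIENT_OUTPUT with the real output captured from the openssl command above; with mail.smtp.ssl.checkserveridentity=true and mail.smtp.starttls.required=true in the destination, a wrong or stale certificate value shows up as a TLS failure when the workflow service sends its first mail.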

Parent topic: Setting Up Workflow Service [page 52]

Previous: Delivered Workflow Templates [page 52]

Next: Setting Up Business Rules for Workflow [page 60]

11.1.3 Setting Up Business Rules for Workflow

The access request service integrates with SAP Cloud Platform Business Rules Service. You use the SAP Cloud
Platform Business Rules service to define the stages, path, and other workflow rules used by access request
service to move request items through the stages of an access request.

1. Prerequisites [page 61]
2. Introduction [page 61]
3. Process Overview [page 62]
4. Creating a Project [page 63]
5. Modeling Data Objects [page 63]
6. Modeling a Rule Service [page 67]
7. Modeling Rules [page 69]
8. Defining Rulesets [page 71]
9. Deploying a Rule Service [page 72]

Parent topic: Setting Up Workflow Service [page 52]

Previous: Configuring Notification E-Mail Server [page 25]

11.1.3.1 Prerequisites

SAP Cloud Identity Access Governance offers pre-delivered business rules. To access these rules, create a
support ticket. To do so, select the component GRC-IAG.

If, however, you wish to create or edit your own objects, follow the steps described below:

Procedure

1. Log in to the SAP Identity Access Governance launchpad.
2. Open the Configuration app.
3. On the Configuration Type screen, navigate to Business Rule and choose Launch on the bottom right.
4. The Manage Projects screen is displayed.

Parent topic: Setting Up Business Rules for Workflow [page 60]

Next: Introduction [page 61]

11.1.3.2 Introduction

The SAP Cloud Identity Access Governance access request service integrates with SAP Cloud Platform
Workflow Service and SAP Cloud Platform Business Rules Service.

You use the SAP Cloud Platform Business Rules service to define the path and other workflow rules used by
access request service to move request items through the stages of an access request.

No configuration is required for the workflow.

Parent topic: Setting Up Business Rules for Workflow [page 60]

Previous: Prerequisites [page 61]

Next: Process Overview [page 62]

11.1.3.2.1 Concepts

SAP Cloud Platform Business Rules uses the following concepts:

• Project: A container that holds business rule entities such as, data objects, rules, rulesets, and rule
services.
• Data objects: Describe the data and serve as data carriers for the context or the result of an expression.
• Rule: It is the technical representation of a simple business rule to be applied to a particular business case.
It defines a business logic that, once evaluated against live data, leads to a decision. A decision table is a
tabular representation of related rules.
• Ruleset: A collection of rules to be processed in a particular business case. It serves as an entry point for
rule processing, and links a rule service to a collection of rules.
• Rule service: An interface or end point that enables an application to invoke a decision logic.

11.1.3.3 Process Overview

To model and deploy SAP Cloud Platform Business Rules:

1. Create a project
2. Add data objects with attributes that represent your application context.
3. Model rule services to perform operations.
4. Model your business logic using business rules. Define the condition constraints and the results to be
returned for different business logic.
5. Configure the ruleset by grouping the related rules together and assigning them to a rule service.

Parent topic: Setting Up Business Rules for Workflow [page 60]

Previous: Introduction [page 61]

Next: Creating a Project [page 63]

11.1.3.4 Creating a Project

1. Go to the Business Rule Editor.
2. On the Manage Projects screen, add the project as follows:
Project Name: IAGWorkflowBusinessRule
Description: IAG Workflow Business Rule
3. Save.

For more information, see SAP Cloud Platform Business Rules - Creating Projects.

Parent topic: Setting Up Business Rules for Workflow [page 60]

Previous: Process Overview [page 62]

Next: Modeling Data Objects [page 63]

11.1.3.5 Modeling Data Objects

1. On the Manage Projects screen, select the IAGWorkflowBusinessRule project.
2. On the following screen, select the Data Objects tab and create data objects per the table below.

Data Objects

Name Description Type

Request Request Structure

RequestUser Request User Structure

RequestAccess Request Access Structure

WorkflowPath Workflow Path Structure

WorkflowApprover Workflow Approver Structure

RequestAttributes Attributes of access request Structure

 Note

For each data object, you must add attributes, associations, and mappings per the respective tables.

For instructions on how to navigate the screen, see SAP Cloud Platform Business Rules - Modeling Data Objects.

Parent topic: Setting Up Business Rules for Workflow [page 60]

Previous: Creating a Project [page 63]

Next: Modeling a Rule Service [page 67]

11.1.3.5.1 Data Object: Request

Type: Structure

Attributes

Name Description Business Data Type

createdBy Created By String

workflowstage Workflow Stage String

priority Priority String

requestNumber Request Number String

requestType Request Type String

Associations

Name Description Target Data Object Association Mappings: Source Attribute Association Mappings: Target Attribute

RequestedAccess RequestedAccess RequestAccess requestNumber requestNumber

RequestedUser RequestedUser RequestUser requestNumber requestNumber

Mappings

Target Runtime Target Runtime Variant

Java Cloud

11.1.3.5.2 Data Object: RequestUser

Type: Structure

For this data object, there are no Associations.

Attributes

Name Description Business Data Type

managerId Manager ID String

department Department String

requestNumber Request Number String

company Company String

position Position String

location Location String

Mappings

Target Runtime Target Runtime Variant

Java Cloud

11.1.3.5.3 Data Object: RequestAccess

Type: Structure

For this data object, there are no Associations.

Attributes

Name Description Business Data Type

accessType Access Type String

action Action String

system System String

requestNumber Request Number String

Mappings

Target Runtime Target Runtime Variant

Java Cloud

11.1.3.5.4 Data Object: RequestAttributes

Type: Structure

For this data object, there are no Associations.

Attributes

Name Description Business Data Type

priority Priority of Access Request String

reasonCode Reason of Access Request String

requestType Request Type String

createdBy Created By String

position Position of Requestor String

company Company of Requestor String

managerId Manager of Requestor String

division Division of Requestor String

department Department of Requestor String

costCenter Cost Center of Requestor String

Mappings

Target Runtime Target Runtime Variant

Java Cloud

11.1.3.5.5 Data Object: WorkflowPath

Type: Structure

For this data object, there are no Associations.

Attributes

Name Description Business Data Type

PathName Path Name String

Mappings

Target Runtime Target Runtime Variant

Java Cloud

11.1.3.5.6 Data Object: WorkflowApprover

Type: Structure

For this data object, there are no Associations.

Attributes

Name Description Business Data Type

ApproverID Approver ID String

Mappings

Target Runtime Target Runtime Variant

Java Cloud

11.1.3.6 Modeling a Rule Service

1. On the Manage Projects screen, select the IAGWorkflowBusinessRule project.
2. On the following screen, select the Rule Services tab and create rule services per the table below.

Rule Services

Name Description

WorkflowApprover Workflow Approver

IAGWorkflowAccessRequestInitiator IAG Workflow Access Request Initiator

 Note

For each rule service, you must add Execution Contexts and Target Runtimes per the respective tables
below.

Rule Service: WorkflowApprover

Execution Context

Name Usage

Request Input

RequestUser Input

WorkflowApprover Result

Target Runtimes

Target Runtime Target Runtime Variant

Java Cloud

Rule Service: IAGWorkflowAccessRequestInitiator

Execution Context

Name Usage

Request Input

RequestUser Input

RequestAccess Input

WorkflowPath Result

RequestAttributes Input

Target Runtimes

Target Runtime Target Runtime Variant

Java Cloud

For instructions on how to navigate the screen, see Model a Rule Service.

Parent topic: Setting Up Business Rules for Workflow [page 60]

Previous: Modeling Data Objects [page 63]

Next: Modeling Rules [page 69]

11.1.3.7 Modeling Rules

1. On the Manage Projects screen, select the IAGWorkflowBusinessRule project.
2. On the following screen, select the Rules tab and create rules per the table below.

Rules

Name Description Type Hit Policy Result Data Object

RequestTypeRule Request Type Rule Decision Table First Match WorkflowPath

WorkflowApprover Workflow Approver Decision Table First Match WorkflowApprover

AttributesRule Attributes Rule Decision Table First Match WorkflowPath

 Note

After AttributesRule is defined, it should be added to PathRuleset.

3. Click Validate to check whether the rule modeled is valid.
4. To activate the rule, after saving, click Edit > Activate.

 Note

For each rule, you must add a Decision Table per the information in the topic: Decision Tables [page 70].

For more detailed instructions on creating decision tables and on the Rule Expression Language, we
recommend reading SAP Cloud Platform Business Rules - Modeling Rules.

Parent topic: Setting Up Business Rules for Workflow [page 60]

Previous: Modeling a Rule Service [page 67]

Next: Defining Rulesets [page 71]

11.1.3.7.1 Configuring Workflow Templates

The access request service is delivered with the following workflow templates. You can use them to choose
which roles are required to approve an access request before it is provisioned.

To select the workflow used by the business rule service:

1. In your project, select the Rules tab, and edit the rule: RequestTypeRule.
2. For the decision table, change the PathName to one of the workflow templates.
3. In your project, select the Rules tab, and edit the rule: AttributesRule.
4. For the decision table, change the PathName to one of the workflow templates.

Delivered Workflow Templates

Workflow Template (PathName) Behavior

'mangerrolesecuritypath' The access request goes to the following roles for approval before it is provisioned:
• manager
• role owner
• security owner

'accessrequestmangersecuritywf' The access request goes to the following roles for approval before it is
provisioned:
• manager
• security owner

SECURITY' The access request goes only to the manager for approval before it is provisioned.

'autopath' The access request goes to an automated approval process and proceeds directly to provisioning
without any additional manual approval steps.

11.1.3.7.2 Decision Tables

For each rule, you must add a Decision Table per the respective tables below.

Rule: RequestTypeRule

Decision Table

If Then

requestType of the Request is equal to PathName

'CHANGE' 'mangerrolesecuritypath'

Rule: WorkflowApprover

Decision Table

If Then

workflowstage of the Request is equal to ApproverID

'MANAGER' managerID of the RequestedUser of a Request

Rule: AttributesRule

Decision Table

If Then

Condition expressions (one column each, fixed operator "is like"):
• reasonCode of the RequestAttributes is like
• priority of the RequestAttributes is like
• createdBy of the RequestAttributes is like
• requestType of the RequestAttributes is like
• costCenter of the RequestAttributes is like
• position of the RequestAttributes is like
• company of the RequestAttributes is like
• department of the RequestAttributes is like
• division of the RequestAttributes is like
• managerId of the RequestAttributes is like

Result: PathName

 Note

The Fixed Operator of each Condition Expression in the decision table should be "is like". The value of a
field can be set to '%' to match any value.
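To make the hit policy, the "is like" operator and the AttributesRule/RequestTypeRule fallback concrete, here is an added Python simulation of the initiator path determination. It serves both the two examples in Workflow Configuration for Initiator (the 'DELETE' to 'autopath' and the reason '1' / priority '1' to 'roleapproveronly' configurations) and the decision tables in this section. It is example code written for this guide, not SAP's Business Rules engine; the decision table rows are constructed from those two examples plus the RequestTypeRule row above, the origin labels 'UI', 'HR_TRIGGER' and 'API' are hypothetical names for the request sources the note in that section distinguishes, and the matching semantics of "is like" beyond the '%' wildcard (literal, case-sensitive) are an assumption.

```python
"""Simulation of the IAGWorkflowAccessRequestInitiator path determination (added example).

Not SAP code: it models what the guide states, namely 'First Match' decision
tables, the 'is like' operator with '%' as wildcard, RequestTypeRule as the
fallback for AttributesRule, and API-created requests skipping AttributesRule.
"""
import re

WILDCARD = "%"


def is_like(value, pattern):
    """Emulate the 'is like' fixed operator: '%' matches any run of characters.
    Everything else is matched literally and case-sensitively (assumption)."""
    parts = [re.escape(part) for part in pattern.split(WILDCARD)]
    return re.fullmatch(".*".join(parts), value or "") is not None


def first_match(decision_table, context):
    """Evaluate a decision table with hit policy 'First Match'.

    decision_table is a list of (conditions, result) rows; conditions maps an
    attribute name to an 'is like' pattern. A column omitted from a row (or set
    to '%') matches any value, as the note above describes. Returns the result
    of the first row whose conditions all hold, or None.
    """
    for conditions, result in decision_table:
        if all(is_like(str(context.get(attr, "")), pattern)
               for attr, pattern in conditions.items()):
            return dict(result)
    return None


# Constructed decision tables, built from the examples in this guide.
ATTRIBUTES_RULE = [                                   # conditions on RequestAttributes
    ({"requestType": "DELETE"},            {"PathName": "autopath"}),
    ({"reasonCode": "1", "priority": "1"}, {"PathName": "roleapproveronly"}),
]
REQUEST_TYPE_RULE = [                                 # conditions on Request
    ({"requestType": "CHANGE"}, {"PathName": "mangerrolesecuritypath"}),
]


def determine_path(request_attributes, origin="UI"):
    """Return the PathName for a request, or None when no rule matches.

    origin is one of the hypothetical labels 'UI', 'HR_TRIGGER' or 'API';
    AttributesRule is evaluated only for the first two, mirroring the note
    that API-created requests default to RequestTypeRule.
    """
    if origin in ("UI", "HR_TRIGGER"):
        hit = first_match(ATTRIBUTES_RULE, request_attributes)
        if hit is not None:
            return hit["PathName"]
    hit = first_match(REQUEST_TYPE_RULE, request_attributes)   # fallback
    return hit["PathName"] if hit is not None else None


def unrouted_for_api(request_types):
    """Configuration check: request types that an API-created request could carry
    but that RequestTypeRule does not route, so they would end up without a path."""
    return [rt for rt in request_types
            if first_match(REQUEST_TYPE_RULE, {"requestType": rt}) is None]


if __name__ == "__main__":
    delete_req = {"requestType": "DELETE", "reasonCode": "3", "priority": "2"}
    urgent_change = {"requestType": "CHANGE", "reasonCode": "1", "priority": "1"}
    other_change = {"requestType": "CHANGE", "reasonCode": "2", "priority": "1"}
    print(determine_path(delete_req))                # autopath
    print(determine_path(urgent_change))             # roleapproveronly
    print(determine_path(other_change))              # mangerrolesecuritypath
    print(determine_path(delete_req, origin="API"))  # None
    print(unrouted_for_api(["CHANGE", "DELETE"]))    # ['DELETE']
```

The last two calls show the caveat from the note on AttributesRule: a 'DELETE' request created through the API is never routed to 'autopath', and with a RequestTypeRule that only covers 'CHANGE' it gets no path at all, so RequestTypeRule should carry a row for every request type the API can produce.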

11.1.3.8 Defining Rulesets

1. On the Manage Projects screen, select the IAGWorkflowBusinessRule project.
2. On the following screen, select the Rulesets tab and create rulesets per the table below.

Rulesets

Name Description Rule Service Rule

ApproverRuleset Approver Rule Set WorkflowApprover WorkflowApprover

PathRuleset Path Rule Set IAGWorkflowAccessRequestInitiator RequestTypeRule

PathRuleset Path Rule Set IAGWorkflowAccessRequestInitiator AttributesRule

3. Click Validate to check whether the rule set is valid.
4. To activate the rule set, after saving, click Edit > Activate.

For instructions on navigating the screen and creating the rulesets, see Ruleset.

Parent topic: Setting Up Business Rules for Workflow [page 60]

Previous: Modeling Rules [page 69]

Next: Deploying a Rule Service [page 72]

11.1.3.9 Deploying a Rule Service

1. On the Manage Projects screen, select the IAGWorkflowBusinessRule project.
2. On the following screen, choose the Rule Service tab.
3. Select the following rule services and click Deploy.
• WorkflowApprover
• IAGWorkflowAccessRequestInitiator

For more information, see SAP Cloud Platform Business Rules - Deploying a Rule Service.

Parent topic: Setting Up Business Rules for Workflow [page 60]

Previous: Defining Rulesets [page 71]

12 Additional Services for Privileged Access Management Service

The Privileged Access Management service includes the following fixed out-of-the-box workflow templates.

Workflow Templates for PAM Access Request and PAM Review Logs

Workflow Template Procedure

Manager – Role Owner – Security The PAM access request goes to the following roles for approval before it
is provisioned:
• manager
• role owner
• security

Manager – Security The PAM access request goes to the following roles for approval before it is
provisioned:
• manager
• security

Manager only The PAM access request goes only to the manager for approval before it is provisioned.

Security only The PAM access request goes only to security for approval before it is provisioned.

Role Owner – Security The PAM access request goes to the following roles for approval before it is
provisioned:
• role owner
• security

 Note
PAM Review Request process supports only the workflow template for privilegeaccessreview.

Role Owner – Manager The PAM access request goes to the following roles for approval before it is
provisioned:
• role owner
• manager

Role Owner only The PAM access request goes only to the role owner for approval before it is provisioned.

Email Notification Templates

Access Request for Privileged Access Management

The PAM access request service delivers out-of-the-box notification emails. Users are notified for both
scenarios: self-service request and create request for others.

These templates are applicable for all connector types.

Notifications are sent for the following scenarios:

Notify the requestor that the access request has been submitted for approval

Notify approvers that an access request is waiting for approval

Notify the requestor that the access request has been rejected

Notify the requestor that the access request has been approved

13 Integration Scenarios

You can connect the SAP Cloud Identity Access Governance solution to cloud products and on-premise
systems that are listed on the left side.

13.1 Overview

The SAP Cloud Identity Access Governance solution offers multiple core services that help streamline identity
and access management. You can use individual services independently or combine them with others. With
this product, you can also integrate cloud applications that belong to SAP and its partners. In addition,
customers whose primary system is SAP Access Control 12.0 can use the Cloud Bridge scenario to access
the same services or applications in the cloud environment. This is a multi-tenant product built on top of SAP
Business Technology Platform (SAP BTP) and SAP’s proprietary HANA database.

SAP Cloud Identity Access Governance is available as a cloud bundle solution. It includes two other services –
Identity Provisioning and Identity Authentication that are essential for successfully configuring the product.

Identity Authentication service

To manage access to applications belonging to SAP Cloud Identity Access Governance, it is important to
authenticate users. The Identity Authentication service simplifies the access as you can choose from various
authentication mechanisms, single sign-on, on-premise integration, and self-service options. For more details,
see What is Identity Authentication?

You also need this service when configuring the cloud scenario for your on-premise product - SAP Access
Control 12.0. Refer to IAG Bridge Cloud: SAP AC 12.0 (on-premise), SAP Cloud Identity Access Governance, and
Cloud Applications.

Identity Provisioning service

You use this service to provision users and groups for connecting various target cloud applications to SAP
Cloud Identity Access Governance.

For more information, see Connecting Identity Provisioning Tenant [page 20].

 Note

To identify which integration scenarios require an Identity Provisioning tenant, refer to the individual
scenarios listed in the menu on the left.

Cloud Connector

To connect to on-premise applications /ABAP systems, you require cloud connectors.

For more information, refer to Cloud Connector.

13.2 HR Driven Identity Lifecycle Management

You can integrate the SAP Cloud Identity Access Governance solution with your HR systems. This enables
changes in employee status (HR triggers) in the HR system to initiate access requests. The access request
service converts the HR triggers to change requests, which are then provisioned to target applications. For
details on termination of users, refer to Event Trigger API.

SAP Cloud Identity Access Governance supports the following two HR-driven events:

• SAP SuccessFactors Process Overview - Integration with SAP SuccessFactors [page 76]
• Integration of SAP Master Data Integration Service (MDI) and Identity Provisioning

13.2.1 Process Overview - Integration with SAP SuccessFactors

There are three overall steps to enable HR trigger integration between SAP SuccessFactors and the SAP Cloud
Identity Access Governance solution and its services:

1. In the SAP Business Technology Platform (SAP BTP), set up one destination to connect to the SAP
SuccessFactors tenant.
2. Use the SAP Business Rules Service to define the rules for converting user changes from SAP
SuccessFactors to access requests.
3. Run the Job Scheduler for the HR Trigger job and to sync user data for SAP SuccessFactors.

13.2.1.1 Prerequisites

You have the following:

• An administrator account for the tenant on SAP BTP (Identity Authentication)
• An authenticated user for the SAP SuccessFactors system for the Company ID
• The SAP SuccessFactors API EmpJob needs to have the userNav personKeyNav userAccountNav user
data model relation enabled.
• Enter the authenticated user (technical user) for the SAP SuccessFactors system followed by the Company
ID, such as <UserID@CompanyID>. Refer to SAP Note 2937881.
• An administrator account for target applications, for example SAP S/4HANA Cloud
• An administrator account for Identity Provisioning
• For user authentication in SAP S/4HANA CE target applications, user replication to Identity Authentication
must be taken into account.

For configuring related events in SAP SuccessFactors Employee Central such as the ones listed below, refer to
the corresponding links:

Concurrent Employment:

New Hire, Concurrent Hire, Job Change, Termination, Retirement, Rehire. For more information, see:
Configuring Events

Global Assignment:

• Home Assignment: Away from global assignment, Back from global assignment
• Global Assignment: Add global assignment, End global assignment, Obsolete global assignment
For more information, see: Creating Events Reasons for Global Assignments

Contingent Worker:

Start contingent worker, End contingent worker. For more information, see: Configuring ECWK and SCWK for
Contingent Workers

13.2.1.2 Set Up Destinations

Connection to SuccessFactors Source System [SuccessFactorsEC]

You must enter the destination names exactly as described. If you have already created the destination with the
name SuccessFactorsEC, then you do not require a new one. If not, then you must create a destination and use
the name SuccessFactorsEC. Refer to Create Destinations [page 173].

13.2.1.3 Add SAP SuccessFactors Application

Log into the launchpad for SAP Cloud Identity Access Governance and create an instance for SAP
SuccessFactors in the Applications app.

 Note

You can ignore these steps, if you have already created this instance.

1. Log into the launchpad and open the Applications app.
2. Enter Name and Description, and for Application Type select SAP SuccessFactors.
3. In the SCP Destination field, enter the name of the SuccessFactors Source System defined in the SAP
BTP tenant Destination, for example SuccessFactorsEC.
4. Save.

13.2.1.4 Set Up Business Rules

SAP Cloud Identity Access Governance offers pre-delivered business rules. To access these rules, create a
support ticket. To do so, select the component GRC-IAG.

If, however, you wish to edit your own objects, follow the steps described below:

Procedure

1. Log in to the SAP Cloud Identity Access Governance launchpad.
2. Open the Configuration app.
3. On the Configuration Type screen, navigate to Business Rule and choose Launch on the bottom right.
4. The Manage Projects screen is displayed.

1. Process Overview [page 79]
2. Edit a Project [page 79]
3. Create Data Objects [page 80]
4. Create a Rule Service [page 83]
5. Create Rules [page 83]
6. Deploy the Rule Service [page 88]

13.2.1.4.1 Process Overview

To model and deploy SAP Cloud Platform Business Rules:

1. Create a project
2. Add data objects with attributes that represent your application context.
3. Model rule services to perform operations.
4. Model your business logic using business rules. Define the condition constraints and the results to be
returned for different business logic.
5. Configure the ruleset by grouping the related rules together and assigning them to a rule service.

Parent topic: Set Up Business Rules [page 78]

Next: Edit a Project [page 79]

13.2.1.4.2 Edit a Project

Maintain the project named IAGSFHRFieldChanges only if you wish to make changes. The project is the
overall container for the related business rules and data objects.

 Note

Make sure the name is exact.

Activate the project.

Parent topic: Set Up Business Rules [page 78]

Previous: Process Overview [page 79]

Next: Create Data Objects [page 80]

13.2.1.4.3 Create Data Objects

Data objects define the input and output structures for the rule.

In the IAGSFHRFieldChanges project, go to the Data Objects tab, and create the following data objects:

• UserHRFields for the input fields. This is the data coming from SuccessFactors.
• Access for the output fields. This is the data for the access requests.

 Note

You define the data objects as input or output in the Create Rule Service [page 83] step. Data objects and
attributes are case-sensitive.

Create them as type Structure and set them as Active.

Add Attributes for UserHRFields Data Object

Open the UserHRFields data object and add attributes for the data coming from SuccessFactors.

List of Attributes for UserHRFields Data Object

Name            Description     Business Data Type
userId          User ID         String
businessUnit    Business Unit   String
company         Company         String
department      Department      String
division        Division        String
jobCode         Job code        String
position        Position        String
status          Status          String
event           Event           String
startDate       Start Date      String
endDate         End Date        String
location        Location        String
costCenter      Cost Center     String
managerId       Manager ID      String

Add Attributes for Access Data Object

Open the Access data object and add attributes for the data to be used in creating access requests.

List of Attributes for Access Data Object

Name     Description          Business Data Type
system   Application system   String
name     Access name          String
type     Type                 String

Parent topic: Set Up Business Rules [page 78]

Previous: Edit a Project [page 79]

Next: Create a Rule Service [page 83]

13.2.1.4.4 Create a Rule Service

1. From the IAGSFHRFieldChanges project, click Rule Service, and create the IAGRequestAccessData rule
service.
2. Under the Vocabulary section, add two vocabulary objects. From the dropdown, select the data objects you
defined earlier, and select the Usage.
For the UserHRFields data object, select Input usage.
For the Access data object, select Result usage.

Parent topic: Set Up Business Rules [page 78]

Previous: Create Data Objects [page 80]

Next: Create Rules [page 83]

13.2.1.4.5 Create Rules

In Rules, you create a decision table based on input and the desired results. You can create multiple rules, as
suits your needs.

1. From the IAGSFHRFieldChanges project, click Rules, and then create a new rule.

2. Make sure for Type, you select Decision Table, and for Mode you select Advanced.
3. Click Create. The New Rule screen is displayed. At the bottom of the screen click Start building the table in
Settings to start building your decision table.

Building the Decision Table

The decision table is the core of the access request rule. Here you define the conditions and results that take
the user change information from SuccessFactors and convert them into access requests and provisioning
actions.

This is an explanation of how the information on the Decision Table Settings screen relates to the decision table
itself.

• The Condition Expressions are the "If" columns in the decision table. You can enter multiple condition
expressions; on the settings screen they are listed as rows, and each one becomes an If column in the table.

 Note

You cannot enter values for the conditions in the Decision Table Settings screen; you can enter values in
the next step in the decision table itself.

• The Result settings are the "Then" columns in the decision table.

 Note

You can enter values for results in the Decision Table Settings screen. You can also edit them in the
decision table itself.

1. In the Decision Table Settings, configure the conditions that determine which data is pulled in.

• Hit Policy determines which matching rows return a result: with First Match only the first row whose
conditions hold is returned; with All Match every matching row is returned.
• Condition Expressions is where you define the input data relevant for the request. The attributes in the
dropdown list are pulled from the UserHRFields data object.
• Result is where you define the output values. Click the dropdown list and select the Access data object.
The following access types are available:
• TR - Technical Role
• BR - Business Role
• CR - Composite Role
• GP - Group
• SYS - Application

 Note

The Default Value field is optional and can be left blank.

2. Click Apply. The New Rule screen and the new decision table are displayed.
3. To define the values for the decision table, click Add Row.

In the If column, enter the values for the conditions.

 Note

These values must match the values in the SuccessFactors tenant exactly (for example, a business unit
code such as ACE_US). A value that does not match produces no hit and therefore no request.

For example, a row with businessUnit ACE_US in the If column and System123 in the Then column creates
an access request for System123 whenever a user change with that business unit arrives.

 Note

Ensure the data and fields match the data and fields in the SuccessFactors tenant.

4. Click Save and Activate.

Set Up Rulesets

The final step for setting up a rule is to configure and activate the ruleset. Rulesets enable you to group
multiple rules in one collection. Even if you have only one rule, you still need to add it to a ruleset and
activate it.

1. On the IAGSFHRFieldChanges project page, click Rulesets, and then click the plus sign to add a new
ruleset.
2. On the New Ruleset screen, click the Rule Service dropdown list, and select IAGRequestAccessData.
3. In the Rules section, click the plus sign to select from the rules you defined.
4. Save and activate the ruleset.
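To make the decision table concrete, here is an added Python example; it is not code from the guide or from SAP Business Rules. It evaluates a table of the shape described above: each row's If conditions are exact string matches on UserHRFields attributes, and each hit yields one Access result with the guide's system, name and type attributes. Only the "businessUnit ACE_US creates a request for System123" row comes from the guide, and the hit policy names First Match and All Match are those SAP Business Rules offers; the other rows, the HR records, the access name Z_FI_ANALYST and the IAS_TENANT system are constructed for illustration, and exact string comparison is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List

# Access types offered in the decision table's Result settings (from the guide).
ACCESS_TYPES = {"TR", "BR", "CR", "GP", "SYS"}


@dataclass(frozen=True)
class Access:
    """Result ('Then') side of a row: one access item to request."""
    system: str
    name: str
    type: str

    def __post_init__(self) -> None:
        if self.type not in ACCESS_TYPES:
            raise ValueError(f"unknown access type {self.type!r}")


@dataclass
class Row:
    """One decision-table row: 'If' conditions on UserHRFields -> 'Then' result.
    Conditions are exact string matches (assumption), keyed by attribute name."""
    conditions: Dict[str, str]
    result: Access


@dataclass
class DecisionTable:
    rows: List[Row]
    hit_policy: str = "All Match"   # SAP Business Rules also offers "First Match"

    def evaluate(self, hr_fields: Dict[str, str]) -> List[Access]:
        """Return the Access results of every row whose conditions all hold."""
        hits: List[Access] = []
        for row in self.rows:
            if all(hr_fields.get(attr) == value for attr, value in row.conditions.items()):
                hits.append(row.result)
                if self.hit_policy == "First Match":
                    break
        return hits


def build_sample_table(hit_policy: str = "All Match") -> DecisionTable:
    """Constructed rows. The first mirrors the guide's example (businessUnit
    ACE_US -> request for System123); the others are illustrative only."""
    return DecisionTable(
        rows=[
            Row({"businessUnit": "ACE_US"}, Access("System123", "System123", "SYS")),
            Row({"businessUnit": "ACE_US", "department": "Finance"},
                Access("System123", "Z_FI_ANALYST", "TR")),
            Row({"status": "t"}, Access("IAS_TENANT", "IAS_TENANT", "SYS")),
        ],
        hit_policy=hit_policy,
    )


def access_requests_for(hr_fields: Dict[str, str], hit_policy: str = "All Match") -> List[Access]:
    """Evaluate one UserHRFields record against the sample table."""
    return build_sample_table(hit_policy).evaluate(hr_fields)


if __name__ == "__main__":
    # Constructed UserHRFields record of the shape the SuccessFactors sync delivers.
    joiner = {"userId": "100042", "businessUnit": "ACE_US", "department": "Finance", "status": "a"}
    for hit in access_requests_for(joiner):
        print(hit)
    # A value that differs from the tenant's ("ace_us") matches nothing.
    print(access_requests_for({"userId": "100043", "businessUnit": "ace_us"}))
```

Under All Match the Finance joiner gets both the System123 account and the Z_FI_ANALYST role; under First Match only the account row fires, which is why the hit policy deserves a conscious choice rather than the default.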

Parent topic: Set Up Business Rules [page 78]

Previous: Create a Rule Service [page 83]

Next: Deploy the Rule Service [page 88]

13.2.1.4.6 Deploy the Rule Service

1. From the IAGSFHRFieldChanges project, click Rule Service.


2. Select the IAGRequestAccessData rule service and click Deploy.

For more information see, SAP Cloud Platform Business Rules - Deploying a Rule Service.

Parent topic: Set Up Business Rules [page 78]

Previous: Create Rules [page 83]

13.2.1.5 Synchronize Data Repository and Trigger Access Requests

Log into the SAP Cloud Identity Access Governance launchpad, open the Job Scheduler app, and run the
following jobs:

• Repository Sync to synchronize the user data, permission roles and permission groups from the SAP
SuccessFactors system.
1. In the Job Name field, enter a name for the job.
2. In the Job Category field, select Repository Sync.
3. In the Recurring Job field, select No.
4. In the Start Immediately field, select Yes.
5. In the Application Type field, select SAP SuccessFactors.
6. In the Application field, select the SAP SuccessFactors application you created in the Applications app.
7. Choose Schedule Job. The job status and log can be checked in the Job History app.

 Note

To schedule a Recurring Job for both the Repository Sync and HR Triggers, refer to the SAP
Note 2859618 for recommendation on the frequency of the jobs.

• HR Triggers to create access requests from the changes to employee records in the source system since the
job's last run, and then provision them to the target systems.
1. In the Job Name field, enter a name for the job.
2. In the Job Category field, select HR Triggers.
3. In the Recurring Job field, select No.
4. In the Start Immediately field, select Yes.
5. Choose Schedule Job. The job status and log can be checked in the Job History app.

When an employee in SAP SuccessFactors is terminated or retires, the HR Triggers job in SAP Cloud Identity
Access Governance captures the event and deprovisions the user's roles and accounts in the corresponding
systems. Schedule the HR Triggers job to run repeatedly so that such events are captured.

 Note

When you schedule the HR Triggers job for the first time, the last sync date is the date when your
tenant was onboarded or subscribed to SAP Cloud Identity Access Governance. All HR trigger events
between that last sync date and the time the job runs are extracted. For subsequent runs, the last
sync date is the date of the most recent job execution. The first run can therefore produce a large
backlog of requests; review its Job History log before scheduling the job to recur.

13.2.2 Process Overview - Integration with SAP Master Data Integration Service and Identity Provisioning

An HR trigger integration can also be carried out between SAP Master Data Integration Service/Identity
Provisioning and SAP Cloud Identity Access Governance.

13.2.2.1 Prerequisites

You have the following:

• An administrator account for the Identity Authentication tenant on SAP BTP
• An administrator account for Identity Provisioning
• An administrator account for SAP Master Data Integration service (MDI)
• Access to the SAP Business Rules Service, which is used to define the rules that convert user changes
from SAP SuccessFactors into access requests

13.2.2.2 Set Up Business Rules

Refer to Set Up Business Rules [page 78].

13.2.2.3 Set Up Services

Both source and target systems must be created in Identity Provisioning to use the SAP Cloud Identity Access
Governance solution.

Prerequisites

• Set up system for SAP SuccessFactors. Refer to Integrating SAP SuccessFactors Employee Central with
SAP Master Data Integration.
• Set up system for Identity Provisioning.

Setting up the Source System

To set up the source system, carry out the following steps:

1. Go to Identity Provisioning and navigate to the Source System app.


2. Choose Details and enter the values listed in the table below.

Details
Name               Value
Type               SAP Master Data Integration
System Name        <Name of source system>
Destination Name   (leave empty)
Description        <Description of source system>
3. In the Transformations section, enter the default values.
4. Under Properties, enter the following values. They are required for Identity Provisioning to connect to
MDI and are taken from the service key of the MDI service instance (its url, uaa.url, uaa.clientid and
uaa.clientsecret fields):

Properties
Name                        Value
Authentication              BasicAuthentication
ips.trace.identity.failed   true
OAuth2TokenServiceURL       uaa.url followed by /oauth/token
Password                    uaa.clientsecret
ProxyType                   Internet
Type                        HTTP
URL                         url
User                        uaa.clientid

Check that the token URL has exactly one slash between the host and oauth/token; a service key's uaa.url
normally has no trailing slash, so appending the literal "oauth/token" produces an invalid address. Treat
uaa.clientsecret as a credential and do not paste it into tickets or logs.

5. Under Jobs, choose Run Now or Schedule for the job type you need (Read Job or Resync Job).

Setting up the Target System

To set up the target system, carry out the following steps:

1. Go to Identity Provisioning and navigate to the Target System app.


2. Choose Details and enter the values listed in the table below.

Details
Name               Value
System Type        IAG Events
System Name        <target system name>
Destination Name   (leave empty)
Description        <Description of target system>

3. For the Source System, select the MDI source system created in the previous step.
4. In the Transformations section, enter the default values.
5. Under Properties, enter the following values (they are required for Identity Provisioning to connect to
the SAP Cloud Identity Access Governance target):

Properties
Name                        Value
Authentication              BasicAuthentication
ips.trace.identity.failed   <true|false>
OAuth2TokenServiceURL       <OAuth token endpoint of the service>
Password                    <password>
ProxyType                   Internet
Type                        HTTP
URL                         <service URL>
User                        <user name>

6. Under Jobs, choose Run Now or Schedule for the job type you need (Read Job or Resync Job).
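As an added illustration that is not part of the guide, the following Python derives the source-system property table above from an MDI service key and performs the checks a practitioner would want before pasting the values into Identity Provisioning. The service-key field names url, uaa.url, uaa.clientid and uaa.clientsecret are the ones the table references; the key contents and host names are constructed placeholders, and the property names are taken exactly as the guide lists them.

```python
import json
from urllib.parse import urlsplit

# Constructed SAP BTP service key in the shape a service binding provides.
# Host names, client ID and secret are placeholders, not a real tenant.
SAMPLE_SERVICE_KEY = json.dumps({
    "url": "https://mdi.example.invalid",
    "uaa": {
        "clientid": "sb-one-mds!b1234|one-mds-master!b56",
        "clientsecret": "REPLACE_ME",
        "url": "https://mytenant.authentication.example.invalid",   # no trailing slash
    },
})


def token_service_url(uaa_url: str) -> str:
    """uaa.url + 'oauth/token' with exactly one '/' between them.
    A bare concatenation of the two strings would yield '...invalidoauth/token'."""
    return uaa_url.rstrip("/") + "/oauth/token"


def ips_source_properties(service_key_json: str) -> dict:
    """Identity Provisioning property table for an MDI source system, as in the guide."""
    key = json.loads(service_key_json)
    uaa = key["uaa"]
    props = {
        "Authentication": "BasicAuthentication",
        "ips.trace.identity.failed": "true",
        "OAuth2TokenServiceURL": token_service_url(uaa["url"]),
        "Password": uaa["clientsecret"],
        "ProxyType": "Internet",
        "Type": "HTTP",
        "URL": key["url"],
        "User": uaa["clientid"],
    }
    # Both endpoints must be absolute https URLs; anything else is a copy/paste error.
    for name in ("OAuth2TokenServiceURL", "URL"):
        parts = urlsplit(props[name])
        if parts.scheme != "https" or not parts.netloc:
            raise ValueError(f"{name} must be an absolute https URL, got {props[name]!r}")
    return props


def redacted(props: dict) -> dict:
    """Copy that is safe to log or attach to a ticket: the client secret is masked."""
    return {k: ("********" if k == "Password" else v) for k, v in props.items()}


if __name__ == "__main__":
    for name, value in redacted(ips_source_properties(SAMPLE_SERVICE_KEY)).items():
        print(f"{name:26} {value}")
```

Print only the redacted form when documenting the setup; the unmasked dictionary is what you enter into the Properties screen.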

13.3 Identity Authentication (Deprecated)


This section describes how to connect Identity Authentication to the SAP Cloud Identity Access Governance
solution and its services using Identity Authentication API v1. This integration is deprecated; for new
setups, use Identity Authentication v2 [page 100]. SAP Cloud Identity Access Governance is a cloud-based
solution for creating self-service access requests for on-premise and cloud applications and systems. By
connecting to the solution, Identity Authentication users can initiate access requests, which are then
provisioned to target applications.

13.3.1 Process Overview

There are three overall steps to enable integration between the Identity Authentication system and the SAP
Cloud Identity Access Governance solution and its services:

1. In the cockpit for the SAP Business Technology Platform (SAP BTP), set up destination for the Identity
Authentication system.
2. In the SAP Cloud Identity Access Governance launchpad, use the Applications app to create an instance for
the Identity Authentication system.

3. In the SAP Cloud Identity Access Governance launchpad, use the Job Scheduler app to sync user data and
provision access requests.

13.3.1.1 Create Proxy System

Prerequisite

To register an OAuth client for Identity Provisioning, refer to Connecting Identity Provisioning Tenant [page 20].

Create a proxy system so that SAP Cloud Identity Access Governance can reach the Identity Authentication
tenant through Identity Provisioning.

1. Log into the SAP BTP cockpit and open your Identity Provisioning launchpad.
2. Add a proxy system for Identity Authentication, with Type set to Identity Authentication, and select Save.
The service generates a URL for the proxy system. The external ID is included in the URL.

 Note

Copy the external application ID; you need it to set up the Identity Authentication instance in the
Applications app in the section Add Identity Authentication Application.

3. Select Properties and add the following properties:

Name                              Value
Authentication                    BasicAuthentication
ips.trace.failed.entity.content   false
Password                          Password of the technical user
ProxyType                         Internet
Type                              HTTP
URL                               URL of the Identity Authentication tenant
User                              Login name of the technical user

 Note

Basic Authentication is supported for Identity Authentication API v1. For certificate-based
authentication, use Identity Authentication API v2 via Identity Provisioning. Refer to Identity
Authentication v2 [page 100]. Because the password is stored in the proxy system's properties, use
a dedicated technical user that has only the API permissions Identity Provisioning needs.

1. To obtain the URL for Identity Authentication, go to SAP BTP > Trust > Application Identity Provider.
2. For the property User, enter the technical user name configured for the Identity Authentication tenant.
This name is generated automatically.
Example: <Technical ID>
3. For the property Password, enter the password for the technical user.
4. Default read and write transformations are generated.

Modify the following transformations for SAP Cloud Identity Access Governance to read and provision:

Read Transformation

{
  "user": {
    "mappings": [
      {
        "sourcePath": "$",
        "targetPath": "$"
      },
      {
        "sourcePath": "$.id",
        "targetVariable": "entityIdSourceSystem"
      },
      {
        "sourceVariable": "entityBaseLocation",
        "targetPath": "$.meta.location",
        "targetVariable": "entityLocationSourceSystem",
        "functions": [
          {
            "type": "concatString",
            "suffix": "${entityIdSourceSystem}"
          }
        ]
      },
      {
        "targetPath": "$.hasPassword",
        "type": "remove"
      },
      {
        "targetPath": "$.groups[*].display",
        "type": "remove"
      },
      {
        "condition": "$.displayName EMPTY true",
        "targetPath": "$.displayName",
        "type": "remove"
      },
      {
        "sourcePath": "$.timeZone",
        "optional": true,
        "targetPath": "$.timezone"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['employeeNumber']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['employeeNumber']"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['costCenter']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['costCenter']"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['division']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['division']"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['department']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['department']"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['displayName']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['displayName']"
      },
      {
        "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']",
        "optional": true,
        "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']"
      },
      {
        "sourcePath": "$.company",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']"
      }
    ],
    "scimEntityEndpoint": "Users"
  },
  "group": {
    "mappings": [
      {
        "sourcePath": "$.id",
        "targetPath": "$.id",
        "targetVariable": "entityIdSourceSystem"
      },
      {
        "sourceVariable": "entityBaseLocation",
        "targetPath": "$.meta.location",
        "targetVariable": "entityLocationSourceSystem",
        "functions": [
          {
            "type": "concatString",
            "suffix": "${entityIdSourceSystem}"
          }
        ]
      },
      {
        "constant": "urn:ietf:params:scim:schemas:core:2.0:Group",
        "targetPath": "$.schemas[0]"
      },
      {
        "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']",
        "targetPath": "$.displayName"
      },
      {
        "sourcePath": "$.members",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.members"
      },
      {
        "constant": "urn:sap:cloud:scim:schemas:extension:custom:2.0:Group",
        "targetPath": "$.schemas[1]"
      },
      {
        "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']",
        "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']"
      },
      {
        "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['description']",
        "optional": true,
        "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['description']"
      }
    ],
    "scimEntityEndpoint": "Groups"
  }
}

Write Transformation

{
  "user": {
    "condition": "($.emails.length() > 0) && ($.name.familyName EMPTY false)",
    "mappings": [
      {
        "sourcePath": "$",
        "targetPath": "$"
      },
      {
        "sourcePath": "$.groups",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.corporateGroups"
      },
      {
        "sourceVariable": "entityIdTargetSystem",
        "targetPath": "$.id"
      },
      {
        "constant": true,
        "targetPath": "$.active"
      },
      {
        "constant": "true",
        "targetPath": "$.sendMail",
        "scope": "createEntity"
      },
      {
        "constant": "true",
        "targetPath": "$.mailVerified",
        "scope": "createEntity"
      },
      {
        "constant": "disabled",
        "targetPath": "$.passwordStatus",
        "scope": "createEntity"
      },
      {
        "constant": "employee",
        "targetPath": "$.userType"
      },
      {
        "targetPath": "$.groups",
        "type": "remove"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']"
      },
      {
        "sourcePath": "$.timezone",
        "optional": true,
        "targetPath": "$.timeZone"
      }
    ],
    "scimEntityEndpoint": "Users"
  },
  "group": {
    "mappings": [
      {
        "sourceVariable": "entityIdTargetSystem",
        "targetPath": "$.id"
      },
      {
        "sourcePath": "$.displayName",
        "targetPath": "$.displayName"
      },
      {
        "sourcePath": "$.displayName",
        "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']",
        "scope": "createEntity",
        "functions": [
          {
            "type": "replaceAllString",
            "regex": "[\\s\\p{Punct}]",
            "replacement": "_"
          }
        ]
      },
      {
        "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']",
        "optional": true,
        "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']"
      },
      {
        "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['description']",
        "optional": true,
        "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['description']"
      },
      {
        "sourcePath": "$.members",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.members"
      }
    ],
    "scimEntityEndpoint": "Groups"
  }
}
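To see what these mappings do to a record, here is an added Python example that is neither part of the guide nor Identity Provisioning's own engine: a small interpreter for the subset of mapping features the user read transformation above uses (sourcePath/targetPath copies, optional, constant, source and target variables, the concatString function, type remove including a [*] wildcard, and the "<path> EMPTY true" condition), applied to a constructed Identity Authentication v1 user. The mappings it carries are copied from the read transformation above; the sample user, the entityBaseLocation value and evaluating conditions against the source entity are assumptions. The v2 transformation later on the page uses the same mapping keys and can be exercised the same way.

```python
import copy
import re
from typing import Any, Dict, List

ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Subset of the guide's v1 "user" read mappings, copied as printed above.
READ_USER_MAPPINGS = [
    {"sourcePath": "$", "targetPath": "$"},
    {"sourcePath": "$.id", "targetVariable": "entityIdSourceSystem"},
    {"sourceVariable": "entityBaseLocation", "targetPath": "$.meta.location",
     "targetVariable": "entityLocationSourceSystem",
     "functions": [{"type": "concatString", "suffix": "${entityIdSourceSystem}"}]},
    {"targetPath": "$.hasPassword", "type": "remove"},
    {"targetPath": "$.groups[*].display", "type": "remove"},
    {"condition": "$.displayName EMPTY true", "targetPath": "$.displayName", "type": "remove"},
    {"sourcePath": "$.timeZone", "optional": True, "targetPath": "$.timezone"},
    {"sourcePath": "$.company", "optional": True,
     "targetPath": "$['" + ENTERPRISE + "']['organization']"},
]

# Constructed SCIM user in the shape the Identity Authentication v1 API returns it.
SAMPLE_USER = {
    "id": "P000123", "userName": "jdoe", "displayName": "", "hasPassword": True,
    "timeZone": "Europe/Berlin", "company": "ACME AG",
    "groups": [{"value": "G1", "display": "Admins"}],
    ENTERPRISE: {"employeeNumber": "100042"},
}

_SEG = re.compile(r"\.([A-Za-z_]\w*)|\['([^']*)'\]|\[\*\]")


def parse_path(path: str) -> List[str]:
    """'$.a.b', "$['x']['y']" and '[*]' -> list of keys; '*' marks a wildcard."""
    if not path.startswith("$"):
        raise ValueError(f"JSONPath must start with '$': {path}")
    return ["*" if m.group(0) == "[*]" else (m.group(1) or m.group(2))
            for m in _SEG.finditer(path[1:])]


def get_path(obj: Any, segs: List[str]) -> Any:
    for key in segs:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def set_path(root: Dict[str, Any], segs: List[str], value: Any) -> None:
    cur = root
    for key in segs[:-1]:
        cur = cur.setdefault(key, {})
    cur[segs[-1]] = value


def remove_path(obj: Any, segs: List[str]) -> None:
    head, rest = segs[0], segs[1:]
    if head == "*":                                   # e.g. $.groups[*].display
        for item in (obj if isinstance(obj, list) else []):
            remove_path(item, rest)
    elif isinstance(obj, dict) and head in obj:
        if rest:
            remove_path(obj[head], rest)
        else:
            del obj[head]


def condition_holds(cond: str, entity: Dict[str, Any]) -> bool:
    """Only the '<path> EMPTY true|false' form the guide uses; evaluated against
    the source entity (a simplification of the real engine)."""
    m = re.fullmatch(r"(\S+) EMPTY (true|false)", cond.strip())
    if not m:
        raise ValueError(f"unsupported condition: {cond}")
    value = get_path(entity, parse_path(m.group(1)))
    empty = value is None or value in ("", [], {})
    return empty == (m.group(2) == "true")


def apply_functions(value: Any, functions: List[Dict[str, Any]], variables: Dict[str, Any]) -> Any:
    for fn in functions:
        if fn["type"] != "concatString":
            raise ValueError(f"unsupported function: {fn['type']}")
        # ${name} in the suffix is replaced by a variable set by an earlier mapping.
        suffix = re.sub(r"\$\{(\w+)\}", lambda m: str(variables[m.group(1)]), fn.get("suffix", ""))
        value = str(value) + suffix
    return value


def apply_mappings(mappings, source, variables):
    """Run the mappings in order, building the target entity from scratch."""
    target: Dict[str, Any] = {}
    for m in mappings:
        if "condition" in m and not condition_holds(m["condition"], source):
            continue
        if m.get("type") == "remove":
            remove_path(target, parse_path(m["targetPath"]))
            continue
        if "constant" in m:
            value = m["constant"]
        elif "sourceVariable" in m:
            value = variables[m["sourceVariable"]]
        else:
            value = get_path(source, parse_path(m["sourcePath"]))
            if value is None:
                if m.get("optional"):
                    continue
                raise KeyError(f"required sourcePath missing: {m['sourcePath']}")
        value = apply_functions(value, m.get("functions", []), variables)
        if "targetVariable" in m:
            variables[m["targetVariable"]] = value
        if "targetPath" in m:
            segs = parse_path(m["targetPath"])
            if segs:
                set_path(target, segs, copy.deepcopy(value))
            else:
                target = copy.deepcopy(value)         # "$" -> "$": copy of the whole entity
    return target


def read_user(ias_user: Dict[str, Any]) -> Dict[str, Any]:
    """Apply the read mappings to one user, as a Read Job would."""
    # Constructed: the Users base location Identity Provisioning holds for the proxy system.
    return apply_mappings(READ_USER_MAPPINGS, ias_user,
                          {"entityBaseLocation": "https://ias.example/service/scim/Users/"})
```

Running read_user on the sample shows hasPassword and the empty displayName dropped, groups[*].display removed, timeZone copied to timezone, and company written into the enterprise extension's organization attribute next to the existing employeeNumber. On the write side, note that the v1 transformation creates users with passwordStatus disabled, mailVerified true and sendMail true at createEntity scope; confirm those constants match your tenant's policy before deploying the proxy system.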

13.3.1.2 Create Destinations

In the SAP BTP cockpit, create the IPS_PROXY destination for the IAG tenant if it does not already exist.

To do so, refer to Connecting Identity Provisioning Tenant and Identity Provisioning on SAP Cloud Identity
Platform.

13.3.1.3 Add Identity Authentication Application

Create an application for Identity Authentication in the Applications app.

1. Log into the SAP Cloud Identity Access Governance launchpad and open the Applications app.
2. Create an application for Identity Authentication. For Application Type, select Identity Authentication.
3. In the SCP Destination field, enter the name of the Identity Provisioning destination (IPS_PROXY) created
in the previous section Create Destinations.
4. Enter the external system ID noted in the step Create Proxy System and save your entries.

13.3.1.4 Manage Ruleset

 Note

This topic is relevant only for HR Driven Identity Lifecycle Management.

To create a user in Identity Authentication for single sign-on, pre-delivered business rules for your tenant must
be accessed via a URL and workflow templates must be uploaded.

Procedure

1. Go to the SAP Cloud Identity Access Governance launchpad.


2. Navigate to Configuration.
3. Go to Projects and choose Launch.
4. Open IAGSFHRFieldChanges to access the decision table.
5. In the decision table, enter the following row:

Status   System            Type
t        IAS tenant name   SYS

6. Create a new rule and select Validate.
7. Go to Rule Service, select the business rule, and choose Deploy.
8. Add the business rule to the ruleset.
9. Redeploy the rule service.

13.3.1.5 Sync User Data and Provision Access Requests

In the SAP Cloud Identity Access Governance launchpad, open the Job Scheduler app.

In the Job Category dropdown list, schedule the following jobs:

• Repository Sync to synchronize the relevant data from Identity Authentication to the access request
service.
In the Application Type dropdown list, select Identity Authentication.
In the Applications dropdown list, select the configured Identity Authentication application.
• Provisioning to initiate the provisioning of access requests.

13.4 Identity Authentication v2

The information in this section describes the procedure for connecting Identity Authentication to the SAP
Cloud Identity Access Governance solution and its services. SAP Cloud Identity Access Governance is a cloud-
based service for creating self-service requests to applications for on-premise and cloud source applications
and systems. By connecting to the SAP Cloud Identity Access Governance solution, it enables Identity
Authentication users to initiate access requests, which are then provisioned to target applications.

13.4.1 Process Overview

There are four overall steps to enable integration between the Identity Authentication system and the SAP
Cloud Identity Access Governance solution and its services:

1. In the Identity Provisioning service, create a proxy system that connects to the Identity Authentication
system using IAS SCIM API version 2.
2. In the SAP BTP cockpit, set up a destination for Identity Provisioning (destination name IPS_PROXY).
3. In the SAP Cloud Identity Access Governance launchpad, use the Applications app to create an instance for
Identity Authentication v2.
4. In the SAP Cloud Identity Access Governance launchpad, use the Job Scheduler app to sync user data and
provision access requests.

13.4.1.1 Create Proxy System

To create and configure a proxy system for Identity Authentication using IAS SCIM API version 2, refer to
Identity Authentication.

In the IPS proxy system configuration, select Properties and add the following properties:

Name                              Value
Authentication                    BasicAuthentication
ias.api.version                   2
ias.support.patch.operation       true
ips.trace.failed.entity.content   false
Password                          Password of the user
ProxyType                         Internet
Type                              HTTP
URL                               URL of the Identity Authentication tenant
User                              Login user name

Modify read and write transformations as suggested below:

Read Transformation

{
  "user": {
    "mappings": [
      {
        "sourcePath": "$.id",
        "targetPath": "$.id",
        "targetVariable": "entityIdSourceSystem"
      },
      {
        "sourceVariable": "entityBaseLocation",
        "targetPath": "$.meta.location",
        "targetVariable": "entityLocationSourceSystem",
        "functions": [
          {
            "type": "concatString",
            "suffix": "${entityIdSourceSystem}"
          }
        ]
      },
      {
        "sourcePath": "$.schemas",
        "preserveArrayWithSingleElement": true,
        "targetPath": "$.schemas"
      },
      {
        "sourcePath": "$.userName",
        "optional": true,
        "targetPath": "$.userName",
        "correlationAttribute": true
      },
      {
        "condition": "$.userName EMPTY true",
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userId']",
        "targetPath": "$.userName"
      },
      {
        "sourcePath": "$.emails[*].value",
        "preserveArrayWithSingleElement": true,
        "targetPath": "$.emails[?(@.value)]"
      },
      {
        "sourcePath": "$.emails[0].value",
        "targetPath": "$.emails[0].value"
      },
      {
        "sourcePath": "$.emails[?(@.primary== true)].value",
        "correlationAttribute": true
      },
      {
        "sourcePath": "$.active",
        "targetPath": "$.active"
      },
      {
        "sourcePath": "$.userType",
        "optional": true,
        "targetPath": "$.userType"
      },
      {
        "sourcePath": "$.name.givenName",
        "optional": true,
        "targetPath": "$.name.givenName"
      },
      {
        "sourcePath": "$.name.middleName",
        "optional": true,
        "targetPath": "$.name.middleName"
      },
      {
        "sourcePath": "$.name.familyName",
        "optional": true,
        "targetPath": "$.name.familyName"
      },
      {
        "sourcePath": "$.name.honorificPrefix",
        "optional": true,
        "targetPath": "$.name.honorificPrefix"
      },
      {
        "sourcePath": "$.addresses",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.addresses"
      },
      {
        "sourcePath": "$.locale",
        "optional": true,
        "targetPath": "$.locale"
      },
      {
        "sourcePath": "$.phoneNumbers",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.phoneNumbers"
      },
      {
        "sourcePath": "$.timeZone",
        "optional": true,
        "targetPath": "$.timezone"
      },
      {
        "sourcePath": "$.displayName",
        "optional": true,
        "targetPath": "$.displayName"
      },
      {
        "ignore": true,
        "sourcePath": "$.sourceSystem",
        "targetPath": "$.sourceSystem"
      },
      {
        "sourcePath": "$.groups",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.groups"
      },
      {
        "targetPath": "$.groups[*].display",
        "type": "remove"
      },
      {
        "condition": "$.displayName EMPTY true",
        "targetPath": "$.displayName",
        "type": "remove"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['employeeNumber']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['employeeNumber']"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['costCenter']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['costCenter']"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['division']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['division']"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['department']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['department']"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extensi
(read transformation truncated in this excerpt)

Write Transformation

{
  "user": {
    "mappings": [
      {
        "sourceVariable": "entityIdTargetSystem",
        "targetPath": "$.id"
      },
      {
        "constant": [
          "urn:ietf:params:scim:schemas:core:2.0:User",
          "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
          "urn:ietf:params:scim:schemas:extension:sap:2.0:User"
        ],
        "targetPath": "$.schemas"
      },
      {
        "sourcePath": "$.userName",
        "optional": true,
        "targetPath": "$.userName"
      },
      {
        "sourcePath": "$.emails[*].value",
        "preserveArrayWithSingleElement": true,
        "targetPath": "$.emails[?(@.value)]"
      },
      {
        "sourcePath": "$.userType",
        "optional": true,
        "targetPath": "$.userType"
      },
      {
        "sourcePath": "$.name.givenName",
        "optional": true,
        "targetPath": "$.name.givenName"
      },
      {
        "sourcePath": "$.name.middleName",
        "optional": true,
        "targetPath": "$.name.middleName"
      },
      {
        "sourcePath": "$.name.familyName",
        "optional": true,
        "targetPath": "$.name.familyName"
      },
      {
        "sourcePath": "$.name.honorificPrefix",
        "optional": true,
        "targetPath": "$.name.honorificPrefix"
      },
      {
        "sourcePath": "$.addresses",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.addresses",
        "functions": [
          {
            "function": "putIfAbsent",
            "key": "type",
            "defaultValue": "work"
          },
          {
            "condition": "(@.type NIN ['work', 'home'])",
            "function": "putIfPresent",
            "key": "type",
            "defaultValue": "work"
          }
        ],
        "defaultValue": []
      },
      {
        "sourcePath": "$.locale",
        "optional": true,
        "targetPath": "$.locale"
      },
      {
        "sourcePath": "$.phoneNumbers",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.phoneNumbers"
      },
      {
        "sourcePath": "$.displayName",
        "optional": true,
        "targetPath": "$.displayName"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['validFrom']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['validFrom']"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['validTo']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['validTo']"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['employeeNumber']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['employeeNumber']"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['costCenter']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['costCenter']"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['division']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['division']"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['department']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['department']"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['displayName']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['displayName']"
      },
      {
        "sourcePath": "$.active",
        "optional": true,
        "targetPath": "$.active",
        "defaultValue": true
      },
      {
        "constant": false,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['sendMail']",
        "scope": "createEntity"
      },
      {
        "sourcePath": "$.emails",
        "preserveArrayWithSingleElement": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['emails']",
        "scope": "createEntity",
        "functions": [
          {
            "function": "putIfAbsent",
            "key": "verified",
(write transformation truncated in this excerpt)
on:enterprise:2.0:User']['manager']
['displayName']", "defaultValue": true
"optional": true, }
"targetPath": "$ ]
['urn:ietf:params:scim:schemas:extensi },
on:enterprise:2.0:User']['manager'] {
['displayName']" "targetPath": "$
}, ['urn:ietf:params:scim:schemas:extensi
{ on:sap:2.0:User']['emails'][*]
"sourcePath": "$ ['type']",
['urn:sap:cloud:scim:schemas:extension "type": "remove"
:custom:2.0:User']", },
"optional": true, {
"targetPath": "$ "constant":
['urn:sap:cloud:scim:schemas:extension "disabled",
:custom:2.0:User']" "targetPath": "$
}, ['urn:ietf:params:scim:schemas:extensi
{ on:sap:2.0:User']['passwordDetails']
"sourcePath": ['status']",
"$.company", "scope":
"optional": true, "createEntity"
"targetPath": "$ },
['urn:ietf:params:scim:schemas:extensi {
on:enterprise:2.0:User'] "constant": 39,
['organization']" "targetPath": "$
}, ['urn:ietf:params:scim:schemas:extensi
{ on:sap:2.0:User']['sourceSystem']",
"sourcePath": "$ "scope":
['urn:ietf:params:scim:schemas:extensi "createEntity"
on:sap:2.0:User']", },
"optional": true, {
"targetPath": "$ "constant":
['urn:ietf:params:scim:schemas:extensi "employee",
on:sap:2.0:User']" "targetPath":
} "$.userType"
], },
"scimEntityEndpoint": "Users" {
}, "sourcePath":
"group": { "$.timezone",
"mappings": [ "optional": true,
{ "targetPath":
"sourcePath": "$.id", "$.timeZone"
"targetPath": "$.id", },
"targetVariable": {
"entityIdSourceSystem" "constant":
}, "userName",
{ "targetVariable":
"sourceVariable": "entityCorrelationAttributeName"
"entityBaseLocation", },
"targetPath": {
"$.meta.location", "sourcePath":
"targetVariable": "$.userName",
"entityLocationSourceSystem", "targetVariable":
"functions": [ "entityCorrelationAttributeValue"
{ },
"type": {
"concatString", "sourcePath":
"suffix": "$ "$.Operations",
{entityIdSourceSystem}"
} "preserveArrayWithSingleElement":
] true,

SAP Cloud Identity Access Governance Admin Guide


106 PUBLIC Integration Scenarios
Read Transformation Write Transformation

}, "targetPath":
{ "$.Operations",
"sourcePath": "$ "scope": "patchEntity"
['urn:sap:cloud:scim:schemas:extension },
:custom:2.0:Group']['name']", {
"targetPath": "sourcePath":
"$.displayName" "$.schemas",
},
{ "preserveArrayWithSingleElement":
"sourcePath": true,
"$.displayName", "targetPath":
"targetPath": "$.schemas",
"$.description" "scope": "patchEntity"
}, }
{ ],
"sourcePath": "$ "scimEntityEndpoint": "Users"
['urn:sap:cloud:scim:schemas:extension },
:custom:2.0:Group']['description']", "group": {
"optional": true, "mappings": [
"targetPath": {
"$.description" "sourceVariable":
}, "entityIdTargetSystem",
{ "targetPath": "$.id"
"sourcePath": },
"$.members", {
"sourcePath":
"preserveArrayWithSingleElement": "$.Operations",
true,
"optional": true, "preserveArrayWithSingleElement":
"targetPath": true,
"$.members" "targetPath":
}, "$.Operations",
{ "scope": "patchEntity"
"sourcePath": },
"$.schemas", {
"sourcePath":
"preserveArrayWithSingleElement": "$.schemas",
true,
"targetPath": "preserveArrayWithSingleElement":
"$.schemas" true,
} "targetPath":
], "$.schemas",
"scimEntityEndpoint": "Groups" "scope": "patchEntity"
} },
} {
"constant": [

"urn:ietf:params:scim:schemas:core:2.0
:Group",

"urn:sap:cloud:scim:schemas:extension:
custom:2.0:Group"
],
"targetPath":
"$.schemas"
},
{
"sourcePath":
"$.displayName",
"targetPath":
"$.displayName"
},
{

SAP Cloud Identity Access Governance Admin Guide


Integration Scenarios PUBLIC 107
Read Transformation Write Transformation

"sourcePath":
"$.members",

"preserveArrayWithSingleElement":
true,
"optional": true,
"targetPath":
"$.members"
},
{
"sourcePath":
"$.displayName",
"targetPath": "$
['urn:sap:cloud:scim:schemas:extension
:custom:2.0:Group']['name']",
"scope":
"createEntity",
"functions": [
{
"type":
"replaceAllString",
"regex": "[\
\s\\p{Punct}]",

"replacement": "_"
}
]
},
{
"sourcePath": "$
['urn:sap:cloud:scim:schemas:extension
:custom:2.0:Group']['name']",
"optional": true,
"targetPath": "$
['urn:sap:cloud:scim:schemas:extension
:custom:2.0:Group']['name']",
"scope":
"createEntity"
},
{
"sourcePath": "$
['urn:sap:cloud:scim:schemas:extension
:custom:2.0:Group']['description']",
"optional": true,
"targetPath": "$
['urn:sap:cloud:scim:schemas:extension
:custom:2.0:Group']['description']"
}
],
"scimEntityEndpoint": "Groups"
}
}

13.4.1.2 Create Destinations

In the SAP BTP, create destination IPS_PROXY, if not already created, for the SAP Cloud Identity Access
Governance tenant.

To do so, refer to Connecting Identity Provisioning Tenant and Identity Provisioning on SAP Cloud Identity Platform.

13.4.1.3 Add Identity Authentication Application

Create an application for Identity Authentication v2 environment in the Applications app.

1. Log into the SAP Cloud Identity Access Governance launchpad and open the Applications app.
2. Create an application for Identity Authentication v2. For Application Type, select Identity Authentication
v2.
3. Enter the external system ID marked in the previous step Create Proxy System and Save.

13.4.1.4 Sync User Data and Provision Access Requests

In the SAP Cloud Identity Access Governance launchpad, open the Job Scheduler app. In the Job Category
dropdown list, schedule the following jobs:

• Repository Sync to synchronize the relevant data from Identity Authentication.
  In the Application Type dropdown list, select Identity Authentication v2.
  In the Applications dropdown list, select the configured Identity Authentication v2 system.
• Provisioning to initiate the provisioning of access requests.

13.4.1.5 Migrating from IAS v1 to IAS v2

To convert an existing IAS v1 application to IAS v2, do as follows:

1. Log into the SAP Cloud Identity Access Governance launchpad and open the Applications app.
2. Select the existing application with application type IAS v1 and choose Edit.
3. Change the External Application ID to the external system ID obtained in the section Create Proxy System and Save.
4. This conversion is irreversible. After conversion, you must run Repository Sync for this application to
update data.

13.5 Lightweight Directory Access Protocol System

The information in this section describes the procedure for connecting Lightweight Directory Access Protocol
(LDAP) to the SAP Cloud Identity Access Governance solution and its services.

SAP Cloud Identity Access Governance is a cloud-based solution for creating self-service requests to
applications for on-premise and cloud source applications and systems. By connecting to the solution, it
enables users of the SAP Cloud Identity Access Governance to initiate access requests, which are then
provisioned to target applications.

Note

Currently, we only support Microsoft Lightweight Directory Access Protocol (Microsoft Active Directory).
Additionally, only users in the top organization unit on the LDAP server can be provisioned. The users can
then be assigned to or removed from groups.

13.5.1 Process Overview

There are three overall steps to integrate the LDAP system with the SAP Cloud Identity Access Governance
solution and its services.

Procedure

1. In the SAP Business Technology Platform (SAP BTP) cockpit, set up a destination for the LDAP application.
2. In the SAP Cloud Identity Access Governance launchpad, use the Applications app to create an instance for
the LDAP system.
3. In the SAP Cloud Identity Access Governance launchpad, use the Job Scheduler app to sync user data and
provision access requests.

13.5.1.1 Create Proxy System

Create a proxy system to connect the LDAP system with the SAP Business Technology Platform (SAP BTP).

Procedure

1. Log into the SAP BTP cockpit, go to your tenant instance, and open Services > Identity Provisioning >
Go To Service > Proxy System.
2. Add a proxy system for the LDAP system and select Microsoft Active Directory or LDAP based on the target
LDAP system type.
3. Properties should have ldap.group.path and ldap.user.path.

Name Value

ips.trace.failed.entity.content false

ldap.group.path LDAP path to group

ldap.respond.with.resource.after.create true

ldap.respond.with.resource.after.update true

ldap.user.path LDAP path to user

To create and configure a proxy system for LDAP, refer to LDAP Server.
For creating and configuring a proxy system for Microsoft Active Directory, go to Microsoft Active
Directory.

4. Save to create the proxy system.


5. Copy the external system ID from the URL and use it to set up the LDAP instance in the Applications app in
the next step.

13.5.1.2 Create Destinations

In SAP BTP, create a destination for your LDAP instance.

In the SAP BTP, create IPS_PROXY, if not already created, for the SAP Cloud Identity Access Governance tenant.

To do so, refer to Identity Provisioning on SAP Cloud Identity Platform.

13.5.1.3 Add LDAP Application

Create an application for LDAP in the SAP Cloud Identity Access Governance launchpad.

Procedure

1. Log into the SAP Cloud Identity Access Governance launchpad and open the Applications app.
2. Create an application for LDAP. For Application Type, select Lightweight Directory Access Protocol.
3. In the HCP Destination field, enter the name of the LDAP destination created in the above step for the LDAP
instance.
4. Enter the external system ID marked in previous step Create Proxy System and save your entries.

13.5.1.4 Create Cloud Connector

In the cloud connector system, create the cloud connector.

Procedure

1. Log into the Cloud Connector system.


2. In the tenant subaccount, select your tenant and select Cloud to On-Premise.
3. Add a new entry in the Mapping Virtual To Internal System section with the following properties:

Back-end Type Non-SAP System

Protocol LDAP

Internal Host URL of the LDAP server

Internal Port LDAP server port

4. Select Check Availability of Internal Host to ensure the host is reachable.

13.5.1.5 Sync User Data and Provision Access Requests

In SAP Cloud Identity Access Governance launchpad, open the Job Scheduler app.

In the Job Category dropdown list, schedule the following jobs:

• Repository Sync to synchronize the relevant data from LDAP to the access request service.
  In the Application Type dropdown list, select Lightweight Directory Access Protocol.
  In the Applications dropdown list, select the configured LDAP application.
• Provisioning to initiate the provisioning of access requests.

13.6 Microsoft Entra ID

The information in this section describes the procedure for connecting Microsoft Entra ID to the SAP Cloud
Identity Access Governance solution and its services. SAP Cloud Identity Access Governance is a cloud-based
service for creating self-service requests to applications for on-premise and cloud source applications and
systems. By connecting to the SAP Cloud Identity Access Governance solution, end users can initiate access
requests for Microsoft Azure, which are then provisioned to the Microsoft Entra ID application.

13.6.1 Process Overview

There are four overall steps to enable integration between Microsoft Entra ID and the SAP Cloud Identity
Access Governance solution and its services:

1. In the Identity Provisioning, create a proxy system for the Microsoft Entra ID system.
2. In the SAP BTP cockpit, set up a destination for Identity Provisioning (destination name IPS_PROXY).
3. In the SAP Cloud Identity Access Governance launchpad, use the Applications app to create an instance for
Microsoft Entra ID.
4. In the SAP Cloud Identity Access Governance launchpad, use the Job Scheduler app to sync user data and
to provision the access requests.

13.6.1.1 Create Proxy System

To create and configure a proxy system for Microsoft Entra ID, refer to Microsoft Entra ID.

In the IPS proxy system configuration, modify the read and write transformations as suggested below:

Read Transformation

{
  "user": {
    "condition": "$.userPrincipalName EMPTY false",
    "mappings": [
      {
        "sourcePath": "$.id",
        "targetPath": "$.id",
        "targetVariable": "entityIdSourceSystem"
      },
      {
        "sourceVariable": "entityBaseLocation",
        "targetPath": "$.meta.location",
        "targetVariable": "entityLocationSourceSystem",
        "functions": [
          {
            "type": "concatString",
            "suffix": "${entityIdSourceSystem}"
          }
        ]
      },
      {
        "constant": "urn:ietf:params:scim:schemas:core:2.0:User",
        "targetPath": "$.schemas[0]"
      },
      {
        "sourcePath": "$.mail",
        "targetPath": "$.emails[0].value",
        "correlationAttribute": true
      },
      {
        "sourcePath": "$.userPrincipalName",
        "targetPath": "$.userName",
        "correlationAttribute": true
      },
      {
        "sourcePath": "$.displayName",
        "optional": true,
        "targetPath": "$.displayName"
      },
      {
        "sourcePath": "$.mailNickname",
        "optional": true,
        "targetPath": "$.externalId",
        "correlationAttribute": true
      },
      {
        "sourcePath": "$.givenName",
        "optional": true,
        "targetPath": "$.name.givenName"
      },
      {
        "sourcePath": "$.surname",
        "optional": true,
        "targetPath": "$.name.familyName"
      },
      {
        "sourcePath": "$.mobilePhone",
        "optional": true,
        "targetPath": "$.phoneNumbers[0].value"
      },
      {
        "condition": "$.mobilePhone EMPTY false",
        "constant": "mobile",
        "targetPath": "$.phoneNumbers[0].type"
      },
      {
        "sourcePath": "$.businessPhones[0]",
        "optional": true,
        "targetPath": "$.phoneNumbers[1].value"
      },
      {
        "condition": "$.businessPhones.length() > 0",
        "constant": "work",
        "targetPath": "$.phoneNumbers[1].type"
      },
      {
        "sourcePath": "$.groups",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.groups"
      }
    ],
    "scimEntityEndpoint": "Users"
  },
  "group": {
    "mappings": [
      {
        "constant": "urn:ietf:params:scim:schemas:core:2.0:Group",
        "targetPath": "$.schemas[0]"
      },
      {
        "sourcePath": "$.id",
        "targetPath": "$.id",
        "targetVariable": "entityIdSourceSystem"
      },
      {
        "sourceVariable": "entityBaseLocation",
        "targetPath": "$.meta.location",
        "targetVariable": "entityLocationSourceSystem",
        "functions": [
          {
            "type": "concatString",
            "suffix": "${entityIdSourceSystem}"
          }
        ]
      },
      {
        "sourcePath": "$.displayName",
        "targetPath": "$.displayName"
      },
      {
        "sourcePath": "$.members",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.members"
      },
      {
        "constant": "value",
        "optional": true,
        "targetPath": "$.members[*].id",
        "type": "rename"
      }
    ],
    "scimEntityEndpoint": "Groups"
  }
}

Write Transformation

{
  "user": {
    "mappings": [
      {
        "sourcePath": "$.onPremisesImmutableId",
        "optional": true,
        "targetPath": "$.onPremisesImmutableId"
      },
      {
        "sourcePath": "$.active",
        "optional": true,
        "targetPath": "$.accountEnabled"
      },
      {
        "sourcePath": "$.userName",
        "optional": true,
        "targetPath": "$.mailNickname"
      },
      {
        "sourcePath": "$.emails[0].value",
        "optional": true,
        "targetPath": "$.mail"
      },
      {
        "sourcePath": "$.displayName",
        "optional": true,
        "targetPath": "$.displayName"
      },
      {
        "sourcePath": "$.name.givenName",
        "optional": true,
        "targetPath": "$.givenName"
      },
      {
        "sourcePath": "$.name.familyName",
        "optional": true,
        "targetPath": "$.surname"
      },
      {
        "sourcePath": "$.addresses[0].locality",
        "optional": true,
        "targetPath": "$.city"
      },
      {
        "sourcePath": "$.addresses[0].country",
        "optional": true,
        "targetPath": "$.country"
      },
      {
        "sourcePath": "$.userName",
        "targetPath": "$.userPrincipalName",
        "scope": "createEntity",
        "functions": [
          {
            "type": "concatString",
            "suffix": "@%aad.domain.name%"
          }
        ]
      },
      {
        "constant": "true",
        "targetPath": "$.accountEnabled",
        "scope": "createEntity"
      },
      {
        "sourcePath": "$.active",
        "optional": true,
        "targetPath": "$.accountEnabled",
        "scope": "createEntity"
      },
      {
        "sourcePath": "$.userName",
        "targetPath": "$.mailNickname",
        "scope": "createEntity"
      },
      {
        "sourcePath": "$.displayName",
        "targetPath": "$.displayName",
        "scope": "createEntity"
      },
      {
        "targetPath": "$.passwordProfile.password",
        "scope": "createEntity",
        "functions": [
          {
            "type": "randomPassword",
            "passwordLength": 16,
            "minimumNumberOfLowercaseLetters": 1,
            "minimumNumberOfUppercaseLetters": 1,
            "minimumNumberOfDigits": 1,
            "minimumNumberOfSpecialSymbols": 0
          }
        ]
      },
      {
        "constant": false,
        "targetPath": "$.passwordProfile.forceChangePasswordNextSignIn",
        "scope": "createEntity"
      }
    ],
    "scimEntityEndpoint": "Users"
  },
  "group": {
    "mappings": [
      {
        "sourcePath": "$",
        "targetPath": "$",
        "scope": "patchEntity"
      },
      {
        "sourceVariable": "entityIdTargetSystem",
        "targetPath": "$.id",
        "scope": "patchEntity"
      },
      {
        "sourceVariable": "entityIdTargetSystem",
        "targetPath": "$.id"
      },
      {
        "sourcePath": "$.displayName",
        "optional": true,
        "targetPath": "$.displayName"
      },
      {
        "sourcePath": "$.displayName",
        "targetPath": "$.displayName",
        "scope": "createEntity"
      },
      {
        "sourcePath": "$.externalId",
        "targetPath": "$.mailNickname",
        "scope": "createEntity"
      },
      {
        "constant": true,
        "targetPath": "$.mailEnabled",
        "scope": "createEntity"
      },
      {
        "constant": false,
        "targetPath": "$.securityEnabled",
        "scope": "createEntity"
      },
      {
        "constant": "Unified",
        "targetPath": "$.groupTypes[0]",
        "scope": "createEntity"
      }
    ],
    "scimEntityEndpoint": "Groups"
  }
}

13.6.1.2 Create Destinations

In the SAP BTP, create destination IPS_PROXY, if not already created, for the SAP Cloud Identity Access
Governance tenant.

To do so, refer to Connecting Identity Provisioning Tenant and Identity Provisioning on SAP Cloud Identity
Platform.

13.6.1.3 Add Microsoft Entra ID Application

Create an application for Microsoft Entra ID in the Applications app.

1. Log into the SAP Cloud Identity Access Governance launchpad and open the Applications app.
2. Create an application for Microsoft Entra ID. For Application Type, select Microsoft Entra ID.
3. Enter the external system ID marked in the section Create Proxy System for Microsoft Entra ID and Save.
See Create Proxy System [page 146].

13.6.1.4 Sync User Data and Provision Requests

In the SAP Cloud Identity Access Governance launchpad, open the Job Scheduler app. In the Job Category
dropdown list, schedule the following jobs:

• Repository Sync to synchronize the relevant data from Microsoft Entra ID to SAP Cloud Identity Access
  Governance.
  In the Application Type dropdown list, select Microsoft Entra ID.
  In the Applications dropdown list, select the configured Microsoft Entra ID application.
• Provisioning to initiate the provisioning of access requests.

13.7 SAP Analytics Cloud

The information in this section describes the procedure for connecting SAP Analytics Cloud to the SAP Cloud
Identity Access Governance solution and its services.

SAP Cloud Identity Access Governance is a cloud-based solution for creating self-service requests to
applications for on-premise and cloud source applications and systems. By connecting to the SAP Cloud
Identity Access Governance solution, end users can initiate access requests for SAP Analytics Cloud, which are
then provisioned to the SAP Analytics Cloud application.

13.7.1 Process Overview

There are three overall steps to enable integration between SAP Analytics Cloud system and the SAP Cloud
Identity Access Governance solution and its services:

1. In the SAP BTP cockpit, set up a destination for the SAP Analytics Cloud system.
2. In the SAP Cloud Identity Access Governance launchpad, use the Applications app to create an instance for
the SAP Analytics Cloud system.
3. In the SAP Cloud Identity Access Governance launchpad, use the Job Scheduler app to sync user data and
provision access requests.

13.7.1.1 Create Proxy System

Create a proxy system to enable SAP Analytics Cloud to connect with the SAP Business Technology Platform
(SAP BTP).

Procedure

1. Log into the SAP BTP cockpit and open the Identity Provisioning Launchpad.
2. Add a proxy system for SAP Analytics Cloud and save; the Type should be SAP Analytics Cloud.
3. Copy the external application ID and use it to set up the SAP Analytics Cloud instance in the Applications
app in the next step. See the example below.

4. Choose Properties and add all the following properties:

Name Value

Authentication BasicAuthentication

csrf.token.path /api/v1/scim/Users?count=1

ips.trace.failed.entity.content true

OAuth2TokenServiceURL OAuth token service for the SAC system that needs to be configured in the SAC system.

Password Enter your password

ProxyType Internet

scim.api.csrf.protection enabled

TrustAll True

Type HTTP

URL Enter the URL for the SAC tenant

User Enter UserName for SAC

The OAUTH2 service token can be generated in the SAC system. Choose System > Administration > App
Integration > Add a new OAuth Client. For more information, refer to Manage OAuth Clients.

5. Default read and write transformations are generated. Modify the following transformations for SAP Cloud
Identity Access Governance to read and write:

Read Transformation Write Transformation

Read Transformation

{
  "user": {
    "mappings": [
      {
        "sourcePath": "$.schemas",
        "preserveArrayWithSingleElement": true,
        "targetPath": "$.schemas"
      },
      {
        "sourcePath": "$.id",
        "targetPath": "$.id",
        "targetVariable": "entityIdSourceSystem"
      },
      {
        "sourceVariable": "entityBaseLocation",
        "targetPath": "$.meta.location",
        "targetVariable": "entityLocationSourceSystem",
        "functions": [
          {
            "type": "concatString",
            "suffix": "${entityIdSourceSystem}"
          }
        ]
      },
      {
        "sourcePath": "$.userName",
        "targetPath": "$.userName"
      },
      {
        "sourcePath": "$.name",
        "targetPath": "$.name"
      },
      {
        "sourcePath": "$.displayName",
        "targetPath": "$.displayName"
      },
      {
        "sourcePath": "$.active",
        "targetPath": "$.active"
      },
      {
        "sourcePath": "$.emails",
        "preserveArrayWithSingleElement": true,
        "targetPath": "$.emails"
      },
      {
        "sourcePath": "$.roles",
        "preserveArrayWithSingleElement": true,
        "targetPath": "$.roles"
      },
      {
        "sourcePath": "$.groups",
        "preserveArrayWithSingleElement": true,
        "targetPath": "$.groups"
      },
      {
        "sourcePath": "$['urn:scim:schemas:extension:enterprise:1.0']['manager']['managerId']",
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']"
      }
    ],
    "scimEntityEndpoint": "Users"
  },
  "group": {
    "mappings": [
      {
        "sourcePath": "$.id",
        "targetPath": "$.id",
        "targetVariable": "entityIdSourceSystem"
      },
      {
        "sourceVariable": "entityBaseLocation",
        "targetPath": "$.meta.location",
        "targetVariable": "entityLocationSourceSystem",
        "functions": [
          {
            "type": "concatString",
            "suffix": "${entityIdSourceSystem}"
          }
        ]
      },
      {
        "sourcePath": "$.id",
        "targetPath": "$.displayName"
      },
      {
        "sourcePath": "$.displayName",
        "targetPath": "$.description"
      },
      {
        "sourcePath": "$.members",
        "preserveArrayWithSingleElement": true,
        "targetPath": "$.members"
      },
      {
        "sourcePath": "$.schemas",
        "preserveArrayWithSingleElement": true,
        "targetPath": "$.schemas"
      },
      {
        "sourcePath": "$.roles",
        "preserveArrayWithSingleElement": true,
        "targetPath": "$.roles"
      }
    ],
    "scimEntityEndpoint": "Groups"
  }
}

Write Transformation

{
  "user": {
    "mappings": [
      {
        "sourcePath": "$.schemas",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.schemas"
      },
      {
        "sourceVariable": "entityIdTargetSystem",
        "targetPath": "$.id"
      },
      {
        "sourcePath": "$.id",
        "type": "remove"
      },
      {
        "sourcePath": "$.userName",
        "targetPath": "$.userName"
      },
      {
        "sourcePath": "$.name",
        "optional": true,
        "targetPath": "$.name"
      },
      {
        "sourcePath": "$.displayName",
        "optional": true,
        "targetPath": "$.displayName"
      },
      {
        "sourcePath": "$.active",
        "optional": true,
        "targetPath": "$.active"
      },
      {
        "sourcePath": "$.emails",
        "preserveArrayWithSingleElement": true,
        "targetPath": "$.emails"
      },
      {
        "sourcePath": "$.roles",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.roles"
      },
      {
        "sourcePath": "$.groups",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.groups"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']",
        "optional": true,
        "targetPath": "$['urn:scim:schemas:extension:enterprise:1.0']['manager']['managerId']"
      }
    ],
    "scimEntityEndpoint": "Users"
  },
  "group": {
    "condition": "($.id EMPTY false) || ($.displayName EMPTY false)",
    "mappings": [
      {
        "sourcePath": "$.schemas",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.schemas"
      },
      {
        "condition": "$.displayName EMPTY false",
        "sourcePath": "$.displayName",
        "targetPath": "$.id"
      },
      {
        "condition": "$.id EMPTY false",
        "sourcePath": "$.id",
        "targetPath": "$.id"
      },
      {
        "sourcePath": "$.description",
        "optional": true,
        "targetPath": "$.displayName"
      },
      {
        "sourcePath": "$.roles",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.roles"
      },
      {
        "sourcePath": "$.members",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.members"
      }
    ],
    "scimEntityEndpoint": "Groups"
  }
}
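The IAS v2, Microsoft Entra ID and SAP Analytics Cloud transformations above all use the same small mapping vocabulary (sourcePath/targetPath, constant, optional, condition, scope, sourceVariable/targetVariable, preserveArrayWithSingleElement, functions such as concatString). The following is an added example written for this guide, not SAP's Identity Provisioning engine and not a statement of its exact semantics: a toy interpreter for that subset, run over a constructed Microsoft Graph user with the matching part of the Entra ID read transformation. The sample user, the entityBaseLocation value, and the readings of scope and of the EMPTY condition are this example's assumptions.

```python
"""Toy interpreter for the mapping vocabulary in the Identity Provisioning transformations above.
Added example for this guide, not SAP's engine: the semantics are this example's reading of the keys
used on the page (sourcePath/targetPath, constant, optional, condition, scope, ignore,
sourceVariable/targetVariable, preserveArrayWithSingleElement, the concatString function)."""
import re

_SEGMENT = re.compile(r"\.(\w+)|\[(\d+)\]|\['([^']+)'\]")  # path steps: '.name', '[n]', "['key']"
_EMPTY = re.compile(r"^(\$\S+) EMPTY (true|false)$")      # the condition form used on the page


def parse_path(path):
    """'$.name.givenName' -> ['name', 'givenName']; "$['urn:x']['y']" -> ['urn:x', 'y']."""
    keys, pos = [], 1
    while pos < len(path):
        m = _SEGMENT.match(path, pos) if path.startswith("$") else None
        if m is None:
            raise ValueError(f"unsupported path syntax at offset {pos}: {path}")
        name, index, quoted = m.groups()
        keys.append(int(index) if index is not None else (name or quoted))
        pos = m.end()
    return keys


def get_path(doc, path):
    cur = doc  # returns None as soon as a segment is missing
    for key in parse_path(path):
        in_range = isinstance(cur, list) and isinstance(key, int) and key < len(cur)
        cur = cur[key] if in_range else (cur.get(key) if isinstance(cur, dict) else None)
        if cur is None:
            return None
    return cur


def set_path(doc, path, value):
    """Assign value at path, creating intermediate objects/arrays as needed."""
    keys, cur = parse_path(path), doc
    for i, key in enumerate(keys):
        if isinstance(key, int):
            cur.extend([None] * (key + 1 - len(cur)))  # grow the array up to the index
        if i == len(keys) - 1:
            cur[key] = value
        else:
            if (cur[key] if isinstance(key, int) else cur.get(key)) is None:
                cur[key] = [] if isinstance(keys[i + 1], int) else {}
            cur = cur[key]


def eval_condition(cond, doc):
    m = _EMPTY.match(cond)
    if m is None:
        raise ValueError(f"condition syntax not handled by this example: {cond}")
    is_empty = get_path(doc, m.group(1)) in (None, "", [], {})
    return is_empty == (m.group(2) == "true")


def apply_function(fn, value, variables):
    if fn.get("type") != "concatString":
        raise ValueError(f"function not handled by this example: {fn.get('type')}")
    # "${name}" inside the suffix expands to a variable collected by an earlier mapping
    suffix = re.sub(r"\$\{(\w+)\}", lambda m: str(variables.get(m.group(1), "")), fn.get("suffix", ""))
    return str(value) + suffix


def apply_mappings(entity, mappings, scope=None, variables=None):
    """Run a mapping list over one entity; returns (target document, variables collected)."""
    out, variables = {}, dict(variables or {})
    for m in mappings:
        if m.get("ignore") or ("scope" in m and m["scope"] != scope):  # scoped: that operation only (our reading)
            continue
        if "condition" in m and not eval_condition(m["condition"], entity):
            continue
        if "constant" in m:
            value = m["constant"]
        elif "sourceVariable" in m:
            value = variables.get(m["sourceVariable"])
        else:
            value = get_path(entity, m["sourcePath"])
        if value is None and not m.get("optional"):
            raise ValueError(f"required attribute missing: {m.get('sourcePath')}")
        if value is None:
            continue
        if isinstance(value, list) and len(value) == 1 and not m.get("preserveArrayWithSingleElement"):
            value = value[0]  # single-element arrays collapse unless preserved
        for fn in m.get("functions", []):
            value = apply_function(fn, value, variables)
        if "targetVariable" in m:
            variables[m["targetVariable"]] = value
        if "targetPath" in m:
            set_path(out, m["targetPath"], value)
    return out, variables


# Constructed sample (not real data) of a Graph user as the Entra ID proxy reads it, with the
# matching subset of the page's Entra ID read transformation for users.
SAMPLE_ENTRA_USER = {"id": "7d3f2a10-0000-4000-8000-000000000001", "mail": "jane.doe@example.com",
                     "userPrincipalName": "jane.doe@example.com", "mobilePhone": "+1 555 0100",
                     "groups": [{"value": "2b4c0f00-0000-4000-8000-000000000002"}]}
ENTRA_READ_USER_MAPPINGS = [
    {"sourcePath": "$.id", "targetPath": "$.id", "targetVariable": "entityIdSourceSystem"},
    {"sourceVariable": "entityBaseLocation", "targetPath": "$.meta.location",
     "functions": [{"type": "concatString", "suffix": "${entityIdSourceSystem}"}]},
    {"constant": "urn:ietf:params:scim:schemas:core:2.0:User", "targetPath": "$.schemas[0]"},
    {"sourcePath": "$.mail", "targetPath": "$.emails[0].value", "correlationAttribute": True},
    {"sourcePath": "$.userPrincipalName", "targetPath": "$.userName", "correlationAttribute": True},
    {"sourcePath": "$.mobilePhone", "optional": True, "targetPath": "$.phoneNumbers[0].value"},
    {"condition": "$.mobilePhone EMPTY false", "constant": "mobile", "targetPath": "$.phoneNumbers[0].type"},
    {"sourcePath": "$.groups", "preserveArrayWithSingleElement": True, "optional": True, "targetPath": "$.groups"},
]


def read_entra_user(user=SAMPLE_ENTRA_USER):
    # entityBaseLocation is a made-up base URL standing in for the system-provided variable
    doc, _ = apply_mappings(user, ENTRA_READ_USER_MAPPINGS,
                            variables={"entityBaseLocation": "https://graph.example.invalid/users/"})
    return doc
```

Running read_entra_user() yields a SCIM user whose meta.location is the base location with the collected entityIdSourceSystem appended, whose phoneNumbers[0].type is written only when mobilePhone is present, and whose single-element groups array survives because preserveArrayWithSingleElement is set. Removing mail from the input raises, because that correlation attribute is not marked optional; failing loudly on a missing correlation attribute is the behaviour you want from a transformation that feeds an identity governance system. The parser also accepts the bracketed extension-schema paths used in the IAS v2 and SAP Analytics Cloud tables.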

13.7.1.2 Create Destinations

In the SAP BTP, create IPS_PROXY, if not already created, for the IAG tenant.

To do so, refer to Identity Provisioning on SAP Cloud Identity Platform.

13.7.1.3 Add SAP Analytics Cloud Application

Create an application for SAP Analytics Cloud in the Applications app.

1. Log into the SAP Cloud Identity Access Governance launchpad and open the Applications app.
2. Create an application for SAP Analytics Cloud. For Application Type, select SAP Analytics Cloud.
3. In the SCP Destination field, enter the name of the IPS destination created in the above step for the SAP
Analytics Cloud instance.
4. Enter the external system ID marked in previous step Create Proxy System and Save.

13.7.1.4 Sync User Data and Provision Access Requests

In the SAP Cloud Identity Access Governance launchpad, open the Job Scheduler app.

In the Job Category dropdown list, schedule the following jobs:

• Repository Sync to synchronize the relevant data from SAP Analytics Cloud to the access request service.
  In the Application Type dropdown list, select SAP Analytics Cloud.
  In the Application dropdown list, select the configured Analytics Cloud application.
• Provisioning to initiate the provisioning of access requests.

Note

You can only assign groups to a user because it is not possible to directly assign roles.

13.8 SAP ABAP (on-premise)

The information in this section covers the scenario of the SAP Cloud Identity Access Governance solution and
its services connecting to SAP ABAP (on-premise) applications. The following graphic illustrates the solution
fetching data from SAP ABAP target applications that reside behind a firewall, and using Identity
Authentication for user authentication.

The information in this section describes the procedure for connecting SAP ABAP (on-premise) applications
to the access request service. By connecting to the access request service, it enables SAP ABAP (on-premise)
users to use the self-service access requests, auto-provisioning, and auditable workflows. The graphic below
illustrates this integration.

13.8.1 Process Overview

There are three overall steps to enable integration between SAP ABAP on-premise systems and the SAP Cloud
Identity Access Governance solution and its services:

1. In the SAP Business Technology Platform (SAP BTP), set up a destination for the SAP ABAP on-premise
system.
2. In the SAP Cloud Identity Access Governance launchpad, use the Applications app to create an instance for
the SAP ABAP on-premise system.
3. In the SAP Cloud Identity Access Governance launchpad, use the Job Scheduler app to sync user data and
provision access requests.

13.8.1.1 Prerequisites and Technical Requirements

This document assumes the following prerequisites have been completed:

• You have upgraded the target system to one of the supported NetWeaver versions and support packs.
• You have created the required RFC user.
• Your SAP Business Technology Platform (SAP BTP) and Identity Authentication tenant accounts have
been created by SAP, and you have received the respective tenant account information and activation
notification.
• To install and connect Connectors, refer to the topic Maintaining Cloud Connector for On-Premise Scenario
[page 50].

13.8.1.1.1 Required NetWeaver Basis Support Packs

You must have upgraded the target system to one of the supported NetWeaver versions and support packs.

The IAG Services Data Extractor API is included in the following NetWeaver versions and support packs.

NetWeaver Version Support Pack

NW 700 SP34

NW 701 SP19

NW 702 SP19

NW 710 SP21

NW 711 SP16

NW 730 SP16

NW 731 SP19

NW 740 SP16

Note
This is the oldest supported version for Privileged Access Management service. To use the service, ensure
that you either have this version or higher versions. (To access the service, create an Influence ticket).

NW 750 SP32

NW 751 SP20

NW 752 SP16

NW 753 SP14

NW 754 SP12

NW 755 SP10

NW 756 SP08

NW 757 SP06

NW 758 SP03

13.8.1.2 Install Cloud Connector and Set Destinations

If you have not already done so, install the SAP Business Technology Platform (SAP BTP) Connector to enable
secure communication between the access request service and the SAP ABAP on-premise system.

Make sure to select the Proxy Type OnPremise.

For Prerequisites, refer to the topic Prerequisites and Technical Requirements [page 126].

For the procedure, refer to the topic Maintaining Cloud Connector for On-Premise Scenario [page 50].

13.8.1.3 Add SAP ABAP Application

Create an application for SAP ABAP in the Applications app.

1. Log into the SAP Cloud Identity Access Governance launchpad and open the Applications app.
2. Create an application for SAP ABAP. For Application Type, select ERP.
3. In the HCP Destination field, enter the name of the SAP ABAP destination from SAP Business Technology
Platform (SAP BTP) and Save.

13.8.1.4 Sync User Data and Provision Access Requests

You must schedule a job to initiate the provisioning process.

• Repository Sync to synchronize the relevant data from SAP ERP to the access request service.
In the Application dropdown, select SAP ERP.
In the Applications dropdown, select the configured SAP ERP.
• Provisioning to initiate the provisioning of access requests.

13.9 SAP Ariba v1_Deprecated

The information in this section describes the procedure for connecting SAP Ariba v1 to the SAP Cloud Identity
Access Governance solution and its services. SAP Cloud Identity Access Governance is a cloud-based solution
for creating self-service requests to applications for on-premise and cloud source applications and systems. By
connecting to the SAP Cloud Identity Access Governance solution, end users can initiate access requests for
SAP Ariba v1, which are then provisioned to the SAP Ariba v1 application.

Prerequisites

Ensure you have completed enablement and configuration for the SAP Cloud Identity Access Governance
solution.

 Note

The integration of SAP Cloud Identity Access Governance and SAP Ariba solutions is based on the Master
Data Native Interface (MDNI). This integration is currently available for SAP Ariba Buying and SAP Ariba
Strategic Sourcing applications. Support for other SAP Ariba solutions is possible; this depends, however,
on the synchronization options between the respective SAP Ariba solution and SAP Ariba Buying and SAP
Ariba Sourcing applications. Refer to the SAP Ariba documentation to determine if such options exist for
your scenario.

13.9.1 Process Overview

There are three overall steps to enable integration between SAP Ariba solutions and the SAP Cloud Identity
Access Governance solution and its service:

1. In the SAP Business Technology Platform (SAP BTP), set up a destination for the SAP Ariba solution.
2. In the SAP Cloud Identity Access Governance launchpad, use the Applications app to create an instance for
the SAP Ariba solution.
3. In the SAP Cloud Identity Access Governance launchpad, use the Job Scheduler app to sync user data and
provision access requests.

13.9.1.1 Create Destinations

In SAP BTP, create destinations for your SAP Ariba instance.

1. Log into the SAP BTP cockpit, and go to your tenant.
2. In the left-hand pane, choose Connectivity, then Destinations, and then choose New Destination.
3. Create a destination for the SAP Ariba instance, and add the properties listed in the table below.

 Note

You may need to manually add the property field if it is not automatically displayed.

 Caution

It is very important to accurately enter the text strings as specified below. We recommend copying and
pasting them.

Name*                ARIBA_DEST
Type                 HTTP
Description          Ariba Sync
URL*                 Enter the URL of the SAP Ariba instance
                     For EU: https://eu.mu.ariba.com
                     For US: https://mu.ariba.com
ProxyType            Internet
Authentication       BasicAuthentication
User                 User ID to access the MDNI service in SAP Ariba (obtain it from SAP Ariba by creating a
                     service request)
Password             Password for the user
apiKey               Generated API key (Master Data Integration Job Status API for Operational Procurement)
fetchGroups          /mdni/erpintegration/api/fetchGroups
fetchUsers           /mdni/erpintegration/api/fetchUsers
objectName           User
serviceURL           For EU: eu.openapi.ariba.com/api/mds-integration-job/v1/prod/integrationJobs?
                     For US: openapi.ariba.com/api/mds-integration-job/v1/prod/integrationJobs?
tenantId             AN-Id provided as part of the Ariba system
uploadXMLUserData    /mdni/erpintegration/api/uploadXMLData

4. Make sure Use default JDK truststore is checked.

13.9.1.2 Add SAP Ariba Application

Create a system for SAP Ariba in the Applications app.

1. Log into the SAP Cloud Identity Access Governance launchpad and open the Applications app.
2. Create an application for SAP Ariba. For Application Type, select SAP Ariba.
3. In the HCP Destination field, enter the name of the SAP BTP destination for SAP Ariba and Save.

13.9.1.3 Sync User Data and Provision Access Requests

In the SAP Cloud Identity Access Governance launchpad, open the Job Scheduler app. In the Job Category
dropdown, schedule the following jobs:

• Repository Sync to synchronize the relevant data from SAP Ariba to the access request service.
In the Application dropdown, select SAP Ariba.
• Provisioning to initiate the provisioning of access requests.

13.10 SAP Ariba v2

The information in this section describes the procedure for connecting SAP Ariba v2 to the SAP Cloud Identity
Access Governance solution and its services. SAP Cloud Identity Access Governance is a cloud-based solution
for creating self-service requests to applications for on-premise and cloud source applications and systems.
By connecting to the SAP Cloud Identity Access Governance solution, end users can initiate access requests
for SAP Ariba via IPS_Proxy, which are then provisioned to the SAP Ariba application. For more details, refer to
SAP Note 3228340.

13.10.1 Process Overview

IPS_Proxy is used to integrate SAP Ariba solutions V2 with SAP Cloud Identity Access Governance.

There are three overall steps to enable the integration:

1. In the SAP Business Technology Platform (SAP BTP), set up a destination for SAP Ariba V2.
2. In the SAP Cloud Identity Access Governance launchpad, use the Application app to create an instance for
the SAP Ariba V2.
3. In the SAP Cloud Identity Access Governance launchpad, use the Job Scheduler app to sync user data and
provision access requests.

13.10.1.1 Create Proxy System

To create and configure a proxy system for SAP Ariba Applications, refer to SAP Ariba Applications.

 Note

If the SAP Ariba system is configured using parent/child realms where users and groups are fully replicated
from parent to child, the IPS Proxy is to be configured with the parent realm. The Admin for the Ariba realm
needs to set up user and group replication between the parent and child realms. For more information,
refer to the SAP Ariba configuration guide. If a child realm has different users and groups from its parent
realm, it needs a separate system configured with the child realm directly.

13.10.1.2 Create Destinations

In SAP BTP, create the IPS_Proxy destination for the SAP Cloud Identity Access Governance tenant, if it does
not exist already. To do so, refer to Connecting Identity Provisioning Tenant and Identity Provisioning on SAP
Cloud Identity Platform.

13.10.1.3 Add Ariba Application

Create an application for SAP Ariba v2 in the Applications app.

1. Log into the SAP Cloud Identity Access Governance launchpad and open the Applications app.
2. Create an application for SAP Ariba. For Application Type, select SAP Ariba V2.
3. Enter the External System ID marked in the previous section Create Proxy System and Save.

13.10.1.4 Sync User Data and Provision Access Requests

In the SAP Cloud Identity Access Governance launchpad, open the Job Scheduler app. In the Job Category
dropdown, schedule the following jobs:

• Repository Sync to synchronize the relevant data from SAP Ariba Applications to the access request
service.
In the Application Type dropdown list, select SAP Ariba v2.
In the Applications dropdown, select the configured SAP Ariba v2.
• Provisioning to initiate the provisioning of access requests.

13.10.1.5 Migrating from Ariba v1 to Ariba v2

To convert an existing Ariba v1 system to Ariba v2, do as follows:

1. Log into the SAP Cloud Identity Access Governance launchpad and open the Applications app.
2. Select the existing application with application type Ariba and choose Edit.
3. Change the External Application ID to the one marked in the previous section Create Proxy System and Save.
4. This conversion is irreversible. After conversion, you must run Repository Sync for this system to update
data.

13.11 SAP BTP ABAP environment

The information in this section describes the procedure for connecting SAP BTP ABAP environment to the
SAP Cloud Identity Access Governance solution and its services. SAP Cloud Identity Access Governance
is a cloud-based service for creating self-service requests to applications for on-premise and cloud source
applications and systems. By connecting to the SAP Cloud Identity Access Governance solution, end users can
initiate access requests for SAP BTP ABAP environment, which are then provisioned to the SAP BTP ABAP
application.

13.11.1 Process Overview

There are four overall steps to enable integration between SAP BTP ABAP environment and the SAP Cloud
Identity Access Governance solution and its services:

1. In the Identity Provisioning service, create a proxy system to connect to SAP BTP ABAP environment
system.
2. In the SAP BTP cockpit, set up a destination for Identity Provisioning (destination name IPS_PROXY).
3. In the SAP Cloud Identity Access Governance launchpad, use the Systems app to create an instance for
SAP BTP ABAP environment.
4. In the SAP Cloud Identity Access Governance launchpad, use the Job Scheduler app to sync user data
and provision access requests.

13.11.1.1 Create Proxy System

To create and configure a proxy system for SAP BTP ABAP environment, refer to SAP BTP ABAP environment -
SAP Help Portal.

13.11.1.2 Create Destinations

In SAP BTP, create the destination IPS_PROXY for the IAG tenant, if it does not exist already. To do so, refer to
Connecting Identity Provisioning Tenant.

13.11.1.3 Add SAP BTP ABAP environment Application

Create an application for SAP BTP ABAP environment in the Applications app.

1. Log into the SAP Cloud Identity Access Governance launchpad and open the Applications app.
2. Create an application for SAP BTP ABAP environment. For Application Type, select SAP BTP ABAP
environment.
3. Enter the external system ID marked in the previous step Create Proxy System and Save.

13.11.1.4 Sync User Data and Provision Access Requests

In the SAP Cloud Identity Access Governance launchpad, open the Job Scheduler app. In the Job Category
dropdown list, schedule the following jobs:

• Repository Sync to synchronize the relevant data from SAP BTP ABAP environment to SAP Cloud Identity
Access Governance.
In the Application Type dropdown list, select SAP BTP ABAP environment.
In the Applications dropdown list, select the configured SAP BTP ABAP environment system.
• Provisioning to initiate the provisioning of access requests.

13.12 SAP Business Technology Platform

The information in this section describes the procedure for connecting the SAP Business Technology Platform
(SAP BTP) to the SAP Cloud Identity Access Governance solution and its services.

This section provides details for connecting the following platforms to the SAP Cloud Identity Access
Governance:

• SAP BTP - Cloud Foundry
• SAP BTP - Neo

13.12.1 SAP Business Technology Platform - Cloud Foundry

The information in this section describes the procedure for connecting Cloud Foundry to the SAP Cloud
Identity Access Governance solution and its services.

SAP Cloud Identity Access Governance is a cloud-based solution for creating self-service requests to
applications for on-premise and cloud source applications and systems. By connecting to the SAP Cloud
Identity Access Governance solution, end users can initiate access requests for Cloud Foundry, which are then
provisioned to the Cloud Foundry application.

13.12.1.1 Process Overview

There are three overall steps to enable integration between SAP Business Technology Platform (SAP BTP) and
the SAP Cloud Identity Access Governance solution and its services:

1. In the SAP BTP cockpit, set up a destination for Cloud Foundry.
2. In the SAP Cloud Identity Access Governance launchpad, use the Systems app to create an instance for
Cloud Foundry.
3. In the SAP Cloud Identity Access Governance launchpad, use the Job Scheduler app to sync user data and
provision access requests.

13.12.1.1.1 Create Proxy System

Create a proxy system to enable Cloud Foundry to connect with the SAP BTP cockpit.

1. Log into the SAP BTP cockpit and open your Identity Provisioning launchpad.
2. Copy the external application ID and use it to set up the Cloud Foundry instance in the Applications app.
3. Add a proxy system for Cloud Foundry and choose Save. The Type should be SAP BTP XS Advanced UAA.
For more details, refer to SAP BTP XS Advanced UAA (Cloud Foundry).

Type               SAP BTP XS Advanced UAA (Cloud Foundry)
System Name        Enter any name
Destination Name
Description        XSUAA test system

4. Choose Properties and add all the relevant properties from Step 6 listed here: SAP BTP XS Advanced UAA
(Cloud Foundry).

13.12.1.1.2 Create Destinations

In SAP BTP, create the IPS_PROXY destination for the IAG tenant, if it does not exist already. To do so, refer
to Connecting Identity Provisioning Tenant and Identity Provisioning on SAP Cloud Identity Platform.

13.12.1.1.2.1 Create Destination for Data-Level Extraction

To synchronize SAP BTP authorizations for a comprehensive and accurate SoD analysis, you can extract and
analyze data-level authorizations for BTP application roles and users.

You can extract the following data via the existing SAP BTP synchronization job:

• Role-Based Data Authorization: The system allows you to extract data-level authorizations for all
BTP (Business Technology Platform) application roles. This includes detailed information about the
permissions and data access levels assigned to each role.
• User-Specific Authorization: The system enables the extraction of data-level authorizations for individual
users based on their assigned BTP application roles.
• Scheduled Extraction: The system allows the scheduling of regular data extraction processes, ensuring
that up-to-date data is available for ongoing SoD analysis.

To synchronize SAP BTP authorizations, you need the following two configurations in your tenant for the new
application:

1. Create a new subscription.
2. Create a new destination to access the Cloud Foundry / BTP system.

To create a new subscription, do the following:

New Subscription
Attributes             Attribute entries
Service                Authorization and Trust Management Service
Plan                   apiaccess
Runtime Environment    Cloud Foundry
Space                  <dummy space in the consumer tenant>
Instance Name          <any name>

To create the new destination, enter the following information:

New Destination
Attributes             Attribute Entries
Name                   <any name>
Type                   HTTP
Description            <any description>
URL                    <apiurl from the subscription above>
Proxy Type             Internet
Authentication         BasicAuthentication
User                   <client id from the subscription above>
Password               <client secret from the subscription above>

Fill out the entries for Additional Properties as follows:

accessToken            /oauth/token?grant_type=client_credentials&response_type=token
authURL                <url from the subscription above>
getRoleCollections     /sap/rest/authorization/v2/rolecollections
getRoleDetail          /sap/rest/authorization/v2/roles

Run the repository synchronization job for the new application that you created. This synchronizes the
repository data just as it was done for the old Cloud Foundry / BTP application, and additionally synchronizes
the authorization data.
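As an added illustration of what the extracted role data is used for, the following Python script (example code, not part of this guide or of SAP Cloud Identity Access Governance) resolves constructed role-collection and role records, shaped after what the two endpoints above return, into effective scopes per user and flags segregation-of-duties conflicts against a small rule set. The field names roleReferences, roleTemplateAppId, roleTemplateName, appId and scopes, the sample users and the rules are assumptions.

```python
"""Toy SoD analysis over BTP role-collection data.

Added example (not SAP code). The records below are constructed to resemble
what the /sap/rest/authorization/v2/rolecollections and /roles endpoints
return; the field names used here are assumptions, as are the users and rules.
"""
from collections import defaultdict

# Constructed sample: role collections and the role templates they reference.
ROLE_COLLECTIONS = [
    {"name": "Procurement_Buyer",
     "roleReferences": [{"roleTemplateAppId": "procure!t1", "roleTemplateName": "Buyer"}]},
    {"name": "Procurement_Approver",
     "roleReferences": [{"roleTemplateAppId": "procure!t1", "roleTemplateName": "Approver"}]},
    {"name": "Finance_Payer",
     "roleReferences": [{"roleTemplateAppId": "finance!t2", "roleTemplateName": "Payer"}]},
]

# Constructed sample: role templates with the scopes (data-level authorizations) they grant.
ROLES = [
    {"appId": "procure!t1", "name": "Buyer", "scopes": ["procure!t1.PO.Create"]},
    {"appId": "procure!t1", "name": "Approver", "scopes": ["procure!t1.PO.Approve"]},
    {"appId": "finance!t2", "name": "Payer", "scopes": ["finance!t2.Payment.Release"]},
]

# Constructed sample: role collections assigned to each user.
USER_ASSIGNMENTS = {
    "alice@example.com": ["Procurement_Buyer", "Procurement_Approver"],
    "bob@example.com": ["Procurement_Buyer"],
    "carol@example.com": ["Procurement_Approver", "Finance_Payer"],
}

# Constructed SoD rule set: scope pairs one person must not hold together.
SOD_RULES = {
    "PO-CREATE-APPROVE": ("procure!t1.PO.Create", "procure!t1.PO.Approve"),
    "PO-APPROVE-PAY": ("procure!t1.PO.Approve", "finance!t2.Payment.Release"),
}


def scopes_per_collection(role_collections, roles):
    """Resolve every role collection to the set of scopes it grants."""
    scope_index = {(r["appId"], r["name"]): set(r["scopes"]) for r in roles}
    resolved = {}
    for rc in role_collections:
        granted = set()
        for ref in rc["roleReferences"]:
            key = (ref["roleTemplateAppId"], ref["roleTemplateName"])
            granted |= scope_index.get(key, set())
        resolved[rc["name"]] = granted
    return resolved


def effective_scopes(user_assignments, collection_scopes):
    """Union the scopes of all role collections assigned to each user."""
    return {
        user: set().union(*(collection_scopes.get(rc, set()) for rc in rcs))
        for user, rcs in user_assignments.items()
    }


def sod_violations(user_scopes, rules):
    """Return {user: [rule ids]} for users holding both scopes of a rule."""
    findings = defaultdict(list)
    for user, scopes in sorted(user_scopes.items()):
        for rule_id, (first, second) in rules.items():
            if first in scopes and second in scopes:
                findings[user].append(rule_id)
    return dict(findings)


def analyse(role_collections=ROLE_COLLECTIONS, roles=ROLES,
            user_assignments=USER_ASSIGNMENTS, rules=SOD_RULES):
    """End-to-end: role data + assignments + rules -> violations per user."""
    collection_scopes = scopes_per_collection(role_collections, roles)
    return sod_violations(effective_scopes(user_assignments, collection_scopes), rules)


if __name__ == "__main__":
    for user, rule_ids in analyse().items():
        print(f"{user}: {', '.join(rule_ids)}")
```

The point of resolving collections down to scopes is that two role collections with harmless-looking names can still combine into a conflicting pair; the rules are therefore expressed on scopes, which is the data-level authorization the synchronization job extracts.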

13.12.1.1.3 Add Cloud Foundry System

Create a system for Cloud Foundry in the Applications app.

1. Log into the SAP Cloud Identity Access Governance launchpad and open the Applications app.
2. Create a system for Cloud Foundry. For Application Type, select Cloud Foundry.
3. Enter the external application ID mentioned in step 2 in the section Create Proxy system and Save.

13.12.1.1.4 Sync User Data and Provision Access Requests

In the SAP Cloud Identity Access Governance launchpad, open the Job Scheduler app. In the Job Category
dropdown list, schedule the following jobs:

• Repository Sync to synchronize the relevant data from Cloud Foundry to the access request service.
In the System Type dropdown list, select Cloud Foundry.
In the System dropdown list, select the configured Cloud Foundry System.
• Provisioning to initiate the provisioning of access requests.

13.12.2 SAP Business Technology Platform - NEO

The information in this section describes the procedure for connecting the SAP Business Technology Platform
(SAP BTP) to the SAP Cloud Identity Access Governance solution and its services. SAP Cloud Identity Access
Governance is a cloud-based solution for creating self-service requests to applications for on-premise and
cloud source applications and systems. By connecting to the SAP Cloud Identity Access Governance solution,
end users can initiate access requests for NEO, which are then provisioned to the NEO application.

13.12.2.1 Process Overview

There are three overall steps to enable integration between the SAP BTP and the SAP Cloud Identity Access
Governance solution and its services:

1. In the SAP BTP cockpit, set up a destination for the Identity Provisioning service to integrate SAP BTP with
the SAP Cloud Identity Access Governance solution.
2. In the access request service, use the Systems app to create an instance for the SAP BTP.
3. In the access request service, use the Job Scheduler app to sync user data and provision access requests.

13.12.2.1.1 Register OAuth Client for the Identity Provisioning

1. Open your subaccount in the SAP Cloud Platform cockpit.
2. Register a new OAuth client for the subscription to the ipsproxy application:
1. Go to Security, then OAuth, then Clients.
2. Select Register New Client.
3. From the Subscription combo box, select <provider_subaccount>/ipsproxy.

4. From the Authorization Grant combo box, select Client Credentials.
5. In the Secret field, enter a password (client secret) and remember it. You will need it later for the
repository configuration in the external system.
6. Copy/paste and save (in a notepad) the generated client ID. You will need it later, too.
3. Assign role IPS_PROXY_USER to the OAuth client:
1. From the left-side navigation, select Subscriptions.
2. Under the Java Applications section, select ipsproxy.
3. From the left-side navigation, select Roles.
4. Assign role IPS_PROXY_USER to the newly created OAuth client. Choose Assign and enter
oauth_client_<client_ID>, where <client_ID> is the one you have saved in the previous step.

13.12.2.1.2 Create Proxy System

Create a proxy system to connect with the SAP Business Technology Platform (SAP BTP).

1. Log into the SAP BTP cockpit, go to your tenant instance, and open Services, then Identity Provisioning,
then Go To Service, then Proxy System.
2. Add a proxy system for the SAP BTP and select Save; the Type should be SAP BTP Java/HTML5 Apps.
3. Copy the external application ID and use it to set up the SAP BTP instance in the Applications app in the
next section Add SAP BTP.
4. Select Properties and add the following properties:

hcp.application.names              some-app-name
hcp.patch.response.with.resource   true
hcp.read.group.roles               true
                                    Note
                                   Ignore this parameter if Identity Provisioning and the actual system (for instance,
                                   SAP Cloud Identity Access Governance, which is defined as proxy in Identity
                                   Provisioning) are in different regions. For more information, refer to: Identity
                                   Provisioning - List of Properties.
ips.trace.failed.entity.content    true
OAuth2TokenServiceURL              https://api.<hostname>/oauth2/apitoken/v1
                                   The hostname can be retrieved from the URL of your SAP BTP tenant, or refer to
                                   https://me.sap.com/notes/2418879. Example: api.eu2.hana.ondemand.com is for
                                   the EU (Frankfurt) datacenter.
Password                           Enter the password
ProxyType                          Internet
Type                               HTTP
URL                                https://api.<hostname>/authorization/v1/accounts/<tenantid>
                                   Here, tenantid can be retrieved from the Technical Name found in the subaccount.
User                               Enter the relevant GUID
Authentication                     BasicAuthentication

1. To obtain the Admin user for SAP BTP, go to Security, then OAuth, then Platform API.
2. To create an OAuth client for the OAuth Platform API, select Authorization Management.
3. For the property Password, enter the password for the technical user.
4. Default read and write transformations are generated. To modify the transformations for SAP Cloud
Identity Access Governance to read and provision, go to:
https://help.sap.com/docs/IDENTITY_PROVISIONING/f48e822d6d484fa5ade7dda78b64d9f5/dac4ec8c4ffc4aad9077623d885a03ef.html

13.12.2.1.3 Create Destinations

In the SAP BTP, create destinations for Identity Provisioning.

1. Log into the SAP BTP cockpit and go to your tenant.
2. In the left-hand pane, select Connectivity, then Destination, and then New Destination.

 Note

It is very important to accurately enter the text strings as specified below. We recommend copying and
pasting them.

Parameter                Value
Name*                    IPS_PROXY
Type                     HTTP
Description              IPS Destination
URL*                     Enter the URL of the IPS Instance
Proxy Type               Internet
Authentication           BasicAuthentication
User*                    <Name of the User to access IPS>
Password                 <Password of the User>
Accept                   application/scim+json
OAuth2TokenServiceURL*   <OAUTH Token URL>?grant_type=client_credentials
GROUPSURL                /Groups
serviceURL               /ipsproxy/api/v1/scim/
USERSURL                 /Users

3.  Note
The URL can be copied from the SAP BTP cockpit under Subscriptions, then ipsproxy, then Application URLs.
Select ipsproxy to get the Application URL. After copying the URL, remove /ipsproxy from it.
4. User is the Client ID configured through SAP BTP under Security, then OAuth, then Clients for the service
IPSProxy (or it is the same as configured in the previous section).
5. OAuth2TokenServiceURL can be copied from SAP BTP under Security, then OAuth, then Token EndPoint.
Example: https://oauthasservices-TENANTID.int.sap.eu2.hana.ondemand.com/oauth2/api/v1/token?grant_type=client_credentials
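To catch the two mistakes the notes above describe before the destination is saved, here is an added Python check (example code, not SAP's and not part of this guide) that validates an IPS_PROXY property set against the table: required properties present, fixed values as prescribed, URL without the trailing /ipsproxy segment, and OAuth2TokenServiceURL carrying grant_type=client_credentials. The property key ProxyType (written without a space, as in the SAP Ariba table earlier in this chapter), the sample host names and the credentials are constructed placeholders.

```python
"""Sanity checks for an IPS_PROXY destination before it is saved in SAP BTP.

Added example (not SAP code). It encodes the property values from the
destination table above and the notes beneath it; the check wording and the
constructed sample values are this example's own.
"""
from urllib.parse import urlparse, parse_qs

REQUIRED = ("Name", "Type", "URL", "ProxyType", "Authentication", "User",
            "Password", "Accept", "OAuth2TokenServiceURL", "GROUPSURL",
            "serviceURL", "USERSURL")

# Exact values the table prescribes for the fixed properties.
FIXED = {
    "Type": "HTTP",
    "ProxyType": "Internet",
    "Authentication": "BasicAuthentication",
    "Accept": "application/scim+json",
    "GROUPSURL": "/Groups",
    "serviceURL": "/ipsproxy/api/v1/scim/",
    "USERSURL": "/Users",
}


def check_destination(props):
    """Return a list of problems; an empty list means the destination looks right."""
    problems = []
    for key in REQUIRED:
        if not props.get(key):
            problems.append(f"missing property {key}")
    for key, expected in FIXED.items():
        if key in props and props[key] != expected:
            problems.append(f"{key} must be {expected!r}, got {props[key]!r}")

    url = urlparse(props.get("URL", ""))
    if url.scheme != "https":
        problems.append("URL must use https")
    # The note says to strip /ipsproxy from the copied application URL:
    # serviceURL already carries that segment, so it must not be in URL too.
    if url.path.rstrip("/").endswith("/ipsproxy"):
        problems.append("URL still ends with /ipsproxy; remove it")
    if url.username or url.password or url.query:
        problems.append("URL must not carry credentials or query parameters")

    token = urlparse(props.get("OAuth2TokenServiceURL", ""))
    if parse_qs(token.query).get("grant_type") != ["client_credentials"]:
        problems.append("OAuth2TokenServiceURL must end with ?grant_type=client_credentials")
    if token.scheme != "https":
        problems.append("OAuth2TokenServiceURL must use https")
    return problems


# Constructed sample following the table (host names are placeholders, not real tenants).
GOOD = {
    "Name": "IPS_PROXY", "Type": "HTTP", "Description": "IPS Destination",
    "URL": "https://ipsproxy-example.hana.ondemand.com",
    "ProxyType": "Internet", "Authentication": "BasicAuthentication",
    "User": "example-client-id", "Password": "example-client-secret",
    "Accept": "application/scim+json",
    "OAuth2TokenServiceURL": "https://oauthasservices-example.hana.ondemand.com"
                             "/oauth2/api/v1/token?grant_type=client_credentials",
    "GROUPSURL": "/Groups", "serviceURL": "/ipsproxy/api/v1/scim/", "USERSURL": "/Users",
}

# The same destination with the two mistakes the notes warn about.
BAD = dict(GOOD,
           URL=GOOD["URL"] + "/ipsproxy",
           OAuth2TokenServiceURL=GOOD["OAuth2TokenServiceURL"].split("?")[0])

if __name__ == "__main__":
    print(check_destination(GOOD) or "OK")
    print(check_destination(BAD))
```

Run it against the property set you are about to enter; a destination that passes still needs the client ID and secret from the OAuth client registered earlier, which this check only verifies are present, not correct.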

13.12.2.1.4 Add SAP Business Technology Platform

Create an application for the SAP BTP in the Applications app.

1. Log into the SAP Cloud Identity Access Governance launchpad and open the Applications app.
2. Create a system for SAP BTP. For Application Type, select SAP Cloud Platform.
3. In the SCP Destination field, enter the name of the IPS destination (IPS_PROXY) created in the previous
section Create Destination.
4. Enter the external application ID marked in the previous step Create Proxy System.
5. Save your entries.

13.12.2.1.5 Sync User Data and Provision Access Requests

In the access request service launchpad, open the Job Scheduler app.

In the Job Category dropdown list, schedule the following jobs:

• Repository Sync to synchronize the relevant data from the SAP BTP to the access request service.
In the System Type dropdown list, select the SAP BTP.
In the System dropdown list, select the configured SAP BTP.
• Provisioning to initiate the provisioning of access requests.

13.13 SAP Concur

The information in this section describes the procedure for connecting SAP Concur to the SAP Cloud Identity
Access Governance solution and its services.

SAP Cloud Identity Access Governance is a cloud-based solution for creating self-service requests to
applications for on-premise and cloud source applications and systems. By connecting to the SAP Cloud
Identity Access Governance solution, end users can initiate access requests for SAP Concur, which are then
provisioned to the SAP Concur application.

13.13.1 Process Overview

There are three overall steps to enable integration between SAP Concur and the SAP Cloud Identity Access
Governance solution and its services:

1. In the SAP BTP cockpit, set up a destination for SAP Concur.
2. In the SAP Cloud Identity Access Governance launchpad, use the Applications app to create an instance for
SAP Concur.
3. In the SAP Cloud Identity Access Governance launchpad, open the Job Scheduler app to sync user data and
provision access requests.

13.13.1.1 Create Destinations

In SAP BTP, create a destination for your SAP Concur instance.

To configure the destination, add the following properties:

Name*                          CONCUR
Type                           HTTP
Description                    Concur Destination
URL*                           <Enter SAP Concur API URL>
                               For example: https://us.api.concursolutions.com
ProxyType                      Internet
Authentication                 OAuth2RefreshToken
Use mTLS for token retrieval   This box remains unchecked.
Client ID*                     <Enter the generated Concur Client ID> (see note below)
Client Secret                  <Enter the generated Concur Client Secret> (see note below)
Token Service URL Type*        Dedicated
Token Service URL*             <Enter the SAP Concur token URL> (see note below)

 Note

For more information, refer to SAP Concur.

For required setup in SAP Concur (API, scopes), refer to User Provisioning Service.

Enter the following additional properties:

CompanyEntityCode   <Enter the registered Company Entity Code from SAP Concur>
CompanyUUID         <Enter the registered Company UUID from SAP Concur>
RefreshToken        <Enter the generated refresh token from SAP Concur>

Check the Use default JDK truststore box.

13.13.1.2 Add SAP Concur Application

Create an application for SAP Concur in the Applications app.

1. Log into the SAP Cloud Identity Access Governance launchpad and open the Applications app.
2. Create an application for SAP Concur. For Application Type, select SAP Concur.
3. In the HCP Destination field, enter the name of SAP Concur destination from SAP Business Technology
Platform (SAP BTP) and Save.

13.13.1.3 Sync User Data and Provision Access Requests

In the SAP Cloud Identity Access Governance launchpad, open the Job Scheduler app. In the Job Category
dropdown list, schedule the following jobs:

• Repository Sync to synchronize the relevant data from SAP Concur to the access request service.
In the Application Type dropdown list, select SAP Concur.
In the Application dropdown list, select the configured SAP Concur application.
• Provisioning to initiate the provisioning of access requests.

Pre-delivered Custom Fields

To create Identity users for SAP Concur, there are 4 mandatory custom fields that are pre-delivered with
the field mapping and are cleared for provisioning. These fields are: REIMBURSEMENT_TYPE, LOCALE,
REIMBURSEMENT_CURRENCY, and COUNTRY.

 Note

To configure the custom fields for the Concur-Bridge scenario, refer to SAP Notes 3137551 and 3146713.

13.14 SAP Fieldglass

The information in this section describes the procedure for connecting SAP Fieldglass to the SAP Cloud
Identity Access Governance solution and its services. SAP Cloud Identity Access Governance is a cloud-based
solution for creating self-service requests to applications for on-premise and cloud source applications and
systems. By connecting to the SAP Cloud Identity Access Governance solution, end users can initiate access
requests for SAP Fieldglass, which are then provisioned to the SAP Fieldglass application. This leverages
out-of-box authorizations and risk modeling to analyze SAP Fieldglass access requests.

 Note

You can assign one role per user.

Prerequisites

Ensure you have completed enablement and configuration for the SAP Cloud Identity Access Governance
solution.

13.14.1 Process Overview

There are four steps to enable integration between SAP Fieldglass and the SAP Cloud Identity Access
Governance solution and its services:

1. Create two destinations for the SAP Fieldglass solution.
2. In the SAP Cloud Identity Access Governance launchpad, use the Systems app to create an instance for the
SAP Fieldglass solution.
3. In the SAP Cloud Identity Access Governance launchpad, use the Job Scheduler app to sync user data and
provision access requests.
4. Migrate from Non-Identity Provisioning-based SAP Fieldglass to Identity Provisioning-based SAP Fieldglass
(only applicable for systems created before October 2022).

 Note

An SAP Fieldglass user has exactly one role assignment. If no role is assigned, the default role applies. If a
new role is assigned, the prior role assignment is removed.

13.14.1.1 Create Proxy System

To create and configure a proxy system for SAP Fieldglass, refer to SAP Fieldglass.

1. Open your Identity Provisioning launchpad in the navigation panel.
2. Add a proxy system for SAP Fieldglass.
3. Select Type as SAP Fieldglass.
4. Enter the Application Name and Description.
5. Copy the External Application ID and use it to set up the SAP Fieldglass System in the Applications app in
the next section Add SAP Fieldglass System.

6. In the Properties section, enter the following values:

Authentication                    BasicAuthentication
ips.trace.failed.entity.content   true
OAuth2TokenServiceURL             https://<Service URL>/api/oauth2/v2.0/token
Password                          Password of the User
ProxyType                         Internet
Type                              HTTP
URL                               Specify your SAP Fieldglass environment URL.
                                  For example: https://abc123.fgvms.com
User                              Enter the Login User Name
x-ApplicationKey (Optional)       <API key of the service>

7. For the read and write transformations, adapt the sample transformations for SAP Cloud Identity Access
Governance shown below.

 Note

Since the 'division' field is mandatory for provisioning users to SAP Fieldglass, there are two ways to
obtain this value:
• Custom Field in SAP Cloud Identity Access Governance solution: The 'division' value can be obtained
from the individual access request as a custom field defined in IAG. If the custom field is populated, it is
used for provisioning.
• Default Value in Write Transformation: Alternatively, a default value can be set in the write
transformation. If a default value is defined, it will be used for the 'division' field during provisioning.

It's important to note that if a custom field value is passed from the access request, it overwrites the
default value defined in the transformation.

Read Transformation

{
  "user": {
    "mappings": [
      {
        "sourcePath": "$.id",
        "targetPath": "$.id",
        "targetVariable": "entityIdSourceSystem"
      },
      {
        "sourceVariable": "entityBaseLocation",
        "targetPath": "$.meta.location",
        "targetVariable": "entityLocationSourceSystem",
        "functions": [
          {
            "type": "concatString",
            "suffix": "${entityIdSourceSystem}"
          }
        ]
      },
      {
        "sourcePath": "$.userName",
        "targetPath": "$.userName",
        "correlationAttribute": true
      },
      { "sourcePath": "$.name", "optional": true, "targetPath": "$.name" },
      { "sourcePath": "$.displayName", "optional": true, "targetPath": "$.displayName" },
      { "sourcePath": "$.active", "optional": true, "targetPath": "$.active" },
      { "sourcePath": "$.title", "optional": true, "targetPath": "$.title" },
      {
        "sourcePath": "$.locale",
        "optional": true,
        "targetPath": "$.locale",
        "functions": [
          {
            "type": "substring",
            "beginIndex": 0,
            "endIndex": 2
          }
        ]
      },
      {
        "sourcePath": "$.emails",
        "preserveArrayWithSingleElement": true,
        "targetPath": "$.emails"
      },
      { "sourcePath": "$.emails[0].value", "targetPath": "$.emails[0].value" },
      {
        "sourcePath": "$.emails[?(@.primary==true)].value",
        "correlationAttribute": true
      },
      { "sourcePath": "$.timezone", "optional": true, "targetPath": "$.timezone" },
      {
        "sourcePath": "$.addresses",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.addresses"
      },
      {
        "sourcePath": "$.groups",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.groups"
      },
      {
        "sourcePath": "$.schemas",
        "preserveArrayWithSingleElement": true,
        "targetPath": "$.schemas"
      },
      {
        "sourcePath": "$['resourceExtensions']['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['employeeNumber']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['employeeNumber']"
      },
      {
        "sourcePath": "$['resourceExtensions']['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['costCenter']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['costCenter']"
      },
      {
        "sourcePath": "$['resourceExtensions']['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']"
      },
      {
        "sourcePath": "$['resourceExtensions']['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['division']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['division']"
      },
      {
        "sourcePath": "$['resourceExtensions']['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['department']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['department']"
      },
      {
        "sourcePath": "$['resourceExtensions']['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']"
      },
      {
        "sourcePath": "$['resourceExtensions']['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['displayName']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['displayName']"
      },
      {
        "sourcePath": "$['resourceExtensions']['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']"
      },
      {
        "sourcePath": "$['resourceExtensions']['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid']"
      }
    ],
    "scimEntityEndpoint": "Users"
  },
  "group": {
    "mappings": [
      {
        "sourcePath": "$.id",
        "targetPath": "$.id",
        "targetVariable": "entityIdSourceSystem"
      },
      {
        "sourceVariable": "entityBaseLocation",
        "targetPath": "$.meta.location",
        "targetVariable": "entityLocationSourceSystem",
        "functions": [
          {
            "type": "concatString",
            "suffix": "${entityIdSourceSystem}"
          }
        ]
      },
      { "sourcePath": "$.displayName", "targetPath": "$.displayName" },
      {
        "sourcePath": "$.members",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.members"
      },
      {
        "constant": "User",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.members[*].type"
      },
      {
        "sourcePath": "$.schemas",
        "preserveArrayWithSingleElement": true,
        "targetPath": "$.schemas"
      }
    ],
    "scimEntityEndpoint": "Groups"
  }
}

Write Transformation

{
  "user": {
    "mappings": [
      { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.id" },
      {
        "sourcePath": "$.userName",
        "targetPath": "$.userName",
        "scope": "createEntity"
      },
      { "sourcePath": "$.name", "optional": true, "targetPath": "$.name" },
      { "sourcePath": "$.displayName", "optional": true, "targetPath": "$.displayName" },
      { "sourcePath": "$.active", "optional": true, "targetPath": "$.active" },
      { "sourcePath": "$.title", "optional": true, "targetPath": "$.title" },
      { "sourcePath": "$.locale", "optional": true, "targetPath": "$.locale" },
      {
        "sourcePath": "$.emails",
        "preserveArrayWithSingleElement": true,
        "targetPath": "$.emails"
      },
      { "sourcePath": "$.emails[0].value", "targetPath": "$.emails[0].value" },
      {
        "sourcePath": "$.emails[0].type",
        "optional": true,
        "targetPath": "$.emails[0].type",
        "defaultValue": "work"
      },
      {
        "sourcePath": "$.emails[0].primary",
        "optional": true,
        "targetPath": "$.emails[0].primary",
        "defaultValue": true
      },
      { "sourcePath": "$.timezone", "optional": true, "targetPath": "$.timezone" },
      {
        "sourcePath": "$.addresses",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.addresses"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['employeeNumber']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['employeeNumber']"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['costCenter']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['costCenter']"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['division']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['division']",
        "defaultValue": "DLAB"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['department']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['department']"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['displayName']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['displayName']"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid']"
      }
    ],
    "scimEntityEndpoint": "Users"
  },
  "group": {
    "skipOperations": [
      "create",
      "delete"
    ],
    "mappings": [
      { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.id" },
      {
        "sourcePath": "$",
        "targetPath": "$",
        "scope": "patchEntity"
      },
      { "sourcePath": "$.displayName", "targetPath": "$.displayName" },
      {
        "sourcePath": "$.members",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.members"
      }
    ],
    "scimEntityEndpoint": "Groups"
  }
}

defaultValue: Here is an example of the division portion of the write transformation:

……
{
  "sourcePath": "$['resourceExtensions']['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['division']",
  "optional": true,
  "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['division']",
  "defaultValue": "<default value of the division>"
},
……

This approach ensures that the 'division' field is populated during provisioning, either from the custom field
value or, if no custom value is provided, from the default value. In the sample write transformation above,
"DLAB" is defined as the default value for the division (Business Unit).

8. Save your entries.
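To see how the mappings above behave, here is a small evaluator for the subset of the Identity Provisioning mapping syntax they use. It is an example added here, not SAP code, and it does not reproduce the Identity Provisioning engine; it models only the properties visible in the sample (sourcePath/targetPath, optional, defaultValue, sourceVariable/targetVariable, scope and concatString). The SCIM paths are the page's; the sample users, the base location URL and the helper names are constructed for the example. It shows that a division carried in the access request (the IAG custom field) is written as-is, that a missing division falls back to the defaultValue, and that the userName mapping with scope createEntity is not sent on a patch.

```python
"""Mini evaluator for the Identity Provisioning mapping subset used in the Fieldglass
transformations above. Added example, not SAP code; all sample documents are constructed."""
import copy
import re

ENT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
_MISSING = object()
_SEG = re.compile(r"\.(\w+)|\['([^']*)'\]|\[(\d+)\]")


def parse_path(path):
    """'$.emails[0].value' -> ['emails', 0, 'value']. Filters like [?(@.primary==true)] are not modelled."""
    if not path.startswith("$"):
        raise ValueError(path)
    segs, pos = [], 1
    while pos < len(path):
        m = _SEG.match(path, pos)
        if not m:
            raise ValueError(f"unsupported path syntax: {path[pos:]!r}")
        name, quoted, idx = m.groups()
        segs.append(int(idx) if idx is not None else (name if name is not None else quoted))
        pos = m.end()
    return segs


def get_path(doc, segs):
    cur = doc
    for s in segs:
        hit = (isinstance(cur, list) and isinstance(s, int) and s < len(cur)) or (isinstance(cur, dict) and s in cur)
        if not hit:
            return _MISSING
        cur = cur[s]
    return cur


def _put(container, key, value):
    if isinstance(key, int):
        while len(container) <= key:
            container.append(None)
    container[key] = value


def set_path(doc, segs, value):
    cur = doc
    for s, nxt in zip(segs, segs[1:]):  # create intermediate dicts/lists on the way down
        child = get_path(cur, [s])
        if child is _MISSING or child is None:
            child = [] if isinstance(nxt, int) else {}
            _put(cur, s, child)
        cur = child
    _put(cur, segs[-1], value)


def apply_mappings(mappings, source, variables=None, operation="createEntity"):
    """Return (target document, variables, correlation attributes) for one entity."""
    variables, target, correlation = dict(variables or {}), {}, {}
    expand = lambda t: re.sub(r"\$\{(\w+)\}", lambda m: str(variables.get(m.group(1), "")), t)
    for m in mappings:
        if m.get("scope") not in (None, operation):
            continue  # e.g. userName is sent on create only
        if "sourceVariable" in m:
            value = variables.get(m["sourceVariable"], _MISSING)
        else:
            value = get_path(source, parse_path(m["sourcePath"]))
        if value is _MISSING:
            if "defaultValue" in m:
                value = m["defaultValue"]  # used only when the source carries nothing
            elif m.get("optional"):
                continue
            else:
                raise ValueError(f"required attribute missing: {m}")
        for fn in m.get("functions", []):  # only concatString is needed by the subset below
            if fn["type"] == "concatString":
                value = expand(fn.get("prefix", "")) + str(value) + expand(fn.get("suffix", ""))
        if "targetVariable" in m:
            variables[m["targetVariable"]] = value
        if "targetPath" in m:
            set_path(target, parse_path(m["targetPath"]), copy.deepcopy(value))
            if m.get("correlationAttribute"):
                correlation[m["targetPath"]] = value
    return target, variables, correlation


# Subsets of the read and write transformations shown above.
READ_USER = [
    {"sourcePath": "$.id", "targetPath": "$.id", "targetVariable": "entityIdSourceSystem"},
    {"sourceVariable": "entityBaseLocation", "targetPath": "$.meta.location",
     "functions": [{"type": "concatString", "suffix": "${entityIdSourceSystem}"}]},
    {"sourcePath": "$.userName", "targetPath": "$.userName", "correlationAttribute": True},
    {"sourcePath": f"$['resourceExtensions']['{ENT}']['division']", "optional": True,
     "targetPath": f"$['{ENT}']['division']"},
]
WRITE_USER = [
    {"sourcePath": "$.userName", "targetPath": "$.userName", "scope": "createEntity"},
    {"sourcePath": "$.emails[0].value", "targetPath": "$.emails[0].value"},
    {"sourcePath": "$.emails[0].type", "optional": True, "targetPath": "$.emails[0].type", "defaultValue": "work"},
    {"sourcePath": f"$['{ENT}']['division']", "optional": True,
     "targetPath": f"$['{ENT}']['division']", "defaultValue": "DLAB"},
]


def write_fieldglass_user(iag_user, operation="createEntity"):
    """IAG user (division set from the access request's custom field, if any) -> SCIM body for Fieldglass."""
    return apply_mappings(WRITE_USER, iag_user, operation=operation)[0]
```

Run `apply_mappings(READ_USER, fieldglass_user, {"entityBaseLocation": ...})` to see the read side populate `$.meta.location` and the enterprise-extension division; `write_fieldglass_user` with and without a division in the input shows the custom-field value winning over "DLAB".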

13.14.1.2 Create Destinations

For SAP Fieldglass, the following two destinations are required:

• IPS_PROXY
In SAP BTP, create the destination IPS_PROXY for the IAG tenant, if it does not already exist.
To do so, refer to Connecting Identity Provisioning Tenant [page 20] and Identity Provisioning on SAP Cloud
Identity Platform.
• Direct connection to SAP Fieldglass
To connect directly to SAP Fieldglass, follow the procedure described below.

In the SAP Business Technology Platform (SAP BTP), create destination to provision to SAP Fieldglass.

1. Log into the SAP BTP cockpit, and go to your tenant.


2. In the left-hand pane, choose Connectivity > Destinations, and then choose New Destination.
3. Create a destination for the SAP Fieldglass instance, using the following constraints.

 Caution

It is very important to enter the text strings exactly as specified below. We recommend copying
and pasting them.

Name* FieldGlassDest

Type: HTTP

Description: Field Glass Destination

URL* Enter the URL of the SAP Fieldglass instance

Proxy Type Internet

Authentication: BasicAuthentication

User*: Name of the user SAP BTP uses to access the SAP Fieldglass instance.

Password: Password for the user

accessToken /api/oauth2/v2.0/token?grant_type=client_credentials&response_type=token

getRoleDetail /api/vc/connector/Standard User Role Detail Download?__p1=
4. Make sure Use default JDK truststore is checked.


13.14.1.3 Add Fieldglass Application

Create an application for SAP Fieldglass in the Applications app.

1. Log into the SAP Cloud Identity Access Governance launchpad and open the Applications app.
2. Create an application for SAP Fieldglass. For Application Type, select SAP Fieldglass.
3. In the HCP Destination field, enter the name of the SAP BTP destination for the SAP Fieldglass instance.
4. Enter the external system ID that you noted in the previous section, Create Proxy System, and
save.

13.14.1.4 Sync User Data and Provision Access Requests

In the SAP Cloud Identity Access Governance launchpad, open the Job Scheduler app. In the Job Category
dropdown, schedule the following jobs:

• Repository Sync to synchronize the relevant data from SAP Fieldglass to the access request service.
In the Application dropdown, select SAP Fieldglass.
• Provisioning to initiate the provisioning of access requests.

 Note

When you provision access requests, you cannot add or delete default access in SAP Fieldglass. In
addition, you cannot assign multiple roles to a user in SAP Fieldglass: a user has exactly one role
assignment, and assigning a new role replaces the prior one.

 Note

For the SAP Fieldglass-Bridge scenario, refer to SAP Note 3169844.

13.14.1.5 Migrating from Non-Identity Provisioning-based SAP Fieldglass to Identity Provisioning-based SAP
Fieldglass

To migrate to the Fieldglass application using Identity Provisioning, do the following:

1. Select the SAP Fieldglass application configured in the previous release.


2. Choose Edit.
3. Enter the external system ID that you noted in the previous section, Create Proxy System.
4. Save your entries.

13.15 SAP Integrated Business Planning

The information in this section describes the procedure for connecting SAP Integrated Business Planning to
the SAP Cloud Identity Access Governance solution and its services. SAP Cloud Identity Access Governance
is a cloud-based solution for creating self-service requests to applications for on-premise and cloud source
applications and systems. By connecting to the SAP Cloud Identity Access Governance solution, end users
can initiate access requests for SAP Integrated Business Planning, which are then provisioned to the SAP
Integrated Business Planning application.

Prerequisites

Ensure you have completed enablement and configuration for the SAP Cloud Identity Access Governance
solution.

13.15.1 Process Overview

There are four overall steps to enable integration between SAP Integrated Business Planning solution and the
SAP Cloud Identity Access Governance solution and its service:

1. In the SAP Integrated Business Planning solution, carry out the required configuration tasks and steps.
2. In the SAP Business Technology Platform (SAP BTP), set up destination for the SAP Integrated Business
Planning solution.
3. In the SAP Cloud Identity Access Governance launchpad, use the Applications app to create an instance for
the SAP Integrated Business Planning solution.
4. In the SAP Cloud Identity Access Governance launchpad, use the Job Scheduler app to sync user data and
provision access requests.

13.15.2 Configuration in SAP Integrated Business Planning

The information in this section describes the prerequisites and procedures you carry out in SAP Integrated
Business Planning to enable the integration with the access request service.

Prerequisites

You must have completed the following prerequisites before you can begin the configuration tasks.

• Your user for SAP Integrated Business Planning has been assigned the business catalog
SAP_CORE_BC_COM.

• You can use the business role template SAP_BR_ADMINISTRATOR.
• You have a signed SSL certificate from Verisign for your tenant [optional].
The certificate is used to enable secure communication between SAP Integrated Business Planning and
the SAP BTP tenant for SAP Cloud Identity Access Governance.

Procedure

The configuration steps include the following:

1. Create a communication user and assign to it the SSL certificate.


2. Create a communication system to represent the SAP BTP tenant account.
3. Create a communication arrangement, one for each communication scenario.
• SAP_COM_0066 for replication of data
• SAP_COM_0093 for provisioning

13.15.2.1 Create Communication User

Create a communication user and upload the SSL client certificate. The certificate identifies the calling tenant,
which holds the matching private key, and enables secure communication.

Option 1: SSL Certificate

1. Log onto your SAP Integrated Business Planning, and open group Communication Management.
2. Open Maintain Communication Users and choose New to create a Communication User

Value Parameter

User Name Enter a user name. Ex: IAG-INTEGRATION

Description Enter a meaningful description.

Password Enter a password and remember for later step.

 Tip
Create a password via Propose Password to receive a
password which satisfies the password rules.

3. Choose Upload Certificate and select the SSL client certificate. To select the certificate, refer to
SAP Note 2801396. For SAP IBP-specific communication, see Secure Communication for Inbound Integration.
4. Choose Create.

Option 2: Basic Authentication

1. Log onto your SAP Integrated Business Planning, and open group Communication Management.
2. Open Maintain Communication Users and choose New to create a Communication User

Value Parameter

User Name Enter a user name. Ex: IAG-INTEGRATION

Description Enter a meaningful description.

Password Enter a password and remember for later step.

 Tip
Create a password via Propose Password to receive a
password which satisfies the password rules.

3. Choose Create.

13.15.2.2 Create Communication System

Create a new communication system to represent your SAP BTP tenant account for SAP Cloud Identity Access
Governance.

Option 1: SSL Certificate

1. Start the app Communication Systems and choose New to create a Communication System representing
your SAP BTP tenant account for SAP Cloud Identity Access Governance.
2. Choose an Application ID and Application Name to represent your SAP BTP account.
3. Choose Create.
4. Enter the hostname of your Provider Tenant ID for SAP Cloud Identity Access Governance. Enter only the
hostname without protocol and path. For example: xxxxx.us2.hana.ondemand.com.
5. Choose Save.
6. In the User for Inbound Communication section, choose the + button.
7. Select Authentication Method as SSL Client Certificate and add the communication user you created in the
previous step for SSL Certificate option.

Option 2: Basic Authentication

 Note

Maintaining User for Outbound Communication is optional.

1. Start the Communication Systems app and choose New to create a Communication System representing
your tenant account for SAP Cloud Identity Access Governance.
2. Choose a Application ID and Application Name to represent your SAP BTP account.
3. Choose Create.
4. Enter the hostname of your Provider Tenant ID for SAP Cloud Identity Access Governance. Enter only the
hostname without protocol and path. For example: xxxxx.us2.hana.ondemand.com.
5. Choose Save.
6. In the User for Inbound Communication section, choose the + button.
7. Select Authentication Method as User ID and Password and add the communication user you created in
the previous step for Basic Authentication option.

13.15.2.3 Create Communication Arrangement

Create a communication arrangement, one for each communication scenario. Two scenarios are available.

• SAP_COM_0066 for replication of data


• SAP_COM_0093 for provisioning

You may choose to implement one or both. To implement both, complete all the steps in this procedure to
create a communication arrangement for one, and then repeat the procedure again to create an arrangement
for the other.

1. Start the app Communication Arrangements, and choose New Scenario .


2. Select a communication scenario.
3. Select the Communication System you created in the previous step.
The other data is defined by the system.
4. Save the communication arrangement.

To implement another communication arrangement, repeat the procedure.

13.15.3 Create Destinations

In the SAP Business Technology Platform (SAP BTP), create destinations for your SAP Integrated Business
Planning instance.

1. Log in to the SAP BTP cockpit and go to your tenant.


2. In the left-hand pane, choose Connectivity > Destinations, and then choose New Destination.
3. Create a destination for the SAP Integrated Business Planning instance, and add the following properties
listed in the table below.

 Note

You may need to manually add the property field if it is not automatically displayed.

 Caution

It is very important to accurately enter the text strings as specified below. We recommend copying and
pasting them.

Name IBPCLOUD

Type: HTTP

Description: SAP Integrated Business Planning Destination

URL* Example: https://myXXXXXX-api.scmibp.ondemand.com

ProxyType Internet

Authentication: BasicAuthentication
Client Certificate authentication is another option that is now supported. To use this option, you need
to create the application type SAPIBP_SCIM.

User* Name of the communication user created in the previous step.

Password: Password for the user

sap-client Integrated Business Planning client (for example, client number 100)

WRITE /sap/bc/srt/scs_ext/sap/managebusinessuserin

4. Make sure Use default JDK truststore is checked.

13.15.4 Add Integrated Business Application

Create an application for SAP Integrated Business Planning in the Applications app.

1. Log in to the SAP Cloud Identity Access Governance launchpad and open the Applications app.
2. Create an application for SAP Integrated Business Planning. For Application Type, select SAP Integrated
Business Planning.
3. In the HCP Destination field, enter the name of the SAP BTP destination for SAP Integrated Business
Planning and save.

13.15.5 Sync User Data and Provision Access Requests

In the SAP Cloud Identity Access Governance launchpad, open the Job Scheduler app. In the Job Category
dropdown list, schedule the following jobs:

• Repository Sync to synchronize the relevant data from SAP Integrated Business Planning to the access
request service.
In the Application dropdown list, select the SAP Integrated Business Planning system defined in
the previous section.
• Provisioning to initiate the provisioning of access requests.

13.15.6 User ID Mapping

Configuration for User ID to Login Name mapping:

• Open the Configuration app from the Administration group in the SAP Cloud Identity Access Governance
Fiori launchpad. Make sure there is an entry for USERIDGROUP.

Custom Field Configuration:

1. Open the SAP Cloud Identity Access Governance launchpad in a Web browser.
2. Go to IAG Administration and open the Custom Field Groups app.
3. Choose the + sign to create a new Custom Field Group and make the following entries.

Name IBP_Group

Description IBP_Group

Process Access Request

Entity Type Application Type

Entity Type Value Select SAP Integrated Business Planning from the F4 Help dialog window.

Status Select the checkbox

4. Save your entries.


5. Go to the Custom Field app in the Administration group.
6. Choose the + icon to create a new custom field.
7. On the next screen, provide the following inputs:

Name IBP_USERNAME

Description IBP_USERNAME

Label UserName

Input Type Select Input Text

Data Type Select String

Field Length 40

Status Select the checkbox

8. On the next tab, choose the Custom Field Group created in the first step. Save the custom field using Save
button at the bottom.
9. In the Field Mapping app, create a new field mapping between the IAG custom field and SAP Integrated
Business Planning field.

After creating this configuration, there will be a new custom field in Access Request which reads the
login name from the authentication system (for example, Identity Authentication). It is blank if the login
name is not maintained; in that case, the user's P-number is used for provisioning.

13.16 SAP Marketing Cloud

The information in this section describes the procedure for connecting SAP Marketing Cloud to the SAP Cloud
Identity Access Governance solution and its services. SAP Cloud Identity Access Governance is a cloud-based
solution for creating self-service requests to applications for on-premise and cloud source applications and
systems. By connecting to the SAP Cloud Identity Access Governance solution, end users can initiate access
requests for SAP Marketing Cloud, which are then provisioned to the SAP Marketing Cloud application.

Prerequisites

Ensure you have completed enablement and configuration for the SAP Cloud Identity Access Governance
solution.

13.16.1 Process Overview

There are four overall steps to enable integration between the SAP Marketing Cloud solution and the SAP Cloud
Identity Access Governance solution and its service:

1. In SAP Marketing Cloud, carry out the required configuration tasks and steps.
2. In the SAP Business Technology Platform (SAP BTP), set up the destination for the SAP Marketing Cloud
solution.
3. In the SAP Cloud Identity Access Governance launchpad, use the Applications app to create an instance for
the SAP Marketing Cloud solution.
4. In the SAP Cloud Identity Access Governance launchpad, use the Job Scheduler app to sync user data and
provision access requests.

13.16.2 Configuration in SAP Marketing Cloud

The information in this section describes the prerequisites and procedures you carry out in SAP Marketing
Cloud to enable the integration with the access request service.

Prerequisites

You must have completed the following prerequisites before you can begin the configuration tasks.

• Your user for SAP Marketing Cloud has been assigned the business catalog SAP_CORE_BC_COM.
• You can use the business role template SAP_BR_ADMINISTRATOR.
• You have a signed SSL certificate from Verisign for your tenant [optional].
The certificate is used to enable secure communication between SAP Marketing Cloud and the SAP BTP
tenant for SAP Cloud Identity Access Governance.

Procedure

The configuration steps include the following:

1. Create a communication user and assign to it the SSL certificate.


2. Create a communication system to represent the SAP BTP tenant account.
3. Create a communication arrangement, one for each communication scenario.
• SAP_COM_0066 for replication of data
• SAP_COM_0193 for provisioning

13.16.2.1 Create Communication User

Create a communication user and upload the SSL client certificate. The certificate identifies the calling tenant,
which holds the matching private key, and enables secure communication.

Option 1: SSL Certificate

1. Log onto your SAP Marketing Cloud, and open group Communication Management.
2. Open Maintain Communication Users and choose New to create a Communication User

Value Parameter

User Name Enter a user name. Ex: IAG-INTEGRATION

Description Enter a meaningful description.

Password Enter a password and remember for later step.

 Tip
Create a password via Propose Password to receive a
password which satisfies the password rules.

3. Choose Upload Certificate and select the SSL client certificate. To select the certificate, refer to
SAP Note 2801396.
4. Choose Create.

Option 2: Basic Authentication

1. Log onto your SAP Marketing Cloud, and open group Communication Management.
2. Open Maintain Communication Users and choose New to create a Communication User

Value Parameter

User Name Enter a user name. Ex: IAG-INTEGRATION

Description Enter a meaningful description.

Value Parameter

Password Enter a password and remember for later step.

 Tip
Create a password via Propose Password to receive a
password which satisfies the password rules.

3. Choose Create.

13.16.2.2 Create Communication System

Create a new communication system to represent your tenant account for SAP Cloud Identity Access
Governance.

Option 1: SSL Certificate

1. Start the app Communication Systems and choose New to create a Communication System representing
your tenant account for SAP Cloud Identity Access Governance.
2. Choose a System ID and System Name to represent your SAP BTP account.
3. Choose Create.
4. Enter the hostname of your Provider Tenant ID for SAP Cloud Identity Access Governance. Enter only the
hostname without protocol and path. For example: xxxxx.us2.hana.ondemand.com.
5. Choose Save.
6. In the User for Inbound Communication section, choose the + button.
7. Select Authentication Method as SSL Client Certificate and add the communication user you created in the
previous step for SSL Certificate option.

Option 2: Basic Authentication

 Note

Maintaining User for Outbound Communication is optional.

1. Start the Communication Systems app and click New to create a Communication System representing your
tenant account for SAP Cloud Identity Access Governance.

2. Choose a System ID and System Name to represent your SAP BTP account.
3. Choose Create.
4. Enter the hostname of your Provider Tenant ID. Enter only the hostname without protocol and path. For
example: xxxxx.us2.hana.ondemand.com.
5. Choose Save.
6. In the User for Inbound Communication section, choose the + button.
7. Select Authentication Method as User ID and Password and add the communication user you created in
the previous step for Basic Authentication option.

13.16.2.3 Create Communication Arrangement

Create a communication arrangement, one for each communication scenario. Two scenarios are available.

• SAP_COM_0066 for replication of data


• SAP_COM_0193 for provisioning

You may choose to implement one or both. To implement both, complete all the steps in this procedure to
create a communication arrangement for one, and then repeat the procedure again to create an arrangement
for the other.

1. Start the app Communication Arrangements, and choose New Scenario.
2. Select a communication scenario.
3. Select the Communication System you created in the previous step.
The other data is defined by the system.
4. Save the communication arrangement.

To implement another communication arrangement, repeat the procedure.

13.16.3 Create Destinations

In SAP BTP, create destinations for your SAP Marketing Cloud instance.

1. Log in to the SAP BTP cockpit and go to your tenant.


2. In the left-hand pane, choose Connectivity > Destinations, and then choose New Destination.
3. Create a destination for the SAP Marketing Cloud instance, and add the following properties listed in the
table below.

 Note

You may need to manually add the property field if it is not automatically displayed.

 Caution

It is very important to accurately enter the text strings as specified below. We recommend copying and
pasting them.

Name* MKTCLOUD

Type: HTTP

Description: Marketing Cloud Destination

URL* Enter the URL of the SAP Marketing Cloud instance

Proxy Type Internet

Authentication: BasicAuthentication

User*: Name of the user SAP BTP uses to access the SAP Marketing Cloud instance

Password: Password for the user

sap-client Marketing cloud client

WRITE /sap/bc/srt/scs/sap/
managebusinessuserin

4. Make sure Use default JDK truststore is checked.
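The destination tables in this section, in 13.15.3 and in 13.14.1.2 all carry the same caution about entering strings exactly, and all rely on the same transport settings. The following check, an example added here and not SAP code, lints a destination before it is saved. The property names and values come from the tables on this page; the profile table, the use_default_jdk_truststore flag (which models the cockpit checkbox), the helper names and the two sample destinations are assumptions made for the example. It flags the mistakes that otherwise surface only as opaque provisioning failures: a missing or mistyped property, a value pasted with trailing whitespace, an http:// URL that would send the basic-auth credentials in clear, a missing password, and the TrustAll property, which disables server certificate validation.

```python
"""Consistency checks for the SAP BTP destinations used by the Fieldglass, SAP Integrated Business
Planning and SAP Marketing Cloud integrations. Added example, not SAP code: keys and values come
from the page's tables; the profile table and the sample destinations are constructed."""
from urllib.parse import urlsplit

COMMON = {"Name", "Type", "URL", "ProxyType", "Authentication"}
PROFILE_KEYS = {
    "fieldglass": {"accessToken", "getRoleDetail"},
    "ibp": {"sap-client", "WRITE"},
    "marketing": {"sap-client", "WRITE"},
}
WRITE_PATH = {"ibp": "/sap/bc/srt/scs_ext/sap/managebusinessuserin",
              "marketing": "/sap/bc/srt/scs/sap/managebusinessuserin"}
EXPECTED = {"Type": "HTTP", "ProxyType": "Internet"}


def check_destination(dest, profile):
    """Return a list of findings; an empty list means the destination matches the page's table.
    dest = {"properties": {...}, "use_default_jdk_truststore": bool}; the flag models the cockpit checkbox."""
    props, findings = dest.get("properties", {}), []
    for key in sorted(COMMON | PROFILE_KEYS[profile]):
        if key not in props:
            findings.append(f"missing property {key}")
    for key, want in EXPECTED.items():
        if key in props and props[key] != want:
            findings.append(f"{key} should be {want!r}, got {props[key]!r}")
    for key, val in props.items():  # the page's caution: strings must be copied exactly
        if isinstance(val, str) and val != val.strip():
            findings.append(f"{key} has leading/trailing whitespace")
    url = props.get("URL", "")
    if url and urlsplit(url).scheme != "https":
        findings.append("URL must use https, otherwise the basic-auth credentials travel in clear")
    auth = props.get("Authentication")
    if auth == "BasicAuthentication":
        if not props.get("User") or not props.get("Password"):
            findings.append("BasicAuthentication requires User and Password")
    elif auth != "ClientCertificateAuthentication":  # the alternative the IBP section allows (SAPIBP_SCIM)
        findings.append(f"unexpected Authentication {auth!r}")
    if profile in WRITE_PATH and props.get("WRITE", WRITE_PATH[profile]) != WRITE_PATH[profile]:
        findings.append(f"WRITE should be {WRITE_PATH[profile]}")
    if "sap-client" in props and not str(props["sap-client"]).isdigit():
        findings.append("sap-client must be the numeric client, for example 100")
    if str(props.get("TrustAll", "false")).lower() == "true":
        findings.append("TrustAll disables server certificate validation; remove it")
    if not dest.get("use_default_jdk_truststore", False):
        findings.append("Use default JDK truststore must be checked")
    return findings


# Sample destinations, constructed for this example (values follow the page's tables).
FIELDGLASS_OK = {
    "properties": {
        "Name": "FieldGlassDest", "Type": "HTTP", "URL": "https://abc123.fgvms.com",
        "ProxyType": "Internet", "Authentication": "BasicAuthentication",
        "User": "fg-iag-svc", "Password": "********",
        "accessToken": "/api/oauth2/v2.0/token?grant_type=client_credentials&response_type=token",
        "getRoleDetail": "/api/vc/connector/Standard User Role Detail Download?__p1=",
    },
    "use_default_jdk_truststore": True,
}
IBP_BAD = {
    "properties": {
        "Name": "IBPCLOUD", "Type": "HTTP", "URL": "http://myXXXXXX-api.scmibp.ondemand.com",
        "ProxyType": "Internet", "Authentication": "BasicAuthentication", "User": "IAG-INTEGRATION",
        "sap-client": "100", "WRITE": "/sap/bc/srt/scs_ext/sap/managebusinessuserin ", "TrustAll": "true",
    },
    "use_default_jdk_truststore": False,
}

if __name__ == "__main__":
    for name, dest, profile in (("FieldGlassDest", FIELDGLASS_OK, "fieldglass"), ("IBPCLOUD", IBP_BAD, "ibp")):
        print(name, check_destination(dest, profile) or ["ok"])
```

Running the block prints an empty finding list for the Fieldglass sample and six findings for the deliberately broken IBP sample; feed it a dict built from your own destination's properties before saving it in the cockpit.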

13.16.4 Add Marketing Cloud Application

Create an application for SAP Marketing Cloud in the Applications app.

1. Log in to the SAP Cloud Identity Access Governance launchpad and open the Applications app.
2. Create an application for SAP Marketing Cloud. For Application Type, select SAP Marketing Cloud.
3. In the HCP Destination field, enter the name of the SAP BTP destination for SAP Marketing Cloud and Save.

13.16.5 Sync User Data and Provision Access Requests

In the SAP Cloud Identity Access Governance launchpad, open the Job Scheduler app. In the Job Category
dropdown list, schedule the following jobs:

• Repository Sync to synchronize the relevant data from SAP Marketing Cloud to the access request service.
In the Application dropdown list, select SAP Marketing Cloud.
• Provisioning to initiate the provisioning of access requests.

13.16.6 User ID Mapping

Configuration of User ID to Login Name mapping for SAP Cloud Identity Access Governance:

• Open the Configuration tile from the Administration group in the SAP Cloud Identity Access Governance Fiori
launchpad. Make sure there is an entry for USERIDGROUP.

Custom Field Configuration:

1. Open the Fiori launchpad in a Web browser.
2. Go to IAG Administration, Custom Field Groups, and open this tile.
3. Choose the + sign to create a new Custom Field Group.
4. Provide a Name and Description.
5. Select the Process as Access Request.
6. Select the Entity Type as Application Type.
7. Select the Entity Type Value as SAP Marketing Cloud from the F4 Help dialog window.
8. Select the Status checkbox to make this active.
9. Save this data using the Save button.

10. Go to the Custom Field tile on the Administration tab.
11. Choose the + icon to create a new custom field.
12. On the next screen, provide the following inputs:

Name Any name

Description Any description

Label Any label

Input Type Select Input Text

Data Type Select String

Field Length 40

Status Select the checkbox

13. On the next tab, choose the Custom Field Group created in the first step. Save the custom field using the
Save button at the bottom.

After creating this configuration, there is a new custom field in Access Request that reads the login name
from the authentication system (for example, Identity Authentication). This field is blank if the login name is
not maintained; in that case, the same P-number is used for user provisioning.

13.17 SAP Sales Cloud and SAP Service Cloud (Deprecated)

The information in this section describes the procedure for connecting SAP Sales Cloud and SAP Service Cloud
(C4C) to the SAP Cloud Identity Access Governance solution and its services.

SAP Cloud Identity Access Governance is a cloud-based solution for creating self-service access requests for
on-premise and cloud applications and systems. By connecting to the SAP Cloud Identity Access Governance
solution, end users can initiate access requests for SAP Sales Cloud and SAP Service Cloud, which are then
provisioned to the C4C application.

13.17.1 Process Overview

There are three overall steps to enable integration between SAP Business Technology Platform (SAP BTP) and
the SAP Cloud Identity Access Governance solution and its services:

1. In the SAP BTP cockpit, set up a destination for SAP Sales Cloud and SAP Service Cloud.
2. In the SAP Cloud Identity Access Governance launchpad, use the Applications app to create an instance for
SAP Sales Cloud and SAP Service Cloud.
3. In the SAP Cloud Identity Access Governance launchpad, use the Job Scheduler app to sync user data and
provision access requests.

13.17.1.1 Create Proxy System

To create and configure a proxy system for SAP Sales Cloud and SAP Service Cloud, refer to SAP Cloud Identity
Services - Identity Provisioning and Identity Provisioning on SAP Cloud Identity Platform.

13.17.1.2 Create Destinations

In SAP BTP, create a destination for your SAP Sales Cloud and SAP Service Cloud instance. To do so, refer to
Connecting Identity Provisioning Tenant and Identity Provisioning on SAP Cloud Identity Platform.

13.17.1.3 Add SAP Sales Cloud and SAP Service Cloud System

Create a system for SAP Sales Cloud and SAP Service Cloud in the Applications app.

1. Log into the SAP Cloud Identity Access Governance launchpad and open the Applications app.

2. Create a system for SAP Sales Cloud and SAP Service Cloud. For Application Type, select SAP Sales Cloud
and SAP Service Cloud.
3. Enter the external system ID noted in the previous step, Create Proxy System, and Save.

13.17.1.4 Sync User Data and Provision Access Requests

In the SAP Cloud Identity Access Governance launchpad, open the Job Scheduler app. In the Job Category
dropdown list, schedule the following jobs:

• Repository Sync to synchronize the relevant data from SAP Sales Cloud and SAP Service Cloud to SAP
Cloud Identity Access Governance.
In the Application Type dropdown list, select SAP Sales Cloud and SAP Service Cloud.
In the Application dropdown list, select the configured SAP Sales Cloud and SAP Service Cloud system.
• Provisioning to initiate the provisioning of access requests.

13.18 SAP Sales Cloud and SAP Service Cloud v2

The information in this section describes the procedure for connecting SAP Sales Cloud and SAP Service Cloud
(C4C) v2 to the SAP Cloud Identity Access Governance solution and its services.

SAP Cloud Identity Access Governance is a cloud-based solution for creating self-service access requests for
on-premise and cloud applications and systems. By connecting to the solution, Cloud Foundry users can initiate
access requests, which are then provisioned to target applications.

13.18.1 Process Overview

There are three overall steps to enable integration between SAP Sales Cloud and SAP Service Cloud v2 and the
SAP Cloud Identity Access Governance solution and its services:

1. In the SAP BTP cockpit, set up a destination for SAP Sales Cloud and SAP Service Cloud v2.
2. In the SAP Cloud Identity Access Governance launchpad, use the Applications app to create an instance for
SAP Sales Cloud and SAP Service Cloud v2.
3. In the SAP Cloud Identity Access Governance launchpad, use the Job Scheduler app to sync user data and
provision access requests.

Prerequisites

• To configure SAP Cloud Platform Integration and SAP Sales Cloud and SAP Service Cloud, see: Cloud
Platform Integration for SAP Sales Cloud and SAP Service Cloud.

• To set up and use the SAP Cloud for Customer Integration with Identity Provisioning via System for
Cross-domain Identity Management package, see: API Business Hub: SAP Cloud for Customer Integration
with Identity Provisioning via System for Cross-domain Identity Management.

13.18.1.1 Create Destinations

In the SAP BTP cockpit, create a destination for the SAP Cloud Identity Access Governance tenant to enable
integration with SAP Cloud Platform Integration. Enter the following properties:

Parameter Value

Name* <Your destination name>

Type HTTP

URL* SAP Cloud Platform Integration system URL

ProxyType Internet

Authentication BasicAuthentication

User* SAP Cloud Platform Integration user ID to connect to SAP Cloud Platform Integration.

Password SAP Cloud Platform Integration password to connect to SAP Cloud Platform Integration.

Accept application/scim+json

GROUPSURL /Groups

serviceURL /http

USERSURL /Users

PageSize (optional) Default value 100, suggested range between 100 to 250

13.18.1.2 Add SAP Sales Cloud and SAP Service Cloud Application

Create an application for SAP Sales Cloud and SAP Service Cloud v2 in the Applications app.

1. Log into the SAP Cloud Identity Access Governance launchpad and open the Applications app.
2. Create an application for SAP Sales Cloud and SAP Service Cloud v2. For Application Type, select SAP
Sales Cloud and SAP Service Cloud v2.
3. Enter the destination name from the previous step, Create Destinations, and Save.

13.18.1.3 Sync User Data and Provision Access Requests

In the SAP Cloud Identity Access Governance launchpad, open the Job Scheduler app. In the Job Category
dropdown list, schedule the following jobs:

• Repository Sync to synchronize the relevant data from SAP Sales Cloud and SAP Service Cloud v2 to SAP
Cloud Identity Access Governance.
In the Application Type dropdown list, select SAP Sales Cloud and SAP Service Cloud v2.
In the Application dropdown list, select the configured SAP Sales Cloud and SAP Service Cloud v2
application.
If the Delta Sync checkbox is not selected, the job runs in Full Sync mode and synchronizes all active users
from the C4C application.
If the Delta Sync checkbox is selected, the job runs in Delta Sync mode and synchronizes only the users that
have change events after the last successfully run repository sync job.
Prerequisite for running in Delta Sync mode:
The CPI/C4C iFlow (SAP Cloud for Customer Integration with Identity Provisioning via System for
Cross-domain Identity Management) needs to be upgraded to the following versions:
User Replication via SCIM - Version 1.2.3
Get User Count - Version 1.0.1
• Provisioning to initiate the provisioning of access requests.

13.19 SAP SuccessFactors

You can configure integration for SAP SuccessFactors with the SAP Cloud Identity Access Governance solution
and its services (Access Request, Access Analysis, and Role Design). This enables users to create access
requests, design business roles, and analyze access risks for on-premise and cloud applications and systems.

13.19.1 Prerequisites

You have the following:

• An administrator account for the tenant on SAP BTP (Identity Authentication)
• An authenticated user for the SAP SuccessFactors system for the Company ID
• The SAP SuccessFactors API EmpJob needs to have the userNav personKeyNav userAccountNav user
data model relation enabled.
• Enter the authenticated user (technical user) for the SAP SuccessFactors system followed by the Company
ID, such as <UserID@CompanyID>. Refer to SAP Note 2937881.

13.19.2 Create Destinations

Log into the SAP BTP cockpit and navigate to your tenant. In the left-hand pane, click Connectivity
Destinations.

Create the following destinations.

Connection to SuccessFactors Source System [SuccessFactorsEC]

The source system is the destination and it describes the SAP SuccessFactors system where the HR user
information is stored.

 Note

If you are using this as a source system, you must enter the destination names exactly as described.
Otherwise, you can enter any desired name.

SuccessFactorsEC

Enter the following:

Parameter Value

Name* SuccessFactorsEC

Type HTTP

Description <Any Description>

URL* Enter the URL for the SuccessFactors system API service, such as <https://apisuccessfactors.com/>.
For more information, see SAP Note 2215682 and/or List of SAP SuccessFactors API Servers.

ProxyType Internet

Authentication BasicAuthentication (Select BasicAuthentication for the OAuth option.) For setting up
OAuth, refer to Authentication Using OAuth 2.0.

User* Enter the authenticated user for the SuccessFactors system followed by the Company ID, such as
<UserID@CompanyID>

APIKey To obtain this property value, refer to Manage OAuth2 Client Applications in SuccessFactors Admin
Center. (For each field, create a New Property under Additional Properties. Enter the field name as well as
its corresponding value manually.)

X509Certificate To obtain this property value, refer to Manage OAuth2 Client Applications in SuccessFactors
Admin Center. (For each field, create a New Property under Additional Properties. Enter the field name as
well as its corresponding value manually.) Download the certificate after you have registered the OAuth
client, take the private key part, and enter it here.

Password Password for the SuccessFactors API user. If you are using OAuth, you can enter any characters
and save.

Use default JDK truststore Select the checkbox

For information on how to use the destination service, see: Configure Destinations from the Cockpit

 Note

Only HTTP destinations are relevant for the destination service. For information on creating HTTP
connections, see: Create HTTP Destinations

13.19.3 Add SuccessFactors Application

Create an application for SAP SuccessFactors in the Applications app.

1. Log into the SAP Cloud Identity Access Governance launchpad and open the Applications app.
2. Create a system for SAP SuccessFactors. For Application Type, select SAP SuccessFactors.
3. In the HCP Destination field, enter the name of the SAP BTP destination for SAP SuccessFactors.
4. Save.

13.19.4 Sync User Data and Provision Access Requests

In the SAP Cloud Identity Access Governance launchpad, open the Job Scheduler app, and run the following
jobs:

• Repository Sync to synchronize the user data from the SAP SuccessFactors tenant. If you need to filter
the users that are synchronized from the SuccessFactors system to SAP Cloud Identity Access Governance,
you can maintain the application parameter ‘SUCCESSFACTORS_SYNC’. Refer to the application parameter
section Application Parameters [page 210] for more details.
In the Application Type field, select SAP SuccessFactors.
• Provisioning to provision the user and group assignments for the SAP SuccessFactors tenant.

13.20 SAP SuccessFactors Employee Central Payroll

The information in this section describes the procedure for connecting SAP SuccessFactors Employee Central
Payroll to the SAP Cloud Identity Access Governance solution and its services.

You can synchronize users, roles, and profiles from the Employee Central Payroll to SAP Cloud Identity Access
Governance. Furthermore, you can provision users and user role assignments to the Employee Central Payroll
system.

Prerequisites

• Implement the following notes for Employee Central Payroll:
• 2951824 REST service APIs for integration with SAP Cloud Identity Access Governance.
• 2954584 SAP IAG SICF REST Service.
• 2958309 IAG Repository Sync Role List with the Deleted Role.
• Generate a certificate if you want to use certificate authentication instead of basic authentication.

13.20.1 Process Overview

There are four overall steps to integrate Employee Central Payroll with the SAP Cloud Identity Access
Governance solution and its services:

Procedure

• Configure an Employee Central Payroll system.
• In the SAP Business Technology Platform (SAP BTP) cockpit, set up a destination for the Employee Central
Payroll system.
• In the SAP Cloud Identity Access Governance launchpad, use the Applications app to create an instance for
the Employee Central Payroll system.
• In the SAP Cloud Identity Access Governance launchpad, use the Job Scheduler app to sync user data and
provision access requests.

13.20.1.1 Create Certificate

Procedure

You can use the Cloud Identity Services - Identity Authentication to create a certificate. Use tools such as
KeyStore Explorer to convert a .p12 file to a .cer file.

 Note

You can ignore this step if you are using Basic Authentication for this integration scenario.

To create a certificate, proceed as follows:

1. Log on to Identity Authentication.
2. Go to Applications & Resources, Applications.
3. Choose an application.
4. Choose Certificate for API Authentication in the right panel.
5. In the section Generate certificate, enter a Common Name and Password.
6. Choose Generate to download a cer.p12 file. You can rename it to xxxx.p12 and save it to a suitable place.
Use a tool such as KeyStore Explorer to convert it to a xxxx.cer file.
7. Import the xxxx.cer file into Employee Central Payroll and map it to a connection user.

13.20.1.2 Configuration in SAP Employee Central Payroll

1. Create a SICF service
• Implement 2954584 SAP IAG SICF REST Service.
2. Create a connection user
The connection user must have the authorization in Employee Central Payroll to create and modify users,
reset passwords, and assign and unassign roles to users.
Refer to Required RFC User for SAP Cloud Identity Access Governance Services on Target System.
3. Assign a role to the connection user
1. Use transaction PFCG to create a role in Employee Central Payroll and assign it to the connection user.
To create the role, use the authorization object and the field values listed below:

Authorization Object SIAG_SRV
Authorization Field SIAG_ENT AUTHOBJECT, PROFILE, ROLE, USAGE, USER
Authorization Field ACTVT 01, 02, 03, 04, 05, 06

2. Assign the role to the connection user.

4. Map the certificate to the connection user
If you wish to use a certificate, import the certificate created in the previous step into Employee Central
Payroll and map it to the connection user in Employee Central Payroll.

13.20.1.3 Configuration in SAP Cloud Identity Access Governance

13.20.1.3.1 Create Destinations

Procedure

Configure Destination

There are two Employee Central Payroll host URLs: one for Basic Authentication and the other for Client
Certificate authentication.

1. Integration using Basic Authentication
Maintain a destination in the SAP BTP cockpit and enter the following values:

Parameter Value

Destination Type HTTP

URL Employee Central Payroll host URL for Basic Authentication. Append “/sap” to the host URL. (The host
URL is provided by Employee Central Payroll.)

ProxyType Internet

Authentication BasicAuthentication

User Connection user in Employee Central Payroll

Password Enter the password for the connection user

Under Additional Properties, add the following:

sap-client Client number for Employee Central Payroll

servicepath siagrestapi

Save your entries.

2. Configure a destination using a client certificate
Maintain a destination in the SAP BTP cockpit and enter the following values:

Parameter Value

Destination Type HTTP

URL Employee Central Payroll host URL for Client Certificate authentication. Append “/sap” to the host
URL. (The host URL is provided by Employee Central Payroll.)

ProxyType Internet

Authentication ClientCertificateAuthentication

KeyStore Location Upload the certificate xxxx.p12 you downloaded in the previous step.

KeyStore Password Enter the password you set when generating the certificate.

Under Additional Properties, add the following:

sap-client Client number for Employee Central Payroll

servicepath /iagrestapi

13.20.1.3.2 Add Connector

Configuring the SAP Cloud Identity Access Governance application (Connector)

1. Log into the SAP Cloud Identity Access Governance launchpad and open the Applications app to create a
new system for Employee Central Payroll.
2. Enter an Application Name.
3. For Application Type, select SAP ERP.
4. Enter a Description.
5. In the SAP BTP Destination field, enter one of the following names:
• If you are using basic authentication, enter the destination you maintained for Basic Authentication.
• If you are using a client certificate, enter the destination you maintained for Client Certificate
Authentication.
6. Save the system you have created.

13.20.1.4 Sync SAP SuccessFactors Employee Central Payroll Data to SAP Cloud Identity Access Governance and
Provision Access Requests

Syncing data from Employee Central Payroll to SAP Cloud Identity Access Governance

1. In the SAP Cloud Identity Access Governance launchpad, open the Job Scheduler app.
2. Enter a job name.

3. In the Job Category dropdown list, select Repository Sync.
4. In the Application Type dropdown list, select SAP ERP.
5. In the Application dropdown list, select the application (connector) you created.
6. Choose Schedule Job.
Provisioning to Employee Central Payroll
Refer to the following documentation for Access Request Service.
As an application type, select SAP ERP and then choose the application with the Employee Central Payroll
system you created.

13.21 SAP S/4HANA Cloud for advanced financial closing

The procedure for connecting SAP S/4HANA Cloud for advanced financial closing (AFC) to the SAP Cloud
Identity Access Governance solution and its services is similar to the one used for SAP Business Technology
Platform – Cloud Foundry. Refer to SAP Business Technology Platform - Cloud Foundry - SAP Help Portal to set
up the connector. Role Collections must be created in the SAP BTP Cloud Foundry cockpit and then mapped to
AFC roles.

13.22 SAP S/4HANA Cloud for SAP Intelligent Asset Enterprise

The procedure for connecting SAP S/4HANA Cloud for SAP Intelligent Asset Management to the SAP Cloud
Identity Access Governance solution and its services is similar to the one used for SAP Business Technology
Platform – Cloud Foundry. Refer to SAP Business Technology Platform - Cloud Foundry - SAP Help Portal to set
up the connector. Role Collections must be created in the SAP BTP Cloud Foundry cockpit and then mapped to
roles for SAP Intelligent Asset Management.

13.23 SAP S/4HANA Cloud

The information in this section describes the procedure for connecting your SAP S/4HANA Cloud tenant to
the SAP Cloud Identity Access Governance solution. This connection allows SAP S/4HANA Cloud users to
use the SAP Cloud Identity Access Governance services such as access request, access analysis, and features
such as auto-provisioning, and auditable workflows. The connection enables the SAP Cloud Identity Access
Governance solution to replicate data from the SAP S/4HANA Cloud tenant, and then provision user role
assignments to target applications.

The procedure consists of configuration steps on the SAP S/4HANA Cloud tenant, and on the SAP Business
Technology Platform (SAP BTP) tenant for SAP Cloud Identity Access Governance. The following is a summary
of the procedure steps. For details, see the respective sections.

On the SAP S/4HANA Cloud tenant do the following:

1. Create a communication user.
2. Create a communication system.
3. Create a communication arrangement, one for each communication scenario.

On the SAP BTP tenant, do the following:

1. Configure two destinations for the SAP S/4HANA Cloud tenant. One for repository sync and the other for
Identity Provisioning.
2. Run the sync job to replicate data from the SAP S/4HANA Cloud tenant.

Configuration on SAP S/4HANA Cloud Tenant [page 180]

Configuration Steps on the SAP BTP Tenant [page 184]

Create Destination for Identity Provisioning [page 187]

Add SAP S/4HANA Cloud Application [page 194]

Sync User Data and Provision Access Request [page 195]

Filter-Based on User attributes from SAP S/4HANA Cloud Application [page 195]

13.23.1 Configuration on SAP S/4HANA Cloud Tenant

The information in this section describes the prerequisites and procedures you carry out on SAP S/4HANA
Cloud to enable the integration.

Prerequisites

You must have completed the following prerequisites before you can begin the configuration tasks.

• Your SAP S/4HANA Cloud user has been assigned the business catalog SAP_CORE_BC_COM.
• You can use the business role template SAP_BR_ADMINISTRATOR.
• You have a signed SSL certificate from Verisign for your tenant or you can use basic authentication (user ID
and password) [optional].
The certificate is used to enable secure communication between the SAP S/4HANA Cloud tenant and the
SAP Business Technology Platform (SAP BTP) tenant for SAP Cloud Identity Access Governance.

Procedure

The configuration steps include the following:

1. Create a communication user and assign to it the SSL certificate.
2. Create a communication system to represent the SCP tenant account.
3. Create a communication arrangement, one for each communication scenario.

• SAP_COM_0066 for replication of data
• SAP_COM_0193 for provisioning

For more information on creating communication users and communication arrangements, see
Communication Management.

13.23.1.1 Create Communication User

Create a communication user and upload the SSL certificate. The private key is used to enable secure
communication.

 Note

For more information, refer to: SAP Cloud Identity Services - Identity Provisioning.

Option 1: SSL Certificate

1. Log onto your SAP S/4HANA Cloud tenant, and open group Communication Management.
2. Open Maintain Communication Users and choose New to create a Communication User

Parameter Value

User Name Enter a user name. Ex: IAG-INTEGRATION

Description Enter a meaningful description.

Password Enter a password and remember it for a later step.

Tip
Create a password via Propose Password to receive a password that satisfies the password rules.

3. Choose Upload Certificate and select the SSL Client Certificate from Verisign. For more information on
certificates, refer to Maintain Client Certificates.
4. Choose Create.

Option 2: Basic Authentication

1. Log onto your SAP S/4HANA Cloud tenant, and open group Communication Management.
2. Open Maintain Communication Users and choose New to create a Communication User.

Parameter Value

User Name Enter a user name. Ex: IAG-INTEGRATION

Description Enter a meaningful description.

Password Enter a password and remember it for a later step.

Tip
Create a password via Propose Password to receive a password that satisfies the password rules.

13.23.1.2 Create Communication System

Create a new communication system to represent your tenant account in SAP BTP.

Option 1: SSL Certificate

1. Start the app Communication Systems and choose New to create a Communication System representing
your tenant account.
2. Choose an Application ID and an Application Name to represent your SAP BTP account.
3. Choose Create.
4. Enter the hostname of your Provider Tenant ID for SAP Cloud Identity Access Governance. Enter only the
hostname without protocol and path. For example: xxxxx.us2.hana.ondemand.com.
5. Choose Save.
6. In the User for Inbound Communication section, choose the + button.
7. Select Authentication Method as SSL Client Certificate and add the communication user you created in the
previous step for the SSL Certificate option.

Option 2: Basic Authentication

 Note

Maintaining User for Outbound Communication is optional.

1. Start the Communication Systems app and choose New to create a Communication System representing
your tenant account.
2. Choose an Application ID and an Application Name to represent your SAP BTP account.
3. Choose Create.
4. Enter the hostname of your Provider Tenant ID for SAP Cloud Identity Access Governance. Enter only the
hostname without protocol and path. For example: xxxxx.us2.hana.ondemand.com.
5. Choose Save.
6. In the User for Inbound Communication section, choose the + button.
7. Select Authentication Method as User ID and Password and add the communication user you created in the
previous step for the Basic Authentication option.
8. In the User for Outbound Communication section, choose the + button.
9. Select Authentication Method as User ID and Password and add the communication user you created in the
previous step for the Basic Authentication option.

13.23.1.3 Create Communication Arrangement

Create a communication arrangement, one for each communication scenario. Two scenarios are available.

• SAP_COM_0066 for replication of data
• SAP_COM_0193 for provisioning

You may choose to implement one or both. To implement both, complete all the steps in this procedure to
create a communication arrangement for one, and then repeat the procedure again to create an arrangement
for the other.

1. Start the app Communication Arrangements, and click New Scenario.
2. Select a communication scenario, such as SAP_COM_0066 or SAP_COM_0193.
3. Select the Communication System you created in the previous step.
The other data is defined by the system.
4. Save the communication arrangement.

To implement another communication arrangement, repeat the procedure.

13.23.2 Configuration Steps on the SAP BTP Tenant

The information in this section describes the prerequisites and procedures you carry out on SAP BTP tenant to
enable the connection with the SAP S/4HANA Cloud tenant for repository sync.

Prerequisites

You must have completed the following prerequisites before you can begin the configuration tasks:

• You have completed the configuration steps for the SAP S/4HANA Cloud tenant.
• You have the SSL certificate from your SAP S/4HANA tenant (applicable only for certificate-based authentication).

13.23.2.1 Create New Destination for SAP S/4HANA Cloud

Create a new destination using Client Certificate Authentication or Basic Authentication.

Option 1: Client Certificate Authentication

1. In your tenant for SAP Cloud Identity Access Governance, go to the Subaccounts dropdown menu and
choose your subaccount.
2. Choose Connectivity Destinations in the navigation panel.
3. Choose New Destination and create the following destination.

Parameter Value

Name Enter a meaningful name.

Type HTTP

Description (Optional) Enter a meaningful description.

URL The service URL from the communication arrangement, such as https://xxx-api.s4hana.ondemand.com,
https://xxx-api.s4hana.cloud.sap, or https://xxx-api.s4hana.sapcloud.cn.

Proxy Type Internet

Authentication ClientCertificateAuthentication

4. Choose New Property and select sap-client and enter SAP S/4HANA client value.

Parameter Value

sap-client Enter the SAP S/4HANA Cloud system client.

WRITE Enter the SAP S/4HANA service: /sap/bc/srt/scs_ext/sap/managebusinessuserin

5. Choose the Upload and Delete Certificate link to upload the SSL certificate for your SAP S/4HANA tenant.
Select the file location of the SAP S/4HANA certificate. (This is the public key (xxxx.p12) generated from
the private key for the user in SAP S/4HANA.)
1. From the Key Store Location drop-down menu, select your keystore.
2. In the Key Store Password field, enter the keystore password.

6. Select the Use default JDK truststore checkbox.
7. Save your entries.

Option 2: Basic Authentication

1. In your tenant for SAP Cloud Identity Access Governance, go to the Subaccounts dropdown menu and
choose your subaccount.
2. Choose Connectivity Destinations in the navigation panel.
3. Choose New Destination and create the following destination.

Parameter Value

Name Enter a meaningful name.

Type HTTP

Description (Optional) Enter a meaningful description.

URL The service URL from the communication arrangement, such as https://xxx-api.s4hana.ondemand.com,
https://xxx-api.s4hana.cloud.sap, or https://xxx-api.s4hana.sapcloud.cn.

Proxy Type Internet

Authentication BasicAuthentication

User The name of the communication user you have in the SAP S/4HANA Cloud tenant.

Password The password for the communication user.

4. Choose New Property and select sap-client and enter SAP S/4HANA Cloud client value.

Parameter Value

sap-client Enter the SAP S/4HANA Cloud system client.

WRITE Enter the SAP S/4HANA service: /sap/bc/srt/scs_ext/sap/managebusinessuserin

5. Select the Use default JDK truststore checkbox.
6. Save your entries.
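The destination tables in this guide (SAP Marketing Cloud, SAP Sales Cloud and SAP Service Cloud v2, Employee Central Payroll, and the two SAP S/4HANA Cloud options above) all warn that the property names and values must be typed exactly. The following checker is an added example, not SAP's code or part of the destination service: it takes a destination as a dictionary of property names to values and reports deviations from the tables, including the near-miss spellings that a copy-and-paste slip produces. The two sample destinations are constructed; the URL, keystore file name and placeholders in them are assumptions.

```python
"""Added example (not SAP's code): checks hand-typed SAP BTP destination definitions
against the property tables in this guide (SAP Marketing Cloud, SAP Sales Cloud and
SAP Service Cloud v2, Employee Central Payroll, SAP S/4HANA Cloud). Samples are constructed."""

# Per application type: properties whose value must match exactly, plus "_required"
# properties that must be present but hold tenant-specific values.
PROFILES = {
    "SAP Marketing Cloud": {
        "WRITE": "/sap/bc/srt/scs/sap/managebusinessuserin",
        "_required": ("sap-client",),
    },
    "SAP Sales Cloud and SAP Service Cloud v2": {
        "Accept": "application/scim+json",
        "GROUPSURL": "/Groups",
        "USERSURL": "/Users",
        "serviceURL": "/http",
    },
    "Employee Central Payroll": {"_required": ("sap-client", "servicepath")},
    "SAP S/4HANA Cloud": {
        "WRITE": "/sap/bc/srt/scs_ext/sap/managebusinessuserin",
        "_required": ("sap-client",),
    },
}

# Credential properties that belong to each Authentication value.
AUTH_CREDENTIALS = {
    "BasicAuthentication": ("User", "Password"),
    "ClientCertificateAuthentication": ("KeyStore Location", "KeyStore Password"),
}


def check_destination(dest: dict, app_type: str) -> list:
    """Return findings for one destination; an empty list means it matches the
    tables in this guide. Names and values are compared case-sensitively."""
    findings = []
    # Properties every table in the guide sets the same way.
    if dest.get("Type") != "HTTP":
        findings.append("Type must be HTTP")
    if dest.get("ProxyType") != "Internet":
        findings.append("ProxyType must be Internet")
    if not dest.get("URL", "").startswith("https://"):
        findings.append("URL must start with https://")

    # Authentication must be spelled exactly; a near miss gets a hint.
    auth = dest.get("Authentication", "")
    if auth not in AUTH_CREDENTIALS:
        hint = next((k for k in AUTH_CREDENTIALS if k.lower() == auth.lower()), None)
        msg = f"Authentication '{auth}' is not a value used in this guide"
        findings.append(msg + (f"; did you mean '{hint}'?" if hint else ""))
    else:
        for key in AUTH_CREDENTIALS[auth]:
            if not dest.get(key):
                findings.append(f"{auth} requires property '{key}'")
        # A certificate destination should not also carry a user password.
        if auth == "ClientCertificateAuthentication" and dest.get("Password"):
            findings.append("Password is set on a certificate destination; remove it")

    # Application-specific additional properties, compared byte for byte.
    profile = PROFILES[app_type]
    for key, expected in profile.items():
        if key == "_required":
            continue
        actual = dest.get(key)
        if actual is None:
            findings.append(f"missing additional property '{key}'")
        elif actual != expected:
            findings.append(f"'{key}' is '{actual}', expected '{expected}'")
    for key in profile.get("_required", ()):
        if not dest.get(key):
            findings.append(f"missing additional property '{key}'")

    # PageSize is optional; the guide suggests 100 to 250.
    if "PageSize" in dest:
        try:
            size = int(dest["PageSize"])
        except ValueError:
            findings.append("PageSize must be an integer")
        else:
            if not 100 <= size <= 250:
                findings.append(f"PageSize {size} is outside the suggested range 100-250")
    return findings


# Constructed samples: a correct certificate destination for SAP S/4HANA Cloud, and a
# C4C v2 destination with the kind of typing slips the Caution in this guide warns about.
GOOD_S4HANA = {
    "Name": "S4HC_REPOSITORY", "Type": "HTTP", "ProxyType": "Internet",
    "URL": "https://myXXXXXX-api.s4hana.ondemand.com",
    "Authentication": "ClientCertificateAuthentication",
    "KeyStore Location": "s4hc-commuser.p12", "KeyStore Password": "<placeholder>",
    "sap-client": "100", "WRITE": "/sap/bc/srt/scs_ext/sap/managebusinessuserin",
}
BAD_C4C_V2 = {
    "Name": "C4C_V2", "Type": "HTTP", "ProxyType": "Internet",
    "URL": "http://cpi-tenant.example.invalid",      # plain http
    "Authentication": "Basicauthentication",         # wrong case
    "User": "cpi-user", "Password": "<placeholder>",
    "Accept": "application/json",                    # not the SCIM media type
    "GROUPSURL": "/Groups", "USERSURL": "/Users",    # serviceURL forgotten
    "PageSize": "500",                               # above the suggested range
}
```

Run `check_destination(BAD_C4C_V2, "SAP Sales Cloud and SAP Service Cloud v2")` to see the five findings; the S/4HANA sample returns an empty list.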

13.23.3 Create Destination for Identity Provisioning

In the SAP Business Technology Platform (SAP BTP), create a destination to provision to SAP S/4HANA Cloud.

To do so, refer to Connecting Identity Provisioning Tenant [page 20] and Identity Provisioning on SAP Cloud
Identity Platform.

13.23.3.1 Create Proxy System for SAP S/4HANA Cloud

Prerequisite:

To connect the SAP Cloud Identity Access Governance solution with SAP Cloud Identity Services - Identity
Provisioning, refer to Connecting Identity Provisioning.

1. Open your Identity Provisioning Launchpad in the navigation panel.


2. Add a proxy system for SAP S/4HANA Cloud.
3. Select Type as SAP S/4HANA Cloud.
4. Enter the Application Name and Description.
5. In the Properties section, enter the following values:

Property Value

Type HTTP

URL The API URL as defined in your communication arrangement. The API URL usually carries an "-api" suffix in the hostname compared with the application URL, for example https://myXXXXXX-api.s4hana.ondemand.com or https://myXXXXXX-api.cloud.sap.

ProxyType Internet

Authentication BasicAuthentication

User The name of the communication user in the SAP S/4HANA Cloud tenant.

Password The password of the communication user.

s4hana.cloud.api.version 1

s4hana.cloud.skip.read.archived true

s4hana.cloud.hr.switch.active true

s4hana.cloud.hr.switch.dependent.role.codes BUP003, BBP010, BBP005

s4hana.cloud.user.roles.overwrite false

ips.date.variable.format yyyy-MM-dd

ips.trace.failed.entity.content false

6. Modify the read and write transformations as follows so that SAP Cloud Identity Access Governance can read from and provision to SAP S/4HANA Cloud:

Read Transformation

{
  "user": {
    "mappings": [
      {
        "sourcePath": "$.personID",
        "targetPath": "$.id",
        "targetVariable": "entityIdSourceSystem"
      },
      {
        "sourcePath": "$.user.role[*].roleName",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.groups[?(@.value)]"
      },
      {
        "sourceVariable": "entityBaseLocation",
        "targetPath": "$.meta.location",
        "targetVariable": "entityLocationSourceSystem",
        "functions": [
          {
            "type": "concatString",
            "suffix": "${entityIdSourceSystem}"
          }
        ]
      },
      {
        "sourcePath": "$.personalInformation.firstName",
        "optional": true,
        "targetPath": "$.name.givenName"
      },
      {
        "sourcePath": "$.personalInformation.lastName",
        "optional": true,
        "targetPath": "$.name.familyName"
      },
      {
        "sourcePath": "$.personalInformation.middleName",
        "optional": true,
        "targetPath": "$.name.middleName"
      },
      {
        "sourcePath": "$.personalInformation.personFullName",
        "optional": true,
        "targetPath": "$.name.formatted"
      },
      {
        "sourcePath": "$.user.userName",
        "optional": true,
        "targetPath": "$.userName",
        "correlationAttribute": true
      },
      {
        "constant": true,
        "targetPath": "$.active"
      },
      {
        "condition": "$.user.lockedIndicator == 'X'",
        "constant": false,
        "optional": true,
        "targetPath": "$.active"
      },
      {
        "sourcePath": "$.workplaceInformation.emailAddress",
        "optional": true,
        "targetPath": "$.emails[0].value",
        "correlationAttribute": true
      },
      {
        "sourcePath": "$.user.logonLanguageCode",
        "optional": true,
        "targetPath": "$.locale"
      },
      {
        "sourcePath": "$.personExternalID",
        "optional": true,
        "targetPath": "$.personExternalID",
        "correlationAttribute": true
      },
      {
        "targetPath": "$.timeZone",
        "type": "valueMapping",
        "sourcePaths": [
          "$.user.timeZoneCode"
        ],
        "defaultValue": "Europe/Berlin",
        "valueMappings": [
          { "key": [ "UTC" ], "mappedValue": "Etc/UTC" },
          { "key": [ "EST" ], "mappedValue": "America/New_York" },
          { "key": [ "UTC+8" ], "mappedValue": "Asia/Shanghai" },
          { "key": [ "BRAZIL" ], "mappedValue": "America/Sao_Paulo" },
          { "key": [ "MSTNO" ], "mappedValue": "America/Phoenix" },
          { "key": [ "AUSNSW" ], "mappedValue": "Australia/Sydney" },
          { "key": [ "BRZLEA" ], "mappedValue": "America/Sao_Paulo" },
          { "key": [ "WDFT" ], "mappedValue": "Europe/Berlin" },
          { "key": [ "JAPAN" ], "mappedValue": "Asia/Tokyo" },
          { "key": [ "ISRAEL" ], "mappedValue": "Asia/Jerusalem" },
          { "key": [ "UTC+4" ], "mappedValue": "Asia/Dubai" },
          { "key": [ "EST_" ], "mappedValue": "America/Toronto" },
          { "key": [ "RUS03" ], "mappedValue": "Europe/Moscow" },
          { "key": [ "UTC+3" ], "mappedValue": "Asia/Riyadh" }
        ]
      },
      {
        "targetPath": "$.userType",
        "type": "valueMapping",
        "sourcePaths": [
          "$.businessPartnerRoleCode"
        ],
        "defaultValue": "Employee",
        "valueMappings": [
          { "key": [ "BBP005" ], "mappedValue": "Service Performer" },
          { "key": [ "BUP003" ], "mappedValue": "Employee" },
          { "key": [ "BBP010" ], "mappedValue": "Freelancer" }
        ]
      }
    ],
    "scimEntityEndpoint": "Users"
  },
  "group": {
    "mappings": [
      {
        "sourcePath": "$.ID",
        "targetPath": "$.id",
        "targetVariable": "entityIdSourceSystem"
      },
      {
        "sourceVariable": "entityBaseLocation",
        "targetPath": "$.meta.location",
        "targetVariable": "entityLocationSourceSystem",
        "functions": [
          {
            "type": "concatString",
            "suffix": "${entityIdSourceSystem}"
          }
        ]
      },
      {
        "constant": "urn:ietf:params:scim:schemas:core:2.0:Group",
        "targetPath": "$.schemas[0]"
      },
      {
        "sourcePath": "$.ID",
        "targetPath": "$.displayName"
      },
      {
        "sourcePath": "$.to_BusinessUserAssignment.results",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.members"
      },
      {
        "targetPath": "$.members[*].__metadata",
        "type": "remove"
      },
      {
        "constant": "value",
        "targetPath": "$.members[*].PersonID",
        "type": "rename"
      },
      {
        "constant": "user",
        "targetPath": "$.members[*].type"
      }
    ],
    "scimEntityEndpoint": "Groups"
  }
}

Write Transformation

{
  "user": {
    "mappings": [
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['employeeNumber']",
        "targetPath": "$.personExternalID"
      },
      {
        "sourceVariable": "entityIdTargetSystem",
        "targetPath": "$.personID"
      },
      {
        "targetPath": "$.businessPartnerRoleCode",
        "type": "valueMapping",
        "sourcePaths": [
          "$.userType"
        ],
        "defaultValue": "BUP003",
        "valueMappings": [
          { "key": [ "Employee" ], "mappedValue": "BUP003" },
          { "key": [ "Freelancer" ], "mappedValue": "BBP010" },
          { "key": [ "Service Performer" ], "mappedValue": "BBP005" }
        ]
      },
      {
        "sourceVariable": "currentDate",
        "targetPath": "$.validityPeriod.startDate",
        "scope": "createEntity"
      },
      {
        "constant": "9999-12-31",
        "targetPath": "$.validityPeriod.endDate",
        "scope": "createEntity"
      },
      {
        "sourcePath": "$.name.givenName",
        "optional": true,
        "targetPath": "$.personalInformation.firstName"
      },
      {
        "sourcePath": "$.name.familyName",
        "optional": true,
        "targetPath": "$.personalInformation.lastName"
      },
      {
        "sourcePath": "$.name.middleName",
        "optional": true,
        "targetPath": "$.personalInformation.middleName"
      },
      {
        "sourcePath": "$.name.formatted",
        "optional": true,
        "targetPath": "$.personalInformation.personFullName"
      },
      {
        "sourcePath": "$.userName",
        "targetPath": "$.user.userName"
      },
      {
        "sourcePath": "$.locale",
        "optional": true,
        "targetPath": "$.user.logonLanguageCode"
      },
      {
        "sourcePath": "$.groups[*].value",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.user.role[?(@.roleName)]"
      },
      {
        "sourcePath": "$.emails[0].value",
        "optional": true,
        "targetPath": "$.workplaceInformation.emailAddress"
      },
      {
        "condition": "$.active == false",
        "constant": "X",
        "targetPath": "$.user.lockedIndicator"
      }
    ],
    "scimEntityEndpoint": "Users"
  },
  "group": {
    "mappings": [],
    "scimEntityEndpoint": "Groups"
  }
}

7. Save your entries.
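To make the mapping semantics of the read transformation concrete, here is an added example; it is not SAP code and not the Identity Provisioning engine. It is a small Python evaluator for the subset of mapping directives the read transformation uses (sourcePath with dotted paths and numeric indexes, constant, optional, condition in the form $.a.b == 'X', and valueMapping with sourcePaths and defaultValue), applied to a constructed S/4HANA-shaped business user record. It does not implement JSONPath filters or [*] wildcards, so the role-to-group and group mappings are omitted. It shows the two things a practitioner usually has to verify by hand before switching on a proxy system: that the ordering of the two $.active mappings turns a locked user (lockedIndicator 'X') into active=false, and that unknown timeZoneCode and businessPartnerRoleCode values fall back to the defaultValue instead of failing.

```python
# Added example, not SAP code: a mini evaluator for the subset of Identity
# Provisioning mapping directives used in the read transformation above.
# Supports dotted paths with numeric indexes, "constant", "optional",
# "condition" of the form "$.a.b == 'X'" and "valueMapping"; it does NOT
# implement JSONPath filters ([?(...)]) or [*] wildcards.
import json
import re
from typing import Any

# Constructed sample record shaped like the S/4HANA Cloud business user
# the read transformation expects (not real data).
SAMPLE_BUSINESS_USER = {
    "personID": "100042",
    "personExternalID": "E-100042",
    "businessPartnerRoleCode": "BBP010",
    "personalInformation": {"firstName": "Ada", "lastName": "Lovelace"},
    "workplaceInformation": {"emailAddress": "ada@example.invalid"},
    "user": {"userName": "ALOVELACE", "lockedIndicator": "X",
             "logonLanguageCode": "EN", "timeZoneCode": "UTC+8"},
}

# Mappings copied from the page's read transformation (a subset). Order
# matters: the conditional $.active mapping must follow the constant one.
READ_USER_MAPPINGS = [
    {"sourcePath": "$.personID", "targetPath": "$.id"},
    {"sourcePath": "$.personalInformation.firstName", "optional": True,
     "targetPath": "$.name.givenName"},
    {"sourcePath": "$.personalInformation.lastName", "optional": True,
     "targetPath": "$.name.familyName"},
    {"sourcePath": "$.personalInformation.middleName", "optional": True,
     "targetPath": "$.name.middleName"},
    {"sourcePath": "$.user.userName", "optional": True,
     "targetPath": "$.userName", "correlationAttribute": True},
    {"constant": True, "targetPath": "$.active"},
    {"condition": "$.user.lockedIndicator == 'X'", "constant": False,
     "optional": True, "targetPath": "$.active"},
    {"sourcePath": "$.workplaceInformation.emailAddress", "optional": True,
     "targetPath": "$.emails[0].value"},
    {"targetPath": "$.timeZone", "type": "valueMapping",
     "sourcePaths": ["$.user.timeZoneCode"], "defaultValue": "Europe/Berlin",
     "valueMappings": [{"key": ["UTC"], "mappedValue": "Etc/UTC"},
                       {"key": ["UTC+8"], "mappedValue": "Asia/Shanghai"}]},
    {"targetPath": "$.userType", "type": "valueMapping",
     "sourcePaths": ["$.businessPartnerRoleCode"], "defaultValue": "Employee",
     "valueMappings": [{"key": ["BBP005"], "mappedValue": "Service Performer"},
                       {"key": ["BUP003"], "mappedValue": "Employee"},
                       {"key": ["BBP010"], "mappedValue": "Freelancer"}]},
]

_TOKEN = re.compile(r"\.?([A-Za-z_][A-Za-z0-9_]*)|\[(\d+)\]")
_COND = re.compile(r"^(\$[\w.\[\]]+)\s*==\s*'([^']*)'$")
_MISSING = object()


def _tokens(path: str) -> list:
    """'$.emails[0].value' -> ['emails', 0, 'value']."""
    if not path.startswith("$"):
        raise ValueError(f"path must start with $: {path}")
    return [int(idx) if idx else name for name, idx in _TOKEN.findall(path[1:])]


def _get(obj: Any, path: str) -> Any:
    for tok in _tokens(path):
        try:
            obj = obj[tok]
        except (KeyError, IndexError, TypeError):
            return _MISSING
    return obj


def _set(obj: Any, path: str, value: Any) -> None:
    """Create intermediate dicts/lists as needed, like a JSONPath target."""
    toks = _tokens(path)
    for tok, nxt in zip(toks, toks[1:]):
        child = [] if isinstance(nxt, int) else {}
        if isinstance(tok, int):
            obj.extend([None] * (tok + 1 - len(obj)))
            obj[tok] = obj[tok] if obj[tok] is not None else child
        else:
            obj.setdefault(tok, child)
        obj = obj[tok]
    last = toks[-1]
    if isinstance(last, int):
        obj.extend([None] * (last + 1 - len(obj)))
    obj[last] = value


def apply_mappings(source: dict, mappings: list) -> dict:
    target: dict = {}
    for m in mappings:
        if "condition" in m:
            cond = _COND.match(m["condition"])
            if not cond:
                raise ValueError(f"unsupported condition: {m['condition']}")
            if _get(source, cond.group(1)) != cond.group(2):
                continue
        if m.get("type") == "valueMapping":
            key = _get(source, m["sourcePaths"][0])
            value = next((vm["mappedValue"] for vm in m["valueMappings"]
                          if key in vm["key"]), m["defaultValue"])
        elif "constant" in m:
            value = m["constant"]
        else:
            value = _get(source, m["sourcePath"])
            if value is _MISSING:
                if m.get("optional"):
                    continue  # optional attributes are simply skipped
                raise KeyError(f"required attribute missing: {m['sourcePath']}")
        _set(target, m["targetPath"], value)
    return target


def read_business_user(record: dict) -> dict:
    """Apply the read transformation subset to one S/4HANA business user."""
    return apply_mappings(record, READ_USER_MAPPINGS)


if __name__ == "__main__":
    print(json.dumps(read_business_user(SAMPLE_BUSINESS_USER), indent=2))
```

Running the block prints the SCIM-style user that the subset produces for the constructed record: active is false because the conditional mapping overwrites the constant true, timeZone is Asia/Shanghai, and userType is Freelancer. Swapping the lockedIndicator for an empty string and the timeZoneCode for a code not in the table yields active true and the Europe/Berlin default, which is the fallback behaviour you should expect from the real transformation as well.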

Note

Copy the external system ID and use it to set up the SAP S/4HANA Cloud instance in the Applications app
in the next section, Add SAP S/4HANA Cloud Application.

13.23.4 Add SAP S/4HANA Cloud Application

Create an application for the SAP S/4HANA Cloud in the Applications app.

Creating a new application:

1. Log into the SAP Cloud Identity Access Governance launchpad and open the Applications app.
2. Create an application for SAP S/4HANA Cloud. For the Application Type, select SAP S/4HANA Cloud.
3. In the HCP Destination field, enter the name of the SAP S/4HANA Cloud destination created in the
section Create New Destination for the Tenant.
4. Enter the external system ID noted in the section Create Proxy System for SAP S/4HANA Cloud.
5. Save your entries.

Updating an existing SAP S/4HANA Cloud Application

Note

Perform the following steps only if the SAP S/4HANA Cloud application was created in SAP Cloud Identity
Access Governance before the 1911 release.

1. Select the SAP S/4HANA Cloud system configured in the previous release.

2. Select Edit.
3. Enter the external system ID noted in the previous section Create Proxy System for SAP S/4HANA Cloud.
4. Save your entries.

13.23.5 Sync User Data and Provision Access Request

In the SAP Cloud Identity Access Governance launchpad, open the Job Scheduler app and schedule the following jobs:

• Repository Sync to synchronize the relevant data from Identity Authentication to the access request
service.
1. In the Job Name field, enter a job name.
2. In the Job Category field, select Repository Sync.
3. In the Recurring Job field, select No.
4. In the Start Immediately field, select Yes.
5. In the Application Type field, select SAP S/4HANA Cloud.
6. In the Applications field, select the application you created.
7. Choose Schedule Job. The job status and log can be checked in the Job History app.

Note

To schedule a recurring job for both Repository Sync and Provisioning, refer to SAP Note 2859618 for
recommendations on the frequency of the jobs.

• Provisioning to initiate the provisioning of access requests.
1. In the Job Name field, enter a job name.
2. In the Job Category field, select Provisioning.
3. In the Recurring Job field, select No.
4. In the Start Immediately field, select Yes.
5. Choose Schedule Job. The job status and log can be checked in the Job History app.

13.23.6 Filter Based on User Attributes from the SAP S/4HANA Cloud Application

To keep the number of users handled by SAP Cloud Identity Access Governance manageable, you can filter the
data synchronized from the SAP S/4HANA Cloud application during repository synchronization based on specific
user attributes. Users that already exist in SAP Cloud Identity Access Governance can be excluded or deleted
by selecting the Exclude option.

• Attribute-Based Filtering
Administrators can manage the filters to be applied during synchronization directly from the application
screen.

• Synchronization
The selected filters are applied in real-time during the synchronization process, ensuring only the relevant
users are synchronized to SAP Cloud Identity Access Governance.
• Audit Logging
All filtering actions and attributes are logged for audit purposes, including details on the filters being
applied.

13.24 SAP S/4HANA (on-premise)

This section describes the procedure for connecting SAP S/4HANA On-Premise to the SAP Cloud Identity
Access Governance solution and its services. SAP Cloud Identity Access Governance is a cloud-based service for
creating self-service access requests for on-premise and cloud applications and systems. By connecting to the
SAP Cloud Identity Access Governance solution, end users can initiate access requests for SAP S/4HANA
On-Premise, which are then provisioned to the SAP S/4HANA On-Premise application.

Prerequisites

Ensure you have completed enablement and configuration for the SAP Cloud Identity Access Governance
solution.

13.24.1 Process Overview

There are three overall steps to enable integration between SAP S/4HANA on-premise systems and the SAP
Cloud Identity Access Governance solution and its services:

1. In the SAP Business Technology Platform (SAP BTP), set up a destination for the SAP S/4HANA on-premise
system.
2. In the SAP Cloud Identity Access Governance launchpad, use the Systems app to create an instance for the
SAP S/4HANA on-premise system.
3. In the SAP Cloud Identity Access Governance launchpad, use the Job Scheduler app to sync user data and
provision access requests.

13.24.1.1 Install Cloud Connector and Set Destinations

If you have not already done so, install the Cloud Connector to enable secure communication between the
access request service and the SAP S/4HANA on-premise system.

Make sure to select the ProxyType OnPremise.

For Prerequisites, refer to the topic: Prerequisites and Technical Requirements.

For the procedure, refer to the topic: Maintaining Cloud Connector for On-Premise Scenario.

13.24.1.2 Add SAP S/4HANA Application

Create an application for SAP S/4HANA in the Applications app.

1. Log into the SAP Cloud Identity Access Governance launchpad and open the Applications app.
2. Create an application for SAP S/4HANA. For Application Type, select SAP S/4HANA On-Premise.
3. In the HCP Destination field, enter the name of the SAP S/4HANA destination from SAP Business
Technology Platform (SAP BTP) and Save.

13.24.1.3 Sync User Data and Provision Requests

In the SAP Cloud Identity Access Governance launchpad, open the Job Scheduler app, and schedule the
following jobs:

• Repository Sync to synchronize the relevant data from SAP S/4HANA system to the access request
service.
• Provisioning to initiate the provisioning of access requests.

13.24.1.4 Filter Based on User Attributes from the S/4HANA On-Premise Application

To keep the number of users handled by SAP Cloud Identity Access Governance manageable, you can filter the
data synchronized from the SAP S/4HANA on-premise application during repository synchronization based on
specific user attributes. Users that already exist in SAP Cloud Identity Access Governance can be excluded
or deleted by selecting the Exclude option.

• Attribute-Based Filtering
Administrators can manage the filters to be applied during synchronization directly from the application
screen.
• Synchronization
The selected filters are applied in real-time during the synchronization process, ensuring only the relevant
users are synchronized to SAP Cloud Identity Access Governance.
• Audit Logging
All filtering actions and attributes are logged for audit purposes, including details on the filters being
applied.

13.25 SCIM Application

This section describes the procedure for connecting a SCIM system to the SAP Cloud Identity Access
Governance solution and its services. SAP Cloud Identity Access Governance is a cloud solution for creating
self-service access requests for on-premise and cloud applications and systems. By connecting to the SAP
Cloud Identity Access Governance solution, end users can initiate access requests for the SCIM application,
which are then provisioned to it.

13.25.1 Process Overview

There are five overall steps for integrating the SCIM system with the SAP Cloud Identity Access Governance
solution and its services:

1. In the Identity Provisioning service, create a proxy system to connect to the SCIM system.
2. In SAP BTP, set up a destination for Identity Provisioning (destination name IPS_PROXY).
3. In the SAP Cloud Identity Access Governance launchpad, use the Connector Type app to create a custom
connector type for the SCIM System.
4. In the SAP Cloud Identity Access Governance launchpad, use the Systems app to create an instance for the
SCIM System.
5. In the SAP Cloud Identity Access Governance launchpad, use the Job Scheduler app to sync user data and
provision access requests.

13.25.1.1 Create Proxy System

Create a proxy system to enable the SCIM System to connect with Identity Provisioning.

Procedure

1. Log into the SAP BTP cockpit and open your Identity Provisioning launchpad.
2. Copy the external application ID and use it to set up the SCIM system instance in the Applications app in
the section Add SCIM Application.
3. Add a proxy system for the SCIM system and choose Save. For more details, refer to SCIM System.

Note

The SCIM system must support all standard SCIM API features, including modifying group membership through
PATCH /Groups on the members attribute. For user creation, the following SCIM User attributes are supported:
userName, displayName, name (givenName and familyName), and emails (one primary email).

4. Select Properties and add the following values:

Name Value

URL The URL of the SCIM system.

Proxy Type Internet

Authentication BasicAuthentication

User The name of the user that accesses the SCIM system.

Password The password of that user.

OAuth2TokenServiceURL Only if the SCIM system requires OAuth authentication: the URL of the access token provider service for OAuth HTTP destinations.

scim.support.patch.operation true

5. To read and provision, modify the read and write transformations for SAP Cloud Identity Access Governance as follows:

Read Transformation

{
  "user": {
    "mappings": [
      {
        "sourcePath": "$",
        "targetPath": "$"
      },
      {
        "sourcePath": "$.id",
        "targetVariable": "entityIdSourceSystem"
      },
      {
        "sourceVariable": "entityBaseLocation",
        "targetPath": "$.meta.location",
        "targetVariable": "entityLocationSourceSystem",
        "functions": [
          {
            "type": "concatString",
            "suffix": "${entityIdSourceSystem}"
          }
        ]
      },
      {
        "sourcePath": "$.userName",
        "targetPath": "$.userName",
        "correlationAttribute": true
      },
      {
        "sourcePath": "$.emails[0].value",
        "optional": true,
        "targetPath": "$.emails[0].value"
      },
      {
        "sourcePath": "$.emails[?(@.primary==true)].value",
        "optional": true,
        "correlationAttribute": true
      }
    ],
    "scimEntityEndpoint": "Users"
  },
  "group": {
    "mappings": [
      {
        "sourcePath": "$",
        "targetPath": "$"
      },
      {
        "sourcePath": "$.id",
        "targetVariable": "entityIdSourceSystem"
      },
      {
        "sourceVariable": "entityBaseLocation",
        "targetPath": "$.meta.location",
        "targetVariable": "entityLocationSourceSystem",
        "functions": [
          {
            "type": "concatString",
            "suffix": "${entityIdSourceSystem}"
          }
        ]
      }
    ],
    "scimEntityEndpoint": "Groups"
  }
}

Write Transformation

{
  "user": {
    "mappings": [
      {
        "sourceVariable": "entityIdTargetSystem",
        "targetPath": "$.id"
      },
      {
        "constant": "urn:ietf:params:scim:schemas:core:2.0:User",
        "targetPath": "$.schemas[0]"
      },
      {
        "sourcePath": "$.userName",
        "targetPath": "$.externalId"
      },
      {
        "sourcePath": "$.userName",
        "targetPath": "$.userName"
      },
      {
        "sourcePath": "$.displayName",
        "targetPath": "$.displayName"
      },
      {
        "sourcePath": "$.name",
        "targetPath": "$.name"
      },
      {
        "sourcePath": "$.active",
        "targetPath": "$.active"
      },
      {
        "sourcePath": "$.emails[0]",
        "targetPath": "$.emails[0]"
      },
      {
        "condition": "$.emails[0].length() > 0",
        "constant": true,
        "targetPath": "$.emails[0].primary"
      },
      {
        "sourcePath": "$",
        "targetPath": "$",
        "scope": "patchEntity"
      }
    ],
    "scimEntityEndpoint": "Users"
  },
  "group": {
    "mappings": [
      {
        "sourceVariable": "entityIdTargetSystem",
        "targetPath": "$.id"
      },
      {
        "constant": "urn:ietf:params:scim:schemas:core:2.0:Group",
        "targetPath": "$.schemas[0]"
      },
      {
        "sourcePath": "$.id",
        "targetPath": "$.id"
      },
      {
        "sourcePath": "$.displayName",
        "targetPath": "$.displayName"
      },
      {
        "sourcePath": "$.members",
        "targetPath": "$.members"
      },
      {
        "sourcePath": "$",
        "targetPath": "$",
        "scope": "patchEntity"
      }
    ],
    "scimEntityEndpoint": "Groups"
  }
}
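The note earlier in this section requires that the target SCIM system supports PATCH /Groups on the members attribute; with scim.support.patch.operation set to true, that is the call Identity Provisioning makes when an access request adds or removes a group assignment. The following added example (not SAP code and not the Identity Provisioning client) is a minimal in-memory implementation of that server-side capability following RFC 7644 section 3.5.2, so that you can check what a compliant target has to accept: add on the members path, remove by value list or by a members[value eq "..."] filter path, replace, and the requirement that a PatchOp with one bad operation is rejected as a whole. The group store and the request bodies are constructed sample data.

```python
# Added example, not SAP code and not the Identity Provisioning client: a
# minimal in-memory handler for SCIM 2.0 PATCH /Groups/{id} on the "members"
# attribute (RFC 7644, section 3.5.2), the capability the note above requires
# of the target SCIM system. Group store and requests are constructed.
import copy
import re

PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
_MEMBER_FILTER = re.compile(r'^members\[value eq "([^"]+)"\]$')

# Constructed sample group store, keyed by SCIM id.
GROUPS = {
    "g-sales": {"schemas": [GROUP_SCHEMA], "id": "g-sales",
                "displayName": "SALES_MANAGER",
                "members": [{"value": "u-1", "type": "User"}]},
}


class ScimError(Exception):
    def __init__(self, status: int, scim_type: str, detail: str):
        super().__init__(detail)
        self.status, self.scim_type, self.detail = status, scim_type, detail


def _error(status: int, scim_type: str, detail: str) -> dict:
    return {"schemas": [ERROR_SCHEMA], "status": str(status),
            "scimType": scim_type, "detail": detail}


def _add_members(members: list, values) -> None:
    if not isinstance(values, list):
        values = [values]
    present = {m["value"] for m in members}
    for v in values:
        if not isinstance(v, dict) or "value" not in v:
            raise ScimError(400, "invalidValue", "member needs a value")
        if v["value"] not in present:  # re-adding an existing member is a no-op
            members.append({"value": v["value"], "type": v.get("type", "User")})
            present.add(v["value"])


def _apply(group: dict, op: dict) -> None:
    name, path, value = str(op.get("op", "")).lower(), op.get("path"), op.get("value")
    if name == "add":
        if path is None:  # RFC 7644: without a path, value is an object of attributes
            if not isinstance(value, dict):
                raise ScimError(400, "invalidValue", "add without path needs an object")
            _add_members(group["members"], value.get("members", []))
        elif path == "members":
            _add_members(group["members"], value)
        else:
            raise ScimError(400, "invalidPath", f"unsupported path {path}")
    elif name == "remove":
        matched = _MEMBER_FILTER.match(path or "")
        if path == "members" and value is None:
            group["members"] = []  # the whole multi-valued attribute is removed
        elif path == "members":
            if not isinstance(value, list):
                raise ScimError(400, "invalidValue", "remove value must be a list")
            drop = {v.get("value") for v in value}
            group["members"] = [m for m in group["members"] if m["value"] not in drop]
        elif matched:  # members[value eq "..."] filter path
            group["members"] = [m for m in group["members"] if m["value"] != matched.group(1)]
        else:
            raise ScimError(400, "invalidPath", f"unsupported path {path}")
    elif name == "replace":
        if path != "members" or not isinstance(value, list):
            raise ScimError(400, "invalidPath", f"unsupported path {path}")
        group["members"] = []
        _add_members(group["members"], value)
    else:
        raise ScimError(400, "invalidSyntax", f"unknown op {name!r}")


def patch_group(store: dict, group_id: str, body: dict) -> tuple:
    """Return (HTTP status, response body) for PATCH /Groups/{group_id}."""
    if group_id not in store:
        return 404, {"schemas": [ERROR_SCHEMA], "status": "404",
                     "detail": f"group {group_id} not found"}
    if PATCH_OP_SCHEMA not in body.get("schemas", []) or not isinstance(body.get("Operations"), list):
        return 400, _error(400, "invalidSyntax", "PatchOp schema and Operations required")
    work = copy.deepcopy(store[group_id])  # apply atomically: all operations or none
    try:
        for op in body["Operations"]:
            _apply(work, op)
    except ScimError as e:
        return e.status, _error(e.status, e.scim_type, e.detail)
    store[group_id] = work
    return 200, work


if __name__ == "__main__":
    demo = copy.deepcopy(GROUPS)
    print(patch_group(demo, "g-sales", {"schemas": [PATCH_OP_SCHEMA], "Operations": [
        {"op": "add", "path": "members", "value": [{"value": "u-2"}]}]}))
```

The atomic apply (work on a deep copy, commit only if every operation succeeds) is the part most home-grown SCIM endpoints get wrong; a provisioning job that retries a half-applied PatchOp can otherwise leave a user in a group that the access request never granted.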

13.25.1.2 Create Destinations

In SAP BTP, create the IPS_PROXY destination for the SAP Cloud Identity Access Governance tenant if it does not
already exist.

To do so, refer to Connecting Identity Provisioning Tenant and Identity Provisioning on SAP Cloud Identity
Platform.

13.25.1.3 Add Application Type

Procedure

To add your own custom application type, do as follows:

1. Log into the SAP Cloud Identity Access Governance launchpad and open the Application Types app.
2. To add a new application type, choose the '+' icon in the application types list on the left.
3. Enter the following details:

Name Unique name for the application type (up to 32 characters)

Description Application type description

Action Type Unique name for the action type of this application type (up to 5 characters)

Action Description Action type description

4. Save your entries.

13.25.1.4 Add SCIM Application

Create an application for the SCIM connector in the SAP Cloud Identity Access Governance launchpad
Applications app.

Procedure

1. Log into the SAP Cloud Identity Access Governance launchpad and open the Applications app.
2. For Application Type, select the custom application type created in the previous step Add Application Type.
3. Enter the external application ID noted in the previous step Create Proxy System.

13.25.1.5 Sync User Data and Provision Access Requests

In the SAP Cloud Identity Access Governance launchpad, open the Job Scheduler app. In the Job Category
dropdown list, schedule the following jobs:

• Repository Sync to synchronize the relevant data from the SCIM system to SAP Cloud Identity Access
Governance.
  • In the Application Type dropdown list, select the custom application type created in the previous section
  Add Application Type.
  • In the Application dropdown list, select the SCIM system created in the previous section Add SCIM
  Application.
• Provisioning to initiate the provisioning of access requests.

14 Business Configuration

This section describes how to set up the core applications of SAP Cloud Identity Access Governance.

14.1 Set Up Master Data

Maintain the following master data to get the full functionality of the SAP Cloud Identity Access Governance
services.

Note

The following is a comprehensive list of the required master data. Some master data may be required for
more than one service. For example: Systems is required for all the services.

Master Data Maintain the Master Data in this App

Systems Systems

Business Function Groups Business Function Groups

Business Processes Business Processes

Functions Functions

Risk Level Risk Level

Risks Risks

Rules Rules

Monitoring Groups Monitoring Groups are defined in Identity Authentication.

Owners Owners are defined in the Identity Authentication.

Test Plans Test Plans

Mitigation Controls Mitigation Controls

Access Access Maintenance

Departments Departments

User Data Maintain User Data


Risk Score Policy (optional) Risk Score Policy

Access Maintenance Access Maintenance

Projects Projects

Access Request Reason Code Access Request Reason Code

Access Request Priority Access Request Priority

Common Master Data [page 205]


You must set up Master Data for all three SAP Cloud Identity Access Governance services: access
analysis service, access request service, and role design service. This topic outlines the common set-up
that is required for all three services. Set up the common master data before setting up the master
data that is specific to the services.

Setting Up Master Data for Access Request Service [page 207]


After setting up the Common Master Data, you must then set up the Master Data specific to your
services. This topic outlines the Master Data needed for Access Request.

Setting Up Master Data for the Role Design Service [page 208]
After setting up the Common Master Data, you must then set up the Master Data specific to your
services. This topic outlines the Master Data needed for the Role Design service.

Setting Up Master Data for Access Analysis Service [page 209]


After setting up the Common Master Data, you must then set up the Master Data specific to your
services. This topic outlines the Master Data needed for Access Analysis.

Related Information

Setting Up Master Data for Access Request Service [page 207]


Setting Up Master Data for the Role Design Service [page 208]
Setting Up Master Data for Access Analysis Service [page 209]

14.1.1 Common Master Data

You must set up Master Data for all three SAP Cloud Identity Access Governance services: access analysis
service, access request service, and role design service. This topic outlines the common set-up that is required
for all three services. Set up the common master data before setting up the master data that is specific to the
services.

Common Master Data Elements

The table belows shows master data that is needed for all three SAP Cloud Identity Access Governance
services: access analysis service, access request service, and role design service.

Note

You must set up business processes first, then business subprocesses, and then the relevant system. After
setting up this data, run the repository sync job for the application to populate the privileges in the Access
Maintenance app.

Master Data App | Dependency / Prerequisite | How the Master Data is Used

Applications | None | The app is used to define the source and target systems that connect with SAP Cloud Identity Access Governance. For example, application connections must be defined for the role source system and the user source system.

Access Maintenance | Business Subprocess | The app is used to display and maintain different types of technical access.

Business Processes | None | The app is used to define your company's operational processes, such as Finance and Marketing.

Departments | None | The app is used to create and maintain your company's departments, such as Finance and Public Relations.

To complete the Master Data setup, go to the topic specific to the Services you are setting up. There are
additional setup steps for each service.

Related Information

Setting Up Master Data for Access Analysis Service [page 209]


Setting Up Master Data for Access Request Service [page 207]
Setting Up Master Data for the Role Design Service [page 208]

14.1.2 Setting Up Master Data for Access Request Service

After setting up the Common Master Data, you must then set up the Master Data specific to your services. This
topic outlines the Master Data needed for Access Request.

The table below describes the master data elements that must be set up for the Access Request Service after
you have finished setting up the common Master Data.

Master Data App | Dependency / Prerequisite | How the Master Data is Used

Access Request Priority | None | The app is used to define priorities for access requests.

Access Request Reason Code | None | The app is used to define the Reason for Request choices for access requests.

Related Information

Common Master Data [page 205]

14.1.3 Setting Up Master Data for the Role Design Service

After setting up the Common Master Data, you must then set up the Master Data specific to your services. This
topic outlines the Master Data needed for the Role Design service.

The table below describes the master data elements that must be set up for the Role Design Service after you
have finished setting up the common Master Data.

Master Data | Dependency / Prerequisite | How the Master Data is Used

Projects | None | When companies re-engineer or create new business roles, it is usually in the context of a project, such as a security initiative or a role optimization initiative. You use this app to define such projects. The projects are then available in the Create Candidate Business Roles app.

Related Information

Create Candidate Business Roles (App)


Common Master Data [page 205]

14.1.4 Setting Up Master Data for Access Analysis Service

After setting up the Common Master Data, you must then set up the Master Data specific to your services. This
topic outlines the Master Data needed for Access Analysis.

Note

In some cases, you must define the data in the indicated order. For example, you must define business
function groups before you can set up rules.

Master Data Details for Access Analysis Service

The table below describes the master data elements that must be set up for the Access Analysis service after
you have finished setting up the common Master Data.

Master Data App | Dependency / Prerequisite | How the Master Data is Used

Functions | Business Process | The app is used to define and maintain functions, which are collections of authorizations (actions and permissions). Access risks are defined based on functions. You can also delete individual or multiple functions.

Business Function Groups | Systems | The app is used to assign source systems to SAP Cloud Identity Access Governance. The source can be one or multiple systems.

Mitigation Control | 1. Business Subprocess, 2. Risks, 3. Test Plans | The app is used to define and maintain mitigation controls, which are used to remediate and monitor access risks. You can also delete individual or multiple mitigation controls.

Risks | 1. Business Process, 2. Function, 3. Risk Level | The app is used to create, edit, view, deactivate, or delete risks.

Risk Level | None | The app is used to define the criticality and the sensitivity of a risk.

Rule Setup | Business Function Group | The app is used to establish, customize, and maintain your SoD or critical access rules for access analysis.

Test Plans | None | The app allows you to upload test plans for testing mitigation controls. Test plans are maintained offline.

Related Information

Common Master Data [page 205]

14.2 Configuration App

The Configuration app is intended for administrators only. It enables administrators to configure a set of
behaviors and parameters in SAP Cloud Identity Access Governance to align with business needs.

14.2.1 Language Configuration

This setting exists to improve performance.

From the Configuration app, you can limit the languages in which data is imported from the database into SAP
Cloud Identity Access Governance.

Choose which languages are used by your company and select Apply.

These are the supported languages:

• English
• German
• Chinese
• French
• Japanese
• Portuguese
• Russian
• Spanish
• Turkish
• Czech

Note

The default is English.

14.2.2 Application Parameters

Configure your product according to your business needs.

The Application Parameters feature contains a list of configuration groups and parameters that enable you to
set certain attributes and behaviors for SAP Cloud Identity Access Governance.

Note

The list of available configurable parameters is updated regularly.

The table below describes the currently available parameters:

Configuration Group: Request Workflow
Parameter: All risk approvers have to approve
Parameter Value: The value can be either Yes or No. The default value of the parameter is No.
Description: If the parameter is set to No, the current approval behavior remains unchanged. For example, one of the risk owners in the stage will approve the access. If the parameter is set to Yes, in the risk owner stage of the workflow access will be approved only after each risk associated with the access has been approved by its respective approvers/owners.

Configuration Group: SUCCESSFACTORS_SYNC
Parameter: USER_FILTER
Parameter Value: Maintain multiple conditions in one filter value, separated by an 'and' condition. Example: empInfo/jobInfoNav/employmentType eq 3637 and status eq 't'
Description: This parameter allows you to filter the users from the SuccessFactors system to SAP Cloud Identity Access Governance.

Configuration Group: Application User Sources
Parameter: Identity Directory System ID

Parameter: ARQAPI_VALID_FROM_DATE_VALIDATION
Parameter Value: Yes/No. If left empty or any other value is given, it defaults to Yes.
Description: This parameter applies only to access requests submitted by API. If Parameter Value is Yes (or blank): user cannot submit a request with a past FROM date. If Parameter Value is No: user can submit a request with a past FROM date.

Configuration Group: HR_TRIGGER
Parameter: TERMINATION_ASSIGNMENT
Parameter Value: Yes or No
Description: If the value is set to Yes, role(s) are removed and users are retained in the application. If the value is No, blank, or anything other than Yes, the users are removed from the application along with the assignments.

Configuration Group: PAMLOGSYNC
Parameter: LAST_SYNC_DATE_TIME
Parameter Value: YYMMDD
Description: Add date and time.

Configuration Group: Request Creation
Parameter: Allow multiple open access requests for the same user
Parameter Value: Yes
Description: If the value is set to No, the feature checks whether any access requests are pending for the Created For user. If the value is set to blank or to the default value Yes, multiple access requests can be created even though access requests are pending for the user. This parameter only applies to access requests and not to PAM requests. If you need to create PAM requests, there are no restrictions for creating multiple requests. A pending access request means that the access request status is In Process waiting for approval or is ready for Provisioning. If the parameter is set to No and there is already a pending request created for the user, the message "Request can't be submitted as user already has a pending request(s)" will pop up if you try to create an access request for that user.

Configuration Group: UserSource
Parameter: SourceSystem
Parameter Value: <enter the name of your system or application>
Description: Designate a User Source System for retrieving user information such as email address, employee's manager, etc.

Configuration Group: Requestor Approval
Parameter: Requestor can approve requests for others
Parameter Value: No (default value)
Description: A requestor can approve requests for others if the parameter value is set to Yes. Possible values are Yes and No. Note: The user approval can only be issued at the manager stage by the manager.

Configuration Group: RULE_UPLOAD
Parameter: STATUS_DATA
Description: Clear the value field if the Rule Upload Job is not completed and is in running/processing status for 1 day.

Configuration Group: Security
Parameter: To complete configuration before enabling it, refer to 3155715.
Parameter Value: No
Description: Extended authorizations for Bridge scenario.

Configuration Group: SOURCE_USER
Parameter: GROUP
Parameter Value: Source System for User Group
Description: This parameter determines the source application from which user groups are synced and updated for users, and is relevant for the enhanced request form delivery.

Configuration Group: USER_ANALYSIS
Parameter: Maximum thread count allowed for user analysis processing is 25.
Parameter Value: 25
Description: User analysis processing thread count.

Configuration Group: USER_ANALYSIS_JOB
Parameter: JOB_STATUS
Parameter Value: New, In Process, and Completed
Description: This field value is for internal purposes and must not be edited.

Configuration Group: USER_ANALYSIS_JOB
Parameter: IS_SEPARATE
Parameter Value: YES or NO
Description: If the parameter is set to YES, the job is split into two jobs. One job is for user-level analysis and the other for role-level analysis.

Configuration Group: USERIDGROUP
Parameter: USER_ID
Parameter Value: LOGIN_NAME
Description: Login name field maintained in Identity Authentication for requests.

Configuration Group: WF_ADM_CONFIG_ID
Parameter: WF_ADM_USER
Parameter Value: System
Description: Whenever there is an HR trigger event, the Requested By is the configured user.

14.2.3 Application Users

You use the Application Users app to upload and download larger data files relevant for application users.

Procedure

1. Go to the Configuration app.
2. On the next screen, before uploading an application users file, select Download File to download a template
of the file, which is available in zip format.
3. Extract the template, including the ApplicationUsers_readme.txt file.
4. Familiarize yourself with the ApplicationUsers_readme.txt file. Add the necessary new data to the extracted
files, which are in the tab-delimited text format. For ease of use, you can open the text files in Microsoft Excel.
5. Save the text files in the tab-delimited text format and add them to a zip file.
6. To upload the zipped file as an application users file, select Upload and Process.
7. To view log reports, proceed as follows:
   1. Select Download Validation Log to check for any validation error messages and that the data entered is
   correct, for instance, in length and type.
   2. Select Download Processing Log to ensure that no data is missing, such as parent data before inserting
   child data.

14.2.4 Business Rules

SAP Cloud Identity Access Governance offers pre-delivered business rules. To access these rules, create a
support ticket under the component GRC-IAG.

If, however, you wish to edit your own objects, follow the steps described below:

Procedure

1. Log in to the SAP Cloud Identity Access Governance launchpad.
2. Open the Configuration app.
3. On the Configuration Type screen, navigate to Business Rule and choose Launch at the bottom right.
4. The Manage Projects screen is displayed as shown in the image below.

14.2.5 Approver(s) Mapping

Via the new upload screen in the Configuration app, you can upload all approver mappings. When the
download option is used, you can find more information on mappings between IAG Approvers and AC
Approvers in the readme.txt file. The mapping data is used by the rule set sync job, which imports the risk owner,
control owner, or control monitor from the SAP Access Control system, maps it to the IAG Approver, and saves
the data to the table, and vice versa.

The category column includes riskowner, control owner, and control monitor. The IAG_Approver for risk owner
and control owner is a P-User. For control monitor, however, a group called IAG_CM_XXX is used (XXX can be any
name).

To upload the approver mapping file, do as follows:

1. Create a .txt file with the following column headers: CATEGORY, IAG_APPROVER, AC_APPROVER#HEADER#.
2. Fill in the data, for example, RISKOWNER, P999999, TEST-RIO.
3. Save the file with the name IAGAPPROVERS_MAPPING in .txt format.
4. Zip the file IAGAPPROVERS_MAPPING.txt and upload it.

Access Control - Mitigation Control Transfer: This job must be run after uploading the approver mapping file.
To verify the job, go to the Mitigation Controls app.

Repository Sync: Before the risk transfer, the repository sync job from SAP Access Control must be carried out to
bring the approver data to SAP Access Control from SAP Cloud Identity Access Governance.

Access Control - Risk Definition Sync: In addition to the rule definition, this job brings approvers from SAP
Access Control.

All changes made to the risk definition, including risk owners, are displayed in the Change Log Report.
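A mistyped approver mapping is only reported after the sync jobs run, so it pays to check the file before zipping it. The script below is an added example, not SAP code: it validates rows against the rules given above (P-user for risk owner and control owner, an IAG_CM_XXX group for control monitor) and packages them as IAGAPPROVERS_MAPPING.txt inside a zip. The CONTROLOWNER and CONTROLMONITOR category tokens are assumed to follow the RISKOWNER spelling; the sample rows beyond the page's RISKOWNER/P999999/TEST-RIO example are constructed.

```python
import io
import re
import zipfile

# Constructed example, not SAP's code: validates and packages the
# IAGAPPROVERS_MAPPING.txt upload from the Approver(s) Mapping steps.
HEADER = ["CATEGORY", "IAG_APPROVER", "AC_APPROVER#HEADER#"]
# Assumption: CONTROLOWNER / CONTROLMONITOR tokens follow the RISKOWNER pattern.
P_USER_CATEGORIES = {"RISKOWNER", "CONTROLOWNER"}  # IAG_Approver is a P-user
GROUP_CATEGORIES = {"CONTROLMONITOR"}               # IAG_Approver is IAG_CM_XXX
P_USER = re.compile(r"^P\d+$")
CM_GROUP = re.compile(r"^IAG_CM_.+$")


def validate_rows(rows):
    """Return (line_number, message) tuples; an empty list means the rows are valid."""
    problems = []
    for line_no, row in enumerate(rows, start=2):  # line 1 is the header
        if len(row) != 3:
            problems.append((line_no, f"expected 3 columns, got {len(row)}"))
            continue
        category, iag_approver, ac_approver = (c.strip() for c in row)
        if category in P_USER_CATEGORIES:
            if not P_USER.match(iag_approver):
                problems.append((line_no, f"{category} needs a P-user, got {iag_approver!r}"))
        elif category in GROUP_CATEGORIES:
            if not CM_GROUP.match(iag_approver):
                problems.append((line_no, f"{category} needs an IAG_CM_XXX group, got {iag_approver!r}"))
        else:
            problems.append((line_no, f"unknown category {category!r}"))
    return problems


def build_upload(rows):
    """Return the zip archive (bytes) holding the tab-delimited mapping file."""
    problems = validate_rows(rows)
    if problems:
        raise ValueError(problems)
    text = "\n".join("\t".join(r) for r in [HEADER, *rows]) + "\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("IAGAPPROVERS_MAPPING.txt", text)
    return buf.getvalue()


def read_upload(data):
    """Unpack the archive into rows (header excluded) to check what will be uploaded."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        lines = zf.read("IAGAPPROVERS_MAPPING.txt").decode().splitlines()
    return [line.split("\t") for line in lines[1:]]


# Constructed sample rows; only RISKOWNER / P999999 / TEST-RIO comes from the page.
SAMPLE_ROWS = [
    ["RISKOWNER", "P999999", "TEST-RIO"],
    ["CONTROLOWNER", "P123456", "TEST-CO"],
    ["CONTROLMONITOR", "IAG_CM_FINANCE", "TEST-CM"],
]
```

Write the bytes returned by build_upload to a file and upload that zip; read_upload lets you confirm the header and rows before the Mitigation Control Transfer job consumes them.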

15 Security and Data Protection and Privacy

For SaaS customers, many of the necessary security measures are taken care of by SAP. For SAP Cloud
Identity Access Governance security information, see the Security Guide at https://help.sap.com/viewer/product/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE.

16 Further Information

Content: SAP Business Technology Platform (SAP BTP)
Location: https://help.sap.com/viewer/product/CP/Cloud/en-US

Content: SAP Cloud Identity Access Governance
Location: https://help.sap.com/viewer/p/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE

Content: SAP Cloud Identity Access Governance Security Guide
Location: https://help.sap.com/viewer/8927ff487e3e4520b3211167b7f06c31/latest/en-US

17 Support Information

For assistance and questions, go to the SAP Support Portal at https://support.sap.com and click the
Get Support button to report a new issue.

Use the following components as needed.

Service: access analysis service
Component: GRC-IAG-AA

Service: access certification service
Component: GRC-IAG-CER

Service: access request service
Component: GRC-IAG-AR

Service: role design service
Component: GRC-IAG-RD

Service: privileged access management service
Component: GRC-IAG-PAM

18 Product Experience (PX) Survey

You can provide feedback for the product via the SAP Cloud Identity Access Governance launchpad.

This feature allows you to rate your satisfaction with the product and the usability of individual applications
directly from the user menu and share your experiences in a free-text field. Please note that no personal data
is stored. The survey explicitly states that no personal data should be entered in the free-text field. Should
personal data be entered, mechanisms exist in the background to detect and delete such data.

Note

If you or your customer are using RPA, the feedback mechanism can be deactivated for individual tenants.
The opt-out can be requested via a ServiceNow ticket on CA-PX. Find a guide on how to create
incidents here. We recommend consulting with our team or product representative first to better
understand the benefits of feedback collection and how we can improve it for you and your end users.

Background Information on SAP Feedback Integration:

• SAP provides mechanisms to collect feedback to enable our end users to actively shape and improve our
products.
• There are two ways to collect user feedback:
  • The feedback button in the main application menu (SAP Shellbar), which can be used by the end user
  at any time.
  • Conditional pop-up surveys that invite users to provide feedback at rule-based intervals.
• All collected feedback is anonymous. There are no mechanisms or cookies that track user behavior, user
profiles, or usage. See the Cookie Statement.
• Centrally managed rule mechanisms ensure that feedback intervals do not overwhelm the end user.
• There are two mechanisms that trigger a conditional pop-up survey:
  • Randomly after a certain period (maximum twice in 6 months).
  • After a specific task in a specific app is completed (maximum four times in 6 months).
• Users have the option to postpone the survey for several weeks (using the Ask me later option or by
closing the pop-up survey).
• After postponing three times, no further pop-up surveys will be sent for the remaining 6 months of the
survey period.

Important Disclaimers and Legal Information

Hyperlinks
Some links are classified by an icon and/or a mouseover text. These links provide additional information.
About the icons:

• Links with the icon: You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your
agreements with SAP) to this:

• The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.

• SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any
damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.

• Links with the icon: You are leaving the documentation for that particular SAP product or service and are entering an SAP-hosted Web site. By using
such links, you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this
information.

Videos Hosted on External Platforms

Some videos may point to third-party video hosting platforms. SAP cannot guarantee the future availability of videos stored on these platforms. Furthermore, any
advertisements or other content hosted on these platforms (for example, suggested videos or by navigating to other videos hosted on the same site), are not within
the control or responsibility of SAP.

Beta and Other Experimental Features

Experimental features are not part of the officially delivered scope that SAP guarantees for future releases. This means that experimental features may be changed by
SAP at any time for any reason without notice. Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use
the experimental features in a live operating environment or with data that has not been sufficiently backed up.
The purpose of experimental features is to get feedback early on, allowing customers and partners to influence the future product accordingly. By providing your
feedback (e.g. in the SAP Community), you accept that intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP.

Example Code
Any software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax
and phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of
example code unless damages have been caused by SAP's gross negligence or willful misconduct.

Bias-Free Language
SAP supports a culture of diversity and inclusion. Whenever possible, we use unbiased language in our documentation to refer to people of all cultures, ethnicities,
genders, and abilities.

www.sap.com/contactsap

© 2024 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form
or for any purpose without the express permission of SAP SE or an SAP
affiliate company. The information contained herein may be changed
without prior notice.

Some software products marketed by SAP SE and its distributors
contain proprietary software components of other software vendors.
National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for
informational purposes only, without representation or warranty of any
kind, and SAP or its affiliated companies shall not be liable for errors or
omissions with respect to the materials. The only warranties for SAP or
SAP affiliate company products and services are those that are set forth
in the express warranty statements accompanying such products and
services, if any. Nothing herein should be construed as constituting an
additional warranty.

SAP and other SAP products and services mentioned herein as well as
their respective logos are trademarks or registered trademarks of SAP
SE (or an SAP affiliate company) in Germany and other countries. All
other product and service names mentioned are the trademarks of their
respective companies.

Please see https://www.sap.com/about/legal/trademark.html for
additional trademark information and notices.
