SAP Cloud Identity Access Governance (IAG) | Overview and Integration Capabilities

SAP Cloud Identity Access Governance (SAP Cloud IAG, often referred to as SAP IAG) is a cloud service from SAP Cloud Platform (SCP). It offers similar functionality to, but does not replace, SAP Access Control, part of SAP’s GRC solutions. 

The service offers a range of identity and access management capabilities, including (among others) self-service access requests for on-premise and cloud applications, access risk analysis, and role design. Each of the services that come with SAP Cloud IAG can work independently or in combination with one and another.

SAP Cloud IAG Overview

SAP Cloud IAG offers five core features:

  • Access Analysis
  • Role Design
  • Access Request
  • Access Certification (not yet released)
  • Privileged Access Management (not yet released)

You can refer to the SAP Road Maps to see the release schedule for upcoming features.

Access Analysis Service 

The Access Analysis Service enables you to detect and remediate segregation of duties (SoD) and critical access risks. 

The access analysis overview dashboard allows you to review the risk across the landscape by displaying the users who have a high risk score based on the critical actions they have executed. 

Further, you can dive into mitigated risks to see which users have compensating controls assigned. You can also display the defined business processes based on their risk level and similar metrics.

SAP Cloud IAG - Access Analysis Overview
SAP Cloud IAG – Access Analysis Overview

Access Request Service

The Access Request Service integrates with additional SAP Cloud Platform services to utilize workflow management, provisioning, and business logic. SAP Cloud IAG provides compliant provisioning of user access to various on-premise and cloud applications.

SAP Cloud IAG - Create Access Request
SAP Cloud IAG – Create Access Request

Role Design Service

The role design service enables you to define and maintain compliant business roles directly in SAP Cloud IAG in order to optimize role definition and streamline governance. It also provides risk metrics and usage trends within a business role in order to evaluate the impact it has on end-users (so that role adjustments can be made).

SAP Cloud IAG - Edit Business Roles
SAP Cloud IAG – Edit Business Roles

Access Certification Service (Planned for Future Release)

The Access Certification Service allows you to review user access, roles, risks and mitigation controls for on-premise and cloud applications. When an employee’s job changes, it is important to review and remediate their authorizations.

Accumulated access often leads to security risks, so periodic recertification of a user’s access helps establish a governance process to stay compliant.

Privileged Access Management Service (Planned for Future Releases)

The Privileged Access Management service enables you to monitor access to sensitive and critical transactions, giving you better insight into how users with elevated authorizations are interacting with your organization’s data.

Additionally, SAP plans to leverage machine-learning capabilities to help differentiate suspicious and fraudulent activity from normal behavior. This will become a key feature for reviewers in the assessment and auditing of log files.

Key Capabilities of SAP Cloud Identity Access Governance:

  • Secure environment for managing identities.
  • Dashboard-based user interface based on the familiar SAP Fiori user experience.
  • Instant visibility into access issues with drill-down capabilities.
  • Comprehensive access governance.
  • Simple, seamless and transparent processes.
  • Up-to-date and scalable solutions.

IAG Bridge

The SAP Cloud IAG Bridge provides a powerful tool to extend your on-premise SAP Access Control. 

SAP Cloud IAG Bridge offers:

  • Connectivity to cloud applications.
  • Cross-application access risk analysis, including cloud applications, by using SAP Cloud IAG (Access Analysis Service)
  • Remediation process with access refinement functions.
  • Role Designer to build business roles based on current assignments.

A disconnect in system landscapes and business applications leads to additional work when it comes to support, customizations and integrations. With the SAP Cloud IAG Bridge, we can connect those two worlds to achieve better governance and fully comply with regulations. 

In the age of digitalization, new business models, and a cloud-first strategy, organizations face the challenge of managing access and authorizations in the cloud and on-premise systems.

The SAP Identity Access Governance bridge concept offers an intuitive way to extend SAP Access Control. With this extension, you can group cloud applications under one compliance domain, easily connect to cloud applications, and extend your cross-application risk analysis into the cloud.

Furthermore, the Role Design Service allows you to extract proposals based on assignments to build stable and powerful business roles.

SAP Cloud IAG Bridge - Overview (Source:
SAP Cloud IAG Bridge – Overview (Source:

Other key features that the SAP Cloud IAG Bridge concept offers:

  • Synchronize master data from SAP Access Control to SAP Cloud IAG, including:
    • Access risk definitions
    • Mitigating controls
  • The connectivity to target on-premise applications from SAP Access Control.
  • The connectivity to various cloud applications (e.g., Ariba, SAP S/4HANA Public Cloud, etc.).
  • Cross-system risks between on-prem and the cloud.

With the SAP Cloud IAG Bridge, you can extend your current SAP Access Control installation without compromising on functionality, access governance or other compliance requirements.

Integrated Identity Access Governance for Hybrid Landscapes

SAP Cloud Platform (SCP) offers a variety of services related to identity and access management (IAM). In the age of digitalization, new business models and cloud-first strategies, customers face new challenges when it comes to the identity lifecycle.

Employees (end-users) require access in various systems, which can become extremely complex in a hybrid landscape with both on-premise and cloud applications.

SAP Cloud Platform offers three main services to manage the identity lifecycle:

  • SAP Cloud Internet Access Governance (SAP Cloud IAG) to analyze access risks and segregation of duties (SoD) issues.
  • SAP Cloud Platform Identity Authentication Service (IAS) to authenticate users to the cloud applications.
  • SAP Cloud Platform Identity Provisioning Service (IPS) to provision users to cloud applications.

The three services integrate with each other to provide a holistic solution to identity and access management challenges.

You can seamlessly achieve access governance across the hybrid landscape, automate access request approval, automate provisioning based on HR events, expand your systems for key business applications between on-premise and the cloud, and natively integrate with SAP S/4HANA to get access to rule content and support for new authorization models.

Business Benefits

SAP Cloud Identity Access Governance offers Software as a Service (SaaS), which enables companies to comprise several distinct identity management and access governance capabilities. Each of these can be used separately to address specific business needs and can also be integrated with native applications based on the SAP Cloud Platform.

You have the flexibility to use one, many or all the services, depending on your business requirements. SAP Cloud IAG being a cloud-based solution, it can be easily extended across your enterprise to meet your demands.

Frequently Asked Questions

Below is a list of frequently asked questions in regard to SAP Cloud IAG.

Can you integrate SAP SuccessFactors with SAP Cloud IAG?

You can integrate SAP Cloud IAG with SAP SuccessFactors with the above-mentioned services.

Can you integrate SAP Ariba with SAP Cloud IAG?

You can integrate SAP Cloud IAG with SAP Ariba with the above-mentioned services.

Can you integrate SAP Concur with SAP Cloud IAG?

At the moment, IAG does not support SAP Concur integration. You can always check new developments on

Does SAP Cloud IAG replace SAP Access Control (GRC)?

SAP Cloud Internet Access Governance (IAG) is not SAP Access Control on the cloud nor does it replace SAP Access Control (GRC). SAP Cloud IAG offers services similar to SAP Access Control and can be integrated with the latter. 

Can you deploy SAP Access Control (GRC) to the cloud?

You can deploy SAP Access Control (GRC) to the cloud. Cloud deployment of SAP Access Control offers the same features and functionalities as an on-premise installation. You can deploy on platforms like the SAP HANA Enterprise Cloud (HEC), Amazon’s AWS, Google Cloud, Microsoft Azure, etc.


SAP Cloud Identity Access Governance services enable organizations to manage digital identities across all applications and services. With a company-wide global identity system, businesses can create a unique user experience and secure the applications that drive the success of your business growth.

Learn more about SAP Cloud IAG:

Alessandro Banzer
Latest posts by Alessandro Banzer (see all)

Get in touch with us!

Do you have questions about our products?

+41 43 422 8803
[email protected]
+49 7656 9888 155
[email protected]
+1 855 594 84 64
[email protected]
+44 1454 838 785
[email protected]