SAP IAG Bridge – Manage Hybrid Landscapes
SAP Identity Access Governance (IAG) allows you to extend your SAP GRC Access Control to manage hybrid SAP landscapes with the IAG Bridge functionality. With the ongoing digital transformation, many of the traditional business functions shift from on-premise to the cloud. At the end of the day, the SAP customer has to deal with access governance in these hybrid landscapes.
In this article, we will take a look at the capabilities that SAP IAG Bridge offers and how you can utilize our existing infrastructure (e.g., SAP Access Control) in such hybrid scenarios.
SAP IAG Bridge functionality connects your SAP Access Control (GRC) on-premise solution with your SAP Cloud Identity Access Governance (IAG) to extend access governance functionality into the cloud.
Cloud applications often consume, manage and process data that is being exchanged between the cloud app and an on-premise application like SAP S/4HANA. Because of that, you have to be able to analyze access risks in a hybrid cross-system landscape. Analyzing these risks is a challenge, as is determining how to provision users across multiple systems through business roles. SAP IAG offers role design services that allow you to build business roles for hybrid landscapes.
Identity Access Governance for Life
SAP IAG and SAP Access Control are solutions in the area of identity and access management (IAM). IAM tools must provide automated and repeatable ways to govern the identity life cycle from start to finish. Organizations must manage user identities and govern identity and access requests on-premise and in the cloud consistently and compliantly, including:
- User provisioning
- Self service
- Workflows and approval workflows
- Segregation of duties (SoD)
- Delegated administration
- Organizational management
- Role management
- Privileged user management/firefighter
- Single sign-on (SSO)
These capabilities and security controls are leveraged using IAG that (in a best-case scenario) integrates with and covers all types of users (employees, vendors and customers) and applications (on-premise and in the cloud) for the entire lifecycle — from hire to retire.
HR Driven Identity Lifecycle Management
SAP IAG offers a similar capability to the HR Trigger in SAP Access Control that allows you to automatically create access requests based on input from HR. You can integrate the SAP Cloud Identity Access Governance solution with your HR system (e.g., SAP SuccessFactors Employee Central). This enables you to capture changes to the employment status in the HR system and to initiate access requests automatically through IAG. The access request service converts the HR triggers to change requests, which are then provisioned to target applications (cloud and on-premise) through predefined business roles.
SAP Access Control (GRC) vs. SAP Identity Access Governance (IAG)
Before we look into the details of what the SAP IAG Bridge functionality offers, we have to understand the differences between SAP Access Control (GRC) and SAP IAG.
SAP IAG is often referred to as the SAP Access Control solution for the cloud, which in fact, it is. SAP IAG — a cloud solution running on the SAP Business Technology Platform (BTC) — does not replace SAP Access Control, but it offers similar capabilities to a broader environment (cloud) with some overlapping functions.
For example, SAP IAG can run a risk analysis against on-premise applications (similar to SAP Access Control), and offers firefighting capabilities with the Privileged Access Management (PAM) for on-premise systems (e.g., SAP ERP and SAP S/4HANA).
Additionally, SAP IAG can connect to both cloud and on-premise applications through the SAP Cloud Connector. The Cloud Connector is located on the intranet (the customer network) and establishes connectivity between the SAP Business Technology Platform (internet) and the target system (intranet).
Let’s take a look at a high-level comparison of the modules and their core functionalities.
|SAP Access Control||Function||SAP IAG||Function|
|Access risk analysis (ARA)||Access analysis for on-premise systems, ruleset management||Access analysis||Access analysis for on-premise and cloud, limitation to user and roles, ruleset management|
|Business role management (BRM)||Role management and business roles||Role design||Business roles for hybrid landscapes|
|Access request management (ARM)||Fully customizable and extendable access request workflows||Access request||Predefined set of workflows with limited configuration capabilities|
|Emergency access management (EAM)||Firefighter for ABAP systems||Privileged access management||Firefighter for ABAP systems (still in Beta version)|
|User access review (UAR) and SOD risk review||Customizable UAR and SOD risk review workflows through ARM||Access certification||Campaigns to review user access|
Even though SAP IAG is not officially the direct replacement for SAP Access Control, it might serve that purpose for some customers depending on requirements. For many customers considering access governance solutions — or for those moving from a third-party to SAP — SAP IAG might offer all that’s needed. SAP IAG is capable of covering the most relevant use cases, not only for the on-premise world but also for the cloud (including access risk analysis and access provisioning).
The user interface (UI) for SAP IAG is SAP Fiori, which is the standard UI for SAP’s cloud services. SAP Fiori apps are also available for SAP Access Control. However, SAP Access Control still comes with the NetWeaver Business Client (NWBC), which is the desired UI of most administrators. Also, some of the Fiori apps are still the “old” WebDynpros that we know from the NWBC. The user experience is similar in both tools when using SAP Fiori.
Which Solution for Which Use Case?
With SAP IAG and SAP Access Control, you can have three scenarios for multiple use cases. Let’s try to understand them first, before we look specifically into the bridging capability.
Scenario 1: SAP IAG Only
This scenario is for customers who want an out-of-the-box solution for access governance that runs entirely in the cloud. With this approach, you will have reduced flexibility as SAP IAG is a software as a service (SaaS) solution that only offers limited configuration capabilities. However, if you want to use standard workflows to provision users across on-premise and cloud applications, analyze cross-system access risks, perform firefighting (emergency access), as well as user access reviews, SAP IAG is the perfect solution for you.
Scenario 2: SAP Access Control Only
This scenario is for customers who primarily use on-premise applications. SAP Access Control gives you total flexibility to govern access in the on-premise landscape. Its Access Request Management (ARM) workflows are fully customizable and allow for extensive enhancements. This is one of the main limitations in SAP IAG compared to SAP Access Control.
Scenario 3: SAP IAG and SAP Access Control – SAP IAG Bridge
The SAP IAG Bridge scenario is for customers who need to govern access in a hybrid landscape (on-premise and in the cloud). The bridging scenario offers the best of both worlds combined; however, you need to implement (as well as run, service and license) two applications.
SAP IAG Bridge
The SAP Cloud IAG Bridge provides a powerful tool for extending your on-premise SAP Access Control 12.0 to a broader spectrum of applications (on-premise and cloud). The IAG Bridge functionality is also a great way to leverage your investment in SAP Access Control to make it future-proof. Often, customers have invested heavily in SAP Access Control to adjust it to their needs, but are now faced with access governance challenges that go beyond the standard offerings. The IAG Bridge functionality can close that gap.
SAP Cloud IAG Bridge offers:
- Connectivity to cloud applications.
- Cross-application access risk analysis (including cloud applications) by using SAP Cloud IAG (Access Analysis Service).
- Remediation process with access refinement functions to optimize user access.
- Role Designer to build business roles.
A disconnect in system landscapes and business applications leads to additional work when it comes to supporting customizations and integrations. With the SAP Cloud IAG Bridge, we can connect those two worlds to achieve better governance and fully comply with regulations.
The SAP Cloud Identity Access Governance bridge concept offers an intuitive way to extend SAP Access Control and save your investment. With this extension, you can group cloud applications under one compliance domain, easily connect to cloud applications, and extend your cross-application risk analysis into the cloud.
Other key features that the SAP Cloud IAG Bridge concept offers include:
- Synchronization of master data from SAP Access Control to SAP Cloud IAG, including access risk definitions and mitigating controls.
- Connectivity to target on-premise applications from SAP Access Control.
- Connectivity to various cloud applications (e.g., SAP Ariba, SAP S/4HANA Cloud, etc.).
- Handling of cross-system risks between on-prem and the cloud.
With the SAP Cloud IAG Bridge, you can extend your current SAP Access Control installation without compromising on functionality, access governance, or other compliance requirements.
Integration Scenarios for Hybrid Landscapes
As mentioned above, the IAG Bridge scenario allows you to extend SAP Access Control into the cloud through SAP IAG. Let’s take a closer look at the two most common scenarios.
Cloud Driven Approach
In the cloud-driven approach, SAP IAG handles all the access governance scenarios without SAP Access Control, optionally utilizing SAP Identity Management (IDM) to provision to non-SAP applications that SAP IAG cannot handle itself.
In this scenario, SAP IAG takes care of the risk analysis, access requests, firefighting, etc., without the need for the on-premise GRC installation.
This is a typical scenario for customers who don’t have extensive requirements for workflows, or for customers who are just starting with access governance solutions. It’s a future-proof and evolving approach that will see many improvements over the next couple of years. Additionally, SAP IAG can be integrated with SAP SuccessFactors employee central to govern the user lifecycle processes, similar to the integration with SAP Access Control.
The hybrid approach is the most desired approach for existing SAP Access Control customers. With this approach, we can utilize the best of both worlds and leverage our existing SAP Access Control implementation.
For example, SAP IAG is used for cross-system risk analysis (utilizing the power of the cloud application) and SAP Access Control with extensively-customizable access request workflows.
In this scenario, SAP IAG provisions the cloud systems and SAP Access Control provisions the on-premise. The workflows run in SAP Access Control (yes, you can request cloud applications) and thus allows for extensive customization.
To govern the user lifecycle, you can integrate with SAP SuccessFactors Employee Central by utilizing the HR Trigger for the joiner, mover and leaver processes.
How does the hybrid approach work for the end-user? The end user remains on the SAP Access Control and can continue to access the system through the NetWeaver Business Client (NWBC) or SAP Fiori. The workflows run in SAP Access Control but the provisioning automatically goes through SAP IAG when provisioning cloud systems, and directly from SAP Access Control when provisioning on-promise systems.
Frequently Asked Questions (FAQ)
In hybrid landscapes, we have segregation of duty risks that are beyond one system. For example, one person has the ability to execute a transaction in SAP S/4HANA (on-premise) and can execute an application on SAP Ariba (cloud) that is considered an SOD. SAP IAG allows for the analysis of cross-system risks in hybrid landscapes.
SAP IAG Integration Edition is functionality limited to access analysis, role management and user provisioning, and pricing is based on “connections.” SAP IAG Standard Edition provides complete functionality and pricing is based on “monitored users.”
SAP Cloud Identity Access Governance (IAG) provides out-of-the-box integration with many of the cloud applications such as SAP Ariba, SAP SuccessFactors, SAP S/4HANA Cloud, SAP Analytics Cloud. A full overview can be seen here:
If a customer primarily uses cloud applications then SAP IAG is the preferred application without the need of SAP Access Control. Remember, SAP IAG is a SaaS solution that allows limited customizations. If you have extensive requirements, SAP Access Control might close that gap but comes at a high price point as you have to implement both products and set up the bridge scenario.
There is a widely spread misconception about the term SAP GRC (or also referred to as GRC, GRC 12, GRC 12.0). SAP’s portfolio consists of four key topics under the broader term of GRC – enterprise risk and compliance, identity and access governance, cybersecurity and data protection and privacy, and international trade management. Often people say “SAP GRC” but they mean “SAP Access Control” as it used to be one of the core applications in the GRC portfolio. However, it is important to understand that GRC is a portfolio of applications, and SAP Access Control as well as SAP IAG are two of many products belonging to the identity and access governance topic.
SAP IAG and its services use SAP Cloud Platform Identity Authentication Service (IAS) for user authentication and to manage access to the applications. Security and permissions are maintained in groups and roles and then assigned to users. Single Sign-On (SSO) with Microsoft Azure, etc. is available through IAS, too.
SAP IAG Bridge allows you to extensively manage access governance in hybrid landscapes. Utilizing the advantages of both solutions enables you to implement strong access controls in the cloud, as well as on-premise. SAP IAG Bridge allows you to preserve your past investment in SAP Access Control to fully utilize the same capabilities in the cloud without compromising on functionality and flexibility.