SAP IAG Admin Guide


Administration Guide | PUBLIC

2021-08-20

SAP Cloud Identity Access Governance Admin Guide

© 2021 SAP SE or an SAP affiliate company. All rights reserved.


Content

1 Getting Started (p. 6)
  1.1 About This Document (p. 6)
  1.2 Document History (p. 6)
  1.3 Terminology and Conventions (p. 8)
2 Quick-Start Guides (p. 9)
3 Upgrade Schedule (p. 10)
4 Monitor License Usage (p. 12)
5 Overview (p. 13)
6 Onboarding (p. 14)
7 Solution Architecture (p. 15)
8 Initial Setup (p. 17)
  8.1 Subscribing to SAP Cloud Identity Access Governance (p. 18)
    Creating a Subaccount (p. 18)
    Assigning Entitlement to the Subaccount (p. 19)
    Subscribing to the Subaccount (p. 19)
  8.2 Feature Set A - Subscribe to SAP Cloud Identity Access Governance (p. 20)
  8.3 Maintain Administrators (p. 20)
9 User Management (p. 21)
  9.1 Setting Up User Authentication and Access (p. 21)
    Maintain Users and User Groups in Identity Authentication (p. 21)
    Pre-Delivered Role Collections on SAP BTP (p. 25)
    Mapping Role Collections to Identity Authentication (p. 35)
    Syncing User Groups from Identity Authentication Service (p. 40)
10 Maintaining Cloud Connector for On-Premise Scenario (p. 43)
  10.1 Install Cloud Connector (p. 43)
  10.2 Maintain Cloud Connector (p. 43)
  10.3 Maintain Destinations for Cloud Connector (p. 44)
11 Additional Services for Access Request Service (p. 45)
  11.1 Setting Up SAP Cloud Platform Workflow Service (p. 45)
    Required Roles for SAP Cloud Platform Workflow Service (p. 45)
    Delivered Workflow Templates (read only) (p. 46)
SAP Cloud Identity Access Governance Admin Guide


2 PUBLIC Content
    Setting Up Business Rules for Workflow (p. 47)
12 Integration Scenarios (p. 58)
  12.1 Overview (p. 59)
  12.2 Connecting Identity Provisioning Tenant (p. 60)
  12.3 SAP SuccessFactors (p. 63)
    Create Destinations (p. 63)
    Add SuccessFactors System (p. 65)
    Sync User Data and Provision Access Requests (p. 65)
  12.4 HR Driven Identity Lifecycle Management (p. 65)
    Process Overview (p. 66)
    Prerequisites (p. 66)
    Set Up Destinations (p. 67)
    Add SAP SuccessFactors System (p. 67)
    Set Up Business Rules (p. 68)
    Synchronize Data Repository and Trigger Access Requests (p. 78)
  12.5 SAP ABAP (on-premise) (p. 80)
    Prerequisites and Technical Requirements (p. 81)
    Maintaining Cloud Connector for On-Premise Scenario (p. 84)
    Sync User Data and Provision Access Requests (p. 86)
  12.6 SAP Ariba (p. 86)
    Process Overview (p. 87)
    Create Destinations (p. 88)
    Add Ariba Instance to Access Request Systems (p. 89)
    Sync User Data and Provision Access Requests (p. 89)
  12.7 SAP Fieldglass (p. 89)
    Process Overview (p. 90)
    Create Destinations (p. 90)
    Add Fieldglass System (p. 91)
    Sync User Data and Provision Access Requests (p. 92)
  12.8 SAP S/4HANA Cloud (p. 92)
    Configuration on SAP S/4HANA Cloud Tenant (p. 93)
    Create Destination for Identity Provisioning (p. 99)
    Create Proxy System (p. 100)
    Add SAP S/4HANA Cloud System (p. 107)
    Sync User Data and Provision Access Request (p. 108)
  12.9 SAP S/4HANA (on-premise) (p. 108)
    Process Overview (p. 109)
    Install Cloud Connector and Set Destinations (p. 110)
    Sync User Data and Provision Requests (p. 110)
    Add SAP S/4HANA Instance to Access Request Systems (p. 110)
  12.10 Microsoft Azure Platform (p. 110)
    Process Overview (p. 111)
    Create Proxy System (p. 111)
    Add Azure Instance to Access Request Systems (p. 112)
    Create Destinations (p. 113)
    Sync User Data and Provision Requests (p. 114)
  12.11 SAP Marketing Cloud (p. 115)
    Process Overview (p. 115)
    Configuration in SAP Marketing Cloud (p. 116)
    Create Destinations (p. 119)
    Add Marketing Cloud Instance to Access Request Systems (p. 119)
    Sync User Data and Provision Access Requests (p. 120)
    User ID Mapping (p. 120)
  12.12 SAP Integrated Business Planning (p. 122)
    Process Overview (p. 123)
    Configuration in SAP Integrated Business Planning (p. 123)
    Create Destinations (p. 126)
    Add Integrated Business Planning Instance to Access Request Systems (p. 127)
    Sync User Data and Provision Access Requests (p. 127)
    User ID Mapping (p. 127)
  12.13 SAP Analytics Cloud (p. 130)
    Process Overview (p. 130)
  12.14 LDAP System (p. 133)
    Process Overview (p. 134)
  12.15 Identity Authentication (p. 137)
    Process Overview (p. 138)
    Register OAuth Client for Identity Provisioning (p. 138)
    Create Destinations (p. 139)
    Create Proxy System (p. 140)
    Add Identity Authentication System (p. 144)
    Manage Rule Sets (p. 145)
    Sync User Data and Provision Access Requests (p. 146)
  12.16 SAP Business Technology Platform (p. 146)
    SAP Business Technology Platform - Cloud Foundry (p. 146)
    SAP Business Technology Platform - NEO (p. 149)
  12.17 SAP SuccessFactors Employee Central Payroll (p. 158)
    Process Overview (p. 159)
    Create Certificate (p. 159)
    Configuration in SAP Employee Central Payroll (p. 159)
    Configuration in SAP Cloud Identity Access Governance (p. 160)
    Sync SAP SuccessFactors Employee Central Payroll Data to SAP Cloud Identity Access Governance and Provision Access Requests (p. 162)
  12.18 SCIM System (p. 162)
    Process Overview (p. 163)
13 Business Configuration (p. 169)
  13.1 Set Up Master Data (p. 169)
    Common Master Data (p. 170)
    Setting Up Master Data for Access Request Service (p. 172)
    Setting Up Master Data for the Role Design Service (p. 173)
    Setting Up Master Data for Access Analysis Service (p. 174)
  13.2 Configuration App (p. 175)
    Language Configuration (p. 176)
    Application Parameters (p. 176)
    Application Users (p. 177)
14 Security and Data Protection and Privacy (p. 178)
15 Further Information (p. 179)
16 Support Information (p. 180)
1 Getting Started

The SAP Cloud Identity Access Governance solution is built on the SAP Business Technology Platform (SAP
BTP). It uses SAP NetWeaver APIs to fetch data from on-premise and cloud solutions, and enables you to use
the following services to create access requests, analyze risks, and design roles.

● SAP Cloud Identity Access Governance, access analysis service
● SAP Cloud Identity Access Governance, access request service
● SAP Cloud Identity Access Governance, role design service
● SAP Cloud Identity Access Governance, access certification service
● SAP Cloud Identity Access Governance, privileged access management service

1.1 About This Document

This administration guide describes the steps you need to perform as an administrator to set up and run the
SAP Cloud Identity Access Governance solution. It covers solution-specific information only. For general
information about SAP Business Technology Platform (SAP BTP), see the documentation on SAP Help Portal
at https://help.sap.com/CP.

This guide addresses the following target audience:

● System administrators
● Key users

For convenience, this guide, and the information therein, is applicable to all the SAP Cloud Identity Access
Governance services. Any mention of SAP Cloud Identity Access Governance in the documentation means the
information is relevant for all the SAP Cloud Identity Access Governance services. Information that is
applicable for only a specific service will be called out accordingly.

1.2 Document History

Provides details about the changes made in each version of this document.

Date Comment

2021-03-01
● Added Connector Type - SCIM System and Extended integration support for HTTP
● Added Access Request API
● Updated Additional Services for Access Request Service
● Updated Maintaining Business Roles in Role Design
● Updated Product Overview, Create Campaigns, Access Certification Process, and Selecting Data for a Campaign in Access Certification

2020-11-19
● Added new features in Privileged Access Management, Access Request, and Access Analysis
● Updated Privileged Access Management Launchpad for ABAP

2020-08-28
● Added new features in Privileged Access Management, Access Request, and Access Analysis

2020-07-24
● Added a new service called Privileged Access Management
● Added a new app for Access Certification
● Updated Integration Scenarios and Security Guide

2020-02-25
● Added applications for integration scenarios and Access Request
● Added features for Role Design Inbox
● Updated read/write transformations for SAP S/4HANA Cloud and SAP Identity Authentication
● Updated the status checks of Access Requests

2019-11-19
● Integration scenarios and applications for Access Analysis updated
● Added Redesigned Job History Report in Access Analysis
● Added Unassociated Access Report in Role Design

2019-08-16
● Added integration scenarios for SAP Analytics Cloud and SAP Cloud Foundry

2019-05-20
● Added information on SAP Marketing Cloud
● Updated information on SAP Integrated Business Planning

2019-02-28
● Added Quick Start Guides section
● Replaced SCI with IAS due to product name change
● Updated information for SAP Fieldglass integration
● Updated information for SAP Cloud Workflow Service roles

2018-11-09
● Added integration procedure for SAP Fieldglass
● Updated integration procedure for SAP Ariba
● Updated User Management [page 21] section to clarify procedure
● Updated Setting Up User Group Sync [page 40] section to clarify procedure

2018-08-30
● Added new SCI Group: IAG_WF_MANAGER
● Updated diagrams for integration scenarios
● Added integration scenario for SAP S/4HANA Cloud

2018-05-11
● Added Integration Scenarios section.
● Reorganized information structure:
○ Moved user and authentication information from the configuration guides to the Administrator Guide under the User Management section.
○ Moved master data information under the Business Configuration section.
1.3 Terminology and Conventions

Here you can find terms and concepts applicable for the SAP Cloud Identity Access Governance services. Over
time product names may change; you may see different versions of a product name within the same guide.
This topic also lists the conventions and abbreviations used.

● HCP: Abbreviation for HANA Cloud Platform. This usage is obsolete and is replaced by SCP. See SCP.
● IAG: Abbreviation for SAP Cloud Identity Access Governance. Due to the length of the full name of the
solution, for readability within this guide, we use the abbreviation "IAG".
● Identity Authentication: Shortened version of SAP Cloud Platform Identity Authentication. See also SCI.
● IAS: Updated abbreviation for SAP Cloud Platform Identity Authentication service. This is a convention
used within this guide. Due to the length of the full name of the solution, for readability, we use the
abbreviation "IAS".
● SCI: Old abbreviation for SAP Cloud Platform Identity Authentication service. (See IAS).
● SCP: Abbreviation for SAP Cloud Platform. Due to the length of the full name of the product, for readability
within this guide, we use the convention "SCP".

2 Quick-Start Guides

Scenario-based integration and configuration guides.

The following guides are provided for your convenience. Each guide provides an overview and also detailed
steps for enabling SAP Cloud Identity Access Governance services and integrating with specific target
applications.

 Note

These guides are to be used in conjunction with the admin guide; they do not replace the complete set of
information in the admin guide.

Scenario: SAP Access Control 12.0 (on-premise) to SAP Cloud Identity Access Governance and Cloud Target
Applications
Description: Using SAP Cloud Identity Access Governance as a bridge to enable creation of access requests
from SAP Access Control 12.0 (on-premise) to cloud target applications.
Guide: IAG Bridge Cloud: SAP Access Control 12.0, SAP Identity Access Governance and Cloud Applications

Scenario: SAP Access Analysis Service to Target Applications
Description: Configuring SAP Cloud Identity Access Governance, access analysis service to analyze user
access for on-premise and cloud target applications.
Guide: SAP Cloud Identity Access Governance, Access Analysis_Integration.pdf

3 Upgrade Schedule

Maintenance windows for cloud services, SAP Business Technology Platform (SAP BTP), and SAP Cloud
Identity Access Governance are listed below.

Maintenance Window for Cloud Services

Cloud service (Duration):

● SAP Asset Manager (Zero Downtime)
● SAP Browse Manager and Conversion Manager
● SAP Business Technology Platform
● SAP Credential Store
● SAP Connected Parking
● SAP Customer Identity, B2B add-on, SAP Customer Consent, SAP Customer Profile
● SAP Event Mesh
● SAP Exchange Media
● SAP Fiori Cloud
● SAP Global Track and Trace
● SAP Merchandising
● SAP TwoGo
● SAP Vehicles Network
● SAP Work Manager, cloud edition

Weekly Maintenance Windows for Cloud Services - Standard Windows

Start time in UTC per region (Region / Weekday / Time / Timezone):

● MENA: FRI 7pm UTC
● APJ: SAT 3pm UTC
● Europe: SAT 10pm UTC
● Americas: SUN 4am UTC

The maintenance windows mentioned above define the maximum scheduled downtime, which certain cloud
services only consume partially.

SAP Cloud Service – Maintenance Window for SAP Cloud Identity Access Governance

Regular Maintenance
● Start time in UTC per region: Americas SUN 4am
● Up to once every month
● Duration: 4 hours

Major Upgrades
● Time frame in UTC per region: Americas SAT 1pm – 7pm
● Up to four times a year
● Duration: 4 hours

4 Monitor License Usage

Your subscription to SAP Cloud Identity Access Governance software is based on the metric resources of users
and connections.

The SAP Cloud Identity Access Governance software is available as a full version and an integration edition.

For the full version, the Usage Metric is Monitored Users. The Usage is calculated on the basis of the number of
unique Users that customers synchronize from their on-premise and/or cloud systems. These systems are
monitored by the software.

For the integration edition, the Usage Metric is Unique Type of Connection. Based on how many application
types the customer connects to the software, the number of connections is calculated.

For more information, refer to SAP Cloud (SaaS) Application Usage.

5 Overview

About This Guide

This administration guide describes the steps you need to perform as an administrator to set up and run the
SAP Cloud Identity Access Governance solution. It covers solution-specific information only. For general
information on the platform the solution runs, see SAP Business Technology Platform.

This guide addresses the following target audience:

● System administrators
● Key users

About SAP Cloud Identity Access Governance

The SAP Cloud Identity Access Governance solution is built on the SAP Business Technology Platform (SAP
BTP). It uses SAP NetWeaver APIs to fetch data from on-premise and cloud solutions, and enables you to use
the following services to create access requests, analyze risks, and design roles.

● SAP Cloud Identity Access Governance, access analysis service
● SAP Cloud Identity Access Governance, access request service
● SAP Cloud Identity Access Governance, role design service
● SAP Cloud Identity Access Governance, access certification service
● SAP Cloud Identity Access Governance, privileged access management service

For convenience, this guide, and the information therein, is applicable to all the SAP Cloud Identity Access
Governance services. Any mention of SAP Cloud Identity Access Governance in the documentation means the
information is relevant for all the SAP Cloud Identity Access Governance services. Information that is
applicable for only a specific service will be called out accordingly.

6 Onboarding

This guide assumes that the onboarding process has already been completed – this means that the
administrator has already access to the Global Accounts and has administrator authorization. For further
details, refer to the notification email that you received after you set up your Global Account.

For more information about the onboarding process, see SAP Business Technology Platform.

7 Solution Architecture

The diagram below illustrates the architectural components of SAP Cloud Identity Access Governance solution.

SAP Cloud Identity Access Governance is a service on the SAP Business Technology Platform (SAP BTP), it
integrates with other SAP BTP services, and connects with cloud and on-premise target applications.

 Note

In the diagram, SAP Cloud Identity Access Governance is referred to as IAG for convenience.

Components

Component / Description

● Target Applications (on-premise, cloud): This is the target system containing user data.
● IAG API: The API for SAP Cloud Identity Access Governance services extracts data from the target
application. The API is part of SAP NetWeaver; make sure your system has the required NetWeaver Basis
Support Packs. The API is available for on-premise and the SAP HANA Cloud.
● SAP BTP connector: The cloud connector sits behind the firewall and establishes connectivity between
SAP BTP and the target system.
● IAG Services: SAP Cloud Identity Access Governance services include: Access Analysis service; Access
Request service; Role Design service; Access Certification; Privileged Access Management.
● Technical Components for IAG services: SAP Cloud Identity Access Governance services components
include: Repository, Scheduler, Reporting and Analytics, Approval Workflow, and Users and Roles.
● Identity Authentication service: Identity Authentication service is used to authenticate users before
allowing access to the SAP Cloud Identity Access Governance solution and services.
● SAP Workflow Management service: SAP Workflow Management is used for automation of access requests
through the various stages of creation and approval.
● SAP Business Rules Service: Business Rules Service enables embedding business decisions into the
workflow.
● Identity Provisioning service: Identity Provisioning service allows provisioning of centrally managed
identities and their access across the enterprise (on-premise and cloud).

8 Initial Setup

SAP Cloud Identity Access Governance 2.0 is available on the Amazon Web Service (AWS) platform and
Microsoft Azure.

For details on data centers, see Create Subaccount.

 Note

If you have already implemented or are currently implementing this solution with SAP Cloud Identity
Access Governance 1.0 release in the SAP Business Technology Platform (SAP BTP), Neo environment,
message the support team by creating a support incident. Select the component GRC-IAG and add
Migration to the subject line so that SAP can contact you and guide you with the next steps.

Prerequisites

You have access to the following:

● An SAP BTP cockpit/Global Account in the Neo environment where your existing application for SAP Cloud
Identity Access Governance is provisioned (only for existing customers who are using SAP Cloud Identity
Access Governance 1.0).
● An instance of the cloud connector if you wish to use on-premise applications or the Bridge scenario to
connect SAP Access Control to SAP Cloud Identity Access Governance.
● An instance of the Identity Provisioning service.

 Note

Identity Provisioning service is available as part of the bundled SAP Cloud Identity Access Governance
solution. For a successful integration, always use the Identity Provisioning tenant that is included in the
bundle.

Do not use any standalone Identity Provisioning tenant or the Identity Provisioning service from former
SAP Identity Access Governance tenants in SAP BTP, Neo environment. Although it is technically
possible to use either option, doing so hampers integration, because the other bundled products come
preconfigured with the bundled Identity Provisioning tenant.

To obtain your Identity Provisioning tenant, or to have your existing bundle tenant upgraded for use
with SAP Cloud Identity Access Governance, create an incident for component GRC-IAG-OPS.

In the incident, mention the following information:


○ That you request Identity Provisioning tenant from SAP Cloud Identity Access Governance bundle
○ ID of the account where you have subscribed to SAP Cloud Identity Access Governance
○ Whether the subscription is for a test or production (standard) landscape
○ S-user (ID and email address) who should be administrator in the Identity Provisioning tenant
○ File separate incidents for test and production landscapes

● An instance of the Identity Authentication service. If you do not have an instance, create an incident as
mentioned in the Note above.

8.1 Subscribing to SAP Cloud Identity Access Governance

Using cloud management tools feature set B to subscribe to SAP Cloud Identity Access Governance means
that you only see your feature set B global account on SAP Business Technology Platform (SAP BTP).

Once you obtain your license for SAP Cloud Identity Access Governance, a suitable Entitlement is assigned to your Global Account. You consume this Entitlement by assigning it to a suitable subaccount and subscribing there.

The following three steps will guide you through the subscription process:

● Creating a subaccount for subscription
● Assigning the Entitlement to the subaccount
● Subscribing to the subaccount

8.1.1 Creating a Subaccount

Note

Currently, SAP Cloud Identity Access Governance is available only on:

● Amazon Web Service (AWS) platform in US East (VA) - cf-us20, Australia (Sydney), and Europe (Frankfurt) regions - cf-eu10
● Microsoft Azure in US West (WA) - cf-us20

If you are migrating from SAP Cloud Identity Access Governance 1.0, the region you select for creating a subaccount depends on your current region for the Neo subaccount.

To migrate to your new environment, proceed as follows:

Migrating to the New Environment - New Subaccount

Follow the steps below to create your subaccount:

1. Log into your Global Account and enter a Display Name and Description.
   If you wish, you can change these two attributes at a later date.
2. Enter the relevant Provider and Region.
   Refer to the note above to establish which providers are available in your region. For instance, if you are located in Europe, enter Amazon Web Services (AWS) in the Provider field and Europe (Frankfurt) in the Region field.
3. Enter a unique entity as a Subdomain.
   The subdomain forms the first part of the URL visible in the browser, so it must be unique in the data center where your Global Account is hosted. It should relate your tenant ID to the relevant tenant.
   We suggest you use your corporate internet domain and the SAP Cloud Identity Access Governance service that you plan to subscribe to. Depending on whether the plan is test (Test), standard (Production), or tandd (Cloud T&D), the Subdomain must start with a unique entity, followed by -iag- and then either test, prod, or tandd.
   The Subdomain must be unique per landscape.
   Example: Your corporate domain is example.com and you wish to subscribe to the test plan. To do so, choose com-example-test as the subdomain. If you plan to subscribe to other services from other accounts in the same Global Account, you may also want to include the product in the subdomain name: com-example-iag-test.
   Check Used for production only if you wish to subscribe to the standard plan. This information is useful for the platform support and does not affect the behaviour of SAP Cloud Identity Access Governance.

Note

When you purchase a variant of SAP Cloud Identity Access Governance, you are offered both the test
and standard plans. For these plans, you must create two subaccounts in your Global Account and
subscribe to one plan in one subaccount only. Refer to the example above to choose a unique naming
convention for the subdomains for your two subaccounts.

8.1.2 Assigning Entitlement to the Subaccount

To assign the Entitlement in your global account, follow the steps described below.

Procedure

1. Log on to the SAP BTP Cockpit and open your global account.
2. Go to Entitlements and choose Entity Assignments.
3. In the Show field, Subaccounts is displayed and in the Subaccounts field, the attribute IAG Prod. appears.
Choose Go.
4. Choose the Add Service Plan button next to the Search field, select SAP Cloud Identity Access Governance
from the service list and choose Add 1 Service Plan and Save.
You are now subscribed to SAP Cloud Identity Access Governance and it is available as your subaccount in
the Service Marketplace.

8.1.3 Subscribing to the Subaccount

After creating your subaccount, you need to subscribe to SAP Cloud Identity Access Governance.

To subscribe to the SAP Cloud Identity Access Governance solution, do the following:

1. Navigate to Subaccounts and choose the subaccount IAG Prod that you have created.
2. Go to Service Marketplace and under Integration Suite choose SAP Cloud Identity Access Governance.
3. In the tile for SAP Cloud Identity Access Governance, choose the relevant application plan, for example,
standard.
4. Go to the three dots displayed on the right side in the column and choose Create to subscribe to this
application.
5. In the pop-up window New Instance or Subscription, select SAP Cloud Identity Access Governance as
service and the plan, for instance, standard, and choose Create.

6. To see the status of your subscription that appears as an option in the Creation in Progress window, choose
View Subscription that is displayed in Instances and Subscriptions.
7. In the Status column, the status Processing is displayed.
Once the processing is completed, the tenant database is created and the role collections for SAP Cloud
Identity Access Governance are assigned to your subaccount.
8. Once the Status changes to Subscribed, choose the Go to Application button to open the SAP Cloud
Identity Access Governance Launchpad.

Note

When you open the launchpad, it will be empty because you have not yet been assigned any role collections that would authorize you to access any applications.

You can, however, view the Role Collections for SAP Cloud Identity Access Governance in your subaccount. These roles are assigned to P-users originating in your tenant for Identity Authentication. Only for very limited use cases can these roles be assigned to S-users originating in SAP ID Service. In general, the launchpad is only used via P-users.

Since your end users are not authorized to retrieve the URL from the subscription screen, copy the URL and save it, so you can communicate it to them.

8.2 Feature Set A - Subscribe to SAP Cloud Identity Access Governance

After creating your subaccount, you need to subscribe to SAP Cloud Identity Access Governance.

1. Log into your Global Account as an Administrator.
2. Select the subaccount that you have created.
3. In the left-hand panel, go to Services > Service Marketplace > SAP Cloud Identity Access Governance.

8.3 Maintain Administrators

After subscribing to the SAP Identity Access Governance application, you must maintain security
administrators.

Add security administrators to your subaccount by entering their e-mail addresses instead of the user IDs.

Security administrators can add other security administrators, and manage authentication and authorization
in this subaccount, such as configuring trust to identity providers, and assigning role collections to business
users.

9 User Management

SAP Cloud Identity Access Governance solution and its services use Identity Authentication service for user
authentication and to manage access to the solution's apps. Security and permissions are maintained in
groups and roles. You control the tasks a user can perform, and the apps they can access, through the
appropriate assignment of group and role combinations to the user.

The assignment of groups and roles to users controls these three security aspects:

● Permission to access and use specific apps
   You can ensure that users can access only those apps relevant for their job function. For example, that only administrators can access admin apps.
● Permission to perform administrative tasks
   Within the framework of access governance, tasks have different levels of risk and sensitivity. You can ensure that users can only perform administrative tasks in line with their job function. For example, only users assigned to the Control Owners group can approve new or updated mitigation controls.
● Permission to use specific services
   The SAP Cloud Identity Access Governance solution integrates with other SAP services, such as Business Rule service, and these services require users to have specific roles to use them.

9.1 Setting Up User Authentication and Access

The process to configure authentication and access requires you to perform configuration tasks on SAP
Business Technology Platform (SAP BTP) for the SAP Cloud Identity Access Governance tenant and the
Identity Authentication service.

● Maintain users in Identity Authentication.
● Pre-delivered role collections for the SAP Cloud Identity Access Governance tenant.

1. Maintain Users and User Groups in Identity Authentication [page 21]
2. Pre-Delivered Role Collections on SAP BTP [page 25]
3. Mapping Role Collections to Identity Authentication [page 35]
4. Syncing User Groups from Identity Authentication Service [page 40]

9.1.1 Maintain Users and User Groups in Identity Authentication

In Identity Authentication, tenant administrators can manage user accounts and groups.

Activity: Create User
Description: Create users via the Add user option in the administration console.
Procedure: Create a New User

Activity: Create User Groups
Description: Create new user groups via the User Groups option in the administration console.
Procedure: Create a New User Group

Note
It is mandatory to follow the User Group Naming Guidelines and create the Required Groups provided below.

Activity: Assign Groups to User
Description: Assign groups to a user via the administration console for Identity Authentication.
Procedure: Assign Groups to a User

User Group Naming Guidelines

When you create these groups, you must follow this naming convention: IAG_<TYPE>_<NAME>.

In this string, the <TYPE> must be one of the delivered types shown in the table below. The <NAME> can be of
your choosing, though we recommend choosing a name that is clear and concise.

Example: IAG_WF_ADMIN

Group Types

Group Type - Name: Description

CM - Control Monitor: Users assigned to this group are available as control monitors, which can be assigned during control creation.

CO - Control Owner: Users assigned to this group are available as control owners, which can be assigned during control creation.

WF - Workflow: Assign users to this group to enable participation in the workflow service.

RO - Role Owner: Users assigned to this group are available as role owners, which can be assigned during access request.

CADM - Candidate Business Role Administrator: Users assigned to this group have access to the Candidate Business Role Administration app and carry out administrative tasks.

RCA - Business Role Content Approver: Users can modify and approve business roles. Users assigned to this group are included in the dropdown list of Business Role Content Approvers.

RAA - Business Role Assignment Approver: Users can approve business role assignments. Users assigned to this group are included in the dropdown list of Assignment Approvers.

USER - IAG Application Users: Assign this group by default to all application users for SAP Cloud Identity Access Governance.

Required Groups

The following groups are required for using SAP Cloud Identity Access Governance services. The services look for these specific groups, so make sure you create them with the names listed below, in the same case. The names are case-sensitive.

In the Identity Authentication tenant, create the groups as described below, and then assign the relevant users to them. These are suggested groupings and names. In your own implementation, you can create groups that suit your needs.

As you will map these groups to the SAP BTP groups, we recommend using the same group names in both Identity Authentication and SAP BTP to make them easier to track.

Note

You can create users in Identity Authentication or make them available on a connected LDAP server.

Note

To connect to LDAP and other services for app users, you must configure this in Identity Authentication. For more information, see SAP Cloud Identity Services - Identity Authentication.
Service - Create these Groups: Users Assigned to the Group can Perform these Tasks

Access Request Service

● IAG_WF_MANAGER: In the Create Access Request app there is the Manager field. You assign users to the IAG_WF_MANAGER group to make them available for selection in this field. Managers are responsible for approving access requests.
   Note: If a user's manager is explicitly assigned in Identity Authentication, then the manager is displayed in this field and is read-only.
● IAG_WF_ADMIN: In the access request process, requests go through a security stage. Users assigned to this group are available to receive and work on access requests in this stage.
● IAG_WF_DEFAULT: When managers and approvers are not available in the system, the task of reviewing and approving a request goes to users assigned to this group.

Role Design Service

● IAG_WF_CBRRefine: Users assigned to this group can refine the proposed candidate business roles.
● IAG_WF_CBRActivate: Users assigned to this group can activate candidate business roles.
● IAG_WF_CBRReconcile: Users assigned to this group can perform tasks in the reconciliation stage of CBR, such as provisioning and deprovisioning user role assignments.

Access Certification

● IAG_WF_ADMIN: Users assigned to this group can receive and work on access certification review items in the security stage.
● IAG_WF_DEFAULT: When managers or role owners are not available, the task of reviewing a user's access is forwarded to members of this group.
● IAG_CPG_ADMIN: Users assigned to this group are able to create and edit campaigns.
● IAG_CPG_REVIEWER: Users assigned to this group can be selected by the campaign coordinator during the reassignment of review items on the manage campaign page.
● IAG_CPG_CO: Users assigned to this group can coordinate campaign activities, for example, reassign items or remind reviewers.

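The naming convention from User Group Naming Guidelines and the case-sensitive required groups listed above can be checked mechanically before you map anything to SAP BTP. The following Python script is an added example, not SAP code; the tenant group list it inspects is constructed for illustration.

```python
"""Check an Identity Authentication group list against the IAG group conventions.

Added example, not SAP code. It encodes the IAG_<TYPE>_<NAME> naming
convention and the delivered group types from the Group Types table, and
the required, case-sensitive group names per service from the Required
Groups table, then reports what a tenant's group list is missing or gets wrong.
"""
import re

# Delivered <TYPE> values from the Group Types table.
GROUP_TYPES = {"CM", "CO", "WF", "RO", "CADM", "RCA", "RAA", "USER"}

# Required groups per service. The services look for exactly these strings,
# so the comparison below is case-sensitive on purpose.
REQUIRED_GROUPS = {
    "Access Request Service": {"IAG_WF_MANAGER", "IAG_WF_ADMIN", "IAG_WF_DEFAULT"},
    "Role Design Service": {"IAG_WF_CBRRefine", "IAG_WF_CBRActivate", "IAG_WF_CBRReconcile"},
    "Access Certification": {"IAG_WF_ADMIN", "IAG_WF_DEFAULT", "IAG_CPG_ADMIN",
                             "IAG_CPG_REVIEWER", "IAG_CPG_CO"},
}
DELIVERED_GROUPS = set().union(*REQUIRED_GROUPS.values())

# IAG_<TYPE>_<NAME>: the type must be a delivered type, the name is free.
NAME_PATTERN = re.compile(r"^IAG_(?P<type>[A-Z]+)_(?P<name>[A-Za-z0-9_]+)$")


def check_groups(tenant_groups, services=None):
    """Compare a tenant's group names with the conventions.

    Returns a dict with three sorted lists:
      missing       - required groups (for the chosen services) not present at all
      wrong_case    - (found name, expected name) pairs that differ only in case;
                      the services will not recognise the found name
      nonconforming - other IAG_ groups whose <TYPE> is not a delivered type
    """
    services = list(services) if services else list(REQUIRED_GROUPS)
    required = set().union(*(REQUIRED_GROUPS[s] for s in services))
    present = set(tenant_groups)
    by_lower = {g.lower(): g for g in present}

    missing, wrong_case = [], []
    for expected in sorted(required):
        if expected in present:
            continue
        found = by_lower.get(expected.lower())
        if found is None:
            missing.append(expected)
        else:
            wrong_case.append((found, expected))
    reported = {found for found, _ in wrong_case}

    nonconforming = []
    for group in sorted(present - DELIVERED_GROUPS - reported):
        if not group.upper().startswith("IAG_"):
            continue  # not an IAG group, so outside the convention
        match = NAME_PATTERN.match(group)
        if match is None or match.group("type") not in GROUP_TYPES:
            nonconforming.append(group)

    return {"missing": missing, "wrong_case": wrong_case, "nonconforming": nonconforming}


# Constructed sample: the kind of list an admin would export from an IAS tenant.
SAMPLE_TENANT_GROUPS = [
    "IAG_WF_MANAGER", "IAG_WF_ADMIN", "IAG_WF_Default",   # wrong case on DEFAULT
    "IAG_WF_CBRRefine", "IAG_WF_CBRActivate",             # CBRReconcile never created
    "IAG_CPG_ADMIN", "IAG_CPG_REVIEWER", "IAG_CPG_CO",
    "IAG_CO_FINANCE", "IAG_RO_SAP_ERP",                   # custom groups, conforming
    "IAG_APPROVER_FINANCE",                               # APPROVER is not a delivered type
    "Finance_Users",                                      # unrelated group, ignored
]

if __name__ == "__main__":
    for key, items in check_groups(SAMPLE_TENANT_GROUPS).items():
        print(f"{key}: {items}")
```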
Parent topic: Setting Up User Authentication and Access [page 21]

Next: Pre-Delivered Role Collections on SAP BTP [page 25]

9.1.2 Pre-Delivered Role Collections on SAP BTP

In the tenant for SAP Cloud Identity Access Governance on SAP BTP, the administrator can view the pre-delivered role collections. The role collections CIAG_Display, CIAG_Access_Certification_Admin, and CIAG_Super_Admin are primarily required to gain full access to the apps in SAP Cloud Identity Access Governance. Refer to the tables below for the role collections.

Note

If you are subscribing to SAP Cloud Identity Access Governance, integration edition, refer to SAP Cloud Identity Access Governance, integration edition.

Role Collections for all Business Users

Assign this Role Collection: CIAG_Display
Associated Roles for the Role Collection: Destination Certificate Viewer, Destination Configuration Viewer, Destination Subaccount Trust Viewer, Destination Viewer, EXTERNAL_PORTAL_USER, IAGDisplay_Admin, sap_scheduler_configuration_template, sap_scheduler_viewer_template, Token_Exchange_Admin
To perform these tasks: This is the default role collection for all business users.

Role Collections and Associated Roles for the Access Request Service

Assign this Role Collection: CIAG_Access_Request
Associated Roles for the Role Collection: IAG_Access_RequestAccess_Request, RuleRepositorySuperUser, RuleRuntimeSuperUser, WorkflowParticipant
To perform these tasks:
● Create access requests
● View status of request
● Cancel request
● For approvers:
   ○ review and approve or reject access requests
   ○ remediate risks
● View audit logs

Assign this Role Collection: CIAG_Access_Request_Admin
Associated Roles for the Role Collection: IAG_Access_Request_AdminAccess_Request, IAG_Access_Request_AdminAdministration, IAG_Access_Request_AdminReports, iag_access_request_priority, iag_authorization_policy, iag_business_processes, iag_configuration, iag_custom_field_groups, iag_custom_fields, iag_field_mapping, iag_maint_user_data, iag_notif_upload, iag_reason_code, RuleRepositorySuperUser, RuleRuntimeSuperUser, WorkflowAdmin, WorkflowDeveloper
To perform these tasks:
● Setting up connections between the service and the target systems
● Setting up recurring jobs for the service
● Setting up master data in the apps
● Setting up workflow service
● Setting up Business Rule service
● Setting up Identity Provisioning service
● Set configurations for SAP Cloud Identity Access Governance, such as UI language

Assign this Role Collection: CIAG_Access_Request_Others
Associated Roles for the Role Collection: IAG_Access_Request_OthersAccess_Request_for_others

Role Collections and Associated Roles for the Role Design Service

Assign this Role Collection: CIAG_Role_Designer
Associated Roles for the Role Collection: IAG_Role_DesignerAdministration, IAG_Role_DesignerReports, IAG_Role_DesignerRole_designer
To perform these tasks:
● Business roles: create and maintain
● Candidate business roles: create, review, and approve

Assign this Role Collection: CIAG_Role_Designer_Admin
Associated Roles for the Role Collection: iag_authorization_policy, iag_business_processes, iag_configuration, iag_departments, iag_projects, IAG_Role_Designer_AdminAdministration, IAG_Role_Designer_AdminReports, IAG_Role_Designer_AdminRole_designer
To perform these tasks:
● Setting up connections between the service and the target systems
● Setting up recurring jobs for the service
● Setting up master data in the app
● Set configurations for SAP Cloud Identity Access Governance, such as UI language
● View the Role Design Audit Log

Role Collections and Associated Roles for the Access Analysis Service

Assign this Role Collection: CIAG_Access_Analysis
Associated Roles for the Role Collection: IAG_Access_AnalysisAccess_Analysis, IAG_Access_AnalysisAdministration, IAG_Access_AnalysisReports, RuleRuntimeSuperUser
To perform these tasks:
● Analyzing access risks
● Remediating access risks
● Refining access
● Mitigating risks
● Auditing access compliance

Assign this Role Collection: CIAG_Access_Analysis_Admin
Associated Roles for the Role Collection: IAG_Access_Analysis_AdminAccess_Analysis, IAG_Access_Analysis_AdminAdministration, IAG_Access_Analysis_AdminReports, iag_authorization_policy, iag_business_processes, iag_configuration, iag_functions, iag_mitigaton_control_master_data, iag_risk, iag_risk_level, iag_risk_score_policy, iag_test_plans, RuleRepositorySuperUser, RuleRuntimeSuperUser
To perform these tasks:
● Setting up connections between the service and the target systems
● Setting up recurring jobs for the service
● Setting up master data in the apps
● Set configurations for SAP Cloud Identity Access Governance, such as UI language
Role Collections for the Configuration Admin

Assign this Role Collection: CIAG_Configuration_Admin
Associated Roles for the Role Collection: iag_access_request_priority, iag_authorization_policy, iag_business_processes, iag_configuration, IAG_Configuration_AdminAdministration, iag_custom_field_groups, iag_custom_fields, iag_field_mapping, iag_functions, iag_maint_user_data, iag_mitigaton_control_master_data, iag_notif_upload, iag_projects, iag_reason_code, iag_risk, iag_risk_level, iag_risk_score_policy, iag_test_plans, RuleRepositorySuperUser, RuleRuntimeSuperUser, WorkflowAdmin, WorkflowDeveloper, WorkflowParticipant
To perform these tasks: This role collection enables business users to configure SAP Cloud Identity Access Governance.

Assign this Role Collection: CIAG_Administrator_v1
Associated Roles for the Role Collection: iag_connector_type
Role Collections for the Super Admin

Assign this Role Collection: CIAG_Super_Admin
Associated Roles for the Role Collection: IAG_Access_Analysis_AdminAccess_Analysis, IAG_Access_Analysis_AdminAdministration, IAG_Access_Analysis_AdminReports, IAG_Access_AnalysisAccess_Analysis, IAG_Access_AnalysisAdministration, IAG_Access_AnalysisReports, IAG_Access_Request_AdminAccess_Request, IAG_Access_Request_AdminAdministration, iag_access_request_priority, IAG_Access_RequestAccess_Request, IAG_Access_RequestAdministration, iag_authorization_policy, iag_business_processes, iag_configuration, iag_custom_field_groups, iag_custom_fields, iag_departments, iag_field_mapping, iag_functions, iag_maint_user_data, iag_mitigaton_control_master_data, iag_notif_upload, IAG_Privileged_AccessAdministration, IAG_Privileged_AccessPrivileged_Access_Management, IAG_Privileged_AccessPrivilegedRoles, IAG_Privileged_AccessReports, iag_projects, iag_reason_code, iag_risk, iag_risk_level, iag_risk_score_policy, IAG_Role_Designer_AdminAdministration, IAG_Role_Designer_AdminReports, IAG_Role_Designer_AdminRole_designer, IAG_Role_DesignerAdministration, IAG_Role_DesignerReports, IAG_Role_DesignerRole_designer, iag_test_plans, RuleRepositorySuperUser, RuleRuntimeSuperUser, WorkflowAdmin, WorkflowDeveloper, WorkflowParticipant
To perform these tasks: This role collection is for the Super Admin who needs to configure and access all the services.

Assign this Role Collection: CIAG_Administrator_v1
Associated Roles for the Role Collection: iag_connector_type

Role Collections for the Privileged Access Admin

Assign this Role Collection: CIAG_Privileged_Access
Associated Roles for the Role Collection: iag_configuration, IAG_Privileged_AccessAdministration, IAG_Privileged_AccessPrivileged_Access_Management, IAG_Privileged_AccessPrivilegedRoles, IAG_Privileged_AccessReports, iag_reason_code
To perform these tasks: This role collection is for privileged access management activities.
Role Collections for the Access Certification

Assign this Role Collection: CIAG_Access_Certification_Admin
Associated Roles for the Role Collection: IAGAccessCertificationAdmin, WorkflowParticipant
To perform these tasks:
1. Create and edit campaign
2. View logs
3. Manage/coordinate campaign activities (escalate, ...)

Assign this Role Collection: CIAG_Access_Certification_Coordinator
Associated Roles for the Role Collection: IAGAccessCertificationCoordinator, WorkflowParticipant
To perform these tasks:
1. Manage/coordinate campaign activities (escalate, ...)
2. View logs

Assign this Role Collection: CIAG_Access_Certification_Reviewer
Associated Roles for the Role Collection: IAGAccessCertificationReviewer, WorkflowParticipant
To perform these tasks: Review and approve or reject access item (Role Owner, Manager, Security)

In the tenant for SAP Cloud Identity Access Governance, the administrator can assign the role collections. For more information, refer to Assign Role Collections.

Note

If you wish to customize your role collections, you have the option of creating and assigning them manually.

If you need a list of roles belonging to role collections for workflow management and business rules, refer to the following links:

● SAP Workflow Management - Authorization Configuration
● SAP Business Rules Service for the Cloud Foundry Environment - Authorization Configuration

Parent topic: Setting Up User Authentication and Access [page 21]

Previous: Maintain Users and User Groups in Identity Authentication [page 21]

Next: Mapping Role Collections to Identity Authentication [page 35]

9.1.2.1 SAP Cloud Identity Access Governance, integration edition

SAP Cloud Identity Access Governance, integration edition uses six role collections and associated roles that are listed below.
Role Collections for all Business Users

Assign this Role Collection: CIAG_INT_Display
Associated Roles for the Role Collection: Destination Certificate Viewer, Destination Configuration Viewer, Destination Subaccount Trust Viewer, Destination Viewer, EXTERNAL_PORTAL_USER, IAGDisplay_Admin, sap_scheduler_configuration_template, sap_scheduler_viewer_template, Token_Exchange_Admin
To perform these tasks: This is the default role collection for all business users.

Role Collections and Associated Roles for the Access Analysis Service

Assign this Role Collection: CIAG_INT_Access_Analysis
Associated Roles for the Role Collection: IAG_Access_AnalysisAccess_Analysis, IAG_Access_AnalysisAdministration, IAG_Access_AnalysisReports
To perform these tasks:
● Analyzing access risks
● Remediating access risks
● Refining access
● Mitigating risks
● Auditing access compliance

Assign this Role Collection: CIAG_INT_Access_Analysis_Admin
Associated Roles for the Role Collection: IAG_Access_Analysis_AdminAccess_Analysis, IAG_Access_Analysis_AdminAdministration, IAG_Access_Analysis_AdminReports, iag_authorization_policy, iag_business_processes, iag_configuration, iag_functions, IAG_INTG_Role_Designer, iag_maint_user_data, iag_mitigaton_control_master_data, iag_risk, iag_risk_level, iag_risk_score_policy, iag_test_plans
To perform these tasks:
● Setting up connections between the service and the target systems
● Setting up recurring jobs for the service
● Setting up master data in the apps
● Set configurations for SAP Cloud Identity Access Governance, such as UI language
Role Collections for the Configuration Admin

Assign this Role Collection: CIAG_INT_Configuration_Admin
Associated Roles for the Role Collection: iag_authorization_policy, iag_business_processes, iag_configuration, IAG_Configuration_AdminAdministration, iag_functions, iag_maint_user_data, iag_mitigaton_control_master_data, iag_risk, iag_risk_level, iag_risk_score_policy, iag_test_plans
To perform these tasks: This role collection enables business users to configure SAP Cloud Identity Access Governance.

Assign this Role Collection: CIAG_INT_Administrator_v1
Associated Roles for the Role Collection: iag_connector_type
Role Collections for the Role Management

Assign this Role Collection: CIAG_INT_Role_MGMT
Associated Roles for the Role Collection: IAG_Role_DesignerAdministration, IAG_Role_DesignerReports
To perform these tasks: Role Management

Role Collections for the Super Admin

Assign this Role Collection: CIAG_INT_Super_Admin
Associated Roles for the Role Collection: IAG_Access_Analysis_AdminAccess_Analysis, IAG_Access_Analysis_AdminAdministration, IAG_Access_Analysis_AdminReports, IAG_Access_AnalysisAccess_Analysis, IAG_Access_AnalysisAdministration, IAG_Access_AnalysisReports, iag_authorization_policy, iag_business_processes, iag_configuration, iag_departments, iag_functions, IAG_INTG_Role_Designer, iag_maint_user_data, iag_mitigaton_control_master_data, iag_risk, iag_risk_level, iag_risk_score_policy, IAG_Role_Designer_AdminReports, IAG_Role_DesignerReports, iag_test_plans
To perform these tasks: This role collection is for the Super Admin who needs to configure and access all the services.

Assign this Role Collection: CIAG_INT_Administrator_v1
Associated Roles for the Role Collection: iag_connector_type

9.1.3 Mapping Role Collections to Identity Authentication

To map the Role Collections to your Identity Authentication tenant, you must do the following:

● Set Identity Authentication as a trusted identity provider.
● Set up assertion-based groups and attributes mapping.

Parent topic: Setting Up User Authentication and Access [page 21]

Previous: Pre-Delivered Role Collections on SAP BTP [page 25]

Next: Syncing User Groups from Identity Authentication Service [page 40]

9.1.3.1 Federating Identity Authentication Tenant

SAP Cloud Identity Access Governance services use Identity Authentication to provide user identity
authentication.

Before you can start using the solution, you must federate your SAP Identity Access Service tenant with the
subscriber subaccount for SAP Cloud Identity Access Governance. This is a simple exchange of certificates;
however, some special settings must be implemented for optimum usability of the software.

9.1.3.1.1 Download the SAML Metadata File for the Subscriber Subaccount

1. Go to the SAP BTP cockpit, and open your subscriber subaccount.
2. In the menu panel on the left side, choose Security > Trust Configuration.
3. Download the SAML Metadata file for the subaccount.
   The file is downloaded with a name that contains the subdomain of the subaccount. The name makes it easier to find the file for uploading it at a later date.

9.1.3.1.2 Create Application in Identity Authentication and Upload SAP BTP Metadata File

In the Identity Authentication cockpit, create a custom application for SAP Cloud Identity Access Governance services, which is used to establish the trust relationship with the SAP Business Technology Platform (SAP BTP) tenant.

1. In the Identity Authentication cockpit, navigate to Applications & Resources > Applications.
2. Add a custom application and save.

Note

For ease of use, the application and the subaccount should have the same name.

3. Upload the metadata from the SAP BTP tenant.
   1. From the Custom Applications list, select your new custom application, and then select SAML 2.0 Configuration.
   2. In the Metadata File field, browse to the location of the SAP BTP metadata file.
   3. Upload the file and save.

9.1.3.1.3 Set Up Assertion-based Groups for Identity Authentication and Role Collection Mapping

Add Assertion Attributes

1. Log in to the Identity Authentication tenant and navigate to Applications & Resources > Applications.
2. Under Custom Applications, select your custom application. (This is the application you created as part of the procedure for setting up a trust relationship between the Identity Authentication service tenant and the SAP BTP tenant.)
3. Choose Assertion Attributes and create the following attributes:

User Attribute - Assertion Attribute

Groups - Groups (Ensure that the letter G is in upper case.)
First Name - first_name
Last Name - last_name
E-mail - mail

4. Save.

Add Assertion-based Identity Authentication Groups and Attributes Mapping

1. Add assertion-based Groups.


1. Logon to the SAP-BTP tenant, and navigate to Security > Trust Configuration > Name.
2. Select the name of the relevant identity provider (the Identity Authentication that you have already
configured). For more information, refer to Federating Identity Authentication Tenant [page 36].
3. Choose New Role Collection Mapping to create the mapping rules. Some examples of role collections
that must be mapped are listed below.

 Note

If role collection values are unavailable in the Identity Authentication system, you need to
create them manually. The other role collections listed in
Pre-Delivered Role Collections on SAP BTP [page 25] must be mapped in the same manner as the
examples listed below.

Role Collection Mapping to Identity Authentication Groups

Pre-delivered Role Collection    Attribute    Operator    Value (Identity Authentication Group)
CIAG_Access_Analysis             Groups       equals      IAG_Access_Analysis
CIAG_Access_Analysis_Admin       Groups       equals      IAG_Access_Analysis_Admin
CIAG_Role_Designer               Groups       equals      IAG_Role_Designer
CIAG_Role_Designer_Admin         Groups       equals      IAG_Role_Designer_Admin

4. Save.
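As an added example (not from the guide), the following Python models how the attributes of a SAML assertion are matched against the role collection mapping rules above, including the case-sensitivity of the Groups attribute name that the note warns about. The assertion fragment and the group values in it are constructed sample data; the mapping rows are the ones from the table.

```python
"""Role collection mapping evaluator (added example, not SAP code)."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# (role collection, assertion attribute, operator, value), as in the guide's table.
ROLE_COLLECTION_MAPPINGS: List[Tuple[str, str, str, str]] = [
    ("CIAG_Access_Analysis", "Groups", "equals", "IAG_Access_Analysis"),
    ("CIAG_Access_Analysis_Admin", "Groups", "equals", "IAG_Access_Analysis_Admin"),
    ("CIAG_Role_Designer", "Groups", "equals", "IAG_Role_Designer"),
    ("CIAG_Role_Designer_Admin", "Groups", "equals", "IAG_Role_Designer_Admin"),
]


def attributes_from_assertion_xml(xml_text: str) -> Dict[str, List[str]]:
    """Collect Attribute Name -> values from an assertion's AttributeStatement.

    Only meant for an assertion whose signature the SAML stack has already
    validated; this helper reads attributes and does no signature checking.
    """
    root = ET.fromstring(xml_text)
    attrs: Dict[str, List[str]] = {}
    for attribute in root.iter(f"{{{SAML_NS}}}Attribute"):
        name = attribute.get("Name", "")
        values = [v.text or "" for v in attribute.findall(f"{{{SAML_NS}}}AttributeValue")]
        attrs.setdefault(name, []).extend(values)
    return attrs


def role_collections_for_assertion(assertion_attributes: Dict[str, List[str]],
                                   mappings: List[Tuple[str, str, str, str]] = ROLE_COLLECTION_MAPPINGS
                                   ) -> List[str]:
    """Role collections granted by the assertion, in mapping-rule order.

    Matching is exact and case-sensitive on both the attribute name and its
    values, which is why the guide insists on "Groups" with an upper-case G:
    an attribute sent as "groups" grants nothing.
    """
    granted: List[str] = []
    for role_collection, attribute, operator, expected in mappings:
        if operator != "equals":
            raise ValueError(f"unsupported operator: {operator}")
        if expected in assertion_attributes.get(attribute, []) and role_collection not in granted:
            granted.append(role_collection)
    return granted


def find_unmapped_groups(assertion_attributes: Dict[str, List[str]],
                         mappings: List[Tuple[str, str, str, str]] = ROLE_COLLECTION_MAPPINGS
                         ) -> List[str]:
    """Groups the identity provider sent that no mapping rule consumes.

    Handy when a user reports missing tiles after logon: the group is there,
    but no role collection mapping refers to it.
    """
    mapped_values = {value for _, attribute, _, value in mappings if attribute == "Groups"}
    return [g for g in assertion_attributes.get("Groups", []) if g not in mapped_values]


# Constructed sample AttributeStatement with the assertion attributes the guide defines.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="Groups">
      <saml2:AttributeValue>IAG_Access_Analysis</saml2:AttributeValue>
      <saml2:AttributeValue>IAG_Role_Designer_Admin</saml2:AttributeValue>
      <saml2:AttributeValue>Finance_Users</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="mail">
      <saml2:AttributeValue>jane.doe@example.com</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

if __name__ == "__main__":
    attrs = attributes_from_assertion_xml(SAMPLE_ASSERTION)
    print("granted:", role_collections_for_assertion(attrs))
    print("unmapped groups:", find_unmapped_groups(attrs))
```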

9.1.3.1.4 Download SAML Metadata File for Identity Authentication

1. In the Identity Authentication cockpit, navigate to Tenant Settings > SAML 2.0 Configuration.
2. In the SAML 2.0 Configuration, under Identity Provider Settings, go to Signing Certificate at the bottom of
the page to download the metadata file.
3. Rename the file. Use the tenant ID of the Identity Authentication Service for this purpose.
4. In the field Description, enter the description (optional).
5. Choose Parse. You should see the message Metadata parsed successfully.
6. Save.

9.1.3.1.5 Add new Trust Configuration for the SAP Cloud Identity Access Governance Subaccount

1. Go to the SAP BTP cockpit, and open your subscriber subaccount.
2. In the menu panel on the left side, choose Security > Trust Configuration > New Trust Configuration.
3. Upload the SAML metadata file.

4. Enter a meaningful Name, Description, and Link Text for User Logon. For instance, the tenant ID of the
Identity Authentication Service.
5. Save your entries.

Disable the Default Identity Provider

To avoid a disambiguation page when opening the SAP Cloud Identity Access Governance Launchpad, you
need to disable the Default Identity Provider for logon.

1. To edit, choose the Pencil button.
2. Check the box Available for User Logon and save your entry.
You should now see your Identity Authentication Service tenant Available for User Login.

9.1.3.2 Maintaining Access to Tasks

Within the framework of access governance, tasks have different levels of risk and sensitivity. You use Identity
Authentication tools to ensure that only designated users can perform administrative tasks. For example, only
users designated as business role approvers can approve new business roles.

There are three steps in this procedure:

1. In the Identity Authentication tenant, create your groups according to the guidelines below.
2. Assign the appropriate users to the relevant groups.
3. Sync the user-group assignments.
In the Fiori launchpad for SAP Cloud Identity Access Governance, open the Job Scheduler app, and run
the Sync User Groups from IAS job.

For more information about creating user groups and assigning users, see the For More Information section
below.

For group naming conventions and assigning users to groups, refer to the Required Group Guidelines and
Group Naming Guidelines sections in Maintain Users and User Groups in Identity Authentication [page 21].

For More Information:

SAP Cloud Identity Services - Identity Authentication - User Management

SAP Cloud Identity Services - Identity Authentication - User Groups

SAP Cloud Identity Services - Identity Authentication - Assign Groups to Users

9.1.4 Syncing User Groups from Identity Authentication Service

To ensure user groups information is synchronized between the Identity Authentication service tenant and the
tenant for SAP Cloud Identity Access Governance on SAP Business Technology Platform (SAP BTP), you must
maintain the required system in Identity Authentication and the destination in the tenant for SAP Cloud Identity
Access Governance and then run the SCI User Group Sync job in the Job Scheduler app.

Step 1: Set Up IAG Sync System as Administrator in the Identity Authentication Tenant

1. Log in to the Identity Authentication tenant.
2. Choose the Administrators tile.
3. Press the +Add button on the left-hand panel to add a new administrator to the list.
4. Choose Add System.
5. Enter the name of the system under Name as IAG Sync.

 Caution

Choose the name carefully for your system as administrator. Once created, the name cannot be
changed.

6. To be a tenant administrator, a user must be assigned Manage Users and Manage Groups from the
following roles.
Administrator Roles

Authorization                          Description
Manage Applications                    This role gives the tenant administrator permission to configure the applications via the administration console.
Manage Corporate Identity Providers    This role gives the tenant administrator permission to configure the identity providers via the administration console.
Manage Users                           This role gives the tenant administrator permission to manage, import and export users via the administration console.
Manage Groups                          This role gives the tenant administrator permission to create, edit and delete user groups via the administration console.
Manage Tenant Configuration            This role gives the tenant administrator permission to manage tenant configuration and authorization assignments to users.

All administrator roles are assigned by default.

7. In the Configure Authorizations section, assign the Manage Users and Manage Groups option to ON, and
Save.
8. Select the IAG Sync system and click Set Password.
9. Enter a password and save (the app automatically generates a user ID).

 Note

Make a note of the user ID and password. You will use them in the next step.

Step 2: Create SCIUserGroup Destination in the Tenant for SAP Cloud Identity Access Governance on SAP BTP

1. In the tenant for SAP Cloud Identity Access Governance, go to the Subaccounts dropdown menu and
choose your subaccount.
2. Choose Connectivity > Destinations in the navigation panel.
3. Create the SCIUserGroup destination and choose the pencil icon to edit it.
Enter the properties listed below:

*Name             SCIUserGroup
Type              HTTP
Description       SCI User Group Service
*URL              https://SCI_TENANT_ID.accounts.ondemand.com/service/scim/Users (replace SCI_TENANT_ID with your Identity Authentication instance name)
Proxy Type        Internet
Authentication    BasicAuthentication
User              User ID from the Identity Authentication tenant (configured under Users & Authorizations → Administrators)
Password          Password of the IAG Sync system from the Identity Authentication tenant (configured under Users & Authorizations → Administrators)

Step 3: Run SCI User Group Sync Job

1. Log in to the SAP Cloud Identity Access Governance launchpad and open the Job Scheduler app.
2. In the Job Name field, enter a job name.
3. In the Job Category field, select SCI User Group Sync from the dropdown list.
4. In the Recurring Job field, select No.
5. In the Start Immediately field, select Yes.
6. Enter information in all required fields and choose Schedule Job. The job status and log can be checked in
the Job History app.

 Note

To schedule a Recurring Job, refer to 2859618 for recommendations on the frequency of the jobs.

Parent topic: Setting Up User Authentication and Access [page 21]

Previous: Mapping Role Collections to Identity Authentication [page 35]

10 Maintaining Cloud Connector for On-Premise Scenario

SAP Cloud Connector serves as the link between on-demand applications in SAP Business Technology
Platform (SAP BTP) and existing on-premise systems.

The Cloud Connector runs as an on-premise agent in a secured network and acts as a reverse invoke proxy
between the on-premise network and SAP BTP.

For more information, see Cloud Connector.

10.1 Install Cloud Connector

To install the Cloud Connector, view the help documentation for SAP BTP Cloud Connectivity, and follow the
instructions for the scenario:

Connecting Cloud Application to On-Premise Systems.

10.2 Maintain Cloud Connector

Prerequisite: You have already activated your user (Pxxxx) in SAP Cloud Identity Access Governance and have
administrator access to this account.

Example of Admin IAS URL: https://<CompanyName>.accounts.ondemand.com/admin/

 Note

For the following, maintain one Cloud Connector for each target system.

1. Log in to your Cloud Connector and create a new account.
Go to Account Dashboard and choose Add Account.
2. Enter the following details and save the data:
○ Landscape Host: us2.hana.ondemand.com if your cloud tenant is hosted in the US data center, or
eu1.hana.ondemand.com if it is hosted in the Europe data center
○ Account Name: <HCP account name>
○ Display Name: <Company Name>
○ Account User: <P USER ID activated in IAS>
○ Password: <Password created for P USER ID in IAS>
3. Select the created Account and choose Access Control.

4. Add a system mapping for each on-premise target system.
(For an SAP ERP system, enter Back-end Type = ABAP System, Protocol = RFC, and the system
configuration.)
5. Select the above system mapping and add the function module name prefix SIAG.

For more information, see SAP BTP Connectivity.

10.3 Maintain Destinations for Cloud Connector

In the SAP BTP cockpit, maintain destinations for each target system to enable communication via the Cloud
Connector.

For on-premise systems, make sure to select the Proxy Type OnPremise.

For more information about using the destination service, see the following SAP Cloud Platform
documentation: Configure Destinations from the Cockpit

 Note

Only HTTP destinations are relevant for the destination service. For more information, see the following
documentation: Create HTTP Destinations

11 Additional Services for Access Request Service

The access request service integrates with additional SAP Cloud Platform services to utilize workflow
management, provisioning, and business logic. You must configure the following additional services to fully
utilize the access request service:

● SAP Cloud Platform Business Rule Management service to provide decision making and business logic
● SAP Cloud Platform Workflow service to enable the movement of access requests to owners, approvers,
etc. and through stages, such as creation, review, approval, etc.
● SAP Cloud Platform Identity Provisioning service (Identity Provisioning service) to provision access
requests to target systems

11.1 Setting Up SAP Cloud Platform Workflow Service

1. Required Roles for SAP Cloud Platform Workflow Service [page 45]
2. Delivered Workflow Templates (read only) [page 46]
The access request service includes three non-modifiable out-of-the-box workflow templates.
3. Setting Up Business Rules for Workflow [page 47]

11.1.1 Required Roles for SAP Cloud Platform Workflow Service

The SAP Cloud Platform Workflow service is delivered with three apps that enable you to maintain the
workflow.

To access and use the Workflow Definition and Workflow Instances apps, assign the following workflow
roles:

● WorkflowContextViewer (global role)
● WorkflowContextAdmin
● WorkflowViewer

To learn more about the required roles and additional available roles, see the SAP Cloud Platform Workflow
Service security guide.

Parent topic: Setting Up SAP Cloud Platform Workflow Service [page 45]

Next: Delivered Workflow Templates (read only) [page 46]

11.1.2 Delivered Workflow Templates (read only)

The access request service includes three non-modifiable out-of-the-box workflow templates.

 Note

The information herein is provided for your information only. The SAP operations team configures and
deploys the workflow and notification templates. Refer also to Prerequisites [page 47].

Delivered Workflow Templates

Workflow Template (path name)             Behavior
Manager - Role Owner - Security Owner     The access request goes to the following roles for approval before it is provisioned: manager, role owner, security owner.
Manager - Security Owner                  The access request goes to the following roles for approval before it is provisioned: manager, security owner.
Manager Only                              The access request goes only to the manager for approval before it is provisioned.

Email Notification Templates

The access request service delivers out-of-the-box notification emails. The notifications are sent for the
following events:

Notification to be Sent on Following Scenarios

● Notify Request Created
● Notify Approvers
● Notify Request Rejected
● Notify Provisioned

Parent topic: Setting Up SAP Cloud Platform Workflow Service [page 45]

Previous: Required Roles for SAP Cloud Platform Workflow Service [page 45]

Next: Setting Up Business Rules for Workflow [page 47]

11.1.3 Setting Up Business Rules for Workflow

The access request service integrates with SAP Cloud Platform Business Rules Service. You use the SAP Cloud
Platform Business Rules service to define the stages, path, and other workflow rules used by access request
service to move request items through the stages of an access request.

1. Prerequisites [page 47]
2. Introduction [page 48]
3. Process Overview [page 49]
4. Creating a Project [page 49]
5. Modeling Data Objects [page 50]
6. Modeling a Rule Service [page 53]
7. Modeling Rules [page 54]
8. Defining Rulesets [page 56]
9. Deploying a Rule Service [page 57]

Parent topic: Setting Up SAP Cloud Platform Workflow Service [page 45]

Previous: Delivered Workflow Templates (read only) [page 46]

11.1.3.1 Prerequisites

SAP Cloud Identity Access Governance offers pre-delivered business rules. To access these rules, create a
support ticket. To do so, select the component GRC-IAG.

If, however, you wish to create or edit your own objects, follow the steps described below:

Procedure

1. Log in to the SAP Identity Access Governance launchpad.
2. Open the Configuration app.
3. On the Configuration Type screen, navigate to Business Rule and choose Launch on the bottom right.
4. The Manage Projects screen is displayed as shown in the image below.

Parent topic: Setting Up Business Rules for Workflow [page 47]

Next: Introduction [page 48]

11.1.3.2 Introduction

SAP Cloud Identity Access Governance, access request service integrates with SAP Cloud Platform Workflow
Service and SAP Cloud Platform Business Rules Service.

You use the SAP Cloud Platform Business Rules service to define the path and other workflow rules used by
access request service to move request items through the stages of an access request.

No configuration is required for the workflow.

Parent topic: Setting Up Business Rules for Workflow [page 47]

Previous: Prerequisites [page 47]

Next: Process Overview [page 49]

11.1.3.2.1 Concepts

SAP Cloud Platform Business Rules uses the following concepts:

● Project: A container that holds business rule entities such as data objects, rules, rulesets, and rule
services.
● Data objects: They describe the data and serve as data carriers in the context or the result of an expression.
● Rule: The technical representation of a simple business rule to be applied to a particular business case.
It defines business logic that, once evaluated against live data, leads to a decision. A decision table is a
tabular representation of related rules.

● Ruleset: A collection of rules to be processed in a particular business case. It serves as an entry point for
rule processing, and links a rule service to a collection of rules.
● Rule service: An interface or end point that enables an application to invoke decision logic.

11.1.3.3 Process Overview

To model and deploy SAP Cloud Platform Business Rules:

1. Create a project.
2. Add data objects with attributes that represent your application context.
3. Model rule services to perform operations.
4. Model your business logic using business rules. Define the condition constraints and the results to be
returned for different business logic.
5. Configure the ruleset by grouping the related rules together and assigning them to a rule service.

Parent topic: Setting Up Business Rules for Workflow [page 47]

Previous: Introduction [page 48]

Next: Creating a Project [page 49]

11.1.3.4 Creating a Project

1. Go to the Business Rule Editor.
2. On the Manage Projects screen, add the project as follows.
Project Name: IAGWorkflowBusinessRule
Description: IAG Workflow Business Rule
3. Save.

For more information, see SAP Cloud Platform Business Rules - Creating Projects.

Parent topic: Setting Up Business Rules for Workflow [page 47]

Previous: Process Overview [page 49]

Next: Modeling Data Objects [page 50]

11.1.3.5 Modeling Data Objects

1. On the Manage Projects screen, select the IAGWorkflowBusinessRule project.
2. On the following screen, select the Data Objects tab and create data objects per the table below.

Data Objects

Name                Description          Type
Request             Request              Structure
RequestUser         Request User         Structure
RequestAccess       Request Access       Structure
WorkflowPath        Workflow Path        Structure
WorkflowApprover    Workflow Approver    Structure

 Note

For each data object, you must add attributes, associations, and mappings per the respective tables.

For instructions on how to navigate the screen, see SAP Cloud Platform Business Rules - Modeling Data Objects.

Parent topic: Setting Up Business Rules for Workflow [page 47]

Previous: Creating a Project [page 49]

Next: Modeling a Rule Service [page 53]

11.1.3.5.1 Data Object: Request

Type: Structure

Attributes

Name             Description       Business Data Type
createdBy        Created By        String
workflowstage    Workflow Stage    String
priority         Priority          String
requestNumber    Request Number    String
requestType      Request Type      String

Associations

Name               Description        Target Data Object    Association Mappings: Source Attribute    Association Mappings: Target Attribute
RequestedAccess    RequestedAccess    RequestAccess         requestNumber                             requestNumber
RequestedUser      RequestedUser      RequestUser           requestNumber                             requestNumber

Mappings

Target Runtime    Target Runtime Variant
Java              Cloud

11.1.3.5.2 Data Object: RequestUser

Type: Structure

For this data object, there are no Associations.

Attributes

Name             Description       Business Data Type
managerId        Manager ID        String
department       Department        String
requestNumber    Request Number    String
company          Company           String
position         Position          String
location         Location          String

Mappings

Target Runtime    Target Runtime Variant
Java              Cloud

11.1.3.5.3 Data Object: RequestAccess

Type: Structure

For this data object, there are no Associations.

Attributes

Name             Description       Business Data Type
accessType       Access Type       String
action           Action            String
system           System            String
requestNumber    Request Number    String

Mappings

Target Runtime    Target Runtime Variant
Java              Cloud

11.1.3.5.4 Data Object: WorkflowPath

Type: Structure

For this data object, there are no Associations.

Attributes

Name        Description    Business Data Type
PathName    Path Name      String

Mappings

Target Runtime    Target Runtime Variant
Java              Cloud

11.1.3.5.5 Data Object: WorkflowApprover

Type: Structure

For this data object, there are no Associations.

Attributes

Name          Description    Business Data Type
ApproverID    Approver ID    String

Mappings

Target Runtime    Target Runtime Variant
Java              Cloud

11.1.3.6 Modeling a Rule Service

1. On the Manage Projects screen, select the IAGWorkflowBusinessRule project.
2. On the following screen, select the Rule Services tab and create rule services per the table below.

Rule Services

Name                                 Description
WorkflowApprover                     Workflow Approver
IAGWorkflowAccessRequestInitiator    IAG Workflow Access Request Initiator

 Note

For each rule service, you must add Execution Contexts and Target Runtimes per the respective tables
below.

Rule Service: WorkflowApprover

Execution Context

Name                Usage
Request             Input
RequestUser         Input
WorkflowApprover    Result

Target Runtimes

Target Runtime    Target Runtime Variant
Java              Cloud

Rule Service: IAGWorkflowAccessRequestInitiator

Execution Context

Name             Usage
Request          Input
RequestUser      Input
RequestAccess    Input
WorkflowPath     Result

Target Runtimes

Target Runtime    Target Runtime Variant
Java              Cloud

For instructions on how to navigate the screen, see SAP Cloud Platform Business Rules - Modeling a Rule Service.

Parent topic: Setting Up Business Rules for Workflow [page 47]

Previous: Modeling Data Objects [page 50]

Next: Modeling Rules [page 54]

11.1.3.7 Modeling Rules

1. On the Manage Projects screen, select the IAGWorkflowBusinessRule project.
2. On the following screen, select the Rules tab and create rules per the table below.

Rules

Name                Description          Type              Hit Policy     Result Data Object
RequestTypeRule     Request Type Rule    Decision Table    First Match    WorkflowPath
WorkflowApprover    Workflow Approver    Decision Table    First Match    WorkflowApprover

3. Click Validate to check whether the rule modeled is valid.
4. To activate the rule, after saving, click Edit > Activate.

 Note

For each rule, you must add a Decision Table per the information in the topic: Decision Tables [page 56].

For more detailed instructions on how to create the decision tables and on the Rule Expression Language,
we recommend that you read SAP Cloud Platform Business Rules - Modeling Rules.

Parent topic: Setting Up Business Rules for Workflow [page 47]

Previous: Modeling a Rule Service [page 53]

Next: Defining Rulesets [page 56]

11.1.3.7.1 Configuring Workflow Templates

The access request service (beta) is delivered with the following workflow templates. You can use them to
choose which roles are required to approve an access request before it is provisioned.

To select the workflow used by the business rule service:

1. In your project, select the Rules tab, and edit the rule: RequestTypeRule.
2. For the decision table, change the PathName to one of the workflow templates.

Delivered Workflow Templates

Workflow Template (PathName)        Behavior
'mangerrolesecuritypath'            The access request goes to the following roles for approval before it is provisioned: manager, role owner, security owner.
'accessrequestmangersecuritywf'     The access request goes to the following roles for approval before it is provisioned: manager, security owner.
SECURITY'                           The access request goes only to the manager for approval before it is provisioned.

11.1.3.7.2 Decision Tables

For each rule, you must add a Decision Table per the respective tables below.

Rule: RequestTypeRule

Decision Table

If: requestType of the Request is equal to    Then: PathName
'CHANGE'                                       'mangerrolesecuritypath'

Rule: WorkflowApprover

Decision Table

If: workflowstage of the Request is equal to    Then: ApproverID
'MANAGER'                                        managerID of the RequestedUser of a Request
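The following Python is an added example, not SAP code, that models the IAGWorkflowBusinessRule project from the Modeling Data Objects, Modeling Rules and Decision Tables sections so that the two decision tables can be evaluated offline under the First Match hit policy. Data object, attribute, rule and ruleset names follow the guide (the approver result uses managerId as declared on RequestUser); the sample requests are constructed.

```python
"""Offline model of the IAGWorkflowBusinessRule project (added example, not SAP code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class RequestUser:            # Data Object: RequestUser (no associations)
    managerId: str = ""
    department: str = ""
    requestNumber: str = ""
    company: str = ""
    position: str = ""
    location: str = ""


@dataclass
class RequestAccess:          # Data Object: RequestAccess (no associations)
    accessType: str = ""
    action: str = ""
    system: str = ""
    requestNumber: str = ""


@dataclass
class Request:                # Data Object: Request, with its two associations
    createdBy: str = ""
    workflowstage: str = ""
    priority: str = ""
    requestNumber: str = ""
    requestType: str = ""
    RequestedUser: RequestUser = field(default_factory=RequestUser)
    RequestedAccess: RequestAccess = field(default_factory=RequestAccess)


# One decision table row: a condition on the Request and the result it yields.
Row = Tuple[Callable[[Request], bool], Callable[[Request], str]]


def first_match(rows: List[Row], request: Request) -> Optional[str]:
    """Hit policy 'First Match': the first row whose condition holds wins.

    None means no row matched, so the rule produces no result data object;
    a request type without a row therefore gets no workflow path.
    """
    for condition, result in rows:
        if condition(request):
            return result(request)
    return None


# Rule RequestTypeRule -> result data object WorkflowPath (PathName)
REQUEST_TYPE_RULE: List[Row] = [
    (lambda r: r.requestType == "CHANGE", lambda r: "mangerrolesecuritypath"),
]

# Rule WorkflowApprover -> result data object WorkflowApprover (ApproverID)
WORKFLOW_APPROVER_RULE: List[Row] = [
    (lambda r: r.workflowstage == "MANAGER", lambda r: r.RequestedUser.managerId),
]

# Rulesets link each rule service to its rule (names from the Rulesets table).
RULESETS: Dict[str, Tuple[str, List[Row]]] = {
    "IAGWorkflowAccessRequestInitiator": ("PathRulset", REQUEST_TYPE_RULE),
    "WorkflowApprover": ("ApproverRuleset", WORKFLOW_APPROVER_RULE),
}


def invoke_rule_service(name: str, request: Request) -> Optional[str]:
    """What an application does after deploying the rule service: call it by name."""
    _ruleset_name, rows = RULESETS[name]
    return first_match(rows, request)


def approval_path(request: Request) -> Optional[str]:
    return invoke_rule_service("IAGWorkflowAccessRequestInitiator", request)


def current_approver(request: Request) -> Optional[str]:
    return invoke_rule_service("WorkflowApprover", request)


if __name__ == "__main__":
    # Constructed sample: a CHANGE request sitting at the MANAGER stage.
    sample = Request(requestNumber="REQ-1", requestType="CHANGE", workflowstage="MANAGER",
                     RequestedUser=RequestUser(managerId="MGR001", requestNumber="REQ-1"))
    print("path:", approval_path(sample))          # mangerrolesecuritypath
    print("approver:", current_approver(sample))   # MGR001
```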

11.1.3.8 Defining Rulesets

1. On the Manage Projects screen, select the IAGWorkflowBusinessRule project.
2. On the following screen, select the Rulesets tab and create rulesets per the table below.

Rulesets

Name               Description          Rule Service                         Rule
ApproverRuleset    Approver Rule Set    WorkflowApprover                     WorkflowApprover
PathRulset         Path Rule Set        IAGWorkflowAccessRequestInitiator    RequestTypeRule

3. Click Validate to check whether the rule set is valid.
4. To activate the rule set, after saving, click Edit > Activate.

For instructions on navigating the screen and creating the rulesets, see SAP Cloud Platform Business Rules -
Defining Rulesets.

Parent topic: Setting Up Business Rules for Workflow [page 47]

Previous: Modeling Rules [page 54]

Next: Deploying a Rule Service [page 57]

11.1.3.9 Deploying a Rule Service

1. On the Manage Projects screen, select the IAGWorkflowBusinessRule project.
2. On the following screen, choose the Rule Service tab.
3. Select the following rule services and click Deploy.
○ WorkflowApprover
○ IAGWorkflowAccessRequestInitiator

For more information see, SAP Cloud Platform Business Rules - Deploying a Rule Service.

Parent topic: Setting Up Business Rules for Workflow [page 47]

Previous: Defining Rulesets [page 56]

12 Integration Scenarios

You can connect the SAP Cloud Identity Access Governance, access request service to the following cloud
products and on-premise systems.

● SAP SuccessFactors [page 63]
● HR Driven Identity Lifecycle Management [page 65]
● SAP ABAP (on-premise) [page 80]
● SAP Ariba [page 86]
● SAP Fieldglass [page 89]
● SAP S/4HANA Cloud [page 92]
● SAP S/4HANA (on-premise) [page 108]
● Microsoft Azure Platform [page 110]
● SAP Marketing Cloud [page 115]
● SAP Integrated Business Planning [page 122]
● SAP Analytics Cloud [page 130]
● SAP Business Technology Platform - Cloud Foundry [page 146]
● LDAP System [page 133]
● Identity Authentication [page 137]
● SAP Business Technology Platform - NEO [page 149]

12.1 Overview

The SAP Cloud Identity Access Governance solution offers multiple core services that help streamline identity
and access management. You can use individual services independently or combine them with others. With
this product, you can also integrate cloud applications that belong to SAP and its partners. In addition,
customers whose primary system is SAP Access Control 12.0 can use the Cloud Bridge scenario to access the
same services or applications in the cloud environment. This is a multi-tenant product built on top of SAP
Business Technology Platform (SAP BTP) and SAP’s proprietary HANA database.

SAP Cloud Identity Access Governance is available as a cloud bundle solution. It includes two other services,
Identity Provisioning and Identity Authentication, that are essential for successfully configuring the product.

Identity Authentication service

To manage access to applications belonging to SAP Cloud Identity Access Governance, it is important to
authenticate users. The Identity Authentication service simplifies access, as you can choose from various
authentication mechanisms, single sign-on, on-premise integration, and self-service options. For more details,
see What is Identity Authentication?

You also need this service when configuring the cloud scenario for your on-premise product - SAP Access
Control 12.0. Refer to IAG Bridge Cloud: SAP AC 12.0 (on-premise), SAP Cloud Identity Access Governance, and
Cloud Applications.

Identity Provisioning service

You use this service to provision users and groups for connecting various target cloud applications to SAP
Cloud Identity Access Governance.

For more information, see Connecting Identity Provisioning Tenant [page 60].

Cloud Connector

To connect to on-premise applications or ABAP systems, you require the Cloud Connector.

For more information, refer to Cloud Connector.

12.2 Connecting Identity Provisioning Tenant

The SAP Cloud Identity Access Governance solution integrates with other SAP services, such as SAP Cloud
Identity Services - Identity Provisioning. These services require users to have specific roles to use them.

Prerequisites

 Note

The steps apply only for Identity Provisioning tenants in the following two cases:

● You were provided with tenants for your license for SAP Cloud Identity Access Governance in Cloud
Foundry. Or
● The tenants were provisioned from another bundle, and upgraded for use with SAP Cloud Identity
Access Governance.

The steps do not work for Identity Provisioning tenants obtained from a former version of the SAP Cloud
Identity Access Governance solution in an SAP-managed SAP Cloud Platform Neo tenant. Such tenants are
not to be used with your license for SAP Cloud Identity Access Governance in Cloud Foundry.

You have the URL to log on to your Identity Provisioning launchpad. To connect SAP Cloud Identity Access
Governance to Identity Provisioning service, you need a URL for the ipsproxy API and an OAuth client.

The image below illustrates all the steps.

Authorize yourself to Create an OAuth Client in Identity Provisioning

Follow the steps listed below to build the URL:

1. Go to the Identity Provisioning launchpad and log on with your S-user.
2. Double-check that your user is an Admin by choosing any tile in your Identity Provisioning launchpad.
3. Double-check that you have the tile Proxy Systems available in the Identity Provisioning launchpad.
4. To access your tenant for Identity Provisioning in the SAP Business Technology Platform cockpit (SAP
BTP), refer to Manage Authorizations.

Creating an OAuth Client

The OAuth client acts as a technical user in Identity Provisioning that SAP Cloud Identity Access Governance
uses for connecting.

To create the OAuth client, do as follows:

1. Log on to the SAP BTP cockpit with your S-user.
For EU data center: https://account.hana.ondemand.com
For US data center: https://account.us2.hana.ondemand.com
2. Select the Global Account for Identity Provisioning. Usually, it is the only account that does not belong to
your organization.
3. Select the subaccount. You can only choose from a small number of accounts.
4. In the navigation menu on the left, choose OAuth.

5. Note down the Token Endpoint URL that is listed in the first tab Branding in the OAuth Settings.
6. To create the OAuth Client, refer to Hybrid Scenario - SAP Identity Management.
7. Note down the Client ID and the Secret.
8. Go to Subscriptions, choose ipsproxy from the dropdown list and copy the Application URL listed below the
table or at the bottom of the page.

Configuring a Connection from SAP Cloud Identity Access Governance to Identity Provisioning

Use the OAuth client to create an IPS_PROXY destination. See Create Destinations.

● For URL, use the Application URL mentioned in step 8 in the section Creating an OAuth Client. Remove
ipsproxy from the end and ensure that the slash (/) remains. The URL should look like
this: ...hana.ondemand.com/.
● As the credentials for Basic Authentication, use the Client ID and Secret from step 7 in the section
Creating an OAuth Client.
● For the OAuth2TokenServiceURL, take the Token Endpoint that you made a note of when creating the OAuth
client and add ?grant_type=client_credentials. See the table below.

Name                    IPS_PROXY
Type                    HTTP
Description             IPS Destination
URL                     https://ipsproxyXXXXXXXXX-<<YOUR_IPS_TENANT>>.<<DOMAIN>>.hana.ondemand.com/
Proxy Type              Internet
Authentication          BasicAuthentication
User                    <<CLIENT_ID>>
Password                <<SECRET>>
Accept                  application/scim+json
OAuth2TokenServiceURL   https://oauthasservices-<<YOUR_IPS_TENANT>>.<<DOMAIN>>.hana.ondemand.com/oauth2/api/v1/token?grant_type=client_credentials
GROUPSURL               /Groups
serviceURL              /ipsproxy/api/v1/scim/
USERSURL                /Users
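The two hand edits above (stripping ipsproxy from the Application URL while keeping the slash, and appending the grant type to the Token Endpoint) are easy to get wrong. The following Python script is an added example, not SAP code: it derives the IPS_PROXY property set from those inputs and flags the usual typing mistakes; the tenant, domain and credential values in it are constructed placeholders.

```python
"""Derive and sanity-check the IPS_PROXY destination from the values collected
in steps 5-8 above. Added example, not SAP code; tenant, domain and credential
values used with it are constructed placeholders."""
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Every property the table above expects on the destination.
REQUIRED_PROPERTIES = (
    "Name", "Type", "Description", "URL", "Proxy Type", "Authentication",
    "User", "Password", "Accept", "OAuth2TokenServiceURL",
    "GROUPSURL", "serviceURL", "USERSURL",
)


def base_url_from_application_url(app_url: str) -> str:
    """Step 8: take the ipsproxy Application URL, drop the trailing 'ipsproxy'
    path segment and make sure the URL still ends with a slash."""
    parts = urlsplit(app_url.strip())
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"not an https URL: {app_url!r}")
    path = parts.path.rstrip("/")
    if path.endswith("/ipsproxy"):
        path = path[: -len("ipsproxy")]
    if not path.endswith("/"):
        path += "/"
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def token_service_url(token_endpoint: str) -> str:
    """Step 5: append ?grant_type=client_credentials to the Token Endpoint,
    refusing an endpoint that already carries a different grant type."""
    parts = urlsplit(token_endpoint.strip())
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"not an https URL: {token_endpoint!r}")
    existing = parse_qs(parts.query).get("grant_type", ["client_credentials"])
    if existing != ["client_credentials"]:
        raise ValueError(f"unexpected grant_type {existing[0]!r} in token endpoint")
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       "grant_type=client_credentials", ""))


def build_ips_proxy_destination(app_url: str, token_endpoint: str,
                                client_id: str, client_secret: str) -> dict:
    """Assemble the property set shown in the table above."""
    return {
        "Name": "IPS_PROXY",
        "Type": "HTTP",
        "Description": "IPS Destination",
        "URL": base_url_from_application_url(app_url),
        "Proxy Type": "Internet",
        "Authentication": "BasicAuthentication",
        "User": client_id,
        "Password": client_secret,
        "Accept": "application/scim+json",
        "OAuth2TokenServiceURL": token_service_url(token_endpoint),
        "GROUPSURL": "/Groups",
        "serviceURL": "/ipsproxy/api/v1/scim/",
        "USERSURL": "/Users",
    }


def find_destination_problems(dest: dict) -> list:
    """Return the mistakes most often made when typing the destination by hand."""
    problems = []
    for key in REQUIRED_PROPERTIES:
        if not str(dest.get(key, "")).strip():
            problems.append(f"missing property {key}")
    url = dest.get("URL", "")
    if url and not url.endswith("/"):
        problems.append("URL must keep the trailing slash")
    if urlsplit(url).path.rstrip("/").endswith("ipsproxy"):
        problems.append("URL must not end with ipsproxy; serviceURL carries that path")
    if "grant_type=client_credentials" not in dest.get("OAuth2TokenServiceURL", ""):
        problems.append("OAuth2TokenServiceURL lacks ?grant_type=client_credentials")
    if dest.get("Accept") != "application/scim+json":
        problems.append("Accept must be application/scim+json")
    if dest.get("Proxy Type") != "Internet":
        problems.append("Proxy Type must be Internet")
    if dest.get("Authentication") != "BasicAuthentication":
        problems.append("Authentication must be BasicAuthentication")
    return problems
```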

12.3 SAP SuccessFactors

You can configure integration for SAP SuccessFactors with the SAP Cloud Identity Access Governance solution and
its services (Access Request, Access Analysis, and Role Design). This enables users to create access requests,
design business roles, and analyze access risks for on-premise and cloud applications and systems.

12.3.1 Create Destinations

Log into the SAP BTP cockpit and navigate to your tenant. In the left-hand pane, click Connectivity >
Destinations.

Create the following destinations.

Connection to SuccessFactors Source System [SuccessFactorsEC]

This destination describes the SAP SuccessFactors system where the HR user information is stored, which is
the source system.

Note

If you are using this as a source system, you must enter the destination names exactly as described.
Otherwise, you can enter any desired name.

SuccessFactorsEC

Enter the following:

Parameter                      Value

Name*                          SuccessFactorsEC
Type                           HTTP
Description                    <Any Description>
URL*                           Enter the URL for the SuccessFactors system API Service, for example,
                               https://12preview.sapsf.eu/. See SAP Note 2215682.
Proxy Type                     Internet
Authentication                 BasicAuthentication
User*                          Enter the authenticated user for the SuccessFactors system followed by the
                               Company ID, such as <UserID@CompanyID>
APIKey                         To obtain these property values, refer to Manage OAuth2 Client Applications in
X509Certificate                the SuccessFactors Admin Center.
Password                       <Password of the User>
Use default JDK truststore     checkbox is checked

For information on how to use the destination service, see: Configure Destinations from the Cockpit

Note

Only HTTP destinations are relevant for the destination service. For information on creating HTTP
connections, see: Create HTTP Destinations

12.3.2 Add SuccessFactors System

Create an instance for SAP SuccessFactors in the Systems app.

1. Log into the SAP Cloud Identity Access Governance launchpad and open the Systems app.
2. Create a system for SAP SuccessFactors. For System Type, select SAP SuccessFactors.
3. In the HCP Destination field, enter the name of the SAP BTP destination for SAP SuccessFactors.
4. Save.

12.3.3 Sync User Data and Provision Access Requests

In the access request service launchpad, open the Job Scheduler app, and run the following jobs:

● Repository Sync to synchronize the user data from the SAP SuccessFactors tenant.
In the System Type field, select SAP SuccessFactors.
● Provisioning to provision the user and group assignments from the SAP SuccessFactors tenant.

12.4 HR Driven Identity Lifecycle Management

You can integrate the SAP Cloud Identity Access Governance solution with your HR systems. This enables
changes in employee status (HR triggers) in the HR system to initiate access requests. The access request
service converts the HR triggers to change requests, which are then provisioned to target applications. The
illustration below shows a high level process flow with SAP SuccessFactors as the HR system.

12.4.1 Process Overview

There are three overall steps to enable HR trigger integration between SAP SuccessFactors and the SAP Cloud
Identity Access Governance solution and its services:

1. In the SAP Business Technology Platform (SAP BTP), set up one destination to connect to the SAP
SuccessFactors tenant.
2. Use the SAP Business Rules Service to define the rules for converting user changes from SAP
SuccessFactors to access requests.
3. In the Job Scheduler, run the HR Trigger job and the job that syncs user data for SAP SuccessFactors.

12.4.2 Prerequisites

You have the following:

● An administrator account for your tenant on SAP BTP (Identity Authentication)
● An authenticated user for the SAP SuccessFactors system for the Company ID
● The SAP SuccessFactors API EmpJob must have the userNav/personKeyNav/userAccountNav/user
data model relation enabled.
● Enter the authenticated user (technical user) for the SAP SuccessFactors system followed by the Company ID,
such as <UserID@CompanyID>. Refer to SAP Note 2937881.
● An administrator account for the target applications, for example, SAP S/4HANA Cloud
● An administrator account for Identity Provisioning
● For user authentication in SAP S/4HANA CE target applications, user replication to Identity Authentication
must be taken into account.

For configuring related events in SAP SuccessFactors Employee Central such as the ones listed below, refer to
the corresponding links:

Concurrent Employment:

New Hire, Concurrent Hire, Job Change, Termination, Retirement, Rehire. For more information, see:
Configuring Events

Global Assignment:

● Home Assignment: Away from global assignment, Back from global assignment
● Global Assignment: Add global assignment, End global assignment, Obsolete global assignment
For more information, see: Creating Event Reasons for Global Assignments

Contingent Worker:

Start contingent worker, End contingent worker. For more information, see: Configuring ECWK and SCWK for
Contingent Workers

12.4.3 Set Up Destinations

Note

You must enter the destination names exactly as described. If you have already created a destination, then
you do not require a new one. If not, then you must create a destination and use the name specified below.

Connection to SuccessFactors Source System [SuccessFactorsEC]

This destination describes the SAP SuccessFactors system where the HR user information is stored, which is
the source system.

1. In the SAP BTP tenant for SAP Cloud Identity Access Governance, go to the Subaccounts dropdown menu
and choose your subaccount.
2. Choose Connectivity > Destinations.
3. Choose New Destination and add the parameters and values given below.

Parameter        Value

Name             SuccessFactorsEC
Type             HTTP
Description      (Optional) Enter a meaningful description.
URL              Enter the URL for the SuccessFactors system API Service, such as <https://apisuccessfactors.com/>.
                 For more information, see SAP Note 2215682 and the SAP SuccessFactors HXM Suite OData API:
                 Reference Guide.
Proxy Type       Internet
Authentication   BasicAuthentication
User             Enter the authenticated user (technical user) for the SuccessFactors system followed by the
                 Company ID, such as <UserID@CompanyID>
Password         Enter the password of the authenticated user

4. Select the Use default JDK truststore checkbox.
5. Save your entries.

12.4.4 Add SAP SuccessFactors System

Log into the launchpad for SAP Cloud Identity Access Governance and create an instance for SAP
SuccessFactors in the Systems app.

Note

You can ignore these steps if you have already created this instance.

1. Log into the launchpad and open the Systems app.
2. Enter the Name and Description, and for System Type, select SAP SuccessFactors.
3. In the SCP Destination field, enter the name of the SuccessFactors Source System defined in the SAP
BTP tenant Destination, for example, SuccessFactorsEC.
4. Save.

12.4.5 Set Up Business Rules

SAP Cloud Identity Access Governance offers pre-delivered business rules. To access these rules, create a
support ticket. To do so, select the component GRC-IAG.

If, however, you wish to create or edit your own objects, follow the steps described below:

Procedure

1. Log in to the SAP Cloud Identity Access Governance launchpad.
2. Open the Configuration app.
3. On the Configuration Type screen, navigate to Business Rule and choose Launch on the bottom right.
4. The Manage Projects screen is displayed as shown in the image below.

1. Process Overview [page 68]
2. Edit a Project [page 69]
3. Create Data Objects [page 70]
4. Create a Rule Service [page 73]
5. Create Rules [page 73]
6. Deploy the Rule Service [page 78]

12.4.5.1 Process Overview

To model and deploy SAP Cloud Platform Business Rules:

1. Create a project.
2. Add data objects with attributes that represent your application context.
3. Model rule services to perform operations.
4. Model your business logic using business rules. Define the condition constraints and the results to be
returned for different business logic.
5. Configure the ruleset by grouping the related rules together and assigning them to a rule service.

Parent topic: Set Up Business Rules [page 68]

Next: Edit a Project [page 69]

12.4.5.2 Edit a Project

Maintain a project with the name IAGSFHRFieldChanges only if you wish to make any changes. The project is
the overall container for the related business rules and objects.

Note

Make sure the name is exact.

Activate the project.

Parent topic: Set Up Business Rules [page 68]

Previous: Process Overview [page 68]

Next: Create Data Objects [page 70]

12.4.5.3 Create Data Objects

Data objects define the input and output structures for the rule.

In the IAGSFHRFieldChanges project, go to the Data Objects tab, and create the following data objects:

● UserHRFields for the input fields. This is the data coming from SuccessFactors.
● Access for the output fields. This is the data for the access requests.

Note

You define the data objects as input or output in the Create Rule Service [page 73] step. Data objects and
attributes are case-sensitive.

Create them as type Structure and set them as Active.

Add Attributes for UserHRFields Data Object

Open the UserHRFields data object and add attributes for the data coming from SuccessFactors.

List of Attributes for UserHRFields Data Object

Name           Description     Business Data Type

userId         User ID         String
businessUnit   Business Unit   String
company        Company         String
department     Department      String
division       Division        String
jobCode        Job code        String
position       Position        String
status         Status          String
event          Event           String
startDate      Start Date      String
endDate        End Date        String
location       Location        String
costCenter     Cost Center     String
managerId      Manager ID      String

Add Attributes for Access Data Object

Open the Access data object and add attributes for the data to be used in creating access requests.

List of Attributes for Access Data Object

Name Description Business Data Type

system Application system String

name Access name String

type Type String

Parent topic: Set Up Business Rules [page 68]

Previous: Edit a Project [page 69]

Next: Create a Rule Service [page 73]

12.4.5.4 Create a Rule Service

1. From the IAGSFHRFieldChanges project, click Rule Service, and create the IAGRequestAccessData rule
service.
2. Under the Vocabulary section, add two vocabulary objects. From the dropdown, select the data objects you
defined earlier, and select the Usage.
For the UserHRFields data object, select Input usage.
For the Access data object, select Result usage.

Parent topic: Set Up Business Rules [page 68]

Previous: Create Data Objects [page 70]

Next: Create Rules [page 73]

12.4.5.5 Create Rules

In Rules, you create a decision table based on input and the desired results. You can create multiple rules, as
suits your needs.

1. From the IAGSFHRFieldChanges project, click Rules, and then create a new rule.
2. Make sure for Type, you select Decision Table, and for Mode you select Advanced.
3. Click Create. The New Rule screen is displayed. At the bottom of the screen click Start building the table in
Settings to start building your decision table.

Building the Decision Table

The decision table is the core of the access request rule. Here you define the conditions and results that take
the user change information from SuccessFactors and convert them into access requests and provisioning
actions.

This is an explanation of how the information on the Decision Table Settings screen relates to the decision table
itself.

● The Condition Expressions are the "If" columns in the decision table. You can enter multiple condition
expressions. They appear as rows.

Note

You cannot enter values for the conditions in the Decision Table Settings screen; you can enter values in
the next step in the decision table itself.

● The Result settings are the "Then" columns in the decision table.

Note

You can enter values for results in the Decision Table Settings screen. You can also edit them in the
decision table itself.

1. In the Decision Table Settings, configure the conditions to determine the data to pull in.
   ○ Hit Policy sets the parameters the rule uses when matching results from the conditions.
   ○ Condition Expressions is where you define the input data relevant for the request. The attributes in the
   dropdown list are pulled from the UserHRFields data object.
   ○ Result is where you define output values. Click the dropdown list and select the Access data object. You
   can use the following Access Types:
     ○ TR - Technical Role
     ○ BR - Business Role
     ○ CR - Composite Role
     ○ GP - Group
     ○ SYS - Application

Note

The Default Value fields are optional and can be left blank.

2. Click Apply. The New Rule screen and the new decision table are displayed.
3. To define the values for the decision table, click Add Row.

In the If column, enter the values for the conditions.

Note

These values must match the values from the SuccessFactors tenant, such as ACE_US.

The graphic is an example illustrating that for businessUnit ACE_US, create a request for System123.

Note

Ensure the data and fields match the data and fields in the SuccessFactors tenant.

4. Click Save and Activate.

Set Up Rulesets

The final step for setting up a rule is to configure and activate the ruleset. Rulesets enable you to group multiple
rules in one collection. Even if you have only one rule, you still need to add it to a ruleset and activate it.

1. On the IAGSFHRFieldChanges project page, click Rulesets, and then click the plus sign to add a new
ruleset.
2. On the New Ruleset screen, click the Rule Service dropdown list, and select IAGRequestAccessData.
3. In the Rules section, click the plus sign to select from the rules you defined.
4. Save and activate the ruleset.
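To make the decision table and ruleset mechanics concrete, here is an added Python model (not the SAP Business Rules engine) that evaluates rows of UserHRFields conditions into Access results, applies a hit policy, groups rules into a ruleset and validates a table before activation. The hit policy names First Match and All Match, the ruleset behaviour of running every rule, the equality-only condition matching, and all rule rows and tenant values are assumptions or constructed samples.

```python
"""Toy model of the HR-trigger decision table described above.
Added example, not the SAP Business Rules engine; hit policy names, ruleset
behaviour and all sample rows/values are assumptions or constructed data."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# The result attribute "type" must be one of the Access Types listed in the text.
ACCESS_TYPES = {"TR", "BR", "CR", "GP", "SYS"}
# Attributes of the UserHRFields (input) data object.
USER_HR_FIELDS = {
    "userId", "businessUnit", "company", "department", "division", "jobCode",
    "position", "status", "event", "startDate", "endDate", "location",
    "costCenter", "managerId",
}


@dataclass(frozen=True)
class Access:
    """The Access (result) data object: one access to request."""
    system: str
    name: str
    type: str


@dataclass
class Row:
    """One decision-table row: "If" cells keyed by UserHRFields attribute
    (an attribute that is absent matches any value) and one "Then" result.
    Simplification: conditions are plain equality checks."""
    conditions: Dict[str, str]
    result: Access

    def matches(self, user: Dict[str, str]) -> bool:
        return all(user.get(attr) == value for attr, value in self.conditions.items())


@dataclass
class DecisionTable:
    name: str
    hit_policy: str                       # assumed names: "First Match" / "All Match"
    rows: List[Row] = field(default_factory=list)

    def evaluate(self, user: Dict[str, str]) -> List[Access]:
        hits = [row.result for row in self.rows if row.matches(user)]
        if self.hit_policy == "First Match":
            return hits[:1]
        if self.hit_policy == "All Match":
            return hits
        raise ValueError(f"unknown hit policy {self.hit_policy!r}")


@dataclass
class Ruleset:
    """Rules grouped under one rule service (IAGRequestAccessData).
    Assumption: every rule runs and the distinct results are collected in order."""
    rules: List[DecisionTable]

    def run(self, user: Dict[str, str]) -> List[Access]:
        seen: Set[Access] = set()
        out: List[Access] = []
        for rule in self.rules:
            for access in rule.evaluate(user):
                if access not in seen:
                    seen.add(access)
                    out.append(access)
        return out


def validate_table(table: DecisionTable, tenant_values: Dict[str, Set[str]]) -> List[str]:
    """Checks worth running before Save and Activate: every condition attribute
    exists in UserHRFields, every condition value exists in the SuccessFactors
    tenant (for attributes whose values are known), and every result type is valid."""
    problems: List[str] = []
    for i, row in enumerate(table.rows, start=1):
        for attr, value in row.conditions.items():
            if attr not in USER_HR_FIELDS:
                problems.append(f"{table.name} row {i}: {attr} is not a UserHRFields attribute")
            elif attr in tenant_values and value not in tenant_values[attr]:
                problems.append(f"{table.name} row {i}: {attr}={value!r} does not exist in the tenant")
        if row.result.type not in ACCESS_TYPES:
            problems.append(f"{table.name} row {i}: invalid Access type {row.result.type!r}")
    return problems


# Constructed sample data: the text's "businessUnit ACE_US -> request for System123"
# row, plus a second rule keyed on the HR event. Access names and types are made up.
TENANT_VALUES = {"businessUnit": {"ACE_US", "ACE_DE"}, "event": {"HIRE", "TERM"}}
BY_BUSINESS_UNIT = DecisionTable("AccessByBusinessUnit", "First Match", [
    Row({"businessUnit": "ACE_US"}, Access("System123", "SALES_CLERK", "BR")),
    Row({"businessUnit": "ACE_DE"}, Access("System123", "SALES_CLERK_DE", "BR")),
])
BY_EVENT = DecisionTable("AccessByEvent", "All Match", [
    Row({"event": "HIRE"}, Access("IAS", "Employees", "GP")),
    Row({"event": "HIRE", "department": "FIN"}, Access("System123", "FI_DISPLAY", "TR")),
])
RULESET = Ruleset([BY_BUSINESS_UNIT, BY_EVENT])

if __name__ == "__main__":
    hire = {"userId": "100042", "businessUnit": "ACE_US", "event": "HIRE", "department": "FIN"}
    for access in RULESET.run(hire):
        print(access)
```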

Parent topic: Set Up Business Rules [page 68]

Previous: Create a Rule Service [page 73]

Next: Deploy the Rule Service [page 78]

12.4.5.6 Deploy the Rule Service

1. From the IAGSFHRFieldChanges project, click Rule Service.
2. Select the IAGRequestAccessData rule service and click Deploy.

For more information, see SAP Cloud Platform Business Rules - Deploying a Rule Service.

Parent topic: Set Up Business Rules [page 68]

Previous: Create Rules [page 73]

12.4.6 Synchronize Data Repository and Trigger Access Requests

Log into the SAP Cloud Identity Access Governance launchpad, open the Job Scheduler app, and run the
following jobs:

● Repository Sync to synchronize the user data, permission roles and permission groups from the SAP
SuccessFactors system.
1. In the Job Name field, enter Job Name.
2. In the Job Category field, select Repository Sync.
3. In the Recurring Job field, select No.
4. In the Start Immediately field, select Yes.
5. In the System Type field, select SAP SuccessFactors.
6. In the System field, select System.
7. Choose Schedule Job. The job status and log can be checked in the Job History app.

Note

To schedule a Recurring Job for both the Repository Sync and HR Triggers, refer to SAP Note
2859618 for recommendations on the frequency of the jobs.

● HR Trigger to create access requests based on changes to employee records in the source system since its
last run, and then provision them to the target systems.
1. In the Job Name field, enter Job Name.
2. In the Job Category field, select HR Triggers.
3. In the Recurring Job field, select No.
4. In the Start Immediately field, select Yes.
5. Choose Schedule Job. The job status and log can be checked in the Job History app.

When an employee in SAP SuccessFactors is terminated or retired, the HR Triggers in SAP Cloud Identity Access
Governance capture the event to deprovision the roles and users in the corresponding systems. HR Triggers are
repeatedly executed to capture the event.

12.5 SAP ABAP (on-premise)

The information in this section covers the scenario of the SAP Cloud Identity Access Governance solution and
its services connecting to SAP ABAP (on-premise) applications. The following graphic illustrates the solution
fetching data from SAP ABAP target applications that reside behind a firewall, and using Identity
Authentication for user authentication.

The information in this section describes the procedure for connecting SAP ABAP (on-premise) applications to
the access request service. Connecting to the access request service enables SAP ABAP (on-premise)
users to use self-service access requests, auto-provisioning, and auditable workflows. The graphic below
illustrates this integration.

12.5.1 Prerequisites and Technical Requirements

This document assumes the following prerequisites have been completed:

● You have upgraded the target system to one of the supported NetWeaver versions and support packs.
● You have created the required RFC user.
● Your SAP Business Technology Platform (SAP BTP) and Identity Authentication tenant accounts have been
created by SAP, and you have received the respective tenant account information and activation
notification.

12.5.1.1 Required NetWeaver Basis Support Packs

You must have upgraded the target system to one of the supported NetWeaver versions and support packs.

The IAG Services Data Extractor API is included in the following NetWeaver versions and support packs.

NetWeaver Version   Support Pack

NW 700              SP34
NW 701              SP19
NW 702              SP19
NW 710              SP21
NW 711              SP16
NW 730              SP16
NW 731              SP19
NW 740              SP16
NW 750              SP04
NW 751              SP02

12.5.1.2 Required RFC User for SAP Cloud Identity Access Governance Services on Target System

An RFC user is needed in the target SAP system to allow communication with SAP Cloud Identity Access
Governance services using the SAP Business Technology Platform.

Create an RFC user with the authorization objects and values listed in the table below.

RFC Authorization Objects

Object       Description                                       Authorization Field   Value

S_RFC        Authorization check for RFC Access                ACTVT                 16
                                                               RFC_NAME              SIAG, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX,
                                                                                     SUSR, SUUS, SU_USER, SYST, SYSU
                                                               RFC_TYPE              FUGR
S_TCODE      Authorization check at transaction start          TCD                   SU01
S_TABU_DIS   Table maintenance                                 ACTVT                 3
                                                               DICBERCLS             &NC&, SC, SS, ZV&G, ZV&H, ZV&N
S_TOOLS_EX   Tools Performance Monitor                         AUTH                  S_TOOLS_EX_A
S_GUI        Authorization for GUI activities                  ACTVT                 S_GUI
S_USER_AGR   Authorizations: role check                        ACTVT                 *
                                                               ACT_GROUP             *
S_USER_AUT   User Master Maintenance: Authorizations           ACTVT                 *
                                                               AUTH                  *
                                                               OBJECT                *
S_USER_GRP   User Master Maintenance: User Group               ACTVT                 *
                                                               CLASS                 *
S_USER_PRO   User Master Maintenance: Authorization Profile    ACTVT                 *
                                                               PROFILE               *
S_USER_SAS   User Master Maintenance: System-Specific          ACTVT                 01, 06, 22
             Assignments                                       ACT_GROUP             *
                                                               CLASS                 *
                                                               PROFILE               *
                                                               SUBSYSTEM             *
S_USER_SYS   User Master Maintenance: System for Central       ACTVT                 78
             User Maintenance                                  SUBSYSTEM             *
S_USER_TCD   Authorizations: transactions in roles             TCD                   *
S_USER_VAL   Authorizations: field values in roles             AUTH_FIELD            *
                                                               AUTH_VALUE            *
                                                               OBJECT                *
S_DEVELOP    ABAP Workbench                                    ACTVT                 *
                                                               DEVCLASS              SUSO
                                                               OBJNAME               SIAG*
                                                               OBJTYPE               FUGR
                                                               OBJTYPE               *

12.5.2 Maintaining Cloud Connector for On-Premise Scenario

SAP Cloud Connector serves as the link between on-demand applications in SAP Business Technology
Platform (SAP BTP) and existing on-premise systems.

The Cloud Connector runs as an on-premise agent in a secured network and acts as a reverse invoke proxy
between the on-premise network and SAP BTP.

For more information, see Cloud Connector.

1. Install Cloud Connector [page 84]
2. Maintain Cloud Connector [page 85]
3. Maintain Destinations for Cloud Connector [page 85]

12.5.2.1 Install Cloud Connector

To Install the cloud connector, view the help documentation for SAP BTP Cloud Connectivity, and follow the
instructions for the scenario:

Connecting Cloud Application to On-Premise Systems.

Parent topic: Maintaining Cloud Connector for On-Premise Scenario [page 84]

Next: Maintain Cloud Connector [page 85]

12.5.2.2 Maintain Cloud Connector

Prerequisite: You have already activated your user (Pxxxx) in SAP Cloud Identity Access Governance and have
administrator access to this account.

Example of an Admin IAS URL: https://<CompanyName>.accounts.ondemand.com/admin/

Note

For the following, maintain one Cloud Connector for each target system.

1. Log in to your Cloud Connector and create a new account.
   Go to Account Dashboard and choose Add Account.
2. Enter the following details and save the data:
   ○ Landscape Host: us2.hana.ondemand.com if your cloud tenant is hosted in the US data center, or
   eu1.hana.ondemand.com if it is hosted in the Europe data center
   ○ Account Name: <HCP account name>
   ○ Display Name: <Company Name>
   ○ Account User: <P USER ID activated in IAS>
   ○ Password: <Password created for P USER ID in IAS>
3. Select the created Account and choose Access Control.
4. Add a system mapping for each on-premise target system.
   (For an SAP ERP system, enter Back-end Type = ABAP System, Protocol = RFC and the system
   configuration.)
5. Select the system mapping created above and add the function module name SIAG as a prefix.

For more information, see SAP BTP Connectivity.

Parent topic: Maintaining Cloud Connector for On-Premise Scenario [page 84]

Previous: Install Cloud Connector [page 84]

Next: Maintain Destinations for Cloud Connector [page 85]

12.5.2.3 Maintain Destinations for Cloud Connector

In the SAP BTP cockpit, maintain destinations for each target system to enable communication via the Cloud
Connector.

For on-premise systems, make sure to select the Proxy Type OnPremise.

For more information about using the destination service, see the following SAP Cloud Platform
documentation: Configure Destinations from the Cockpit

Note

Only HTTP destinations are relevant for the destination service. For more information, see the following
documentation: Create HTTP Destinations

Parent topic: Maintaining Cloud Connector for On-Premise Scenario [page 84]

Previous: Maintain Cloud Connector [page 85]

12.5.3 Sync User Data and Provision Access Requests

You must schedule a job to initiate the provisioning process.

1. Log into the SAP Cloud Identity Access Governance launchpad and open the Job Scheduler app.
2. Select the job category Provisioning, fill in the required attributes, and click Schedule Job.

12.6 SAP Ariba

The information in this section describes the procedure for connecting SAP Ariba to the SAP Cloud Identity
Access Governance solution and its services. SAP Cloud Identity Access Governance is a cloud-based solution
for creating self-service access requests for on-premise and cloud applications and systems. Connecting
SAP Ariba to the solution enables SAP Ariba users to initiate access requests, which are then provisioned to
target applications.

Prerequisites

Ensure you have completed enablement and configuration for the SAP Cloud Identity Access Governance
solution.

Note

The integration of SAP Cloud Identity Access Governance and SAP Ariba solutions is based on the Master
Data Native Interface (MDNI). This integration is currently available for SAP Ariba Buying and SAP Ariba
Strategic Sourcing applications. Support for other SAP Ariba solutions is possible; this depends, however,
on the synchronization options between the respective SAP Ariba solution and SAP Ariba Buying and SAP
Ariba Sourcing applications. Refer to the SAP Ariba documentation to determine if such options exist for
your scenario.

12.6.1 Process Overview

There are three overall steps to enable integration between SAP Ariba solutions and the SAP Cloud Identity
Access Governance solution and its service:

1. In the SAP Business Technology Platform (SAP BTP), set up a destination for the SAP Ariba solution.
2. In the access request service, use the Systems app to create an instance for the SAP Ariba solution.

3. In the access request service, use the Job Scheduler app to sync user data and provision access requests.

12.6.2 Create Destinations

In SAP BTP, create destinations for your SAP Ariba instance.

1. Log into the SAP BTP cockpit, and go to your tenant.
2. In the left-hand pane, choose Connectivity > Destinations, and then choose New Destination.
3. Create a destination for the SAP Ariba instance, and add the properties listed in the table below.

Note

You may need to manually add the property field if it is not automatically displayed.

Caution

It is very important to enter the text strings exactly as specified below. We recommend copying and
pasting them.

Name*               ARIBA_DEST
Type                HTTP
Description         Ariba Sync
URL*                Enter the URL of the SAP Ariba instance.
                    For EU: https://eu.mu.ariba.com
                    For US: https://mu.ariba.com
Proxy Type          Internet
Authentication      BasicAuthentication
User                User ID that accesses the MDNI service in SAP Ariba (obtain this from SAP Ariba by
                    creating a service request)
Password            Password for the user
apiKey              Generated API key (Master Data Integration Job Status API for Operational Procurement)
fetchGroups         /mdni/erpintegration/api/fetchGroups
fetchUsers          /mdni/erpintegration/api/fetchUsers
objectName          User
serviceURL          https://<Ariba Open API service url>/api/mds-integration-job/v1/prod/integrationJobs?
                    For EU: eu.openapi.ariba.com
                    For US: openapi.ariba.com
tenantId            AN-Id provided as part of the Ariba system
uploadXMLUserData   /mdni/erpintegration/api/uploadXMLData

4. Make sure Use default JDK truststore is checked.

12.6.3 Add Ariba Instance to Access Request Systems

Create an instance for SAP Ariba in the Systems app.

1. Log into the SAP Cloud Identity Access Governance launchpad and open the Systems app.
2. Create a system for SAP Ariba. For System Type, select SAP Ariba.
3. In the HCP Destination field, enter the name of the SAP BTP destination for SAP Ariba.
4. Save.

12.6.4 Sync User Data and Provision Access Requests

In the access request service launchpad, open the Job Scheduler app. In the Job Category dropdown, schedule
the following jobs:

● Repository Sync to synchronize the relevant data from SAP Ariba to the access request service.
In the System dropdown, select SAP Ariba.
● Provisioning to initiate the provisioning of access requests.

12.7 SAP Fieldglass

The information in this section describes the procedure for connecting SAP Fieldglass to the SAP Cloud
Identity Access Governance solution and its services. SAP Cloud Identity Access Governance is a cloud-based
solution for creating self-service access requests for on-premise and cloud applications and systems.
Connecting SAP Fieldglass to the solution enables SAP Fieldglass users to initiate access requests, which are
then provisioned to target applications. This leverages out-of-box authorizations and risk modeling to analyze
SAP Fieldglass access requests.

Note

You can assign one role per user.

Prerequisites

Ensure you have completed enablement and configuration for the SAP Cloud Identity Access Governance
solution.

12.7.1 Process Overview

There are three overall steps to enable integration between SAP Fieldglass and the SAP Cloud Identity Access
Governance solution and its services:

1. In the SAP Business Technology Platform (SAP BTP), set up a destination for the SAP Fieldglass solution.
2. In the access request service, use the Systems app to create an instance for the SAP Fieldglass solution.
3. In the access request service, use the Job Scheduler app to sync user data and provision access requests.

12.7.2 Create Destinations

In SAP BTP, create destinations for your SAP Fieldglass instance.

1. Log into the SAP BTP cockpit, and go to your tenant.
2. In the left-hand pane, choose Connectivity > Destinations, and then choose New Destination.
3. Create a destination for the SAP Fieldglass instance, using the following values.

Caution

It is very important to enter the text strings exactly as specified below. We recommend copying and
pasting them.

Name*              FieldGlassDest
Type               HTTP
Description        Field Glass Destination
URL*               Enter the URL of the SAP Fieldglass instance
Proxy Type         Internet
Authentication     BasicAuthentication
User               Name of the user SAP BTP uses to access the SAP Fieldglass instance.
Password           Password for the user
accessToken        /api/oauth2/v2.0/token?grant_type=client_credentials&response_type=token
apiUser            /api/vc/connector/apiUser
getRole            /api/vc/connector/Standard User Role Download
getRoleDetail      /api/vc/connector/Standard User Role Detail Download?__p1=
getUser            /api/vc/connector/User Download
x-ApplicationKey   Enter the application key from the SAP Fieldglass instance.

4. Make sure Use default JDK truststore is checked.

12.7.3 Add Fieldglass System

Create an instance for SAP Fieldglass in the access request service Systems app.

1. Log into the SAP Cloud Identity Access Governance launchpad and open the Systems app.
2. Create a system for SAP Fieldglass. For System Type, select SAP Fieldglass.
3. In the HCP Destination field, enter the name of the SAP BTP destination for the SAP Fieldglass instance.
4. Save.

12.7.4 Sync User Data and Provision Access Requests

In the access request service launchpad, open the Job Scheduler app. In the Job Category dropdown, schedule
the following jobs:

● Repository Sync to synchronize the relevant data from SAP Fieldglass to the access request service.
In the System dropdown, select SAP Fieldglass.
● Provisioning to initiate the provisioning of access requests.

12.8 SAP S/4HANA Cloud

The information in this section describes the procedure for connecting your SAP S/4HANA Cloud tenant to the
SAP Cloud Identity Access Governance solution. This connection allows SAP S/4HANA Cloud users to use the
SAP Cloud Identity Access Governance services, such as access request and access analysis, and features such
as auto-provisioning and auditable workflows.

As illustrated in the diagram below, this connection enables the SAP Cloud Identity Access Governance
solution to replicate data from the SAP S/4HANA Cloud tenant, and then provision user role assignments to
target applications.

The procedure consists of configuration steps on the SAP S/4HANA Cloud tenant, and on the SAP Business
Technology Platform (SAP BTP) tenant for SAP Cloud Identity Access Governance. The following is a summary
of the procedure steps. For details, see the respective sections.

On the SAP S/4HANA Cloud tenant, do the following:

1. Create a communication user.
2. Create a communication system.
3. Create a communication arrangement, one for each communication scenario.

On the SAP BTP tenant, do the following:

1. Configure a destination for the SAP S/4HANA Cloud tenant.
2. Run the sync job to replicate data from the SAP S/4HANA Cloud tenant.

Configuration on SAP S/4HANA Cloud Tenant [page 93]

Create Destination for Identity Provisioning [page 99]

Create Proxy System [page 100]

Add SAP S/4HANA Cloud System [page 107]

Sync User Data and Provision Access Request [page 108]

12.8.1 Configuration on SAP S/4HANA Cloud Tenant

The information in this section describes the prerequisites and procedures you carry out on SAP S/4HANA
Cloud to enable the integration with the access request service.

Prerequisites

You must have completed the following prerequisites before you can begin the configuration tasks.

● Your SAP S/4HANA Cloud user has been assigned the business catalog SAP_CORE_BC_COM.
● You can use the business role template SAP_BR_ADMINISTRATOR.
● You have a signed SSL certificate from Verisign for your tenant or you can use basic authentication (user ID
and password) [optional].
The certificate is used to enable secure communication between the SAP S/4HANA Cloud tenant and the
SAP Business Technology Platform (SAP BTP) tenant for SAP Cloud Identity Access Governance.

Procedure

The configuration steps include the following:

1. Create a communication user and assign to it the SSL certificate.
2. Create a communication system to represent the SCP tenant account.
3. Create a communication arrangement, one for each communication scenario.
○ SAP_COM_0066 for replication of data
○ SAP_COM_0193 for provisioning

For more information on creating communication users and communication arrangements, see
Communication Management.

12.8.1.1 Create Communication User

Create a communication user and upload the SSL certificate. The matching private key is used to secure the
communication.

 Note

For more information, refer to: SAP Cloud Identity Services - Identity Provisioning.

Option 1: SSL Certificate

1. Log onto your SAP S/4HANA Cloud tenant, and open group Communication Management.
2. Open Maintain Communication Users and choose New to create a Communication User.

Parameter Value

User Name Enter a user name. Ex: IAG-INTEGRATION

Description Enter a meaningful description.

Password Enter a password and remember it for a later step.

 Tip
Create a password via Propose Password to receive a
password which satisfies the password rules.

3. Choose Upload Certificate and select the SSL Client Certificate from Verisign.
4. Choose Create.

Option 2: Basic Authentication

1. Log onto your SAP S/4HANA Cloud tenant, and open group Communication Management.

2. Open Maintain Communication Users and choose New to create a Communication User.

Parameter Value

User Name Enter a user name. Ex: IAG-INTEGRATION

Description Enter a meaningful description.

Password Enter a password and remember it for a later step.

 Tip
Create a password via Propose Password to receive a
password which satisfies the password rules.

12.8.1.2 Create Communication System

Create a new communication system to represent your tenant account in SAP BTP.

Option 1: SSL Certificate

1. Start the app Communication Systems and choose New to create a Communication System representing
your tenant account.
2. Choose a System ID and System Name to represent your SAP BTP account.
3. Choose Create.
4. Enter the hostname of your Provider Tenant ID for SAP Cloud Identity Access Governance. Enter only the
hostname without protocol and path. For example: xxxxx.us2.hana.ondemand.com.
5. Choose Save.
6. In the User for Inbound Communication section, choose the + button.
7. Select Authentication Method as SSL Client Certificate and add the communication user you created in the
previous step for the SSL Certificate option.

Option 2: Basic Authentication

 Note

Maintaining User for Outbound Communication is optional.

1. Start the Communication Systems app and choose New to create a Communication System representing
your tenant account.
2. Choose a System ID and System Name to represent your SAP BTP account.
3. Choose Create.
4. Enter the hostname of your Provider Tenant ID for SAP Cloud Identity Access Governance. Enter only the
hostname without protocol and path. For example: xxxxx.us2.hana.ondemand.com.
5. Choose Save.
6. In the User for Inbound Communication section, choose the + button.
7. Select Authentication Method as User ID and Password and add the communication user you created in the
previous step for the Basic Authentication option.
8. In the User for Outbound Communication section, choose the + button.
9. Select Authentication Method as User ID and Password and add the communication user you created in the
previous step for the Basic Authentication option.

12.8.1.3 Create Communication Arrangement

Create a communication arrangement, one for each communication scenario. Two scenarios are available.

● SAP_COM_0066 for replication of data
● SAP_COM_0093 for provisioning

You may choose to implement one or both. To implement both, complete all the steps in this procedure to
create a communication arrangement for one, and then repeat the procedure again to create an arrangement
for the other.

1. Start the Communication Arrangements app, and choose New Scenario.
2. Select a communication scenario, such as SAP_COM_0066 or SAP_COM_0093.

3. Select the Communication System you created in the previous step.
The other data is defined by the system.

4. Save the communication arrangement.

To implement another communication arrangement, repeat the procedure.

12.8.1.4 Configuration Steps on the SAP BTP Tenant

The information in this section describes the prerequisites and procedures you carry out on the SAP BTP tenant
to enable the connection with the SAP S/4HANA Cloud tenant.

Prerequisites

You must have completed the following prerequisites before you can begin the configuration tasks:

● You have completed the configuration steps for the SAP S/4HANA Cloud tenant.
● You have the SSL certificate from your SAP S/4HANA tenant (applicable only for certificate-based
authentication).

12.8.1.4.1 Create New Destination for the Tenant

Create a new destination using Client Certificate Authentication or Basic Authentication.

Option 1: Client Certificate Authentication

1. In your tenant for SAP Cloud Identity Access Governance, go to the Subaccounts dropdown menu and
choose your subaccount.
2. Choose Connectivity Destinations in the navigation panel.
3. Choose New Destination and create the following destination.

Parameter Value

Name Enter a meaningful name.

Type HTTP

Description (Optional) Enter a meaningful description.

URL The service URL from the communication arrangement.

Proxy Type Internet

Authentication ClientCertificateAuthentication

4. Choose New Property, select sap-client, and enter the SAP S/4HANA client value.
5. Choose the Upload and Delete Certificate link to upload the SSL certificate for your SAP S/4HANA tenant.
Select the file location for the SAP S/4HANA certificate. (This is the PKCS#12 keystore (xxxx.p12) that holds
the client certificate together with its private key for the communication user in SAP S/4HANA Cloud.)
1. From the Key Store Location drop-down menu, select your keystore.
2. In the Key Store Password field, enter the keystore password.
6. Select the Use default JDK truststore checkbox.
7. Save your entries.

Option 2: Basic Authentication

1. In your tenant for SAP Cloud Identity Access Governance, go to the Subaccounts dropdown menu and
choose your subaccount.
2. Choose Connectivity Destinations in the navigation panel.
3. Choose New Destination and create the following destination.

Parameter Value

Name Enter a meaningful name.

Type HTTP

Description (Optional) Enter a meaningful description.

URL Enter the URL for the SAP S/4HANA Cloud system service, such as <https://xxxx.s4hana.ondemand.com>

Proxy Type Internet

Authentication BasicAuthentication

User The name of the communication user you created in the SAP S/4HANA Cloud tenant.

Password The password for the communication user.

4. Choose New Property and add the following properties:

Parameter Value

sap-client Enter the SAP S/4HANA Cloud system client.

WRITE Enter the SAP S/4HANA service: /sap/bc/srt/scs_ext/sap/managebusinessuserin

5. Select the Use default JDK truststore checkbox.
6. Save your entries.

12.8.2 Create Destination for Identity Provisioning

In the SAP Business Technology Platform (SAP BTP), create a destination for Identity Provisioning.

1. In the tenant for SAP Cloud Identity Access Governance, go to the Subaccounts dropdown menu and
choose your subaccount.
2. Choose Connectivity Destinations in the navigation panel.
3. Choose New Destination and create the following destination.

 Note

It is very important to accurately enter the text strings as specified below. We recommend copying and
pasting them.

Parameter Value

Name* IPS_PROXY

Type HTTP

Description IPS Destination

URL* Enter the URL of the IPS instance (example: https://ipsproxyaebd32f83-a90504729.hana.ondemand.com)

Proxy Type Internet

Authentication BasicAuthentication

User* Enter the OAuth client ID (used as the authenticated user)

 Note
This user is configured in Security OAuth Clients for the service ipsproxy.

Password <Password of the user>

4. Choose New Property and add the following additional properties:

Parameter Value

Accept application/scim+json

OAuth2TokenServiceURL* Enter the URL of the OAuth token endpoint, suffixed with grant_type=client_credentials,
such as <https://oauthasservices-<Subscription Tenant ID>.<Regional Host>/oauth2/api/v1/token?grant_type=client_credentials>

 Note
The OAuth token endpoint URL can be found in Security OAuth OAuth URLs.

GROUPSURL /Groups

serviceURL /ipsproxy/api/v1/scim/

USERSURL /Users

5. Save your entries.

12.8.3 Create Proxy System

Step 1: Assign the IPS_ADMIN role to the user:

1. In your tenant for SAP Cloud Identity Access Governance, go to the Subaccounts dropdown menu and
choose your subaccount.
2. Choose Services Identity Provisioning in the navigation panel.
3. Choose Configure Service.

4. Choose Roles in the navigation panel.
5. Select IPS_ADMIN role and choose Assign to add User ID.
6. Choose Assign.

 Note

Add the tenant admin so that the user can later perform Step 2 mentioned below.

Step 2: Create a proxy system to connect SAP S/4HANA Cloud with your tenant.

1. In your tenant for SAP Cloud Identity Access Governance, go to the Subaccounts dropdown menu and
choose your subaccount.
2. Choose Services Identity Provisioning in the navigation panel.
3. Choose Go to Service.
4. Add a proxy system for SAP S/4HANA Cloud.
5. Select Type as SAP S/4HANA Cloud.
6. Enter the System Name, Description and Destination Name.
The Destination Name is the destination created in the previous section Create Destination for the S/
4HANA Cloud system.

7. Modify the following transformations for SAP Cloud Identity Access Governance to read and provision:

Read Transformation

{
  "user": {
    "mappings": [
      {
        "sourcePath": "$.personID",
        "targetPath": "$.id",
        "targetVariable": "entityIdSourceSystem"
      },
      {
        "sourcePath": "$.user.role[*].roleName",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.groups[?(@.value)]"
      },
      {
        "sourceVariable": "entityBaseLocation",
        "targetPath": "$.meta.location",
        "targetVariable": "entityLocationSourceSystem",
        "functions": [
          {
            "type": "concatString",
            "suffix": "${entityIdSourceSystem}"
          }
        ]
      },
      {
        "sourcePath": "$.personalInformation.firstName",
        "optional": true,
        "targetPath": "$.name.givenName"
      },
      {
        "sourcePath": "$.personalInformation.lastName",
        "optional": true,
        "targetPath": "$.name.familyName"
      },
      {
        "sourcePath": "$.personalInformation.middleName",
        "optional": true,
        "targetPath": "$.name.middleName"
      },
      {
        "sourcePath": "$.personalInformation.personFullName",
        "optional": true,
        "targetPath": "$.name.formatted"
      },
      {
        "sourcePath": "$.user.userName",
        "optional": true,
        "targetPath": "$.userName",
        "correlationAttribute": true
      },
      {
        "constant": true,
        "targetPath": "$.active"
      },
      {
        "condition": "$.user.lockedIndicator == 'X'",
        "constant": false,
        "optional": true,
        "targetPath": "$.active"
      },
      {
        "sourcePath": "$.workplaceInformation.emailAddress",
        "optional": true,
        "targetPath": "$.emails[0].value",
        "correlationAttribute": true
      },
      {
        "sourcePath": "$.user.logonLanguageCode",
        "optional": true,
        "targetPath": "$.locale"
      },
      {
        "sourcePath": "$.personExternalID",
        "optional": true,
        "targetPath": "$.personExternalID",
        "correlationAttribute": true
      },
      {
        "targetPath": "$.timeZone",
        "type": "valueMapping",
        "sourcePaths": [
          "$.user.timeZoneCode"
        ],
        "defaultValue": "Europe/Berlin",
        "valueMappings": [
          { "key": [ "UTC" ], "mappedValue": "Etc/UTC" },
          { "key": [ "EST" ], "mappedValue": "America/New_York" },
          { "key": [ "UTC+8" ], "mappedValue": "Asia/Shanghai" },
          { "key": [ "BRAZIL" ], "mappedValue": "America/Sao_Paulo" },
          { "key": [ "MSTNO" ], "mappedValue": "America/Phoenix" },
          { "key": [ "AUSNSW" ], "mappedValue": "Australia/Sydney" },
          { "key": [ "BRZLEA" ], "mappedValue": "America/Sao_Paulo" },
          { "key": [ "WDFT" ], "mappedValue": "Europe/Berlin" },
          { "key": [ "JAPAN" ], "mappedValue": "Asia/Tokyo" },
          { "key": [ "ISRAEL" ], "mappedValue": "Asia/Jerusalem" },
          { "key": [ "UTC+4" ], "mappedValue": "Asia/Dubai" },
          { "key": [ "EST_" ], "mappedValue": "America/Toronto" },
          { "key": [ "RUS03" ], "mappedValue": "Europe/Moscow" },
          { "key": [ "UTC+3" ], "mappedValue": "Asia/Riyadh" }
        ]
      },
      {
        "targetPath": "$.userType",
        "type": "valueMapping",
        "sourcePaths": [
          "$.businessPartnerRoleCode"
        ],
        "defaultValue": "Employee",
        "valueMappings": [
          { "key": [ "BBP005" ], "mappedValue": "Service Performer" },
          { "key": [ "BUP003" ], "mappedValue": "Employee" },
          { "key": [ "BBP010" ], "mappedValue": "Freelancer" }
        ]
      }
    ],
    "scimEntityEndpoint": "Users"
  },
  "group": {
    "mappings": [
      {
        "sourcePath": "$.ID",
        "targetPath": "$.id",
        "targetVariable": "entityIdSourceSystem"
      },
      {
        "sourceVariable": "entityBaseLocation",
        "targetPath": "$.meta.location",
        "targetVariable": "entityLocationSourceSystem",
        "functions": [
          {
            "type": "concatString",
            "suffix": "${entityIdSourceSystem}"
          }
        ]
      },
      {
        "constant": "urn:ietf:params:scim:schemas:core:2.0:Group",
        "targetPath": "$.schemas[0]"
      },
      {
        "sourcePath": "$.ID",
        "targetPath": "$.displayName"
      },
      {
        "sourcePath": "$.to_BusinessUserAssignment.results",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.members"
      },
      {
        "targetPath": "$.members[*].__metadata",
        "type": "remove"
      },
      {
        "constant": "value",
        "targetPath": "$.members[*].PersonID",
        "type": "rename"
      },
      {
        "constant": "user",
        "targetPath": "$.members[*].type"
      }
    ],
    "scimEntityEndpoint": "Groups"
  }
}

Write Transformation

{
  "user": {
    "mappings": [
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['employeeNumber']",
        "targetPath": "$.personExternalID"
      },
      {
        "sourceVariable": "entityIdTargetSystem",
        "targetPath": "$.personID"
      },
      {
        "targetPath": "$.businessPartnerRoleCode",
        "type": "valueMapping",
        "sourcePaths": [
          "$.userType"
        ],
        "defaultValue": "BUP003",
        "valueMappings": [
          { "key": [ "Employee" ], "mappedValue": "BUP003" },
          { "key": [ "Freelancer" ], "mappedValue": "BBP010" },
          { "key": [ "Service Performer" ], "mappedValue": "BBP005" }
        ]
      },
      {
        "sourceVariable": "currentDate",
        "targetPath": "$.validityPeriod.startDate",
        "scope": "createEntity"
      },
      {
        "constant": "9999-12-31",
        "targetPath": "$.validityPeriod.endDate",
        "scope": "createEntity"
      },
      {
        "sourcePath": "$.name.givenName",
        "optional": true,
        "targetPath": "$.personalInformation.firstName"
      },
      {
        "sourcePath": "$.name.familyName",
        "optional": true,
        "targetPath": "$.personalInformation.lastName"
      },
      {
        "sourcePath": "$.name.middleName",
        "optional": true,
        "targetPath": "$.personalInformation.middleName"
      },
      {
        "sourcePath": "$.name.formatted",
        "optional": true,
        "targetPath": "$.personalInformation.personFullName"
      },
      {
        "sourcePath": "$.userName",
        "targetPath": "$.user.userName"
      },
      {
        "sourcePath": "$.locale",
        "optional": true,
        "targetPath": "$.user.logonLanguageCode"
      },
      {
        "sourcePath": "$.groups[*].value",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.user.role[?(@.roleName)]"
      },
      {
        "sourcePath": "$.emails[0].value",
        "optional": true,
        "targetPath": "$.workplaceInformation.emailAddress"
      },
      {
        "condition": "$.active == false",
        "constant": "X",
        "targetPath": "$.user.lockedIndicator"
      }
    ],
    "scimEntityEndpoint": "Users"
  },
  "group": {
    "mappings": [],
    "scimEntityEndpoint": "Groups"
  }
}

8. Save your entries.

 Note

Copy the external system ID and use it to set up the SAP S/4HANA Cloud instance in the Systems app in
the next section, Add SAP S/4HANA Cloud System.
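The read transformation above is a list of mappings that Identity Provisioning applies in order to each SAP S/4HANA Cloud business user. To make the constructs concrete, here is an added example, not part of this guide and not the Identity Provisioning engine, that re-implements in Python only the subset of constructs visible on this page: sourcePath/targetPath copying, optional attributes, constants, a condition of the form <path> == <literal>, and valueMapping with defaultValue. The two sample records, the interpreter and its minimal path handling are constructions for illustration; the real engine supports far more JSONPath and remains the authority on semantics.

```python
import re

SAMPLE_LOCKED_USER = {  # constructed S/4HANA Cloud business user record (invented, not from the guide)
    "personID": "1000123",
    "personalInformation": {"firstName": "Ada", "lastName": "Lovelace"},
    "workplaceInformation": {"emailAddress": "ada.lovelace@example.com"},
    "user": {"userName": "ALOVELACE", "lockedIndicator": "X", "timeZoneCode": "UTC+8"},
}
SAMPLE_ACTIVE_USER = {**SAMPLE_LOCKED_USER,  # constructed: same person, unlocked, unmapped time zone
                      "user": {"userName": "ALOVELACE", "lockedIndicator": "", "timeZoneCode": "CET"}}

# Subset of the guide's read transformation, in the same notation (Python literals standing in for JSON).
READ_MAPPINGS = [
    {"sourcePath": "$.personID", "targetPath": "$.id"},
    {"sourcePath": "$.personalInformation.firstName", "optional": True, "targetPath": "$.name.givenName"},
    {"sourcePath": "$.personalInformation.middleName", "optional": True, "targetPath": "$.name.middleName"},
    {"sourcePath": "$.user.userName", "optional": True, "targetPath": "$.userName"},
    # Order matters: the unconditional constant is written first ...
    {"constant": True, "targetPath": "$.active"},
    # ... and the conditional mapping overrides it only when the S/4HANA user is locked.
    {"condition": "$.user.lockedIndicator == 'X'", "constant": False, "optional": True, "targetPath": "$.active"},
    {"sourcePath": "$.workplaceInformation.emailAddress", "optional": True, "targetPath": "$.emails[0].value"},
    {"targetPath": "$.timeZone", "type": "valueMapping", "sourcePaths": ["$.user.timeZoneCode"],
     "defaultValue": "Europe/Berlin",
     "valueMappings": [{"key": ["UTC"], "mappedValue": "Etc/UTC"}, {"key": ["UTC+8"], "mappedValue": "Asia/Shanghai"}]},
]

_TOKEN = re.compile(r"\.([A-Za-z_][A-Za-z0-9_]*)|\[(\d+)\]")
_COND = re.compile(r"^\s*(\$[^\s=]+)\s*==\s*(.+?)\s*$")

def _tokens(path):
    """Split '$.a.b[0].c' into ['a', 'b', 0, 'c']; only this simple subset of JSONPath is supported here."""
    tokens, pos = [], 1  # position 0 is the leading '$'
    while pos < len(path):
        m = _TOKEN.match(path, pos)
        if not m:
            raise ValueError(f"unsupported path syntax: {path!r}")
        tokens.append(m.group(1) if m.group(1) is not None else int(m.group(2)))
        pos = m.end()
    return tokens

def _get(doc, path):
    """Return (found, value); the flag distinguishes a missing optional attribute from a null value."""
    node = doc
    for tok in _tokens(path):
        in_list = isinstance(node, list) and isinstance(tok, int) and tok < len(node)
        in_dict = isinstance(node, dict) and tok in node
        if not (in_list or in_dict):
            return False, None
        node = node[tok]
    return True, node

def _set(doc, path, value):
    """Write value at path, creating intermediate dicts and lists as needed."""
    tokens, node = _tokens(path), doc
    for i, tok in enumerate(tokens):
        if isinstance(node, list):  # grow the list so that index tok exists
            node.extend([None] * (tok + 1 - len(node)))
        if i == len(tokens) - 1:
            node[tok] = value
            return
        missing = node[tok] is None if isinstance(node, list) else tok not in node
        if missing:  # the next token decides whether a list or a dict is created here
            node[tok] = [] if isinstance(tokens[i + 1], int) else {}
        node = node[tok]

def _condition_holds(condition, source):
    """Evaluate the only condition shape on this page: <path> == <literal> (quoted string, true or false)."""
    m = _COND.match(condition)
    if not m:
        raise ValueError(f"unsupported condition: {condition!r}")
    found, actual = _get(source, m.group(1))
    literal = m.group(2)
    expected = {"true": True, "false": False}.get(literal, literal.strip("'\""))
    return found and actual == expected

def apply_mappings(source, mappings):
    """Apply the mappings in order to source and return the resulting target document."""
    target = {}
    for m in mappings:
        if "condition" in m and not _condition_holds(m["condition"], source):
            continue
        if m.get("type") == "valueMapping":
            found, raw = _get(source, m["sourcePaths"][0])
            hits = [vm["mappedValue"] for vm in m["valueMappings"] if found and raw in vm["key"]]
            value = hits[0] if hits else m["defaultValue"]
        elif "constant" in m:
            value = m["constant"]
        else:
            found, value = _get(source, m["sourcePath"])
            if not found:
                if not m.get("optional"):
                    raise KeyError(f"required attribute missing: {m['sourcePath']}")
                continue  # absent optional attribute: nothing is written for it
        _set(target, m["targetPath"], value)
    return target

def to_scim_user(s4_record):
    return apply_mappings(s4_record, READ_MAPPINGS)  # S/4HANA Cloud business user -> SCIM-style user
```

Running to_scim_user over the locked sample yields active = false and timeZone = Asia/Shanghai, while the unlocked sample with an unmapped code yields active = true and the default Europe/Berlin. The point worth checking before the Repository Sync job runs against production is the order of the two $.active mappings: if the conditional one were placed before the constant, every locked S/4HANA user would be reported to the access request service as active.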

12.8.4 Add SAP S/4HANA Cloud System

Create an instance for the SAP S/4HANA Cloud system in the access request service Systems app.

Creating a new system

1. Log into the SAP Cloud Identity Access Governance launchpad and open the Systems app.
2. Create a system for SAP S/4HANA Cloud. For the System Type, select SAP S/4HANA Cloud.
3. In the HCP Destination field, enter the name of the SAP S/4HANA Cloud destination created in the
previous section, Create Destination.
4. Enter the external system ID which you noted in the previous section, Create Proxy System.
5. Save your entries.

Updating an existing SAP S/4HANA Cloud System

 Note

Perform the steps below only if the SAP S/4HANA Cloud system was created in SAP Cloud Identity Access
Governance prior to the 1911 release.

1. Select the SAP S/4HANA Cloud system configured in the previous release.
2. Select Edit.

3. Enter the external system ID which you noted in the previous section, Create Proxy System.
4. Save your entries.

12.8.5 Sync User Data and Provision Access Request

In the SAP Cloud Identity Access Governance launchpad, open the Job Scheduler app and schedule the following
jobs:

● Repository Sync to synchronize the relevant data from Identity Authentication to the access request
service.
1. In the Job Name field, enter a job name.
2. In the Job Category field, select Repository Sync.
3. In the Recurring Job field, select No.
4. In the Start Immediately field, select Yes.
5. In the System Type field, select SAP S/4HANA Cloud.
6. In the System field, select the system.
7. Choose the Schedule Job button. The job status and log can be checked in the Job History app.

 Note

To schedule a recurring job for both Repository Sync and Provisioning, refer to SAP Note 2859618 for
recommendations on the frequency of the jobs.

● Provisioning to initiate the provisioning of access requests.
1. In the Job Name field, enter a job name.
2. In the Job Category field, select Provisioning.
3. In the Recurring Job field, select No.
4. In the Start Immediately field, select Yes.
5. Choose the Schedule Job button. The job status and log can be checked in the Job History app.

12.9 SAP S/4HANA (on-premise)

The information in this section describes the procedure for connecting SAP S/4HANA on-premise to the SAP
Cloud Identity Access Governance solution and its services. SAP Cloud Identity Access Governance is a cloud-
based service for creating self-service access requests for on-premise and cloud applications and systems.
Connecting to the solution enables SAP S/4HANA on-premise users to initiate access requests, which are then
provisioned to target applications.

Prerequisites

Ensure you have completed enablement and configuration for the SAP Cloud Identity Access Governance
solution.

12.9.1 Process Overview

There are three overall steps to enable integration between SAP S/4HANA on-premise systems and the SAP
Cloud Identity Access Governance solution and its services:

1. In the SAP Business Technology Platform (SAP BTP), set up a destination for the SAP S/4HANA on-premise
system.
2. In the access request service, use the Systems app to create an instance for the SAP S/4HANA on-premise
system.
3. In the access request service, use the Job Scheduler app to sync user data and provision access requests.

12.9.2 Install Cloud Connector and Set Destinations

If you have not already done so, install the Cloud Connector for SAP Business Technology Platform (SAP BTP) to
enable secure communication between the access request service and the SAP S/4HANA on-premise system.

Make sure to select the Proxy Type OnPremise.

For the procedure, refer to the topic Maintaining Cloud Connect for On-Premise Scenario [page 43].

12.9.3 Sync User Data and Provision Requests

In the access request service launchpad, open the Job Scheduler app, and schedule the following jobs:

● Repository Sync to synchronize the relevant data from SAP S/4HANA system to the access request
service.
● Provisioning to initiate the provisioning of access requests.

12.9.4 Add SAP S/4HANA Instance to Access Request Systems

Create an instance for SAP S/4HANA in the access request service Systems app.

1. Log into the SAP Cloud Identity Access Governance launchpad and open the Systems app.
2. Create a system for SAP S/4HANA. For System Type, select SAP S/4HANA On-Premise.
3. In the HCP Destination field, enter the name of the SAP S/4HANA destination from SAP Business
Technology Platform (SAP BTP).
4. Save.

12.10 Microsoft Azure Platform

The information in this section describes the procedure for connecting Microsoft Azure to the SAP Cloud
Identity Access Governance solution and its services. SAP Cloud Identity Access Governance is a cloud-based
service for creating self-service requests to applications for on-premise and cloud source applications and
systems. By connecting to the SAP Cloud Identity Access Governance solution, it enables Microsoft Azure
users to initiate access requests, which are then provisioned to target applications.

12.10.1 Process Overview

There are three overall steps to enable integration between Microsoft Azure and the SAP Cloud Identity Access
Governance solution and its services:

1. In the Identity Provisioning, create a proxy system for the Microsoft Azure system.
2. In the access request service launchpad, use the Systems app to create a system for Azure, using the
external system ID generated from step 1.
3. In the SAP Business Technology Platform (SAP BTP), create two destinations: one to generate an
authentication token; one for provisioning.
4. In the access request service, schedule jobs to sync Azure users and roles, and to provision the access
requests.

12.10.2 Create Proxy System

Create a proxy system to enable Microsoft Azure to connect with the SAP Business Technology Platform (SAP
BTP).

1. Log into the SAP BTP cockpit, go to your tenant instance, and open Services Identity Provisioning Go
To Service Proxy System.

2. Add a proxy system for Azure and click Save.
The service generates a URL for the Azure proxy system. The external system ID is included in the
URL. (See the illustration below.)
3. Copy the external system ID, and use it to set up the Azure instance in the Systems app in the next step.

12.10.3 Add Azure Instance to Access Request Systems

Create an instance for Azure in the access request service Systems app.

1. Log into the SAP Cloud Identity Access Governance launchpad and open the Systems app.
2. Create a system for Azure. For System Type, select Microsoft Azure.
3. In the External System ID field, paste the ID you copied from the SAP BTP proxy system.
4. Save.

12.10.4 Create Destinations

In the SAP Business Technology Platform (SAP BTP), create two destinations.

● IAGprovisioning_IDMOauth to obtain a token for authentication.
● IAGProvisioning_SCIMService, which uses that token to authenticate the provisioning calls.

Log into the SAP BTP cockpit, go to your tenant, and then choose Connectivity Destinations New
Destination.

 Note

When creating the destinations, enter the name exactly as described below.

IAGprovisioning_IDMOauth

Create the IAGprovisioning_IDMOauth destination with the following details:

Field Value

Name* IAGprovisioning_IDMOauth

Type HTTP

URL*

Proxy Type Internet

Authentication BasicAuthentication

Body grant_type=client_credentials

Header {"Content-Type":"application/x-www-form-urlencoded","Authorization":"Basic Yzk3YTY3YTEtOTUxZS0zN2NjLWJmMWUtZjgwNDlhYTMxZmRiOkFiY2QxMjM0","Accept":"application/json"}

IAGProvisioning_SCIMService

Create the IAGProvisioning_SCIMService destination with the following details:

Field Value

Name IAGProvisioning_SCIMService

Type HTTP

URL

Proxy Type Internet

Authentication BasicAuthentication

GroupAssignmentURL /Groups/

Header {"Accept": "application/scim+json","Content-Type": "application/scim+json", "Authorization": "Bearer"}

UserURL /Users
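The two destinations above form one OAuth 2.0 client-credentials exchange: IAGprovisioning_IDMOauth obtains a token using HTTP Basic client authentication, and IAGProvisioning_SCIMService sends that token as a Bearer header on its SCIM calls. The following added Python example (not from this guide or from SAP) plays both sides in memory: it builds the header and body shapes shown in the two tables, validates them in a constructed stand-in for the token endpoint, and fills in the Bearer header of the SCIM destination. The client ID, client secret, token value and fake_token_endpoint are placeholders constructed for the example; the page does not give the real token URL.

```python
import base64
from urllib.parse import parse_qs

# Constructed placeholders (not real credentials and not values from the guide).
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"


def basic_auth_header(client_id, client_secret):
    """HTTP Basic client authentication: base64 of 'client_id:client_secret'. Encoding, not encryption."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(client_id, client_secret):
    """Same shape as the IAGprovisioning_IDMOauth destination: form body plus the three header fields."""
    return {
        "headers": {
            "Content-Type": "application/x-www-form-urlencoded",
            "Authorization": basic_auth_header(client_id, client_secret),
            "Accept": "application/json",
        },
        "body": "grant_type=client_credentials",
    }


def fake_token_endpoint(request, known_clients):
    """Constructed stand-in for the token endpoint (the guide does not give its URL).

    Checks the Basic credentials and the grant type, then issues an opaque token,
    mirroring the OAuth 2.0 client-credentials grant. Not a real service."""
    auth = request["headers"].get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    try:
        client_id, secret = base64.b64decode(auth[len("Basic "):]).decode("utf-8").split(":", 1)
    except ValueError:  # bad base64 (binascii.Error), bad UTF-8, or no ':' separator
        return 401, {"error": "invalid_client"}
    if known_clients.get(client_id) != secret:
        return 401, {"error": "invalid_client"}
    if parse_qs(request["body"]).get("grant_type") != ["client_credentials"]:
        return 400, {"error": "unsupported_grant_type"}
    return 200, {"access_token": f"constructed-token-{client_id}", "token_type": "Bearer", "expires_in": 3600}


def build_scim_headers(token_response):
    """Same shape as the IAGProvisioning_SCIMService destination header, with the Bearer value filled in."""
    return {
        "Accept": "application/scim+json",
        "Content-Type": "application/scim+json",
        "Authorization": f"Bearer {token_response['access_token']}",
    }


def run_flow(client_id, client_secret, known_clients):
    """Token destination first, then the SCIM destination; returns (status, scim_headers or None)."""
    status, body = fake_token_endpoint(build_token_request(client_id, client_secret), known_clients)
    if status != 200:
        return status, None
    return status, build_scim_headers(body)
```

The Basic value stored in the Header field of IAGprovisioning_IDMOauth is nothing more than base64 of client ID and client secret, so the destination effectively holds the OAuth client secret in clear text: anyone who can read destinations in the cockpit can recover it. Restrict that permission accordingly and rotate the OAuth client secret if the destination configuration is ever exported or exposed.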

12.10.5 Sync User Data and Provision Requests

In the access request service launchpad, open the Job Scheduler app, and schedule the following jobs:

● Repository Sync to synchronize the relevant data from Azure to the access request service.
● Provisioning to initiate the provisioning of access requests.

12.11 SAP Marketing Cloud

The information in this section describes the procedure for connecting SAP Marketing Cloud to the SAP Cloud
Identity Access Governance solution and its services. SAP Cloud Identity Access Governance is a cloud-based
solution for creating self-service requests to applications for on-premise and cloud source applications and
systems. By connecting to the solution, it enables SAP Marketing Cloud users to initiate access requests, which
are then provisioned to target applications.

Prerequisites

Ensure you have completed enablement and configuration for the SAP Cloud Identity Access Governance
solution.

12.11.1 Process Overview

There are three overall steps to enable integration between SAP Marketing Cloud solutions and the SAP Cloud
Identity Access Governance solution and its services:

1. In the SAP Business Technology Platform (SAP BTP), set up a destination for the SAP Marketing Cloud
solution.
2. In the access request service, use the Systems app to create an instance for the SAP Marketing Cloud
solution.
3. In the access request service, use the Job Scheduler app to sync user data and provision access requests.

12.11.2 Configuration in SAP Marketing Cloud

The information in this section describes the prerequisites and procedures you carry out in SAP Marketing
Cloud to enable the integration with the access request service.

Prerequisites

You must have completed the following prerequisites before you can begin the configuration tasks.

● Your user for SAP Marketing Cloud has been assigned the business catalog SAP_CORE_BC_COM.
● You can use the business role template SAP_BR_ADMINISTRATOR.
● You have a signed SSL certificate from Verisign for your tenant [optional].
The certificate is used to enable secure communication between SAP Marketing Cloud and the SAP BTP
tenant for SAP Cloud Identity Access Governance.

Procedure

The configuration steps include the following:

1. Create a communication user and assign to it the SSL certificate.
2. Create a communication system to represent the SAP BTP tenant account.
3. Create a communication arrangement, one for each communication scenario.
○ SAP_COM_0066 for replication of data
○ SAP_COM_0093 for provisioning

12.11.2.1 Create Communication User

Create a communication user and upload the SSL certificate. The matching private key is used to secure the
communication.

Option 1: SSL Certificate

1. Log onto your SAP Marketing Cloud, and open group Communication Management.
2. Open Maintain Communication Users and choose New to create a Communication User.

Parameter Value

User Name Enter a user name. Ex: IAG-INTEGRATION

Description Enter a meaningful description.

Password Enter a password and remember it for a later step.

 Tip
Create a password via Propose Password to receive a
password which satisfies the password rules.

3. Choose Upload Certificate and select the SSL Client Certificate from Verisign.
4. Choose Create.

Option 2: Basic Authentication

1. Log on to your SAP Marketing Cloud and open the group Communication Management.
2. Open Maintain Communication Users and choose New to create a communication user:

Parameter     Value
User Name     Enter a user name. Example: IAG-INTEGRATION
Description   Enter a meaningful description.
Password      Enter a password and remember it for a later step.

 Tip
Create a password via Propose Password to receive a password that satisfies the password rules.

3. Choose Create.

12.11.2.2 Create Communication System

Create a new communication system to represent your tenant account for SAP Cloud Identity Access
Governance.

Option 1: SSL Certificate

1. Start the app Communication Systems and choose New to create a communication system representing
your tenant account for SAP Cloud Identity Access Governance.
2. Choose a System ID and System Name to represent your SAP BTP account.
3. Choose Create.
4. Enter the hostname of your Provider Tenant ID for SAP Cloud Identity Access Governance. Enter only the
hostname, without protocol and path. For example: xxxxx.us2.hana.ondemand.com.
5. Choose Save.
6. In the User for Inbound Communication section, choose the + button.
7. Select SSL Client Certificate as the Authentication Method and add the communication user you created in
the previous step for the SSL Certificate option.

Option 2: Basic Authentication

 Note

Maintaining User for Outbound Communication is optional.

1. Start the Communication Systems app and choose New to create a communication system representing
your tenant account for SAP Cloud Identity Access Governance.
2. Choose a System ID and System Name to represent your SAP BTP account.
3. Choose Create.
4. Enter the hostname of your Provider Tenant ID. Enter only the hostname, without protocol and path. For
example: xxxxx.us2.hana.ondemand.com.
5. Choose Save.
6. In the User for Inbound Communication section, choose the + button.
7. Select User ID and Password as the Authentication Method and add the communication user you created in
the previous step for the Basic Authentication option.

12.11.2.3 Create Communication Arrangement

Create a communication arrangement, one for each communication scenario. Two scenarios are available:

● SAP_COM_0066 for replication of data
● SAP_COM_0093 for provisioning

You may choose to implement one or both. To implement both, complete all the steps in this procedure to
create a communication arrangement for one scenario, and then repeat the procedure to create an arrangement
for the other.

1. Start the app Communication Arrangements and choose New Scenario.
2. Select a communication scenario.
3. Select the Communication System you created in the previous step.
The other data is filled in by the system.
4. Save the communication arrangement.

To implement another communication arrangement, repeat the procedure.

12.11.3 Create Destinations

In SAP BTP, create destinations for your SAP Marketing Cloud instance.

1. Log in to the SAP BTP cockpit and go to your tenant.
2. In the left-hand pane, choose Connectivity > Destinations, and then choose New Destination.
3. Create a destination for the SAP Marketing Cloud instance with the properties listed in the table below.
Properties marked with * are mandatory.

 Note

You may need to add a property field manually if it is not displayed automatically.

 Caution

It is very important to enter the text strings exactly as specified below. We recommend copying and
pasting them.

Property         Value
*Name            MKTCLOUD
Type             HTTP
Description      Marketing Cloud Destination
*URL             The URL of the SAP Marketing Cloud instance
Proxy Type       Internet
Authentication   BasicAuthentication
User             Name of the communication user SAP BTP uses to access the SAP Marketing Cloud instance
Password         Password of that user
sap-client       SAP Marketing Cloud client
WRITE            /sap/bc/srt/scs/sap/managebusinessuserin

4. Make sure Use default JDK truststore is checked, so that the server certificate presented by SAP Marketing
Cloud is validated against the default trust store.

12.11.4 Add Marketing Cloud Instance to Access Request Systems

Create an instance for SAP Marketing Cloud in the Systems app.

1. Log in to the SAP Cloud Identity Access Governance launchpad and open the Systems app.
2. Create a system for SAP Marketing Cloud. For System Type, select SAP Marketing Cloud.
3. In the HCP Destination field, enter the name of the SAP BTP destination for SAP Marketing Cloud.
4. Save.

12.11.5 Sync User Data and Provision Access Requests

In the access request service launchpad, open the Job Scheduler app. In the Job Category dropdown list,
schedule the following jobs:

● Repository Sync to synchronize the relevant data from SAP Marketing Cloud to the access request service.
In the System dropdown list, select SAP Marketing Cloud.
● Provisioning to initiate the provisioning of access requests.

12.11.6 User ID Mapping

Configure the mapping of User ID to Login Name for SAP Cloud Identity Access Governance:

● Open the Configuration tile in the Administration group of the SAP Cloud Identity Access Governance Fiori
launchpad. Make sure there is an entry for USERIDGROUP.

Custom Field Configuration:

1. Open the Fiori launchpad in a Web browser.
2. Go to IAG Administration and open the Custom Field Groups tile.
3. Choose the + sign to create a new custom field group.
4. Provide a Name and Description.
5. Select Access Request as the Process.
6. Select Application Type as the Entity Type.
7. Select SAP Marketing Cloud as the Entity Type Value from the F4 help dialog window.
8. Select the Status checkbox to make the group active.
9. Save your entries using the Save button.

10. Go to the Custom Field tile in the Administration group.
11. Choose the + icon to create a new custom field.
12. On the next screen, provide the following inputs:

Field         Value
Name          Any name
Description   Any description
Label         Any label
Input Type    Select Input Text
Data Type     Select String
Field Length  40
Status        Select the checkbox

13. On the next tab, choose the Custom Field Group created in step 3. Save the custom field using the Save
button at the bottom.

After this configuration, a new custom field appears in Access Request. It reads the user's login name from the
authentication system (for example, Identity Authentication) and stays blank if no login name is maintained
there; in that case the user's P-number is used for provisioning instead.

12.12 SAP Integrated Business Planning

The information in this section describes the procedure for connecting SAP Integrated Business Planning to
the SAP Cloud Identity Access Governance solution and its services. SAP Cloud Identity Access Governance is
a cloud-based solution for creating self-service access requests for on-premise and cloud applications and
systems. Connecting SAP Integrated Business Planning to the solution enables its users to initiate access
requests, which are then provisioned to target applications.

Prerequisites

Ensure you have completed enablement and configuration for the SAP Cloud Identity Access Governance
solution.

12.12.1 Process Overview

There are four overall steps to enable integration between the SAP Integrated Business Planning solution and
the SAP Cloud Identity Access Governance solution and its services:

1. In SAP Integrated Business Planning, carry out the required configuration tasks and steps.
2. In the SAP BTP cockpit, set up a destination for the SAP Integrated Business Planning solution.
3. In the access request service, use the Systems app to create an instance for the SAP Integrated Business
Planning solution.
4. In the access request service, use the Job Scheduler app to sync user data and provision access requests.

12.12.2 Configuration in SAP Integrated Business Planning

The information in this section describes the prerequisites and procedures you carry out in SAP Integrated
Business Planning to enable the integration with the access request service.

Prerequisites

You must have completed the following prerequisites before you can begin the configuration tasks.

● Your user for SAP Integrated Business Planning has been assigned the business catalog
SAP_CORE_BC_COM.
● You can use the business role template SAP_BR_ADMINISTRATOR.
● Optional: You have a signed SSL client certificate from Verisign for your tenant.
The certificate is used to secure the communication between SAP Integrated Business Planning and
the SAP BTP tenant for SAP Cloud Identity Access Governance. It is required only if you choose the
certificate-based option in the steps below; otherwise the communication user authenticates with a password.

Procedure

The configuration steps include the following:

1. Create a communication user and assign the SSL certificate to it.
2. Create a communication system to represent the SAP BTP tenant account.
3. Create a communication arrangement, one for each communication scenario:
○ SAP_COM_0066 for replication of data
○ SAP_COM_0093 for provisioning

12.12.2.1 Create Communication User

Create a communication user and, for certificate-based authentication, upload the SSL client certificate. The
private key belonging to that certificate is what authenticates the communication user and secures the
connection; with the Basic Authentication option, the user authenticates with a password instead.

Option 1: SSL Certificate

1. Log on to your SAP Integrated Business Planning and open the group Communication Management.
2. Open Maintain Communication Users and choose New to create a communication user:

Parameter     Value
User Name     Enter a user name. Example: IAG-INTEGRATION
Description   Enter a meaningful description.
Password      Enter a password and remember it for a later step.

 Tip
Create a password via Propose Password to receive a password that satisfies the password rules.

3. Choose Upload Certificate and select the SSL client certificate from Verisign.
4. Choose Create.

Option 2: Basic Authentication

1. Log on to your SAP Integrated Business Planning and open the group Communication Management.
2. Open Maintain Communication Users and choose New to create a communication user:

Parameter     Value
User Name     Enter a user name. Example: IAG-INTEGRATION
Description   Enter a meaningful description.
Password      Enter a password and remember it for a later step.

 Tip
Create a password via Propose Password to receive a password that satisfies the password rules.

3. Choose Create.

12.12.2.2 Create Communication System

Create a new communication system to represent your SAP BTP tenant account for SAP Cloud Identity Access
Governance.

Option 1: SSL Certificate

1. Start the app Communication Systems and choose New to create a communication system representing
your SAP BTP tenant account for SAP Cloud Identity Access Governance.
2. Choose a System ID and System Name to represent your SAP BTP account.
3. Choose Create.
4. Enter the hostname of your Provider Tenant ID for SAP Cloud Identity Access Governance. Enter only the
hostname, without protocol and path. For example: xxxxx.us2.hana.ondemand.com.
5. Choose Save.
6. In the User for Inbound Communication section, choose the + button.
7. Select SSL Client Certificate as the Authentication Method and add the communication user you created in
the previous step for the SSL Certificate option.

Option 2: Basic Authentication

 Note

Maintaining User for Outbound Communication is optional.

1. Start the Communication Systems app and choose New to create a communication system representing
your tenant account for SAP Cloud Identity Access Governance.
2. Choose a System ID and System Name to represent your SAP BTP account.
3. Choose Create.
4. Enter the hostname of your Provider Tenant ID for SAP Cloud Identity Access Governance. Enter only the
hostname, without protocol and path. For example: xxxxx.us2.hana.ondemand.com.
5. Choose Save.
6. In the User for Inbound Communication section, choose the + button.
7. Select User ID and Password as the Authentication Method and add the communication user you created in
the previous step for the Basic Authentication option.

12.12.2.3 Create Communication Arrangement

Create a communication arrangement, one for each communication scenario. Two scenarios are available:

● SAP_COM_0066 for replication of data
● SAP_COM_0093 for provisioning

You may choose to implement one or both. To implement both, complete all the steps in this procedure to
create a communication arrangement for one scenario, and then repeat the procedure to create an arrangement
for the other.

1. Start the app Communication Arrangements and choose New Scenario.
2. Select a communication scenario.
3. Select the Communication System you created in the previous step.
The other data is filled in by the system.
4. Save the communication arrangement.

To implement another communication arrangement, repeat the procedure.

12.12.3 Create Destinations

In the SAP BTP cockpit, create a destination for your SAP Integrated Business Planning instance.

1. Log in to the SAP BTP cockpit and go to your tenant.
2. In the left-hand pane, choose Connectivity > Destinations, and then choose New Destination.
3. Create a destination for the SAP Integrated Business Planning instance with the properties listed in the
table below. Properties marked with * are mandatory.

 Note

You may need to add a property field manually if it is not displayed automatically.

 Caution

It is very important to enter the text strings exactly as specified below. We recommend copying and
pasting them.

Property         Value
*Name            IBPCLOUD
Type             HTTP
Description      SAP Integrated Business Planning Destination
*URL             https://myXXXXXX-api.scmibp.ondemand.com
Proxy Type       Internet
Authentication   BasicAuthentication
User             Name of the communication user SAP BTP uses to access the SAP Integrated Business Planning instance
Password         Password of that user
sap-client       SAP Integrated Business Planning client
WRITE            /sap/bc/srt/scs_ext/sap/managebusinessuserin

4. Make sure Use default JDK truststore is checked, so that the server certificate presented by SAP Integrated
Business Planning is validated against the default trust store.

12.12.4 Add Integrated Business Planning Instance to Access Request Systems

Create an instance for SAP Integrated Business Planning in the Systems app.

1. Log in to the SAP Cloud Identity Access Governance launchpad and open the Systems app.
2. Create a system for SAP Integrated Business Planning. For System Type, select SAP Integrated Business
Planning.
3. In the HCP Destination field, enter the name of the SAP BTP destination for SAP Integrated Business
Planning (IBPCLOUD in the example above).
4. Save.

12.12.5 Sync User Data and Provision Access Requests

In the access request service launchpad, open the Job Scheduler app. In the Job Category dropdown list,
schedule the following jobs:

● Repository Sync to synchronize the relevant data from SAP Integrated Business Planning to the access
request service.
In the System dropdown list, select the SAP Integrated Business Planning system defined in the
previous step.
● Provisioning to initiate the provisioning of access requests.

12.12.6 User ID Mapping

Configure the mapping of User ID to Login Name for SAP Cloud Identity Access Governance (IAG):

● Open the Configuration tile in the Administration group of the IAG Fiori launchpad. Make sure there is an
entry for USERIDGROUP.

Custom Field Configuration:

1. Open the IAG Fiori launchpad in a Web browser.
2. Go to IAG Administration and open the Custom Field Groups tile.
3. Choose the + sign to create a new custom field group and make the following entries:

Field              Value
Name               IBP_Group
Description        IBP_Group
Process            Access Request
Entity Type        Application Type
Entity Type Value  Select SAP Integrated Business Planning from the F4 help dialog window.
Status             Select the checkbox

4. Save your entries.
5. Go to the Custom Field tile in the Administration group.
6. Choose the + icon to create a new custom field.
7. On the next screen, provide the following inputs:

Field         Value
Name          IBP_USERNAME
Description   IBP_USERNAME
Label         UserName
Input Type    Select Input Text
Data Type     Select String
Field Length  40
Status        Select the checkbox

8. On the next tab, choose the Custom Field Group created in step 3. Save the custom field using the Save
button at the bottom.
9. In the Field Mapping app, create a new field mapping between the IAG custom field and the SAP Integrated
Business Planning field.

After this configuration, a new custom field appears in Access Request. It reads the user's login name from the
authentication system (for example, Identity Authentication) and stays blank if no login name is maintained
there; in that case the user's P-number is used for provisioning instead.

12.13 SAP Analytics Cloud

The information in this section describes the procedure for connecting SAP Analytics Cloud to the SAP Cloud
Identity Access Governance solution and its services.

SAP Cloud Identity Access Governance is a cloud-based solution for creating self-service access requests for
on-premise and cloud applications and systems. Connecting SAP Analytics Cloud to the solution enables its
users to initiate access requests, which are then provisioned to target applications.

12.13.1 Process Overview

There are three overall steps to enable integration between SAP Analytics Cloud systems and the SAP Cloud
Identity Access Governance solution and its services. A proxy system in Identity Provisioning, described first
below, is a prerequisite for the destination.

1. In the SAP BTP cockpit, set up a destination for the SAP Analytics Cloud system.
2. In the access request service, use the Systems app to create an instance for the SAP Analytics Cloud
system.
3. In the access request service, use the Job Scheduler app to sync user data and provision access requests.

12.13.1.1 Create Proxy System

Create a proxy system to enable SAP Analytics Cloud to connect with SAP BTP.

Procedure

1. Log in to the SAP BTP cockpit, go to your tenant instance, and open Services > Identity Provisioning >
Go To Service > Proxy System.
2. Add a proxy system for SAP Analytics Cloud and choose Save; the Type should be SAP Analytics Cloud.
3. Copy the external system ID (it is part of the URL of the saved proxy system) and use it to set up the SAP
Analytics Cloud instance in the Systems app in a later step.

4. Choose Properties and add the properties required for the SAP Analytics Cloud proxy system.

The OAuth 2.0 client credentials used here are generated in SAP Analytics Cloud: choose System >
Administration > App Integration, then Add a New OAuth Client.

12.13.1.2 Create Destinations

In the SAP BTP cockpit, create a destination for your SAP Analytics Cloud instance. The destination addresses
the Identity Provisioning proxy (serviceURL /ipsproxy/...) rather than SAP Analytics Cloud directly.

1. Log in to the SAP BTP cockpit and go to your tenant.
2. In the left-hand pane, choose Connectivity > Destinations, and then select New Destination.
3. Create a destination for the SAP Analytics Cloud instance using the following properties. Properties
marked with * are mandatory.

 Note

It is very important to enter the text strings exactly as specified below. We recommend copying and
pasting them.

Parameter               Value
*Name                   IPS_PROXY
Type                    HTTP
Description             IPS Destination
*URL                    The URL of the IPS instance
Proxy Type              Internet
Authentication          BasicAuthentication
*User                   Name of the user that accesses IPS
Password                Password of that user
Accept                  application/scim+json
*OAuth2TokenServiceURL  <OAuth token URL>?grant_type=client_credentials
GROUPSURL               /Groups
serviceURL              /ipsproxy/api/v1/scim/
USERSURL                /Users

12.13.1.3 Add SAP Analytics Cloud System

Create an instance for SAP Analytics Cloud in the access request service Systems app.

1. Log in to the SAP Cloud Identity Access Governance launchpad and open the Systems app.
2. Create a system for SAP Analytics Cloud. For System Type, select SAP Analytics Cloud.
3. In the SCP Destination field, enter the name of the IPS destination created in the previous step for the
SAP Analytics Cloud instance (IPS_PROXY).
4. Enter the external system ID noted in the step Create Proxy System.
5. Save.

12.13.1.4 Sync User Data and Provision Access Requests

In the access request service launchpad, open the Job Scheduler app.

In the Job Category dropdown list, schedule the following jobs:

● Repository Sync to synchronize the relevant data from SAP Analytics Cloud to the access request service.
In the System Type dropdown list, select SAP Analytics Cloud. In the System dropdown list, select the
configured Analytics Cloud System.
● Provisioning to initiate the provisioning of access requests.

 Note

You can only assign groups to a user because it is not possible to directly assign roles.

12.14 LDAP System

The information in this section describes the procedure for connecting LDAP to the SAP Cloud Identity Access
Governance solution and its services.

SAP Cloud Identity Access Governance is a cloud-based solution for creating self-service access requests for
on-premise and cloud applications and systems. Connecting LDAP to the solution enables users of SAP Cloud
Identity Access Governance to initiate access requests, which are then provisioned to target applications.

 Note

Currently, we only support Microsoft LDAP (Microsoft Active Directory). Additionally, only users in the top
organization unit on the LDAP server can be provisioned. The users can then be assigned to or removed
from groups.

12.14.1 Process Overview

There are three overall steps to integrate the LDAP system with the SAP Cloud Identity Access Governance
solution and its services.

Procedure

1. In the SAP Business Technology Platform (SAP BTP) cockpit, set up a destination for the LDAP system.
2. In the SAP Cloud Identity Access Governance launchpad, use the Systems app to create an instance for the
LDAP system.
3. In the SAP Cloud Identity Access Governance launchpad, use the Job Scheduler app to sync user data and
provision access requests.

12.14.1.1 Create Proxy System

Create a proxy system to connect the LDAP system with the SAP Business Technology Platform (SAP BTP).

Procedure

1. Log in to the SAP BTP cockpit, go to your tenant instance, and open Services > Identity Provisioning >
Go To Service > Proxy System.
2. Add a proxy system for the LDAP system and select Microsoft Active Directory or LDAP, depending on the
type of the target LDAP system.
3. Under Properties, maintain at least ldap.user.path and ldap.group.path:

Name                                      Value
ips.trace.failed.entity.content           false
ldap.group.path                           LDAP path (distinguished name) of the group container
ldap.respond.with.resource.after.create   true
ldap.respond.with.resource.after.update   true
ldap.user.path                            LDAP path (distinguished name) of the user container

4. Save to create the proxy system.
5. Copy the external system ID from the URL and use it to set up the LDAP instance in the Systems app in the
next step.

12.14.1.2 Create Destinations

In SAP BTP, create a destination for your LDAP instance.

Procedure

1. Log in to the SAP BTP cockpit and go to your subaccount.
2. In the left-hand pane, select Destinations, and then select New Destination.
3. Create a destination for the LDAP instance using the following properties.

Property        Value
Name            <Your destination name>
Type            LDAP
URL             The URL of the LDAP instance (the virtual host and port mapped in the Cloud Connector)
Proxy Type      OnPremise
Authentication  BasicAuthentication
User            User ID of the user that accesses LDAP
Password        Password of that user

12.14.1.3 Add LDAP System

Create an instance for LDAP in the SAP Cloud Identity Access Governance launchpad.

Procedure

1. Log in to the SAP Cloud Identity Access Governance launchpad and open the Systems app.
2. Create a system for LDAP. For System Type, select LDAP.
3. In the HCP Destination field, enter the name of the LDAP destination created in the previous step.
4. Enter the external system ID noted in the step Create Proxy System and save your entries.

12.14.1.4 Create Cloud Connector

In the Cloud Connector, map the LDAP server so that the LDAP destination (Proxy Type OnPremise) can reach it.

Procedure

1. Log in to the Cloud Connector administration UI.
2. Select your subaccount and choose Cloud to On-Premise.
3. Add a new entry in the Mapping Virtual To Internal System section with the following properties:

Property        Value
Back-end Type   Non-SAP System
Protocol        LDAP
Internal Host   Host name or IP address of the LDAP server (not a URL)
Internal Port   LDAP server port

4. Select Check Availability of Internal Host to ensure the host is reachable.

12.14.1.5 Sync User Data and Provision Access Requests

In SAP Cloud Identity Access Governance launchpad, open the Job Scheduler app.

In the Job Category dropdown list, schedule the following jobs:

● Repository Sync to synchronize the relevant data from LDAP to the access request service.
In the System Type dropdown list, select LDAP.
In the System dropdown list, select the configured LDAP System.
● Provisioning to initiate the provisioning of access requests.

12.15 Identity Authentication

The information in this section describes the procedure for connecting Identity Authentication to the SAP
Cloud Identity Access Governance solution and its services. SAP Cloud Identity Access Governance is a
cloud-based solution for creating self-service access requests for on-premise and cloud applications and
systems. Connecting Identity Authentication to the solution enables its users to initiate access requests,
which are then provisioned to target applications.

12.15.1 Process Overview

There are three overall steps to enable integration between the Identity Authentication system and the SAP
Cloud Identity Access Governance solution and its services:

1. In the SAP Business Technology Platform (SAP BTP) cockpit, set up a destination for the Identity
Authentication system.
2. In the access request service, use the Systems app to create an instance for the Identity Authentication
system.
3. In the access request service, use the Job Scheduler app to sync user data and provision access requests.

12.15.2 Register OAuth Client for Identity Provisioning

1. Open your subaccount in the SAP BTP cockpit.
2. Register a new OAuth client for the subscription to the ipsproxy application:
1. Go to Security > OAuth > Clients.
2. Select Register New Client.
3. From the Subscription combo box, select <provider_subaccount>/ipsproxy.
4. From the Authorization Grant combo box, select Client Credentials.
5. In the Secret field, enter a password (the client secret) and remember it. You will need it later for the
repository configuration in the external system.
6. Copy the generated client ID and save it (for example, in a text file). You will need it later, too.
3. Assign the role IPS_PROXY_USER to the OAuth client:
1. From the left-side navigation, select Subscriptions.
2. Under the Java Applications section, select ipsproxy.
3. From the left-side navigation, select Roles.
4. Assign the role IPS_PROXY_USER to the newly created OAuth client: choose Assign and enter
oauth_client_<client_ID>, where <client_ID> is the one you saved in the previous step.

Treat the client secret like a password: together with the client ID it grants the IPS_PROXY_USER role to
whoever presents it, and it is stored in the IPS_PROXY destination you create in the next section.

12.15.3 Create Destinations

In SAP BTP, create a destination for Identity Provisioning.

1. Log in to the SAP BTP cockpit and go to your tenant.
2. In the left-hand pane, choose Connectivity > Destinations > New Destination, and enter the properties
listed below. Properties marked with * are mandatory.

 Note

It is very important to enter the text strings exactly as specified below. We recommend copying and
pasting them.

Parameter               Value
*Name                   IPS_PROXY
Type                    HTTP
Description             IPS Destination
*URL                    The URL of the ipsproxy application
Proxy Type              Internet
Authentication          BasicAuthentication
*User                   <Client ID of the OAuth client registered for ipsproxy>
Password                <Client secret of that OAuth client>
Accept                  application/scim+json
*OAuth2TokenServiceURL  <OAuth token endpoint URL>?grant_type=client_credentials
GROUPSURL               /Groups
serviceURL              /ipsproxy/api/v1/scim/
USERSURL                /Users

3. The URL can be copied from the SAP BTP cockpit under Subscriptions > ipsproxy > Application URLs: select
ipsproxy to see the application URL.
4. User is the client ID of the OAuth client configured for the ipsproxy service under Security > OAuth > Clients,
that is, the client you registered in the previous section; Password is its client secret.
5. OAuth2TokenServiceURL can be copied from the SAP BTP cockpit under Security > OAuth > Token Endpoint,
with ?grant_type=client_credentials appended. For example:
https://oauthasservices-TENANTID.int.sap.eu2.hana.ondemand.com/oauth2/api/v1/token?grant_type=client_credentials
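The IPS_PROXY destination above (and the identical one in Create Destinations for SAP Analytics Cloud) carries
the OAuth client ID and secret as User and Password, the token endpoint as OAuth2TokenServiceURL, and the
SCIM paths as serviceURL, USERSURL and GROUPSURL. The following Python script is an added example, not code
from this guide or from SAP: it composes those properties into the client-credentials token request and the SCIM
GET a client would send, and parses a constructed SCIM ListResponse, without sending anything. How the
consumer combines the properties is an assumption; all host names, IDs, secrets and users are placeholders.

```python
"""Added example (not from the SAP guide): how the IPS_PROXY destination properties compose into
the two HTTP calls of a SCIM client. Nothing is sent; the requests are returned as dicts.
The composition rules below are assumptions; host names, IDs and secrets are placeholders."""
import base64
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed destination mirroring the property names in the table above (placeholder values).
IPS_PROXY = {
    "Name": "IPS_PROXY",
    "Type": "HTTP",
    "URL": "https://ipsproxy-example.hana.ondemand.com",
    "Authentication": "BasicAuthentication",
    "User": "example-client-id",           # OAuth client ID registered for ipsproxy
    "Password": "example-client-secret",   # its client secret
    "Accept": "application/scim+json",
    "OAuth2TokenServiceURL": "https://oauthasservices-example.hana.ondemand.com"
                             "/oauth2/api/v1/token?grant_type=client_credentials",
    "serviceURL": "/ipsproxy/api/v1/scim/",
    "USERSURL": "/Users",
    "GROUPSURL": "/Groups",
}


def basic_auth_header(user, password):
    """HTTP Basic credentials: base64 of 'user:password'."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def token_request(dest):
    """Client-credentials token request: client ID/secret as HTTP Basic, grant_type taken from
    the query string the guide tells you to append to OAuth2TokenServiceURL."""
    parsed = urlparse(dest["OAuth2TokenServiceURL"])
    grant = parse_qs(parsed.query).get("grant_type", [None])[0]
    if grant != "client_credentials":
        raise ValueError("OAuth2TokenServiceURL must end with ?grant_type=client_credentials")
    if parsed.scheme != "https":
        raise ValueError("token endpoint must be https: the client secret travels in this request")
    return {
        "method": "POST",
        "url": dest["OAuth2TokenServiceURL"],
        "headers": {"Authorization": basic_auth_header(dest["User"], dest["Password"]),
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"grant_type": grant}),
    }


def scim_request(dest, resource, access_token, scim_filter=None):
    """GET on URL + serviceURL + USERSURL|GROUPSURL with the bearer token and the Accept header."""
    if resource not in ("USERSURL", "GROUPSURL"):
        raise ValueError("resource must be USERSURL or GROUPSURL")
    path = dest["serviceURL"].rstrip("/") + "/" + dest[resource].lstrip("/")
    url = dest["URL"].rstrip("/") + path
    if scim_filter:
        url += "?" + urlencode({"filter": scim_filter})
    return {"method": "GET", "url": url,
            "headers": {"Authorization": "Bearer " + access_token, "Accept": dest["Accept"]}}


# Constructed SCIM ListResponse, shaped like a /Users reply (placeholder users).
SAMPLE_USERS_RESPONSE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 2, "startIndex": 1, "itemsPerPage": 2,
    "Resources": [
        {"id": "P000123", "userName": "jdoe", "active": True,
         "groups": [{"value": "G1", "display": "Admins"}]},
        {"id": "P000456", "userName": "asmith", "active": False, "groups": []},
    ],
})


def parse_users(body):
    """Check the SCIM envelope and return (id, userName, active, [group display names]) per user."""
    doc = json.loads(body)
    if "urn:ietf:params:scim:api:messages:2.0:ListResponse" not in doc.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    return [(u["id"], u.get("userName"), u.get("active", False),
             [g.get("display") for g in u.get("groups", [])]) for u in doc.get("Resources", [])]


if __name__ == "__main__":
    print(token_request(IPS_PROXY)["url"])
    print(scim_request(IPS_PROXY, "USERSURL", "<token>", 'userName eq "jdoe"')["url"])
    for row in parse_users(SAMPLE_USERS_RESPONSE):
        print(row)
```

Running the script prints the token URL, the composed /Users URL and the parsed placeholder users; no
request leaves the machine. The https check in token_request is there because the client secret is sent as
HTTP Basic credentials on that call.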

12.15.4 Create Proxy System

Create a proxy system to enable the Identity Authentication system to connect with SAP BTP.

1. Log in to the SAP BTP cockpit, go to your SAP BTP tenant instance, and open Services > Identity
Provisioning > Go To Service > Proxy System.
2. Add a proxy system for Identity Authentication and choose Save; the Type should be Identity
Authentication.
The service generates a URL for the proxy system. The external ID is included in the URL.

 Note

Copy the external system ID and use it to set up the Identity Authentication instance in the Systems
app in the section Add Identity Authentication System.

3. Select Properties and add the following properties:

Property                         Value
Authentication                   BasicAuthentication
ips.trace.failed.entity.content  false
Password                         Password of the technical user
Proxy Type                       Internet
Type                             HTTP
URL                              URL of the Identity Authentication tenant
User                             Login user name of the technical user

1. To obtain the URL of the Identity Authentication tenant, go to SAP BTP > Trust > Application Identity
Provider.
2. For the property User, enter the technical user name configured for Identity Authentication. This
name is generated automatically. Example: <Technical ID>
3. For the property Password, enter the password of the technical user.
4. Default read and write transformations are generated.

Modify the following transformations for SAP Cloud Identity Access Governance to read and provision:

Read Transformation

{
  "user": {
    "mappings": [
      { "sourcePath": "$", "targetPath": "$" },
      { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem" },
      {
        "sourceVariable": "entityBaseLocation",
        "targetPath": "$.meta.location",
        "targetVariable": "entityLocationSourceSystem",
        "functions": [ { "type": "concatString", "suffix": "${entityIdSourceSystem}" } ]
      },
      { "targetPath": "$.hasPassword", "type": "remove" },
      { "targetPath": "$.groups[*].display", "type": "remove" },
      { "condition": "$.displayName EMPTY true", "targetPath": "$.displayName", "type": "remove" },
      { "sourcePath": "$.timeZone", "optional": true, "targetPath": "$.timezone" },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['employeeNumber']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['employeeNumber']"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['costCenter']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['costCenter']"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['division']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['division']"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['department']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['department']"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['displayName']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['displayName']"
      },
      {
        "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']",
        "optional": true,
        "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']"
      },
      {
        "sourcePath": "$.company",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']"
      }
    ],
    "scimEntityEndpoint": "Users"
  },
  "group": {
    "mappings": [
      { "sourcePath": "$.id", "targetPath": "$.id", "targetVariable": "entityIdSourceSystem" },
      {
        "sourceVariable": "entityBaseLocation",
        "targetPath": "$.meta.location",
        "targetVariable": "entityLocationSourceSystem",
        "functions": [ { "type": "concatString", "suffix": "${entityIdSourceSystem}" } ]
      },
      { "constant": "urn:ietf:params:scim:schemas:core:2.0:Group", "targetPath": "$.schemas[0]" },
      { "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']", "targetPath": "$.displayName" },
      { "sourcePath": "$.members", "preserveArrayWithSingleElement": true, "optional": true, "targetPath": "$.members" },
      { "constant": "urn:sap:cloud:scim:schemas:extension:custom:2.0:Group", "targetPath": "$.schemas[1]" },
      {
        "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']",
        "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']"
      },
      {
        "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['description']",
        "optional": true,
        "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['description']"
      }
    ],
    "scimEntityEndpoint": "Groups"
  }
}

Write Transformation

{
  "user": {
    "condition": "($.emails.length() > 0) && ($.name.familyName EMPTY false)",
    "mappings": [
      { "sourcePath": "$", "targetPath": "$" },
      { "sourcePath": "$.groups", "preserveArrayWithSingleElement": true, "optional": true, "targetPath": "$.corporateGroups" },
      { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.id" },
      { "constant": true, "targetPath": "$.active" },
      { "constant": "true", "targetPath": "$.sendMail", "scope": "createEntity" },
      { "constant": "true", "targetPath": "$.mailVerified", "scope": "createEntity" },
      { "constant": "disabled", "targetPath": "$.passwordStatus", "scope": "createEntity" },
      { "constant": "employee", "targetPath": "$.userType" },
      { "targetPath": "$.groups", "type": "remove" },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']"
      },
      { "sourcePath": "$.timezone", "optional": true, "targetPath": "$.timeZone" }
    ],
    "scimEntityEndpoint": "Users"
  },
  "group": {
    "mappings": [
      { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.id" },
      { "sourcePath": "$.displayName", "targetPath": "$.displayName" },
      {
        "sourcePath": "$.displayName",
        "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']",
        "scope": "createEntity",
        "functions": [ { "type": "replaceAllString", "regex": "[\\s\\p{Punct}]", "replacement": "_" } ]
      },
      {
        "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']",
        "optional": true,
        "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']"
      },
      {
        "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['description']",
        "optional": true,
        "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['description']"
      },
      { "sourcePath": "$.members", "preserveArrayWithSingleElement": true, "optional": true, "targetPath": "$.members" }
    ],
    "scimEntityEndpoint": "Groups"
  }
}

12.15.5 Add Identity Authentication System

Create an instance for the Identity Authentication system in the Systems app for the access request service.

1. Log into the SAP Cloud Identity Access Governance launchpad and open the Systems app.
2. Create a system for Identity Authentication. For System Type, select Identity Authentication.
3. In the SCP Destination field, enter the name of the Identity Provisioning destination (IPS_PROXY) created
in the previous section Create Destination.
4. Enter the external system ID marked in the previous step Create Proxy System.
5. Save your entries.

12.15.6 Manage Rule Sets

To create a user in Identity Authentication for single sign-on, the pre-delivered business rules for your tenant must be accessed via a URL, and the workflow templates must be uploaded.

Procedure

1. Go to SAP BTP > Business Rules.
2. Go to Projects to generate the URL.
○ Customers in the US region generate the URL as follows: cfapps.us10.hana.ondemand.com/comsapbpmrule.ruleeditor/index.html#//Projects
Example: https://iagdemo.iag-prod-demo.cfapps.us10.hana.ondemand.com/comsapbpmrule.ruleeditor/index.html#//Projects
○ Customers in the EMEA region generate the URL as follows: cfapps.eu10.hana.ondemand.com/comsapbpmrule.ruleeditor/index.html#//Projects
Example: https://com-sap-csf-iag.sapciag-ee.cfapps.eu10.hana.ondemand.com/comsapbpmrule.ruleeditor/index.html#//Projects
3. To upload the workflow templates, log in to Application Administration > Notification and choose Upload under Workflow. The process status should reach 100%. This upload loads all three standard templates into the tenant.
4. To download and view the templates, go to Process Log and choose Download.

 Note

At present, the standard workflow templates are found in the Notification tile.

In Notification, the standard Download downloads all the notification templates related to approvers.

Once these standard templates are downloaded, their content can be changed according to the individual customer's requirements.

Once the templates are updated, they can be uploaded via the Upload button.

5. In the Decision Table, enter the following:

Status System Type
t <IAS tenant name> SYS

6. Create a new rule and select Validate.
7. Go to Rule Select, select the business rule, and choose Deploy.
8. Add the business rule to the rule set.
9. Redeploy the rule services.

12.15.7 Sync User Data and Provision Access Requests

In the access request service launchpad, open the Job Scheduler app.

In the Job Category dropdown list, schedule the following jobs:

● Repository Sync to synchronize the relevant data from the Identity Authentication to the access request
service.
In the System Type dropdown list, select Identity Authentication.
In the System dropdown list, select the configured Identity Authentication System.
● Provisioning to initiate the provisioning of access requests.

12.16 SAP Business Technology Platform

The information in this section describes the procedure for connecting the SAP Business Technology Platform (SAP BTP) to the SAP Cloud Identity Access Governance solution and its services.

This section provides details for connecting the following platforms to the SAP Cloud Identity Access
Governance:

● SAP BTP - Cloud Foundry


● SAP BTP - Neo

12.16.1 SAP Business Technology Platform - Cloud Foundry

The information in this section describes the procedure for connecting Cloud Foundry to the SAP Cloud Identity Access Governance solution and its services.

SAP Cloud Identity Access Governance is a cloud-based solution for creating self-service requests to
applications for on-premise and cloud source applications and systems. By connecting to the solution, it
enables Cloud Foundry users to initiate access requests, which are then provisioned to target applications.

12.16.1.1 Process Overview

There are three overall steps to enable integration between SAP Business Technology Platform (SAP BTP) and
the SAP Cloud Identity Access Governance solution and its services:

1. In the SAP BTP cockpit set up destination for Cloud Foundry.


2. In the access request service, use the Systems app to create an instance for Cloud Foundry.
3. In the access request service, use the Job Scheduler app to sync user data and provision access requests.

12.16.1.1.1 Create Proxy System

Create a proxy system in Identity Provisioning so that it can connect to your Cloud Foundry (XSUAA) instance.

1. Log into the SAP BTP cockpit, go to your tenant instance, and open Services > Identity Provisioning > Service > Proxy System.
2. Copy the external system ID; you need it to set up the Cloud Foundry instance in the Systems app.
3. Add a proxy system for Cloud Foundry and choose Save. The Type should be SAP BTP XS Advanced UAA. For more details, refer to SAP BTP XS Advanced UAA (Cloud Foundry).

Type SAP HANA XS Advanced UAA Server

System Name XSUAA

Destination Name

Description XSUAA test system

4. Choose Properties and add all the following properties:

Name Value

Authentication BasicAuthentication

ips.trace.failed.entity.content false

OAuth2TokenServiceURL OAuth token service URL of the Cloud Foundry (XSUAA) instance; the corresponding OAuth client must be configured on the Cloud Foundry side.

Password ********************

ProxyType Internet

scim.support.patch.operation true

Type HTTP

URL Enter the Cloud Foundry tenant URL.

User Enter Login Username

xsuaa.origin Enter the location of your identity provider

xsuaa.origin.filter.enabled true

12.16.1.1.2 Create Destinations

In SAP BTP, create a destination for your Cloud Foundry instance.

1. Log into the SAP BTP cockpit and go to your tenant.


2. In the left-hand pane, choose Connectivity > Destinations > New Destination.
3. Create a destination for the Cloud Foundry instance, using the following constraints.

 Note

It is very important to accurately enter the text strings as specified below. We recommend copying and
pasting them.

*Name IPS_PROXY

Type HTTP

Description IPS Destination

*URL Enter the URL of the IPS Instance

Proxy Type Internet

Authentication BasicAuthentication

*User Name of the User to access IPS

Password Password of the User

Accept application/scim+json

*OAuth2TokenServiceURL <OAUTH Token URL>?grant_type=client_credentials

GROUPSURL /Groups

serviceURL /ipsproxy/api/v1/scim/

USERSURL /Users

12.16.1.1.3 Add Cloud Foundry System

Create an instance for Cloud Foundry in the access request service Systems app.

1. Log into the SAP Cloud Identity Access Governance launchpad and open the Systems app.
2. Create a system for Cloud Foundry. For System Type, select Cloud Foundry.
3. Enter the external system ID marked in the previous step Create Proxy System.
4. In the HCP Destination field, enter the name of the Identity Provisioning destination for the Cloud Foundry instance (IPS_PROXY, created in the previous section Create Destinations).
5. Save.

12.16.1.1.4 Sync User Data and Provision Access Requests

In the access request service launchpad, open the Job Scheduler app. In the Job Category dropdown list,
schedule the following jobs:

● Repository Sync to synchronize the relevant data from Cloud Foundry to the access request service.
In the System Type dropdown list, select Cloud Foundry.
In the System dropdown list, select the configured Cloud Foundry System.
● Provisioning to initiate the provisioning of access requests.

12.16.2 SAP Business Technology Platform - NEO

The information in this section describes the procedure for connecting the SAP Business Technology Platform (SAP BTP) to the SAP Cloud Identity Access Governance solution and its services. SAP Cloud Identity Access Governance is a cloud-based solution for creating self-service requests to applications for on-premise and cloud source applications and systems. By connecting to the solution, it enables SAP BTP users to initiate access requests, which are then provisioned to target applications.

12.16.2.1 Process Overview

There are three overall steps to enable integration between the SAP BTP and the SAP Cloud Identity Access
Governance solution and its services:

1. In the SAP BTP cockpit, set up destination for the Identity Provisioning service to integrate SAP BTP with
the SAP Cloud Identity Access Governance solution.
2. In the access request service, use the Systems app to create an instance for the SAP BTP.
3. In the access request service, use the Job Scheduler app to sync user data and provision access requests.

12.16.2.1.1 Register OAuth Client for the Identity Provisioning

1. Open your subaccount in the SAP Cloud Platform cockpit.


2. Register a new OAuth client for the subscription to the ipsproxy application:
1. Go to Security > OAuth > Clients.
2. Select Register New Client.
3. From the Subscription combo box, select <provider_subaccount>/ipsproxy.

4. From the Authorization Grant combo box, select Client Credentials.
5. In the Secret field, enter a password (client secret) and remember it. You will need it later for the
repository configuration in the external system.
6. Copy/paste and save (in a notepad) the generated client ID. You will need it later, too.
3. Assign role IPS_PROXY_USER to the OAuth client:
1. From the left-side navigation, select Subscriptions.
2. Under the Java Applications section, select ipsproxy.
3. From the left-side navigation, select Roles.
4. Assign role IPS_PROXY_USER to the newly created OAuth client. Choose Assign and enter
oauth_client_<client_ID>, where <client_ID> is the one you have saved in the previous step.

12.16.2.1.2 Create Proxy System

Create a proxy system to connect with the SAP Business Technology Platform (SAP BTP).

1. Log into the SAP BTP cockpit, go to your tenant instance, and open Services > Identity Provisioning > Go To Service > Proxy System.
2. Add a proxy system for the SAP BTP and select Save; the Type should be SAP BTP Java/HTML5 Apps.

 Note

Copy the external system ID and use it to set up the SAP BTP instance in the Systems app in the next
section Add SAP BTP.

3. Select Properties and add the following properties:

Name Value

hcp.application.names some-app-name

hcp.patch.response.with.resource true

hcp.read.group.roles true

 Note
Ignore this parameter if Identity Provisioning and the actual system (for instance, SAP Cloud Identity Access Governance, which is defined as a proxy in Identity Provisioning) are in different regions. For more information, refer to Identity Provisioning - List of Properties.

ips.trace.failed.entity.content true

OAuth2TokenServiceURL https://api.<hostname>/oauth2/apitoken/v1
The hostname can be taken from the URL of your SAP BTP tenant, or refer to SAP Note 2418879 (https://launchpad.support.sap.com/#/notes/2418879).
Example: api.eu2.hana.ondemand.com is the host for the EU (Frankfurt) data center.

Password Enter the password (the secret of the OAuth Platform API client created below).

ProxyType Internet

Type HTTP

URL https://api.<hostname>/authorization/v1/accounts/<tenantid>
Here, <tenantid> is the Technical Name of the subaccount.

User The client ID (a GUID) of the OAuth Platform API client created below.

Authentication BasicAuthentication

1. To obtain the admin user for SAP BTP, go to Security > OAuth > Platform API.
2. To create the OAuth client for the OAuth Platform API, select Authorization Management.
3. For the property Password, enter the password for the technical user.
4. Default read and write transformations are generated.

Modify the following transformations for SAP Cloud Identity Access Governance to read and provision as
follows:

Read Transformation

{
  "user": {
    "mappings": [
      { "sourcePath": "$", "targetPath": "$" },
      { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem" },
      {
        "sourceVariable": "entityBaseLocation",
        "targetPath": "$.meta.location",
        "targetVariable": "entityLocationSourceSystem",
        "functions": [ { "type": "concatString", "suffix": "${entityIdSourceSystem}" } ]
      },
      { "targetPath": "$.hasPassword", "type": "remove" },
      { "targetPath": "$.groups[*].display", "type": "remove" },
      { "condition": "$.displayName EMPTY true", "targetPath": "$.displayName", "type": "remove" },
      { "sourcePath": "$.timeZone", "optional": true, "targetPath": "$.timezone" },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['employeeNumber']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['employeeNumber']"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['costCenter']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['costCenter']"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['division']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['division']"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['department']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['department']"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['displayName']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['displayName']"
      },
      {
        "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']",
        "optional": true,
        "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:User']"
      },
      {
        "sourcePath": "$.company",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['organization']"
      }
    ],
    "scimEntityEndpoint": "Users"
  },
  "group": {
    "mappings": [
      { "sourcePath": "$.id", "targetPath": "$.id", "targetVariable": "entityIdSourceSystem" },
      {
        "sourceVariable": "entityBaseLocation",
        "targetPath": "$.meta.location",
        "targetVariable": "entityLocationSourceSystem",
        "functions": [ { "type": "concatString", "suffix": "${entityIdSourceSystem}" } ]
      },
      { "constant": "urn:ietf:params:scim:schemas:core:2.0:Group", "targetPath": "$.schemas[0]" },
      { "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']", "targetPath": "$.displayName" },
      { "sourcePath": "$.members", "preserveArrayWithSingleElement": true, "optional": true, "targetPath": "$.members" },
      { "constant": "urn:sap:cloud:scim:schemas:extension:custom:2.0:Group", "targetPath": "$.schemas[1]" },
      {
        "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']",
        "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']"
      },
      {
        "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['description']",
        "optional": true,
        "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['description']"
      }
    ],
    "scimEntityEndpoint": "Groups"
  }
}

Write Transformation

{
  "user": {
    "condition": "($.emails.length() > 0) && ($.name.familyName EMPTY false)",
    "mappings": [
      { "sourcePath": "$", "targetPath": "$" },
      { "sourcePath": "$.groups", "preserveArrayWithSingleElement": true, "optional": true, "targetPath": "$.corporateGroups" },
      { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.id" },
      { "constant": true, "targetPath": "$.active" },
      { "constant": "true", "targetPath": "$.sendMail", "scope": "createEntity" },
      { "constant": "true", "targetPath": "$.mailVerified", "scope": "createEntity" },
      { "constant": "disabled", "targetPath": "$.passwordStatus", "scope": "createEntity" },
      { "constant": "employee", "targetPath": "$.userType" },
      { "targetPath": "$.groups", "type": "remove" },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']"
      },
      { "sourcePath": "$.timezone", "optional": true, "targetPath": "$.timeZone" }
    ],
    "scimEntityEndpoint": "Users"
  },
  "group": {
    "mappings": [
      { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.id" },
      { "sourcePath": "$.displayName", "targetPath": "$.displayName" },
      {
        "sourcePath": "$.displayName",
        "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']",
        "scope": "createEntity",
        "functions": [ { "type": "replaceAllString", "regex": "[\\s\\p{Punct}]", "replacement": "_" } ]
      },
      {
        "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']",
        "optional": true,
        "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']"
      },
      {
        "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['description']",
        "optional": true,
        "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['description']"
      },
      { "sourcePath": "$.members", "preserveArrayWithSingleElement": true, "optional": true, "targetPath": "$.members" }
    ],
    "scimEntityEndpoint": "Groups"
  }
}
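The write transformation is the last thing that touches a user before it is created in the target system, so it is worth understanding exactly what it sends: the condition refuses any user without an e-mail address or family name, the createEntity-scoped constants (sendMail, passwordStatus disabled) are sent only when the account is first created, the groups array is renamed to corporateGroups and the original groups attribute is dropped, and group display names are normalised into the custom name attribute. The Python script below is an added example, not SAP code and not the Identity Provisioning engine: it interprets the subset of write-transformation features used in this section and in 12.15.4 (sourcePath/targetPath, constant, sourceVariable, optional, scope createEntity, type remove, preserveArrayWithSingleElement, replaceAllString, and EMPTY / length() conditions) against constructed sample entities. Two assumptions are marked in the code: a one-element array collapses to a scalar unless preserveArrayWithSingleElement is set (the documented IPS default), and a mapping whose source variable is unset (entityIdTargetSystem before the first create) is skipped.

```python
import json
import re
import string

SAMPLE_USER = {"userName": "jdoe", "name": {"givenName": "Jane", "familyName": "Doe"},  # constructed sample, not from the page
               "emails": [{"value": "jane.doe@example.com", "primary": True}],
               "groups": [{"value": "grp-1", "display": "Finance Approvers"}], "timezone": "Europe/Berlin"}
SAMPLE_GROUP = {"displayName": "Finance Approvers (EMEA)", "members": [{"value": "P000123"}]}

# The write transformation from the page, reduced to the mappings this example exercises.
WRITE_TRANSFORMATION = json.loads(r'''{
 "user": {
  "condition": "($.emails.length() > 0) && ($.name.familyName EMPTY false)",
  "mappings": [
   {"sourcePath": "$", "targetPath": "$"},
   {"sourcePath": "$.groups", "preserveArrayWithSingleElement": true, "optional": true, "targetPath": "$.corporateGroups"},
   {"sourceVariable": "entityIdTargetSystem", "targetPath": "$.id"},
   {"constant": "true", "targetPath": "$.sendMail", "scope": "createEntity"},
   {"constant": "disabled", "targetPath": "$.passwordStatus", "scope": "createEntity"},
   {"targetPath": "$.groups", "type": "remove"},
   {"sourcePath": "$.timezone", "optional": true, "targetPath": "$.timeZone"}
  ]},
 "group": {
  "mappings": [
   {"sourceVariable": "entityIdTargetSystem", "targetPath": "$.id"},
   {"sourcePath": "$.displayName", "targetPath": "$.displayName"},
   {"sourcePath": "$.displayName", "scope": "createEntity",
    "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:Group']['name']",
    "functions": [{"type": "replaceAllString", "regex": "[\\s\\p{Punct}]", "replacement": "_"}]},
   {"sourcePath": "$.members", "preserveArrayWithSingleElement": true, "optional": true, "targetPath": "$.members"}
  ]}
}''')

_MISSING = object()
_TOKEN = re.compile(r"\.([^.\[]+)|\['([^']+)'\]")   # steps of "$.a.b" and "$['urn:x']['y']" paths
_LEN = re.compile(r"^(\$\S*)\.length\(\)\s*>\s*(\d+)$")
_EMPTY = re.compile(r"^(\$\S*)\s+EMPTY\s+(true|false)$")

def _tokens(path):
    return [m.group(1) or m.group(2) for m in _TOKEN.finditer(path[1:])]

def _get(obj, toks):
    for t in toks:
        obj = obj.get(t, _MISSING) if isinstance(obj, dict) else _MISSING
    return obj

def _set(obj, toks, value):
    if not toks:                                   # "$" -> "$" copies the whole entity
        return obj.update(value)
    for t in toks[:-1]:
        obj = obj.setdefault(t, {})
    obj[toks[-1]] = value

def evaluate_condition(cond, entity):
    # Supports the two clause forms used on the page, joined by "&&".
    for clause in (c.strip().strip("()") for c in cond.split("&&")):
        if m := _LEN.match(clause):
            val = _get(entity, _tokens(m.group(1)))
            ok = val is not _MISSING and len(val) > int(m.group(2))
        elif m := _EMPTY.match(clause):
            val = _get(entity, _tokens(m.group(1)))
            ok = (val in (_MISSING, None, "", [], {})) == (m.group(2) == "true")
        else:
            raise ValueError("unsupported condition clause: " + clause)
        if not ok:
            return False
    return True

def apply_block(block, entity, variables, operation="create"):
    # Runs one entity block ("user" or "group"); returns the entity to send, or None when the condition fails.
    if "condition" in block and not evaluate_condition(block["condition"], entity):
        return None
    out = {}
    for m in block["mappings"]:
        if m.get("scope") == "createEntity" and operation != "create":
            continue                               # create-only attributes are not sent on updates
        if m.get("type") == "remove":
            out.pop(_tokens(m["targetPath"])[0], None)   # the write block only removes top-level attributes
            continue
        if "constant" in m:
            value = m["constant"]
        elif "sourceVariable" in m:
            if m["sourceVariable"] not in variables:
                continue                           # assumption: an unset variable (target id on create) skips the mapping
            value = variables[m["sourceVariable"]]
        else:
            value = _get(entity, _tokens(m["sourcePath"]))
            if value is _MISSING:
                assert m.get("optional"), "required attribute missing: " + m["sourcePath"]
                continue
            if isinstance(value, list) and len(value) == 1 and not m.get("preserveArrayWithSingleElement"):
                value = value[0]                   # documented IPS default: a one-element array becomes a scalar
        for fn in m.get("functions", []):
            assert fn["type"] == "replaceAllString", "only replaceAllString occurs in the write block"
            # Python's re has no \p{Punct}; expand the Java class to ASCII punctuation before matching.
            value = re.sub(fn["regex"].replace(r"\p{Punct}", re.escape(string.punctuation)), fn["replacement"], value)
        _set(out, _tokens(m["targetPath"]), value)
    return out

def provision(kind, entity, operation="create", target_id=None):
    variables = {"entityIdTargetSystem": target_id} if target_id else {}   # the target id is known only after create
    return apply_block(WRITE_TRANSFORMATION[kind], entity, variables, operation)
```

Running provision("user", SAMPLE_USER) shows the payload Identity Authentication would receive on create (sendMail and passwordStatus present, corporateGroups instead of groups, timeZone instead of timezone); the same call with operation="update" and a target id omits the create-only constants, and a user with an empty emails array or no familyName yields None, which is why such users silently never appear in the target system. Use the script to preview the effect of a changed mapping before deploying it in Identity Provisioning.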

12.16.2.1.3 Create Destinations

In the SAP BTP, create destinations for Identity Provisioning.

1. Log into the SAP BTP cockpit and go to your tenant.


2. In the left-hand pane, select Connectivity > Destinations > New Destination.

 Note

It is very important to accurately enter the text strings as specified below. We recommend copying and
pasting them.

Parameter Value

*Name IPS_PROXY

Type HTTP

Description IPS Destination

*URL Enter the URL of the IPS Instance

Proxy Type Internet

Authentication BasicAuthentication

*User <Name of the User to access IPS>

Password <Password of the User>

Accept application/scim+json

*OAuth2TokenServiceURL <OAUTH Token URL>?grant_type=client_credentials

GROUPSURL /Groups

serviceURL /ipsproxy/api/v1/scim/

USERSURL /Users

3.  Note

The URL can be copied from SAP BTP > Subscriptions > ipsproxy > Application URLs (select ipsproxy to get the Application URL). After copying the URL, remove /ipsproxy from it.

4. User is the client ID configured through SAP BTP > Security > OAuth > Clients for the service IPSProxy, that is, the client registered in the previous section Register OAuth Client for the Identity Provisioning.
5. OAuth2TokenServiceURL can be copied from SAP BTP > Security > OAuth > Token Endpoint, with ?grant_type=client_credentials appended, for example: https://oauthasservices-TENANTID.int.sap.eu2.hana.ondemand.com/oauth2/api/v1/token?grant_type=client_credentials
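Before the Systems app and the Repository Sync job depend on IPS_PROXY, it pays to verify the destination by hand, because a wrong serviceURL, a missing grant_type query parameter or a URL that still ends in /ipsproxy only surfaces later as a failed sync. The script below is an added example, not SAP code: validate_destination() encodes the fixed values the destination tables in 12.16.1.1.2 and 12.16.2.1.3 prescribe, scim_url() shows how URL, serviceURL and USERSURL/GROUPSURL are joined, and check_proxy() performs the two calls the access request service relies on, a client-credentials token request and a SCIM GET with the Accept header from the table. Assumptions not stated on the page: the token endpoint accepts the client ID and secret as HTTP Basic credentials and returns JSON with an access_token field (standard OAuth 2.0 behaviour), the dictionary keys are the cockpit's property names (ProxyType without the space), and EXAMPLE_DESTINATION is a constructed destination with placeholder hosts and credentials.

```python
import base64
import json
import urllib.parse
import urllib.request

# Constructed example of the IPS_PROXY destination; hosts and credentials are placeholders.
EXAMPLE_DESTINATION = {
    "Name": "IPS_PROXY", "Type": "HTTP", "Description": "IPS Destination",
    "URL": "https://ipsproxy.example.com",
    "ProxyType": "Internet", "Authentication": "BasicAuthentication",
    "User": "oauth-client-id", "Password": "oauth-client-secret",
    "Accept": "application/scim+json",
    "OAuth2TokenServiceURL": "https://oauth.example.com/oauth2/api/v1/token?grant_type=client_credentials",
    "GROUPSURL": "/Groups", "serviceURL": "/ipsproxy/api/v1/scim/", "USERSURL": "/Users",
}

# Values the page fixes for this destination; everything else is tenant-specific.
FIXED = {"Name": "IPS_PROXY", "Type": "HTTP", "ProxyType": "Internet",
         "Authentication": "BasicAuthentication", "Accept": "application/scim+json",
         "serviceURL": "/ipsproxy/api/v1/scim/", "USERSURL": "/Users", "GROUPSURL": "/Groups"}

def validate_destination(dest):
    """Returns a list of problems; an empty list means the destination matches the page's table."""
    problems = [f"{k} must be {v!r}, got {dest.get(k)!r}" for k, v in FIXED.items() if dest.get(k) != v]
    problems += [f"{k} is empty" for k in ("URL", "User", "Password", "OAuth2TokenServiceURL") if not dest.get(k)]
    url = dest.get("URL", "")
    if not url.startswith("https://"):
        problems.append("URL must be https")
    if url.rstrip("/").endswith("/ipsproxy"):
        problems.append("URL must not end with /ipsproxy; serviceURL already adds it")
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(dest.get("OAuth2TokenServiceURL", "")).query)
    if query.get("grant_type") != ["client_credentials"]:
        problems.append("OAuth2TokenServiceURL must end with ?grant_type=client_credentials")
    return problems

def scim_url(dest, entity="Users"):
    """URL + serviceURL + USERSURL/GROUPSURL with exactly one slash between the parts."""
    suffix = dest["USERSURL"] if entity == "Users" else dest["GROUPSURL"]
    return "/".join(p.strip("/") for p in (dest["URL"], dest["serviceURL"], suffix))

def basic_auth(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def fetch_token(dest, opener=urllib.request.urlopen):
    """Client-credentials grant; User/Password of the destination are the OAuth client ID and secret."""
    req = urllib.request.Request(dest["OAuth2TokenServiceURL"], method="POST",
                                 data=b"grant_type=client_credentials",
                                 headers={"Authorization": basic_auth(dest["User"], dest["Password"]),
                                          "Content-Type": "application/x-www-form-urlencoded"})
    with opener(req) as resp:
        return json.load(resp)["access_token"]

def summarize_list_response(body):
    """Extracts what is worth eyeballing from a SCIM ListResponse; rejects anything else."""
    doc = json.loads(body)
    if "urn:ietf:params:scim:api:messages:2.0:ListResponse" not in doc.get("schemas", []):
        raise ValueError("not a SCIM ListResponse; check serviceURL and the Accept header")
    return {"totalResults": doc.get("totalResults", 0), "ids": [r.get("id") for r in doc.get("Resources", [])]}

def check_proxy(dest, entity="Users", opener=urllib.request.urlopen):
    """Token request followed by GET <scim_url>?count=5; raises on any mismatch with the page."""
    problems = validate_destination(dest)
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(scim_url(dest, entity) + "?count=5",
                                 headers={"Authorization": "Bearer " + fetch_token(dest, opener),
                                          "Accept": dest["Accept"]})
    with opener(req) as resp:
        if "json" not in resp.headers.get("Content-Type", ""):
            raise ValueError("unexpected Content-Type: " + resp.headers.get("Content-Type", ""))
        return summarize_list_response(resp.read())

if __name__ == "__main__":   # offline check of the table values; call check_proxy() with real values
    print(validate_destination(EXAMPLE_DESTINATION) or "destination table matches the page")
```

The client secret stored in Password is all that stands between an attacker and the ipsproxy SCIM API (IPS_PROXY_USER can read and write users and groups), so keep the OAuth client scoped to the ipsproxy subscription and rotate the secret in the destination and the OAuth client together.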

12.16.2.1.4 Add SAP Business Technology Platform

Create an instance for the SAP BTP in the Systems app for the access request service.

1. Log into the SAP Cloud Identity Access Governance launchpad and open the Systems app.
2. Create a system for SAP BTP. For System Type, select SAP BTP.
3. In the SCP Destination field, enter the name of the IPS destination (IPS_PROXY) created in the previous
section Create Destination.
4. Enter the external system ID marked in the previous step Create Proxy System.
5. Save your entries.

12.16.2.1.5 Sync User Data and Provision Access Requests

In the access request service launchpad, open the Job Scheduler app.

In the Job Category dropdown list, schedule the following jobs:

● Repository Sync to synchronize the relevant data from the SAP BTP to the access request service.
In the System Type dropdown list, select SAP BTP.
In the System dropdown list, select the configured SAP BTP system.
● Provisioning to initiate the provisioning of access requests.

12.17 SAP SuccessFactors Employee Central Payroll

The information in this section describes the procedure for connecting SAP SuccessFactors Employee Central
Payroll to the SAP Cloud Identity Access Governance solution and its services.

You can synchronize users, roles, and profiles from the Employee Central Payroll to SAP Cloud Identity Access
Governance. Furthermore, you can provision users and user role assignments to the Employee Central Payroll
system.

Prerequisites

● Implement the following SAP Notes for Employee Central Payroll:
○ 2951824 Rest service APIs for integration with SAP Cloud Identity Access Governance.
○ 2954584 SAP IAG SICF Rest Service.
○ 2958309 IAG Repository Sync Role List with the Deleted Role.
● Generate a certificate if you want to use certificate authentication instead of basic authentication.

12.17.1 Process Overview

There are four overall steps to integrate Employee Central Payroll with the SAP Cloud Identity Access Governance solution and its services:

Procedure

1. Configure an Employee Central Payroll system.
2. In the SAP Business Technology Platform (SAP BTP) cockpit, set up a destination for the Employee Central Payroll system.
3. In the SAP Cloud Identity Access Governance launchpad, use the Systems app to create an instance for the Employee Central Payroll system.
4. In the SAP Cloud Identity Access Governance launchpad, use the Job Scheduler app to sync user data and provision access requests.

12.17.2 Create Certificate

Procedure

You can use the Cloud Identity Services - Identity Authentication to create a certificate. Use tools such as
KeyStore Explorer to convert a .p12 file to a .cer file.

 Note

You can ignore this step if you are using Basic Authentication for this integration scenario.

To create certificate, proceed as follows:

1. Logon to Identity Authentication.


2. Go to Applications & Resources > Applications.
3. Choose an application.
4. Choose Certificate for API Authentication in the right panel.
5. In the section Generate certificate, enter a Common Name and Password.
6. Choose Generate to download a cer.p12 file. You can rename it to xxxx.p12 and save it in a suitable place. Use a tool such as KeyStore Explorer to convert it to a xxxx.cer file.
7. Import the xxxx.cer file into Employee Central Payroll and map it to a connection user.

12.17.3 Configuration in SAP Employee Central Payroll

1. Create a SICF service

○ Implement 2954584 SAP IAG SICF Rest Service.
2. Create a connection user
The connection user must have the authorization in Employee Central Payroll to create and modify users, reset passwords, and assign and unassign roles to users.
Refer to Required RFC User for SAP Cloud Identity Access Governance Services on Target System [page 82].
3. Assign a role to the connection user
1. Use transaction PFCG to create a role in Employee Central Payroll and assign it to the connection user. To create the role, use the authorization object and the field values listed below:

Authorization Object SIAG_SRV
Authorization Field SIAG_ENT AUTHOBJECT, PROFILE, ROLE, USAGE, USER
Authorization Field ACTVT 01, 02, 03, 04, 05, 06

Because this role allows the connection user to create users, reset passwords, and change role assignments, assign it to a dedicated technical user only and treat that user's password or certificate as a privileged credential.

2. Assign the role to the connection user.
4. Map the certificate to the connection user
If you wish to use a certificate, import the certificate created in the previous step into Employee Central Payroll and map it to the connection user in Employee Central Payroll.

12.17.4 Configuration in SAP Cloud Identity Access


Governance

Procedure

1. Configure Destination
There are two Employee Central Payroll host URLs: one for Basic Authentication and one for Client Certificate authentication.
1. Integration using Basic Authentication
Maintain a destination in the SAP BTP cockpit and enter the following values:

Parameter Value

Destination Type HTTP

URL <Employee Central Payroll host URL for Basic Authentication>/sap (the host URL is provided by Employee Central Payroll)

Parameter Value

Proxy Type Internet

Authentication BasicAuthentication

User Connection user in Employee Central Payroll

Password Enter the password for the connection user

Under Additional Properties, add the following:

sap-client Client number for Employee Central Payroll

servicepath /iagrestapi

Save your entries.

2. Configure destination using client certificate


Maintain a destination in the SAP BTP cockpit and enter the following values:

Parameter Value

Destination Type HTTP

URL <Employee Central Payroll host URL for Client Certificate>/sap (the host URL is provided by Employee Central Payroll)

Proxy Type Internet

Authentication ClientCertificateAuthentication

KeyStore Location Upload the certificate xxxx.p12 you downloaded in the previous step.

KeyStore Password Enter the password you set when generating the certificate.

Under Additional Properties, add the following:

sap-client Client number for Employee Central Payroll

servicepath /iagrestapi

2. Configuring the SAP Cloud Identity Access Governance system (Connector)


1. Log into the SAP Cloud Identity Access Governance launchpad and open the Systems app to create a
new system for Employee Central Payroll.
2. Enter a System Name.
3. For System Type, select SAP ERP.
4. Enter a Description.
5. In the SAP BTP Destination field, enter one of the following names:
○ If you are using basic authentication, enter the destination you maintained for Basic Authentication.
○ If you are using a client certificate, enter the destination you maintained for Client Certificate Authentication.
6. Save the system you have created.

12.17.5 Sync SAP SuccessFactors Employee Central Payroll Data to SAP Cloud Identity Access Governance and Provision Access Requests

Syncing data from Employee Central Payroll to SAP Cloud Identity Access Governance

1. In the SAP Cloud Identity Access Governance launchpad, open the Job Scheduler app.
2. Enter a job name.
3. In the Job Category dropdown list, select Repository Sync.
4. In the System Type dropdown list, select SAP ERP.
5. In the System dropdown list, select the system (connector) you created.
6. Choose Schedule Job.

Provisioning to Employee Central Payroll

Refer to the documentation for the Access Request Service.
As an application type, select SAP ERP and then choose the application with the Employee Central Payroll
system you created.

12.18 SCIM System

This section describes the procedure for connecting a SCIM System to the SAP Cloud Identity Access
Governance solution and its services. SAP Cloud Identity Access Governance is a cloud solution for creating
self-service access requests for on-premise and cloud applications and systems. By connecting the SCIM
System to the solution, its users can initiate access requests, which are then provisioned to target
applications.

12.18.1 Process Overview

There are five overall steps for integrating the SCIM System with the SAP Cloud Identity Access Governance
solution and its services:

1. In the Identity Provisioning service, create a proxy system to connect to the SCIM System.
2. In SAP BTP, set up a destination for Identity Provisioning (destination name IPS_PROXY).
3. In the SAP Cloud Identity Access Governance launchpad, use the Connector Types app to create a custom
connector type for the SCIM System.
4. In the SAP Cloud Identity Access Governance launchpad, use the Systems app to create an instance for the
SCIM System.
5. In the SAP Cloud Identity Access Governance launchpad, use the Job Scheduler app to sync user data and
provision access requests.

12.18.1.1 Create Proxy System

Create a proxy system to enable the SCIM System to connect with Identity Provisioning.

Procedure

1. Log into the SAP BTP cockpit, go to your tenant, and open Services > Identity Provisioning > Go To
Service > Proxy System.
2. Copy the external system ID and use it to set up the SCIM System instance in the Systems app in the next
step.
3. Add a proxy system for the SCIM System and choose Save. For more details, refer to SCIM System.

 Note

The SCIM System needs to support all standard SCIM API features, including modifying the group/user
assignment via PATCH /Groups with the members attribute. For user creation, the following SCIM User
attributes are supported: username, displayName, name (givenName and familyName), emails (one
primary email).

4. Select Properties and add the following values:

Name Value

URL Enter the URL of the SCIM system

Proxy Type Internet

Authentication BasicAuthentication

User Name of the User to access SCIM system

Password Password of the User

OAuth2TokenServiceURL If you need OAuth authentication for the system, enter the URL of the access token
provider service for OAuth HTTP destinations.

scim.support.patch.operation true

5. To read and provision, modify the following transformations for SAP Cloud Identity Access Governance as
follows:

Read Transformation

{
  "user":{
    "mappings":[
      {
        "sourcePath":"$",
        "targetPath":"$"
      },
      {
        "sourcePath":"$.id",
        "targetVariable":"entityIdSourceSystem"
      },
      {
        "sourceVariable":"entityBaseLocation",
        "targetPath":"$.meta.location",
        "targetVariable":"entityLocationSourceSystem",
        "functions":[
          {
            "type":"concatString",
            "suffix":"${entityIdSourceSystem}"
          }
        ]
      },
      {
        "sourcePath":"$.userName",
        "targetPath":"$.userName",
        "correlationAttribute":true
      },
      {
        "sourcePath":"$.emails[0].value",
        "optional":true,
        "targetPath":"$.emails[0].value"
      },
      {
        "sourcePath":"$.emails[?(@.primary==true)].value",
        "optional":true,
        "correlationAttribute":true
      }
    ],
    "scimEntityEndpoint":"Users"
  },
  "group":{
    "mappings":[
      {
        "sourcePath":"$",
        "targetPath":"$"
      },
      {
        "sourcePath":"$.id",
        "targetVariable":"entityIdSourceSystem"
      },
      {
        "sourceVariable":"entityBaseLocation",
        "targetPath":"$.meta.location",
        "targetVariable":"entityLocationSourceSystem",
        "functions":[
          {
            "type":"concatString",
            "suffix":"${entityIdSourceSystem}"
          }
        ]
      }
    ],
    "scimEntityEndpoint":"Groups"
  }
}

Write Transformation

{
  "user":{
    "mappings":[
      {
        "sourceVariable":"entityIdTargetSystem",
        "targetPath":"$.id"
      },
      {
        "constant":"urn:ietf:params:scim:schemas:core:2.0:User",
        "targetPath":"$.schemas[0]"
      },
      {
        "sourcePath":"$.userName",
        "targetPath":"$.externalId"
      },
      {
        "sourcePath":"$.userName",
        "targetPath":"$.userName"
      },
      {
        "sourcePath":"$.displayName",
        "targetPath":"$.displayName"
      },
      {
        "sourcePath":"$.name",
        "targetPath":"$.name"
      },
      {
        "sourcePath":"$.active",
        "targetPath":"$.active"
      },
      {
        "sourcePath":"$.emails[0]",
        "targetPath":"$.emails[0]"
      },
      {
        "condition":"$.emails[0].length() > 0",
        "constant":true,
        "targetPath":"$.emails[0].primary"
      },
      {
        "sourcePath":"$",
        "targetPath":"$",
        "scope":"patchEntity"
      }
    ],
    "scimEntityEndpoint":"Users"
  },
  "group":{
    "mappings":[
      {
        "sourceVariable":"entityIdTargetSystem",
        "targetPath":"$.id"
      },
      {
        "constant":"urn:ietf:params:scim:schemas:core:2.0:Group",
        "targetPath":"$.schemas[0]"
      },
      {
        "sourcePath":"$.id",
        "targetPath":"$.id"
      },
      {
        "sourcePath":"$.displayName",
        "targetPath":"$.displayName"
      },
      {
        "sourcePath":"$.members",
        "targetPath":"$.members"
      },
      {
        "sourcePath":"$",
        "targetPath":"$",
        "scope":"patchEntity"
      }
    ],
    "scimEntityEndpoint":"Groups"
  }
}
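To see what the write transformation above actually sends to the SCIM System, the following Python script is an added example (not part of this guide and not the Identity Provisioning engine) that applies the user mappings of the write transformation to a constructed source entity and builds the SCIM create payload. Its mini-interpreter of the mapping keywords (simplified JSONPath, the single condition form used here, skipping of absent values and of patchEntity mappings, entityIdTargetSystem treated as unset on create) is my own reading of the keywords on this page, so its semantics are assumptions.

```python
import copy
import re

# User mappings of the write transformation shown in the guide above; the
# "group" mappings are handled the same way and are omitted here.
USER_WRITE_MAPPINGS = [
    {"sourceVariable": "entityIdTargetSystem", "targetPath": "$.id"},
    {"constant": "urn:ietf:params:scim:schemas:core:2.0:User", "targetPath": "$.schemas[0]"},
    {"sourcePath": "$.userName", "targetPath": "$.externalId"},
    {"sourcePath": "$.userName", "targetPath": "$.userName"},
    {"sourcePath": "$.displayName", "targetPath": "$.displayName"},
    {"sourcePath": "$.name", "targetPath": "$.name"},
    {"sourcePath": "$.active", "targetPath": "$.active"},
    {"sourcePath": "$.emails[0]", "targetPath": "$.emails[0]"},
    {"condition": "$.emails[0].length() > 0", "constant": True, "targetPath": "$.emails[0].primary"},
    {"sourcePath": "$", "targetPath": "$", "scope": "patchEntity"},
]

# Constructed sample entity, shaped like a SCIM user the read side produces.
SAMPLE_USER = {
    "userName": "jdoe",
    "displayName": "Jane Doe",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "active": True,
    "emails": [{"value": "jane.doe@example.com", "type": "work"}],
}

_TOKEN = re.compile(r"\.([A-Za-z_]\w*)|\[(\d+)\]")
_LENGTH_COND = re.compile(r"^(\$\S*?)\.length\(\)\s*>\s*(\d+)$")


def _tokens(path):
    # '$.emails[0].value' -> ['emails', 0, 'value']; only this dotted/indexed
    # subset of JSONPath is supported (assumption, enough for the page's paths).
    return [int(idx) if idx else key for key, idx in _TOKEN.findall(path)]


def _get(obj, path):
    # Read a value at a simplified JSONPath; None when any step is missing.
    for tok in _tokens(path):
        try:
            obj = obj[tok]
        except (KeyError, IndexError, TypeError):
            return None
    return obj


def _set(obj, path, value):
    # Write a value at a simplified JSONPath, creating lists/objects on the way.
    toks = _tokens(path)
    if not toks:  # targetPath "$" merges into the whole target entity
        obj.update(value)
        return
    cur = obj
    for tok, nxt in zip(toks, toks[1:] + [None]):
        if isinstance(cur, list) and len(cur) <= tok:
            cur.extend([None] * (tok + 1 - len(cur)))
        if nxt is None:
            cur[tok] = value
        elif (cur[tok] if isinstance(cur, list) else cur.get(tok)) is None:
            cur[tok] = [] if isinstance(nxt, int) else {}
        cur = cur[tok]


def build_create_payload(source, mappings=USER_WRITE_MAPPINGS):
    # Apply the write mappings to one source entity and return the SCIM POST
    # body. Assumed simplifications: a mapping whose source value is absent is
    # skipped, and "patchEntity" mappings are ignored (they apply only to PATCH).
    target = {}
    for m in mappings:
        if m.get("scope") == "patchEntity":
            continue
        if "condition" in m:  # only the '<path>.length() > N' form on this page
            path, n = _LENGTH_COND.match(m["condition"]).groups()
            v = _get(source, path)
            if (len(v) if isinstance(v, (str, list, dict)) else 0) <= int(n):
                continue
        if "constant" in m:
            value = m["constant"]
        elif "sourceVariable" in m:
            value = None  # assumed: entityIdTargetSystem is unset until the create
        else:
            value = _get(source, m["sourcePath"])
        if value is not None:
            _set(target, m["targetPath"], copy.deepcopy(value))
    return target
```

Calling build_create_payload(SAMPLE_USER) yields a body with the schemas constant, externalId and userName both set to "jdoe", and primary set to true on the first email, while no id is sent; a source without emails gets neither an emails entry nor a primary flag.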

12.18.1.2 Create Destinations

In SAP BTP, create a destination IPS_PROXY.

Procedure

1. Log into the SAP BTP cockpit and go to your tenant.
2. In the left-hand pane, select Connectivity > Destinations > New Destinations.
3. Create a destination for the Identity Provisioning instance, using the following properties.

 Note

It is very important to enter the text strings exactly as specified below. We recommend copying and
pasting them.

Name IPS_PROXY

Type HTTP

Description IPS Destination

URL Enter the URL of the Identity Provisioning instance

Proxy Type Internet

Authentication BasicAuthentication

User Name of the User to access Identity Provisioning

Password Password of the User

Accept application/scim+json

GROUPSURL /Groups

service URL /ipsproxy/api/v1/scim

USERSURL /Users

12.18.1.3 Add Connector Type

Procedure

To add your own custom connector type, do as follows:

1. Log into the SAP Cloud Identity Access Governance launchpad and open the Connector Types app.
2. To add a new connector type, select the '+' icon in the connector types list on the left side.
3. Enter Name, Description, Action Type, and Action Description and save your entries.

12.18.1.4 Add SCIM System

Create an instance for SCIM System in the SAP Cloud Identity Access Governance launchpad Systems app.

Procedure

1. Log into the SAP Cloud Identity Access Governance launchpad and open the Systems app.
2. For System Type, select the custom connector type created in the previous step, Add Connector Type.
3. Enter the External System ID you copied in the previous step, Create Proxy System.

12.18.1.5 Sync User Data and Provision Access Requests

In the SAP Cloud Identity Access Governance launchpad, open the Job Scheduler app and schedule the following
jobs from the Job Category dropdown list:

● Repository Sync to synchronize the relevant data from the SCIM System to SAP Cloud Identity Access
Governance. In the System Type dropdown list, select the custom connector type created in the previous
section, Add Connector Type. In the System dropdown list, select the SCIM System created in the previous
section, Add SCIM System.
● Provisioning to initiate the provisioning of access requests.

13 Business Configuration

13.1 Set Up Master Data

Maintain the following master data to get the full functionality of the SAP Cloud Identity Access Governance
services.

 Note

The following is a comprehensive list of the required master data. Some master data may be required for
more than one service. For example: Systems is required for all the services.

Master Data Maintain the Master Data in this App

Application Types Application Types

Systems Systems

Business Function Groups Business Function Groups

Business Processes Business Processes

Functions Functions

Risk Level Risk Level

Risks Risks

Rules Rules

Access Types Access Types

Monitoring Groups Monitoring Groups are defined in the Identity Authentication.

Owners Owners are defined in the Identity Authentication.

Test Plans Test Plans

Mitigation Controls Mitigation Controls

Access Access Maintenance

Departments Departments

User Data Maintain User Data

Risk Score Policy (optional) Risk Score Policy

Access Maintenance Access Maintenance

Projects Projects

Access Request Reason Code Access Request Reason Code

Access Request Priority Access Request Priority

Common Master Data [page 170]
You must set up Master Data for all three SAP Cloud Identity Access Governance services: access
analysis service, access request service, and role design service. This topic outlines the common set-up
that is required for all three services. Set up the common master data before setting up the master
data that is specific to the services.

Setting Up Master Data for Access Request Service [page 172]
After setting up the Common Master Data, you must then set up the Master Data specific to your
services. This topic outlines the Master Data needed for Access Request.

Setting Up Master Data for the Role Design Service [page 173]
After setting up the Common Master Data, you must then set up the Master Data specific to your
services. This topic outlines the Master Data needed for the Role Design service.

Setting Up Master Data for Access Analysis Service [page 174]
After setting up the Common Master Data, you must then set up the Master Data specific to your
services. This topic outlines the Master Data needed for Access Analysis.

Related Information

Setting Up Master Data for Access Request Service [page 172]
Setting Up Master Data for the Role Design Service [page 173]
Setting Up Master Data for Access Analysis Service [page 174]

13.1.1 Common Master Data

You must set up Master Data for all three SAP Cloud Identity Access Governance services: access analysis
service, access request service, and role design service. This topic outlines the common set-up that is required
for all three services. Set up the common master data before setting up the master data that is specific to the
services.

Common Master Data Elements

The following table shows the master data that is needed for all three SAP Cloud Identity Access Governance
services: access analysis service, access request service, and role design service.

 Note

You must set up business processes first, then business subprocesses, then access maintenance.

Master Data tile | Dependency / Prerequisite | How the Master Data is Used

Access Maintenance | Business Subprocess | App is used to display and maintain different types of technical
access.

Access Types | None | App is used to create and update different types of access such as single roles,
composite roles, and business roles.

Application Types | None | App is used to create types that categorize applications. Examples of categories
could be SAP S/4HANA or HR.

Business Processes | None | App is used to define your company's operational processes such as Finance and
Marketing.

Departments | None | App is used to create and maintain your company's departments such as Finance and
Public Relations.

Systems | None | App is used to define the various source and target systems that connect with SAP Cloud
Identity Access Governance. For example, system connections must be defined for the role source system and
the user source system.

To complete the Master Data setup, go to the topic specific to the Services you are setting up. There are
additional setup steps for each service.

Related Information

Setting Up Master Data for Access Analysis Service [page 174]


Setting Up Master Data for Access Request Service [page 172]
Setting Up Master Data for the Role Design Service [page 173]

13.1.2 Setting Up Master Data for Access Request Service

After setting up the Common Master Data, you must then set up the Master Data specific to your services. This
topic outlines the Master Data needed for Access Request.

The table below describes the master data elements that must be set up for the Access Request Service after
you have finished setting up the common Master Data.

Master Data App | Dependency / Prerequisite | How the Master Data is Used

Access Request Priority | None | App is used to define priorities for access requests.

Access Request Reason Code | None | App is used to define the Reason for Request choices for access requests.

Related Information

Common Master Data [page 170]

13.1.3 Setting Up Master Data for the Role Design Service

After setting up the Common Master Data, you must then set up the Master Data specific to your services. This
topic outlines the Master Data needed for the Role Design service.

The table below describes the master data elements that must be set up for the Role Design Service after you
have finished setting up the common Master Data.

Master Data | Dependency / Prerequisite | How the Master Data is Used

Projects | None | When companies re-engineer or create new business roles, it is usually in the context of a
project, such as security initiatives or role optimization initiatives. You use this app to define such projects.
The projects are then available in the Create Candidate Business Roles app.

Related Information

Create Candidate Business Roles (app)


Common Master Data [page 170]

13.1.4 Setting Up Master Data for Access Analysis Service

After setting up the Common Master Data, you must then set up the Master Data specific to your services. This
topic outlines the Master Data needed for Access Analysis.

 Note

In some cases, you must define the data in the indicated order. For example, you must define business
function groups before you can define rule setup.

Master Data Details for Access Analysis Service

The table below describes the master data elements that must be set up for the Access Analysis service after
you have finished setting up the common Master Data.

Master Data App | Dependency / Prerequisite | How the Master Data is Used

Functions | Business Process | App is used to define and maintain functions, which are a collection of
authorizations (actions and permissions). Access risks are defined based on functions.

Business Function Groups | Systems | App is used to assign source systems to SAP Cloud Identity Access
Governance. The source can be one or multiple systems.

Mitigation Control Monitoring | 1. Business Subprocess, 2. Risks, 3. Test Plans | App is used to define and
maintain mitigation controls, which are used to remediate and monitor access risks.

Risk Score Policy | 1. Business Process, 2. Function, 3. Risk Level | App is used to create, edit, view,
deactivate, or delete risks.

Risk Level | None | App is used to define the criticality of a risk and the sensitivity of a risk.

Rule Setup | Business Function Group | App is used to establish, customize, and maintain your SoD or critical
access rules for access analysis.

Test Plans | None | App allows you to upload test plans for testing mitigation controls. Test plans are
maintained offline.

Related Information

Common Master Data [page 170]

13.2 Configuration App

The Configuration app is intended for administrators only. It enables administrators to configure a set of
behaviors and parameters in SAP Cloud Identity Access Governance to align with business needs.

13.2.1 Language Configuration

The purpose of this functionality is to improve performance.

From the Configuration app, you can limit the languages in which data from the database is imported into SAP
Cloud Identity Access Governance.

Choose which languages are used by your company and select Apply.

These are the supported languages:

● English
● German
● Chinese
● French
● Japanese
● Portuguese
● Russian
● Spanish

 Note

The default is English.

13.2.2 Application Parameters

Configure your product according to your business needs.

The Application Parameters feature contains a list of configuration groups and parameters that enable you to
set certain attributes and behaviors for SAP Cloud Identity Access Governance.

 Note

The list of available configurable parameters is updated regularly.

The table below describes the current available parameters:

Configuration Group | Parameter | Parameter Value | Description

UserSource | SourceSystem | <enter the name of your system or application> | Designate a User Source System
for retrieving user information such as email address, employee's manager, etc.

Requestor Approval | Requestor can approve requests for others | No (default value) | A requestor can approve
requests for others if the parameter value is set to Yes. Possible values are Yes and No.

13.2.3 Application Users

You use the Application Users app to upload and download larger data files relevant for application users.

Procedure

1. Go to the Configuration app.
2. On the next screen, before uploading an application users file, select Download File to download a template
of the file that is available in zip format.
3. Extract the template, including the ApplicationUsers_readme.txt file.
4. Familiarize yourself with the ApplicationUsers_readme.txt file.
Add the necessary new data to the extracted files, which are in the tab-delimited text format. For ease of
use, you can open the text files in Microsoft Excel.
5. Save the text files in the tab-delimited text format and add them to a zip file.
6. To upload the zipped file as an application users file, select Upload and Process.
7. To view log reports, proceed as follows:
1. Select Download Validation Log to check for any log validation error messages and that data entered is
correct, for instance, in length and type.
2. Select Download Processing Log to ensure that no data is missing, such as parent data before inserting
child data.

14 Security and Data Protection and Privacy

For SaaS customers, many of the necessary security measures are taken care of by SAP. For SAP Cloud
Identity Access Governance security information, see the Security Guide on https://help.sap.com/viewer/
product/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE.

15 Further Information

Content Location

SAP Business Technology Platform (SAP BTP) https://help.sap.com/viewer/product/CP/Cloud/en-US

SAP Cloud Identity Access Governance https://help.sap.com/viewer/p/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE

SAP Cloud Identity Access Governance Security Guide https://help.sap.com/viewer/8927ff487e3e4520b3211167b7f06c31/latest/en-US

16 Support Information

For assistance and questions, you can go to the SAP Support Portal at https://support.sap.com, and click on
Report an Incident.

Use the following components as needed.

Service Component

access analysis service GRC-IAG-AA

access certification service GRC-IAG-CER

access request service GRC-IAG-AR

role design service GRC-IAG-RD

privileged access management service GRC-IAG-PAM

Important Disclaimers and Legal Information

Hyperlinks
Some links are classified by an icon and/or a mouseover text. These links provide additional information.
About the icons:

● Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your
agreements with SAP) to this:

● The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.
● SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any
damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.

● Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering a SAP-hosted Web site. By using such
links, you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this
information.

Videos Hosted on External Platforms


Some videos may point to third-party video hosting platforms. SAP cannot guarantee the future availability of videos stored on these platforms. Furthermore, any
advertisements or other content hosted on these platforms (for example, suggested videos or by navigating to other videos hosted on the same site), are not within
the control or responsibility of SAP.

Beta and Other Experimental Features


Experimental features are not part of the officially delivered scope that SAP guarantees for future releases. This means that experimental features may be changed by
SAP at any time for any reason without notice. Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use
the experimental features in a live operating environment or with data that has not been sufficiently backed up.
The purpose of experimental features is to get feedback early on, allowing customers and partners to influence the future product accordingly. By providing your
feedback (e.g. in the SAP Community), you accept that intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP.

Example Code
Any software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax
and phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of
example code unless damages have been caused by SAP's gross negligence or willful misconduct.

Gender-Related Language
We try not to use gender-specific word forms and formulations. As appropriate for context and readability, SAP may use masculine word forms to refer to all genders.

www.sap.com/contactsap

© 2021 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form
or for any purpose without the express permission of SAP SE or an SAP
affiliate company. The information contained herein may be changed
without prior notice.

Some software products marketed by SAP SE and its distributors
contain proprietary software components of other software vendors.
National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for
informational purposes only, without representation or warranty of any
kind, and SAP or its affiliated companies shall not be liable for errors or
omissions with respect to the materials. The only warranties for SAP or
SAP affiliate company products and services are those that are set forth
in the express warranty statements accompanying such products and
services, if any. Nothing herein should be construed as constituting an
additional warranty.

SAP and other SAP products and services mentioned herein as well as
their respective logos are trademarks or registered trademarks of SAP
SE (or an SAP affiliate company) in Germany and other countries. All
other product and service names mentioned are the trademarks of their
respective companies.

Please see https://www.sap.com/about/legal/trademark.html for
additional trademark information and notices.
