SAP Cloud Identity Access Governance Initial Setup

The document provides instructions for initial setup of SAP Cloud Identity Access Governance. It discusses that the solution is built on SAP Business Technology Platform and uses NetWeaver APIs to fetch data from on-premise and cloud systems. It outlines the services enabled for access requests, analysis, and role design. It also describes the license usage metrics, solution architecture including target applications, APIs, connectors and services, and provides steps for subscription process including creating a subaccount, assigning entitlements, and subscribing. Finally, it discusses maintaining administrators and user management.

Basics

• The SAP Cloud Identity Access Governance solution is built on SAP Business Technology Platform (SAP BTP), the Platform-as-a-Service (PaaS) cloud computing offering from SAP.

For more understanding of BTP you may refer to: https://www.sap.com/products/technology-platform/what-is-sap-business-technology-platform.html

• It uses SAP NetWeaver APIs to fetch data from on-premise and cloud solutions.

• The following services are enabled to create access requests, analyse risks and design roles:

1. SAP Cloud Identity Access Governance, Access Analysis Service
2. SAP Cloud Identity Access Governance, Access Request Service
3. SAP Cloud Identity Access Governance, Role Design Service
4. SAP Cloud Identity Access Governance, Access Certification Service
5. SAP Cloud Identity Access Governance, Privileged Access Management Service

License Usage Metric

Licensing of the SAP Cloud Identity Access Governance software is based on:

1. Resources of users

2. Connections

• For the Full Version:

Metric used: Monitored Users

Usage is calculated on the basis of the number of unique users that customers synchronize from their on-premise and/or cloud systems. These systems are monitored by the software.

• For the Integration Edition:

Metric used: Unique Type of Connections

The number of connections is calculated based on how many application types the customer connects to the software.

Rashi Kapse
Solution Architecture

1. Target Applications (on-premise, cloud)

This is the target system containing the user data.

2. IAG API

The API for SAP Cloud Identity Access Governance services extracts data from the target
application. The API is part of SAP NetWeaver; make sure your system has the required
NetWeaver Basis Support Packs. The API is available for on-premise and the SAP HANA
Cloud.

3. SAP BTP connector

The cloud connector sits behind the firewall and establishes connectivity between SAP BTP
and the target system.

4. IAG Services

SAP Cloud Identity Access Governance services include: Access Analysis service; Access
Request service; Role Design service; Access Certification; Privileged Access Management.

5. Technical Components for IAG services

SAP Cloud Identity Access Governance service components include: Repository, Scheduler, Reporting and Analytics, Approval Workflow, and Users and Roles.

6. Identity Authentication service

Identity Authentication service is used to authenticate users before allowing access to the
SAP Cloud Identity Access Governance solution and services.

7. SAP Workflow Management service

SAP Workflow Management is used to automate access requests through the various stages of creation and approval.

8. SAP Business Rules Service

Business Rules Service enables embedding business decisions into the workflow.

9. Identity Provisioning service

Identity Provisioning service allows provisioning of centrally managed identities and their
access across the enterprise (on-premise and cloud).

INITIAL SETUP PROCEDURE


SAP Cloud Identity Access Governance is available on the Amazon Web Service (AWS) platform,
Microsoft Azure and Google Cloud Platform.

Prerequisite Access Requirements


1. An instance of the Cloud Connector, if you wish to use on-premise applications or the Bridge scenario to connect SAP Access Control to SAP Cloud Identity Access Governance

2. An instance of the Identity Authentication Service (IAS)

3. An instance of the Identity Provisioning Service (IdP)

4. The administrator already has access to the Global Account and has administrator authorization

Now the question on everyone's mind is how to actually obtain these prerequisite accesses.

Just follow the steps below to get this done 😊


1. Paste the URL below into your browser to log in to the SAP Business Technology Platform (BTP) Cockpit:

https://account.hana.ondemand.com/#/home/welcome

2. Click the Sign In button, as shown in the screenshot below.

3. The page below opens, where you need to enter your S-User ID (SAP Universal ID) and click the Continue button.

For example: S-User ID rashukapse88@gmail.com, as in the image below.

If you do not have an S-User ID, get one created from the SAP link below:

https://www.sap.com/account/universal-id.html in 2 minutes 😊

4. Enter your password and click Sign In.

5. You will be redirected to a page where you need to wait for 2 minutes for your Global Account to be created (you get an option to select a Provider (AWS, Microsoft Azure or GCP) and a Region).

For example, I have selected AWS-US East.

Your SAP BTP Global Account details will pop up on screen, as below.

6. Click Continue and you will land in your SAP BTP global account.

The next step is to get a subscription for the IAG solution. Follow the steps below to understand it in detail 😊

Subscription process
Three steps for the subscription process:

1. Creating a Subaccount for subscription

1. Log into your Global Account and create a subaccount

2. Enter a unique value as the Subdomain.

The subdomain forms the first part of the URL visible in the browser, so it must be unique in the data centre where your Global Account is hosted. It identifies your tenant, since the subdomain is used to route requests to the relevant tenant. (If you want to understand this statement in depth, you need a grounding in cloud concepts.)

2. Assigning Entitlement to the subaccount

Procedure:

1. Log on to the SAP BTP Cockpit and open your global account

2. Select the relevant Subaccount

3. Go to Entitlements (click highlighted button)

4. Choose Configure Entitlements (Tab highlighted in below screenshot)

5. Choose the Add Service Plan button next to the Search field, select SAP Cloud Identity Access Governance from the list of entitlements, choose Add 1 Service Plan and Save. You are now subscribed to SAP Cloud Identity Access Governance and it is available in your subaccount's Service Marketplace.

Step 1: Click on Add service Plan

Step 2: Select SAP Cloud Identity Access Governance from the list

Step 3: Click on Save Button

3. Subscribing to the subaccount

After creating your subaccount, you need to subscribe to the SAP Cloud Identity Access Governance plan.

Procedure:

1. Navigate to Subaccounts and choose the subaccount that you have created.

2. Go to Service Marketplace and under Integration Suite choose SAP Cloud Identity Access
Governance. (I cannot show the screenshot depicting IAG under Integration as free access is not
available for IAG, but you will see IAG under this section)

4. Go to the three dots displayed on the right side of the column and choose Create to subscribe to this application.

For Example: I am creating a subscription plan for Cloud Identity Services

*You have to select Cloud Identity Access Governance.

5. In the pop-up window New Instance or Subscription, select Service: SAP Cloud Identity
Access Governance and Plan: for instance/standard, and choose Create.

6. To see the status of your subscription, which appears as an entry in the Instances and Subscriptions tab of the SAP BTP Cockpit, choose View Subscriptions.

As an example, I subscribed for Cloud Identity Services Plan:

7. In the Status column, the status subscribed is displayed.

8. Choose the Go to Application button (via the three dots) to open the SAP Cloud Identity Access Governance Launchpad.

Key point here is:

When you click Go to Application, you will be redirected to an Administration Console sign-in page, as below:

A. You need to enter the User Name and Password for the Admin Console.
B. You get access to the Admin Console only after you activate your Admin Console account.
C. How do you do that?
a. You will get an email to activate your Admin Console password (at the email ID linked to your S-User ID).
b. Click the link in that email and set your password.
c. Enter that password on the page above.
d. Once you click Continue, you will land in the application.

Example: Cloud Identity Services here

Maintain Administrators
• After subscribing to the SAP Identity Access Governance application, you must maintain security administrators.
• Add security administrators to your subaccount by entering their e-mail addresses instead of their user IDs.
• Security administrators can add other security administrators, and manage authentication and authorization in this subaccount, such as configuring trust to identity providers and assigning role collections to business users.

User Management
• The SAP Cloud Identity Access Governance solution and its services use Identity Authentication service for user authentication and to manage access to the solution's apps.
• Security and permissions are maintained in groups and role collections.
• You control the tasks a user can perform, and the apps they can access, through the appropriate assignment of groups and role collections to the user.
• The assignment of groups and roles to users controls these three security aspects:

  • Permission to access and use specific apps: you can ensure that users can access only those apps relevant for their job function. For example, that only administrators can access admin apps.

  • Permission to perform administrative tasks: within the framework of access governance, tasks have different levels of risk and sensitivity. You can ensure that users can only perform administrative tasks in line with their job function. For example, only users assigned to the Control Owners group can approve new or updated mitigation controls.

  • Permission to use specific services: the SAP Cloud Identity Access Governance solution integrates with other SAP services, such as the Business Rules service, and these services require users to have specific roles to use them.

Setting Up User Authentication and Access


The process to configure authentication and access requires you to perform configuration tasks on
SAP Business Technology Platform (SAP BTP) for the SAP Cloud Identity Access Governance tenant
and the Identity Authentication service.

1. Maintain Users and User Groups in Identity Authentication

Below are a few screenshots which I took while exploring user maintenance and group assignment.

Well, if you have some background in any cloud platform, it becomes easier to understand the logic of how and why we use groups to give access to users.

Below are the key activities which are to be performed to give access to users:

In IAG we follow a specific naming convention to create groups, as below:

I will mention the user groups required for specific services (Access Analysis, Access Request, Access Certification etc.) in the document for that particular service.

2. Pre-Delivered Role Collections on SAP BTP

In the tenant for SAP Cloud Identity Access Governance on SAP BTP, the administrator can view the pre-delivered role collections.

The role collections CIAG_Display, CIAG_Access_Certification_Admin, and CIAG_Super_Admin are primarily required to gain full access to the apps in SAP Cloud Identity Access Governance.

Below is the screen which can help you to understand where we can view Role Collections:

Below is the Role Collection used for all Business Users:

Some more standard role collections are pre-defined by SAP for use in IAG and can easily be used.

I will mention them in the specific document.

3. Mapping Role Collections to Identity Authentication

To map the Role Collections to your Identity Authentication tenant, you must do the following:

1. Set Identity Authentication as a trusted identity provider (this is a simple exchange of certificates)
2. Set up assertion-based groups and attributes mapping.

Part A: Manually Establish Trust and Federation Between UAA and Identity Authentication

SAP Cloud Identity Access Governance services use Identity Authentication to provide user identity authentication.

This is a 5-step configuration:

Step 1: Download the SAML Metadata File for the Subscriber Subaccount, as shown in the screenshot:

1. Go to the SAP BTP cockpit, and open your subscriber subaccount.
2. In the menu panel on the left side, choose Security and Trust Configuration.
3. Download the SAML Metadata file for the subaccount. The file is downloaded with a name that contains the subdomain of the subaccount. The name makes it easier to find the file when uploading it at a later date.

Step 2: Create Application in Identity Authentication and Upload SAP BTP Metadata File

1. In the Identity Authentication cockpit, navigate to Applications & Resources > Applications.

2. Add a custom application and save.

3. Upload the metadata from the SAP BTP tenant.

1. From the Custom Applications list, select your new custom application, and then select
SAML 2.0 Configuration.

2. In the Metadata File field, browse to the location of the SAP BTP metadata file.

3. Upload the file and save.

Step 3: Set Up Assertion-based Groups for Identity Authentication and Role Collection Mapping

1. Log in to the Identity Authentication tenant and navigate to Applications & Resources > Applications.

2. Under Custom Applications, select your custom application. (This is the application you
created as part of the procedure for setting up a trust relationship between the Identity
Authentication service tenant and the SAP BTP tenant.)

3. Choose Assertion Attributes and create the following attributes:

4. Save

Add assertion-based groups and attributes mapping

1: Log on to the SAP BTP tenant, and navigate to Security > Trust Configuration > Name

2: Click the Establish Trust button

3: Configure Tenant

4: Choose New Role Collection Mapping to create the mapping rules.

Some examples of role collections are listed below:

Let’s create one role collection as an example:
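As an added illustration (not code from the original document or from SAP), the following Python script shows what a role collection mapping rule does at logon: it reads the Groups assertion attribute set up in Step 3 and grants only the role collections whose rule matches, so a user in no mapped group receives nothing. The assertion, the group names and the rule operators are constructed assumptions; the role collection names are the ones named on this page.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not captured from a real tenant). The
# "Groups" attribute is the assertion attribute whose values carry the
# Identity Authentication group names of the logged-on user.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Groups">
      <saml:AttributeValue>IAG_Display</saml:AttributeValue>
      <saml:AttributeValue>IAG_Cert_Admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed mapping rules in the shape of a New Role Collection Mapping
# entry: (attribute, operator, value) -> role collection. The group names
# are hypothetical; the role collections are the ones named in this document.
MAPPING_RULES = [
    ("Groups", "equals", "IAG_Display", "CIAG_Display"),
    ("Groups", "equals", "IAG_Cert_Admin", "CIAG_Access_Certification_Admin"),
    ("Groups", "equals", "IAG_Super_Admin", "CIAG_Super_Admin"),
]


def assertion_attributes(xml_text):
    """Collect {attribute name: [values]} from the AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def _matches(operator, actual, expected):
    """Rule operators as assumed here: exact match or substring match."""
    if operator == "equals":
        return actual == expected
    if operator == "contains":
        return expected in actual
    raise ValueError(f"unsupported operator: {operator}")


def map_role_collections(attrs, rules):
    """Role collections a user receives at logon: only those whose rule is
    satisfied by one of the asserted values. There is no default, so a user
    who is in none of the mapped groups gets no role collection at all."""
    granted = set()
    for attribute, operator, value, role_collection in rules:
        if any(_matches(operator, v, value) for v in attrs.get(attribute, [])):
            granted.add(role_collection)
    return sorted(granted)


if __name__ == "__main__":
    attrs = assertion_attributes(SAMPLE_ASSERTION)
    print(attrs["Groups"], "->", map_role_collections(attrs, MAPPING_RULES))
```

Note that an "equals" rule does not match a group whose name merely starts with the rule value, which is why a strict naming convention for IAS groups matters.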

Step 4: Download SAML Metadata File for Identity Authentication

1. In the Identity Authentication cockpit, navigate to Tenant Settings > SAML 2.0 Configuration

3. Download Metadata file

Step 5: Add new Trust Configuration for the SAP Cloud Identity Access Governance Subaccount

1. Go to the SAP BTP cockpit, and open your subscriber subaccount. In the menu panel on the left side, choose Security, Trust Configuration, and New Trust Configuration

2. Upload the SAML Metadata file

3. Enter a meaningful Name, Description, and Link Text for User Logon (for instance, the tenant ID of the Identity Authentication Service) and Save

Part B: Establish Trust and Federation Between UAA and Identity Authentication

For enabling trust with a tenant of SAP Cloud Identity Services - Identity Authentication, the service creates an OpenID Connect (OIDC) application in Identity Authentication to represent your subaccount.

For more information, refer to:

https://help.sap.com/docs/BTP/65de2977205c403bbc107264b8eccf4b/bbb4a8a1eae04843967a8a629dcb30f9.html?state=DRAFT&q=Default%20Configuration%20of%20

Part C: Maintaining Access to Tasks

Within the framework of access governance, tasks have different levels of risk and sensitivity.
You use Identity Authentication tools to ensure that only designated users can perform
administrative tasks. For example, only users designated as business role approvers can approve
new business roles. There are three steps in this procedure:

1. In the Identity Authentication tenant, create your groups

2. Assign the appropriate users to the relevant groups.

3. Sync the user-group assignments. In the Fiori launchpad for SAP Cloud Identity Access
Governance, open the Job Scheduler app, and run Sync User Groups from IAS job.

Part D: Syncing User Groups from Identity Authentication Service

To ensure user groups information is synchronized between the Identity Authentication service
tenant and the tenant for SAP Cloud Identity Access Governance on SAP Business Technology
Platform (SAP BTP), you must maintain the required system in Identity Authentication and the
destination in the tenant for SAP Cloud Identity Access Governance and then run the SCI User Group
Sync job in the Job Scheduler app.

Step 1: Set Up IAG Sync System as Administrator in the Identity Authentication tenant

1. Login to the Identity Authentication tenant.

2. Choose Administrators tile.

3. Press the +Add button in the left-hand panel to add a new administrator to the list.

4. Choose Add System.

5. Enter the name of the system under Name as IAG Sync.

**Choose the name for your system administrator carefully. Once created, the name cannot be changed.

6. To be a tenant administrator, a user must be assigned Manage Users and Manage Groups from the Administrator Roles.

Below are a few screenshots to help understand this.

Step 2: Create SCIUserGroup destination in the Tenant for SAP Cloud Identity Access Governance on
SAP BTP

1. In the tenant for SAP Cloud Identity Access Governance, go to the Subaccounts dropdown menu
and choose your subaccount.

2. Choose Connectivity > Destinations in the navigation panel.

3. Create the SCIUserGroup destination.

Enter the properties listed below:

Step 3: Run SCI User Group Sync Job

1. Log in to the SAP Cloud Identity Access Governance launchpad and open the Job Scheduler app.

2. In the Job Name field, enter a job name.

3. In the Job Category field, select SCI User Group Sync from the dropdown list.

4. In the Recurring Job field, select No.

5. In the Start Immediately field, select Yes.

6. Enter information in all required fields and choose Schedule Job. The job status and log can be
checked in the Job History app.
