Integration Guide | PUBLIC
2021-08-20
IAG Bridge Cloud: SAP AC 12.0 (on-premise), SAP
Cloud Identity Access Governance, and Cloud
Applications
© 2021 SAP SE or an SAP affiliate company. All rights reserved.
Content
1 Introduction
2 Integration Overview
3 Complete Integration for SAP Cloud Identity Access Governance and Target Cloud Applications
4 Sync Repository Data from Target Cloud Application to SAP Identity Access Governance Repository
5 Complete Integration of SAP Access Control On-Premise to SAP Cloud Identity Access Governance
5.1 Install Connector
5.2 Maintain RFC Destinations for Cloud Connectors
5.3 Configure the Identity Authentication Service in SAP BTP
5.4 Configure Parameters for Cloud Integration
5.5 Create Connectors and Connector Groups
5.6 Create Destinations for SAP Cloud Identity Access Governance Service
5.7 Sync Cloud Application Repository Data from IAG Repository to SAP Access Control System
5.8 Create Access Requests for Cloud Applications
5.9 User Access Review in SAP Access Control 12.0 for the Bridge Scenario
5.10 Run Provisioning Jobs
IAG Bridge Cloud: SAP AC 12.0 (on-premise), SAP Cloud Identity Access Governance, and
Cloud Applications
2 PUBLIC Content
1 Introduction
This document explains how to enable SAP Access Control 12.0 (on-premise) to use SAP Cloud Identity Access
Governance as a bridge for creating access requests, and performing risk analysis, for cloud applications.
For example, you use the on-premise SAP Access Control application to create access requests for your cloud
application. The risk analysis, the assignment of mitigating controls (if needed), and the provisioning are
handled by SAP Cloud Identity Access Governance.
2 Integration Overview
Note
In the bridge scenario, only one SAP Access Control system can be connected to SAP Cloud Identity Access
Governance at a time.
Prerequisites
You must have completed the following prerequisites before proceeding with this integration:
● Working instance of SAP Cloud Identity Access Governance (see IAG Admin Guide)
● Working instance of SAP Access Control 12.0 on-premise (see AC 12.0 Admin Guide)
● Working instance of at least one integrated target cloud application
● Working instance of Identity Authentication
Procedure
Carry out the following steps for the integration process:
1. Complete the integration process for SAP Cloud Identity Access Governance and target cloud
application, for instance, SAP Ariba.
2. In the SAP Cloud Identity Access Governance launchpad, sync the repository data from target app to the
IAG repository.
3. Complete the integration process for the SAP Access Control on-premise system and SAP Cloud
Identity Access Governance.
4. In the SAP Access Control system, sync the repository data from the IAG repository to the SAP Access
Control system.
5. In the SAP Access Control system, create access requests for target cloud application.
3 Complete Integration for SAP Cloud Identity Access Governance and Target Cloud Applications
Full integration enables communication and data sync between SAP Cloud Identity Access Governance and
target cloud applications.
Note
The information in this section refers to the Administration Guide.
Procedure
To enable communication and data syncing between SAP Cloud Identity Access Governance and a target cloud
application, do the following:
1. In the SAP Business Technology Platform cockpit (SAP BTP), create destinations for your specific target
application, e.g. SAP Ariba. (See Administration Guide - Integration Scenarios.)
2. In the SAP Cloud Identity Access Governance launchpad, open the Systems app and choose the plus (+) to
add a system for the target application destination. Use the information from the destination you created
in SAP BTP to fill in the fields. (See Administration Guide - Integration Scenarios - Add App Instance.)
Note
For a successful integration of SAP Access Control with SAP Cloud Identity Access Governance, the names of
the systems and business function groups that you create in the Systems and Business Function Group apps
in SAP Cloud Identity Access Governance must have 10 characters or less, because SAP Access Control
supports only 10-character names.
This completes the communication setup between SAP Cloud Identity Access Governance and your target
cloud application.
4 Sync Repository Data from Target Cloud Application to SAP Identity Access Governance Repository
Procedure
To sync repository data from a cloud application to the SAP Cloud Identity Access Governance repository, do
the following:
1. Open SAP Cloud Identity Access Governance launchpad.
2. Open the Job Scheduler app.
3. Schedule and run the Repository Sync job.
5 Complete Integration of SAP Access Control On-Premise to SAP Cloud Identity Access Governance
Complete integration enables communication and data sync between SAP Cloud Identity Access Governance
and SAP Access Control.
Note
The information in this section refers to the Administration Guide - Integration Scenarios - SAP ABAP (on-premise).
This section contains the following tasks:
1. Install connector for SAP Business Technology Platform (SAP-BTP).
2. Create RFC destinations for the IAGTRIGGER app.
3. Configure cloud integration parameters.
4. Create connector and connector group for target applications.
5. Create destination for IAG_PROVISION_STATUS_UPDATE_SRV.
Prerequisites
● You have upgraded the target system to one of the supported NetWeaver versions and support packs (see
Required NW version and SP).
● You have created the RFC user required to allow communication with SAP Cloud Identity Access Governance
(see Required RFC User).
● You have set up a trust configuration for Identity Authentication.
5.1 Install Connector
In the customer landscape, install and configure the connector for the SAP Business Technology Platform
(SAP-BTP) to enable communication between on-premise systems and the SAP-BTP, and maintain
destinations for each SAP Access Control system. (For detailed steps, see Maintaining Cloud Connector).
After performing the steps mentioned in the link above, enter the Function Name and the Naming Policy for
the SAP Access Control system added to the cloud connector.
5.2 Maintain RFC Destinations for Cloud Connectors
Procedure
To maintain the RFC destinations, do as follows:
1. For authentication, set up a connection between SAP Cloud Identity Access Governance and the Identity
Authentication service.
   1. Use one of the URLs listed below, depending on your region and edition:
      For customers in the United States subscribing to the standard edition:
      grc-iag-us10-grc-iag-core-us10-java-rest-authentication.cfapps.us10.hana.ondemand.com
      For customers in the United States subscribing to the integration edition:
      grc-iag-us10-grc-iag-core-us10-java-rest-authentication-intg.cfapps.us10.hana.ondemand.com
      For customers in the EU region subscribing to the standard edition:
      grc-iag-eu10-grc-iag-core-eu10-java-rest-authentication.cfapps.eu10.hana.ondemand.com
      For customers in the EU region subscribing to the integration edition:
      grc-iag-eu10-grc-iag-core-eu10-java-rest-authentication-intg.cfapps.eu10.hana.ondemand.com
   2. Create the authorization credentials.
      You only need to create a system user in Identity Authentication and append the subdomain name to the
      user name, separated by @:
      Username: <IAS SYSTEM USER LOGON NAME OR USER ID>@<CUSTOMER SUBDOMAIN NAME>
      Password: the Identity Authentication password of that system user.
      In SAP BTP, you can obtain your unique subdomain name from the overview page of your subaccount
      for SAP Cloud Identity Access Governance.
      Example:
      Username: User@iagcustone
      Password: xxxx
2. Create the following two destinations. For each one, run transaction SM59 and create an HTTP connection
to an external server (External HTTP Destination) with these settings:
   1. SAP Cloud Identity Access Governance authentication with Identity Authentication
      RFC Destination: BRIDGE_SOD_AUTH
      Host: the authentication URL from step 1
      Logon & Security: user and password from step 1; select SSL active
      Path: /authentication
      Port: 443
   2. Destination for the SoD check
      RFC Destination: BRIDGE_SOD_CHECK
      Host: the Trigger service URL for your region, listed below
      Logon & Security: leave the logon blank (do not provide any user or password); select SSL active
      Path: /
      Port: 443
      Use the region-based URLs listed below for the Trigger service application of SAP Cloud Identity
      Access Governance:
      For customers in the United States subscribing to the standard edition:
      grc-iag-us10-grc-iag-core-us10-java-rest-trigger.cfapps.us10.hana.ondemand.com
      For customers in the United States subscribing to the integration edition:
      grc-iag-us10-grc-iag-core-us10-java-rest-trigger-intg.cfapps.us10.hana.ondemand.com
      For customers in the EU region subscribing to the standard edition:
      grc-iag-eu10-grc-iag-core-eu10-java-rest-trigger.cfapps.eu10.hana.ondemand.com
      For customers in the EU region subscribing to the integration edition:
      grc-iag-eu10-grc-iag-core-eu10-java-rest-trigger-intg.cfapps.eu10.hana.ondemand.com
3. Create the third destination (one for each cloud application), again in transaction SM59 as an HTTP
connection to an external server (External HTTP Destination). Refer to the example below.
      RFC Destination: ARIBA_DEST (this name must correspond to the system name listed in the Systems app
      in SAP Cloud Identity Access Governance)
      Host: the same Trigger service URL as in the previous step
      Logon & Security: leave the logon blank (do not provide any user or password); select SSL active
      Path: /com/sap/grc/iag/service/roleSimulationService.svc/
      Port: 443
Note
The Identity Authentication system user stored in BRIDGE_SOD_AUTH is the only credential held in these
destinations; BRIDGE_SOD_CHECK and the per-application destinations carry no logon data. For a destination
with SSL active, the certificate chain of the target host must be present in the SSL client PSE (transaction
STRUST); otherwise the connection test in SM59 fails.
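As an added example (not code from the SAP guide), the following Python script derives the region-specific host names from the URL pattern shown above and checks a set of destination definitions against the rules of this section before they are typed into SM59: only BRIDGE_SOD_AUTH carries a logon, every destination uses SSL on port 443, and each per-application destination name (which must match the system name in the IAG Systems app) respects the 10-character limit noted in sections 3 and 5.5. The customer values in the demo (user, subdomain, password, system names) are constructed, and the host name pattern is assumed to hold only for the two regions the guide lists.

```python
"""Pre-flight check for the SM59 HTTP destinations of the IAG bridge scenario.

Added example, not SAP code. The host names follow the pattern of the URLs
listed in section 5.2 for the us10 and eu10 regions; the customer values in
the demo (user, subdomain, password, system names) are constructed.
"""
from dataclasses import dataclass

REGIONS = ("us10", "eu10")                         # regions listed in the guide
EDITION_SUFFIX = {"standard": "", "integration": "-intg"}
ROLE_SIM_PATH = "/com/sap/grc/iag/service/roleSimulationService.svc/"
MAX_AC_NAME_LEN = 10   # SAP Access Control supports only 10-character names


def iag_host(service: str, region: str, edition: str) -> str:
    """Derive the IAG REST host for the 'authentication' or 'trigger' service."""
    if region not in REGIONS:
        raise ValueError(f"region {region!r} is not one of {REGIONS}")
    if service not in ("authentication", "trigger"):
        raise ValueError(f"unknown IAG service {service!r}")
    if edition not in EDITION_SUFFIX:
        raise ValueError(f"unknown edition {edition!r}")
    return (f"grc-iag-{region}-grc-iag-core-{region}-java-rest-{service}"
            f"{EDITION_SUFFIX[edition]}.cfapps.{region}.hana.ondemand.com")


def ias_logon_user(ias_user: str, subaccount_subdomain: str) -> str:
    """Build '<IAS system user>@<BTP subaccount subdomain>' for BRIDGE_SOD_AUTH."""
    if not ias_user or not subaccount_subdomain or "@" in subaccount_subdomain:
        raise ValueError("need a non-empty IAS user and a plain subdomain name")
    return f"{ias_user}@{subaccount_subdomain}"


@dataclass(frozen=True)
class HttpDestination:
    """One SM59 'HTTP connection to external server' entry."""
    name: str
    host: str
    path: str
    port: int = 443
    ssl_active: bool = True
    user: str = ""          # blank logon data: no credential stored in SM59
    password: str = ""


def bridge_destinations(region, edition, ias_user, subdomain, ias_password, iag_systems):
    """Return BRIDGE_SOD_AUTH, BRIDGE_SOD_CHECK and one role-simulation destination
    per IAG system name; each such name must match the Systems app in IAG."""
    auth_host = iag_host("authentication", region, edition)
    trigger_host = iag_host("trigger", region, edition)
    dests = [
        HttpDestination("BRIDGE_SOD_AUTH", auth_host, "/authentication",
                        user=ias_logon_user(ias_user, subdomain),
                        password=ias_password),
        HttpDestination("BRIDGE_SOD_CHECK", trigger_host, "/"),
    ]
    dests += [HttpDestination(name, trigger_host, ROLE_SIM_PATH) for name in iag_systems]
    return dests


def validate(dests):
    """Return a list of findings; an empty list means the set matches section 5.2."""
    findings = []
    names = [d.name for d in dests]
    if len(set(names)) != len(names):
        findings.append("duplicate destination names")
    for d in dests:
        if not d.ssl_active or d.port != 443:
            findings.append(f"{d.name}: SSL must be active on port 443")
        if d.name == "BRIDGE_SOD_AUTH":
            if "@" not in d.user or not d.password:
                findings.append(f"{d.name}: needs '<user>@<subdomain>' and the IAS password")
        elif d.user or d.password:
            findings.append(f"{d.name}: leave logon blank; only BRIDGE_SOD_AUTH carries a credential")
        if d.name not in ("BRIDGE_SOD_AUTH", "BRIDGE_SOD_CHECK") and len(d.name) > MAX_AC_NAME_LEN:
            findings.append(f"{d.name}: IAG system name exceeds {MAX_AC_NAME_LEN} characters")
    return findings


if __name__ == "__main__":
    # Constructed demo values: US region, standard edition, one Ariba system.
    dests = bridge_destinations("us10", "standard", "User", "iagcustone", "xxxx", ["ARIBA_DEST"])
    for d in dests:
        logon = "user/password from step 1" if d.user else "blank"
        print(f"{d.name:16} host={d.host}")
        print(f"{'':16} path={d.path} port={d.port} ssl={d.ssl_active} logon={logon}")
    print("findings:", validate(dests) or "none")
```

Run it once with your own region, edition and IAG system names before touching SM59; a non-empty findings list points at the row that would fail later (typically a system name longer than 10 characters, which SAP Access Control cannot store, or a credential placed on a destination that should have none).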
5.3 Configure the Identity Authentication Service in SAP BTP
1. In SAP BTP, create a destination for Identity Authentication.
2. Go to your subaccount and open Connectivity > Destinations > New Destination.
3. Create the destination with the values specified below.
   Name: IAGAuthService
   Type: HTTP
   Description: IAGAuthService
   URL: <IAG service URL>/service/users/password
   Proxy Type: Internet
   Authentication: No Authentication
Note
Copy the URL from Security > Trust Configuration: select your IAS entity ID (it contains the URL of your
Identity Authentication tenant).
5.4 Configure Parameters for Cloud Integration
1. Go to SPRO > Governance, Risks and Compliance > Access Control > Maintain Configuration Settings.
2. Maintain the parameters and values required for the cloud integration. For the parameter list and the
values, see Configure Parameters for SAP Identity Access Governance.
5.5 Create Connectors and Connector Groups
Create connectors and connector groups for the target cloud application.
1. Go to SPRO > Governance, Risks and Compliance > Common Component Settings > Integration Framework >
Maintain Connectors and Connection Types.
2. Create the connection type definitions IAG and IAG_GRP (only for customers subscribing to SAP Ariba and
SAP SuccessFactors).
Note
For steps 3 and 4 below, the names of the systems and business function groups defined in the Systems and
Business Function Group apps in SAP Cloud Identity Access Governance must have 10 characters or less,
because SAP Access Control supports only 10-character names.
3. Define the connectors for the target cloud applications.
4. Assign the connectors to connector groups.
5.6 Create Destinations for SAP Cloud Identity Access Governance Service
This delivered service is used by SAP Cloud Identity Access Governance to push provisioning status updates to
SAP Access Control. This enables the proper and accurate display of provisioning status for access requests.
1. Go to SPRO > Governance, Risks and Compliance > SAP NetWeaver > SAP Gateway > Administration >
General Settings > Activate and Maintain Services.
2. In the Service Catalog screen, select IAG_PROVISION_STATUS_UPDATE_SRV and activate it.
3. In the System Aliases pane, choose Add System Alias, add the local host as the alias, and save.
4. In the ICF Nodes pane, choose SAP Gateway Client and Execute.
5. In the HTML pane, copy the href link. You need it for the next step.
6. In the Cloud Connector, create a system mapping for the provisioning status update service.
   1. Open the Cloud Connector, select the subaccount, and choose Cloud To On-Premise.
   2. Go to the Access Control tab and choose the plus (+) sign to add a new system mapping.
   3. For Backend Type, select ABAP System and choose Next.
   4. For Protocol, select HTTPS and choose Next.
   5. Enter the internal host and port and choose Next. You can take both from the service URL you copied
      in step 5 (refer to the image in step 5).
      ○ Internal Host: the host name only, without the protocol, port, or path.
      ○ Internal Port: the port number from the URL.
   6. For Principal Type, select X.509 Certificate (General Usage) and choose Next.
   7. Select the Check Internal Host checkbox and choose Finish.
   8. Add a resource path. In the Mapping Virtual To Internal System table, select the new mapping. In the
      Resources Accessible On section, choose the pencil icon to edit it. In the URL Path field, make sure
      that /sap/opu/odata/sap/IAG_PROVISION_STATUS_UPDATE_SRV is entered, and save.
      Expose only this service path. The resource list of a mapping is the allow-list of what the cloud
      side can reach on the ABAP system, so do not widen it to /sap/opu/odata or /.
   9. Test the configuration. In the Mapping Virtual To Internal System table, select the new mapping and
      choose the check-availability icon.
7. In SAP BTP, create a destination for the provisioning status update virtual mapping.
   1. Go to Connectivity > Destinations and choose the plus sign (+) to add a destination. Enter
      IAGProvisionStatusUpdate as the name.
   2. In the URL field, paste the service URL from the services configuration step (step 5).
   3. Save the entries.
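Added example, not code from the SAP guide: the following Python helper takes the href copied from the SAP Gateway Client in step 5 and derives the fields for the Cloud Connector system mapping (internal host without the protocol, port, resource path) and for the IAGProvisionStatusUpdate destination. The sample host grcdev.corp.example, the port 44300 and the entity-set name ProvisionStatusSet are constructed; the proxy type OnPremise is the usual setting for a destination routed through the Cloud Connector and is an assumption here, since the guide does not list that field. The resource_allowed function models the Cloud Connector access policy for the mapped resource (path only versus path and all sub-paths), a choice the guide does not spell out, to show why OData calls addressed below the service path need the sub-paths policy.

```python
"""Derive the Cloud Connector mapping and the BTP destination for
IAG_PROVISION_STATUS_UPDATE_SRV from the URL copied in the SAP Gateway Client.

Added example, not SAP code. Host, port and entity-set names in the demo are
constructed; the resource path is the one named in section 5.6.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

SERVICE_PATH = "/sap/opu/odata/sap/IAG_PROVISION_STATUS_UPDATE_SRV"
DEFAULT_PORTS = {"https": 443, "http": 80}


@dataclass(frozen=True)
class CloudConnectorMapping:
    backend_type: str      # "ABAP System"
    protocol: str          # "HTTPS"
    internal_host: str     # host name only, no protocol (guide step 6.5)
    internal_port: int
    principal_type: str    # "X.509 Certificate (General Usage)"
    resource_path: str     # entry under Resources Accessible On (guide step 6.8)


def mapping_from_gateway_url(href: str) -> CloudConnectorMapping:
    """Turn the href copied from the Gateway Client (step 5) into mapping fields."""
    parts = urlsplit(href)
    if parts.scheme != "https":
        raise ValueError("the mapping uses HTTPS; copy the href of an HTTPS ICF node")
    if not parts.hostname:
        raise ValueError("URL has no host")
    path = parts.path.rstrip("/")
    if path != SERVICE_PATH and not path.startswith(SERVICE_PATH + "/"):
        raise ValueError(f"URL path {parts.path!r} is not the {SERVICE_PATH} service")
    return CloudConnectorMapping(
        backend_type="ABAP System",
        protocol="HTTPS",
        internal_host=parts.hostname,            # urlsplit strips scheme, port and path
        internal_port=parts.port or DEFAULT_PORTS[parts.scheme],
        principal_type="X.509 Certificate (General Usage)",
        resource_path=SERVICE_PATH,              # expose only this service, nothing wider
    )


def resource_allowed(request_path: str, mapping: CloudConnectorMapping,
                     sub_paths: bool = True) -> bool:
    """Model the Cloud Connector access policy for the mapped resource:
    'Path only' (sub_paths=False) admits the exact path, 'Path and all sub-paths'
    (sub_paths=True) also admits everything below it. OData entity sets are
    addressed below the service path, so status updates need the sub-paths policy."""
    base = mapping.resource_path.rstrip("/")
    if request_path.rstrip("/") == base:
        return True
    return sub_paths and request_path.startswith(base + "/")


def btp_destination(virtual_host: str, virtual_port: int,
                    mapping: CloudConnectorMapping) -> dict:
    """Fields of the IAGProvisionStatusUpdate destination in SAP BTP (step 7).
    virtual_host/virtual_port are the virtual side of the Cloud Connector mapping.
    The guide pastes the copied service URL into the destination, which works when
    the virtual host and port equal the internal ones (the wizard's default)."""
    return {
        "Name": "IAGProvisionStatusUpdate",
        "Type": "HTTP",
        "URL": f"https://{virtual_host}:{virtual_port}{mapping.resource_path}",
        "ProxyType": "OnPremise",   # assumption: destination is routed via Cloud Connector
    }


if __name__ == "__main__":
    # Constructed href as copied from the Gateway Client; the sap-client query is dropped.
    href = ("https://grcdev.corp.example:44300"
            "/sap/opu/odata/sap/IAG_PROVISION_STATUS_UPDATE_SRV/?sap-client=100")
    m = mapping_from_gateway_url(href)
    print(m)
    print(btp_destination(m.internal_host, m.internal_port, m))
    entity_set = SERVICE_PATH + "/ProvisionStatusSet"   # constructed entity-set name
    print("entity set reachable with sub-paths policy:", resource_allowed(entity_set, m))
    print("entity set reachable with path-only policy:",
          resource_allowed(entity_set, m, sub_paths=False))
```

The helper rejects an http:// href outright because the mapping protocol chosen in step 6.4 is HTTPS and a mismatch only shows up later as a failed availability check; it also refuses any URL whose path is not the IAG service, which catches the common slip of copying the href of a neighbouring OData service from the same Gateway Client screen.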
5.7 Sync Cloud Application Repository Data from IAG Repository to SAP Access Control System
Go to SPRO > Governance, Risks and Compliance > Synchronization Jobs and run the Repository Object Sync.
1. In Select Sync Job, select all three jobs.
2. In Select Connector and Sync Mode, select the connector you created for the cloud application (connection
type IAG or IAG_GRP).
3. In Advanced Options, select IAG Import.
5.8 Create Access Requests for Cloud Applications
Use SAP Access Control to create access requests for the target cloud applications.
5.9 User Access Review in SAP Access Control 12.0 for the Bridge Scenario
User Access Review (UAR) in Access Control 12.0 is an automated process for periodic access review.
Some other features of the UAR include a decentralized review of user access; workflow of requests for review
and approval; automatic role removal, if needed; status and history reports to assist in monitoring the review
process; audit trail and reports for supporting internal and external audits; and support for business roles and
backend systems integrated with SAP Access Control as well as legacy systems.
To run a User Access Review for the bridge scenario, follow the steps below.
Procedure
To schedule the background job in SAP NetWeaver Business Client (NWBC), fill in the details as follows:
1. Go to Schedule Details.
   1. Select Generate data for access request UAR review.
   2. Select Recurring Plan or Start Immediately.
2. In Select Variant, select the relevant Connector ID. The connector ID must belong to the application type
IAG or IAG_GRP.
3. Once the job has finished, schedule the second job, Update Workflow for UAR request.
   Whether the request is sent to the role owner's or the manager's inbox depends on the UAR configuration
   under SPRO > Governance, Risk and Compliance > Access Control > Maintain Configuration Settings.
4. After the approval process is completed in SAP Access Control, the request is sent to SAP Cloud Identity
Access Governance for deprovisioning.
5. After deprovisioning, the cloud application updates the provisioning status, repository, audit log, and
workflow.
5.10 Run Provisioning Jobs
In the SAP Fiori launchpad for SAP Identity Access Governance, run the provisioning job to retrieve provisioning
requests from SAP Access Control and push them to the target cloud application.
1. In the SAP Fiori launchpad, open the Job Scheduler app.
2. In the Job Category field, select Provisioning.
We recommend setting this as a recurring job.