SAP Cloud - IAG Security Guide
Uploaded by
Dileep reddySAP Cloud - IAG Security Guide
Uploaded by
Dileep reddySecurity Guide | PUBLIC
2302-02-28
SAP Cloud Identity Access Governance Security
Guide
© 2025 SAP SE or an SAP affiliate company. All rights reserved.
THE BEST RUN
Content
1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1 Security Components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.2 Default Security Configuration and Security Recommendations. . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2 Internal Communication Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.1 OAuth Roles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.2 User Authentication and Application Access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.3 Authorization for Privileged Access Management (PAM). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3 Cloud Connector Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
3.1 Required RFC User for SAP Cloud Identity Access Governance Services on Target System. . . . . . . . . 10
4 Data Protection and Privacy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
4.1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
4.2 Glossary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
4.3 Personal Data Record. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Information Report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
4.4 Deletion of Personal Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Deleting Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
User-related Information Stored in DB table. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
4.5 Data Retention Management (Beta). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Test Mode Function for Data Destruction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
5 Authorization Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27
5.1 Authorization Concept. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
5.2 Prerequisites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
5.3 Authorization Policy App (Features and Procedures). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
5.4 Default Authorizations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
5.5 Maintaining Authorizations for Access Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
5.6 Maintaining Authorizations for Access Request. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
5.7 Maintaining Authorizations for Business Function Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36
6 Integration of Audit Log Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39
6.1 Event Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
7 User Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
7.1 Setting Up User Authentication and Access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49
Maintain Users and User Groups in Identity Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Pre-Delivered Role Collections on SAP BTP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
SAP Cloud Identity Access Governance Security Guide
2 PUBLIC Content
Map Role Collections and Identity Authentication Group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Set Up Assertion-based Groups for IdentityAuthentication and Role Collection Mapping. . . . . . . 64
Maintaining Access to Tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Syncing User Groups from SAP Identity Services Identity Directory . . . . . . . . . . . . . . . . . . . . . . 66
Connecting Identity Provisioning Bundle Tenant. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
8 Support Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
SAP Cloud Identity Access Governance Security Guide
Content PUBLIC 3
1 Introduction
The SAP Cloud Identity Access Governance solution is built on the SAP Business Technology Platform (SAP
BTP). It uses SAP NetWeaver APIs to fetch data from target systems and perform access analysis.
This document covers security relevant information for only the scenario of SAP Cloud Identity Access
Governance fetching data from SAP target systems behind a firewall and using the Identity Authentication
for user authentication with SAP BTP applications.
The SAP Cloud Identity Access Governance solution includes the following services.
• SAP Cloud Identity Access Governance, access analysis service
• SAP Cloud Identity Access Governance, role design service
• SAP Cloud Identity Access Governance, access request service
• SAP Cloud Identity Access Governance, access certification service
• SAP Cloud Identity Access Governance, privileged access management service
Note
Unless specifically stated, it is understood that the information in this security guide applies to all SAP
Cloud Identity Access Governance services.
For additional information about configuration, see the Administrator Guide.
1.1 Security Components
The diagram below illustrates security relevant components in the SAP Cloud Identity Access Governance
services architecture.
SAP Cloud Identity Access Governance Security Guide
4 PUBLIC Introduction
Security Components
Component Description
Target Applications (on-premise and cloud) This is the customer target system which contains the data
to be analyzed.
IAG API (SAP Cloud Identity Access Governance) The IAG Services API extracts data from the target applica-
tion. The API is part of NetWeaver, therefore you need to
upgrade your system to the required NetWeaver Basis Sup-
port Packs. The API is available for on-premise and the SAP
Business Technology Platform (SAP BTP).
SAP Business Technology Platform cloud connector The cloud connector sits behind the firewall and establishes
connectivity between SAP BTP and the target system.
SAP Cloud Identity Access Governance Services SAP Cloud Identity Access Governance services include: ac-
cess analysis, access request, role design, access certifica-
tion, and privileged access management
SAP Cloud Identity Access Governance Technical Compo- SAP Cloud Identity Access Governance services compo-
nents nents include: Repository, Scheduler, Reporting and Analyt-
ics, Appproval Workflow, and Users and Roles
Identity Authentication Identity Authentication is used to authenticate users before
allowing access to the (SAP BTP) solution and services.
SAP Workflow Service SAP Workflow service is used for automation of access re-
quests through the various stages of creation and approval.
SAP Cloud Identity Access Governance Security Guide
Introduction PUBLIC 5
Component Description
SAP Business Rule Service Business Rules service enables embedding of decisions into
the workflow.
Identity Provisioning Identity Provisioning allows provisioning of centrally man-
aged identities and their access across the enterprise (on-
premsie and cloud).
SAP Cloud Portal Services and Authorizations This controls the access of apps to the end user and is pro-
tected by SAP Cloud Identity Access Governance services
roles.
1.2 Default Security Configuration and Security
Recommendations
Since SAP Cloud Identity Access Governance runs on SAP BTP platform, refer here for more information on its
Default Security Configuration and Recommendations.
SAP Cloud Identity Access Governance Security Guide
6 PUBLIC Introduction
2 Internal Communication Security
SAP Cloud Identity Access Governance services use OAuth to protect communication between the
Provisioning and Repository services for SAP Cloud Identity Access Governance.
In the SAP Business Technology Platform (SAP BTP) cockpit, you need to set up the OAuth service and
maintain the destinations.
For more information on maintaining OAuth, see the SAP Cloud Identity Access Governance Admin Guide.
2.1 OAuth Roles
The following table shows the roles defined by OAuth and their respective entities in the SAP Business
Technology Platform (SAP BTP).
OAuth Roles
Role Entity in SAP BTP Description
Resource owner User An entity that holds protected assets.
This entity is capable of granting access
to those assets under its control.
Resource server Application The server that hosts the resource own-
er's protected assets.
Client Third-party application The third party entity that needs to ac-
cess the protected assets on behalf of
the resource owner.
Authorization server SAP BTP infrastructure The server that manages the authenti-
cation and authorization of the different
entities involved.
2.2 User Authentication and Application Access
SAP Cloud Identity Access Governance services use Identity Authentication for authentication, and uses user
groups to manage access to specific apps.
SAP Cloud Identity Access Governance Security Guide
Internal Communication Security PUBLIC 7
To enable user authentication and user access to apps, do the following:
1. Set Up User Groups and assign them the delivered SAP Cloud Identity Access Governance services roles in
the SAP Business Technology Platform (SAP BTP).
2. Set up Users and User Groups in Identity Authentication.
3. Set up Identity Authentication as an Identity Provider for the SAP BTP tenant.
For more information on maintaining authentication and application access, see the SAP Cloud Identity Access
Governance Administrator Guide.
2.3 Authorization for Privileged Access Management (PAM)
Business roles associated with a Privileged Access Management (PAM) ID should have access or a role that has
authorization to launch a remote session.
Procedure
1. In your ABAP system, create a role (for example: ZSIAG_PAMID_RFC_ACCESS) with the following
authorizations:
Auth Object Field Value
S_RFC ACTVT *
RFC_TYPE FUGR, FUNC
RFC_NAME *
2. Sync this role to the SAP Cloud Identity Access Governance application using the Repository Sync job. This
role should be part of all the business roles that will be associated with the PAM ID.
3. To access the PAM Launchpad, create a role (for example: ZSIAG_USER_LAUNCHPAD_ACCESS) in ABAP
systems with the following authorizations:
Auth Object Field Value
S_RFC
RFC_TYPE FUGR, FUNC
RFC_NAME *
ACTVT 16
S_TCODE
TCD SIAG_PAM_LAUNCH_PAD
S_USER_GRP
SAP Cloud Identity Access Governance Security Guide
8 PUBLIC Internal Communication Security
Auth Object Field Value
CLASS *
ACTVT *
S_ADMI_FCD S_ADMI_FCD PADM
This role should also be synced to the SAP Cloud Identity Access Governance application using the
Repository Sync job. The PAM User (user who requires the emergency access) should add this role to the
access request.
SAP Cloud Identity Access Governance Security Guide
Internal Communication Security PUBLIC 9
3 Cloud Connector Security
The SAP Business technology Platform (SAP BTP) cloud connector serves as the link between on-demand
applications in the SAP BTP and existing on-premise systems.
The cloud connector runs as an on-premise agent in a secured network and acts as a reverse invoke proxy
between the on-premise network and the SAP BTP. You need to install the cloud connector in your landscape
and configure it for the SAP BTP.
For more information on configuring the cloud connector, see the Administrator Guide.
3.1 Required RFC User for SAP Cloud Identity Access
Governance Services on Target System
An RFC user is needed in the target SAP system to allow communication with SAP Cloud Identity Access
Governance services using the SAP Business Technology Platform (SAP BTP).
Create an RFC user with the authorization objects and values listed in the table below.
RFC Authorization Objects
Object Description Authorization Fields Value
S_USER_UID Assignment of External UID ACTVT 22, 3
Note
Applicable for SAP Basis
release 7.53 and higher
versions
CLASS *
EXTUID_TYP GU
S_RFC Authorization check for RFC ACTVT 16
Access
SAP Cloud Identity Access Governance Security Guide
10 PUBLIC Cloud Connector Security
Object Description Authorization Fields Value
RFC_NAME SIAG*
BAPT RFC1
SDIF
SDIFRUNTIME
SDTX
SUSR
SUUS
SU_USER
SYST
SYSU
RFCPING
RFC_TYPE FUGR
FUNC
S_TCODE Authorization check at trans- TCD SU01
action start
S_ADMI_FCD System Administration Func- S_ADMI_FCD POPU, PADM
tion
S_TABU_DIS Table maintenance ACTVT 3
DICBERCLS &NC&
SC
SS
ZV&G
ZV&H
ZV&N
S_TOOLS_EX Tools Performance Monitor AUTH S_TOOLS_EX_A
S_GUI Authorization for GUI activi- ACTVT *
ties
S_USER_AGR Authorizations: role check ACTVT *
ACT_GROUP *
S_USER_AUT User Master Maintenance: ACTVT *
Authorizations
AUTH *
SAP Cloud Identity Access Governance Security Guide
Cloud Connector Security PUBLIC 11
Object Description Authorization Fields Value
OBJECT *
S_USER_GRP User Master Maintenance: ACTVT *
User Group
CLASS *
S_USER_PRO User Master Maintenance ACTVT *
Authorization Profile PROFILE *
S_USER_SAS User Master Mainte- ACTVT 01
nance: System-Specific As-
06
signments
22
ACT_GROUP *
CLASS *
PROFILE *
SUBSYSTEM *
S_USER_SYS User Master Maintenance: ACTVT 78
System for Central User
Maintenance SUBSYSTEM *
S_USER_TCD Authorizations: transactions TCD *
in roles
PLOG Plan Version PLVAR *
Object Type OTYPE *
Infotype INFOTYP *
Subtype SUBTYP *
Planning status ISTAT *
Function code PPFCODE *
S_USER_VAL Authorizations: filed values in AUTH_FIELD *
roles
AUTH_VALUE *
OBJECT *
S_DEVELOP ABAP Workbench ACTVT *
DEVCLASS SUSO
SAP Cloud Identity Access Governance Security Guide
12 PUBLIC Cloud Connector Security
Object Description Authorization Fields Value
OBJNAME SIAG*
OBJTYPE FUGR
P_GROUP *
Note
If you wish to integrate SAP Cloud Identity Access Governance with SAP Access Control in addition to the RFC
authorization objects listed above, you need the authorization object GRAC_MITC.
Refer also to 3238048 .
SAP Cloud Identity Access Governance Security Guide
Cloud Connector Security PUBLIC 13
4 Data Protection and Privacy
4.1 Introduction
Data protection is associated with numerous legal requirements and privacy concerns. In addition to
compliance with general data protection and privacy acts, it is necessary to consider compliance with industry-
specific legislation in different countries. SAP provides specific features and functions to support compliance
with regard to relevant legal requirements, including data protection, which are documented in these templates
along with the assumptions that have been guiding the implementation in the software. By nature of legal
requirements the conclusion whether these features are covering customer specific demands as well as the
conclusion whether additional measures have to be taken is solely with the customer.
Note
SAP does not provide legal advice in any form. SAP software supports data protection compliance by
providing security features and specific data protection-relevant functions, such as simplified blocking and
deletion of personal data. In many cases, compliance with applicable data protection and privacy laws will
not be covered by a product feature. Definitions and other terms used in this document are not taken from
a particular legal source.
Caution
The extent to which data protection is supported by technical means depends on secure system operation.
Network security, security note implementation, adequate logging of system changes, and appropriate
usage of the system are the basic technical requirements for compliance with data privacy legislation and
other legislation.
SAP Cloud Identity Access Governance Security Guide
14 PUBLIC Data Protection and Privacy
4.2 Glossary
Term Definition
Artificial Intelligence (AI) The simulation of human intelligence processes by machines
and computer systems – typically by learning, coming to its
own conclusions, appearing to understand complex content,
engaging in natural dialogs with people, enhancing human
cognitive performance (also known as cognitive computing)
or replacing people on execution of nonroutine tasks. Appli-
cations include autonomous vehicles, automatic speech rec-
ognition and generation and detecting novel concepts and
abstractions (useful for detecting potential new risks and
aiding humans to quickly understand very large bodies of
ever-changing information)
Automated Decision Making The ability to make decisions by technological means with-
out human involvement.
Blocking A method of restricting access to data for which the primary
business purpose has ended.
Business Purpose The legal, contractual, or in other form justified reason for
the processing of personal data to complete an end-to-end
business process. The personal data used to complete the
process is predefined in a purpose, which is defined by the
data controller. The process must be defined before the per-
sonal data required to fulfill the purpose can be determined.
Consent The action of the data subject confirming that the usage
of his or her personal data shall be allowed for a given pur-
pose. A consent functionality allows the storage of a consent
record in relation to a specific purpose and shows if a data
subject has granted, withdrawn, or denied consent.
Data Subject Any information relating to an identified or identifiable natu-
ral person ("data subject"). An identifiable natural person is
one who can be identified, directly or indirectly, in particular
by reference to an identifier such as a name, an identifica-
tion number, location data, an online identifier, or to one or
more factors specific to the physical, physiological, genetic,
mental, economic, cultural, or social identity of that natural
person.
Deletion Deletion of personal data so that the data is no longer avail-
able.
End of Business Defines the end of active business and the start of residence
time and retention period.
SAP Cloud Identity Access Governance Security Guide
Data Protection and Privacy PUBLIC 15
Term Definition
End of Purpose (EoP) The point in time when the processing of a set of personal
data is no longer required for the primary business purpose,
for example, when a contract is fulfilled. After the EoP has
been reached, the data is blocked and can only be accessed
by users with special authorizations (for example, tax audi-
tors).
End of Purpose (EoP) check A method of identifying the point in time for a data set when
the processing of personal data is no longer required for the
primary business purpose. After the EoP has been reached,
the data is blocked and can only be accessed by users with
special authorization, for example, tax auditors.
Personal data Any information relating to an identified or identifiable natu-
ral person ("data subject"). An identifiable natural person is
one who can be identified, directly or indirectly, in particular
by reference to an identifier such as a name, an identifica-
tion number, location data, an online identifier, or to one or
more factors specific to the physical, physiological, genetic,
mental, economic, cultural, or social identity of that natural
person.
Processing of Personal Data Processing means any operation or set of operations which
is performed on personal data or on sets of personal data,
whether or not by automated means, such as collection, re-
cording, organisation, structuring, storage, adaptation or al-
teration, retrieval, consultation, use, disclosure by transmis-
sion, dissemination or otherwise making available, alignment
or combination, restriction, erasure or destruction.
Purpose The information that specifies the reason and the goal for
the processing of a specific set of personal data. As a rule,
the purpose references the relevant legal basis for the proc-
essing of personal data.
Residence period The period of time between the end of business and the
end of purpose (EoP) for a data set during which the data
remains in the database and can be used in case of sub-
sequent processes related to the original purpose. At the
end of the longest configured residence period, the data is
blocked or deleted. The residence period is part of the over-
all retention period.
Retention period The period of time between the end of the last business
activity involving a specific object (for example, a business
partner) and the deletion of the corresponding data, subject
to applicable laws. The retention period is a combination of
the residence period and the blocking period.
SAP Cloud Identity Access Governance Security Guide
16 PUBLIC Data Protection and Privacy
Term Definition
Sensitive personal data A category of personal data that usually includes the follow-
ing type of information:
• Special categories of personal data, such as data reveal-
ing racial or ethnic origin, political opinions, religious or
philosophical beliefs, trade union membership, genetic
data, biometric data, data concerning health or sex life
or sexual orientation.
• Personal data subject to professional secrecy
• Personal data relating to criminal or administrative of-
fenses
• Personal data concerning insurances and bank or credit
card accounts
Technical and organizational measures (TOM) Some basic requirements that support data protection and
privacy are often referred to as technical and organizational
measures (TOM). The following topics are related to data
protection and privacy and require appropriate TOMs, for
example:
• Access control: Authentication features
• Authorizations: Authorization concept
• Read access logging
• Transmission control / Communication security
• Input control / Change logging
• Availability control
• Separation by purpose: Is subject to the organizational
model implemented and must be applied as part of the
authorization concept.
4.3 Personal Data Record
Data subjects have the right to receive information regarding their personal data undergoing processing. The
personal data record feature helps you to comply with the relevant legal requirements for data protection by
allowing you to search for and retrieve all personal data for a specified data subject. The search results are
displayed in a comprehensive and structured list containing all personal data of the data subject specified,
organized according to the purpose for which the data was collected and processed.
SAP Cloud Identity Access Governance Security Guide
Data Protection and Privacy PUBLIC 17
4.3.1 Information Report
You can view your personal data record in the My Information app. The app is available on the SAP Cloud
Identity Access Governance launchpad Home screen.
SAP Cloud Identity Access Governance logs record information relevant to your employment and access, such
as:
• User ID
• First Name
• Last Name
• Email
• Phone Number
• Personnel Number
• Organization
• Department
• Company
• Business Unit
• Division
• Location
• Cost Center
• Position
• Job
• Employee Type
• Manager ID
In addition, SAP Cloud Identity Access Governance records your user group information, which has been
synched from SAP Cloud Identity (SCI) that are relevant for workflows. The following table explains the
abbreviations for the user group types.
Type Full Name
CM Control Monitor
CO Control Owner
CADM Control Administrator
RAA Role Assignment Approver
RCA Role Content Approver
WF Workflow Administrator
SAP Cloud Identity Access Governance Security Guide
18 PUBLIC Data Protection and Privacy
4.4 Deletion of Personal Data
• Simplified Blocking and Deletion: In addition to compliance with the general data protection regulation,
it is necessary to consider compliance with industry-specific legislation in different countries. A typical
potential scenario in certain countries is that personal data shall be deleted after the specified, explicit,
and legitimate purpose for the processing of personal data has ended, but only as long as no other
retention periods are defined in legislation, for example, retention periods for financial documents. Legal
requirements in certain scenarios or countries also often require blocking of data in cases where the
specified, explicit, and legitimate purposes for the processing of this data has ended, but the data has to
be retained in the database due to other legally defined retention periods. In some scenarios, personal
data also includes referenced data. Therefore, the challenge for deletion and blocking is to first handle
referenced data and finally other data, such as business partner data.
• Deletion of personal data: The handling of personal data is subject to applicable laws related to the deletion
of such data at the end of purpose (EoP). If there is no longer a legitimate purpose that requires the use
of personal data, it must be deleted. When deleting data in a data set, all referenced objects related to that
data set must be deleted as well. It is also necessary to consider industry-specific legislation in different
countries in addition to general data protection laws. After the expiration of the longest retention period,
the data must be deleted.
4.4.1 Deleting Users
SAP Cloud Identity Access Governance services use the IAG Synchronization Job to synchronize user data
between the source system and the Repository tables for SAP Cloud Identity Access Governance. Therefore,
users deleted on the source system are also deleted from all relevant Repository tables.
• Deleted Users
The SAP Cloud Identity Access Governance synch job ensures that only active authorized users are
synched. When users have been deleted on target systems, the Synch automatically identifies the changes
and deletes all the information corresponding to the user in SAP Cloud Identity Access Governance.
• Deleting User Information and Action Usage Information from SAP Cloud Identity Access Governance
Action Usage data can be used for future audits.
In the Maintain User Data app, you can delete users’ action usage data and you can also delete the user
information from SAP Cloud Identity Access Governance.
You must have administrator authorization to use the app and carry out these tasks.
4.4.2 User-related Information Stored in DB table
The IAGUSER table contains “target or managed” user information.
SAP Cloud Identity Access Governance Security Guide
Data Protection and Privacy PUBLIC 19
IAG User
USER_ID NVARCHAR(50) NOT NULL
SOURCE_CONNECTOR NVARCHAR(20) NOT NULL
LAST_NAME NVARCHAR(50) NOT NULL
FIRST_NAME NVARCHAR(50) NULL
USER_EMAIL NVARCHAR(128) NULL
USER_PHONE NVARCHAR(20) NULL
ORG_UNIT NVARCHAR(50) NULL
DEPARTMENT NVARCHAR(40) NULL
COMPANY NVARCHAR(40) NULL
BUSINESS_UNIT NVARCHAR(60) NULL
DIVISION NVARCHAR(60) NULL
LOCATION NVARCHAR(40) NULL
COST_CENTER NVARCHAR(20) NULL
POSITION NVARCHAR(40) NULL
JOB NVARCHAR(40) NULL
EMPLOYEE_TYPE NVARCHAR(20) NULL
PERSONAL_NO NVARCHAR(20) NULL
MANAGER_USER_ID NVARCHAR(50) NULL
UPDATED_ON DATETIME NULL
The following is a list of tables that relate the USER_ID field to the user information stored in the IAGUSER
table.
• IAGUSERSYSTEM
• IAGUSERGROUP
• IAGUSERPRIVILEGEEXT
• IAGUSERPRIVILEGE
• IAGUSERCONTROL
• IAGUSERPRMVL
• IAGUSERPRMVLDTL
• IAGUSERPRMVLTAG
• IAGUSERPRMVLDTLTAG
• IAGUSERCONTROLTAG
SAP Cloud Identity Access Governance Security Guide
20 PUBLIC Data Protection and Privacy
• IAGUSERPRIVILEGETAG
• IAGUSERACCESSPROPOSAL
• IAGUSERTAG
• IAGUSERTAGNOTE
• IAGUSERACTIONLOG
• IAGUSERACTIONUSAGE
• IAGRISKBPOVERVIEWDTL
4.4.2.1 IAGAPPLUSER Table
The IAGAPPLUSER table stores the app user’s information. This table is for users who actually log in to SAP
Cloud Identity Access Governance services apps.
IAG User
APPLUSER_ID NVARCHAR(50) NOT NULL
LAST_NAME NVARCHAR(50) NOT NULL
FIRST_NAME NVARCHAR(50) NULL
USER_EMAIL NVARCHAR(128) NULL
USER_PHONE NVARCHAR(20) NULL
ORG_UNIT NVARCHAR(50) NULL
DEPARTMENT NVARCHAR(40) NULL
COMPANY NVARCHAR(40) NULL
BUSINESS_UNIT NVARCHAR(60) NULL
DIVISION NVARCHAR(60) NULL
LOCATION NVARCHAR(40) NULL
COST_CENTER NVARCHAR(20) NULL
POSITION NVARCHAR(40) NULL
JOB NVARCHAR(40) NULL
EMPLOYEE_TYPE NVARCHAR(20) NULL
PERSONAL_NO NVARCHAR(20) NULL
MANAGER_USER_ID NVARCHAR(50) NULL
SAP Cloud Identity Access Governance Security Guide
Data Protection and Privacy PUBLIC 21
APPLUSER_ID NVARCHAR(50) NOT NULL
UPDATED_ON DATETIME NULL
The following is a list of tables that reference the APPLUSER_ID field in table IAGAPPLUSER.
• IAGAPPLUSERTYPEAPPLUSER
• IAGAPPLUSERGROUPAPPLUSER
4.5 Data Retention Management (Beta)
SAP Cloud Identity Access Governance supports the SAP Information Lifecycle Management (ILM) framework
for data retention management.
At present, SAP Cloud Identity Access Governance supports the following ILM objects:
End of Business Day Defini-
Service ILM Object Description tion
Privileged Access Manage- Privileged Access Log Privileged Access Logs Object has these attributes:
ment stored in the Privileged Ac-
Date: Last workflow stage ap-
cess Monitoring Report will
be affected. proval timestamp
Status of object: Approved
Access Request Access Request Access Requests stored in Object has these attributes:
the Access Request Status
Date: Last Updated On time-
and Access Request Audit
Log will be affected. stamp
Status of object: Failed, Re-
jected, Canceled, Completed
with Errors, Completed
Access Analysis Access Analysis Audit Log Data stored in Access Analy- Object has these attributes:
sis Audit Log will be affected.
Date: Last Updated On time-
stamp
Audit Type: "USER_AC-
CESS_ANALYSIS", "AC-
CESS_CONTROL_ASSIGN-
MENT", "USER_CON-
TROL_ASSIGNMENT"
SAP Cloud Identity Access Governance Security Guide
22 PUBLIC Data Protection and Privacy
End of Business Day Defini-
Service ILM Object Description tion
Access Analysis Access Analysis Change Log Data stored in the Change Object has these attributes:
Log Report will be affected.
Date: Last Updated On time-
stamp
Entity Type: Function, Risk,
Control, Ruleset
Access Analysis Manage Job Log All jobs and job logs are de- Object has these attributes:
leted from the Manage Jobs
Date: Created On timestamp
app.
Schedule Type: Immediate
Date: Start Time On time-
stamp
Schedule Type: One Time Ex-
ecution
Date: End Time On time-
stamp
Schedule Type: Recurring
Note
Recurring jobs are re-
tained but associated job
run histories that are
older than the retention
period configured by you
are deleted. For instance,
if a job has been sched-
uled to run for 10 years
and has been running for
the past 7 years, the job
will continue to run for
the next three years.
Role Designer Role Designer Data stored in the Role De- Object has these attributes:
sign Inbox, Role Design Ad-
Date: Last Updated On time-
ministration, and Role De-
signer Audit Log will be af- stamp
fected.
Status of object: Pending,
Canceled, Closed
SAP Cloud Identity Access Governance Security Guide
Data Protection and Privacy PUBLIC 23
End of Business Day Defini-
Service ILM Object Description tion
Access Certification Access Certification Cam- All campaigns, reviewed Object has these attributes:
paign
data, and logs stored in the
Date: Close Date On time-
following apps are deleted:
stamp
Create Campaigns
Status of object: Closed
Manage Active Campaigns
Access Certification Re-
viewer Inbox
Access Certification Audit
Log
Access Certification Cam-
paign Log
Note
The data is also deleted from the Attachment and Workflow services.
Prerequisite
Before you start using the data retention management, ensure that you have correctly defined the Retention
Policies in the Configuration app. You must separately configure the configuration parameters. Depending on
what your needs are, the retention periods can be, for instance, 5 years, 15 years, or 30 years. Once the
retention period is added in the Configuration app, you run the job in Manage Jobs app.
Note
This feature allows you to remove data for a time period spanning five years and higher.
Configuration Application
The Manage Retention Policies application provides data controllers with a dedicated interface to configure
and manage data retention policies. This application ensures that data is retained and deleted according to
organizational policies and regulatory requirements, enhancing data governance and compliance.
BTP Authorization Role: IAG_Data_Controller_Data_Retention_Management
The table includes three main columns: Configuration Parameter, ILM Object Name, and Retention Period.
Configuration Parameter: This column shows MANAGE_RETENTION_POLICIES for all entries, indicating that
these settings fall under the configuration for managing retention policies. The parameter and ILM Object
columns are predefined. No changes can be made in those; the only editable fields are under the Retention
Period column.
Retention Period: This column specifies the retention period settings for each corresponding ILM object. The
default value is NEVER.
SAP Cloud Identity Access Governance Security Guide
24 PUBLIC Data Protection and Privacy
Configuration Parameter ILM Object Name Retention Period
MANAGE_RETENTION_POLICIES Privileged Access Log NEVER
MANAGE_RETENTION_POLICIES Access Request Data will never be deleted unless you
change it for the correct period. This is
MANAGE_RETENTION_POLICIES Role Designer
a default value that you must change to
MANAGE_RETENTION_POLICIES Access Analysis Audit Log use the retention framework.
MANAGE_RETENTION_POLICIES Access Analysis Change Log Correct format for retention period is
00Y-00M-00D.
MANAGE_RETENTION_POLICIES Manage Job Log
Example: The retention period is set to
MANAGE_RETENTION_POLICIES Access Certification Campaign
5 years 05Y-00M-00D.
To reduce data in your systems, follow the steps listed below.
Executing Data Deletion Job
1. Open the Manage Jobs app.
2. Enter the Job Name.
3. In the Job Category, select Data Destruction.
4. Select the ILM Object.
5. Enter the Business Purpose.
6. Check the notification box if you wish to receive notification about the jobs.
7. Choose the Execution Type, either Run immediately or Single Run.
8. Choose Schedule.
Note
Data Destruction is irreversible.
The retention period is calculated from the end of the business day. For instance, for Access Request, the
status of the log depends on the workflow stage, i.e, when the job was last approved or completed. To view
details of the job such as the Job Parameters, Job Run History and Job Log Messages, choose the relevant job
from the Jobs list.
If your retention period for PAM logs is set for 5 years, then from today’s date, it will calculate and subtract 5
years in the past; this will be then the end of the retention period. It will take into consideration all objects that
are older than five years from the current date.
In addition, for retention period in months, the calculation will consider the number of days (28, 30, or 31 days)
in a month to calculate the correct retention period.
An Example of Data Retention Management
Retention Period Details:
• Configuration Parameter: MANAGE_RETENTION_POLICIES
• Parameter: Privileged Access Log
• Parameter Value: 15Y-00M-00D
Explanation:
The retention period for Privileged Access Logs is defined as 15 years. That means that all PAM Logs older than
15 years are deleted from the system.
SAP Cloud Identity Access Governance Security Guide
Data Protection and Privacy PUBLIC 25
Retention Period Start Date: [Start Date – Date when the ILM object reached the End of Business Day]
Retention Period End Date: [Start Date + 15 Years]
For example, if the retention period starts on January 1, 2022, the logs will be retained until after January 1,
2037. The data destruction job can be scheduled anytime after January 1, 2037.
Summary:
The Privileged Access Logs are retained for a total of 15 years, starting from the date they reach the end of
business day and ending 15 years later.
4.5.1 Test Mode Function for Data Destruction
Before removing any data such as PAM logs or access requests permanently, you can use the simulation or test
mode to obtain an overview about what will be deleted. The job calculates the number of ILM objects, workflow
objects, and attachments. There are no limitations for the retention period.
To use the test mode, follow the steps listed below:
1. Open the Manage Jobs app.
2. In the General Settings, go to Create New Job and enter the Job Name and select Data Destruction Job as
the Job Category from the dropdown menu.
3. Select any ILM object from the dropdown menu.
4. Select the Test for Job Mode.
5. Provide a Business Purpose. For example, maple: Tax Document category and choose Schedule.
If the Notification box is checked, administrators receive emails about the scheduled jobs.
Once the job is completed, you can view the details in the following three sections:
• Job Parameters
• Job Run History
• Job Log Messages
SAP Cloud Identity Access Governance Security Guide
26 PUBLIC Data Protection and Privacy
5 Authorization Policies
5.1 Authorization Concept
The authorization concept is based on the assignment of authorizations to users via policy sets.
A policy set is a grouping of policies.
Within policies are contained the tasks and authorization objects.
You enable data level security by selecting the authorization object attributes to which the policy applies. For
example, you can be as granular as a specific back-end user ID, an organization, etc.
5.2 Prerequisites
Ensure the latest user information is synched to the repository by running the following background jobs:
• Role and User Synch Job
This job synchronizes access, user, and authorization data from back-end systems with SAP Cloud Identity
Access Governance.
SAP Cloud Identity Access Governance Security Guide
Authorization Policies PUBLIC 27
• User Groups from SCI Sync Job
This job fetches SAP Cloud Identity Access Governance (application) users and user groups from Identity
Authentication.
For more information, see the Job Scheduler app.
5.3 Authorization Policy App (Features and Procedures)
You maintain authorization policies via the Authorization Policy app. The app allows you to do the following:
• Create policy sets
• Assign users to the policy set
• Create / Delete policies
• Activate / Deactivate policies
• Assign actions and authorization objects (within policies)
• Assign JAAS roles
To Create Policy Sets:
1. From the Authorization Policy app Policy Set screen, click the plus sign (+).
2. In the New Policy Set window, enter the name and select a policy type. The policy type defines the
authorization object, such as mitigation control.
3. Click Save.
To Assign Users to Policy Sets:
1. Open the policy set.
2. Under the Assigned Users section, click the plus sign (+).
3. Select the users using the filtering criteria, and click OK.
4. On the policy set screen, click Apply.
To Deactivate Policy Sets:
You cannot directly deactivate or delete a policy set. To deactivate a policy set you deactivate its policies.
1. Open the policy set.
2. On the policy set details screen, in the Policies section, click Deactivate All.
3. Click Apply.
SAP Cloud Identity Access Governance Security Guide
28 PUBLIC Authorization Policies
To Create Policies:
Policies belong to the respective policy set.
1. To create a policy, open a policy set, and click the plus sign (+).
2. Click Save.
Note
Once you save a policy, you cannot edit the policy. You can delete or deactivate the policy and create a new
one.
To Delete Policies:
Policies are maintained within policy sets.
1. To delete a policy, open a policy set, and select a policy.
2. On the policy detail page, click Delete.
3. On the policy set details screen, click Apply.
To Activate and Deactivate Policies:
Policies are maintained within policy sets.
1. To activate or deactivate a policy, open a policy set, and select a policy.
2. On the policy detail page, click Activate or Deactivate as applicable.
3. On the policy set details screen, click Apply.
Note
On the policy set detail screen, you can also choose to Deactivate All policies.
To Assign Actions and Authorization Objects:
You assign actions and authorization objects within policies.
1. Open a policy and go to the Authorizations section.
2. Click the respective plus signs (+) to assign actions and authorization objects.
3. Click Save.
SAP Cloud Identity Access Governance Security Guide
Authorization Policies PUBLIC 29
To Assign Role Collection:
SAP Cloud Identity Access Governance delivers a specific role for the Authorization Policy app on the SAP
Busines Technology Platform (SAP BTP). On SAP BTP, assign the delivered role to specific users who are
responsible to setup SAP Cloud Identity Access Governance and Authorization Policies. This role collection can
be either directly assigned to the user or via SAP Cloud Identity Access Governance User Mapping.
IAG Application: iagauthpolicy
Role collection: IAG_Config_Admin
For more information on other roles, refer to the section Pre-Delivered Role Collections on SAP BTP [page 53]
5.4 Default Authorizations
By default, the access analysis service provides sufficient authorizations for users to remediate all access
risks for all back-end users. We recommend administrators use the Authorization Policy app to adjust the
authorization policies to be in line with your company’s guidelines.
The tables below list and describe the default policy sets and policies.
Default Authorizations for Access Analysis
Default Policy Set and Policy for Access Risks
Policy/Policy Set Name (ID) Description
Policy Set Policy Set Access Risk Auth Allows the assigned users to take action
ALL on all access risks.
Policy Access_Risk_Auth_ALL
Default Policy Set and Policy for Back-end Users
Policy/Policy Set Name (ID) Description
Policy Set Policy Set Back-end User Auth Allows the assigned users to take action
ALL on all back-end users.
Policy Back-end_User_Auth__ALL
Default Policy Set and Policy for Mitigation Controls
Policy/Policy Set Name (ID) Description
Policy Set Policy Set Mitigation Control Allows the assigned users to take action
Auth ALL on all mitigation controls.
Policy Mitigation_Control_Auth_ALL
SAP Cloud Identity Access Governance Security Guide
30 PUBLIC Authorization Policies
Default Policy Set and Policy for Business Roles
Policy/Policy Set Name (ID) Description
Policy Set Policy Set Business Role Auth Allows the assigned users to request
ALL access to all business roles.
Policy Business_Role_Auth_ALL
Default Policy Set and Policy for Access
Policy/Policy Set Name (ID) Description
Policy Set Policy Set Access Auth ALL Allows the assigned users to request
access to all access.
Policy IAG_Access_Auth_ALL
Default Policy Set and Policy for Applications
Policy/Policy Set Name (ID) Description
Policy Set Policy Set Application Auth Allows the assigned users to request
ALL access to all applications.
Policy IAG_Application_Auth_ALL
Default Authorizations for Business Function Groups
Default Policy Set and Policy for Deleting Business Function Groups (By default, this policy is inactive and needs to be
activated for granting access)
Policy/Policy Set Name (ID) Description
Policy Set Policy Set Business Function Allows the assigned users to perform
Group Delete Auth ALL the delete action on all business func-
tion groups.
Policy Business_Function_Group_Delete
_Auth_ALL
Default Policy Set and Policy for Viewing, Editing, and Creating Business Function Groups (By default, this policy is inactive
and needs to be activated for granting access)
Policy/Policy Set Name (ID) Description
Policy Set Policy Set Business Function Allows the assigned users to perform
Group Auth ALL actions pertaining to viewing, editing,
and creating on all business function
Policy Business_Function_Group_View_E groups.
dit_Create_Auth_ALL
Default Authorizations for Access Request
SAP Cloud Identity Access Governance Security Guide
Authorization Policies PUBLIC 31
Default Policy Set and Policy for Access Request
Policy/Policy Set Name (ID) Description
Policy Set Policy Set Access Request Auth Enables Access Request fields for as-
ALL signed users.
Policy Access_Request_Auth_ALL
For information on the value help for the various Policy Type Attributes, refer to2788255 .
5.5 Maintaining Authorizations for Access Analysis
Use the following information to maintain authorization policies for the scenario - Access Risks Remediation.
When performing user access analysis in the Access Analysis app, users can remediate user access risks by
refining the access or mitigating the SoD and critical access risks. By default users can remediate access
risks for all back-end users, which includes refining the access and assigning mitigation controls. As an
administrator, you can use the Authorization Policy app to clarify these authorizations, and define which
access risks a user can remediate, which mitigation controls they can assign, and for which back-end users
they can perform these tasks.
The following image provides an overview of what can be defined through authorization policies.
Use the information in the following table to maintain authorizations for access risk remediation.
SAP Cloud Identity Access Governance Security Guide
32 PUBLIC Authorization Policies
Access Risk Remediation Authorization Policy Types
Authorization Object Attrib-
Policy Type Action Description utes
Back-end User Mitigate Allow user to mitigate access Back-end User ID, Orgaiza-
risks for the back-end users tion, Location
specified by the authoriza-
tion object attributes.
This sets these screen ele-
ments to active for the user:
Remediate, Risks Mitigation,
Notes, Save, Save and Con-
firm.
Refine Allow user to refine access
for the specified back-end
user.
This sets these screen el-
ements to active for the
user: Remediate, Simple Re-
finement, Advanced Refine-
ment, Notes, Save, Save and
Confirm.
Access Risk Mitigate Allow user to mitigate risks Risk ID, Business Process,
specified by the authoriza- Risk Level, Risk Type
tion object attributes.
Mitigation Control Assign Allow user to assign mitiga- Mitigation Control ID, Organi-
tion controls specified by zation, Business Subprocess
the authorization object at-
tributes.
Note
If the user does not have
authorization to assign
a mitigation control, the
risk information is still
displayed, but the mit-
igation control field is
grayed.
You enable data level security by selecting the authorization object attributes to which the policy applies. For
example, you can be as granular as a specific back-end user ID, an organization, etc.
SAP Cloud Identity Access Governance Security Guide
Authorization Policies PUBLIC 33
Note
Each of the policy types and their actions controls authorizations for an aspect of access risk remediation.
Therefore, to fully set up authorizations for the access risk remediation scenario, you must assign all 3
policy types to the users.
You enable data level security by selecting the authorization object attributes to which the policy applies.
For assigning the users to Authorization policies, you can use the following user attributes to define a fine-
grained authorization.
User Attribute Attribute Description
USER_ID User ID
ORG_UNIT Org Unit
LOCATION Location
DEPARTMENT Department
COMPANY Company
DIVISION Division
COST_CENTER Cost Center
EMPLOYEE_TYPE Employee Type
Special Keywords: Two special keywords are used in User assignment.
ALL: When you enter ALL as the value for the USER_ID field, the Authorization engine skips the runtime
evaluation of this policy. This keyword is used with all of the default Auth policies.
ALL_USERS: When you put ALL_USERS as the value for the USER_ID field, the Authorization engine
substitutes the logged in user at runtime when evaluating Auth Policy. This is for the scenarios where a policy is
intended for all users. You can define a minimum privilege for all users in this way and then customize specific
ones based on user’s other attributes as needed.
For information on the value help for the various Policy Type Attributes, refer to 2788255 - Value Help
Attribute Values for Auth Policy UI.
5.6 Maintaining Authorizations for Access Request
Use the following information to maintain authorization policies for the scenario - Access Request Role Search.
When performing role search in Access Request app, the search results can be restricted or filtered out based
on the Authorization policy definition.
As an administrator, you can use the Authorization Policy app to define these authorizations and define which
Access/Application or Business Role an end user can search and request via Access Request Application.
Use the information in the following table to maintain authorizations for access request role search.
Maintaining Authorizations for Access Request (Role Search)
SAP Cloud Identity Access Governance Security Guide
34 PUBLIC Authorization Policies
Authorization Object Attrib-
Policy Type Action Description utes
Access Request Access Allow the assigned users to Name, Application, Applica-
request access to all Access tion Type, Access Type, Busi-
specified by the authoriza- ness Process, Business Sub-
tion object attributes. process
Business Role Request Access Allow the assigned users to Name, Business Process,
request access to all Busi- Business Subprocess, Criti-
ness Roles specified by the cality
authorization object attrib-
utes.
Application / System Request Access Allow the assigned users to Application, Application Type
request access to all Applica-
tions/Systems specified by
the authorization object at-
tributes.
Maintaining Authorizations for Access Request User Interface
Use the following information to maintain authorization policies for the scenario - Access Request user
interface (UI) - Enable/Disable Manager and Email fields.
When you create an access request, the Manager and Email fields are enabled or disabled based on the
Authorization policy definition.
As an administrator, you can use the Authorization Policy app to define these authorizations and define which
field is to be enabled for endusers.
Use the information in the following table to maintain authorizations for access request UI.
Authorization Policy Types for Access Request UI
Authorization Object Attrib-
Policy Type Action Description utes
Access Request Manager Editable Enable Manager ID field on Request Priority, Request
the UI Reason
Email Editable Enable Email ID field on the
UI
You enable data level security by selecting the authorization object attributes to which the policy applies.
For assigning the users to Authorization policies, you can use the following user attributes to define a fine-
grained authorization.
User Attribute Attribute Description
USER_ID User ID
ORG_UNIT Org Unit
LOCATION Location
DEPARTMENT Department
COMPANY Company
SAP Cloud Identity Access Governance Security Guide
Authorization Policies PUBLIC 35
User Attribute Attribute Description
DIVISION Division
COST_CENTER Cost Center
EMPLOYEE_TYPE Employee Type
Special Keywords: Two special keywords are used in User assignment.
ALL: When you enter ALL as the value for the USER_ID field, the Authorization engine skips the runtime
evaluation of this policy. This keyword is used with all of the default Auth policies.
ALL_USERS: When you put ALL_USERS as the value for the USER_ID field, the Authorization engine
substitutes the logged in user at runtime when evaluating Auth Policy. This is for the scenarios where a policy is
intended for all users. You can define a minimum privilege for all users in this way and then customize specific
ones based on user’s other attributes as needed.
For information on the value help for the various Policy Type Attributes, refer to 2788255 - Value Help
Attribute Values for Auth Policy UI.
5.7 Maintaining Authorizations for Business Function
Groups
Use the following information to maintain authorization policies for the scenario – Deleting Business Function
Groups.
Deleting business function groups includes deleting all related master data, for example, Risks, Functions,
Rules etc. This authorization controls who can see the delete button enabled on the tile and delete business
function groups.
As an administrator, you can use the Authorization Policy app to define these authorizations and define which
business function group an end user can delete via UI.
Use the information in the following table to maintain authorizations for business function groups.
Authorization Policy Type for Business Function Groups
Authorization Object Attrib-
Policy Type Action Description utes
Business Function Group Delete Allows the assigned users to Business Function Group
Name, Business Function
delete all business function
Group Type
groups specified by the au-
thorization object attributes.
This action enables/disables
the Delete button on the UI.
SAP Cloud Identity Access Governance Security Guide
36 PUBLIC Authorization Policies
Authorization Object Attrib-
Policy Type Action Description utes
View This action enables the mas-
ter list for the respective
business function group to
filter and show only the au-
thorized entries.
Edit This action enables/disables
the Edit button for the re-
spective business function
group for which the user is
authorized to perform an Edit
action.
Create This authorization is checked
when the Save button is se-
lected on the UI to determine
if the user is authorized to
save the corresponding en-
tries.
You enable data level security by selecting the authorization object attributes to which the policy applies.
Refer to the Business Function Group tile for possible values for the authorization object attributes.
For assigning the users to Authorization policies, you can use following user attribute to define a fine-grained
authorization.
User Attribute Attribute description
USER_ID User ID
ORG_UNIT Org Unit
LOCATION Location
DEPARTMENT Department
COMPANY Company
DIVISION Division
COST_CENTER Cost Center
EMPLOYEE_TYPE Employee Type
Special Keywords: Two special keywords are used in User assignment.
ALL: When you enter ALL as the value for the USER_ID field, the Authorization engine skips the runtime
evaluation of this policy. This keyword is used with all of the default Auth policies.
ALL_USERS: When you put ALL_USERS as the value for the USER_ID field, the Authorization engine
substitutes the logged in user at runtime when evaluating Auth Policy. This is for the scenarios where a policy is
intended for all users. You can define a minimum privilege for all users in this way and then customize specific
ones based on user’s other attributes as needed.
SAP Cloud Identity Access Governance Security Guide
Authorization Policies PUBLIC 37
For information on the value help for the various Policy Type Attributes, refer to 2788255 - Value Help
Attribute Values for Auth Policy UI.
SAP Cloud Identity Access Governance Security Guide
38 PUBLIC Authorization Policies
6 Integration of Audit Log Service
SAP Cloud Identity Access Governance sends relevant information about changes made to security and
configuration events to SAP Audit Log Service where it is stored centrally.
Retention time:
By default, SAP Audit Log Service allow 90 days for retention. If you wish to have a different retention time, you
can enable the Audit Log service, premium edition service plan, to configure a flexible retention period, longer
than the free 90 days. For more information, refer to Audit Log Retention for Cloud Foundry Environment.
Application Maintenance
Area Event Key Message Event Category
Application Maintenance Create applica- Application created. audit.security-events
tion
Delete applica- Application deleted. audit.security-events
tion
Area Event Key Example Event Category
Access Maintenance Assignment Approvers Technical Role Approver audit.security-events
(Change/Add/Delete) Changed, Updated, or De-
leted
Business Function Group
Area Event Key Example Event Category
Business Function Group Create business Business function group created. audit.security-events
function group
Create connec- Business function group - application assign- audit.security-events
tor group – con- ment created.
nector assign-
ment
Update busi- Business function group text changed. audit.security-events
ness function
group
Delete connec- Business function group - application assign- audit.security-events
tor group – con- ment deleted.
nector assign-
ment
Workflow Template Upload
Area Event Key Example Event Category
Workflow Template Up- Workflow template uploaded. audit.security-events
load
SAP Cloud Identity Access Governance Security Guide
Integration of Audit Log Service PUBLIC 39
Template Upload
Area Event Key Example Event Category
Template Upload Notification Notification template uploaded. audit.security-events
Template Up-
load
Recurring Jobs
Area Event Key Example Event Category
Recurring jobs Schedule recur- Recurring job schedued. audit.security-events
ring jobs
Cancel recur- Recurring job canceled. audit.security-events
ring jobs
Configuration
Area Event Key Example Event Category
Configuration Application pa- Configuration changed. audit.security-events
rameter
Maintain User Data
Area Event Key Example Event Category
Maintain user data Delete backend User deleted. audit.security-events
application user
Delete IAG ap- User deleted. audit.security-events
plication user
Workflow Template
Area Event Key Example Event Category
Workflow template Create template Workflow path created. audit.security-events
path
Update work- Workflow stage description changed. audit.security-events
flow Stage de-
scription
Update work- Workflow stage configuration changed. audit.security-events
flow stage con-
figuration
Authorization Policy
Area Event Key Example Event Category
Authorization Policy Create authori- Authorization policy created audit.security-events
zation policy set
Create authori- Authorization policy created audit.security-events
zation policy
Create authori- . audit.security-events
zation policy ac-
tion
SAP Cloud Identity Access Governance Security Guide
40 PUBLIC Integration of Audit Log Service
Area Event Key Example Event Category
Create policy at- audit.security-events
tribute
Create user pol- Authorization policy changed audit.security-events
icy set
Edit policy set Authorization policy changed audit.security-events
Activate user Authorization policy changed audit.security-events
policy set
Delete policy Authorization policy changed audit.security-events
Delete user pol- Authorization policy changed audit.security-events
icy set
Deactivate pol- audit.security-events
icy
User Mapping Upload
Area Event Key Example Event Category
User Mapping Upload Upload user User mapping file uploaded. audit.security-events
mapping
Approver Upload
Area Event Key Example Event Category
Approver Upload Upload approv- Approver file uploaded. audit.security-events
ers
Application User Upload
Area Event Key Example Event Category
Application User Upload Upload applica- Application user file uploaded. audit.security-events
tion users
Functions
Area Event Key Example Event Category
Functions Activate/Deac- Function activated/deactivated. audit.security-events
tivate
Draft to Activate Draft function activated.
Mitigation Control
Area Event Key Example Event Category
Mitigation Control Owner change Mitigation control owner changed. audit.security-events
Monitor Group Mitigation control monitor added.
change
or
Mitigation control monitor removed
SAP Cloud Identity Access Governance Security Guide
Integration of Audit Log Service PUBLIC 41
Mitigation Control Assignments
Area Event Key Example Event Category
Mitigation Control As- Delete Assign- User mitigation control assignment deleted. audit.security-events
signments ment
or
Privilege mitigation control assignment de-
leted.
Deactivate/ User mitigation control assignment acti-
Activate
vated/deactivated.
or
Privilege mitigation control assignment acti-
vated/deactivated.
ChangeValidity User mitigation control assignment validity
changed.
or
Privilege mitigation control assignment valid-
ity changed.
Invalid Mitigation Control Assignments
Area Event Key Example Event Category
Invalid Mitigation Control Delete Assign- Invalid user mitigation control assignment de- audit.security-events
Assignments ment
leted.
or
Invalid privilege mitigation control assign-
ment deleted.
ChangeValidity Invalid user mitigation control assignment
validity changed.
or
Invalid privilege mitigation control assign-
ment validity changed.
Risks
Area Event Key Example Event Category
Risks Add/Remove Segregation of Duties risk changed. audit.security-events
Functions
Activate/Deac- Segregation of Duties risk changed.
tivate/Delete
SAP Cloud Identity Access Governance Security Guide
42 PUBLIC Integration of Audit Log Service
Risk Level
Area Event Key Message Event Category
Risk Level Description Risk level description changed. audit.security-events
change
Rule Setup
Area Event Key Message Event Category
Rule Setup Rule Upload Rule set file uploaded. audit.security-events
(Risk Analysis)
Mass Update
Area Event Key Message Event Category
Mass Update Business role Master data changed. audit.security-events
mass update
Rulesets
Area Event Key Message Event Category
Rulesets Activate/Deac- Ruleset activated./Ruleset deactivated. audit.security-events
tivate
User Access Analysis
Area Event Key Message Event Category
User Access Analysis Mitigation Con- audit.security-events
trol Assignment
Access Request Inbox
Area Event Key Message Event Category
Access Request Inbox Access Request Access Request Approved. audit.security-events
Approve/Reject
or
Access Request Rejected.
Business Roles
Area Event Key Message Event Category
Business Roles Edit (access Business role updated. audit.security-events
changes)/Acti-
vate/Deacti- or
vate/Delete
Business roles deleted.
Content/ Business role updated. audit.security-events
Assignment Ap-
provers changes
SAP Cloud Identity Access Governance Security Guide
Integration of Audit Log Service PUBLIC 43
Access Request Administration
Area Event Key Message Event Category
Access Request Adminis- Forward Access Request Forwarded. audit.security-events
tration
Cancel Access Request Cancelled. audit.security-events
Approve/Reject Access Request Approved. audit.security-events
or
Access Request Rejected.
Delegation Approval delegation in Application added. audit.security-events
or
Approval delegation in Application activated.
or
Approval delegation in Application deacti-
vated.
Manage Jobs
Area Event Key Message Event Category
Manage Jobs Scheduled job: Recurring job schedued. audit.security-events
Recurring
Cancel jobs: Re- Recurring job canceled. audit.security-events
curring
Maintain Privileged Access
Area Event Key Message Event Category
Maintain Privileged Ac- Create Privi- PAM object created.. audit.security-events
cess leged Access
Note
To see Pam obj value, open Log Entry De-
tails.
SAP Cloud Identity Access Governance Security Guide
44 PUBLIC Integration of Audit Log Service
Area Event Key Message Event Category
Edit Privileged Configuration modification message. audit.security-events
Access Details
Attribute with name "Description" was
changed from "XXX" to "XXX".
Attribute with name "LongDescription" was
changed from "XXX" to "XXX"
Attribute with name "CriticalityId" was
changed from "XXX" to "XXX".
Attribute with name "PamAssignmentDura-
tion" was changed from "XXX" to "XXX".
Attribute with name "BusinessRole" was
changed from "XXX" to "XXX".
Attribute with name "UpdatedBy" was
changed from "XXX" to "XXX".
The attributes are a part of an object with
type "IagPamObjs" and id consisting of: Pa-
mobjectId "XXX".
Edit Privileged Configuration modification message. audit.security-events
Access Re-
viewer Attribute with name "PamobjectId" and value
"XXX" was deleted.
Attribute with name "Controler" and value
"XXX" was deleted.
The attributes are a part of an object with
type "IagPamControlers" and id consisting of:
PamobjectId "XXX".
Configuration modification message.
Attribute with name "PamobjectId" and value
"XXX" was added.
Attribute with name "Controler" and value
"XXX" was added.
The attributes are a part of an object with
type "IagPamControlers" and id consisting of:
PamobjectId "XXX".
Edit Privileged Attribute with name “businessFunc- audit.security-events
Access Ap-
tionGroup” was changed from <business
prover
function group name> to “”.
The attributes are a part of an object with
type “BusinessFunctionGroup” and id con-
sisting of <business function group name>.
SAP Cloud Identity Access Governance Security Guide
Integration of Audit Log Service PUBLIC 45
Area Event Key Message Event Category
Configuration modification message.
Attribute with name "PamobjectId" and value
"XXX" was added.
Attribute with name "Pamowner" and value
"XXX" was added.
The attributes are a part of an object with
type "IagPamOwners" and id consisting of:
PamobjectId "XXX".
Edit Privileged Configuration modification message. audit.security-events
Access Activi-
ties Attribute with name "PamobjectId" and value
"XXX" was added.
Attribute with name "ConnectorType" and
value "XXX" was added.
Attribute with name "Action" and value "XXX"
was added.
The attributes are a part of an object with
type "IagPamObjActions" and id consisting of:
PamobjectId "XXX".
Configuration modification message.
Attribute with name "PamobjectId" and value
"XXX" was deleted.
Attribute with name "ConnectorType" and
value "XXX" was deleted.
Attribute with name "Action" and value "XXX"
was deleted.
Attribute with name "ActionType" and value
"XXX" was deleted.
The attributes are a part of an object with
type "IagPamObjActions" and id consisting of:
PamobjectId "XXX".
Deactivate Privi- PAM object deactivated. audit.security-events
leged Access
Note
To see Pam obj value, open Log Entry De-
tails.
SAP Cloud Identity Access Governance Security Guide
46 PUBLIC Integration of Audit Log Service
PAM Execute Session
Area Event Key Message Event Category
PAM Execute Session Execute Privi- PAM session executed. audit.security-events
leged Access
Session Note
To see Pam obj value, open Log Entry De-
tails.
Terminate Privi- PAM session terminated. audit.security-events
leged Access
Session Note
To see Pam obj value, open Log Entry De-
tails.
Privileged Access Review Inbox
Area Event Key Message Event Category
Privileged Access Review Submit Privi- Security event message. audit.security-events
Inbox leged Access
Log Security event message "PAM - Request re-
view added" on XXX. Security event was re-
lated to user "XXX".
Note
To see Privileged Access Log ID, open Log
Entry Details.
6.1 Event Format
Common Fields for all events:
1. An actor - the actorId variable represents the unique identifier of the actor associated with an auditable
event. The actor is typically a user or system that triggers the event. The actorId value is used to track and
identify the source of the event.
2. A tenant identifier - the tenantId variable represents the unique identifier of the tenant associated with
an auditable event. The tenant is a grouping or subdivision within an organization that is separate from
other groupings. The tenantId value is used to track and identify the specific tenant associated with the
event.
3. The SAP passport ID – the passportId represents the SAP passport ID associated with an auditable
event. See also: SAP Passport.
4. A group - permissionGroups stores the permission groups associated with an auditable event. For
SAP Cloud Identity Access Governance users, this is the role collection of which the user is currently a
member. This is useful in diagnosing security events and for auditing changes. The permission groups are
represented as a list of strings.
SAP Cloud Identity Access Governance Security Guide
Integration of Audit Log Service PUBLIC 47
5. An Action event Category – eventCategory represents the category of an auditable event.
6. An action event type - the eventType represents the type of event for an auditable event.
7. A module - the iagModule represents the module of an auditable event in the SAP Cloud Identity Access
Governance system.
8. A timestamp - eventTimestamp represents the timestamp of an event. This value is stored in UTC.
9. Message data – messageData represents the data associated with an auditable event message. The
messageData is a string that can contain any type of information related to the auditable event. It can be
used to store messages, details, or any other relevant data.
10. Security data – securityData represents the security data associated with an auditable event. Attributes
in the sub-object define additional contextual data about the event.
11. Meta data - metaData represents the metadata associated with an auditable event. It contains information
about the attribute being modified, the before and after values, and additional details.
SAP Cloud Identity Access Governance Security Guide
48 PUBLIC Integration of Audit Log Service
7 User Management
SAP Cloud Identity Access Governance solution and its services use Identity Authentication service for user
authentication and to manage access to the solution's apps. Security and permissions are maintained in
groups and role collections. You control the tasks a user can perform, and the apps they can access, through
the appropriate assignment of group and role collections to the user.
The assignment of groups and roles to users controls these three security aspects:
• Permission to access and use specific apps
• You can ensure that users can access only those apps relevant for their job function. For example, that only
administrators can access admin apps.
• Permission to perform administrative tasks
Within the framework of access governance, tasks have different levels of risk and sensitivity. You can
ensure that users can only perform administrative tasks in line with their job function. For example, only
users assigned to the Control Owners group can approve new or updated mitigation controls.
• Permission to use specific services
The SAP Cloud Identity Access Governance solution integrates with other SAP services, such as Business
Rule service. And these services require users have specific roles to use them.
7.1 Setting Up User Authentication and Access
The process to configure authentication and access requires you to perform configuration tasks on SAP
Business Technology Platform (SAP BTP) for the SAP Cloud Identity Access Governance tenant and the
Identity Authentication service.
• Maintain users in Identity Authentication.
• Pre-delivered role collections for the SAP Cloud Identity Access Governance tenant.
1. Maintain Users and User Groups in Identity Authentication [page 50]
2. Pre-Delivered Role Collections on SAP BTP [page 53]
3. Map Role Collections and Identity Authentication Group [page 62]
4. Set Up Assertion-based Groups for IdentityAuthentication and Role Collection Mapping [page 64]
5. Maintaining Access to Tasks [page 65]
6. Syncing User Groups from SAP Identity Services Identity Directory [page 66]
7. Connecting Identity Provisioning Bundle Tenant [page 69]
SAP Cloud Identity Access Governance Security Guide
User Management PUBLIC 49
7.1.1 Maintain Users and User Groups in Identity
Authentication
In Identity Authentication, tenant administrators can manage user accounts and groups.
Activity Description Procedure
Create User Create users via the Add user option in Create a New User
the administration console.
Create User Groups Create new user groups via User Create a New User Group
Groups option in the administration
console.
Note
It is mandatory to follow the User
Group Naming Guidelines and cre-
ate the Required Groups provided
below.
Assign Groups to User Assign groups to a user via the adminis- Assign Groups to a User
tration console for Identity Authentica-
tion.
User Group Naming Guidelines
When you create these groups, you must follow this naming convention: IAG_<TYPE>_<NAME>.
In this string, the <TYPE> must be one of the delivered types shown in the table below. The <NAME> can be of
your choosing, though we recommend choosing a name that is clear and concise.
Example: IAG_WF_ADMIN
Group Types
Group Type Name Description
CM Control Monitor Users assigned to this group are availa-
ble as control monitors, which can be
assigned during control creation.
CO Control Owner Users assigned to this group are availa-
ble as default control owners, which can
be assigned during control creation.
WF Workflow Assign users to this group to enable
participation in the workflow service.
SAP Cloud Identity Access Governance Security Guide
50 PUBLIC User Management
Group Type Name Description
RO Role Owner Users assigned to this group can be se-
lected as Role Owner in the under Ac-
cess Maintenance app when editing the
role in the SAP Cloud Identity Access
Goverrnance launchpad.
CADM Candidate Business Role Adminstrator Users assigned to this group have ac-
cess to the Candidate Business Role
Adminstration app and carry out ad-
ministrative tasks.
RCA Business Role Content Approver Users can modify and approve busi-
ness roles. Users assigned to this group
are included in the dropdown list of
Business Role Content Approvers.
RAA Business Role Assignment Approver Users can approve business role as-
signments. Users assigned to this
group are included in the dropdown list
of Assignment Approvers.
USER IAG Application Users Assign this group by default to all appli-
cation users for SAP Cloud Identity Ac-
cess Governance.
Required Groups
The following groups are required for using SAP Cloud Identity Access Governance services. Make sure you
create them with the names listed below with the same case. The name is case-sensitive.
In the Identity Authentication tenant, create the groups as described below, and then assign the relevant users
to them. These are suggested groupings and names. In your own implementation, you can create groups that
suit your needs.
Note
You can create users in Identity Authentication or make them available on a connected LDAP server.
Note
To connect to LDAP and other services for app user, you must configure this in Identity Authentication. For
more information, see SAP Cloud Identity Services - Identity Authentication.
Required Groups
The following groups are required. The SAP Cloud Identity Access Governance services look for these specific
groups. Make sure you create them with the names listed below with the same case. The name is case
sensitive.
SAP Cloud Identity Access Governance Security Guide
User Management PUBLIC 51
Users Assigned to the Group can Per-
Service Create these Groups form these Tasks
Access Analysis Service IAG_WF_RISKOWNERS Risk owner approvers are assigned to
the IAG_WF_RISKOWNERS group in
Identity Authentication.
Access Request Service IAG_WF_MANAGER In the Create Access Request app there
is the Manager field. You assign users to
the IAG_WF_MANAGER group to make
them available for selection in this field.
Managers are responsible for approving
access requests.
Note
If a user's manager is explicitly as-
signed in Identity Authentication,
then the manager is displayed in
this field and is read-only.
IAG_WF_ADMIN In the access request process, requests
go through a security stage. Users as-
signed to this group are able to receive
and work on access requests in this
stage.
Users assigned to this group can also
receive and work on access requests for
Privileged Access Management.
IAG_WF_DEFAULT When managers and approvers are not
available in the system, the task of re-
viewing and approving a requests goes
to users assigned to this group.
IAG_CO_DEFAULT These groups are mandatory for the in-
tegration edition and for the bridge sce-
IAG_CM_DEFAULT
nario between SAP Access Control and
SAP Cloud Identity Access Governance.
IAG_USER Required for access request.
Role Design Service IAG_WF_CBRRefine Users assigned to this group can refine
the proposed candidate business roles.
IAG_WF_CBRActivate Users assigned to this group can acti-
vate candidate business roles.
IAG_WF_CBRReconcile Users assigned to this group can per-
form tasks in the reconciliation stage of
CBR, such as provisioning and deprovi-
sioning user role assignments.
IAG_RCA_DEFAULT Business Role Default Content Ap-
prover
IAG_RAA_DEFAULT Business Role Default Assignment Ap-
prover
SAP Cloud Identity Access Governance Security Guide
52 PUBLIC User Management
Users Assigned to the Group can Per-
Service Create these Groups form these Tasks
Access Certification IAG_WF_ADMIN Users assigned to this group can re-
ceive and work on access certification
review items in the security stage.
IAG_WF_DEFAULT When managers or role owners are not
available, the task of reviewing a user’s
access is forwarded to members of this
group.
IAG_CPG_ADMIN Users assigned to this group are able to
create and edit campaigns.
IAG_CPG_CO Users assigned to this group can coor-
dinate campaign activities, for example,
reassign items or remind reviewers.
Privileged Access Management IAG_WF_ADMIN Users assigned to this group can re-
ceive and work on privileged access
request and log items in the security
stage.
IAG_WF_MANAGER If a user's manager is explicitly as-
signed in Identity Authentication, then
this user will get privileged access logs
for reviewing in the manager stage.
When manager is not assigned to user
in Identity Authentication, the task of
reviewing a user’s privileged access
logs is forwarded to members of this
group
Parent topic: Setting Up User Authentication and Access [page 49]
Next: Pre-Delivered Role Collections on SAP BTP [page 53]
7.1.2 Pre-Delivered Role Collections on SAP BTP
In the tenant for SAP Cloud Identity Access Governance on SAP BTP, the administrator can view the
pre-delivered role collections. The role collections CIAG_Display, CIAG_Access_Certification_Admin, and
CIAG_Super_Admin are primarily required to gain full access to the apps in SAP Identity Cloud Access
Governance. Refer to the tables below for the role collections.
Note
If you are subscribing to the SAP Cloud Identity Access Governance, integration edition, refer to SAP Cloud
Identity Access Governance, integration edition
SAP Cloud Identity Access Governance Security Guide
User Management PUBLIC 53
Role Collections for all Business Users
Associated Roles for the Role Collec-
Assign this Role Collection tion To perform these tasks
CIAG_Display Destination Certificate Viewer This is the default role collection. It in-
cluded roles that are needed by the
Destination Configuration Viewer framework. They are grouped under a
single role collection and must be as-
Destination Subaccount Trust Viewer signed to all business users.
Destination Viewer
EXTERNAL_PORTAL_USER
IAGDisplay_Admin
sap_scheduler_configuration_template
sap_scheduler_viewer_template
Token_Exchange_Admin
Role Collections and Associated Roles for the Access Request Service
Associated Roles for the Role Collec-
Assign this Role Collection tion To perform these tasks
CIAG_Request_Admin_Inbox IAG_Req_Admin_Role • Access to Request Administration
Application
• Forward requests to other approv-
ers
• Cancel Requests
• Approve requests at any stage as
an administrator
• Remediation, if required, while ap-
proving requests as administrator
CIAG_Access_Request IAG_Access_RequestAccess_Request • Create access requests
• View status of request
RuleRepositorySuperUser
• Cancel request
RuleRuntimeSuperUser • For approvers:
• review and approve or reject
access requests
• remediate risks
Note
To create a new role collection,
for instance, ZIAG_ARQ_WF_AP-
PROVE role, carry out the steps be-
low:
SAP Cloud Identity Access Governance Security Guide
54 PUBLIC User Management
Associated Roles for the Role Collec-
Assign this Role Collection tion To perform these tasks
WorkflowParticipant 1. In the SAP BTP cockpit, go to
Role Collections and define a
new role.
2. Choose the role collection you
created and edit it.
3. Under Role Name, select the
WorkflowAdmin Role and add it
to the role collection.
4. Map this new role collec-
tion with the existing group
(CIAG_Access_Request) or a
new Identity Authentication
group in SAP BTP.
CIAG_Access_Request_Admin IAG_Access_Request_AdminAc- • Setting up connections between
cess_Request the service to the target systems
• Setting up recurring jobs for the
IAG_Access_Request_AdminAdminis- service
tration • Setting up master data in the apps
• Setting up workflow service
IAG_Access_Request_AdminReports
• Setting up Business Rule service
iag_access_request_priority • Setting up Identity Provisioning
service
iag_authorization_policy
• Set configurations for SAP Cloud
iag_business_processes Identity Access Governance, such
as UI language
iag_configuration
iag_custom_field_groups
iag_custom_fields
iag_field_mapping
iag_maint_user_data
iag_notif_upload
iag_reason_code
RuleRepositorySuperUser
RuleRuntimeSuperUser
WorkflowAdmin
WorkflowDeveloper
SAP Cloud Identity Access Governance Security Guide
User Management PUBLIC 55
Associated Roles for the Role Collec-
Assign this Role Collection tion To perform these tasks
CIAG_Access_ Request_Others IAG_Access_Request_Others Ac-
cess_Request_for_others
Role Collections and Associated Roles for the Role Design Service
Associated Roles for the Role Collec-
Assign this Role Collection tion To perform these tasks
CIAG_Role_Designer IAG_Role_DesignerAdministration • Business roles: create and main-
tain
IAG_Role_DesignerReports • Candidate business roles: create,
review, and approve
IAG_Role_DesignerRole_designer
CIAG_Role_Designer_Admin iag_authorization_policy • Setting up connections between
the service to the target systems
iag_business_processes
• Setting up recurring jobs for the
iag_configuration service
• Setting up master data in the app
iag_departments • Set configurations for SAP Cloud
Identity Access Governance, such
iag_projects
as UI language
IAG_Role_Designer_AdminAdministra- • View the Role Design Audit Log
tion
IAG_Role_Designer_AdminReports
IAG_Role_Designer_AdminRole_de-
signer
Role Collections and Associated Roles for the Access Analysis Service
Associated Roles for the Role Collec-
Assign this Role Collection tion To perform these tasks
CIAG_Access_Analysis IAG_Access_AnalysisAccess_Analysis • Analyzing access risks
• Remediating access risks
IAG_Access_AnalysisAdministration
• Refining access
IAG_Access_AnalysisReports • Mitigating risks
• Auditing access compliance
RuleRuntimeSuperUser
CIAG_Access_Analysis_Admin IAG_Access_Analysis_AdminAc- • Setting up connections between
cess_Analysis the service to the target systems
• Setting up recurring jobs for the
IAG_Access_Analysis_AdminAdminis- service
tration
• Setting up master data in the apps
IAG_Access_Analysis_AdminReports
SAP Cloud Identity Access Governance Security Guide
56 PUBLIC User Management
Associated Roles for the Role Collec-
Assign this Role Collection tion To perform these tasks
iag_authorization_policy • Set configurations for SAP Cloud
Identity Access Governance, such
iag_business_processes
as UI language
iag_configuration
iag_functions
iag_mitigaton_control_master_data
iag_risk
iag_risk_level
iag_risk_score_policy
iag_test_plans
RuleRepositorySuperUser
RuleRuntimeSuperUser
Associated Roles for the Role Collec-
Assign this Role Collection tion To perform these tasks
CIAG_Access_Analysis_Enh IAG_Access_AnalysisAccess_Analy- • Analyzing access risks
sis_Enh • Remediating access risks
• Refining access
RuleRuntimeSuperUser
• Mitigating risks
• Auditing access compliance
Associated Roles for the Role Collec-
Assign this Role Collection tion Description
CIAG_Access_Analysis_MCA iag_blanket_mitigations IAG Access Analysis Mitigation Control
Assignments
iag_invalid_mitigations
SAP Cloud Identity Access Governance Security Guide
User Management PUBLIC 57
Role Collections for the Configuration Admin
Associated Roles for the Role Collec-
Assign this Role Collection tion To perform these tasks
CIAG_Configuration_Admin iag_access_request_priority This role collection enables Business
Users to configure in SAP Cloud Iden-
iag_authorization_policy tity Access Governance.
iag_business_processes
iag_configuration
IAG_Configuration_AdminAdministra-
tion
iag_custom_field_groups
iag_custom_fields
iag_field_mapping
iag_functions
iag_maint_user_data
iag_mitigaton_control_master_data
iag_notif_upload
iag_projects
iag_reason_code
iag_risk
iag_risk_level
iag_risk_score_policy
iag_test_plans
RuleRepositorySuperUser
RuleRuntimeSuperUser
WorkflowAdmin
WorkflowDeveloper
WorkflowParticipant
CIAG_Administrator_v1 iag_connector_type
CIAG_Job_Scheduler_Admin IAGSchedulerAdmin
SAP Cloud Identity Access Governance Security Guide
58 PUBLIC User Management
Role Collections for the Super Admin
Associated Roles for the Role Collec-
Assign this Role Collection tion To perform these tasks
CIAG_Super_Admin IAG_Access_Analysis_AdminAc- This role collection is for Super Admin
who needs to configure and access all
cess_Analysis
the services.
IAG_Access_Analysis_AdminAdminis-
tration
IAG_Access_Analysis_AdminReports
IAG_Access_AnalysisAccess_Analysis
IAG_Access_AnalysisAdministration
IAG_Access_AnalysisReports
IAG_Access_Request_AdminAc-
cess_Request
IAG_Access_Request_AdminAdminis-
tration
iag_access_request_priority
IAG_Access_RequestAccess_Request
IAG_Access_RequestAdministration
iag_authorization_policy
iag_business_processes
iag_configuration
iag_custom_field_groups
iag_custom_fields
iag_departments
iag_field_mapping
iag_functions
iag_maint_user_data
iag_mitigaton_control_master_data
iag_notif_upload
IAG_Privileged_AccessAdministration
IAG_Privileged_AccessPrivileged_Ac-
cess_Management
IAG_Privileged_AccessPrivilegedRoles
IAG_Privileged_AccessReports
iag_projects
iag_reason_code
SAP Cloud Identity Access Governance Security Guide
User Management PUBLIC 59
Associated Roles for the Role Collec-
Assign this Role Collection tion To perform these tasks
iag_risk
iag_risk_level
iag_risk_score_policy
IAG_Role_Designer_AdminAdministra-
tion
IAG_Role_Designer_AdminReports
IAG_Role_Designer_AdminRole_de-
signer
IAG_Role_DesignerAdministration
IAG_Role_DesignerReports
IAG_Role_DesignerRole_designer
iag_test_plans
RuleRepositorySuperUser
RuleRuntimeSuperUser
WorkflowAdmin
WorkflowDeveloper
WorkflowParticipant
iag_massupdate
CIAG_Job_Scheduler_Admin IAGSchedulerAdmin
CIAG_Administrator_v1 iag_connector_type
Role Collections for the Privileged Access Admin (deprecated)
Associated Roles for the Role Collec-
Assign this Role Collection tion To perform these tasks
CIAG_Privileged_Access iag_configuration This role collection is for privileged ac-
cess management activities.
IAG_Privileged_AccessAdministration
IAG_Privileged_AccessPrivileged_Ac-
cess_Management
IAG_Privileged_AccessPrivilegedRoles
IAG_Privileged_AccessReports
iag_reason_code
SAP Cloud Identity Access Governance Security Guide
60 PUBLIC User Management
Assign BTP Authorization Roles To perform these tasks
IAG_Privileged_Access_Monitoring_Review_Inbox Accessing Privileged Access Monitoring Review Inbox
IAG_Privileged_Access_Sessions Accessing PAM Execute Sessions
IAG_Maintain_Privileged_Access Accessing Maintain Privileged Access
IAG_Privileged_Access_Report Accessing Privileged Access Monitoring Report
IAG_Privileged_Access_Execute Accessing PAM Execute sessions
IAG_Privileged_Access_Inbox Accessing Privileged Access Inbox
IAG_Privileged_Access_Provisioning_Report Accessing Privileged Access Provisioning Report
Role Collections for the Access Certification
Associated Roles for the Role Collec-
Assign this Role Collection tion To perform these tasks
CIAG_Access_Certification_Admin IAGAccessCertificationAdmin 1. Create and edit campaign
2. View logs
WorkflowParticipant
3. Manage/coordinate campaign ac-
tivities (escalate, ...)
CIAG_Access_Certification_Coordina- IAGAccessCertificationCoordinator 1. Manage/coordinate campaign ac-
tor tivities (escalate, ...)
WorkflowParticipant 2. View logs
CIAG_Access_Certification_Reviewer IAGAccessCertificationReviewer Review and approve or reject access
item (Role Owner, Manager, Security)
WorkflowParticipant
In the tenant for SAP Cloud Identity Access Governance, the administrator can assign the role collections. For
more information, refer to Assign Role Collections.
Note
If you wish to customize your role collections, you have the option of creating and assigning them manually.
If you need a list of roles belonging to role collections for workflow management and business rules, refer to
the following links SAP Workflow Management - Authorization Configuration
SAP Business Rules Service for the Cloud Foundry Environment - Authorization Configuration
Parent topic: Setting Up User Authentication and Access [page 49]
Previous: Maintain Users and User Groups in Identity Authentication [page 50]
Next: Map Role Collections and Identity Authentication Group [page 62]
SAP Cloud Identity Access Governance Security Guide
User Management PUBLIC 61
7.1.3 Map Role Collections and Identity Authentication Group
To map the role collections to your Identity Authentication tenant, you must do the following:
• Set Identity Authentication as a trusted identity provider.
• Set up assertion-based groups and attributes mapping.
Parent topic: Setting Up User Authentication and Access [page 49]
Previous: Pre-Delivered Role Collections on SAP BTP [page 53]
Next: Set Up Assertion-based Groups for IdentityAuthentication and Role Collection Mapping [page 64]
7.1.3.1 Manually Establish Trust and Federation Between
UAA and Identity Authentication
SAP Cloud Identity Access Governance services use Identity Authentication to provide user identity
authentication.
Before you can start using the solution, you must federate your SAP Identity Access Service tenant with the
subscriber subaccount for SAP Cloud Identity Access Governance. This is a simple exchange of certificates;
however, some special settings must be implemented for optimum usability of the software.
7.1.3.1.1 Generate and Download SAP BTP Metadata File
1. Log into the SAP BTP as administrator, and go to your tenant account.
2. Navigate to Security Trust Configuration .
3. Select SAML Metadata to download the metadata file.
Make sure to download the metadata file to a directory that is accessible by the Identity Authentication
tenant.
For more information on Identity Authentication and SAP BTP trust configuration, see SAP Cloud Identity
Services - Identity Authentication.
SAP Cloud Identity Access Governance Security Guide
62 PUBLIC User Management
7.1.3.1.2 Create Application in Identity Authentication and
Upload SAP BTP Metadata File
In the Identity Authentication cockpit, create a custom application for SAP Cloud Identity Access Governance
services, which are used to establish the trust relationship with the SAP Business Technology Platform tenant
(SAP BTP).
1. In the Identity Authentication cockpit, navigate to Applications & Resources > Applications.
2. Add a custom application and save.
Note
For ease of use, the application and the subaccount should have the same name.
3. Upload the metadata from the SAP BTP tenant.
1. From the Custom Applications list, select your new custom application, and then select SAML 2.0
Configuration.
2. In the Metadata File field, browse to the location of the SAP BTP metadata file.
3. Upload the file and save.
7.1.3.1.3 Download the SAML Metadata File for the
Subscriber Subaccount
1. Go to the SAP BTP cockpit, and open your subscriber subaccount.
2. In the menu panel on the left side, choose Security and Trust Configuration .
3. Download the SAML Metadata file for the subaccount.
The file is downloaded with a name that contains the subdomain of the subaccount. The name makes it
easier to find the file for uploading it at a later date.
7.1.3.1.4 Download SAML Metadata File for Identity
Authentication
1. In the Identity Authentication cockpit, navigate to Tenant Settings SAML 2.0 Configuration .
2. In the SAML 2.0 Configuration , in the Identity Provider Settings, go to Signing Certificate at the bottom of
the page to down the metadata file.
3. Rename the file. Use the tenant ID of the Identity Authentication Service for this purpose.
4. In the field Description, enter the description (optional).
5. Save.
SAP Cloud Identity Access Governance Security Guide
User Management PUBLIC 63
7.1.4 Set Up Assertion-based Groups for
IdentityAuthentication and Role Collection Mapping
Attributes
Note
Make sure that the Application in Identity Authentication contains ONLY the attributes listed in the table in
Step 3. The Subject Name Identifier (SNI) MUST be User ID.
1. Log in to the Identity Authentication tenant and navigate to Applications & Resources Applications .
2. Under Applications, select your application for SAP Cloud Identity Access Governance (This is the
application you created as part of the procedure for setting up a trust relationship between the Identity
Authentication service tenant and the SAP Cloud Identity Access Governance application on SAP BTP.).
3. Go to Trust and choose Attributes and make sure only the following attributes are defined:
Name Value
Groups Groups
(Ensure that the letter G is in upper case.)
first_name First Name
last_name Last Name
mail Email
4. Remove other attributes and save.
Add Assertion-based Identity Authentication Groups and Attributes Mapping
1. Add assertion-based Groups.
1. Logon to the SAP-BTP tenant, and navigate to Security > Trust Configuration > Name.
2. Select the name of the relevant identity provider (the Identity Authentication that you have already
configured). For more information, refer to Manually Establish Trust and Federation Between UAA and
Identity Authentication [page 62].
3. Go to Role Collection Mapping and choose New Role Collection Mapping to create the mapping rules.
Some examples of role collections that must be mapped are listed below.
SAP Cloud Identity Access Governance Security Guide
64 PUBLIC User Management
Note
If role collections values are unavailable in the Identity Authentication system, you need to
manually create them. Other role collections listed here
Pre-Delivered Role Collections on SAP BTP [page 53] must be mapped in the same manner as the
examples listed below.
Role Collection Mapping to Identity Authentication Groups
Value - Equals to this
Pre-delivered Role Collec- Identity Authentication
tion Attribute Operator Group
CIAG_Access_ Analysis Groups equals IAG_Access_Analysis
CIAG_Access_ Analy- Groups equals IAG_Access_Analysis_Ad-
sis_Admin min
CIAG_Role_ Designer Groups equals IAG_Role_Designer
CIAG_Role_ Designer _Ad- Groups equals IAG_Role_Designer_Admin
min
4. Save.
Parent topic: Setting Up User Authentication and Access [page 49]
Previous: Map Role Collections and Identity Authentication Group [page 62]
Next: Maintaining Access to Tasks [page 65]
7.1.5 Maintaining Access to Tasks
Within the framework of access governance, tasks have different levels of risk and sensitivity. You use Identity
Authentication tools to ensure that only designated users can perform administrative tasks. For example, only
users designated as business role approvers can approve new business roles.
There are three steps in this procedure:
1. In the Identity Authentication tenant, create your groups according to the guidelines below.
2. Assign the appropriate users to the relevant groups.
3. Sync the user-group assignments.
In the Fiori launchpad for SAP Cloud Identity Access Governance, open the Job Scheduler app, and run
Sync User Groups from IAS job.
For more information about creating user groups and assigning users, see the For More Information section
below.
SAP Cloud Identity Access Governance Security Guide
User Management PUBLIC 65
For group naming conventions and assigning users to groups, refer to the Required Group Guidelines section
mentioned in Maintain Users and User Groups in Identity Authentication [page 50].
For group naming conventions and assigning users to groups, refer to the Group Naming Guidelines section
mentioned in Maintain Users and User Groups in Identity Authentication [page 50].
For More Information:
SAP Cloud Identity Services - Identity Authentication - User Management
SAP Cloud Identity Services - Identity Authentication - User Groups
SAP Cloud Identity Services - Identity Authentication - Assign Groups to Users
Parent topic: Setting Up User Authentication and Access [page 49]
Previous: Set Up Assertion-based Groups for IdentityAuthentication and Role Collection Mapping [page 64]
Next: Syncing User Groups from SAP Identity Services Identity Directory [page 66]
7.1.6 Syncing User Groups from SAP Identity Services
Identity Directory
With the configuration on in this page, Users/Groups and managed users’ attributes in SAP Cloud Identity
Access Governance application will all use SAP Identity Services Identity Directory as source system (), instead
of Identity Authentication Service. The configuration to use Identity Authentication Service as source () is no
longer needed.
To ensure user groups information is synchronized between the SAP Cloud Identity Services tenant and the
tenant for SAP Cloud Identity Access Governance on SAP Business Technology Platform (SAP BTP), you must
maintain the required system in SAP Cloud Identity Services and the destination in the tenant for SAP Cloud
Identity Access Governance and then run the SCI User Group Sync job in the Job Scheduler app.
Step 1: Set Up IAG Sync System as Administrator in the SAP Cloud Identity
Service Tenant
1. Login to the SAP Cloud Identity Service tenant.
2. Choose Administrators app.
3. Press the +Add button on the left-hand panel to add a new administrator to the list.
4. Choose Add System.
5. In the System Details section, enter the name of the system in the Name field, such as IAG Sync.
SAP Cloud Identity Access Governance Security Guide
66 PUBLIC User Management
6. To be a tenant administrator, a user must be assigned to Manage Users and Manage Groups from the
following roles.
Administrator Roles
Authorization Description
Manage Users This role gives the tenant administrator permission to
manage, import and export users via the administration
console.
Manage Groups This role gives the tenant administrator permission to cre-
ate, edit and delete user groups via the administration
console.
Access Proxy System API Authorizations to access API for provisioning identities via
proxy systems
Access Real-Time Provisioning API Authorizations to access API for real-time provisioning of
identities
Access Identity Provisioning Tenant Admin API Authorizations to access tenant API for running Identity
Provisioning jobs or downloading job logs
7. Configure System Authentication, using either Client ID/Secret or Certificate.
• Using Secrets: Select the IAG Sync system and choose Secrets. Add Secret and Save (the app
automatically generates a Client ID). Make a note of the Client ID and Client Secret. You will use them in
the next step.
• Using Certificate: Select the IAG Sync system and choose Certificate. Generate a certificate and Save.
Keep the downloaded certificate p12 file and the password for the certificate. You will use them in the
next step.
Step 2: Create Destination in the Tenant for SAP Cloud Identity Access
Governance on SAP BTP
1. In the tenant for SAP Cloud Identity Access Governance, go to the Subaccounts dropdown menu and
choose your subaccount.
2. Choose Connectivity Destinations in the navigation panel.
3. Create SAP_Identity_Services_Identity_Directory destination and choose the pencil icon to
edit it.
Enter the properties listed below:
*Name SAP_Identity_Services_Identity_Directory
Type HTTP
Description SAP Identity Services Identity
Directory
SAP Cloud Identity Access Governance Security Guide
User Management PUBLIC 67
*URL https://SCI_TENANT_ID.accounts.ondemand.com
(replace SCI_TENANT_ID with your SAP Identity Services
instance name)
Proxy Type Internet
Authentication: BasicAuthentication or
ClientCertificateAuthentication
User BasicAuthentication: Client ID of the Admin in Step 1
Password BasicAuthentication: Client Secret of the Admin in Step 1
Key Store Location ClientCertificateAuthentication: The certificate name
which is uploaded to BTP Cockpit using the certificate file
downloaded from SCI in Step 1
Key Store Password ClientCertificateAuthentication: The password for the cer-
tificate in Step 1
Accept application/scim+json
GROUPSURL /Groups
serviceURL /scim
USERSURL /Users
Step 3: Configuration Application Parameters
In the , Configuration Group UserSource, Parameter SourceSystem, set Parameter Value as:
SAP_Identity_Services_Identity_Directory.
Step 4: Run SCI User Group Sync Job
1. Login the SAP Cloud Identity Access Governance and open the Job Scheduler app.
2. In the Job Name field, enter the Job Name.
3. In the Job Category field, select SCI User Group Sync from the dropdown list.
4. In the Recurring Job field, select No.
5. In the Start Immediately field, select Yes.
6. Enter information in all required fields and choose Schedule Job. The job status and log can be checked in
the Job History app.
Note
To schedule a Recurring Job, refer to 2859618 for recommendation on the frequency of the jobs.
Parent topic: Setting Up User Authentication and Access [page 49]
SAP Cloud Identity Access Governance Security Guide
68 PUBLIC User Management
Previous: Maintaining Access to Tasks [page 65]
Next: Connecting Identity Provisioning Bundle Tenant [page 69]
7.1.7 Connecting Identity Provisioning Bundle Tenant
The SAP Cloud Identity Access Governance solution integrates with other SAP services, such as SAP Cloud
Identity Services - Identity Provisioning. These services require users to have specific roles to use them.
Identity Provisioning service is available as part of the bundled SAP Cloud Identity Access Governance solution.
For a successful integration, always use the Identity Provisioning tenant that is included in the bundle.
To obtain your Identity Provisioning tenant, or to have your existing bundle tenant upgraded for use with SAP
Cloud Identity Access Governance, create an incident for component GRC-IAG-OPS.
In the incident, mention the following information:
• That you request Identity Provisioning tenant from SAP Cloud Identity Access Governance bundle
• ID of the account where you have subscribed to SAP Cloud Identity Access Governance
• Whether the subscription is for test or production: specify plan test, standard, or tandd
• The URL of the Identity Authentication tenant for which you have established trust from your subscriber
account for SAP Cloud Identity Access Governance.
• S-user (ID and email address) who should be administrator in the Identity Provisioning tenant
• File separate incidents for test and production landscapes
Note
Do not use any standalone Identity Provisioning tenant or the Identity Provisioning service from SAP
Identity Access Governance (1.0) tenants (SAP BTP, Neo environment). Technically, it is still possible to use
Identity Provisioning from SAP Identity Access Governance (1.0) but not once the grace period expires.
Parent topic: Setting Up User Authentication and Access [page 49]
Previous: Syncing User Groups from SAP Identity Services Identity Directory [page 66]
7.1.7.1 Delivered Roles for Business Rules
The SAP Cloud Platform Business Rules service delivers the predefined role: RuleSuperUser. This role enables
you to create, modify, read, and activate a business rule project and other entities within it.
Assign the role to the groups you want to have those authorizations.
For more information, see SAP Cloud Platform Business Rules service - Authorization Configuration.
SAP Cloud Identity Access Governance Security Guide
User Management PUBLIC 69
7.1.7.2 Delivered Roles for Workflow
The SAP Cloud Platform Workflow service is delivered with predefined roles. Assign the following roles to the
Access Request Group to enable users to use the workflow service.
Roles for Accessing Workflow Service Runtime
Role Description
WorkflowDeveloper (global role) • Permission to use the workflow editor and deploy workflow definitions
• Permission to query workflow definitions
• Permission to retrieve the current error messages of a workflow instance
• Permission to retrieve the model of the latest version of a specified workflow
definition
WorkflowContextAdmin (global • Permission to partially modify or completely override the workflow context of a
role) workflow instance
contextAdminUsers
• Permission to retrieve the context of a task instance
contextAdminGroups
WorkflowContextViewer (global • Permission to retrieve the context of a workflow instance
role) • Permission to retrieve the context of a task instance
contextViewerUsers
contextViewerGroups
WorkflowInitiator (global role) • Permission to view the sample context of a workflow definition
• Permission to start workflow instances (using the API or the Monitor Workflows
app)
WorkflowParticipant (global • Permission to view tasks in My Inbox, where the user assigned to this role is a
role) recipient
• Permission to perform task operations including the following:
• Claim
• Release
• Call the task completion API
• This role is a prerequisite to work with instance-specific permissions.
SAP Cloud Identity Access Governance Security Guide
70 PUBLIC User Management
Role Description
WorkflowAdmin (global role) • Permission to use the Monitor Workflows app*
adminUsers
• Permission to query workflow definitions as well as query and cancel workflow
instances*
adminGroups • Permission to retrieve and modify the tasks of a workflow instance
• Permission to retrieve the current error messages of a workflow instance
• Permission to retry the failed steps of an erroneous workflow instance
• Permission to suspend and resume a workflow instance for temporary suspen-
sion of processing
• Permission to retrieve the workflow logs for a given workflow instance
• Permission to download the workflow model in the Monitor Workflow app*
WorkflowMessageSender (global • Permission to send a message to a set of workflow instances for consumption in
role) intermediate message events
WorkflowTenantOperator • Permission to export data
(global role) • Permission to undeploy workflow definitions
• Permission to delete multiple workflow instances
• Permission to purge all workflow definitions, workflow instances, and form defini-
tions
WorkflowEventSubscriber • Permission to subscribe to events. For internal use only.
(global role)
WorkflowViewer (global role) • Permission to query workflow definitions* as well as query workflow instances
viewerUsers
• Permission to view context of workflow instances and task instances
• Permission to retrieve the tasks of a workflow instance
viewerGroups
• Permission to retrieve the workflow logs for a given workflow instance
• Permission to download the workflow model
WorkflowBusinessExpert • Permission to work with process variants. For internal use only.
(global role)
* Only for global roles
The SAP Cloud Platform Workflow service is delivered with three apps to enable you to maintain it.
To access and use the Workflow Definition and Workflow Instances apps, assign to them the following roles:
• WorkflowContextViewer (global role)
• WorkflowContextAdmin:
• WorkflowViewer
Available Platform Roles for Using the Workflow Service Runtime
Role Description
Space Developer • Permission to deploy a workflow project
SAP Cloud Identity Access Governance Security Guide
User Management PUBLIC 71
7.1.7.3 Delivered Roles for Identity Provisioning
1. On the SAP Cloud Platform cockpit open > Services > Identity Provisioning> Configure Service > Roles.
2. IPS_ADMIN is a predefined role. Assign administrator’s S-user ID to this role so that they can configure the
IPS proxy system.
For more information, see SAP Cloud Platform Identity Provisioning service - Access the Identity Provisioning
Service
SAP Cloud Identity Access Governance Security Guide
72 PUBLIC User Management
8 Support Information
For assistance and questions, you can go to the SAP Support Portal at https://support.sap.com , and click on
Get Support button to report a new issue.
Use the following components as needed.
Service Component
access analysis service GRC-IAG-AA
access certification service GRC-IAG-CER
access request service GRC-IAG-AR
role design service GRC-IAG-RD
privileged access management service GRC-IAG-PAM
SAP Cloud Identity Access Governance Security Guide
Support Information PUBLIC 73
Important Disclaimers and Legal Information
Hyperlinks
Some links are classified by an icon and/or a mouseover text. These links provide additional information.
About the icons:
• Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your
agreements with SAP) to this:
• The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.
• SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any
damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.
• Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering an SAP-hosted Web site. By using
such links, you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this
information.
Videos Hosted on External Platforms
Some videos may point to third-party video hosting platforms. SAP cannot guarantee the future availability of videos stored on these platforms. Furthermore, any
advertisements or other content hosted on these platforms (for example, suggested videos or by navigating to other videos hosted on the same site), are not within
the control or responsibility of SAP.
Beta and Other Experimental Features
Experimental features are not part of the officially delivered scope that SAP guarantees for future releases. This means that experimental features may be changed by
SAP at any time for any reason without notice. Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use
the experimental features in a live operating environment or with data that has not been sufficiently backed up.
The purpose of experimental features is to get feedback early on, allowing customers and partners to influence the future product accordingly. By providing your
feedback (e.g. in the SAP Community), you accept that intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP.
Example Code
Any software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax
and phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of
example code unless damages have been caused by SAP's gross negligence or willful misconduct.
Bias-Free Language
SAP supports a culture of diversity and inclusion. Whenever possible, we use unbiased language in our documentation to refer to people of all cultures, ethnicities,
genders, and abilities.
SAP Cloud Identity Access Governance Security Guide
74 PUBLIC Important Disclaimers and Legal Information
SAP Cloud Identity Access Governance Security Guide
Important Disclaimers and Legal Information PUBLIC 75
www.sap.com/contactsap
© 2025 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form
or for any purpose without the express permission of SAP SE or an SAP
affiliate company. The information contained herein may be changed
without prior notice.
Some software products marketed by SAP SE and its distributors
contain proprietary software components of other software vendors.
National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for
informational purposes only, without representation or warranty of any
kind, and SAP or its affiliated companies shall not be liable for errors or
omissions with respect to the materials. The only warranties for SAP or
SAP affiliate company products and services are those that are set forth
in the express warranty statements accompanying such products and
services, if any. Nothing herein should be construed as constituting an
additional warranty.
SAP and other SAP products and services mentioned herein as well as
their respective logos are trademarks or registered trademarks of SAP
SE (or an SAP affiliate company) in Germany and other countries. All
other product and service names mentioned are the trademarks of their
respective companies.
Please see https://www.sap.com/about/legal/trademark.html for
additional trademark information and notices.
THE BEST RUN
You might also like
- E Bites - Introducing SAP Cloud Identity Access Governance (IAG)No ratings yetE Bites - Introducing SAP Cloud Identity Access Governance (IAG)108 pages
- IAG Bridge Cloud SAP AC12.0, SAP Cloud Identity Access and Cloud AppNo ratings yetIAG Bridge Cloud SAP AC12.0, SAP Cloud Identity Access and Cloud App24 pages
- SAP Cloud Identity Services - Identity Authentication, Solution OverviewNo ratings yetSAP Cloud Identity Services - Identity Authentication, Solution Overview36 pages
- SAP Implementation: Key Success FactorsNo ratings yetSAP Implementation: Key Success Factors16 pages
- Sap Security Webcast Series Sap BTP Cloud Identity and Security ServicesNo ratings yetSap Security Webcast Series Sap BTP Cloud Identity and Security Services47 pages
- SAP HANA Cloud Platform Identity Provisioning - SCNNo ratings yetSAP HANA Cloud Platform Identity Provisioning - SCN4 pages
- Job Aid For SU24: Purpose: Transaction SU24 Maintains The USOBT - C and USOBX - C Tables. These Tables HoldNo ratings yetJob Aid For SU24: Purpose: Transaction SU24 Maintains The USOBT - C and USOBX - C Tables. These Tables Hold23 pages
- Top 10 SAP Audit and Security Risks: Securing Your System and Vital DataNo ratings yetTop 10 SAP Audit and Security Risks: Securing Your System and Vital Data6 pages
- SAP Secure Login Service For SAP GUI - Solution OverviewNo ratings yetSAP Secure Login Service For SAP GUI - Solution Overview34 pages
- Sap Hana Database: User's Guide To MeasurementNo ratings yetSap Hana Database: User's Guide To Measurement12 pages
- IDM 7.2 Identity Center Tutorial - Working With Roles and PrivilegesNo ratings yetIDM 7.2 Identity Center Tutorial - Working With Roles and Privileges96 pages
- Active Directory As Usar Data Source in SAP GRC InprosecNo ratings yetActive Directory As Usar Data Source in SAP GRC Inprosec3 pages
- Configuring SAP Analytics Cloud With IASNo ratings yetConfiguring SAP Analytics Cloud With IAS3 pages
- GRC - PC - 10 0 - PreliminarySizingGuideline - V5No ratings yetGRC - PC - 10 0 - PreliminarySizingGuideline - V516 pages
- Integration Access Control With Fiori Apps For S4HANA On-PremiseNo ratings yetIntegration Access Control With Fiori Apps For S4HANA On-Premise5 pages
- User Authentication and Single Sign On PDFNo ratings yetUser Authentication and Single Sign On PDF119 pages
- Creating Custom SU01 Transaction Code With Display and Password Reset Buttons PDFNo ratings yetCreating Custom SU01 Transaction Code With Display and Password Reset Buttons PDF7 pages
- GRC POST INSTALLATION - Auttomatic Workflow CustomizingNo ratings yetGRC POST INSTALLATION - Auttomatic Workflow Customizing31 pages
- Translate On-Premised Fiori LaunchPad Tiles in Different Languages On The ABAP Stack - SAP BlogsNo ratings yetTranslate On-Premised Fiori LaunchPad Tiles in Different Languages On The ABAP Stack - SAP Blogs15 pages
- Setting Up An SNC-Based SAProuter Connection For Employee Central Payroll SystemsNo ratings yetSetting Up An SNC-Based SAProuter Connection For Employee Central Payroll Systems26 pages
- RSUSR 008 009 New - Critical Authorizations100% (1)RSUSR 008 009 New - Critical Authorizations10 pages
- Upgrade SAP Access Control 10.010.1 To 12.0No ratings yetUpgrade SAP Access Control 10.010.1 To 12.028 pages
- GRC Components - Work Module of GRC: Compliant User ProvisioningNo ratings yetGRC Components - Work Module of GRC: Compliant User Provisioning4 pages
- Security Guide For SAP Assurance and Compliance Software For SAP S4HANA - 1.5 SP00No ratings yetSecurity Guide For SAP Assurance and Compliance Software For SAP S4HANA - 1.5 SP00204 pages
- Add New Field On The Dynamic Selection Using Logical Database - SAP BlogsNo ratings yetAdd New Field On The Dynamic Selection Using Logical Database - SAP Blogs9 pages
- R3 Authorizations Made Easy 4.6AB User Role Templates and Generating Authorizations ProfilesNo ratings yetR3 Authorizations Made Easy 4.6AB User Role Templates and Generating Authorizations Profiles13 pages
- DEV262 - Evolution of The ABAP Programming Language - Exercise - SolutionNo ratings yetDEV262 - Evolution of The ABAP Programming Language - Exercise - Solution33 pages
- Scenario Based SAP ABAP RAP Interview QuestionsNo ratings yetScenario Based SAP ABAP RAP Interview Questions15 pages
- Upgrade Standard Adjustments - SPDD - SPAU - SummaryNo ratings yetUpgrade Standard Adjustments - SPDD - SPAU - Summary27 pages
- Making ALV To React To Change Data Automatically - ABAP Development - SCN WikiNo ratings yetMaking ALV To React To Change Data Automatically - ABAP Development - SCN Wiki7 pages
- Step by Step Guide To Debug A Start - 2c End or An Expert Routine in BI 7.0No ratings yetStep by Step Guide To Debug A Start - 2c End or An Expert Routine in BI 7.018 pages
- ABAP Classical Reports Interview QuestionNo ratings yetABAP Classical Reports Interview Question4 pages
- Sap Production Planning and Control: SappracticesNo ratings yetSap Production Planning and Control: Sappractices4 pages
- Note 1901463 - How To Unlock The SAP System To Perform Correction(s) During An UpgradeNo ratings yetNote 1901463 - How To Unlock The SAP System To Perform Correction(s) During An Upgrade2 pages
- PI Message Alerting PI7.31 SolMan7.1SP5 ComponentBased AlertingNo ratings yetPI Message Alerting PI7.31 SolMan7.1SP5 ComponentBased Alerting12 pages
- End To End OData Service SAPUI5 Application93% (30)End To End OData Service SAPUI5 Application66 pages
