Ever thought about how to control access and permissions effectively in SAP Identity Access Governance (IAG)? Let’s break it down in simple terms.
Imagine a scenario where a user who has the authority to manage risks ends up mitigating risks unrelated to his or her function. Or what if a user can request sensitive roles and the manager approves the request without a thorough review? Think of a situation where a user changes his or her manager ID or email at run time. Also consider having to implement a requirement that restricts requesting PAM IDs to full-time users only.
It is easy to implement authorization restrictions in SAP GRC Access Control, as it is a NetWeaver-based system. But how do you implement similar restrictions in SAP IAG? SAP IAG poses challenges: role collections have limitations, and applying restrictions at the data level isn't possible through them. But here's the good news – you can address these issues by implementing Authorization Policies.
An Authorization Policy is essentially a set of rules with predefined conditions. Admins use the Authorization Policy app to define these policies. To keep things simple, let's focus on one policy type – Access Risk. However, it's important to note that SAP IAG supports policies for the following types, providing a comprehensive solution to your access control restriction needs:
- Access Risk
- Back-end User
- Mitigation Control
- Business Role
- Access
- Application
- Business Function Group
- Access Request
Refer to figure 1.0 for the options that you can select from the policy definition screen.

1. From SAP IAG, navigate to the Administration group.
2. Click "Authorization Policy".
3. Click New Policy Set.
4. Enter a name and select the Policy Type.
5. Click Save.
6. Now navigate to the Policy Set from the list and click the + sign under Policies.

7. Enter the Policy ID and description, then click the + sign to add the conditions.
Since "Access Risk" is selected as the Policy Type, the Conditions show Risk ID, Business Process, Risk Level and Risk Type.

8. Select a condition, give it a value and create the policy.

9. Click Save.
A definition can also be based on various conditions, as shown below:

NOTE: Multiple policies can be defined in a single Policy definition. Once defined, you will see all the policies along with their Assigned Users (based on the condition).

10. Click Apply to apply the changes. Once activated, the Status changes to Active.
In this example, Mitigate authorization is granted to user RAGHU for risks B001 and B002, along with other critical risks.
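To make the evaluation concrete, here is a small model of the Access Risk policy set described above, written as an added example for this post rather than SAP IAG's own code. It assumes, as a simplification, that all condition attributes within one policy must match (AND), that a user assigned to several policies gets the union of their scopes (OR), that only an Active set restricts anyone, and that users not assigned to any policy in the set are not restricted by it; the risk catalogue and IDs are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample risk catalogue (not real SAP IAG data). Attribute names follow the
# condition fields on the Access Risk policy screen: Risk ID, Business Process, Risk Level, Risk Type.
RISKS = {
    "B001": {"business_process": "Finance", "risk_level": "High",     "risk_type": "SoD"},
    "B002": {"business_process": "Finance", "risk_level": "Medium",   "risk_type": "SoD"},
    "P010": {"business_process": "HR",      "risk_level": "Critical", "risk_type": "Critical Action"},
    "S005": {"business_process": "Basis",   "risk_level": "Low",      "risk_type": "SoD"},
}

@dataclass
class Policy:
    policy_id: str
    conditions: dict                      # attribute -> set of allowed values (all must match)
    assigned_users: set = field(default_factory=set)

@dataclass
class PolicySet:
    name: str
    policy_type: str
    policies: list = field(default_factory=list)
    status: str = "Inactive"              # becomes "Active" after Apply (step 10)

def risk_matches(risk_id, conditions):
    """True when every condition attribute of the policy matches the risk (AND semantics)."""
    attrs = {"risk_id": risk_id, **RISKS[risk_id]}
    return all(attrs.get(attr) in allowed for attr, allowed in conditions.items())

def is_restricted(policy_set, user):
    """Assumption: only an Active set restricts, and only users assigned to one of its policies."""
    return policy_set.status == "Active" and any(user in p.assigned_users for p in policy_set.policies)

def can_mitigate(policy_set, user, risk_id):
    """A restricted user may mitigate only risks matched by a policy assigned to them (OR across policies)."""
    if not is_restricted(policy_set, user):
        return True
    return any(user in p.assigned_users and risk_matches(risk_id, p.conditions) for p in policy_set.policies)

def mitigable_risks(policy_set, user):
    """All catalogue risks the user may mitigate under this policy set."""
    return {r for r in RISKS if can_mitigate(policy_set, user, r)}

def build_example_policy_set():
    """Scenario from the post: RAGHU may mitigate B001, B002 and any Critical risk."""
    return PolicySet("MITIGATION_SCOPE", "Access Risk", status="Active", policies=[
        Policy("POL_B00X", {"risk_id": {"B001", "B002"}}, {"RAGHU"}),    # hypothetical policy IDs
        Policy("POL_CRIT", {"risk_level": {"Critical"}}, {"RAGHU"}),
    ])
```

Running `mitigable_risks(build_example_policy_set(), "RAGHU")` yields B001, B002 and the Critical risk P010, while the Low-level S005 stays out of scope for that user.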
Set up other attribute restrictions using the other policy options.
For more detailed information on these settings, refer to SAP Notes 2788255 (Value Help Attribute Values for Auth Policy UI) and 3300664 (IAG – How does Authorization Policy works with different filters?).