SAP Business Technology Platform (BTP) and other cloud applications from SAP are changing the way businesses use technology. Understanding how to work with SAP BTP, SAP Identity Authentication Service (IAS), and SAP Identity and Access Governance (IAG) is essential. For security experts, knowing the answers to common questions about these SAP solutions is not just helpful; it’s really important.
In this Learning blog, we will look at the questions that people often ask about SAP BTP, SAP IAS, and SAP IAG. Whether you’re new to this or have been working with it for a while, these frequently asked questions will give you useful information. Join us as we explore the details of SAP security, providing a guide to help security experts stay on top of things in the ever-changing world of SAP.
1. Will SAP IAG replace SAP GRC?
No, SAP IAG will not replace SAP GRC, despite having similar functionalities. SAP is, in fact, planning to release the next version of SAP GRC in 2026.
2. Can the client implement both SAP GRC and SAP IAG?
3. If I have on-premise systems, can I still choose SAP IAG?
4. Does IAG have all the capabilities of SAP GRC Access Control?
As previously highlighted, SAP GRC Access Control (AC) and SAP Identity and Access Governance (IAG) are two distinct products. While they share certain capabilities, each application comes with its own set of advantages and drawbacks, and there are many differences between the two.
5. Is SAP IAG a private cloud offering? Or a public cloud offering?
6. What advantages does IAG have over SAP GRC?
7. Is it mandatory to know SAP GRC for learning SAP IAG?
8. Is it possible to integrate SAP IAG with SAP PC/RM?
9. What is SAP’s strategy on updating SAP IAG?
SAP is consistently updating IAG and adding capabilities to it with its frequent releases. For the latest information on the IAG product roadmap, check the SAP Help document.
10. Do I need to know BTP security for supporting SAP IAG?
It is good to have SAP BTP knowledge, as user management and role assignments for SAP IAG must be performed from IAS. SAP IAS is not part of SAP Identity Services, which is a service integrated with BTP.
11. What is Universal ID and how do I create one?
To create a BTP trial account, you need a Universal ID. Refer to the link below for a detailed walk-through: https://developers.sap.com/tutorials/hcp-create-trial-account.html
13. What is Default Identity Provider (IDP)?
The Default Identity Provider is set up automatically when the BTP account is created. It uses the SAP user store. When the option is set to Default Identity Provider, the user must use the SAP Open ID (Universal ID) to log in to the application.
However, SAP recommends creating a corporate IDP once the BTP sub-account is set up. Root should remain on Default Identity Provider. Once the trust configuration is set up and established, you may create user IDs in IAS.
14. Why is a custom/corporate IDP needed? How is it different from the default IDP?
Custom/corporate IDP is used when the user store should be managed internally by the administrators.
Here are the differences:

15. What is needed to set up Cloud IAG?

16. What is the difference between S User ID, P User ID and Universal ID?
A detailed explanation on S User ID, P User ID and Universal ID is provided in the SAP Blog. Click the below link:
https://blogs.sap.com/2021/03/10/sap-user-ids-whats-the-difference-find-out-more-here
17. What are the different ways to assign role collections to users?
Role collections can be assigned to users in 2 ways:
Option 1 – Classical way, directly assigning role collections through the BTP cockpit.
Option 2 – Dynamic way, assigning role collections to groups and groups to users.
It is always recommended to follow Option 2, i.e., the dynamic way, which will reduce the manual effort.
To assign role collections to groups and provision the authorization to users:
- Update the attribute assertion for the respective identity provider application (e.g., SAMLV2), and ensure the changes are uploaded to the trust configuration by way of the metadata XML.
- From BTP, update the role collection mapping: in the trust configuration, click the IDP link, then click Maintain Role collections, and map the role collections against groups.
- Assign users to groups in IAS
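What the group-based option resolves to at login, as an added example (not code from SAP or from this blog): it reads the group values from a constructed SAML assertion and applies a constructed group-to-role-collection mapping, listing any asserted group that has no mapping. The attribute name "Groups" and every user, group and role collection name below are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (unsigned); attribute and group names are assumptions.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Groups">
      <saml:AttributeValue>Example_IAG_Admins</saml:AttributeValue>
      <saml:AttributeValue>Example_IAG_Reviewers</saml:AttributeValue>
      <saml:AttributeValue>Example_Legacy_Team</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Constructed mapping, as it would be maintained per group in the trust
# configuration; the role collection names are hypothetical.
ROLE_COLLECTION_MAPPING = {
    "Example_IAG_Admins": ["RC_Example_Admin"],
    "Example_IAG_Reviewers": ["RC_Example_Reviewer", "RC_Example_Display"],
}

def groups_from_assertion(xml_text, attribute_name="Groups"):
    """Return (user, groups). Inspection only: no signature validation."""
    root = ET.fromstring(xml_text)
    user = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    groups = [
        value.text.strip()
        for attr in root.iterfind(".//saml:Attribute", NS)
        if attr.get("Name") == attribute_name  # exact, case-sensitive match
        for value in attr.iterfind("saml:AttributeValue", NS)
        if value.text
    ]
    return user, groups

def resolve_role_collections(groups, mapping):
    """Return (role collections granted, asserted groups with no mapping)."""
    granted, unmapped = set(), []
    for group in groups:
        if group in mapping:
            granted.update(mapping[group])
        else:
            unmapped.append(group)  # grants nothing until it is mapped
    return sorted(granted), unmapped

if __name__ == "__main__":
    user, groups = groups_from_assertion(SAMPLE_ASSERTION)
    print(user, resolve_role_collections(groups, ROLE_COLLECTION_MAPPING))
```

The unmapped list is the useful part when troubleshooting a missing authorization: a group that reaches BTP in the assertion but has no role collection mapped to it grants nothing.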
18. How to create administrators in IAS?
There are 2 types of Administrators that can be created in IAS:
- IAS Administrator
- System (non-dialog) user
To create administrators:
- Log in to IAS
- Click Users & Authorizations
- Click Administrators
- Click Add
- Select User, or System
For a “System” type ID, you must configure system authentication, which can be either Certificate or Secrets.
NOTE: The secret key must be copied, as it is not possible to retrieve it at a later stage.
19. How can business (normal) users log in to IAS?
20. How can a user change profile settings?
The profile information can be changed using the “User Profile” link, which looks as follows:
You may find the link on your invitation/activation email once the ID is created in IAS.
21. What is Cloud IAG?
SAP Cloud IAG is:
- A public cloud offering from SAP that helps enterprises to streamline various compliance requirements.
- Designed as a part of “Cloud First Adoption” programme.
- Targeting “Rise with SAP” customers.
- Allows Cloud & On-premise system integrations.
- No more upgrade challenges.
22. What is the right way to manage authorizations? How to assign authorization to users in SAP IAG?
The recommended approach is to set up a custom identity provider for IAG and perform the following:
- Set up user groups in IAS
- Sync user groups in IAG
- Create SCIUserGroup destination to sync user groups
- Create a system type administrator
- Create a destination in BTP sub-account
- Run job scheduler
NOTE: Ensure that the role connection mapping to IAG groups is carried out in the SAP BTP destination settings.
23. What values should be maintained when creating the SCIUserGroup destination?

24. How to view the Risk analysis data in SAP IAG Risk Analysis service?
For roles – Go to Access Maintenance and search by role name to see the risk information.

Important – Role-level mitigation is not possible. SAP IAG doesn’t support mitigating risks at the role level.
For Users – Go to the Access Analysis tab, execute Access Analysis – Enhanced Report app and search for the user based on your selection criteria.

Additionally, you may use the Access Analysis app which doesn’t have the filtering options.

Risk Analysis screen provides 2 options:
- Remediate
- Mitigate
Simple Refinement – Roles are removed from users. A provisioning request is created automatically and, once it is executed, the roles are removed from the users.
Advanced Refinement – Proposes the removal of risks from the user, and action can be taken on the proposal.
25. How does a user log in to a PAM ID session?
The user must log in to the PAM ID in the backend system using the SIAG_PAM_LAUNCH_PAD transaction code.
26. Can I create a PAM ID in the backend system and push it to IAG?
Creating PAM IDs in the backend system is not possible. PAM IDs must be created in SAP IAG only and will be pushed to the backend systems. To provision, run the “Provisioning” job.
27. Can I assign individual roles to a PAM ID?
This is not possible. A PAM ID can only have 1 business role. You must create a business role and assign it to the PAM ID. The business role can have multiple single roles assigned.
28. Which workflows are relevant to PAM ID?
PAM ID uses the following workflows:
- PAM – For PAM ID assignment
- PAMREVIEW – Review logs
You may maintain the workflow stages in the App and maintain them in the Rules for the Workflow settings.
Conclusion
In conclusion, the transformative impact of SAP BTP and SAP’s cloud applications is reshaping the technological landscape for businesses. Proficiency in navigating SAP BTP, SAP Identity Authentication Service (IAS), and SAP Identity and Access Governance (IAG) is vital for those aiming to stay ahead in this dynamic environment. This learning blog has shed light on common queries about these SAP solutions, serving as a valuable resource for both newcomers and experienced professionals.