Working with SAP IAG Workflow
The operational backbone of SAP IAG is its Workflow system. It is driven by
SAP Business Rules and based on the logic of the MSMP & BRF+ workflow in
SAP Access Control. This cloud-based solution on the Business Technology
Platform (BTP) lets organizations create, optimize, and manage services such
as Access Request and Role Designer.
This learning blog provides information on SAP IAG Workflow.
1) How does the Workflow function in SAP IAG?
IAG workflow is integrated with the SAP Cloud Platform Business Rules Service.
This integration allows the definition of stages, paths, and other workflow rules,
enabling requests to progress through the various approval stages.
2) How to set up Workflow?
Setting up Workflow in SAP IAG is carried out in 2 stages:
1. Creating new workflow templates
2. Updating Business Rule
Creating New Workflow Templates:
1. Login to SAP IAG
2. From the Administration group, execute the Maintain Workflow Template app
3. Click the + sign to create a new template
4. Provide a Name and Description for the new template
5. Click the + sign for stages and add the relevant stages

NOTE: Currently SAP IAG supports only 4 pre-defined stages, i.e., Security, Risk
Owner, Role Owner and Manager. No additional stages can be created.
6. Change the sequence as needed using the up/down arrows.
7. Click Save. The template now appears in the list as a User defined template.
Updating Business Rule:
Once the template is created, the next step is to update the Business Rule. Follow the
steps below:
1. Login to SAP IAG
2. Under the Administration group, execute the Configuration app
3. Launch Business Rule

4. Click (open) “IAG Workflow Business Rule”
5. Click Edit
6. Navigate to Rulesets tab
7. Click (open) “PathRulset”
8. Click (open) “RequestTypeRule”
9. Maintain the Decision Table, i.e., Request Type (pre-defined values) and
PathName (created in Maintain Workflow Template)

10. Click Validate
11. Go to the previous screen and click Deploy to deploy the updated workflow on Cloud Runtime, and Activate.
Requests created from now on will use the new PathName that is mapped to their RequestType.
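Before clicking Deploy, the planned templates and decision-table rows can be checked offline for routing mistakes. The Python sketch below is an added example, not SAP code and not part of the original blog: the data layout, the template names and the request type values are constructed placeholders, and the "at least one stage" check is this example's own assumption. Only the four stage names come from the NOTE above.

```python
# Added example: offline lint of a planned RequestTypeRule decision table.
# Data layout and sample values are constructed; this is not an SAP IAG export or API.

PREDEFINED_STAGES = {"Security", "Risk Owner", "Role Owner", "Manager"}  # from the NOTE


def lint_workflow(templates, decision_table, request_types):
    """Return sorted findings; an empty list means the plan is consistent.

    templates:      {PathName: [stage, ...]} as entered in Maintain Workflow Template
    decision_table: [(RequestType, PathName), ...] rows planned for RequestTypeRule
    request_types:  request types that must be routed to some path
    """
    findings = []
    for name, stages in templates.items():
        if not stages:  # assumption of this example: every path needs an approver
            findings.append(f"template {name}: no approval stage")
        for stage in stages:
            if stage not in PREDEFINED_STAGES:
                findings.append(f"template {name}: unsupported stage {stage!r}")
    seen = {}
    for req_type, path in decision_table:
        if path not in templates:  # exact match, so stray whitespace is caught
            findings.append(f"rule {req_type}: PathName {path!r} has no template")
        if req_type in seen and seen[req_type] != path:
            findings.append(
                f"rule {req_type}: conflicting paths {seen[req_type]!r} and {path!r}")
        seen.setdefault(req_type, path)
    for req_type in request_types:
        if req_type not in seen:
            findings.append(f"request type {req_type}: not mapped to any PathName")
    return sorted(findings)


# Constructed sample plan (hypothetical names throughout).
SAMPLE_TEMPLATES = {
    "ZMANAGER_SECURITY": ["Manager", "Security"],
    "ZROLE_OWNER_ONLY": ["Role Owner"],
    "ZCUSTOM": ["Manager", "Compliance"],  # "Compliance" is not a predefined stage
}
SAMPLE_RULES = [
    ("REQ_TYPE_A", "ZMANAGER_SECURITY"),
    ("REQ_TYPE_B", "ZROLE_OWNER_ONLY "),   # trailing space: no such template
    ("REQ_TYPE_A", "ZCUSTOM"),             # same request type routed twice
]
SAMPLE_REQUEST_TYPES = ["REQ_TYPE_A", "REQ_TYPE_B", "REQ_TYPE_C"]

if __name__ == "__main__":
    for finding in lint_workflow(SAMPLE_TEMPLATES, SAMPLE_RULES, SAMPLE_REQUEST_TYPES):
        print(finding)
```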
3) What are the limitations of Workflow in SAP IAG?
Unlike SAP GRC Access Control, the Workflow in SAP IAG is less flexible. It
accommodates a maximum of four predefined stages, namely Security,
Manager, Role Owner, and Risk Owner. These stages are fixed and cannot be
extended or customized. SAP IAG also does not permit the creation of new agents,
which limits the adaptability of its workflow structure compared to SAP GRC Access
Control.
4) Can I use BRF+ Rules in SAP IAG?
SAP IAG does not support the integration of BRF+ rules. Instead, it relies
exclusively on a single Decision Table, which is already provided within the
Business Rule configuration. Additional decision logic therefore cannot be
added through BRF+ rules within SAP IAG.