SAP provides a comprehensive suite of identity and access management (IAM) solutions to help customers manage user identities across their SAP applications, both on-premise and in the cloud. These solutions include SAP Identity Management (SAP IDM), SAP GRC Access Control (SAP GRC AC), SAP Cloud Identity Services (comprising Identity Authentication and Identity Provisioning), and the SAP Identity Access Governance (SAP IAG) service.
SAP IDM, the long-standing on-premise IAM solution that has supported customers for over two decades, is approaching the end of its maintenance lifecycle (refer to SAP Note 3278799). Organizations currently using SAP IDM and planning a migration strategy can consider leveraging SAP IAG, SAP Cloud Identity Services (CIS), and their existing SAP GRC Access Control systems to cover identity lifecycle management needs. In many cases, the combination of SAP IAG with CIS—or SAP IAG with CIS and a bridge to SAP GRC Access Control—can replicate most of the functionalities previously handled by SAP IDM.
SAP IAG and SAP CIS are designed to complement each other and are often deployed together in enterprise environments to deliver end-to-end identity and access management. Additionally, SAP IAG can be integrated in a bridge scenario with SAP GRC Access Control to reuse existing configurations and ensure a smooth transition.

| Feature / Solution | SAP IAG | SAP Cloud Identity Services | SAP GRC Access Control |
| --- | --- | --- | --- |
| Deployment | Cloud | Cloud | On-premise / Hybrid |
| Primary Focus | Access governance & compliance | Authentication & identity provisioning | Risk management & compliance |
| Authentication (SSO, MFA) | No | Yes | No |
| Access Risk Analysis | Yes | No | Yes |
| Access Request Management | Yes | No | Yes |
| Role Management | Yes | No | Yes |
| Privileged Access Management | Yes | No | Yes (via EAM) |
| Best Fit For | Cloud-first organizations | Identity and access security | Regulated industries with complex needs |

IDM Functionalities
This section outlines the SAP IDM functionalities along with their corresponding equivalents in SAP IAG, CIS, and GRC Access Control. The relevance of each activity may vary depending on the specific SAP IDM implementation within an organization.

| IDM Functionality | As-Is Configuration (SAP IDM) | Corresponding Functionality in IAG / CIS / GRC AC |
| --- | --- | --- |
| System Connectivity – SAP & Non-SAP Systems | List of systems supported via SAP IDM packages: ABAP Business Suite, ABAP (Load Balanced), AD, AS Java, BW, Dual Stack, HANA DB, S/4HANA, SCI (IAS/IPS), SCIM (IPS Proxy), SuccessFactors (SFSF), Sun (AD), GRC | CIS: Supported Systems; IAG: Integration Scenarios |
| Data Source | SuccessFactors, HR Mini Master, AD (On-Prem/Cloud), third-party DBs | IAG: Integration Scenarios; GRC AC: LDAP, HR triggers for position-based assignment, HR triggers from SuccessFactors, ABAP, or custom |
| Role Type | Technical Roles, Business Roles | IAG: Role Design Service; GRC AC: BRM Module |
| GRC Integration – Risk Analysis | Risk Analysis / Risk Analysis only | IAG: Standalone Version; IAG Bridge with GRC Access Control |
| Approval Workflows | Maintained Users / Pending Value Objects | IAG: SAP Workflow Management Service; GRC AC: MSMP Workflows (Bridge Scenario) |
| Entry Owners | Maintained / Not Maintained | IAG / IAG Bridge: IAS User Groups; GRC AC: Bridge Scenario (Parameter 1090: No) |
| Self-Services | Password Self-Service, Role Requests | GRC AC: Password Self-Service |
| Attestation (User Access Review) | User Access Review | IAG: Access Certification; GRC AC: User Access Review (UAR) |
| Mass Upload Utility | Upload Users, Roles, Privileges, Mappings via Excel | IAG: Access Mass Update, Business Role Mass Update; GRC AC: Excel Uploads (Bridge Scenario) |
| Custom Notifications | Custom Notification Messages | GRC AC: Custom Notifications |
| IDM Reports | Reports from IDM DB | IAG: Reports; GRC AC: Reports |
| Custom Configurations | Custom or Enhanced Functionalities (e.g., HTML5 Forms) | Handled on a Need Basis |
| Audit Logs | Activity-Based Logging | IAG: BTP Audit Log Service; GRC AC: Audit Logs (Bridge Scenario) |

It is recommended to conduct an SAP IDM assessment to evaluate the feasibility of migrating existing functionalities to SAP IAG, CIS, or GRC Access Control. This approach is particularly suitable for customers who primarily use SAP IDM for managing access in SAP systems, whether on-premise or in the cloud.