Shift identity management from SAP IDM to SAP IAG with CIS and GRC AC.

SAP provides a comprehensive suite of identity and access management (IAM) solutions to help customers manage user identities across their SAP applications, both on-premise and in the cloud. These solutions include SAP Identity Management (SAP IDM), SAP GRC Access Control (SAP GRC AC), SAP Cloud Identity Services (comprising Identity Authentication and Identity Provisioning), and the SAP Identity Access Governance (SAP IAG) service.

SAP IDM, the long-standing on-premise IAM solution that has supported customers for over two decades, is approaching the end of its maintenance lifecycle (refer to SAP Note 3278799). Organizations currently using SAP IDM and planning a migration strategy can consider leveraging SAP IAG, SAP Cloud Identity Services (CIS), and their existing SAP GRC Access Control systems to cover identity lifecycle management needs. In many cases, the combination of SAP IAG with CIS—or SAP IAG with CIS and a bridge to SAP GRC Access Control—can replicate most of the functionalities previously handled by SAP IDM.

SAP IAG and SAP CIS are designed to complement each other and are often deployed together in enterprise environments to deliver end-to-end identity and access management. Additionally, SAP IAG can be integrated in a bridge scenario with SAP GRC Access Control to reuse existing configurations and ensure a smooth transition.

 

| Feature / Solution | SAP IAG | SAP Cloud Identity Services | SAP GRC Access Control |
| --- | --- | --- | --- |
| Deployment | Cloud | Cloud | On-premise / Hybrid |
| Primary Focus | Access governance & compliance | Authentication & identity provisioning | Risk management & compliance |
| Authentication (SSO, MFA) | No | Yes | No |
| Access Risk Analysis | Yes | No | Yes |
| Access Request Management | Yes | No | Yes |
| Role Management | Yes | No | Yes |
| Privileged Access Management | Yes | No | Yes (via EAM) |
| Best Fit For | Cloud-first organizations | Identity and access security | Regulated industries with complex needs |

IDM Functionalities

This section outlines the SAP IDM functionalities along with their corresponding equivalents in SAP IAG, CIS, and GRC Access Control. The relevance of each activity may vary depending on the specific SAP IDM implementation within an organization.

 

| IDM Functionality | As-Is Configuration (SAP IDM) | Corresponding Functionality in IAG / CIS / GRC AC |
| --- | --- | --- |
| System Connectivity – SAP & Non-SAP Systems | List of systems supported via SAP IDM packages: ABAP Business Suite, ABAP (Load Balanced), AD, AS Java, BW, Dual Stack, HANA DB, S/4HANA, SCI (IAS/IPS), SCIM (IPS Proxy), SuccessFactors (SFSF), Sun (AD), GRC | CIS: Supported Systems; IAG: Integration Scenarios |
| Data Source | SuccessFactors, HR Mini Master, AD (On-Prem/Cloud), third-party DBs | IAG: Integration Scenarios; GRC AC: LDAP, HR triggers for position-based assignment, HR triggers from SuccessFactors, ABAP, or custom |
| Role Type | Technical Roles, Business Roles | IAG: Role Design Service; GRC AC: BRM Module |
| GRC Integration – Risk Analysis | Risk Analysis / Risk Analysis only | IAG: Standalone Version; IAG Bridge with GRC Access Control |
| Approval Workflows | Maintained Users / Pending Value Objects | IAG: SAP Workflow Management Service; GRC AC: MSMP Workflows (Bridge Scenario) |
| Entry Owners | Maintained / Not Maintained | IAG / IAG Bridge: IAS User Groups; GRC AC: Bridge Scenario (Parameter 1090: No) |
| Self-Services | Password Self-Service, Role Requests | GRC AC: Password Self-Service |
| Attestation (User Access Review) | User Access Review | IAG: Access Certification; GRC AC: User Access Review (UAR) |
| Mass Upload Utility | Upload Users, Roles, Privileges, Mappings via Excel | IAG: Access Mass Update, Business Role Mass Update; GRC AC: Excel Uploads (Bridge Scenario) |
| Custom Notifications | Custom Notification Messages | GRC AC: Custom Notifications |
| IDM Reports | Reports from IDM DB | IAG: Reports; GRC AC: Reports |
| Custom Configurations | Custom or Enhanced Functionalities (e.g., HTML5 Forms) | Handled on a Need Basis |
| Audit Logs | Activity-Based Logging | IAG: BTP Audit Log Service; GRC AC: Audit Logs (Bridge Scenario) |

It is recommended to conduct an SAP IDM assessment to evaluate the feasibility of migrating existing functionalities to SAP IAG, CIS, or GRC Access Control. This approach is particularly suitable for customers who primarily use SAP IDM for managing access in SAP systems, whether on-premise or in the cloud.