How to manage identities and access in SAP?

SAP offers multiple solutions to manage identity and access across its various solutions including its ERP, Supply Chain, Spend Management, HCM, CRM and other solutions. The solutions cover both legacy solutions such as ECC 6.0, BW, as well as newer solutions such as SAP S/4 HANA, Concur, Ariba, etc. SAP Identity Management (‘IdM’) used to be one of the SAP solutions in this space. However, SAP is now focussing on its SAP Cloud Identity Services.

This blog provides an overview of both of these solutions, explores the key differences between them, and offers advice on how to manage the upcoming deprecation of IdM.

SAP Identity Management

IdM focuses on overall identity governance and can integrate with SAP and non-SAP systems, providing centralized governance and automated workflows for user provisioning, de-provisioning, and role assignments. Some of its key features are as follows:

  1. User lifecycle management – business rules and policies drive assignment and maintenance of user access rights across multiple systems
  2. Access request – including workflow and approval
  3. Password management – self-service password reset and password synchronization across connected target systems
  4. Reporting – reports based on current access and past events

IdM supports Segregation of Duties (‘SoD’) management through integration with SAP Access Control. IdM can also support SAP cloud applications such as Ariba and Concur through integration with SAP Cloud Identity Services. IdM is separately licensed by SAP.

SAP Cloud Identity Services

SAP Cloud Identity Services is the central solution from SAP for managing authentication, identity lifecycle and authorization for SAP cloud systems such as Ariba, Concur, Business Technology Platform (‘BTP’), etc. It encompasses multiple services such as SAP Cloud Identity Authentication (‘IAS’), SAP Cloud Identity Provisioning (‘IPS’) and Authorization Management Service (‘AMS’).

IAS focuses on user authentication and provides secure authentication and Single Sign-On (‘SSO’), Multi-Factor Authentication (‘MFA’) and self-service password reset functionalities. It can be used to connect an existing corporate Identity Provider (‘IdP’) to the SAP application landscape. Users can authenticate either with IAS or with the third-party IdP and experience SSO.

IPS focuses on managing identity lifecycle processes with a central Identity Directory as the single source of truth for users of SAP cloud solutions. It can automate the provisioning of identities and their authorisations to various SAP solutions.

AMS assigns access centrally based on policies defined within SAP Cloud Identity Services.

There is no need to separately license the usage of SAP Cloud Identity Services when it is used with SAP cloud solutions (however, organizations need to pay if they want to use it with non-SAP solutions). It is automatically enabled as part of the product delivery process, and it allows organizations to have only one provisioning target for the SAP cloud landscape.

The figure below summarizes various components of SAP Cloud Identity Services.

SAP Cloud Identity Access Governance

SAP Cloud Identity Access Governance (‘IAG’) is another SAP solution, which integrates seamlessly into the broader SAP ecosystem, presenting a unified approach to governance and compliance initiatives. It focuses on access analysis, access request, access certification, privileged access management and role design for SAP solutions (on-prem, cloud or BTP). It can be thought of as a SaaS version of SAP’s on-prem Access Control solution (also referred to as SAP GRC Access Control).

IAG can be integrated with SAP Access Control on-prem solution (through IAG Bridge) or with third-party IGA solutions to manage access in SAP cloud systems.

How do the various SAP identity and access solutions integrate?

The figure below illustrates how these components work together.

SAP’s plan to deprecate IdM

As businesses increasingly move towards the cloud, SAP has been shifting its focus to cloud-based identity and access management solutions. This shift has led to SAP’s announcement that it will gradually deprecate IdM and encourage organizations to transition to the newer, cloud-centric SAP Cloud Identity Services.

IdM is approaching the end of its lifecycle, with mainstream support set to end in 2027, followed by extended maintenance until 2030, albeit at a higher cost. Post-2027, organizations relying on SAP IdM should transition to alternative solutions to maintain compliance, security, and operational efficiency. Microsoft and SAP are actively collaborating to develop guidance that enables customers to migrate from IdM to Microsoft Entra ID. Microsoft Entra ID offers a universal identity platform that provides employees, partners, and customers with a single identity to access applications and collaborate from any platform and device. In general, this architecture is illustrated below.

This work and partnership are in progress, and we expect more details about this collaboration in the future.

What does it mean to you?

It’s important to understand that IdM and SAP Cloud Identity Services are fundamentally different, and they serve different needs.

  • IdM is an on-premises solution primarily designed for managing identities and roles within traditional, on-prem SAP systems.
  • SAP Cloud Identity Services are built for cloud environments, offering authentication and user provisioning across cloud applications like SAP S/4HANA Cloud, SAP SuccessFactors, and others.

IdM should be thought of as a typical Identity Governance and Administration (‘IGA’) solution, comparable to SailPoint, Saviynt or One Identity, though not as comprehensive or modern. As organizations continue to move towards cloud-first strategies, IdM becomes increasingly incompatible with the demands of modern hybrid and cloud-based environments. This is one of the reasons it is being deprecated by SAP.

SAP Cloud Identity Services have limited features and cannot replace traditional IAM solutions.

Existing IdM solution

If you are already using IdM, this of course means that you will need to replace it. While SAP recommends Microsoft Entra ID, it may be worth shopping around and comparing other third-party IAM systems such as SailPoint, which provide more comprehensive and modern IAM capabilities. The figure below illustrates this option.

Existing third-party IAM solution and using SAP solutions

Given the cloud centric focus of SAP, it will be important to extend your IAM solution to SAP cloud solutions. You should consider integrating your IAM solution with SAP Cloud Identity Services for a more streamlined solution and user experience.

If you have not yet onboarded SAP into your IAM system because you find it very complex, read this blog, which talks about how to integrate SAP with SailPoint (the guidance is also useful for other IAM solutions). Of course, feel free to contact us for consulting if you need help.

Using SAP solutions and planning to implement IAM solution

You should evaluate and implement a good fit-for-purpose IAM solution and ensure that it is integrated with your SAP systems. If you use multiple SAP cloud solutions, the IAM solution should be integrated with SAP Cloud Identity Services.

Note: All figures are courtesy SAP.
