SAP Community - SAP Cloud Identity Access Governance

SAP Cloud Identity Access Governance (IAG) integration with Identity Authentication Service (IAS)

2023-06-17T16:48:16+02:00

In this blog I will go through the steps to Integrate IAG with IAS.

SAP Cloud Identity Access Governance is a cloud-based service for creating self-service requests to applications for on-premise and cloud source applications and systems. By connecting to the SAP Cloud Identity Access Governance solution, it enables Identity Authentication users to initiate access requests, which are then provisioned to target applications.

Prerequisite: IAG Administrator, IAS & IPS administrator or knowledge in IAS & IPS is preferred to do this setup.

Make sure you completed initial setup for IAG (IAS and IPS enablement) in IAG before following the below steps.

Process Overview

There are four overall steps to enable integration between Identity Authentication Service (SAP IAS) and the SAP Cloud Identity Access Governance solution and its services:

Connect Identity Provisioning with IAG

Create Proxy System for IAS In the IPS

Create an instance for Cloud Foundry in the IAG

Run the repository synch job to sync user data and provision access requests.

1.Connect Identity Provisioning with IAG

The following step is applicable for an Identity Provisioning bundle tenant was created or updated on the SAP Cloud Identity (SCI) platform for use with SAP Cloud Identity Access Governance.

The URL for Identity Provisioning is as follows:

https://UNIQUEID.accounts.ondemand.com/ips

Login to the IAS > User & Authorizations > Administrators > Add System user and provide the Access Proxy System API access. Note down the Client ID and Secret ( Once Secret is generated, you cannot retrieve or change it.)

Enter the Properties listed in the table below for the destination. All properties must be entered. Some properties must be added as Additional Properties. Copy the names of all properties as displayed. Property names and values are case sensitive.

Check the Use default JDK truststore checkbox.

Save your entries.You can test the destination in the BTP Cockpit. However, the URL does not point to a valid API for Identity Provisioning, and shows green status, but HTTP 301 or similar.

Name	IPS_PROXY
Type	HTTP
Description	IPS Destination
URL	https://<<YOUR_IPS_URL_BUT_WITHOUT_THE__ips>>; (For example: https://UNIQUEID.accounts.ondemand.com
Proxy Type	Internet
Authentication	BasicAuthentication
User	<<CLIENT_ID_FROM_STEP_1_ABOVE>>
Password	<< SECRET_FROM_STEP 1_ABOVE>>
Accept	application/scim+json
GROUPSURL	/Groups
serviceURL	/ipsproxy/service/api/v1/scim/
USERSURL	/Users

2.Create Proxy System for IAS In the IPS

Need to create a proxy system to enable Identity authentication service to connect with the IAG Subaccount. Before creating proxy system, please set up the technical user (of type System) in Identity Authentication and assign this user the necessary authorizations.

2.1) How to create a technical user in IAS?

In SAP Cloud Identity Services admin console, navigate to Users & Authorizations > Administrators.

Add an administrator user of type System and configure the basic authentication method for this user.

Please note down the Client Id, Secret from the system user once it created.

2.2) Create a Proxy System

Open your Identity Provisioning Launchpad.

Copy the external system ID and use it to set up the Cloud Foundry instance in the Systems app.

Add a proxy system for IAS and choose Save. The Type should be Identity Authentication

Type Identity Authentication

System Name <Free text>

Destination Name

Description <Free text>


Type	Identity Authentication
System Name	<Free text>
Destination Name
Description	<Free text>

Enter the Properties as shown in below table

Type=HTTP

Authentication=BasicAuthentication

ProxyType=Internet

URL= Specify the URL of the Identity Authentication tenant of your company.

For example: https://mytenant.accounts.ondemand.com

User=<<CLIENT_ID_FROM_STEP_2.1_ABOVE>>

Password=<< SECRET_FROM_STEP 2.1_ABOVE>>

ias.api.version=2

ias.support.patch.operation=true

ips.trace.failed.entity.content=false

3.Create an instance for IAS in the IAG

Log into the SAP Cloud Identity Access Governance launchpad and open the Application app.

Create a system for IAS. For System Type, select IAS.

Enter the external system ID mentioned in step 2.2 in the section Create Proxy system and Save.

4.Run the repository synch job to sync user data and provision access requests.

In the SAP Cloud Identity Access Governance launchpad, open the Job Scheduler app. In the Job Category dropdown list, schedule the following jobs:

Repository Sync to synchronize the relevant data from Identity Authentication.

In the System Type dropdown list, select Identity Authentication V2.

In the System dropdown list, select the configured Identity Authentication V2 system.

Note:

If you are using IAG Standard edition and users are maintained in the IAS group IAG_WF_MANAGER, then they can be selected as managers in the access request.

But if a user’s manager is directly maintained in ‘Employee Information’ – ‘Manager’, then it is not automatically retrieved in the access request.

Example: The user TESTUSER has user MANAGER maintained as a manager. But MANAGERis not automatically populated in the access request in manager field.

If managers are assigned manually to users in IAS, IAS needs to be set as User Source in IAG and the repository sync job needs to be run against IAS for retrieving user information such as email address, employee's manager..Please follow the below steps to make IAS as user source

Maintain IAS system in IAG in System app.

Open the Configuration app and in Application Parameters, enter the IAS system under the Parameter Value for the UserSource.

Run the repository sync against IAS

Run the SCI User group sync

Conclusion

These steps complete the Integration of IAS with IAG. Please check the help.sap.com for SAP Cloud Identity Access Governance for more detailed document on how to integrate IAS with IAG

References

SAP Documentation for IAS integration with IAG

Proxy Settings for IAS

Manager from IAS not populated in Access Request

Note: Please share your feedback or thoughts in a comment below or ask questions in the Q&A tag area here about SAP Cloud Identity Access Governance.

3 Ways CFOs can Capitalize on AI in Finance

2023-07-07T00:18:56+02:00

Over the past few years, CFOs have been challenged like never before to manage costs through supply chain constraints, inventory issues, inflation, currency fluctuation, regulations and more. They're often relied upon to identify where costs can be optimized, resources re-allocated, and margins protected to be prepared to capitalize on new market opportunities. CFO’s are also increasingly enlisted in sustainability efforts, such as the green ledger.

Consequently, CFOs are looking for innovative technology to free their teams from routine tasks and arm them with greater foresight and control to increase productivity.

We are here to help CFO’s with our unique approach to AI.

At SAP, we deliver AI that is built into the SAP applications that power your most critical business processes. It works for your entire business because it is developed using extensive industry-specific data and deep process knowledge. Organizations can use it with confidence as it is created using responsible AI practices. In essence, SAP AI is AI built for business.

How to Turn AI Potential into Reality for Finance Departments

With AI-powered insights, recommendations, and automation built into your SAP applications, you can reap the rewards of AI by simply activating intelligent capabilities inside your existing applications. In a nutshell, you take advantage of AI that is designed to work with your data and business processes from the get-go.

Benefits of AI in Finance

For example, you can use AI to automate tedious tasks such as inputting invoices, tracking receivables, and logging payment transactions without requiring constant manual rule updates. AI can help you evaluate new business opportunities by enabling you to use scenario-based, iterative planning and forecasting in real time. Plus, you can leverage AI to proactively enforce policies and data quality standards, lowering your data disclosure risks and simplifying compliance. You can also use powerful predictive analytics models to devise payment and collection strategies. Plus, AI-powered business integrity screening and access governance further enhance your security and compliance.

Let’s look in more detail at three ways CFOs can quickly capitalize on AI with SAP.

1. Grow Efficiency with AI-infused Business Processes

Leveraging business AI embedded in your finance applications can dramatically increase the productivity of your finance teams. Take the example of Accenture. The company issues more than half a million client-facing invoices each year from 200 locations globally - and that volume is projected to increase exponentially every five years. By leveraging intelligence built into SAP Cash Application and SAP S/4HANA Cloud, the company can match invoices and payments faster, with fewer errors, and has increased its automatic clearing rate by more than 24%.

Connecting AI to your business processes maximizes the value of your digitalization investments because automation and predictions can take advantage of transactional data and the business context in which that data is used. For example, when an accountant creates a journal entry, the AI capabilities in SAP S/4HANA Cloud can automatically retrieve pertinent information, such cost centers or profit centers, to fill in mandatory fields, speeding up data entry and avoiding errors.

A close connection between AI and business processes can also ensure that AI-based predictions and recommendations remain accurate over time. When AI capabilities are embedded into business processes, algorithms can more easily recognize changing business patterns, learn from human exception handling, and recommend retraining when performance can improve. Since AI algorithms automatically learn from past experiences, you no longer need to manually update obsolete rules to get accurate automation and insights.

SAP Cash Application in SAP S/4HANA reduces manual post-processing of incoming bank statements by applying machine learning to match open receivables to incoming bank statement items, and to intelligently extract relevant information from payment advice documents and use them for the matching and clearing process.

2. Enable Business Foresight with AI-powered Predictive Insights

Increasingly our customers want to steer business strategy based on forward-looking insights. AI-powered insights capture and adjust to business events as they happen, helping your organization become more proactive.

For example, with business AI in SAP S/4HANA Cloud and SAP Analytics Cloud, treasury departments can anticipate future liquidity needs to make timely investment decisions. You take advantage of predictive analytics that help you mitigate liquidity risks by leveraging operating activities, such as invoice payment dates, historical transactional data trends, and external market data. The resulting insights improve the accuracy of mid-to-long-term liquidity forecasts and help you optimize investments despite high market volatility and changing business patterns.

3. Enhance Security and Compliance with AI-powered policy enforcement

We all know that finance processes and reporting must align with growing industry, government, and tax regulations. And, with today's stringent privacy requirements, it is equally important to preserve data privacy and protect data access.

For example, business AI embedded in SAP governance, compliance, and risk management solutions can detect errors as financial transactions are processed and propose remedies based on past successful interventions. And system administrators can leverage AI in SAP Cloud Identity Access Governance to define fine-grained access rights that factor in users’ roles and functional responsibilities, improving productivity and mitigating compliance risks.

To learn more about leveraging SAP AI in your finance department, visit the Finance with SAP AI page on sap.com and read our latest report.

SAP IAG vs Access Control: Which one is right for me?

2023-07-10T12:26:11+02:00

SAP GRC framework has a new buzzword - IAG, or Identity and Access Governance. Many of us have heard about this for the past couple of years, but are unsure of its capabilities. The purpose of this blog is to explain what IAG is and how it differs from Access Control solution. There are even answers to a few frequently asked questions in it.

The SAP Cloud IAG service was introduced in 2018/19 as a public cloud offering from SAP. This application is based on SAP Business Technology Platform (SAP BTP), and uses SAP NetWeaver APIs to fetch data from on-premise and cloud solutions. IAG offers the following services:

SAP Cloud IAG - Access Analysis Service (Similar to Access Risk Analysis)

SAP Cloud IAG - Access Request Service (Similar to Access Request Management)

SAP Cloud IAG - Role Design Service (Similar to Business Role Management)

SAP Cloud IAG - Access Certification Service (Similar to Access Re-certification)

SAP Cloud IAG - Privileged Access Management service (Similar to Emergency Access Management)

Q) What is the difference between IAG and Access Control when both provide the same services?

While both the solutions offer the same services, the difference is that IAG is completely that it is on Public Cloud. It is not available either as on-premise or Private cloud solution. The below table lists few of the differences between IAG and Access Control:

Table 1.0: Differences between Cloud IAG and Access Control

Q) Is IAG a replacement to SAP GRC Access Control?

As detailed by Thomas Frenehard in his GRC Tuesdays blog, SAP is releasing a new version of its GRC platform: SAP GRC edition for SAP HANA. This product is planned for release in Q1 2026 and will replace SAP's existing platform of v12.0 that includes SAP GRC Access Control, Process Control, and Risk Management. Clearly, IAG is not intended to replace GRC Access Control, but could serve as a complementary solution to those who prefer cloud-based access control.

Q) In the event that I have on-premise Access Control, how do I connect to Cloud systems such as Ariba, SAC, Success Factors? Are they limited to the IAG Cloud?

Actually, you still have options! You can utilize the IAG Bridge scenario to establish a connection between the SAP Access Control 12.0 on-premise system and cloud applications. In the case of Cloud IAG, it provides support for both cloud and on-premise applications. In terms of licensing, you don’t have to have extra licenses for Access Control.

Q) What are the limitations in Cloud IAG where compared to Access Control with respective to Access Risk Analysis and management?

The Cloud IAG has evolved continuously since its inception. There are, however, some limitations to it. Here are some differences/limitations:

Table 2.0 - Risk Analysis Management Limitations in Cloud IAG

Q) What is IAG Bridge scenario?

The IAG Bridge scenario is used when the Access Control 12.0 system needs to establish a connection with cloud systems like Ariba, SuccessFactors, and others. In this scenario, both solutions are necessary, with the majority of activities being performed in Access Control. The role of IAG is primarily to facilitate the connection between Access Control and the cloud systems. Its purpose is to enable seamless communication and integration between the on-premise Access Control system and the various cloud applications.

Q) Which is the best option? Cloud IAG or Access Control?

Directly comparing solutions is not a straightforward and recommended approach. Each solution has its own set of advantages and disadvantages. When selecting a solution, it is crucial to consider an organization's specific requirements and priorities. What works well for one enterprise may not necessarily be suitable for another. Therefore, it is vital to thoroughly assess and validate an organization's needs before making a product choice. By taking this approach, organizations can make informed decisions that align with their unique circumstances.

In conclusion, SAP IAG and SAP Access Control are two powerful solutions offered by SAP to address the critical challenges of identity and access management. Understanding their features, benefits, and differences can help organizations make informed decisions while designing their SAP security strategies. By implementing the right solution, organizations can enhance their data security, streamline access management processes, and ensure compliance with regulatory standards.

Access Request Service Configuration in SAP IAG for Target SAP S4Hana Private Cloud

2023-08-26T13:12:52+02:00

SAP Cloud Identity Access Governance (often referred to as SAP IAG) is a cloud service from SAP Business Technology Platform (BTP). It offers similar functionality as SAP Access Control (SAP GRC).

SAP Cloud Identity Access Governance offers Software as a Service (SaaS), which enables companies to comprise several distinct identity management and access governance capabilities .

SAP Cloud IAG offers five core services:

Access Analysis

Role Design

Access Request

Access Certification

Privileged Access Management

In this Blog I will explain how Access Request Service is configured in SAP Identity access and governance and SAP user access request can be raised for SAP S4Hana Private Cloud.

Make Sure SAP IAS (Identity Authentication Service) and IPS (Identity Provision Service) initial setup has been completed.

Below are the steps for configuring the Access Request Service: -

S4Hana Private Cloud System integration with SAP IAG.

Responsibilities are defined with proper Authorizaiton

IPS Proxy System is enabled between SAP IAG and SAP IAS.

Workflow Setup

Business Rules Activation and deploy.

Upload Notification template.

Access Request Priority are maintained.

Access Request Reason codes are maintained.

Architecture Overview

1.S4Hana Private Cloud System integration with SAP IAG.

For integration, please perform below steps: -

Cloud Connector Setup. Like S4Hana On Premise – S4Hana Private cloud will connect SAP Cloud Identity Access Governance through the Cloud Connector.

Create Destination for the S4Hana Private Cloud System in the SAP Cloud Identity Access Governance Subaccount

Create an Application Instance for SAP S4Hana Private Cloud System in SAP Cloud Identity Access Governance Fiori Launchpad.

After above configuration Run Repository Sync to sync all relevant data from the SAP S4Hana private cloud target system to SAP Cloud Identity Access Governance, which can be applied in access request service.

in SAP IAG , for S4hana Private Cloud system – Application Type will be “S4Hana on – Premise”.

Responsibilities are defined with proper Authorizaiton.

Predefined role collections are deployed with the SAP Cloud Identity Access Governance service. These role collections ensure that users can access and use specific apps that are relevant for their job function and their dedicated tasks.

Role collections are not directly assigned to users in the SAP BTP cockpit. Instead, users in Identity Authentication (IAS) are assigned to groups. These groups are mapped with SAP BTP role collections.

The required steps are the following:

Create user groups in Identity Authentication and assign users to them.

Map role collections in the SAP BTP Cockpit to the created user groups.

Synchronize user groups information between the Identity Authentication and SAP Cloud Identity Access Governance subaccount.

The following groups are required in SAP IAS. The SAP Cloud Identity Access Governance services look for these specific groups. Make sure you create them with the names listed below with the same case. The name is case sensitive.

When you create these groups, you must follow this naming convention: IAG_<TYPE>_<NAME>

Role collection in BTP is mapped with these groups for proper authorization in Identity authentication Tenant. Before that Set Identity Authentication as a trusted identity provider.

To ensure user groups information is synchronized between the Identity Authentication service tenant and the tenant for SAP Cloud Identity Access Governance on SAP Business Technology Platform (SAP BTP), you must maintain the required system in Identity Authentication and the destination in the tenant for SAP Cloud Identity Access Governance in SAP BTP and then run the SCI User Group Sync job in the Job Scheduler app.

IPS Proxy is enabled between SAP IAG and SAP IAS.

To Create an access request for a new user id in target application, user should be present in SAP IAG user source. We have made SAP IAS as user source, for this we must create a proxy system and map that proxy system in SAP IAG.

Map Proxy system in SAP IAG: -

Navigate to Administration - Applications

Map User Source as IAS system Navigate to Administration – Configuration – Application Parameter and maintain user source as IAS system created in above step.

4.Workflow Setup: -

There is no configuration required for the workflow. For all workflow-related actions, you need to make use of pre-delivered workflow templates. You require these templates to create access requests.

The SAP Identity Access Governance solution pre-delivers both the workflow and notification templates. If this has not been the case, create a support ticket using the GRC-IAG component and request those templates.

You can find the uploaded workflow templates in the Maintain Workflow Template app. Use one of these template.

5.Business Rules Activation and deploy.

SAP Business Rules service is used to define the stages, paths, and other workflow rules used by Access Request service to move the request items through the stages of an access request.

SAP Cloud Identity Access Governance offers pre-delivered business rules. To access these rules, create a support ticket. To do so, select the component GRC-IAG.

To access business rules, navigate to Administration → Configuration Go to Business Rule and choose Launch. The Business Rule editor opens.

Navigate to Rules and select RequestTypeRule in the Local Rules section. For this rule, workflow paths have been defined.

You must ensure that this minimum setup is in place, at least you need a mapping entry for request type "CHANGE". That is the mandatory entry for all created access requests (for all non-PAMID related requests)

Finally, the business rules need to be activated and the new workflow version needs to be deployed.

6.Upload Notification Template: -

Click on the Template Upload tile.

In the Notification section click on the Download button for the Standard Template.

Click on the Browse button and select the zip file you downloaded for the Template Archive.

Click on the Upload Button.

7.Access Request Priority are maintained.

Access Request Priority are defined. Navigate to Administration → Access Request Priority.

8.Access Request Reason codes are maintained.

Access Request Reason are defined. Navigate to Administration → Request Reason.

After the above configuration are successfully performed, you can start raising your access request in SAP IAG to create users in S4Hana Private cloud system.

Please note: - You have to schedule Provisioning job to trigger the provisioning of SAP Cloud Identity Access Governance access request in Target S4Hana Private cloud system.

Conclusion:

In Rise with SAP Solution – Customer are opting for cloud based IAG solution as a replacement for GRC On premise solution. This blog post provides a high-level step for configuring Access Request service in SAP Cloud Identity Access Governance.

I hope this blog post helps you during your Access Service Configuration. We look forward to your comments and feedback.

References: -

Mapping Role Collections to Identity Authentication | SAP Help Portal

Identity Authentication | SAP Help Portal

Unleashing the Power of Cloud: A Fun Guide to Automating User Administration - SAP Best Practices Identity Lifecycle Service (IDLS) for SAP Cloud Identity Services (SCI)

2023-09-05T16:16:38+02:00

Why You Should Jump On Board!

Picture this: You're using SAP Cloud Identity Services (SCI), but there's a hitch. You can't whip out your magic wand and conjure up some custom logic for any event in the Identity Directory Service (IDDS). What a downer, right?

Well, wipe that frown away! The SAP Best Practices Identity Lifecycle Service (IDLS) is here to save the day. It's like your personal superhero, giving you the power to inject your own custom wizardry into the SCI. Whether there's a tiny tweak or a mammoth modification in the IDDS, IDLS is ready to execute your custom logic, written in the language of the internet - JavaScript!

Three Fabulous Feats You Can Perform:

Abra-cadabra! Change a name and the email address recalculates automatically!

Have a new hire? Or a sudden termination? No worries! Activate or deactivate identities based on data in the IDDS.

Organize a coup! Automatically assign groups based on juicy info like cost center.

How This Magic Works:

IDLS acts like a busy bee, frequently buzzing around the IDDS to gather user information. You decide how often it buzzes.

Detects any changes in the user data and neatly stacks them up in a queue in the Event Mesh service.

Voila! It executes your custom logic.

Writes back the modification into the IDDS, like a diligent scribe.

The service comes with a treasure chest of predefined JavaScript functions. It's nostalgia-inducing, just like good old SAP IdM. Use these to perform certain operations inside IDDS.

Peek Into A Sample Spellbook:

Here's a sneak peek at a script that covers two of the scenarios mentioned above: Recalculating an email address (including checking for uniqueness) and assigning a group based on the user's cost center.

function eventTriggered(value, event) {

    if (event.getValue() == "Changed") {

        if (value instanceof Java.type("com.sap.openapi.idds.model.User")) {

            let changesMap = new Map(Object.entries(JSON.parse(changes)));

            changesMap.forEach((valueAttr, key) => {

                print(`Changes: ${value.getUserName()} : ${key} `); 

                if (key == 'familyName' || key == 'givenName') {

                    handleUserNameChanged(value);

                }



                if (key == 'costCenter') {

                    addUserToGroupByCC(value);

                }

            });

            utils.patchValues('user', value);

        }

    }

}





function handleUserNameChanged(user) {

    let name = user.getName();

    var familyName = name.getFamilyName();

    var givenName = name.getGivenName();

    var emailList = [];

    var email = `${givenName}.${familyName}@company.com`;

    email = deleteUmlauts(email);

    var index = 1;

    while (utils.getValueByEntry("email", email)) {

        email = `${givenName}.${familyName}${index}@company.com`;

        index++;

    }

    user.getEmails().forEach(element => {

        element.setValue(email);

        element.display(email);

        element.setPrimary(true);

        element.setType(utils.getEmailType('work'));

        emailList.push(element);

    });

    print(emailList);

    user.setEmails(emailList);

    user.setUserName(email);

}



function addUserToGroupByCC(user) {

    if (user.isActive()) {

        var listGroups = utils.getGroups();

        listGroups.forEach((group) => {

            let name = group.getGroupExentsion().getName();

            print(`Cost Center Name: ${name}`);

            if(name.indexOf("_") > -1) {

                let cc_number = name.substring(name.indexOf("_") + 1)

                print(`Cost Center Number: ${name}`);

                if (cc_number == (user.getEnterpriseUser().getCostCenter())) {

                    utils.addUserToGroup(user.getId(), group.getId());

                }

            }

        });

    }   

}



function deleteUmlauts(value) {

    value = value.replace(/\u00e4/g, "ae");

    value = value.replace(/\u00fc/g, "ue");

    value = value.replace(/\u00f6/g, "oe");

    value = value.replace(/\u00df/g, "ss");

    value = value.replace(/\u00dc/g, "Ue");

    value = value.replace(/\u00c4/g, "Ae");

    value = value.replace(/\u00d6/g, "Oe");

    return value;

}

The function "eventTriggered" is like the red carpet rolled out for every modification the IDSL detects. This function sorts out the modifications ("Created", "Changed", "Deleted") and provides all the juicy details related to the event (like the modified name). This function is your VIP pass into the IDSL.

The functions "handleUserNameChanged" and "addUserToGroupByCC" jump into action when the name or cost center are tweaked, and perform the necessary operations. Think of them as your trusty sidekicks, ready to perform more feats as you add them.

So, buckle up and get ready to automate your user administration in the Cloud with SAP's IDLS!

Predefined Script Functions

This is a list of the predefined script functions available as of now:

patchValues

Input Parameters:<entryType>,<JSONEntry>

Updating the entry in the IDDS

getValueByEntry

Input Parameters: <searchAttribute>,<searchValue>

Return Value: Boolean (true if entry was found in the IDDS)

Search for an entry in IDDS by attribute name and value

addUserToGroup

Input Parameters: <userScimId>,<groupScimId>

Adding a user as member of a group inside the IDDS

deleteUserFromGroup

Input Parameters: <userScimId>,<groupScimId>

Removing a user as member from a group inside the IDDS

deleteUser

InputParameters: <userScimId>

Delete a user form IDDS

deleteGroup

InputParameters: <groupScimId>

Delete a group form IDDS

getGroups

Returning a List of all groups inside the IDDS

Prerequisites

The following BTP Services are required to be available to be able to use this SAP Best Practices Service:

SAP Cloud Identity Services

SAP Cloud Foundry Runtime Environment

SAP Event Mesh Service

SAP Object Store Service

The Inside Scoop

If your curiosity is piqued and you're itching to know more about this service and how to roll it out, don't be shy! Reach out to me directly or shoot an email to security.consulting@sap.com. We're all ears!

How to handle “usernames”, “Global User IDs” and “external IDs” in your landscape?

2023-09-12T14:41:17+02:00

When it comes to setting up Identity Access Management (IAM) flows, we are often asked for best practices regarding usernames, Global User Ids and external ids. This blog post explains exactly this so let's crack it !

In a nutshell, it is safe to say that it is good practice to avoid sensitive data when choosing a policy for usernames and IDs.

Here are some example of what sensitive data means:

credit card information,

user session identifiers,

customer data,

personal data / employee data.

The data type which is mainly processed in IAM context is personal data.

IAM admins might feel tempted to choose personal data derivations for usernames, Global User IDs and external IDs. This is bad practice.

Usernames, Global User IDs or external IDs appear in log files and other traces. DevOps who have access and authorisations to such log files might see personal data that they are otherwise not allowed to (need-to-know principle).

Furthermore if you use personal data in these attributes, the changes to values might not be applied, because the effort to keep track of audit-trails in log files would be too high. Keeping a history of multiple username- or external-ID-values over time (log files are read-only) is expensive. Some applications do not allow an ID change at all, which adds up complexity in the processes.

What is the difference between these attributes and when to use them?

The username is a mutable attribute which can be used for login hints like an email address, but which is also often distributed into applications.

Best described in the SCIM2 RFC7643 a username is the service provider's unique identifier for the user, typically used by the user to directly authenticate to the service provider. Often displayed to the user as their unique identifier within the system (as opposed to "id" or "externalId", which are generally opaque and not user-friendly identifiers).

Imagine your user is provisioned in various target applications and for business purposes (such as workflows), the same user must be uniquely identified between them. In this case, one needs a correlation attribute. We in SAP call it the Global User ID.

Also, in case the application requires data from another systems, it fetches it based on a mapping done via this correlation attribute.

The externalID is also described in the SCIM2 RFC7643 - it is mutable, defined by the client (and not the server) and optional within SCIM2.

The email attribute is often used in cloud services as login-name, as notification attribute and sometimes also as userID. Emails frequently contain personal data. The email is mutable and changes more often than we think. Name changes happen for several reasons but also domain changes in case of company changes. The email is easy to remember as login name and indicates the notification channel, but it creates headaches regarding Security, Data Protection and Privacy if the app doesn't have other ways to identify the person at hand.

Best practices:

Generated usernames / IDs are better than manually assigned ones.
First and foremost, admins should differentiate between the processes where the attributes are used. It is common to use personal data derived attributes (such as email or a human-friendly username) as logon aliases at the authenticating Identity Provider (IdP). On the other hand, for technical integrations which are not visible to the end user (such as SAML/OIDC flows or SCIM based replication), generate unique values without personal data as usernames, external IDs or Global User ID. Consider uuid formats because uuids are, for practical purposes, unique. Their uniqueness does not depend on a central registration authority and uuid does not contain derived personal data.

The usage of immutable IDs (referencing to mutable information) for the entire Identity Lifecycle.
During the Identity Lifecycle, attributes such as lastname and email change. With stable identity identifiers the system to system communication continues without disruptions. The SAP Cloud Identity Services automatically generate the SCIM ID and Global User Id in uuid format for each record (The Global User Id is technically defined as mutable but there are rare reasons to change it during normal operations).

Avoid the usage of IDs in User Interfaces (UI).
In the User Interface the technical identifiers should be replaced with human-friendly attributes. No one likes to be greeted in the morning with a Hello 0ae23960-721d-453c-8b1f-12eab5494e93!. Instead, what is being displayed in UIs or in self service portals should be a personal data attribute like the Displayname or firstname (belonging to the identity having this uuid). At the same time, DevOps engineers can observe in monitoring tools the successful authentication of a user based on the uuid value (or a username / external ID) without seeing any personal data.

You can find more details in the links bellow:

SAP Cloud Identity Services (incl. IAM recommendations)

Global User ID concept

The Added Value of a CDP (Part 2)

2023-10-27T20:10:13+02:00

A Deeper Analysis of the Benefits of a Customer Data Platform

By Peter Gergen, Solution Architect CX

A Customer Data Platform (CDP) offers companies a wide range of benefits when it comes to using and managing their customer information. It enables extensive insights into customer behavior, personalized customer journeys, improved data quality and data integrity, automated marketing processes, and real-time interaction over a variety of channels. A CDP optimizes marketing strategies, improves customer satisfaction, and increases sales.

I will be examining the decisive differences between “traditional” decentralized handling of customer information and managing this information in a Customer Data Platform (CDP). I will highlight the many ways that a CDP adds value in the effective use and management of customer information. I will split my assessment into three posts, to facilitate a comprehensive examination. In the first part, I discussed the aspects of centralized data storage. In this second post, I will be examining the benefits provided by the customer-centric focus in the CDP in more detail.

Customer-Centric Focus

The term “customer experience” (CX) plays a key role in many current initiatives for generating new business, as well as for maintaining and deepening business relationships with existing customers. But what exactly is this “experience” about?

To get to the bottom of this aspect, we need to change our perspective. This means companies have to temporarily give up their familiar perspective and instead put themselves in the place of a customer who is interacting with their company. This change of perspective often reveals deficits and deficiencies in the processes that have to be rectified.

Customer Use Cases

Use cases make it possible to take on the customer’s perspective. To do so, an exemplary process involving interaction with the company is examined from the customer perspective, with all its individual steps. This approach enables you to capture improvements in both service offerings and activities to increase customer satisfaction. Complex, time-intensive process steps that can be burdensome for the customer can be reduced, while new, innovative measures can be tested.

Planning improvements to the customer experience begins with outlining the use cases from the customer’s perspective

A number of different starting points are important to a successful customer experience. Examples:

As soon as a customer registers, their customer information is immediately distributed to all relevant channels. Negative example: It is extremely detrimental when a customer has to register, log in, and define their preferences and interests again during every interaction and over every channel.

Based on a customer’s declarations of consent, their information may only be passed on to the channels for which the customer has explicitly granted their consent. If the customer agrees to the processing of their information in accordance with the company’s general terms and conditions, but rejects marketing-related activities, then every advertising activity that is carried out represents a violation of the customer’s expressed wishes – and a breach of the General Data Protection Regulation.

Take this drastic example of a completely failed customer experience: A customer opens a support ticket for a product and faces a complex repair. Their sales contact is not notified of this support case, however, and instead suggests a repeat purchase of the product, combined with a price increase. The fact that the customer has already searched for the conditions under which the contract can be canceled is hidden in the log files on the web server in the best case. This information is not taken into account in dealings with the customer.

In all three scenarios, a CDP can help to prevent this misguided handling of the customer. This is built on a foundation of targeted interchange of customer information and activities, compliant with data protection regulations, between the source and target systems (such as website, purchasing portal, support and service system, and CRM), all facilitated by the CDP.

Whether a CDP implementation is successful depends mainly on meticulous execution, especially of a company’s most important use cases for its customers.

The Customer Journey

The customer journey describes the full path that a customer takes from their first contact with a company until the fulfillment of their needs – and potential repeat purchases. It passes various milestones, such as the ones described in the following example:

An anonymous user who has contact with a company for the first time and is interested in its products or services

A potential customer who has already given the company their contact information, such as an email address, to subscribe to a newsletter, for instance

A registered potential customer who has defined their full contact information, preferences, and consent options and has already interacted with the company through a variety of communication channels, including buying products

A regular customer who is known to the company in all their facets and has a dedicated contact person, including discounts and exclusive service offerings

The primary objective of every company is to guide customers through this journey from the beginning and give them the custom-tailored information they need at every milestone to convert a potential customer from unknown user to regular customer.

The aim of the customer journey is to guide the customer from prospect to regular customer. A successful customer experience plays a key role in this conversion

But let’s start at the beginning. The customer journey can start long before a prospect is even aware of the company. Targeted “lookalike” campaigns can be launched on social media, such as Instagram, to address specific target audiences on these platforms who could potentially be relevant for our company. If an anonymous prospect visits the company’s website to find out about its product range, their click patterns provide important insights about the parts of the product range they are interested in. The company can then issue a targeted response by making these products the focus of the user’s attention.

The customer journey continues when the anonymous user shows interest by subscribing to a newsletter and provides their contact information, such as an email address. This creates the first, loose connection with the company, which the marketing department can identify and use. In this process, the available information such as the user’s click patterns and dwell time on specific products is taken into account, so the newsletter can be generated for the user in a targeted way.

The customer’s journey toward the company continues. Every touchpoint on the customer journey marks important milestones as the customer is converted from an anonymous prospect to a loyal repeat customer. A CDP collects and structures customer information and activities from different source systems, to create profiles in categories, segments, and target groups. This information is then made available to the relevant channels. At the start of the customer journey, the marketing system plays a key role in exchanging information with the customer, while the company’s contact persons and the CRM system become increasingly more important as the journey to becoming a regular customer continues.

Are you still with me? If so, let’s continue with the last item: the aspect of data security, privacy, and data protection regulations.

Data Security, Privacy, and Data Protection Regulations

If a customer is willing to give your company their contact information and grants their consent to recording their activities and interactions and use them to improve their customer experience, this is an important signal of trust – one that you should not treat lightly as a company. Of course, it isn’t possible to discuss these topics individually with every customer, down to the smallest detail. Therefore, basic formalities that the customer can consent to (or reject) are defined ahead of time.

The subject of data security and data privacy is divided into three areas:

Data collection: Every time a potential customer registers, they step out of their anonymity and reveal their identity. In this process, they define how they want to be kept up to date and which guidelines the company must observe with regard to their data.

Data storage and processing: The company is obliged to process the customer’s information exclusively for the stated purposes and in accordance with the consent granted by that customer. If a consent has not been granted, the company must take this into account and may not use the information for the affected purpose, even if it is available. Furthermore, it is the company’s obligation to take all measures needed to ensure that the data is stored securely and inaccessible to unauthorized third parties. It is also very important for the customer to have the ability to change their own information and that there is no way for third parties to manipulate this information.

Data erasure and profile removal: The “right to be forgotten” gives individuals the option to demand that companies erase their personal data. It empowers them to control their digital presence and remove information that they deem to be irrelevant, outdated, or inappropriate from the public sphere. The right to be forgotten is intended to strengthen privacy protections and the right to informational self-determination. It obliges companies to review requests from data subjects and, if necessary, erase or anonymize the requested information.

These aspects are not only simple demands that customers can make of companies; they are firmly embedded in the corresponding data protection regulations. The European General Data Protection Regulation (GDPR) is the strictest data protection regime in the world. The regulation was passed by the European Union and came into force on May 25, 2018. All European companies are obliged to comply with the requirements of the GDPR.

Trusted customer relationships demand clear data protection agreements

A CDP plays a key role in the collection, analysis, and transfer of customer information. Therefore, it is highly important for data protection policies to be an inherent part of CDP processes. How this “data governance” is implemented in the CDP is dependent on both the system manufacturer and the configuration of the processes.

Regretfully, a more detailed explanation of this topic would be too long here, so I’ll ask you to consult the relevant literature for the time being. I will tackle this topic in a future blog post.

Summary and Outlook

A CDP gives customers decisive benefits with regard to the customer experience. An analysis of the use cases that examines interactions between a customer and the company reveals weak points and obstacles in the customer experience. When a CDP is implemented, the customer’s experiences and activities from these use cases are merged and evaluated in a comprehensive customer profile.

The CDP also represents a powerful tool for supporting the conversion of anonymous users into regular customer. To do so, the CDP defines precise phases of this conversion and then carries out automated processes to increase customer retention based on these phases.

Last but not least, a CDP supports comprehensive data governance and compliance with the General Data Protection Regulation (GDPR). It facilitates centralized data control, transparency in data collection and use, and the implementation of security mechanisms such as encryption and access controls. The CDP supports the erasure and anonymization of information in accordance with the “right to be forgotten”, as well as the management of consent and customer preferences. With these activities, the CDP supports compliance with data protection regulations, strengthens the trust of customers, and minimizes breaches of data protection.

All of these benefits help companies to improve customer satisfaction, boost conversion rates, and build long-term customer relationships. In the third and final part of my observations of the benefits of a Customer Data Platform in the context of customer data, I’ll be focusing on internal data analytics within the CDP. In the process, I will be examining how a CDP supports the company in creating a more precise customer journey, while at the same time capturing added value such as improved customer loyalty and increased sales.

More about SAP CDP:

Customer Data Platform: The Core Element for Customer Information

The Real 360° Customer View – SAP Customer Data Platform in Action

The Added Value of a CDP (Part 1) – Central Data Store

The Added Value of a CDP (Part 2) – Customer-Centric Focus

The Added Value of a CDP (Part 3) – Data Analytics, Customer Segmentation, and Audience-Building

Data Governance and Compliance in CDP

Unlocking Value in CX Development: The Way to the Perfect Set of Use Cases

Unleashing Customer Insights: SAP CDP for Insurance Companies

Unleashing Customer Insights: SAP CDP for Retail

An Architectural Look at Integrations with SAP CDP

Open in all directions: SAP CDP and the integration of source and target systems

Real-time … Really?

Monitoring the remote access from SAP on application-level (Part 3.8)

2023-11-03T10:56:02+01:00

Background

In a cloud environment (Software-as-a-Service), the software is usually not maintained by the customer, but by the software/cloud provider.

Control description

Remote access to the SAP S/4HANA Cloud system for e.g. incident management or software maintenance by the SAP vendor is restricted, approved by management, and removed in a timely manner. Access to the SAP Support IDs is appropriately controlled when IDs are not in use.

Population

Application 'Display Technical Users' displays all technical users from SAP that are available in the customer system and the related SAP support request logs. Using the Incident ID, it is possible to display more information about when and why SAP Support Users requested a user for a customer system in the past twelve months:

Note 1: Column “Customer User” displays if SAP user used authorizations from a customer user.

Note 2: Access with the _SAPxxx users is only possible via special URLs, which are not reachable outside of SAP, therefore customers cannot access those technical user accounts.

Note 3: Technical users are only used on SAP side for defined activities. SAP Support User can only request a user if there is a valid and open customer ticket in place. It is not possible to bypass this process.

Using the Security Audit Log (SAL), the last log-on of the SAP technical users can be monitored. The SAL is per default activated in the SAP S/4HANA cloud system (for details please read blog post part 2 “SAP S/4HANA Cloud, public edition – Secure by Default”).

After the auditor has determined whether SAP employees had access to the productive customer system in the audited period, it should be evaluated, if the access to the SAP user accounts was reviewed by the customer timely after the fix / maintenance was completed.

Note: There is no explicit approval by the customer after SAP did a change in the productive system. This is done implicitly when opening a customer ticket to SAP. The review of the activities by the customer is solely a customer internal process to ensure, that only authorized and appropriate changes were conducted and that the impact on the Internal Control System is evaluated.

The access of SAP users to customer productive systems in case of e.g. incidents in also covered in the SOC1 type 2 report. For details please refer to our blog article Service Organization Controls Report Review (Part 4) | SAP Blogs.

Using the SAP Help portal, it is possible to get further information about the access levels and access categories for the SAP support to customer systems (https://help.sap.com/docs/SAP_S4HANA_CLOUD/55a7cb346519450cb9e6d21c1ecd6ec1/3cdb582583b342fd82b3caf3f3763af8.html😞

Engage with us

To read all upcoming posts in this series, please follow the S4HANACloud audit tag we’ve created for this purpose.”

Or contact us on LinkedIn.

Your feedback

Feel free to share your feedback and thoughts in the comment section below.

Who we are

A big thank you to my colleagues for their collaboration and support

	Matthias Ems (SAP) – Business Information Security Officer SAP S/4HANA and Chief Security Product Owner S/4HANA With more than 20 years of experience in SAP Security, Auditing and Compliance, Matthias leads a team of Security Experts, responsible for Cloud Operations Security, Secure Development, Data Protection & Privacy and Security Attestation & Certification.
	Florian Eller (SAP) – Product Management SAP S/4HANA Security Florian has more than 15 years of experience working at SAP. For the past 8 years, his focus has been on application security.
	Björn Brencher (SAP) – Chief Product Security Architect SAP S/4HANA Bjoern is working in the field of SAP security for more than 2 decades with additional experience in SAP implementation and IT auditing.
	Patrick Boch (SAP) – Product Management SAP S/4HANA Security Patrick has 20 years experience of working with SAP, with a focus on SAP security for over a decade.
	Heiko Jacob (Deloitte) – Partner Risk Advisory (IT & Specialized Assurance) Heiko Jacob has more than 20 years of experience in the field of IT auditing and IT consulting, both in industry and with financial service providers.
	Christina Köhler (Deloitte) – Senior Manager Risk Advisory (IT & Specialized Assurance) Christina Köhler has more than 6 years of professional experience in the field of IT auditing and IT consulting, both in industry and with financial service providers.

クラウド時代のSAPのIDとアクセス管理ソリューションのご紹介

2023-11-27T09:22:35+01:00

こんにちは！

今回のブログでは、クラウド時代にふさわしい SAP が提供する IDとアクセス管理（いわゆる IAM、Identity and Access Management）のためのソリューションをご紹介します。

ソリューションポートフォリオ

企業ユーザのための IDとアクセス管理ソリューションは、以下の３つの領域において、クラウドでの提供サービスと、従来からのオンプレミスソリューションで構成されます。

クラウドソリューション

SAP Cloud Identity Services

SAP Cloud Identity Services では、ユーザ認証およびプロビジョニングの基本機能が提供されます。SAP Cloud Identity Services は、Identity Authentication と Identity Provisioning の 2 つの主要コンポーネントで構成されています。

詳細については、ヘルプ「SAP Cloud Identity Services」を参照ください。

SAP Cloud Identity Services - Identity Provisioning

SAP Cloud Identity Services - Identity Provisioning は、ID ライフサイクルプロセスを管理するための SCIM ベースのクラウドサービスです。このサービスにより、アイデンティティライフサイクルプロセスが自動化され、さまざまなクラウドおよびオンプレミスのビジネスアプリケーションへの ID とその権限のプロビジョニングが容易になります。

詳細については、ヘルプ SAP Cloud Identity Provisioning、SAP Discovery Center でのサービスカタログ SAP Cloud Identity Services - Identity Provisioning を参照ください。

SAP Cloud Identity Services - Identity Authentication

SAP Cloud Identity Services, Identity Authentication は、SAP クラウドおよびオンプレミスアプリケーションの安全な認証およびシングルサインオンのためのパブリッククラウドサービスです。これは、アイデンティティプロバイダ自体として機能することも、顧客の既存のシングルサインオンインフラストラクチャと統合するためのプロキシとして使用することもできます。

詳細については、ヘルプ SAP Cloud Identity Services - Identity Authentication、SAP Discovery Center でのサービスカタログ SAP Cloud Identity Services - Identity Authentication を参照ください。

SAP Cloud Identity Access Governance

SAP Cloud Identity Access Governance は、シンプルでシームレスな適応型のビジネス主導の継続的なアクセス分析、ユーザプロビジョニング、およびロール設計により、管理者、監査人、およびビジネスユーザのアクセスガバナンスとコンプライアンスの複雑さとコストを削減します。IAG は、動的なロールエンジニアリングに機械学習を活用しています。

詳細については、ブログ「SAP Cloud Identity Access Governance (IAG) の概要」、ヘルプ SAP Cloud Identity Access Governance を参照ください。

SAP Secure Login Service for SAP GUI

SAP Secure Login Service for SAP GUI では、SAP GUI for Windows における安全な認証およびシングルサインオンが提供されます。

詳細については、ブログ「SAP GUI for Windows のためのシングルサインオンソリューションのご紹介」、ヘルプ SAP Secure Login Service for SAP GUI を参照ください。

オンプレミスソリューション

SAP Identity Management

SAP Identity Management は、オンプレミス環境のSAP、SAP以外のアプリケーションのためのIDMソリューションです。

詳細については、このブログの最後の概要、あるいはヘルプ SAP Identity Management を参照ください。

SAP Access Control

SAP Access Control では、アクセスリスク違反を検出、修正、および最終的に防止するプロセス、ロール管理アクティビティの標準化、プロビジョニングプロセスとユーザアクセスレビュープロセスの自動化、およびスーパーユーザアクティビティのエンドツーエンドの可視性の提供が含まれます。

詳細については、ブログ「SAP Access Control の概要」、ヘルプ SAP Access Control を参照ください。

SAP Single Sign-On

SAP Single Sign-On は、オンプレミスのシングルサインオンソリューションです。

詳細については、ブログ「SAP GUI for Windows のためのシングルサインオンソリューションのご紹介」、ヘルプ SAP Single Sign-On を参照ください。

補足: SAP Identity Management の主な機能について

以下は、過去、別サイトに投稿したブログからの抜粋です。該当サイトが近く閉鎖されることから記録として残すために、転載しています。灰色の文字が元のブログから、黒字が今回追記した箇所を示しています。

SAP Identity Managementとは?

SAP Identity Management によって、企業は、複雑で異機種混在のシステム環境において、ユーザーIDとそのIDへの権限の割当を集中管理できます。例えば、複数のシステムに分散した、本社、関連会社、契約社員のユーザーIDを一元管理できます。

SAP Cloud Identity Services により、本社、関連会社、契約社員を含むユーザID を一元管理できます。

SAPおよびSAP以外のアプリケーションにユーザーIDと権限割当を自動的に配信できます。また、SAP Access Controlソリューションと連携することで、職務分掌に適合したコンプライアンス対応のID管理を実現できます。

SAP Cloud Identity Services - Identity Provisioning、あるいは、SAP Cloud Identity Services - Identity Provisioning と SAP Cloud Identity Access Governance との組み合わせにより、SAPおよびSAP以外のアプリケーションにユーザーIDと権限割当を自動的に配信でき、SAP Cloud Identity Access Governance を利用して職務分掌に適合したコンプライアンス対応をサポートできます。

ワークフロー、レポート、セルフサービス機能を提供します。SAPのシングルサインオンソリューションと連携することで、ITシステム全体に対するシングルサインを、アクセスセキュリティを確保したうえで安全に提供できます。

SAP Cloud Identity Access Governance により、ワークフロー、レポート、セルフサービスの権限申請をサポートできます。SAP Cloud Identity Services - Identity Authentication により、ITシステム全体に対するブラウザベースでのシングルサインオンを実現できます。SAP GUI for Windows でのシングルサインオンに対しては、SAP Secure Login Service for SAP GUI がこれをサポートします。

図: SAP Identity Management の主な機能

SAP Identity Managementの差別化要因

SAPアプリケーションとの技術的連携
- SAP S/4HANA、SAP Business Suite、SAP HANA、SAP BusinessObjects、SAP SuccessFactorsを含むSAPアプリケーションとの連携

ビジネスプロセスレベルの連携
- SAP HCM、SAP SuccessFactorsとの連携（従業員情報）
- SAP CRMとの連携（ビジネスパートナー情報）

SAP Access Controlとの連携 -> コンプライアンス（職務分掌）

多くのSAPおよびSAP以外とのコネクタを標準装備（例： Active Directory、Outlook、Lotus Notes、データベース、ファイル、他）

SAP Identity Managementの利用シナリオ

統制されたID管理の代表例としてユーザーによるロール（権限）割当申請のシナリオと、ビジネスプロセスの効率化に有効な人事ビジネスプロセスとの連携によるプロビジョニングのシナリオを紹介します。

(1) ユーザーによるロール（権限）割当申請のシナリオ

ユーザーがSAP Identity Managementにログインし、Web UIを使って、ロール割当を申請

SAP Identity Managementのワークフロー機能により、マネージャーにワークフローのタスクが通知され、マネージャーは申請を承認
（3から6はオプション）

SAP Identity ManagementはSAP Access Controlのリスク分析へ依頼を転送

SAP Access Controlはリスクを分性（職務分掌に適合することをチェック）

リスクがある場合は適切な担当者が緩和処置を実行

SAP Access ControlはリスクステータスをSAP Identity Managementに転送

SAP Identity Managementは、ターゲットシステムへ配信（例えば、SAP ERPの請求処理ロールの申請のケースでは、SAP ERPのユーザIDに請求処理ロールを割当てる。ユーザーIDが未登録であればそのIDを登録する。）

SAP Identity Managementは、ユーザーとマネージャーへメールで完了を通知

図: ロール割当申請から配信までのプロセスフロー

(2)人事プロセス主導のIDとロール割当のシナリオ（採用時）

採用前フェーズ: 人事は、ポジションや入社日などの彼女の社員データを入力

イベント起動で個人データを抽出

SAP HCMでのポジションに基づき、IDMは、ビジネスロール “Marketing Specialist” を自動的に割当て

彼女の上司が割当を承認

仕事の初日: 関連システムにロールと権限情報を配信

図: ビジネスプロセス主導のID管理（採用時）

SAP Identity Managementのコネクタ

SAP Identity Managementの標準コネクタの一覧を示します。多くのコネクタが提供されていることを確認いただけると思います。これら以外に、パートナー企業から提供されているコネクタもあります。必要に応じて、コネクタを独自に開発することも可能です。

図: SAP Identity Management のコネクタ一覧

Enhance your SAP experience with SAP approved GRC AC Experts through the Ask an Expert Peer channel

2023-12-04T15:55:49+01:00

What is Ask an Expert Peer?

Ask an Expert Peer lets you collaborate on your technical, product-related questions through one-on-one interactions with a qualified and approved expert outside of SAP. This channel is best to deliver fast issue resolutions for your basic, non-business critical questions and all low to medium priority cases. Ask an Expert Peer is currently available for SAP SuccessFactors and SAP ERP, SAP S/4 HANA, Technology, GRC & Finance solutions at no additional cost.

More information, including expanded product areas for Ask an Expert Peer, can be found in KBA 2998816. More details in blog

Ask an Expert Peer channel is available for which GRC Product Areas?

This channel is available for SAP Access Control and SAP Access Control for SAP S/4HANA.

Experts are available for all sub-product functions of Access Control.

Product Function includes:-

Emergency Access Management

Business Role Management

Access Risk Analysis

Access Request Management

Analysis and Reports

How to Access Ask an Expert Peer from SAP for ME?

Logon to SAP for Me with valid S user id. Navigate to Services & Support and select Get Support App

Provide all basic information about your issue, System, Product and Product Function.

Based upon Product SAP Access Control / SAP Access Control for SAP S/4HANA selection, all available channels will be shown. Select button “Ask an Expert Peer” to launch the experience

Provide details about your issue and submit your question. A qualified and approved expert outside of SAP will work with you to resolve your case through a chat window.

If the expert is unable to resolve your question or you are not satisfied with the answer, you have the option to easily switch to another channel and interact with SAP support by starting Schedule an Expert or by submitting Case. The conversation transcript from Ask an Expert Peer will be saved, so there will be no duplication of effort for you.

Start using Ask an Expert Peer today for all your low to medium
priority incidents.

Privileged Access Management in SAP S/4HANA Cloud: A Comprehensive Guide

2024-01-03T18:58:26+01:00

Introduction: In the dynamic world of cloud computing, managing privileged access is crucial for maintaining security and operational integrity. SAP's introduction of Privileged Access Management (PAM) for SAP S/4HANA Cloud, as part of the SAP Cloud Identity and Access Governance (IAG) release 2302, marks a significant advancement in this field. This feature streamlines access control, ensuring enhanced security and compliance within your SAP environment. In this blog post, we'll explore the key steps and best practices for implementing PAM in SAP S/4HANA Cloud.

Understanding the Basics:

Privileged Access Management (PAM) in the context of SAP S/4HANA Cloud is a critical aspect of cybersecurity and compliance. It serves as the cornerstone of secure cloud operations. But what exactly is PAM, and why is it so vital in the SAP ecosystem? At its core, PAM is a security solution designed to monitor and control elevated ('privileged') access within an IT environment. Privileged accounts are those that have administrative or specialized access to critical systems. In SAP S/4HANA Cloud, these accounts could include system administrators, superusers, or any account with access to sensitive data and controls.

Privileged or Emergency Access Management in SAP refers to the process of securely granting and monitoring temporary, high-level access to critical systems and data in exceptional situations while ensuring strict controls, auditability, and accountability. This access is typically granted to authorized personnel for urgent tasks and it is closely managed to minimize security risks.

The figure below explains some of the scenarios where PAM can be potentially used.

PAM Usage Scenarios

The figure below explains the PAM process for SAP S/4HANA Cloud.

Users can create self-service requests for emergency access to systems and applications.

Approvers, reviewers and security can review requests for emergency access and grant access.

Compliance persons can perform periodic audit and monitoring based on usage logs.

PAM Process

The benefits of PAM are:

Enhanced Security: PAM ensures that only authorized personnel have access to critical systems, reducing the risk of security breaches.

Audit and Compliance: It provides detailed logging and tracking of privileged activities, which is crucial for audits and regulatory compliance.

Least Privilege Principle: PAM enforces the principle of least privilege, where users are granted only the access necessary for their role, minimizing the potential for unauthorized access or actions.

The various terminologies used within PAM process in SAP are:

PAM User: The IT Support User who requires the elevated access.

PAM ID: The PAM User Id with elevated privileges.

PAM Approver: The person(s) who approvers the PAM ID assignment to a PAM User.

PAM Reviewer: The person(s) who reviews the log request and investigates any differences between intended and actual usage.

The PAM ID is a generic ID created in SAP IAG and backend SAP S/4HANA Cloud system.

What is a PAM ID?

Implementation Steps:

Client Authentication Setup: This step involves creating a client ID and secret for the S/4HANA application in Identity Authentication (IAS). It is crucial for establishing a secure connection.

Destination Creation in BTP: We then proceed to create a destination in the BTP for PAM in the IAG Subaccount.

Privileged Access IDs Creation: This is a critical step where privileged access IDs are set up in PAM on IAG.

Provisioning Job Execution: Finally, running the provisioning job on IAG is essential to ensure that all configurations take effect.

Prerequisites:

Before diving into the implementation of Privileged Access Management (PAM) in SAP S/4HANA Cloud, certain foundational steps must be completed. Here's what needs to be in place:

IPS_PROXY destination has been set as per SAP documentation

S/4HANA Cloud application setup has been completed as per SAP documentation

Worker IDs have been created for the PAM IDs using the Manage Workforce app in S/4HANA Cloud.

Business roles have been defined for PAM in IAG

PAM access has been provided using BTP role collections for PAM to the administrators, approvers, reviewers, and the PAM end users. (Pre-delivered role collection CIAG_Privileged_Access)

Access Request workflow has been set up for PAM as per SAP documentation. (Request Type: PAM and PAMREVIEW)

Request Type Rule for PAM Access Request Process

The following communication scenarios have been added to the communication user in S/4HANA:

SAP_COM_0193	Identity Provisioning Integration
SAP_COM_0066	SAP Cloud Identity Access Governance Integration
SAP_COM_0093	Identity Management Integration
SAP_COM_0327	Business User Change Document Integration
SAP_COM_0366	Business Role Change Document Integration
SAP_COM_0750	Security Audit Log Integration

We started implementing PAM after we completed the implementation of the Access Request Service. So, some of these prerequisites were already in place.

Configuration Steps

Let's walk through the key configuration steps.

Client Authentication Setup for S/4HANA Application in Identity Authentication (IAS)

To integrate with IAG, we will create a Client ID and Secret on the S/4HANA application in IAS. This is because IAG currently only supports basic authentication. You will need to use this client and secret as your user and password when setting up the BTP destination for PAM.

- Navigate to Applications and Resources  Applications.
- Select the SAP S/4HANA Cloud Tenant and navigate to Trust  Application APIs  Client Authentication.
- Go to the Secrets section and click on Add. Enter a description and click Save.

Add a Secret in S/4HANA API Authentication on IAS

- Copy and securely store the Client and Secret values. They will be required to create the BTP destination for PAM.

Copy Client ID and Secret

Create a destination in BTP for PAM in the IAG Subaccount

- Login to the IAG Subaccount on BTP and navigate to Connectivity  Destinations.
- Create a new destination with these values:

- - Name: (e.g., S4C-IAG-PAM)
  - Description: PAM Destination for S/4HANA
  - Type: HTTP
  - Accept: */*
  - Authentication: BasicAuthentication
  - ProxyType: Internet
  - URL: [Your IAS URL, e.g.,https://<yourtenant>.accounts.ondemand.com]
  - User: [Client ID from IAS]
  - Password: [Secret from IAS]
  - USERSURL: /service/users

Destination for PAM in the IAG Subaccount on SAP BTP

Update the S/4HANA destination with PAM parameters in the IAG Subaccount

Add these additional properties to the S/4HANA destination in BTP in the IAG subaccount.

- IASApplicationName: Application name of Identity Authentication system in IAG
- IASDestinationName: Name of the PAM destination created in the previous step
- IASSubjectNameIdentifier: The Subject Name Identifier used for user authentication to S/4HANA in the IAS application configuration. E.g. UserID or Email
- S4HCHomePageURL: URL to the S/4HANA system. If you have set up a corporate identity provider and if you are using IAS as a proxy then you will need the URL to bypass the corporate identity provider. This can be found under the conditional authentication of the S/4HANA application configuration in IAS.

Destination for S/4HANA Cloud in IAG Subaccount on SAP BTP

Create Privileged Access Ids in PAM on IAG

You can now start creating the PAM Ids using the “Maintain Privileged Access” app on IAG.

- Login to IAG and navigate to Privilege Access Management tab.
- Open the app “Maintain Privileged Access”

Maintain Privileged Access App on IAG

- Click on “+” button on the right.
- In the attributes section enter all the mandatory fields.
- Name: Same as Worker ID
- Description: Provide a suitable description for the PAM ID
- Business Role: Role defined for the PAM ID in IAG
- PS: Upon selecting the business role, the Employee ID and Email fields are displayed. These fields are not displayed initially.
- Employee ID: Same as Worker ID
- Email: Same as the email provided for the Worker ID
- Criticality: Can be CRITICAL, HIGH, MEDIUM or LOW
- Duration in Days: Max number of days for which the PAM can be requested.

Attributes Section of a PAM ID on IAG

- In the allowed activities, you will be provided with a list of catalogs based on the business role assigned. Here you can select the activities for which the PAM ID is designed to be used. This is not an authorization restriction for the PAM ID. It is just for documentation purposes only.

Catalogs allowed for the PAM ID based on the assigned business role

Allowed activities section of the PAM ID on IAG

- In the Approvers / Reviewers section you will assign the users who should approve the PAM ID in the access request workflow in the “ROLE OWNER” stage and the person who will review the log access review request after the PAM ID has been used by a user. PS: All IAS users are listed for selection. There is no dependency upon any group to be assigned for users to be listed here.

Approvers and Reviewers section of the PAM ID on IAG

- Click on Save and Activate to save the PAM ID.

Run the provisioning job on IAG
- Navigate to Administration  Job Scheduler
- Provide a suitable job description and job category as Provisioning

Schedule Job for PAM ID Provisioning on IAG

- Click on Schedule Job
- Navigate to the Job History App to confirm that the PAM ID has been provisioned in the S/4HANA Cloud backend system.

Log of Provisioned PAM ID in the Job History app on IAG

- Login to the backend S/4HANA Cloud to ensure the account has been created.

PAM ID displayed in Maintain Business Users app on S/4HANA Cloud

PAM Access Request Process

The Access Request app now allows you to request the PAM ID. Simply search for the PAM ID you need using the search field, or filter by “Access Type = Privilege Access”.

Search for PAM ID in Access Request on IAG

Once the PAM end user submits the request, the access request workflow for the "PAM" request type will be triggered. Note, the PAM end user is any IT support user who requires elevated access to perform a critical task in Production.

The defined workflow will send the request to the appropriate approver. In the case below, the approver is the PAM Owner defined in the Maintain Privileged Access app on the PAM ID. You can define your own workflow stages and have multiple stage approval as well as multiple approvers for a stage (except the Manager stage).

Note that the access request inbox for approving PAM requests is under the Privileged Access Management tab and the app is called "Privileged Access Request – Inbox”. This can cause confusion for approvers because the normal tendency would be to check the "Access Request - Inbox". I hope that in future releases SAP would consolidate the different inboxes of the services that have workflow capabilities on IAG.

Approval work item in Privileged Access Request – Inbox app on IAG

PAM Request Details for Approval on IAG

Once the request is approved, the user who made the request is assigned an ID.

PAM Execution

The PAM end user can now log in to IAG and execute the PAM ID session using the "PAM Execute Session" application.

Assigned PAM ID displayed in PAM Execute Session app on IAG

Upon clicking “Execute Session”, the user is presented with a popup with a link to activate the PAM ID.

Access Link to activate PAM ID for the session

Click the link to open a new tab. The message displayed states that you are required to sign out from the current application to activate the new account. Click on Sign out and continue.

Sign Out page for activating the PAM ID

On the next page, enter a password for the account and click on continue.

IAS Password entry page for activating PAM ID

You will now be logged in to the target S/4HANA Cloud system with the PAM ID.

S/4HANA Account to confirm the logged in PAM ID

If you go to your IAS Tenant and navigate to the User Management section, you will see that the PAM ID is created after this step. Once the PAM session is terminated, the ID will be removed from IAS. This process will be repeated each time the user logs in and terminates the PAM session.

IAS User Management displaying the activated PAM ID

Once you have completed the PAM tasks, sign out of the PAM ID from S/4HANA.

PAM Sign Out after completion of the session tasks

Navigate back to the IAG tab. If you have been logged out of IAG then close the browser and log back into IAG using a new browser window. Navigate back to the “PAM Execute Session” app.

PAM Execute Session app on IAG after Signing Out of PAM from S/4HANA

Click on “Terminate Session”. A pop up message confirms that the session has been terminated.

Termination Confirmation

The “Execute Session” button is displayed once again.

PAM Execute Session app on IAG after session is terminated

If you check the user in IAS you will find that the user has been deleted.

PAM ID is deleted from IAS after session is terminated

PAM Log generation and review

To proceed, we need to schedule the Log Sync and Access Request Review jobs. It's recommended to schedule these jobs to run regularly, particularly in a production scenario.

Using the Job Scheduler application on IAG, you can schedule the "Privileged Access Log Sync" job. This job syncs the logs from the S/4HANA backend system to IAG.

Scheduling the Privileged Access Log Sync Job on IAG

Check the Job History to confirm the job is completed. Next use the Job scheduler app on IAG, to schedule the “Privileged Access Review Request” Job.

Scheduling the Privileged Access Review Request job on IAG

The second job creates a log review request and sends it to the PAM ID reviewer for approval. The PAM reviewer can access the PAM Logs review request in the app “Privileged Access Monitoring – Inbox”.

Log review work item in Privileged Access Monitoring – Inbox app on IAG

The log review request has three files as attachment.

Business Role Changes: An excel file with changes made to the business role using the PAM ID during that PAM session.

Business User Changes: An excel file with changes made to any business users using the PAM ID during that PAM session.

Security Audit Log: An excel file with the details of the login session and the apps used during the PAM session.

Log attachments for the PAM session in the review work item

Important Note on PAM Log File Generation

As of the writing of this content, there is a known challenge with the consistent generation of log files in the Privileged Access Management (PAM) system. This issue primarily arises from a timing discrepancy between the PAM log generation process on SAP Cloud Identity Access Governance (IAG) and the synchronization with the SAP S/4HANA backend system. SAP is actively aware of this issue and is diligently working towards a resolution.

In the interim, SAP has proposed a manual workaround for this issue. It involves the use of the "Click to upload attachment" feature to manually add log files from the SAP backend system. This method ensures that crucial log files are not missed and maintains a comprehensive audit trail for privileged access activities.

To aid in the prioritization and rapid resolution of this issue, I have initiated a customer influence request. If you, like many others, are keen on seeing a more streamlined and automated solution to this log file generation challenge, your support would be invaluable. By voting on this customer influence request, you can significantly contribute to highlighting the importance of this issue to SAP, thereby potentially accelerating its resolution.

https://influence.sap.com/sap/ino/#/idea/314189

Completing the Privileged Access Management Cycle

The final step in the Privileged Access Management (PAM) process within SAP S/4HANA Cloud is crucial and signifies the completion of a comprehensive cycle of secure access management. Once a PAM ID has been used, it undergoes a thorough review process. This review is essential to ensure that the privileged access was utilized appropriately and by the established guidelines and policies.

The PAM reviewer, a designated authority within the system, plays a pivotal role at this juncture. After the PAM ID usage, the reviewer meticulously examines the access logs and activities performed. This step is not just a formality but a critical component of maintaining the integrity and security of the system. It helps in identifying any discrepancies, unauthorized activities, or potential security risks.

Upon a detailed review, when the PAM reviewer approves the review request, it marks the successful conclusion of the PAM process. This approval indicates that the privileged access was managed, executed, and reviewed in line with the stringent security standards set by the organization.

Creating and Managing Campaigns in IAG - Access Certification Service

2024-01-31T10:37:26.306000+01:00

Introduction to SAP Cloud Identity Access Governance (IAG)

SAP Cloud Identity Access Governance (SAP IAG) is a SaaS (Software as a service) application built on SAP Business Technology Platform (BTP). Although it offers features that are comparable to SAP GRC Access Control, it will not replace Access Control.

It provides out of the box integration with existing on-premise ECC applications along with latest cloud applications such as Ariba, SuccessFactors, S/4HANA, Analytics Cloud and other cloud solutions with many more SAP integrations on the roadmap. It helps customers achieve access control and governance through the below key services:

Access Analysis, Role Design, Access Request, Access Certification and Privileged Access Management.

I'll guide you through the Access Certification service in this blog post.

What is Access Certification Service?

Access certification service is used for periodically reviewing and certifying access to business applications in the cloud and on-premises area. It ensures that users have optimized access based on their designation.

The Managers and designated reviewers validate access to business applications. Periodic review process can be carried out for single roles, composite roles, business roles, profiles, and SAP SuccessFactors static groups.

Responsibilities of Campaign Administrators, Coordinators and Reviewers

Administrator – is responsible for creating and editing campaigns.

Coordinator – is responsible for coordinating campaign activities, for example, reassign items, remind reviewers, escalating to the reviewer's manager etc.

Reviewer – is responsible for approving/rejecting user access during review stage.

Access required for Campaign Administrators, Coordinators, and Reviewers.

User	Role collections on BTP	User groups on IAS
Campaign Administrator	CIAG_Access_Certification_Admin	IAG_CPG_ADMIN
Coordinator	CIAG_Access_Certification_Coordinator	IAG_CPG_CO
Reviewer	CIAG_Access_Certification_Reviewer	IAG_CPG_REVIEWER

Note:

IAG_WF_ADMIN - Users assigned to this group can receive and work on access certification review items in the security stage.

IAG_WF_DEFAULT - When managers or role owners are not available, the task of reviewing a user’s access is forwarded to members of this group.

Access Certification Service apps

Below are the apps available on the launchpad for the access certification service.

How to create campaigns - Campaign administrators use the Create Campaigns app to create, edit, and submit campaigns.

Open Create Campaigns app and select the option new certification campaign as mentioned in the screenshot below.

In step 1 – General information, provide campaign name without spaces or special characters, description, planned duration, coordinators (the person responsible for managing the campaign) and send notification (coordinator will receive a notification about the upcoming end of the campaign’s planned duration) as mentioned in the screenshot below.

In step 2 – Data selection, add relevant information in the search fields to refine the set of users, access, and systems that are to be part of the campaign. You can choose any search criteria based on your requirement. In this instance, the search criteria is the application, which takes into account every application user for the purpose of evaluation.

In step 3 - Workflow selection, select a workflow for approval process. You can choose any workflow from the list of workflows available. Here, the security workflow path is chosen.

Review all the information and submit the campaign. Once it is submitted, review requests will be created and assigned to the corresponding reviewers. Note : Once the campaign is in progress, it is sent to the Manage Active Campaigns app where the coordinator can view its status and monitor and manage the progress of the campaign.

How to Manage Active Campaigns - Campaign coordinators use the Manage Active Campaigns app to see the overall status of campaigns assigned to them. They can close an existing campaign, reassign tasks to a different reviewer, or remind a current reviewer of items to evaluate.

Select the campaign which was created previously.

Once you open the campaign, you can see the list of reviewers for the campaign and what status the review is in. It also includes the options to reassign to another reviewer, remind the reviewer that there are items to review, escalate the task to the reviewer’s manager, or release the claimed task. The Escalate option sends an e-mail notification to the reviewer’s manager, and the remind option sends an e-mail notification to the reviewer.

How to Manage Campaign Reviewer Inbox - Campaign reviewers use the app Manage Campaign Reviewer Inbox app to review and approve the review requests.

Select the campaign that was created previously to review and approve requests.

To perform a review, approve/reject each line item individually or choose approve/reject all to handle all line items. Here, a few line items were chosen for approval and a few for rejection. Following submission, requests that are approved will not be subject to any further action, while requests that are rejected will be deprovisioned.

What does Access Certification Audit Log app contain?

Every campaign is listed in the audit log. This app can be used by anyone handling access certification campaigns to verify the steps that have been performed. Utilize the search function to locate particular campaigns.

What does Access Certification Campaign Log app contain?

Details about that campaign's log history are shown in the app. This covers any messages that are generated while the request creation process is run. Furthermore, the app assists you in confirming that the steps have been generated correctly.

Conclusion

I would like to conclude saying that, IAG - Access Certification service help organizations reduce losses from unforeseen risk (fraud, access risk) - by performing periodic access reviews for users.

It lowers compliance and risk management costs by empowering the business with automated user access management and efficient, cost-effective access audits.

References

Product Overview | SAP Help Portal

Governance, Risk, and Compliance (GRC) with SAP S/4HANA Cloud Public Edition 2402

2024-02-05T14:32:19.582000+01:00

Hello and welcome to the release highlights for Governance, Risk, and Compliance (GRC) with SAP S/4HANA Cloud Public Edition 2402. This blog contains selected highlights from SAP Risk and Assurance Management (formerly known as SAP Financial Compliance Management), SAP Document and Reporting Compliance, and SAP Cloud Identity Access Governance along with their business benefits and deep-dive system demos.

To get a quick overview of our SAP S/4HANA Cloud Public Edition 2402 highlights for Governance, Risk, and Compliance (GRC), watch this 4-minute video:

Topics of Covered in this Blog

Expert Talk: Empower the Intelligent, Sustainable Enterprise with SAP Finance & Risk – 2023 Update
SAP Risk and Assurance Management (formerly known as SAP Financial Compliance Management)
- Integrated Risk Management
- Additional Assurance Activity Type in Control Management
- Automated and Manual Grouping and Ungrouping of Issues
- Preconfigured internal control framework for medium-sized companies

SAP Cloud Identity Access Governance
- Support for Multiple Rulesets in Access Analysis
SAP Document and Reporting Compliance
- Streamlined Communication with Authorities with SAP Document and Reporting Compliance
- Simplified Review and Clearing of Withholding Tax Items for Reporting
- Early Adopter: Enablement of Sales and Use Tax Reporting for the United States through SAP Document and Reporting Compliance
SAP S/4HANA for International Trade
- Ability to Suppress Output from a Sales Order in Case of Trade Compliance Blocks in SAP Global Trade Services
- Produce and Sell Standard Products - Inventory Management

If you are interested in innovations for Finance, please refer to the blog 'Finance in SAP S/4HANA Cloud Public Edition 2402' from UIrich Hauke.

Expert Talk: Empower the Intelligent, Sustainable Enterprise with SAP Finance & Risk – 2023 Update

If you are interested in SAP's strategy on how to empower the intelligent, sustainable enterprise with SAP Finance & Risk in a 2023 update, check out this expert talk video with Yannick Peterschmitt, Ulrich Hauke, Christoph Ernst and myself:

Video 1: Expert talk video on how to empower the intelligent, sustainable enterprise with SAP Finance & Risk - 2023 update

SAP Risk and Assurance Management (formerly known as SAP Financial Compliance Management)

SAP Risk and Assurance Management is integrated with SAP S/4HANA Cloud, public edition and provides you with the tools to become compliant with internal controls, laws, and regulations that apply to your organization. The solution enables you to document your internal controls framework and manage potential risks to your organization, as well as develop and monitor checks put in place to ensure compliance.

Integrated Risk Management

We enhance the core compliance functionalities with a comprehensive risk management framework to outline purpose and benefit of each control, and to provide transparency to the overall process health and compliance.

Value Proposition

Enable customers to set up and maintain risk information in financial compliance
Empower customers to continuously update risk information and quickly identify risk areas
Provide the overview of the risk and control matrix to customers

Capabilities

Leverage existing controls in your risk-mitigation response
Add existing risks to controls and, thereby, leverage control for risk mitigation
When risk attributes, such as risk level, validity, and status, are updated, display the corresponding changes in controls

If you are interested in a system demo of the new risk management functionality, check out this video:

Video 2: Integrated Risk Management with SAP Risk and Assurance Management

For more information, see: GRC Risk Service in SAP FCM

Additional Assurance Activity Type in Control Management

With the concept of assurance activity types, the solution allows customers to establish a 3 lines of defence concept (perform, test and assess control).

Value Proposition

Complete holistic approach for compliance by adding control assessments to control-related compliance activities
Enable compliance officers to collect information to assess completeness and maturity of the implemented control framework
Assist management and compliance teams for monitoring or identifying control unidentified weaknesses and risks

Capabilities

Support control assessments as new assurance activity type for controls
Support survey-based assessment on controls and provide rating of control assessment
Generate issue in case control assessment rating is deficient or significantly deficient

If you are interested in a system demo of the control assessment functionality, check out this video:

Video 3: Three lines of defense concept thanks to introduction of third assurance activity type 'Control Assessment' in SAP Financial Compliance Management

For more information, see: Assurance Activity

Automated Grouping and Ungrouping of Issues

Issue grouping complements the capabilities to manage issues and run remediation activities in more more advanced.

Value Proposition

Automatic grouping of issues based on configurable grouping rules
Manual group and ungroup of issues based on business decision
Group issues cross data sources

Capabilities

Streamline issue processing by addressing similar findings with less issues enabled through automatic issue grouping
Optimize issue processing by manual grouping and ungrouping of issues to
Bundle issues according to business needs
Split issue items in case they need separate processing
Address same defect at multiple business documents with one issue
Address multiple defects at the same business document with one issue

Fig. 1: You can automatically and manually group and ungroup issues in SAP Financial Compliance Management

For more information, see:

Preconfigured Internal Control Framework for Medium-Sized Companies

The solution comes with a predefined internal control framework which has been extended with additional focus areas such as Environmental, Social and Governance (ESG) and Human Rights Due Diligence for Suppliers in Risky Countries. In addition, a new control around Supplier Duplicate Invoices with additional flexible logic was provided.

Value Proposition

Empower the CFO and the head of finance with ready-to-run internal controls
Minimize the effort of building your financial compliance management framework

Capabilities

Use out-of-the-box business content, such as predefined controls
Addition of internal controls for new focus areas such as ESG and Human Rights Due Diligence

Fig. 4: Additional preconfigured controls in new focus areas such as ESG and Human Rights Due Diligence

For more information, see: Business Content for SAP Financial Compliance Management

SAP Cloud Identity Access Governance

Support for Multiple Rulesets in Access Analysis

SAP Cloud Identity Access Governance now has the capability to assist in meeting external audit standards through the support of multiple rulesets. These rulesets can be employed to simplify the external auditor's independent assessment, such as evaluating location-specific Segregation of Duties (SoD) rulesets for employees assigned to specific locations. Additionally, users have the option to define multiple customized rulesets for conducting further analyses.

Value Proposition

Make comprehensive and thorough assessments of various types of risks and scenarios
Have flexibility and adaptability to apply different rules within specific contexts
Allow external auditors to maintain independent evaluations by enabling them to use their own rules

Capabilities

Evaluate and manage risks in different contexts by leveraging multiple rule sets to define and apply various sets of rules, criteria, or frameworks
Address specific needs through customization using the rule sets; for example, meet the unique risk considerations of different departments or units within an organization

If you are interested in a system demo of the multiple ruleset functionality, check out this video:

Video 4: Support for Multiple Rulesets in Access Analysis in SAP Cloud Identity Access Governance

For more information, see: Rulesets

SAP Document and Reporting Compliance

Streamlined Communication with Authorities with SAP Document and Reporting Compliance

Increasing complexity driven by regulations requiring integration with local authorities for electronic documents, statutory reports, validation of VAT registrations and more. SAP Document and Reporting Compliance, cloud edition provides a single channel for all submissions across countries and processes, that can be easily activated and managed leveraging the new scope item 78L.

Value Proposition

Easy to use and simple to configure
Faster implementation of legal changes / new reporting requirements
Simplify IT landscape and reduce total cost of ownership
Manage your integrations to tax authorities within your global SAP BTP account

Capabilities

Electronic exchange of invoices for Israel and more planned in the roadmap.
Electronic submission of statutory reports
One API-based integration between SAP S/4HANA Cloud, Public Edition and SAP Document and Reporting Compliance, cloud edition scalable across countries and scenarios
Seamless activation per country

Fig. 2: Streamlined communication with authorities with SAP Document and Reporting Compliance

For more information, see: Integrating the Cloud Edition with SAP S/4HANA Cloud

Simplified Review and Clearing of Withholding Tax Items for Reporting

As part of withholding tax reporting, withholding tax items need to be reviewed and cleared to create a payable document to the authorities
Review of withholding tax items to be settled to the authorities
- User-friendly preview of documents to be settled
- Confirmation of items to be settled to authorities
Automated clearing of withholding tax items confirmed and creation of payable documents to authorities
Creation of withholding legal reports based on cleared items

If you are interested in a system demo of the functionality for withholding tax items, check out this video:

Video 5: Simplified Review and Clearing of Withholding Tax Items for Reporting with SAP Document and Reporting Compliance

Early Adopter: Enablement of Sales and Use Tax Reporting for the United States through SAP Document and Reporting Compliance

Please note the following functionality is currently only available for early adopter customers:

Functionality:

Integration with partner solutions to enable sales and use tax reporting for United States through SAP Document and Reporting Compliance and standardize tax reporting worldwide
- Definition and mapping of entities from partner solution
- Seamless replication of transactional data
Generation and review of legal file using ‘Run Statutory Reports’ application in SAP S/4HANA Cloud
Output files retrieved from partner solution and managed centrally (same solution of all other countries)
- User-friendly preview of tax data
- Download of ready-to-upload-file
Central monitoring of all deadlines for statutory reporting

If you are interested in a system demo of the functionality for the enablement of sales and use tax reporting for the U.S. through SAP Document and Reporting Compliance, check out this video:

Video 6: For early adopters: Sales and Use Tax Reporting for the U.S. with SAP Document and Reporting Compliance

SAP S/4HANA for International Trade

Ability to Suppress Output from a Sales Order in Case of Trade Compliance Blocks in SAP Global Trade Services

Value Proposition

Help ensure that follow-on functions can be suppressed to stay legally compliant

Capabilities

Provide the ability to suppress output as a follow up action in sales orders when the document is blocked by trade compliance functionality in SAP Global Trade Services (GTS)

Produce and Sell Standard Products - Inventory Management

We have added the possibility to include legal control checks for compliance with the international trade regulations during the sales order creation process. In a follow-up step you can analyze and resolve the blocked documents. After the completion of the sales cycle, we have added the option to trigger an Intrastat declaration for the EU-wide business.

Meanwhile, don’t hesitate to leave a comment and check out our new community page to ask your questions and engage with the experts. Follow the PSCC_Enablement tag to stay up to date with our latest blog posts.

️Watch Our Live Sessions

This month, we hosted a series of 19 compelling live sessions to highlight the exciting innovations shipped with the SAP S/4HANA Cloud Public Edition 2402 release. Missed the live sessions? No problem! Take advantage of the entire series or pick and choose the sessions most relevant to you on demand.

️ Inside SAP S/4HANA Cloud

There is no customer success without project success and product success! Leverage the unique knowledge and expertise of SAP S/4HANA Cloud experts, partners, and customers, sharing their SAP S/4HANA Cloud implementation project best practices and lessons learned – anywhere, anytime. In this podcast, we give you all ingredients to get to the next level and make your SAP S/4HANA Cloud project a success. Subscribe now and benefit from the shared knowledge!

openSAP Microlearnings for SAP S/4HANA Cloud

Our openSAP microlearnings for SAP S/4HANA Cloud offer an exciting new learning opportunity. What began with a small batch of 20 videos, has now become a channel with more than 50 microlearnings that have generated over 20,000 views. Today, we cover multiple lines of business such as finance, manufacturing, and supply chain management, and key technology topics like Master Data Management, extensibility, SAP User Experience, and upgrade management. We are continuously adding new microlearnings to our channel, so make sure you check them out.

️ Your Voice Matters

You want to learn more and actively engage with SAP subject matter experts on SAP S/4HANA Cloud topics? We have just the right place for you! Join our interactive community where we bring together customers, partners, and SAP experts with a clear mission: To engage with one another about best practices and product solutions. We invite you to explore the ‘one-stop shop’ as the central place for all resources, tools, content questions, answers and to connect with experts who will guide you through your journey to the intelligent, sustainable enterprise.

Find All of Our Assets

SAP S/4HANA Cloud is the foundation of the intelligent, sustainable enterprise and is an innovative, robust, and scalable ERP. We at Cloud ERP Product Success and Cloud Co-Innovation offer a service as versatile as our product itself. Check out the numerous offerings our team has created for you by clicking on the image below:

Where to Find More Information:

Link Collection - Governance, Risk and Compliance (GRC) with SAP S/4HANA and SAP S/4HANA Cloud
SAP Community for Finance
Watch the replays of our exclusive SAP S/4HANA Cloud Public Edition 2402 Early Release Series here: https://community.sap.com/t5/enterprise-resource-planning-blogs-by-sap/watch-the-replays-of-our-excl...
Explore the ready-to-run cloud ERP here: https://www.sap.com/products/erp/s4hana.html
Watch our SAP S/4HANA Cloud product update videos on YouTube: https://www.youtube.com/playlist?list=PLWV533hWWvDnnyN2j-CcUheNN-GaNCb3H
Check out our digital enablement wheel here: https://chart-bdmaicr0au.dispatcher.eu2.hana.ondemand.com/index.html?hc_reset
Find out how to switch from groups to spaces and pages here: https://blogs.sap.com/2023/11/06/deactivation-of-groups-in-the-sap-fiori-launchpad-in-sap-s-4hana-cl...
Become an early adopter for Joule in SAP S/4HANA Cloud Public Edition here: https://influence.sap.com/sap/ino/#campaign/3612
Check out the SAP Activate Roadmap for early adopters here: https://go.support.sap.com/roadmapviewer/#/group/658F507A-D6F5-4B78-9EE1-0300C5F1E40F/roadmapOvervie...
Review the PPL content here: https://go.support.sap.com/roadmapviewer/#/group/658F507A-D6F5-4B78-9EE1-0300C5F1E40F/roadmapContent...
Listen to our podcast here: https://podcast.opensap.info/inside-sap/
Watch our openSAP microlearnings to learn about SAP S/4HANA Cloud topics at your own pace here: https://microlearning.opensap.com/
Find best practices on SAP S/4HANA Cloud Public Edition here: https://me.sap.com/processnavigator/SolS/EARL_SolS-013/latest?region=DE
Check out what’s new here: https://help.sap.com/doc/ce01d82756b947a1a043a5d5a3204226
Find help here: https://help.sap.com/docs/SAP_S4HANA_CLOUD
Read the feature scope description here: https://help.sap.com/doc/7c9e0bbbd1664c2581b2038a1c7ae4b3

Preparing for SAP Identity Management’s End-of-Maintenance in 2027

2024-02-06T10:43:55.073000+01:00

Maintenance for SAP Identity Management (SAP IDM), our on-premises tool for managing the identity lifecycle, will end in 2027. Extended maintenance will be available until 2030. This extension is intended to give your organization ample time to plan and execute a well-considered migration strategy.

There are several topics for SAP IDM customers to consider.

SAP Cloud Identity Services are the center point of SAP’s IAM strategy, relying on widely established industry standards such as Security Assertion Markup Language (SAML), OpenID Connect (OIDC), X.509 certificates and System for Cross-Domain Identity Management (SCIM). Their focus is to simplify system integration and help ensure security and compliance while providing a seamless user experience.

With SAP Cloud Identity Services it is easy to integrate SAP Cloud applications with an existing IAM system infrastructure. SAP Cloud Identity Services provides a central integration point that enables a single one-time integration to support extended partner identity scenarios for SAP Cloud solutions.

You can find more details in the System Integration Guide for SAP Cloud Identity Services.

Furthermore, recognizing the importance of seamless integration within the identity and access management landscape, SAP is committed to further enhance SAP Cloud Identity Services and SAP Cloud Identity Access Governance. These enhancements are designed to facilitate integration with other partner identity management solutions, like Microsoft Entra ID, that provide a comprehensive approach to enterprise-wide identity and access scenarios.

Microsoft and SAP are actively collaborating to develop guidance that enables customers to migrate their identity management scenarios from SAP Identity Management to Microsoft Entra ID. Microsoft Entra ID offers a universal identity platform that provides your people, partners, and customers with a single identity to access applications and collaborate from any platform and device. This work and partnership are in progress; stay tuned for updates and blogs with details about our collaboration efforts

2024 SAP Cloud Identity Services & IAM Portfolio: What’s New?

2024-02-28T19:10:38.504000+01:00

This blog explores the latest 2024 updates in SAP's Identity and Access Management (IAM) portfolio derived from various early 2024 SAP events, particularly focusing on SAP Cloud Identity Services (SCI).

IAM 101: Identity Lifecycle, Authorization, and Authentication

In simple terms, Identity and Access Management (IAM) revolves around three core aspects:

Identity Lifecycle: This encompasses the journey of user identities within a system, from creation to deletion.
Authorization: Determining what actions users are allowed to perform within a system.
Authentication: Ensuring that users are who they claim to be when accessing applications or services.

Identity Access Management Portfolio by SAP

SAP offers a Identity Access Management (IAM) portfolio that caters to both on-premises and public cloud solutions. Let's delve into each category - Identity Lifecycle, Authentication, and Authorization - highlighting the different components within SAP's Cloud Identity Services (SCI) suite.

Source SAP SE: Image from the SAP presentation showcased at the DSAG Technology Days 2024 in Hamburg

Identity Lifecycle Management

For managing the lifecycle of identities, SAP provides several solutions:

Identity Provisioning: Part of SCI. Facilitates seamless creation and management of user identities.
Identity Directory: Part of SCI. Serves as a centralized repository for user and group information.
SAP Identity Management: An on-premises product ensuring robust identity lifecycle management unitl the end of 2027/2030.

Authentication Solutions

SAP's authentication solutions ensure secure access to applications and services:

Identity Authentication: Part of SCI. Provides seamless and secure authentication for users across applications.
SAP Single Sign-On 3.0: An on-premises product offering single sign-on capabilities until the end of 2027.
Secure Login Service: A standout addition to SAP's IAM lineup is the SAP Secure Login Service, heralded as the new star in the SAP Single Sign-On horizon. This service promises enhanced security and user experience in single sign-on scenarios.

Want to know more? Read here: https://community.sap.com/t5/technology-blogs-by-members/exploring-sap-secure-login-service-for-sap-gui-a-comprehensive-review/ba-p/13573382

Authorization Management

Authorization management is crucial for defining user permissions and access control:

SAP Cloud Identity Access Governance: Symbiotically linked with SCI, it offers comprehensive authorization management and access governance.
Authorization Management of SAP Cloud Identity Services: Streamlines authorization management for developers on SAP BTP. Define access policies with specified conditions, easily adjustable by administrators post-deployment. This centralizes access control, mitigating complexity and ensuring precise authorization levels.

Want to know more? Read here: https://community.sap.com/t5/technology-blogs-by-sap/sap-btp-innobytes-january-2024/ba-p/13584601

SAP Access Control: An on-premises product offering that enables organizations to control access and prevent fraud across the enterprise, while minimizing the time and cost of compliance. An upcoming version (release 2026) will further enhance authorization capabilities within SAP's IAM portfolio.

While SAP's IAM portfolio boasts a comprehensive suite of solutions, it's worth noting that the SAP Customer Data Cloud is beyond the scope of this discussion due to the author's limited experience with it.

SAP Cloud Identity Services

Short Overview

SAP Cloud Identity Services (SCI) offer a suite of components tailored to address various facets of IAM:

Identity Provisioning: Streamlining the process of creating and managing user identities.
Identity Directory: Serving as a centralized repository for storing and accessing user and group information.
Authorization Management: Facilitating the assignment and management of user permissions.
Identity Authentication: Ensuring secure and seamless user authentication across applications.

Key Features of SCI

Predefined Connectivity and Bundling: SCI seamlessly integrates with SAP cloud solutions, providing out-of-the-box configuration for user provisioning and authentication.
Automated Service Enablement: Identity Services are automatically enabled as part of the product delivery process, simplifying setup for customers.
Default Pre-Configuration: SAP cloud solutions come pre-configured with Identity Services, catering to common scenarios without the need for separate licensing.

Source SAP SE: Image from the SAP presentation showcased at the DSAG Technology Days 2024 in Hamburg

Long story? Read here: https://xiting.com/en/downloads/download-sap-cloud-identity-services-e-book/

Cross-Enterprise Access Governance

Cross-enterprise identity management and access governance integration is set to be streamlined with the integration of Microsoft Entra ID and Microsoft Entra ID Governance alongside SAP Cloud Identity services and SAP Cloud Identity Access Governance. This integration will empower organizations to achieve single sign-on and provisioning capabilities across a range of SAP business applications, including SAP S/4HANA Public Cloud, SAP Ariba, SAP Concur, and SAP SuccessFactors. Furthermore, the linkage between Microsoft Entra ID and Microsoft Entra ID Governance with SAP Cloud Identity Access Governance will enable cohesive identity and access risk assessments, alongside monitoring and management of compliance controls.

Source SAP SE: Image from the SAP presentation showcased at the DSAG Technology Days 2024 in Hamburg

Identity Lifecycle Management with SCI

SAP Cloud Identity Services facilitates efficient management of the employee lifecycle, from onboarding to offboarding, ensuring smooth transitions and access management throughout.

It plays a key role by centralizing Identity Access Management. They collect the derived identities and act as a single source of truth. The Identity Directory and Identity Provisioning components of SAP Cloud Identity Services work together to manage identities efficiently across systems.

Identity Directory: Centralized User Management

The Identity Directory serves as a central repository for user and group information, accessible via APIs and admin UI, simplifying connectivity and integration with SAP SaaS applications. It provides a System for Cross-domain Identity Management (SCIM) 2.0 REST API for managing resources (users, groups and custom schemas) with a set of attributes. Those attributes are defined in the SCIM 2.0 Core schema and the Enterprise user resource schema. Custom attributes are supported through a schema extension.

Identity Provisioning

Transformation Engine

Identity Provisioning Connectors play a crucial role in the Identity Lifecycle process. These connectors come in various types, including Source System Connectors, Target System Connectors, and Proxy System Connectors. They enable seamless integration between different systems, allowing for the provisioning and authentication of users.

The Identity Provisioning transformation engine offers several powerful capabilities:

Assignment: Users can define rules for assignments based on input data. For instance, organizations can use the value of an identity's organizational unit to determine the roles required for that user.
Mapping between identity models: The engine facilitates mapping between attributes in different models. For example, it can map the surname attribute to the family name attribute. Additionally, it allows for adjustments to data formats, such as converting time or number formats as needed.
Filtering: Organizations can specify detailed criteria for determining which objects should be read or written. This enables fine-grained control over data synchronization and provisioning processes, ensuring that only relevant information is transferred between systems.

Various types of connectors to facilitate seamless integration

Source System Connectors: These connectors enable the extraction of user data from source systems, such as SAP Cloud solutions, on-premise solutions, and third-party solutions.
Target System Connectors: These connectors facilitate the transfer of user data to target systems, including SAP Cloud solutions, on-premise solutions, and third-party solutions.
Proxy System Connectors: These connectors act as intermediaries between source and target systems, ensuring smooth data transfer and integration.

With support for over 20 SAP Cloud solutions, on-premise solutions, and third-party solutions, Identity Provisioning Connectors offer out-of-the-box configuration for user provisioning and authentication. This ensures quick and easy setup for organizations, enabling efficient management of user identities across diverse systems.

Authorization Management

Authorization plays a crucial role in ensuring secure access to applications and resources. Here's how SAP addresses authorization management:

Internal Authorization Definition: Many applications define authorizations internally, tailored to their specific domain requirements.
Central User Assignment: SAP Cloud Identity Services centralizes user assignment to roles and groups, streamlining access management.
Authorization Management Service (AMS): This "new" service provides centralized management of end-user authorizations for applications on the SAP Business Technology Platform. AMS integrates seamlessly with SAP Cloud Identity Services, allowing for configuration and assignment of policies directly from the administration console.
Policy Assignment: In SAP Cloud Identity, each policy corresponds to a group in the identity directory. Policies can be assigned to users by making them members of the respective policy group. Customers have the flexibility to assign SAP-provided or custom policies to users using the user-friendly UIs in the SAP Cloud Identity console or programmatically via the SCIM API of the Identity Directory.

Source SAP SE: Image from the SAP presentation showcased at the DSAG Technology Days 2024 in Hamburg

Identity Access Governance

SAP Cloud Identity Access Governance (IAG) is already widely recognized, offering a comprehensive suite of features aimed at enhancing security and compliance.

Key Features:

Privileged Access Management: Enables the management of super-user access, log consolidation, and automated log assessment to ensure stringent security measures.
Access Certification: Facilitates the review of access, roles, risks, and mitigation controls to maintain compliance with regulatory standards.
Access Analysis: Provides tools to analyze access, refine user assignments, and manage controls effectively.
Access Request: Optimizes access by streamlining workflows, policy-based assignment, and processes to ensure efficient access provisioning.
Role Design: Allows organizations to optimize role definition and governance processes, enhancing overall security posture.

Moreover, SAP Cloud Identity Access Governance offers HR-driven identity lifecycle management by integrating with SAP SuccessFactors. This integration enables automatic access requests triggered by changes in employee status within the HR system. The IAG Bridge Cloud facilitates the creation of access requests for cloud applications, with risk analysis and provisioning handled by SAP Cloud Identity Access Governance.

API-based integrations further enhance flexibility, allowing external applications to submit requests to SAP Cloud Identity Access Governance for processing. This enables efficient access provisioning and deprovisioning based on approval processes, with the option to retrieve request status periodically.

With support for over 16 SAP Cloud solutions, on-premises solutions, and third-party solutions, SAP Cloud Identity Access Governance provides a robust platform for organizations to maintain security, compliance, and efficient access management across their IT environment.

Authentication

Authentication within SAP's ecosystem is facilitated through SAP Cloud Identity Services, serving as the interface for Identity Access Management. Here's how authentication in the overall hybrid SAP landscape idealy works:

SAP Cloud Identity Services: This platform acts as the primary hub for authentication. SAP applications inherently trust SAP Cloud Identity Services for identity authentication, ensuring a secure login process.
User Interaction: Users have the flexibility to interact with either Identity Authentication provided by SAP Cloud Identity Services or third-party Identity Providers. Regardless of the chosen method, users benefit from Single Sign-On capabilities, enhancing user experience and simplifying access to multiple applications.
Integration with SAP GUI: SAP GUI seamlessly integrates with short-term X.509 certificates from SAP Secure Login Service, further enhancing authentication security supporting MFA within SAP environments.

Source SAP SE: Image from the SAP presentation showcased at the DSAG Technology Days 2024 in Hamburg

Short Comparative Note: SAP Secure Login Service (SLS) for SAP GUI versus SAP Single Sign-On (SSO) 3.0. While SAP Single Sign-On 3.0 remains a viable solution for certain use cases, the emerging preference leans towards the new SLS for SAP GUI for most scenarios. The rationale behind this shift lies in the fact that SSO relies on capabilities like multi-factor authentication and CLM (Certificate Lifecycyle Management with NDES CA-Integration) on SAP NetWeaver Application Server Java, which is scheduled to exit mainstream maintenance by the end of 2027.

Source SAP SE: Image from SAP

Contrarily, the new SLS does not depend on SAP NetWeaver AS Java; instead, it leverages a cloud-based service. It emphasizes seamless integration with cloud-centric identity providers, such as SAP Cloud Identity Services – Identity Authentication. Furthermore, it is offered as a cloud subscription, aligning with the contemporary preferences of software licensing among customers. However, it is important to note that currently, some features are still missing in direct comparison with the SAP SSO 3.0 Suite.

Principal Propagation: SAP Cloud Identity Services facilitates principal propagation between applications, ensuring consistent authentication across various systems and enhancing interoperability.

Upcoming Developments and Enhancements

Upcoming: Simplified Principal Propagation for Authentication

SCI will act as a central token service, reducing complexity in system-to-system calls and enhancing trust between applications. In an upcoming development, SAP Cloud Identity Services is poised to introduce a significant enhancement aimed at simplifying principal propagation for authentication. Here's what to expect:

Central Token Service: SAP Cloud Identity Services will transition into a central token service, streamlining the process of system-to-system calls. This move aims to reduce complexity and enhance efficiency in authentication workflows.
Token Request Flow: When a sender application needs to call an API of the receiver application on behalf of the current user, it will request a token from Identity Authentication within SAP Cloud Identity Services.
Trust in Tokens: SAP applications, along with third-party applications, will trust tokens issued by SAP Cloud Identity Services for API calls. This trust ensures secure and seamless communication between applications, regardless of their origin.

Source SAP SE: Image from the SAP presentation showcased at the DSAG Technology Days 2024 in Hamburg

SCIM & SAP: Updates for Improved Enterprise Readiness

SAP is working on enhancements to the SCIM protocol, including cursor-based pagination and additional schema support, to enhance user assignment processes and enterprise readiness.

Here's an overview of the recent developments:

SCIM Adoption: SAP initially adopted SCIM as a product standard with the Identity Provisioning Service (IPS). SCIM2 was subsequently designated as the primary user and group replication protocol for SAP applications, outlining the implementation guidelines.
SCIM User Lifecycle: SCIM includes the "active" flag to control authentication and app interactions. It mandates responding to GET requests after a DELETE request with no result. Applications have the autonomy to set users to a blocked status or create new user records as needed.
Enterprise Readiness: SAP identified areas for improving SCIM's enterprise readiness, including the lack of delta-read processes and index-based pagination. To address these concerns, SAP is working on implementing cursor-based pagination for entities like Users and Groups, as well as multi-valued attributes.
SCIM Groups and Schema Enhancements: SAP envisions SCIM Groups as the primary method for user assignments, offering transparent concepts for SCIM clients. SAP's group schemas introduce additional capabilities, such as defining group types and supported operations, providing more precise operations for SCIM clients.
SAP User Extensions: SAP plans to introduce additional user extensions for business attributes derived from the One Domain Model (ODM). This extension aims to enable applications to create users with related business attributes. The schema will support legacy approaches and integration scenarios with the Master Data Integration Service.

Source SAP SE: Image from the SAP presentation showcased at the DSAG Technology Days 2024 in Hamburg

SAP Cloud Identity Services continue to evolve, offering comprehensive IAM solutions for businesses. With features such as predefined connectivity, automated service enablement, and upcoming enhancements, SAP remains innovative, ensuring secure and efficient identity and access management for its customers.

Safeguarding Data Privacy in KSA - Leveraging SAP to navigate NDMO’s Regulations in Digital Era

2024-03-28T12:05:30.971000+01:00

Blog v1.0 | Published On: 28 March 2024

Authors: @asadkhan02 , @AyeshaSafeer , @Zainab_ASalam

_________________________________________

In today's digital era, data privacy is a crucial issue for both individuals and organizations. The Saudi National Data Management Office (NDMO), in partnership with the Saudi Data and Artificial Intelligence Authority (SDAIA), has introduced stringent Data Governance and Personal Data Protection Standards. These regulations mandate all organizations operating across various industries in the Kingdom of Saudi Arabia comply by September 2024.

Failure to comply with these regulations can result in hefty financial fines reaching SAR 3 million or higher in some cases, reputational damage, legal consequences, and loss of trust among customers and partners.

To ensure compliance with these new regulations, organizations are encouraged to implement processes aligned with the 15 domains outlined by the NDMO for Data Governance and Personal Data Protection Standards. Leveraging technology as an enabler, organizations can implement robust data privacy measures and effectively meet these requirements.

Top 5 Areas part of 15 Domains outlined by NDMO for Data Governance and Personal Data Protection Standards

SAP, a global leader in enterprise software, provides advanced technologies with artificial intelligence (AI) capabilities that provide a solid foundation for organizations to implement data governance and personal data protection processes. SAP solutions enable Saudi organizations to efficiently navigate and fulfill regulatory requirements:

By implementing SAP solutions, Saudi organizations can empower their data privacy practices, mitigate compliance risks, and build trust among stakeholders. SAP technologies uphold data integrity, safeguard personal information, offer the framework for regulatory compliance implementation, and adapt to the demands of the digital age.

As a team at SAP, we are committed to supporting organizations in achieving their regulatory compliance initiatives. We invite you to take the next step by exploring how our technologies and solutions can assist you on this journey.

Contact us today to learn more about how SAP can help you navigate the complex landscape of data privacy regulations in Saudi Arabia and ensure compliance.

Integrating IBM Security Verify with SAP Cloud Identity Services in SAP BTP

2024-04-02T10:29:43.856000+02:00

This blog delves into the technical aspects of integrating IBM Security Verify with SAP Cloud Identity Services (CIS) in SAP Business Technology Platform (BTP) as a proxy.

SAP CIS offers a suite of solutions for managing user identities, access controls, and application integrations across the IT landscape. Conversely, IBM Security Verify provides identity governance, workforce and Customer Identity Access Management (CIAM), and privileged account controls through automated, cloud-based, and on-premises capabilities. By integrating these platforms, organisations can leverage their combined strengths to establish a secure business environment. This integration enhances operational control, regulatory compliance, and user experience in the digital era.

IBM Security Verify supports various authentication methods, including passwordless, fingerprints, and one-time passcodes, ensuring flexibility and robustness against unauthorised access. Meanwhile, SAP Cloud Identity Services serves as a comprehensive Identity and Access Management solution which is available in SAP BTP.

The integration process involves configuration updates in SAP CIS and IBM Security Verify to enable authentication utilising standard protocols supported by both components, such as SAML 2.0. Organisations must ensure they have the necessary admin privileges or access rights for editing configurations before initiating the integration procedure. Collaboration between the organisation and SAP is required for the integration, with most of the effort undertaken by the organisation.

Reference Architecture

The diagram represents a SAP Cloud Identity Service that integrates with IBM Security Verify though which various SAP BTP application(s), SAP SaaS solution(s) and on-premises application(s) can be accessed. It demonstrates user sign-in via IBM Security Verify which allow possible passwordless, bio-metric or multi-factor authentication (MFA) using mobile devices for fast application access and pleasing user-experience.

Prerequisites

SAP Cloud Identity Services(for trial instance check this link)
IBM Security Verify (for trial instance check this link)
A smartphone with IBM Security Verify App

Configurations and Settings in IBM Security Verify

When a user logs in, home screen as shown below will be displayed.

Now on the left panel, click on "Applications" under "Applications". On the right side of the screen, there is an “Add application” button. Click on it.

Fill the necessary details under “General” section as below and save the details.

Before we go further, let’s log into SAP BTP account and you will be navigated on SAP BTP Cockpit. As suggested below, navigate to the “Instances and Subscriptions” tab, which is under “Services”.

Upload the metadata file which you have recently saved on your device to IBM Verify dashboard

Configurations and Settings in SAP Cloud Identity Services

Now, get back to SAP BTP and navigate to “Instances and Subscriptions.”

Now, enable the “Cloud Identity Services” if it’s not and once done it will be accessible as below:

Once you click on “Cloud Identity Services”, you will be redirected to the login screen of the SAP authentication screen as shown below

After successful login, you can see the home screen of Cloud identity service. Go to the “Identity Providers” as highlighted below

Click on the Corporate Identity providers and create new identity provider

Once the new identity provider is added successfully, click on the identity provider type and select SAML 2.0 compliant as shown below

Go to the SAML configuration section and fill in the information as shown below.

You can browse the “Metadata” file from your device once you download it from IBM Security Verify dashboard. Go to “Sign on” section of the application and on the right side of the screen, download the file from the given URL and upload the same in SAP Cloud Identity Service as highlighted below:

Click on the Trusting application section and add SAP BTP trial sub-account.

Now, navigate back to SAP BTP cockpit and establish the trust configuration which is under “Security” section for the cloud identity application as shown in the below screenshots.

Select “Establish Trust”

You will see the below steps once you click on establish trust. As a first step, choose tenant and click on next.

After selecting a tenant in the next step choose the domain for your SAP Cloud identity services application.

Click on the next button and configure parameters as shown in below screenshot.

Click on the next button and make a final review of the setup you have done while establishing the trust. Then click on the finish button and save the details.

Once done, you can see the new active trust configuration as shown below.

To provide access to the user, click on the Users section which is inside the “Security” section on the left menu.

Click on the user and assign role collection to the user as shown below.

You can select different roles and assign them to the user. Here we have added three roles to the user. After selecting all the roles, click on the “Assign role collection” button and save the details.

We have completed the configurations in IBM Security Verify and SAP Cloud Identity Services. Let’s test it now by opening the SAP business studio application as shown below.

How does it work? Let’s Check.

Log into SAP BTP Cockpit and Navigate to “Instances and Subscriptions” under “Services” as highlighted below:

It will redirect to the sign in options screen of the SAP. Here, select SAP cloud identity service as an identity provider.

Once you select, it will redirect to the verify sign in option screen for a authentication. Here you can select a different sign in option for Verify or can log in with IBM id/Cloud directory.

Enter your IBMid for log in and click the continue button.

It will redirect you for w3 authentication screen where you can enter your w3 id & password.

Once you click on sign in, you will see below screen of SAP business application studio.

Click on the “OK” button and you will be redirected to the SAP Business Application Studio home screen.

Conclusion

To summarise, combining IBM Security Verify with SAP Cloud Identity Services via SAML 2.0 provides a strong solution for organisations wishing to:

Enhance security: By implementing multi-factor authentication and centralised user management, businesses may greatly minimise the risk of unauthorised access to vital data and applications.

Improve the user experience: SAML 2.0 integration offers single sign-on, which allows users to access various applications with a single login, eliminating login fatigue and increasing overall user experience.

Simplify identity management: Consolidating identity management across several platforms allows organisations to streamline administration operations and reduce the complexity of managing user access.

Overall, this integration enables organisations to achieve a balance between strong security and a user-friendly interface, building trust and confidence in this digital era.

Streamlining User Provisioning from IBM Verify to SAP Cloud Identity Services

2024-05-08T12:57:02.652000+02:00

SAP Cloud Identity Services (CIS), part of SAP BTP, can be used to integrate Identity Access Management (IAM). In our last blog, we discussed the integration of SAP Cloud Identity Services (CIS) with IBM Security Verify, and now we're taking the next step in this integration. User provisioning is the process of setting up new user accounts in a system or application. In this blog, we will explore a common use case - - transitioning user provisioning from IBM Verify to SAP Cloud Identity Services, and how this transition can streamline operations and enhance security.

The Challenge of User Provisioning

User provisioning is the process of granting and controlling access to resources within an organisation’s information technology infrastructure. Historically, on-boarding or off-boarding users has been a laborious and time-consuming procedure that frequently required numerous processes across multiple systems. As businesses embrace cloud solutions, the complexity of user provisioning has grown, necessitating automated and integrated approaches.

Transitioning from IBM Verify to SAP Cloud Identity Services

IBM Verify is a comprehensive identity and access management system that includes multi-factor authentication (MFA) and adaptive access control, while SAP Cloud Identity Services offers identity lifecycle management, single sign-on (SSO), and access governance features. Integrating these two systems can help organisations automate and streamline user provisioning operations, while also improving security and user experience.

How does it work?

The diagram shows that IBM Security Verify acts as a central user management system. It creates user accounts and manages their attributes, and also provisions them (or creates them) in SAP Cloud Identity Services, potentially syncing relevant user attributes. Selected attributes from Verify are mapped to specific target attributes in SAP Cloud Identity Services, ensuring consistent user information across both systems. SCIM, a standardised protocol, enables communication between Verify and SAP Cloud Identity Services. On the left side of the diagram, IBM Security Verify acts as a SCIM server, receiving requests for user management and then modifying the target directory as needed. This streamlines user creation and ensures consistent user information across both systems.

Prerequisites

SAP Cloud Identity Services (for trial instance check this link)
IBM Security Verify (for trial instance check this link)
A smartphone with IBM Security Verify App

Configurations and Settings in IBM Security Verify and SAP Cloud Identity Services

Log into IBM Security Verify as an administrator

When a user logs in, the home screen as shown below will be displayed.

On the left panel, click on "Applications" under "Applications". On the right side of the screen, there is an “Add application” button. Click on it.

Fill in the necessary details under “General” section as below and save the details.

Before we go further, let’s log into SAP BTP account and you will be navigated on SAP BTP Cockpit. As suggested below, navigate to the “Instances and Subscriptions” tab which is under “Services.”

You have to enable the cloud identity services application.

Once enabled, it will look as below. Now, click on Cloud Identity Services application and you will be redirected to the login screen of the SAP authentication screen as shown below.

After a successful login, you can see the home screen of Cloud identity Services. Go to the “Identity Providers” as highlighted below :

Click on the Corporate Identity providers and create new identity provider.

Once the new identity provider is successfully added, click on the identity provider type and select SAML 2.0 compliant, as shown below:

Go to the SAML configuration section and fill in the information as shown below:

You can browse the “Metadata” file from your device once you download it from IBM Security Verify dashboard. Go to the “Sign on” section of the application and on the right side of the screen, download the file from the given URL and upload the same in SAP Cloud Identity Services as highlighted below:

Click on the Trusting application section and add SAP BTP trial subaccount.

Establish the trust configuration, which is under the “Security” section for the cloud identity application as shown in the below screenshots.

You will see the below steps once you click on establish trust. In the first step, choose tenant and click on the next.

After selecting a tenant, choose domain for your SAP Cloud Identity Services application.

Click on the next button and configure parameters as shown in the below screenshot.

Click on the next button and review the setup that you have done while establishing the trust. Finally, click on the finish button and save the details.

Once done, you can see the trust new active trust configuration as shown below:

Now go back to IBM Security Verify and click on “Sign-on” section, then select “Use metadata” checkbox. It will allow us to upload the metadata file which we have downloaded from SAP BTP as shown below:

Upload the metadata file which you have recently saved on your device to IBM Verify dashboard.

Now go to the “Account lifecycle” tab and add SCIM URL, Username and password detail as shown in below image. You can get all the details from SAP Cloud Identity Services application page.

To get SCIM URL, go to SAP CIS and get the URL details from the browser and add “SCIM” at the end of URL.

After adding the above details, scroll down and you can see “Attribute mapping” section. Click on the checkbox for which attribute you want to map from IBM Verify to SAP CIS and want to keep updated. Here we have checked email. Save this detail once changes are completed.

We have completed the configurations in IBM Security Verify and SAP Cloud Identity Services. Let’s add user with attribute into Verify and check if it is mapped to Cloud Identity Users dashboard.

Go to the Users tab under the “Directory” section on the left side of the verify dashboard and click on the “Add User” button as shown in below screenshot.

Fill out the necessary information for the user as mentioned in the below image and click on the “Save” user tab.

Scroll down and you can add more detail about the user. Here we have added an email ID, mobile number and user company details.

Once done, click on the Save button and the user detail will be saved.

Open the Cloud Identity Services application and go to the user section to check whether the newly-created user from Verify is mapped.

Click on the “Instance and subscription” section from the “Services” section on the left menu, and once the application list is shown, click on the Cloud Identity Services application as shown below.

When the new application is loaded, click on the “User Management” tile and all the user list will be displayed.

As you can see in the below screenshot, a new user is created, which is added from Verify and mapped into SAP Cloud Identity Services. Also, the user detail is mapped into Cloud Identity Services.

Conclusion

Effective user provisioning is critical to maintaining security, compliance, and operational efficiency. Centralising identity management, improving security, and streamlining administration activities enables organisations to successfully manage user identities and access controls across their entire IT infrastructure. Embracing integrated identity management solutions is more than just convenient - - it is a strategic need for businesses looking to flourish in an increasingly linked and security-conscious environment.

More information:

Refer to our another blog on SAP Cloud Identity Service integration with IBM Security Verify.

If you have any question or query about SAP BTP please refer to SAP Community and for any question or query about IBM Security Verify refer to IBM Security Verify Community

Identity Access Management (IAM) Reference Architectures 2024

2024-05-10T17:20:21.397000+02:00

Identity Access Management Reference Architectures in 2024

We are happy to share with you that we just released an update to our reference architectures (2024 version).

The latest version is published in SAP Discovery Center along with further links to our documentation and to related missions. We want to support you trying out easily what we describe.

If you are new to this topic, consider reading my older blog post about Cloud leading Identity Lifecycle from 2021. The 1st chapter is still valid to start with - although it's 3 years old 🙂

We have an updated version of the SAP Secure Operations Map which allows you to verify your security requirements and map them to the regional requirements like NIST or BSI.
The Secure Operations Map contains in the application layer the three main IAM pillars that are now described in the SAP Discovery Center:

Authentication flows

Authorization flows as part of the identity lifecycle

Identity Lifecycle flows

Please read them and we can use this community to discuss.

If you want to know more about the SAP Cloud Identity Services I recommend this blog post.

PS: Yes, we are already working on an integrated architecture which considers SAP Access Control - but we need a bit more time.

[SSO] [SF] (Single Sign-On) for SAP SuccessFactors

2024-05-11T06:44:44.370000+02:00

IAS Tenant preparation: Log onto Identity Authentication service

Navigate to Identity provisioning > Source > Properties > sf.user.filter make it (active eq "true")
Navigate to Identity provisioning > Source > Outbound Certificates and make sure that the certificate is valid, if not generate a new one and delete the old one and activate the automatic generation
Go to Identity provisioning > Target > Outbound Certificates and make sure that the certificate is valid, if not generate a new one and delete the old one and activate the automatic generation

Note: If the IAS tenant links were not provided from SAP, you can activate from the Upgrade Center, and after completing the configuration, testing and activation will be done again from the Upgrade Center

Created trust between Azure Active Directory and Identity Authentication service

Step 1: Download Identity Authentication service tenant metadata

Navigate to Applications and resources > Tenant Setting > Single Sign-On > SAML 2.0 Configuration and download the IAS Meta data file

Download the metadata file.

Step 2: Create enterprise application in Azure Active Directory

Navigate to the Enterprise applications, Click New application.

Azure Active Directory has templates for a variety of applications, one of them is the SAP Cloud Platform Identity Authentication Service. Search for this and select it.

A new column on the right side will appear to give the application a name. Give the application a name and click Add.

Go to Single sign-on and select SAML as Single-Sign On method.

STEP 3: Upload the IAS tenant metadata file you get from the step 1

Select the application you just created, Click Upload metadata to upload the metadata file from Identity Authentication service.

All the details are now taken from the metadata file. There’s nothing to do for you other than saving the details. Therefore, click Save.

STEP 4: Download single sign-on metadata from Azure Active Directory

Download the federation metadata as shown below.

With this information we can setup the trust between Azure Active Directory and Identity Authentication service.

Step 5: Create corporate identity provider in IAS

Go back to IAS and navigate to Identity provider > Create > Microsoft ADFS / Entra AD (SAML 2.0) Type

STEP 6: Upload Azure Active Directory federation metadata file

Click SAML 2.0 Configuration and to upload the recently downloaded federation metadata from Azure Active Directory.

Choose the file from your local file system.

All fields below are automatically going to be filled due to the information provided through the uploaded file.

Click Save at the top of the page.

STEP 6: Add a new user in the Users and groups Microsoft Azure application

Go back to your overview of enterprise applications in Microsoft Azure AD and click your application. Add a new user by clicking Add user in the Users and groups submenu, as shown on the screenshot.

By hitting the result tile, you select the user, which should appear under Selected members panel. Finish your user assignment with clicks on Select and Assign.

Congrats Now you created trust between Azure Active Directory and Identity Authentication service.

IAS Tenant Final Preparation:

Navigate to Identity provisioning > Source > Jobs and run now read job to get all users from SF then schedule the job for future new hires.

Navigate to Applications and resources > Applications > SuccessFactors > Conditional Authentication and create a rule for all domains you need it to access the system from the identity provider you created... this step will define the domains witch will access as SSO, any other domain will access from the default identity provider.

Set the Default Identity Provider as Identity Authentication.

Navigate to Identity provider > Identity Federation > switch On Use Identity Authentication user store and Switch On User Access

Now you can test and be sure that the user you are try to test with is already added to the SF tenant.

Hope you enjoy the process.

Thanks

Ahmed Aranda

SAP Community - SAP Cloud Identity Access Governance

SAP Cloud Identity Access Governance (IAG) integration with Identity Authentication Service (IAS)

Process Overview

1.Connect Identity Provisioning with IAG

2.Create Proxy System for IAS In the IPS

2.1) How to create a technical user in IAS?

2.2) Create a Proxy System

3.Create an instance for IAS in the IAG

4.Run the repository synch job to sync user data and provision access requests.

Conclusion

References

3 Ways CFOs can Capitalize on AI in Finance

How to Turn AI Potential into Reality for Finance Departments

1. Grow Efficiency with AI-infused Business Processes

2. Enable Business Foresight with AI-powered Predictive Insights

3. Enhance Security and Compliance with AI-powered policy enforcement

SAP IAG vs Access Control: Which one is right for me?

Access Request Service Configuration in SAP IAG for Target SAP S4Hana Private Cloud

Unleashing the Power of Cloud: A Fun Guide to Automating User Administration - SAP Best Practices Identity Lifecycle Service (IDLS) for SAP Cloud Identity Services (SCI)

Why You Should Jump On Board!

How This Magic Works:

Peek Into A Sample Spellbook:

Predefined Script Functions

patchValues

getValueByEntry

addUserToGroup

deleteUserFromGroup

deleteUser

deleteGroup

getGroups

Prerequisites

The Inside Scoop

How to handle “usernames”, “Global User IDs” and “external IDs” in your landscape?

What is the difference between these attributes and when to use them?

Best practices:

You can find more details in the links bellow:

The Added Value of a CDP (Part 2)

A Deeper Analysis of the Benefits of a Customer Data Platform

Customer-Centric Focus

Customer Use Cases

The Customer Journey

Data Security, Privacy, and Data Protection Regulations

Summary and Outlook

More about SAP CDP:

Monitoring the remote access from SAP on application-level (Part 3.8)

クラウド時代のSAPのIDとアクセス管理ソリューションのご紹介

ソリューションポートフォリオ

クラウドソリューション

SAP Cloud Identity Services

SAP Cloud Identity Services - Identity Provisioning

SAP Cloud Identity Services - Identity Authentication

SAP Cloud Identity Access Governance

SAP Secure Login Service for SAP GUI

オンプレミスソリューション

SAP Identity Management

SAP Access Control

SAP Single Sign-On

補足: SAP Identity Management の主な機能について

SAP Identity Managementとは?

SAP Identity Managementの差別化要因

SAP Identity Managementの利用シナリオ

(1) ユーザーによるロール（権限）割当申請のシナリオ

(2)人事プロセス主導のIDとロール割当のシナリオ（採用時）

SAP Identity Managementのコネクタ

Enhance your SAP experience with SAP approved GRC AC Experts through the Ask an Expert Peer channel

What is Ask an Expert Peer?

Ask an Expert Peer channel is available for which GRC Product Areas?

How to Access Ask an Expert Peer from SAP for ME?

Start using Ask an Expert Peer today for all your low to medium priority incidents.

Privileged Access Management in SAP S/4HANA Cloud: A Comprehensive Guide

Creating and Managing Campaigns in IAG - Access Certification Service

Governance, Risk, and Compliance (GRC) with SAP S/4HANA Cloud Public Edition 2402

Topics of Covered in this Blog

Expert Talk: Empower the Intelligent, Sustainable Enterprise with SAP Finance & Risk – 2023 Update

SAP Risk and Assurance Management (formerly known as SAP Financial Compliance Management)

Integrated Risk Management

Additional Assurance Activity Type in Control Management

Automated Grouping and Ungrouping of Issues

Preconfigured Internal Control Framework for Medium-Sized Companies

SAP Cloud Identity Access Governance

Start using Ask an Expert Peer today for all your low to medium
priority incidents.