SAP Community - SAP Cloud Identity Access Governance

how to provision assignments with validity date from SAP IPS to AS ABAP system

2025-06-30T16:22:41.595000+02:00

Hello Experts,

Has anyone been able to provision users to AS ABAP SAP System from IPS where the AS ABAP system is configured as an target or else as proxy system. what should be maintained in the transformation so that the connector can provision?

I am guessing this is the Function Module which we will be using ips connector uses to provision user assignments BAPI_USER_ACTGROUPS_ASSIGN.

I see this function module accepts validity dates for role assignments? but how to pass this in the write transformation logic?

currently in write transformation of proxy system below is the logic. As per my understanding for each role the user would be assigned? then how can be pass the validity dates for each role assignment? does the IPS support that?

{
        "sourcePath": "$.members[*].value",
        "preserveArrayWithSingleElement": true,
        "targetPath": "$.USERLIST[?(@.USERNAME)]",
        "optional": true,
        "functions": [
          {
            "type": "decode",
            "algorithm": "base32",
            "skipPadding": true
          },
          {
            "type": "toString",
            "applyOnElements": true
          }
        ]
      }

/Deva

Overwrite Role in Enable Now (IPS)

2025-06-30T19:08:37.399000+02:00

Hello Experts,

Users and groups from IAS are provisioned to Enable Now using IPS.

Groups (IAS) are converted to roles in Enable Now.

If roles with the same name already exist in Enable Now (created manually), can IPS overwrite these roles?

Many Thanks

Best Regards

Delete provisoned Rolles

2025-07-01T12:59:20.260000+02:00

Hello Experts,

we are using SAP IPS to provision groups from IAS to Enable Now. In Enable Now, the provisioned IAS groups are automatically converted into roles.

How can I delete these provisioned roles in Enable Now?
They were automatically created through provisioning from IAS and we want to remove some of them.
Is it possible to overwrite manually created roles with provisioned ones?
For example, we have a group called "Admins" in IAS and a manually created role with the same name "Admins" already exists in Enable Now.
Can the provisioning be configured in such a way that it does not create a new role in Enable Now but instead updates or takes the existing one?

Thank you in advance

Best regards

provisioning users to SAC directly from Entra ID

2025-07-10T14:33:23.170000+02:00

Dear community,

It´s possible enable access to SAP Analytics Cloud (SAC) stories using user group defined in Entra ID?

the data master for IAS is Entra ID since not all users managed by IAS are in SFSF, because there are applications in IAS that do not depend on SFSF.

Thanks

License model of IAG

2025-08-01T07:22:59.747000+02:00

can you please confirm if provisioning BTP/IAS/IPS via IAG access requests will incur Integration license of IAG or the Standard one.

IAG: how to select users to be sync

2025-09-16T09:25:34.518000+02:00

Hi all

Is there a way to control the number of users to be synced into IAG, from SAP S/4HANA Cloud, Public edition?

Currently the job does sync all users deployed in the application.

Thank you

GRC prod system provisioning to Prod and non prod systems

2025-09-23T19:48:55.048000+02:00

Hi Gurus,

Has anyone considered and managed / failed to setup GRC Prod environment to provision to all connected Prod and non prod systems through IAG/IAS prod tenants

Short story - GRC ARM request loaded with business role and IAG/IAS element would provision to both prod and non prod cloud apps.

Generative AI Powered IAM Business Role Augmentation (GAIRA)

2025-10-17T16:43:15.834000+02:00

Generative AI Powered IAM Business Role Augmentation (GAIRA) is a transformative concept for modern enterprises, shifting Identity and Access Management (IAM) from manual, reactive processes to a proactive, intelligent, and efficient system.

Limitations of traditional IAM include:

- Manual Provisioning: Managing user accounts and privileges can be time-consuming and error-prone, particularly in large organizations.
- Inflexible Security: Rule-based systems often lack the context needed to detect subtle, behavioral-based anomalies indicative of modern threats, such as insider risks.
- Compliance Burden: The manual nature of access reviews and audit trail generation drains resources and struggles to keep pace with regulatory changes.
- Subpar User Experience: Slow access request workflows can frustrate users and hinder productivity.

GAIRA addresses these challenges by integrating generative AI into the four pillars of IAM:

1. Adaptive Authentication
- Risk-Based Access: GAIRA enables continuous, risk-based authentication by analyzing user behavior, location, and device in real-time. For instance, a login attempt from an unusual location could trigger additional verification steps.
- Frictionless Security: This dynamic security approach balances convenience and trust, enhancing security without burdening trusted users.

2. Intelligent Authorization
- Automated Role Management: Generative AI analyzes historical access data and user roles to recommend optimal role assignments, significantly reducing manual effort and errors.
- Contextual Access Recommendations: For access requests needing approval, GAIRA provides context-rich insights based on peer-group comparisons and historical outcomes, facilitating faster, informed decisions.

3. Streamlined Administration
- Lifecycle Automation: GAIRA automates the entire user lifecycle, from onboarding to offboarding, dynamically assigning and removing access rights based on predefined policies and roles.
- Enhanced User Experience: Users can interact with the IAM system using natural language via conversational AI interfaces, improving productivity and reducing the burden on IT help desks.

IAG Access Request: creating a new user in ECC backend for an existing IAS user

2025-10-23T12:49:37.780000+02:00

Dear all,

As an IAG user I create a new request in AR, choosing as Access Type "Application" and then I choose the ECC onprem application we have integrated with IAG. My user doesn't exist in ECC yet. Then after the request has been approved, the Provisioning job fails because it tries to create the ECC user as "<First Name in IAS><space><Last Name in IAS> which of course fails. Is there any way to tell IAG to create the backend user with other name, for example the Display Name in IAG, or other value?

IAS Tenant

2025-11-04T16:31:28.468000+01:00

Hello Experts,

As far as I know, it was previously recommended to use the Test IAS tenant only for testing purposes (i.e. Sandbox), and to use the Productive IAS tenant for productive cloud applications as well as for development and test environments.

Previous recommendation:

IAS Test → Sandbox environments
IAS Prod → PROD, DEV, and QAS

My question to the community:

What is the current recommended approach?

Should this setup still be followed:

- IAS Test → Sandbox environments (only testing)
- IAS Prod → PROD, DEV, and QAS ( SAC PROD + SAC QAS)

Or does SAP now recommend a different model, for example:

IAS Test → for development and test environments
IAS Prod → only for PROD

I would like to make this decision for our landscape (e.g. SAC QAS & PROD) and would appreciate an up-to-date assessment of which option is currently considered Best Practice.

Thank you in advance

Best Regards

SAP Cloud Identity Access Governance License Counting Logic

2025-11-20T18:11:03.269000+01:00

For Expired Users in SAP ERP and SAP S/4HANA, they will not be counted for SAP Cloud Identity Access Governance License, right?

When a SAP S/4HANA User is deemed to be expired, will IAG automatically stop monitoring that user and will the license consumption be reduced by 1? Thanks.

Autopath in IAG is not working for PAM requests

2025-11-25T18:01:58.760000+01:00

Dear colleagues,

We have activated the rulesets in SAP IAG so when a user creates an access requests and chooses 'AUTO_APPROVAL' as request reason, the autopath workflow (no approvers required) is used.

This works fine for normal access requests, but if we request a PAM user, this message appears:

"PAM Assignment request cannot be auto approved. Please contact your IAG Administrator to correct the access request workflow configuration"

We have also tried with other different rule, which is based on the request type. In case it is 'PAM', the autopath is used. The behaviour is just like the one we have with the first case, same message.

Is there any way in SAP IAG to activate auto-approvals for Privileged Accesses?

Thank you

Francisco

Error: While connecting from SAP BTP Integration Suite to SAP S4 Cloud Odata

2025-11-30T19:42:29.722000+01:00

Hello Team,

I'm getting below error while connecting from SAP BTP Integration Suite Cloud to SAP S4 Cloud Odata service.

"com.sap.gateway.core.ip.component.odata.exception.OsciException: HTTP Request failed with error : <HOST>: No address associated with hostname, cause: java.net.UnknownHostException: <HOST>: No address associated with hostname"

Thanks and Regards,

Rajesh PS

FF SAP Public cloud

2025-12-08T16:48:15.179000+01:00

Hello,

I would like to know if it is possible to create and use Firefighter IDs in SAP Public Cloud, similar to how we do in the on-premise version. Additionally, is SAP Identity Access Governance (IAG) required for this functionality?
If this is not possible, what replaces or substitutes this concept in the SAP Public Cloud environment?

Thank you

SAP IAS Admin Console

2025-12-09T20:09:22.861000+01:00

Hello everyone,

What would be the best way to secure the SAP IAS Administration Console?

Is it a good idea to restrict access to a specific IP range (e.g. only the company network)? I’m concerned about locking myself out in case the IP address changes.

Or would it be better to implement 2FA for an admin group containing all admins? In that case, there’s also the risk of locking myself out.

I would appreciate your experiences and tips!

Many Thanks

Best Regards

SAP IAG Access Request Status audit logs

2026-01-06T17:33:18.916000+01:00

Seeking advisory guidance on SAP Cloud Identity Access Governance (8010452)

The IAG customer would like to generate a report that shows access requests approved by an individual user or their team members.

In addition, they would like to view audit logs within the Access Request Status app. Is it possible to enable this?

Currently, the available IAG reports are administrative reports that display all access requests and therefore cannot be shared with business users.

IAS Login Name dependencies

2026-01-14T14:56:45.075000+01:00

Hi everyone,

Quick question about the Login Name field in IAS:

Does it matter what I enter here? I often see an email address, but could I also use an employee ID or a short name?

Are there SAP applications or scenarios that require the "Login Name" to be a specific attribute (e.g. Email), or is the field completely flexible?

I want to avoid SSO issues with specific apps if the value is wrong. Does anyone have experience with dependencies for this field?

Many Thanks

Best Regards

IAG: Assign Mitigation Control at User level

2026-01-26T14:24:18.170000+01:00

Is Mitigation control assignment possible at User level. if so through which app is the same possible

Does Sap Cloud Identity Services (CIS) - IAS/IPS support position based security?

2026-01-30T14:48:03.146000+01:00

I am interested to know if the new age SAP Cloud Identity solutions suppor the position based security for S/4HANA (HCM on S/4HANA)?
I could not find any mention of this anywhere on sap help documentations.

IAG–S/4HANA User ID Mapping Requirement

2026-02-15T09:05:25.737000+01:00

I have requirement regarding an integration involving SAP Identity Access Governance (IAG), SAP Cloud Identity Services (IAS/IPS), and our on-premise SAP S/4HANA system.

We are currently provisioning users from Microsoft Entra ID into SAP Cloud Identity Services, where users will create and assigned P-User IDs. Once the User IDs created in CIS, We are maintaining “Login Name” as our required naming convention (XXYYZZNN) for S/4 HANA system.

As per SAP Recommendation we are creating user IDs as P user IDs in BTP-IAG Subaccount. However, our S/4HANA system requires user IDs to follow a specific internal naming convention (XXYYZZNN). We need guidance and confirmation on the recommended approach to ensure that:

1.SAP IAG provisions users into S/4HANA with our required naming convention (XXYYZZNN) instead of the IAS P-User ID.

2. Attribute mapping and transformation rules between IAS, IPS, IAG, and S/4HANA. We would appreciate assistance advising on the correct configuration steps for attribute mapping and user ID transformation within IAG.