This is the final part of a series of 3 blog posts about the reference architecture for Identity and Access Management scenarios.
In the previous blog posts, we described how you can use an Identity Provider in combination with SAP SuccessFactors to implement authentication and an HR driven user provisioning mechanism.
Both scenarios (Azure AD vs SAP IAS) offer what we call HR driven provisioning and are quite similar if you are focused on authentication and user provisioning only.
But when we talk about Identity and Access Management there are 5 main areas we need to consider:
- Authentication and SSO
- User provisioning
- Authorization and role management
- Access governance
- End-to-end master data integration
Therefore, a solution that only covers authentication and user provisioning will not be enough for modern cloud applications, let’s see why…
Modern cloud applications vs classic monolithic applications
Before we start to discuss complex authorization requirements, access governance and master data integration, we need to understand how modern software works.
In the past, we had SAP ERP and the SAP Business Suite. Most business processes were modular processes that were executed “inside” one of the SAP ERP modules (FI, MM, etc…).
Below you can see how the business process “F05 - Hire a new employee” was implemented with SAP ERP 6.0 EHP7.
SAP ERP HCM - Hire a new employee business process flow
By default, this process required no other SAP or non-SAP system, and therefore the HR users responsible for hiring new employees only needed access to 1 SAP ERP system.
Nowadays, companies have more complex and bigger business requirements. Building software to support these new requirements as a monolith made the software difficult to maintain, difficult to extend and difficult to scale.
The solution is not to develop bigger monoliths; the solution is to compose multiple smaller applications based on SOA or microservices architectural principles.
These composed applications are more granular, loosely coupled, use APIs to communicate, etc… The combination of these multiple apps and services allows companies to create composite applications that support their complex business requirements better.
The SAP Intelligent Suite offers an integrated suite of applications developed following the principles of modern cloud applications that support your end-to-end business processes.
The composability of business processes is a highly relevant topic for SAP customers, as there is no one-size-fits-all ERP system that meets all the industry-specific and functional requirements of each customer. The future is all about configuring and extending while keeping end-to-end consistency.
Let’s have a look at one of these E2E processes included in the Intelligent Suite, Recruit-to-Retire (R2R). This process is much bigger than the old HCM modular processes from SAP ERP.
"Recruit-to-Retire (R2R) helps you to understand, manage and optimize all aspects of your workforce (employees and external workers) in line with business objectives and with clear financial impact."
As you can see below, the solution map covers everything from planning to closing and runs across multiple SAP products and optionally across other non-SAP products. These E2E processes are composable and offer better granularity to replace parts of the process with different SAP and non-SAP applications:
Recruit to Retire - Solution Map
Depending on their business requirements, different customers can implement this process differently. There are multiple solution variants with different deployment models (on-prem, hybrid, cloud only) and different combinations of SAP and non-SAP products, so organizations can compose their own recruit-to-retire process according to their own specific requirements:
Recruit to Retire - Process Variants
To make things even more complicated, when provisioning users you need to understand the authorization technology of each target system, and the users must be created in each target system with the right authorizations based on their employee data.
Different applications have different types of authorizations. SAP S/4HANA authorizations are based on users and roles, but SAP SuccessFactors uses different objects, such as users and groups:
Authorization objects from different SAP and non-SAP products
Additionally, to enable real integration between different applications, you also need to replicate the “user context”, the master data of each user (Cost center, WBS, Company Code, etc…), to allow true end-to-end process workflows between different SAP (and non-SAP) applications. And this master data is also required to assign the right authorizations in the required target systems depending on the employee attributes:
End to End processes - master data integration
HR driven identity lifecycle management vs HR driven provisioning
HR driven provisioning is good enough when you are implementing multiple siloed applications that are loosely coupled and the users don’t really need to feel they are using only “one application”.
With Azure AD you can implement an end-to-end process composed of siloed applications “glued” together with a simple HR driven provisioning and a limited master data replication via some attributes that you can write back from Azure AD to SAP SuccessFactors. If you need a deeper integration, you can always use Microsoft Graph APIs and Azure AD Identity Governance to develop your own integration.
But SAP’s approach is more ambitious: SAP’s value proposition is based on the suite qualities of the Intelligent Suite. Implementing end-to-end processes over an integrated suite offers obvious advantages over independent siloed applications with different technology stacks:
Best of Breed vs Best of Suite - Suite Qualities
This deeper integration, the aligned domain models, the consistent security and identity management between the different SAP applications involved in the end-to-end processes enable additional capabilities like the SAP Central Task list or One workflow inbox:
SAP Task Center - one integrated inbox for all workflow tasks across multiple applications
Indeed, to enable real end-to-end processes, a stronger integration between the identity of the users and the master data of the employees is required. Employee attributes like the company code or the job position must be replicated across systems, but they should also be used to provide the right authorizations on the required target systems and to enable an access governance that establishes policies and controls when and how these users can access the systems:
Recruit-to-Retire - Data harmonization and identity lifecycle management
When we were talking about HR driven provisioning, we said that one of the weaknesses of this solution was that its main focus was authentication and user provisioning, and that this was not enough for modern composable applications and end-to-end processes.
By contrast, HR driven lifecycle management provides the same authentication capabilities but adds a better user provisioning, a real master data integration (not only some attribute writeback), and includes compliance checks and governance controls:
SAP HR Driven lifecycle management
This enables you to capture changes to the employment status in the HR system and to initiate access requests automatically through SAP IAG. The access request service converts the HR triggers to change requests, which are then provisioned via SAP IPS to the target applications (cloud and on-premise) with the right authorizations and roles based on business rules derived from the employee master data.
Like Azure AD Identity Governance or many other governance solutions, SAP Cloud Identity Access Governance (IAG) offers you tools to control privileged access to your systems, self-service access requests, analytics, etc...
But, in the context of building real end-to-end processes, SAP IAG offers you tools to optimize your governance and access control for your SAP applications:
- SAP IAG contains rulesets for SAP on-prem and SAP cloud applications (SAP Ariba, SAP SuccessFactors,...) to optimize the role definition, minimizing risks and guaranteeing the required Segregation of Duties (SoD) when assigning multiple roles to users.
- These rulesets and checks can be used to automate the approval workflows every time there is a change in the HR system.
SAP IAG - rulesets for SAP Ariba
Reference architecture for SAP HR driven identity lifecycle management
The HR driven lifecycle management reference architecture for the Intelligent Enterprise is based on the SAP One Domain Model used in the SAP Master Data Integration service, the usage of the SAP Cloud Identity Services (IAS and IPS) and SAP Cloud Identity Access Governance (IAG).
There are 2 main data flows in this architecture:
- Master data changes are routed and orchestrated via SAP Master Data Integration (MDI)
- Identity and access flows are routed via SAP Identity Authentication Service (IAS)
Any change in the workforce status or master data of internal employees (SAP SuccessFactors) and the external contingent workforce (SAP Fieldglass or 3rd party HR systems) is consolidated and routed via SAP MDI, and it is used via SAP IAS to initiate the identity provisioning and provide access to the required systems:
Reference Architecture - HR Driven identity lifecycle management
The integration with SAP IAG enables the creation of an "Access Request" for each HR event triggered from SAP SuccessFactors. These access requests can be approved automatically based on SoD rules or can require a manual manager's approval. Once approved, the role mapping is done via business rules based on the employee master data, and users are provisioned, changed or deleted in the target system(s) via the integration with the SAP IPS service.
For customers that want to safeguard their investments in on-premise IAM tools, like SAP GRC and/or SAP IDM, it is also possible to integrate SAP IAG with your on-premise SAP landscape and build a "cloud driven" Identity and Access Management as shown below:
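The following is an added example, not code from SAP or from the reference architecture itself. It works through the flow described above and in the earlier sections on authorization models: an HR event (hire, change, terminate) is turned into an access request, employee master data attributes (company code, cost center, job position) are mapped through business rules to the authorization objects of each target system (roles for S/4HANA, groups for SuccessFactors), the proposed assignments are checked against an SoD ruleset, the request is either auto-approved or held for manual approval, and finally a provisioning plan is produced per target system. Every rule, role name, group name, target-system name and the SoD conflict pair is a constructed placeholder for illustration; IAG and IPS use their own rulesets, data models and APIs.

```python
"""Added example (not SAP code): HR event -> access request -> rule-based
role mapping -> SoD check -> provisioning plan.
All rules, role names and target systems below are constructed placeholders."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class HrEvent(str, Enum):
    HIRE = "hire"
    CHANGE = "change"
    TERMINATE = "terminate"


@dataclass(frozen=True)
class Employee:
    """Subset of the employee master data replicated from the HR system."""
    user_id: str
    company_code: str
    cost_center: str
    job_position: str


@dataclass
class AccessRequest:
    employee: Employee
    event: HrEvent
    assignments: dict[str, set[str]]            # target system -> entitlements
    sod_violations: list[tuple[str, str, str]]  # (system, role_a, role_b)
    decision: str                               # auto-approved | needs-approval | deprovision


# Business rules (constructed): predicate over master data -> (target system, entitlement).
# Each target system has its own authorization objects: S/4HANA roles, SuccessFactors groups.
ROLE_RULES = [
    (lambda e: True,                                    "S4HANA",         "Z_EMPLOYEE_BASE"),
    (lambda e: True,                                    "SuccessFactors", "All Employees"),
    (lambda e: e.company_code == "1000",                "S4HANA",         "Z_FI_CC1000_DISPLAY"),
    (lambda e: e.job_position.startswith("Purchasing"), "S4HANA",         "Z_MM_PURCHASER"),
    (lambda e: "Manager" in e.job_position,             "S4HANA",         "Z_MM_PO_APPROVER"),
    (lambda e: "Manager" in e.job_position,             "SuccessFactors", "Managers"),
    (lambda e: e.cost_center.startswith("4"),           "Ariba",          "Procurement Requester"),
]

# SoD ruleset (constructed): pairs of entitlements that must not be held together.
SOD_RULESET = {
    "S4HANA": {frozenset({"Z_MM_PURCHASER", "Z_MM_PO_APPROVER"})},  # create PO vs approve PO
}


def map_roles(emp: Employee) -> dict[str, set[str]]:
    """Derive target-system entitlements from the employee's master data attributes."""
    assignments: dict[str, set[str]] = {}
    for predicate, system, entitlement in ROLE_RULES:
        if predicate(emp):
            assignments.setdefault(system, set()).add(entitlement)
    return assignments


def check_sod(assignments: dict[str, set[str]]) -> list[tuple[str, str, str]]:
    """Return every SoD conflict present in the proposed assignments."""
    violations = []
    for system, held in assignments.items():
        for pair in SOD_RULESET.get(system, ()):
            if pair <= held:
                a, b = sorted(pair)
                violations.append((system, a, b))
    return violations


def build_access_request(emp: Employee, event: HrEvent) -> AccessRequest:
    """Convert an HR trigger into an access request carrying an approval decision."""
    if event is HrEvent.TERMINATE:
        # Leaver: nothing to map; access in every known target system is withdrawn.
        return AccessRequest(emp, event, {}, [], "deprovision")
    assignments = map_roles(emp)
    violations = check_sod(assignments)
    decision = "needs-approval" if violations else "auto-approved"
    return AccessRequest(emp, event, assignments, violations, decision)


def provisioning_plan(req: AccessRequest) -> list[dict]:
    """Operations the provisioning service would push to each target system."""
    if req.decision == "needs-approval":
        return []  # held until a manager approves or the conflicting role is removed
    if req.decision == "deprovision":
        systems = {system for _, system, _ in ROLE_RULES}
        return [{"system": s, "op": "deactivate", "user": req.employee.user_id}
                for s in sorted(systems)]
    op = "create" if req.event is HrEvent.HIRE else "update"
    return [{"system": s, "op": op, "user": req.employee.user_id, "entitlements": sorted(roles)}
            for s, roles in sorted(req.assignments.items())]


if __name__ == "__main__":
    alice = Employee("alice", "1000", "4100", "Purchasing Manager")  # constructed input
    req = build_access_request(alice, HrEvent.HIRE)
    print(req.decision, req.sod_violations)
    print(provisioning_plan(build_access_request(alice, HrEvent.TERMINATE)))
```

The interesting case is the purchasing manager: the rules derive both the purchaser and the PO approver role from her job position, the SoD check flags the pair, and the request is held rather than provisioned, which is exactly the point of running the ruleset before the change reaches the target systems. A termination event produces deactivation in every target system regardless of attributes, so a leaver does not keep access in a system the role rules never touched.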
Reference Architecture - HR Driven identity lifecycle management - SAP GRC and/or SAP IDM integration
If you are looking for a detailed blueprint of how to set up this architecture, please have a look at the SAP API Business Hub -> Recruit-to-Retire
R2R - business process flow
Summary
In these 3 blog posts we have been talking about how customers can implement an IAM strategy and what the 5 main topics are to be considered when defining an IAM architecture:
- Authentication and SSO
- User provisioning
- Authorization and role management
- Access governance
- End-to-end master data integration
We saw that these topics can be grouped into 3 main types of solutions that customers can use to implement their IAM strategy:
- Basic SSO scenarios: for customers mainly interested in Authentication and SSO, with a very limited user provisioning provided via user sync from LDAP or AD.
- HR Driven user provisioning scenarios: a prepackaged integration of the IDP with the HR system that offers you authentication and user provisioning but cannot provide a complete role management or access governance solution. This prepackaged integration between the IDP and the HR system enables some attribute sync but can't sync all the master data required for end-to-end processes.
- SAP HR Driven lifecycle management: a fully integrated scenario that covers all the requirements (authentication, provisioning, role, access and master data integration) to enable true end-to-end processes and it's the foundation of the Intelligent Suite.
SSO vs HR driven provisioning vs HR driven lifecycle management
What is the best option for you? It really depends on your needs...
We see many customers looking for an agnostic IAM solution based on Microsoft or other 3rd party IDP tools like Okta. This approach is absolutely valid and will enable you to implement a strong IAM architecture, but it will require the development of ad-hoc integrations via Microsoft Graph, PowerShell, APIs... to go beyond multiple siloed applications glued together via an IDP like Azure AD.
On the other hand, for customers with a solid SAP footprint, the lack of a proper integration between the different SAP Cloud applications has been a pain point in the past. Many SAP customers complained and demanded a better SAP-to-SAP and SAP-to-Any integration. To address these gaps, SAP has designed the SAP Integration Plan in the Cloud. Many of these new end-to-end processes and business capabilities require the use of the SAP identity services (IAS, IPS, IAG,...), and it's perfectly possible (and recommended) to integrate these SAP Identity Services with your corporate IAM tools.
Brought to you by the SAP S/4HANA Customer Care and RIG