Spend Management Blog Posts by SAP
ElyasAhmed
Product and Topic Expert

In today’s digital age, safeguarding sensitive information and ensuring robust access governance have become paramount for organizations across all industries. The rapid adoption of cloud technologies and growing regulatory demands call for a sophisticated and dynamic approach to access management. SAP Cloud Identity Access Governance addresses these challenges with a comprehensive suite of tools to enhance security, ensure compliance, and optimize operational efficiency. The latest updates to SAP Cloud Identity Access Governance introduce a host of new features and improvements that help businesses manage access controls and identity governance.

Overview of New Features in SAP Cloud Identity Access Governance

1. Enhanced Security and Compliance with Fine-Grained Analysis for BTP Applications

This feature enables the synchronization of SAP BTP authorizations, allowing for comprehensive Segregation of Duties (SoD) analysis by extracting data-level authorizations for both application roles and individual users.

Through the existing SAP BTP synchronization job, administrators can retrieve role-based and user-specific data authorizations while also scheduling regular data extraction processes.

To implement this, a new subscription must be created in the SAP BTP target tenant using the Authorization and Trust Management Service with the API access plan under Cloud Foundry.

For more details, refer to the Help Portal.

2. Enhanced Management of Mapped User IDs

The Manage User ID Mapping app helps administrators efficiently manage users with multiple IDs across different systems. By linking a master user ID with mapped IDs in various applications, it ensures seamless access and better security.

Key features include:

  • Easy Search and Filter – Quickly find and view user mappings by ID or application.
  • Simple Mapping Creation – Manually link user IDs and validate existing assignments.
  • Bulk Upload – Streamline large updates using a pre-filled template.
  • Effortless Data Management – Edit, delete, and export mappings in CSV or Excel formats.

This app streamlines managing user access, improving efficiency and consistency across systems.

For more details, refer to the Help Portal.

3. Deprovision Expired Business Role Assignments

Administrators can use the Job Scheduler app to schedule the "Deprovision Expired Business Role Assignments" job, which automatically removes business role assignments that are no longer valid based on their end date.

When the job runs, the system performs the following actions:

  • Identifies all business role assignments where the validity end date has passed.
  • Queues expired assignments for deprovisioning and processes them during the next scheduled deprovisioning job.
  • Updates audit logs and the Business Role User Assigned tab to reflect the removal of roles.

This approach ensures that outdated access is routinely cleaned up and that records remain accurate across the system. The job can be scheduled to run at regular intervals, allowing organizations to continuously enforce access governance without manual effort.

For more details, refer to the Help Portal.
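
A check a reviewer could run to confirm the job is keeping up, as an added example that is not SAP code or part of the original post: it scans an assignment list for entries whose end date has passed but that are neither removed nor queued. The CSV layout, column names, and status values are assumptions made for illustration, and the sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample export; column names and status values are assumptions,
# not an SAP Cloud Identity Access Governance format.
SAMPLE_EXPORT = """user_id,business_role,valid_to,status
jdoe,AP_CLERK,2025-01-31,ASSIGNED
asmith,AP_MANAGER,2025-12-31,ASSIGNED
bchan,GL_ACCOUNTANT,2024-11-15,DEPROVISION_QUEUED
mlee,PAYROLL_ADMIN,,ASSIGNED
rkhan,VENDOR_MAINT,2025-03-01,REMOVED
tnguyen,TREASURY,2025-02-10,ASSIGNED
"""

def parse_end_date(value):
    """Return the end of the validity day in UTC, or None if open-ended."""
    value = value.strip()
    if not value:
        return None
    day = datetime.strptime(value, "%Y-%m-%d")
    return day.replace(hour=23, minute=59, second=59, tzinfo=timezone.utc)

def audit_expired(export_text, now):
    """Classify assignments against their validity end date as of `now`."""
    findings = {"lingering": [], "queued": [], "no_end_date": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        key = (row["user_id"], row["business_role"])
        end = parse_end_date(row["valid_to"])
        status = row["status"].strip().upper()
        if end is None:
            # Open-ended access never reaches the expiry job; flag for review.
            if status == "ASSIGNED":
                findings["no_end_date"].append(key)
            continue
        if end >= now or status == "REMOVED":
            continue  # still valid, or already cleaned up
        if status == "DEPROVISION_QUEUED":
            findings["queued"].append(key)      # waiting for the next run
        else:
            findings["lingering"].append(key)   # expired but still assigned
    return findings

if __name__ == "__main__":
    as_of = datetime(2025, 2, 15, tzinfo=timezone.utc)
    for category, items in audit_expired(SAMPLE_EXPORT, as_of).items():
        print(category, items)
```

Entries reported as lingering across consecutive runs suggest the job is not scheduled often enough or is failing; open-ended assignments are listed separately because an expiry-driven cleanup never touches them.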

4. Flexible Workflow Configuration Update with Configurable Role Owner Stage Auto Approval

SAP Cloud Identity Access Governance now supports auto approval of access requests at the role owner stage, allowing specific requests to be automatically approved without manual intervention. This is achieved through configurable business rules that evaluate access attributes to determine if they meet conditions for auto-approval.

The rules can assess factors such as role criticality, the access name, approver assignments, and whether the access relates to non-critical business processes. If a request matches the defined conditions, the system approves it automatically, bypassing the need for role owner action. This reduces approval time while maintaining governance.

Importantly, business rules override the assignment approvers. Even if a designated approver exists, the request will be auto-approved if it meets the rule conditions. However, if the rule includes risk-based checks, numeric values must be maintained for validation to succeed.

Manual approval is still required when risk analysis or remediation is enforced at the role owner stage. If any requested role poses unresolved risk, the request cannot be completed until the risk is mitigated or approved separately.

For more details, refer to the Help Portal.

5. Implement SAP Identity Services Identity Directory as User Datasource

SAP Cloud Identity Access Governance can now retrieve users, groups, and managed user attributes directly from SAP Identity Services Identity Directory. When this configuration is in place, the application uses SAP Identity Services Identity Directory as the source system instead of Identity Authentication Service.

To sync user group information, the required system must be maintained in SAP Cloud Identity Services and a destination must be created in the tenant for SAP Cloud Identity Access Governance on SAP BTP. The SCI User Group Sync job is then executed from the Job Scheduler app to keep the user group data synchronized.

To configure this, follow the steps in the Help Portal.

6. Enhanced Management of Privileged Access Management (PAM) Sessions

The PAM Sessions app gives administrators a view of all valid Privileged Access ID assignments for SAP S/4HANA Cloud, SAP S/4HANA on-premise, and SAP ERP. It shows each Privileged Access ID's status (Active, Inactive, or Available) along with assigned users and applications, and includes key session details such as access level, validity periods, and user assignments.

Admins can customize views, apply filters, and monitor access logs for better control and compliance. Privileged Access Monitoring offers deeper insights, including activity history, logs, and reason codes, ensuring secure and well-managed privileged access.

For more details, refer to the Help Portal.

7. Privileged Access Provisioning Report

The Privileged Access Provisioning Report app provides a real-time view of privileged access provisioning across SAP S/4HANA Cloud, SAP S/4HANA On-Premise, and SAP ERP. It tracks both provisioned and deprovisioned Privileged Access IDs, showing which users received access, their associated roles, and the current provisioning status.

Detailed logs are available for each PAM ID to help administrators monitor and review the full provisioning history.

For more details, refer to the Help Portal.

8. Log Review: Flexible Workflow with Notification Enabled at All Stages

Privileged Access Management offers a flexible workflow for the Review Log process, with predefined templates supporting up to three approval stages: Manager, Role Owner, and Security. Administrators can configure approvals based on their needs.

The system also includes automated email notifications, alerting users and approvers at key stages such as request submission, approval/rejection, and pending log reviews. These workflows and notifications apply across all connector types, ensuring efficient and timely management of privileged access.

For more details, refer to the Help Portal.

9. Enhanced Data Selection for Creating Certification Campaign

The Create Campaigns app now supports selecting users based on the User Group filter during the Data Selection step. This additional parameter allows administrators to define specific user groups or business user groups that should be included in the campaign. This enables more targeted and structured certification campaigns based on defined group membership.

For more details, refer to the Help Portal.

10. Client Certificate Authentication

SAP Cloud Identity Access Governance now supports Client Certificate Authentication for configuring secure destinations in cloud environments. This enhancement allows identity provisioning to be performed without relying on basic authentication credentials, improving security posture, compliance readiness, and minimizing credential-related risks.

Administrators can now set the authentication method to Client Certificate Authentication and upload the necessary certificate files, including the key store and password. To complete the setup, the certificate’s public key must be assigned to the appropriate administrator user in SAP Cloud Identity.

Once the destination is saved, the connection can be tested through SAP BTP Cockpit and validated by provisioning access to a test user in the target system.

For more details and step-by-step instructions, refer to the Help Portal.

Conclusion: Shaping the Future of Access Governance

The latest updates to SAP Cloud Identity Access Governance are a testament to SAP’s commitment to providing cutting-edge solutions that address the complex challenges of modern access governance. By continually evolving its offerings through a continuous development cycle, SAP ensures that businesses have the tools they need to manage access risks effectively, comply with regulations, and secure their digital transformations. New features, enhancements, and innovations are regularly introduced to keep pace with a rapidly changing environment. As we move forward, SAP Cloud Identity Access Governance will continue to be an indispensable ally in securing the digital landscape.

For more information, detailed feature lists, or help getting started with SAP Cloud Identity Access Governance, visit the SAP Cloud Identity Access Governance product page and documentation.