Disclaimer: It is recommended to conduct an SAP IDM assessment to evaluate the feasibility of migrating existing functionalities to SAP IAG, CIS, or GRC Access Control. The approach in this blog is particularly suitable for customers who primarily use SAP IDM for managing access in SAP systems, whether on-premise or in the cloud. In a more complex and heterogeneous enterprise-wide environment, customers are most likely to rely on a third-party identity management solution. Refer to this blog, which highlights our partnership with Microsoft to position MS Entra as a successor for SAP IDM.
SAP provides a comprehensive suite of identity and access management (IAM) solutions to help customers manage user identities across their SAP applications, both on-premise and in the cloud. These solutions include SAP Identity Management (SAP IDM), SAP GRC Access Control (SAP GRC AC), SAP Cloud Identity Services (comprising Identity Authentication and Identity Provisioning), and the SAP Identity Access Governance (SAP IAG) service.
SAP IDM, the long-standing on-premise IAM solution that has supported customers for over two decades, is approaching the end of its maintenance lifecycle (refer to SAP Note 3268799). Organizations currently using SAP IDM and planning a migration strategy can consider leveraging SAP IAG, SAP Cloud Identity Services (CIS), and their existing SAP GRC Access Control systems to cover identity lifecycle management needs. In many cases, the combination of SAP IAG with CIS—or SAP IAG with CIS and a bridge to SAP GRC Access Control—can replicate most of the functionalities previously handled by SAP IDM.
SAP IAG and SAP CIS are designed to complement each other and are often deployed together in enterprise environments to deliver end-to-end identity and access management. Additionally, SAP IAG can be integrated in a bridge scenario with SAP GRC Access Control to reuse existing configurations and ensure a smooth transition.
| Feature / Solution | SAP IAG | SAP Cloud Identity Services | SAP GRC Access Control |
|---|---|---|---|
| Deployment | Cloud | Cloud | On-premise / Hybrid |
| Primary Focus | Access governance & compliance | Authentication & identity provisioning | Risk management & compliance |
| Authentication (SSO, MFA) | No | Yes | No |
| Access Risk Analysis | Yes | No | Yes |
| Access Request Management | Yes | No | Yes |
| Role Management | Yes | No | Yes |
| Privileged Access Management | Yes | No | Yes (via EAM) |
| Best Fit For | Cloud-first organizations | Identity and access security | Regulated industries with complex needs |
IDM Functionalities
This section outlines the SAP IDM functionalities along with their corresponding equivalents in SAP IAG, CIS, and GRC Access Control. The relevance of each activity may vary depending on the specific SAP IDM implementation within an organization.
| IDM Functionality | As-Is Configuration (SAP IDM) | Corresponding Functionality in IAG / CIS / GRC AC |
|---|---|---|
| System Connectivity – SAP & Non-SAP Systems | List of systems supported via SAP IDM packages: ABAP Business Suite, ABAP (Load Balanced), AD, AS Java, BW, Dual Stack, HANA DB, S/4HANA, SCI (IAS/IPS), SCIM (IPS Proxy), SuccessFactors (SFSF), Sun (AD), GRC | CIS: Supported Systems |
| Data Source | SuccessFactors, HR Mini Master, AD (On-Prem/Cloud), third-party DBs | IAG: Integration Scenarios; GRC AC: LDAP, HR triggers for position based assignment, HR Triggers from SuccessFactors, ABAP, or custom |
| Role Type | Technical Roles, Business Roles | IAG: Role Design Service; GRC AC: BRM Module |
| GRC Integration – Risk Analysis | Risk Analysis/Risk Analysis only | IAG: Standalone Version; IAG Bridge with GRC Access Control |
| Approval Workflows | Maintained Users / Pending Value Objects | IAG: SAP Workflow Management Service; GRC AC: MSMP Workflows (Bridge Scenario) |
| Entry Owners | Maintained / Not Maintained | IAG / IAG Bridge: IAS User Groups; GRC AC: Bridge Scenario (Parameter 1090: No) |
| Self-Services | Password Self-Service, Role Requests | GRC AC: Password Self-Service |
| Attestation (User Access Review) | User Access Review | IAG: Access Certification; GRC AC: User Access Review (UAR) |
| Mass Upload Utility | Upload Users, Roles, Privileges, Mappings via Excel | IAG: Access Mass Update, Business Role Mass Update; GRC AC: Excel Uploads (Bridge Scenario) |
| Custom Notifications | Custom Notification Messages | GRC AC: Custom Notifications |
| IDM Reports | Reports from IDM DB | IAG: Reports; GRC AC: Reports |
| Custom Configurations | Custom or Enhanced Functionalities (e.g., HTML5 Forms) | Handled on a Need Basis |
| Audit Logs | Activity-Based Logging | IAG: BTP Audit Log Service; GRC AC: Audit Logs (Bridge Scenario) |
Discover SAP's approach to identity and access management (IAM) within the framework of the identity lifecycle through the following links: IAM reference architecture and CIO Guide.