(Series: Foundations for AI Success in SAP Landscapes) 

If your organization is eager to “switch on AI” in SAP, you’re not alone. But here’s the pattern we keep seeing: teams light up AI features in one line-of-business (LoB) app, it looks promising, and then everything stalls—or breaks—when they try to add the next LoB. 

This post explains why these activations are at stake, what “good” looks like for a unified agent experience with Joule, and how to get ready the right way. The goal: one Joule that works across your SAP landscape—without rework, identity headaches, or dead ends—so users never have to think about which system is behind the task. 

Why 

End users expect a single assistant that “just knows” where to go to answer a question or complete a task—create a leave request, initiate a purchase order, summarize a case. But activation often happens app by app: one Joule for SuccessFactors, another for S/4HANA, another for Signavio. That fragmentation shows up fast: 

• The AI can’t act in the user’s name across systems, so it can’t complete high-value actions. 

• Agents would not be able to perform system to system interaction in the context of a real identity. 
• Each new LoB reintroduces the same identity and provisioning challenges with system-specific workarounds. 

The one prerequisite that makes or breaks activation: identity  

Principal propagation—the AI acting in the user’s own identity with the right authorizations and audit trail—is the critical path. It requires your BTP subaccount and each backend system (S/4HANA, SuccessFactors, Ariba, Concur, etc.) to trust the same SAP Cloud Identity Services – Identity Authentication Service (IAS), with consistent provisioning and a stable Global User ID that maps the same person across systems. With mixed identity providers or uncoordinated tenants, calls fail or fall back to technical users, which won’t satisfy security or audit requirements. 

SAP Build Work Zone helps Joule understand and route capabilities to the right system—think of Work Zone as the registry that sends “create leave request” to SuccessFactors or “create purchase order” to S/4HANA. If Work Zone isn’t set up with the right trust and destinations, routing won’t be reliable and end-to-end scenarios won’t complete. 

Common activation failure patterns 

• Fragmented identity and user matching: Multiple Cloud Identity Services tenants, no central trust, and no Global User ID undermine principal propagation. 

• Missing Work Zone foundation: Work Zone not provisioned, trusted, or populated with destinations, leaving Joule without a reliable navigation context. 

• Per-LOB BTP sprawl: Uncoordinated subaccounts, entitlements, role collections, and destinations block a unified agent experience. 

• Authorization blind spots: Backend roles aren’t synchronized, so the assistant won’t act. 

• “Flip the switch” mindset: Assuming production activation without assessment, test runs, or guardrails leads to early wins that collapse when you add the second LoB. 

The goal: a unified Joule by design 

• One identity plane: A designated SAP Cloud Identity Services tenant trusted by BTP and your SAP apps, with end-to-end principal propagation and a consistent Global User ID. 

• Work Zone as the capability map: Trusted SAP Build Work Zone with established destinations so Joule can route to the right backend. 

• A coherent BTP footprint: Clear subaccount strategy, correct entitlements, Joule booster executed and validated, connectivity established, and role collections aligned. 

• Role and authorization awareness: Backend authorizations synchronized so Joule knows what each user can do and logs actions under that user’s identity. 

This blog describes the technical prerequisites—the SAP IAM Reference Architecture for SAP Business AI—in detail. 

The SAP Joule Readiness Service guides you to avoid these pitfalls and get to a unified assistant that “just works”  

Who it’s for 

• Customers aiming to enable Joule in SAP Cloud LoB solutions—such as SuccessFactors or Cloud ERP—who face challenges meeting prerequisites, especially in identity lifecycle and authentication management (IAM). 

How the service helps 

• Establishes a consistent, unified SAP Cloud Identity Services infrastructure 

• Develops a Global User ID concept so the same person is recognized across systems 

• Resolves hurdles related to SAP Cloud Identity Services (IAS/IPS) 

• Integrates with your existing authentication processes (for example, Microsoft Entra ID) 

• Hands-on analysis of your current setup (identity landscape, provisioning, authentication flows) 

• Hands-on support to understand prerequisites, plan activities, implement them in your test landscape, and define follow-up recommendations 

Delivery approach and scope 

• An initial workshop to discover the technical prerequisites for a Unified SAP Joule experience and explain the SAP IAM Reference Architecture 

• Multiple iterations of system analysis workshops to identify gaps in tenant setup, user management, authentication and authorization setup for SAP Joule activation in the test landscape, tailored for one LoB scenario 

• Wrap-up presentation with identified gaps, tailored best practices for production, and pointers to additional services as needed 

How to book 

Use this booking link and request for "Cloud Identity Service for SAP Joule & SAP Business AI (IAS, IPS)", this service is free of charge.