Technology Blogs by Members
Explore a vibrant mix of technical expertise, industry insights, and tech buzz in member blogs covering SAP products, technology, and events. Get in the mix!
Showing results for 
Search instead for 
Did you mean: 
SAP Cloud Identity Access Governance (often referred to as SAP IAG) is a cloud service from SAP Business Technology Platform (BTP). It offers similar functionality as SAP Access Control (SAP GRC).

SAP Cloud Identity Access Governance offers Software as a Service (SaaS), which enables companies to comprise several distinct identity management and access governance capabilities .

SAP Cloud IAG offers five core services:

  • Access Analysis

  • Role Design

  • Access Request

  • Access Certification

  • Privileged Access Management

In this Blog I will explain how Access Request Service is configured in SAP Identity access and governance and SAP user access request can be raised for SAP S4Hana Private Cloud.

Make Sure SAP IAS (Identity Authentication Service) and IPS (Identity Provision Service) initial setup has been completed.

Below are the steps for configuring the Access Request Service: -

  1. S4Hana Private Cloud System integration with SAP IAG.

  2. Responsibilities are defined with proper Authorizaiton

  3. IPS Proxy System is enabled between SAP IAG and SAP IAS.

  4. Workflow Setup

  5. Business Rules Activation and deploy.

  6. Upload Notification template.

  7. Access Request Priority are maintained.

  8. Access Request Reason codes are maintained.

Architecture Overview

1.S4Hana Private Cloud System integration with SAP IAG.

For integration, please perform below steps: -

  1. Cloud Connector Setup. Like S4Hana On Premise – S4Hana Private cloud will connect SAP Cloud Identity Access Governance through the Cloud Connector.

  2. Create Destination for the S4Hana Private Cloud System in the SAP Cloud Identity Access Governance Subaccount

  3. Create an Application Instance for SAP S4Hana Private Cloud System in SAP Cloud Identity Access Governance Fiori Launchpad.

After above configuration Run Repository Sync to sync all relevant data from the SAP S4Hana private cloud target system to SAP Cloud Identity Access Governance, which can be applied in access request service.

in SAP IAG , for S4hana Private Cloud system – Application Type will be “S4Hana on – Premise”.

  1. Responsibilities are defined with proper Authorizaiton.

Predefined role collections are deployed with the SAP Cloud Identity Access Governance service. These role collections ensure that users can access and use specific apps that are relevant for their job function and their dedicated tasks.

Role collections are not directly assigned to users in the SAP BTP cockpit. Instead, users in Identity Authentication (IAS) are assigned to groups. These groups are mapped with SAP BTP role collections.

The required steps are the following:

  1. Create user groups in Identity Authentication and assign users to them.

  2. Map role collections in the SAP BTP Cockpit to the created user groups.

  3. Synchronize user groups information between the Identity Authentication and SAP Cloud Identity Access Governance subaccount.

The following groups are required in SAP IAS. The SAP Cloud Identity Access Governance services look for these specific groups. Make sure you create them with the names listed below with the same case. The name is case sensitive.

When you create these groups, you must follow this naming convention: IAG_<TYPE>_<NAME>

Role collection in BTP is mapped with these groups for proper authorization in Identity authentication Tenant. Before that Set Identity Authentication as a trusted identity provider.

To ensure user groups information is synchronized between the Identity Authentication service tenant and the tenant for SAP Cloud Identity Access Governance on SAP Business Technology Platform (SAP BTP), you must maintain the required system in Identity Authentication and the destination in the tenant for SAP Cloud Identity Access Governance in SAP BTP and then run the SCI User Group Sync job in the Job Scheduler app.

  1. IPS Proxy is enabled between SAP IAG and SAP IAS.

To Create an access request for a new user id in target application, user should be present in SAP IAG user source. We have made SAP IAS as user source, for this we must create a proxy system and map that proxy system in SAP IAG.

  1. Map Proxy system in SAP IAG: -

Navigate to Administration - Applications

  1. Map User Source as IAS system                                                  Navigate to Administration – Configuration – Application Parameter and maintain user source as IAS system created in above step.

4.Workflow Setup: -

There is no configuration required for the workflow. For all workflow-related actions, you need to make use of pre-delivered workflow templates. You require these templates to create access requests.

The SAP Identity Access Governance solution pre-delivers both the workflow and notification templates. If this has not been the case, create a support ticket using the GRC-IAG component and request those templates.

You can find the uploaded workflow templates in the Maintain Workflow Template app. Use one of these template.

5.Business Rules Activation and deploy.

SAP Business Rules service is used to define the stages, paths, and other workflow rules used by Access Request service to move the request items through the stages of an access request.

SAP Cloud Identity Access Governance offers pre-delivered business rules. To access these rules, create a support ticket. To do so, select the component GRC-IAG.

To access business rules, navigate to Administration → Configuration Go to Business Rule and choose Launch. The Business Rule editor opens.

Navigate to Rules and select RequestTypeRule in the Local Rules section. For this rule, workflow paths have been defined.

You must ensure that this minimum setup is in place, at least you need a mapping entry for request type "CHANGE". That is the mandatory entry for all created access requests (for all non-PAMID related requests)

Finally, the business rules need to be activated and the new workflow version needs to be deployed.

6.Upload Notification Template: -

Click on the Template Upload tile.

In the Notification section click on the Download button for the Standard Template.

Click on the Browse button and select the zip file you downloaded for the Template Archive.

Click on the Upload Button.

7.Access Request Priority are maintained.

Access Request Priority are defined. Navigate to Administration → Access Request Priority.

8.Access Request Reason codes are maintained.

Access Request Reason are defined. Navigate to Administration → Request Reason.

After the above configuration are successfully performed, you can start raising your access request in SAP IAG to create users in S4Hana Private cloud system.

Please note: - You have to schedule Provisioning job to trigger the provisioning of SAP Cloud Identity Access Governance access request in Target S4Hana Private cloud system.


In Rise with SAP Solution – Customer are opting for cloud based IAG solution as a replacement for GRC On premise solution. This blog post provides a high-level step for configuring Access Request service in SAP Cloud Identity Access Governance.

I hope this blog post helps you during your Access Service Configuration. We look forward to your comments and feedback.

References: -

Mapping Role Collections to Identity Authentication | SAP Help Portal

Identity Authentication | SAP Help Portal
1 Comment
Labels in this area