Technology Blogs by SAP
prashanthkumard
Associate

Introduction to SAP Cloud Identity Access Governance (IAG)

SAP Cloud Identity Access Governance (SAP IAG) is a software-as-a-service (SaaS) application built on SAP Business Technology Platform (BTP). Although it offers features that are comparable to SAP GRC Access Control, it will not replace Access Control.

It provides out-of-the-box integration with existing on-premise ECC applications as well as with the latest cloud applications such as Ariba, SuccessFactors, S/4HANA, Analytics Cloud and other cloud solutions, with many more SAP integrations on the roadmap. It helps customers achieve access control and governance through the following key services: Access Analysis, Role Design, Access Request, Access Certification and Privileged Access Management.

I'll guide you through the Access Certification service in this blog post.

What is Access Certification Service?

The Access Certification service is used for periodically reviewing and certifying access to business applications, both in the cloud and on-premises. It ensures that users have optimized access based on their designation.

Managers and designated reviewers validate access to business applications. The periodic review process can be carried out for single roles, composite roles, business roles, profiles, and SAP SuccessFactors static groups.

Responsibilities of Campaign Administrators, Coordinators and Reviewers

Administrator – is responsible for creating and editing campaigns.

Coordinator – is responsible for coordinating campaign activities, for example, reassigning items, reminding reviewers, escalating to the reviewer's manager, etc.

Reviewer – is responsible for approving/rejecting user access during review stage.

Access required for Campaign Administrators, Coordinators, and Reviewers.

| User | Role collections on BTP | User groups on IAS |
|---|---|---|
| Campaign Administrator | CIAG_Access_Certification_Admin | IAG_CPG_ADMIN |
| Coordinator | CIAG_Access_Certification_Coordinator | IAG_CPG_CO |
| Reviewer | CIAG_Access_Certification_Reviewer | IAG_CPG_REVIEWER |

 Note:

IAG_WF_ADMIN - Users assigned to this group can receive and work on access certification review items in the security stage.

IAG_WF_DEFAULT - When managers or role owners are not available, the task of reviewing a user’s access is forwarded to members of this group.
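
The following check is an added example, not SAP code or part of the original post: it takes the role collection and IAS group names listed above and flags users who hold only one half of a persona's pair, plus any workflow group from the note that has no members. The input shape (a dict of user IDs to role collections and groups) and the user IDs are assumptions made for illustration; the example also assumes each persona needs both entries of its row.

```python
# Pairing taken from the table above: persona -> (BTP role collection, IAS user group).
PERSONAS = {
    "Campaign Administrator": ("CIAG_Access_Certification_Admin", "IAG_CPG_ADMIN"),
    "Coordinator": ("CIAG_Access_Certification_Coordinator", "IAG_CPG_CO"),
    "Reviewer": ("CIAG_Access_Certification_Reviewer", "IAG_CPG_REVIEWER"),
}
# Groups from the note: security-stage reviewers and the fallback reviewers.
WORKFLOW_GROUPS = ("IAG_WF_ADMIN", "IAG_WF_DEFAULT")


def check_assignments(users):
    """Return sorted (user, persona, problem) findings for half-configured personas.

    `users` maps a user ID to {"role_collections": set, "groups": set}; this
    shape is an assumption of the example, not an SAP export format.
    """
    findings = []
    for user, access in users.items():
        for persona, (collection, group) in PERSONAS.items():
            has_rc = collection in access["role_collections"]
            has_grp = group in access["groups"]
            if has_rc and not has_grp:
                findings.append((user, persona, f"missing IAS group {group}"))
            elif has_grp and not has_rc:
                findings.append((user, persona, f"missing role collection {collection}"))
    return sorted(findings)


def empty_workflow_groups(users):
    """Return the workflow groups from the note that have no members."""
    return [g for g in WORKFLOW_GROUPS
            if not any(g in a["groups"] for a in users.values())]


# Constructed sample data (hypothetical user IDs).
SAMPLE = {
    "alice": {"role_collections": {"CIAG_Access_Certification_Admin"},
              "groups": {"IAG_CPG_ADMIN", "IAG_WF_ADMIN"}},
    "bob": {"role_collections": {"CIAG_Access_Certification_Reviewer"},
            "groups": set()},
    "carol": {"role_collections": set(),
              "groups": {"IAG_CPG_CO"}},
}

if __name__ == "__main__":
    for finding in check_assignments(SAMPLE):
        print(*finding, sep=" | ")
    print("empty workflow groups:", empty_workflow_groups(SAMPLE))
```

An empty IAG_WF_DEFAULT group is worth catching before a campaign starts, because review items whose manager or role owner is unavailable are forwarded to its members.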

Access Certification Service apps

Below are the apps available on the launchpad for the access certification service.

[Screenshot: Access Certification service apps on the launchpad]

How to create campaigns - Campaign administrators use the Create Campaigns app to create, edit, and submit campaigns. 

  • Open the Create Campaigns app and select the new certification campaign option, as shown in the screenshot below.

[Screenshot: new certification campaign option in the Create Campaigns app]

  • In step 1 – General information, provide the following, as shown in the screenshot below: a campaign name without spaces or special characters, a description, the planned duration, the coordinators (the person responsible for managing the campaign), and the send notification setting (the coordinator will receive a notification about the upcoming end of the campaign’s planned duration).

[Screenshot: step 1, General information]

  • In step 2 – Data selection, add relevant information in the search fields to refine the set of users, access, and systems that are to be part of the campaign. You can choose any search criteria based on your requirements. In this example, the search criterion is the application, so every user of that application is included in the review.

[Screenshot: step 2, Data selection]

  • In step 3 – Workflow selection, select a workflow for the approval process. You can choose any workflow from the list of available workflows. Here, the security workflow path is chosen.

[Screenshot: step 3, Workflow selection]

  • Review all the information and submit the campaign. Once it is submitted, review requests are created and assigned to the corresponding reviewers. Note: Once the campaign is in progress, it is sent to the Manage Active Campaigns app, where the coordinator can view its status and monitor and manage the progress of the campaign.

[Screenshots: campaign review and submission]

How to Manage Active Campaigns - Campaign coordinators use the Manage Active Campaigns app to see the overall status of campaigns assigned to them. They can close an existing campaign, reassign tasks to a different reviewer, or remind a current reviewer of items to evaluate. 

  • Select the campaign which was created previously.

[Screenshot: campaign selection in the Manage Active Campaigns app]

  • Once you open the campaign, you can see the list of reviewers for the campaign and the status of each review. The app also provides options to reassign a task to another reviewer, remind the reviewer that there are items to review, escalate the task to the reviewer’s manager, or release a claimed task. The Escalate option sends an e-mail notification to the reviewer’s manager, and the Remind option sends an e-mail notification to the reviewer.

[Screenshot: reviewer list and actions for the campaign]

How to Manage Campaign Reviewer Inbox - Campaign reviewers use the Manage Campaign Reviewer Inbox app to review and approve the review requests.

  • Select the campaign that was created previously to review and approve requests.

[Screenshot: campaign selection in the Manage Campaign Reviewer Inbox app]

  • To perform a review, approve or reject each line item individually, or choose approve/reject all to handle all line items at once. Here, a few line items were chosen for approval and a few for rejection. After submission, approved requests are not subject to any further action, while rejected requests are deprovisioned.

[Screenshot: approving and rejecting line items]

What does Access Certification Audit Log app contain?

Every campaign is listed in the audit log. This app can be used by anyone handling access certification campaigns to verify the steps that have been performed. Utilize the search function to locate particular campaigns.

What does Access Certification Campaign Log app contain?

The app shows the log history of a campaign. This covers any messages that are generated while the request creation process runs. Furthermore, the app helps you confirm that the steps have been generated correctly.

Conclusion

I would like to conclude by saying that the IAG Access Certification service helps organizations reduce losses from unforeseen risk (fraud, access risk) by performing periodic access reviews for users.

It lowers compliance and risk management costs by empowering the business with automated user access management and efficient, cost-effective access audits.
