Reference Architecture for Cloud Leading Identity Lifecycle Authorizations
The figure explains the reference architecture for Cloud leading identity lifecycle authorizations.

Authorizations are domain-specific but should be centrally assigned to identities for effective management. Traditionally, authorizations are defined and managed within their respective applications, making it difficult to maintain them and enforce the least-privilege methodology across systems. SAP uses the SCIM-compliant Identity Directory as the interface for managing identity lifecycles and the central hub for authorization assignments. Additionally, Cloud Identity Services function as a trusted anchor for SAP applications, providing key security features such as authentication, authorization, and federation with third-party solutions.
For new applications, the SAP Cloud Identity Services - Identity Directory serves as the user and group store. It integrates with the SAP Authorization Management Service (AMS), enabling developers to define policies that are centrally assigned to users in the Identity Directory. This ensures efficient and centralized authorization management.
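The pattern described above (a SCIM-compliant directory as the single place where identities, groups and their authorization assignments are maintained, with applications resolving what to grant from that hub rather than from local tables) can be illustrated with a small in-memory model. This is an added example, not SAP's code or API: the resource shapes follow the SCIM 2.0 standard (RFC 7643/7644), while the application, the group names and the policy names are constructed for illustration, and the group-to-policy table stands in for what AMS does in the reference architecture.

```python
"""Toy SCIM 2.0 directory used as the central hub for authorization assignment.

Added example, not SAP's code. Resource shapes follow RFC 7643/7644
(User, Group, PatchOp); the policy names and group names are constructed.
"""
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Hypothetical central binding: directory group -> policies an application honours.
# In the architecture above this is the job of AMS; here it is a plain table.
GROUP_POLICIES = {
    "Invoice Clerks": {"invoice.create"},
    "Invoice Approvers": {"invoice.approve"},
}


class ScimDirectory:
    """Minimal in-memory SCIM directory: users, groups and PatchOp on members."""

    def __init__(self):
        self.users = {}
        self.groups = {}

    def create_user(self, user_name):
        uid = str(uuid.uuid4())
        self.users[uid] = {"schemas": [USER_SCHEMA], "id": uid,
                           "userName": user_name, "active": True}
        return uid

    def create_group(self, display_name):
        gid = str(uuid.uuid4())
        self.groups[gid] = {"schemas": [GROUP_SCHEMA], "id": gid,
                            "displayName": display_name, "members": []}
        return gid

    def patch_group(self, gid, patch):
        """Apply a PatchOp (RFC 7644 section 3.5.2) to a group's members."""
        if PATCH_SCHEMA not in patch["schemas"]:
            raise ValueError("not a SCIM PatchOp")
        group = self.groups[gid]
        for op in patch["Operations"]:
            if op["op"] == "add" and op["path"] == "members":
                for member in op["value"]:
                    uid = member["value"]
                    if uid not in self.users:
                        raise KeyError(uid)  # never add members the directory does not know
                    if all(m["value"] != uid for m in group["members"]):
                        group["members"].append({"value": uid})
            elif op["op"] == "remove" and op["path"].startswith('members[value eq "'):
                uid = op["path"].split('"')[1]  # filter-path form from RFC 7644
                group["members"] = [m for m in group["members"] if m["value"] != uid]
            else:
                raise ValueError(f"unsupported operation: {op}")

    def set_active(self, uid, active):
        """Lifecycle event (joiner/leaver) expressed via SCIM's 'active' attribute."""
        self.users[uid]["active"] = active

    def groups_of(self, uid):
        return {g["displayName"] for g in self.groups.values()
                if any(m["value"] == uid for m in g["members"])}


def effective_policies(directory, uid):
    """What an application should grant: nothing for an inactive identity,
    otherwise the union of the policies bound to the user's directory groups."""
    user = directory.users[uid]
    if not user["active"]:
        return set()
    policies = set()
    for name in directory.groups_of(uid):
        policies |= GROUP_POLICIES.get(name, set())
    return policies


def add_member(uid):
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "add", "path": "members", "value": [{"value": uid}]}]}


def remove_member(uid):
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "remove", "path": f'members[value eq "{uid}"]'}]}


def lifecycle_demo():
    """Joiner -> mover -> leaver; returns the effective policies after each step."""
    d = ScimDirectory()
    clerks = d.create_group("Invoice Clerks")
    approvers = d.create_group("Invoice Approvers")
    alice = d.create_user("alice@example.com")       # joiner (constructed identity)
    d.patch_group(clerks, add_member(alice))
    joined = effective_policies(d, alice)
    d.patch_group(clerks, remove_member(alice))      # mover: old access is removed, not accumulated
    d.patch_group(approvers, add_member(alice))
    moved = effective_policies(d, alice)
    d.set_active(alice, False)                       # leaver: one change revokes every application
    left = effective_policies(d, alice)
    return joined, moved, left


if __name__ == "__main__":
    print(lifecycle_demo())  # ({'invoice.create'}, {'invoice.approve'}, set())
```

The point worth checking in a real deployment is the one `lifecycle_demo` exercises: because applications derive authorizations from the directory, a mover loses the old group's policies and a leaver loses everything with a single `active=false`, without touching each application's own permission tables.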
Additionally, you can use SAP Cloud Identity Access Governance (IAG) to manage and enforce user access and authorization policies across SAP applications. IAG helps to ensure compliance, provides visibility into user roles and permissions, and streamlines access management by automating tasks like role assignments, provisioning, and auditing.
You can find more information about the reference architecture for Cloud leading identity lifecycle authorizations in the SAP Architecture Center.
SAP Cloud Identity Access Governance (IAG)
The figure explains the key features of SAP Cloud Identity Access Governance.

SAP Cloud Identity Access Governance software enhances security and compliance, offering a suite of services for optimized access management and governance within your organization. Key features include the following:
- Access Analysis: Conducts risk assessments to identify segregation of duties (SoD) violations and critical access risks, enhancing security by preventing unauthorized access.
- Access Certification: Facilitates periodic reviews of user access, removing unused access, and enforcing policies for a secure environment.
- Role Design: Supports the creation and maintenance of business roles, ensuring optimized access aligned with user roles for efficiency and security.
- Access Request: Enables user-initiated access requests via self-service or HR system integration, with automated risk assessments and workflow-based approvals.
- Privileged Access Management: Secures privileged accounts with elevated rights through stricter controls and activity monitoring, adding an extra layer of security for critical systems and data.
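To make the Access Analysis and Access Certification features above concrete, here is a small worked example of the two underlying computations: detecting segregation-of-duties conflicts from a rule set, a role design and user-to-role assignments, and flagging assignments that have not been used recently so a reviewer can remove them. This is an added example, not SAP IAG code; the rule identifiers, roles, business functions, users and usage dates are all constructed.

```python
"""Toy segregation-of-duties (SoD) analysis and dormant-access review.

Added example, not SAP IAG code. All rule ids, roles, functions, users and
dates are constructed for illustration.
"""
from datetime import date, timedelta

# SoD rule set: pairs of business functions one identity must not hold together.
SOD_RULES = {
    "SOD-01": ("CREATE_VENDOR", "PAY_VENDOR"),
    "SOD-02": ("CREATE_PO", "APPROVE_PO"),
}

# Role design: which business functions each role grants.
ROLE_FUNCTIONS = {
    "AP_CLERK": {"CREATE_VENDOR", "CREATE_PO"},
    "AP_MANAGER": {"APPROVE_PO"},
    "TREASURY": {"PAY_VENDOR"},
    "SUPER_AP": {"CREATE_VENDOR", "PAY_VENDOR"},  # conflict baked into a single role
}

# Constructed user-to-role assignments and last-use records.
ASSIGNMENTS = {
    "alice": {"AP_CLERK", "AP_MANAGER"},
    "bob": {"TREASURY"},
    "carol": {"SUPER_AP"},
}
LAST_USED = {
    ("alice", "AP_CLERK"): date(2024, 5, 1),
    ("bob", "TREASURY"): date(2024, 5, 20),
}
TODAY = date(2024, 6, 1)


def role_level_violations(role_functions=ROLE_FUNCTIONS, rules=SOD_RULES):
    """Roles that violate a rule on their own: a role-design defect, since
    assigning the role to anyone creates the conflict."""
    found = []
    for role, funcs in role_functions.items():
        for rule_id, (a, b) in rules.items():
            if a in funcs and b in funcs:
                found.append((role, rule_id))
    return sorted(found)


def user_level_violations(assignments=ASSIGNMENTS, role_functions=ROLE_FUNCTIONS,
                          rules=SOD_RULES):
    """Conflicts that arise only from the combination of roles a user holds;
    each role may be clean on its own."""
    found = []
    for user, roles in assignments.items():
        funcs = set().union(*(role_functions[r] for r in roles))
        for rule_id, (a, b) in rules.items():
            if a in funcs and b in funcs:
                found.append((user, rule_id))
    return sorted(found)


def dormant_assignments(assignments=ASSIGNMENTS, last_used=LAST_USED, today=TODAY,
                        max_idle_days=90):
    """Assignments never used, or not used within max_idle_days: candidates for
    removal during an access certification review."""
    cutoff = today - timedelta(days=max_idle_days)
    dormant = []
    for user, roles in assignments.items():
        for role in roles:
            used = last_used.get((user, role))
            if used is None or used < cutoff:
                dormant.append((user, role))
    return sorted(dormant)


if __name__ == "__main__":
    print("role-level:", role_level_violations())
    print("user-level:", user_level_violations())
    print("dormant:", dormant_assignments())
```

Running it on the constructed data separates the two kinds of finding: `SUPER_AP` is flagged at role level, which a role redesign fixes for everyone at once, while `alice` violates `SOD-02` only through the combination of `AP_CLERK` and `AP_MANAGER`, which a reviewer resolves per user. The dormant list shows that alice's `AP_MANAGER` role, one half of that conflict, has never been used, so removing it both closes the SoD finding and reduces privilege.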