Exploring Hybrid Landscape Scenarios

SAP Cloud Identity Access Governance can be used as a bridge to enable access requests for cloud applications in SAP Access Control and to enable risk analysis for cloud applications in SAP Access Control.

The architecture shows all of the components / systems involved for the integration between SAP Cloud Identity Access Governance and SAP Access Control. This integration setup is called IAG Bridge, and it unifies a landscape between the on-premise and cloud environment.

The IAG Bridge between SAP Access Control and SAP Cloud Identity Access Governance enables SAP Access Control to facilitate the creation of access requests, and performing risk analysis, for cloud applications.

For example, if you are going to use SAP Access Control system to create access requests for your cloud application, the risk analysis, assignment of mitigation controls (if needed), and provisioning can be handled by SAP Cloud Identity Access Governance.

In this scenario, we have a hybrid setup containing on-premise installed and cloud-installed systems/components:

Cloud Connector: Cloud Connector serves as a link between SAP BTP applications (here, SAP Cloud Identity Access Governance) and on-premise systems. Cloud Connector establishes a connection to SAP Access Control system (called Cloud to On-Premise).

The following is further information regarding the Cloud Connector:

• Combines an easy setup with a clear configuration of the systems that are exposed to the SAP BTP
• Runs as an on-premise agent in a secured network
• Acts as a reverse invoke proxy between the on-premise network and SAP BTP

SAP Access Control: SAP Cloud Identity Access Governance connects to SAP Access Control through the Cloud Connector. This connection enables a communication channel of SAP Cloud Identity Access Governance downwards to the SAP Access Control. This is possible because the Cloud Connector acts as a reverse invoke proxy. The other way around it is, however, not needed because the connection from the on-premise system to the cloud application is not considered as dangerous. Therefore, we can use some direct connections from SAP Access Control to SAP Cloud Identity Access Governance.

SAP Access Control system connects to SAP Cloud Identity Access Governance directly. Two following RFC connections are necessary for the communication upwards from SAP Access Control to SAP Cloud Identity Access Governance (see the Architecture Overview figure).

• IAG_SOD_AUTH: This connection is needed for authentication so that SAP Access Control is capable of logging on.
• IAG_SOD_CHECK: This connection is needed so that SAP Access Control can communicate with the SAP Cloud Identity Access Governance "iagtrigger" service primarily for the risk analysis.

Both are RFC connections (type: G - HTTP Connections to External Server), which are maintained in SAP Access Control in transaction SM59.

SAP Cloud Identity Access Governance is running on SAP Business Technology Platform, Cloud Foundry environment and connects to SAP Access Control system. In case, you have to connect specific on-premise target systems, which in turn are connected to SAP Access Control, you have to set up the destinations within the SAP Cloud Identity Access Governance subaccount as well. The same has to be performed in case you have to connect specific cloud target systems.

If you want to connect cloud target systems in this overall scenario, keep in mind that you have to create an SM59 destination for these cloud target systems (type: G - HTTP Connections to External Server) in SAP Access Control.

More information regarding the setup of cloud target systems on SAP Access Control can be found on the SAP Help Portal: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/5c19369f0b924946abc80242ffaa2f27/28eff9bacfed40ba874dd90991871567.html?locale=en-US - see section 3. Create the third destination (create one for each cloud application).

IAS and IPS: Identity Authentication and Identity Provisioning are bundled in the "SAP Cloud Identity Services" (CIS) running on SAP BTP Cloud Foundry.

• Identity Authentication is responsible for authentication (acts as central authentication component) on SAP BTP / cloud systems, thus, it is also required for SAP Cloud Identity Access Governance and the respective SAP Cloud Identity Access Governance user authentication.

• Identity Provisioning acts as proxy (see "IPS_PROXY") for several cloud systems and connects such systems with SAP Cloud Identity Access Governance. Therefore, it is mainly used for user provisioning.
  Note

  Identity Provisioning is not mandatory and is not used in this integration scenario.

The complete integration between SAP Cloud Identity Access Governance and SAP Access Control requires a lot of integration steps. These are explained and demonstrated in the following sections. To start the integration, you should perform the following steps:

• In SAP Cloud Identity Access Governance, create a destination that points to the Identity Authentication tenant.
• In SAP Access Control system, create two SM59 destinations of type G: one for authentication and the other one for SOD checks.

1. Open SAP BTP cockpit.
2. Open Subaccounts and choose your SAP Cloud Identity Access Governance subaccount tenant.
3. Navigate to Connectivity→Destinations.
4. Create a New Destination using the button.
5. Provide the following information:
   • Name: IAGAuthService
   • Type: HTTP
   • Description: IAGAuthService
   • URL: <Host of the Identity Authentication tenant>/service/users/password
     Note

     The host of the Identity Authentication tenant can be generally found in the SAP Cloud Identity Access Governance subaccount. It is available if you have successfully established trust between Identity Authentication and SAP Cloud Identity Access Governance. Navigate to the following: SAP Cloud Identity Access Governance subaccount→Security→Trust Configuration→Select your Identity Authentication tenant.
   • Proxy Type: Internet
   • Authentication: NoAuthentication
6. Ensure that the property Use default JDK truststore is added and checked.
7. Choose Save.

For more information, see the following SAP Note: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/5c19369f0b924946abc80242ffaa2f27/1a099221c55f404ab6ac074c128c1653.html?locale=en-US

1. Open SAP Access Control and log in.
2. Call transaction SM59.
3. Mark the entry HTTP Connections to External Server (Type G).
4. Create the first connection using the Create icon.

   The first connection will be used for all tasks regarding Authentication. For the first connection, enter the following:

   1. Technical Settings tab

      • RFC Destination: <Any connection name> for example, IAG_SOD_AUTH
      • Connection type: G
      • Description: <Any description>
      • Host: The host is represent by the region where your SAP Cloud Identity Access Governance is subscribed. Use one of the listed and suitable URLs from section 1 of the following SAP Help Portal page:

        https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/5c19369f0b924946abc80242ffaa2f27/28eff9bacfed40ba874dd90991871567.html?locale=en-US

        Note

        Which URL you choose depends on your subscription (standard versus integration edition) of SAP Cloud Identity Access Governance.
      • Port: 443
      • Path Prefix: /authentication

   2. Logon & Security tab

      • Logon with User: <Basic Authentication>
      • User: <Use the created Identity Authentication admin user (type: SYSTEM) and to add the domain name to the username separated by @>

        Username: <IAS SYSTEM USER LOGON NAME OR USERID>@<CUSTOMER-SUBDOMAIN NAME>

        (for details, see the Specific Integration Prerequisites→Prerequisites for the Integration Setup Between SAP Cloud Identity Access Governance and SAP Access Control (IAG Bridge) section.

      • Password: <Use the password of the created Identity Authentication admin user>
      • Logon with ticket: Do not Send Logon Ticket
      • SSL: Active
   3. Choose Save.
5. Create the second connection using the Create icon in transaction SM59.

   The second connection will be used for all tasks with regarding SOD Checks. For the second connection enter the following:

   1. Technical Settings tab

      • RFC Destination: <Any connection name> for example, IAG_SOD_CHECK
      • Connection type: G
      • Description: <Any description>
      • Host: The host is represent by the region where your SAP Cloud Identity Access Governance is subscribed. Use one of the listed and suitable URLs from section 1 of the following SAP Help Portal page:

        https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/5c19369f0b924946abc80242ffaa2f27/28eff9bacfed40ba874dd90991871567.html?locale=en-US

        Note

        Which URL you choose depends on your subscription (standard versus integration edition) of SAP Cloud Identity Access Governance.
      • Port: 443
      • Path Prefix: /

   2. Logon & Security tab

      • Logon with User: Do Not Use a User
      • User: <BLANK>
      • Password: <BLANK>
      • Logon with ticket: Do not Send Logon Ticket
      • SSL: Active
   3. Choose Save.

The next steps for the integration between SAP Cloud Identity Access Governance and SAP Access Control should be as follows:

1. Set up the Cloud Connector for the SAP Cloud Identity Access Governance subaccount.
2. In the Cloud Connector, set up a Cloud-to-On-Premise connection using the RFC protocol that points to the SAP Access Control system.
3. In the SAP Cloud Identity Access Governance subaccount, create a destination to the SAP Access Control system.

1. Open Cloud Connector Admin UI and log in.

   To access the Cloud Connector admin UI, open the browser and enter https://localhost:8443/ (unless you have indicated a different port during installation).

2. Navigate to the Connector and choose Add Subaccount.
3. Provide the following information:
   • Region: <Select the region of the SAP Cloud Identity Access Governance subaccount>
     Note

     This can be found in the SAP Cloud Identity Access Governance subaccount overview section: see Region and Provider.
   • Subaccount: <SAP Cloud Identity Access Governance subaccount ID>
     Note

     This can be found in the SAP Cloud Identity Access Governance subaccount overview section: see Subaccount ID.
   • Display Name: <Any display name>
   • Subaccount User: <Provide SAP Cloud Identity Access Governance user with admin access either to subaccount or cloud connector admin access>
     Note

     Users can be found in the Security→Users section within the SAP Cloud Identity Access Governance subaccount. The user has to be at least assigned to role collection Subaccount Administrator or Cloud Connector Administrator.
   • Password: <Password of the subaccount user>
   • Location ID: <Location ID> (optional)
   • Description: <Any description> (optional)
4. Choose Save.
5. Check if the connection was successful.

   After the creation of the SAP Cloud Identity Access Governance subaccount in Cloud Connector, you can check for a successful connection setup on SAP Cloud Identity Access Governance subaccount in SAP BTP Cockpit: Connectivity→Cloud Connectors→Connected. There, you should also see the Cloud Connector ID (Master Instance section).

For more information, see the SAP Help Portal: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/e12d8683adfa4471ac4edd40809b9038/6b2318bc80f2499da6b031dd571b7996.html

This RFC connection is used for calling any function modules in SAP Access Control (for example, Rep Syncs and so on).

1. Open Cloud Connector Admin UI and log in.

   To access the Cloud Connector admin UI, open the browser and enter https://localhost:8443/ (unless you have indicated a different port during installation).

2. Navigate to the Connector. Make sure that the previously created SAP Cloud Identity Access Governance subaccount is selected in the Subaccount field.
3. To add new RFC connection for the SAP Access Control system, select Cloud to On-Premise.
   Note

   The connection type must be RFC.

4. Navigate to the Access Control section and choose the + button on the right side of the Mapping Virtual to Internal System panel.
5. Follow the wizard and provide the following information:
   • Back-end type: ABAP System
   • Protocol: RFC / RFC_SNC
     Note

     Based on your requirements, you can either use a non-secured or secured RFC connection.
   • Connection Type: With / Without load balancing
     Note

     Based on your requirements, you can either use it with or without load balancing. Based on your choice, you have to provide data of the application server or message server.
   • Application Server: <Application server of SAP Access Control system>
     Note

     This is necessary for connection setup without load balancing.
   • Instance number: <Instance number of SAP Access Control system>
     Note

     This is necessary for connection setup without load balancing.
   • SAProuter: <SAProuter string in case there is one used for SAP Access Control system>
   • Virtual Application Server / Host: <Provide virtual host name>
     Note

     Only the virtual host name will be visible in the SAP Cloud Identity Access Governance subaccount.
   • Virtual Instance Number: <Provide virtual port>
     Note

     Only the virtual instance number name will be visible in the SAP Cloud Identity Access Governance subaccount.
   • Description: <Any description>
   • Check Internal Host: False (unchecked)
     Note

     This is only necessary if you want to do an ad-hoc connection check. Otherwise, it can be done afterward.
   • Principal Type: <Only relevant if you are using RFC_SNC>
   • SNC Partner Name: <Only relevant if you are using RFC_SNC>
   • Host in Request Header: Use Virtual Host
     Note

     This is a pre-selected, standard option.
6. Choose Save.
7. Expose resources of SAP Access Control system.

   The following step is important: add the following function modules under Resources of the previously created RFC connection. These function module classes can be called in the SAP Access Control system by SAP Cloud Identity Access Governance:

   • Function Name: SIAG
   • Naming Policy: Prefix
   • Function Name: RFC_READ_TABLE
   • Naming Policy: Exact Name
   • Function Name: GRAC
   • Naming Policy: Prefix
8. Perform the connection check.

   After the creation of the RFC connection in Cloud Connector, you can check for a successful connection setup on the SAP Cloud Identity Access Governance subaccount navigation to Connectivity→Cloud Connectors→Exposed Back-End Systems section. The virtual host name of the created RFC connection from Cloud Connector (RFC protocol) should be visible in the Exposed Back-End Systems section with Resources status Available.

For more information, read the documentation on the SAP Help Portal: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/e12d8683adfa4471ac4edd40809b9038/6b2318bc80f2499da6b031dd571b7996.html

For more information on configuring an RFC connection, see the SAP Help Portal:

https://help.sap.com/docs/CP_CONNECTIVITY/cca91383641e40ffbe03bdc78f00f681/ca5868997e48468395cf0ca4882f5783.html?locale=en-US

Perform the following steps:

1. Open SAP BTP cockpit.
2. Open Subaccounts and choose your SAP Cloud Identity Access Governance subaccount tenant.
3. Navigate to Connectivity→Destinations.
4. Create a New Destination using the button.
5. Provide the following information:
   • Name: <Any name>
   • Type: RFC
   • Description: <Any description>
   • Proxy Type: OnPremise
   • User: <Technical RFC user (type: SYSTEM) created in SAP Access Control system with proper authorizations>

     This is the user that you should have already created in the SAP Access Control system. For details, see section Specific Integration Prerequisites→Prerequisites for the Integration Setup Between SAP Cloud Identity Access Governance and SAP Access Control (IAG Bridge→in this lesson.

   • Password: <Password of the technical RFC user>
   • Other destination fields: optional, not needed.
6. Provide additional properties by choosing the New Property button:
   • jco.client.ashost: Enter host name of the server; in this case, this has to be the virtual host name set in the RFC connection (Cloud To On-Premise) of Cloud Connector (mandatory)
   • jco.client.client: Enter client number (mandatory)
   • jco.client.lang: Enter language, for instance, EN (optional)
   • jco.client.sysnr: Enter the virtual instance number that you have defined in the Cloud Connector when setting up the RFC connection (Cloud To On-Premise) (mandatory)
   • jco.destination.pool_capacity: Enter pool capacity, for example, 6 (optional)
   • jco.destination.proxy_type: OnPremise (optional)
   Note

   Take note that additional properties are based on the previously created RFC connection in Cloud Connector and the load balancing option. If, for example, you have defined an application server (without load balancing), you have to provide other properties that for load balancing option with message server.
7. Choose Save.

For more information, see the SAP Help Portal: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/e12d8683adfa4471ac4edd40809b9038/09c24809d79446728ed27ace7d0262af.html

1. Initial SAP Cloud Identity Access Governance setup is done.
   • SAP Cloud Identity Access Governance subaccount is created
   • SAP Cloud Identity Access Governance service is subscribed in the subaccount
2. Trust connection between Identity Authentication and SAP Cloud Identity Access Governance is established and Identity Authentication setup is done.
   • Establish trust configuration (on both ends: SAP Cloud Identity Access Governance and Identity Authentication)
   • Create an application for SAP Cloud Identity Access Governance in Identity Authentication
   • Create a system user in Identity Authentication (used for SCI user group sync in SAP Cloud Identity Access Governance)
3. Identity Provisioning setup is done and Identity Authentication user is created with the proper authorization (Manage Identity Provisioning) to access Identity Provisioning (this is optional in this scenario).

1. Cloud Connector is installed and configured.

   General information about the installation of Cloud Connector can be found on the SAP Help Portal: https://help.sap.com/docs/CP_CONNECTIVITY/cca91383641e40ffbe03bdc78f00f681/e6c7616abb5710148cfcf3e75d96d596.html?version=Cloud

2. SAP Access Control system uses supported SAP NetWeaver version.

   It is important that you only use supported SAP NetWeaver versions. This is because the SAP Cloud Identity Access Governance Services Data Extractor API has to be included there. The following are supported SAP NetWeaver versions:

   • SAP NetWeaver Version - Support Pack
   • NW 700 - SP34
   • NW 701 - SP19
   • NW 702 - SP19
   • NW 710 - SP21
   • NW 711 - SP16
   • NW 730 - SP16
   • NW 731 - SP19
   • NW 740 - SP16
   • NW 750 - SP04
   • NW 751 - SP02

   For more information about the supported versions, see SAP Support Note: 2628749 - IAG Provisioning Services for SAP ERP and S/4HANA on-premise Systems

3. SAP Cloud Identity Access Governance user with admin access either to subaccount or global account available.

   This user is used for SAP Cloud Identity Access Governance subaccount creation in Cloud Connector.

4. Two technical RFC users (type: SYSTEM) with proper authorizations are created in SAP Access Control system.
   Hint

   This is only a recommendation. You could also create one technical user and use him in both destinations.

   1. One technical user is used to create a destination in SAP Cloud Identity Access Governance subaccount that points to the SAP Access Control system.

      To create the destination pointing to SAP Access Control system in SAP Cloud Identity Access Governance, you need to maintain a technical RFC user (type: SYSTEM) with proper authorizations to allow the communication between SAP Cloud Identity Access Governance (and respective services) and SAP Access Control system (system to system communication).

      More information about the necessary authorizations can be found on the SAP Help Portal: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/e12d8683adfa4471ac4edd40809b9038/9d169142752a480f8cc0210ac38e0a22.html

   2. The other technical user is used to establish a communication between SAP Cloud Identity Access Governance and an OData service in SAP Access Control - IAGProvisionStatusUpdate. This user is also needed to create a destination in SAP Cloud Identity Access Governance. You also need to provide proper authorizations to the user.

      The mandatory authorizations are as follows:

      Object	Authorization Filed	Value
      S_RFC	RFC_TYPE	FUGR FUNC
      	RFC_NAME	GRAC_IAG_INTEGRATION RFC_METADATA
      	ACTVT	16
      GRAC_ROLED	GRAC_ACTRD	03
      	All other fields	*
      S_SERVICE	SRV_NAME	IAG_PROVISION_STATUS_UPDATE_SRV OData service (IWSV and IWSG)
      	SRV_TYPE	Hash value or technical name

      Note

      Authorization default values for non-transactional services, such as OData services, are stored using a hash code-based key entry. The connection between this key attribute and the original application name is saved in the table, USOBHASH. The content of this table is the basis for the input help and existence validation of these applications in, for example, PFCG or SU24.

      Make sure the hash code-based entry for the IWSG and IWSV object exists in USOBHASH, otherwise you will not be able to maintain the S_SERVICE object.

      For more information, you may also refer to this SAP note 2528712: https://launchpad.support.sap.com/#/notes/2528712

      Find more information on create destinations for SAP Cloud Identity Access Governance Service on the SAP Help Portal: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/5c19369f0b924946abc80242ffaa2f27/9eaea31a1ec14a6297b2d4378e9e0e96.html?locale=en-US

5. The Identity Authentication administrator user (type: SYSTEM) is created.

   This user is used for SM59 destinations in SAP Access Control (Type G - HTTP connections to External Server).

   Note

   When you are creating the SM59 destination in SAP Access Control and entering the credential of this Identity Authentication admin user, you will have to add the domain name to the username separated by @, for example, <IAS SYSTEM USER LOGON NAME OR USERID>@<CUSTOMER-IAG-SUBDOMAIN NAME>.
   Hint

   The Identity Authentication administrator user can be the same user, which is used for the SCI User group sync (SAP Cloud Identity User group sync). In case you do not want to use the same user, ensure that your new user has the same authorizations activated as the admin user for the respective SCI User group sync.

Further information on the Identity Authentication user / admin user authorizations can be found in the official documentation on the SAP Help Portal:

• https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/5c19369f0b924946abc80242ffaa2f27/28eff9bacfed40ba874dd90991871567.html?locale=en-US
• https://help.sap.com/docs/IDENTITY_PROVISIONING/f48e822d6d484fa5ade7dda78b64d9f5/6aa2c7e7c76e4a40b0f6ac387101f909.html?locale=en-US
• https://help.sap.com/docs/IDENTITY_AUTHENTICATION/6d6d63354d1242d185ab4830fc04feb1/86ee37423f8945a1898faff1e6308756.html?locale=en-US

To enable SAP Cloud Identity Access Governance to push provisioning status updates from the cloud target applications to SAP Access Control, you have to perform the following steps:

• In the SAP Access Control system, activate the Odata service IAG_PROVISION_STATUS_UPDATE_SRV.
• In the Cloud Connector, set up a Cloud-to-On-Premise connection using the HTTP protocol that points to the provisioning status update service in SAP Access Control.
• In the SAP Cloud Identity Access Governance subaccount, create a destination for the provisioning status update service.

This Provisioning status update service is used by SAP Cloud Identity Access Governance to push provisioning status updates to SAP Access Control. This enables the proper and accurate display of provisioning status for access requests.

To enable this mechanism, set up and activate the following ODATA service within the service catalog of the SAP Access Control system: IAG_PROVISION_STATUS_UPDATE_SRV.

Perform the following steps:

1. Open SAP Access Control and log in.
2. Call transaction SPRO.
3. Navigate to SAP NetWeaver→ SAP Gateway→OData Channel→Administration→General Settings→ Activate and Maintain Services.
4. On the Service Catalog screen, select IAG_PROVISION_STATUS_UPDATE_SRV.
   Note

   If you were able to find the OData service in the table, it means that it has been activated. If not, you need to activate the service by adding it to the table.
5. Maintain the system alias LOCAL for the service. In the System Aliases panel, choose Add System Alias.
   • Service Doc. Identifier: IAG_PROVISION_STATUS_UPDATE_SRV_<No.>, for example, IAG_PROVISION_STATUS_UPDATE_SRV_0001
   • User Role: <BLANK>
   • Host Name: <BLANK>
   • SAP System Alias: LOCAL
   • Default System: <BLANK>
   • Metadata Default: <BLANK>
   • Tech. Svc. Name: <Filled out automatically>
   • Ext. Service Name: <Filled out automatically>
6. In the ICF Nodes panel, choose SAP Gateway Client.
7. Choose Execute to test the service.
8. In the HTTP Response panel, copy the href link.
   Note

   You will need this information later for the internal host and internal port number when creating the HTTP connection to SAP Access Control system in Cloud Connector.

For more information, see steps 1-5 on the SAP Help Portal: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/5c19369f0b924946abc80242ffaa2f27/9eaea31a1ec14a6297b2d4378e9e0e96.html?locale=en-US

This HTTP connection is used to call the provisioning update service in SAP Access Control.

1. Open Cloud Connector and log in.

   To access the Cloud Connector admin UI, open the browser and enter https://localhost:8443/ (unless you have indicated a different port during installation).

2. Navigate to the Connector. Choose the previously created SAP Cloud Identity Access Governance subaccount using the select-option of the Subaccount field.
3. The SAP Cloud Identity Access Governance subaccount is selected.
4. To add a new HTTP connection for the SAP Access Control system, select Cloud to On-Premise.
5. Navigate to the Access Control section and choose the + button on the right side of the Mapping Virtual to Internal System panel.
6. Follow the wizard and provide the following information:
   • Back-end Type:ABAP System
   • Protocol: HTTP / HTTPS
     Note

     Based on your requirements, you can use either a non-secured or secured HTTP connection.
   • Internal Host: <Enter the host name from the root URL of the previously created ODATA service IAG_PROVISION_STATUS_UPDATE_SRV in the SAP Access Control system>
     Note

     Do not include the protocol.
   • Internal Port: <Enter the port number from the root URL used by the previously created ODATA service IAG_PROVISION_STATUS_UPDATE_SRV in the SAP Access Control system>
   • Virtual Host: <Provide virtual host name>
     Note

     Only the virtual host name will be visible in the SAP Cloud Identity Access Governance subaccount.
   • Virtual Port: <Provide virtual port>
     Note

     Only the virtual instance number will be visible in the SAP Cloud Identity Access Governance subaccount.
   • Principal Type: X.509 Certificate (General Usage)
     Note

     This option is only available if you are using HTTPS as the protocol type. For HTTP protocol, you can choose between the options Kerberos and NONE.
   • Host in Request Header: Use Virtual Host
   • Description: <Any description>
   • Check Internal Host: False (unchecked)
     Note

     This is only necessary if you want to do an ad-hoc connection check. Otherwise, it can be done afterward.
7. Choose Save.
8. Add the following resource path under Resources of the previously created HTTP connection. This resource / service can be called in the SAP Access Control system by SAP Cloud Identity Access Governance:
   • URL Path:/sap/opu/odata/sap/IAG_PROVISION_STATUS_UPDATE_SRV/
   • Access Policy: Path Only (Sub-Paths Are Excluded)
9. Perform the connection check.

   After the creation of the RFC connection in Cloud Connector, you can check for a successful connection setup on the SAP Cloud Identity Access Governance subaccount navigation to Connectivity→Cloud Connectors→Exposed Back-End Systems section. The virtual host name of the created RFC connection from Cloud Connector (RFC protocol) should be visible in the Exposed Back-End Systems section with Resources status Available.

For more information, see section 6 on the SAP Help Portal: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/5c19369f0b924946abc80242ffaa2f27/9eaea31a1ec14a6297b2d4378e9e0e96.html?locale=en-US

Perform the following steps:

1. Open SAP BTP cockpit.
2. Open Subaccounts and choose your SAP Cloud Identity Access Governance subaccount tenant.
3. Navigate to Connectivity→Destinations.
4. Create a New Destination using the button.
5. Provide the following information:
   • Name: IAGProvisionStatusUpdate
   • Type: HTTP
   • Description: <Any description>
   • URL: <HTTP/HTTPS>://<Virtual host of the created HTTP connection to SAP Access Control system in SAP Cloud Connector>:<Virtual port of the created HTTP connection to SAP Access Control system in SAP Cloud Connector>/sap/opu/odata/sap/IAG_PROVISION_STATUS_UPDATE_SRV/
   • Proxy Type: OnPremise
   • Authentication: BasicAuthentication
   • Location ID: <BLANK>
   • User: <Technical RFC user (type: SYSTEM) created in SAP Access Control system for consuming the ODATA ServiceIAG_PROVISION_STATUS_UPDATE_SRV

     This is the user that you should have already created in the SAP Access Control system. For details, see section Specific Integration Prerequisites→Prerequisites for the Integration Setup Between SAP Cloud Identity Access Governance and SAP Access Control (IAG Bridge→in this lesson.

   • Password:<Password of the technical RFC user>
6. Choose Save.
7. Provide additional properties by choosing the New Property button:
   • entity: Requests
   • sap-client: <Enter specific client number of your SAP Access Control system>

For more information, see section 7 on SAP Help: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/5c19369f0b924946abc80242ffaa2f27/9eaea31a1ec14a6297b2d4378e9e0e96.html?locale=en-US

1. Open the SAP Cloud Identity Access Governance Fiori Launchpad.
2. Navigate to Administration→Applications.
3. Add a new Application by using the + button.
4. Provide the following information:
   • Application name: <Any application name>
     Note

     It is generally recommended that you use the same name for the previously created destination in SAP Cloud Identity Access Governance and the new application.
   • Description: <Any description>
   • Application Type: SAP S/4HANA On-Premise
   • HCP Destination: <Name of the created SAP Access Control destination in the SAP Cloud Identity Access Governance subaccount>
     Note

     This field is case sensitive.
5. Choose Save.

The following parameters have to be configured in the SAP Access Control system:

Perform the following steps to configure the parameters:

1. Open SAP Access Control and log in.
2. Call transaction SPRO.
3. Navigate to Governance, Risks and Compliance→Access Control→Maintain Configuration Settings.
4. Add the configuration parameters listed before these steps.
   Note

   If the required parameters are not listed in the table, create new entries and add the parameters. You can, for example, search for the parameter ID. It is the easiest way to find a parameter.
   Hint

   If possible, always use the selection button to enter a value.
5. Save.

For more information, see the SAP Help Portal: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/5c19369f0b924946abc80242ffaa2f27/23ed707ade1f40d4bc96009fba62430d.html?locale=en-US

To manage the cloud target applications in SAP Access Control, for example, to create access requests for cloud applications in SAP Access Control, you have to create dedicated SM59 destinations (Type G - HTTP Connection to External Server) for each of them.

1. Open SAP Access Control and log in.
2. Call transaction SM59.
3. Mark the entry HTTP Connections to External Server.
4. Create a new connection using the Create icon.
5. Provide the following information:

   Technical Settings

   • RFC Destination: <This name should correspond to the one listed in the Applications app in the SAP Cloud Identity Access Governance Fiori Launchpad> The connector name itself should be equal to the application name (instance) in the SAP Cloud Identity Access Governance Fiori Launchpad. Ideally, the destination name in the SAP Cloud Identity Access Governance subaccount is equal to the name of the application name (instance) as well. It is recommended that you have one consistent "target" name throughout the whole integration scenario.
   • Connection type: G
   • Description: <Any description>
   • Host: <Use one of the listed and suitable URLs from section 2d of the following SAP Help Portal page>:

     https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/5c19369f0b924946abc80242ffaa2f27/28eff9bacfed40ba874dd90991871567.html?locale=en-US

     Note

     The URL that you choose depends on your subscription (standard versus integration edition) of SAP Cloud Identity Access Governance.
   • Port: 443
   • Path Prefix: /com/sap/grc/iag/service/roleSimulationService.svc/

   Logon & Security

   • Logon with User: Do Not Use a User
   • User: <BLANK>
   • Password:<BLANK>
   • Logon with ticket: Do not Send Logon Ticket
   • SSL: Active
6. Choose Save.

For more information, see section 3 on the SAP Help Portal: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/5c19369f0b924946abc80242ffaa2f27/28eff9bacfed40ba874dd90991871567.html?locale=en-US

In order to manage all available cloud target applications in SAP Access Control, we have to set up some connector configurations as follows:

• Create connection type definition:
  • IAG (description: IAG)
  • IAG_GRP (description: IAG Bridge Systems)
• Define connectors:

  You have to create new entries for every existing cloud target application.

• Define connector groups and assign connectors to connector groups:

  You have to assign every existing cloud target application to a proper connector group.

Lets start with the creation of a connection type definition. Therefore, you have to perform the following steps:

1. Open SAP Access Control and log in.
2. Call transaction SPRO.
3. Navigate to Governance, Risks and Compliance→Common Component Settings→Integration Framework→Maintain Connectors and Connection Types. 
4. On the left-hand panel, select Connection type definition.
5. Choose New Entries.
6. Add the above listed, Connection type definitions.
7. Choose Save.
   Note

   Typically, these connection type definitions are already in place.

Continuing with the connector definition and its respective connection type definition, the following steps need to be performed in SAP Access Control:

1. Open SAP Access Control and log in.
2. Call transaction SPRO.
3. Navigate to Governance, Risks and Compliance→Common Component Settings→Integration Framework→Maintain Connectors and Connection Types. 
4. Select Define Connectors.
5. Choose New Entries.
6. For every cloud target application, you have to create a new connector entry:
   • Target Connector: <Select SM59 connector of cloud target application>
   • Con.Type: <Either choose IAG or IAG_GRP>
     Note

     It depends on the cloud application. If privileges have a group type, select IAG_GRP, for example, for SAP Ariba or SAP SuccessFactors or any other cloud applications having groups.
   • Source Connector: <Name is equal to target connector name>
   • Logical Port: <Name is equal to target connector name>
   • Max No. of Background WP: <Choose your preferred number>
     Note

     Generally, it is something between 3 and 5; the default is 3.
   • Wait Time: <Choose any wait time that matches your requirements>
     Note

     The default is <blank>.
7. Choose Save.

The last step in this configuration task is the assignment of the newly created connector to its proper connector group. If you do not create a proper connector group yet, you have to do that as well.

In general we have to maintain 2 separate connector groups (the connector group creation is similar to the standard SPRO connector configuration of SAP Access Control):

• 1x connector group for Risk Analysis
• 1x connector group for Business Role Management (BRM)

Perform the following steps for the creation of connector groups:

1. Open SAP Access Control and login.
2. Call transaction SPRO.
3. Navigate to Governance, Risks and Compliance→Common Component Settings→Integration Framework→Maintain Connectors and Connection Types.
4. Select Define Connector Groups.
5. Click New Entries to create new connector group.
6. Provide the following data:
   • Conn.Group: <Name of connector group>The name of the risk analysis connector group should be equal to the name of the appropriate Business Function Group within the SAP Cloud Identity Access Governance Fiori Launchpad.
   • Connector Group Text: <Description of the connector group>
   • Con.Type: <Select the proper connection type>
7. Save the entry.
8. Assign the newly created connectors for every cloud target application to the proper connector group by selecting the Assign Connectors to Connector Groups.
9. 1.Create new entry via respective button and provide the data:
   • Target Connector: <Name of the new connector>
   • Connection Type: <Will be filled out automatically as you have already defined the connection type for your connector>
10. Choose Save.

For more information, see the SAP Help Portal: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/5c19369f0b924946abc80242ffaa2f27/a4b43430a7e94f7aa9b436be8e348cd2.html?locale=en-US

In order to manage all available cloud target applications on SAP Access Control, we have to set up some connector configurations as follows:

Maintain connection settings.

You have to assign the following integration scenarios to every existing cloud target application: AUTH, PROV.

Perform the following steps:

1. Open SAP Access Control and log in.
2. Call transaction SPRO.
3. Navigate to Governance, Risks and Compliance→Common Component Settings→ Integration Framework→Maintain Connection Settings. 
4. Select integration scenario AUTH.
5. Mark the existing entry AUTH of Subscenario definition.
6. Choose Scenario-Connector Link.
7. Add a new entry by choosing the New Entries button.

   Target Connector: <Select SM59 connector of cloud target application>

   Note After selection of the connector, press Enter to automatically fill out the other columns of the new entry.

8. Choose Save.
9. Repeat these steps for integration scenario PROV.

In order to manage all available cloud target applications on SAP Access Control, we have to set up some connector configurations as follows:

Maintain connector settings.

You have to create new entries for every existing cloud target application.

Perform the following steps:

1. Open SAP Access Control and log in.
2. Call transaction SPRO.
3. Navigate to Governance, Risks and Compliance→Access Control→Maintain Connector Settings.
4. Add new entry by choosing the New Entries button.
   • Target Connector: <Select SM59 connector of cloud target application>
   • Appl Type: 20 (IAG)
   • Environment: <Choose the matching environment>
   • Path Id: <BLANK>
   • PSS: <BLANK>

In order to manage all available cloud target applications on SAP Access Control, we have to set up some connector configurations as follows:

Maintain mapping for actions and connector groups.

You have to create the previously created BRM connector groups in Maintain Connector Group Status

You have to maintain the specific (action) assignments for the BRM connector groups in Assign default connector to connector group

Note This is necessary if you want to build business roles containing cloud target applications.

To complete the aforementioned mentioned setup tasks, you have to perform the following steps

1. Open SAP Access Control and log in.
2. Call transaction SPRO.
3. Navigate to Governance, Risks and Compliance→Access Control→Maintain Mapping for Actions and Connector Groups. 
4. Select Maintain Connector Group Status.
5. Add new entry by choosing the New Entries button.
   Note

   Repeat these steps for every connector group that is needed.
   • Conn.Group: <Select the previously created BRM connector group>
   • Active: Active (True)
   • Appl. Type: 20 (IAG)
6. Choose Save.
7. Assign the default connector to the BRM connector group.
   • Select Assign default connector to connector group.
   • Add a new entry for actions 0001-0004 for every target cloud application by choosing the New Entries button.
     Note

     Repeat these steps for every for all BRM connector groups.
   • Save your entries.

Having all cloud application data from SAP Cloud Identity Access Governance in SAP Access Control for further processing purposes, we have to sync it from the SAP Cloud Identity Access Governance repository to the SAP Access Control repository. Therefore, we have to do the following:

Start Repository Object Sync

You have to trigger the Repository Object Synch for every existing cloud target application

Perform the following steps:

1. Open SAP Access Control and log in.
2. Call transaction SPRO.
3. Navigate to Governance, Risks and Compliance→Access Control→Synchronization Jobs→Repository Object Synch.
4. Start the Repository Object Synch as follows:
   • Select Sync Job: Profile, Role and User checked
   • Select Connector and Sync mode: <Select the specific connector of the cloud target application you want to synchronize>, Language: EN, Full Sync Mode checked
   • Advance Options: IAG Role Import checked
5. Execute the sync.
6. Repeat these steps for every existing cloud target application.

For more information, see the SAP Help Portal: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/5c19369f0b924946abc80242ffaa2f27/ae57e4b7328548ce8592d79cfd8bb436.html?locale=en-US

Schedule the following 2 job categories:

• Access Control - Risk Definition Sync: used to sync all risk related data from SAP Access Control to SAP Cloud Identity Access Governance
• Access Control - Mitigation Control Transfer: used to sync all mitigation control related data from SAP Access Control to SAP Cloud Identity Access Governance

Perform the following steps:

1. Open the SAP Cloud Identity Access Governance Fiori Launchpad.
2. Navigate to Administration→Job Scheduler.
3. Schedule the job and provide the following information:
   • Job name: <Any Job name>
     Note

     No spaces are allowed.
   • Job category: Access Control - Risk Definition Sync and / or Access Control - Mitigation Control Transfer
   • Recurring Job: Yes or No, depending on your needs
   • Start immediately: Yes or No, depending on your needs
   • Application Type: SAP Access Control
   • Application: <Previously created SAP Access Control instance in the SAP Cloud Identity Access Governance Fiori Launchpad>
4. Choose Schedule Job.
5. Check the job status in the Job History List.

For more information, see the SAP Help Portal: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/5c19369f0b924946abc80242ffaa2f27/e9c6953f5d0c43fe967668ae4c9c281b.html?locale=en-US

Having the same data basis between SAP Access Control and SAP Cloud Identity Access Governance is mandatory for a feasible integration and data exchange between both systems. SAP Cloud Identity Access Governance should know about the users and roles of the SAP Access Control connected backend systems, for example, to perform a risk analysis on any roles from connected backend systems to SAP Access Control. In such cases, the SAP Access Control calls the SAP Cloud Identity Access Governance risk analysis service. Therefore, we also have to sync the SAP Access Control repository data to SAP Cloud Identity Access Governance. We have to do the following:

Schedule the Repository Sync job in SAP Cloud Identity Access Governance

Perform the following steps:

1. Open the Identity Access Governance Fiori Launchpad.
2. Navigate to Administration→Job Scheduler.
3. Schedule the job and provide the following information:
   • Job name: <Any Job name>
     Note

     No spaces are allowed.
   • Job category: Repository Sync
   • Recurring Job: Yes or No, depending on your needs
   • Start immediately: Yes or No, depending on your needs
   • Application Type: SAP Access Control
   • Application: <Select previously created SAP Access Control system instance in the SAP Cloud Identity Access Governance Fiori Launchpad>
   • Backend System: <Select any backend system that is connected to SAP Access Control, in order to sync the repository data to SAP Cloud Identity Access Governance>
   • Delta Sync: <Can be used if the job is not initially scheduled>
     Note

     Delta mode is used to sync only new data compared to the previous sync run.
4. Choose Schedule Job.
5. Check the job status in the Job History List.

For more information, see the SAP Help Portal: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/5c19369f0b924946abc80242ffaa2f27/610a06a66eab46e9a4abd60d26ed2a2d.html?locale=en-US

The "IAG Bridge" (integration between SAP Access Control and SAP Cloud Identity Access Governance) allows you to create access requests for cloud target applications on the SAP Access Control side. Further processing and the provisioning itself will be done by SAP Cloud Identity Access Governance.

The handover of such access requests can be achieved as follows:

Schedule the Provisioning job: used to trigger the provisioning of access requests)

Steps to perform:

1. Open the SAP Cloud Identity Access Governance Fiori Launchpad.
2. Navigate to Administration→Job Scheduler.
3. Schedule the job and provide the following information:
   • Job name: <Any Job name>
     Note

     No spaces are allowed.
   • Job category: Provisioning
   • Recurring Job: Yes or No, depending on your needs
   • Start immediately: Yes or No, depending on your needs
4. Choose Schedule Job.
5. Check the job status in the Job History List.

For more information, see the SAP Help Portal: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/5c19369f0b924946abc80242ffaa2f27/7c1c41b5685e4832abf678927ec77a80.html?locale=en-US

For the mapping of various IDs, which are used for different connectors, to one unique user ID, you have to maintain and enable a master user ID in SAP Access Control. This process helps in synchronizing user mapping entries from SAP Access Control to SAP Cloud Identity Access Governance.

To achieve this, in SAP Access Control, you have to Maintain Master User ID Mapping.

Perform the following steps:

1. Open SAP Access Control and log in.
2. Call transaction SPRO.
3. Navigate to Governance, Risks and Compliance→Access Control→Maintain Master User ID Mapping.
4. To add new entries, choose the New Entries button.
5. Enter (1) name of SM59 connector (2) the user ID that is specific to this connector (3) a master user ID.
   Note

   You have to create entries for every SM59 connector that will be using the master user ID mapping.
6. Save your entries.
7. Navigate to Governance, Risks and Compliance→Access Control→Maintain Configuration Settings.
8. To insert a new configuration parameter, choose the New Entries button. This one is necessary to ensure that the mapping is enabled:
   • Param ID: 1055
   • Parameter Value: <Select the specific connector to enable the mapping>
     Note

     Insert as many entries of configuration parameter 1055 as you need; it depends on the connectors you have maintained for user mapping in the previous step.
   • Description: Connector enabled for auto User Mapping in Repository
     Note

     This is automatically populated.
9. Save your entries.

For more information, see the SAP Help Portal: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/5c19369f0b924946abc80242ffaa2f27/fca8558b03ad4aa19a29142f4ca912d5.html?locale=en-US

After defining the mapping in SAP Access Control, you have to import the user mapping entries from SAP Access Control to SAP Cloud Identity Access Governance as follows:

Schedule Access Control - User Mapping Sync Job

You to have schedule the job for every connector that is maintained within Master User ID Mapping on SAP Access Control

Perform the following steps:

1. Open the SAP Cloud Identity Access Governance Fiori Launchpad.
2. Navigate to Administration→Job Scheduler.
3. Schedule the job and provide the following information:
   • Job name: <Any Job name>
     Note

     No spaces are allowed.
   • Job category: Access Control - User Mapping Sync Job
   • Recurring Job: Yes or No, depending on your needs
   • Start immediately: Yes or No, depending on your needs
   • Application Type: SAP Access Control
   • Application: <Select the appropriate system instance of connector, which is enabled for user mapping>
   • Delta Sync: Checked/Unchecked
     Note

     Delta mode is used to sync only new data compared to the previous sync run.
4. Choose Schedule Job.
5. Check the job status in the Job History List.

When the job is completed, you can view your master user ID and the mapped user IDs in the Access Analysis app under User Access Analysis.

For more information, see the SAP Help Portal: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/5c19369f0b924946abc80242ffaa2f27/fca8558b03ad4aa19a29142f4ca912d5.html?locale=en-US