
The SAP Cloud Identity Access Governance Access Certification Service is a cloud solution that lets managers and/or designated reviewers periodically review and certify access rights within applications and systems in the cloud and on-premise. The validation ensures that users have the access they need to perform their job function and that access that is not needed is removed. Access certification is required for proper compliance and security risk management. The service enables integrated processes for designing and managing certification campaigns while reducing complexity in processing periodic certifications by automating compliance and audit requirements.
This review process can be carried out for profiles, single roles, composite roles, business roles, and SAP SuccessFactors static groups.
Campaign administrators begin the process by deciding which users, access, and systems they want to review, for example, based on a department. Administrators also decide the frequency of an access certification campaign, for example, quarterly. In the next step, the scope of the campaign is selected, which includes the set of users, access, and systems that should be reviewed. In addition, a workflow template for the review process is chosen. When all review steps defined in the workflow template are finished, users' access is updated and the campaign is closed.
The Access Certification section in the SAP Cloud Identity Access Governance Fiori Launchpad contains tiles to create campaigns and manage active campaigns. In addition, there is a Campaign Reviewer Inbox where the assigned reviewer receives requests. The last two tiles provide the log views for the Access Certification Audit Log and the Access Certification Campaign Log.

As a prerequisite for using the Access Certification Service, the target system must already be connected to SAP Cloud Identity Access Governance (IAG) and the required master data should be set up. For more information, see https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/e12d8683adfa4471ac4edd40809b9038/e0a7486876aa42ae996ebf656be07b95.html
In addition, the relevant user groups must be created in the SAP Cloud Identity Authentication Service (IAS), so that users are able to use the apps and functions assigned to their role. For more information, refer to the following resources:
- Maintain Users and User Groups in Identity Authentication for the Access Certification Service:
- SAP Note 2806443: https://launchpad.support.sap.com/#/notes/2806443
- Check Pre-Delivered Role Collections on SAP BTP if needed.
In Identity Authentication, contact information such as email address and manager information should be maintained, so that the reminder functionality can be used.
Note