
Perform the following steps to set up the SAP Cloud Identity Access Governance - Privileged Access Management:
- Create a reason code in the Reason Code app of SAP Cloud Identity Access Governance Fiori Launchpad.
- Create a business role in the Business Roles app of SAP Cloud Identity Access Governance Fiori Launchpad.
- Create, maintain, and activate a PAM ID in the Maintain Privileged Access app of SAP Cloud Identity Access Governance Fiori Launchpad.
- Trigger the Provisioning job in the Job Scheduler app of SAP Cloud Identity Access Governance Fiori Launchpad.
Step 1: Create reason code in the Reason Code app of SAP Cloud Identity Access Governance Fiori Launchpad

Creating business-related reason codes is mandatory in this scenario, because a reason code is required to start a privileged access session from the privileged access management launchpad in ABAP systems.
Perform the following steps:
- Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
- Navigate to Administration → Request Reason.
- Create a new entry using the + button.
- Provide the necessary information:
  - Name = <Any name>
  - Description = <Any description>
  - Type = Privileged Access Session
- In the displayed section, Assigned Applications, specify which system or application can use the reason code.
  - Create a new list entry using the + button.
    You can choose only those on-premise systems that have been registered in the Applications app of SAP Cloud Identity Access Governance Fiori Launchpad.
  - Select the application that you want to assign.
  - Choose Select.
- Choose Save and Activate.
Note
Without activation, the newly created reason code will not be published to the respective application.
Step 2: Create business role in the Business Roles app of SAP Cloud Identity Access Governance Fiori Launchpad

You have to create business roles for privileged access management, which are then assigned to a dedicated PAM ID (see section Prerequisites for the setup of SAP Cloud Identity Access Governance - Privileged Access Management in this unit).
The business role and its content (technical roles with specific authorizations and transaction codes) will be used to determine the required activities for the PAM ID.
Perform the following steps to create a business role:
- Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
- Navigate to Role Designer → Business Roles.
- Create the new entry using the + button.
- Provide the necessary information:
  - Business Role = <Any name>
  - Description = <Any description>
  - Business Process = <Select an available business process from the dropdown list>
- In the Access section, add the PAM-related technical roles, which have been created in the respective target system.
  Note
  At a minimum, you have to add the roles that the PAM ID needs to perform the privileged access management session and the activities that need to be executed.
  - Choose the + button.
  - Search for the specific role(s) you want to add.
  - Use the + button to add / assign it to the business role.
  Note
  Assign as many roles as needed.
- In the Other Attributes section, enter the following:
  - Content Approvers = <Select the proper person, who should act as approver>
    Note
    You can add as many content approvers as you want. Only persons who are assigned to the specific SAP Cloud Identity Access Governance group are listed.
    The content approver will have no further tasks in the PAM process.
  - Assignment Approvers = <Select the proper person, who should act as approver>
    Note
    You can add as many assignment approvers as you want. Only persons who are assigned to the specific SAP Cloud Identity Access Governance group are listed.
    The assignment approver will have no further tasks in the PAM process.
  - (Optional): Business Subprocess = <Select an available business subprocess from the dropdown list>
  - (Optional): Criticality = <Select an available criticality from the dropdown list>
  - (Optional): Long Description = <Any long description>
- Choose Save and Activate.
Step 3: Create, Maintain and Activate PAM ID in SAP Cloud Identity Access Governance Fiori Launchpad

PAM IDs are specific users (or user accounts) that are needed to start a privileged access session. Instead of using their own user account, the PAM user (who is the end user) switches to a designated PAM ID, which is created solely for this purpose.
To create a PAM ID, perform the following steps:
- Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
- Navigate to Privileged Access Management → Maintain Privileged Access.
- Create a new PAM ID using the + button.
- Provide the necessary information:
  - Name = <Any name>
  - Description = <Any description>
  - Optional: Long Description = <Any long description>
  - Business role = <Select the previously created business role, which is designated for this new PAM ID>
  - Criticality = <Select an available criticality from the dropdown list>
  - Duration in days = <Enter the maximum number of days for which you would like to have a PAM ID>
- In the Allowed Activities section, enter the relevant activities that have to be performed by this PAM ID.
  Note
  The selectable activities are based on the assigned business role and its included technical roles. You can add as many activities as needed.
- In the Approvers/Reviewers section, select the proper person, who should act as approver and / or reviewer.
  - Approver
    - Responsible for the approval of the PAM ID to the PAM user.
  - Reviewer
    - Responsible for reviewing the log protocol.
  Note
  The approver and reviewer can be a single person. You can add as many approvers / reviewers as you want. Only persons who are assigned to the specific SAP Cloud Identity Access Governance group are listed.
- Choose Save and Activate.
Note
Without activation, the newly created PAM ID cannot be requested using access request.
Note
When a PAM ID is activated, it has the status In Process. In this status, no additional changes can be made to the data submitted. After the PAM ID is created in the respective target system, its status changes to Active (this can be done using the Provisioning job, see also next step).
Step 4: Trigger "Provisioning" Job in SAP Cloud Identity Access Governance Fiori Launchpad

When you have created and activated the PAM ID, it is not fully available in the respective target system (its status is still In Process). To make it available and switch its status to Active, you have to provision the PAM ID to the specific ABAP target system. To do so, you have to trigger the provisioning job in the SAP Cloud Identity Access Governance Fiori Launchpad.
Schedule the following job category: Provisioning, which is used to trigger the provisioning of SAP Cloud Identity Access Governance data. In this case, it is necessary to provision the newly created PAM ID to the respective target system and to finally activate it for further usage, for example, so that the end user is able to request the PAM ID through an access request.
To schedule a provisioning job, perform the following steps:
- Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
- Navigate to Administration → Job Scheduler.
- Schedule the job and provide the following information:
  - Job name: <Any Job name>
    Note
    No spaces are allowed.
  - Job category: Provisioning
  - Recurring Job: Yes or No
    Note
    The selection depends on your needs.
  - Start immediately: Yes or No
    Note
    The selection depends on your needs.
- Choose Schedule Job.
- Check the job status in Job History List.