In general, there are 2 mandatory setup steps that have to be performed to enable the Access Analysis Service in SAP Cloud Identity Access Governance:
- Assignment of connected target systems (applications) to their respective business function groups
If you have ordered the default rulesets using SAP Support, you have to maintain the proper assignments between connected target systems and the default business function groups.
Without any assignments you will not be able to calculate risks, because business function groups are mapped to application type specific risk rulesets (or in case of cross system risks, Business Function Groups are mapped to cross application rulesets). Missing system assignments to business function groups lead to an empty risk analysis result as no application will be analyzed.
- Scheduling of Access Analysis Job
To trigger and generate any risk data, you have to schedule the proper Access Analysis Job using the Job Scheduler app in SAP Cloud Identity Access Governance Fiori Launchpad (FLP). This job is used to start analyzing potential risks either on user or role level.
Other possibilities to trigger an access analysis (for example, ad-hoc analysis) are not available. If you want to re-analyze new users or roles, which have been synchronized to SAP Cloud Identity Access Governance, you have to trigger the job again.
Hint
Therefore, we recommend that you schedule the job on a recurring basis as only this offline analysis will be offered.
Details on how to assign systems (applications) to business Function Groups or how to schedule the Access Analysis Job can be found on the next pages.
Before triggering the Access Analysis job, you have to maintain the proper assignments between connected target systems and the default business function groups.
To maintain the assignment, perform the following steps:
- Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
- Navigate to Administration→Business Function Groups.
- Select proper business function group from the list.
- Choose applications to assign to the business function group.
- Choose the + button.
- Search for the application and select it using the checkbox.
- Choose Select to assign the selected application to the business function group.
Note
You can add as much applications as needed. The selectable applications are based on the already connected target systems to SAP Cloud Identity Access Governance. - Choose Save.
More information about business function groups can be found on SAP Help: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/9621f10c676c497a8355b7e36053e837/6317a693601941be8e2e0cf7c7e8f78a.html?locale=en-US
To trigger and generate any risk data, you have to schedule the proper Access Analysis Job using the Job Scheduler app in SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
Schedule the job category, Access Analysis, to run the access analysis on the user and role level for all connected target systems.
Perform the following steps:
- Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
- Navigate to Administration→Job Scheduler.
- Schedule job and provide the necessary information:
- Job name = <Any Job name>
Note
No spaces allowed. - Job category = Access Analysis
- Recurring Job = Yes or No
Note
Recurrence depends on your needs, but it is recommended to set it up as recurring job. - Start immediately = Yes or No
Note
Start time depends on your needs.
- Job name = <Any Job name>
- Finally, choose Schedule Job.
- Check job status in Job History List.
More information about job scheduling can be found on SAP Help: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/9621f10c676c497a8355b7e36053e837/298b6cd1945e444c9959e991fea2ada1.html?locale=en-US