Setting up the Access Request Service

In general, there are 3 mandatory setup steps that have to be performed to enable the Access Request Service in SAP Cloud Identity Access Governance:

1. Maintain Access Request Reason Codes

   In order to successfully create an access request you have to create and maintain proper reason codes, which can be used. As reason code is a mandatory field in the access request submission form, it is crucial to have them available.

2. Maintain Access Request Priority

   In order to successfully create an access request you have to create and maintain proper priority codes, which can be used. As priority code is a mandatory field in the access request submission form, it is crucial to have them available.

3. Schedule Provisioning Job

   To trigger the provisioning of finally processed and approved access requests, you have to schedule the proper Provisioning Job through the Job Scheduler app in SAP Cloud Identity Access Governance Fiori Launchpad (FLP).

   This job is used to start the provisioning of all approved access requests and assign the relevant roles, groups and authorizations to the users in the respective target applications. Other possibilities to trigger the provisioning are not available. The job catches all approved requests and start the provisioning, hence you are not able to pick specific access requests and start the provisioning. It follows the all or nothing principle.

   Therefore, it is recommended that you schedule the job on a recurring basis as only this provisioning option is offered.

To create access requests, you have to setup the mandatory master data, which is used in the request submission form. One of the master data are the access request reason codes.

The creation of access request reason codes can be performed in the following app:Request Reason

The steps to perform are as follows:

1. Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
2. Navigate to Administration→Request Reason.
3. Create a new entry using the + button.
4. Provide the necessary information:
   • Name = <Entry any name>
     Note

     No spaces are allowed.
   • Description = <Enter any description>
   • Type = Access Request
5. Choose the Save and Activate button.
   Note

   Without activation, the reason code cannot be selected in the access request submission form. In case you want to deactivate a reason code, you have to select it from the list and choose Deactivate.

For more information, see SAP Help: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/83f383d3123c4f57b036d2707ec2e730/472c41769e25482996f2440c054ec6a1.html?locale=en-US

To create access requests you have to setup the mandatory master data, which is used in the request submission form. One of the master data are the access request priority.

The creation of access request reason codes can be done in the following app:Access Request Priority

The steps to perform are as follows:

1. Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
2. Navigate to Administration→Access Request Priority.
3. Create new entry using the + button.
4. Provide the necessary information:
   • Name = <Entry any name>
     Note

     Entry has to be a number. No spaces are allowed.
   • Description = <Enter any description>
   • Long Description = <Enter any long description (optional)
5. Choose the Save button.
   Note

   The created priority will not be automatically in active state, therefore it has to be activated afterward. In case you want to deactivate a priority code, you have to select it from the list and choose Deactivate.

For more information, see SAP Help: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/83f383d3123c4f57b036d2707ec2e730/a004fe6dc6b24e4a8cf1ea6b16ae821e.html?locale=en-US

To trigger the provisioning of all approved access requests, you have to schedule the proper Provisioning Job through the Job Scheduler app in SAP Cloud Identity Access Governance Fiori Launchpad (FLP).

Schedule the following job category:Provisioning(used to start the provisioning of approved access requests in all connected target systems)

The steps to perform are as follows:

1. Open the SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
2. Navigate to Administration→Job Scheduler.
3. Schedule the job and provide the necessary information:
   • Job name = <Any Job name>
     Note

     No spaces are allowed.
   • Job category = Provisioning
   • Recurring Job = Yes or No
     Note

     Recurrence depends on your needs, but it is recommended to set it up as recurring job.
   • Start immediately = Yes or No
     Note

     Start time depends on your needs.
4. Choose Schedule Job.
5. Check the job status in the Job History List.

More information about job scheduling can be found on SAP Help: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/9621f10c676c497a8355b7e36053e837/298b6cd1945e444c9959e991fea2ada1.html?locale=en-US

The SAP Cloud Identity Access Governance has introduced a concept named USERID Mapping, which enables the opportunity to allow a mapping of different user ids across different applications.

You have to think about the following use case, which will cause problems and inconsistencies if it is not handled properly.

Scenario: Your connected applications have a highly heterogeneous user ID naming convention and you want to assign several roles to a specific user across the whole landscape.

Problem: The user has different IDs across the landscape. The user ID selected in SAP Cloud Identity Access Governance differs from other applications and does not match the user IDs in the applications

If you are going to trigger the access request without having proper a USERID mapping and utilize one unique master user ID, then a new user will be created, due to the system logic: "Create user if it does not exist".

The mapping of those IDs to one master ID is crucial to narrow down the overall variety of different IDs.

The same problems occurs, if you want to trigger (cross-system) risk analysis. In this case, an SOD conflict comes from the combination of authorizations on different systems where the user has different user IDs. To prevent those, you have to have a USERID mapping defined.

In general, the functionality of USERID mapping in SAP Cloud Identity Access Governance provides 2 options:

1. You can either manually upload files that include the main users and their mapped user IDs for associated applications.
2. Or you can run repository sync jobs, after which data automatically matches you with the main data source system - for instance, Identity Authentication, using SAP Global User ID and / or email.

In the above figure, The Concept of USERID Mapping, you see an example on how the USERID mapping works and it also shows you the steps how to down- and / or upload the appropriate template to perform one of the mapping options.

On the left side, you can see the mapping example, whereas the right side depicts how to get the template and what it looks like.

In the following, we are going to explain the example and how the mapping works:

1. Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
2. Navigate to Reports→User ID Mapping.
3. On the result list, you can see one filtered entry named "USER_IAG". This entry contains one additionally mapped user ID.
4. Select the entry to navigate further to the details view.
5. On the details view, you can see that the entry "USER_IAG" has one mapped user ID "test@sap.com", which is used in the application "SAC_SEC_CONS". The Master User ID comes from the IAS.
6. In case you want to create an access request for the user "USER_IAG" and assign more roles in the application "SAC_SEC_CONS", the provisioning of those roles will be successful, although its user account differs from its original user ID. The mapping ensures that the provisioned roles are assigned to its user account "test@sap.com" in the application "SAC_SEC_CONS".

The download and upload of the mapping template works as follows:

1. Open the SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
2. Navigate to Reports→User ID Mapping.
3. Choose the Upload User ID Mapping button.
4. Select Download Template to get the master template (a CSV file, which can opened and edited in Microsoft Excel) for USERID mapping.
5. To upload the filled template, you have to choose Browse, select the template file, and choose the Upload & Process button.

For more information, see SAP Help: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/9621f10c676c497a8355b7e36053e837/1153c656ce164287bd54acf8f6e225a3.html?q=USERID&locale=en-US

The Access Request Service offers one configuration parameter, which can be used to enable the opportunity to allow requestors to approve access requests for others.

A requestor can approve requests for others which they have created themselves if the parameter value is set to "YES". The default value of this configuration parameter is "NO", thus the option is disabled. If you want activate it, you have to manually switch the parameter value.

The only possible values are "YES" and "NO" - other values are not supported.

The enablement of this opportunity for access request approvals can be done in the following app:Configuration

The steps to perform are as follows:

1. Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
2. Navigate to Administration→Configuration.
3. Select the entry Application Parameters.
4. Choose the Edit button to switch in change mode.
5. Change the value of the Requestor Approval = YES / NO.
6. Choose the Save button.

For more information, see SAP Help: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/e12d8683adfa4471ac4edd40809b9038/4906bff90a97424aa84abcbf18a971a0.html?q=Requestor%20Approval&locale=en-US