Setting Up the Service on SAP BTP

Objective

After completing this lesson, you will be able to configure the Service on SAP BTP.

Tenant Model

Diagram demonstrating SAP Cloud Identity Access Governance - Bundle Solution

SAP Cloud Identity Access Governance is deployed in the cloud on SAP BTP and available as software as a service (SaaS), so you can access the software from any web browser through the SAP Fiori launchpad. There is no installation required.

It is always delivered together with a bundle known as "SAP Cloud Identity Services" (CIS), which includes two further services: Identity Authentication (IAS) and Identity Provisioning (IPS). Both are essential for configuring the solution successfully.

  • Tenant of Identity Authentication

    Identity Authentication is a cloud service on SAP Business Technology Platform (SAP BTP) that provides authentication, single sign-on (SSO), user management, and on-premise integration. It also offers user self-services such as registration and password reset for employees and partners.

    The service protects access to applications with features such as risk-based authentication rules, two-factor authentication, and delegated authentication to on-premise user stores and other identity providers, so that cloud-based and on-premise systems share a single authentication and user management layer.

    Users must be authenticated before they can access the applications belonging to SAP Cloud Identity Access Governance. Identity Authentication simplifies this because you can choose among various authentication mechanisms, single sign-on, on-premise integration, and self-service options.

    For more information, refer to the official documentation: https://help.sap.com/docs/IDENTITY_AUTHENTICATION/6d6d63354d1242d185ab4830fc04feb1/27882717f44b445fa287936c6f43dc1f.html

  • Tenant of Identity Provisioning

    Identity Provisioning gives customers a central place to manage the identity lifecycle for on-premise and cloud applications. It implements the System for Cross-domain Identity Management (SCIM) standard and provisions and de-provisions users and their authorizations to cloud business applications, using identity data from existing central user stores. Assignments can be policy-based, following rules that administrators define. Identity mapping across multiple data models is supported, which lets IPS act as an identity directory that stores and aggregates identity data in the cloud: it can read from several user data sources and merge the attributes from those sources before writing to the target systems.

    For a successful integration, always use the Identity Provisioning tenant that is included in the bundle.

    Note

    Not every SAP Cloud Identity Access Governance integration scenario requires IPS.

    For more information, refer to the official documentation: https://help.sap.com/docs/IDENTITY_PROVISIONING/f48e822d6d484fa5ade7dda78b64d9f5/f2b2df8a273642a1bf801e99ecc4a043.html

Service Subscription on SAP BTP

SAP Cloud Identity Access Governance 2.0 is a multi-tenant solution built on SAP Business Technology Platform (SAP BTP, Cloud Foundry environment) and the SAP HANA database. It is a service on SAP BTP that must be subscribed to, and it integrates with other SAP BTP services. SAP Cloud Identity Access Governance can connect to cloud applications (for example, SAP SuccessFactors) and to on-premise target applications.

The service is available on Amazon Web Services (AWS) and Microsoft Azure. The subaccount must be created in a region hosted by one of these providers.

The service is licensed as a separate product. When the license for SAP Cloud Identity Access Governance is obtained, a global account is set up and a suitable entitlement is assigned to it. The administrator gets access to this global account through a notification email that contains a link to it. The entitlement must then be distributed to the subaccounts in which the service is going to be consumed. Consumption of the SAP Cloud Identity Access Governance service is metered by monitored users: usage is calculated from the number of unique users that customers synchronize from their on-premise and/or cloud systems, which are the systems the service monitors.

To be able to use the SAP Cloud Identity Access Governance service, the following steps must be executed:

  • A subaccount must exist or must be created where the service is going to be subscribed.
  • The entitlement that is assigned to the global account must be defined for the subaccount and the service plan has to be added.
  • The service must be subscribed within the subaccount.

For a better understanding of the SAP BTP account model, refer to the documentation: https://help.sap.com/docs/BTP/65de2977205c403bbc107264b8eccf4b/8ed4a705efa0431b910056c0acdbf377.html

Accessing Global Account

Screenshot showing Creating a New Subaccount

When you, as an administrator, access the global account for the first time, it is empty. In order to be able to consume the SAP Cloud Identity Access Governance service, you need to create a subaccount where you will subscribe the service. The following steps describe how to do that:

  1. Log in to your global account and choose Create on the Account Explorer page.
  2. Choose Subaccount. A dialog window appears where you need to provide the details.

Creating a Subaccount for Subscription

Screenshot showing Steps in Creating a Subaccount
  1. In the Create Subaccount dialog, enter the Display Name and the description. You can change them at a later time.
  2. Review the Subdomain since it is entered automatically. Change it if necessary.

    The subdomain forms the first part of the URL visible in the browser, so it must be unique within the region where your subaccount is hosted.

    Hint

    Derive the subdomain from your corporate internet domain and the SAP Cloud Identity Access Governance plan you intend to subscribe to. The subdomain starts with a unique prefix (for example, your company name), followed by -iag- and then either test for the test plan or prod for the standard (productive) plan, for example acme-iag-test and acme-iag-prod.
  3. Choose the Region.

    The region represents the data center of a specific provider and its geographical location. See the Service Subscription on SAP BTP section above for the providers on which the service is available, or check the official documentation.

  4. Check Used for production if you are going to use SAP Cloud Identity Access Governance productively. This information is useful for the platform support and does not affect the behavior of SAP Cloud Identity Access Governance.

Note

When you purchase a variant of SAP Cloud Identity Access Governance, we recommend creating two subaccounts in your global account: one subscribed for testing and one for productive use. Follow the hint above to give the two subdomains a unique, consistent naming convention.

Configuring the Entitlement for the Subaccount

Screenshot showing Service Assignments in the Global Account

After purchasing the license for SAP Cloud Identity Access Governance, a suitable entitlement is assigned to your global account. You can find it under Entitlements → Service Assignments. However, you still need to configure the entitlement for the subaccounts you created.

Note

When you purchase a variant of SAP Cloud Identity Access Governance, you are offered both the test and the standard plan. Create two subaccounts in your global account and add exactly one service plan to each: the test plan to the test subaccount and the standard plan to the productive subaccount.

Screenshot showing Entitlement Configuration

  1. In the global account, go to Entitlements → Entity Assignments.
  2. In the Select Entities field, choose the subaccount for which you want to configure the entitlement.
  3. Choose the Add Service Plan button.

Screenshot showing Adding Service Plan

  4. Select SAP Cloud Identity Access Governance from the service list.
  5. Select a service plan.

    If you are going to use the service productively, select the standard (Application) service plan. For test purposes, select the test (Application) service plan.

  6. Choose Add Service Plan.

You can now subscribe the service in the subaccount for further consumption.

If you have several subaccounts, repeat the steps for them as well.

Subscribing the Service in the Subaccount

Screenshot showing Service Marketplace

Once you have configured the entitlement for the subaccount, navigate to that subaccount.

There, go to Service Marketplace and search for SAP Cloud Identity Access Governance.

Screenshot showing SAP Cloud Identity Access Governance

Choose the tile for SAP Cloud Identity Access Governance and choose Create in the drill-down area.

Screenshot showing Creating Service Subscription

The relevant service plan is already entered. To subscribe to this application, choose Create.

Screenshot showing Instances and Subscriptions

In Instances and Subscriptions, you can see the status of your subscription. When processing has completed and the status shows Subscribed, the tenant has been created and the role collections for SAP Cloud Identity Access Governance are available in your subaccount.

Note

Processing may take a few minutes before the service shows as Subscribed.
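The three cockpit procedures of this lesson (create the subaccount, add the service plan to its entitlement, subscribe the application) can also be run as one script with the SAP BTP command line interface (btp CLI), which makes it easy to produce the test and productive subaccounts with identical, convention-conforming names. The script below is added here as an example; it is not part of the lesson or of SAP's own material. It assumes that you are already logged in to the global account that holds the entitlement (btp login --sso) and that jq is installed. The lesson does not give the technical service and application names of SAP Cloud Identity Access Governance, so IAG_SERVICE and IAG_APP are placeholders to be filled from Entitlements → Service Assignments; the plan names test and standard follow the lesson, and the command flags and JSON field names are those of the btp CLI as I know it, so confirm them with btp --help for your CLI version.

```shell
#!/usr/bin/env bash
# Added example (not from the lesson): subaccount, entitlement and subscription
# for SAP Cloud Identity Access Governance via the btp CLI.
# Assumptions: logged in with `btp login --sso`; jq installed; IAG_SERVICE and
# IAG_APP are placeholders for the technical names shown under
# Entitlements -> Service Assignments; plan names are "test" and "standard".
set -eu

IAG_SERVICE="${IAG_SERVICE:-<technical-service-name>}"   # assumption: fill in from Service Assignments
IAG_APP="${IAG_APP:-<technical-application-name>}"       # assumption: fill in from Service Assignments

# Subdomain convention from the lesson: <unique-prefix>-iag-test for the test plan,
# <unique-prefix>-iag-prod for the standard plan. The subdomain becomes part of a
# public hostname, so only lowercase letters, digits and inner hyphens are accepted.
iag_subdomain() {
  local prefix="$1" plan="$2" suffix
  case "$plan" in
    test)     suffix=test ;;
    standard) suffix=prod ;;
    *) echo "unknown plan '$plan' (expected test or standard)" >&2; return 1 ;;
  esac
  if ! printf '%s' "$prefix" | grep -Eq '^[a-z0-9]([a-z0-9-]*[a-z0-9])?$'; then
    echo "invalid subdomain prefix '$prefix'" >&2; return 1
  fi
  printf '%s-iag-%s\n' "$prefix" "$suffix"
}

# GUID of the subaccount with the given subdomain (empty if it does not exist yet).
subaccount_guid() {
  btp --format json list accounts/subaccount \
    | jq -r --arg s "$1" '.value[] | select(.subdomain == $s) | .guid'
}

# Step 1: subaccount, Step 2: entitlement, Step 3: subscription. Talks to SAP BTP.
provision_iag() {
  local prefix="$1" plan="$2" region="$3" subdomain prod_flag guid state
  subdomain="$(iag_subdomain "$prefix" "$plan")"
  if [ "$plan" = standard ]; then prod_flag=true; else prod_flag=false; fi

  # Step 1: display name and description can be changed later, the subdomain cannot.
  # --used-for-production is informational for platform support, as the lesson says.
  btp create accounts/subaccount \
    --display-name "SAP IAG ${plan}" \
    --subdomain "$subdomain" \
    --region "$region" \
    --used-for-production "$prod_flag" \
    --description "SAP Cloud Identity Access Governance (${plan} plan)"

  # Subaccount creation is asynchronous: wait until it is listed, then take its GUID.
  guid=""
  while [ -z "$guid" ]; do sleep 5; guid="$(subaccount_guid "$subdomain")"; done

  # Step 2: exactly one plan per subaccount. --enable because application plans
  # are switched on rather than assigned as a quota.
  btp assign accounts/entitlement \
    --to-subaccount "$guid" --for-service "$IAG_SERVICE" --plan "$plan" --enable

  # Step 3: subscribe with the same plan that was entitled above.
  btp subscribe accounts/subaccount --subaccount "$guid" --to-app "$IAG_APP" --plan "$plan"

  # Poll until the subscription reaches SUBSCRIBED (the lesson notes this takes minutes).
  while :; do
    state="$(btp --format json list accounts/subscription --subaccount "$guid" \
      | jq -r --arg a "$IAG_APP" '.applications[] | select(.appName == $a) | .state')"
    [ "$state" = SUBSCRIBED ] && break
    case "$state" in SUBSCRIBE_FAILED) echo "subscription of $subdomain failed" >&2; return 1 ;; esac
    sleep 30
  done
  echo "$subdomain ($guid) is subscribed with plan $plan"
}

# Usage: ./iag-subscribe.sh --run <prefix> <test|standard> <region>, e.g.
#   ./iag-subscribe.sh --run acme test eu10
#   ./iag-subscribe.sh --run acme standard eu10
if [ "${1:-}" = "--run" ]; then
  provision_iag "$2" "$3" "$4"
fi
```

Only iag_subdomain runs offline; everything that talks to SAP BTP sits behind --run, so the naming check can be exercised without touching an account. Log in with btp login --sso or a browser-based login rather than passing --password on a command line that ends up in shell history, and run the script once per plan so each subaccount receives exactly one service plan, as the note above requires.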

The right role collections must be assigned to users to provide the right authorizations. This is described in the following sections.

When you have the proper authorizations, choose the Go to Application button to open the SAP Cloud Identity Access Governance Launchpad.

Note

End users of SAP Cloud Identity Access Governance cannot reach the launchpad through the subscription screen in the SAP BTP cockpit, because they do not work in the cockpit. Copy the application URL shown there and save it, so that you can communicate it to them.

For more information, see the official documentation: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/e12d8683adfa4471ac4edd40809b9038/76f596f074c34737aa70e1307050fdcf.html