Before describing the details of SAP Cloud Identity Access Governance, we will outline the differences between SAP Access Control and SAP Cloud Identity Access Governance.
SAP Cloud Identity Access Governance is a cloud solution running on the SAP Business Technology Platform (BTP). It is a counterpart to SAP Access Control, but it does not replace SAP Access Control. It offers similar capabilities for a broader environment (cloud), with some overlapping functions.
For example, SAP Cloud Identity Access Governance can run a risk analysis against on-premise applications (similar to SAP Access Control), and it offers firefighting capabilities through Privileged Access Management (PAM) for on-premise systems (for example, SAP ERP and SAP S/4HANA).
Additionally, SAP Cloud Identity Access Governance can connect to both cloud and on-premise applications. For the integration with on-premise applications, the Cloud Connector is used. The Cloud Connector is located on the intranet (the customer network) as an on-premise agent and establishes connectivity between the SAP Business Technology Platform (internet), on which SAP Cloud Identity Access Governance is running, and the target system (intranet).
The following table shows a high-level comparison of the modules and their core functionalities.
High-Level Comparison of SAP Cloud Identity Access Governance and SAP Access Control
| SAP Access Control: Module | SAP Access Control: Function | SAP Cloud Identity Access Governance: Module | SAP Cloud Identity Access Governance: Function |
|---|---|---|---|
| Access risk analysis (ARA) | Access analysis for on-premise systems, ruleset management | Access analysis | Access analysis for on-premise and cloud, limitation for simulation of users and roles, ruleset management |
| Business role management (BRM) | Role management and business roles | Role design | Business roles for hybrid landscapes |
| Access request management (ARM) | Fully customizable and extendable access request workflows | Access request | Predefined set of workflows with limited configuration capabilities |
| Emergency access management (EAM) | Firefighter for on-premise SAP systems (for example, ABAP-based systems, SAP HANA database) | Privileged access management | Firefighter for ABAP systems |
| User access review (UAR) and SOD risk review | Customizable UAR and SOD risk review workflows through ARM | Access certification | Campaigns with predefined workflow templates to review user access |
Even though SAP Cloud Identity Access Governance is not officially the direct replacement for SAP Access Control, it might serve that purpose for some customers, depending on requirements. For many customers considering access governance solutions, or for those moving from a third-party solution to SAP, SAP Cloud Identity Access Governance might offer all that is needed. SAP Cloud Identity Access Governance is capable of covering the most relevant use cases, not only for the on-premise world but also for the cloud (including access risk analysis and access provisioning).
The user interface (UI) for SAP Cloud Identity Access Governance is SAP Fiori, which is the standard UI for SAP’s cloud services. SAP Fiori apps are also available for SAP Access Control. However, SAP Access Control still comes with the SAP NetWeaver Business Client (NWBC), which is the preferred UI of most administrators. Furthermore, some of the SAP Fiori apps are still the "old" Web Dynpro applications that we know from the NWBC. The user experience is similar in both tools when using SAP Fiori.


