Describing SAP Cloud Identity Access Governance


After completing this lesson, you will be able to:

  • Describe SAP Cloud Identity Access Governance

SAP Cloud Identity Access Governance

SAP Cloud Identity Access Governance is a leading platform that provides comprehensive security solutions for businesses. Designed to safeguard and streamline your operations, it is currently composed of five core components: Access Analysis, Role Design, Access Request, Access Certification, and Privileged Access Management. Access Analysis evaluates risk using predefined rules; Role Design supports the creation and maintenance of business roles in your systems; Access Request enables users to apply for access to applications in both on-premise and cloud-based systems; Access Certification reviews existing access; and Privileged Access Management consolidates and reviews privileged-access logs, with automated log assessment to detect fraud.

Together, these five services create a robust system to effectively manage user access, helping you align IT operations with business objectives securely and efficiently.

The following lesson delves deeper into the solutions provided through SAP Cloud Identity Access Governance.

Access Analysis

The Access Analysis service is designed to provide real-time compliance analytics on risk and compliance-related activities. It provides functionality similar to SAP Access Control, but delivered as a service. Key features and benefits:

  • Delivers insight into segregation of duties (SoD) and critical access for on-premise and cloud solutions.
  • Built-in risk scoring.
  • Provides configurable and predefined access policies and rules.
  • Enables refinement of assignments to optimize user access for security and compliance.
  • Allows management of controls including integrated control monitoring and testing.
  • Enables preconfigured audit reporting.

Access Analysis checks which risks the access held by your users and employees poses to your organization's data. You can run it for the whole company or for individual users, and you can customize how the results are presented to make them easier to understand. It detects risks using predefined rules. After the analysis runs, it shows these risks, and you can then adjust who has access to what in order to limit them.

The overall risk picture is shown in the Access Analysis Overview. For individuals, there is the User Access Analysis dashboard, which shows the specific risks related to a particular user. It also tells you which risks have already occurred and gives two scores that reflect how risky the user's access is.

The Access Compliance score tells you how many risks remain unhandled for a particular user. The Access Effectiveness score, on the other hand, compares the access a user has with how they actually use it: if a user holds access that they are not using, this score decreases.

You can change user access directly within the User Access Analysis dashboard. For example, you can address identified risks by following the system's suggestions, or you can remove access that is not necessary or appropriate. These changes are always recorded so that they can be checked later. All required actions are then handed over for provisioning: once you have decided what access a user should have, the system puts it into effect.
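To make the rule-based risk detection and the two per-user scores described above concrete, here is an added illustration (not SAP's code or scoring algorithm): SoD rules, role-to-function mappings, usage data and the scoring formulas are all constructed assumptions for this example.

```python
"""Constructed SoD risk analysis with an Access Compliance and an Access
Effectiveness score. Rules, roles, usage data and the scoring formulas are
assumptions for this illustration, not SAP's implementation."""
from dataclasses import dataclass, field

# Predefined SoD rules: a risk fires when one user holds every listed function.
SOD_RULES = {
    "P001": {"CREATE_VENDOR", "PAY_VENDOR"},       # constructed rule
    "P002": {"POST_JOURNAL", "APPROVE_JOURNAL"},   # constructed rule
}

# Business role -> technical functions it grants (constructed).
ROLE_FUNCTIONS = {
    "AP_CLERK": {"CREATE_VENDOR", "POST_JOURNAL"},
    "AP_MANAGER": {"PAY_VENDOR", "APPROVE_JOURNAL"},
    "REPORTING": {"VIEW_REPORTS"},
}

@dataclass
class UserAccess:
    user: str
    roles: set
    used_functions: set                          # taken from usage logs (constructed)
    mitigated: set = field(default_factory=set)  # risk IDs covered by a documented control

def functions_of(access):
    """All technical functions the user's roles grant."""
    return set().union(*(ROLE_FUNCTIONS[r] for r in access.roles))

def find_risks(access):
    """IDs of rules whose conflicting functions are all held by the user."""
    held = functions_of(access)
    return sorted(rule for rule, funcs in SOD_RULES.items() if funcs <= held)

def compliance_score(access):
    """100 when no unmitigated risk remains; each open risk costs an equal share."""
    risks = find_risks(access)
    if not risks:
        return 100
    open_risks = [r for r in risks if r not in access.mitigated]
    return round(100 * (1 - len(open_risks) / len(risks)))

def effectiveness_score(access):
    """Share of granted functions actually used; unused access lowers the score."""
    held = functions_of(access)
    return round(100 * len(held & access.used_functions) / len(held)) if held else 100

def remove_unused_roles(access):
    """Suggested remediation: drop roles none of whose functions were ever used."""
    keep = {r for r in access.roles if ROLE_FUNCTIONS[r] & access.used_functions}
    return UserAccess(access.user, keep, access.used_functions, access.mitigated)
```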

Role Design

SAP Cloud Identity Access Governance's innovative Role Design Service aids in the creation, optimization, and maintenance of business roles extending to both on-premise and cloud-based systems. This cohesive service offers an integrated approach, which promotes efficiency in designing and managing business roles.

A core strength lies in its ability to link access analysis results to the role design process. With this feature, the relevant risk data is displayed within the Business Role definitions, where it can be assessed to ensure alignment with corporate policies while accommodating user access requirements.

Significantly, SAP has incorporated machine learning into their role design services. Utilizing SAP Fiori-based tools, the application supports bottom-up business role designs, facilitated by advanced machine-learning algorithms. This union enhances the effectiveness of role reengineering processes, optimizing business role design and functionality.

Importantly, the Role Design Service ensures consistent compliance of business roles with organizational policies. This is further augmented by an integrated reconciliation process, established to maintain the consistency of business roles across various platforms.

The ability to seamlessly interlace the access analysis and role design is particularly valuable, providing a systematic approach to governing access and managing roles. Consequently, SAP Cloud Identity Access Governance's Role Design service serves as an advanced solution to facilitate effective and dynamic role management within your organization.

Access Request

The Access Request Service is an important tool that provides users the ability to request access to applications that are necessary for their work. This applies to both systems on the organization's own network, known as 'on-premise,' and those that are based on the internet, known as 'cloud-based' systems.

Using an easy, user-friendly access request interface, users can submit their requests for system access. The interface is simple and intuitive, with built-in guides that assist users through the process and advanced search and filtering capabilities that streamline their requests. This makes the process quicker, more efficient, and more user-friendly.

One of the essential features of the Access Request Service is its ability to provision and deprovision approved access. In simple terms, it grants access (provisioning) when a request is approved and removes it (deprovisioning) when access is denied or no longer needed. This feature adds a significant layer of security.

To ensure transparency and security, each access request maintains a detailed audit log. This audit log provides a thorough record of all actions and processes related to each access request, an important feature for administrative review and for maintaining accountability.

The key features and benefits of the Access Request Service can be boiled down to the following points:

  1. Self-service access-request forms with built-in guides and data-driven filters: The system is user-centric with a heavy focus on ease of use and efficiency.
  2. Auditable access-request workflow: The system allows for audit trails, enabling accountability and providing a reliable record of activities.
  3. Integrated, compliant user-provisioning process: The system complies with standard protocols, maintaining the security and efficiency of granting and denying access.
  4. Integration with cloud apps: The system is adaptable, being fully functional and efficient with applications located on the cloud. This provides comprehensive benefits for organizations employing cloud computing.

Access Certification

SAP Cloud Identity Access Governance's access certification service is a cutting-edge cloud-based solution designed to enhance your data and access control operations. Whether you're operating on a local server network ('on-premise'), or leveraging internet-based ('cloud') systems, this service is designed to manage and streamline the periodic assessments and confirmation of access rights to your business applications.

The service provides an integrated strategy to design and manage certification campaigns, offering an optimized process for conducting regular certification reviews for your network access. By harmonizing the certification process, the service ensures the efficiency of your operations by decreasing the complexity typically involved in such crucial processes.

The service is efficient in certifying a variety of roles, ranging from single and composite roles to business roles and profiles. Even static groups within SAP SuccessFactors can benefit from this periodic review process.

One of the principal advantages of the service lies in its ability to conduct periodic access reviews automatically. This automation significantly helps in managing access efficiently and aligning access rights with the changing needs and dynamics of an organization.

The service also allows bespoke reviews tailored to meet the distinct requirements of an organization. Irrespective of the scale, whether you're conducting a modest department-level review or orchestrating a large-scale company-wide reassessment, the certification service is versatile enough to support it.

Managing the review process becomes easier with the service. It provides a mechanism to keep track of the ongoing review processes and adjust workflows as and when necessary.

For improved visibility and informed decision making, the service offers data-driven views of the review process. This feature empowers you with insights derived from the data collected during access review processes, thereby enhancing the efficiency and effectiveness of your access governance.

Privileged Access Management

Privileged Access Management (PAM) is a crucial tool in enforcing your company's standards for managing emergency access. It offers a practical approach to administer who is granted privileged, or emergency, access to your systems and applications.

With PAM, users have the ability to independently send requests for emergency access. Such functionality paves the way for a prompt response in urgent situations, allowing work continuity without compromising security.

Moreover, PAM provides approvers, reviewers, and security personnel with the ability to review these emergency access requests. This collaborative approach ensures that any granted access aligns with the company's security protocols, enhancing the oversight in critical access decisions.

Importantly, PAM empowers compliance personnel to periodically conduct audits of usage and logs. This ensures ongoing examination of system access in accordance with the company's security policy, enabling regulatory compliance and mitigating potential risks.

The key features and benefits of the PAM include:

  1. Administration of privileged user accounts for on-premise NetWeaver systems: This feature underscores the capability of PAM in managing key user accounts within your company's local network systems.
  2. Temporary use of elevated permissions: PAM provides a mechanism for granting short-term access with elevated permissions, addressing emergency needs carefully without causing potential lasting security risks.
  3. Integrated session tracking: PAM keeps a record of all user sessions, providing a clear audit trail that can be traced back for any necessary reviews or investigations.
  4. Workflow-based activity review: By aligning activity reviews with specific workflows, PAM enables a structured process for monitoring and managing access rights, enhancing efficiency and oversight.
  5. Machine Learning (ML)-based anomaly detection: PAM leverages advanced ML algorithms to analyze user behavior and identify anomalies. This intelligence layer helps detect possible threats or breaches, ensuring robust security.
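The temporary elevated permissions, integrated session tracking and workflow-based review listed above can be pictured with this added example (not SAP's code): a time-boxed emergency-access grant, the sessions recorded against it, and a review that flags sessions with no approved request or outside the approved window. Field names, the four-eyes check and the sample data are assumptions made for the illustration.

```python
"""Constructed model of PAM emergency access: approved, time-boxed grants,
tracked sessions, and a review step that surfaces what needs attention.
Names, fields and the self-approval rule are assumptions, not SAP's design."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class EmergencyGrant:
    grant_id: str
    user: str            # requester who will use the privileged account
    privileged_id: str   # the privileged (emergency) account being granted
    approver: str
    valid_from: datetime
    valid_to: datetime

@dataclass(frozen=True)
class Session:
    privileged_id: str
    user: str
    start: datetime
    end: datetime
    actions: int         # number of logged activities in the session

def approve_grant(grant_id, user, privileged_id, approver, start, hours):
    """Approval produces a grant that expires after a fixed number of hours.
    Requester and approver must differ (constructed four-eyes rule)."""
    if approver == user:
        raise ValueError("requester may not approve their own emergency access")
    return EmergencyGrant(grant_id, user, privileged_id, approver,
                          start, start + timedelta(hours=hours))

def covers(grant, session):
    """True when the whole session lies inside the grant's validity window."""
    return (grant.user == session.user
            and grant.privileged_id == session.privileged_id
            and grant.valid_from <= session.start
            and session.end <= grant.valid_to)

def review_sessions(grants, sessions):
    """Return (session, finding) pairs a reviewer must look at."""
    findings = []
    for s in sessions:
        matching = [g for g in grants
                    if g.user == s.user and g.privileged_id == s.privileged_id]
        if not matching:
            findings.append((s, "no approved request"))
        elif not any(covers(g, s) for g in matching):
            findings.append((s, "outside approved window"))
    return findings
```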


In this lesson, you were provided with an overview of the SAP Cloud Identity Access Governance. This overview introduced you to the three software services in this area: Access Analysis, Role Design and Access Request. You were also provided with an overview on Access Certification and Privileged Access Management. Below is a summary of the key functions within the SAP Cloud Identity Access Governance:
