IAM

Identity and Access Management

SAP IDM

The classic from the SAP world. The end of the SAP NetWeaver platform also heralds the end of SAP IDM 8.0.
The maintenance phase ends in 2027 with the option to extend until 2030.
SAP will not provide an official IDM successor.

So, it’s a bit long in the tooth, but still going strong. Of course, we will continue to advise you on the solution and will not let you down.

SAP GRC + SAP IAG

There are many IAM solutions and even more promises and colorful, attractive images. Ultimately, they all offer the same functionality and all have different areas for improvement. It will never be possible to do without in-house developments entirely, regardless of what is promised. That is why we rely on the “tried and tested” and remain in the SAP world. We asked ourselves: why not use SAP GRC and, if it is already available in the company, expand it into an IAM tool? After all, all the tools, such as HR master data system connection, role requests, workflows, automated role assignment, approval processes, risk analyses, etc., are on board. With a little effort, a SCIM connector is also possible, opening up all modern business web apps such as Ariba, Concur, SAP IPS, SAP IAS, etc.

Pro:

  • Extensive workflow design possible with BRF+ and MSMP
  • SoDs and critical authorization checks in the standard
  • Role application process
  • Emergency user process
  • Backend and business role management

Cons:

  • SAP GRC 12.0 does not have a SCIM connector in the standard version
  • Risk assessment is limited to SAP systems
  • Old SAP look and feel (NWBC in GRC 12.0)
  • Connecting Microsoft cloud apps: no MS Graph API implemented in the standard

And what does SAP IAG do now?
Provocative statement: not much at the moment.
If you expand the current SAP GRC 12.0 with a SCIM connector, you have everything you need.
The IAG Bridge only creates the connection from the “local” GRC to IAG (SaaS), which actually only manages roles in the cloud applications and transfers them to SAP IdDS (Identity Directory Service) for provisioning, which distributes the roles (groups) using SAP IPS (Identity Provisioning Service).
That is everything the SCIM-enabled “local” GRC can also do directly.