SAP GRC framework has a new buzzword - IAG, or Identity and Access Governance. Many of us have heard about this for the past couple of years, but are unsure of its capabilities. The purpose of this blog is to explain what IAG is and how it differs from Access Control solution. There are even answers to a few frequently asked questions in it.
The SAP Cloud IAG service was introduced in 2018/19 as a public cloud offering from SAP. This application is based on SAP Business Technology Platform (SAP BTP), and uses SAP NetWeaver APIs to fetch data from on-premise and cloud solutions. IAG offers the following services:
Q) What is the difference between IAG and Access Control when both provide the same services?
While both the solutions offer the same services, the difference is that IAG is completely that it is on Public Cloud. It is not available either as on-premise or Private cloud solution. The below table lists few of the differences between IAG and Access Control:
Q) Is IAG a replacement to SAP GRC Access Control?
As detailed by Thomas Frenehard in his GRC Tuesdays blog, SAP is releasing a new version of its GRC platform: SAP GRC edition for SAP HANA. This product is planned for release in Q1 2026 and will replace SAP's existing platform of v12.0 that includes SAP GRC Access Control, Process Control, and Risk Management. Clearly, IAG is not intended to replace GRC Access Control, but could serve as a complementary solution to those who prefer cloud-based access control.
Q) In the event that I have on-premise Access Control, how do I connect to Cloud systems such as Ariba, SAC, Success Factors? Are they limited to the IAG Cloud?
Actually, you still have options! You can utilize the IAG Bridge scenario to establish a connection between the SAP Access Control 12.0 on-premise system and cloud applications. In the case of Cloud IAG, it provides support for both cloud and on-premise applications. In terms of licensing, you don’t have to have extra licenses for Access Control.
Q) What are the limitations in Cloud IAG where compared to Access Control with respective to Access Risk Analysis and management?
The Cloud IAG has evolved continuously since its inception. There are, however, some limitations to it. Here are some differences/limitations:
Q) What is IAG Bridge scenario?
The IAG Bridge scenario is used when the Access Control 12.0 system needs to establish a connection with cloud systems like Ariba, SuccessFactors, and others. In this scenario, both solutions are necessary, with the majority of activities being performed in Access Control. The role of IAG is primarily to facilitate the connection between Access Control and the cloud systems. Its purpose is to enable seamless communication and integration between the on-premise Access Control system and the various cloud applications.
Q) Which is the best option? Cloud IAG or Access Control?
Directly comparing solutions is not a straightforward and recommended approach. Each solution has its own set of advantages and disadvantages. When selecting a solution, it is crucial to consider an organization's specific requirements and priorities. What works well for one enterprise may not necessarily be suitable for another. Therefore, it is vital to thoroughly assess and validate an organization's needs before making a product choice. By taking this approach, organizations can make informed decisions that align with their unique circumstances.
In conclusion, SAP IAG and SAP Access Control are two powerful solutions offered by SAP to address the critical challenges of identity and access management. Understanding their features, benefits, and differences can help organizations make informed decisions while designing their SAP security strategies. By implementing the right solution, organizations can enhance their data security, streamline access management processes, and ensure compliance with regulatory standards.
The SAP Cloud IAG service was introduced in 2018/19 as a public cloud offering from SAP. This application is based on SAP Business Technology Platform (SAP BTP), and uses SAP NetWeaver APIs to fetch data from on-premise and cloud solutions. IAG offers the following services:
- SAP Cloud IAG - Access Analysis Service (Similar to Access Risk Analysis)
- SAP Cloud IAG - Access Request Service (Similar to Access Request Management)
- SAP Cloud IAG - Role Design Service (Similar to Business Role Management)
- SAP Cloud IAG - Access Certification Service (Similar to Access Re-certification)
- SAP Cloud IAG - Privileged Access Management service (Similar to Emergency Access Management)
Q) What is the difference between IAG and Access Control when both provide the same services?
While both the solutions offer the same services, the difference is that IAG is completely that it is on Public Cloud. It is not available either as on-premise or Private cloud solution. The below table lists few of the differences between IAG and Access Control:
Table 1.0: Differences between Cloud IAG and Access Control
Q) Is IAG a replacement to SAP GRC Access Control?
As detailed by Thomas Frenehard in his GRC Tuesdays blog, SAP is releasing a new version of its GRC platform: SAP GRC edition for SAP HANA. This product is planned for release in Q1 2026 and will replace SAP's existing platform of v12.0 that includes SAP GRC Access Control, Process Control, and Risk Management. Clearly, IAG is not intended to replace GRC Access Control, but could serve as a complementary solution to those who prefer cloud-based access control.
Q) In the event that I have on-premise Access Control, how do I connect to Cloud systems such as Ariba, SAC, Success Factors? Are they limited to the IAG Cloud?
Actually, you still have options! You can utilize the IAG Bridge scenario to establish a connection between the SAP Access Control 12.0 on-premise system and cloud applications. In the case of Cloud IAG, it provides support for both cloud and on-premise applications. In terms of licensing, you don’t have to have extra licenses for Access Control.
Q) What are the limitations in Cloud IAG where compared to Access Control with respective to Access Risk Analysis and management?
The Cloud IAG has evolved continuously since its inception. There are, however, some limitations to it. Here are some differences/limitations:
Table 2.0 - Risk Analysis Management Limitations in Cloud IAG
Q) What is IAG Bridge scenario?
The IAG Bridge scenario is used when the Access Control 12.0 system needs to establish a connection with cloud systems like Ariba, SuccessFactors, and others. In this scenario, both solutions are necessary, with the majority of activities being performed in Access Control. The role of IAG is primarily to facilitate the connection between Access Control and the cloud systems. Its purpose is to enable seamless communication and integration between the on-premise Access Control system and the various cloud applications.
Q) Which is the best option? Cloud IAG or Access Control?
Directly comparing solutions is not a straightforward and recommended approach. Each solution has its own set of advantages and disadvantages. When selecting a solution, it is crucial to consider an organization's specific requirements and priorities. What works well for one enterprise may not necessarily be suitable for another. Therefore, it is vital to thoroughly assess and validate an organization's needs before making a product choice. By taking this approach, organizations can make informed decisions that align with their unique circumstances.
In conclusion, SAP IAG and SAP Access Control are two powerful solutions offered by SAP to address the critical challenges of identity and access management. Understanding their features, benefits, and differences can help organizations make informed decisions while designing their SAP security strategies. By implementing the right solution, organizations can enhance their data security, streamline access management processes, and ensure compliance with regulatory standards.
- SAP Managed Tags:
7 Comments
