
SAP Cloud Identity Access Governance

Access Request
December 31, 2019
SAP Cloud Identity Access Governance
Simple, seamless, and adaptive

Access governance

• Access analysis: Analyze access, refine user assignments, manage controls
• Privilege access management*: Achieve account-based access, log consolidation, and review with automated log assessment for fraud
• Role design: Optimize role definition and streamline governance
• Access certification*: Review access, role, risk, and mitigation control
• Access request: Optimize access, workflow, policy-based assignment, and processes

* Planned 2019

© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ INTERNAL 2


SAP Cloud Identity Access Governance, access request service
Optimize access, workflow, policy-based assignment, and processes

Access request

• Self-service access-request forms with built-in guides and data-driven filters
• Auditable access-request workflow
• Integrated, compliant user-provisioning process
• Native integration with cloud apps



SAP Cloud Identity Access Governance, access request service
Optimize processes and streamline governance – access request service

The service provides self-service access requests, auto-provisioning, and auditable workflows.

[Figure: access request process flow. Step labels: Request (select access needed for job); Analyze, Remediate risks; Simulate, Adjust as needed; Approve; Provision; Audit workflow; Check Status; Cancel or Resubmit.]

This is the current state of planning and may be changed by SAP at any time.
Master Data
Master Data – Access Request Service

Common Master Data:

• Access Request Reason Code
• Access Request Priority
• Custom Fields
• Field Mapping



Master Data – Access Request Reason Code

You use this app to establish the Reason for Request choices for Access Requests.

To add a new Access Request Reason Code:

1. Select the plus (+) icon.

2. Complete the ID (will populate the Reason for Request field in the Create Access Request app), the Description, and the Is Active field.

3. Select Save.



Master Data – Access Request Priority

This tile allows administrators to establish selectable priorities for access requests.

To add a new Access Request Priority:

1. Select the plus (+) icon.

2. Complete the ID (3 numeric characters), the Description (e.g. High, Critical, Low), and the Long Description (optional) fields.

3. Select Save.



Master Data – Defining Custom Fields

You can define and create custom fields that are specific to your business.

You decide what to name the field, what type of data it can track, where it is used, under what
conditions it is used, and whether it is mandatory or optional.

There are two steps to create a custom field:

1. Define the Custom Field Group

2. Define the Custom Field



Master Data – Custom Field Group

The Custom Field Group defines when, where, and under what conditions to use the new custom field.

Say you want to require users to enter a personnel number on an access request when requesting access to an SAP ERP application.

• Personnel Number is the new custom field
• Access Request is the process where you want to use the custom field
• Application Type is the Entity Type
• SAP ERP is the Entity Type Value, the conditions under which you want to require users to enter a personnel number on the access request.

Master Data – Custom Field

Once the Custom Field Group is created, you define the Custom Field.

You designate the specifics about the field itself – its name, its length, whether mandatory, etc.

Use the + icon to assign the custom field to the correct Custom Field Group(s). You specify whether the field is required or optional.



Master Data – Field Mapping

This app is only used to map SAP IAG custom fields that will be used on an access request to external applications such as SAP S/4HANA, SAP SuccessFactors, SAP ERP, and SAP Ariba for purposes of provisioning.

Once a field is added to the field mapping list, it is ready to use in provisioning.

This app is intended for use by technical staff.



Schedule Jobs

Job Category: Purpose/Description

• Repository Sync: This job synchronizes user, role, group, user-to-role, authorization, privilege, and action usage information between target applications and SAP Cloud Identity Access Governance.

• Provisioning: This job executes access requests to provide user access and role assignments in the designated target systems.

• HR Triggers: This job identifies key changes to user attributes in SAP SuccessFactors. The changes include but are not limited to new hire, position change, and termination. If needed, the job creates access requests to provision the required access and roles to the appropriate users and target applications based on business rules that are configured in SAP Cloud Identity Access Governance.



Access Request Overview
Access Request Workflow

You use the Create Access Request app to extend or ask for access to the
applications that you need to do your job. Access requests are routed to My
Inbox where approvers can approve or reject them. You can use the Access
Request Status app to track the progress of submitted requests.
Approved requests are provisioned to provide users access to the applications.
The entire workflow and approval activity is captured in a detailed audit trail which
you can view in My Inbox.
Creating Access Requests
Request for New Access

Use the Create Access Request app to request or extend access that you need to do your job.

Select Request New Access to search for and display the desired access. You can search using the free-form search tool. Search for any attributes such as name, description, access type, business process, or subprocess.

To filter your results by application type, business process, or access type, click Show Filter Bar.

If desired, drill down on the access to see its details. When you have made your selections, click Create Request.



Extend Existing Assignments

Select Extend Existing Assignments to search for and display the access. You can search using the free-form search tool.

To filter your results by application type, business process, or access type, click Show Filter Bar.

By default, the accesses listed are only the ones that expire within 30 days.

To see all current accesses, select Show All Existing Assignments.



Review Request

In the Review Request screen, enter the reason for the request, its priority, and the requestor’s manager.

The Access Requested section lists each access requested, its type, application, business process, and criticality.

Where applicable, enter validity dates for each access. Add more access or delete any access that you do not want.

Under Attachment, attach a supplemental document about the request for the approver to review.

Once you have filled in the required information, click Submit Request. The app assigns your request a number and routes it to the approvers.



Check Request Status

Use the Access Request Status app to look up the condition and progress of your access requests. You can also cancel any requests that are in process.

When you select an access request from the master list, additional information is displayed in the details area (right pane). You can see information for the request and for each access.

Status for the request and for each line item is shown.



Access Approval
Approving Access Requests

Approvers use the My Inbox app to review and approve access requests.

This app displays requests from both the access request and role design services. Choose the Access Request tab to display access requests. From here, approvers can view the open requests and choose which ones to process.



Approving Access Requests

The app allows you to drill down into the details of each access. You can approve or reject each line item. Approvers can also view any risks associated with an access.

If there are risks, you can remediate risks using the Remediate Risk button. You can then Simulate the change to see how the changes affect the risks.

The app provides a complete audit history of all the actions associated with the request.



Provisioning Log Administration

This report is designed to help facilitate the provisioning of line items that were not successful on the initial attempt. Line items include attributes such as user, access, application, action, and status.

The master view consists of search fields on the header row, followed by the default results displayed in a table and sorted in descending order by the Last Updated On field.

Clicking a row of the master table opens the Provisioning Log Details view.



Provisioning Log Administration (cont.)

In the table header, the Retry All button is disabled by default unless at least one provisioning item has the status Failed. This button helps in updating the status of all the failed items in the table from Retry to In Process.

Alternatively, to set the Retry status only for selected line items out of all the failed line items, the user can click the Retry button provided in the same row as each failed provisioning line item.

Once the Retry button is clicked and the line item status is successfully updated to Retry, the button disappears and the status of that line item is shown as In Process. Similarly, the aggregated status of the request is also updated to In Process.
Summary

You are now able to:

• Create a self-service request

• Manage the approval process with the manager and security responsible

• Check the request status


