The case for SAP Identity Access Management (IAG)

As part of our ongoing SAP solution spotlight series, Winterhawks Head of Operations Andrew Sawyer gives his thoughts on the development of SAP IAG.

The case for SAP Identity Access Governance

Since the launch of SAP Identity Access Governance (IAG), there had been some debate as to the target audience and future potential of IAG. Where does IAG fit in for organisations who already operate SAP Access Control (AC)? Is it not just a cloud version SAP Access Control? What is the additional value of IAG? These are some of the most asked questions, so, can IAG live and succeed in a world where SAP Access Control has been the dominant force.

Let’s review…

What is IAG?

First let’s take a look at what SAP IAG brings to the table, and cover the main solutions features. By design SAP IAG is an SAP cloud application that sits within the SAP Business Technology Platform (BTP).

As an independent solution, IAG contains five unique “Services”, with the most hotly demanded service Access Analysis providing users with the ability to gain access insight into Segregation of Duties and Critical Access across the SAP landscape (including SAP Cloud), allowing for refinement and control of SAP access risk.

IAG enables organisations to request & provision SAP (and Non-SAP) Access Requests, either through HR driven identity management workflows, direct system requests or system integration with 3rd party solutions. The solution provides a platform to review and certify user access assignment, alongside providing the management of Privileged Access (PAM) via review and assessment.

Finally, IAG supports effective role design, allowing organisations to manage and optimise their cross-application business roles.

Whilst IAG is a cloud-based solution, this does not exclude it from communication and integration with core on-premise systems such as SAP S/4HANA, or SAP NetWeaver applications. Therefore, its versatility covers a wide range of connections not freely available in alternative solutions of its kind.

Why is IAG important?

As the scope and diversity of SAP cloud applications continues to grow, the need for strong governance and assurance within the Cloud suite becomes ever more important. SAP IAG fills the gap when it comes to these cloud applications, as the solution already integrates with key applications such as SAP SuccessFactors, SAP Ariba, SAP Concur (and many others – with the list continuing to grow).

Another major factor that is driving success for IAG, is the “IAG bridge” scenario. This scenario is extremely relevant for those organisations who already use SAP Access Control or are looking to deploy Access Control in the future. The IAG bridge provides an effective stage for communication between the existing SAP Access Control application and the SAP Cloud suite, by leveraging IAG in a hybrid model. With IAG bridge, significant additional value can be gained by organisations who are not only looking to perform SAP-Cloud based analysis, but also include the monitoring cross-application risks in their ERP and cloud solutions.

Thus, ensuring that existing SAP Access Control setups remain ready for the future and up to date with fast moving Cloud technology.

If you had already been looking closely, SAP have been releasing content for the IAG Bridge scenario for some time. A high number of the recent enhancements & improvements for SAP Access Control have been geared towards its optimisation and integration with IAG – therefore strengthening the scope and functionality of the IAG bridge scenario.


Is IAG a viable option for customers who do not currently operate SAP Access Control, but are looking for a well-rounded Risk Analysis, PAM and provisioning solution?

Absolutely! In fact, as an independent SAP solution there is a case to be made that SAP IAG has a huge role to play in any future SAP landscape, especially as it provides the much-desired SAP cloud integration coverage not available in other solutions. With future expansions and roadmap planning geared towards the inclusion of more 3rd party solution integration.

Is IAG relevant as an extension to those who already use SAP Access Control?

Without a doubt and should be a key roadmap discussion for solution architects when planning their current and future governance strategies. The IAG bridge scenario expands the core functionality of SAP Access Control, allowing existing processes to thrive and remain effective for the foreseeable future.

Author – Andrew Sawyer

Andrew is a technology leader with twenty+ years of experience implementing systems and technology transformation programmes. He has a wealth of knowledge and hands-on experience across Data Management, GRC, Security, Business and Process Controls, and has worked in a diverse range of industries. At Winterhawk, Andrew is responsible for all aspects of operational delivery, partner management and quality assurance, across all geographies.

Contact Us

For further information on SAP IAG, to speak to Andrew, or to discuss how to implement and support the solution, please get in touch with Winterhawk:


The Case for SAP IAG by Andrew Sawyer