SAP application roles in Entra ID and user provisioning
Hello Team,
Since SAP IDM is going to be retired, can Entra ID be a possible replacement for it?
In some blog post from SAP, they themselves recommend using Entra ID instead of SAP IDM.
Entra ID, using its identity governance lifecycle workflow, can cater to Joiner, Mover, Leaver scenarios, and it also has out-of-the-box integration with SAP HR.
But the main question is, since SAP's applications are mainly role-driven, how can we map SAP application-specific roles to users via Azure AD?
E.g.:
User A has joined a company and, using SAP HR, their record and data are created in Entra ID, but now User A also needs access to SAP app 1 and app 2, and app 1 and app 2 have their own role sets.
How can these roles be made available in Entra ID? And even if we somehow make them available as part of an Entra ID group, once users become part of these groups in Entra ID, how will the user provisioning to SAP app 1 and app 2 work? Ideally in SAP, provisioning works via the SAP IPS service, but in the Entra ID docs, all we have is just a way to provision the users to SAP IPS using SCIM.
There are other SAP components, namely SAP IAG and GRC, which are the governing authority to provide access to the users to SAP applications for the requested role, and which provision the users once the access request is approved in IAG or GRC.
How can these systems be integrated with Entra ID? There are no connectors from Entra ID for such event-based user provisioning.