1 Introduction
Integrating SAP systems is a common requirement in IAM (Identity and Access Management) projects. With SAP being a leader in various market segments of business applications and related infrastructure, most large businesses own one or more SAP applications. Users and their access must be managed efficiently. This is where IAM comes into play. Granting user access to SAP environments is not a challenge of SAP specifically, but part of the generic user lifecycle management processes that span all relevant applications. From a user’s perspective, SAP systems are only one (or some, depending on their number) of the systems he needs access to.
Running SAP-related access management separately from the rest of IAM neither responds to the user’s demand of having one lifecycle to request access, to approve access, and to review access, nor does it reflect the changing landscape of business applications in most organizations.
Factually, experience from a vast number of organizations KuppingerCole had insight into over the past years, splitting access request and management interfaces for different sets of applications and services is a common complaint of end users, who need to understand which tool to use for requesting which type of access, and who have to deal with different UIs (User Interfaces), processes, etc. There is a demand and a need for having one interface for IGA (Identity Governance and Administration) tools, across the entire range of applications and services, regardless of deployment model and type of application.
Furthermore, the typical IT environments of organizations are under change, as part of the ongoing shift from traditional on premises business applications and services to cloud-based solutions, delivered as a service. This heavily affects traditional SAP environments, with new market entrants challenging SAP as well as the growing number of SAP offerings on premises and in the cloud that replace traditional SAP R/3. SAP SuccessFactors and SAP Concur, while being SAP offerings, are vastly different from the traditional SAP offerings, requiring expanded and new integration capabilities. A specific challenge within the SAP portfolio of applications and services is the fact that there is no consistent security model within the SAP portfolio. Virtually every piece of technology, from SAP R/3 to S/4 HANA, SAP HCM, SAP Concur, or SAP SuccessFactors, builds on a different model for access management and security. Thus, it is not about a single piece of SAP connectivity, but specific support for the various tools that SAP provides to its customers.
That support must serve both, incoming and outgoing, connections. For employees, SAP HR/HCM and, with growing relevance, SAP SuccessFactors are the source of information about new employees, leaves, retirements, and other changes. However, with the shift in focus of IGA from pure-play Enterprise IAM focused on employees to serving all types of identities, including business partners and employees, the number of integration points increases.
On the other hand, and as mentioned above, support for outgoing connections is required for a growing number of targets, with different integration points and security models. Beyond that, it is not only about connecting SAP environments, but a growing number of services provided by other vendors, which further increases complexity.
One Identity Manager provides comprehensive and certified integration into SAP environments since 2003. These features have been enhanced continuously, now supporting a broad range of SAP products and services well beyond SAP R/3. Integration is based on specific connectors with deep integration as well as cloud-based integration via One Identity’s Starling Connect cloud service.