IAG 2023_10_31 : Recap IAS & Introduction IAG
https://www.youtube.com/watch?v=LLZDkt5QcKY
[00:09] so if you
[00:11] see what where IAS comes where IPS comes
[00:16] and where IAG
[00:18] comes
[00:19] right if you look at IAS and
[00:23] IPS are basically the cloud identity
[00:27] Services okay these are used by all
[00:32] your cloud based application not only
[00:36] IAG there is a
[00:38] disturbance from my
[00:42] end is the same with others should not
[00:47] be am I audible
[00:52] guys
[00:55] yes no it's
[00:57] c yeah okay
[01:00] so what actually your IAS does is IAS
[01:05] acts as a majorly as a single sign on
[01:08] for you so you can configure your
[01:11] various authentications you know then
[01:14] you you have SAP's MFA feature added
[01:18] multi I know uh Factor
[01:21] authentication you can do all those
[01:24] activities you know you're setting up
[01:26] your identity providers Federation
[01:28] authorizations your and OpenID Connect
[01:32] so this is basically for authenticating
[01:35] you I know on various configuration the
[01:39] way you configure it allows you so
[01:42] basically what happens is unless and
[01:45] until the record is created in
[01:48] a and then into the shadow ID in the SAP
[01:52] BTP you'll not be able to perform any
[01:55] activities that is where the SCIM ID
[01:57] concept is
[01:58] used okay
[02:01] now your identity provisioning your end
[02:05] to end life cycle of user provisioning
[02:08] everything is handled by the
[02:10] IPS okay so once we get into
[02:13] IAG then I'll explain you about IPS also
[02:18] what is IPS what it does you know all
[02:20] the architecture all those stuff okay so
[02:24] your IPS is the provisioning service
[02:27] which runs in the background and then
[02:30] creates the users deletes the users you
[02:34] know your Shadow ID is created how it
[02:36] has got created because of the IPS so
[02:39] entire provisioning is handled by
[02:42] IPS where in your IAS is just the GC
[02:46] module which is the risk and compliance
[02:49] module so that means I and IPS
[02:53] complement each other right they cannot
[02:56] work independent they cannot work
[02:58] independently okay
[03:02] IPS is a core component without IPS you
[03:05] cannot do
[03:06] anything so right now we using IPS right
[03:09] once you activate or you know add that
[03:12] subscription for cloud Iden IPS will be
[03:14] added automatically okay without IPS you
[03:18] can't provision thanks right
[03:21] okay so one minute this is uh completely
[03:28] about I anyway I was able to discuss on
[03:33] that topic but I I have couple of topics
[03:37] that I want to complete in IAS then
[03:40] we'll uh go to I we will start with
[03:44] Cloud identity access
[03:49] governance so yesterday uh we discussed
[03:51] about creation of
[03:55] Administrators right
[03:58] so you'll be able to create various
[04:03] administrators on IAS to manage your IA
[04:05] system I think all of you can go on mute
[04:08] please
[04:12] V
[04:16] sorry
[04:18] okay
[04:20] uh so basically we
[04:24] have two type of two types of users that
[04:28] gets created on I
[04:30] okay I'm quickly recapping one type of
[04:33] user is basically the application user
[04:35] who will not be able to log to IAS even though you create them on IAS
[04:38] that user will be provisioned automatically in the respective sub account as soon as they log in to the application
[04:41] and with the assignment of groups
[04:44] user will automatically get the access
[04:47] you don't have to go to BTP again assigned roles
[04:55] also is role collections is also not required
[04:58] everything can be managed with the group con
[05:01] so it's a one-time setup that we do the role collection mapping
[05:06] and then as soon as you onboard the user
[05:08] and assign him to a user group
[05:10] the respective role collections will be automatically assigned indirectly to the
[05:16] user so this Dynamic assignment is done
[05:19] by IPS service in the back end right
[05:23] yes so creation of your Shadow ID
[05:27] assignment of uh authorizations all
[05:30] these groups everything is done by
[05:36] IPS
[05:38] okay
[05:42] so the second type of users are
[05:45] basically are administrators so what
[05:48] administrators does administrator job is
[05:51] to manage the IAS so what is that he can
[05:54] manage he can manage the uh you know
[05:58] user like okay what whatever you see
[06:00] here users and authorizations identity
[06:03] provisioning all these options right you
[06:06] can restrict user access on specific uh
[06:09] activities authorizations based on you
[06:12] know the predefined groups so if I say I
[06:15] want to create an administrator only
[06:17] with managing user authorization I can
[06:20] only do that I can hide all the other options okay so we we discussed about
[06:23] that we created one of the administrator
[06:26] and I have shown you how exactly the administrator would be and the second
[06:29] type of users are non-dialogue users
[06:31] which are system basically for your communication
[06:34] so what you need to do to create this user is go to administrators
[06:36] okay so click on ADD click on
[06:39] system okay this user will not have an email ID so you just need to give the username
[06:41] let's say I'm using a user ID called iaz connect
[06:45] okay I don't want this user to manage users but I want him to read users as manage groups I'm giving but
[06:50] I'm not giving any other activity it's
[07:20] just like your communication ID that you
[07:22] create right for
[07:24] RFCs so
[07:27] whatever authorization you want to assign you can assign that and then
[07:33] click save
[07:34] so once you save the ID what you need is
[07:39] basically to use this particular background ID non dialog or
[07:46] for you to understand I'm saying non dialogue but there is no concept called
[07:50] dialogue or non dialogue here it's called as a system
[07:55] ID okay now for this user for you to use this user you create the user but where is the authentication of this
[08:04] user we need to have authentication right the other provider should be able to utilize this user ID if you just give the user ID they'll not be able to
[08:16] login right so for that there are two options either you can create a
[08:21] certificate or you can create a secret
[08:25] so when I go to certificate I basically have to update
[08:28] my certificate file okay so this is where I give all these information so I give the common name you know I can say iy connect
[08:35] okay and then give some random password or I can simply generate the password
[08:45] so this will be a complex password that it generates automatically
[08:51] so if you don't want to use okay your password you can see se. p 12 is created
[08:55] okay so what you need to do is you need to exchange the certificates
[09:01] again just like how we did for SAML the metadata XML similar way you need to you know give that so the dot trt file is required what you need to do is just
[09:22] save once you upload then you can start
[09:26] exchanging you know the certificate this
[09:28] is one of option second option is our
[09:31] easiest option or most widely used
[09:33] option is creating a secret so what you
[09:37] need to do go
[09:39] here okay click on ADD give a
[09:43] description of the secret I'll simply
[09:45] say I
[09:47] a uh you know test system
[09:51] connector this is for me to understand
[09:54] so do you want the password to be
[09:56] expired you can say one year two year or
[09:58] never work so if you say one year within
[10:01] one year the password will be expired
[10:03] so this is important now this is called
[10:06] as the client ID and the client secret
[10:09] client ID is nothing but your username
[10:11] SCIM ID and then this is the password so
[10:16] what you need to do you need to copy
[10:18] this you need to keep this safe because
[10:22] you cannot get this information again
[10:25] client ID is available but client Secret
[10:29] once you save you'll not be able to
[10:32] retrieve it so for example I'm saving it
[10:34] now okay I I get the client ID here I
[10:38] can copy but the client secret is never
[10:42] available so you have to be really
[10:45] careful when you are creating any
[10:48] secrets you need to copy it or else you
[10:50] need to generate a new one again I can
[10:52] add a new one and then generate a new secret so for each of the application I
[10:55] can create different Secrets it accepts
[10:58] multiple Secrets but then uh you know it
[11:01] is always recommended to keep either one
[11:05] of these you know not to create too many
[11:10] Secrets also because it it actually
[11:13] creates more opportunities for the other
[11:17] side party right the hackers to uh try
[11:21] and break something okay so recommend is
[11:29] keep one secret
[11:31] or this is to onboard the custom
[11:35] identity provider right this is
[11:39] to okay now if I want to
[11:43] connect uh
[11:46] my IAG system or my Ariba system how do I
[11:52] connect how do I establish a
[11:55] connection okay in GRC for example you
[11:58] are connecting GRC and S4 Hana how are
[12:01] you
[12:03] connecting yeah first establishing the T
[12:06] between you are creating a
[12:09] SM59
[12:12] RFC how RFC Works RFC needs a user
[12:16] ID with some
[12:20] authorization yes right you create a
[12:24] communication ID and maintain that
[12:26] communication ID in the RFC connection
[12:29] so it is the same user ID that I'm
[12:34] creating okay since I cannot give I connect as the user ID because it uses the SCIM ID concept which should be unique since it is a public if someone else also uses is connect what happens so that is where it should be a unique identifier which uses the client ID client ID is nothing but the user ID the global ID or the SCIM ID so you just need to copy this and the secret secret is the password so I'll show you where we will be using the secret keys and all
[13:12] okay got it so the first option is certificate so you have to upload that certificate in Ariba ex ARA so you need to download the certificate from Ariba upload it here and then whatever the certificate that you downloaded here should be upload back there so that you are establishing a connection okay
[13:34] thanks
[13:36] okay so this is important because when
[13:39] we are integrating systems you need to
[13:42] create the service IDs sorry system IDs
[13:46] and those system IDs can be created only
[13:48] from administrators not from the user
[13:50] management so from user management what
[13:53] you can onboard is only the business
[13:55] users or the application users not the
[14:01] administrators we see in the BTP
[14:04] homepage right so that is different that
[14:06] is only to connect BTP with the uh in
[14:09] know back end systems right where here
[14:12] yeah this is only to manage
[14:15] BTP
[14:16] okay okay if I create any user here
[14:20] let's say if I go to trial
[14:27] account okay
[14:29] so if whichever users you see here ought
[14:33] to manage only BTP they are past
[14:37] users they can only manage BTP account
[14:40] they cannot
[14:41] manage okay if I create your ID in BTP
[14:44] can you manage
[14:49] IAS no no I was asking about
[14:53] destinations you know under the
[14:55] connectivity have destinations right so
[14:57] when you create the destination this is
[14:59] where you will be
[15:01] using
[15:04] okay your all the destinations and all
[15:07] so authentication what authentication
[15:09] you want what basic authentication so
[15:13] when I say basic authentication it is
[15:15] asking for username password so what is
[15:18] username that is my SCIM ID password
[15:21] is secret
[15:25] ID
[15:27] right so we haven't come till
[15:31] this at this point in time right so okay
[15:34] okay then let's not let's not worry okay
[15:38] I don't want to confuse you you know
[15:41] speaking something know I don't want to
[15:45] take you to Cloud9 and then say this is
[15:48] where you need to
[15:50] maintain let's let's understand step by
[15:53] step so that it's easy for you here it is
[15:56] is a multi environment that means it is
[15:58] like
[15:59] it it can accept any Cloud application
[16:02] is it like this mment sense BTP is a
[16:07] platform where you can get all your
[16:12] Cloud applications set up when I say
[16:15] cloud applications BTP allows you to
[16:18] work with three different Cloud
[16:20] applications on the
[16:22] platform what is that
[16:25] Neo then Kyma Cloud Foundry and
[16:33] four if any Linux based application one
[16:36] of this environment will help right for
[16:39] running if if you have an application
[16:41] which is run which is developed on that
[16:44] runtime that platform you can add it in
[16:47] one of the sub account and use
[16:49] it
[16:54] okay
[16:57] right
[17:01] is it
[17:03] clear yes yes sir
[17:07] yeah
[17:10] so yeah so how do you create
[17:13] administrators I just gave the
[17:17] details then remember we also discussed
[17:21] about the groups
[17:23] yesterday okay we created some groups
[17:26] like developer administrator and all
[17:28] those things in in the IAS right so
[17:32] similar way for us to use IAG we need
[17:37] these many groups okay so we need a
[17:41] group for Central monitor a group for
[17:43] control owner workflow role owner there
[17:46] is a concept called candidate business
[17:48] role
[17:49] Administration um so what we need to do
[17:52] is we need to create the groups in the
[17:54] system but remember one thing the groups
[17:58] should be created with specific naming
[18:01] conventions only otherwise system will
[18:03] not recognize these
[18:06] groups okay so we'll discuss in detail
[18:09] about these groups during the master
[18:11] data setup but I want to highlight that
[18:16] the way you create groups in IAS is not
[18:21] similar to how you create groups
[18:23] in you know ECC or S4 in hugr so what
[18:29] happens you can actually create groups
[18:32] the way you want and then assign it to
[18:33] the users okay but in Cloud systems
[18:39] remember
[18:41] that you have to follow a specific
[18:44] naming convention in case if I have added sa in my BTP as one you know under one of the sub account and I want to manage those users on IAS then the groups will start with sa acore so you must create groups with those names only and groups are not pre-delivered okay it's all in the documentation that you should follow this convention these are the groups that are needed and the user should be assigned to these groups okay we will uh have to create the groups which is one time Master data setup activity and then do the role collection mapping for these groups so that okay as soon as you assign group to the user he'll get access to you know the respective role
[19:44] collection okay so we'll we'll spend some more time on this how how do we create groups or we create these groups in the system okay so this is question have you added this you add this into the Scribe yeah yeah everything will go into scri I'm just not doing it when I'm explaining because it's not that okay change screens and then you know this things so just after the class I'll update the Scribe and then upload it back
[20:19] right so with that we have completed the IAS BTP and IAS training okay
[20:29] uh there will be small bits and pieces that I haven't covered which I want to cover along with IAG you know when it comes to that particular scenario you know I want to make it very
[20:46] relevant to the topic and then I want to
[20:48] explain you what majority of the topics
[20:51] are covered both in BTP and IAS okay I
[20:56] think we spend good time in I as well
[20:58] well so this is what a complete hands-on
[21:01] I want you to do okay starting from
[21:05] creating a trial account in case if you
[21:08] have a trial account you can just skip
[21:10] that but how do you add most of you
[21:13] might have done this but I want you to
[21:16] ensure that everyone
[21:18] followed these steps and then understand
[21:22] there are certain observations that I
[21:24] want to you to see uh especially the
[21:27] shadow IDs what happens when you delete
[21:30] the ID from I will it delete the ID back
[21:34] from your sub account will user has that
[21:38] access and then maybe you know what is
[21:40] the right approach in case if you are
[21:42] deleting the ID from I what is that you
[21:46] have to do right uh and suggest me any
[21:52] any topics where you feel that I can
[21:55] create a video which is useful for
[21:57] everyone I'm really interested in doing
[22:01] that so that okay it will be it will be
[22:03] handy for you also at a later point in
[22:06] time
[22:08] okay so I I'll update the Scribe with
[22:12] all these
[22:14] and uh you know you can
[22:17] just start
[22:20] practicing right so yeah a good question
[22:24] so in order for me to uh start from
[22:27] scratch till where you are it's um what
[22:32] an hour job an hour and a half
[22:34] job um maybe a little more for you to do
[22:39] it couple of hours should be
[22:41] fine so would that be a good video for
[22:44] you to make oh I cannot make that entire
[22:47] video okay I just curious
[22:50] okay that is
[22:52] tough I want people to come the rather
[22:56] than you know just giving videos maybe
[23:00] I'll maybe I'll get a step by step document
[23:02] see where we are that's great that's
[23:05] great okay yeah
[23:09] yeah great so if there are no other
[23:12] yeah great so if there are no other questions then I'll move on to Cloud
[23:15] questions then I'll move on to Cloud identity and access governance this is
[23:18] identity and access governance this is cloud
[23:25] iag great so I take that has no question
[23:29] iag great so I take that has no question so we are now moving on to our main
[23:32] so we are now moving on to our main topic cloud
[23:35] topic cloud iag cloud is nothing but GRC right it is
[23:39] iag cloud is nothing but GRC right it is not
[23:40] not GRC apple and orange are fruits but you
[23:44] GRC apple and orange are fruits but you know each of that has got their own
[23:48] know each of that has got their own features okay
[23:50] features okay right it's a GRC module I won say it is
[23:55] right it's a GRC module I won say it is okay maybe next set of slides explain
[23:58] okay maybe next set of slides explain about that
[23:59] about that only so so we'll have a quick
[24:01] only so so we'll have a quick introduction of iig and then we
[24:04] introduction of iig and then we understand the components we come we see
[24:06] understand the components we come we see the comparison between GRC access
[24:09] the comparison between GRC access control and
[24:10] control and AAG and training flow is something that
[24:13] AAG and training flow is something that I I could not update but I'll explain
[24:16] I I could not update but I'll explain you what all things we cover okay so
[24:19] what is cloud iag cloud iag is a public
[24:23] offering public Cloud offering from sap
[24:29] that helps to streamline the compliance
[24:31] requirements similar to what your Access
[24:34] Control does right the way you create
[24:37] users the way you create roles the way
[24:39] you assign critical IDs you know your
[24:41] firefighter IDs then then the risk
[24:44] analysis whatever you are doing in the
[24:46] access control you can perform the same
[24:49] thing in the cloud iag system but what
[24:52] is the
[24:53] difference the difference is that iag is
[24:56] designed as a part of Cloud first
[24:58] adoption
[24:59] program what does that
[25:01] mean now
[25:03] sap if you look at last month sap has
[25:08] announced that the support fee for
[25:12] on-prem customers will be
[25:15] doubled
[25:17] right because they want people to be on
[25:21] cloud now they don't want any on
[25:24] premise implementations the reason is
[25:27] that
[25:29] the support that they need to extend for
[25:31] on premise systems is pretty huge
[25:34] because every customer has their own set
[25:37] of problems and sap has to spend a lot
[25:40] of time in supporting and then
[25:42] developing fixing you know all these
[25:46] activities So to avoid these kind of
[25:50] challenges sap has come up with lot of
[25:53] cloud
[25:55] applications and then saying now they
[25:58] are saying that any enhancements any
[26:02] features any uh upgrades are available
[26:06] for cloud first so we'll first release
[26:10] it for the customers who are on cloud
[26:12] rather than on on premise so if there is
[26:15] a new feature which is added that is
[26:17] available for cloud there are lots of
[26:20] solutions that are especially designed
[26:22] for cloud they're not available on on
[26:25] prem so that is where sap is trying to
[26:30] bring as many customers onto the cloud
[26:32] so that it is easy for them to manage
[26:36] these
[26:37] applications okay when when there is a
[26:40] new capability added it it just comes to
[26:43] everyone they don't have to again uh
[26:46] create a support package or sap note or
[26:49] a add-on and then delivery through their
[26:53] service portal all that is no more
[26:56] required
[26:59] and most of you know about rise with sap
[27:02] right now what if a customer is on rise
[27:05] with sap on a public cloud or a private
[27:08] Cloud you cannot simply ask him to
[27:11] implement GRC access control which is on
[27:16] or a private Cloud
[27:18] again so when sap is offering their Erp
[27:22] itself on the cloud as a public and
[27:25] private offering why can't GRC be also
[27:29] be on the
[27:31] cloud now is it easy to get access
[27:34] control onto the cloud no because that
[27:36] is a completely abap environment lot of
[27:40] abap screens lot of Web Dynpro screens
[27:42] which is now that everything is
[27:44] supported on the
[27:46] cloud so that is where
[27:49] exactly
[27:51] sap has
[27:54] developed you know the same set of
[27:57] applications on the cloud on the cloud
[28:01] Foundry runtime and named it as
[28:06] iag so the primary target is basically
[28:10] the cloud customers whoever is coming on
[28:13] cloud and who needs the
[28:16] GRC system these are the customers who
[28:19] will be onboarded onto the access
[28:21] control of of the cloud which is called
[28:25] as
[28:26] iag
[28:28] now remember only the access control
[28:31] capabilities are moved onto the cloud or
[28:35] parallelly designed on the cloud I should
[28:37] not say
[28:39] moved they parallelly designed it on the
[28:41] cloud as I a no other GRC component is
[28:45] available on the cloud at this point in
[28:48] time and the road map also doesn't say
[28:52] that okay they are going to get the
[28:54] other applications on the
[28:56] cloud
[28:58] what about GRC
[28:59] 2026 which bu on it's still available on
[29:04] Hana
[29:06] platform okay uh as an on Prem
[29:09] application even PC and RF is not on
[29:12] cloud no nothing on cloud audit
[29:15] management is not in Cloud B is not on
[29:18] cloud so it takes probably another 34
[29:21] years for them to slowly bring these
[29:23] applications onto the cloud as
[29:26] well
[29:28] okay uh but now there are lot of
[29:31] customers who are getting onboarded on
[29:33] rise with sap it's a successful program
[29:36] now for sap they were able to onboard
[29:39] huge customer based on PR with sap now
[29:42] how do I offer them my compliance risk
[29:46] and compliance services so the first set
[29:48] of or first application
[29:51] is
[29:54] cloud
[29:56] okay you pay as you go along right there
[30:00] are multiple options you can subscribe
[30:02] you can pay as you go CPA you know your
[30:06] corporate agreement is available depends
[30:09] on um rise with sap is not pay pay as
[30:13] you go it is CPA because you need to buy
[30:17] FUEs the licensing model is FUE model
[30:22] F full user
[30:25] equivalent Okay so so so that
[30:29] is the primary purpose of bringing on
[30:34] cloud IAS it is just not to replace sap
[30:38] GRC but it it probably runs as a
[30:42] parallel system for some time so that
[30:44] the cloud customers can also leverage the
[30:46] capabilities of governance risk and
[30:49] compliance
[30:51] module but remember this is only a
[30:55] public Cloud offering cloud iag cannot
[30:57] be a private Cloud
[30:59] offering okay at this point in time it
[31:02] is available on the
[31:04] public but it allows you to connect both
[31:09] your cloud and on premise
[31:12] systems okay iag if you implement
[31:16] iag you can connect your you know
[31:20] backend score systems which are on prem
[31:22] or if you have S4 cloud or uh you know
[31:26] rise with sap cloud all of these can be
[31:29] connected to the I system and with this
[31:33] you don't have to really worry you know
[31:36] um see for me to create a sub account
[31:40] add the entitlement set up the cloud iag
[31:44] doesn't take more than 5 minutes of
[31:47] time okay so once you once you have the
[31:51] entitlement once you have the
[31:52] subscription to Cloud iag creating a
[31:56] system and then setting up iag is just
[31:59] five minutes J you don't have to really
[32:01] build the system you don't have to spend
[32:04] lot of time in procuring the
[32:06] infrastructure then again adding you
[32:09] know talking to your basis getting all
[32:11] the software components installed your
[32:14] upgrades all
[32:16] that you
[32:18] know uh messy work or time consuming
[32:22] work is no more when you want to build a
[32:25] instance 5 minutes you can build a and
[32:27] start with your master data setup and
[32:30] you don't have to worry about
[32:33] upgrades right as and when there are any
[32:37] changes new capabilities sap will simply
[32:42] add it and then updates it in the road
[32:44] map document so you'll get to know what
[32:46] all new changes that have come in Cloud
[32:49] I a and remember they're doing pretty
[32:52] good and adding lots and lots of
[32:55] capabilities if you look at what is is
[32:57] there in Q2 Q3 Q4 they have a real good
[33:00] road map and making it more user
[33:03] friendly with more integration points
[33:07] right uh more capabilities and all but
[33:09] at this point in time we should admit
[33:13] that cloud iag has certain
[33:17] limitations so explained about how
[33:20] exactly is position where exactly you
[33:23] know Cloud I comes uh so this is
[33:26] basically the GRC component which is on
[33:28] the cloud uh which has got different
[33:31] modules so we'll speak about these
[33:33] modules so what is there so this is
[33:36] something that I picked up from the web
[33:38] it is not
[33:40] my
[33:42] image uh hopefully from saps okay uh so
[33:48] what it has basically it has four
[33:50] different components just like your
[33:52] access control with the access
[33:55] certification component
[33:58] okay uh so access analysis service we
[34:02] call these as services not components so
[34:05] access analysis service is basically
[34:08] your risk analysis and
[34:10] Remediation okay or access risk
[34:14] analysis uh so you can perform the same
[34:18] you can create rule sets you can manage
[34:20] rule sets you can run risk analysis and
[34:23] all those
[34:24] activities but uh limitation is that the
[34:28] risk analysis is only available at a
[34:30] user level not at a role level you it
[34:33] gives information on the role level but
[34:36] you don't have certain options like
[34:39] simulation you cannot run simulation
[34:41] before modifying a role uh you know all
[34:44] those are not available so when you have
[34:48] a role which is updated into the IAS
[34:50] repository then you can quickly see what
[34:53] risks are there in that particular po
[34:55] but you cannot run simulations and all
[34:57] and most focus of IAS is on user level
[35:01] analysis rather than role level
[35:03] analysis okay so we'll we'll Deep dive
[35:07] into each of these
[35:09] services and understand what is that we
[35:11] have what is the limitation and all
[35:13] those things then you have role design
[35:16] which is basically your BRM similar to
[35:19] BRM but the limitation again here is you
[35:22] can only create business roles you
[35:25] cannot create uh your single roles
[35:28] composite roles and all those roles so
[35:30] you cannot create a role in iag and push
[35:33] it back to the S4 system okay rather you
[35:37] need to create the role in S4 and then
[35:39] bring it on to the BRM or the role
[35:42] designer I repository okay and then you
[35:46] can create various business
[35:53] roles sorry then you have access request
[35:57] I have a question I have a question so
[35:59] you're doing role design in S4 and you
[36:03] have created couple of single and
[36:05] composite role so they have to be pushed
[36:07] into uh iag through whatever mechanism
[36:11] is and then you create a VM role correct
[36:14] yeah okay the the role should be in the
[36:18] iag repository for provisioning as well
[36:21] as creating your VM your business
[36:25] roles it's not mandatory right only if
[36:28] you need business we can create
[36:30] otherwise no for for privilege access
[36:33] management business role is mandatory
[36:35] without creating business rules you
[36:37] cannot assign P Pam ID you firefighter
[36:41] ID okay but otherwise it is
[36:45] not okay then you have access request
[36:48] which is ARM similar way you can
[36:52] create
[36:54] uh users can create submit request and
[36:57] then it goes through the approval
[36:58] process after approvals the ID will be
[37:01] automatically provisioned in the system
[37:03] you know you have all those things then
[37:05] your access certification is just the
[37:07] user access review it doesn't have the
[37:10] SoD review so only you can perform
[37:13] periodic reviews on
[37:15] users uh but it gives better reporting
[37:19] than your uh Ur in Access Control in
[37:24] terms of the risks what risks user has
[37:26] and you know you can
[37:28] perform various audit Cycles review
[37:31] Cycles you know uh you can do uh all
[37:36] those things okay these are
[37:39] preconfigured or we have to configure it
[37:42] we need to
[37:43] config it's like like GRC right like you
[37:46] have to run you have to you have to you
[37:49] have to find the coordinator or a r and
[37:52] all that stuff correct yes because they
[37:54] are very specific to you right I if if
[37:56] it doesn't know who will do the
[37:57] coordinate and all no no that no that
[38:00] part that part I understand what I was
[38:02] trying to say is that you have to create
[38:03] the jobs and everything it that is still
[38:07] the same that is still the same it is
[38:08] the same it is that's that's what the
[38:10] master data setup is oh I see I see okay
[38:14] okay so we do the master data setup
[38:16] first create your rule sets for example
[38:20] rule set like you don't have BC sets so
[38:23] the moment you need a rule set you need
[38:25] to raise a ticket to sap
[38:27] sap will activate the rule set for
[38:30] you okay but nothing comes at default
[38:35] no you you have to raise a ticket to sap
[38:38] they'll enable the rule set in your
[38:41] accounts that that particular iag
[38:43] account and then you can make changes to
[38:46] the
[38:48] rules you have no control on the system
[38:54] if sap wants to shut down the system for
[38:56] two hours they'll shut down you cannot
[38:58] ask them because this is a public
[39:03] Cloud so which means we don't we can't
[39:05] even create custom
[39:08] rules custom rules can we
[39:11] created using the existing one standard
[39:13] ones right yeah yeah yeah rule set
[39:15] customization is
[39:16] possible okay okay okay but understand
[39:20] the limitations at this
[39:22] point okay um then you have privilege
[39:27] access management PAM PAM is nothing but
[39:30] your firefighter
[39:32] ID FF ID again in
[39:35] ffid one
[39:37] question yeah one question with respect
[39:40] to rule sets uh I mean you said we have
[39:42] to raise a ticket right to sap to
[39:44] activate rule sets um is there any price
[39:47] for that I mean do we have to pay
[39:49] anything to activate no no that is a
[39:51] offering standard offering only okay so
[39:54] as soon as you raise a ticket they'll
[39:55] activate the rule set for you okay there
[39:59] is no additional cost okay why would
[40:02] they not give it at default yeah exactly
[40:05] that's
[40:07] why so when when you
[40:12] actually go to the
[40:14] IAG site you can always give
[40:16] recommendations though that is where
[40:19] they are accepting these recommendations
[40:20] now so when you feel that some feature
[40:23] is missing you can recommend that that
[40:25] particular uh recommendation to them
[40:28] they'll quickly
[40:30] evaluate and then if it is a good
[40:32] feature to be you know to have good to
[40:36] have feature they'll add it they're
[40:39] doing
[40:40] it okay when you working you find
[40:44] something is missing which should be
[40:46] there you can ask them so they still
[40:49] haven't got the concept like in s you
[40:52] know you can use task list which is
[40:55] which basically does everything what
[40:56] you're supposed to do to configure the
[40:57] system so they haven't come out with
[40:59] that looks like maybe that might be a
[41:01] better idea just a
[41:04] thought at this point in
[41:10] time
[41:12] okay so when this product has been
[41:15] launched uh
[41:17] 2020 or 2021 I think if I'm not
[41:23] wrong I know it from 2021
[41:37] right
[41:39] so this is the basic comparison between
[41:43] your iag and GRC access
[41:46] control so iag is built on btp platform
[41:50] Cloud Foundry runtime where an access
[41:53] control is NV
[41:55] platform availability of I is only
[41:58] public cloud and access control is on
[42:01] Prem mostly and it can be a private
[42:05] Cloud offering not a public Cloud
[42:07] offering so you can just have it on your
[42:09] own
[42:10] cloud okay or it can be one of the
[42:12] hyperscalers like AWS or Google Cloud
[42:16] platform uh you know and then hor
[42:19] here
[42:21] system uh complex work workflows uh are
[42:25] not possible in a okay where in Access
[42:28] Control you have the brf msmp all these
[42:32] things uh but I a gives you only four
[42:35] now it says number of stages three but
[42:38] it is four now so last month only they
[42:41] added one more stage so the stages can
[42:44] be manager role owner security and risk
[42:50] owner so you can have these four stages
[42:54] in the order you want you know first you
[42:57] can give it to security then risk owner
[42:59] role owner and manager or first manager
[43:03] security you can change the order but
[43:06] you
[43:07] cannot have more than four stages Max is
[43:11] four and these are the four agents
[43:13] available you cannot create custom
[43:16] agents you cannot create custom
[43:18] rules nothing is
[43:21] possible but Access Control there is no
[43:25] limit you can have stages
[43:27] also and there are many standard agents
[43:30] available then you can create your
[43:32] custom agents you have all those
[43:35] capabilities as I said brf is not
[43:37] possible in iag and access control is
[43:41] you can do multiple things
[43:43] authentication is Ias the primary
[43:46] authentication system is Ias and in
[43:50] Access Control you have multiple options
[43:53] right you can authenticate user with
[43:55] multiple things
[43:58] then provisioning is IPS where in in
[44:01] then provisioning is IPS where in in Access Control it uses rfc's function
[44:04] Access Control it uses rfc's function modules apis you know uh for provisoning
[44:08] modules apis you know uh for provisoning it uses B you know directly doesn't have
[44:11] it uses B you know directly doesn't have to create it uses papies and then all
[44:14] to create it uses papies and then all those authorizations uh we use standard
[44:17] those authorizations uh we use standard role Collections and roles mostly we
[44:20] role Collections and roles mostly we don't create custom role corrections but
[44:22] don't create custom role corrections but it is still okay if you want to
[44:24] it is still okay if you want to create and
[44:26] create and in access control everything is through
[44:28] in access control everything is through PFC
[44:34] Z right and Cloud connectors are
[44:36] Z right and Cloud connectors are available with
[44:37] IAG in Access Control you can still
[44:40] connect to your Ariba SuccessFactors
[44:43] and all these Cloud
[44:45] systems using a bridge scenario so it is
[44:48] an integration scenario called as IAG
[44:51] bridge scenario so if you have Access
[44:54] Control today and want to to connect
[44:56] your Cloud systems then you have to go
[44:59] to then you have to subscribe IAG bridge
[45:03] scenario okay which means it is only the
[45:06] connector you'll be able to only connect
[45:09] the systems but you'll not be able to
[45:11] use any of the IAG applications in
[45:15] parallel and LDAP integration is
[45:18] possible in both the scenarios and HR
[45:22] triggers in IAG it is possible with
[45:24] SuccessFactors and and SAP
[45:28] MDA wherein in Access
[45:31] Control you can use HCM you know your HR
[45:35] SAP HR SuccessFactors or any third
[45:39] party provisioning systems using RESTful
[45:42] APIs okay so if you want to uh integrate
[45:46] your third party HRMS except Workday
[45:50] Workday doesn't support those
[45:52] integrations uh but you know there are
[45:54] multiple ways to inte in case if there
[45:57] is no direct integration possible there
[45:59] are multiple ways to do
[46:01] that wherein IAG you have that limitation
[46:05] you cannot
[46:09] just HR triggers in the sense like onboarding
[46:12] offboarding
[46:15] yes leavers and movers can we integrate
[46:19] Workday using the IAG bridge to access
[46:24] no okay
[46:27] so this with Access Control itself it is
[46:29] not possible why you thinking about
[46:35] I doesn't give any integration scenarios
[46:39] they don't allow integrating to
[46:42] a directly there are no
[46:50] APIs so so one question regarding this
[46:53] available with IAG bridge scenarios that
[46:55] means it can only provide the connectors
[46:58] and you can connect to the specific
[46:59] Cloud but you cannot provision the
[47:02] access to that specific system that me
[47:04] the four components are not available in
[47:06] IAG bridge
[47:08] scenario IAG bridge scenario is only to
[47:11] establish your on-prem GRC to the cloud
[47:18] systems so can can can we download you
[47:22] know the roles like you know whatever we
[47:24] have in the cloud and then the users can
[47:26] request those roles and the provisioning
[47:28] and the risk analysis can happen within
[47:30] the Access Control
[47:33] yes that's possible
[47:36] okay so Ragu when you say cloud systems
[47:39] does that also include hybrid and
[47:42] IBP currently I think IBP is supported
[47:46] IBP you can connect uh but what I know
[47:49] is SuccessFactors Employee Central is
[47:52] possible Ariba is possible then uh Fieldglass
[47:56] is
[47:58] possible
[48:00] uh then what other systems you have
[48:02] Fieldglass Concur is h h h is also
[48:07] possible I think I just need to
[48:10] check and then what about um
[48:13] IBP IBP is
[48:15] possible you can
[48:21] connect
[48:23] right okay so
[48:26] maybe
[48:28] today we might feel that GRC has more
[48:33] and more capabilities when compared to
[48:36] IAG but remember GRC is a much matured
[48:40] product it's it's like almost 20 plus
[48:44] years where the the development teams
[48:47] the experts are working and adding lots
[48:50] and lots of capabilities in Access
[48:52] Control right IAG is just started so it
[48:55] takes little time for it to have you
[48:59] know lot of features but then even at
[49:02] this point in time I should say we see
[49:05] certain limitations like the workflows
[49:07] number of stages and all but you know it
[49:11] gives a better UI better decision making
[49:15] for the approvals before that they
[49:18] actually do any
[49:20] activity and I'm sure SAP is going to
[49:22] add lots and lots of other capabilities
[49:26] okay
[49:27] to uh IAG the probably you know next few
[49:34] years and then make it a more robust
[49:39] product so one question yeah can can you
[49:43] go slide behind I mean to the previous
[49:45] slide so so say if a customer is not
[49:48] having GRC at all okay and they have
[49:50] multiple cloud-based systems whatever
[49:54] it's Ariba Hybris IBP and all can they
[49:57] just go ahead and use IAG
[50:01] yes okay if customer has only on premise
[50:06] S4 let's assume he don't have anything
[50:08] else only one on premise for we can
[50:12] still go with
[50:16] IAG okay so we can connect IAG to an on
[50:19] premise S4 system
[50:21] yes and then you can do all the
[50:23] provisioning from there yes
[50:27] can it also connect to other on-prem system
[50:30] strugle like you know GTS and other
[50:33] stuff any NetWeaver system
[50:37] is
[50:40] okay EP cannot be connected so with this
[50:44] IAG bridge scenarios right when we are
[50:46] saying that we can connect to any of the
[50:49] cloud system so can we connect it to the
[50:52] sub account applications like how we are
[50:54] assigning the groups right so the
[50:56] provisioning can be done from the Access
[50:57] Control for those sub accounts as well
[51:00] instead of using I I IAS and IPS okay so
[51:05] understand AC is not provisioning to BTP
[51:08] AC is not provisioning
[51:10] to uh uh you know any of the sub
[51:14] accounts what you can connect is let's
[51:16] say for example SuccessFactors SuccessFactors
[51:20] is not on BTP platform Ariba is
[51:23] not on BTP platform right your Fieldglass
[51:26] is not on BTP
[51:28] platform what you are doing is you are
[51:31] using the cloud
[51:33] connector because BTP can talk to these
[51:38] Cloud systems which are which are built
[51:42] on some other runtime they are not on
[51:44] Cloud Foundry or Kyma runtime right so so
[51:49] if they are not on runtime Cloud Foundry
[51:52] runtime or Kyma runtime or Neo runtime
[51:55] you cannot add them in sub accounts
[51:57] itself you cannot add them in BTP sub
[52:01] accounts okay that is where you would be
[52:04] using your destinations and all those
[52:07] configurations so once you set up that
[52:10] okay then then you'll be able to
[52:12] integrate with your the bridge scenario
[52:15] so you can create a cloud
[52:17] connector uh on the BTP to your
[52:21] on-prem BTP will be a
[52:24] middleware
[52:27] which allows you to connect both the
[52:29] cloud systems and the on-prem
[52:31] system can I explain this
[52:34] again see S I think we are going to
[52:38] discuss about when we start connecting
[52:40] connectors and all so there is a
[52:43] detailed session on that but remember
[52:46] one thing SuccessFactors Ariba Fieldglass
[52:48] all these are not developed on BTP
[52:52] platform you cannot add them to sub
[52:54] accounts
[53:02] you can connect it through AC there is a
[53:05] separate approach to connect these
[53:07] systems so on BTP you need to add these
[53:10] systems and then you establish a
[53:13] connection with your on-prem
[53:19] system okay can you show the steps or is
[53:22] it possible for you to I mean I know
[53:24] that you don't have an Ariba system and
[53:25] all but can you just outline the steps
[53:29] as to how you add an external or in this
[53:31] case maybe
[53:33] not when I'm adding connectors to my
[53:40] IAG
[53:42] okay so I have to add a connector right
[53:45] I need to do the pring and all then I'll
[53:47] explain you how do I connect a system to
[53:52] IAG we'll go through the uh you know the
[53:55] detail steps also we'll connect a system
[53:58] and
[54:00] see in the AC we have the available with
[54:03] IAG bridge
[54:04] scenario like how do we collect SuccessFactors
[54:08] Ariba through
[54:12] this I explain you that as well what
[54:15] configuration is required maybe I'll not
[54:17] be able to show you connecting directly
[54:19] as I said I don't have the systems but
[54:22] I'll explain you the scenarios the bridge
[54:24] scenario what is the configuration you
[54:26] have to do in RIS scenario we'll discuss
[54:29] all those
[54:30] topics
[54:32] okay guys this is the first class of IAG
[54:38] don't worry you know we we we we
[54:43] cover all the topics I'm I'm going to
[54:46] explain you
[54:54] everything
[54:56] right so let let me stop it here today
[55:00] uh uh
[55:02] tomorrow uh I'm not available
[55:06] tomorrow uh I'm not available so uh I have a flight in the morning so