SAP IDM, IPS and IAS - What do I need? A demarcation (Part I)

The task: What is it actually about?

Do you remember your school days and the assignments that involved assigning words to each other by connecting them together? Did you do well there? Then let's start this blog with such a simple task:

Map the words on the left to the SAP tools on the right. Multiple connections are possible.

An easy exercise? Have you correctly assigned almost all of the terms on the left to each term on the right? Can you differentiate between all use cases for using the tools on the right? Then you are ready for a deeper technical insight into the detailed, five-part blog series by Matthias Kaempfer.

For everyone else, and for interested readers, the first part of this two-part blog series continues here with a demarcation of the above-mentioned services and tools (referred to simply as “tools” below).

The functionalities: what actually does what?

SAP describes these different tools as follows:

Some readers will now wonder why neither SAP Access Control nor SAP Cloud Identity Access Governance (IAG) appears in this list. This is because these tools are not in the direct context of "Identity Management". They do not belong to the SAP Cloud Identity Services, as Marko Sommer also describes here. The same is true of SAP Identity Management, but that tool is clearly intended for the management of identities. The reason it is not part of the SAP Cloud Identity Services club is obvious: it runs on-premise.

If you want to learn more about IAG, I refer you to the very insightful blog of my colleague, Alessandro Banzer.

If you now look at the features of the various tools and take a closer look at them, you will notice that there are functional overlaps and that the areas are partially intertwined. This can be explained using the task at the beginning of the blog, for example using the term “provisioning”.

This term applies to all three tools, because they can all provision data (such as user data, authorizations, etc.) from A to B in a certain way. In this case, the IAS is mostly used as the target system for such provisioning, but SAP Jam and the IPS can also be provisioned from the IAS:

With the IPS, on the other hand, you can connect a number of different systems as source, target and proxy systems (e.g. IDM), including Active Directory, Azure Active Directory, SAP Analytics Cloud, SAP AS ABAP, Google G Suite, SAP SuccessFactors, SAP S/4HANA or other systems that use the SCIM standard. This selection can be seen in Figure 2 "SAP IPS".

The SAP IDM solution, on the other hand, uses a large number of connectors that allow provisioning into almost all known on-premise systems, such as Active Directory, SAP AS ABAP, SAP AS Java, SAP S/4HANA, various databases, and systems that use LDAP. With the option of a connection to the IPS, you can also integrate all cloud systems that can be provisioned by the IPS:

Other terms that apply to all three tools include, for example, "Hybrid" (all tools can work, and work together, in a hybrid landscape), which also covers "Cloud" and "On-Premise". In addition, SAP IDM and SAP IAS can act as "identity providers", and SAP IPS can carry out the provisioning from and to these providers. They can thus be part of the authentication process or perform authentication themselves, and they can be targets of workflows or represent workflows themselves.

So what is the difference between the three tools and which one do I need for which use case?

You can find out from a practical example in Part 2 of the blog: The start of the fictional Elsa Mayer's career at ACME.

If you would like to find out more about IDM, IPS or IAS or what training courses and workshops are available, please contact [email protected] or browse here.

Managing SAP Security Consultant | SAP Identity Management at Xiting AG
Steffen Schatto has been working as an IT security enthusiast at Xiting AG since 2013 and is head of SAP Identity Management Services. He is a specialist for SAP Identity Management and together with his motivated team he is engaged in Identity & Access Management, the implementation of secure identity life cycle processes, authorization and authorization management, recertifications, consulting, project management and much more.
He also enjoys eating pizza.