In this blog post you are going to learn step-by-step process with the help of screenshots on how to integrate SAP Analytics Cloud with SAP Cloud Identity Access Governance. For successful integration, you would need administrator access in SAP Analytics Cloud, SAP Identity Provisioning Service(SAP IPS), SAP Bussiness Technology Platform Cloud Foundry(SAP BTP CF) and SAP Identity Authentication Service(IAS).

Step 1: Login into BTP IAG subaccount to create IPS_PROXY destination. You would need subaccount adminstrator role assigned to your ID against “Default Identity Provider”

IPS_PROXY

Note: 

• Make sure name(IPS_PROXY) of this destination should be exactly same including case as well
• Insert IAS-IPS bundled link without “/” or “/ips” in suffix

Step 2: Create user in SAP Analytics Cloud with wide privileges

SAP Analytics Cloud

• Purposeshould be selected with value  Interactive Usage and API Access
• For Access, value “User Provisioning”must be selected. It is required from SAP Cloud Identity Access Governance to perform provisioning.

Step 3: Create Proxy System in SAP Identity Provisioning Service for SAP Analytics Cloud using guide

Proxy System in IPS

• Note down Alphanumeric System ID from URL which is required in later steps to configure in SAP Cloud Identity Access Governance(IAG). For eg., it will look like a5af23cb-996b-4249-b52a-385fe50576ab
• Update Read and Write Tarnsformations from Step 5 provided in SAP Help Guide
• Properties Nameand Value should be fetched from SAP Help Guide. It is case sensitive and should not have any space in prefix/suffixof the text
• Value of OAuth2TokenServiceURL must be fetched from screen in Step 2 against field Token URL
• Value of URL should be in format https://<tenant>.hcs.cloud.sap
• Value of User must be fetched from screen in Step 2 against field OAuth Client ID and must be of type Standard
• Value of Password must be fetched from screen in Step 2 against field Secret under Security by pressing button Show secret and must be of ty pe Credential

Step 4: Create Application from Applications tilefor SAP Analytics Cloud in SAP Cloud Identity Access Governance(SAP IAG)

SAP Analytics Cloud in IAG

• Value(for eg., a5af23cb-996b-4249-b52a-385fe50576ab) in External Application IDwill be Alphanumeric System ID fetched from URL in Step 3
• HCP Destination will be auto-populated once external application id is filled

Step 5: Run Repository Object Sync job for SAP Analytics Cloud(SAC) system using Job Scheduler tile

Schedule Repository Sync

Repository Sync from SAP Analytics Cloud(SAC) to SAP Cloud Identity Access Governance(IAG)

As per the design, Repository Sync saves the Teams from SAP Analytics Cloud(SAC) but not the roles to SAP Cloud Identity Access Governance(IAG)

After following above steps, you would be able to sync teams from SAP Analytics Cloud and perform provisioning to SAP Analytics Cloud from SAP Cloud Identity Access Governance. Also, you can perform risk analysis on SAP Analytics Cloud to identify potential risks.

References

Please check the below documentation from Administration Guide for more information:

• https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/e12d8683adfa4471ac4edd40809b9038/ae06bfacfbba43679b0ca802ca3b58d4.html?locale=en-US

Please check below articles which will help in further integration of SAP Analytics Cloud with SAP Cloud Identity Access Governance:

• https://blogs.sap.com/2021/02/25/grc-risk-analysis-for-cloud-systems/
• https://blogs.sap.com/2021/03/29/sap-grc-access-request-for-cloud-systems/
• https://blogs.sap.com/2023/05/09/sap-iag-access-analysis/

Note: Please share your feedback or thoughts in a comment below or ask questions in the Q&A tag area here about SAP Cloud Identity Access Governance