Top FAQs About SAP BTP, SAP IAS, and SAP IAG Every Security Expert Should Know

SAP Business Technology Platform (BTP) and other SAP Cloud applications are revolutionizing the way businesses leverage technology. Understanding the key components—SAP Identity Authentication Service (IAS) and SAP Identity and Access Governance (IAG)—is essential for any SAP security professional.

In this blog post, we cover the most frequently asked questions about SAP BTP, SAP IAS, and SAP IAG. Whether you’re new to the SAP ecosystem or an experienced consultant, this guide will help you stay informed and ahead of the curve.

1. Will SAP IAG replace SAP GRC?

No, SAP IAG will not replace SAP GRC. SAP plans to release the next version of SAP GRC in 2026, and both tools will coexist with complementary functionalities.

2. Can SAP GRC and SAP IAG be used together?

Yes, clients can implement both. SAP IAG is essential when integrating on-premise SAP GRC with cloud systems like SAP Ariba or SuccessFactors—referred to as the IAG Bridge Scenario.

3. Can SAP IAG be used with on-premise systems?

Yes, SAP IAG supports both on-premise and cloud environments.

4. Does IAG offer the same features as SAP GRC Access Control?

While SAP IAG and SAP GRC Access Control share some features, they are separate products with distinct capabilities, advantages, and limitations.

5. Is SAP IAG a public or private cloud offering?

SAP IAG is currently available as a public cloud solution, with potential future plans for a private version.

6. What advantages does SAP IAG offer over SAP GRC?

Each product offers unique benefits. Direct comparisons aren’t always helpful as their functionalities differ based on use cases.

7. Is prior SAP GRC knowledge necessary to learn IAG?

While not mandatory, familiarity with SAP GRC can make learning SAP IAG easier, especially for SAP consultants transitioning into cloud governance roles.

8. Can SAP IAG integrate with SAP Process Control or Risk Management?

No, currently SAP IAG does not support integration with other GRC applications such as SAP Process Control (PC) or Risk Management (RM).

9. How often is SAP IAG updated?

SAP regularly updates IAG with new capabilities. Refer to the official SAP Help Portal for the latest roadmap.

10. Is BTP security knowledge necessary to support IAG?

Yes, understanding SAP BTP security is beneficial, especially since role assignments and user management for IAG are handled via IAS, which is integrated with BTP.

11. What is a Universal ID and how do I create one?

SAP Universal ID (also known as SAP Open ID) is a centralized identity provider. Create your ID at SAP Account.

12. What is the Default Identity Provider (IDP)?

The Default IDP is automatically set up during BTP account creation, using SAP’s user store. SAP recommends configuring a corporate IDP for enhanced security.

13. Why configure a custom/corporate IDP?

Custom IDPs allow organizations to manage user data internally. They offer more flexibility and control compared to the default provider.

14. What’s required to set up SAP Cloud IAG?

Setting up SAP Cloud IAG involves configuring IAS, destination settings in BTP, and running background jobs for synchronization and provisioning.

15. Difference between S User ID, P User ID, and Universal ID?

For a detailed breakdown, refer to this SAP Blog Post.

16. How are role collections assigned in BTP?

You can assign role collections:

• Directly via BTP cockpit (manual)
• Dynamically via groups in IAS (recommended)

17. How to create administrators in IAS?

Navigate to Users & Authorizations → Administrators in IAS and add either a standard user or a system user with appropriate authentication.

18. How do business users log in to IAS?

They don’t. Business users log in to the applications integrated with IAS, not the IAS portal itself.

19. How to change user profile settings?

Use the “User Profile” link from your activation email: https://<tenant>.ondemand.com/.

20. What is SAP Cloud IAG?

SAP Cloud IAG is a public cloud solution that streamlines compliance for hybrid environments. It’s part of SAP’s “Cloud First Adoption” strategy.

21. How to manage authorizations in SAP IAG?

Create custom IDPs, sync user groups to IAG, and configure destinations and schedulers in BTP to automate role provisioning.

22. What configuration is needed for SCIUserGroup destination?

Specific configuration parameters are required (refer to official documentation for updated fields and values).

23. How to perform risk analysis in SAP IAG?

For Roles: Use Access Maintenance to search for roles and view risk data.
For Users: Use Access Analysis – Enhanced Report to evaluate risks at the user level.

24. How to log in to a PAM ID session?

Use transaction code SIAG_PAM_LAUNCH_PAD in the backend system.

25. Can I create a PAM ID in the backend system?

No. PAM IDs must be created in SAP IAG and then pushed to backend systems through provisioning jobs.

26. Can individual roles be assigned to PAM IDs?

No, PAM IDs must be assigned a single business role, which can include multiple single roles.

27. What workflows are associated with PAM IDs?

• PAM – for ID assignments
• PAMREVIEW – for reviewing access logs

Configure workflows and rules within the IAG application.

Conclusion

SAP BTP, IAS, and IAG are reshaping how organizations approach identity and access management. As cloud adoption increases, mastering these technologies is critical for SAP professionals. This guide serves as a foundational reference for security teams aiming to stay secure, compliant, and agile in today’s evolving enterprise landscape.

Read More – SAP BTP is the future of SAP