Improvements

18

GRC-IAG-RD

Improved Performance for Business Role Export

An issue was identified when exporting a large number of business roles, where the Export Business Roles function could become unresponsive and result in a Gateway Timeout error. This has been resolved by optimizing the performance of the Business Role export process, ensuring a more reliable and responsive experience even when exporting large volumes of roles.

GRC-IAG-AA

Incorrect Usage Count Displayed in Mitigation Control Monitoring Report

Fixed an issue with the usage count display when user mapping is configured.

17

GRC-IAG

Delay and errors in provisioning job

Multiple errors causing failures in the IAG provisioning job were identified and resolved. The fixes restore stable and successful provisioning of users and access to target systems, improving overall job reliability.

No updated for week 16.

No updates for week 15.

No updates for week 14.

No updates for week 13.

12

GRC-IAG-OPS

SAP IAG Subscription Issue

The issues impacting SAP IAG subscriptions have been resolved. All subscription services are now operating as expected.

No updates for week 11.

10

GRC-IAG-AA

Some Actions are Missing when Defining Actions and Permissions in the Function app

In some scenarios, permissions (authorization objects) are not maintained for certain actions in the SU24 transaction in on-premise SAP ERP or SAP S/4HANA systems. With this improvement, the system displays all actions defined in SU24, regardless of whether the associated permissions are maintained.

GRC-IAG-AA

Performance Improvement in the User Access Analysis Screen

Performance in the User Access Analysis screen has been improved to reduce response time and prevent gateway timeout issues. This change doesn't affect existing functionality.

09

GRC-IAG-AA

Fixed Duplicate Usage Count in Mitigation Control Monitoring

Mitigation Control Monitoring: the detail view no longer shows duplicate usage entries. It calculates and displays accurate usage counts for all users

GRC-IAG-AA

Enhanced Business Role Display and Usage Information

The system no longer shows Composite Roles assigned under a Business Role as separate line items. Usage Data and Last Used display correctly for Business Roles that contain only ERP (non-cloud) roles. This behavior matches standalone non-cloud roles.

No updates for week 08.

No updates for week 07.

6

GRC-IAG-PAM

Enhanced Security Audit Logs for Improved Tracking

The enhancement provides detailed and accurate tracking of system activities. For more information, refer to Privileged Access Monitoring Review Inbox and Privileged Access Monitoring Report. (You require SAP ID to access the link.)

GRC-IAG-PAM

Enhanced Security Check for PAM ID Creation

A new security check ensures that PAM ID creation is blocked if the on-premise system is not updated with the latest security or functional notes. This check enhances system security by preventing the creation of PAM IDs on outdated systems, ensuring compliance with the latest security standards. For more information, refer to Privileged Access Provisioning Report. (You require SAP ID to access the link.)

GRC-IAG-PAM

Three Apps Support Adjustable Timestamps

When you create an access request, you enter a UTC timestamp and date. However, the system adjusts the assignment to your local time zone. To give you better visibility, the timestamps show when the assignment expires in your time zone. This time stamp is available in the following three apps:

• Privileged Access Inbox

• Execute PAM Session

• Execute PAM Session

GRC-IAG-AR

Duplicate results from the GetExistingAssignments public API

In some cases, the GetExistingAssignments API call returns duplicate results for the same application. This issue doesn't occur in the User Access Assignment Report application. The API call no longer returns duplicate results.

GRC-IAG-ACI

Imrovements to Provisioning Report Status Updates for SAP IBP

Enhanced the Provisioning Report status update process for SAP IBP. The system now updates the status correctly during the initial provisioning job execution. This improvement eliminates delays in status updates and ensures accurate reporting immediately after provisioning.

5

GRC-IAG-AR

GetExistingAssignments duplicates roles and returns incorrectly ordered results

When accessing the Public API GetExistingAssignments, business roles were duplicated and results weren't returned in the same order for each call. Both issues have been resolved.

GRC-IAG-AR

GetApplicationUsers from and to parameters changed after migration

After migrating to JPA repository, the Public API GetApplicationUsers processed the from and to parameters incorrectly. This resulted in incorrect display. The issue has been corrected.

GRC-IAG-AR

HR trigger jobs not working correctly

HR triggered jobs sometimes failed with the error "Something went wrong during operation". This issue occurred because the PROCESS_ID column contained a NULL value. This has been corrected.

4

GRC-IAG-AR

Manager shown incorrectly in Create Request API error response

When a manager listed in Identity Authentication doesn't have the manager workflow group IAG_WF_MANAGER, the request isn't created. However, the error message showed the GlobalUserId instead of the PID or User ID. This has now been corrected.

GRC-IAG-AR

Changes made through the public API in the Access Request app shown correctly in the Audit Log

Changes made through the public API are now displayed in the Audit Log section of the Access Request app as "submitted by Access Request API" or "updated by Access Request API", rather than attributed to the user who made the change.

No updates for week 03.

No updates for week 02.

No updates for week 01.

52

GRC-IAG-AA

Enhanced user search helps filter user IDs based on mapped user IDs from the search

The user search help previously displayed duplicate user IDs because it included mapped IDs in the search results. The enhanced user search help view now retrieves only the main user ID when a mapping exists.

GRC-IAG-AA

The Ruleset Upload now includes validation for incorrect function counts by risk type.

Validation is now part of the ruleset upload process to detect invalid function counts based on risk type. Segregation of Duties (SoD) risks are validated to ensure they contain two or more functions. Non-SoD risks are validated to ensure they contain exactly one function. Any invalid risks are reported in the validation log. The file upload itself succeeds, and no risks are skipped or blocked due to this validation.

GRC-IAG-AR

The Risk Detail view lacks composite access and business role details in the Access Request Approver and Access Analysis applications

The system now includes missing composite access and business role details when you drill down into risk details. This change ensures clear visibility into the specific access that causes the risk.

No updates for week 51.

No updates for week 50.

No updates for week 49.

No updates for week 48.

No update for week 47.

46

GRC-IAG

User filter configured for one application affects other applications

Resolved an issue where a user filter set for a specific application was incorrectly applied to all matching applications. The filter now correctly limits user visibility only within the intended application.

45

GRC-IAG

Integration Enhancement: SAP Sales and Service Cloud with SAP Cloud Identity Access Governance

Addressed an issue in the SAP Sales and Service Cloud (C4C) delta synchronization job that caused user group assignments in SAP Cloud Identity Access Governance (IAG) to be unintentionally overwritten. With this fix, existing user assignments are now preserved during delta sync operations, ensuring consistent and reliable access management across integrated systems.

44

GRC-IAG-AA

Fixed Access Analysis Popover Details

Ensured accurate access details are displayed in the Access Analysis application's popover.

No updates for week 43.

42

GRC-IAG-PAM

Implement Scheduled Job to Update Logged_Off Timestamp for Inactive PAM Sessions

PAM sessions that auto-terminate due to inactivity (rdisp/gui_auto_logout) or disconnection often retain Logged_Off = NULL. This results in inflated session durations and misleading audit and review data in SAP Cloud Identity Access Governance

To schedule regular jobs that update inactive PAM sessions with the correct Logged_Off timestamp, implement SAP Note 3666084 .

GRC-IAG-ACI

IAG Bridge does not support user creation from business role assignment update in Access Control

In the Access Control Business Role Management application, an issue occurs when updating an existing business role that has assigned users. If the role is updated to include access to a new application where the user does not yet exist, and the configuration "Update Bus Role Assign" in Maintain Provisioning Settings is set to Yes for user creation, the expected provisioning does not happen. After choosing the "Update Assignment" button, the user creation record is not sent to SAP Cloud Identity Access Governance. Support for this scenario has now been extended to IAG Bridge. Refer to 3640318 , 3613828 , 3636380 and 3614963 .

GRC-IAG-MD

Enhanced Validation for Function and Risk Integrity

To ensure data integrity, we have enhanced the validation rules for functions and risks. The following changes have been implemented:

• A function cannot be deactivated if it is assigned to any risk.

• A risk cannot be activated or updated if any of its assigned functions are inactive.

41

GRC-IAG-ACI

Issue with deprovisioning multiple business roles sharing one common access in from Access Control

When multiple business roles share one common cloud access, and the user requests to deprovision all business roles through an access request, one business role remains assigned to the user in Access Control. A fix has been applied. Refer to SAP Note 3646572 .

GRC-IAG-ACI

IAG Bridge does not support user creation from business role assignment update in Access Control

In the Access Control Business Role Management application, an issue occurs when updating an existing business role that has assigned users. If the role is updated to include access to a new application where the user does not yet exist, and the configuration "Update Bus Role Assign" in Maintain Provisioning Settings is set to Yes for user creation, the expected provisioning does not happen. After choosing the "Update Assignment" button, the user creation record is not sent to SAP Cloud Identity Access Governance. Support for this scenario has now been extended to IAG Bridge. Refer to 3640318 , 3613828 , 3636380 and 3614963 .

GRC-IAG-MD

Enhanced Validation for Function and Risk Integrity

• A function cannot be deactivated if it is assigned to any risk.

• A risk cannot be activated or updated if any of its assigned functions are inactive.

No updates for week 40.

No updates for week 39.

No updates for week 38.

37

GRC-IAG-AA

Unable to Define Rule Data for the SAP S/4HANA Cloud IAM Application

An enhancement was introduced to include metadata for the SAP S/4HANA Cloud IAM application as an action. This allows users to define the IAM app as an action and configure all data-level restrictions as permissions through the Function application.

36

GRC-IAG-PAM

Restrict Users from validating their own PAM Log Review requests

Users cannot submit their own PAM Log review requests. Submission must be done by an authorized user. PAM administrators should forward review requests to other users for submission.

SQL script to update privileged access users' business role in User Access Assignment Report

SQL Script automatically updated the historical records of PAM users' business role in the User Access Assignment Report application.

GRC-IAG-RD

Issue when canceling candidate business role proposals

In certain cases, when an administrator attempted to cancel candidate business role proposals, a success message was displayed even though the request was not actually canceled. This issue was caused by a missing scenario, which has now been addressed through an enhancement.

No updates for week 35.

34

GRC-IAG-AR

During access request submission via API, users are prompted to provide custom field values when removing assignments.

During access request submission via API, the user was prompted to provide custom field values when attempting to remove assignments in Concur. This behavior has been corrected to align with the UI-based access request submission, where users are not required to provide custom field values when removing access.

GRC-IAG-AR

Business role approval is stuck at the role owner stage when none of its assignment approvers are available.

The enhancement resolved the issue related to removed assignment approvers for business roles. When the last assignment approver becomes unavailable, business role will be forwarded to the default stage approvers instead—specifically, users in the IAG_WF_DEFAULT group.

GRC-IAG-AR

Some user assignments were not removed in the target application after termination in SuccessFactors.

The access removal request triggered by user termination in SuccessFactors skipped individual role assignments if they were shared through an assigned business role. A fix has been released to address this issue.

GRC-IAG-ACI

Incorrect validity dates generated by a business role assignment update in Access Control.

The provisioning job triggered by a business role assignment update in Access Control is generating incorrect validity dates of the user assignment for both cloud and on-premise access. Refer to SAP Note 3640605 .

GRC-IAG-AC

Improved Notification Error Log message for Failing Mail Authentication.

Notification Error Logs now include the username when sending notifications fails.

33

GRC-IAG-PAM

Use "System" instead of "User" as an Attribute

In SAP S/4 HANA Public Cloud logs, users appear as SYSTEM rather than the user assigned to the PAM ID.

GRC-IAG-AC

Empty State Indicator

Items that don't show any values or lack descriptions are indicated by dashes rather than blank spaces.

No updates for week 32.

31

GRC-IAG-CFG

The job instance status is incorrectly being marked as 'Completed' even when the job ends with an error

The job status update logic was enhanced to include an additional check for execution errors, ensuring the status is now correctly updated based on the actual job outcome.

30

GRC-IAG

Repository Synchronization job for SAP Identity Business Planning gives an Error during User Sync

The repository synchronization job for SAP Identity Business Planning was previously encountering an error during user synchronization. A fix has now been implemented to resolve the issue.

GRC-IAG-AR

During Request Approval, Drilling Down into the Critical Permission Risk Displays Placeholder Characters (e.g., ^!) Instead of Meaningful Value

An enhancement has been implemented to show a [CP] prefix on the action when approvers drill down to view critical permission risk details.

29

GRC-IAG-PAM

Preventing Simultaneous Logon with the same PAM ID in PAM Launchpad

The system automatically removes the PAM ID reservation (lock) if user is logged from the system in the following cases:

When the Log Synchronization job runs.

When users choose Refresh, Back, Exit, or Cancel in the PAM launchpad.

When users choose the Unlock button.

When the PAM launchpad is opened or when other PAM-related actions are performed.

For details, refer to SAP Note 3618392 .

GRC-IAG-AA

Business Role Assignments for PAM Users

PAM now provides business role assignments for newly created PAM users and PAM users that have been updated in the User Access Assignment Report.

GRC-IAG-AA

Delta synchronization from SAP S/4 HANA Cloud application doesn't consider newly created users for risk assessment.

Improvement was made to trigger risk assessment for the newly created users in S4 HANA Cloud application.

28

GRC-IAG-PAM

Authorization Optimization: Removed Requirement for S_ADMI_FCD = PADM from Users with Assigned PAM ID

Users who are assigned a PAM ID are currently required to have the authorization object S_ADMI_FCD with value PADM. This authorization is too strong for end users and raises security concerns in customer environments. To change the authorization, refer to SAP Note 3618623 . For more information, go to Authorization for Privileged Access Management (PAM).

27

GRC-IAG-RD

User is removed from the Users list in the Business Roles application after extending validity dates of the assignment

User to business role relation is removed after user requests for the extension of business role assignment in SAP Cloud Identity Access Governance.

26

GRC-IAG-PAM

Enhanced Audit Logs for Privileged Access Review Requests

The Privileged Access Monitoring Review Inbox and Privileged Access Monitoring Report applications now offer improved audit logging capabilities. These enhancements provide detailed tracking of review actions.

25

GRC-IAG-PAM

Short Dump during Privileged Access Synchronization job.

SAP Note 3615746 fix the issue when Privileged Access Synchronization job terminates with following symptom: The program SAPLSIAG_ACCESS_LOG attempts to access the field of type X using a substring length greater than the defined field length, which leads to a runtime error.

GRC-IAG-PAM

Activation of a PAM ID on ERP connectors fails with a misleading error message.

Previously, when activating PAM ID on ERP connectors with insufficient user authorizations, the system returned a misleading error message: Field 'ET_OPERATION_RESULT' is not a member of record 'OUTPUT'.. SAP Note 3574113 note addresses that issue by updating the error handling to correctly display that the activation failed due to missing authorizations, allowing for quicker diagnosis and resolution.

.

GRC-IAG-AC

Common UI for Risk Details

Risk Details in Access Certification are being displayed in the same way as in other services belonging SAP Cloud Identity Access Governance.

24

IAG-CFG

Performance issue with synchronizing users from SAP S/4HANA Cloud application to IAG.

An additional property, s4c-user-page-size, has been introduced to address performance issues during user synchronization from the SAP S/4HANA Cloud application to IAG. Customers must configure this property in the BTP destination and specify the desired paging size to enable pagination during user synchronization.

GRC-IAG-CFG

The last run on date/time for recurring job is not correct for authorization synchronization job for on-premise ERP applications.

An improvement was made to authorization synchronization job to display execution time of the job logs correctly.

.

23

GRC-IAG-ACI

Issue with Repository Synchronization job from SAP Access Control to SAP Cloud Identity Access Governance

An improvement was implemented to resolve the issue where the repository synchronization job was failing when scheduled in SAP Cloud Identity Access Governance.

GRC-IAG

Extra validations added to the custom workflow template name

dditional validations were introduced for theMaintain Workflow Template app. Template name may only contain numbers, letters, and underscores and must begin with a letter.

22

GRC-IAG-PAM

When Can Multiple Users Log into the Same On-Premise PAM Session Concurrently

Refer to 3528087 for more details on when two users can simultaneously login into the system using the same Privileged Access ID.

GRC-IAG-PAM

Failing Privileged Access Log Synchronization job

To optimise runtime and reduce memory consumption during privileged access log synchronisation, refer to 3606297 .

GRC-IAG-PAM

Missing logged_off Timestamp When Session Is Closed Improperly in SIAG_PAM_LAUNCH_PAD

If a user closes a session in the SIAG_PAM_LAUNCH_PAD without clicking the Unlock button, the logged_offtimestamp remains empty. This note provides a fix to correctly calculate the logged_off time in such scenarios to ensure accurate session tracking. For more details, go to 3604073 .

GRC-IAG-PAM

Issues were resolved regarding when PAM IDs assigned to a user are visible in another user SIAG_PAM_LAUNCH_PAD

Fixed issue when a user can see PAM IDs assigned to another user in SIAG_PAM_LAUNCH_PAD. Refer to 3327858 .

GRC-IAG

Error when running the repository sync job for IAS V2 application

Improved the logic to update IAG tables for deleted user and for manager user name update.

No updates for week 20

19

GRC-IAG

SCI sync job to show skipped users in the job history

Job History List logs for SCI Sync Job via IAS V1 and IAS V2 will display the users who were skipped during the sync to SAP Cloud Identity Access Goverance.

GRC-IAG

User Access Assignments Report to show assignments from SAP Access Control

Business roles assigned to the users in SAP Access Control will be displayed in the User Access Assignments Report, including access from ACTARGET applications.

GRC-IAG-PAM

Provisioning of Privileged Access ID assignments to the user in the connected ABAP systems

Privileged Access ID assignments can now be provisioned for users regardless of the case-sensitivity in their login names. This feature supports users with lower-case login names in Identity Authentication and upper-case login names in connected ABAP Systems, ensuring seamless access management.

GRC-IAG-PAM

Assigned To column in IAG_PAM_LAUNCH_PAD

Assigned To column is now displayed when PAM ID is locked by another user in SIAG_PAM_LAUNCH_PAD. Refer to 3605758 .

18

GRC-IAG-PAM

Paging for PAM Access Log Synchronization Job to Improve Performance and Stability

Implement Paging for PAM Access Log Synchronization Job to improvepPerformance and stability in SAP Cloud Identity Access Governance.

Refer to 3586925 and 3586699 .

GRC-IAG-PAM

Session Logged On and Logged Off Times Exceeding gui_auto_logout Parameter in SAP Cloud Identity Access Governance

This note 3575316 is designed to address logged off timestamp for sessions which were not formally terminated in siag_pam_launchpad.

17

GRC-IAG-AR

Deprovisioning user access in on-premise applications with correct validity dates

Replacing one business role assignment with another business role that has overlapping roles will update user access in the target applications with the correct new validity dates.

GRC-IAG-AR

Info message added for the Notes section

Added an info message in the Notes section of access request approval screen. The message informs approvers that their comments will be visible to the next stage approvers (if any), but will not be available in the audit log.

GRC-IAG-AR

New field 'managerPnumber' added to GetApplicationUsers API

Added a new field 'managerPnumber' to GetApplicationUsers API which shows the P-number of user’s manager in Identity Authentication.

16

GRC-IAG-AA

SoD risks are incorrectly flagged for all SuccessFactors users, instead of being selectively reported to the relevant users

An improvement was implemented to analyze and report SoD risks only for specific categories of SuccessFactors users—such as Managers, HR Managers, and Matrix Managers—when roles are assigned through dynamic groups.

GRC-IAG-PAM

Implement Paging for PAM Access Log Synchronization Job to Improve Performance and Stability

You run a Privileged Access Log Synchronization in SAP Cloud Identity Access Governance to retrieve PAM logs from SAP ERP sessions. This job terminates because of out-of-memory issues caused by lack of paging in log retrieval on the SAP ERP side.

The note introduces paging to retrieve logs more efficiently, preventing the transmission of excessive number of logs in a single call.

Notes are downported into SAP_BASIS 756 and 757. See 3586925 and 3586699 .

GRC-IAG

Clear delta mode checkbox for repository sync jobs where it's non-applicable

Clear delta mode checkbox for repository sync jobs where it's non-applicable.

No updates for week 15

14

GRC-IAG-AA

Synchronization-Based Cleanup of AC User Mappings

13

GRC-IAG-AR

Manager email ID is blank

Enhanced database objects to fetch the manager details. The manager user ID is the login name if present, otherwise it is a P-number.

12

GRC-IAG-AR

Enhancement for CheckUserHasRisk IAG API

The logic for CheckUserHasRisk API was enhanced to not consider expired roles for calculation.

GRC-IAG-BRM

Access Mass Update is including all Assignment Approvers to the access approver list

With this update, the Guided Mass update process will update / add, as expected, only those access assignment approvers that are included in the guided process flow UI.

11

GRC-IAG-AC

Partially provisioned business roles were not visible for data selection

Data selection for business roles in the Create Campaigns app shows both fully and partially provisioned business roles.

GRC-IAG-AC

Access Certification Usage Data Value for Cloud Applications

By default, no data is available, as we only provide usage data for on-prem applications.

GRC-IAG-AA

New button introduced in User Mapping ID

A new button called Choose from Application Assignment is now available.

10

GRC-IAG-PAM

Cancel recurring jobs for PAM in Job scheduler

To manage duplicated PAM Review Log Requests, recurring jobs previously scheduled for Privileged Access Log Sync Job and Privileged Access Review Request in the Job Scheduler will be terminated. Status of each job run will be set to Completed with Errors. For details, refer 3577849 - Managing Duplicated PAM Log Requests .

9

GRC-IAG-AA

Risk analysis job dumps due to large volume of SAP S/4HANA Cloud authorization data

Enhanced risk analysis processing efficiency by optimizing data handling and performance tuning to prevent job failures caused by the large volume of SAP S/4HANA Cloud authorization data.

Role deprovisioning issue with access analysis

Improvement was made to resolve deprovisioning roles issues due to role assignment validity period.

GRC-IAG-AR

Error in creating Access Request in SAP Cloud Identity Access Governance through ServiceNow with standard SAP API, Description

Enhanced the logic for Access request creation for API.

8

GRC-IAG-AR

Admin Inbox download report formatting enhanced for Creation Date

Admin Inbox download report formatting enhanced for Creation Date

GRC-IAG-CFG

Out of Memory issue in SAP S/4HANA Cloud sync due to very large SAP S/4HANA business roles.

Optimized S/4 HANA Cloud synchronization by improving memory management and handling large S/4HANA business roles to prevent Out of Memory issues.

6

GRC-IAG-AR

Request Administration application will only be assigned via new role collection CIAG_Request_Admin_Inbox

With this enhancement, there is a new role collection available, CIAG_Request_Admin_Inbox. This role collection needs to be assigned to users to have access to Request Administration tile and carry our administration actions of 'Forward', 'Cancel' or 'Approve' as an administrator. Any existing users with access to this application would need to be assigned with this new role collection to continue having access.

5

GRC-IAG-PAM

PAM Email Notifications Update

Since enhancements have been made to improve the functionality of PAM access request notifications, the Notification template in the Template Upload application must be re-uploaded..

GRC-IAG-AA

Performance Improvement

Manage Jobs: Performance for AC Mitigation Control Transfer Job has been improved.

GRC-IAG-AR

Business role to User Association Updated

With this fix, if a business role is provisioned or deprovisioned from users successfully via access request or HR Trigger process, these updates will reflect as expected on the Business Role assigned user list.

GRC-IAG-RD

Technical error encountered while maintaining role approvers in the SAP Cloud Identity Access Governance system.

An improvement was made to the Access Maintenance screen. With this fix, a role approver can be replaced when the current approver is no longer has the role or no longer exists.

4

GRC-IAG-AR

Access Request Audit Log Report Date Range Filter

Enhancement carried out to render access request audit logs data as per filters selected, including date range.

GRC-IAG-AR

Gateway Timeout when searching by User ID in provisioning report

Changes have been made to improve the performance of the provisioning report to render records based on search criteria.

GRC-IAG-AR

GetExistingAssignments API duplicate access during pagination

With this update, now the GetExistingAssignments API will get unique access list only.

GRC-IAG-AR

SAP ERP, SAP S/4 OP expired application showing up in new access search list

With this enhancement, expired SAP ERP and SAP S/4HANA On- Premise application assignments will be available in existing assignments as expired accesses. Users can select these expired application types to request for extension.

3

GRC-IAG-CER

Access Certification Manage Campaign

Removed translation errors in Cancel Campaign message box.

51

GRC-IAG-AR

User Access Assignment and Existing Assignment API return duplicate Access with different descriptions

The result view was updated to remove such duplicate data.

GRC-IAG-AR

The application is not showing in new and existing assignments tab for expired users

With these changes, Applications access type will now be available in new access list for users with expired validity dates. Once added to request and provisioned, the users will have updated validity dates in target applications.

GRC-IAG-AR

Risk Mitigation at Access level not showing up as fuly mitigated at User request level

With these changes, any risks that are mitigated at access level will not appear for user when requesting accesses that have any of these mitigated risks as common and one of them is mitigated.

GRC-IAG-PAM

Notify Reviewer that review request waiting for review

Notifications are sent to all review stages for the connector type SAP S/4HANA Cloud.

49

GRC-IAG-AR

Password Retrieval for Mapped Users

Password Retrieval for Mapped Users enhanced for SAP S/4HANA (on-premise) and SAP ERP.

48

GRC-IAG-AA

In the Access Analysis app, risk details are not displayed when drilling down into risks violated by a user through a business role.

A solution has been implemented to resolve the drill-down issue related to business role assignments for users.

GRC-IAG-AA

The usage count for cloud applications is not applicable, but it is incorrectly displayed as zero.

Usage information is currently available only for on-premise SAP S/4HANA and SAP ERP systems. Changes have been implemented for cloud applications, including the SAP S/4HANA public cloud to display the usage count as blank instead of zero.

GRC-IAG-AR

SAP_ALL profile was being removed from user via SAP Cloud Identity Access Governance launchpad

When we schedule a provisioning job it calls a plug-in module on SAP ERP or SAP S/4HANA system that assigns the role to the back-end user.

Previously, provisioning was wiping off the SAP_ALL profile or any other profile that was added manually and not generated programmatically during this provisioning.

Refer to 3544014 for correction instructions.

GRC-IAG-PAM

Downport of PAM security note to the older versions

Backport of Security Note Implemented: Security note 3389398 has been downported to older versions. The last supported version for this note is SAP_BASIS 740.

47

GRC-IAG-AR

Updated UI behaviour for approver action in risk remediation screen during approval

At risk and role owner stages, owners can now only approve or reject their own line items instead of all accesses in a request. This update ensures approvals are made in a secure and auditable manner by authorized individuals.

GRC-IAG-AA

Duplicate authorization object data is generated when maintaining function actions and permissions.

Enhancements have been implemented to prevent the creation of duplicate authorization object data during the maintenance of function actions and permissions.

46

GRC-IAG-AR

Line items on the remediate risk screen are incorrectly enabled for approval or rejection for non-risk owners

The UI was enhanced as the line items were incorrectly enabled on the remediate risk screen for non-risk owners. The UI now determines actions to ensure that only authorized users can approve or reject to remediate risks.

GRC-IAG-AR

PAM Request Status update corrected

In the Request Statusapp, the status of PAM approval is now reflected in the action taken by approvers for PAM requests. The status can be 'In process' if an approval is still pending, 'approved' if an approval is at the final stage, and 'Rejected' if an approval is rejected by an approver at any stage.

GRC-IAG-AR

GetLineItemProvStatus API -Response Parsing fix.

Parsing response has been improved for the API as it was returning internal server error.

GRC-IAG-AR

Deprovisioning error for ovverlapping technical roles in business roles

When removing business roles that have overlapping technical roles, deprovisioning error showed up for duplicate items. With this improvement, now even with duplicate items in provisioning, these can be successfully deprovisioned.

45

GRC-IAG-AR

Risk details filter improvement in Access Request approver view

In the risk details popover in approver view, the filter on permission details now filters out the list based on selected criteria by user.

GRC-IAG-AA

Risk Owners are not loaded properly

Improvement was made to upload the risk owners correctly when uploading the ruleset data.

GRC-IAG-AA

User provisioning is failing in IBP application

Improvement was made to address the user provisioning issue due to missing validation in IBP application for the access request submitted via SAP Access Control.

44

GRC-IAG-AR

Request Administrator approver popover user list

In the Request Administration app, the Approvers popover list is now updated to show all approvers, even if there is one approver or more than one approver.

GRC-IAG-AR

GetApplicationUsers API sorting logic improvement

Improved the sorting logic for GetApplicationUsers API to work seamlessly with pagination.

43

GRC-IAG-AA

Risk ID is not visible in Access Analysis for Mitigation Control Assignment

The Access Analysis app now displays both the risk ID and risk description in the mitigation control assignment area.

GRC-IAG

Enhancement on access token retrieval for repository synchronization of applications based on Identity Provisioning.

In Neo, for applications based on Identity Provisioning, access tokens can be retrieved in cases where previous access tokens expired while repository synchronization was running.

42

GRC-IAG-AA

Recurring schedule option for Data Deletion

Data Deletion Jobs can be scheduled with repeated runs.

GRC-IAG-AA

Improved risk assessment update for OData services

Proper risk assessments will be displayed for users and accesses having access to OData services even when there are changes to risks and functions that have OData services active in the list of actions and permissions.

41

GRC-IAG-AR

Ability to create an application with same ID as a deleted application

This update allows for another application name to be created that is same as a deleted application name.

GRC-IAG-AR

Configuration introduced to enable submission of requests with valid from date earlier than current date

A new application configuration has been introduced that allows for submission of a request submitted via API that is valid from date for any line item earlier than the current date.

40

GRC-IAG-CER

Approve/Reject Functionality Disabled for Own Assignments

To ensure that reviewers don’t approve or reject their own assignments, the Approve/Reject functionality has been disabled in the reviewer inbox. After reviewing all other line items, the reviewer needs to forward the assignment to another reviewer to finish the review and submit the assignment.This feature allows administrators to configure whether multiple access requests can be submitted for the same user when there are

GRC-IAG-AR

Configuration for Multiple Access Request Submissions

functionality has been disabled in the reviewer inbox. After reviewing all other line items, the reviewer needs to forward the assignment to another reviewer to finish the review and submit the assignment.This feature allows administrators to configure whether multiple access requests can be submitted for the same user when there are already pending requests in the system. A new option has also been introduced in the application configuration. Administrators can now set this option to functionality has been disabled in the reviewer inbox. After reviewing all other line items, the reviewer needs to forward the assignment to another reviewer to finish the review and submit the assignment.No, which will prevent users from submitting additional requests for the same user if there are any open requests already in the system.

GRC-IAG-AR

From Date Validation in Access Requests

In the access request form and API, a validation check has been introduced to ensure that the From date is not in the past. The From date must be either today or a future date.

GRC-IAG-AR

Enhancement for Risk Owner Stage Approval in Access Requests

If no risk owners are defined, users assigned to the IAG_WF_DEFAULT group in IAS will receive the approval request at the risk owner stage.

GRC-IAG-AR

Performance Enhancements for Cloud Foundry Provisioning

Performance enhancements have been made to speed up provisioning to Cloud Foundry.

GRC-IAG-MD

Updated Logic for Populating Control Owner List in Mitigation Control Master Data

In Mitigation Control master data maintenance, the control owner list now correctly reflects the complete list based on the group assigned in IAS.

39

GRC-IAG-CER

Close Campaign Button Renamed

In the Manage Campaign app, administrators and coordinators are able to close a campaign. Rejected access assignments will not be revoked. The campaign closes without provisioning and without taking into account decisions made during that campaign. For better understanding of this process, the button was renamed to Cancel Campaign.

38

GRC-IAG-PAM

Export PAM Logs to Excel spreadsheet

Introduced a Download button to export large volumes of logs into an Excel file, helping to avoid gateway timeout errors. Additionally, now users can see a limited number of logs directly in the application for a quick reference and a pop-up message that indicates if the log count exceeds the display threshold.

GRC-IAG-AR

Not able to update request reason in Request Reason app

While saving, the service returns a 500 error. This is due to the conversion of null values to strings. If the value is nulll, do not convert it to a string to avoid the exception.

37

GRC-IAG-AR

Fix for missing risk approver error in access request workflow

During access request workflow approval at risk owner stage even If there are no risk approvers maintained for risks, the approval for that line item will pick users from IAG_WF_DEFAULT group instead of showing an error.

GRC-IAG-AR

Performance enhanced for PAM approval tile

The performance of PAM approval view has been enhanced along with some enhancements in loading time for all the details. These improvements avoid the exceptions that were encountered while opening PAM approval pages

36

GRC-IAG-BRM

Assigment Approvers saving not updating the current users

The fix has been released to save and update any changes to assignment approvals inlcuding removing, adding new approvers to access assignment.

35

GRC-IAG-AR

No verification for Exception during provisioning that was null

Now a check has been added so if the exception message is null, the message is updated to "exception with no message".

All users are coming up in F4 value help when searching for users to add as delegates

The F4 value help list now fetches only those users that have access to access request Inbox (with WF groups).

GRC-IAG-AA

Access Analysis enhanced report doesn’t include all users to remediate the access

An improvement was made to the Access Analysis Enhanced Report. It now includes all users with SoD risks, regardless of their remediation status.

34

GRC-IAG-AA

When a recurring job is scheduled and runs, the "last run time" field is not updated after each job finishes.

Update the "last run time" field after completing each job.

33

GRC-IAG-AR

Two identical Privileged Access IDs for the same user

When now you create an access request for a user to obtain a Privilieged Access ID, you will get a validation message stating there's already a pending request for the user with overlapping validity dates.

32

GRC-IAG-AA

AC Business Role Synchronisation

To significantly improve system performance logs were enhanced for better consumption and performance details.

GRC-IAG-AR

While provisioning user in CONCUR, an error is encountered when user is missing company domain with ‘@’.

If CONCUR target application user ID does not have the ‘@’ symbol while provisioning, then the user ID will be concatenated with company domain that is maintained in the CONCUR destination.

30

GRC-IAG-AR

Concur provisioning is failing from SAP Cloud Identity Access Governance

Improvement was made to support mandatory employee number as part of access request to avoid the provisioning failure.

GRC-IAG-AR

Access level mitigation is not considered in Access Request approval process

Considered access level mitigation when identifying Segregation of Duties (SoD) risk in access requests

GRC-IAG-AA

Issue with repository synchronization for SCIM application type

Improvement was made to retrieve authorization for applications that are using SCIM protocol

GRC-IAG-AA

Manage Jobs - user warning for Access Control - Risk Definition Synchronization and Access Control - Mitigation Control Transfer

In most cases, jobs in the categories Access Control - Risk Definition Synchronization and Access Control - Mitigation Control Transfer should be executed once. Starting it again could cause problems. We introduced a visual indicator and warning popup when at least one job of this category has already been completed to make the user aware of this. Scheduling recurring job runs will no longer be available.

29

GRC-IAG

IAG Jobs are aborted due to JCO exception

SAP Cloud Identity Access Governance has incorporated the solution that was released by SAP BTP platform team to address the random JCO exception in destination service API and released to customers.

GRC-IAG

Performance issue with repository synchronization for Fieldglass application

28

GRC-IAG-CER

Improved log messages

Upgraded Job Log Messages to incorporate detailed processing information.

(For Business Role Sync, customers can view the total number of Business Roles read from SAP Access Control, identify which Business Roles have been processed and inserted, and clearly see if a Business Role Sync is complete. For Mitigation Control Sync, customers can now see the number of risks associated with each processed control, facilitating better identification and troubleshooting.)

GRC-IAG-CER

Job validation

Made the connector field mandatory in sync job creation to prevent potential problems and ensure seamless job execution.

GRC-IAG-CER

Job status

Implemented an active instead of running job status to provide real-time clarity for recurring tasks and prevent confusion about pending job executions.

GRC-IAG-CER

Business Role Sync Default Approver

SAP Access Control - Business Role Sync updates the Business Role with the Default Role Content Approver & Role Assignment Approver.

GRC-IAG-AA

Mitigation control assignment validity is not updated incorrectly for expired control assignments

Solution was provided to correctly update the assignment validity period for expired control assignments.

GRC-IAG-AA

Mitigation Control assigned in SAP Acccess Control in ARM Workflow is getting updated in SAP Cloud Identity Access Governance with Inactive status

In Bridge Scenario, an improvement was made to correctly update the status for user mitigation assignments that are mitigated from SAP Access Control.

GRC-IAG-AA

Improved sync of fine grained authorizations for SCIM connectors

Now the improved logic brings all the fine grained authorizations as defined in payload with proper hierarchy defined.

GRC-IAG-AR

Support for on premise SMTP server via cloud connectors

Now on-premise email server via cloud connector is supported for email notifications.

GRC-IAG-AR

Improved logic to validate Manager field

The validation check for the Manager field value is enhanced now and doese not result in time out even if the group IAG_WF_MANAGER has several users assigned in Identity Authentication.

GRC-IAG-AR

Correction to saving user attribute company from Identity Authentication (user data source)

The value of user attribute can now be synced correctly against the company field for users from Identity Authentication as a user data source.

GRC-IAG-AR

Enhanced custom field logic for CONCUR users in access request form

Enhanced custom field logic for CONCUR users in access request form, even if existing in any one of the CONCUR systems.

GRC-IAG-AR

Improved logic for access validity date changes in access request

The improvement takes care of validity date changes in Access Request for existing assignments. Now the audit logs in SAP Cloud Identity Access Governance and the connected target SAP ERP system also reflects these changes.

27

GRC-IAG-PAM

Audit Log message update

Audit Log updated in the Maintain Privileged Access app for disabled Privileged Access IDs when users change a business role.

GRC-IAG-PAM

Length of messages from connected system

Update to prevent gateway timeouts in the Maintain Privileged Access app when connected systems send long messages while saving and activating Privileged Access IDs.

GRC-IAG-PAM

Unsupported symbols in search field

An improvement was made to prevent gateway timeouts in the Maintain Privileged Access app when users enter ‘@&% symbols in the Search field.

GRC-IAG-AA

Role not showing as mitigated after applying mitigation control

Enhancements were implemented to apply mitigation controls to both single and composite access, filtering out reported risks that are mitigated on the Access Maintenance screen.

GRC-IAG-AA

A gateway timeout occurs in User Access Analysis for specific users

26

GRC-IAG-AR

Role owner was able to approve access requests despite risks

Improvements were made to restrict approval if accesses have associated risks and remediation is mandatory for a stage.

GRC-IAG-AR

Access Request Custom fields displayed for all access types

If there are any custom fields available in the application, these are shown in Access Request Form for all access types including technical accesses and business roles.

GRC-IAG-AA

Handling of mapping users display in Access Analysis

When user mapping is available in the system, UI now shows the details of the mapped users without throwing an error.

25

GRC-IAG-AR

Login into SAP Cloud Identity Access Governance using SSO creates a new user in SAP BTP

GRC-IAG-AR

Access request role search API enhancement

For access request role search API, now the language parameter is being passed to eliminate performance and time out issues.

GRC-IAG

Gateway time out in job logs due to huge volume of logs

Pagination has been implemented to eliminate time out issues in the Job Scheduler history.

GRC-IAG-AA

Mitigation Control Assignment Report display correction

Mitigation Control Assignment Report now displays the access type for composite roles.

20

GRC-IAG-AR

Handling for decimal notations in provisioning to SAP ERP, SAP S/4 On Premise applications

User provisioning to SAP ERP, SAPS/4 On Premise applications are updated with correct decimal notations as per application settings.

GRC-IAG-PAM

PAM assignment removal update

With this change, now the PAM ID removal from users is handled correctly for all users (Users existing only in target applications with no authorization for SAP Cloud Identity Access Governance and those who have access to SAP Cloud Identity Access Governance).

GRC-IAG-BRM

Candidate Business Role proposal enhancements

With this update, the Candidate Business Role proposal now has enhanced clustering by either roles or users.

GRC-IAG

Different date displays in the logs

Job Scheduler displays the correct job executed date and logs,

19

GRC-IAG-AR

Provisioning Job Log returns Internal Server Error 500

The internal server error caused by the incorrect data format has been resolved.

GRC-IAG-PAM

Improved handling of PAM assignments for SAP S/4 On-Premise and SAP ERP system

After final approval of PAM ID assignments in SAP ERP and SAPS/4 On Premise applications, in cases where assignment couldn’t happen due to some error like communication with the applications couldn’t happen, the PAM ID assignments will not get updated and will not appear in existing assignment list in access request forms in SAP Cloud Identity Access Governance.

GRC-IAG-AR

User Access Assignment report

Now the report and existing assignment list in request form shows the same data for users access list.

GRC-IAG-AR

Configuration Application parameters > Requestor Approval (Requestor can approve requested for others) extended for all stages

This configuration is now extended to all stages, not only Manager stage. Essentially if this is set to Yes, then not only manger stage, but Requestor now can approve at role owner, security and risk owner stages as well, provided the request is for others.

GRC-IAG

Improvement in mail notification for different languages and character

Mail notification upload has been enhanced to handle special characters in some languages

GRC-IAG-AA

Displaying deleted roles within the Access Risk Summary Report

The Access Risk Summary Reportcontinues to include deleted roles even after they have been removed from the target system.

GRC-IAG-AA

When downloading violation data from the Analyze Access Report, it yields false-positive violation information.

Within the Analyze Access Report, the dataset download function presents inaccurate violation details for users by furnishing complete rule data instead of the specific violations.

18

GRC-IAG-AR

Requested For user name changes on Remediate screen

Requested For user first name and last name will be shown as expected on the Remediate of Access Request service.

GRC-IAG-AR

Role owner stage approval and provisioning update

Single role oner stage or role owner stage as the last approval step, The request is not sent for provisioning unless all the role owners take action on the access for which they are responsible.

GRC-IAG-AR

Improvement to mitigate risk from multiple systems

Improvement to mitigate risk from multiple systems when stage level configuration to ‘Mitigation of critical risk required before approving the request’.

GRC-IAG

Enhanced handling for privilege descriptions during repository sync job for SCIM connectors

The access descriptions in Identity Authentication are synced to SAP Cloud Identity Access Governance in the logon languages of logged users running the repository sync job if these descriptions are maintained in those languages.

GRC-IAG

Built-in Support for the Manage Jobs app

The Built-in Support is now available for the Manage Jobs app.

GRC-IAG-BR

Business Role field requirements are standardized during creation and mass upload.

Criticality field mandatory check is now removed for file upload of business roles.

GRC-IAG-AA

Allow access request in IAG to simulate risk assessment even if ruleset is not configured

In case, ruleset details are not maintained, access request will allow risk simulation

GRC-IAG-AA

In Access Maintenance UI, Business/sub process displayed with description and allow to remove the same.

Now user can see the description of BP and Sub Process with ID in Access Maintenance UI

GRC-IAG-AA

Consider mitigation assignment with wildcard risk ID in risk analysis

Improvement to risk analysis to consider mitigation assignment that are defined with wildcard risk ID.

16

GRC-IAG-PAM

Attributes displayed in the Audit Log in theMaintain Privileged Access app

When editing Privileged Access IDs, any changes made to attributes such as Description, Long Description, Criticality, and Duration of Days are displayed in the section.

GRC-IAG-AR

Improved handling of Composite Roles in Business Role removal scenarios.

If there are Overlapping Composite Roles within multiple Business Roles and a user has these Business roles assigned and when 1 of the Business Roles is deprovisioned, the overlapping composite role is retained in user assignments list as part of other business role assignment.

GRC-IAG-AR

Role Assignment Removal in SAP S/4HANA Cloud via SAP Cloud Identity Access Governance

The SAP S/4HANA Cloud roles update is taken care with proper type in SAP Cloud Identity Access Governance. This update ensures deprovisioning of SAP S/4CLOUD roles assigned to users via Business roles is carried out as expected.

GRC-IAG-AR

HR Events Report

Users can export HR Events Report as expected.

GRC-IAG-AR

HR Events API enhancement

HR Events API is enhanced to include CostCenterRef. Even when this field is not used (empty or null), request submission will continue to behave as before.

14

GRC-IAG-AR

Harmonize Business Role search criteria in Business role master list and access request form

Harmonize access Business Roles and Access Request screens. All matching results are to be returned for partial and full description search, even if it contains special characters.

GRC-IAG-AR

Standardized displayed information in Approver and Administrator Inboxes

In Access Request Admin UI, instead of just user ID, users can see full name and User ID of Requested by.

GRC-IAG-RD

Restrict Business Role name to 50 characters.

A check has been added to ensure that Business role name cannot exceed 50 characters while creating a business role.

GRC-IAG-RD

In Access Maintenance detail UI, user can select description of business subprocess instead of technical ID

While editing an access in the Access maintenance app, Business process and Sub Process descriptions are shown along with ID in the dropdown list.

GRC-IAG-AA

Performance improvement while saving Mitigation control master data

When saving details for a mitigation control there is a significant improvement in performance.