Authorization management rarely makes headlines – until it becomes the thing that slows down onboarding, creates compliance risk, or simply cannot model how an organization actually works.
As SAP Cloud ALM grows into the central ALM platform across SAP's cloud portfolio, the demands on its authorization model have changed. What was sufficient for a team of twenty does not hold up when hundreds of users across multiple workstreams need precisely defined, differentiated access – scoped not just to functional areas, but to specific process areas, scenarios, and organizational responsibilities.
The current model has clear limitations: predefined role collections with limited flexibility, no support for fine-granular delegation, and user management that is disconnected from where enterprises already govern their identities. These are not corner cases – they are consistent feedback from customers operating SAP Cloud ALM at scale.
This post outlines the direction we are taking to address them.
The Limits of Where We Are Today
SAP Cloud ALM today provides a solid starting point: a set of predefined role collections aligned to functional areas – Implementation, Operations, Administration – built on SAP's Authorization and Trust Management Service (XSUAA). For many customers, this has been sufficient to get started.
But “sufficient to get started” is not sufficient for enterprise-scale operations.
We hear consistent feedback across our customer base:
- Role collections are predefined, leaving limited room for tailoring to diverse organizational structures
- Fine-granular delegation – assigning someone access to part of a process, not all of it – is not supported
- Restricting authorization to specific process areas or scenarios requires workarounds that don't scale
- User and authorization management lives inside SAP Cloud ALM itself, disconnected from where enterprises already manage their identities
These are not edge cases. They are the lived experience of running SAP at enterprise scale. And they are precisely what the next chapter of SAP Cloud ALM authorization is designed to solve.
Our Vision: Authorization as a Strategic Capability
Our vision is simple to state, but significant in its implications: authorization in SAP Cloud ALM should be a strategic enterprise capability – not an administrative constraint.
That means moving from a model where access is approximated through fixed role bundles, toward one where access is defined with precision, governed centrally, and enforced through modern, policy-driven infrastructure aligned with the full SAP cloud platform.
We are pursuing this through three interconnected horizons – each delivering value on its own, while collectively transforming the foundation.
Horizon 1 – Fine-Granular Role Templates and Custom Role Collections
The first horizon is about giving customers the building blocks to design authorization that mirrors how their organization actually works.
SAP Cloud ALM already covers a rich set of authorization scopes – in some ways comparable to what SAP S/4HANA customers know as authorization objects. These scopes are grouped into authorization role templates, which in turn can be combined into role collections. Role templates are the lowest level of this hierarchy that customers can actively work with: they serve as the building blocks from which customers compose their own custom role collections. Role collections are the entity ultimately assigned to end users – role templates cannot be assigned to users directly. The challenge today is that SAP's current role templates are too coarsely defined, limiting customers' ability to tailor role collections to the diversity of their organizational structures.
We are changing this. SAP is re-clustering authorization scopes into coherent, fine-granular role templates – modular authorization units, each representing a defined functional capability. Customers will be able to combine these templates freely into custom role collections, assembled to match their teams, governance policies, and operational responsibilities – and assign them directly to end users.
This is not a cosmetic change. It is the shift from a model where customers adapt to SAP's packaging, to one where SAP's building blocks adapt to the customer's reality. We expect to deliver this starting later this year.
Horizon 2 – Centralizing Identity and Authorization in SAP Cloud Identity Services
Fine-granular role templates give customers flexibility within the existing architecture. But the second horizon is about replacing that architecture altogether – and in doing so, laying the foundation for everything that follows.
Today, SAP Cloud ALM manages users and authorizations within its own application layer. That means separate admin UIs, separate role management, and separate provisioning workflows – disconnected from where enterprises already govern their identities. For customers running multiple SAP cloud services, this multiplies overhead and creates governance blind spots.
Our direction is clear: as part of SAP's broader platform strategy, SAP cloud services will no longer maintain their own user and authorization management. Everything consolidates into SAP Cloud Identity Services (SCI) — the single identity fabric across the SAP cloud portfolio.
For SAP Cloud ALM customers, this transition means:
- One place to manage users — no more context-switching between application-specific admin interfaces
- Centralized authorization governance in SCI — consistent, auditable, and aligned with enterprise-wide identity policies
- Seamless corporate IdP integration — users synchronized into SCI regardless of whether a customer relies on SAP's identity provider or their own corporate identity provider
- Readiness for SAP Joule — the SCI migration is a prerequisite for bringing SAP's AI copilot capabilities into SAP Cloud ALM
This is not just a technical migration. It is the prerequisite for the next horizon — and the realization of an integrated SAP ALM Suite where identity is handled once, consistently, and at scale.
Horizon 3 – Attribute-Based Authorization via SAP Cloud Identity Services AMS
With SAP Cloud Identity Services in place as the central identity foundation, the third horizon becomes possible: authorization that goes beyond roles and reflects the full organizational context of the user.
Fine-granular role templates answer the question of what someone can do. This horizon answers the harder question: under what conditions can they do it.
Restricting access based on context – limiting a user to a specific process area, a defined set of scenarios, or an organizational scope – requires a fundamentally different technical approach. Role-based access control alone cannot model this complexity at enterprise scale. This capability is unlocked by migrating to SAP Cloud Identity Services Authorization Management Service (AMS) – a modern, policy-driven framework for Attribute-Based Access Control (ABAC). AMS policies evaluate not just who you are, but what you are accessing and under what organizational context. Critically, AMS builds directly on the SCI foundation established in Horizon 2 – it cannot be introduced without it.
With AMS, SAP Cloud ALM will unlock:
- Process area- and scenario-scoped authorization — users see and interact with only the parts of SAP Cloud ALM relevant to their responsibilities
- Context-aware access policies – dynamic, fine-grained control that scales with organizational complexity
- A future-proof authorization architecture – fully aligned with SAP BTP standards, consistent across SAP cloud services
This is the horizon where authorization becomes a true enterprise governance instrument – not a set of switches to toggle, but a policy layer that reflects how your organization actually operates.
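The hierarchy from Horizon 1 (scopes grouped into role templates, templates composed into role collections, collections assigned to users) and the contextual restriction from Horizon 3 can be modelled in a few lines. This is an added illustration, not SAP code and not the AMS policy language; every scope, template, collection and attribute name in it is hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical role templates: each groups a small, coherent set of scopes.
ROLE_TEMPLATES = {
    "ProcessViewer": {"process.read"},
    "ProcessEditor": {"process.read", "process.write"},
    "TestExecutor": {"test.read", "test.execute"},
}

@dataclass
class RoleCollection:
    name: str
    templates: list
    # Attribute restriction: attribute name -> allowed values (empty = unrestricted).
    conditions: dict = field(default_factory=dict)

    def scopes(self):
        # Effective scopes are the union of all composed templates.
        return set().union(*(ROLE_TEMPLATES[t] for t in self.templates))

def assign(assignments, user, target):
    # Only role collections are assignable; a bare template name is rejected.
    if not isinstance(target, RoleCollection):
        raise TypeError("role templates cannot be assigned to users directly")
    assignments.setdefault(user, []).append(target)

def is_allowed(assignments, user, scope, resource):
    """Role check answers 'what'; attribute check answers 'under what conditions'."""
    for rc in assignments.get(user, []):
        if scope not in rc.scopes():
            continue
        # A resource lacking a restricted attribute fails the check (fail closed).
        if all(resource.get(a) in ok for a, ok in rc.conditions.items()):
            return True
    return False  # default deny

def build_demo():
    # Constructed sample data: one scoped collection, one unrestricted read-only one.
    assignments = {}
    lead = RoleCollection("O2C_Process_Lead", ["ProcessEditor", "TestExecutor"],
                          {"process_area": {"order-to-cash"}})
    auditor = RoleCollection("Auditor", ["ProcessViewer"])
    assign(assignments, "alice", lead)
    assign(assignments, "bob", auditor)
    return assignments
```

With roles alone, alice's write scope would apply to every process area; the condition on the collection is what confines it to one.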
Why This Matters Now
The shift to cloud-native ALM is accelerating. Customers are consolidating their SAP landscapes, expanding their use of SAP Cloud ALM across more processes and teams, and increasing their expectations for governance and compliance. The authorization model must keep pace.
At the same time, the broader industry is moving decisively toward attribute-based, policy-driven access control – away from the rigid role hierarchies of the past. SAP Cloud ALM's path through these three horizons is not just a product improvement roadmap. It is alignment with where enterprise identity and access management is heading and a commitment to making SAP Cloud ALM ready for the demands of the next decade.
Summary
SAP Cloud ALM's authorization model is undergoing a fundamental, three-horizon transformation:
- Horizon 1 (later this year): Fine-granular role templates and custom role collections – giving enterprises the flexibility to model authorization to their organizational structure
- Horizon 2: Full consolidation into SAP Cloud Identity Services – a single identity fabric across the SAP cloud portfolio, a prerequisite for SAP Joule integration
- Horizon 3: Migration to SAP Cloud Identity Services AMS – enabling attribute-based authorization, including process area- and scenario-scoped access control
- Together, these horizons move authorization from an administrative necessity to a strategic enterprise capability