IAG User Lock Enhancement

A practical enhancement for customers running SAP IAG without SuccessFactors — paired with AD-driven auto termination.

In my previous post, I shared how organizations running SAP landscapes without SuccessFactors can still achieve near real-time user termination by integrating Azure AD with SAP IAG. That approach works beautifully for detection and access request orchestration — but it surfaces one important question that every IAG practitioner eventually runs into:

“Why doesn’t SAP IAG lock the user on the backend system out-of-the-box?”

By design, SAP IAG performs role removal, validity expiration, and access revocation — but it does not natively lock the user record (SU01 lock) in the managed SAP backend. For many compliance and audit teams, “role removed” is not the same as “user locked.”

Here’s how we closed that gap with a lightweight, standards-friendly enhancement.

The Problem Statement

For customers who:

  • Do not have SAP SuccessFactors as a leading HR system

  • Rely on Azure AD / on-prem AD for identity lifecycle

  • Use SAP IAG as the central access governance platform

…the standard IAG de-provisioning flow revokes roles but leaves the user record active on the target SAP system. This creates a residual risk window — and audit findings nobody wants to explain.

The Enhancement — Locking Users via Implicit Enhancement

The good news: SAP IAG exposes the right hooks in the provisioning layer. With a small, audit-friendly implicit enhancement inside the function module SIAG_USR_CHANGE, we can automatically lock the user when their validity has expired.

Where the enhancement goes

  1. SE37 → Function module SIAG_USR_CHANGE

  2. Add an implicit enhancement at the appropriate exit point

  3. Trigger the standard IAG lock API when validity end date (GLTGB) is ≤ today

The code

The logic is intentionally simple — read the incoming user list, filter those whose validity has expired, and call the SAP-delivered lock method:

" Build a range table with one 'I EQ' row per user in the incoming list
" whose validity end date (GLTGB) is on or before today
DATA(lr_users) = VALUE siag_t_usr_range(
  FOR ls_usr IN it_usr WHERE ( is_logondata-gltgb LE sy-datum )
    ( low = ls_usr-iv_username sign = 'I' option = 'EQ' ) ).

" Hand the range to the SAP-delivered lock method
cl_siag_provision=>lock_user(
  EXPORTING
    it_user_range = lr_users ). " User range table

That’s it. No custom lock logic, no Z-tables, no parallel provisioning path — we’re simply extending what IAG already does by invoking a standard SAP-delivered method.

Why This Matters

  • Closes the audit gap: Role removal + user lock = a clean, defensible offboarding trail.

  • Zero disruption to standard IAG: Implicit enhancement is upgrade-safe and doesn’t fork the delivered function module.

  • Works with the AD-driven model: Pairs perfectly with the Azure AD → IAG auto termination flow I shared earlier — the moment AD disables the account, IAG ends validity, and the enhancement locks the user on the SAP backend.

  • Ideal for non-SF landscapes: Customers without SuccessFactors finally get a complete, automated identity lifecycle story.

The End-to-End Picture

With this enhancement in place, the full chain looks like this:

Azure AD disables user → Azure app detects change → SAP IAG access request (de-provisioning) → Validity expired → Enhancement triggers cl_siag_provision=>lock_user → User locked on SAP backend

No manual intervention. No forgotten SU01 locks. No audit surprises.

A Few Implementation Notes

  • Place the enhancement carefully — after role updates but before the provisioning response is returned to IAG.

  • Keep it conditional on GLTGB (validity end date) so you never lock active users.

  • Log every lock action. Audit teams love telemetry; future-you will too.

  • Test in Dev/QA with a range of scenarios: new user, extended validity, expired validity, and already-locked users.
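The enhancement body below is an added example, not the post's own code, that puts the snippet from "The code" together with the implementation notes above: the GLTGB guard, one application-log entry per locked user, and deduplication of the incoming user list. It assumes, as the post does, that IT_USR (with IV_USERNAME) and IS_LOGONDATA (with GLTGB) are import parameters of SIAG_USR_CHANGE and that cl_siag_provision=>lock_user accepts a siag_t_usr_range table; the log object ZIAG, subobject LOCK and message ZIAG 001 are hypothetical and would have to be created in SLG0 and SE91. One caveat the original filter does not cover: an initial GLTGB ('00000000') means "no end date" in SAP, yet it compares lower than today, so a plain LE check would lock users with unlimited validity; the example excludes that case explicitly. The expiry check is hoisted out of the FOR loop because it reads IS_LOGONDATA, which does not vary per row.

```abap
" Added example: implicit enhancement body for SIAG_USR_CHANGE.
" Assumptions: IT_USR / IS_LOGONDATA are the FM's import parameters as in the
" post; log object ZIAG, subobject LOCK and message ZIAG 001 are hypothetical.

DATA(lv_today) = sy-datum.

" Guard: an initial GLTGB ('00000000') means "no end date" and must not be
" treated as expired. Nested IF (not CHECK/RETURN) so the FM itself keeps running.
IF is_logondata-gltgb IS NOT INITIAL AND is_logondata-gltgb <= lv_today.

  " One 'I EQ' range row per user, then drop duplicate user names
  DATA(lt_user_range) = VALUE siag_t_usr_range(
    FOR ls_usr IN it_usr
      ( sign = 'I' option = 'EQ' low = ls_usr-iv_username ) ).
  SORT lt_user_range BY low.
  DELETE ADJACENT DUPLICATES FROM lt_user_range COMPARING low.

  IF lt_user_range IS NOT INITIAL.
    " SAP-delivered lock method, as in the post
    cl_siag_provision=>lock_user(
      EXPORTING
        it_user_range = lt_user_range ).

    " Application log (SLG1): one message per locked user, so the audit
    " trail shows who was locked, when, and which validity end triggered it
    DATA ls_log        TYPE bal_s_log.
    DATA lv_log_handle TYPE balloghndl.
    ls_log-object    = 'ZIAG'.   " hypothetical log object (SLG0)
    ls_log-subobject = 'LOCK'.   " hypothetical subobject
    ls_log-aluser    = sy-uname.
    ls_log-alprog    = sy-repid.

    CALL FUNCTION 'BAL_LOG_CREATE'
      EXPORTING
        i_s_log      = ls_log
      IMPORTING
        e_log_handle = lv_log_handle
      EXCEPTIONS
        OTHERS       = 1.

    IF sy-subrc = 0.
      LOOP AT lt_user_range INTO DATA(ls_range).
        " Hypothetical message ZIAG 001: 'User &1 locked, validity ended &2'
        DATA(ls_msg) = VALUE bal_s_msg(
          msgty = 'I'
          msgid = 'ZIAG'
          msgno = '001'
          msgv1 = ls_range-low
          msgv2 = is_logondata-gltgb ).
        CALL FUNCTION 'BAL_LOG_MSG_ADD'
          EXPORTING
            i_log_handle = lv_log_handle
            i_s_msg      = ls_msg
          EXCEPTIONS
            OTHERS       = 1.
      ENDLOOP.

      CALL FUNCTION 'BAL_DB_SAVE'
        EXPORTING
          i_t_log_handle = VALUE bal_t_logh( ( lv_log_handle ) )
        EXCEPTIONS
          OTHERS         = 1.
    ENDIF.
  ENDIF.
ENDIF.
```

Writing to the application log rather than a custom table keeps the "no Z-tables" property of the original approach while still giving audit teams a searchable record in SLG1; the four test scenarios listed above (new user, extended validity, expired validity, already-locked user) map directly onto the guard condition and the lock call, so each can be checked by inspecting the log entries it produces or does not produce.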

Closing Thought

SAP IAG is powerful, but like every enterprise platform, it assumes an ideal world — one with an HR system of record driving the lifecycle. Most real customers don’t live in that world. Small, well-placed enhancements like this one bridge the gap between what’s delivered and what compliance truly needs.

Governance isn’t about features. It’s about closing every last gap.

If you’re running SAP IAG without SuccessFactors and want to take your offboarding automation from “good” to “audit-proof,”
