The Challenge
Managing user terminations across a complex SAP landscape is one of the most critical — and most overlooked — aspects of enterprise security and compliance. When an employee leaves an organisation, their SAP access must be revoked swiftly and consistently across every connected system. Failure to do so exposes the business to significant audit risks, potential data breaches, and compliance violations.
For organisations running SAP SuccessFactors, the Identity Lifecycle module can be synced with SAP Identity Access Governance (IAG) to provide a native pathway for handling this. But what about the many enterprises that do not have SAP SuccessFactors, or where SuccessFactors cannot be synced with SAP IAG? These organisations, often running SAP S/4HANA, SAP SAC, SAP BTP and other systems, are left without a clean, automated solution for cross-system user termination.
At Datanub, we built a solution to close this gap.
What We Built
We developed a custom application hosted on Microsoft Azure that integrates directly with the SAP IAG API to automate user termination across the entire SAP landscape. The application orchestrates the full lifecycle of a termination event: identifying the user, creating access requests in SAP IAG, configuring auto-approval workflows, and executing the termination — all without manual intervention.
The core components of the solution include:
- Azure App Service — hosts the termination application with a clean, intuitive web interface for configuration and monitoring.
- SAP IAG API Integration — connects to SAP IAG to programmatically create access requests for user termination across all connected SAP systems.
- Auto-Approval Workflow — access requests are configured to be automatically approved, eliminating bottlenecks and ensuring terminations are processed in near real-time.
- Azure SQL Database — stores configuration data, user mappings, termination logs, and audit trails for full traceability.
- Azure Scheduler — enables scheduled and recurring termination runs, allowing organisations to automate batch processing of departing users.
Solution Architecture
The diagram below illustrates the end-to-end architecture of the solution, showing how the Azure-hosted application communicates with SAP IAG to orchestrate user termination across the entire SAP landscape.

How It Works
The process is straightforward and fully configurable. Below we walk through each step, accompanied by screenshots from our User Acceptance Testing (UAT) environment.
Step 1: Secure Login
Administrators access the IAG Auto Termination application through a secure, browser-based interface hosted on Azure App Service. Authentication is handled via Azure Active Directory, ensuring enterprise-grade security from the outset.

Step 2: IAG API Configuration
The settings panel allows administrators to configure the SAP IAG connection parameters, including the Client ID, Client Secret, Token URL, IAG base URL, and the specific API scopes required for access request creation. A built-in test connection feature validates the configuration before any task is executed.

Step 3: Azure Active Directory Configuration
The Azure AD tab configures the Microsoft Graph API integration. This is where the application connects to Azure Active Directory to identify disabled user accounts. Administrators specify the Tenant ID, Client ID, Client Secret, and select the Azure AD groups to monitor for disabled accounts. When a user is disabled in Azure AD, the application automatically picks them up for SAP termination.

Step 4: Database Configuration
The database configuration connects the application to the Azure SQL Server instance that stores user mappings, configuration data, termination logs, and complete audit trails. This ensures every action taken by the system is fully traceable and auditable.

Step 5: Scheduler Configuration
The scheduler enables automated, recurring termination runs. Administrators can configure the frequency — daily, weekly, or monthly — along with the specific run time and timezone. This ensures that user terminations are processed consistently without requiring manual intervention.

Step 6: Execute the Termination Task
In addition to scheduled runs, administrators can trigger a termination task on-demand using the “Run Now” button. This provides flexibility for urgent offboarding scenarios where immediate action is required.

Step 7: Termination Overview & Results
The overview dashboard provides a real-time summary of the termination run, including the total number of users terminated, groups monitored, scheduler status, and a detailed activity log showing each user processed. Every termination is timestamped and status-tracked for complete visibility.

Step 8: Termination Logs & Audit Trail
The termination logs page provides a comprehensive, searchable audit trail of all termination actions. Each entry includes the user details, SAP system, request status, access request number, and timestamp — providing the evidence needed for SOX, GDPR, and internal compliance audits.

Step 9: Access Request in SAP IAG — Auto-Approved
The final confirmation: access requests are automatically created in SAP IAG and move directly to provisioning with auto-approval. The screenshot below from the SAP IAG Provisioning Report shows the access requests generated by the application, all auto-approved and ready for de-provisioning across the connected SAP systems.
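Because requests are picked up automatically (Step 3) and auto-approved (Step 9), an independent reconciliation of disabled Azure AD accounts against the termination log (Step 8) is a useful control. The sketch below is an added example, not Datanub's code: the data is constructed, and the log field names, status values, system IDs and the `reconcile` helper are assumptions.

```python
# Added example: constructed data; log field names and status values are assumptions.
# Shaped like a Microsoft Graph group-members response fetched with
# $select=userPrincipalName,accountEnabled (accountEnabled is not returned by default).
GRAPH_MEMBERS = {"value": [
    {"userPrincipalName": "a.khan@example.com", "accountEnabled": False},
    {"userPrincipalName": "b.lee@example.com", "accountEnabled": True},
    {"userPrincipalName": "c.diaz@example.com", "accountEnabled": False},
    {"userPrincipalName": "d.roy@example.com", "accountEnabled": False},
]}
# Hypothetical user mapping: Azure AD UPN -> SAP systems the user has access to.
USER_MAPPING = {"a.khan@example.com": ["S4P", "BWP"], "b.lee@example.com": ["S4P"],
                "c.diaz@example.com": ["S4P"]}
# Constructed log rows: (user, sap_system, request_status, access_request_number).
TERMINATION_LOG = [
    ("a.khan@example.com", "S4P", "Completed", "REQ-1001"),
    ("a.khan@example.com", "BWP", "Failed", "REQ-1002"),
    ("b.lee@example.com", "S4P", "Completed", "REQ-1003"),
    ("C.Diaz@example.com", "S4P", "Completed", "REQ-1004"),
]
OK_STATUSES = {"completed"}  # assumed success value for request_status

def reconcile(members, mapping, log):
    """Return (missing, unexpected): terminations that should exist but do not,
    and logged terminations for accounts not seen as disabled."""
    state = {m["userPrincipalName"].lower(): m.get("accountEnabled")
             for m in members.get("value", [])}
    systems_for = {upn.lower(): systems for upn, systems in mapping.items()}
    done, logged = set(), set()
    for user, system, status, request_no in log:
        logged.add(user.lower())
        if status.lower() in OK_STATUSES and request_no:
            done.add((user.lower(), system))
    missing = []
    for upn, enabled in state.items():
        if enabled is not False:   # True, or None when the property was not selected
            continue
        systems = systems_for.get(upn)
        if not systems:            # disabled in Azure AD but no SAP mapping to act on
            missing.append((upn, "<no SAP mapping>"))
            continue
        missing += [(upn, s) for s in systems if (upn, s) not in done]
    # Auto-approved requests get no human review, so surface any that target
    # an account that is still enabled or is outside the monitored groups.
    unexpected = sorted(u for u in logged if state.get(u) is not False)
    return sorted(missing), unexpected

if __name__ == "__main__":
    missing, unexpected = reconcile(GRAPH_MEMBERS, USER_MAPPING, TERMINATION_LOG)
    print("missing terminations:", missing)
    print("unexpected terminations:", unexpected)
```

Run on a schedule separate from the termination job, the two lists give auditors evidence that every disabled account was de-provisioned and that no enabled account was terminated by mistake.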

Why This Matters for Companies Without SAP SuccessFactors
This is where the solution delivers its greatest value. Organisations that do not have SAP SuccessFactors in their landscape — or where SuccessFactors cannot be integrated with SAP IAG due to technical or licensing constraints — lack the native Identity Lifecycle sync that would otherwise automate user terminations. These companies are typically managing offboarding through a combination of manual processes, custom ABAP scripts, or fragmented ticket-based workflows. These approaches are slow, error-prone, and difficult to audit.
Our Azure-based solution bridges this gap by providing:
- Centralised termination management across heterogeneous SAP landscapes (ECC, BW, SRM, CRM, GRC, Solution Manager, and more).
- Audit-ready logging with full traceability of every termination action, satisfying SOX, GDPR, and internal compliance requirements.
- Elimination of manual effort — no more chasing approvals or manually locking users in each system.
- Reduced security exposure — terminated users are de-provisioned in near real-time, closing the window for unauthorised access.
- Cloud-native scalability — built on Azure, the solution scales with your organisation and integrates seamlessly with existing Azure Active Directory and identity management infrastructure.
Proven in Practice
We have successfully completed User Acceptance Testing (UAT) for this solution, validating the entire flow from login and configuration through to task execution, termination completion, and access request creation in SAP IAG. The UAT confirmed that access requests are created, auto-approved, and provisioned without any manual steps — exactly as designed.
The Bigger Picture
User termination is just one piece of the identity governance puzzle. But it is arguably the most time-sensitive. A delayed termination can lead to data exfiltration, fraudulent transactions, or failed audits. By automating this process through Azure and SAP IAG, organisations gain confidence that their offboarding process is consistent, auditable, and fast.
At Datanub, we specialise in SAP security, GRC, and identity governance solutions. If your organisation does not have SAP SuccessFactors, or if SuccessFactors cannot be synced with SAP IAG in your landscape, we would be glad to discuss how this solution can be tailored to your needs.
Get in Touch
Interested in automating SAP user termination for your organisation? Reach out to the Datanub team to learn more about our Azure-based IAG integration solutions.
