SuccessFactors tells you who works here. OpenIAM governs what they can access.

SAP SuccessFactors is your system of record for workforce data — but it does not provision access, revoke it when someone leaves, or adjust it when someone changes roles. OpenIAM bridges that gap: every HR event in SuccessFactors automatically triggers the right access change across SAP, Microsoft 365, and every connected system — with audit-ready evidence produced for every action.

SuccessFactors is not your identity governance solution. It was never designed to be.

SAP SuccessFactors is an outstanding HR platform. It manages your workforce data with precision — new hires, role changes, departures, organizational restructures. When someone joins your company, SuccessFactors records it immediately. When they leave, SuccessFactors records that too.

What SuccessFactors does not do is govern what those people can access. It does not provision a new starter's SAP account on Day 1. It does not revoke a leaver's Microsoft 365 access on their last day. It does not remove a manager's elevated permissions when they change roles and the elevation is no longer appropriate. Those governance actions require a separate system — and without one, the gap between what SuccessFactors knows and what your connected systems reflect is where access risk lives.

That gap has a name in audit language: an ITGC access control failure. Auditors test specifically for the delta between HR records and system access. Leavers with active accounts. New starters without Day 1 access. Role changes that weren't reflected in permissions for days or weeks. Each of these is a finding — and in regulated industries, a pattern of them is a control deficiency.

The joiner gap — Day 1 access that isn’t

A new hire starts on Monday. SuccessFactors has their record, their role, their department, their manager. But without automated provisioning, their SAP access depends on someone raising a manual request, someone else approving it, and an IT team processing it. The average time to first access in a manual JML environment is 3–7 business days. The new starter cannot do their job. The access record shows no formal grant. The auditor flags it.

The leaver gap — active accounts that shouldn’t be

An employee leaves on Friday. HR completes the offboarding in SuccessFactors that afternoon. Without automated revocation, their SAP account, their Microsoft 365 email, their Salesforce access, and their VPN credentials remain active over the weekend — and often for days or weeks after that. Orphaned accounts following leaver events are one of the most common ITGC findings in regulated industry audits. Every day an account remains active after its owner has left is a documented access risk.

The mover gap — access that accumulates

An employee moves from Accounts Payable to a management role. They receive the access their new role requires. Their old AP access — including sensitive financial transaction permissions — is rarely removed because no process forces the removal. Over time, across multiple role changes, a single user accumulates access from every role they’ve ever held. Access accumulation is the quiet version of an SoD violation — each grant was appropriate at the time, but the combination is not.


The access lag that auditors find. Measured in days.

This is what the JML gap looks like in a typical mid-market organization without automated identity lifecycle governance. Each row is a real scenario. The 'Unresolved' entries are the ones that appear in ITGC audit findings.

Without OpenIAM — typical mid-market manual JML process

| HR event | Day | Status | Audit implication |
| --- | --- | --- | --- |
| Joiner scenario | | | |
| New hire added in SuccessFactors | Day 0 | Pending | HR record created. Access not yet provisioned. |
| IT access request raised manually | Day 2 | At risk | 2-day delay before request even enters the queue. |
| Manager approval received | Day 4 | At risk | New starter has been working without system access for 4 days. |
| SAP account created | Day 6 | Unresolved | Day 1 access target missed by 6 days. ITGC finding: access not granted on commencement. |
| Microsoft 365 provisioned | Day 8 | Unresolved | Systems provisioned separately. No single audit trail of the full access grant. |
| Mover scenario | | | |
| Role change recorded in SuccessFactors | Day 0 | Pending | New role attributes updated in HR system. |
| Old access removal request raised | Day 5 | Unresolved | 5-day lag before old access removal is even requested. |
| Old access removed | Day 9 | Unresolved | Access accumulation for 9 days. SoD risk if old and new roles conflict. |
| Leaver scenario | | | |
| Leaver offboarded in SuccessFactors | Day 0 | Pending | Offboarding completed in HR system. |
| SAP access revoked | Day 3 | Unresolved | Active SAP account 3 days after offboarding. |
| Microsoft 365 access revoked | Day 7 | Unresolved | Active email account 7 days after offboarding — ITGC finding. |
| Salesforce access revoked | Day 14 | Unresolved | Active CRM access 2 weeks after offboarding. Orphaned account. |

With OpenIAM — automated lifecycle from SuccessFactors

| HR event | Day | Status | What happens |
| --- | --- | --- | --- |
| Joiner scenario | | | |
| New hire added in SuccessFactors | Day 0 | Resolved | OData API sync triggers OpenIAM joiner workflow immediately. |
| Birthright access provisioned — SAP | Day 0 | Resolved | SAP account created with role-appropriate access. Day 1 ready. |
| Birthright access provisioned — Microsoft 365 | Day 0 | Resolved | Microsoft 365 account and group memberships provisioned simultaneously. |
| All connected systems provisioned | Day 0 | Resolved | Single joiner workflow covers all connected systems in one pass. Audit event logged with SuccessFactors HR record as evidence. |
| Mover scenario | | | |
| Role change recorded in SuccessFactors | Day 0 | Resolved | Attribute change detected via OData sync. Mover workflow triggered immediately. |
| Old access removed, new access granted | Day 0 | Resolved | Access delta calculated: old permissions removed, new permissions provisioned in the same workflow. No accumulation. |
| Leaver scenario | | | |
| Leaver offboarded in SuccessFactors | Day 0 | Resolved | Offboarding event triggers leaver workflow immediately. |
| All system access revoked | Day 0 | Resolved | SAP, Microsoft 365, Salesforce, and all connected systems revoked simultaneously. Orphan reconciliation report generated. |
| Audit evidence produced | Day 0 | Resolved | Every action timestamped and linked to the triggering SuccessFactors HR event. Audit trail complete. |

Every HR event in SuccessFactors becomes an automated, auditable access action.

OpenIAM listens to SuccessFactors via the OData API — in real time or on a scheduled sync. When an employee joins, moves, or leaves, the corresponding access change happens automatically across every connected system. No manual requests. No approval queues. No missed revocations. Every action produces audit evidence.

The three SuccessFactors identity lifecycle events OpenIAM governs automatically

Joiner — new employee added in SuccessFactors

Access is active on Day 1. Before they arrive.

When a new employee's record is created in SuccessFactors, OpenIAM reads the HR attributes — role, department, cost center, location, manager — and provisions birthright access across SAP and all connected systems according to pre-configured access templates. The new starter arrives on Day 1 with everything they need. The provisioning action is logged as an auditable event, with the triggering SuccessFactors HR record attached as evidence.

What OpenIAM does — automatically

• Birthright access provisioned across SAP (ECC or S/4HANA), Microsoft 365, and all connected systems simultaneously — not sequentially
• Access templates driven by role, department, cost center, and location attributes — the same attributes SuccessFactors already captures
• Every provisioning action logged with a timestamp and a reference to the triggering SuccessFactors employee record
• Access certification campaign automatically triggered if any provisioned access exceeds a defined risk threshold
• Audit evidence: formal access grant record linked to HR commencement date — the control auditors test for Day 1 compliance

Mover — employee changes role or department

The right access for the new role. The old access removed.

When an employee's role, department, or cost center changes in SuccessFactors, OpenIAM calculates the access delta: what does the new role require that the old role didn't have, and what did the old role have that the new role no longer needs? Both actions happen in the same workflow — new access is provisioned and old access is removed simultaneously. Access accumulation — the quiet SoD risk — is prevented by design.

What OpenIAM does — automatically

• Attribute change detected via OData API sync — role, department, cost center, or location change triggers the mover workflow
• Access delta calculated automatically: access added for new role, access removed from old role in the same workflow pass
• Any access that spans both roles and creates an SoD conflict is flagged for manager re-certification before it is extended
• Access accumulation prevented — users are never left with more access than their current role requires after a role change
• Audit evidence: before/after access record for the role change, linked to the SuccessFactors HR event

Access accumulation across role changes is one of the most common sources of SoD conflicts in SAP. See how OpenIAM detects and prevents them: how SAP SoD enforcement works.

Leaver — employee offboarded in SuccessFactors

Access revoked across every system. Before they reach the parking lot.

When an employee's offboarding is completed in SuccessFactors, OpenIAM initiates the leaver workflow immediately. Access is revoked across SAP and every connected system simultaneously — not sequentially, not manually, not dependent on a ticket being raised. An orphan account reconciliation report is generated, documenting every system where access was revoked and confirming the revocation. The audit trail is complete before the employee has left the building.

What OpenIAM does — automatically

• Leaver workflow triggered immediately on SuccessFactors offboarding event — no manual step required
• Access revoked across SAP, Microsoft 365, Salesforce, ServiceNow, and all connected systems simultaneously
• Orphaned account reconciliation report generated automatically — every system where access was revoked is documented
• Manager notified of leaver access revocation with a summary of systems cleared
• Audit evidence: revocation timestamp, triggering HR offboarding date, list of systems cleared, and confirmation of zero remaining active accounts


SuccessFactors drives the lifecycle. OpenIAM executes it everywhere.

Some SAP environments already have a basic SuccessFactors-to-SAP provisioning integration. What those integrations rarely cover is every other system the employee needs access to. Microsoft 365, Salesforce, ServiceNow, cloud applications, on-premises systems — each of these has its own access model, its own provisioning mechanism, and its own orphaned account risk.

OpenIAM takes SuccessFactors as the single source of truth for every system in the connected landscape — not just SAP. A joiner workflow provisions SAP, Microsoft 365, and every other connected system from a single SuccessFactors HR event. A leaver workflow revokes access everywhere simultaneously, producing a single reconciliation report that covers the full IT landscape. One HR system of record. One governance platform. One audit trail.

| System | What OpenIAM governs from SuccessFactors data |
| --- | --- |
| SAP ECC 6.0 / S/4HANA | Role-based provisioning, access request management, SoD enforcement, and access certification -- driven by SuccessFactors role and department attributes |
| SAP SuccessFactors (self) | Service account and admin access governance within the SuccessFactors platform itself -- often overlooked but increasingly audited |
| Microsoft 365 / Entra ID | User account creation, group membership, Teams provisioning, SharePoint access, and license assignment -- all driven by SuccessFactors HR events |
| Salesforce | User provisioning, profile and permission set assignment, and deprovisioning -- driven by SuccessFactors role attributes |
| ServiceNow | User account and group provisioning for IT service management access -- driven by department and role attributes |
| SaaS applications | Any SaaS application connected to OpenIAM -- same JML workflow, same audit trail, same revocation on offboarding |
| On-premises systems | Legacy on-premises applications connected via LDAP, SCIM, or custom connectors -- unified lifecycle governance from a single SuccessFactors sync |

The GRC boundary question applied to lifecycle

SAP GRC governs access within SAP. OpenIAM governs the full landscape.

SAP GRC governs access control within the SAP boundary. When an employee leaves, GRC does not revoke their Microsoft 365 account, their Salesforce access, or their SaaS application credentials. OpenIAM governs the full IT landscape from a single SuccessFactors HR event -- every system, simultaneously, in one workflow. A SOX or ITGC auditor testing leaver controls will ask for evidence of revocation across all material systems -- not just SAP. OpenIAM produces that evidence in a single report.


OpenIAM ships pre-built SoD rule sets for manufacturing environments -- 45 rules mapped to SOX, IFC, and COBIT control objectives, ready on day one: SAP SoD rules for manufacturing.

If your organization is also facing the SAP IDM end-of-life deadline, OpenIAM replaces SAP IDM with full feature parity -- see the SAP IDM replacement guide. 

ITGC auditors test three things about your SuccessFactors JML process. OpenIAM produces evidence for all three.

IT General Controls (ITGC) auditors testing identity lifecycle controls focus on three specific questions about your JML process. The answers need to be supported by documented, auditable evidence — not a description of your process, but proof that the process executed correctly for every employee event in the audit period.

| What auditors test | What OpenIAM produces as evidence |
| --- | --- |
| Test 1: Day 1 provisioning. Was access provisioned consistently and promptly on Day 1 for all new starters? Auditors sample joiner events from the period and verify that SAP and other material systems were provisioned on the employee's commencement date. | OpenIAM output: A timestamped provisioning record for every joiner event in the audit period, linked to the SuccessFactors commencement date and the triggering HR record. Exportable as a report filtered by date range, system, or employee. Day 1 compliance is demonstrable for every sampled event. |
| Test 2: Leaver revocation. Was access removed promptly when employees left the organization? Auditors test specifically for orphaned accounts -- active system accounts belonging to employees no longer on the payroll. | OpenIAM output: A leaver revocation report for every offboarding event in the audit period, showing the SuccessFactors offboarding date, the date each system was revoked, and confirmation of zero remaining active accounts. Orphan account reconciliation included for any accounts that required manual follow-up. |
| Test 3: Role change access delta. Were access changes made consistently when employees changed roles? Auditors test for access accumulation -- users holding permissions from multiple previous roles that were never removed. | OpenIAM output: A mover access delta report showing before and after access for every role change event. Old access removed, new access granted, simultaneous execution. Any access retained across the role change is documented with a business justification or flagged for re-certification. |

Native OData integration. No middleware. No custom development.

OpenIAM connects to SAP SuccessFactors via the native OData API — the same interface that SAP uses for its own integrations. The connection requires no middleware layer, no custom development, and no third-party integration platform. Configuration is completed in the OpenIAM admin console.

| Integration attribute | Detail |
| --- | --- |
| Connection method | SAP SuccessFactors OData API v2/v4. Standard SAP-documented API -- no custom endpoints required. |
| Sync modes | Real-time (webhook-triggered on SuccessFactors event) or scheduled (configurable interval, minimum hourly). Both modes available -- real-time recommended for leaver events, scheduled acceptable for joiners and movers. |
| Attributes read | Employee ID, first/last name, job title, department, cost center, location, manager, employment status, hire date, termination date, and any custom attributes configured in SuccessFactors. |
| Provisioning logic | Attribute-to-access mapping is configured in OpenIAM -- e.g. department = Finance AND location = Dallas means SAP FI role set A plus Microsoft 365 group Finance-Dallas. Mapping rules are maintained by the IT team without developer involvement. |
| SAP version support | SuccessFactors Employee Central. Tested and validated with all current SuccessFactors release trains. Compatible with SAP BTP identity provisioning alongside OpenIAM (co-existence model). |
| Audit trail | Every sync event is logged -- SuccessFactors change detected, OpenIAM workflow triggered, provisioning actions executed, completion confirmed. Log is queryable and exportable for audit review. |
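
The attribute-to-access mapping in the table above and the mover access delta described earlier can be sketched together in a few lines of Python. This is an added illustration, not OpenIAM code or configuration: only the Finance/Dallas rule comes from the page, and every other rule, entitlement name and the SoD pair are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    when: tuple        # (attribute, value) pairs; all must match (logical AND)
    grants: frozenset  # entitlements written as "system:name"


# Constructed rules. The second mirrors the page's Finance/Dallas example;
# every other attribute value and entitlement name is hypothetical.
RULES = [
    Rule((), frozenset({"M365:All-Staff"})),  # no conditions: everyone gets it
    Rule((("department", "Finance"), ("location", "Dallas")),
         frozenset({"SAP:FI-role-set-A", "M365:Finance-Dallas"})),
    Rule((("job_title", "AP Clerk"),), frozenset({"SAP:AP-invoice-entry"})),
    Rule((("job_title", "Finance Manager"),),
         frozenset({"SAP:AP-payment-approval"})),
]

# Constructed SoD rule: holding both entitlements at once is a conflict.
SOD_PAIRS = [frozenset({"SAP:AP-invoice-entry", "SAP:AP-payment-approval"})]


def entitlements_for(attrs):
    """Union of grants from every rule whose conditions all match attrs."""
    granted = set()
    for rule in RULES:
        if all(attrs.get(key) == value for key, value in rule.when):
            granted |= rule.grants
    return granted


def sod_conflicts(held):
    """SoD pairs that are fully contained in the held entitlements."""
    return [sorted(pair) for pair in SOD_PAIRS if pair <= set(held)]


def mover_delta(old_attrs, new_attrs, held):
    """Plan one mover pass: what to grant, revoke, and re-certify."""
    old_birthright = entitlements_for(old_attrs)
    target = entitlements_for(new_attrs)
    held = set(held)
    grant = target - held
    # Revoke only what the old role granted and the new role does not need.
    revoke = (held & old_birthright) - target
    # Access explained by neither role (e.g. individually requested) is
    # neither silently dropped nor silently kept: it goes to re-certification.
    recertify = held - old_birthright - target
    after = (held - revoke) | grant
    return {
        "grant": sorted(grant),
        "revoke": sorted(revoke),
        "recertify": sorted(recertify),
        "conflicts_if_old_access_kept": sod_conflicts(held | target),
        "conflicts_after_delta": sod_conflicts(after),
    }


if __name__ == "__main__":
    old = {"department": "Finance", "location": "Dallas", "job_title": "AP Clerk"}
    new = dict(old, job_title="Finance Manager")
    held = entitlements_for(old) | {"Salesforce:Read-Only"}  # one requested grant
    for key, value in mover_delta(old, new, held).items():
        print(f"{key}: {value}")
```

The `conflicts_if_old_access_kept` entry shows what the manual mover process leaves behind when new access is added without removing the old: the accumulated set contains an SoD pair that the delta-based pass avoids.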

<--Back to SAP compliance overview: SoD enforcement, SAP IDM replacement, and SuccessFactors lifecycle governance in one platform.

Frequently Asked Questions

We already have a SuccessFactors-to-SAP provisioning integration. What does OpenIAM add?

Most SuccessFactors-to-SAP integrations provision the SAP account and stop there. They do not govern Microsoft 365, Salesforce, or any other connected system. They do not handle the mover scenario (removing old access when a role changes). They do not produce the ITGC audit evidence an auditor needs -- a timestamp, a system list, a confirmation of zero orphaned accounts. OpenIAM extends what an existing SuccessFactors-SAP integration does into a full JML governance program: every system, every lifecycle event, full audit trail. The existing integration does not need to be removed -- OpenIAM can co-exist with it or replace it.

Does OpenIAM work with SAP BTP Identity Provisioning?

Yes. OpenIAM can operate alongside SAP BTP Identity Provisioning (IPS) in a co-existence model where IPS handles SAP-internal provisioning and OpenIAM governs the non-SAP systems and provides the unified access certification and audit evidence layer. Alternatively, OpenIAM can serve as the sole provisioning platform for organizations that want a single system governing both SAP and non-SAP access from one place. The choice depends on your existing investment in IPS and your governance scope requirements.

How does OpenIAM handle employees who need access to systems not driven by standard SuccessFactors attributes?

Birthright access -- the access every employee in a given role automatically receives -- is driven by SuccessFactors attributes and requires no manual request. Beyond birthright access, OpenIAM's access request module allows employees to request additional access through a self-service portal with manager and system-owner approval workflows. Both routes produce audit evidence: birthright access is linked to the SuccessFactors HR event; requested access is linked to the approval workflow and business justification. Auditors receive a complete picture of how every access grant was authorized.

What happens if there is a delay between an employee leaving and their SuccessFactors offboarding being completed?

OpenIAM addresses this in two ways. First, the OpenIAM admin can manually trigger a leaver workflow for any user at any time, independent of a SuccessFactors event -- providing a safety net when HR processing is delayed. Second, OpenIAM's orphan detection reconciliation identifies active system accounts where the SuccessFactors employment status has been set to inactive or terminated -- even if the formal offboarding workflow has not yet been triggered. Either route produces audit evidence of when the access was revoked and by what mechanism.
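
The orphan detection reconciliation described in this answer amounts to joining each system's active accounts against HR employment status. The sketch below is an added example, not OpenIAM code; the field names, status values and sample records are constructed, and it goes one step beyond the text by also flagging active accounts that have no HR record at all.

```python
from datetime import date

# Constructed HR extract keyed by employee ID. Field names and status values
# are hypothetical and are not SuccessFactors OData property names.
HR = {
    "E1001": {"status": "active", "termination_date": None},
    "E1002": {"status": "terminated", "termination_date": date(2025, 3, 7)},
    "E1003": {"status": "inactive", "termination_date": None},
}

# Constructed account inventory as collected from each connected system.
ACCOUNTS = [
    {"system": "SAP", "account": "ASMITH", "employee_id": "E1001", "active": True},
    {"system": "SAP", "account": "JDOE", "employee_id": "E1002", "active": False},
    {"system": "Microsoft 365", "account": "jdoe@example.com",
     "employee_id": "E1002", "active": True},
    {"system": "Salesforce", "account": "jdoe", "employee_id": "E1002",
     "active": True},
    {"system": "Microsoft 365", "account": "bkhan@example.com",
     "employee_id": "E1003", "active": True},
    {"system": "ServiceNow", "account": "svc-legacy", "employee_id": None,
     "active": True},
]

NOT_EMPLOYED = {"inactive", "terminated"}


def reconcile(hr, accounts, as_of):
    """Return active accounts whose owner is not an active employee."""
    findings = []
    for acct in accounts:
        if not acct["active"]:
            continue  # already revoked, nothing to report
        record = hr.get(acct["employee_id"])
        if record is None:
            reason, days = "no_hr_record", None
        else:
            status = record["status"].strip().lower()
            if status not in NOT_EMPLOYED:
                continue  # owner is still employed
            reason = f"hr_{status}"
            term = record["termination_date"]
            # Exposure is measured from the HR termination date when known.
            days = max((as_of - term).days, 0) if term else None
        findings.append({
            "system": acct["system"],
            "account": acct["account"],
            "employee_id": acct["employee_id"],
            "reason": reason,
            "days_exposed": days,
        })
    return sorted(findings, key=lambda f: (f["system"], f["account"]))


def leaver_cleared(employee_id, findings):
    """True when no active account remains for this employee."""
    return not any(f["employee_id"] == employee_id for f in findings)


if __name__ == "__main__":
    report = reconcile(HR, ACCOUNTS, as_of=date(2025, 3, 12))
    for finding in report:
        print(finding)
    print("E1002 cleared:", leaver_cleared("E1002", report))
```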

Copyright © 2026 OpenIAM. All rights reserved.