SAP Customer Data Cloud Positions

CIAM for B2B




Businesses today engage with a variety of partners to offer and consume products and services. As a business, you are under pressure to be technologically agile, decrease costs and focus on driving revenue. And partners (e.g., customers, suppliers and consultants) demand better experiences throughout the entire business relationship. Businesses are also looking to centralize and simplify access to products and services, reducing the risk of sharing data with the wrong audiences, lowering maintenance costs and offering great experiences to partners that engage and interact with your products and services.

CIAM for B2B is the offering from SAP Customer Data Cloud for businesses to manage their relationship with other businesses in a transparent way. It takes the capabilities of fine-grained authorization based on smart policies, and combines them with authentication and identity management, to provide you with a clear view of your partners, their members, and your relationships, easily managed in an intuitive, visual UI. 

CIAM for B2B offers:

  • Onboarding of partners to all digital properties through a governance process that will enable the business to be in compliance across all connected applications
  • End-to-end partner lifecycle management (as opposed to complex, on-prem and cloud point-to-point integrations), allowing IT teams to focus on improvement and opportunity rather than maintenance.
  • Centralized Policy Based Access Control (PBAC) solution with a governance process to secure applications and resources and help prevent data leaks and unauthorized access across the entire digital ecosystem.
  • Self-service delegation of partner organisation and partner user management, with identity, profile and preference management.

The solution leverages the Identity Management capabilities of Customer Data Cloud, such as authentication and profile update flows, a rich user database and pre-built integrations with downstream apps, and includes the following:

Partner Management

  • Partner organization management – The ability to create, edit, update or delete partner organisations directly, or to support self-service or provisioned partners (for example, from the sales automation system).
  • Self-Registration and Provisioning onboarding – Supporting the self-registration of new Partners which then follow a configurable approval process before being activated.
  • Partner Admin and User onboarding – Business Admins will be able to create and manage Partner Admins as well as Partner Users, while Partner Admins will be able to initiate invitation flows for other Partner Admins and Partner Users.
  • Delegated administration for Partner Admins includes performing the following for partner users: provisioning, activation, role assignment, password reset, revocation

Policy-Based Access Management

  • The ability to manage coarse-grained and fine-grained access to assets such as applications, site pages, and user actions
  • Dynamic attribute-based authorization decision-making
  • Full policy life cycle management
  • Run-time authorization

Member Management

  • Pre-built flows for inviting new and existing users to access the organization's assets
  • Assign members to organizations, departments and roles for coarse and fine-grained access management
  • Easy access management for quick onboarding and offboarding of employees and third-party org members 
  • Use any of the Customer Data Cloud access points in an access management scenario


General Terminology

RBAC (Role-Based Access Control): Traditional authorization method, whereby access to an asset is based only on assigned user roles. Implementing RBAC is relatively simple, but maintaining it over time becomes cumbersome as the system grows and permissions get more fine-grained. This type of access control is used when implementing Active Directory / LDAP.

ABAC (Attribute Based Access Control): ABAC is a model for fine-grained authorization where the access is defined according to the attributes of the user, the attributes of the resource and the attributes of the environment. Implementation is more labor-intensive, but once complete, maintaining it is relatively simple and efficient.

PBAC (Policy Based Access Control): PBAC is the harmonization and standardization of the ABAC and RBAC models. PBAC makes it easy to understand and express the underlying business logic of access decisions. PBAC dramatically reduces the number of rules to govern, approve and manage, and enables an efficient and scalable access control process. PBAC supports both coarse-grained and fine-grained authorization.

Functional Terminology

Admin / IT Admin: An administrator working in your organization, with the authority to configure your site settings and business flows in Customer Data Cloud. A Customer Data Cloud Console user.

Organization: A partner organization with some degree of involvement with your business. An "organization" object in Customer Data Cloud, identified by an orgID.

Organization Admin: Administrator at the partner organization, also referred to as the “Delegated Admin”.

Organization Member: Non-IT user at the partner organization who logs in to access one or more of your applications. Expressed as an "identity" or site account in Customer Data Cloud.

Role: An organizational role that is assigned to organization members (e.g. buyer, manager). One member can have several roles, and one role can belong to several members.

Department: The department to which an organization member belongs (e.g. procurement, IT, HR).

Trusted Application: An application where the Customer Data Cloud access control capabilities have been implemented for both authentication and authorization of users. It is on the application that policies (PBAC) translate into affirmation or denial of user actions and access.

Asset: Assets of the application, whose access rights are handled by policies.

Access Policies: Fine-grained definitions of access rights of organization members to assets.


Example Use Cases

Organization Use Cases

  • Manual creation: An IT admin creates an organization.
  • Self registration: An organization member enters the partner organization portal and submits a request to add their organization. After the organization is approved, they become the first member of that organization. 


Data Model


Building Blocks

Client: Usually a browser or app, on desktop or mobile device.

Server: Manages the website or endpoints used by the client.

Customer Data Cloud: Provides user-facing authentication, profile management, and consent flows.

CIAM for B2B: Decision engine based on definitions of roles, attributes, departments and authorization policies.

Application: An application, IoT device or API gateway that needs to know a user's access permissions.


Frequently Asked Questions


 Do we support nested organizations?

 No, we do not. It complicates implementation without giving enough benefit.

 Can an org. member be associated to multiple organizations?

 Yes, with different roles, departments etc.

 Can we add additional attributes on the org. <-> org. member relationship?

 No, the relationship attributes are fixed.

 How do we map a hierarchical structure of members?

 The solution is not a workforce IAM solution, so there is no need to map hierarchies. Hierarchical approval can be achieved using department and job function.
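The decision engine described under Building Blocks, together with the FAQ answer that a member can belong to several organizations with different roles, sketched as an added Python illustration. This is not Customer Data Cloud code or its API; the class names, `is_allowed`, the org IDs and the sample policies are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Membership:
    """One member's standing inside one organization (flat, no nesting)."""
    org_id: str
    roles: frozenset
    department: str

@dataclass(frozen=True)
class Policy:
    """Grants `action` on `asset` when role, department and time window all match."""
    asset: str
    action: str
    roles: frozenset              # role condition (the RBAC part)
    departments: frozenset        # user attribute (the ABAC part)
    start: time = time(0, 0)      # environment attribute: allowed time window
    end: time = time(23, 59, 59)

def is_allowed(memberships, policies, org_id, asset, action, now):
    """Deny by default; only the membership for the acting organization counts."""
    membership = next((m for m in memberships if m.org_id == org_id), None)
    if membership is None:
        return False  # not a member of that organization at all
    return any(
        p.asset == asset and p.action == action
        and bool(membership.roles & p.roles)
        and membership.department in p.departments
        and p.start <= now <= p.end
        for p in policies
    )

# Constructed sample data: one member who belongs to two partner organizations.
ALICE = [
    Membership("org-acme", frozenset({"buyer"}), "procurement"),
    Membership("org-globex", frozenset({"manager"}), "IT"),
]
POLICIES = [
    Policy("orders", "create", frozenset({"buyer"}), frozenset({"procurement"}),
           time(8, 0), time(18, 0)),
    Policy("orders", "approve", frozenset({"manager"}),
           frozenset({"procurement", "IT"})),
]

if __name__ == "__main__":
    print(is_allowed(ALICE, POLICIES, "org-acme", "orders", "create", time(10, 30)))
```

Because the role and department are read from the membership of the organization the member is acting for, a role held in one organization never grants access in another.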


Additional Information

Organization Management User Guide




