You could use only SAP provided the API to extract. And there is one channel I experienced during the data migration, which allows us to create the customer or delete the customer. And it won't allow for any change. 

The data migration needs improvement.

The automated provisioning only works well with the SAP products and there are some problems with the non-SAP products. Even if it is SAP, if it is a non-ABAP system, it is a little bit problematic. 

We find it hard to translate things into the SAP world.

SAP has introduced IAG, Identity Access Governance. That piece does the risk analysis, as far as I know, however, the IAM doesn't do that. The risk analysis is doing the checks of whether you have access to set up things which have conflicts, like creating an employee and paying the employee. That kind of access. The IAM is basically not doing the same kind of checks as the IAG.

I have heard that IAG can do risk analysis, however,  what we have done at one client is we have the IAG management solution from SAP, and then it was tied to a solution of SAP called GRC, GRC Access Control, and then we were running the risk analysis from there. There are multiple levels of interfaces involved, it's not a one-stop solution. It is overly complex.

You have to interface IDM with SAP and GRC, and then GRC will check into the actual plugin system. Due to the fact that it is multiple levels of interface that you need to deal with, sometimes, if something fails, it's very hard to troubleshoot.

You do need to be knowledgeable about the solution. It's not a good product for beginners, especially in terms of deployment.