Performing User Access Review

Objective

After completing this lesson, you will be able to perform a User Access Review.

Periodic Review

Periodic Review: Certify that access assignments are still valid and warranted.

Compliance Officers and Access Management process owners face a challenge: how to ensure that:

  • User access is still relevant and corresponds to current job functions?
  • The risk profile of a user is still at an acceptable level?
  • Emergency access of a user is still relevant and not excessive?

Some time after provisioning users, due to organizational and process changes, user access can become irrelevant. You must have a process of periodic checks of user access from different perspectives to monitor it and prompt changes to user access where necessary. SAP Access Control provides formal workflow-driven review procedures to support ongoing access certification and access review to ensure continued compliance. These functions include:

  • User Access Review (UAR)

    Through this process, managers or role owners review a user's access to determine whether it is still appropriate.

  • Segregation of Duties (SoD) Review

    Managers or risk owners review access of users who have access risks and determine whether continued access is still required.

  • Firefighter ID Review

    Through this process, Firefighter ID owners review users' access to Firefighter IDs in Emergency Access Management to determine whether that access is still appropriate.

To automate continuous monitoring of user access from the perspectives of role assignments, risks, and firefighter ID assignments, administrators schedule all three review types periodically. During these periodic checks, reviewers approve the existing access that a user should keep. If existing access should be removed, reviewers launch the removal of that access, and the user is de-provisioned at the end of the review process.

Graphic: User Access Review and SoD Review steps: Scheduling of Data Generation, Request Review, Scheduling of Workflow Update, Performing Review, Reject User if necessary. Firefighter ID Review steps: Scheduling of Data Generation, Performing Review.

In the preceding graphic, you can see the steps required to conduct the User Access Review and the SoD Review:

  • Scheduling of data generation.
  • Request review.
  • Scheduling of workflow update.
  • Performing review.
  • Reject user if necessary.

Firefighter ID Review differs from User Access Review and SoD Review in that there are only two steps:

  • Scheduling of data generation.
  • Performing review.

Let's start with the User Access Review.

User Access Review Scheduling

To open the Background Scheduler app, select the tile.
Graphic: Scheduler POWL, choose Create. On the Scheduler screen, fill in the details and choose Next.

To know whether user access in an organization is still relevant, user-role assignments must be reviewed periodically. You might need to remove roles that a user no longer uses or no longer needs due to job changes. The User Access Review (UAR) feature of SAP Access Control automates and documents the periodic user access review by business managers or role owners. Requests are generated automatically based on selected criteria. The approver can approve or remove access, or take other actions such as forwarding the request or rejecting a user. As a prerequisite for processing user roles through UAR requests, import the roles into the BRM component of SAP Access Control. Additional details about the BRM component were provided earlier in the course.

In the first step, SAP Access Control administrators or compliance officers schedule the generation of data for UAR access requests in the Background Scheduler app. As an administrator, in the app you define the name of the schedule, the activity type (generate data for UAR), and the recurring plan. If you define a recurring plan, the system generates UAR data according to the frequency specified in that plan.

Graphic: Step 2, Select Variant. To proceed, choose Next.

In the second step, you define the review criteria, that is, which users to check in which target system. You can specify one or several users or a user group, exclude locked or expired users, and set other criteria from the criteria list. In the third and fourth steps, you review and confirm the settings to finalize the creation of the UAR data generation job.

User Access Review Requests Review

To open the Request Review app, select the tile.
Graphic: Request Review app. To manage requests, choose Change Reviewers.

In the Request Review app, administrators manage the requests that were created from the results of a UAR data generation job. This lets the administrator check whether the system assigned the correct reviewers and coordinators to a request before it is sent to the reviewers. Reviewers can be managers or role owners. Managers receive review requests sorted by user, and role owners receive review requests sorted by role. In a system configuration where reviewers are managers, SAP Access Control can load manager data automatically from HR systems. In a system configuration where reviewers are role owners, SAP Access Control takes role owner data from the BRM component.

Within SAP Access Control, coordinators are responsible for verifying that all reviewers perform their UAR and SoD risk reviews. Coordinators monitor the review process and coordinate activities to ensure that it is completed in a timely manner. You define coordinators and reviewer-coordinator mappings in the Manage Coordinators app of SAP Access Control; the system uses this mapping when setting coordinators for requests.

If necessary, administrators can change reviewers and coordinators using the Change Reviewers button in the Request Review app. If a UAR request is no longer relevant, administrators can cancel the request.

SAP Access Control has a configuration option that makes the administrator review step optional. If the administrator review isn't required for your data and processes, skip this step and plan the workflow update for UAR requests directly after the UAR data generation job.

Workflow update for User Access Review Requests

After checking the reviewers of the UAR requests, in the next step administrators schedule the "Update Workflow for UAR request" job in the Background Scheduler app, specifying a recurring plan. The job updates the workflow for UAR requests and moves all requests from the administrator to the reviewers' inboxes.

To open the Background Scheduler app, select the tile.
Graphic: On the Scheduler screen, choose Create.

Performing User Access Review

To open the Work Inbox app, select the tile.
Graphic: User Access Review. Choose Other Actions, then choose Forward. You can Approve, Remove Role, or Forward requests.

Reviewers receive UAR requests in the Work Inbox app. A UAR request contains data about all user assignments that were selected for review when the UAR data was generated. As a reviewer, you must check whether the user's access is still relevant or whether some access must be removed. Select each assignment and decide whether to approve or remove the access, or perform another action such as forwarding a particular assignment to another approver. You can also forward the whole request to another approver. The Approve and Remove options appear in the Action column. These actions take effect only after you approve the request by choosing Submit, then Approve. All roles marked as approved stay in the user's access. All roles marked for removal are deleted from the user's access in the target system.

Also, during the system configuration phase, you can configure the UAR workflow to use a standard routing rule that sends removed roles to another stage for approval.

Graphic: User Access Review. Here, you can choose Reject User.

It may be that the structure of employees' managers has changed but the data in the company systems has not been updated, or administrators may have set the wrong managers as reviewers for UAR requests. To handle such issues, SAP Access Control provides a function in UAR: during the UAR review, users' managers can reject users for whose access they are no longer responsible. After a user is rejected, administrators can generate a new request for that user. You can also view rejected users in the UAR History report and the User Review Status report.

Manage Rejections

To open the Manage Rejections app, select the tile.
Graphic: Manage Rejections screen. Here, you can choose Generate Requests or Cancel Generation.

Administrators process rejected users in the Manage Rejections app. As an administrator, you mark a rejection for new request generation by selecting it in the app and choosing Generate Requests. This marks the user for inclusion in a new UAR request when the "Generates new request for UAR rejected request" background job runs. To cancel a generation, select the rejection in the table and choose Cancel Generation.

In the Background Scheduler app, you schedule the "Generates new request for UAR rejected request" job to create new requests for the rejected users. After the new requests are generated, it is recommended to verify that the users have the correct reviewer information by checking each request in the Request Review app. In the app, you can change reviewers or cancel the request. This prevents the incorrect information that led to the rejection from entering the request cycle again.

Then the responsible persons perform the steps described previously for the original UAR process:

  1. Once the correct reviewers are assigned, administrators schedule the "Update Workflow for UAR request" job in the Background Scheduler app to send the new requests to the reviewers.
  2. The new reviewers check the users' access in the Work Inbox app and decide whether to keep or remove roles from the users.
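The following model of the UAR request lifecycle (data generation, administrator stage, workflow update, reviewer decisions that take effect only on Submit, user rejection and regeneration with corrected reviewers) is an added illustration of the process described in the Performing User Access Review and Manage Rejections sections above; it is not SAP Access Control code, and all class, field and stage names are assumptions.

```python
# Added illustration of this lesson's UAR request lifecycle (not SAP code); names are assumptions.
from dataclasses import dataclass, field
from enum import Enum

class Action(Enum):
    PENDING = "pending"   # reviewer has not decided yet
    APPROVE = "approve"   # role stays assigned to the user
    REMOVE = "remove"     # role is de-provisioned in the target system

@dataclass
class UarRequest:
    user: str
    reviewer: str                                    # manager or role owner
    assignments: dict = field(default_factory=dict)  # role -> Action
    stage: str = "ADMIN_REVIEW"  # ADMIN_REVIEW -> REVIEWER_INBOX -> CLOSED
    rejected: bool = False

def generate_requests(user_roles, reviewer_of, excluded_users=()):
    """Data generation job: one request per selected user (e.g. locked users excluded)."""
    return [UarRequest(u, reviewer_of[u], {r: Action.PENDING for r in roles})
            for u, roles in user_roles.items() if u not in excluded_users]

def update_workflow(reqs):
    """'Update Workflow for UAR request' job: hands requests from the administrator to reviewers."""
    for r in reqs:
        if r.stage == "ADMIN_REVIEW":
            r.stage = "REVIEWER_INBOX"

def decide(req, role, action):
    """Reviewer marks one assignment; nothing takes effect until submit()."""
    if req.stage != "REVIEWER_INBOX":
        raise ValueError("request is not in a reviewer's inbox")
    req.assignments[role] = action

def reject_user(req):  # reviewer is no longer responsible for this user
    req.rejected, req.stage = True, "CLOSED"

def submit(req):
    """Submit, then Approve: decisions take effect now; returns roles to remove."""
    if req.stage != "REVIEWER_INBOX":
        raise ValueError("request is not in a reviewer's inbox")
    if any(a is Action.PENDING for a in req.assignments.values()):
        raise ValueError("undecided assignments remain")
    req.stage = "CLOSED"
    return [r for r, a in req.assignments.items() if a is Action.REMOVE]

def regenerate_rejected(reqs, reviewer_of):
    """'Generates new request for UAR rejected request' job, with corrected reviewers."""
    return [UarRequest(r.user, reviewer_of[r.user], {k: Action.PENDING for k in r.assignments})
            for r in reqs if r.rejected]
```

The returned list from submit() is what a de-provisioning step would act on; a request regenerated after rejection starts again in the administrator stage so the reviewer data can be checked before it reaches an inbox.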

User Access Review History Report

To open the User Access Review History Report app, select the tile.
Graphic: User Access Review History Report. In the Action column, you can choose Approve or Remove.

This report provides the history of UAR requests and the actions taken on them. The report lists UAR requests with details such as system, user, reviewer, and the decision the reviewer made for each role. By selecting a request, you can open all details of that request in a separate window.

Review Access Request

Business Scenario

As you've learned in this lesson, it's important to regularly check user access from various perspectives, as user access is constantly subject to changes. Reinforce your knowledge in the following exercises by learning how to schedule UAR, perform UAR, and generate reports for the UAR process.

Exercise Options

To start the exercise, choose Start Exercise in the figure below.

A pop-up opens. Now, you have the following options:

  • Choose Start: the simulation starts. Follow the simulation to learn how to create a process project.
  • Choose Open PDF Document: a PDF opens. Based on the steps described in this document, you can perform the exercise in your own system landscape.
