
Managing Access Reviews

The Access Reviewer automates coordination and communication between review administrators and reviewers, making it faster and easier for admins to create and track reviews and simplifying reviewers' experience approving, rejecting, and delegating access to the review items.

Creating Access Reviews

Creating an access review is the first step to coordinating reviews and reviewers. For each access review, you will:

  • Specify the name and type of review, who it will be performed by, and the review time frame.

  • Specify the settings based on the type of review.

  • Select the fields that the reviewer will see.

  • Set up email alerts.

There are five types of access reviews:

  • User to Role -- The User to Role review allows Managers or Role Owners to review role assignments and determine whether they are appropriate in the target SAP system. When a review is completed, Access Risk Management can deprovision the access associated with any rejected roles (see Reviewing Rejected Roles below). You can also deprovision access manually, outside of an access review.

  • Role to TCode -- The Role to TCode review allows Role Owners to review and recertify that the transaction codes included in their respective roles are appropriate.

  • User to Risk -- The User to Risk review allows Managers or Risk Owners to review the list of users and the level of risk associated with their access. They can choose to approve or reject that access.

  • Risk to Mitigating Control -- The Risk to Mitigating Control review allows Risk Owners to review the risks that are mitigated by each mitigating control.

  • Rulebook Details -- The Rulebook Details review allows Risk Owners to review the details of each risk in the rulebook, such as risk rating, process area, and description.

Get started by selecting ACCESS REVIEWER and choosing CREATE ACCESS REVIEW.

Specifying Review Details

Select ACCESS REVIEWER > CREATE ACCESS REVIEW to specify the details for the review. These details are the same for all five types of access reviews.

  1. Enter a name for the review.

  2. Use the Type Of Review dropdown menu to select one of the five review types.

  3. Set the time frame:

    • Enter a start date for when to kick off the review and email reviewers.

    • Enter an end date for when the review is due. This determines when the system sends out the final email and reminders (if selected).

      Incomplete reviews after this date are considered overdue. Reviewers cannot complete an overdue review unless an administrator extends the end date.

  4. Use the Performed By dropdown menu to choose what type of user can review this access. Depending on the type of review, your options are:

    • Managers -- Make sure all users you want reviewed have managers by selecting ACCESS REVIEWER > MANAGE HR INFORMATION.

    • Role Owners -- Make sure all roles you want reviewed have owners by selecting the menu icon and choosing SAP ROLES.

    • Risk Owners -- Make sure all risks you want reviewed have owners by selecting RULEBOOKS and selecting the info icon to see the Risk Owners field.

Choosing User to Role Review Settings

After you enter the review details for the User to Role type of review, set the time frame for usage data, rulebook(s), the security extract, and what user groups and roles to include or exclude.

Note

This type of review can only be performed by Managers or Role Owners.

  1. Under Months of utilization, enter a number (or use the arrows) to set how many months of usage data the review examines. The review uses this window to show whether the transaction codes in each role were actually executed by the user, which helps the reviewer judge whether a role assignment is still appropriate.

    Tip

    You may want to change the months based on the frequency of reviews. For example, if reviews are done quarterly, you may only need the previous three months of utilization.

  2. If no utilization extract job has run for some of the months in that window, select the Create utilization extracts for missing months checkbox so that the missing months are pulled automatically. Otherwise, usage for those months is absent from the review, and a role that looks unused may simply be one whose usage was never collected.

  3. Select the rulebook(s) to include in the review. Reviewers can view the rulebook(s) to see the risk associated with the role, helping them decide if that role's access should be retained by the user.

  4. Choose a security extract. You can select a previously completed security extract or a live security extract where a new security extract is pulled from SAP to run the analysis for the review.

    Note

    Previously completed extracts are sometimes used when completing a review for access at a certain point in time, even if that time has passed.

  5. Select the user group(s) to include in the reviews. For example, you may have contractor and super user groups you can select.

  6. Use the Only include changes since dropdown menu to create a review that only includes the changes since a previously completed review. Items from previous reviews will appear in the review but will be populated with the response from the last submitted review. This allows reviewers to consider previous decisions when choosing a response.

  7. Select the roles to exclude from the review:

    • Emergency Access Roles -- These roles can be excluded from most access reviews since there is a separate workflow and control process in place for emergency access, and they do not represent a user's typical access. If you want to detect whether a user happens to have elevated access during the review timeline, then don't exclude these roles.

    • Standard User Roles -- These roles are often excluded because they will be approved every single time, since all users must have this role. Excluding them reduces the time it takes to complete the review. It also minimizes the chance of reviewers accidentally rejecting the role assignment and having to add the role back to the user to correct the error.

  8. Select the Hide Blank Columns checkbox to exclude any columns that contain no data from the view.

  9. Select the Enable Group Approvals checkbox to let reviewers apply the same decision to all access for an individual user, or to all users with a role, instead of reviewing each item separately.

  10. Select the Ignore Admin Locked Users checkbox to exclude admin-locked users from the access review. A user is admin locked when the lock-status field (PFLAG, taken from SAP table USR02) contains 32 or 64. In SAP this field is a bitmask: a user locked by an administrator and also by failed logons carries the sum (for example 160 = 32 + 128), so when checking the value yourself, test the bit rather than comparing against one exact number.

  11. Select the Ignore Failed Login Users checkbox to exclude users who are locked because of failed logon attempts. These users are normally left in the review on the assumption that they will reset their password and regain access soon. The determination is based on SAP table USR02, where the PFLAG field carries the value 128.
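The following Python is an added example, not code from Access Risk Management, that shows how the User to Role settings above combine to produce the list of review items: the utilization window and missing-month detection (steps 1 and 2), user-group selection (step 5), emergency and standard role exclusion (step 7), and the USR02 lock-flag tests (steps 10 and 11) implemented as bit tests. The user, role, transaction-code, rulebook and utilization data are constructed for illustration, and `build_review_items` is a hypothetical function, not a product API.

```python
from collections import defaultdict

# SAP USR02 lock-status values named on this page (the page calls the field
# PFLAG). The field is a bitmask, so test bits rather than exact values.
ADMIN_LOCK_BITS = 32 | 64   # 32 = admin lock, 64 = global (CUA) admin lock
FAILED_LOGIN_BIT = 128      # locked after too many failed logons


def is_admin_locked(lock_flag):
    return bool(lock_flag & ADMIN_LOCK_BITS)


def is_failed_login_locked(lock_flag):
    return bool(lock_flag & FAILED_LOGIN_BIT)


# --- Constructed sample extract (hypothetical users, roles and tcodes) ---
USERS = {  # user -> (user group, lock flag as found in USR02)
    "JDOE":   ("EMPLOYEES", 0),
    "ASMITH": ("CONTRACTORS", 0),
    "BLEE":   ("EMPLOYEES", 32),    # admin locked
    "CKIM":   ("EMPLOYEES", 128),   # locked by failed logons
    "DRAY":   ("EMPLOYEES", 160),   # 32 + 128: both locks set at once
}
ASSIGNMENTS = [  # (user, role) pairs from the security extract
    ("JDOE", "Z_AP_CLERK"), ("JDOE", "Z_STANDARD_USER"), ("JDOE", "Z_FIREFIGHTER"),
    ("ASMITH", "Z_AP_CLERK"), ("ASMITH", "Z_STANDARD_USER"),
    ("BLEE", "Z_AP_CLERK"), ("CKIM", "Z_AP_CLERK"), ("DRAY", "Z_AP_CLERK"),
]
ROLE_TCODES = {
    "Z_AP_CLERK": {"FB60", "F110"},
    "Z_STANDARD_USER": {"SU3", "SP02"},
    "Z_FIREFIGHTER": {"SU01", "PFCG"},
}
EMERGENCY_ROLES = {"Z_FIREFIGHTER"}
STANDARD_ROLES = {"Z_STANDARD_USER"}
RISK_TCODES = {"F110": "AP01"}  # rulebook: tcode -> risk id it participates in
# Utilization extract: month -> {(user, tcode): execution count}.
# 2024-06 is deliberately absent to model a month with no extract job.
UTILIZATION = {
    "2024-04": {("JDOE", "FB60"): 12},
    "2024-05": {("JDOE", "FB60"): 9, ("ASMITH", "F110"): 1},
}


def build_review_items(months, ignore_admin_locked=True, ignore_failed_login=True,
                       exclude_emergency=True, exclude_standard=True, user_groups=None):
    """Return (items, missing_months) for a User to Role review.

    Each item carries the user's usage of the role's tcodes inside the window
    and the risks any of those tcodes participate in, so the reviewer can see
    'risk but no utilization' at a glance."""
    missing_months = [m for m in months if m not in UTILIZATION]
    items = []
    for user, role in ASSIGNMENTS:
        group, lock_flag = USERS[user]
        if user_groups and group not in user_groups:
            continue
        if ignore_admin_locked and is_admin_locked(lock_flag):
            continue
        if ignore_failed_login and is_failed_login_locked(lock_flag):
            continue
        if exclude_emergency and role in EMERGENCY_ROLES:
            continue
        if exclude_standard and role in STANDARD_ROLES:
            continue
        tcodes = ROLE_TCODES[role]
        usage = defaultdict(int)
        for month in months:
            for (u, tcode), count in UTILIZATION.get(month, {}).items():
                if u == user and tcode in tcodes:
                    usage[tcode] += count
        risks = sorted({RISK_TCODES[t] for t in tcodes if t in RISK_TCODES})
        items.append({"user": user, "role": role,
                      "usage": dict(usage), "risks": risks})
    return items, missing_months


if __name__ == "__main__":
    items, missing = build_review_items(["2024-04", "2024-05", "2024-06"])
    print("months without an extract:", missing)
    for item in items:
        print(item)
```

With the default settings only the two unlocked users' non-standard, non-emergency assignments survive, and the function reports 2024-06 as a month with no extract, which is the situation the Create utilization extracts for missing months checkbox exists to fix. Note that DRAY (lock flag 160) is dropped by either checkbox alone because both bits are set.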

Choosing Role to TCode Review Settings

After you enter the review details for the Role to TCode type of review, set the rulebook(s), security extract, and the changes to include based on a prior review.

Note

This type of review can only be performed by Role Owners.

When specifying the review details, select Role to TCode under Type of Review.

  1. Select the rulebooks to include in the review. Role owners can review and recertify that the transaction codes included in their respective roles are appropriate and if that role's transaction codes should be retained.

  2. Choose a security extract. You can select a previously completed security extract or a live security extract where a new security extract is pulled from SAP to run the analysis for the review.

    Note

    Previously completed extracts are sometimes used when completing a review for access at a certain point in time, even if that time has passed.

  3. Select Only include changes since to only include changes made since the chosen review was performed.

Choosing User to Risk Review Settings

After you enter the review details for the User to Risk type of review, set the rulebook(s), security extract, risk ratings, the changes to include based on a prior review, and the roles to exclude.

Note

This type of review can be performed by Risk Owners and Managers.

When specifying the review details, select User to Risk under Type of Review. This will change the available settings.

  1. Select the rulebooks to include in the review. Risk Owners can review the list of users and the risk associated with their access to determine if that access should be retained.

    Important

    Associated risk is identified by determining if any of the transaction codes in the role are associated with access in a risk. This does not mean there is an inherent risk in the role.

  2. Choose a security extract. You can select a previously completed security extract or a live security extract where a new security extract is pulled from SAP to run the analysis for the review.

    Note

    Previously completed extracts are sometimes used when completing a review for access at a certain point in time, even if that time has passed.

  3. Select the risk rating(s) to include.

For the remaining settings (the changes to include since a prior review, the roles to exclude, and hiding blank columns), refer to the User to Role review settings above; they work the same way here.

Choosing Risk to Mitigating Control Review Settings

After you enter the review details for the Risk To Mitigating Control type of review, set the rulebook(s), the changes to include based on a prior review, and whether to hide blank columns. This type of review can only be performed by Risk Owners.

Choosing Rulebook Review Details

After you enter the review details for the Rulebook Details type of review, set the rulebook(s), the changes to include based on a prior review, and whether to hide blank columns.

Note

This type of review can only be performed by Risk Owners.

Selecting Review Fields

After you enter the review details, you can select what fields will be included in the review. The default selection is basic user information, roles assigned, and additional risk information.

Tip

If the SAP table USER_ADDR is maintained, you may consider selecting additional columns to help the reviewer understand a user's responsibilities, and therefore, what roles are appropriate.

Select the down arrow to see an example of how the review will look based on your field selections.

Setting Email Reminders

You can choose the cadence and content of the following types of emails sent to reviewers.

  • Initial Email -- This will be sent to all reviewers on the start date of the review.

  • Reminder Email (optional) -- You can schedule up to three reminder emails. You cannot set reminder emails for the same date as other emails.

  • Final Email -- Reviewers who have not completed their review will receive a final reminder email one day before the review is due.

Select the tabs to edit the initial email, any reminders, and the final email.

When you have completed configuring your access review, select Submit. On the review's start date, Access Risk Management will generate the review and send all reviewers an email containing a link to complete the access review.

Reviewing and Approving Access

Reviewers can access the review by selecting the link in their email or by selecting ACCESS REVIEWER > REVIEWER DASHBOARD and selecting the review icon.

When reviewing access, reviewers can choose from the following options:

  • Approve -- Approve the access.

  • Reject -- Reject the access. When rejecting an item, the reviewer is required to fill in the comment field with a reason.

  • Delegate -- Delegate the review of a specific access item. When delegating, the reviewer is required to select who to delegate the item to and provide a reason for delegating it.

Reviewers can also leave a note about the review or delegate the entire review to someone else.

Reviewers will use the information provided to make decisions on access. For example, in the User to Role review, the reviewers may look at the TCodes, TCode usage, and Risks associated with each user to decide if their assigned roles are appropriate.

Important

Associated risk is identified by determining if any of the transaction codes in the role are associated with access in a risk. This does not mean there is an inherent risk in the role.

If a role has risk associated with it but no utilization, a reviewer might decide to reject that role, since it carries risk and is not being used. Likewise, if a role has neither risk nor utilization, reviewers might still reject it to follow least-privilege practice: access that is not used does not need to be retained.

Reviewers will select Submit Review to complete their review. When all reviews are completed, you can generate audit reports or kick off a job to remove all rejected roles.
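The following Python is an added example, not code from Access Risk Management, that models the reviewer-side rules described above and the administrator steps that follow: prefilling items with the last submitted response when a review only includes changes since a previous one, enforcing that a rejection carries a comment and a delegation carries both a delegate and a reason, applying one decision to all of a user's items (group approval), a risk-versus-utilization triage hint, and building the rejected-roles list the administrator sees under Remove Roles. The item records and function names (`record_decision`, `triage`, `rejected_roles`) are hypothetical, and the triage output is a suggestion for the reviewer, not a decision the product makes.

```python
APPROVE, REJECT, DELEGATE = "approve", "reject", "delegate"


class DecisionError(ValueError):
    """Raised when a decision violates the review's input rules."""


def record_decision(item, decision, comment="", delegate_to=None):
    """Attach a reviewer decision to an item, enforcing the page's rules:
    reject requires a reason; delegate requires a delegate and a reason."""
    if decision not in (APPROVE, REJECT, DELEGATE):
        raise DecisionError(f"unknown decision {decision!r}")
    if decision == REJECT and not comment.strip():
        raise DecisionError("rejecting requires a reason in the comment field")
    if decision == DELEGATE and (not delegate_to or not comment.strip()):
        raise DecisionError("delegating requires a delegate and a reason")
    return {**item, "decision": decision, "comment": comment, "delegate_to": delegate_to}


def prefill_from_previous(items, previous):
    """'Only include changes since' behaviour: items that also appeared in the
    previous review are shown with that review's response; new items have none."""
    prior = {(p["user"], p["role"]): p["decision"] for p in previous}
    return [{**it,
             "previous_decision": prior.get((it["user"], it["role"])),
             "new_since_last_review": (it["user"], it["role"]) not in prior}
            for it in items]


def triage(item):
    """Suggestion only, following the page's reasoning about risk and usage."""
    used = sum(item["usage"].values()) > 0
    if item["risks"] and not used:
        return "risk, unused: candidate for rejection"
    if item["risks"] and used:
        return "risk, used: confirm business need"
    if not used:
        return "no risk, unused: consider removing (least privilege)"
    return "no risk, used: likely approve"


def group_decision(items, user, decision, comment=""):
    """Group approval: apply one decision to every item belonging to a user."""
    return [record_decision(it, decision, comment) if it["user"] == user else it
            for it in items]


def rejected_roles(decided_items):
    """The administrator's Remove Roles view: rejected role -> sorted users."""
    out = {}
    for it in decided_items:
        if it.get("decision") == REJECT:
            out.setdefault(it["role"], []).append(it["user"])
    return {role: sorted(users) for role, users in sorted(out.items())}


# --- Constructed sample review items (hypothetical users and roles) ---
ITEMS = [
    {"user": "JDOE", "role": "Z_AP_CLERK", "usage": {"FB60": 21}, "risks": ["AP01"]},
    {"user": "JDOE", "role": "Z_GL_DISPLAY", "usage": {}, "risks": []},
    {"user": "ASMITH", "role": "Z_AP_CLERK", "usage": {}, "risks": ["AP01"]},
]
PREVIOUS_REVIEW = [{"user": "JDOE", "role": "Z_AP_CLERK", "decision": APPROVE}]


def run_sample_review():
    """Walk one review through prefill, decisions and the rejected-roles list."""
    items = prefill_from_previous(ITEMS, PREVIOUS_REVIEW)
    decided = group_decision(items, "JDOE", APPROVE)          # approve all of JDOE's access
    decided[2] = record_decision(decided[2], REJECT,
                                 comment="risk AP01 with no usage in the window")
    return decided, rejected_roles(decided)


if __name__ == "__main__":
    decided, to_remove = run_sample_review()
    for it in decided:
        print(it["user"], it["role"], "->", it["decision"], "|", triage(it))
    print("Remove Roles:", to_remove)
```

The validation in `record_decision` is the piece worth keeping if you script bulk decisions from a spreadsheet: a rejection without a reason would be refused by the reviewer UI, so refusing it in the script keeps the audit trail consistent with what the Reviewer Action Log expects to see.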

Reviewing Rejected Roles

To see the rejected roles and the users who had them assigned, scroll to the far-right column of the Administrator Dashboard and select Remove Roles.

To remove the rejected roles, select Approve and Access Risk Management will remove the rejected roles.

Note

Some organizations choose not to use this functionality and instead rely on manual processes to remove the rejected roles.

Generating Access Review Reports

In the Access Review Administrator Dashboard, select the Report dropdown menu to see the three reports you can generate:

  • Latest Signed Report -- This report consolidates all the responses from the reviewers into one Excel document. The signature is an electronic signature within the Excel document: because the content cannot be modified without invalidating the signature, it gives auditors evidence that the data is complete and accurate.

  • Latest Unsigned Report -- This report is identical to the signed report but does not include the electronic signature. Because it can be modified, it is better suited to internal reports that will be shared and commented on.

  • Reviewer Action Log -- This log is more detailed than the reports and shows every action taken instead of just the final review decision, including delegations of roles or reviews.