Skip to content

Choosing User to Risk Review Settings

After you enter the review details for the User to Risk type of review, set the rulebook(s), security extract, risk ratings, the changes to include based on a prior review, and the roles to exclude.


This type of review can be performed by Risk Owners and Managers.

When specifying the review details, select User to Risk under Type of Review. This will change the available settings.

  1. Select the rulebooks to include in the review. Risk Owners can review the list of users and the risk associated with their access to determine if that access should be retained.


    Associated risk is identified by determining if any of the transaction codes in the role are associated with access in a risk. This does not mean there is an inherent risk in the role.

  2. Choose a security extract. You can select a previously completed security extract or a live security extract where a new security extract is pulled from SAP to run the analysis for the review.


    Previously completed extracts are sometimes used when completing a review for access at a certain point in time, even if that time has passed.

  3. Select the risk rating(s) to include:

Refer to the User to Role type of review for information on completing this section.