After reading the guides and forum it is still not clear to me how the scope of roles to review is determined in CUP user access review functionality. The guide mentions in ERM the Role Usage Synch job has to be run, and then that data is to be loaded into CUP.

Will the UAR then have all roles defined in CUP in scope for review? Or is it possible to only have business and IT critical roles in scope, e.g. leave display roles out of scope.

If we want to scope a limited list of roles is it then not better to use Upload Role Usage funtionality. The actual usage of the role I find less important, as e.g. the transactions used by a user does not tell for which derived role in case multiple derived roles for a transaction are assigned.

Role reaffirm would be another way I guess by setting the reaffirm period to zero I assume the role is not in scope for reaffirm.

I would prefer the UAR as it comes with better monitoring and reporting compared to Role reaffirm. But I want to prevent creating many hours of review on access that is not deemed riskful.