user review

0 Kudos

Hi Experts,

I work in GRC v5.3 SP19

I would like to know more about the option of review users in CUP, especially reasons for rejections,

What is its function?

regards

Accepted Solutions (0)

Answers (1)

Former Member
0 Kudos

User Review


User review allows designated approvers to review the access assigned to a user and the segregation of duties risks violated by a user. These two procedures are referred to as User Access Review and User SoD Review.

Features

  1. Options: You configure review parameters such as reviewer, require admin review, review instructions URL, and so on.
  2. Coordinator: Choose a coordinator for each reviewer. Access Control uses the coordinator information to generate reports you can use while managing the review process.
  3. Request Review: Administrators can review requests, and choose to cancel them or change the coordinator and reviewer roles.
  4. Manage Rejections: Authorized users can search for rejected users, and generate or cancel review requests.
  5. Reason for Rejection: You configure the rejection reasons, descriptions, and reason codes.
  6. UAR Load Data Tasks: Create tasks to enable selective user access reviews based on role attributes such as criticality and names, or user attributes such as user ID and user groups.

Performing User Access Reviews


The User Access Review (UAR) feature provides a workflow-based review and approval process for user access requests. The periodic reviews of user access are performed by business managers or role owners, and the system automatically generates the requests based on the company’s internal control policy.

Features

  • An automated process for the periodic access review.
  • Decentralized review of user access.
  • Workflow of requests for review and approval.
  • Automatic role removal, if desired.
  • Status and history reports to assist in monitoring the review process.
  • Audit trail and reports for supporting internal and external audits.
  • Support for back-end systems integrated with Access Control as well as legacy systems.

Use of the user UAR feature requires configuration in multiple capabilities. The information in this section provides details about the user access review feature, its process options, configuration, and use.

ERM -> You configure system connectors. This is required for transaction usage and for user-role assignment information.

RAR -> You configure connectors. This is required for alert generation to provide transaction usage information.

CUP -> You define connectors, configure UAR, configure workflows, and define coordinators.

Roles in the UAR Process


Administrator: This person has the AE_Admin UME role assigned for Access Control. They can perform general CUP administrator tasks in addition to UAR-specific administrator tasks, such as cancelling UAR requests and regenerating requests for rejected users.

User’s Manager: The direct manager of a user as defined in the User Details Data Source.

Role Owner: The role owner specified in CUP master data.

Reviewer: This term refers to the approver at the Reviewer stage. The Reviewer may be the user’s manager or the role owner.

Coordinator: The Coordinator specified in CUP master data. The Coordinator is assigned to Reviewer. They monitor the UAR process and coordinate activities to ensure the process is completed in a timely manner.

Process Options

You choose from multiple process options to determine the approvers of the UAR requests.

  • Admin Review: You decide whether to enable Admin Review. This configuration option provides an opportunity for the administrator to validate the request data after the requests are generated (by the UAR Load Data job) but prior to generating workflow tasks (by the UAR Update Workflow job). If the Reviewer information is incorrect or missing, the administrator can modify the data prior to generating workflow tasks and notifications. The administrator can also delete requests.
  • Reviewer Stage: You decide whether the Reviewer stage will be addressed by the User’s Manager or the Role Owner.
  • Security Stage: You decide whether to have a security stage. A security stage is mandatory if you do not have automatic provisioning enabled. The security stage may be desired even when automatic provisioning is enabled so that security personnel can ensure accurate data prior to provisioning. If a security stage will be included in your approval workflow, you must decide whether security personnel will be able to modify the direction previously noted by an Approver. For instance, a security team member may decide to retain basic roles that have been inappropriately marked for removal by an approver.
  • Additional Approver Stage: You decide whether you will have an additional stage with the approver derived by a Custom Approver Determinator (CAD). The fields available in the UAR CAD differ from those available in the standard CUP CADs. The fields available in the UAR CAD are:
       1. Application
       2. Request type
       3. Role(s) being reviewed
  • Instruction for Reviewers: You can provide detailed instructions for reviewers to supplement the content of the notification emails. The level of instruction for approval of periodic access reviews might be more extensive since it is an infrequent process and may involve reviewers who do not perform routine approval of requests to create or change accounts.

Configure Rejection Reasons

Rejection reasons are mandatory when rejecting a review request. You must upload the reason codes and descriptions using a template.

Procedure

1. Go to Configuration -> User Review -> Reason for Rejection. The Reason for Rejection screen appears.

2. Under Import Rejection Reasons, click Download Template. The template opens in Excel.

3. Complete the required information and save the template.

Let me know if this concerns your query.

Thank you,

Fernando

0 Kudos

Can these reasons for rejection be added to an existing workflow, so that when someone turns away a request they would appear to be chosen?