GRC Expert - Perform Decentralized Periodic User Access Reviews with SAP BusinessO... Page 1 of 11

SAP governance, risk and compliance concepts, technology, and best practices

Perform Decentralized Periodic User Access Reviews with SAP BusinessObjects Access Control 5.3
by Frank Rambo, Director, Regional Implementation Group (RIG) EMEA, SAP GRC, August 11, 2009

SAP BusinessObjects Access Control identifies and prevents access and authorization risks in cross-enterprise IT systems to prevent fraud and reduce the cost of continuous compliance and control. The User Access Review (UAR) feature of SAP BusinessObjects Access Control 5.3 automates and documents the periodic decentralized user access review by business managers or role owners. It provides a workflow-based review and approval process. Follow a process flow during a UAR to see its business benefits, configuration, recommended usage of the feature, and workflow options.

Key Concept
The User Access Review (UAR) feature was first introduced in SAP BusinessObjects Access Control 5.3 and enhanced in some aspects with a subsequent Support Package. UAR requires configuration in multiple SAP BusinessObjects Access Control product capabilities, including Risk Analysis and Remediation, Enterprise Role Management, and Compliant User Provisioning (CUP). A prerequisite for a manager-driven UAR is a user details data source available in CUP to provide the manager relationship for the users included in the review. This data source may be an SAP ERP Human Capital Management system or a Lightweight Directory Access Protocol (LDAP) directory.

The User Access Review (UAR) feature enables companies to conduct a streamlined internal control process on a periodic basis that includes collaboration among line managers, internal control, and information security teams. UAR improves visibility of access granted to business systems and improves overall information security. The key features of UAR in SAP BusinessObjects Access Control 5.3 are:
• An automated request- and workflow-based process for review and approval
• A decentralized review of user access conducted by responsible line managers or role owners
• Role usage information facilitates decision taking for the reviewers
• Automatic role de-provisioning, if desired by the user
• Status and history reports to assist in monitoring the review progress
• Audit trail and reports for supporting internal and external audits
• Support for back-end systems integrated with SAP BusinessObjects Access Control through Real Time Agents (RTA) as well as legacy systems

SAP BusinessObjects Access Control is comprised of four main product capabilities: Compliant User Provisioning (CUP), Risk Analysis and Remediation (RAR), Enterprise Role Management (ERM), and Superuser Privilege Management (SPM). For a detailed introduction into each one of these capabilities, go to the Knowledgebase Overview tab of www.GRCexpertOnline.com and click the SAP BusinessObjects Access Control link under the Categories heading.

Roles and Detailed Process Flow

The UAR process includes the following roles:
• Administrator: This user has the AE_Admin UME role assigned for CUP. He or she can perform all CUP administrator tasks in addition to UAR-specific administrator tasks that I'll explain later.
• Reviewer: This term refers to the approver in the first stage of the UAR workflow. Per configuration, the reviewer may be either the user's manager or the owners of the assigned roles. Approvers of later stages (e.g., security team members) are simply referred to by the more general term approvers.
• Manager: The direct line manager of a user as defined in the User Details Data Source.
• Role Owner: The role owner specified in the role master data in CUP.
• Coordinator: The coordinator, defined in CUP master data, is assigned one or multiple reviewers. He or she monitors the UAR process and coordinates activities with reviewers to ensure the process is completed in a timely manner.

The high-level process for UAR is as follows (Figure 1):
1. Initialization: The administrator performs a number of actions in the SAP BusinessObjects Access Control system to initiate the UAR process and trigger request generation.
2. Administrator review (optional): The administrator reviews requests and checks correct assignment of reviewers before the actual workflow tasks are sent to the reviewers.



3. Generation of workflow tasks: The administrator schedules a background job, which generates the workflow tasks for the reviewers.
4. Review stage: Requests are reviewed and actions are noted by the reviewers.
5. Additional workflow stages (optional): You can add approval stages (e.g., a security stage) to the workflow path by configuration.
6. Automatic de-provisioning: If the user desires, SAP BusinessObjects Access Control can automatically de-provision roles marked for removal by the reviewers from the back-end system.
7. Management of rejected users: If the reviewers are the users' direct managers, then they can reject users for whom they're not responsible during the review. The administrator has to follow up rejected users and regenerate requests to be sent to corrected managers.
8. Reporting and audit trails: A status report, history report, and a detailed audit trail complete UAR.



Figure 1 High-level view of the UAR process

I'll discuss each of these in more detail in the following subsections.

The initialization process step contains the following tasks that the administrator executes (Figure 2):

Figure 2 Details of initialization process step

• Verify master data
• Prepare role usage information
• Schedule the task UAR Review Load Data as background job in CUP

You also need to verify the following master data conditions:
• If managers are configured to be reviewers: Managers and manager-user relations are both stored in the user details data source. If this data isn't up to date, the system sends requests to the wrong managers.
• You need to import roles that will be included on the UAR requests into CUP so role descriptions are available in requests and CUP can support drilling down to the actions included in the roles. You can import roles from a back-end system supported by an RTA or from a spreadsheet file. For more details refer to the standard documentation.



• If role owners are configured to be reviewers: The role master data in CUP also contains a Role Approver tab, which lists the role owners. Make sure that this information is up to date. Otherwise, the system sends requests to the wrong role owners.

The requests sent to reviewers also contain information on how often transactions from a particular role assigned to the user were actually executed in the back-end system during the chosen review period of typically the last six or 12 months. The preparation of the role usage information requires several tasks executed in multiple product capabilities of SAP BusinessObjects Access Control:
• Alert generation job: Schedule the alert generation job in RAR > Configuration > Background Job with all options selected.
• Purge usage information: If more transaction usage information is stored in RAR than is desired for UAR requests, then you should archive the data. For example, if your UAR process states that the prior 12 months' usage information should be provided in UAR requests and RAR has 15 months available, then you should purge the oldest three months' information in RAR via menu path Configuration > Utilities > Purge Action Usage. It is important to note that usage information purged in RAR is still accessible to RAR from the flat file that is produced, but is not accessible by ERM or CUP.
• Retrieve role usage information: For back-end systems with RTA, follow menu path ERM > Configuration > Background Jobs to schedule the task Role Usage Synchronization, or upload Role Usage Information via flat file for legacy systems without RTA. For details about the upload procedure and required file formats, refer to the standard documentation.

To complete the initialization process step, the administrator schedules the task UAR Review Load Data as a background job in CUP. This creates the requests, but does not yet create the workflow tasks nor the notification emails that are sent to reviewers. The system does not create requests for users that are locked in the back-end systems. Consider unlocking locked users before you start the UAR process, if you want to include them.

Administrator Review
The administrator review is an optional process step that, if you choose to take it, you need to activate during configuration of the UAR scenario. Its purpose is to have the administrator check the completeness and accuracy of the generated requests with respect to the reviewers prior to generation of workflow tasks and notification emails. You can start the administrator review by following menu path CUP > Configuration > User Review > Request Review. The system displays to the administrator the list of all requests generated for the current UAR cycle. He can take action on each request in one of the following ways (Figure 3):

Figure 3 Details of the administrator review process step

• Manually assign reviewers to requests having no reviewer assigned due to missing manager data in the user details source or role approvers in CUP's role master data. You can do this by selecting the request and clicking the change button on the bottom of the Request Review page to produce the screen shown in Figure 4. This assignment won't update the user details source or the role master data, but only applies for the given request.
• Cancel requests and mark them for user rejection (Figure 5). You can apply this option to requests with missing reviewers in the case where the administrator would like to permanently update the manager or role approver information in the user details source or role master data, respectively. The administrator can regenerate requests for these users later in the Management of Rejected Users process step.
• Completely cancel requests. They will be excluded from the current UAR cycle until a new UAR cycle is initiated via execution of the UAR Review Load Data job.



Figure 4 Manually assign reviewers to requests without reviewers

Figure 5 Administrator Review - Cancellation of requests

Generation of Workflow Tasks

The administrator schedules the task UAR Review Update Workflow as a background job in CUP. The system sends email notifications to reviewers with the next execution of the periodic Email Dispatcher job in CUP.

Review Stage
The requests are first sent to the reviewers. You can provide detailed instructions for reviewers to supplement the content of the notification emails. The level of instruction for approval of periodic access reviews might be more extensive because it is an infrequent process and may involve reviewers who do not perform routine approval of requests to create or change accounts. The Instructions area of the UAR requests is an HTML viewer. An example of a UAR request with an HTML page provided in the request is shown in Figure 6.

Figure 6 Instructions for reviewers

During configuration you can select whether reviewers are the managers of the users or role owners. Managers have the additional option to reject users for whom they don't feel responsible (Figure 7). They can mark the users in the User pane for rejection, select from one of the preconfigured rejection reasons, and provide a comment as shown in Figure 8. These users then enter the Management of Rejected Users process step.



Figure 7 Details of the Review stage process step

Figure 8 Managers rejecting users who aren't reporting to them anymore

All reviewers can find multiple line items per request (Figure 9) in the User Access tab of each request (Figure 6). The number of line items per request is configurable. Each line item represents a role assigned to a particular user in a particular system and can be marked for approval or removal by the reviewer. The role name is displayed as a hyperlink that you can use to view the details of the role. Next to the role name is a role usage counter. It tells the reviewer how often transactions from the role were executed by the user during the review period. This information facilitates decision making for the reviewer considerably. The line items in a request can belong to multiple users and multiple systems. A reviewer can receive multiple requests including all user-to-role assignments within the responsibility of the reviewer.

Figure 9 Approval and removal of roles from users supported by role usage information

The reviewer may choose to save the request multiple times to ensure work is saved in the request. The request is not forwarded to the next workflow stage until the reviewer completes all line items of the request and clicks the Submit button.

Additional Workflow Stages

Users can add additional workflow stages to the UAR workflow. It is better to add a security stage prior to de-provisioning. This ensures that security experts check the actions taken by the reviewers an additional time to detect undesired side effects before removing the roles marked for removal. However, there are more options for additional workflow stages available. You can derive approvers using a Custom Approver Determinator (CAD). The attributes available in the UAR CAD differ from those available in CUP's standard CADs. The following attributes are available:
• Application
• Request type
• UAR review role (roles being reviewed)
• Priority
For more details on the use of CADs, refer to the Configuration Guide.




This article can only provide an overview of the required configuration steps, but I highlight the steps and options that are specific to the UAR scenario. For more details, refer to the SAP BusinessObjects Access Control 5.3 Configuration Guide available in http://service.sap.com/instguides and to the guide Access Control 5.3 - User Access Review that you can download from the SAP Community Network: https://sdn.sap.com/irj/scn/articles-grc-all.

You can configure each stage to display in requests only roles previously marked for removal to focus the attention of the additional approvers on these roles only. Another configuration option is to allow or disallow changes to the request content. If changes aren't allowed for a stage, then the buttons Approve and Propose Removal aren't available to the approvers in this stage. If changes to the request content aren't allowed, approvers can only suggest changes to the request content per comment and forward the request to the reviewer in the previous stage (Figure 10). The reviewer would then take the decision, change the request content accordingly, and resubmit the request. If the stage configuration allows for changes, approvers can turn approvals into removals and vice versa before they submit the request.

Figure 10 Details of additional workflow stages process step

Automatic De-provisioning
You can define whether roles approved for removal are de-provisioned from the user manually or automatically. The configuration setting for auto-provisioning is a global setting for all request types that you can configure for each system connected via RTA to CUP individually. See the SAP BusinessObjects Access Control 5.3 Configuration Guide for more instructions on configuring auto-provisioning. If you opt for manual de-provisioning, then a security stage is mandatory. Security receives the requests and manually removes the roles as indicated in the target systems before it submits the request to close it.

Management of Rejected Users

Administrators and managers can reject users during the administrator review and the review stage process steps. Users typically are rejected because the user-to-manager relation isn't up to date or not maintained at all in the user details data source. Administrators can correct the manager data there and regenerate requests for the rejected users (Figure 11). Administrators can search for rejected users in Configuration > User Review > Manage Rejections. The system then displays the resulting list of rejected users, including the original request number and the reason for the rejection, in the lower section of the screen (Figure 12).

Figure 11 Details of management of rejected users process step



Figure 12 Manage rejected users screen

The status column contains the current status of each user. The following statuses are possible:
• New: These are requests submitted by the reviewer.
• To Generate: The user is marked for regeneration, but the generation background job has not started. You can click Cancel Generation to cancel the request generation.
• In Process: The background generation job has started but has not yet completed. Requests with this status cannot be cancelled, because the background job has started.
• Error: The generation background job has encountered an error.
• Completed: The generation background job has completed. The new request number is updated in the New Request column.

The administrator selects the users for whom he wants to generate new requests and clicks the Generate Requests button (Figure 12). This only marks the users. For the actual request generation the administrator has to schedule the task UAR Review Process Rejected as background job in CUP. The new requests then re-enter the administrator review process step before the corresponding workflow tasks are generated and sent to the correct managers for review.

Reporting and Audit Trails

The following UAR-specific reporting features are available:
• UAR status report
• UAR history report
• UAR audit trail

The user review status report allows for monitoring UAR requests to ensure that the process is completed in a timely manner. This report is useful to coordinators or other persons overseeing the review process. You can reach it by following menu path Informer > Analysis View > Analytical Reports > User Review Status Report (Figure 13). You can see the current stage, the number of items completed in the request, the reviewer, and other helpful information. You can use the hyperlinks to display the details of the respective object.

Figure 13 Example of a UAR status report

The UAR history report shows the approval decisions taken for each item in UAR requests. This report is helpful after a portion of the review process or the entire review process is complete. It displays actions indicated by the approvers for each line item representing a user-role assignment in a specific system (Figure 14). These actions can be set to Approved, Removal, or Rejection; the latter refers to rejected users.

Figure 14 Example of a UAR history report



You can view the UAR audit trail of a particular request to see the detailed activity during the lifetime of the request. Navigate to My Work > Request Audit Trail and enter your selection criteria for the request for which you are searching. The audit trail shows the history of the request from request creation to closure (Figure 15). You can print or download it and send it to internal or external auditors.

Figure 15 Example of a UAR audit trail

Overview of Configuration of the UAR Scenario

The UAR scenario uses the RAR, ERM, and CUP capabilities of SAP BusinessObjects Access Control. On a high level, you can think of its configuration in the following tasks:
• Verification of SAP BusinessObjects Access Control 5.3 post-installation steps
• Configuration of user review options
• Setup of the approval workflow
• Maintenance of rejection reasons
• Maintenance of coordinator-to-reviewer relations
I'll explain each of these tasks in the following subsections.

Verification of SAP BusinessObjects Access Control 5.3 Post-Installation Steps

The post-installation phase refers to a bundle of rather technical configuration steps required in each product capability before users can start customizing their specific use cases. The post-installation is performed right after installation of the SAP BusinessObjects Access Control software on an SAP NetWeaver Application Server Java 7.0 and the required RTAs on the back-end systems. For all details of the post-installation steps, refer to the SAP BusinessObjects Access Control 5.3 Configuration Guide and my articles mentioned at the beginning of this article. I'll assume for the following that post-installation has been executed correctly in your SAP BusinessObjects Access Control system, but verify that the following prerequisites are met from a post-installation perspective:
• Initial data file for UAR uploaded: You need to upload the AE_init_append_data_ForSODUARReview.xml file in CUP > Configuration > Initial System Data. This xml file comes with the software, and Support Packages may deliver updated versions. The initial data file adds a request type UAR_REVIEW and a priority UAR_HIGH, which you can verify by following menu path CUP > Configuration > Request Configuration.
• Workflow type UAR_REVIEW: The initial data file also adds the workflow type UAR_REVIEW to CUP > Configuration > Miscellaneous. Ensure it is activated and the exit URI, user name, and password are maintained as well.
• User details data source for manager information: If you opt for the user's manager as reviewer, then make sure that your user details data source is correctly set up and contains correct and up-to-date manager information. If you're using an LDAP server, verify that the attribute containing the manager of a given user is correctly mapped in CUP > Configuration > Field Mapping > LDAP Mapping.
• Role data in CUP: Verify that the administrator has imported into CUP all roles to be approved or removed during the UAR so that role descriptions are available in UAR requests and to support drilling down to the actions included in the roles. You may import roles from a back-end system supported by an RTA or from a spreadsheet file. Ensure that each role is assigned a role owner, if role owners act as reviewers or approvers in an additional workflow stage during your UAR.
• Security lead: If you plan to involve your security team in the UAR workflow, maintain your security lead information by following menu path CUP > Configuration > Approvers > Security Lead.
• SMTP server: Sending notifications and reminders per email to users, reviewers, and approvers requires the configuration of an SMTP server. Follow menu path CUP > Configuration > Workflow > SMTP server. Also check whether the Email Dispatcher and Email Reminder tasks are scheduled in CUP as recurring background jobs. Otherwise, email notifications won't be sent out.
• Number range: Ensure there is an active number range in CUP. The number range is applicable to all CUP requests and is not specific to any request type. Follow Configuration > Number Ranges to maintain number ranges.
• Connectors: Make sure that connectors (that all have the same name) have been created in CUP, RAR, and ERM for each back-end system in scope for UAR. This is required for generation of role usage information.
• Auto-provisioning: If you want to de-provision roles automatically from the back-end systems that were marked for removal by the approvers, then you need to configure auto-provisioning. You can do this by following menu path CUP > Configuration > Workflow > Auto Provisioning, choosing either globally in the Global tab or per system in the By System tab, if you want to activate auto-provisioning only for a subset of your systems.
• UME security: With a subsequent Support Package, you can assign to administrators and reviewers new UME actions for rejecting and managing the rejected users as well as for accessing the UAR reports. These actions are provided in the initial data files.

Configuration of User Review Options

Follow menu path CUP > Configuration > User Review > Options and specify important options for your UAR scenario (Figure 16). The options to set are:

Figure 16 User review options

• Admin review required before sending tasks to reviewers: The preferred setting for this is Yes, because it gives the administrator the opportunity to check if all requests are going to be sent to the correct reviewers, and make corrections where needed. Administrators can also delete requests during the review. If there are users without manager information in the user details source, then you must enable the administrator review in order to generate requests.
• Who are the reviewers?: You can specify if the Manager or Role Owner should be the reviewer.
• Number of Line Items per Request: Enter the appropriate number. If CUP needs to include more line items into the request, then it creates additional requests and sends them to the same reviewer.
• Default Request Type: The only request type available is User Access Review. It has been uploaded with the initial data file.
• Default Priority: The only priority available here is UAR high.
• Enter URL for UAR review instructions: If an HTML page with detailed instructions for reviewers (such as the page shown in Figure 6) was created to supplement any instruction in the email notification, enter the URL of that page. You can save the page to a local directory of your choice on your internal server.
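As an added illustration (not CUP code or any SAP API; the function names and the sample users, roles and systems are constructed), the following Python model shows how the UAR Review Load Data step behaves under these options: locked users produce no request, the reviewer is the manager or the role owner depending on the setting, requests are split at the configured number of line items and sent to the same reviewer, a request without a reviewer is only generated when the administrator review is enabled, and without the administrator review the reviewer also needs a coordinator (see the Coordinators section).

```python
"""Constructed model of UAR request generation (illustration only, not SAP/CUP code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    system: str        # back-end system (connector name)
    usage_count: int   # role usage counter shown next to the role name in the request

@dataclass
class Request:
    number: int
    reviewer: Optional[str]   # None: reviewer must be assigned manually in the admin review
    items: List[Assignment]

@dataclass
class UarOptions:
    admin_review: bool = True         # "Admin review required before sending tasks to reviewers"
    reviewers: str = "Manager"        # "Who are the reviewers?": "Manager" or "Role Owner"
    line_items_per_request: int = 5   # "Number of Line Items per Request"

def determine_reviewer(a: Assignment, opts: UarOptions, managers: Dict[str, str],
                       role_owners: Dict[str, str]) -> Optional[str]:
    # Manager comes from the user details data source, role owner from the
    # Role Approver tab of the role master data; missing data yields None.
    if opts.reviewers == "Manager":
        return managers.get(a.user)
    return role_owners.get(a.role)

def load_data(assignments: List[Assignment], opts: UarOptions, managers: Dict[str, str],
              role_owners: Dict[str, str], coordinators: Dict[str, str], locked_users: Set[str]
              ) -> Tuple[List[Request], List[Tuple[Assignment, str]]]:
    # Model of the "UAR Review Load Data" job: returns the generated requests and
    # the assignments that produced no request, each with the reason.
    not_generated: List[Tuple[Assignment, str]] = []
    by_reviewer: Dict[Optional[str], List[Assignment]] = {}
    for a in assignments:
        if a.user in locked_users:
            not_generated.append((a, "user locked in back-end system"))
            continue
        reviewer = determine_reviewer(a, opts, managers, role_owners)
        if reviewer is None and not opts.admin_review:
            not_generated.append((a, "no reviewer and admin review disabled"))
            continue
        if reviewer is not None and not opts.admin_review and reviewer not in coordinators:
            not_generated.append((a, "reviewer has no coordinator and admin review disabled"))
            continue
        by_reviewer.setdefault(reviewer, []).append(a)
    requests: List[Request] = []
    size = opts.line_items_per_request
    for reviewer, items in by_reviewer.items():
        # More line items than the limit: additional requests for the same reviewer.
        for start in range(0, len(items), size):
            requests.append(Request(len(requests) + 1, reviewer, items[start:start + size]))
    return requests, not_generated

# Constructed sample data: U3 has no manager entry, U4 is locked in the back-end system.
MANAGERS = {"U1": "MGR_A", "U2": "MGR_A", "U4": "MGR_B"}
ROLE_OWNERS = {"Z_FI_AP_CLERK": "OWN_FI", "Z_MM_BUYER": "OWN_MM", "Z_SD_DISPLAY": "OWN_SD"}
COORDINATORS = {"MGR_A": "COORD_1"}
LOCKED = {"U4"}
ASSIGNMENTS = [
    Assignment("U1", "Z_FI_AP_CLERK", "ERP_PRD", 120),
    Assignment("U1", "Z_MM_BUYER", "ERP_PRD", 0),
    Assignment("U1", "Z_SD_DISPLAY", "ERP_PRD", 7),
    Assignment("U2", "Z_FI_AP_CLERK", "ERP_PRD", 35),
    Assignment("U2", "Z_SD_DISPLAY", "CRM_PRD", 2),
    Assignment("U3", "Z_MM_BUYER", "ERP_PRD", 11),
    Assignment("U4", "Z_SD_DISPLAY", "ERP_PRD", 0),
]

def run(admin_review: bool, reviewers: str = "Manager", per_request: int = 2):
    opts = UarOptions(admin_review=admin_review, reviewers=reviewers,
                      line_items_per_request=per_request)
    return load_data(ASSIGNMENTS, opts, MANAGERS, ROLE_OWNERS, COORDINATORS, LOCKED)

if __name__ == "__main__":
    for adm in (True, False):
        reqs, skipped = run(admin_review=adm)
        print(f"admin review {adm}: {len(reqs)} request(s), {len(skipped)} assignment(s) not generated")
        for r in reqs:
            print(" ", r.number, r.reviewer or "<no reviewer: fix in admin review>",
                  [(i.user, i.role, i.usage_count) for i in r.items])
```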

A workflow in CUP always consists of an initiator, one or multiple stages, and a path linking the sequence of stages together. This allows for a very flexible configuration of UAR workflows according to your organization's requirements. For this reason the example I'll present is a very common one, but not the only way of doing it. The workflow contains the following features:
• The first stage of the workflow is the review stage
• If the reviewer marks line items in a request for removal, then the request is sent to a security stage
• If all line items of a given request are approved, then the request is closed without being sent to the security stage
• The security administrator sees all line items of the request, not only those marked for removal



• The security administrator has permission to change the request content in terms of approvals and removals
• After the security administrator submits the request, de-provisioning of marked roles happens automatically

To implement this workflow, you have to define the following characteristics:
• Initiator
• Review stage
• Security stage
• Primary path containing the review stage
• Detour path containing the security stage
• Detour linking the two paths together

Follow menu path CUP > Configuration > Workflow > Initiator to define an initiator. Make sure that you select User Access Review as the workflow type first. You'll need to select this workflow type for all other workflow elements such as stages, paths, and detours. For this example, it is sufficient to add the attribute Request Type with value User Access Review to the initiator. However, for the workflow type User Access Review, you also have the attributes Application and UAR Review Role available to build more complex Boolean conditions to support multiple workflow paths in parallel for your UAR scenario.

Follow menu path CUP > Configuration > Workflow > Stage to define the review stage. Select Reviewer as the approver determinator. You can define a request wait time and an escalation configuration, which defines which type of escalation action should be taken if the UAR request isn't submitted in this stage during the request wait time. The following options are available:
• Forward to next stage
• Forward to administrator
• Deactivate/Forward to next stage: The role assignments for users on the request are deactivated with the validity date set to the current date and the request is forwarded to the next stage
• Deactivate/Lock, Forward To Next Stage: The users on the request are locked in addition to the measures taken in the previous option
• Lock, Forward To Next Stage: The users on the request are only locked and the request is forwarded to the next stage

Then, configure the notification options in the same way as for any other stage in CUP. In the Additional Configuration pane, you can configure a number of parameters (Figure 17). Some of them are of specific interest for the UAR workflow:
• Change Request Content: Controls whether the approver is permitted to change the request content in terms of approval or removal of line items representing role-to-user assignments
• Reject Users: The ability to reject users is required in the reviewer stage, if the reviewers were configured to be the users' managers
• Approval Type: Determines whether all line items of the request are visible to the approver of this stage or only items marked for removal

Figure 17 Additional Configuration section during definition of the review stage

You can define the security stage in the same way as the review stage. Select Security as the approver determinator. Then apply the same Additional Configuration settings as for the review stage, with the exception of Reject Users, which is set to No (Figure 17). Follow CUP > Configuration > Workflow > Path to define the primary path, including the review stage (Figure 18). Select the initiator and the review stage previously created and check the Active check box.

Figure 18 Create the primary path for the UAR workflow containing the review stage

Because I only want those requests that contain line items for removal to be sent through the workflow to the security stage, I need to use the more advanced Detour feature in CUP. Detours are standalone workflows that are engaged through a primary workflow if certain conditions are encountered at a particular stage of the primary workflow. For this reason, I need to create a second path that has no initiator included, but the detour flag checked and the security stage selected as the single stage. Then, follow menu path CUP > Configuration > Workflow > Detour/Fork and make the selections shown in Figure 19.
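The routing and stage settings described above, modelled in Python as an added example (not CUP code or an SAP API; stage names, users and roles are constructed): the review stage takes the detour to the security stage only when a line item is marked for removal, otherwise the request closes; a stage without Change Request Content refuses Approve/Propose Removal; Approval Type controls which items a stage sees; and the escalation options act on the request once the wait time has passed.

```python
"""Constructed model of the UAR workflow described above (illustration only, not SAP/CUP
code): review stage, detour to a security stage only for removals, stage settings, escalation."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

APPROVED, REMOVAL = "Approved", "Removal"

@dataclass
class LineItem:
    user: str
    role: str
    system: str
    decision: Optional[str] = None   # None until an approver acts on the item

@dataclass
class StageConfig:
    name: str
    approver_determinator: str    # "Reviewer" or "Security"
    change_request_content: bool  # Additional Configuration: Change Request Content
    approval_type: str            # "All" or "RemovalOnly": items visible in this stage
    wait_days: int                # request wait time before escalation
    escalation: str               # one of the escalation options listed in the text

@dataclass
class Request:
    items: List[LineItem]
    stage: Optional[str] = "Review"   # None once the request is closed
    audit_trail: List[str] = field(default_factory=list)
    locked_users: List[str] = field(default_factory=list)
    deprovisioned: List[Tuple[str, str, str]] = field(default_factory=list)

def visible_items(req: Request, cfg: StageConfig) -> List[LineItem]:
    # Approval Type: the stage sees every item or only those marked for removal.
    if cfg.approval_type == "All":
        return list(req.items)
    return [i for i in req.items if i.decision == REMOVAL]

def decide(req: Request, cfg: StageConfig, decisions: Dict[str, str]) -> None:
    # Approve / Propose Removal for items keyed "user/role"; refused when the
    # stage does not allow changes to the request content (no such buttons).
    if decisions and not cfg.change_request_content:
        raise PermissionError(f"stage {cfg.name}: changes to request content not allowed")
    for item in visible_items(req, cfg):
        key = f"{item.user}/{item.role}"
        if key in decisions:
            item.decision = decisions[key]
            req.audit_trail.append(f"{cfg.name}: {key} -> {decisions[key]}")

def submit(req: Request, cfg: StageConfig, next_stage: Optional[str], auto_provisioning: bool) -> None:
    # Review stage: take the detour only when removals exist, otherwise close.
    # Security stage: close and, with auto-provisioning, de-provision removals.
    if any(i.decision is None for i in req.items):
        raise ValueError("all line items must be completed before Submit")
    removals = [i for i in req.items if i.decision == REMOVAL]
    if cfg.approver_determinator == "Reviewer":
        req.stage = next_stage if removals else None
        req.audit_trail.append(f"{cfg.name} submitted -> {req.stage or 'closed'}")
        return
    if auto_provisioning:
        req.deprovisioned = [(i.user, i.role, i.system) for i in removals]
    req.stage = None
    req.audit_trail.append(f"{cfg.name} submitted -> closed, {len(req.deprovisioned)} role(s) de-provisioned")

def escalate(req: Request, cfg: StageConfig, days_open: int, next_stage: Optional[str]) -> bool:
    # Apply the stage's escalation action once the request wait time has passed.
    if req.stage != cfg.name or days_open <= cfg.wait_days:
        return False
    action = cfg.escalation
    if action.startswith("Deactivate"):   # validity of the role assignments ends today
        req.audit_trail.append("escalation: role assignments deactivated")
    if "Lock" in action:
        req.locked_users = sorted({i.user for i in req.items})
    req.stage = "Administrator" if action == "Forward to administrator" else next_stage
    req.audit_trail.append(f"escalation: {action} -> {req.stage}")
    return True

# Constructed stage definitions and sample request (assumed names, not real data).
REVIEW = StageConfig("Review", "Reviewer", True, "All", 14, "Deactivate/Lock, Forward To Next Stage")
SECURITY = StageConfig("Security", "Security", True, "All", 7, "Forward to administrator")

def new_request() -> Request:
    return Request([LineItem("U1", "Z_FI_AP_CLERK", "ERP_PRD"),
                    LineItem("U1", "Z_MM_BUYER", "ERP_PRD"),
                    LineItem("U2", "Z_SD_DISPLAY", "ERP_PRD")])

def run_with_removal() -> Request:
    req = new_request()
    decide(req, REVIEW, {"U1/Z_FI_AP_CLERK": APPROVED, "U1/Z_MM_BUYER": REMOVAL,
                         "U2/Z_SD_DISPLAY": APPROVED})
    submit(req, REVIEW, "Security", auto_provisioning=True)  # removal present: detour
    decide(req, SECURITY, {"U1/Z_FI_AP_CLERK": REMOVAL})     # security may change decisions
    submit(req, SECURITY, None, auto_provisioning=True)
    return req

def run_all_approved() -> Request:
    req = new_request()
    decide(req, REVIEW, {f"{i.user}/{i.role}": APPROVED for i in req.items})
    submit(req, REVIEW, "Security", auto_provisioning=True)  # no removal: closed directly
    return req
```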

Figure 19 Detour definition

Rejection Reasons

Managers acting as reviewers in the review stage need to select a reason from a drop-down list when rejecting users. These reasons have to be uploaded in the menu path CUP > Configuration > User Review > Reason for Rejection. You can download the required spreadsheet template from there, fill it with data, and then upload it again (Figure 20).

Figure 20 Uploading reasons for rejection

Coordinators

You identify a coordinator for each reviewer, regardless of whether the reviewer is a user's manager or a role owner. SAP BusinessObjects Access Control uses the coordinator information to generate reports that you can use while managing the review process. If you are not using Administrator Review, then you must have a coordinator associated with the reviewer to get a UAR request generated. You associate coordinators with reviewers in menu path CUP > Configuration > User Review > Coordinators. You have to click Search before you reach the maintenance screen (Figure 21). You enter this data either manually or download the template, maintain the data in the spreadsheet, and upload it again when completed.

Figure 21 Associating coordinators with reviewers

Frank Rambo, Ph.D., is director of SAP GRC Regional Implementation Group (RIG) in the EMEA region. Prior to this position, he worked eight years for SAP Germany as a senior consultant focusing on SAP security, identity management, and the SAP NetWeaver Portal. Before he joined SAP in 1999, Frank worked as a physicist in an international research team. Frank lives in Hamburg, Germany. You may reach him at frank.rambo@sap.com.