[Title] Confidential
Revision History
1/ Purpose
This document provides the requirements definition for the SAP GRC User Access Review (UAR).
Its purpose is to describe the requirements for COFCO Intl.'s UAR functional process for the S4 and MDG systems. The UAR workflow and the functional procedure for the process are detailed in this document.
2/ Scope
User Access Review (UAR) is a module within SAP GRC that assists in the review of user access authorizations.
In a user access review, Managers, Heads of Department or other responsible parties must confirm or reject whether the current user authorizations are still valid. Adding new authorizations is outside the UAR scope; any addition of authorizations must follow the standard User Access Request process.
3/ Pre-requirements
SAP GRC-AC System deployed.
4/ Procedure
The UAR should be a two-step process for reviewing access authorizations.
The process starts with GRC selecting all active users in the target system and the respective roles they have access to.
The process then takes the following steps:
1. STEP 1: Task submission to Line Managers
The process starts with GRC selecting all active users in a selected target system.
A task identifying the user, the detail of the roles and the system is sent to the respective line managers.
In this review task, the line managers must confirm or reject the following:
Once the review is completed and submitted by the line manager in GRC, the following automatic tasks must be performed by the system:
• If the line manager fully rejects the user's access to the system, perform the user termination in S4 or MDG (implemented by a job or automatically).
• If the line manager accepts the user's access but rejects some roles, all rejected roles must be removed from the user.
Based on all the user and role assignments confirmed by the Line Manager, a new phase of review is started (Step 2).
Once the review from Step 1 (Line Manager) is completed, a second layer of review is necessary, based on those results.
All users that remain active must be divided by their SAP group.
The authorizations of users within an SAP group of the "Standard Local Access Review" type must be split by user and company code (role), and one compiled review request per company code must be sent to Internal Controls (see note 1).
For all other SAP groups, the review requests must be created per group and sent to the person listed in the column "Current Reviewer 2" of the table below.
In the cases where the Global Internal Controls (IC) Team is appointed as the reviewer in GRC, the team will need to export the reports to Excel and gather the approval from the "Future Reviewer 2" by email, and/or request clarifications by email. Therefore, the system should allow notes and attachments to be added before the final review is submitted.
As in Step 1, once the review is completed and submitted by the second-level reviewer, the following automatic tasks must be performed by the system:
Reviewers Matrix

| System | User Type | User Type/Group | Reviewer 1 | Split for Step 2 Review | Current Reviewer 2 | Future Reviewer 2 |
|---|---|---|---|---|---|---|
| S4 | Business | Standard Local Access Review | Line Manager | Split users and roles by company code | Global IC team | Entity Controller of the assigned company code |
| S4 | Business | Global Teams | Line Manager | Split by SAP group | Global IC team | Head of department |
| MDG | Business | Local / Global Teams | Line Manager | Split by SAP group | Global IC team | MDM Global - Dalia Sequeira |
| S4 | IT | PWC - Taxmarc | Line Manager | Split by SAP group | João Cordeiro | Global Indirect Tax Manager |
| S4/MDG | IT | IT BASIS | Line Manager | Split by SAP group | Sid Siddiqui | IT Infra - Head of department |
| S4/MDG | IT | IT SILK | Line Manager | Split by SAP group | Ruben Fuentes Perez | IT Transformation - Head of department |
| S4/MDG | IT | IT NO BASIS* | Line Manager | Split by SAP group | Jorge Santos | Global Apps – SAP Lead |

* Auditor and FireFighter accounts are considered IT NO BASIS accounts.
Illustrative workflow for each submission (system perspective). This is illustrative and must be reviewed against the requirements above.
Note 1: In an upcoming stage of the project, these requests should be sent to each of the company code controllers.
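As an added illustration (not part of the original requirements document and not SAP GRC's own code), the following Python model applies the Step 1 outcomes (full rejection terminates the user, partial rejection removes the rejected roles) and then builds the Step 2 review requests with the grouping and routing rules described above: Standard Local Access Review users are split per company code, every other SAP group gets one request per group, and each request is routed to the "Current Reviewer 2" from the matrix. The User and decision classes, the reviewer lookup table and the sample users, roles and decisions are all constructed assumptions for this example. It also handles one failure mode the text implies but does not spell out: a user whose SAP group has no entry in the matrix is flagged for mapping rather than silently dropped from review.

```python
"""Added example: a model of the two-step UAR outcome processing.

Everything here is constructed for illustration; the classes, the reviewer
lookup and the sample data are assumptions, not SAP GRC objects or real accounts.
"""
from collections import defaultdict
from dataclasses import dataclass, field

STANDARD_LOCAL = "Standard Local Access Review"


@dataclass
class User:
    user_id: str
    system: str      # target system: "S4" or "MDG"
    sap_group: str   # SAP user group used for the Step 2 split
    roles: dict      # role name -> company code, or None if not company-code bound
    active: bool = True


@dataclass
class LineManagerDecision:
    """Step 1 result: access confirmed or fully rejected, plus individually rejected roles."""
    user_id: str
    access_confirmed: bool
    rejected_roles: set = field(default_factory=set)


# "Current Reviewer 2" per SAP group, copied from the reviewers matrix above.
# Groups are unique across S4 and MDG in that matrix, so the group alone is the key.
# Reviewer 1 is always the Line Manager and is not modelled.
CURRENT_REVIEWER_2 = {
    STANDARD_LOCAL: "Global IC team",
    "Global Teams": "Global IC team",
    "Local / Global Teams": "Global IC team",
    "PWC - Taxmarc": "João Cordeiro",
    "IT BASIS": "Sid Siddiqui",
    "IT SILK": "Ruben Fuentes Perez",
    "IT NO BASIS": "Jorge Santos",
}


def apply_step1(users, decisions):
    """Apply the automatic actions after the Line Manager review.

    Returns the provisioning actions the system must perform, in decision order:
    full rejection -> TERMINATE_USER; partial rejection -> REMOVE_ROLE per rejected role.
    """
    by_id = {u.user_id: u for u in users}
    actions = []
    for d in decisions:
        user = by_id[d.user_id]
        if not d.access_confirmed:
            user.active = False
            actions.append(("TERMINATE_USER", user.system, user.user_id))
            continue
        for role in sorted(d.rejected_roles):
            if role in user.roles:  # ignore rejections of roles the user no longer holds
                del user.roles[role]
                actions.append(("REMOVE_ROLE", user.system, user.user_id, role))
    return actions


def build_step2_requests(users):
    """Group the users still active after Step 1 into second-level review requests."""
    buckets = defaultdict(list)
    for u in users:
        if not u.active or not u.roles:
            continue
        for role, company_code in u.roles.items():
            # Standard Local Access Review: one request per company code; others: per group.
            split_key = company_code if u.sap_group == STANDARD_LOCAL else None
            buckets[(u.system, u.sap_group, split_key)].append((u.user_id, role))

    requests = []
    for key in sorted(buckets, key=lambda k: (k[0], k[1], k[2] or "")):
        system, group, company_code = key
        reviewer = CURRENT_REVIEWER_2.get(group)
        requests.append({
            "system": system,
            "sap_group": group,
            "company_code": company_code,
            "reviewer": reviewer,
            # A missing mapping must surface as a finding, never drop users from review.
            "needs_mapping": reviewer is None,
            "items": sorted(buckets[key]),
        })
    return requests


def sample_users():
    """Constructed sample population (not real accounts)."""
    return [
        User("U001", "S4", STANDARD_LOCAL, {"Z_FI_AP_1000": "1000", "Z_FI_GL_2000": "2000"}),
        User("U002", "S4", STANDARD_LOCAL, {"Z_FI_AP_1000": "1000"}),
        User("U003", "S4", "IT BASIS", {"Z_BASIS_ADMIN": None}),
        User("U004", "MDG", "Local / Global Teams", {"Z_MDG_DISPLAY": None}),
        User("U005", "S4", "Contractor Temp", {"Z_TEMP_DISPLAY": None}),  # group absent from matrix
    ]


def sample_decisions():
    """Constructed Step 1 decisions from the Line Managers."""
    return [
        LineManagerDecision("U001", True, {"Z_FI_GL_2000"}),  # keeps access, loses one role
        LineManagerDecision("U002", False),                   # fully rejected -> terminate
        LineManagerDecision("U003", True),
        LineManagerDecision("U004", True),
        LineManagerDecision("U005", True),
    ]


if __name__ == "__main__":
    population = sample_users()
    for action in apply_step1(population, sample_decisions()):
        print("STEP1", action)
    for req in build_step2_requests(population):
        print("STEP2", req)
```

Running the module prints the Step 1 actions followed by one Step 2 request per bucket; the request for the "Contractor Temp" group comes back with `needs_mapping` set, which is the condition a control owner should report on before the review cycle is considered complete.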
User Access Review (via GRC-AC) Workflow (illustrative, to be reviewed based on above). Steps recovered from the workflow diagram:

Step 6 – Submitting request: SAP Security creates the job for sending User Access Review requests to the Reviewer. Notification (L.01) is sent via email. (Flow: from step 4, next step 7.)
Step 8 – Validate User Access and their items: The Reviewer validates the User Access and its items and evaluates (approves / rejects) the existing authorizations. (Flow: next step 10 / End.)
Step 9 – Specify which Access or items to remove: The Reviewer confirms the access removals and sends them to deprovisioning. (Flow: next step 10.)
Step 10 – Access automatically assigned by the system: With the input from step 9, the GRC-UAR system automatically removes the authorizations marked for deletion for the user. (Flow: from step 9, next End.)
5/ References
04. Functional To-Be Report GRC-AC v09.pdf
6/ Definitions
UAR – User Access Review