Confidential

SAP GRC Programme


UAR Requirements for S4 and MDG
Version 1.0 | 02 May 2022

Revision History

Version | Created by   | Creation date | Approved by     | Approval date | Comments
0.1     | José Sampaio | 14-April-2022 | Duarte Monteiro | 20-April-2022 | First Version
1.0     | José Sampaio | 20-April-2022 | Miguel Aparicio | 02-May-2022   | IC Review


1/ Purpose

This document provides the requirements definition for the SAP GRC User Access Review (UAR).

The purpose of this document is to describe the requirements for COFCO Intl.'s UAR functional process for the S4
and MDG systems. This document details the UAR workflow and the functional procedure for the process.

2/ Scope
User Access Review (UAR) is a module within SAP GRC that assists in the review of user access authorizations.
In a user access review, Managers, Heads of Department or another responsible party must confirm or reject whether current
user authorizations are valid. Adding new authorizations is outside the UAR scope. Addition of authorizations must
follow the User Access Request standard process.

Systems: S4, MDG

3/ Pre-requirements
SAP GRC-AC System deployed.

4/ Procedure
The UAR should be a two-step process for reviewing access authorizations.
The process starts with GRC selecting all active users in the target system and the respective roles they have access to.
The process then takes the following steps:
1. STEP 1: Task submission to Line Managers
The process starts with GRC selecting all active users in a selected target system.
A task identifying the user, the roles assigned and the system is sent to the respective line
managers.
In this review task, the line managers must confirm or reject the following:

• The user's access to the system and environment in question.

• Each one of the roles assigned to the user at that time.

Once the review is completed and submitted by the line manager in GRC, the following automatic tasks must
be conducted by the system:

• If the line manager fully rejects the user's access to the system, perform the user termination in S4
or MDG. Implemented by JOB or automatically.

• If the line manager accepts the user's access but rejects some roles, all rejected roles must be removed
from the user.

Based on all users and role assignments confirmed by the Line Manager, a new phase
of review is started (Step 2).

2. STEP 2: Task submission to Company Controllers or Global Managers


Once the review from step 1 (Line Manager) is completed, and based on those results, a second layer of
review is necessary.
All users that remain active must be divided by their SAP group.
The authorizations of users within an SAP group of the "Standard Local Access Review" type must be
split by user and company code (role), and one compiled review request per company code must be sent
to Internal Controls (see note 1).
For all other SAP groups, review requests must be created per group and sent to
the person named in the column "Current Reviewer 2" in the table below.
In the cases where the Global Internal Controls (IC) Team is appointed as reviewer in GRC, the team
will be required to export reports to Excel, gather the approval from the "Future Reviewer 2" by email
and/or request clarifications by email as well. Therefore, the system should allow notes and
attachments to be added before the final review is submitted.
As for step 1, once the review is completed and submitted by the second-level reviewer, the following
automatic tasks must be conducted by the system:

• Any rejected role or user access must be automatically removed by GRC.

Reviewers Matrix

System | User Type | User Type/Group              | Reviewer 1   | Split for Step 2 Review               | Current Reviewer 2  | Future Reviewer 2
S4     | Business  | Standard Local Access Review | Line Manager | Split users and roles by company code | Global IC team      | Entity Controller of the assigned company code
S4     | Business  | Global Teams                 | Line Manager | Split by SAP group                    | Global IC team      | Head of department
MDG    | Business  | Local / Global Teams         | Line Manager | Split by SAP group                    | Global IC team      | MDM Global - Dalia Sequeira
S4     | IT        | PWC - Taxmarc                | Line Manager | Split by SAP group                    | João Cordeiro       | Global Indirect Tax Manager
S4/MDG | IT        | IT BASIS                     | Line Manager | Split by SAP group                    | Sid Siddiqui        | IT Infra - Head of department
S4/MDG | IT        | IT SILK                      | Line Manager | Split by SAP group                    | Ruben Fuentes Perez | IT Transformation - Head of department
S4/MDG | IT        | IT NO BASIS*                 | Line Manager | Split by SAP group                    | Jorge Santos        | Global Apps – SAP Lead

* Auditor and FireFighter accounts are considered as IT NO BASIS accounts.

Additional tasks required for Business User second submission:


▪ User groups must be reviewed to identify properly which are local and global users.
▪ Global users should have individual groups: Treasury, Tax, IC, Risk...
▪ All other tasks already appointed in step 1.
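The following simulation, added here as an illustration and not part of the requirements document or of SAP GRC, models the two-step decision logic described in Step 1 and Step 2: Line Manager decisions are turned into automatic termination / role-removal actions, the remaining users are split into second-level review requests (per company code for the "Standard Local Access Review" group, per SAP group otherwise), and second-level rejections become automatic removals. The users, roles, decisions and the reviewer-matrix subset are constructed sample data; reviewer names are placeholders.

```python
"""Simulation of the two-step UAR decision logic (added example, not SAP GRC code).

All users, roles, decisions and reviewer assignments below are constructed
sample data for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed subset of the Reviewers Matrix: SAP group -> (reviewer 2, split mode).
# "company_code" mirrors the Standard Local Access Review row, "sap_group" the others.
REVIEWER_MATRIX = {
    "Standard Local Access Review": ("Global IC team", "company_code"),
    "Global Teams": ("Global IC team", "sap_group"),
    "IT BASIS": ("IT BASIS reviewer (placeholder)", "sap_group"),
}


@dataclass
class User:
    user_id: str
    system: str          # "S4" or "MDG"
    sap_group: str
    line_manager: str
    roles: dict          # role name -> company code the role belongs to


@dataclass
class Step1Decision:
    access_confirmed: bool                      # False = user access fully rejected
    rejected_roles: set = field(default_factory=set)


def apply_step1(users, decisions):
    """Step 1: apply Line Manager decisions.

    Returns (actions, remaining_users). actions is the list of automatic tasks
    GRC must perform, as (action, user_id, detail) tuples.
    """
    actions, remaining = [], []
    for u in users:
        if u.user_id not in decisions:
            raise KeyError(f"no Line Manager decision recorded for {u.user_id}")
        d = decisions[u.user_id]
        if not d.access_confirmed:
            # Full rejection: terminate the user in the target system.
            actions.append(("terminate_user", u.user_id, u.system))
            continue
        # Partial rejection: remove only the rejected roles (ignore unknown ones).
        for role in sorted(d.rejected_roles & set(u.roles)):
            actions.append(("remove_role", u.user_id, role))
        kept = {r: cc for r, cc in u.roles.items() if r not in d.rejected_roles}
        remaining.append(User(u.user_id, u.system, u.sap_group, u.line_manager, kept))
    return actions, remaining


def build_step2_requests(remaining):
    """Step 2: group the still-active users into second-level review requests.

    Requests are keyed by (reviewer, split key); the split key is a company code
    for Standard Local Access Review users and the SAP group for everyone else.
    """
    requests = defaultdict(list)
    for u in remaining:
        reviewer, mode = REVIEWER_MATRIX[u.sap_group]
        for role, cc in u.roles.items():
            key = f"company_code:{cc}" if mode == "company_code" else f"sap_group:{u.sap_group}"
            requests[(reviewer, key)].append((u.user_id, role))
    return dict(requests)


def apply_step2(requests, rejected_items):
    """Every (user_id, role) rejected by the second-level reviewer is removed by GRC."""
    return [("remove_role", uid, role)
            for items in requests.values()
            for uid, role in items
            if (uid, role) in rejected_items]


# Constructed sample input.
SAMPLE_USERS = [
    User("U001", "S4", "Standard Local Access Review", "LM-A",
         {"Z_AP_CLERK_1000": "1000", "Z_AR_CLERK_2000": "2000"}),
    User("U002", "S4", "Global Teams", "LM-A", {"Z_TREASURY_GLOBAL": "GLOB"}),
    User("U003", "MDG", "IT BASIS", "LM-B", {"Z_BASIS_ADMIN": "GLOB"}),
]
SAMPLE_DECISIONS = {
    "U001": Step1Decision(True, {"Z_AR_CLERK_2000"}),   # keep user, drop one role
    "U002": Step1Decision(True),                        # keep everything
    "U003": Step1Decision(False),                       # full rejection -> terminate
}


def run_sample():
    """Run both steps over the constructed data and return all intermediate results."""
    actions1, remaining = apply_step1(SAMPLE_USERS, SAMPLE_DECISIONS)
    requests = build_step2_requests(remaining)
    actions2 = apply_step2(requests, {("U002", "Z_TREASURY_GLOBAL")})
    return actions1, requests, actions2


if __name__ == "__main__":
    for part in run_sample():
        print(part)
```

Running the sample yields one role removal and one user termination from Step 1, two second-level requests (one per company code 1000 for the local user, one per SAP group for the global user), and one further removal from the Step 2 rejection.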

Illustrative Workflow for each submission (system perspective). This is illustrative and must be reviewed based on the
above.

1 In an upcoming stage of the project, these requests should be sent to each one of the company code
controllers.


User Access Review (via GRC-AC) Workflow (illustrative, to be reviewed based on above).

No. | Activity                                    | Input                           | Activity Description                                                                                                                                                                                                                                                                                                                                                                                                                                          | Output
1   | Start                                       | Beginning of the Review process | SAP Security creates the Job with the list of users to be reviewed.                                                                                                                                                                                                                                                                                                                                                                                            | 2
2   | Job Execution                               | 1/2                             | GRC-AC system creates the User Access Review Request based on the data provided when creating the Job.                                                                                                                                                                                                                                                                                                                                                         | 3
3   | Execution review                            | 2                               | SAP Security verifies if the User Access Review Request created is compliant with initial requirements.                                                                                                                                                                                                                                                                                                                                                        | 4/5
4   | Assign Reviewer to request                  | 3                               | SAP Security confirms the data presented and assigns the User Access Review Request to the respective Reviewer.                                                                                                                                                                                                                                                                                                                                                | 6
5   | Review process for defective users          | 3                               | SAP Security corrects user selection parameters and re-submits the request.                                                                                                                                                                                                                                                                                                                                                                                    | 2
6   | Submitting request                          | 4                               | SAP Security creates the Job for sending User Access Review requests to the Reviewer. Notification (L.01) sent via email.                                                                                                                                                                                                                                                                                                                                      | 7
7   | Receive User Access Review Request List     | 7                               | Reviewer will receive one or more User Access Review Requests and start the process of recertification. In this stage, the Reviewer will have the possibility to export the request with all details to be shared by email, or similar, and request additional approval or clarification outside the system. After the Reviewer's queries, it must be possible to attach any information (email, Excel) that the Reviewer would consider relevant to justify any decision. |
8   | Validate User Access and their items.       |                                 | Reviewer will validate the User Access and their items and evaluate (approve / reject) existing authorizations.                                                                                                                                                                                                                                                                                                                                                | 10 / End
9   | Specify which Access or items to remove.    |                                 | Reviewer will confirm the access removals and send them to deprovisioning.                                                                                                                                                                                                                                                                                                                                                                                     | 10
10  | Access automatically assigned by the system | 9                               | With the input from item 9, the GRC-UAR system automatically removes the authorizations marked for deletion from the user.                                                                                                                                                                                                                                                                                                                                     | End

5/ References
04. Functional To-Be Report GRC-AC v09.pdf

6/ Definitions
UAR – User Access Review
