User Manual GRC - UAR v.09

This document provides guidance on SAP GRC User Access Review workflows and processes. It describes a three-step periodic user access review process involving line managers, group managers, and company controllers. Diagrams and detailed steps are provided for each reviewer. Reports are also described to support audit and follow-up of the review process. The goal is to automate periodic access reviews and remove roles according to decisions, while maintaining compliance.

Uploaded by Ricardo Soares

SAP GRC Access Control

User Access Review


User Manual
VERSION CONTROL

VERSION NUMBER | AUTHOR | PURPOSE | CHANGE DATE
V0.1 | RUBENS MULLER | FIRST VERSION (V0.1) | 2022/08/16
V0.2 | RUBENS MULLER | UPDATE PROCESS REVIEW AND DIAGRAMS | 2022/08/17
V0.3 | RUBENS MULLER | GENERAL UPDATE | 2022/08/22
V0.4 | RUBENS MULLER | GENERAL UPDATE | 2022/08/22
V0.5 | RUBENS MULLER | ADJUST DIAGRAMS AND PROCESS | 2022/08/24
V0.6 | JOANA GONÇALVES, RUBENS MULLER, NUNO OLIVEIRA | ADJUST REPORTS | 2022/08/24
V0.7 | RUBENS MULLER | PERIODIC USER ACCESS REVIEW PROCESS; USER ACCESS PARTICIPANTS; 2B - PROCESS | 2022/09/29
V0.8 | RUBENS MULLER | ADJUSTMENT DIAGRAM STEP 2B | 2022/09/30

INDEX
VERSION CONTROL ................................................................................................................................................ 2
INDEX .................................................................................................................................................................... 3
INTRODUCTION (Context) ...................................................................................................................................... 4
PROCESS REVIEW ................................................................................................................................................... 5
BENEFITS OF UAR ................................................................................................................................................... 6
PERIODIC USER ACCESS REVIEW PROCESS ............................................................................................................. 7
USER ACCESS PARTICIPANTS .................................................................................................................................. 8
PHASES PREREQUISITES ......................................................................................................................................... 9
FIRST STEP (Line Manager) ................................................................................................................................... 10

Opening the request ................................................................................................................................................10

Approve, forward, reject or maintain access...........................................................................................................15

Diagram...................................................................................................................................................................19

Process ....................................................................................................................................................................20
SECOND STEP A (Group Manager) ........................................................................................................................ 21

Opening the request ................................................................................................................................................21

Approve, forward, reject or maintain access...........................................................................................................26

Diagram...................................................................................................................................................................30

Process ....................................................................................................................................................................31
SECOND STEP B (Company Controller) ................................................................................................................. 32

Opening the request ................................................................................................................................................32

Approve, maintain or forward access .....................................................................................................................37

Diagram...................................................................................................................................................................40

Process ....................................................................................................................................................................41
REPORTS .............................................................................................................................................................. 42

UAR History Report (Detail) .....................................................................................................................................42

User Review Report (Summary)...............................................................................................................................45

Report Export ..........................................................................................................................................................47

INTRODUCTION (CONTEXT)

The purpose of this document is to describe the expected scenario for the CIL SAP GRC User Access Review
workflows, based on best practices recommended by SAP and by internal/external audit, to meet
compliance, efficiency, flexibility and transparency requirements.

For each workflow, a diagram of the process is presented, detailing for each actor the assigned
activities, the decisions that must be taken and the system in which they occur. Additionally, two tables
are included: one describing the process in detail and the other describing the messages received at
each step.

In some cases, the processes have different approvers depending on the accesses (or profiles) related to
the type of campaign.

These campaigns will be defined throughout the manual as Steps:

Step 1: the responsible reviewer is the user's Line Manager;

Step 2a: the responsible reviewer is the user's Group Manager;

Step 2b: the responsible reviewer of the Roles is the Company Controller.

PROCESS REVIEW

The UAR module of GRC-AC is used to perform the periodic review of user accesses in the satellite
environments PS0, PM0, PG0 and PB0 (BPC).

UAR supports governance, risk and compliance by providing periodic reviews of user access (according to
CIL policies), so that continuous compliance is maintained in the Access Management processes.

With UAR, user access review requests can be generated based on various user attributes, and a user's
role can be maintained or removed based on, for example:

• Role;
• User Group;
• System.

BENEFITS OF UAR

• Automated process for periodic user access review;
• Decentralized review of user access;
• Workflow of user access review requests with their respective approval;
• Automatic removal of Roles after a decision is made;
• Status reports, audit trail and histories to help follow up the review process and support internal
and external auditing;
• Support for back-end systems integrated with GRC-AC;
• Support for business functions.

PERIODIC USER ACCESS REVIEW PROCESS
The UAR process is based on the following steps:
• Step 1: a job is executed/scheduled to generate the requests and send them to the Line Manager, who
carries out the review by indicating which Roles are to be kept or removed from the user.
• Step 2a: a job is executed to issue notifications for the user groups registered in table
ZGRC_UAR_GRP_MNG (maintained through transaction ZGRC_UAR_GRP_MNG), addressed to the responsible
appointed for each group.
• Step 2b: a job is executed/scheduled to generate the requests and send them to the Company
Controllers, who carry out the review by indicating which users are to be kept in or removed from the Role.

USER ACCESS PARTICIPANTS
Administrators
This person has the Administrator role assigned for Access Control. They can perform UAR-specific
administrator tasks, such as cancelling UAR requests and regenerating requests for rejected users, as
well as the Administrator review before the workflow for a request is generated.

Line Managers
Participate in the review of the requests generated in Phase 1.
The Line Manager is the manager of a user, previously defined in the AD Data Source.

Group Manager (Global Reviewer)
Participates in the review of the requests generated in Phase 2a.
This reviewer needs to be previously registered in the ZGRC_UAR_GRP_MNG transaction, based on the
User Group registered in the system master data that will participate in the review process.

Company Controllers
Participate in the review of the requests generated in Phase 2b and are responsible for the roles
assigned to the user.
They need to be defined as Role Owners responsible for assigning Roles to the user in the BRM
application of GRC-AC.

Coordinators
Each reviewer registered in the system needs a Coordinator user. Coordinators monitor the UAR process
through reports and coordinate activities to ensure that the process is completed in a timely manner.

Alternative Reviewers
Agents who optionally receive user review requests forwarded by the Line Manager, Group Manager
or Company Controller.

PHASES PREREQUISITES
For all phases, each Reviewer and Coordinator needs to:
• Exist in GRC Access Control;
• Have the Roles according to each responsibility;
• Be registered in the "Manage Coordinators" section of GRC Access Control.

In addition to the above, for each phase in particular:

Line Manager
The manager of the user to be reviewed needs to exist in the Active Directory Data Source.

Group Manager
The manager of the group to be reviewed needs to be registered in “UAR – User Group Manager
Replacement” (transaction ZGRC_UAR_GRP_MNG).

Company Controller
The Company Controller needs to be registered in the BRM as responsible for assigning a Role to a user.

Note:
The configuration of each item above is described in detail in the GRC UAR Administrator's manual.

FIRST STEP (LINE MANAGER)

OPENING THE REQUEST


The purpose of this chapter is to support the CIL UAR Administrator in using the user access review
application in the GRC Access Control perimeter environments.

Enter the NWBC transaction, click Access Management, then click the Background Scheduler option.

Select “Create”.

Enter the name of the schedule according to the Campaign, select the activity “Generates data for
access request UAR review” and set the periodicity of the job execution.

Set the criteria for collecting the accesses of the users that will participate in the review.

In the selection criteria we can specify Roles that will not participate in the review process. All
other Roles will then be considered for the creation of review requests.

Select “Finish”.

Select “Close”.

Follow the status of the job execution until it completes.

After the execution completes, select the corresponding job and click “Open”.

Verify the status of the request generation.

To validate the generated requests, open the Fiori link:

https://sapgrc.cofcointernational.com/

Select the tile “UAR: Scheduling Details”.

Copy the Job ID generated in the NWBC transaction and enter it in “Job No”.

Requests generated by the specified job.

APPROVE, FORWARD, REJECT OR MAINTAIN ACCESS
Reviewers can access requests in two ways:
• Via the link provided in the e-mail once the request is opened.
• Through the Work Inbox, via the NWBC transaction directly in SAP GRC Access Control.

Notification received by e-mail to start the review.

Enter the NWBC transaction and click My Home. Click on the Work Inbox option.

Click on the request link for more information.

Select the Roles assigned to the user and indicate, one by one, whether the access is to be kept
(Approve) or removed (Removed Role).

If a user is assigned to your review but is not in your team or has left the company, you should
reject the task. To do so, mark the user, select the "Reject User" option, enter the “Reason for
Rejection” and select "Submit". Note that this action will not block or remove the user from the system.
It only removes the user from the review task and makes the Coordinator take action on the user,
based on further analysis.

When submitting, review the decisions made in the previous step and confirm by selecting Approve. If
there is any incorrect data, select Back and make the necessary adjustments.

If, instead of submitting, the main reviewer wants to forward the user's review to an alternate reviewer,
save the entered actions and select Other Options > Forward.
If you feel that a specific user needs to be forwarded to the alternate reviewer, select the user and
click Forward. This may be necessary if the Line Manager does not have a complete grasp of the
user’s activities and would like input from, for example, a coordinator or team leader.

Enter the ID of the new reviewer and add a note with relevant data about the review.
Check “Forward with return” if you want the request to be automatically forwarded back to the Line
Manager after the alternate reviewer submits the review. Select OK.
Keep in mind that if you do not check the box, the alternate reviewer’s review will be final and you will
not be able to change anything done by the alternate reviewer.

DIAGRAM

PROCESS
No. | Activity | Entry | Activity Description | Exit
A | Program the job for creating the review request | Start Process | Administrator schedules the job, informing the necessary attributes | B or J
B | Receive Request | A and G | Line Manager receives the request in the review inbox and opens the review form | C
C | Set Access | B and E | Line Manager can: maintain/remove the Role in the user or reject the user; or save and forward the request to the Alternate Reviewer | D or F
D | Submit Request | C | Line Manager submits the request to keep/remove Roles or reject the user | E
E | Confirm changes in validation screen | D | Line Manager reviews all the actions done in the previous session. If in order, the request is sent; if not, the request is returned and adjusted | C, J or K
F | Receive Request | C | Alternate Reviewer receives the request in the review inbox and opens the review form | G
G | Set Access | F and I | Alternate Reviewer can: maintain/remove the Role in the user or reject the user; or save and resend to the original reviewer | H or B
H | Submit Request | G | Alternate Reviewer submits the request to keep/remove Roles or reject the user | I
I | Confirm changes in validation screen | H | Alternate Reviewer reviews all the actions done in the previous session. If in order, the request is sent; if not, the request is returned and adjusted | G, J or K
J | Review Rejections | E and I | Administrator reviews the rejected user and either resends to the reviewer or confirms and explains the reason (can export to PDF and send via e-mail) | A or End Process
K | Provisioning | E and I | GRC Access Control removes the roles that the reviewer defined not to be kept for the user | End Process
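The review rules from the sections above (a decision per role, Reject User only removing the user from the task, Forward with and without return) as a small executable model. This is an added example written for this manual, not SAP code; the class, user and role names are constructed.

```python
from dataclasses import dataclass, field

# Decisions a reviewer can record per assigned role (labels as used in the manual).
APPROVE = "Approve"
REMOVE = "Removed Role"


@dataclass
class ReviewRequest:
    """A Step 1 / Step 2a review request: one user -> its roles under review (hypothetical model)."""
    original_reviewer: str
    roles: dict                                    # user -> list of roles under review
    reviewer: str = ""                             # who currently holds the request
    decisions: dict = field(default_factory=dict)  # (user, role) -> APPROVE | REMOVE
    rejected: dict = field(default_factory=dict)   # user -> "Reason for Rejection"
    return_to_original: bool = False

    def __post_init__(self):
        self.reviewer = self.reviewer or self.original_reviewer

    def decide(self, user, role, action):
        """Set Access: keep (Approve) or remove (Removed Role) one role of one user."""
        if action not in (APPROVE, REMOVE):
            raise ValueError(f"unknown action {action!r}")
        if role not in self.roles.get(user, []):
            raise KeyError(f"{role} is not under review for {user}")
        self.decisions[(user, role)] = action

    def reject_user(self, user, reason):
        """Reject User: drops the user from this review task only. The user keeps all
        system access and is flagged for the Coordinator's follow-up."""
        if not reason:
            raise ValueError("Reason for Rejection is mandatory")
        self.rejected[user] = reason
        for role in self.roles.get(user, []):
            self.decisions.pop((user, role), None)

    def forward(self, alternate, with_return):
        """Other Options > Forward: saved actions travel with the request. Without
        'Forward with return' the alternate reviewer's submission is final."""
        self.reviewer = alternate
        self.return_to_original = with_return

    def pending(self):
        """Roles that still lack a decision (rejected users are out of the task)."""
        return [(u, r) for u, rs in self.roles.items() if u not in self.rejected
                for r in rs if (u, r) not in self.decisions]

    def submit(self):
        """Validation screen -> Approve. Returns the outcome of this submission."""
        if self.pending():
            raise ValueError(f"every role needs a decision first: {self.pending()}")
        if self.reviewer != self.original_reviewer and self.return_to_original:
            # Alternate submitted with return: the request goes back to the original
            # reviewer, who may still change the saved decisions before provisioning.
            self.reviewer = self.original_reviewer
            self.return_to_original = False
            return {"status": "returned", "to": self.reviewer}
        return {
            "status": "final",
            "submitted_by": self.reviewer,
            "roles_to_remove": sorted(k for k, v in self.decisions.items() if v == REMOVE),
            "users_for_coordinator": dict(self.rejected),
            "users_blocked": [],  # Reject User never blocks or removes a user
        }
```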

SECOND STEP A (GROUP MANAGER)

OPENING THE REQUEST


The purpose of this chapter is to support the CIL UAR Administrator in using the user access review
application in the GRC Access Control perimeter environments.

Enter the NWBC transaction, click Access Management, then click the Background Scheduler option.

Select “Create”.

Enter the name of the schedule according to the Campaign, select the activity “UAR Step 2a -
Generates data for access request UAR review” and set the periodicity of the job execution.

Set the criteria for collecting the accesses of the users that will participate in the review.

Note: for this activity, it is necessary to specify the user group that will participate in the review
process. If the Administrator needs to specify more than one group for the same job, add new lines
by selecting the “+” sign.

The inverse also applies: in the selection criteria we can specify only the groups that will not
participate in the review process. All other groups will then be considered for the creation of
review requests.

We can also specify in the selection criteria the roles that will not participate in the review process.
All other Roles will then be considered for the creation of review requests.
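How the Background Scheduler selection criteria (included groups, excluded groups, excluded roles, systems) and the three campaign types partition the same role assignments into requests, as an added example written for this manual and not SAP code. The assignment records, manager and role-owner mappings are constructed sample data standing in for the AD Data Source, table ZGRC_UAR_GRP_MNG and BRM role ownership.

```python
from collections import defaultdict

# Constructed sample data: (user, user_group, role, system). Not real CIL data.
ASSIGNMENTS = [
    ("U001", "FIN", "Z_FI_POST", "PS0"),
    ("U001", "FIN", "Z_BASIS_DISPLAY", "PS0"),
    ("U002", "FIN", "Z_FI_POST", "PM0"),
    ("U003", "LOG", "Z_MM_BUYER", "PS0"),
    ("U004", "HR", "Z_HR_ADMIN", "PG0"),
]
# Step 1 reviewer source: the user's manager from the AD Data Source (constructed).
LINE_MANAGER = {"U001": "M_ANA", "U002": "M_ANA", "U003": "M_JOAO", "U004": "M_RITA"}
# Step 2a reviewer source: group -> appointed responsible, as kept in ZGRC_UAR_GRP_MNG
# (constructed content; note that group "HR" has no manager registered).
GROUP_MANAGER = {"FIN": "GM_FIN", "LOG": "GM_LOG"}
# Step 2b reviewer source: role -> Role Owner / Company Controller from BRM (constructed).
ROLE_OWNER = {"Z_FI_POST": "CC_FIN", "Z_BASIS_DISPLAY": "CC_IT",
              "Z_MM_BUYER": "CC_LOG", "Z_HR_ADMIN": "CC_HR"}


def in_scope(assignments, include_groups=(), exclude_groups=(), exclude_roles=(), systems=()):
    """Apply the selection criteria of a scheduled UAR job.

    Empty include_groups / systems mean "all". Excluded groups and roles are dropped,
    and everything else is considered for request generation, which is the exclusion
    logic the manual describes for Steps 1, 2a and 2b.
    """
    kept = []
    for user, group, role, system in assignments:
        if include_groups and group not in include_groups:
            continue
        if systems and system not in systems:
            continue
        if group in exclude_groups or role in exclude_roles:
            continue
        kept.append((user, group, role, system))
    return kept


def generate_requests(step, assignments):
    """Group in-scope assignments into review requests keyed by reviewer.

    Steps 1 and 2a produce one request per user, listing the roles to decide on.
    Step 2b produces one request per role, listing the users to decide on.
    Items whose reviewer is not registered (prerequisite not met) are collected
    under "UNASSIGNED" so the Administrator can see what could not be routed.
    """
    requests = defaultdict(lambda: defaultdict(list))
    for user, group, role, _system in assignments:
        if step == "1":
            reviewer, subject, item = LINE_MANAGER.get(user), user, role
        elif step == "2a":
            reviewer, subject, item = GROUP_MANAGER.get(group), user, role
        elif step == "2b":
            reviewer, subject, item = ROLE_OWNER.get(role), role, user
        else:
            raise ValueError(f"unknown step {step!r}")
        requests[reviewer or "UNASSIGNED"][subject].append(item)
    return {reviewer: dict(per_subject) for reviewer, per_subject in requests.items()}
```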

Select “Finish”.

Select “Close”.

Follow the status of the job execution until it completes.

After the execution completes, select the corresponding job and click “Open”.

Verify the status of the request generation.

To validate the generated requests, open the Fiori link:
https://sapgrc.cofcointernational.com/

Select the tile “UAR: Scheduling Details”.

Copy the Job ID generated in the NWBC transaction and enter it in “Job No”.

Requests generated by the specified job.

APPROVE, FORWARD, REJECT OR MAINTAIN ACCESS


Reviewers can access requests in two ways:
• Via the link provided in the e-mail once the request is opened.
• Through the Work Inbox, via the NWBC transaction directly in SAP GRC Access Control.

Notification received by e-mail to start the review.

Enter the NWBC transaction and click My Home. Click on the Work Inbox option.

Click on the request link for more information.

Select the Roles assigned to the user and indicate, one by one, whether the access is to be kept
(Approve) or removed (Removed Role).

If a user is assigned to your review but is not in your team or has left the company, you should
reject the task. To do so, mark the user, select the "Reject User" option, enter the “Reason for
Rejection” and select "Submit". Note that this action will not block or remove the user from the system.
It only removes the user from the review task and makes the Coordinator take action on the user,
based on further analysis.

When submitting, review the decisions made in the previous step and confirm by selecting Approve. If
there is any incorrect data, select Back and make the necessary adjustments.

If, instead of submitting, the main reviewer wants to forward the user's review to an alternate reviewer,
save the entered actions and select Other Options > Forward.
If you feel that a specific user needs to be forwarded to the alternate reviewer, select the user and
click Forward. This may be necessary if the Group Manager does not have a complete grasp of the
user’s activities and would like input from, for example, a coordinator or team leader.

Enter the ID of the new reviewer and add a note with relevant data about the review.
Check “Forward with return” if you want the request to be automatically forwarded back to the Group
Manager after the alternate reviewer submits the review. Select OK.
Keep in mind that if you do not check the box, the alternate reviewer’s review will be final and you will
not be able to change anything done by the alternate reviewer.

DIAGRAM

PROCESS
No. | Activity | Entry | Activity Description | Exit
A | Program the job for creating the review request | Start Process | Administrator schedules the job, informing the necessary attributes | B or J
B | Receive Request | A and G | Group Manager receives the request in the review inbox and opens the review form | C
C | Set Access | B and E | Group Manager can: maintain/remove the Role in the user or reject the user; or save and forward the request to the Alternate Reviewer | D or F
D | Submit Request | C | Group Manager submits the request to keep/remove Roles or reject the user | E
E | Confirm changes in validation screen | D | Group Manager reviews all the actions done in the previous session. If in order, the request is sent; if not, the request is returned and adjusted | C, J or K
F | Receive Request | C | Alternate Reviewer receives the request in the review inbox and opens the review form | G
G | Set Access | F and I | Alternate Reviewer can: maintain/remove the Role in the user or reject the user; or save and resend to the original reviewer | H or B
H | Submit Request | G | Alternate Reviewer submits the request to keep/remove Roles or reject the user | I
I | Confirm changes in validation screen | H | Alternate Reviewer reviews all the actions done in the previous session. If in order, the request is sent; if not, the request is returned and adjusted | G, J or K
J | Review Rejections | E and I | Administrator reviews the rejected user and either resends to the reviewer or confirms and explains the reason (can export to PDF and send via e-mail) | A or End Process
K | Provisioning | E and I | GRC Access Control removes the roles that the reviewer defined not to be kept for the user | End Process

SECOND STEP B (COMPANY CONTROLLER)

OPENING THE REQUEST


The purpose of this chapter is to support the CIL UAR Administrator in using the user access review
application in the GRC Access Control perimeter environments.

Enter the NWBC transaction, click Access Management, then click the Background Scheduler option.

Select “Create”.

Enter the name of the schedule according to the Campaign, select the activity “UAR Step 2b -
Generates data for access request UAR review” and set the periodicity of the job execution.

Set the criteria for collecting the accesses of the users that will participate in the review.

We can also specify in the selection criteria the roles that will not participate in the review process.
All other Roles will then be considered for the creation of review requests.

Select “Finish”.

Select “Close”.

Follow the status of the job execution until it completes.

After the execution completes, select the corresponding job and click “Open”.

Verify the status of the request generation.

To validate the generated requests, open the Fiori link:

https://sapgrc.cofcointernational.com/
Select the tile “UAR: Scheduling Details”.

Copy the Job ID generated in the NWBC transaction and enter it in “Job No” (Bug identified).

Requests generated by the specified job (Bug identified).

APPROVE, MAINTAIN OR FORWARD ACCESS
Reviewers can access requests in two ways:
• Via the link provided in the e-mail once the request is opened.
• Through the Work Inbox, via the NWBC transaction directly in SAP GRC Access Control.

Notification received by e-mail to start the review.

Enter the NWBC transaction and click My Home. Click on the Work Inbox option.

Click on the request link for more information.

Select the Users assigned to the Role and indicate, one by one, whether the access is to be kept
(Approve) or removed (Removed User).

When submitting, review the decisions made in the previous step and confirm by selecting Approve. If
there is any incorrect data, select Back and make the necessary adjustments.

If, instead of submitting, the main reviewer wants to forward the Role's review to an alternate reviewer,
save the entered actions and select Other Options > Forward.
If you feel that a specific Role needs to be forwarded to the alternate reviewer, select the Role and
click Forward. This may be necessary if the Line Manager does not have a complete grasp of the
user’s activities and would like input from, for example, a coordinator or team leader.

Enter the ID of the new reviewer and add a note with relevant data about the review.
Check “Forward with return” if you want the request to be automatically forwarded back to the Company
Controller after the alternate reviewer submits the review. Select OK.
Keep in mind that if you do not check the box, the alternate reviewer’s review will be final and you will
not be able to change anything done by the alternate reviewer.

DIAGRAM

PROCESS
No. | Activity | Entry | Activity Description | Exit
A | Program the job for creating the review request | Start Process | Administrator schedules the job, informing the necessary attributes | B
B | Receive Request | A and G | Company Controller receives the request in the review inbox and opens the review form | C
C | Set Access | B and E | Company Controller can: maintain/remove the User in the Role or reject the Role; or save and forward the request to the Alternate Reviewer | D or F
D | Submit Request | C | Company Controller submits the request to keep/remove Role or reject user | E
E | Confirm changes in validation screen | D | Company Controller reviews all the actions done in the previous session. If in order, the request is sent; if not, the request is returned and adjusted | C or J
F | Receive Request | C | Alternate Reviewer receives the request in the review inbox and opens the review form | G
G | Set Access | F and I | Alternate Reviewer can: maintain/remove the role access of a User; or save and resend to the original reviewer | H or B
H | Submit Request | G | Alternate Reviewer submits the request to keep/remove the User | I
I | Confirm changes in validation screen | H | Alternate Reviewer reviews all the actions done in the previous session. If in order, the request is sent; if not, the request is returned and adjusted | G or J
J | Provisioning | E and I | GRC Access Control removes the roles that the reviewer defined not to be kept for the user | End Process

REPORTS
In this section we have two main reports with various types of criteria for searching the review requests.

UAR HISTORY REPORT (DETAIL)

This report shows the details of the created requests.

Search Criteria

Search Examples
Search by request number

Search by Coordinator

Search by Reviewer
(Line Manager, Group Manager, Company Controller and Alternative Reviewer)

Search by User

USER REVIEW REPORT (SUMMARY)
This report shows a summary of the created requests.

Search Criteria

Summary Search

REPORT EXPORT
For both the UAR HISTORY REPORT (DETAIL) and the USER REVIEW REPORT (SUMMARY), you
can extract the information for monitoring and controlling review activities as follows:

1. Set the search criteria
2. Define the number of lines per page
3. Execute the analysis
4. Select the page to be displayed by clicking on the GO option

In this Excel extraction option, the data presented refers to the whole result found:

Result:

In this Excel extraction option, the data presented refers only to the selected page:

Result:

