
User Access Review

 

User Access Review is used by managers and role approvers to automate the periodic process of reviewing and reaffirming end user role assignments.

The system notifies managers to review their direct reports' access to applications. Approvers must review the list of user role assignments and determine if the user still needs those roles based on their current responsibilities. Approvers either approve or remove the roles that are assigned to each user.

If the user no longer requires a role, the role is automatically or manually de-provisioned from back-end systems.

If the reviewer does not complete the review in the defined period, the process can be escalated. Escalation could include the deactivation of a user’s account until the review is completed.

Process

To complete the UAR process:

  1. The Access Control administration team schedules and executes the Role User Synchronization job in Enterprise Role Management.

  2. The Reviewer, who is the manager or role approver, receives e-mail notifications for each of the requests that the system created for their review. Reviewers can use the link in the e-mail to access CUP.

  3. Reviewers check the users’ role assignments. They must address each user role combination listed on the request. They can either approve the roles, or remove them.

  4. When completed, the reviewer submits the request to the next review stage.

    Note

    Based on the configuration, items marked for removal can be sent to a detour path and go to another stage, such as IT Security, for review. If a detour has been defined, the approved user role assignments continue on the User Access Review path, which frequently closes that portion of the request.

    If you are using CUP, it is not necessary to configure a detour for the role removals if you think that approval by the manager or role approver is sufficient. Without the detour, closing the request deprovisions these roles whether or not the security team is involved.

  5. If a detour for role removals is defined and IT Security is the stage, IT Security receives an e-mail notification for the request, and, using the link in the e-mail, logs on to CUP.

  6. IT Security reviews and analyzes the roles that are selected for removal.

    1. If you are using CUP for requesting user access, the security person approves the role removal, and then the auto-provisioning feature removes these roles from the user.

    2. If you are not using CUP for requesting user access, the security team uses existing procedures to remove roles from the users.

    3. IT Security enters comments and approves the request.

Reporting

The system maintains a complete audit trail and reporting functionality for actions that are performed during User Reviews. Reviewers may use the Comments tab of the request. These comments are date and time stamped and become part of the Request Comments.