What is UAR (User Access Review) in SAP GRC?

User Access Review (UAR) in SAP GRC Access Control is a periodic, workflow-driven process in which managers or role owners review and certify the access assigned to users in the connected SAP systems. Its purpose is to ensure that each user holds only the access required for their current job responsibilities: reviewers confirm whether each user still needs the roles and authorizations assigned to them, and anything no longer needed is removed through provisioning. UAR helps organizations meet internal control and audit requirements (e.g., SOX, ISO, internal IT governance).

Key Goals:

  • Ensure users have only the access they need (least-privilege principle).

  • Identify and remove outdated, excessive, or risky access.

  • Reduce Segregation of Duties (SoD) and sensitive access violations.

  • Maintain clean and compliant SAP security.

How UAR Works in SAP GRC Access Control:

  1. A GRC administrator schedules or launches a UAR for one or more systems or user groups.

  2. Review work items are routed to the responsible managers or role owners.

  3. They review the list of user-role assignments and choose to:

    • Approve (user keeps the role), or

    • Remove (the role is removed through provisioning).

  4. The workflow then triggers provisioning: approved removals are executed as access requests through GRC ARM (Access Request Management).

  5. Reports and audit logs retain the review decisions as evidence.

Features of UAR:

  • Automated notifications and reminders

  • Multi-level approval workflow

  • Integration with BRF+ for routing logic

  • Detailed audit trail for compliance

  • Supports both SAP and non-SAP systems (via connectors)

Why UAR Is Important:

  • Prevents unauthorized or no-longer-needed access from persisting

  • Reduces audit findings

  • Ensures that employee access changes when roles change (transfers, exits, etc.)

  • Strengthens internal security posture

How to Configure UAR (User Access Review) in SAP GRC:

1. Pre-Requisites:

Before configuring UAR, ensure:

Connectors Created & Maintained:

  • SPRO → GRC → Common Component Settings → Maintain Connectors

  • Ensure the RFC destinations and connection types are correct (authorization, user and role fetch)

Repository Sync Performed:

  • Sync Users and Roles from connected systems

  • Without this, UAR lists will be empty or outdated

Managers Stored in HR System or GRC:

  • UAR routes work items to the user's manager, so the manager relationship must be maintained (e.g., HR relationship A008, or the manager in the GRC user data source)

  • If it is missing, routing fails and no work item is created for that user

2. Configuration Steps:

Step 1 — Define Review Frequency / UAR Schedules:

SPRO → GRC → Access Control → User Access Review → Maintain Review Frequency

  • Set quarterly/annual/monthly intervals

  • Assign default reviewers (manager, role owner, or custom route)

Step 2 — Maintain UAR Workflow:

GRC → IMG → Access Control → Workflow → Maintain Paths & Stages (MSMP workflow configuration; the UAR process ID is SAP_GRAC_USER_ACCESS_REVIEW, and the routing rules referenced there are implemented in BRF+)

Typical workflow:

  1. Manager Review

  2. Role Owner Review (optional)

  3. Auto-Provisioning removal tasks

Configure:

  • Approvers

  • Escalation

  • Reminder notifications

  • Timeout rules

Step 3 — Define Access Request Provisioning for Removal:

SPRO → GRC → Access Control → Access Request → Maintain Provisioning Settings

Enable:

  • "Allow Removal of Access via UAR"

  • Provisioning actions (role removal)

  • Plug-in settings for back-end system provisioning

Step 4 — Create and Schedule a UAR:

NWBC → Access Management → User Access Review → Create Review

Select:

  • System / connector

  • Selected users, roles, or org units

  • Review period

  • Reviewer (manager or role owner)

  • Due dates & reminders

After launch:

  • The workflow creates a work item for each reviewer

Step 5 — Reviewer Actions:

Managers/role owners see:

  • Users

  • Assigned roles

  • Risks (optional)

  • “Approve” or “Remove”

When "Remove" is chosen:

  • An ARM access request for the removal is created automatically

  • Provisioning removes the role in the back-end system
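The cycle in Steps 1 to 5, run as a dry run in Python. This is an added example written for this page, not SAP code and not an API of SAP GRC: it models the scoping, routing, decision, provisioning and escalation logic on a constructed repository snapshot, so that review data (users without a manager, active SoD conflicts, technical roles routed to a role owner) can be sanity-checked before a real review is launched. All user IDs, the Z_* roles, the manager IDs and the risk ID F028 are constructed.

```python
# Added example for this page, not SAP code: a dry run of one UAR cycle on
# constructed data (every user, role, manager and risk ID below is made up).
from dataclasses import dataclass
from typing import Optional

@dataclass
class Role:
    name: str
    sensitive: bool = False       # business-critical role
    firefighter: bool = False     # emergency access role
    technical: bool = False       # technical role: reviewed by its role owner
    owner: Optional[str] = None   # role owner user ID (needed for technical roles)

@dataclass
class ReviewItem:
    user: str
    role: str
    reviewer: str
    active_risks: list               # SoD risk IDs the user actually violates via this role
    decision: Optional[str] = None   # "APPROVE" or "REMOVE" once the reviewer acts

# Constructed repository snapshot, i.e. what a repository sync would deliver.
ROLES = {
    "Z_FI_PAYMENT_RUN": Role("Z_FI_PAYMENT_RUN", sensitive=True),
    "Z_FI_VENDOR_MAINT": Role("Z_FI_VENDOR_MAINT"),
    "Z_FF_BASIS": Role("Z_FF_BASIS", firefighter=True),
    "Z_BASIS_TRANSPORT": Role("Z_BASIS_TRANSPORT", sensitive=True, technical=True, owner="BASISOWNER"),
    "Z_DISPLAY_ONLY": Role("Z_DISPLAY_ONLY"),
}
SOD_RISKS = {"F028": {"Z_FI_PAYMENT_RUN", "Z_FI_VENDOR_MAINT"}}  # roles that together conflict
ASSIGNMENTS = [("ALICE", "Z_FI_PAYMENT_RUN"), ("ALICE", "Z_FI_VENDOR_MAINT"), ("ALICE", "Z_DISPLAY_ONLY"),
               ("BOB", "Z_FF_BASIS"), ("BOB", "Z_BASIS_TRANSPORT"), ("CAROL", "Z_FI_PAYMENT_RUN")]
MANAGERS = {"ALICE": "MGR_FIN", "BOB": "MGR_IT"}   # CAROL has no manager maintained
MANAGER_OF = {"MGR_FIN": "CFO", "MGR_IT": "CIO"}   # escalation targets (manager's manager)

def in_scope(role: Role) -> bool:
    """Scope filter: only sensitive, firefighter and SoD-relevant roles are reviewed."""
    return role.sensitive or role.firefighter or any(role.name in s for s in SOD_RISKS.values())

def violated_risks(user_roles: set, role_name: str) -> list:
    """Risks that are really violated: the user holds every role of the conflict."""
    return sorted(r for r, s in SOD_RISKS.items() if role_name in s and s <= user_roles)

def build_review(assignments, roles, managers):
    """Steps 1-2: generate review items and route each one to a reviewer. Items with
    no resolvable reviewer are returned separately: they would never become work items."""
    held = {}
    for user, role_name in assignments:
        held.setdefault(user, set()).add(role_name)
    items, routing_errors = [], []
    for user, role_name in assignments:
        role = roles[role_name]
        if not in_scope(role):
            continue
        reviewer = role.owner if role.technical else managers.get(user)
        if reviewer is None:
            routing_errors.append((user, role_name))
            continue
        items.append(ReviewItem(user, role_name, reviewer, violated_risks(held[user], role_name)))
    return items, routing_errors

def work_items(items):
    """One work item per reviewer: the list each manager or role owner sees."""
    out = {}
    for it in items:
        out.setdefault(it.reviewer, []).append(it)
    return out

def apply_decisions(items, decisions):
    """Steps 3-5: record decisions, build removal requests for ARM, keep an audit trail."""
    removal_requests, audit = [], []
    for it in items:
        it.decision = decisions.get((it.user, it.role))
        if it.decision not in (None, "APPROVE", "REMOVE"):
            raise ValueError(f"invalid decision {it.decision!r} for {it.user}/{it.role}")
        audit.append(f"{it.user} {it.role} reviewer={it.reviewer} decision={it.decision or 'PENDING'}")
        if it.decision == "REMOVE":
            removal_requests.append({"user": it.user, "role": it.role, "action": "REMOVE"})
    return removal_requests, audit

def escalate_pending(items, days_open, due_days):
    """Timeout rule: undecided items past the due date move to the reviewer's manager."""
    escalated = []
    for it in items:
        if it.decision is None and days_open > due_days and it.reviewer in MANAGER_OF:
            it.reviewer = MANAGER_OF[it.reviewer]
            escalated.append((it.user, it.role, it.reviewer))
    return escalated

if __name__ == "__main__":
    items, errors = build_review(ASSIGNMENTS, ROLES, MANAGERS)
    print("routing errors, fix manager data before launch:", errors)
    decisions = {("ALICE", "Z_FI_VENDOR_MAINT"): "REMOVE", ("ALICE", "Z_FI_PAYMENT_RUN"): "APPROVE",
                 ("BOB", "Z_BASIS_TRANSPORT"): "APPROVE"}   # BOB's firefighter role left undecided
    removals, audit = apply_decisions(items, decisions)
    print("removal requests for ARM:", removals)
    print("escalated after 45 days:", escalate_pending(items, days_open=45, due_days=30))
    print("\n".join(audit))
```

Run directly, it reports the routing error for CAROL (no manager maintained, so no work item could be created), shows risk F028 beside both of ALICE's conflicting roles because she holds the whole conflict, produces the single removal request that would become an ARM access request, and escalates BOB's undecided firefighter item to his manager's manager once the due date has passed.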

Best Practices for UAR:

1. Start with High-Risk Roles Only:

Including every role overloads reviewers. Start with:

  • Sensitive Roles

  • Firefighter access

  • SoD risk roles

2. Use Manager as Primary Reviewer: Managers know user job responsibilities best.

3. Use Role Owner Only for Technical Roles: Not all roles need role owners to review.

4. Include SoD Risk Information: Helps reviewers make better decisions.

5. Automate Escalations:

Avoid overdue UAR tasks by:

  • Reminders at 30/60/90 days

  • Escalation to higher manager

6. Keep Repository Sync Regular: At least weekly, ideally daily.

Common Challenges & Fixes:

1. Managers Missing or Incorrect: Fix: run the HR mini-master sync, or update the manager in the SU01 user data, and then re-sync the repository before generating the review.

2. Role Removal Not Happening:

Causes:

  • Provisioning disabled

  • Missing plug-in

  • Connector not mapped

3. Review Work Item Not Visible:

Commonly due to:

  • Wrong routing

  • Reviewer is inactive

  • Workflow errors

4. Duplicate Users / Missing Roles:

Caused by:

  • Incomplete repository sync

  • Connectors not set to “active”

5. Too Many Roles → Reviewer Fatigue:

Fix: Apply filters to include only:

  • Business-critical roles

  • Roles with risks

  • Access changed during review period

Summary:

UAR is a periodic review process in SAP GRC that allows managers or role owners to confirm whether users still need the roles and access assigned to them. It helps maintain least-privilege access, removes unnecessary roles, and ensures compliance with audit and security requirements. The review results are processed through automated workflows, creating a complete audit trail.