09 Nov 19 Part 1: So What is a User Access Review Anyway?
A User Access Review (sometimes referred to as a User Recertification Process) is precisely what it says it is; it is the process of reviewing who has access to what within a given system.
Whether we are talking about Oracle EBS or another large-scale ERP system, a smaller suite of applications, or even a home-grown custom application, you will (or rather should) review who can access the applications from time to time.
Why Does Access Need to be Reviewed?
There are several reasons for wanting to review user access, some of which are…
- Ensure users only have access to what is required for their job/role
- Help remediate undue risk due to inappropriate access
- Catch scenarios where terminated employees still have access
- Ensure access is still appropriate after employee promotions/job/department changes
- Can help when trying to remain compliant with your user license agreements
- A requirement from your external auditor
Whatever the reason, reviewing user access for all of your IT systems is an essential task that all organizations should be doing.
A Typical Access Review
Typically, during a review, reviewers are presented with a list of users and a list of what they have access to; this might be in the form of a spreadsheet or another type of report.
They review the list and note down what access is still required and what is no longer appropriate (if they can); perhaps adding additional information to explain things as they go.
Then the security administration team takes over and revokes access where needed.
The information gathered during the review is often saved so that it can be used if needed during an audit.
By and large, most organizations find that performing a user access review is a major administrative overhead that requires a lot of manual effort.
Information is Key
During a review, if the only information available to the reviewer is a user name and a responsibility name, the review is likely to be inaccurate: without the right context at hand, it is hard for a reviewer to judge whether access is appropriate or not.
The types of information that should be available to the reviewer might include…
- Besides the responsibility being reviewed, what else does the user have access to (e.g., General Ledger, Inventory)
- What functionality does the responsibility provide (e.g., the ability to create and approve invoices)
- The results of past reviews (i.e., what was the outcome when access was reviewed previously)
- Segregation of Duties and Sensitive Access information (i.e., are there any SoD or single function risk issues)
The more information that is made available to the reviewer, the more accurate the review will be.
Different Types of Review
Different types of reviews may be needed, for example…
- Managers/supervisors might need to review access for all the people that report directly to them
- Process Owners might review access for all the users that have access to specific modules within the system
- Smaller, more focused reviews might be needed more frequently for areas that represent a higher risk
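As an added example (not code from the original post or from the CS*Provisum product), the script below builds a manager-based review pack from constructed extracts, enriching each user/responsibility line with the context described above: the user's other access, SoD conflicts, the previous review outcome, and whether the user is terminated or has no HR record at all. The user names, responsibility names and the single SoD rule are constructed assumptions, not real EBS data.

```python
"""Build per-manager user access review packs from constructed extracts."""
from collections import defaultdict

# Constructed sample data (not a real Oracle EBS extract). In EBS, access is
# granted through responsibilities; a real extract would come from FND tables.
USERS = {  # username -> HR record (assumed shape)
    "asmith": {"manager": "jdoe", "active": True, "dept": "AP"},
    "bjones": {"manager": "jdoe", "active": False, "dept": "AP"},  # terminated
    "cwong": {"manager": "kroe", "active": True, "dept": "GL"},
}
ASSIGNMENTS = [  # (username, responsibility); "svc_old" has no HR record
    ("asmith", "Payables Manager"), ("asmith", "General Ledger Super User"),
    ("bjones", "Payables Clerk"), ("cwong", "General Ledger Super User"),
    ("svc_old", "Payables Clerk"),
]
# Hypothetical SoD rule: a pair of responsibilities that conflict when combined.
SOD_RULES = {
    frozenset({"Payables Manager", "General Ledger Super User"}):
        "Create/approve invoices and post journals",
}
PAST_REVIEWS = {("asmith", "General Ledger Super User"): "Approved 2019-05"}


def build_review_pack(users, assignments, sod_rules, past_reviews):
    """Group review lines by the reviewing manager, one line per assignment."""
    by_user = defaultdict(list)
    for user, resp in assignments:
        by_user[user].append(resp)
    packs = defaultdict(list)
    for user, resps in by_user.items():
        hr = users.get(user)
        # Accounts with no HR record cannot be routed to a manager; surface them.
        manager = hr["manager"] if hr else "UNASSIGNED"
        held = set(resps)
        for resp in resps:
            # A rule fires when this responsibility plus the user's other
            # responsibilities cover every member of the conflicting pair.
            risks = [desc for pair, desc in sod_rules.items()
                     if resp in pair and (pair - {resp}) <= held]
            packs[manager].append({
                "user": user, "responsibility": resp,
                "other_access": sorted(r for r in resps if r != resp),
                "terminated": hr is not None and not hr["active"],
                "no_hr_record": hr is None,
                "sod_risks": risks,
                "last_outcome": past_reviews.get((user, resp), "never reviewed"),
            })
    return dict(packs)
```

Lines flagged as terminated, lacking an HR record, or carrying an SoD risk are the ones to present first to the reviewer.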
If you don’t currently have a process in place where user access is reviewed, then now is the time to start thinking about how and when you will conduct your first review.
Want to know how we can help you streamline and automate your Oracle EBS user access reviews? Get in touch today and ask us about CS*Provisum PAR. Also ask about a more comprehensive review using data from CS*Comply.
Want a quick overview of CS*Provisum PAR? Check out the video below…
Next Week & Early Access
The next article in this series is “Why are user access reviews often difficult to perform?”.
If you want to get access to these articles before anyone else, please subscribe to our newsletter.