TL;DR: SAP Access Control user access reviews automate scheduling, delegation, approvals, removals, and audit trails to validate that users still need assigned permissions, according to Pathlock. The core governance issue is not the workflow itself but whether review design, role modelling, and data quality are strong enough to prevent stale or excessive access from surviving the cycle.
NHIMG editorial — based on content published by Pathlock: SAP GRC Access Control user access review workflow guidance
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
Questions worth separating out
Q: How should security teams run access reviews without turning them into a compliance checkbox?
A: Security teams should run access reviews against current entitlement data, current approver assignments, and a clear remediation path.
Q: Why do business-role reviews sometimes miss excessive access?
A: Business-role reviews can hide excessive technical permissions when the reviewer sees only a broad functional grouping.
Q: What breaks when reviewer assignment is based on outdated org data?
A: When reviewer assignment is based on outdated org data, the wrong manager or role owner certifies access and the control loses business accountability.
Practitioner guidance
- Revalidate reviewer assignments before each cycle Check that every manager and role owner still has current authority over the users and roles in scope.
- Separate business-role convenience from technical-role assurance Use business roles to simplify the review experience, but drill into the underlying technical roles for privileged or sensitive access.
- Test whether removals actually de-provision access Verify that a rejection or removal decision triggers the downstream entitlement change in the connected SAP system or integrated target system.
What's in the full article
Pathlock's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step SAP Access Control navigation for generating UAR jobs and configuring background scheduler parameters
- Configuration examples for admin review, reviewer stage, rejection handling, and workflow notifications
- Detailed role-type selection guidance for technical, business, composite, and derived roles
- History report and campaign-status fields that auditors and administrators can use during evidence collection
👉 Read Pathlock's guide to SAP Access Control user access review workflows →
SAP access review workflows: are your certification cycles keeping up?
Explore further
Automated access review only works when the entitlement model is already trustworthy: SAP UAR can streamline certification, but it cannot correct bad source data, misaligned roles, or stale reviewer assignment by itself. The workflow simply scales whatever governance assumptions are already embedded in the repository and job logic. The practical implication is that organisations must treat UAR as a control surface that depends on upstream identity hygiene, not as a substitute for it.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing that governance lag often outlasts discovery.
A question worth separating out:
Q: How can organisations tell whether access review is actually reducing risk?
A: Organisations should look beyond campaign completion and measure downstream removal, reopened exceptions, and the number of high-risk roles still present after review. If rejected access does not disappear from the target system, or if repeated cycles keep certifying the same excess entitlements, the programme is not reducing risk effectively.
👉 Read our full editorial: SAP access review workflows expose the limits of manual certification