TL;DR: SAP Access Control user access reviews automate scheduling, delegation, approvals, removals, and audit trails to validate that users still need assigned permissions, according to Pathlock. The core governance issue is not the workflow itself but whether review design, role modelling, and data quality are strong enough to prevent stale or excessive access from surviving the cycle.
NHIMG editorial — based on content published by Pathlock: SAP GRC Access Control user access review workflow guidance
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
Questions worth separating out
Q: How should security teams run access reviews without turning them into a compliance checkbox?
A: Security teams should run access reviews against current entitlement data, current approver assignments, and a clear remediation path.
Q: Why do business-role reviews sometimes miss excessive access?
A: Business-role reviews can hide excessive technical permissions when the reviewer sees only a broad functional grouping.
Q: What breaks when reviewer assignment is based on outdated org data?
A: When reviewer assignment is based on outdated org data, the wrong manager or role owner certifies access and the control loses business accountability.
Practitioner guidance
- Revalidate reviewer assignments before each cycle: check that every manager and role owner still has current authority over the users and roles in scope.
- Separate business-role convenience from technical-role assurance: use business roles to simplify the review experience, but drill into the underlying technical roles for privileged or sensitive access.
- Test whether removals actually de-provision access: verify that a rejection or removal decision triggers the downstream entitlement change in the connected SAP system or integrated target system.
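The three checks above can be run as data-quality gates around a review cycle. The following is an added example written for this post, not Pathlock's or SAP's code: the dictionaries are constructed sample data, and the field names, user IDs, role names and the sensitive-role list are assumptions rather than SAP GRC Access Control table layouts. It flags reviewers who no longer match the manager of record, shows which sensitive technical roles a business role hides from the reviewer, and reconciles every removal decision against the entitlements still present in the target system after the cycle closed.

```python
# Added example, not Pathlock's or SAP's code. Field names, role names and
# the sensitive-role list are constructed assumptions, not SAP GRC structures.

# --- Constructed sample data -------------------------------------------------
# Current HR feed: user -> manager of record (None = no manager, e.g. a service account).
ORG_CHART = {
    "ukaur": "mgr.lee",
    "jsmith": "mgr.patel",   # moved teams since the last cycle
    "svc_batch": None,       # non-human account with no manager of record
}

# Reviewer assignments as loaded into the review campaign (stale for two users).
REVIEW_ASSIGNMENTS = {
    "ukaur": "mgr.lee",
    "jsmith": "mgr.lee",
    "svc_batch": "mgr.lee",
}

# Business role -> technical roles it bundles; the reviewer sees only the business role.
BUSINESS_ROLES = {
    "BR_FINANCE_CLERK": {"Z_AP_DISPLAY", "Z_AP_POST"},
    "BR_BASIS_SUPPORT": {"Z_DISPLAY_ALL", "Z_SU01_ADMIN"},
    "BR_REPORT_VIEWER": {"Z_REPORT_DISPLAY"},
}

# Technical roles the organisation classes as sensitive (assumed list).
SENSITIVE_TECH_ROLES = {"Z_AP_POST", "Z_SU01_ADMIN"}

# Reviewer decisions recorded by the campaign: (user, business role) -> KEEP/REMOVE.
DECISIONS = {
    ("ukaur", "BR_FINANCE_CLERK"): "KEEP",
    ("jsmith", "BR_BASIS_SUPPORT"): "REMOVE",
    ("svc_batch", "BR_REPORT_VIEWER"): "REMOVE",
}

# Technical role assignments read back from the target system after the cycle.
# jsmith's removal was never provisioned; svc_batch's was.
USER_TECH_ROLES_AFTER = {
    "ukaur": {"Z_AP_DISPLAY", "Z_AP_POST"},
    "jsmith": {"Z_DISPLAY_ALL", "Z_SU01_ADMIN"},
    "svc_batch": set(),
}


def stale_reviewers(assignments, org_chart):
    """Return (user, assigned_reviewer, current_manager) for every user whose
    campaign reviewer no longer matches the manager of record. A user with no
    manager of record is reported too: nobody with business authority would
    be certifying that access."""
    findings = []
    for user, reviewer in assignments.items():
        current = org_chart.get(user)
        if current != reviewer:
            findings.append((user, reviewer, current))
    return findings


def hidden_sensitive_access(business_roles, sensitive):
    """Map each business role to the sensitive technical roles it bundles, so the
    reviewer can be shown the drill-down rather than only the functional label."""
    return {
        name: sorted(techs & sensitive)
        for name, techs in business_roles.items()
        if techs & sensitive
    }


def unreconciled_removals(decisions, business_roles, tech_roles_after):
    """Return (user, business_role, leftover_tech_roles) for every REMOVE decision
    whose underlying technical roles still exist in the target system."""
    findings = []
    for (user, brole), decision in decisions.items():
        if decision != "REMOVE":
            continue
        leftover = business_roles[brole] & tech_roles_after.get(user, set())
        if leftover:
            findings.append((user, brole, sorted(leftover)))
    return findings


if __name__ == "__main__":
    print("stale reviewers:", stale_reviewers(REVIEW_ASSIGNMENTS, ORG_CHART))
    print("sensitive access hidden in business roles:",
          hidden_sensitive_access(BUSINESS_ROLES, SENSITIVE_TECH_ROLES))
    print("removals not de-provisioned:",
          unreconciled_removals(DECISIONS, BUSINESS_ROLES, USER_TECH_ROLES_AFTER))
```

Run before the cycle opens (first two checks) and again after it closes (third check); any non-empty result is a finding to resolve before the campaign's history report is accepted as evidence. The removal check deliberately compares against the target system's own role assignments rather than the campaign's recorded decision, because the decision is only the intent.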
What's in the full article
Pathlock's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step SAP Access Control navigation for generating UAR jobs and configuring background scheduler parameters
- Configuration examples for admin review, reviewer stage, rejection handling, and workflow notifications
- Detailed role-type selection guidance for technical, business, composite, and derived roles
- History report and campaign-status fields that auditors and administrators can use during evidence collection
Read Pathlock's guide to SAP Access Control user access review workflows.
SAP access review workflows: are your certification cycles keeping up?