User Access Review - User Manual

Reviewer User Manual- Oracle

ERP
User Access Review Process

Document V1.0

Sensitivity: Internal & Restricted

Reviewer User Manual- Oracle ERP

Table of Contents
Version History: -.....................................................................................................................................................2
 UAR Process Review Screen:...........................................................................................................................3
 ACTION:............................................................................................................................................................5
 REVOKE............................................................................................................................................................6
 REASSIGN.........................................................................................................................................................6
 SUBMIT:.........................................................................................................................................................10

Page 1 of 14

Sensitivity: Internal & Restricted

Reviewer User Manual- Oracle ERP

Version History: -

Version Created By Date Change

1.0 Venugopal Reddy 28-Aug-2020 No Previous Document

Page 2 of 14

Sensitivity: Internal & Restricted

Reviewer User Manual- Oracle ERP

USER ACCESS REVIEW (UAR)

Objective:

UAR is developed, to support the Group Internal Audit findings on review of ERP privilege access (Non-Basic
access). This program is in line with Petrofac Access Control Standard requirements.

This UAR Program facilitate Head Of Department (HOD)/ Designated Reviewer to review privileged (Non-Basic
responsibilities) access assigned to users and remove any unauthorized access from the system.

UAR Review process:

Head of the Department (HOD)/ Designated Reviewer, will be assigned with the responsibility, “PFC User
Access Review“

 UAR Process Review Screen:

PFC USER Access review  Click on HOD/Manager Review Page

 If login person is HOD/Reviewer, Respective User Access privilege Records will be shown.
 If No Users available under HOD/Reviewer for Review, No Records shown.
 A HOD cannot review his own record.

Page 3 of 14

Sensitivity: Internal & Restricted

Reviewer User Manual- Oracle ERP

Page Fields:
HOD/Reviewer: Application login HOD User Name.

Business Unit: HOD Business Unit.

Service Line: HOD Service Line

Records to Be Reviewed: No of User Access Privileges to be reviewed.

Emp Number: User employee number

Designation: Employee designation

Organization: Employee Organization

Access Privilege Name: Responsibility Name

Last Logon: User last logged into the application

Active Status: Display whether the user is “Active” or “Inactive”(End dated in the System)

Action: This field has the following List of Values

 “Retain” – Choose this option, if the responsibility assigned to the User is valid
 “Reassign for review” – Choose this option is used to Reassign the line Item to other reviewer
 “Revoke” – Choose this option, to revoke the user responsibility
 “User Account End Dated” – This is auto populated and not required to be selected. This will
display the date on which the user account was closed (i.e., end dated)

In HOD/ Reviewer Page two links are available as shown below. By clicking on the links HOD can download
respective documents.

 Access Control Standard link: Petrofac Access Control Standard document.

 User Guide: User Guide document for HOD to perform operations in HOD/Manager Review page.

Page 4 of 14

Sensitivity: Internal & Restricted

Reviewer User Manual- Oracle ERP

 ACTION:
 Action is where the HOD/ Reviewer reviews the user’s access and decide to either –

o RETAIN
o REVOKE
o REASSIGN FOR REVIEW
o USER ACCOUNT END DATED

 RETAIN:

 BY default, all active user’s access are in ‘Retain’ state, which means the user’s access rights are
appropriate, i.e., to be retained. So if HOD / Reviewer wants to ‘retain’ the users’s access of that
particular record (which means user access is appropriate), then HOD/ Reviewer need to select that
particular record(s) and needs to submit. Thus the review is completed for that user with respect to that
record

 As the user’s access are retained which also means all the business ‘transactions processed’ by the users
using his access are valid (‘Yes’). So if the HOD/ Reviewer selects to retain the access, then by default
HOD/ Reviewer cannot select ‘Transactions Processed - Valid?’ as ‘No’.

Page 5 of 14

Sensitivity: Internal & Restricted

Reviewer User Manual- Oracle ERP

 REVOKE
 If the HOD/ Reviewer wants to revoke that user’s access of that particular record (i.e., which means the
user’s access rights are not appropriate, going forward), then HOD/ Reviewer needs to select ‘Revoke’
action for that particular record(s) and submit. Thus the review is completed for that user with respect
to that record.
 Here the HOD/ Reviewer has the option to review the past business ‘transactions processed’ by the
users using that particular access by selecting the ‘Transactions Processed - Valid?’ as ‘No’ . In that
case, HOD/ Reviewer needs to provide an additional comment on the rationale why it is required to be
reviewed. In such a scenario, IT will send to HOD, dump of users’s finance/ master data related
transactions to review.
 By default ‘Transactions Processed - Valid?’ as ‘Yes’ and no comments are required to provide.

 REASSIGN
 HOD/Reviewer can reassign the same record to other HOD or Reviewer by selecting Action as ‘REASSIGN
FOR REVIEW’ from the Action List of Values.
 For Action ‘REASSIGN FOR REVIEW’, Reassign Email Address field is mandatory. When HOD/ Reviewer
selects this option with the email address and submits the record, will trigger an email to the reassigned
reviewer and will be notified to action on the line item and that particular record will be removed from
the HOD screen.
 Without Reassign email address, Page will not be allowed to submit the Record as per the below
message.

Page 6 of 14

Sensitivity: Internal & Restricted

Reviewer User Manual- Oracle ERP

 ‘Reassign Email Address’ should be provided only if the HOD/ Reviewer chooses the Action ‘REASSIGN
FOR REVIEW’.
 For any of the other Action items (i.e., ‘RETAIN’,’REVOKE’,’USER ACCOUNT END DATED’, it is not
applicable). If HOD/ Reviewer tries to assign Reassign Email Address for other than ‘REASSIGN FOR
REVIEW’ the page will not allow to submit, It will show below message screen.

Page 7 of 14

Sensitivity: Internal & Restricted

Reviewer User Manual- Oracle ERP

Page 8 of 14

Sensitivity: Internal & Restricted

Reviewer User Manual- Oracle ERP

Similarly for Action ‘REASSIGN FOR REVIEW’, as the records were reassigned to other HOD/ reviewer,
‘Transactions Processed - Valid?’ option as ‘No’,cannot be selected & submitted.

Page 9 of 14

Sensitivity: Internal & Restricted

Reviewer User Manual- Oracle ERP

 USER ACCOUNT END DATED:

 By default every Action will have ‘USER ACCOUNT END DATED’ for Inactive Records.

 For an Inactive Record, we can’t select Action other than ‘USER ACCOUNT END DATED’.
 If HOD tries to select any value (i.e., like RETAIN, REVOKE, REASSIGN FOR REVIEW) other than ‘USER
ACCOUNT END DATED’ for Inactive Records, system will not allow and shows below message.

 Similarly, HOD cannot submit an Action as ‘USER ACCOUNT END DATED’ for Active user Records. If HOD
tries to do the same page will show below message and Records are not submitted.

Page 10 of 14

Sensitivity: Internal & Restricted

Reviewer User Manual- Oracle ERP

 SUBMIT:

1. Need to select at least one Record by clicking on checkbox before Submit.

2. Without selecting checkbox and clicking on submit button, Page will show the following message and
not allowed to submit.

NOTE: Hod can select specific checkbox of selected Record or select all Records by clicking on Select All link and
click on Submit button.

 Once Records Submitted for Review will not available for HOD/Reviewer in the screen.
 Kindly verify the records before submitting.

Page 11 of 14

Sensitivity: Internal & Restricted

Reviewer User Manual- Oracle ERP

References:

 Petrofac Access Control Standard - Refer link

->https://petronet.petrofac.com/documents/20123/169978/IT+Access+Control+Standard.pdf/c901e82d-
f435-8a11-0327-18253b68b972?version=1.0&t=1584382771612&download=true
 Description of the Privileged access (i.e., Responsibility) – Refer link - >

Global Active
Responsibility List.xlsx

Page 12 of 14

Sensitivity: Internal & Restricted