System Access Review (SAR)
The System Access Review (SAR) is an important control activity required for internal and external audits.
The SAR process provides assurance that the appropriate users have access to financial systems. The process is performed within the Berkeley Financial System (BFS) on a quarterly basis. As a part of the process, the Divisional Finance Leaders (DFLs) are required to verify and approve access for their teams.
User Roles
The System Access Review module assigns a user one of three roles: Review, Approve, or Inquire.
Review
Those with the Review role can view and request changes to someone's level of system access.
Approve
Those with the Approve role can view, make changes, and approve.
Inquire
Those with the Inquire role can view the System Access Review report but not make any changes to the data.
2. Enter Search Criteria to Locate the Needed Report
Enter the criteria for your search and then click the Search button.
The system presents the reports that you have access to that match the search criteria. Click the link to open the desired report.
Click the magnifying glass button to open a list of values that you can select. Or, if you already know the value you need, you can type it in the text box, e.g. 03/31/2022 for Quarter End Date.
- If you are a Reviewer, use Quarter End Date to find your reports
- If you are an Approver, use Quarter End Date and Approved to find your reports
Search Criteria
Quarter End Date
Quarter End Date is the last date in the quarter for the report period. Dates are presented in MM/DD/YYYY format.
Report
Report is the name of the report. You can search by Distribution Code, e.g. D-001 or Description, e.g. COLLE_CENVD.
Approver
Approver is the DFL who approved the report. You can search by Employee ID or Approver (name).
Approved
Approved is Yes if the report was approved and No if the report is still pending approval.
3. Filter the Report Results as Desired
Review Report Page Sections
The Review Report page has three main sections. From top to bottom, the sections are Approvals, Report Filters, and Results and Actions.
Approvals
The Approvals section is used by the DFL to approve the report.
Report Filters
The Report Filters section allows you to focus on specific records in the report such as system, user, org node, etc. See Using the Report Filters for searching strategies.
Results and Actions
The Results and Actions section shows the rows in the report that match the filters applied. Reviewers and Approvers can Accept or Remove access.
Using the Report Filters
Find an Employee
There are three ways to filter by employee: User ID, Employee ID (Empl ID), or Name. We recommend using Employee ID, the number used by UCPath, because it quickly identifies a unique employee. If you don’t have the Employee ID, Name is the next best way to filter.
Filter on System
Once you have the employee selected, you can further refine your search by filtering on System.
Find Records Not Yet Approved
To find out which rows are still not approved in your report, use the Review Action filter and select Pending.
Remove a Filter
To remove a filter, delete the data in the text box and then move the cursor out of the text box.
Report Filter Options
Once the report is opened, the results can be filtered to focus on specific records. Anyone with access to the page can use the filters. There are eight filters available: System, User ID, Role, Empl ID, Review Actions, Name, Org Node, and Update ID.
System
System is the application for which access will continue or be removed
User ID
User ID is the ID used within the system to uniquely identify the user
Role
Role is the role(s) the user has access to
Empl ID
Empl ID is the Employee ID number from UCPath
Review Actions
Review Actions include:
- Pending
- Pending is the default when the report is generated
- Accept
- Remove
Name
Name is the User Name
Org Node
Org Node allows you to select an org node to which you have access
Update ID
Update ID is the name of the employee that took the review action
4. Change the Action for Each Employee for Each System
The results and actions grid presents the rows in the report that match the filters. In the Review Action column, Reviewers and Approver can accept or remove access.
Use the drop-down menu in the Review Action column to select Accept or Remove to indicate whether the employee should continue to have access to the system or not.
Once either Accept or Remove has been selected, the system populates the Update ID and the Update Date/Time stamp. If the Review Action is returned to Pending, the system removes the Update ID and Update Date Time Stamp values.
The review is complete when all rows have a Review Action of Accept or Remove. Any rows that have a Review Action of Pending need to be updated.
Add a Comment
The Comments column allows you to add comments, which can be particularly useful for communications between Reviewers and Approvers.
Update All
If you have a long list to review, you might find it easier to use the Update All function. This allows you to pick an action to apply to every row in the grid. For instance, you could change all rows to Accept and then overwrite the roles where you wish to remove the user's access.
The Update All function is located below the Report Filter section and above the Results and Actions section.
When using the Update All function to remove roles, you may receive a warning message if you are trying to remove a role for a user who has multiple roles for a system within the same org node. See Error Messages for details.
Error Messages
In some cases, a user will have multiple roles for an org node for a system such as BFS or BearBUY. If you attempt to remove one role with removing all of the roles for the org node, the system will present an error message.
Message (30000,410)
You cannot remove only this org node from this role. The user has other roles which use this org node. If you want to remove this role entirely from the user, mark all the org nodes from the role. If you want to remove the org node for every approver (or preparer) roles, please remove the org node for all approver (or preparer) roles. If the user has this role on another SAR report, this may also prevent removal of the role/org node."
Message (30000,412)
You cannot remove only this org node from this BearBUY role. The user has other BearBUY roles which use this org node. If you want to remove the role entirely from the user, mark all the org nodes from the role. If you want to remove the org node for every BearBUY approver (or preparer) roles, please remove the org node for all BearBUY approver (or preparer) roles. If the user has this BearBUY role on another SAR report, this may also prevent removal of the role/org node.
Employee Records
To find all records for an employee, including those that are not on your SAR report, you can use the Employee Records query.
1. From the menu in the upper right section of the window, select Related Content and then select Employee Records from the drop-down menu.
2. Enter the Employee ID and then click the View Results button.
The query returns all rows for the employee on the current quarter's reports. You can use this information to find and remove all roles as needed.
Supervisor Lookup
When you find an unfamiliar name on your SAR report, you can use the Supervisor Lookup query to find the employee’s supervisor.
1. From the menu in the upper right section of the window, select Related Content and then select Supervisor Lookup from the drop-down menu.
2. Enter the Employee ID and then click the View Results button.
The query returns the Employee ID, Name, and DeptID along with the Supervisor Name and Supervisor Email.
5. Approve the Report
After reviewing the report for the division and making any needed corrections, the Divisional Finance Leader (DFL) approves the report by clicking the Approve Report button. This functionality is only available to DFLs.
By approving the report, the DFL is certifying that they have performed the System Access Review and that as of the Approved On date, the access for employees in their division is accurate and appropriate for their current job responsibilities and supports proper segregation of duties within their division.
The Approve Report section remains active until the DFL has approved the report. Once the DFL has approved the report, all fields on the report will be in display mode only, and the Submitted By, Submitted On, Approved By, and Approved On fields will be populated.
6. Update Reviewers in SAR as Needed
View the SAR Distribution List
- From the BFS home page, click the Review System Access Report button
- Click on Report Distribution on the left hand menu which will open a search page
- Enter either your departmental fields (Organization, Division, Department, Disc/Group, Sub Unit) or your Report Distribution Code, if you know it, to display the distribution for reports
- If multiple reports are shown in search results, just click on the one you wish to see
Please note that some reports are no longer active due to reorganizations.
Update the SAR Distribution List
If you need to add or remove a reviewer to a distribution list, please email your request, including approval from the DFL, to secbfs@berkeley.edu.
Please be sure to include:
- Employee name
- Employee ID number
- Report distribution code
- Action: add or remove from distribution list
Reminder
Approval from the DFL is required before requests can be processed.