The primary responsibility of the Business Objects User Reviewer (ASRs) is to ensure that the proper security administration controls are followed at their institution(s) in regard to the Business Objects role authorizations held by the institution’s employees. As such, an institution’s User Reviewer is responsible for conducting the quarterly access reviews required by Business Computing Services and reporting these results when submitting the Business Objects Quarterly User Review Form.
Performing these regularly scheduled reviews is an important responsibility that provides real security to the A&M System enterprise applications and its employees. The review also provides demonstrable proof of the System’s due diligence in regard to security, which could be important in the event of an external audit or a major security incident.
These reports should be reviewed by one or more Reviewer/ASR at each System Member to confirm that all of the listed users are still active employees and that their security access level is appropriate. This review should be used to verify the following:
- Listed users are currently employed at the system member being reported.
- Listed users are still in a position that requires them to have access to the Universe(s) specified in the report.
- Active users have the appropriate level of security for their job duties.
Upon completion of the review, the Business Objects Quarterly User Review Form should be submitted by one or more Reviewer/ASR at your System Member. If your System Member has four ASRs, only one is required to complete the audit form, it must include results for both HR/Payroll and Financials. If your System Member prefers to have one ASR fill out the form for HR/Payroll and another ASR to fill out the form for Financials, that is acceptable as well. Any change to a user should be noted on the form. This form is expected back before the last working day of the month following the quarter being reported. For example, if the review is for Jan-Mar, the certification form should be returned before the last working day of April.