Best Practices for Implementing User Access Reviews (UAR) for Application Owners in ServiceNow?

RohitV244459055
Kilo Contributor

We currently handle our periodic User Access Reviews (UARs) through a painful manual process involving spreadsheets. We want to leverage our ServiceNow platform to streamline this entirely.

My goal is to have a process where, as an application owner, I can receive a task in ServiceNow, view a list of all users who have access to my specific application, and then take direct action (i.e., click an "Approve" or "Revoke" button) for each user right from my dashboard or the Service Portal. The results (especially the "Revoke" actions) should then ideally trigger a fulfillment task to our IT support team.

I am looking for guidance on the best way to implement this in ServiceNow, keeping the non-admin (manager/owner) experience as the top priority.

Specifically, I'm wondering:

  1. What is the recommended approach? Is building a custom application on the App Engine the standard way to go, or is this a feature of the ServiceNow GRC: Identity and Access Management module that we should be looking into?

  2. How can we design the end-user experience? What's the best way to present the list of users and their access rights to a manager in the Service Portal? Should it be a custom widget, a list view, or something else?

  3. How can we handle the data import? For applications not integrated with ServiceNow, we would need to kick off the review by uploading a CSV/Excel file of users and their entitlements. How is this typically handled in a UAR process?

  4. What does the fulfillment process look like? After I click "Revoke," what's a good way to automatically generate a task (e.g., a sc_task or incident) assigned to the correct team to carry out the removal of access?

I'd be very grateful for any best practices, examples, or high-level steps on how to architect this solution effectively. Our main goal is to make this process simple and intuitive for the business users who have to perform these reviews.

Thanks in advance!


Mark Manders
Mega Patron

If you can ensure you have the related data in the system (I wouldn't just upload the data for this, but really make sure that every user is added when he/she gets access to an application), you can just have your application owners manage this from the portal (no need for backend access). Let them open a catalog item with a list field showing who has access, and select the ones they want to revoke. Your flow can take care of the tickets to revoke that access by the IT team (or even put automation in place).


Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark
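To make the reply's design concrete, here is an added example (not code from this thread, from ServiceNow, or from either poster) written as plain JavaScript so it runs outside the platform. It models the two steps the thread discusses: loading an access list for a non-integrated application from an uploaded CSV (question 3), and turning the owner's approve/revoke selections into fulfillment tasks routed to the right team (question 4). The column names, the `FULFILLMENT_GROUP` mapping and the task fields are assumptions; in ServiceNow the access records would be read with GlideRecord from your own table and the flow would insert real `sc_task` records. Two controls are included that a reviewer would want: the review cannot be closed while any record has no decision, and a decision that references a record outside the owner's list is rejected rather than acted on.

```javascript
// Added example, not from the thread or from ServiceNow: an in-memory model
// of the UAR decision step. Arrays stand in for the access table and for the
// sc_task records the flow would create.

// Constructed sample CSV of users and entitlements for an application that is
// not integrated with ServiceNow. Column names are assumptions.
const SAMPLE_CSV = [
  'user,application,entitlement',
  'alice,Payroll,approver',
  'bob,Payroll,viewer',
  'carol,Payroll,admin',
].join('\n');

// Assumed mapping from application to the team that removes access.
const FULFILLMENT_GROUP = { Payroll: 'HR Applications Support' };

// Parse the uploaded CSV into access records. Deliberately simple: no quoted
// fields, header row required, blank lines ignored.
function parseAccessCsv(text) {
  const lines = text.split(/\r?\n/).filter((l) => l.trim() !== '');
  const header = lines[0].split(',').map((h) => h.trim());
  for (const col of ['user', 'application', 'entitlement']) {
    if (!header.includes(col)) throw new Error(`missing column: ${col}`);
  }
  return lines.slice(1).map((line, i) => {
    const cells = line.split(',').map((c) => c.trim());
    const rec = Object.fromEntries(header.map((h, j) => [h, cells[j] ?? '']));
    // Stable id per row; in ServiceNow this would be the record's sys_id.
    rec.sys_id = `row-${i + 1}`;
    return rec;
  });
}

// Apply the owner's decisions to the access list.
//   records:   access records in the owner's scope (the list field contents)
//   decisions: { [sys_id]: 'approve' | 'revoke' } as submitted from the portal
// Returns { tasks, errors }. The review only produces tasks when errors is
// empty: every record needs a decision (nothing is left unreviewed), and every
// decision must point at a record that is actually in scope.
function applyReviewDecisions(records, decisions) {
  const errors = [];
  const inScope = new Map(records.map((r) => [r.sys_id, r]));

  for (const id of Object.keys(decisions)) {
    if (!inScope.has(id)) {
      errors.push(`decision for record outside review scope: ${id}`);
    } else if (!['approve', 'revoke'].includes(decisions[id])) {
      errors.push(`invalid decision for ${id}: ${decisions[id]}`);
    }
  }
  for (const r of records) {
    if (!(r.sys_id in decisions)) {
      errors.push(`no decision recorded for ${r.user} on ${r.application}`);
    }
  }
  if (errors.length > 0) return { tasks: [], errors };

  // One fulfillment task per revoked entitlement, routed by application.
  const tasks = records
    .filter((r) => decisions[r.sys_id] === 'revoke')
    .map((r) => ({
      table: 'sc_task',
      assignment_group: FULFILLMENT_GROUP[r.application] ?? 'IT Service Desk',
      short_description: `UAR revoke: ${r.user} / ${r.application} / ${r.entitlement}`,
      access_record: r.sys_id,
    }));
  return { tasks, errors };
}

// Demonstration on the constructed data: a complete review, an incomplete
// one, and one carrying a decision for a record the owner does not own.
function demo() {
  const records = parseAccessCsv(SAMPLE_CSV);
  const complete = applyReviewDecisions(records, {
    'row-1': 'approve', 'row-2': 'revoke', 'row-3': 'revoke',
  });
  const partial = applyReviewDecisions(records, { 'row-1': 'approve' });
  const outOfScope = applyReviewDecisions(records, {
    'row-1': 'approve', 'row-2': 'approve', 'row-3': 'approve', 'row-9': 'revoke',
  });
  return { records, complete, partial, outOfScope };
}
```

When porting this into a flow or a Script Include, the scope check matters most: take the list of reviewable records from the server side (the owner's application assignment), never from the submitted form alone, so a modified portal submission cannot revoke or approve access that belongs to another owner's review.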