# Access Reviews Overview
Access Reviews (also known as Access Certifications) are a critical component of identity governance. They ensure that users have appropriate access to resources and that access rights are regularly validated by responsible parties.
## What are Access Reviews?
Access Reviews are periodic campaigns where managers, resource owners, or other reviewers verify that:
- Users still need their current access
- Access levels are appropriate for job roles
- Segregation of duties is maintained
- Orphaned or inappropriate access is removed
## Why Access Reviews Matter
### Compliance Requirements
| Framework | Requirement |
|---|---|
| SOX | Section 404 requires regular access review controls |
| HIPAA | Regular review of access to PHI systems |
| GDPR | Data access must be limited and verified |
| ISO 27001 | A.9.2.5 Review of user access rights |
| PCI-DSS | Requirement 7: Restrict access, review quarterly |
| SOC 2 | CC6.1, CC6.2, CC6.3 access control criteria |
### Security Benefits
- Reduce Risk - Remove unnecessary access before it's exploited
- Detect Anomalies - Identify unusual access patterns
- Clean Up - Remove orphaned accounts and stale permissions
- Audit Trail - Document who approved what and when
## Access Review Concepts
### Campaigns
A campaign is a time-bound access review initiative with:
- Defined scope (which access to review)
- Assigned reviewers
- Start and end dates
- Escalation rules
### Review Items
Each item represents a specific access right to be reviewed:
- User + Resource/Group combination
- Current access level
- Reviewer assignment
- Decision (Approve/Revoke/Delegate)
### Reviewers
People responsible for making access decisions:
- Managers - Review their direct reports' access
- Resource Owners - Review who has access to their resources
- Application Owners - Review application-level access
- Delegates - Receive forwarded reviews
### Decisions
| Decision | Description | Action |
|---|---|---|
| Approve | Access is appropriate | Keep access |
| Revoke | Access is not needed | Remove access |
| Delegate | Cannot decide | Forward to another reviewer |
| Flag | Needs investigation | Mark for follow-up |
## Access Review Process
```
┌─────────────────────────────────────────────────────────────┐
│                     Campaign Lifecycle                      │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│  ┌──────────┐   ┌──────────┐   ┌──────────┐   ┌──────────┐  │
│  │ Planning │ → │ Running  │ → │ Closing  │ → │ Complete │  │
│  └──────────┘   └──────────┘   └──────────┘   └──────────┘  │
│       │               │               │               │        │
│       ▼               ▼               ▼               ▼        │
│  Define scope   Reviewers      Escalation     Report &      │
│  Set dates      make           & reminders    remediation   │
│  Assign         decisions                                   │
│  reviewers                                                  │
│                                                             │
└─────────────────────────────────────────────────────────────┘
```
### Phase 1: Planning
- Define what access to review
- Select reviewer strategy
- Set campaign timeline
- Configure notifications
### Phase 2: Running
- Review items generated
- Notifications sent to reviewers
- Reviewers make decisions
- Progress tracked on dashboard
### Phase 3: Closing
- Reminder notifications sent
- Escalations triggered
- Overdue items flagged
- Campaign closes
### Phase 4: Complete
- Compliance reports generated
- Revocation decisions executed
- Audit trail documented
- Analytics updated
## Types of Access Reviews
### Manager-Based Review
Managers review all access for their direct reports.
| Pros | Cons |
|---|---|
| Managers know their team | May rubber-stamp approvals |
| Simple assignment | Large review load for some managers |
| Familiar relationships | May miss technical nuances |
### Resource Owner Review
Application or resource owners review all users with access.
| Pros | Cons |
|---|---|
| Technical expertise | May not know users personally |
| Focused scope | Single point of failure |
| Consistent decisions | Resource owners may be unavailable |
### Peer Review
Colleagues review each other's access.
| Pros | Cons |
|---|---|
| Different perspective | May lack context |
| Distributed workload | Potential for collusion |
| Cross-training benefit | Relationship dynamics |
### Self-Attestation
Users review and attest to their own access.
| Pros | Cons |
|---|---|
| User knows their needs | Conflict of interest |
| Quick responses | Limited audit value |
| Awareness building | Not sufficient alone |
## Review Frequency
| Access Type | Recommended Frequency |
|---|---|
| Privileged/Admin | Monthly |
| Sensitive Data | Quarterly |
| Standard Access | Semi-annually |
| Low Risk | Annually |
## Campaign Metrics
Track these metrics for campaign health:
| Metric | Description | Target |
|---|---|---|
| Completion Rate | % of items reviewed | >95% |
| On-Time Rate | % completed before deadline | >90% |
| Revocation Rate | % of access revoked | 5-15% typical |
| Average Response Time | Time to complete review | <3 days |
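The following is an added example (not IdentityCenter code) that computes the four metrics in the table above from a campaign's review items and applies the Closing-phase escalation from Phase 3: once the deadline passes, items with no final decision (still pending, or stuck in a delegation) are reassigned to a backup reviewer. The `ReviewItem`/`Campaign` shapes, the `backup_reviewers` map, the `governance-team` fallback owner and the sample campaign are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

FINAL_DECISIONS = {"Approve", "Revoke", "Flag"}   # Delegate only forwards an item; it stays open

@dataclass
class ReviewItem:
    user: str
    resource: str
    reviewer: str
    assigned: datetime
    decision: "str | None" = None          # None while the item is still pending
    decided: "datetime | None" = None

@dataclass
class Campaign:
    end: datetime                          # campaign deadline
    items: list
    backup_reviewers: dict                 # reviewer -> backup reviewer (hypothetical map)

def campaign_metrics(c: Campaign) -> dict:
    # Rates follow the metrics table above; revocation rate is taken over decided items.
    done = [i for i in c.items if i.decision in FINAL_DECISIONS]
    on_time = [i for i in done if i.decided <= c.end]
    revoked = [i for i in done if i.decision == "Revoke"]
    days = [(i.decided - i.assigned).total_seconds() / 86400 for i in done]
    total = len(c.items) or 1              # empty campaign -> all rates 0, no division error
    return {"completion_rate": 100 * len(done) / total,
            "on_time_rate": 100 * len(on_time) / total,
            "revocation_rate": 100 * len(revoked) / len(done) if done else 0.0,
            "avg_response_days": sum(days) / len(days) if days else None}

def escalate_overdue(c: Campaign, now: datetime) -> list:
    # Closing phase: past the deadline, open items move to the backup reviewer (or a fallback owner).
    if now <= c.end: return []
    overdue = [i for i in c.items if i.decision not in FINAL_DECISIONS]
    for item in overdue:
        item.reviewer = c.backup_reviewers.get(item.reviewer, "governance-team")
        item.decision = None               # a stalled delegation goes back to pending
    return overdue

# Constructed sample: a 14-day review of privileged access with a single reviewer.
T0 = datetime(2024, 3, 1)
SAMPLE = Campaign(end=T0 + timedelta(days=14), backup_reviewers={"alice": "carol"}, items=[
    ReviewItem("bob", "prod-db-admin", "alice", T0, "Approve", T0 + timedelta(days=2)),
    ReviewItem("dan", "prod-db-admin", "alice", T0, "Revoke", T0 + timedelta(days=3)),
    ReviewItem("eve", "billing-api", "alice", T0, "Approve", T0 + timedelta(days=16)),  # late
    ReviewItem("fay", "billing-api", "alice", T0, "Delegate", T0 + timedelta(days=5)),
    ReviewItem("gus", "vpn-admin", "alice", T0),                                        # pending
])
```

On the sample, completion is 60% and on-time 40% (the late approval counts toward completion but not on-time), and the delegated and pending items are the two that escalate.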
## Best Practices
### Campaign Design
- Keep campaigns focused and manageable
- Set realistic deadlines (2-4 weeks typical)
- Provide clear instructions to reviewers
### Reviewer Experience
- Make the interface simple and intuitive
- Provide context about each access right
- Allow bulk actions for efficiency
### Escalation
- Configure automatic reminders
- Have backup reviewers identified
- Escalate to management if needed
### Remediation
- Automate revocation where possible
- Have a process for exceptions
- Document all decisions
## Access Review Reports
IdentityCenter generates these compliance reports:
| Report | Description |
|---|---|
| Campaign Summary | Overall completion and decision stats |
| Reviewer Performance | Response times and completion by reviewer |
| Decision Audit Trail | Detailed log of all decisions |
| Revocation Report | List of all revoked access |
| Exception Report | Access approved despite risk flags |
## Integration with Other Features
### Synchronization
- Access reviews pull current access from synced sources
- Revocations can trigger sync-back to source systems
### Policies
- Policy violations flagged during reviews
- Risk scores displayed to reviewers
### Intelligence
- AI recommendations for decisions
- Anomaly detection highlights unusual access