title: The Review Process
category: Access Reviews
tags: access-review, reviewer, approve, deny, delegate, certification
priority: Normal
The Review Process
This guide covers how reviewers conduct access reviews in IdentityCenter -- from receiving an assignment through making decisions to completing the review.
Receiving a Review Assignment
When a campaign launches, reviewers are notified in two ways:
| Notification Method | Details |
|---|---|
| Email | An email with a direct link to the review items, the campaign name, item count, and deadline |
| MyApprovals Page | A persistent list of pending reviews at /access-review/my-approvals that reviewers can check at any time |
Reviewers can begin working on their items as soon as they receive the notification. The MyApprovals page always shows the current state of all assigned reviews, including completed ones.
The Reviewer Interface
Review Item List
When a reviewer opens their review assignment, they see a list of items, each representing a specific access right to evaluate.
| Column | Description |
|---|---|
| User | The person whose access is being reviewed, with a link to their detail page |
| Access | The group or resource the user has access to |
| Access Type | Security Group, Distribution List, Application Role, etc. |
| Status | Pending, Approved, Denied, or Delegated |
| Risk | Risk score badge (Low, Medium, High, Critical) if Intelligence features are enabled |
Review Context Panel
For each item, IdentityCenter provides context to help the reviewer make an informed decision:
| Context Information | Description |
|---|---|
| User Department | The user's department and title |
| User Manager | Who manages this person |
| Last Login | When the user last authenticated |
| Account Status | Whether the account is active, disabled, or locked |
| Risk Score | AI-calculated risk assessment |
| Group Purpose | Description of the group or resource |
| Membership Duration | How long the user has been a member |
| Other Members | Summary of who else has the same access |
Tip: The context panel is designed to provide everything a reviewer needs without leaving the review interface. Use the "Last Login" field to quickly identify users who may no longer need access.
Making Decisions
Reviewers have three decision options for each item:
Approve
Select Approve when the access is appropriate and should continue. The user retains their current access without any change.
When to approve:
- The user actively needs this access for their role
- The access level is appropriate (not excessive)
- There are no risk flags that raise concern
Deny
Select Deny when the access is no longer appropriate and should be removed. Denials trigger a remediation action (either automated removal or a manual task, depending on campaign configuration).
When to deny:
- The user no longer needs the access for their current role
- The user has changed departments and the access is no longer relevant
- The user has not logged in for an extended period
- The access violates a compliance policy
Important: Denied items require a comment explaining the reason. This comment becomes part of the audit trail and is available to compliance auditors.
Delegate
Select Delegate when you are not the right person to make this decision. Delegation forwards the review item to another reviewer who has better context.
When to delegate:
- The user recently transferred from another team and you do not know their access needs
- The resource is outside your area of expertise
- You have a conflict of interest
When delegating, you must:
- Select the person to delegate to (search by name or email)
- Provide a reason for the delegation
The delegated reviewer receives their own notification and deadline.
Adding Comments
Comments can be added to any decision. They are required for denials and optional for approvals and delegations.
Best practices for comments:
- Be specific: "User transferred to Marketing; no longer needs Finance-ReadOnly access"
- Reference policies: "Violates SoD policy -- user should not be in both AP-Requesters and AP-Approvers"
- Note context: "Confirmed with user's manager that this access is still needed for Project Atlas"
Bulk Actions
For large review sets, bulk actions speed up the process:
| Action | Description |
|---|---|
| Approve All | Approve all remaining pending items at once |
| Deny All | Deny all remaining pending items at once |
| Approve Filtered | Approve only the items matching the current filter |
Bulk actions always require confirmation. When using Deny All, you are prompted to enter a comment that applies to all denied items.
Caution: Use bulk approve carefully. Rubber-stamping approvals defeats the purpose of the review. Auditors often look at the approve-to-deny ratio and review times to identify reviewers who are not performing thorough evaluations.
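The approve-to-deny ratio and review-time check mentioned above can be run over exported decision records. The following is an added example, not IdentityCenter code: the record layout (reviewer, decision, timestamp, comment), the sample rows, and the thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample records; the tuple layout is an assumption, not IdentityCenter's
# export schema: (reviewer, decision, decided_at, comment)
SAMPLE_DECISIONS = (
    # alice: six approvals two seconds apart, no comments (bulk-approve pattern)
    [("alice", "Approved", f"2024-03-04T09:00:{s:02d}", "") for s in range(0, 12, 2)]
    + [
        ("bob", "Approved", "2024-03-04T10:00:00", "Needed for Project Atlas"),
        ("bob", "Denied", "2024-03-04T10:04:30", "Transferred to Marketing"),
        ("bob", "Approved", "2024-03-04T10:09:10", ""),
        ("bob", "Denied", "2024-03-04T10:15:00", "Violates SoD policy"),
        ("bob", "Approved", "2024-03-05T14:00:00", ""),
        ("bob", "Delegated", "2024-03-05T14:06:00", "Outside my area"),
        ("carol", "Denied", "2024-03-06T08:00:00", " "),  # denial with a blank comment
    ]
)

def reviewer_stats(decisions):
    """Per-reviewer approval rate, median seconds between decisions, uncommented denials."""
    by_reviewer = defaultdict(list)
    for reviewer, decision, ts, comment in decisions:
        by_reviewer[reviewer].append((datetime.fromisoformat(ts), decision, comment))
    stats = {}
    for reviewer, rows in by_reviewer.items():
        rows.sort()
        # Delegations are excluded from the ratio: they are neither approve nor deny.
        decided = [r for r in rows if r[1] in ("Approved", "Denied")]
        approvals = sum(1 for r in decided if r[1] == "Approved")
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
        stats[reviewer] = {
            "items": len(rows),
            "approve_rate": approvals / len(decided) if decided else 0.0,
            "median_gap_s": median(gaps) if gaps else None,
            "denials_missing_comment": sum(
                1 for r in rows if r[1] == "Denied" and not r[2].strip()),
        }
    return stats

def flag_rubber_stamping(stats, min_items=5, min_rate=0.95, max_gap_s=10):
    """Flag reviewers who approve nearly everything with almost no time per item.
    Thresholds are illustrative assumptions; tune them to your own campaigns."""
    return sorted(
        name for name, s in stats.items()
        if s["items"] >= min_items and s["median_gap_s"] is not None
        and s["approve_rate"] >= min_rate and s["median_gap_s"] < max_gap_s)
```

A flag is a prompt to look at the reviewer's items and comments, not proof of a poor review; a legitimate Approve Filtered action on a well-understood group produces the same timing pattern.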
SLA Tracking
Each review assignment has a deadline, and the interface shows the time remaining prominently.
| SLA Indicator | Meaning |
|---|---|
| Green | More than 5 days remaining |
| Yellow | 2-5 days remaining |
| Orange | Less than 2 days remaining |
| Red | Overdue |
Reminder Notifications
As the deadline approaches, the system sends automatic reminders:
| Timing | Action |
|---|---|
| 7 days before due | First reminder email |
| 3 days before due | Second reminder email |
| 1 day before due | Urgent reminder email |
| Due date | Final warning |
| After due date | Escalation begins (per campaign configuration) |
What Happens After Decisions
Approved Items
Approved items require no further action. The access remains in place and the approval is recorded in the audit trail with the reviewer's name, timestamp, and any comments.
Denied Items
Denied items trigger the remediation workflow:
| Remediation Type | How It Works |
|---|---|
| Automated | IdentityCenter uses AD write-back to remove the group membership or access automatically |
| Manual | A remediation task is created for an administrator to execute the removal |
| Approval Required | High-impact removals may require a second approval before execution |
The specific remediation type depends on the campaign configuration. See Violation Remediation for details on how automated actions are executed.
Delegated Items
Delegated items are transferred to the new reviewer. The original reviewer's delegation decision and reason are recorded. The new reviewer sees the full context plus the delegation note.
Completing a Review
A review is considered complete when every assigned item has a decision (Approve, Deny, or Delegate). The interface shows a progress bar indicating how many items remain.
Saving Progress
Reviewers can save their progress at any time and return later. Decisions are saved individually as they are made -- there is no risk of losing work if the session ends unexpectedly.
Partial Completion
If the campaign closes before all items are reviewed, the remaining items are handled according to the campaign's escalation rules:
| Escalation Rule | Outcome |
|---|---|
| Escalate to Manager | Unreviewed items are reassigned to the reviewer's manager |
| Auto-Approve | Remaining items are automatically approved (less secure) |
| Auto-Deny | Remaining items are automatically denied (more secure, but may disrupt access) |
| Leave Open | Items remain pending until manually resolved |
Best Practices for Reviewers
- Do not batch everything to the last day. Review a few items daily to maintain quality and avoid deadline pressure.
- Use the context panel. The "Last Login" and "Risk Score" fields surface the items most likely to need denial.
- Add meaningful comments. Future auditors will review your decisions. A brief explanation demonstrates due diligence.
- Delegate promptly. If you cannot evaluate an item, delegate it early so the new reviewer has time.
- Question approvals, not just denials. Auditors are more concerned about inappropriate approvals than aggressive denials.
Next Steps
- Access Reviews Overview -- Understand the access review framework
- Creating an Access Review Campaign -- Set up a new campaign
- Campaign Tracking & Reports -- Monitor progress and generate compliance reports
- Automated & Scheduled Reviews -- Set up recurring review campaigns
- Compliance Frameworks -- Regulatory requirements driving reviews
- Workflow Triggers -- Automate actions based on review decisions