Access Reviews

Access reviews (also known as access certifications or recertifications) are periodic audits of user access rights.

They help organizations ensure that users have appropriate permissions and that unnecessary or risky access is identified and removed.

Overview

An access review is a structured process where designated reviewers examine and validate user access to applications, roles, and resources. This is a critical control for:

Compliance: Meeting regulatory requirements (SOX, GDPR, ISO 27001)
Security: Reducing the attack surface by removing excessive privileges
Governance: Ensuring access aligns with business needs

How It Works

Create a review campaign with a defined scope
Start the review to notify reviewers
Review each assignment and decide to certify or revoke
Complete the review to apply decisions
Track completion and generate audit reports

Review Lifecycle

Access reviews follow a defined lifecycle with four statuses:

Status	Description
Draft	The review is being configured. Scope and reviewers are defined.
In Progress	The review is active. Reviewers are making certification decisions.
Completed	All decisions have been made and applied.
Cancelled	The review was stopped before completion. No changes applied.

Status Transitions

Draft → In Progress → Completed
         ↓
      Cancelled

Creating a Review

Step 1: Basic Information

When creating a new access review, provide:

Field	Description
Name	A clear, descriptive name for the review (e.g., “Q4 2024 Admin Access Review”)
Description	Optional context explaining the purpose or scope
Scope	What access will be reviewed (see Scope Types below)

Step 2: Define the Scope

The scope determines which access assignments will be included in the review:

Scope Type	Description
All assignments	Review all access across the organization
By role	Review access to specific roles
By application	Review access within specific applications
By principal	Review access for specific users or groups

Choosing an appropriate scope ensures reviewers focus on relevant access and aren’t overwhelmed with irrelevant assignments.

Step 3: Configure Reviewers

Define who will review each type of access:

Reviewer Type	Best For
Manager	The user’s direct manager reviews their access
Application Owner	The owner of each application reviews its users
Role Owner	The owner of each role reviews its members
Specific Users	Named individuals review all access in scope

Running a Review

Starting the Review

When you start a review:

All in-scope assignments are identified
Reviewers are notified (if notifications are configured)
The review dashboard shows progress metrics
Reviewers can begin making decisions

Once started, the review moves to In Progress status.

Making Decisions

For each access assignment, reviewers can:

Decision	Effect
Certify	Confirm the access is appropriate and should continue
Revoke	Flag the access for removal
Delegate	Assign the decision to another reviewer

Reviewers may also add comments to explain their decisions, which are valuable for audit trails.

Tracking Progress

While a review is in progress, you can monitor:

Completion percentage: How many decisions have been made
Pending items: Assignments awaiting review
Decisions by type: Breakdown of certify vs. revoke

Completing a Review

Finalizing Decisions

When you complete a review:

All pending items are marked as reviewed (or flagged for follow-up)
Revocation decisions are queued for execution
The review is locked and marked as Completed
An audit trail is generated

Applying Revocations

Access flagged for revocation can be:

Automatically removed: Integrations remove access in target systems
Exported for manual action: IT teams receive a list of changes to apply
Held for approval: A secondary approval before changes take effect

Cancelling a Review

If a review needs to be stopped before completion:

Click Cancel on the review
Confirm the cancellation
The review moves to Cancelled status

When cancelled:

No revocation decisions are applied
Partial progress is preserved for reference
The review can be deleted if no longer needed

Best Practices

Planning Reviews

Schedule regular reviews: Quarterly for high-risk access, annually for standard access
Define clear ownership: Ensure every application and role has a designated owner
Communicate in advance: Notify reviewers before the review starts

Scoping Reviews

Start focused: Begin with high-risk access (admin roles, sensitive data)
Avoid reviewer fatigue: Don’t overload reviewers with too many assignments
Use meaningful groupings: Scope by business unit or risk level

During the Review

Set deadlines: Give reviewers a clear timeline
Send reminders: Follow up on pending items
Escalate delays: Have a process for unresponsive reviewers

After the Review

Apply changes promptly: Don’t let revocations linger
Document exceptions: If access is retained despite concerns, note why
Analyze patterns: Look for trends across reviews

Reporting

Review Summary

After completing a review, generate reports including:

Executive summary: High-level metrics and key findings
Decision details: Full list of certify/revoke decisions
Reviewer activity: Who reviewed what and when
Exceptions: Access retained despite policy concerns

Audit Evidence

Access review reports serve as evidence for auditors:

Who had access during the review period
Who reviewed and approved that access
What changes were made as a result
When decisions were made (timestamps)

Getting Started

Navigate to Access Reviews in the Big ACL console
Click “New Review” to create a campaign
Configure the scope and name the review
Add reviewers who will certify access
Start the review when ready
Monitor progress and send reminders as needed
Complete the review and apply revocations