Three Pre-Built Review Processes
- User level: Do these users belong to me?
- User-Application level: Do they need these apps?
- User-System-Role level: Do they need these accesses?
- Do the Group Owners belong to me?
- Do they really own these Groups?
(1 Group, 2 Owners) - Group Owner reviews within Group
Why our UAR tool?
Easy, Complete, Audit-Proof Review Process
User recommendations
Users can review their own access first and recommend Keep / Remove decisions to their Reviewers.
Review made easy
Easy-to-use, efficient review platform for managers or system/process owners
Compliance
Many regulatory frameworks and standards, such as GDPR, HIPAA, PCI DSS, and SOX, require organizations to perform user access reviews on a regular basis. Our tool has passed several external audits successfully.
Protect sensitive data
Protect sensitive data by ensuring that only authorized individuals have access to it.
Application Review Process in Detail
1. User self-review
The process begins with the user being asked to review their own access rights and permissions. The user will be provided with a list of the applications, systems, and data they have access to, along with a description of the type of access they have (read-only, read-write, admin, etc.). The user will then be asked to confirm whether their access is still necessary for their job role or whether any changes need to be made.
2. Manager or system owner review
After the user has completed their self-review, their manager or system owner will be asked to review the access rights and permissions of their direct reports. This review process will involve the manager or system owner confirming that each user’s access is necessary for their job role, that they have the appropriate level of access, and that there are no potential security risks associated with their access.
First, the Reviewer validates whether the users really belong to him/her and whether they are still active. Users can be delegated to other Reviewers.
For the confirmed users, the Reviewer decides on access at the application (system) level. The User self-review data are available for the Review, but the decision stays with the Reviewer.
If the accesses within the applications are grouped into roles or profiles, these are reviewed on a third screen.
3. Reviewer decision
The Reviewer (manager or system owner) decides whether their direct reports need the access at the system level and, where possible, at the role level, with a simple click: Keep or Remove.
4. Access removal
The accesses that are marked for removal are submitted to the relevant teams. The UAR tool provides the lists of accesses to be removed at the User, Application and Role level, ready for submission. The submission process is not automated by default, as it depends on internal company processes.
The user access review process should be performed on a regular basis (e.g., every six months or at least annually) to ensure that users continue to have the appropriate level of access and that there are no security risks associated with their access.