Access Reviews

In this article, you'll learn how to approve and manage user access for critical systems.

What is User Access and why is it important?

User access refers to the permissions given to employees to use specific data, applications, and systems within your company.

It's essential for compliance because it ensures that only authorized people can access sensitive information, protecting it from unauthorized access and potential misuse.

Effective user access management helps prevent data breaches and supports regulatory requirements such as SOC 2, GDPR, HIPAA and more. By controlling who can access what, organizations can better secure their systems and demonstrate their commitment to maintaining a safe and compliant environment.

Access Review screen

On the main Access Reviews screen, the table is divided into four columns:

  • System: Identifies the system for which the access review is being conducted.
  • Source: Specifies where the user's access comes from (Scytale integration or CSV upload).
  • Reviewer: The individual responsible for reviewing the access.
  • System Review Status: Indicates the current status of the review for the system, which can be "Approval Incomplete," "Processing Data," or "Approved."

When you click into one of the systems, another table will open, which is generally divided into 9 columns. 

  • Username: Displays the user's username in the critical system for which access is being reviewed.
  • Role: Indicates the user's role or permissions in the critical system being reviewed for access.
  • Account: This field will appear if the user has access to different accounts in the system. If supported, it will be displayed as a column, such as "Workspace" or "Organization."

  • Employee Name: Shows the full name of the employee from the People page. 
  • Type: Specifies if the user is a "System User" or "Contractor." Note: This is used when no match is found for an employee in the People page, often due to system accounts or contractors.
  • Email: Lists the email address of the employee from the People page.
  • Job Title: Displays the job title of the employee from the People page.
  • Employee Status: Indicates whether the employee from the People page is "Active" or "Inactive."
  • Note: Provides space for any additional notes or comments. We recommend using this section to offer extra context for the auditor, especially for exceptions such as inactive employees who still have access to critical systems.
  • Action: Allows the reviewer to "Approve" the access of the user.
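
A pre-review check over the fields in the table above, as an added example (not Scytale's code): it joins a system's account list to the people roster and lists the rows that would need a Note, namely inactive employees who still have access and accounts with no employee match. Matching by email, the column names, and the sample data are assumptions made for illustration.

```python
import csv
import io

# Constructed sample data; column names are assumptions, not a Scytale format.
SYSTEM_USERS_CSV = """username,role,email
asmith,Admin,alice.smith@example.com
bjones,Developer,bob.jones@example.com
ci-deploy,Admin,
cdiaz,Viewer,carla.diaz@example.com
"""
PEOPLE_CSV = """name,email,job_title,status
Alice Smith,alice.smith@example.com,CTO,Active
Bob Jones,Bob.Jones@example.com,Engineer,Inactive
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def build_review_rows(system_users, people):
    """Join system accounts to the people roster by normalized email."""
    by_email = {p["email"].strip().lower(): p for p in people if p["email"].strip()}
    rows = []
    for acct in system_users:
        person = by_email.get(acct["email"].strip().lower())
        row = {"username": acct["username"], "role": acct["role"],
               "employee_name": person["name"] if person else None,
               "employee_status": person["status"] if person else None,
               "exception": None}
        if person is None:
            # No roster match: reviewer must classify as System User or Contractor.
            row["exception"] = "unmatched: set Type and add a Note"
        elif person["status"] != "Active":
            row["exception"] = "inactive employee still has access: add a Note"
        rows.append(row)
    return rows

def exceptions(rows):
    """Rows a reviewer should look at individually before approving."""
    return [r for r in rows if r["exception"]]

if __name__ == "__main__":
    for r in exceptions(build_review_rows(load(SYSTEM_USERS_CSV), load(PEOPLE_CSV))):
        print(f'{r["username"]:10} {r["role"]:10} {r["exception"]}')
```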

 

How to approve user access

1. Select the system that you want to give a user access to.

2. Find the user you want to give access to and click on "Approve".

To approve all users who have requested access to a system, click the "Quick Approve" button. This will grant access to all pending users of that system.

How to add a system for access reviews

1. Go to "Access Reviews" and select "Add System".

2. A dropdown will open and give you the choice to add a system from integrations or to import a CSV.

3. If you choose "Add integrations", click on the dropdown and scroll to select the integrations you want to add. Then select "Add".

4. If you choose "Import from CSV", go here to learn more about how to import a user list from critical systems.

Signing and creating evidence 

Once you have successfully assigned reviewers for each system and approved all user access, select "Sign & Create Evidence".

This evidence will automatically be uploaded for monitoring and the relevant audits.