User Access Reviews

The user access review (aka User access certification and access attestation) functionality, provides for the configuration and execution of periodic user access certifications. These certifications should be an integral part of a larger strategy to improve security and ensure that users have only the required level of access. These reviews are also important for supporting regulatory requirements such as SOC-2 audits.

To implement user access reviews, you will need to address the topics listed below.

Collect evidence of accessCollecting evidence of the access that user have can be achieved by using the connector and data synchronization tools to import data from the application which needs to reviewed to OpenIAM.
Configure the reviewThe review configuration process will require defining the scope of the review and the reviewer workflow.
Execute the review)During this step,the review will be executed and the reviewer will be notified so that they can start to start review access
Reports for AuditorsDuring this steps, the user access review manager, will obtain reports from OpenIAM for inclusion in the documentation being sent to the auditors

To configure a User Access Review (UAR), you must first determine the scope:

Type of reviewDescription
User based reviewReview all the access that users have. During the configuration, you will be able to determine which users should be included in the review
Application + entitlementsReview a specific set of entitlements in an application or a group of applications. These are sometimes referred to as Micro-certifications.