User Access Reviews

The user access review functionality (also known as user access certification and access attestation) provides for the configuration and execution of periodic user access certifications. These certifications should be an integral part of a larger strategy to improve security and ensure that users have only the required level of access. These reviews are also important for supporting regulatory requirements such as SOC-2 audits.

To implement user access reviews, you will need to address the topics listed below.

| Topic | Description |
| --- | --- |
| Collect evidence of access | Evidence of the access that users have can be collected by using the connector and data synchronization tools to import data into OpenIAM from the application that needs to be reviewed. |
| Configure the review | The review configuration process requires defining the scope of the review and the reviewer workflow. Use the table below to configure the review based on the type of review.<br>* User based review - Review all the access that users have. During the configuration, you will be able to determine which users should be included in the review.<br>* Application + entitlements - Review a specific set of entitlements in an application or a group of applications. These are sometimes referred to as micro-certifications. |
| Execute the review | During this step, the review is executed and the reviewers are notified so that they can start reviewing access. |
| Reports for Auditors | After the review has been completed, the UAR manager will need to obtain reports from OpenIAM for inclusion in the documentation being sent to the auditors. This section describes how to obtain these reports. |