User Access Review: Process & Best Practice Guide

Who has access to which apps and data, and do they actually need it? User access reviews help you answer this basic question. By auditing the current authorizations held by staff, contractors and guests, access reviews allow organizations to identify and remove unnecessary privileges – ensuring that only the right people have access.

What Is a User Access Review?

A user access review is the process of auditing access rights within an organization and confirming that each user can only access data that is required for their current role. Access reviews ensure that user access remains up-to-date and appropriate – even as staff roles change.

Access reviews, also known as entitlement reviews or access certification, are an essential control that enables organizations to follow the principle of least privilege and minimize access risks.

Who Counts as a User in Access Reviews?

For the purpose of auditing access, a “user” is anyone who has access to one of your information systems, whether they are a member of your staff or an external contractor. An effective review policy should include:

  • Employees: Your staff needs access to IT systems to perform their job duties, but when employees switch roles, are moved off projects or leave your organization, their previous access privileges can remain active and endanger sensitive business information.

  • Business partners: As part of your working relationship with other companies, you may grant them access to certain information systems or set up file shares for exchanging information. This makes it critical to control who has access to shared information and for how long.

  • Consultants: Experts you bring in to perform specific tasks may need sensitive levels of access to do their job. Reviews ensure that these privileges are removed once their job has been completed.

  • Contractors: From freelancers to temps, it is essential to ensure that IT access does not outlast their contract with your organization.

While user access reviews often focus on staff and guests, do not forget to audit non-human identities as well, such as apps or service accounts.

What Makes User Access Reviews Important?

Roles and responsibilities change over time. Employees get promoted, switch to different departments or are assigned to new projects. Changes like these are a normal part of the user lifecycle. However, without a review process, users often retain old access privileges, which are no longer relevant to their current job.

This leads to overprivileged users, which increases the risk of malicious access, whether a member of your own team turns into an insider threat or their account is compromised by an outside actor. This process can be broken down into three stages.

  • Privilege creep: Privilege creep describes the gradual accumulation of unnecessary access rights over time. This typically occurs because users continue to receive new privileges, but outdated access is never reviewed or removed. This leads to increased risk of malicious activity.

  • Privilege misuse: Users that have access they do not need may accidentally mishandle sensitive data or cause leaks. Unnecessary access rights can also constitute a compliance violation in themselves, especially when it comes to privacy legislation like HIPAA or the GDPR.

  • Privilege abuse: Worst of all, overprivileged users may intentionally exploit access for their own gain. This could take the form of stealing and selling company data, spying on coworkers for personal reasons or using internal information as leverage when switching to a competitor.

Advantages of User Access Reviews

The dangers of failing to review user access are clear: privilege creep, insider threats, account compromise and data theft. However, access reviews are far more than just a security issue. In fact, a well-thought-out review process brings many advantages to your organization.

  • Meet compliance requirements: Regular access audits are required by many regulations, from privacy laws like the GDPR and CCPA to healthcare regulations like HIPAA and security standards such as NIST and ISO 27001. Without access reviews, meeting these obligations is a non-starter.

  • Reduce license costs: Access reviews help organizations identify unused software licenses. This allows them to reduce their SaaS spend significantly. Studies estimate that as many as half of all SaaS licenses go unused.

  • Provide an audit trail: It’s not enough to be compliant; you also need to be able to prove your compliance. Access reviews provide a full audit trail of who held which privileges at which point in time, making it easy to demonstrate appropriate access to any external auditor.

  • Minimize damages: Experts agree that the steep rise in cybercrime means it’s no longer a question of if your network will be breached, only when it will be breached. By eliminating unnecessary access rights, you also reduce the damage attackers can cause when one of your accounts falls into the wrong hands.

Which Standards and Regulations Require User Access Reviews?

Standard and its requirement for user access reviews (with source):

  • GDPR: Access to personal data must be limited to authorized individuals whose job requires access. Regular reviews are necessary to ensure this requirement is met. (Source: GDPR Article 5)

  • HIPAA: Access to protected health information (PHI) must be limited to authorized individuals whose job requires access. Regular reviews are necessary to ensure this requirement is met. (Source: HIPAA § 164.308(a)(4) & 164.312(a)(1))

  • CCPA: Covered entities must implement reasonable security procedures to protect personal information. This includes reviewing user accounts for appropriate access. (Source: California Civil Code Section 1798.81.5)

  • GLBA: GLBA requires financial institutions to protect against unauthorized access to customer records. This requires regular access reviews. (Source: GLBA Section 501(b))

  • SOX: Sarbanes-Oxley requires companies to maintain effective internal controls, which includes access control to limit access to financial records. (Source: SOX Act Section 404)

  • NIS2: Important entities operating in the EU must protect their information systems through access control and audits. (Source: NIS2 Article 21 2. (i))

  • NIST 800-53: Businesses working with Controlled Unclassified Information (CUI) must implement access controls and regularly review user accounts for compliance. (Source: NIST SP 800-53 Rev. 5, AC-2 (j))

  • ISO 27001: To achieve ISO 27001 certification, organizations must manage access rights in accordance with the principle of least privilege, which includes recurring audits. (Source: ISO/IEC 27001:2022, Annex A 5.15)

  • SOC2: As part of SOC2 compliance, organizations must have processes to assign and revoke access authorizations, which must include regular reviews. (Source: SOC2 CC6.3)

User Access Review: 5 Step Process

Step 1: Establish a Review Policy

The process of reviewing access is most effective when guided by a clear policy that lays out which systems must be reviewed, how often reviews must be carried out, who is responsible for them and so on.

Instead of approaching the topic in isolation, it is best to incorporate your access review policy into an overarching access control policy and strategy that governs on/offboarding, authentication and privilege audits.

Step-by-step breakdown:

  • Create an access review policy that establishes review scope, interval and stakeholders.

  • Identify regulatory requirements affecting your organization.

  • Establish security goals and review objectives.

  • Include guest and third-party access in review scope.

  • Incorporate review policy into your larger access control strategy.

Step 2: Assign Data Owners

To determine whether a user still requires access to an IT system, you need a reviewer who is familiar with both the system and user being audited. The data owner (i.e. the person who manages the resource in question) is the most logical choice for who should review access.

But while data owners have a clear picture of who on their team actually uses a resource, they may lack the technical skills needed to review access rights and must be trained to understand the security and compliance implications of privilege audits.

Step-by-step breakdown:

  • Assign data owners to review access rights for resources they control

  • Raise awareness of access risks and the importance of reviews

  • Provide role-specific training on the review process

  • Streamline reviews to support data owners in non-technical roles

  • Ensure data owners have a clear point-of-contact for questions and issues

Step 3: Compile Access Information

Modern IT environments comprise dozens of IT systems, cloud apps and SaaS services. This sprawl makes it challenging to track who has access to what, as orgs need to compile access data from all parts of their environment to get the full picture. The only realistic way to collect this amount of data is through some form of automation.

Once you have assembled an up-to-date overview of existing access rights, the next step is to provide each reviewer with the relevant information they need to complete their part of the audit. Again, this can prove a logistical challenge as you also need to track audit completion to ensure review timelines meet your policy.

Step-by-step breakdown:

  • Create a snapshot of current access privileges across all information systems.

  • Use automated scripts, available APIs or IGA solutions to automate data collection.

  • Break down access information into segments relevant for each reviewer.

  • Provide each reviewer with relevant information through a secure channel.

  • Track review progress to ensure timely completion.
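The snapshot, segmentation and progress-tracking steps above, as an added example that is not code from the original guide or from tenfold. The two "exports" are constructed sample data standing in for what you would pull from a directory and a SaaS app through their APIs; the group naming convention, the data-owner mapping and all user names are assumptions made for the demonstration.

```python
"""Compile an access snapshot from several systems and segment it per reviewer.

Added example (not from the original guide). Every record below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    user: str
    user_type: str      # "employee", "contractor", "guest" or "service"
    system: str
    resource: str
    permission: str


# Constructed export 1: group memberships from a directory (assumed format).
DIRECTORY_EXPORT = [
    {"sAMAccountName": "alice", "type": "employee", "group": "FS_Finance_RW"},
    {"sAMAccountName": "bob", "type": "contractor", "group": "FS_Finance_RW"},
    {"sAMAccountName": "svc_backup", "type": "service", "group": "FS_Finance_RW"},
    {"sAMAccountName": "dan", "type": "employee", "group": "FS_HR_R"},
]

# Constructed export 2: per-user roles from a SaaS CRM (assumed format).
CRM_EXPORT = [
    {"email": "alice@example.com", "role": "Admin", "guest": False},
    {"email": "eve@partner.example", "role": "Viewer", "guest": True},
]

# Constructed data-owner mapping: (system, resource) -> reviewer.
# The HR share has no owner on purpose, to show how gaps surface.
DATA_OWNERS = {
    ("fileserver", "Finance share"): "finance.lead",
    ("crm", "CRM"): "sales.lead",
}


def normalize_directory(rows):
    """Assumed naming convention: FS_<Share>_<RW|R> protects '<Share> share'."""
    for r in rows:
        share = r["group"].split("_")[1] + " share"
        perm = "read-write" if r["group"].endswith("_RW") else "read"
        yield Entitlement(r["sAMAccountName"], r["type"], "fileserver", share, perm)


def normalize_crm(rows):
    """Key CRM users by the local part of their e-mail so identities line up."""
    for r in rows:
        user = r["email"].split("@")[0]
        user_type = "guest" if r["guest"] else "employee"
        yield Entitlement(user, user_type, "crm", "CRM", r["role"].lower())


def compile_snapshot():
    """One normalized list of who holds what, across all connected systems."""
    return list(normalize_directory(DIRECTORY_EXPORT)) + list(normalize_crm(CRM_EXPORT))


def segment_by_reviewer(snapshot):
    """Group entitlements by the data owner responsible for reviewing them."""
    segments = defaultdict(list)
    for ent in snapshot:
        owner = DATA_OWNERS.get((ent.system, ent.resource), "UNASSIGNED")
        segments[owner].append(ent)
    return dict(segments)


def completion_report(segments, completed):
    """Which reviewer segments are finished; `completed` is a set of reviewer ids."""
    return {owner: owner in completed for owner in segments}


if __name__ == "__main__":
    segs = segment_by_reviewer(compile_snapshot())
    for owner, ents in segs.items():
        print(owner, [f"{e.user}:{e.resource}:{e.permission}" for e in ents])
    print(completion_report(segs, {"finance.lead"}))
```

Anything that lands in the `UNASSIGNED` segment is a resource nobody has been made responsible for, which is exactly the kind of forgotten system the inventory section later warns about; the non-human `svc_backup` account is kept in the snapshot deliberately so service identities are reviewed alongside people.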

Step 4: Review Access Rights

Your reviewers have now received a list of access privileges and must decide which of them they should renew and which of them they should flag for removal. This may sound trivial, but it’s not always obvious where to draw the line between necessary and unnecessary access.

For example, even a user that works in the finance department probably does not need access to all financial data. Determining which privileges are strictly necessary for each user’s role requires careful evaluation.

Step-by-step breakdown:

  • Review existing privileges to right-size access.

  • Check user access against their current job role.

  • Follow the principle of least privilege when evaluating access.

  • Revoke outdated and unnecessary access rights.

  • Close inactive accounts and unwanted guest access.

Step 5: Document Outcomes & Adjust Access

Once the access review has been completed, you need to ensure that any problems identified by your reviewers are corrected. This means you need to remove any unnecessary access flagged during the audit.

Additionally, you need to document the results of the audit to ensure transparency and accountability: When did it take place? Who checked which permissions? Which reasons did they give for removing access?

Not only is this important to provide a full audit trail, it also allows you to evaluate and improve your access governance processes. If a review finds a lot of issues in a specific department, perhaps you need to adjust the provisioning for that role? If you uncover a lot of guest users, perhaps you should restrict who can invite guests?

Step-by-step breakdown:

  • Adjust user access based on review findings.

  • Document review outcome for both renewed and removed permissions.

  • Examine findings for larger trends or security concerns to address.

  • Update user roles and provisioning workflows as necessary.

  • Securely archive audit information to serve as a paper trail.
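Steps 4 and 5 together, as an added example that is not code from the original guide or from tenfold: each entitlement is checked against a least-privilege baseline for the user's role and against an inactivity threshold, the decision is written to an audit-trail record (who reviewed it, when, and why), and the records are turned into a change set for provisioning and a per-department tally for spotting trends. The role baseline, the 90-day threshold, the entitlement list and the reviewer identity are all constructed assumptions.

```python
"""Review entitlements against a role baseline and record the outcome.

Added example (not from the original guide). All data below is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Entitlement:
    user: str
    department: str
    role: str
    system: str
    permission: str
    last_used: Optional[date]      # None = never used since it was granted
    account_type: str = "employee"


# Constructed least-privilege baseline: the permissions each role should hold.
ROLE_BASELINE = {
    "accountant": {("erp", "invoices:read"), ("erp", "invoices:write")},
    "auditor": {("erp", "invoices:read"), ("erp", "ledger:read")},
}
INACTIVE_AFTER = timedelta(days=90)   # assumed inactivity threshold


def evaluate(ent, today):
    """Return (decision, reason) for one entitlement."""
    if ent.last_used is None or today - ent.last_used > INACTIVE_AFTER:
        return "revoke", f"not used in the last {INACTIVE_AFTER.days} days"
    if (ent.system, ent.permission) not in ROLE_BASELINE.get(ent.role, set()):
        return "revoke", f"not part of the baseline for role '{ent.role}'"
    if ent.account_type == "guest":
        return "renew", "guest access: confirm end date with sponsor"
    return "renew", "required by current role"


def run_review(entitlements, reviewer, today):
    """Produce one audit-trail record per entitlement (who, when, what, why)."""
    records = []
    for ent in entitlements:
        decision, reason = evaluate(ent, today)
        records.append({
            "reviewed_on": today.isoformat(),
            "reviewer": reviewer,
            "user": ent.user,
            "department": ent.department,
            "system": ent.system,
            "permission": ent.permission,
            "decision": decision,
            "reason": reason,
        })
    return records


def revocations(records):
    """The change set to hand to provisioning once the review is complete."""
    return [(r["user"], r["system"], r["permission"])
            for r in records if r["decision"] == "revoke"]


def findings_by_department(records):
    """Revocations per department: a high count hints at a provisioning problem."""
    counts = {}
    for r in records:
        if r["decision"] == "revoke":
            counts[r["department"]] = counts.get(r["department"], 0) + 1
    return counts


# Constructed sample entitlements for the demonstration.
TODAY = date(2024, 3, 31)
SAMPLE = [
    Entitlement("alice", "finance", "accountant", "erp", "invoices:write", date(2024, 3, 28)),
    Entitlement("bob", "finance", "accountant", "erp", "ledger:read", date(2024, 3, 1)),
    Entitlement("carol", "audit", "auditor", "erp", "ledger:read", None),
    Entitlement("dave", "audit", "auditor", "erp", "invoices:read", date(2024, 2, 15), "guest"),
]

if __name__ == "__main__":
    for rec in run_review(SAMPLE, "finance.lead", TODAY):
        print(rec["user"], rec["permission"], rec["decision"], "-", rec["reason"])
```

The records are what you archive: renewals are documented as deliberately as revocations, so an auditor can see that a permission was looked at and kept, not merely overlooked.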

Best Practices for User Access Reviews

Maintain an Up-to-Date System Inventory

In order to review user access, you need to have a complete picture of your IT environment: Which apps are in use? Who has access to what? Where is data stored and processed?

Maintaining an up-to-date network map and inventory of IT systems is a prerequisite to effective user access reviews. Without a clear understanding of the shape of your own IT, you run the risk of official systems being forgotten and falling off the grid, effectively turning them into Shadow IT over time.


Use Temporary & Role-Based Access

While access reviews are an essential safeguard, there are steps you can take to reduce the gradual accumulation of unnecessary privileges. These attack the problem of overprivileged users at the source. While they cannot replace periodic audits, they help you to keep the problem in check.

First, role-based access ensures that each user receives the right privileges for their job and loses them when they transition to a different role. Second, assigning temporary access with a predefined end date removes the need to audit privileges later on. This will require a sophisticated approach to access request management.

Automate the Review Process

The fact of the matter is: Even in a small organization there are far too many access rights to audit them manually. With dozens of systems and hundreds of accounts, reviews would take months to complete, meaning they would be out of date the second you finish.

User access reviews require a dedicated governance solution that allows you to streamline the audit process. Even if the decision about who needs access must be made by a human, an access review tool can automate everything surrounding that decision, including:

  • Collecting access rights data

  • Scheduling reviews

  • Notifying reviewers

  • Creating personalized audit checklists

  • Tracking review completion

  • Escalating uncompleted reviews

  • Implementing access changes

  • Documenting review outcomes

It’s best to choose an IGA solution that combines access reviews with other helpful features like role-based access and lifecycle automation. This gives you more control both over how privileges are audited and how they are assigned in the first place.

Involve the Right Stakeholders

Many organizations treat access rights as purely an IT issue. Don’t make the mistake of making your IT team solely responsible for auditing access. Yes, IT staff understand the risks of overprivileged users. But they do not know what everyone’s job is and what level of access it requires.

For an accurate assessment of who needs access to what, delegate access reviews to stakeholders within the different parts of your org: department heads, team leads, managers etc. As people in non-tech roles, they will need to be briefed on what the goal of an access review is. But there’s no one better to give you an up-to-date access audit than the people closest to the action.

Conduct Time-, Risk- and Event-Based Reviews

Many security standards require periodic access reviews, such as quarterly or bi-annual audits. But the truth is that a lot can happen during these intervals. Supplement periodic audits with risk-based and event-based reviews to make sure you don’t miss anything important.

There are two review types you should incorporate into your access control strategy here:

  • 1. More frequent reviews for high-risk permissions: Identify which access rights pose the biggest risk and decrease the review interval for these privileges. For example, audit high-risk privileges monthly instead of quarterly.

  • 2. Tie access reviews to specific events: Prompt department heads to review access when a staff member joins their team or leaves their team, ensuring that access remains appropriate during role changes.

Challenges for User Access Reviews

Complex IT Environment

Professional IT environments continue to grow more complicated with dozens of specialized systems, cloud apps and SaaS subscriptions. This complex structure makes it difficult to understand where data lives across your org, especially when you factor in the different tools and interfaces across all these applications.

Compiling access information from all these vastly different systems is one of the major challenges in the access review process.

Solution:

  • Implement a centralized platform for access governance to act as your single pane of glass.

  • Use integrations and automated scripts to feed access rights data into your IAM.

No Visibility Into User Access

Even within a single application, figuring out who has access to what can be surprisingly difficult. Built-in reporting tools are severely limited. At best, they give you a high-level view of access, but no way to zoom down for an in-depth look at individual users or objects.

But this kind of detailed analysis is exactly what you need in order to review access for different members of your team.

Solution:

  • Replace built-in reporting tools with a comprehensive reporting suite.

  • Choose a governance solution that offers in-depth reporting capabilities.

Time and Resource Intensive Process

As important as user access reviews are to data security, the process of auditing access takes considerable time and resources. First, there’s the effort required to collect and compile access data. Next, reviewers need to take time out of their day to complete their part of the audit, carefully evaluating whether each permission still aligns with business needs. Finally, access must be adjusted based on review findings.

Each step of the review process takes time and effort to complete. However, many of them can be successfully automated, freeing your staff up to focus on decisions about access rather than the busywork of collecting data and updating permissions.

Solution:

  • Automate the review process as much as possible.

  • Streamline data collection, review scheduling and access adjustments through an IGA solution.

High Staff Turnover

From internships to medical fellowships or guest lecturers at a university, some industries just have a higher rate of turnover or guest users. If access reviews follow a consistent schedule, this can lead to problems going unnoticed in between reviews. What if a visiting researcher leaves your organization in the middle of January, but the fact that their account remained active won’t be discovered until the review at the end of March?

There are two ways to go about solving this problem: A tighter net of time-based reviews or adding reviews outside of the normal schedule, for example as part of the offboarding workflow.

Solution:

  • Use stricter and more frequent reviews for guest users and high turnover roles

  • Supplement normal review schedules with audits triggered by offboarding workflows.
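The risk- and event-based scheduling described under "Conduct Time-, Risk- and Event-Based Reviews" and the offboarding-triggered reviews proposed for high-turnover environments both reduce to the same rule: an entitlement is due for review when its risk-tier interval has elapsed or when a lifecycle event (joiner, mover, leaver) has occurred for its holder. The following is an added example of that rule, not code from the original guide or from tenfold; the intervals, the event types, the entitlement list and the event feed are constructed assumptions. The sample data reproduces the visiting-researcher scenario above: a leaver in mid-January whose quarterly review would otherwise not come up until the end of March.

```python
"""Decide which entitlements are due for review, by risk tier or by event.

Added example (not from the original guide). All data below is constructed.
"""
from datetime import date, timedelta

# Constructed review intervals: high-risk rights monthly, everything else quarterly.
RISK_INTERVAL = {"high": timedelta(days=30), "standard": timedelta(days=90)}

# Lifecycle events that trigger an out-of-cycle review of that user's access.
TRIGGER_EVENTS = {"joiner", "mover", "leaver"}


def next_due(last_reviewed, risk):
    """Time-based due date for an entitlement of the given risk tier."""
    return last_reviewed + RISK_INTERVAL[risk]


def reviews_due(entitlements, events, today):
    """Return (user, system, reason) for every entitlement that needs review now.

    An event for the holder takes precedence over the time-based schedule, so a
    leaver's access is reviewed immediately instead of at the next scheduled audit.
    """
    triggered = {ev["user"]: ev["type"] for ev in events if ev["type"] in TRIGGER_EVENTS}
    due = []
    for ent in entitlements:
        if ent["user"] in triggered:
            due.append((ent["user"], ent["system"], f"event: {triggered[ent['user']]}"))
        elif next_due(ent["last_reviewed"], ent["risk"]) <= today:
            due.append((ent["user"], ent["system"], f"{ent['risk']}-risk interval elapsed"))
    return due


# Constructed data: the quarterly review closed on 2023-12-31; it is now late January.
TODAY = date(2024, 1, 20)
ENTITLEMENTS = [
    {"user": "alice", "system": "fileserver", "risk": "standard", "last_reviewed": date(2023, 12, 31)},
    {"user": "ops", "system": "domain-admin", "risk": "high", "last_reviewed": date(2023, 12, 15)},
    {"user": "visitor", "system": "fileserver", "risk": "standard", "last_reviewed": date(2023, 12, 31)},
]
# Constructed event feed, e.g. from the offboarding workflow; "training" is not a trigger.
EVENTS = [
    {"user": "visitor", "type": "leaver", "on": date(2024, 1, 15)},
    {"user": "alice", "type": "training", "on": date(2024, 1, 10)},
]

if __name__ == "__main__":
    for user, system, reason in reviews_due(ENTITLEMENTS, EVENTS, TODAY):
        print(f"{user:8} {system:14} {reason}")
```

Without the event feed, `visitor` would not appear until 2024-03-30; with it, the leaver's entitlement is flagged five days after the departure, while `alice`, whose standard-risk review is not yet due and whose only event is not a trigger, is correctly left alone.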

End User Dissatisfaction

Even if it is not required for their role, users can grow accustomed to having access and react negatively to the idea of it being withdrawn, just as any change can trigger an impulsive negative reaction.

Since dealing with unnecessary access is unavoidable, the best thing you can do is address this problem head on and inform your users why and how their permissions are being adjusted.

Solution:

  • Educate end users on the security and compliance benefits of access reviews.

  • Offer a self-service process for requesting new access rights when necessary.

Automate User Access Reviews with tenfold

tenfold is a comprehensive IGA solution that offers centralized access reviews alongside a full suite of powerful governance features such as lifecycle automation, self-service requests, separation of duties and in-depth reporting.

Thanks to its no-code setup and out-of-the-box integrations, tenfold is ready to use much faster than comparable solutions, letting you automate access reviews and regain control of IT privileges in record time.

Advantages of user access reviews with tenfold:

  • Automate user access reviews from data collection to scheduling and privilege updates.

  • Right-size access from the start through role-based on- and offboarding.

  • Prevent conflicts of interest by enforcing Separation of Duties (SoD).

  • Empower end users with self-service access requests.

  • Keep a full paper trail of completed audits and changes to user access.

  • Easily integrate your stack with a library of off-the-shelf plugins.

With full visibility and powerful automation, tenfold makes access governance easier than ever before! Book a personal demo or sign up for a free trial to explore our solution yourself.


About the Author: Joe Köller

Joe Köller is tenfold’s Content Manager and responsible for the IAM Blog, where he dives deep into all things Identity & Access Governance. With the help of tenfold’s experienced team of IAM developers, Joe creates helpful and well-researched articles highlighting the security and productivity benefits of IAM. From hands-on guides to compliance breakdowns, his goal is to make complex topics approachable for all.