User Access Review Process: What Is It?


How does the User Access Review (UAR) process work?

The user access review process is an important control activity that ensures employees, contractors, and partners hold the correct rights and permissions across IT resources and data. It is run periodically (quarterly or annually) to satisfy compliance requirements. It also lets companies undertake continuous improvement initiatives, setting up new controls based on the access issues that the review uncovers. In general, the following steps make up the process:

1️⃣ Collect a list of users, their roles, and permissions

For many organizations this step is laborious and time-intensive, as it requires fetching user data from a number of locations covering employees, contractors, vendors, and partners. Proper planning improves the efficiency of the process and greatly reduces the effort involved.

2️⃣ Correlate users (identities) to accounts

A user (identity) can have several accounts across systems. For example, John Doe can use JD1 to log into an AD-authenticated application and john.doe to log into Salesforce. Before reviews can be assigned, every account belonging to an identity must be tabulated under that identity.

3️⃣ Assign reviews to managers or application owners

Depending on the user access review process the organization follows, reviews can be assigned to the manager, the application owner, the department head, or a combination of these.

4️⃣ Resolve or remediate violations

Any time a policy violation is found (e.g. an orphaned account or excessive privilege), user access must be adjusted. Additionally, the user access review process should create proof of compliance (reviewer name, approval or denial of access, date, etc.) for external auditors, especially if the organization falls under the requirements of SOX, HIPAA, etc. As a best practice, privileged accounts should be reviewed on a monthly basis, while accounts in critical systems under SOX, HIPAA, etc. should be reviewed on a quarterly basis.
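As an added illustration of steps 1 to 4 above (example code written for this article, not from the original post or from SecurEnds), the script below correlates accounts from several systems to HR identities, flags orphaned accounts and privileged entitlements for review, and records each reviewer decision as an audit record. The HR feed, the account list, the per-system privileged-entitlement policy and the reviewer name are all constructed assumptions.

```python
from datetime import date

# Constructed sample data (not from the article): an HR feed of active
# identities and accounts pulled from three systems of record.
HR_IDENTITIES = {"E100": "John Doe", "E200": "Jane Roe"}
ACCOUNTS = [
    {"system": "AD", "account": "JD1", "identity": "E100", "entitlements": ["Domain Users"]},
    {"system": "Salesforce", "account": "john.doe", "identity": "E100", "entitlements": ["Sales Rep", "System Admin"]},
    {"system": "AD", "account": "jroe", "identity": "E200", "entitlements": ["Domain Users"]},
    {"system": "Payroll", "account": "svc_old", "identity": None, "entitlements": ["Payroll Admin"]},
    {"system": "Payroll", "account": "bsmith", "identity": "E300", "entitlements": ["Payroll Viewer"]},
]
# Assumed per-system policy: which entitlements count as privileged.
PRIVILEGED = {"AD": {"Domain Admins"}, "Salesforce": {"System Admin"}, "Payroll": {"Payroll Admin"}}

def correlate(accounts, identities):
    """Step 2: group accounts under their owning identity; unknown owners go under 'ORPHANED'."""
    by_identity = {}
    for acct in accounts:
        owner = acct["identity"] if acct["identity"] in identities else "ORPHANED"
        by_identity.setdefault(owner, []).append(f'{acct["system"]}:{acct["account"]}')
    return by_identity

def find_violations(accounts, identities, privileged):
    """Step 4 input: flag orphaned accounts and privileged entitlements as review items."""
    findings = []
    for acct in accounts:
        ref = f'{acct["system"]}:{acct["account"]}'
        if acct["identity"] not in identities:  # no owner, or owner no longer in HR
            findings.append((ref, "orphaned account"))
        for ent in acct["entitlements"]:
            if ent in privileged.get(acct["system"], set()):
                findings.append((ref, f"privileged entitlement {ent}"))
    return findings

def record_decision(finding, reviewer, approved, decided_on=None):
    """Proof of compliance for auditors: who reviewed which finding, the decision, and when."""
    return {
        "account": finding[0],
        "finding": finding[1],
        "reviewer": reviewer,
        "decision": "approved" if approved else "revoked",
        "date": decided_on or date.today().isoformat(),
    }

if __name__ == "__main__":
    for f in find_violations(ACCOUNTS, HR_IDENTITIES, PRIVILEGED):
        print(record_decision(f, "app.owner", False, "2024-01-15"))  # constructed reviewer and date
```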

Manual or Automated?

A question that often arises is whether these reviews should be automated. This is more a question of efficiency, risk mitigation and compliance than of pure preference. Automating the user access review process greatly improves efficiency and accuracy. Automatic data ingestion using connectors makes data collection straightforward. A centralized reviewer dashboard notifies approvers of new reports and ensures the date and approval are tracked with an electronic signoff. The approval is then captured, along with any related change requests, in the documented workflow and stored for future audits.

#1 User Access Review Solution

SecurEnds is the leading user access review solution in the market with its lightweight, highly configurable and industry-first flex-connector product that keeps companies secure while meeting audit and compliance requirements. Our software allows you to load user data from multiple systems of record, connect dynamically to applications, match identities with user credentials, manage heartbeat identities across connected and disconnected, schedule one-time or periodic access recertifications, and create proof of compliance for external auditors.

✍ Article by Abhi Kumar Sood