# Access Reviews
## Overview
Access Reviews help you periodically verify that users have appropriate access to systems and data. Regular access reviews are a key compliance requirement for frameworks such as SOC 2, ISO 27001, and HIPAA.
## Why Access Reviews?
Access reviews address common security risks:
- Privilege Creep - Users accumulate access over time
- Orphan Accounts - Access remains after role changes
- Excessive Permissions - More access than needed
- Compliance Requirements - Required by most frameworks
## Access Review Process
1. **Define Scope** - Determine which systems and users to review.
2. **Collect Access Data** - Gather current access information from systems.
3. **Assign Reviewers** - Assign managers or owners to review access.
4. **Conduct Review** - Reviewers approve or revoke access.
5. **Remediate** - Remove inappropriate access.
6. **Document** - Record review results for compliance.
## Creating Access Reviews
### Review Campaigns
1. Navigate to Compliance → Access Reviews
2. Click Create Review
3. Configure the review:
   - Name - Descriptive campaign name
   - Scope - Systems to review
   - Reviewers - Who will review (managers, system owners)
   - Due Date - Review deadline
   - Frequency - One-time or recurring
4. Click Create
### Review Scope Options
| Scope Type | Description |
|---|---|
| All Users | Review all user access |
| By Group | Review specific compliance groups |
| By System | Review access to specific systems |
| Privileged | Review only privileged access |
| New Access | Review recently granted access |
## Automated Data Collection
### Integration-Based Collection
With connected integrations, Bastion automatically collects:
- Identity Provider - User accounts and group memberships
- Cloud Services - Application access and roles
- Code Repositories - Repository permissions
- SaaS Applications - Application entitlements
### Manual Data Entry
For systems without integrations:
1. Open the review
2. Click Add Access Data
3. Upload the access listing (CSV format)
4. Map columns to access fields
## Conducting Reviews
### Reviewer Experience
Reviewers see a list of user access to evaluate:
| Column | Description |
|---|---|
| User | Employee name |
| System | Application or system |
| Access Level | Permission or role |
| Last Used | Recent access activity |
| Granted Date | When access was granted |
| Decision | Approve or Revoke |
### Review Actions
| Action | Meaning |
|---|---|
| Approve | Access is appropriate |
| Revoke | Access should be removed |
| Flag | Needs further investigation |
| Delegate | Assign to another reviewer |
### Bulk Actions
For efficiency:
- Select multiple rows
- Apply bulk approve/revoke
- Add comments to bulk actions
## Remediation
### Handling Revocations
When access is revoked:
1. The revocation creates a task
2. The task is assigned to the system owner or IT
3. The owner removes the access in the system
4. The owner marks the task complete in Bastion
5. Verification confirms the removal
### Remediation Tracking
Monitor remediation progress:
- Pending - Awaiting removal
- In Progress - Removal underway
- Completed - Access removed
- Verified - Removal confirmed
## Review Reports
### Completion Reports
Generate reports showing:
- Coverage - Users and systems reviewed
- Decisions - Approve vs. revoke breakdown
- Completion Rate - Percentage reviewed
- Reviewer Performance - Reviews by reviewer
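As an added example (not Bastion's own code; the review field names and CSV headers are assumed), the manual-entry path and the completion-report figures above in Python: a CSV access listing is mapped onto the reviewer columns, decisions are recorded, and coverage, the approve vs. revoke breakdown, the completion rate and the revocations awaiting remediation are computed.

```python
import csv
import io
from collections import Counter

# Constructed sample export from a system that has no integration. The header
# names are the source system's own; carol's empty last_login means never used.
SAMPLE_CSV = """login,app,role,last_login,created
alice,payroll,admin,2024-05-02,2021-03-10
bob,payroll,viewer,2023-11-14,2022-08-01
carol,git-server,maintainer,,2024-04-20
"""
# Review field -> CSV header (field names assumed for this example).
COLUMN_MAP = {"user": "login", "system": "app", "access_level": "role",
              "last_used": "last_login", "granted_date": "created"}
VALID_DECISIONS = {"approve", "revoke", "flag"}

def load_access_listing(csv_text, column_map):
    """Parse a CSV access listing and map its columns onto review fields."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [src for src in column_map.values() if src not in reader.fieldnames]
    if missing:
        raise ValueError(f"CSV is missing mapped columns: {missing}")
    rows = []
    for raw in reader:
        row = {field: raw[src].strip() or None for field, src in column_map.items()}
        row["decision"] = None  # no decision recorded yet
        rows.append(row)
    return rows

def record_decision(rows, user, system, decision, comment=""):
    """Record one reviewer decision for a user/system pair."""
    if decision not in VALID_DECISIONS:
        raise ValueError(f"unknown decision: {decision}")
    for row in rows:
        if row["user"] == user and row["system"] == system:
            row["decision"], row["comment"] = decision, comment
            return row
    raise KeyError(f"no access row for {user} on {system}")

def completion_report(rows):
    """Coverage, approve/revoke breakdown, completion rate and open revocations."""
    decided = [r for r in rows if r["decision"]]
    rate = round(100 * len(decided) / len(rows), 1) if rows else 0.0
    return {
        "coverage_users": len({r["user"] for r in rows}),
        "coverage_systems": len({r["system"] for r in rows}),
        "decisions": dict(Counter(r["decision"] for r in decided)),
        "completion_rate": rate,
        "pending_remediation": [(r["user"], r["system"]) for r in rows if r["decision"] == "revoke"],
    }
```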
### Audit Evidence
Access review documentation includes:
- Review scope and methodology
- Complete decision records
- Remediation evidence
- Timestamps and reviewer identities
## Recurring Reviews
### Setting Up Recurrence
Schedule automatic review campaigns:
| Frequency | Use Case |
|---|---|
| Quarterly | Critical systems, privileged access |
| Semi-Annual | Standard systems |
| Annual | Low-risk systems |
### Recurrence Configuration
1. Open the existing review
2. Click Schedule Recurrence
3. Select the frequency
4. Set the start date for the next review
5. Configure notifications
## Best Practices
### Review Privileged Access More Often
Admin and privileged accounts should be reviewed quarterly or more frequently due to their elevated risk.
### Involve the Right Reviewers
Managers should review their direct reports. System owners should review system-specific access.
### Set Realistic Deadlines
Give reviewers enough time to make informed decisions, but not so long that reviews become stale.
### Enforce Completion
Follow up on incomplete reviews. Incomplete reviews don't satisfy compliance requirements.
## Compliance Mapping
Access reviews provide evidence for:
| Framework | Requirements |
|---|---|
| SOC 2 | CC6.1, CC6.2, CC6.3 |
| ISO 27001 | A.9.2.5, A.9.2.6 |
| HIPAA | §164.308(a)(4) |