
Run an Access Review

Access Reviews help you review and validate user access across connected applications.

⚠️ Select your experience

The steps depend on your interface version. Select a link to skip to the instructions for your version.

Customers who joined Drata on or after Feb 24, 2026 are automatically on the New Experience.

Instructions for the New Experience ⬇️

Drata centralizes application permissions so you can confirm appropriate access, identify risks, and generate audit-ready evidence for annual access control reviews.

Prerequisites

Step 1: Navigate to Access Reviews

Go to Governance → Access Reviews.

The Access Reviews page includes three tabs:

  1. Applications

    • Shows the latest synced access data from connected applications.

    • Data refreshes nightly.

    • Applications can be manually added if needed.

  2. Active Review

    • Shows the currently active review period.

    • Tracks review progress across applications.

    • Only one review period can be active at a time.

  3. Completed Reviews

    • Shows previously completed review periods.

    • Includes downloadable evidence packages.

    • Displays reviewer and completion details.

Step 2: Create a Review Period

Only one review period can be active at a time.

  1. Go to Governance → Access Reviews.

  2. Select Create review.

  3. Choose a start and end date.

    • Drata does not take a snapshot of access data during the review period. Instead, access is shown as it exists on the day you perform the review.

    • For example, if you set your review period from April 1 to June 30 but complete the review on July 5, you’ll see access data as it exists on July 5.

  4. Choose which applications to include in the review period.

  5. Assign a reviewer to each application. Reviewers must have the Access Reviewer or Admin role.

Step 3: Review Access for an Application

Once a review period is active, reviewers validate access one application at a time.

To open the Active Review:

  1. Go to Governance → Access Reviews

  2. Select the Active Review tab

  3. Choose an application in scope

Inside the application view, you can:

  • View the assigned reviewer

  • Upload or view all users with access

  • Track review progress across accounts

  • Identify warnings and potential risks

Step 4: Complete an Application Review

When all accounts in the application have been reviewed:

  1. Open the application from the Active Review period

  2. Select Complete review

  3. (Optional) Upload additional evidence

  4. Select Submit

When the review period is completed, Drata combines all application evidence into a single ZIP file, with a separate folder for each reviewed application. This file is automatically attached to DCF-11: Annual Access Control Review and saved to the Evidence Library. The evidence renewal date is set to one year from the completion date by default.

For accounts using workspaces, evidence is generated only for the Primary workspace. You may need to manually copy the evidence to other workspaces if required.


Account Warnings in Your Active Review

While performing an access review, you may notice accounts flagged with specific Warnings. These are proactive indicators designed to help you identify security risks or data gaps that require your attention.

To view these warnings, navigate to the Access Reviews page and select the specific application you are reviewing.

Warning | Action to Take
--- | ---
Former personnel with access | Review and Offboard: Verify whether the user should still have access in the source application. If they have already been offboarded from your company, manually remove their access within that specific application.
Missing MFA | Enable MFA: Determine whether Multi-Factor Authentication (MFA) is required for this user. If so, update their security settings directly in the source application where supported.
Unlinked users | Map the Identity: These accounts are not currently tied to a Drata identity. On the Access Review page, check the Status column. If an account is unlinked, click the Link Personnel button to map the account to the correct personnel profile.
Service accounts | Informational Only: No action is required unless the account appears misclassified. These flags help you distinguish between human users and automated system/integration accounts.
Admin | Verify Privileges: Confirm that this user requires administrative access. If elevated permissions are no longer necessary for their role, downgrade their privileges in the source application.


Reopen a Completed Review

Admins can reopen a completed review period if updates are needed. To do this, go to Governance → Access Reviews, open the Completed Reviews tab, and select Re-open review.

Reopening makes the review active again and allows edits to application reviews. This option is only available when no other review is currently active, since only one review period can be active at a time.


Instructions for the Classic Experience ⬇️

Drata's Access Review feature streamlines and automates the user access review process, ensuring that organizations can effectively manage who has access to their systems, applications, and data. This helps reduce risk and supports compliance with various regulatory frameworks.

Note: User Access Review in Drata examines connected applications across all workspaces and, when an access review is completed, auto-generates evidence in the primary workspace.

Prerequisites

  • Verify that your role in Drata is Access Reviewer.

  • Ensure that your applications have the correct permissions and setup.

Additionally, connect Drata to your identity providers, such as Okta or Google Workspace, and other integrated systems as part of the setup process.

Access Review overview

On the Access Review page, there are two tabs:

  1. Applications: View the latest data that Drata has synchronized from applicable connections. The ongoing data is pulled nightly.

  2. Reviews: Displays active review periods, their current status, and a list of any review periods previously completed. The review can be scoped to a subset of all applications detected by Drata and manually added applications.

    • Only one review may be active at a time.

    • Reviews don’t carry over between review periods. You will need to restart this process for a new review period.

Create a review period

Note: Only one review may be active at a time.

  1. Start a New Review:

    Go to the Applications or Reviews tab and select the option to create a new review period.

  2. Set the Review Dates:

    Choose the start and end dates for your review period. These dates help organize your review but do not lock in data from that specific timeframe.

    • Drata does not take a snapshot of access data during the review period. Instead, access is shown as it exists on the day you perform the review.

    • For example, if you set your review period from April 1 to June 30 but complete the review on July 5, you’ll see access data as it exists on July 5.

  3. Select Applications:

    Pick which applications you want to include in the review.

    • Make sure each application has a reviewer assigned.

    • If a reviewer is missing, select the application row to assign one.

      • Make sure reviewers have the Access Reviewers or Admin roles in Drata.

If the application does not show in the list to choose from, you can manually add it.

FAQ for review periods

Does Drata take a snapshot of access at the start of the review period?
No. Drata shows the most up-to-date access data when you perform the review. It doesn’t preserve access history unless you export it manually.

What happens if I review access after the review period ends?
You’ll be reviewing access as it exists on the day you perform the review. The review will still be tracked under the selected review period for reporting purposes.

Can I meet audit requirements with this approach?
Yes, in many cases. But if your auditor requires point-in-time data, we recommend exporting a CSV of access at the start of the review period for added evidence.

Add an application manually

  1. In the Applications tab, select Add Application.

  2. Enter the application's URL to display its logo in Drata.

You can manually add an application when setting up a review period under the Reviews tab or by selecting Add Application under the Applications tab.

Upload or Update personnel

Upload personnel CSV:

  1. Select the Application.

  2. Select Upload Personnel in the upper-right corner. The label may change depending on your current step.

  3. Download the template and enter values in the following columns: First Name, Last Name, Email Address, and Access.

    • If you wish to exclude a column, enter NULL for all rows in that column.

  4. Once your file is uploaded, you can approve, reject, or mark users as out of scope for your access review.

Update personnel list:

If personnel data changes during the review, navigate to the application and select the Upload New Personnel CSV button.

  1. Upload the CSV file with the updated information.

  2. Choose how to re-upload your data:

    • Only Pull Personnel Changes: Use this if only minor changes were made. Drata will compare the new file with the previous one and highlight the differences.

    • Overwrite All Data: Select this if you want to replace all previously stored data with the new information.
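As an added illustration (not Drata's own code), the following Python sketch parses uploads in the shape of the personnel CSV template above and compares two uploads in the spirit of Only Pull Personnel Changes. The NULL-column handling follows the article; keying rows on Email Address and the exact change categories are assumptions, since Drata's comparison is not documented.

```python
import csv
import io

# Columns of the Drata personnel CSV template named in the article.
TEMPLATE_COLUMNS = ["First Name", "Last Name", "Email Address", "Access"]


def parse_personnel_csv(text):
    """Parse one personnel CSV upload into ({email: row}, excluded_columns).
    A column that is the literal NULL in every row is treated as excluded, as
    the article describes; keying rows on Email Address is an assumption."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in TEMPLATE_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"template columns missing: {missing}")
    rows = list(reader)
    excluded = {c for c in TEMPLATE_COLUMNS
                if rows and all((r[c] or "").strip().upper() == "NULL" for r in rows)}
    if "Email Address" in excluded:
        raise ValueError("Email Address identifies each account and cannot be NULL")
    people = {}
    for r in rows:
        email = r["Email Address"].strip().lower()
        people[email] = {c: (r[c] or "").strip() for c in TEMPLATE_COLUMNS if c not in excluded}
    return people, excluded


def diff_uploads(previous_text, new_text):
    """Report accounts added, removed, or changed (name or access) between two
    uploads, in the spirit of 'Only Pull Personnel Changes'. Drata's actual
    comparison is not documented; this is an assumed approximation."""
    old, _ = parse_personnel_csv(previous_text)
    new, _ = parse_personnel_csv(new_text)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(e for e in set(old) & set(new) if old[e] != new[e]),
    }


# Constructed sample uploads (not real personnel data).
PREVIOUS = """First Name,Last Name,Email Address,Access
Ada,Lovelace,ada@example.com,Admin
Bob,Ng,bob@example.com,Member
Cy,Park,cy@example.com,Member
"""
UPDATED = """First Name,Last Name,Email Address,Access
Ada,Lovelace,ada@example.com,Member
Bob,Ng,bob@example.com,Member
Dee,Roy,dee@example.com,Member
"""
```

Calling `diff_uploads(PREVIOUS, UPDATED)` reports Dee as added, Cy as removed, and Ada as changed because her Access value dropped from Admin to Member.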

Performing a Review

During an active review period, each selected application includes two options:

  • Review Application: Opens the user list for that application, showing the assigned reviewers, a status summary of all personnel, and the list of all detected account data for that application.

  • Review details: Provides metadata about the review, including who completed it and when.

Select Review Application to open an individual application. Inside the application, a pane of options helps you filter the user set:

  • All personnel: Displays all personnel who have any level of access to the selected application.

  • Review Status: Filters the user list based on the current review status of each account. Options include:

    • Out of scope: Accounts that are excluded from the review.

    • Not reviewed: Accounts that haven't been reviewed yet.

    • Rejected: Accounts where access was denied or flagged.

    • Approved: Accounts where access was reviewed and confirmed.

  • Warnings

    • Former personnel with access: Displays accounts where the personnel is marked as a Former Employee but still has access to the application.

    • Unlinked users: Displays accounts that are not linked to the HRIS/IdP data from your connections. To link an account, go to the Connections page and select Manage accounts to ensure it is associated with a Drata identity profile.

    • Service accounts: Identifies service accounts by detecting an isBot = True or a similar attribute in the JSON response from the platform.

  • Permissions

    • Admin: Identifies admin accounts, detected by the presence of an isAdmin status or roles such as AdminType or Admin in the JSON response.

  • Filter by connection: Allows you to filter accounts by specific connections (for example, if you have multiple AWS connections and want to view accounts from only AWS).

  • Filter by employee status: Provides additional filtering options based on employee status, such as Out of Scope and Current Contractor.

  • Missing MFA: Shows personnel who do not have Multi-Factor Authentication (MFA) properly configured in Version Control, Infrastructure, and Identity applications.
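The warning rules listed above, together with the Account Warnings list in the New Experience section, as added example code (not Drata's own detection logic): the isBot and isAdmin/role checks are the heuristics the article names; the mfaEnabled field, the roster of linked personnel, and skipping the MFA check for bot accounts are assumptions of this illustration.

```python
# Constructed account records in the shape of the attributes the article says
# Drata inspects in an application's JSON response (isBot, isAdmin, roles).
# The mfaEnabled field is an assumption for this illustration.
ACCOUNTS = [
    {"email": "ada@example.com", "isAdmin": True, "mfaEnabled": True},
    {"email": "bob@example.com", "roles": ["Admin"], "mfaEnabled": False},
    {"email": "ci-runner@example.com", "isBot": True, "mfaEnabled": False},
    {"email": "cy@example.com", "mfaEnabled": True},
    {"email": "ghost@example.com", "mfaEnabled": True},
]

# Constructed roster standing in for the HRIS/IdP identities Drata links accounts to.
PERSONNEL = {
    "ada@example.com": "Current Employee",
    "bob@example.com": "Current Employee",
    "cy@example.com": "Former Employee",
}

ADMIN_ROLES = {"AdminType", "Admin"}


def is_admin(acct):
    """Admin warning: an isAdmin status or an admin-like role, per the article."""
    return bool(acct.get("isAdmin")) or bool(ADMIN_ROLES & set(acct.get("roles", [])))


def warnings_for(acct, personnel):
    """Return the article's warning labels that apply to one account."""
    found = []
    status = personnel.get(acct["email"].lower())
    if status is None:
        found.append("Unlinked users")
    elif status == "Former Employee":
        found.append("Former personnel with access")
    if acct.get("isBot") is True:
        found.append("Service accounts")  # informational only
    elif not acct.get("mfaEnabled", False):
        found.append("Missing MFA")  # assumption: MFA is checked for human accounts only
    if is_admin(acct):
        found.append("Admin")
    return found


def review_report(accounts, personnel):
    """Map every account to its warnings so flagged accounts can be reviewed first."""
    return {a["email"]: warnings_for(a, personnel) for a in accounts}


if __name__ == "__main__":
    for email, flags in review_report(ACCOUNTS, PERSONNEL).items():
        print(f"{email:24} {', '.join(flags) or 'no warnings'}")
```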

The top right of the user table also has a search bar to find individual personnel, or certain job titles you may want to explicitly check for.

During an active review, you may see a Change Status button. It performs a bulk action: select any number of accounts, then move them all to a new status with one click. The same action can be performed on an individual account from the account detail drawer, which opens when you select any line in the account list.

Selecting an individual account record opens a user detail drawer. The drawer shows much of the same information as the table, plus some additional details, such as a direct link to the user record in the source system (viewable only if you have permission to access that system's administration UI), which you open with the ‘View account details’ link in the ‘Access’ section. The drawer also displays the raw access information Drata found in the queried system and any banners explaining why a warning was detected for the account.

If this drawer is open while performing a review, you can also perform additional actions:

  • Changing the status of an account to ‘Reviewed’, ‘Rejected’, or ‘Out of Scope’

  • Adding a note to request more detail about a particular account

At any time, the applications or timing of the review period can be adjusted by clicking the ‘Edit review period’ prompt in the Reviews view. This will reopen the options selected during review period setup, which can be adjusted with the edit button shown on the right side of each section.

Completing a Review Period

When each account has been reviewed and updated to be audit-ready, an application can be completed by entering its ‘Application Review’ view and clicking the ‘Complete review’ button in the top right corner. This will convert the application review to the ‘Completed’ status, and generate a CSV report of account-related review evidence for the application. A user can also choose to upload additional documents by selecting the ‘Upload additional evidence’ checkbox, but the documents will not be saved or generated until the ‘Submit’ button is clicked.

You can only complete the review period after all applications are marked as Completed. When the review period is completed, all generated evidence is combined in a zip file, with a subfolder for each reviewed application, and added directly as evidence to DCF-11: Annual Access Control Review. Note that at this time, accounts using workspaces will only see this generated for the Primary workspace, and you may need to copy the evidence elsewhere. The evidence can also be found in the Drata Evidence Library, with a default evidence renewal set one year in the future.

Reviewing a completed Review Period

A completed review period will display the period the access review took place in for purposes of organization. If you need to examine the evidence generated for each application, you can click the ‘Evidence’ download button in each application. If instead you want to review the entire combined data set generated for an access review, you can click the ‘Evidence package’ download button to examine everything collected.

To review these details directly in the UI, select the ‘Review details’ option under any completed application to view information such as who completed the review, the date it was completed, who the assigned reviewers were, any additional evidence added to the review, and any notes about the application made to explain the data to your team or to auditors.

Finally, if an administrator wants to reopen a review because some key piece of evidence was missed, they can re-open the period with the ‘Re-open review’ button. This will force the completed review to become the active review, and will allow you to edit any application's review within this period. Drata only allows one active review period to be open at a time.

Our solution is focused on review and does not include remediation and advanced access management functionality such as workflow automation. If you are interested in those functionalities, we have partnerships with other vendors. Please reach out to your CSM to learn more.
