
Run an Access Review (New Experience)

Access Reviews help you review and validate user access across connected applications.

Updated over 2 weeks ago

💡 Still using the classic Drata experience? Refer to Access Reviews for the original UI.

Drata centralizes application permissions so you can confirm appropriate access, identify risks, and generate audit-ready evidence for annual access control reviews.

Prerequisites

Step 1: Navigate to Access Reviews

Go to Governance → Access Reviews.

The Access Reviews page includes three tabs:

  1. Applications

    • Shows the latest synced access data from connected applications.

    • Data refreshes nightly.

    • Applications can be manually added if needed.

  2. Active Review

    • Shows the currently active review period.

    • Tracks review progress across applications.

    • Only one review period can be active at a time.

  3. Completed Reviews

    • Shows previously completed review periods.

    • Includes downloadable evidence packages.

    • Displays reviewer and completion details.

Step 2: Create a Review Period

Only one review period can be active at a time.

  1. Go to Governance → Access Reviews.

  2. Select Create review.

  3. Choose a start and end date.

    • Drata does not take a snapshot of access data at the start of the review period. Instead, each application shows access as it exists on the day the reviewer performs that application's review, even if that day falls after the period's end date.

    • For example, if you set your review period from April 1 to June 30 but complete the review on July 5, you’ll see access data as it exists on July 5.

    • Because the evidence reflects access on the completion date rather than during the window, any access added or removed before you complete the review is what the evidence will show. Complete each application review close to the point in time the evidence is meant to represent.

  4. Choose which applications to include in the review period.

  5. Assign a reviewer to each application. Reviewers must have the Access Reviewer or Admin role.

Step 3: Review Access for an Application

Once a review period is active, reviewers validate access one application at a time.

To open the Active Review:

  1. Go to Governance → Access Reviews.

  2. Select the Active Review tab.

  3. Choose an application in scope.

Inside the application view, you can:

  • View the assigned reviewer.

  • View all users with access, or upload the user list for an application whose access data is not synced automatically.

  • Track review progress across accounts.

  • Identify warnings and potential risks.

Step 4: Complete an Application Review

When all accounts in the application have been reviewed:

  1. Open the application from the Active Review period.

  2. Select Complete review.

  3. (Optional) Upload additional evidence.

  4. Select Submit.

When the review period is completed, Drata combines all application evidence into a single ZIP file, with a separate folder for each reviewed application. This file is automatically attached to DCF-11: Annual Access Control Review and saved as evidence. The evidence renewal date is set to one year from the completion date by default.

For accounts using workspaces, evidence is generated only for the Primary workspace. You may need to manually copy the evidence to other workspaces if required.


Account Warnings in Your Active Review

While performing an access review, you may notice accounts flagged with specific Warnings. These flag accounts that may represent a security risk (for example, a former employee who still holds access or an administrator who no longer needs elevated rights) or a data gap (an account Drata cannot tie to a person), and they should be resolved before the application review is completed.

To view these warnings, navigate to the Access Reviews page and select the specific application you are reviewing.

Each warning and the action to take:

  • Former personnel with access: Review and offboard. Verify whether the user should still have access in the source application. If they have already been offboarded from your company, manually remove their access within that specific application.

  • Missing MFA: Enable MFA. Determine whether Multi-Factor Authentication (MFA) is required for this user. If so, update their security settings directly in the source application where supported.

  • Unlinked users: Map the identity. These accounts are not currently tied to a Drata identity. On the Access Review page, check the Status column. If an account is unlinked, click the Link Personnel button to map the account to the correct personnel profile.

  • Service accounts: Informational only. No action is required unless the account appears misclassified. These flags help you distinguish between human users and automated system/integration accounts.

  • Admin: Verify privileges. Confirm that this user requires administrative access. If elevated permissions are no longer necessary for their role, downgrade their privileges in the source application.
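The warnings above are the result of joining an application's account list against your personnel roster and checking each account's role and MFA state. The following is an added example, not Drata's code or part of the original article, that reproduces the same five warning categories over a constructed application export and a constructed personnel roster. The CSV column names (email, role, mfa_enabled, account_type, status) and the sample people are assumptions made for the example; a real export will have its own schema.

```python
"""Reproduce the Access Review account warnings over sample data.

Added example, not Drata's implementation. The CSV shapes below are assumed:
an application export with email/role/mfa_enabled/account_type columns, and a
personnel roster with email/status columns.
"""
import csv
import io

# Constructed sample application export (made-up accounts for the example).
APP_EXPORT_CSV = """email,role,mfa_enabled,account_type
alice@example.com,admin,true,user
bob@example.com,member,false,user
carol@example.com,member,true,user
ci-deploy@example.com,admin,false,service
dave@example.com,member,true,user
"""

# Constructed personnel roster. Carol has been offboarded; Dave is missing
# entirely, so his application account cannot be linked to a person.
PERSONNEL_CSV = """email,status
alice@example.com,active
bob@example.com,active
carol@example.com,offboarded
"""


def load_csv(text):
    """Parse CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def review_application(app_csv, personnel_csv):
    """Return {email: [warnings]} using the same categories as the table above.

    Warning order per account: Service account, Unlinked user / Former
    personnel with access, Missing MFA, Admin.
    """
    personnel = {
        row["email"].strip().lower(): row["status"].strip().lower()
        for row in load_csv(personnel_csv)
    }
    results = {}
    for acct in load_csv(app_csv):
        email = acct["email"].strip().lower()
        warnings = []

        # Service accounts are informational; they are not expected to map to
        # a person, so the identity checks are skipped for them.
        if acct["account_type"].strip().lower() == "service":
            warnings.append("Service account")
        else:
            status = personnel.get(email)
            if status is None:
                warnings.append("Unlinked user")
            elif status == "offboarded":
                warnings.append("Former personnel with access")

        # MFA is checked for every account, including service accounts, so the
        # reviewer can decide whether it is required where the app supports it.
        if acct["mfa_enabled"].strip().lower() != "true":
            warnings.append("Missing MFA")

        # Elevated privileges always need an explicit confirmation.
        if acct["role"].strip().lower() == "admin":
            warnings.append("Admin")

        results[email] = warnings
    return results


def summarize(results):
    """Count how many accounts carry each warning."""
    counts = {}
    for warnings in results.values():
        for warning in warnings:
            counts[warning] = counts.get(warning, 0) + 1
    return counts


if __name__ == "__main__":
    findings = review_application(APP_EXPORT_CSV, PERSONNEL_CSV)
    for email, warnings in findings.items():
        print(f"{email}: {', '.join(warnings) or 'no warnings'}")
    print(summarize(findings))
```

In the sample data the former employee (carol) still holds an account, the CI deploy account is both an admin and lacks MFA, and dave cannot be linked to anyone in the roster; those are exactly the cases the warnings table tells a reviewer to act on before selecting Complete review.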


Reopen a Completed Review

Admins can reopen a completed review period if updates are needed. To do this, go to Governance → Access Reviews, open the Completed Reviews tab, and select Re-open review.

Reopening makes the review active again and allows edits to application reviews. This option is only available when no other review is currently active, since only one review period can be active at a time.
