Run an Access Review (New Experience)

Access Reviews help you review and validate user access across connected applications.

💡 Still using the classic Drata experience? Refer to Access Reviews for the original UI.

Drata centralizes application permissions so you can confirm appropriate access, identify risks, and generate audit-ready evidence for annual access control reviews.

Prerequisites

Step 1: Navigate to Access Reviews

Go to Governance → Access Reviews.

The Access Reviews page includes three tabs:

  1. Applications

    • Shows the latest synced access data from connected applications.

    • Data refreshes nightly

    • Applications can be manually added if needed

  2. Active Review

    • Shows the currently active review period.

    • Tracks review progress across applications

    • Only one review period can be active at a time

  3. Completed Reviews

    • Shows previously completed review periods.

    • Includes downloadable evidence packages

    • Displays reviewer and completion details

Step 2: Create a Review Period

Only one review period can be active at a time.

  1. Go to Governance → Access Reviews.

  2. Select Create review.

  3. Choose a start and end date.

    • Drata does not take a snapshot of access data during the review period. Instead, access is shown as it exists on the day you perform the review.

    • For example, if you set your review period from April 1 to June 30 but complete the review on July 5, you’ll see access data as it exists on July 5.

  4. Choose which applications to include in the review period.

  5. Assign a reviewer to each application. Reviewers must have the Access Reviewer or Admin role.

Step 3: Review Access for an Application

Once a review period is active, reviewers validate access one application at a time.

To open the Active Review:

  1. Go to Governance → Access Reviews

  2. Select the Active Review tab

  3. Choose an application in scope

Inside the application view, you can:

  • View the assigned reviewer

  • Upload or view all users with access

  • Track review progress across accounts

  • Identify warnings and potential risks

Step 4: Complete an Application Review

When all accounts in the application have been reviewed:

  1. Open the application from the Active Review period

  2. Select Complete review

  3. (Optional) Upload additional evidence

  4. Select Submit

When the review period is completed, Drata combines all application evidence into a single ZIP file, with a separate folder for each reviewed application. This file is automatically attached to DCF-11: Annual Access Control Review and saved to your evidence. The evidence renewal date is set to one year from the completion date by default.

For accounts using workspaces, evidence is generated only for the Primary workspace. You may need to manually copy the evidence to other workspaces if required.


Reopen a Completed Review

Admins can reopen a completed review period if updates are needed. To do this, go to Governance → Access Reviews, open the Completed Reviews tab, and select Re-open review.

Reopening makes the review active again and allows edits to application reviews. This option is only available when no other review is currently active, since only one review period can be active at a time.
