It's important to let Drata know the appropriate level of access each user should have across your company's infrastructure provider. Drata's daily, automated tests will confirm and collect evidence for future audits. If unauthorized access is detected, your team will be alerted automatically.

Remember, Drata is only provided with Read-Only access to your company's systems. The toggles on this page are not changing any permissions or access levels on your actual infrastructure provider.

1. Select "Connections" from the left side navigational menu.

2. Click "Manage Accounts" next to your company's connected Infrastructure.

(Note: you need to first connect your Infrastructure provider to Drata.)

Note: Azure is shown in the photo above, but your company might be using a different provider.

3. The first time you view the "Manage Accounts" page after connecting your infrastructure, it will look something like this:

You'll notice that the list of IAM users are not currently linked to any of your personnel. You'll need to make those initial connections one time here in Drata. To do so, simply click on the dropdown in the User column and begin typing the name of the matching personnel.

Now that user is linked and the icon in the first column has been updated to a link. Use the arrow icon in the far right column to unlink this record and relink it to another employee account in the User column if an adjustment is needed.

Now, let's look at the last 5 columns of the table:

When you remove a user from your connected infrastructure system, it can take up to 24 hours to see the updates appear within Drata. This is due to the connection API.

Deleting an account in your infrastructure system will not remove it from Drata. Instead, Drata will add a timestamp under 'Access Revoked' on the Managed Accounts screen. This is important as it creates an audit trail allowing for tracking of access control SLAs.

The toggles in the "DB Access" and "Admin Access" columns do not yet influence any automated monitoring tests in Drata. These toggles are optional to set.

The next column is "Has MFA". This column is 100% automated and pulling in from the infrastructure provider. It's important that IAM users have MFA enabled.

The last column has a Gear icon. If you hover over the icon, you'll see a tooltip that says "Make Out of Scope (Ignore)." Click this gear only for IAM users that are not actual real people at your company, but instead are accounts meant for conducted specific services automatically. When you click the icon, you'll see a modal window that looks like this:

You'll be prompted to provide the business rationale for having an account that is not unique to any individual at your company. Inputting this information here will save you time during your next audit. This action also makes this record appear with the link icon in the far left column, and will help avoid test failures for this record.

Learn more about how identity sync updates are made in Drata in connection to your Infrastructure and how accounts are revoked.

Future iterations of this page can include the ability to conduct and record evidence of formal system access control reviews. Automatic alerts can be sent to appropriate individuals on a regular cadence to conduct these reviews in an efficient way.

Have ideas or feedback for our product team? Please never hesitate to reach us!