Access Reviews

Learn how to start, perform, or re-open user access reviews.

Written by Jane Baik
Updated over a week ago

Drata’s Access Review feature streamlines the process for gathering users and access levels, with a UI focused on quickly examining an account’s application permissions and properly communicating out any accounts that need to have their access levels changed.

Note: User Access Review in Drata examines connected applications across all workspaces and, when an access review is completed, auto-generates evidence in the primary workspace.

BEFORE DIVING IN

  • Verify your role has access. The Access Reviewers role in Drata allows personnel to perform access reviews.

  • Ensure that your applications have the correct permissions and setup.

HERE'S HOW

First Usage

Go to 'Access Review'.

When personnel enter the ‘Access Review’ feature, there are two options at the top of the screen.

  1. ‘Applications’ tab: View the latest data that Drata has synchronized from applicable connections. This data is pulled nightly.

  2. ‘Reviews’ tab: Displays active review periods, their current status, and a list of any review periods previously completed. A review can be scoped to a subset of all applications detected by Drata, and can include manually added applications. Only one review may be active at a time.

Starting a Review

To start your first access review, you can either click the ‘Create review period’ button in the ‘Applications’ tab or from an empty state in the ‘Reviews’ tab.

Define the starting and ending dates of your review period and continue.

Select the applications you would like to include. You can also add applications manually by selecting the ‘Add Application’ button. Ensure that each application has an assigned reviewer before continuing. If an application does not have reviewers, select the row of the application to open its drawer, where you can assign the reviewer.

Note: Ensure that the personnel you assigned have the Access Reviewers role in Drata. If they have an admin role, they do not need to be assigned Access Reviewers.

Performing a Review

In an active review period, every selected application will have two options: Review Application and Review details. The former will open an application user list, detailing the assigned reviewers, a status summary of all personnel, and the list of all detected account data for that application.

When entering an individual application user set to perform a review, there will be a right-hand pane of options to help filter the user set.

  • All Personnel: The default option, showing all users found with some level of access to the chosen application.

  • Review Status: These filters allow filtering of the user list based on the assigned review status of a given account. The options are Out of scope, Not reviewed, Rejected, and Approved.

  • Access level change: Only populates after a completed review. Displays users whose detected ‘Access’ information differs between the current and previous review.

  • Former personnel with access: Displays any account whose ‘Employee Status’ is set to ‘Former Employee’.

  • Missing MFA: Shows any user whose MFA is not properly configured in the detected system.

  • Filter by connection: Allows you to filter accounts to a certain connection (for example, if you have multiple connections to AWS and only want to see one).

  • Filter by employee status: Additional employee status filtering options, such as Out of scope and Current Contractor.

The top right of the user table also has a search bar to find individual personnel, or certain job titles you may want to explicitly check for. During an active review, a ‘Change Status’ button may also be present. This button performs a bulk action: with one click, it updates every selected account to a new status. The same action can be performed on an individual account from the account detail drawer, which opens when you select any line of account information in the list.
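As an added illustration that is not part of Drata's product or this article, the following Python models the review filters and the bulk status change described above over a constructed set of account records; the field names, the sample data, and the `can_complete` rule (no account left in ‘Not reviewed’) are assumptions.

```python
# Added illustration (not Drata's code): models the review filters described above
# over a constructed set of account records and applies a bulk status change.
from dataclasses import dataclass

@dataclass
class Account:
    email: str
    connection: str          # which connection the account came from (e.g. one of several AWS accounts)
    employee_status: str     # "Current Employee", "Former Employee", "Current Contractor", ...
    access: str              # raw access information detected in the source system
    mfa_enabled: bool
    status: str = "Not reviewed"   # Out of scope / Not reviewed / Rejected / Approved

# Constructed sample data for one application in the current review period.
CURRENT = [
    Account("ana@example.com", "aws-prod", "Current Employee", "AdministratorAccess", True),
    Account("bo@example.com", "aws-prod", "Former Employee", "ReadOnlyAccess", True),
    Account("cy@example.com", "aws-dev", "Current Contractor", "PowerUserAccess", False),
    Account("di@example.com", "aws-dev", "Current Employee", "ReadOnlyAccess", True),
]
# Access recorded for the same accounts in the previous (completed) review; "di" is new.
PREVIOUS_ACCESS = {"ana@example.com": "AdministratorAccess",
                   "bo@example.com": "ReadOnlyAccess",
                   "cy@example.com": "ReadOnlyAccess"}

def former_personnel_with_access(accounts):
    return [a for a in accounts if a.employee_status == "Former Employee"]

def missing_mfa(accounts):
    return [a for a in accounts if not a.mfa_enabled]

def access_level_changes(accounts, previous):
    # Accounts whose detected access differs from the previous review (new accounts are skipped).
    return [a for a in accounts if a.email in previous and previous[a.email] != a.access]

def by_connection(accounts, connection):
    return [a for a in accounts if a.connection == connection]

def change_status(accounts, new_status):
    # Bulk action: every selected account moves to the new status in one call.
    for a in accounts:
        a.status = new_status
    return accounts

def can_complete(accounts):
    # Assumed completion rule: every account must carry a decision before the application is completed.
    return all(a.status != "Not reviewed" for a in accounts)
```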

Note: When examining AWS, GCP, and Azure connections, the list will only populate accounts that have been linked in the ‘Manage Accounts’ view of the connection. This will be remedied in a future change.

If you click on any individual account record, you can also open a user detail drawer. This drawer shows much of the same information as the table, plus some additional helpful details. One is a direct link to the user record in the source system, opened by clicking the ‘View account details’ link in the ‘Access’ section (only viewable if you have permission to view the administration UIs of that system). The drawer also displays the raw access information Drata found in the queried system, and any banners explaining why a warning was detected for the account.

If this drawer is open while performing a review, you can also perform additional actions:

  • Changing the status of an account to ‘Reviewed’, ‘Rejected’, or ‘Out of Scope’

  • Adding a note to request more detail about a particular account

At any time, the applications or timing of the review period can be adjusted by clicking the ‘Edit review period’ prompt in the Reviews view. This will reopen the options selected during review period setup, which can be adjusted with the edit button shown on the right side of each section.

Completing a Review Period

When each account has been reviewed and updated to be audit-ready, an application can be completed by entering its ‘Application Review’ view and clicking the ‘Complete review’ button in the top right corner. This will convert the application review to the ‘Completed’ status, and generate a CSV report of account-related review evidence for the application. A user can also choose to upload additional documents by selecting the ‘Upload additional evidence’ checkbox, but the documents will not be saved or generated until the ‘Submit’ button is clicked.

Only when every application has moved to a ‘Completed’ status will the final action to ‘Complete Review’ be accepted. When the review period is completed, all generated evidence is combined in a zip file, with sub-folders for each reviewed application, and added directly as evidence to DCF-11: Annual Access Control Review. Note that at this time, accounts utilizing workspaces will only see this generated for the Primary workspace, and the evidence may need to be copied elsewhere. The evidence can also be found in the Drata Evidence Library, with a default evidence renewal set one year in the future.

Reviewing a completed Review Period

A completed review period displays the period during which the access review took place, for organizational purposes. If you need to examine the evidence generated for each application, you can click the ‘Evidence’ download button in each application. If instead you want to review the entire combined data set generated for an access review, you can click the ‘Evidence package’ download button to examine everything collected.

To review some of these details directly in the UI, you can click the ‘Review details’ option under any completely reviewed application to view information such as: who completed the review, the date it was completed, who all the assigned reviewers were, any additional evidence added to the review, and any notes about the particular application written to explain the data among your team or for auditors.

Finally, if an administrator wants to reopen a review because some key piece of evidence was missed, they can re-open the period with the ‘Re-open review’ button. This will force the completed review to become the active review, and will allow you to edit any application's review within this period. Drata only allows one active review period to be open at a time.

Our solution is focused on review and does not include remediation and advanced access management functionality such as workflow automation. If you are interested in those functionalities, we have partnerships with other vendors. Please reach out to your CSM to learn more.
