Drata’s Access Review feature streamlines the process of gathering users and their access levels, with a UI focused on quickly examining an account’s application permissions and clearly communicating which accounts need to have their access levels changed.
Note: User Access Review in Drata examines connected applications across all workspaces and auto-generates evidence when access review is completed to the primary workspace.
BEFORE DIVING IN
Verify your role has access. The Access Reviewers role in Drata allows personnel to perform access reviews.
Ensure that your applications have the correct permissions and setup.
Access Review overview
On the Access Review page, there are two tabs:
Applications: View the latest data that Drata has synchronized from applicable connections. The ongoing data is pulled nightly.
Reviews: Displays active review periods, their current status, and a list of any review periods previously completed. The review can be scoped to a subset of all applications detected by Drata and manually added applications. Only one review may be active at a time.
Set up access review
Reviews do not carry over to different review periods. You will need to restart this process for a new review period.
Create a review period
Create a review period within the Applications or Reviews tab.
Define the starting and ending dates of your review period and continue.
Choose the applications you want to include in the review. Ensure each application has an assigned reviewer. If an application does not have a reviewer, select the application row to assign one.
Note: Ensure that personnel assigned to reviews have the Access Reviewers role in Drata. Administrators do not need this role to perform reviews.
If the application you would like to include is not found, you can manually add an application while setting up the review period.
To manually add an application, select the Add Application button. For further instructions such as adding personnel, refer to the following sections.
Add applications and personnel manually (if needed)
Manually add an application:
Navigate to the Access Review page.
Add an application (if needed).
You can manually add an application when setting up a review period under the Reviews tab or by selecting Add Application under the Applications tab.
Enter the relevant URL. This URL allows Drata to retrieve the appropriate logo for the application.
Manually upload personnel:
After adding the application, you can upload personnel data for user access review.
Navigate to the application. You can find the application under the Applications tab and then select View personnel.
If a CSV personnel file has not been uploaded, select the Upload Personnel button.
If personnel data changes, you can always update the personnel data and select the Upload New Personnel CSV button. This option is only available after uploading a personnel list.
Download the template and enter values in the following columns: First Name, Last Name, Email Address, and Access.
If you wish to exclude a column, enter NULL for all rows in that column.
Once your file is uploaded, you can approve, reject, or mark users as out of scope for your access review.
Update personnel list manually (if needed):
If personnel data changes during the review, navigate to the application and select the Upload New Personnel CSV button.
Upload the CSV file with the updated information.
Choose how to re-upload your data:
Only Pull Personnel Changes: Use this if only minor changes were made. Drata will compare the new file with the previous one and highlight the differences.
Overwrite All Data: Select this if you want to replace all previously stored data with the new information.
Performing a Review
In an active review period, every selected application will have two options: Review Application and Review details. The former will open an application user list, detailing the assigned reviewers, a status summary of all personnel, and the list of all detected account data for that application.
Select Review Application to view more information about the desired application. When entering an individual application to perform a review, there will be a pane of options to help filter the user set.
All personnel: Displays all personnel who have any level of access to the selected application.
Review Status: Filters the user list based on the current review status of each account. Options include:
Out of scope: Accounts that are excluded from the review.
Not reviewed: Accounts that haven't been reviewed yet.
Rejected: Accounts where access was denied or flagged.
Approved: Accounts where access was reviewed and confirmed.
Warnings
Former personnel with access: Displays accounts where the personnel is marked as a Former Employee but still has access to the application.
Unlinked users: Displays personnel who are not linked to the HRIS/IdP data from your connections. To link personnel, go to the Connections page and select Manage accounts to ensure they are associated with a Drata identity profile.
Service accounts: Identifies service accounts by detecting an isBot = True or a similar attribute in the JSON response from the platform.
Permissions
Admin: Identifies admin accounts, detected by the presence of an isAdmin status or roles like AdminType or Admin in the JSON response.
Filter by connection: Allows you to filter accounts by specific connections (for example, if you have multiple AWS connections and want to view accounts from only AWS).
Filter by employee status: Provides additional filtering options based on employee status, such as Out of Scope and Current Contractor.
Missing MFA: Shows personnel who do not have Multi-Factor Authentication (MFA) properly configured in Version Control, Infrastructure, and Identity applications.
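The Python example below is added here to show how the Warnings and Permissions filters listed above can be reproduced against an application’s raw account records, for instance to sanity-check a connection’s output before a review; it is not Drata’s code. The attribute names isBot, isAdmin, AdminType and Admin come from the page, while the email, roles and mfaEnabled fields, the personnel status strings, and the sample records are assumptions constructed for the example.

```python
# Constructed sample of per-account records as an application connection might
# return them; isBot / isAdmin / Admin-type roles are named on the page, the rest is assumed.
ACCOUNTS = [
    {"email": "ada@example.com", "isAdmin": True, "roles": ["Owner"], "mfaEnabled": True},
    {"email": "alan@example.com", "isAdmin": False, "roles": ["AdminType"], "mfaEnabled": False},
    {"email": "ci-runner@example.com", "isBot": True, "roles": [], "mfaEnabled": False},
    {"email": "grace@example.com", "isAdmin": False, "roles": ["Developer"], "mfaEnabled": True},
    {"email": "nobody@example.org", "isAdmin": False, "roles": ["Viewer"], "mfaEnabled": True},
]

# Constructed HRIS/IdP identity profiles keyed by email; the 'Unlinked users'
# and 'Former personnel with access' warnings depend on this linkage.
PERSONNEL = {
    "ada@example.com": "Current Employee",
    "alan@example.com": "Current Contractor",
    "grace@example.com": "Former Employee",
}

def classify(account, personnel):
    """Return the Warnings/Permissions buckets an account falls into."""
    tags = set()
    if account.get("isBot") is True:
        tags.add("service_account")
    roles = account.get("roles") or []
    if account.get("isAdmin") is True or any("Admin" in str(r) for r in roles):
        tags.add("admin")
    status = personnel.get(account["email"].lower())
    if status is None:
        tags.add("unlinked")
    elif status == "Former Employee":
        tags.add("former_personnel_with_access")
    # Assumption: service accounts are not expected to carry MFA, so missing MFA is only raised for people.
    if "service_account" not in tags and not account.get("mfaEnabled", False):
        tags.add("missing_mfa")
    return tags

def review_summary(accounts, personnel):
    """Map each account email to its sorted tags, the set a reviewer filters on."""
    return {a["email"]: sorted(classify(a, personnel)) for a in accounts}

def flagged_for_attention(accounts, personnel):
    """Emails a reviewer should look at first: a former employee still holding access, or an admin without MFA."""
    out = []
    for a in accounts:
        tags = classify(a, personnel)
        if "former_personnel_with_access" in tags or {"admin", "missing_mfa"} <= tags:
            out.append(a["email"])
    return out
```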
The top right of the user table also has a search bar to find individual personnel, or certain job titles you may want to explicitly check for.
During an active review, there may also be a ‘Change Status’ button present. This button will allow a bulk action to update the status of every selected account and, with one click, change them to a new status. This action can also be performed on each individual account from the account detail drawer, opened by selecting any line of account information from the presented list.
If you click on any individual account record, you can also enter a user detail drawer. This drawer will show much of the same information that the table displays, and includes some additional helpful information, such as a direct link to the user record in the source system (only viewable if you have permissions to view the administration UIs of those systems), which can be opened by clicking the ‘View account details’ link in the ‘Access’ section. We also display the raw access information Drata found in the queried system here, and any banners detailing why a warning was detected for the account.
If this drawer is open while performing a review, you can also perform additional actions:
Changing the status of an account to ‘Reviewed’, ‘Rejected’, or ‘Out of Scope’
Adding a note to ask more detail about a particular account
At any time, the applications or timing of the review period can be adjusted by clicking the ‘Edit review period’ prompt in the Reviews view. This will reopen the options selected during review period setup, which can be adjusted with the edit button shown on the right side of each section.
Completing a Review Period
When each account has been reviewed and updated to be audit-ready, an application can be completed by entering its ‘Application Review’ view and clicking the ‘Complete review’ button in the top right corner. This will convert the application review to the ‘Completed’ status, and generate a CSV report of account-related review evidence for the application. A user can also choose to upload additional documents by selecting the ‘Upload additional evidence’ checkbox, but the documents will not be saved or generated until the ‘Submit’ button is clicked.
Only when every Application has moved to a ‘Completed’ status will the final action to ‘Complete Review’ be accepted. When the review period is completed, all generated evidence will be combined in a zip file, with subfolders for each reviewed application, and added directly as evidence to DCF-11: Annual Access Control Review. Note that at this time, accounts utilizing workspaces will only see this generated for the Primary workspace, and you may need to copy the evidence elsewhere. The evidence can also be found in the Drata Evidence Library, with a default evidence renewal set one year in the future.
Reviewing a completed Review Period
A completed review period will display the period in which the access review took place, for purposes of organization. If you need to examine the evidence generated for each application, you can click the ‘Evidence’ download button in each application. If instead you want to review the entire combined data set generated for an access review, you can click the ‘Evidence package’ download button to examine everything collected.
To review some of these details directly in the UI, you can click the ‘Review details’ option under any completely reviewed application to view information such as: who the review was completed by, the date it was completed, who all the assigned reviewers were, additional evidence added to the review, and any notes about the particular application made to explain data amongst your team, or for auditors.
Finally, if an administrator wants to reopen a review because some key piece of evidence was missed, they can re-open the period with the ‘Re-open review’ button. This will force the completed review to become the active review, and will allow you to edit any application's review within this period. Drata only allows one active review period to be open at a time.
Our solution is focused on review and does not include remediation and advanced access management functionality such as workflow automation. If you are interested in those functionalities, we have partnerships with other vendors. Please reach out to your CSM to learn more.