Completing an Access Review
Last updated: October 7, 2024
Background
All the accounts in your access review have been approved or rejected.
What's next?
🤔 How do I get that beautiful report to send to my auditor?
Steps
1. ❌ Handle the Rejected Accounts
You (& your delegators) have approved/rejected access to all users! Once you have completed this, depending on the type of app, you'll see an orange button become clickable on the top right!
In a previous step, you configured the default removal method for the app!
If that was Manual, we will assume you are conducting the removal yourself and will not automate removal.
If that was a deprovisioning webhook, we will run the deprovisioning webhook for all the accounts you rejected.
For Suspend/Deprovision, this will depend on the source(s) on the app:
| | ✅ Is Okta delegated | ❌ Is not Okta delegated |
| --- | --- | --- |
| ✅ Is a direct Lumos integration | We will attempt to deprovision via Okta (assuming “restrictive” sign-in mode) and also deprovision or suspend via Lumos integration. | We will deprovision or suspend via Lumos integration. |
| ❌ Is not a direct Lumos integration | This assumes that the account has a “restrictive” sign-in mode. We will deprovision via Okta (e.g. remove the user from the application). | Deprovision will not be an option. We will request manual evidence for the user because there’s no way for us to automate the removal process for the account. |
Automatic Removals
For Okta delegated apps & direct integrations, you'll see a button that says "Start Account Removal". This is because we can leverage your IdP and/or the direct Lumos integration to revoke access for rejected users.
⚠ This process will abide by the removal method configured for that app in your access review.
Modify Access: For accounts marked as "Modify Access", we will prompt you to upload evidence, similar to the Manual Removal workflow below.
Manual Removals
For manual/custom apps, you'll see a button that says "Start Manual Evidence Upload". This is because we cannot leverage your IdP or the direct Lumos integration to revoke access, so you'll have to do this manually. You'll then be prompted to upload evidence, such as a screenshot.
Afterwards, you'll be prompted to "Complete Review".
2. 📄 Generate your report
🧠 Did you know? You can generate this report even if your access review isn't completed yet.
This will generate a beautiful PDF that will include all necessary timestamps & approvers, mark automated removals, and include the evidence you attached.
Navigate to the top-level review and click "Generate Report" at the top right.
Once the report is generated, a "View Report" button appears.
The generated report will have a line-by-line breakdown of all approvals and rejections & timestamps of when it was reviewed and when access was automatically removed.
If you uploaded evidence, you'll see it attached at the end of the report ✌
3. [Optional] Send that report to your auditor, or upload it into your auditing software.
4. 🥳 Celebrate that it's done!
👋 Until the next one! 👋