Conducting an access review
Roles and permissions
The following roles can conduct an access review:
Administrators who have been assigned as the Reviewer or Sysadmin for user records in the access review
Compliance managers who have been assigned as the Reviewer or Sysadmin for user records in the access review
Users who have been assigned as the Reviewer or Sysadmin for user records in the access review
Limited access users who have been assigned as the Reviewer or Sysadmin for user records in the access review
Access reviews are conducted by a reviewer and a sysadmin. The reviewer checks user access for each user in an application user list and indicates in Hyperproof whether or not that user's access needs to be updated. The sysadmin first modifies the user's access in the application itself, then attests in Hyperproof that the update has been made. Reviews and updates can be done by any number of people in your organization and are not limited to the default reviewer and sysadmin configured when the application user list is created.
To begin the review process, make sure the following tasks are complete:
An employee directory has been imported on the Setup tab of the access review. This is optional, but recommended. The directory contains information about each user's job title and department, which may help determine the appropriate access to the application being reviewed.
One or more application user lists have been imported on the Setup tab of the access review. This is required. The application user lists create a grid with a row for each user record where reviewers and sysadmins can record their work.
The controls that will be satisfied by the access review have been linked to the access review. When you generate proof at the end of the review, it can be attached to the controls.
The labels where you want to attach access review proof have been linked to the access review.
The status of the access review has been changed from In setup to In progress. You have two options for changing the status:
Open the access review Details tab and set the Status field to In progress.
Open the access review and click the Launch review button.
The status next to the access review title now displays the percentage of the review that is complete.
Note
Changing the status of the access review to In progress triggers:
An email notification to all assigned reviewers indicating that the access review has started
A task for each reviewer containing a link to the lists of users whose access they must review. See Access review tasks.
An invitation to direct managers who are assigned as reviewers but are not already users in the Hyperproof organization. Those users must accept the invitation to Hyperproof and log in to begin reviewing user access. See Using direct managers as reviewers for user access.
When all of the setup tasks are complete, conduct your review as follows:
The reviewer checks each user's access and records the results. See Reviewing user access.
The sysadmin modifies user access as needed in the affected application and attests to the updates in the application user list. See Attesting to user access updates.
When all reviewer and sysadmin tasks are complete, set the review status to Complete. See Completing an access review.
Generate proof that the review has been done. See Generating proof for an access review.
Link proof to controls and/or labels. See Linking access review proof to controls or labels.