Attesting to user access updates

Roles and permissions

The following roles can attest to user access updates for an access review:

Administrators who have been assigned as the Sysadmin for user records in the access review
Compliance managers who have been assigned as the Sysadmin for user records in the access review
Users who have been assigned as the Sysadmin for user records in the access review

Updating user access and attesting to those updates can be done by one or more people in your organization. For example, application administrators or other IT personnel could update access to an application and attest to the updates in Hyperproof.

Note

To attest to user access updates, the access review status must be In progress and the reviewer should have completed the entries in the Maintain access and Access notes columns of the review page. See Setting access review status.

You may have a case where a change to user access has been requested, but it is not necessary. For example, if you have a user who is out on extended leave, you may decide that the account can be suspended temporarily, instead of updating user access. This should be noted in Hyperproof.

These instructions walk you through attesting to user access updates from an automated task. If you want to begin your work before the update task is created by Hyperproof, open the Review tab for the access review and select an application to access the user records you have been assigned. You can only record access changes for records that have been reviewed and marked by the revieworganizationer.

The day after the Application reviews due date, Hyperproof creates an update task for each sysadmin in the access review. If an assigned sysadmin doesn't have an account in Hyperproof, they are invited to the organization and must accept the invitation before recording any account updates in Hyperproof.

Sysadmins are notified that they have user accounts to update either via email or a task created in an integrated system, such as Jira. Notification emails and tasks contain a link sysadmins can use to directly access the list of applications and user accounts they need to update. Due to the sensitive nature of the data being accessed, sysadmins are asked to log in to Hyperproof to record their updates.

Note

If you access your update assignments using the link in the notification email or task, you can skip to the images in Step 5 and continue following the instructions from there.

To attest to user access updates

From the left menu, select Access reviews.
Select the access review you want to update.
Select the Tasks tab.
A list of tasks displays. Unless you are the owner of the access review, you only see the tasks assigned to you to review or update.
Click your update task. Update task names start with the name of the assignee.
The task Details panel displays.
Click the Start review button.
The applications and associated lists of users to be updated display.
Note
Only the user records that require an update are displayed.
For each user click either Yes or No in the Access updated column.
- If you select Yes for a user, you are attesting that the user access updates have been done in the application.
- If you select No, the Edit sysadmin notes window displays. In the text field, enter any pertinent information about why the changes weren't made to this user's access. This information is required.
To edit notes, click in the Sysadmin notes field to open the Edit admin notes window.
To add individual pieces of proof verifying that the update to user access was done, click Upload proof.
The Proof Picker displays.
Add your proof in one of the following ways:
- Drag and drop files onto the proof grid.
- Click Add proof and select one of the following:
  My Computer - To use proof stored on your computer, click My Computer in the upper-left corner.
  This <object> - To use proof stored on objects linked to an evaluation or audit request, click This <object>.
  Cloud storage integration - To use proof stored in an integration, such as Drive, select the integration’s icon from the Add integration section in the bottom-left corner. Optionally, turn on LiveSync to automatically keep your proof up to date.
  Paste a link - Select this option to use a website URL as proof. The URL is rendered as a “Link” file type in Hyperproof; the only information shown in the file is the URL.
  Paste an image - Select this option to use a screenshot as proof. Take a screenshot (Cmd-Shift-5 on Mac, Shift-S on Windows), copy it to the clipboard, and then paste it in Hyperproof. Chrome users may need to allow this functionality. If prompted by the browser, refresh the page after clicking Allow.
  Existing proof - To reuse proof that already exists in your organization, select either Labels, Proof, My Controls, Vendors, Risks, Policies, or Programs from the left menu.
  Note
  When selecting existing proof on a policy, only effective and retired policy versions display.
If you have not completed all the system updates, click Save and close. You can return to the updates task anytime to complete it.
When your task is complete, click Submit.
A new window displays indicating that the task has been submitted. Submitting the updates task sets the task status to Closed.

Update window fields

Field	Definition
<Application name>	Displays a tab with the name of each application being reviewed. Click the name of the application you want to review.
Status	Statuses include: - Not started - Reviewer has not entered a response under Maintain access. - In progress - Reviewer has entered No under Maintain access, meaning an update to the user account is required. - Complete - Reviewer has entered Yes under Maintain Access or the sysadmin has entered a response under Access updated.
Account to review	Full name and username or email of the user whose access is being reviewed. Note If both username and email were included when creating the application user list, the username takes precedence and is displayed. Email is hidden.
Role	Role assigned to the user for this application, such as user or administrator. Role names are determined by the application.
Job title / Department	The job title and department of the user being reviewed. This information is pulled from the employee directory and is matched to the user record based on the user's email address. If the email address is unavailable, Hyperproof tries to match based on the user's full name.
Access notes	Notes containing information about the access changes needed for a user. Notes are required for any user where the Maintain access field is set to No. To update or add a note, click in the notes field.
Access updated	Indicates whether or not the user's access has been updated in the application. This is where the person responsible for updating user access attests that the update has been done. Options include: Note If you view records where you are not the sysadmin, the Yes and No icons display in gray with the selected icon outlined in dark gray. Yes - Indicates that the user's access has been changed for the application being reviewed. No - Indicates that the user's access has not been changed and requires that you enter additional information in the Sysadmin notes field indicating why the changes were not made.
Sysadmin notes	Notes about updating a user's access. Notes are required for any user where the Access updated field is set to No, indicating that the requested updates were not done. For example, if a user is on a temporary leave, it may be better to suspend the user account than to remove permissions. When the user returns, you can reinstate their account without having to reconfigure all of the permissions. To update or add a note, click in the notes field.

In this section:

Attesting to user access updates

Roles and permissions

Note

Note

Note

Note

Update window fields

Note

Note

Search results