Overview
Run review campaigns to verify that users still have the right access to the right apps.
Access reviews help your team regularly confirm that users still need the access they already have. In Iden, reviews are organized into campaigns, cycles, and stages. This structure lets you repeatedly verify access for the right people, apps, and permissions - and keep a clear record of every decision.
Access reviews are especially useful for meeting compliance requirements such as ITGC (IT General Controls), SOX (Sarbanes-Oxley), SOC 2, and ISO 27001. These are common security and financial audit standards that require organizations to regularly check and document who has access to what.
What access reviews are and why they matter
Over time, employees change teams, contractors finish their work, and software accounts collect more permissions than needed. If access is only granted and never reviewed, organizations typically end up with outdated access, over-permissioned accounts, and weak records to show auditors.
Access reviews solve that problem. They ask designated reviewers to regularly answer one simple question:
Does this person still need this access?
That matters for three reasons:
| Why it matters | How access reviews help |
|---|---|
| Least privilege (giving people only the access they need for their role) | Remove access that a person no longer needs |
| Security risk reduction | Catch dormant, excessive, or inappropriate access before it causes a problem |
| Audit readiness | Produce evidence that access was reviewed, decisions were recorded, and flagged access was cleaned up |
For compliance programs such as SOC 2, SOX, and ITGC, access reviews help prove that your organization actively manages who has access to your systems. A completed review gives you evidence of:
- Which apps and users were included in the review
- Who reviewed each access item
- What decision they made
- When they made it
- What follow-up action happened afterward
Key terms you will see in Iden
| Term | Meaning |
|---|---|
| Campaign | The reusable setup for a review program - for example, "Quarterly critical apps review" |
| Cycle | One run of that campaign - for example, "Q2 2026" |
| Stage | One reviewer step inside the cycle - for example, managers review first, then app owners review second |
| Review item | A specific user account or access record that a reviewer must evaluate |
Access review docs
Use the pages in this section to go deeper into each part of the workflow:
- Campaign Creation: Define what is in scope, assign reviewers, and schedule recurring cycles.
- Review Process: How cycles run and what reviewers do during a review.
- Remediation: What happens after access is flagged for removal or change.
Recommended checklist for your first access review
If you are setting up access reviews for the first time, follow these steps:
- Choose a small set of apps for your first campaign. This keeps the review manageable.
- Make sure every app you include has a valid app owner assigned before you add an app-owner review stage.
- Decide whether reporting managers, app owners, or both should review access first.
- Set realistic timeframes for each reviewer stage so reviewers have enough time to complete their work.
- Agree in advance on who will handle follow-up actions once reviewers flag access.
- Save the cycle reports as part of your audit evidence.
Starting small makes your first campaign easier to complete and reduces the chance of unresolved follow-up work after decisions are submitted.