
Making Access Decisions

These are the decisions reviewers can make directly on an access review item:

Approve the access

When you approve access, you are indicating that it's OK for this user to have this access. That means no action will be taken, and the user's access will remain the same as it is now.

Revoke the access

When the reviewer revokes access, IdentityIQ will remove the access, in whatever way the system is configured to do it. It's important to note that this revocation doesn't necessarily happen immediately. This is another option that is configurable by the person who set up the certification. It can be set up so that revocation happens as soon as you make the decision, or it could be set up so that nothing is revoked until the entire certification campaign is complete and signed off. If you're unsure about when a revocation will take effect, you can check with the owner of the certification – which, remember, is something you can see on the main review page.

Revoke an account

Revoking an account is similar to revoking an individual entitlement or role, but it lets you revoke both the account and all the entitlements associated with the account, at once. This is one of the options that is configurable, so whether you have this option or not will depend on how the certification was set up.

Remediate a policy violation

There is a specific type of revoke option for Separation of Duties policy violations. This type of violation occurs when a user has two or more accesses that conflict with each other, in violation of a defined company policy. For example, your company may have a policy that says that one person can't both approve vendors and make payments to them. For separation of duties policy violations, revoking access involves choosing which of the two conflicting accesses the user will keep, and which will be revoked.

Allow an exception for access

This is another configurable option that you may or may not have. What the "allow" option means is that you don't want the user to have this access indefinitely, but you do want to allow the access for some particular period of time, after which you'll revisit the access and potentially revoke it. A typical use case for this is when someone is on a temporary assignment and needs time-limited access to some system, or perhaps is transitioning between job responsibilities and will be losing access to a system or account at some known date in the future. When you allow access, you're prompted to choose an ending date for the access. Allowing an exception is always an option on policy violation items in an access review, but only appears for other access review items if the certification is configured to include this option.

For separation-of-duties policy violations, allowing an exception marks the item as allowed for a specified duration, so any policy checking during that time will not reflag the violation.

One of the options that your administrator or certification owner can configure is sending email notifications when an exception period expires – so keep in mind that it is up to the certification owner whether or not you will be alerted when an exception period expires.

Automatic Approvals

If you have implemented AI-Driven Identity Security, you can enable automatic approvals of access based on access recommendations. With this feature enabled, any access review item that has a recommendation of "thumbs up" is automatically moved from the reviewer's Open tab to the Review tab, with an Approved decision. Reviewers retain the option of changing the automated decision, as needed, before signing off on the review. Automated approvals help your reviewers process access reviews more quickly and efficiently by taking easy decisions out of the way so that they can focus on exceptional items. See Using Automatic Approvals for more information.

Item-by-Item versus Bulk Decisions

Review decisions can be made one at a time, or in bulk. The ability to decide on items in bulk is configurable; it can be turned on or off both per certification and globally.

If bulk processing is enabled for your review, you will see a Bulk Decisions button in the header area of your listing of items. To select the items you want to process in bulk, you can select them one by one using the checkboxes, or you can click in the header row to select either all the items on the current page, or all the items in the entire access review. You can deselect items in the same way.

Once you've chosen your items, click Bulk Decisions to approve, revoke, or allow.

Changing Decisions

Until you have signed off on the full review, you have the option to change the decisions you've saved. You can do this immediately when you make a decision, before saving it, by re-clicking the decision button or unchecking the decision from the flyout menu.

Once a decision has been saved, you can still go to the Review tab and make changes there. Click the 3-line menu beside the item, then choose Undo Decision from the flyout menu.