Scheduled Access Review

Approval flows for reviewing (auditing) access after a preconfigured duration (customizable per role).

Access Review Deprovisioning

Use audit_* values when you want a user's access to be manually reviewed by the AuthUser or AuthGroup that approved it based on the ApprovalPolicy, with the approver choosing at predetermined intervals whether to extend or expire the access.

Each ApprovalPolicy allows you to optionally set an audit_after_count (int) and audit_after_period (enum: minute|hour|day|week|month|quarter|year). If a value is set, the audit date is calculated from the time that the ActionFlow is created after the ApprovalFlow is complete. A new ApprovalAuditTransaction is created as a child relationship of both the ApprovalFlowTransaction and the approvable relationship. This allows long-term visibility into the audit history over multiple audit cycles, and allows ApprovalAuditTransaction(s) to be handled in batches, with transactions dynamically grouped into an ApprovalAuditBatch.

Multiple Audit Reviews

If an ApprovalChain has multiple ApprovalPolicies and more than one policy has audit_after_* values set, then multiple ApprovalAuditTransaction records are created, each with the respective duration and the AuthUser or AuthGroup specified in its ApprovalPolicy.

Approver Workflow

When the audit_at date occurs, the ApprovalAuditTransaction appears on the approver's dashboard and a notification is sent.

The approver has the choice to:

  1. Extend the access for an additional period of time specified in audit_after_* of the ApprovalPolicy. A new ApprovalAuditTransaction is created for each period of time and sets the audit_at value based on the audit_after_* values in the ApprovalPolicy.
  2. Expire the access, and set an expiration date at the approver's discretion (e.g. immediately, or in 2 weeks for a smoother transition).

Since many approvers have a large number of requests to approve, the ApprovalAuditTransaction records are grouped into an ApprovalAuditBatch for each of the ApprovalPolicy(s) to allow approvers to do batch approvals at their convenience. This is simply for efficiency and organization, to provide a better user experience for the approver. It is analogous to how a manager approves an employee's expense report with multiple receipts rather than each receipt individually.

Unreviewed Access

If an approver does not extend or expire in a timely fashion, no action takes place to deprovision the user's access. The pending ApprovalAuditTransaction(s) will appear in a report with the number of days outstanding, and an Access Manager global setting can be configured to send the approver reminders at customizable intervals. In this iteration, there is no manager or group escalation functionality.
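
The audit date calculation for a chain with multiple policies, and the outstanding-review report described above, sketched as an added example (not code from Access Manager itself). The Policy class and the function names are hypothetical, the sample data is constructed, and clamping month-based periods to the last day of a shorter month is an assumption the page does not specify.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Fixed-length periods map to timedelta; month-based periods need calendar math.
FIXED = {"minute": timedelta(minutes=1), "hour": timedelta(hours=1),
         "day": timedelta(days=1), "week": timedelta(weeks=1)}
MONTHS = {"month": 1, "quarter": 3, "year": 12}

def audit_at(start, count, period):
    """Audit date `count` periods after `start` (the ActionFlow creation time)."""
    if count < 1:
        raise ValueError("audit_after_count must be a positive integer")
    if period in FIXED:
        return start + count * FIXED[period]
    if period not in MONTHS:
        raise ValueError(f"unknown audit_after_period: {period!r}")
    total = start.month - 1 + count * MONTHS[period]
    year, month = start.year + total // 12, total % 12 + 1
    # Assumption: clamp the day, so Jan 31 + 1 month lands on the last day of February.
    day = min(start.day, calendar.monthrange(year, month)[1])
    return start.replace(year=year, month=month, day=day)

@dataclass
class Policy:  # hypothetical stand-in for an ApprovalPolicy
    approver: str
    audit_after_count: Optional[int] = None
    audit_after_period: Optional[str] = None

def schedule_audits(chain, created_at):
    """One (approver, audit_at) entry per policy in the chain that sets audit_after_*."""
    return [(p.approver, audit_at(created_at, p.audit_after_count, p.audit_after_period))
            for p in chain if p.audit_after_count and p.audit_after_period]

def outstanding_report(audits, now):
    """Reviews past their audit_at with days outstanding; access is never changed here."""
    overdue = [(approver, (now - due).days) for approver, due in audits if due <= now]
    return sorted(overdue, key=lambda row: -row[1])

# Constructed sample: three-policy chain, only two policies set audit_after_*.
CREATED = datetime(2024, 1, 31, 9, 0)
CHAIN = [Policy("manager", 1, "month"), Policy("security-group", 1, "quarter"), Policy("it-ops")]
AUDITS = schedule_audits(CHAIN, CREATED)
REPORT = outstanding_report(AUDITS, datetime(2024, 3, 15, 9, 0))
```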