How to Review Items
- Updated on 30 Jan 2025
This guide will walk you through how to review items assigned to you in an Access Review. Check out the Quick Summary section near the top of this article if you just need a quick refresher on the Approve and Deny actions, and the options available to you.
Before you begin
User Access Review Examples
The images below were taken from a User Access Review. If you are performing a different category of review, the options and wording may differ.
Reviewing Items - Quick Summary
Log in to Clarity and click on Access Reviews on the left side.
Click the Actions drop-down for the Access Review
Select Review My Items
Utilize the Filters and Sorting (both detailed below) to organize the review.
Select Approve or Deny. Use the More Info pop-out (the eye icon in the Info column) for expanded details about the user and the access.
Selecting Approve will fill in the green bubble (check out the Approve section below if options pop up during the Approve action).
You can control which items are shown using the Filter Items menu (see expanded details below).
Selecting options in the Deny pop-out does not immediately remove the access; it must be reviewed and remediated by your security team before access is removed.
No Longer Needs Access - Denotes access is no longer necessary.
Access is Inappropriate - This access should not have been granted in the first place.
Terminate User Account - All Access within this application should be removed, and the account deactivated/deleted.
Terminate All Access for {Identity Name} - Terminate ALL access for this Identity. This would mean deactivating/deleting accounts across ALL applications, not just the one you are reviewing.
Once you have approved or denied all the items assigned to you (see progress bar in top right), your part in this review is complete and it's ready to be remediated by your security team.
Approve
Reviewer Actions Note
The actions you recommend when reviewing access are not immediately reflected in your downstream applications. Approvals occur when a review is completed, and Denials require Remediation from your Security Team.
To approve an item for the access review, simply click the green radial button in the Approve column (you may briefly see “saving…” as your entry is saved), then you should see the button fill in, indicating the item is complete (see below).
Approve Access Popout
If a popout appears with additional options, see the section below for Unreconciled Users.
If you would like more information about this User and their access, see the More Info Popout section below.
Unreconciled Users
Unreconciled Users are user accounts found in your Downstream Application that have not been automatically reconciled, depicted below. These users are denoted by a small red flag icon next to the value in the Full Name / Identifier column (see example below). This item will also have an automatic Risk Score of 100.
Once you press the green Approve radial button, you will be presented with the following options:
You are provided the following options (depicted above) for completing the review item:
Grant to Identity: Search (using the text field to the left) for an existing Identity in Clarity, and match this Service User in the listed application to that Identity.
Create New Identity: Create a new Identity in Clarity to reconcile the Service User to.
Approve without Reconciling: Approve this access without reconciling to an existing Identity or creating a new one.
Unsure: This marks the item for further review by your Security team, while Approving the access.
Deny
Reviewer Actions Note
Any options you select are not immediately acted upon by Clarity; they will be reviewed by your Security Team during the Remediation Phase of this Access Review.
When you click Deny, you will be presented with the Deny Access pop-out, which presents you with 4 options for denying access for the Identity. You can make notes for your admin or audit teams using the Leave a note field in the top right (see the next section below to learn more).
These are the options you will select most often; they deny this single user/identity access to this single entitlement.
No Longer Needs Access - Denotes access is no longer necessary.
Access is Inappropriate - This access should not have been granted in the first place.
These options are escalation tiers above the two options listed above; they involve either removing access from the entire Application or removing access for ALL applications.
Terminate User Account - All Access within this application (in the example below Application: Clarity) should be removed, and the account deactivated/deleted.
Terminate All Access for {Identity Name} - Terminate ALL access for this Identity. This would mean deactivating/deleting accounts across ALL applications, not just the one you are reviewing.
Notes (required or optional)
When a review is created, your security team has the option to require a note whenever the Deny action is performed. As depicted in the image below, the note field in the top right then says “You are required to leave a note:”. In that case, the four Deny Access pop-out buttons just below are a lighter shade of red and un-clickable until you populate the notes field in the top right.
Before leaving a note when required:
After leaving a required note:
Filters and Sorting
In the Clarity Reviewer interface, you have the option to filter on one or more columns to limit the visible review items. You can also apply sorting to the columns, so you can review the items in the order you wish.
Don’t Forget!
If you have applied filters to your review, you still need to go back and complete the hidden items.
Filters
This pop-out is triggered by clicking the Filter Items button near the top left of the Review interface. Once filters are applied, they will be listed to the right of the Filter Items button.
As you select items using the Filter pop-out, you can see the changes in the Review interface in the background. Filters are reset if you refresh the page, or leave the page and return to the review.
The Filter options available to you are listed and depicted below. You can select multiple items from the list:
Application: Limit the scope of the items shown to particular applications. Ex: MS Active Directory,
Entitlement: Limit the scope of items shown to particular Entitlements.
Entitlement Type: Limit the scope of items shown to particular types of Entitlements, Ex: Groups, Roles, Policy.
Entitlement Tag: Limit the scope of the items shown to tags created by your Security Team.
Full Name/Identifier: Limit the scope of the items shown to particular Identities/Users.
Show Completed Items: Toggle this item off to show or hide any items you have already completed in this review. This is toggled on by default.
Sorting
You can sort a column simply by clicking on the column header itself. Just before you click the column header you will see an upward arrow and AZ (see image above). This indicates the first sorting method will be Ascending, once you click the column one time it will change to just an upward arrow indicating Ascending has been applied (see image below). If you click again, the icon will switch to a downward arrow, and apply the Descending sorting method. Each subsequent click on the same column will swap between ascending and descending.
To sort by another column, click that column's header, and it will become the sorted column. To remove all column sorting, you need to refresh the page.
More Info Pop-out
The context of this More Info screen is for the specific line item you clicked, so the data will be relevant to the Junction of the User/Identity and the specific Entitlement from the row you selected. This modal will open on the right side of your screen when you click the Eye icon indicated above. Below is an example of what this page will look like when it first opens.
User/Identity
This shows you some basic details about the User/Identity indicated in the row in which you clicked More Info.
Full Name: This is the full name of the Identity that you are reviewing. This may include Service Accounts.
User Identifier: This is the unique identifier value from your Downstream Application, this is typically a username, ID number, or GUID.
Email: This is the email address of the Identity.
Identity’s Status: This is the Active status of the Identity (active vs inactive).
Identity’s Role: This is the Role for the Identity as determined by the Organizational Units.
Supervisor’s Name: This is the name of the Supervisor determined by your Source(s) of Truth.
Entitlement
This section of the More Info Pop-out has additional tabs, outlined below. If you see (conditional), that means the tab will only appear if the Entitlement you are reviewing has nested relationships to other Entitlements or Permissions in your environment.
Information
Application: The source of the Entitlement/User relationship you are viewing.
Entitlement Type: The type of Entitlement object you are reviewing. Common examples include: Groups, Roles, Permissions.
Entitlement Name: The direct name of the Entitlement from the Application Source.
Friendly Name: An optional name configurable in Clarity to provide a more user-friendly or human-readable name for a particular Entitlement.
Description: Text field (from either Application source or configurable in Clarity) to provide additional information about what the Entitlement does and what access it may provide.
Expiration: Timestamp value (if configured) of when Clarity would be expected to automatically remove this Entitlement from this user at a future point in time.
Nested Access Graph (conditional)
This tab will show you a graphical representation of relevant nested access relationships (Entitlement-Entitlement junctions).
Grants Access To (conditional)
This tab will show you all other Entitlements that are granted to the user, through nested relationships, by the Entitlement you are reviewing.
Access Granted By (conditional)
Similar to the Grants Access To tab, but shows the nested relationships of other Entitlements that grant access to the Entitlement you are reviewing.
Permissions (conditional)
Very similar to Grants Access To, this table will show you a list of permissions that are granted as a result of the Entitlement you are currently reviewing. Permissions are more common in Dynamic Databases.
Notes
The Notes section shows a threaded view of all notes entered by Reviewers, Admins, or Remediators during this Access Review for this particular item.
Below you can see an example of the Notes interface with 2 notes left by different Clarity Users.
To leave a note, just populate the field called Create Note, and then click the Save Note button to save your note.
Risk Score
This section will show you the Risk Score and relevant details and datapoints that are factored into the Risk Score.
Risk Score: This is the overall risk score value determined by Clarity.
Overlap %: This will show a breakdown of the Identity’s access overlap with other members of their roles. The most common example should show Global (overlap with the entire organization), Department (overlap with other members of the department), and Job Title (overlap with other employees with the same job title). The Organizational Units used determine your role structure, and your Security team is not limited to the attributes Department and Job Title. Red values indicate a higher risk; green values indicate a lower risk.
Desired Times Reviewed: This indicates the desired number of times the access should have been reviewed since Clarity learned about the access. Clarity expects access to be reviewed every 180 days once detected during an application sync.
Actual Times Reviewed: This will show the total count of how many times this access has been reviewed for this user.
Last Reviewed By: This provides the name of the person that last reviewed this access.
Days Since Last Review: This is a timestamp for the last time this access was reviewed.
Tags
You will be shown any and all tags associated with the items you are reviewing.
Below you can see that the Review Item has the tag Privileged access.
Bulk Actions
Bulk Action Limitations
Your Security team has the ability to limit which items are allowed to be bulk approved based on the Risk Score. They can pick a risk threshold that will allow bulk approval for items that are below this value.
Access the Bulk actions interface by clicking the Enable Bulk Actions button near the title of the review. You can hide these options once you are done with bulk actions, by clicking the Hide Bulk Actions button that appears.
Enabling bulk actions also reveals a new column on the far left named Selected, which is used for performing the bulk actions outlined below.
Bulk Approval - Rubber Stamping
This option allows you to approve items in bulk that are below a certain Risk threshold value (determined by your Security Team).
Use the checkboxes in the Selected column to mark the items you would like to bulk review.
You can use the Select All toggle to select/check all of the visible review items.
Choose Approve Selected Items
You will be presented with a pop-out summarizing the items you selected, and how many are eligible for bulk approval.
In the example above 24 items were selected, but only 10 were below the allowed Risk threshold.
Click Approve All Eligible Selected Items to approve ONLY the items that were below the Risk threshold set by your Security Team.
Bulk Denial
Use the checkboxes in the Selected column to mark the items you would like to bulk review.
You can use the Select All toggle to select/check all of the visible review items.
Choose Deny Selected Items.
You will be presented with a pop-out allowing you to select your Deny All action and leave a note for these items.
See the Deny section above for more information about each option.
You may be required to leave a note by your Security team before you can choose an action.
In the example above, 7 items were selected for bulk denial.
Click the appropriate action from the options to deny the items you selected.
Reassigning Items
Use the checkboxes in the Selected column to mark the items you would like to bulk reassign.
You can use the Select All to select/check all the items visible.
Choose Reassign Selected Items.
You will be presented with a pop-out allowing you to select your Reassignment options and leave a note for these items.
Read the Rules on the left hand side regarding the bulk reassignment you are attempting.
You may be required to leave a note by your Security team before you can choose an action.
Select the New Reviewer(s).
Begin typing the name of an Identity, then click the appropriate entry to add it to the list.
You can add multiple entries to this list.
Click the appropriate action from the options to reassign the items you selected.
Replace My Assignments: This will replace your assignment in this review (these items will disappear from your review).
Add Additional Reviewers: Add your selected Reviewer(s) to the list of assignees; these items will stay in your review. Only one of the Reviewers needs to complete the review item.
Need help?
If you have any problems, contact your customer success team. You can also get in touch with our general support via email or by opening a support ticket. Our general support team is available Monday - Friday from 8:00 AM - 6:30 PM CST.