Elimity allows you to create a campaign, which allows people who are responsible for applications / teams / departments / … to review the relevant accounts and access rights. These reviews are a key ingredient to mitigating cybersecurity risks, as cleaning up superfluous access rights reduces both the entry points and the abuse options malicious people have.

This guide will show you how to create such an access review in Elimity as an administrator as well as how to execute the reviews as one of the responsible.

To start, you first need to understand that there are two types of access reviews:

1. Review a list of entities
2. Review a list of entities and their assignments

Review a list of entities

To review a list of entities, you start from the data table of the entity itself. Apply the filters to get the population you want to review and click the menu icon (1) and select Create access review.

Create access review from an entity data table

This will open the creation form of an access review, in which you need to provide additional information regarding the access review.

Review a list of entities and their assignments

The easiest way to create an access review of entities and their assignments is to start from a peer review. If the peer review results are as expected, you can click the Create Access Review button. A pop-up window will appear for some additional details to finalize the creation.

Create an access review from a peer review

Create new access review

Regardless of the type of access review, the form for creating an access review looks similar.

Start completing the form by selecting the right campaign from the dropdownlist (1). If you did not yet create a campaign yet, please refer to Creating a campaign.

Next, provide the email address of the assignee, who will be responsible for the actual access review. Also provide the name of the responsible for a more personal approach in the automated communication by Elimity (2).

Lastly, the core of the actual access review is here (3), which differs depending on the type of review. Provide the questions that you want answered during the review, as well as the attributes you want to show. If you are only reviewing a list of entities, you only need to worry about asking the correct (row) question for the review.

For the guide, the default questions and attributes were kept, but these can be changed as you see fit! These questions and attributes will also be shown during the execution of the review, so make sure they are understandable and reflect the core of the review.

If you are not ready yet to send out the access review or would like to verify some things first, be sure to check the Save as draft checkbox! Otherwise the access review is immediately sent out to the assignee provided once you click Confirm.

Finalizing a draft

In a draft access review, you can verify what the assignee will have to evaluate. You have an overview of the details of the access review (1) and the list of entities (2) and its assignments (3), if they are included in the review.

Draft access review overview

Specifically, this is the place to make some final adaptations if need be, before sending anything out to the assignee. If you already have knowledge of certain future events, such as an employee moving to the team being reviewed, an application being decommissioned or an employee leaving the company shortly, you may want to consider adding (4) or removing (5) those entities to either save some time of the assignee or to add those entities to have an even more correct review.

Adding a row to a draft access review

Once you have completed all necessary adaptations, simply press Finalize and send to send out the access review! An email will be sent to the assignee, but Elimity will also provide you a link so you can share it manually if necessary.