
Conducting an Access Rights Review

Access rights decay over time. Even in organisations with well-defined roles, permissions drift. People change teams, take on temporary projects, cover for colleagues on leave, and accumulate access they no longer need. An access rights review is the process of systematically checking that every user’s permissions are still appropriate — and removing anything that is not.

If you have never conducted an access rights review, you almost certainly have users with access they should not have. This is not a failure of individuals — it is a failure of process. This lesson gives you the process.

What Is an Access Rights Review?

An access rights review (sometimes called an access recertification or entitlement review) is a structured process where you examine who has access to what, verify that each permission is still justified, and remove anything that is no longer needed. It is the security equivalent of a financial audit — checking that reality matches what the books say.

The review answers three questions for every user-system combination:

  1. Does this person still need this access? — based on their current role and responsibilities
  2. Is the access level appropriate? — read-only vs. read/write vs. admin
  3. Is there a legitimate business justification? — documented and approved

[Diagram: The Access Rights Review Lifecycle] Circular process diagram showing: Scope Definition → Data Extraction → Manager Review → Remediation (remove/adjust) → Documentation → Schedule Next Review. Each step includes a brief description of what happens and who is responsible.

How Often Should You Review?

The frequency depends on the sensitivity of the systems involved and the rate of change in your organisation. As a general framework:

  • Quarterly: High-sensitivity systems — financial platforms, customer databases containing personal data, admin/privileged accounts
  • Semi-annually: Medium-sensitivity systems — CRM, project management tools, internal communication platforms
  • Annually: Lower-sensitivity systems — general collaboration tools, shared drives, standard business applications

Additionally, access should be reviewed whenever a trigger event occurs:

  • An employee changes role or department
  • An employee leaves the organisation
  • A contractor’s engagement ends
  • A security incident is detected
  • A significant organisational restructure takes place

Running the Review: A Practical Process

An access rights review does not need to be a painful exercise. With the right structure, it can be completed efficiently even in organisations without dedicated security teams.

Step 1: Define the scope. Decide which systems and user populations you are reviewing. Start with your most sensitive systems — you do not need to review everything at once.

Step 2: Extract current access data. Pull a list of all users and their permissions from each in-scope system. Most business applications can export user lists. For cloud platforms like Microsoft 365, admin centres provide access reports.

Step 3: Distribute to business owners. Send each department head the list of their team members and their current access. Ask them to confirm or reject each permission. This is the critical step — business owners must take responsibility for validating access.

Step 4: Identify anomalies. Look for patterns that indicate problems:

  • Users with access to systems unrelated to their department
  • Former employees or contractors with active accounts
  • Excessive admin-level access
  • Accounts that have not logged in for 90+ days
  • Permissions that were granted temporarily but never revoked

[Diagram: Access Review Dashboard: Common Anomaly Indicators] Dashboard mockup showing key metrics: total users reviewed, permissions confirmed, permissions revoked, orphaned accounts found, admin accounts flagged, and average days since last login for inactive accounts. Colour-coded status indicators highlight areas requiring attention.

Step 5: Remediate. Remove or adjust any access that is no longer appropriate. This should happen within a defined timeframe — typically 5-10 business days after the review is completed.

Step 6: Document everything. Record what was reviewed, what was found, what was changed, and who approved each decision. This documentation is your audit trail and your evidence for compliance.
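Steps 2, 4 and 6 above in working form, as an added example that is not part of the original lesson: a short Python script that reads a constructed user-permission export, checks it against an HR roster, and flags each of the Step 4 anomaly patterns with a reason that can be written straight into the review record. The export columns, the roster, the system-to-department mapping and the approved-admin list are all assumptions made up for the example.

```python
from datetime import date

# Constructed sample of a user-permission export (the kind most business
# applications can produce); every value below is made up for the example.
ACCESS_EXPORT = """user,system,role,last_login,temporary_until
alice,finance-ledger,admin,2024-05-28,
bob,crm,read,2024-02-01,
carol,finance-ledger,write,2024-05-20,
dave,crm,write,2024-05-30,2024-03-31
erin,customer-db,admin,2024-05-29,
frank,customer-db,read,2024-05-27,
"""
# Constructed HR roster of current staff and their current department.
HR_ROSTER = {"alice": "Finance", "bob": "Sales", "carol": "Marketing",
             "dave": "Sales", "erin": "Support"}
# Assumed: which departments each in-scope system legitimately serves.
SYSTEM_DEPARTMENTS = {"finance-ledger": {"Finance"}, "crm": {"Sales"},
                      "customer-db": {"Support"}}
# Assumed: admin grants that already have a documented, approved justification.
APPROVED_ADMINS = {("alice", "finance-ledger")}
INACTIVE_DAYS = 90

def parse_export(text):
    """Turn the CSV-style export into a list of row dicts (Step 2)."""
    header, *lines = text.strip().splitlines()
    keys = header.split(",")
    return [dict(zip(keys, line.split(","))) for line in lines]

def find_anomalies(rows, today):
    """Flag each Step 4 pattern; returns (user, system, reason) tuples."""
    findings = []
    for r in rows:
        user, system = r["user"], r["system"]
        if user not in HR_ROSTER:  # former employee or contractor still active
            findings.append((user, system, "orphaned account: not on HR roster"))
            continue  # no department to compare against; revoke and move on
        if HR_ROSTER[user] not in SYSTEM_DEPARTMENTS.get(system, set()):
            findings.append((user, system, "system unrelated to current department"))
        if r["role"] == "admin" and (user, system) not in APPROVED_ADMINS:
            findings.append((user, system, "admin access without approved justification"))
        idle = (today - date.fromisoformat(r["last_login"])).days
        if idle > INACTIVE_DAYS:
            findings.append((user, system, f"inactive for {idle} days"))
        if r["temporary_until"] and date.fromisoformat(r["temporary_until"]) < today:
            findings.append((user, system, "temporary grant expired but not revoked"))
    return findings

def review(today=date(2024, 6, 1)):  # fixed review date so the sample is stable
    return find_anomalies(parse_export(ACCESS_EXPORT), today)
```

Each finding names the user, the system and the reason, which is exactly what the Step 6 record needs alongside the manager's decision and the date the access was removed.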

Who Should Be Involved?

An access rights review is a joint effort between IT and the business:

  • IT/Security team: Extracts access data, identifies technical anomalies, executes permission changes
  • Department heads/managers: Validate whether their team members’ access is appropriate and current
  • HR: Confirms current employee roster, identifies leavers and role changes that may have been missed
  • Compliance/risk: Reviews the overall findings and ensures the process meets regulatory requirements

[Diagram: RACI Chart for Access Rights Reviews] RACI matrix showing Responsible, Accountable, Consulted, and Informed parties for each step of the review process. IT is responsible for data extraction, managers are accountable for validation, HR is consulted for personnel data, and leadership is informed of results.

Why This Matters

Access rights reviews are not optional in any serious compliance framework. ISO 27001 explicitly requires regular reviews of user access rights. Cyber Essentials expects that access to data and services is limited to what is needed. GDPR requires that access to personal data is appropriate and justified.

Beyond compliance, access reviews are one of the most effective ways to detect insider risk, dormant accounts that could be exploited, and privilege creep that increases your exposure. Organisations that do not conduct regular access reviews are effectively flying blind — they do not know who has access to what, and they cannot demonstrate that access is controlled.

What to Do Now

  • Identify your three most sensitive systems and schedule an access review for them within the next 30 days
  • Pull a user access report from each system and check for obvious anomalies (former employees, inactive accounts)
  • Send department heads a list of their team’s current access and ask them to confirm it is appropriate
  • Establish a recurring calendar entry for access reviews — quarterly for sensitive systems, annually for others

Evidence to Collect

  • Completed access review reports showing what was reviewed, by whom, and what decisions were made
  • Evidence of remediation — records of permissions removed or adjusted following the review
  • Sign-off from business owners confirming the review was completed and access is appropriate
  • A schedule showing planned future reviews and their frequency

Common Mistakes

  • Treating the review as a tick-box exercise. If managers rubber-stamp every permission without actually checking, the review has no value. Provide clear guidance on what they should be looking for.
  • Reviewing only active employees. Former employees, contractors, and service accounts must be included. Orphaned accounts are a favourite target for attackers.
  • Not following through on remediation. Identifying excessive access is pointless if you don’t actually remove it. Set a deadline for remediation and track completion.
  • Doing it once and calling it done. Access drift is continuous. A single review is valuable, but the real benefit comes from making it a regular discipline.

Knowledge Check

Question 1 of 4

What three questions should an access rights review answer for every user-system combination?

  A. How much does the licence cost? / Is the software up to date? / Does the user like it?
  B. Does this person still need this access? / Is the access level appropriate? / Is there a legitimate business justification?
  C. When was the account created? / Who created it? / What browser does the user use?
  D. Is the user a permanent employee? / Have they completed security training? / Do they use MFA?

B. Every permission should be validated against three criteria: Does the person still need it? Is the level of access appropriate (not excessive)? Is there a documented business justification?

Question 2 of 4

How often should high-sensitivity systems (e.g., financial platforms, personal data stores) be reviewed?

  A. Every five years
  B. Only after a security incident
  C. Quarterly
  D. Only when an employee complains about their access

C. High-sensitivity systems should be reviewed quarterly. Medium-sensitivity systems semi-annually, and lower-sensitivity systems at least annually. Additional reviews should occur after trigger events such as role changes or departures.

Question 3 of 4

Who is primarily responsible for validating whether a team member’s access is appropriate?

  A. The IT department
  B. The employee themselves
  C. The employee’s department head or line manager
  D. The external auditor

C. Department heads and line managers are best placed to validate access because they understand what their team members need to do. IT extracts the data and implements changes, but the validation decision is a business responsibility.

Question 4 of 4

Which of the following is a common anomaly that should be flagged during an access review?

  A. A user who logs in every day to do their job
  B. An account that has not logged in for over 90 days but still has active permissions
  C. A manager who has read access to their team’s project files
  D. An IT administrator with access to the system administration console

B. Accounts that have not been used for 90+ days but retain active permissions are a red flag. They may belong to former employees, inactive contractors, or represent abandoned service accounts — all of which are potential attack vectors.

Summary Notes — Conducting an Access Rights Review

Key Takeaways

  • Access rights drift over time — regular reviews are essential to maintain appropriate access levels.
  • Reviews answer three questions: Does the person still need access? Is the level appropriate? Is there a business justification?
  • Frequency: quarterly for high-sensitivity systems, semi-annually for medium, annually for lower sensitivity.
  • Business owners validate, IT extracts data and implements changes, HR confirms the personnel roster.
  • Remediation must follow the review — identifying problems without fixing them achieves nothing.

Action Items

  1. Identify your three most sensitive systems and schedule access reviews within 30 days.
  2. Pull user access reports and check for former employees and inactive accounts.
  3. Send access lists to department heads for validation.
  4. Set up a recurring review calendar (quarterly, semi-annual, annual by system sensitivity).

Compliance Relevance

Access rights reviews are explicitly required by ISO 27001 A.9.2.5 (Review of user access rights), Cyber Essentials (Access Control — ensure access is appropriate), NIST CSF PR.AC-1 (Identities and credentials managed), and GDPR Articles 5(1)(f) and 32 (appropriate security measures for personal data). Completed review records are primary audit evidence.