Pro-Owner perspective: This document frames your systems as a technical estate — an asset to be stewarded, documented, and bequeathed. Treat these steps as craftsmanship: protect the continuity, auditability, and transferability of your digital legacy.
What it is
A repeating four-step process that keeps every user's access to every system appropriate (no more, no less): Grant (provision with a recorded justification), Validate (automated checks that the user still uses and still needs the access), Review (identify stale or over-privileged accounts and have owners certify the rest), Remove (de-provision and log). The cycle runs quarterly, with automated flagging and mandatory owner sign-off.
Unlike ad-hoc access reviews, this is systematic: every system, every quarter, with automated flagging and removal rather than reliance on someone remembering. Stale accounts (no activity for 90 or more days) are flagged for removal; over-privileged accounts (admin roles without a recent justification) trigger manager review.
Why it matters
Access creep is inevitable without systematic reviews: people change roles, leave the company, or stop using a system, but the access persists. Quarterly reviews enforce least privilege, shrink the attack surface, and produce the audit trail that proves the access control policy is actually applied.
Without reviews you accumulate dormant admin accounts (prime targets, because nobody notices when they are used), orphaned service accounts (credentials nobody monitors for abuse), and users with access to systems they have not touched in years.
How we do it
- Grant step: when access is requested, require the requestor's name, the system, the role, a business justification, and an expiration date (or "review quarterly"). No open-ended grants: a request without an expiry or review date is rejected.
- Validate step: automated weekly checks of last login, permissions diff against the recorded baseline, and failed login attempts (a possible compromise signal); alerts go to the system owners. For service accounts and API keys, take "last use" from credential-usage logs, since they never log in interactively.
- Review step (quarterly):
  - Export every user, role and last-activity date from every system (LDAP, IAM, SaaS admin panels).
  - Flag accounts that are 90+ days inactive, hold admin roles without a recent justification, or belong to contractors whose project end date has passed.
  - Send a certification form to each system owner: "Confirm these users still require access, or approve removal."
- Remove step: de-provision flagged accounts after a 7-day grace period. Log every removal (who, when, reason, approver). Retain the logs for 7 years (compliance).
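The validate, review and remove steps above, as an added example in Python (not the page's toolkit or its sample scripts): it reads a constructed inventory export, applies the three flagging criteria, orders the stale account report admin > standard > read-only, stamps each finding with the end of the 7-day grace period, diffs current permissions against a constructed baseline for the weekly validate check, and builds the removal log record. Column names, the sample rows, the review date and the 90-day window used for "recent justification" are all assumptions made for the example.

```python
"""Quarterly access review flagging. Added example, not the page's toolkit:
column names, the 'recent justification' window (assumed 90 days), the
review date and the sample rows are constructed for illustration."""
import csv
import io
from datetime import date, timedelta

INACTIVE_DAYS = 90                 # page: 90+ days without activity is stale
JUSTIFICATION_MAX_AGE_DAYS = 90    # assumption: "recent" means within the last quarter
GRACE_PERIOD_DAYS = 7              # page: remove 7 days after flagging
REVIEW_DATE = date(2024, 4, 1)     # assumed date the quarterly export was taken
# Report ordering from the page: admin > standard > read-only.
RISK_RANK = {"admin": 0, "standard": 1, "read-only": 2}

# Constructed inventory export. Empty cells mean "unknown" or "not applicable".
SAMPLE_INVENTORY = """\
user,system,role,account_type,last_activity,justified_on,contract_end
alice,vpn,admin,user,2024-03-28,2024-01-10,
bob,crm,standard,user,2023-11-02,2024-01-15,
carol,crm,read-only,user,2023-12-01,2024-01-15,
dave,ci,admin,user,2024-03-30,2023-06-01,
svc-backup,s3,admin,service,2023-09-01,2024-02-01,
erin,wiki,standard,contractor,2024-03-25,2024-02-01,2024-03-15
frank,vpn,standard,user,2024-03-29,2024-02-01,
"""

# Constructed baseline of (user, system, role) recorded at the previous certification.
SAMPLE_BASELINE = """\
user,system,role
alice,vpn,admin
bob,crm,standard
carol,crm,read-only
dave,ci,standard
svc-backup,s3,admin
erin,wiki,standard
"""

def _rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))

def _parse_date(value):
    return date.fromisoformat(value) if value else None

def flag_account(row, today):
    """Return the review flags that apply to one inventory row (empty list = keep)."""
    flags = []
    last = _parse_date(row["last_activity"])
    # No recorded activity counts as inactive: "unknown" must never mean "keep".
    if last is None or (today - last).days >= INACTIVE_DAYS:
        flags.append("inactive_90d")
    justified = _parse_date(row["justified_on"])
    if row["role"] == "admin" and (
        justified is None or (today - justified).days > JUSTIFICATION_MAX_AGE_DAYS
    ):
        flags.append("admin_no_recent_justification")
    end = _parse_date(row["contract_end"])
    if row["account_type"] == "contractor" and end is not None and today > end:
        flags.append("contractor_past_end_date")
    return flags

def review_inventory(csv_text, today):
    """Flagged accounts sorted by risk (admin first), each with its removal date."""
    findings = []
    for row in _rows(csv_text):
        flags = flag_account(row, today)
        if flags:
            findings.append({
                "user": row["user"], "system": row["system"], "role": row["role"],
                "account_type": row["account_type"], "flags": flags,
                # Grace period runs from the flag date, not from when the owner answers.
                "remove_after": (today + timedelta(days=GRACE_PERIOD_DAYS)).isoformat(),
            })
    findings.sort(key=lambda f: (RISK_RANK.get(f["role"], len(RISK_RANK)), f["user"]))
    return findings

def permissions_drift(baseline_csv, current_csv):
    """Weekly validate check: (user, system, role) tuples granted or revoked since baseline."""
    base = {(r["user"], r["system"], r["role"]) for r in _rows(baseline_csv)}
    cur = {(r["user"], r["system"], r["role"]) for r in _rows(current_csv)}
    return {"granted": sorted(cur - base), "revoked": sorted(base - cur)}

def removal_log_entry(finding, approver, removed_on):
    """Audit record for the Remove step: who, when, reason, and who approved."""
    return {"user": finding["user"], "system": finding["system"],
            "removed_on": removed_on.isoformat(),
            "reason": ",".join(finding["flags"]), "approved_by": approver}

if __name__ == "__main__":
    for f in review_inventory(SAMPLE_INVENTORY, REVIEW_DATE):
        print(f"{f['role']:<9} {f['user']:<11} {f['system']:<5} "
              f"{','.join(f['flags'])}  remove after {f['remove_after']}")
    print(permissions_drift(SAMPLE_BASELINE, SAMPLE_INVENTORY))
```

Two design choices worth noting: a missing last-activity date is treated as inactive rather than skipped, so an export that lost a column cannot silently exempt accounts, and the service account `svc-backup` is flagged by exactly the same rule as human users, which is the point of the last guardrail below.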
What you receive
- Access inventory: Every user, every system, role, last activity date, provisioning justification.
- Stale account report: Accounts flagged for removal, sorted by risk (admin > standard > read-only).
- Over-privileged alerts: Admin accounts without recent activity or justification.
- De-provisioning log: Audit trail of all access removals with approval chain.
- Quarterly certification: Signed attestation from system owners confirming access accuracy.
All data is exported as CSV (for compliance audits) and stored in an immutable log (an S3 bucket with Object Lock enabled; use compliance mode, so that no principal, including the account root user, can delete the objects or shorten the retention period).
Evidence
Interactive access loop visualization:
- Grant: Expandable section showing access request template, justification fields, approval workflow.
- Validate: Automated check script (sample), alerting rules.
- Review: Certification form template, flagging criteria.
- Remove: De-provisioning procedure, audit log format.
Each section includes copyable templates and sample automation scripts.
Download access review toolkit (scripts + templates + compliance mapping): [Link]
Failure modes & guardrails
Failure mode: Reviews become rubber-stamp exercise
Guardrail: Randomly sample certified users and check independently whether they still need the access. If a sampled user does not, escalate to the certifier's manager.
Failure mode: Automated flags ignored
Guardrail: Flags still unresolved after 14 days auto-escalate to the next management level.
Failure mode: De-provisioning breaks production
Guardrail: Dry-run every removal in a test environment, disable accounts before deleting them so a rollback is a re-enable rather than a rebuild, and maintain an emergency re-provisioning procedure.
Failure mode: Service accounts exempt from reviews
Guardrail: Service accounts are reviewed with the same rigor as user accounts, each with a named owner who certifies it. Unused service accounts are removed.