Overview
User Access Reviews (UAR) help organizations periodically verify that users and service accounts have appropriate access to systems and applications.
In Secureframe, User Access Reviews allow you to:
Review access across applications on a recurring basis
Record decisions to maintain, modify, or revoke access
Capture reviewer justification and remediation steps
Produce clear, auditor-ready evidence of access governance
This article walks through the entire User Access Review workflow, from creating a review schedule to completing a review and understanding audit evidence.
Creating a User Access Review Schedule
Step 1: Navigate to User Access Reviews
Go to Access → Reviews and click Create review, then select Create recurring review schedule.
Recurring schedules help ensure access reviews happen consistently and align with common compliance and audit expectations.
Step 2: Set Review Details
In the Set details step, configure:
Review name – Clearly describe the scope of the review (for example, “Quarterly Critical Application Access Review”)
Review owner – The person accountable for managing the review process
Review frequency – How often the review runs
Review duration – How long reviewers have to complete the review
Review start reminder (days) – Set how many days before the review start date assignees should be notified. Start reminders help ensure assignees are prepared before the review opens.
Review end reminder (days) – Set how many days before the review due date assignees should receive a reminder. End reminders help prevent reviews from becoming overdue.
These details are stored as part of the audit record and demonstrate ownership and review cadence.
Step 3: Scope Applications
In the Scope applications step, select the applications included in this review schedule.
Applications may come from:
Single sign-on detection
Connected integrations
Manually added vendors or applications
For each application, Secureframe displays contextual information such as:
Vendor risk level (if available)
Whether access data is available
Number of detected accounts
When access was last reviewed
This information helps determine which applications should be reviewed together and how frequently.
Step 4: Add or Remove Applications
Click Add to include an application in this review schedule
Click Remove to exclude an application from this schedule
Important:
Removing an application only affects the current review schedule.
It does not:
Delete the application from Secureframe
Remove vendor records
Modify user access or integrations
Step 5: Link Applications to Vendors
If an application is not yet linked to a vendor, Secureframe will prompt you to link it.
Vendor linking:
Aligns access reviews with vendor risk management
Improves audit clarity
Ensures records refer to the same underlying system
Linking an application to a vendor does not modify access, permissions, or integrations.
Step 6: Create the Schedule
Once applications are scoped and vendor links are confirmed, click Create to finalize the schedule.
Secureframe will now generate user access reviews automatically based on this cadence.
Note: If the review start date is today, a review instance will appear immediately in the In progress tab. If the review start date is in the future, you will only see the review schedule listed under Schedules until the start date is reached, at which point the review will automatically appear under In progress.
One-Time User Access Reviews
In addition to recurring review schedules, Secureframe also supports one-time User Access Reviews.
One-time reviews are useful when you need to review access outside of a regular cadence, such as:
During an audit or security assessment
After a security incident or internal investigation
Following a major organizational change (for example, layoffs or reorgs)
When validating access for a newly onboarded application
When to Use a One-Time Review vs. a Schedule
Use a one-time review when:
You need to review access immediately
The review is tied to a specific event or point in time
You do not want the review to repeat automatically
Use a recurring review schedule when:
You want access reviews to run automatically over time
The same set of applications should be reviewed on a regular cadence
You want to demonstrate ongoing access governance
Both one-time reviews and scheduled reviews produce the same audit evidence once completed.
Creating a One-Time User Access Review
To create a one-time review:
Navigate to Access → Reviews
Click Create review
Select Create one-time review
Enter review details, including:
Review name
Review owner
Review due date
Scope the applications to include in the review
Start the review
Once created, the review begins immediately and does not repeat.
Reviewing Access in a One-Time Review
The access review experience for one-time reviews is identical to scheduled reviews.
Reviewers will:
Review access at the application and account level
Select Maintain, Modify, or Revoke for each account
Provide notes when modifying or revoking access
Optionally create tasks to track follow-up actions
Completing a One-Time Review
After all required access decisions are recorded, the one-time review can be completed.
Completed one-time reviews:
Are stored as audit evidence
Include review scope, decisions, notes, and timestamps
Do not generate future reviews
Note: Completed one-time reviews can now be reopened if corrections are needed, or deleted from the Completed tab if the review is no longer relevant. Reviewer decisions are preserved when reopening, so you pick up from where you left off rather than starting over. Deleting a completed review removes it from the UI but preserves the underlying audit record.
Audit Considerations for One-Time Reviews
From an audit perspective, one-time reviews:
Demonstrate point-in-time access validation
Are commonly used to support audits, investigations, or exceptional circumstances
Provide the same level of evidence as scheduled reviews once completed
Auditors can clearly see:
Why the review was performed
Who completed it
What access decisions were made
If a completed review is deleted, the underlying audit record is retained and remains accessible for audit purposes.
Running an Active User Access Review
Viewing Active Reviews
When a scheduled review begins, it appears under In progress on the Reviews page.
Each active review shows:
Start and due dates
Assigned reviewers
Applications in scope
Overall review progress
Click into a review to begin reviewing access.
Managing Completed Reviews
Once a User Access Review is marked complete, Secureframe gives you flexibility to correct mistakes, address missed items, or clean up your completed reviews list without losing your audit history.
Reopen an Entire Review
If something needs correcting across an entire completed review, you can reopen it. Reopening a review returns all applications within it to in-progress status so the review can be reworked and re-completed.
Because this resets all applications in the review, Secureframe requires a confirmation step before proceeding.
Navigate to Access → Reviews and open the Completed tab
Open the review you want to reopen
Select Reopen from the review details menu
Confirm the action when prompted
Reviewer decisions (who reviewed, what was approved or revoked) are preserved when you reopen, so you are correcting from where you left off rather than starting over.
Reopen a Single Application
If only one application within a completed review needs correction, you can reopen that application on its own without affecting the rest of the review. The parent review automatically reflects the change.
Open the completed review
Locate the application you want to reopen
Select Reopen from the application's options
Delete a Completed Review
Completed reviews can now be deleted from the Completed tab or from the review details menu. This is useful for removing test runs or reviews that were completed in error.
Deleting a completed review removes it from the UI but does not delete the underlying record or audit trail. Your history is preserved.
Navigate to Access → Reviews and open the Completed tab
Open the review you want to delete, or select it from the list
Select Delete from the review details menu
Confirm the action when prompted
Note: Deleting a review is permanent and cannot be undone. The audit record is retained, but the review will no longer appear in your Completed tab.
Using Bulk Actions
Bulk actions allow reviewers and admins to perform operations on multiple applications or accounts at once, eliminating the need to make changes one by one. Bulk actions are available across three surfaces in User Access Reviews.
Reviews Page Bulk Actions
From the Reviews page, select one or more applications to access the following bulk actions:
Send reminder – Sends reminder emails to the selected applications' assigned reviewers
Edit assignees – Update reviewer assignments with two sub-options:
Add assignees – Add new reviewers to the selected applications
Remove assignees – Remove existing reviewers from the selected applications
Remove – Removes the selected applications from the review schedule and the current review instance. You will be required to type "DELETE" to confirm. This action is irreversible.
Reviews → Application Bulk Actions
When reviewing a specific application, you can select multiple accounts and bulk-apply an access decision:
Maintain – Marks all selected accounts as maintained
Modify – Opens a modal to document the modification across selected accounts
Revoke – Opens a modal to document the revocation across selected accounts
This is especially useful for large-scale reviews where many accounts need the same decision applied at once.
Uploading Access Data for Non-Integrated Applications
Some applications included in a User Access Review may not have a connected integration. This applies to internal tools, SaaS applications without API support, or SSO-only applications where Secureframe cannot automatically pull access data.
These applications will display "Access data required" in the review and cannot be reviewed until account data is uploaded.
How to Upload Access Data
There are two ways to upload account data for a non-integrated application:
From the Reviews tab, select the specific review and for any application that Secureframe is not automatically pulling data for, click "Add access data" under the Access Data column.
From the Application Details page, click the "…" menu in the top right and select "Import user access data from CSV", or click the "Upload CSV" button in the empty state if no accounts have been added yet.
Supported CSV Columns
Your CSV file can include the following columns:
Column | Notes |
email | Required if no username |
username | Required if no email |
firstName | Optional |
lastName | Optional |
roles | Optional; comma-separated values |
active | Optional; true/false |
privileged | Optional; true/false |
twoFactorEnabled | Optional; true/false |
ssoEnabled | Optional; true/false |
Important Notes
Every row must include either an email or a username — one of these fields is required
CSV upload is only available for non-integrated applications — you cannot upload a CSV into an application that is connected via an integration
Once uploaded, accounts will appear in the accounts table and can be reviewed using the standard Maintain, Modify, or Revoke workflow
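A pre-upload check for the CSV format described above, as an added example that is not Secureframe's own code: it validates a constructed export against the supported column list, the email-or-username rule, and the true/false fields. The function name, the sample rows, and the strict lowercase true/false matching are assumptions.

```python
import csv
import io

# Column names as listed under "Supported CSV Columns" in this article.
ALLOWED = {"email", "username", "firstName", "lastName", "roles",
           "active", "privileged", "twoFactorEnabled", "ssoEnabled"}
BOOLEAN = ("active", "privileged", "twoFactorEnabled", "ssoEnabled")

# Constructed sample export; accounts and values are illustrative only.
SAMPLE = """\
email,username,firstName,lastName,roles,active,privileged,twoFactorEnabled,ssoEnabled
alice@example.com,,Alice,Ng,"admin,billing",true,true,true,true
,svc-backup,,,operator,true,true,false,false
,,Bob,Lee,viewer,true,false,true,true
carol@example.com,,Carol,Diaz,admin,billing,true,false,true,true
dave@example.com,dave,Dave,Kim,viewer,yes,false,true,true
"""

def validate_access_csv(text):
    """Return (line_number, message) problems; an empty list means clean."""
    reader = csv.DictReader(io.StringIO(text))
    header = reader.fieldnames or []
    problems = [(1, f"unsupported column {c!r}") for c in header if c not in ALLOWED]
    if not {"email", "username"} & set(header):
        problems.append((1, "header needs an email or username column"))
    for row in reader:
        line = reader.line_num
        # DictReader stores surplus fields under the key None. The usual cause
        # here is a multi-value roles cell that was not quoted, which shifts
        # every later column one position to the right.
        if None in row:
            problems.append((line, "more fields than columns (unquoted roles list?)"))
        email = (row.get("email") or "").strip()
        username = (row.get("username") or "").strip()
        if not email and not username:
            problems.append((line, "row has neither email nor username"))
        for col in BOOLEAN:
            value = (row.get(col) or "").strip()
            # Assumption: only lowercase true/false is accepted on import.
            if value and value not in ("true", "false"):
                problems.append((line, f"{col} must be true or false, got {value!r}"))
    return problems

if __name__ == "__main__":
    for line, message in validate_access_csv(SAMPLE):
        print(f"line {line}: {message}")
```

A shifted row matters for the review itself: in the constructed `carol` row, the unquoted roles list moves `true` into the privileged column, so the account would be presented to reviewers with the wrong attributes.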
