User Access Reviews (UAR)
This article brings together common customer questions and practical answers based on typical Secureframe workflows, compliance situations and unique tech stacks.
It is meant as quick reference material for day-to-day use of the product.
How do User Access Reviews work in Secureframe?
User Access Reviews let you periodically verify that users and service accounts have appropriate access to in-scope applications. You create recurring schedules or one-time reviews under Access → Reviews, scope applications, assign reviewers, and record Maintain, Modify, or Revoke decisions with notes. Completed reviews are stored as audit evidence.
For the full workflow (schedules, CSV upload, bulk actions, and screenshots), see User Access Reviews (UAR).
How do I navigate to the User Access Reviews module?
Go to Access → Reviews in the left navigation. From there you can create recurring schedules, run one-time reviews, manage in-progress reviews, and export completed review evidence for auditors.
Why is the User Access Reviews test failing even though I uploaded evidence?
The test checks that completed access reviews cover the required date range for the test interval, not just that files were uploaded. Confirm each report includes all in-scope applications and accounts and that review completion dates fall inside the interval shown on the test.
If you use Secureframe UAR, complete reviews under Access → Reviews so decisions and timestamps are captured in-product. For manual uploads, set Completed on to the date the review was performed. See FAQs: Test uploads, tracking, and audit Testing tab.
What does "No completed User Access Review found within the required time window" mean?
Secureframe did not find a completed User Access Review whose completion date falls inside the test interval on the User Access Reviews test. Uploading a spreadsheet alone does not satisfy the test unless it is attached as evidence with the correct Completed on date and covers the full in-scope population.
To pass using in-product UAR, complete a review under Access → Reviews during the interval (or run a one-time review if you need evidence immediately). To pass with manual evidence, upload reports that cover the exact interval dates and set Completed on to when the review was performed.
After completing a review or uploading evidence, allow time for the test to re-evaluate. If the test still fails, confirm the review completion date and scope match the interval shown on the test page.
Manual access data (1Password and CSV upload)
Can I upload a CSV for 1Password access reviews?
Yes. Some password managers (including 1Password) connect via screenshot rather than live account sync. When included in a UAR, the application may show Access data required until you upload account data manually.
Export users from 1Password (email/username, role, MFA status), open the application in the active review, and click Add access data or Upload CSV. Use the supported columns documented in User Access Reviews (UAR), then review each account with Maintain, Modify, or Revoke as usual.
Which CSV columns does Secureframe require for manual UAR access data?
Each row must include either
emailorusername. Optional columns includefirstName,lastName,roles,active,privileged,twoFactorEnabled, andssoEnabled. See the full table in the UAR article.
Vendor risk reviews
When does an updated vendor question set take effect?
Updated question sets apply to new reviews created after the change. Reviews already scheduled or in progress keep the question set that was assigned when that review cycle started.
To use a new question set immediately, run a one-time vendor review (or wait for the next scheduled cycle to begin). This is the same pattern as one-time User Access Reviews when you need point-in-time evidence outside the regular cadence.
Is a one-time review the only way to apply a new question set right away?
For vendor security reviews, yes. Editing a question set on a schedule does not retroactively change an in-progress review. Start a one-time review to answer the updated questions immediately, or let the next scheduled review pick up the new set automatically.
Where is the Pipeline tab under Vendors → Configure Reviews?
Open Vendors, click Configure Reviews (top right), then look for the Pipeline tab for in-progress and upcoming reviews and Completed Reviews for finished cycles. You need vendor review schedules configured in Vendor Risk Management.
If you do not see Configure Reviews or Pipeline, confirm your plan includes the vendor review features you expect and that you have admin access to Vendors. See Vendor Risk Management (VRM) - Full Guide for setup steps.
How should I set vendor review schedules based on risk level?
Group vendors with similar risk and review cadence into the same schedule (for example, high-risk vendors quarterly, medium-risk annually). Assign review owners and assignees per vendor on the schedule. Advanced VRM supports multiple custom schedules by risk level or category.
Vendor review evidence
Can reviewers view uploaded vendor files before the vendor review is finalized?
Today, vendor-submitted files from the vendor portal are added to the vendor's Documentation tab after the external contact submits the portal. Internal reviewers complete internal question sets during the review cycle; viewing vendor uploads before final submission may be limited depending on review stage.
After a review is completed, uploaded documents, descriptions, and comments remain accessible on the vendor record. If your team needs reviewers to preview vendor files earlier in the workflow, contact your Customer Success Manager or Support to log product feedback.
How do I pass the Vendor security reviews test?
The test looks for evidence that in-scope vendors completed security reviews within the required interval. Complete vendor reviews in Vendors → Configure Reviews (Pipeline and Completed Reviews) rather than relying on manual uploads alone when possible.
The Last Reviewed or Reviewed columns on the vendor table reflect completed review activity; they are not editable fields you type into directly. Update them by completing a vendor review cycle for that vendor.
Can I bulk-upload spreadsheet answers for vendor internal security reviews?
Not today. Internal security review questions must be answered in the review workflow in Secureframe. Bulk CSV import of review answers is not supported. If this would materially improve your process, share the use case with Support or your CSM as a feature request.
Retired applications and audit evidence
How do I inactivate a retired application without losing prior access review history?
Remove the application from active UAR schedules going forward, but keep completed reviews in the Completed tab for audit history. Do not delete completed reviews you need auditors to see; deleting removes them from the UI (the underlying audit record is retained).
If you manually upload evidence on a test for a retired system, attach historical review reports with accurate Completed on dates from when the application was in scope, and document the retirement date in the evidence or test notes so auditors understand the scope change.
Related topics
Where can I learn about Completed on dates and audit Testing tab statuses?
Why is my privacy policy communication test still At Risk after I uploaded the policy?
Uploading the policy alone may not satisfy a communication or notice test. See FAQs: SOC 2 compliance documentation and evidence in Secureframe.
