Access overview

Vendor access is one of the most critical areas of risk in any compliance program. Third-party vendors often have access to sensitive systems and data, making it essential to regularly review and monitor their access.

The Access page in Secureframe helps you centralize and manage this oversight by showing which vendors have access to your environment, what they can access, and whether that access is still appropriate. This visibility is key to maintaining compliance with frameworks like SOC 2, ISO 27001, and more.

You can quickly identify:

• Active vs. inactive accounts
• Whether accounts are in audit scope
• MFA status
• Details of the personnel who owns or are tied to each account
• Role assigned to the account 

This allows your team to monitor access risk and act quickly when required.

How to Search & Filter

Use the search bar, preset filters, or customize your filter at the top of the page to narrow your view. You can:

• Search by:
  
  • Personnel name
  • Email address
    
• Select preset filters for:
  
  • Terminated personnel- displays terminated personnel who still have active accounts
  • New accounts - displays accounts created in the last 30 days
  • Unknown account - displays accounts that are not linked to any personnel

• Customize filters for the following fields:
  
  • Account
  • Application
  • Roles
  • Active account status
  • MFA status
  • In audit scope
  • Active personnel
  • Account owner
  • Created at

Icon Meanings

The feature (e.g., MFA) is active:

The feature(e.g. MFA) is disabled:

Secureframe couldn’t retrieve the data, usually due to limitations in the third-party integration:

Frequently Asked Questions (FAQ)

Why do I see “Unknown” for some access attributes like MFA?

• If Secureframe can’t pull this information from a connected system, it's likely due to restrictions in that vendor's API. Some APIs don’t expose all relevant access details.

Why don’t I see “Roles” for all accounts?

• If Secureframe can’t pull this information from a connected system, it's likely due to restrictions in that vendor's API. Some APIs don’t expose all relevant access details.