User Access Reviews (UAR)

Overview

User Access Reviews (UAR) help organizations periodically verify that users and service accounts have appropriate access to systems and applications.

In Secureframe, User Access Reviews allow you to:

  • Review access across applications on a recurring basis
  • Record decisions to maintain, modify, or revoke access
  • Capture reviewer justification and remediation steps
  • Produce clear, auditor-ready evidence of access governance

This article walks through the entire User Access Review workflow, from creating a review schedule to completing a review and understanding audit evidence.

Creating a User Access Review Schedule

Step 1: Navigate to User Access Reviews

Go to Access → Reviews and click Create review, then select Create recurring review schedule.

Recurring schedules help ensure access reviews happen consistently and align with common compliance and audit expectations.

Step 2: Set Review Details

In the Set details step, configure:

  • Review name – Clearly describe the scope of the review (for example, “Quarterly Critical Application Access Review”)
  • Review owner – The person accountable for managing the review process
  • Review frequency – How often the review runs
  • Review duration – How long reviewers have to complete the review
  • Review start reminder (days) – Set how many days before the review start date assignees should be notified. Start reminders help ensure assignees are prepared before the review opens.
  • Review end reminder (days) – Set how many days before the review due date assignees should receive a reminder. End reminders help prevent reviews from becoming overdue.

These details are stored as part of the audit record and demonstrate ownership and review cadence.

Step 3: Scope Applications

In the Scope applications step, select the applications included in this review schedule.

Applications may come from:

  • Single sign-on detection
  • Connected integrations
  • Manually added vendors or applications

For each application, Secureframe displays contextual information such as:

  • Vendor risk level (if available)
  • Whether access data is available
  • Number of detected accounts
  • When access was last reviewed

This information helps determine which applications should be reviewed together and how frequently.

Step 4: Add or Remove Applications

  • Click Add to include an application in this review schedule
  • Click Remove to exclude an application from this schedule

Important:
Removing an application only affects the current review schedule.

It does not:

  • Delete the application from Secureframe
  • Remove vendor records
  • Modify user access or integrations

Step 5: Link Applications to Vendors

If an application is not yet linked to a vendor, Secureframe will prompt you to link it.

Vendor linking:

  • Aligns access reviews with vendor risk management
  • Improves audit clarity
  • Ensures records refer to the same underlying system

Linking an application to a vendor does not modify access, permissions, or integrations.

Step 6: Create the Schedule

Once applications are scoped and vendor links are confirmed, click Create to finalize the schedule.

Secureframe will now generate user access reviews automatically based on this cadence.

Note: If the review start date is today, a review instance will appear immediately in the In progress tab. If the review start date is in the future, you will only see the review schedule listed under Schedules until the start date is reached, at which point the review will automatically appear under In progress.

One-Time User Access Reviews

In addition to recurring review schedules, Secureframe also supports one-time User Access Reviews.

One-time reviews are useful when you need to review access outside of a regular cadence, such as:

  • During an audit or security assessment
  • After a security incident or internal investigation
  • Following a major organizational change (for example, layoffs or reorgs)
  • When validating access for a newly onboarded application

When to Use a One-Time Review vs. a Schedule

Use a one-time review when:

  • You need to review access immediately
  • The review is tied to a specific event or point in time
  • You do not want the review to repeat automatically

Use a recurring review schedule when:

  • You want access reviews to run automatically over time
  • The same set of applications should be reviewed on a regular cadence
  • You want to demonstrate ongoing access governance

Both one-time reviews and scheduled reviews produce the same audit evidence once completed.

Creating a One-Time User Access Review

To create a one-time review:

  1. Navigate to Access → Reviews
  2. Click Create review
  3. Select Create one-time review
  4. Enter review details, including:
    • Review name
    • Review owner
    • Review due date
  5. Scope the applications to include in the review
  6. Start the review

Once created, the review begins immediately and does not repeat.

Reviewing Access in a One-Time Review

The access review experience for one-time reviews is identical to scheduled reviews.

Reviewers will:

  • Review access at the application and account level
  • Select Maintain, Modify, or Revoke for each account
  • Provide notes when modifying or revoking access
  • Optionally create tasks to track follow-up actions

Completing a One-Time Review

After all required access decisions are recorded, the one-time review can be completed.

Completed one-time reviews:

  • Are stored as audit evidence
  • Include review scope, decisions, notes, and timestamps
  • Do not generate future reviews

Audit Considerations for One-Time Reviews

From an audit perspective, one-time reviews:

  • Demonstrate point-in-time access validation
  • Are commonly used to support audits, investigations, or exceptional circumstances
  • Provide the same level of evidence as scheduled reviews once completed

Auditors can clearly see:

  • Why the review was performed
  • Who completed it
  • What access decisions were made

Running an Active User Access Review

Viewing Active Reviews

When a scheduled review begins, it appears under In progress on the Reviews page.

Each active review shows:

  • Start and due dates
  • Assigned reviewers
  • Applications in scope
  • Overall review progress

Click into a review to begin reviewing access.

The Summary tab shows a single view across all reviewed accounts in a review group, with progress widgets and a remediation column to see where things stand.

You can also export account review snapshots for offline analysis, stakeholder reporting, or audit evidence. 

Managing Reviews

You can perform any of the following tasks to manage reviews. Each one has a confirmation flow, and a review auto-completes when all of its remaining applications are finished:

  • Delete schedules
  • Delete in-progress reviews
  • Delete or reopen completed reviews
  • Remove applications from active reviews 

Using Bulk Actions

Bulk actions allow reviewers and admins to perform operations on multiple applications or accounts at once, eliminating the need to make changes one by one. Bulk actions are available across three surfaces in User Access Reviews.

Reviews Page Bulk Actions

From the Reviews page, select one or more applications to access the following bulk actions:

  • Send reminder – Sends reminder emails to the selected applications' assigned reviewers
  • Edit assignees – Update reviewer assignments with two sub-options:
    • Add assignees – Add new reviewers to the selected applications
    • Remove assignees – Remove existing reviewers from the selected applications
  • Remove – Removes the selected applications from the review schedule and the current review instance. You will be required to type "DELETE" to confirm. This action is irreversible.

Reviews → Application Bulk Actions

When reviewing a specific application, you can select multiple accounts and bulk-apply an access decision:

  • Maintain – Marks all selected accounts as maintained
  • Modify – Opens a modal to document the modification across selected accounts
  • Revoke – Opens a modal to document the revocation across selected accounts

This is especially useful for large-scale reviews where many accounts need the same decision applied at once.

Uploading Access Data for Non-Integrated Applications

Some applications included in a User Access Review may not have a connected integration. This applies to internal tools, SaaS applications without API support, or SSO-only applications where Secureframe cannot automatically pull access data.

These applications will display "Access data required" in the review and cannot be reviewed until account data is uploaded.

How to Upload Access Data

There are two ways to upload account data for a non-integrated application:

  1. From the Reviews tab, select the specific review and for any application that Secureframe is not automatically pulling data for, click "Add access data" under the Access Data column.
  2. From the Application Details page, click the "" menu in the top right and select "Import user access data from CSV", or click the "Upload CSV" button in the empty state if no accounts have been added yet.

Supported CSV Columns

Your CSV file can include the following columns:

Column              Notes
email               Required if no username
username            Required if no email
firstName           Optional
lastName            Optional
roles               Optional; comma-separated values
active              Optional; true/false
privileged          Optional; true/false
twoFactorEnabled    Optional; true/false
ssoEnabled          Optional; true/false

Important Notes

  • Every row must include either an email or a username — one of these fields is required
  • CSV upload is only available for non-integrated applications — you cannot upload a CSV into an application that is connected via an integration
  • Once uploaded, accounts will appear in the accounts table and can be reviewed using the standard Maintain, Modify, or Revoke workflow
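
The column rules above can be checked locally before uploading. The following pre-upload check is an added example, not Secureframe code: it validates a CSV export against the supported columns and shows why a multi-role cell must be quoted. Rejecting unknown columns and requiring lowercase true/false are assumptions of this check (the article does not say how Secureframe handles either), and the sample rows are constructed.

```python
import csv
import io

# Column names taken from the "Supported CSV Columns" table above.
SUPPORTED = {"email", "username", "firstName", "lastName", "roles",
             "active", "privileged", "twoFactorEnabled", "ssoEnabled"}
BOOLEAN = {"active", "privileged", "twoFactorEnabled", "ssoEnabled"}

def validate_access_csv(text):
    """Return (accounts, errors). Assumption: strict lowercase booleans, no extra columns."""
    reader = csv.DictReader(io.StringIO(text))
    header = reader.fieldnames or []
    errors = [f"header: unsupported column {c!r}" for c in header if c not in SUPPORTED]
    if not {"email", "username"} & set(header):
        errors.append("header: need an email or username column")
    accounts = []
    for row in reader:
        row_errors = []
        if None in row:  # more cells than headers, e.g. an unquoted roles list
            row_errors.append("extra cells (quote the roles list?)")
        clean = {k: (v or "").strip() for k, v in row.items() if k is not None}
        if not clean.get("email") and not clean.get("username"):
            row_errors.append("missing both email and username")
        for col in BOOLEAN & set(clean):
            if clean[col] not in ("", "true", "false"):
                row_errors.append(f"{col} must be true/false, got {clean[col]!r}")
        if row_errors:
            errors += [f"line {reader.line_num}: {e}" for e in row_errors]
            continue
        clean["roles"] = [r.strip() for r in clean.get("roles", "").split(",") if r.strip()]
        accounts.append(clean)
    return accounts, errors

# Constructed sample data (not real accounts). Line 5 leaves the roles list unquoted.
SAMPLE = '''email,username,firstName,lastName,roles,active,privileged,twoFactorEnabled,ssoEnabled
ana@example.com,,Ana,Ruiz,"admin,billing",true,true,true,false
,svc-backup,,,operator,true,true,false,false
,,Lee,Chan,viewer,true,false,yes,true
bo@example.com,,Bo,Li,admin,billing,true,false,true,true
'''

if __name__ == "__main__":
    accounts, errors = validate_access_csv(SAMPLE)
    print(f"{len(accounts)} valid account(s)")
    for e in errors:
        print("ERROR", e)
```

An unquoted multi-role cell shifts every later value one column to the right, so a role name lands in the active column; the check reports that row instead of letting misaligned flags reach the review.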

Custom Integrations

To include a non-integrated tool in the UAR feature, you can also create a custom integration to push user account information into Secureframe. For more information, please see our article on how to create a custom integration. Once created, it will show up in the add applications list of a user access review.
