Review access rights


This use case describes the review access right use cases for end-users and IGA admins. Generally, re-certification and access right reviews are used for different purposes, but for clarity, especially for end-users, the IGA solution combines them under the review access right use cases.

Access right reviews are periodic audits or evaluations of the access that users have to various applications and resources within an organization. The goal is to ensure that access is appropriate based on the individual's current role, responsibilities, and needs. Reviews can help detect and remove excessive or unnecessary access, reduce security risks, and improve compliance.

Re-certification differs in that it refers to the formal process of reviewing and confirming that users' access rights are still appropriate and necessary for their role, typically at regular intervals. This process often requires managers or system owners to affirm or "re-certify" that a user still requires access to specific resources, systems, or data.

Key aspects of access right reviews & re-certification:

  • Periodic assessments: Regular reviews (e.g., quarterly, annually) of user access rights to ensure they are up to date, and a formal request to managers or access owners to confirm whether the access levels granted to users are still valid.
  • Role-based access checks: Verifying that the access granted aligns with the user's job role and current responsibilities.
  • Identifying risks: Spotting unauthorized access, access to sensitive data that’s not needed, or potential vulnerabilities.
  • Compliance with regulations: Some industries require access re-certification to meet regulatory standards such as GDPR, NIS2 or DORA, or to meet the requirements of certifications such as ISO27001.

Both access right reviews and re-certifications are essential for maintaining a strong security posture, minimizing risks, and ensuring compliance with internal policies and external regulations. These activities are typically supported by automated tools and require coordination between IT, security teams, and business units to be effective.

Use the M42 Intelligence - Comms assistance add-on to ensure that communication towards end-users is clear, so that it is easy to understand why access right review requests are important to perform periodically and what is expected from the user. For example, this feature ensures that users get the information in their native language.

 

Use cases

 

Use cases for end-users

Users can also review access rights by using the My Things functionality in Self-Service, and managers have similar capabilities to review their subordinates' access rights by using the My Employees functionality.

The use cases described here are guided services, which also enable end-users to request access rights or the removal of access rights. At the end of the service, the end-user gives review comments, which are stored for auditing purposes.

End-user use cases described below:

  • Review my access rights
  • Review access rights (manager)
  • Review access rights (approver)

 

  Description
Overview

This use case describes the review access right services in Self-Service, and how end-users can review active access rights at any time or when there are open review requests, for example when there is a need to review whether one single access right is still valid for all the users (also known as re-certification).

 

  1. Review my access rights: for reviewing your own active access rights.
  2. Review access rights (managers): This service allows you to review access rights of your team members.
  3. Review access rights (approvers): This service is designed for reviewing access rights and business roles for users in your organization for those access rights where you are defined as approver.
Operators

End-user

Manager

Approver

Self-Service

IGA solution

Prerequisites

To review access rights at any time, end-users need access to the review service(s) in Self-Service.

To review open access right review requests, the IGA admin has created a review request in the IGA solution, and the user has received an email notification about review requests waiting for actions.

Result

Users' access rights are reviewed and updated, and unnecessary ones are removed. Results are stored for auditing purposes, and the review is ended.

Review my access rights
  1. User logs in to Self-Service and opens the “Review my access rights” service.
    • User will receive email if user has open access right review requests
    • User can review all active access rights at any time
  2. User selects either
    1. Ongoing access right review requests (re-certification)
    2. Review all my access rights (review access rights)
  3. When user has selected “ongoing access right review request”
    • User selects one of the ongoing requests from the list
    • User can immediately see list of access rights under review which user has active at the moment
    • On the next page user can request more access rights
    • On the next page user can request access rights to be removed
    • On the last page user gives result for the review and sends the review request forward
  4. When user has selected “review all my access rights”
    • User selects one of the user's work periods
    • User can immediately review active access rights
      • List of applications where user has accesses
      • List of access rights requested from Self-Service
      • List of business roles requested from Self-Service
      • List of automatically granted access rights
      • List of automatically granted business roles
      • List of owner responsibilities in the IGA solution
      • List of approver responsibilities in the IGA solution
      • List of team memberships in the IGA solution
    • On the next page user can request more access rights
    • On the next page user can request access rights to be removed
    • On the last page user gives result for the review and sends the review request forward
  5. IGA solution receives the information from Self-Service and, based on the results, either adds or removes access rights or stores auditing details showing that the review was successful
Review access rights (managers)
  1. Manager logs in to Self-Service and opens the "Review access rights (managers)" service
    • Manager will receive email if manager has open access right review requests
    • Manager can review all active access rights of subordinates at any time
  2. Manager selects either
    1. Ongoing access right review requests (re-certification)
    2. Review all application related access rights (review access rights)
  3. When manager has selected “ongoing access right review request”
    • Manager selects one of the ongoing requests from the list
    • Manager can immediately see list of access rights under review
    • Manager can review subordinates who have the selected access right or business role active at the moment
    • On the next page manager can request more access rights to all subordinates
    • On the next page manager can request access rights to be removed from all subordinates
    • On the last page manager gives result for the review and sends the review request forward
  4. When manager has selected “review application related access rights”
    • Manager can see list of all applications used by subordinates and manager selects one of the applications
    • Manager selects one of the related access rights or business roles
    • Manager can see list of subordinates who have the selected access right or business role active at the moment.
    • On the next page manager can request more access rights
    • On the next page manager can request access rights to be removed
    • On the last page manager gives result for the review and sends the review request forward
  5. IGA solution receives the information from Self-Service and, based on the results, either adds or removes access rights or stores auditing details showing that the review was successful
Review access rights (approvers)
  1. Approver logs in to Self-Service and selects the "Review access rights (approvers)" service
    • Approver will receive email if user has open access right review requests
    • Approver can review all application related access rights at any time
  2. Approver selects either
    1. Ongoing access right review requests (re-certification)
    2. Review all application related access rights (review access rights)
  3. When approver has selected “ongoing access right review request”
    • Approver selects one of the ongoing requests from the list
    • Approver can immediately see list of access rights under review
    • Approver can review users who have the selected access right or business role active at the moment
    • On the last page approver gives result for the review and sends the review request forward
  4. When approver has selected “review all application related access rights”
    • Approver selects from the list of the applications that require the approver's approval for access rights
    • Approver selects one of the related access rights
    • Approver can see list of users who have the access right or business role active at the moment
    • On the last page approver gives result for the review and sends the review request forward
  5. IGA solution receives the information from Self-Service and, based on the results, either adds or removes access rights or stores auditing details showing that the review was successful
 
 

Use cases for IGA admins

This section describes the use cases for IGA admins to start, cancel, re-review, monitor and report access right reviews. The customer can decide whether other users, for example application owners, can also start, cancel, re-review, monitor and report access right reviews for the applications where the user is marked as owner.

IGA admin use cases described here:

  • Create new review request 
  • Cancel ongoing review request
  • Start re-review
  • Monitor and report
     
  Description
Overview

This use case describes how the IGA admin can start, define, monitor and audit access right review requests.

 

Operators

IGA admin

IGA solution

Prerequisites

Relations between users, entitlements, business roles, access right records, accounts and work periods need to be correctly in place.

Result

One-time or recurring review request has been created, reviewers are notified, results are visible and auditing details are saved. 

Create new review request
  1. IGA admin opens list view for IGA Review Access Rights and selects new from the list view. 
  2. IGA admin fills in the following information
    • Review information
      • Name & description
  3. IGA admin chooses type
    • Review
  4. If the type is Review, IGA admin fills in the following information
    • Choose content
      • Application 
      • Single entitlement 
      • Multiple entitlements (more than 1)
      • Single business role 
      • Multiple business roles (more than 1)
    • If application is selected, IGA admin selects from the list the application whose entitlements are going to be reviewed
      • All related entitlements under review are automatically listed, but IGA admin can remove unnecessary ones
    • If single entitlement or single business role is selected, IGA admin selects from the list the entitlement or business role that is going to be reviewed
      • IGA admin selects if approval type is
        • Approval request, which will generate approval request to Self-Service
        • Review service, which will generate review request and expects user to use one of the review services in Self-Service 
    • If multiple entitlements or business roles are selected, IGA admin selects one or more entitlements or business roles which are going to be reviewed
      • In these cases approval type is always: Review service, which will generate review request and expects user to use one of the review services in Self-Service 
  5. IGA admin selects target for the review
    • Users who have the selected entitlements or business role active at the moment
    • Users with certain title(s)
      • One or more can be selected
    • Users with certain cost center
      • One or more can be selected
    • Users in certain organizational unit
      • One or more can be selected
  6. IGA admin defines scheduling for the review
    • Recurrence, one-time
    • Start date for the review (when review requests are sent to users)
    • End date for the review (last day for users to review their access rights)
  7. IGA admin defines reviewers and communication 
    • If the users whose access rights are under review are required to give their own opinion on whether the access right is still needed, IGA admin can select: Include users in the review
      • Entitlements or business roles are not automatically added to or removed from the user based on the user's decision. The user can suggest changes to their own access rights, but removal / granting is made based on manager and/or approver decisions.
    • Reviewers
      • Managers - review request is required only from managers whose subordinate has the access rights active at the moment
      • Approvers - review request is required only from approvers defined in the selected entitlement(s) or business role(s)
      • Managers + Approvers - review request is required from both
      • Selected persons - IGA admin can select individual person(s) to review the access rights
    • Notification to reviewers
      • Automatic - pre-defined email is sent to users whose actions are needed for the review
      • Manual - IGA admin can write the email which is sent to users whose actions are needed for the review
        • If the customer is using M42 Intelligence, Comms assistance can assist IGA admin in writing the email and translating it into different languages
  8. IGA admin saves the data card, the review is started, and review requests are sent to users according to the defined scheduling.
  9. IGA admin can immediately see and report from the saved review request
    • Number of generated review requests
    • Number of users under review
    • List of users under review
    • Number of reviewers
    • List of reviewers
  10. The review process ends when the end date occurs, or IGA admin takes one of the following actions:
    • Cancel ongoing and scheduled review requests 
    • Start re-review 
    • Creates and schedules next review 
    • Audit & report review results
Cancel ongoing review request
  1. IGA admin opens the ongoing review request, which needs to be cancelled
  2. IGA admin edits scheduling for the review request
  3. IGA admin selects “cancel review” and saves the data card
  4. IGA solution closes all open review requests and sets their status to cancelled, and the result for the review request is set to “closed, has open requests”
    • IGA admin can review from results how many requests were cancelled
  5. Process ends and auditing details are saved
Start re-review for requests which were not approved during the review period (scheduling)
  1. End date for the review request has occurred, but there are still open review requests
  2. IGA admin opens the ongoing review request, which still has open requests even though the end date has occurred, so a re-review needs to be started.
    • From review results IGA admin can see how many and which of the requests were not reviewed in time
  3. IGA admin edits review results by setting the result to “re-review required” and saves the data card
  4. IGA solution creates new review requests and informs only the users who did not finalize the original review in time.
  5. IGA admin monitors re-review and ensures that all requests are reviewed
  6. IGA admin can start re-review request as many times as needed
Monitoring & reporting review requests
  1. IGA admin has several pre-defined reports, views and dashboards for monitoring and reporting access right review results
    • IGA admin can create new, update or remove existing reports/views/dashboards
    • All review requests
    • Ongoing and scheduled requests
    • Last reviewed entitlements, business roles and users
    • Never reviewed entitlements, business roles and users
    • Most reviewed entitlements and applications
    • % of users and entitlements whose/which accesses are never reviewed
  2. IGA admin can monitor results of the review request
    • Total number of requests
    • Number of unhandled requests
    • Number of approved requests
    • Number of rejected requests
    • Number of cancelled requests
  3. IGA admin can see timestamps for the review from statistics
    • Review time 
    • Review done
    • Review canceled
  4. IGA admin can review workflow information. In case provisioning fails during access right requests or removal requests, an IGA admin task is generated from the IGA service request. Please follow the IGA administration instructions.
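
The admin-side lifecycle described above (reviewer selection, cancel, re-review and the monitoring counts), modelled in Python as an added example; it is not Matrix42 code and does not use the IGA solution's API. The sample data, all names, and the choice to leave the original requests untouched when a re-review starts are assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample data. Names and fields are illustrative assumptions,
# not the IGA solution's data cards or API.
USERS = {  # user -> (manager, entitlements active at the moment)
    "alice": ("mia", {"ERP-Finance", "VPN"}),
    "bob": ("mia", {"ERP-Finance"}),
    "carol": ("noah", {"ERP-Finance", "VPN"}),
    "dave": ("noah", {"VPN"}),
}
APPROVERS = {"ERP-Finance": ["olga"], "VPN": ["pete"]}  # entitlement -> approvers
REVIEWER_MODES = {
    "Managers": {"manager"},
    "Approvers": {"approver"},
    "Managers + Approvers": {"manager", "approver"},
}
STATUSES = ("unhandled", "approved", "rejected", "cancelled")


@dataclass
class Request:
    reviewer: str
    user: str
    entitlement: str
    status: str = "unhandled"
    round_no: int = 1


def create_requests(entitlements, reviewers="Managers + Approvers"):
    """One request per (reviewer, user, entitlement), targeting users who
    have the selected entitlement active at the moment."""
    roles = REVIEWER_MODES[reviewers]
    requests = []
    for user, (manager, active) in sorted(USERS.items()):
        for ent in sorted(active & set(entitlements)):
            who = [manager] if "manager" in roles else []
            if "approver" in roles:
                who += APPROVERS[ent]
            requests += [Request(r, user, ent) for r in who]
    return requests


def decide(requests, reviewer, status):
    """Record one reviewer's result on all of their open requests."""
    for r in requests:
        if r.reviewer == reviewer and r.status == "unhandled":
            r.status = status


def cancel_review(requests):
    """Close every open request and return how many were cancelled."""
    open_requests = [r for r in requests if r.status == "unhandled"]
    for r in open_requests:
        r.status = "cancelled"
    return len(open_requests)


def start_re_review(requests):
    """New round of requests only for reviews not finalized in time.
    Assumption: the original requests are left untouched for auditing."""
    return [Request(r.reviewer, r.user, r.entitlement, round_no=r.round_no + 1)
            for r in requests if r.status == "unhandled"]


def monitor(requests):
    """Counts matching the monitoring list: total and one count per status."""
    counts = Counter(r.status for r in requests)
    return {"total": len(requests), **{s: counts[s] for s in STATUSES}}


def never_reviewed_users(requests):
    """Users with no approved or rejected review result at all."""
    done = {r.user for r in requests if r.status in ("approved", "rejected")}
    return sorted(set(USERS) - done)


if __name__ == "__main__":
    reqs = create_requests(["ERP-Finance"])
    decide(reqs, "mia", "approved")
    decide(reqs, "noah", "approved")  # olga never responds before the end date
    print(monitor(reqs))
    second = start_re_review(reqs)
    print(sorted({r.reviewer for r in second}), never_reviewed_users(reqs))
```

In the sample run, the user who holds only an entitlement outside the review content shows up as never reviewed, which is the gap the "never reviewed" reports are meant to surface.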
 
 

M42 Intelligence - Comms assistance

The IGA solution supports different AI related use cases (add-on). Review access rights is one of the use cases where the IGA admin needs to communicate clearly to end-users, to ensure that they are aware why review requests are made and what is expected from the reviewers and end-users.

When enabled, IGA can use Comms assistance for writing the message to the reviewers (end-users, managers and approvers), which usually requires a comprehensive explanation of what the access right review is about and what actions are expected from the user.

Comms assistance helps IGA admin with:

  • Correcting and improving messages to end-users, e.g. via email
  • Out-of-the-box use cases optimized for IGA admin communication towards end-users
  • Easy to setup & adjust towards your company language

 

 
 

 

 

Delivery instructions

 

Data Card Flow and Purpose

 

Data card purpose:

  • IGA review access rights - is used by IGA admins to start new and re-review requests, follow and monitor ongoing requests, report and audit information related to review requests.
  • Approval - is created in cases when approval type is set to “approval request”, and approval is made by using Self-Service approval functionalities
  • IGA service request - is created for new review requests, and it is also created if the user simultaneously requests access rights to be added or removed, or if re-review is required by IGA admin.
  • IGA entitlement - can be content of the review, and defines approvers for entitlement and application reviews. Is used also for reviewing last or never reviewed entitlements
  • IGA business role - can be content of the review and defines approvers for business role reviews
  • Application - is used for reviewing which applications' accesses were reviewed last and when the review was made
  • IGA work period - is used for reviewing last or never reviewed users
  • IGA identity storage - is used for reviewing and auditing all reviews related to the user
  • IGA access right record - stores auditing details about the reviews
 
 

Configuration Instructions

Please follow the correct instructions, based on whether you are configuring a new environment (baseline version 2025.1 or newer) or adding these use cases into an existing customer environment.

Always remember to:

  1. Configure use cases first into test environment
  2. Perform system and user approval testing in the test environment
  3. Fix all possible findings and perform re-testing
  4. Move configuration into production environment
  5. Validate that configuration is correctly moved to the production environment

Configuration instructions for new environment:

  1. Configuration in the IGA solution (platform)
    • Publish IGA service request template 
      • Publish IGA review access rights workflow
    • Publish IGA review access rights template
      • IGA review access rights workflow
  2. Configuration in Self-Service
    • Publish following services
      • Review my access rights
      • Review access rights (managers)
      • Review access rights (approvers)

Configuration instructions for existing environment (IGA solution):

  1. Import from One-Click-Demo (OCD) environments and/or make changes to following templates
    • Application
      • Add new attribute: Related entitlements
    • IGA Entitlement
      • Add new attribute in to xx: Review access rights
      • Add new attribute (technical field): ESS filtering (shared attribute) 
      • Save all entitlement data cards
      • Listener post-save: Save related application when added to entitlement (2025.1).
    • IGA Access Right Record
      • Add new class: Review access right information
      • Add new attribute: Review history
      • Update workflow: 2.0 Add or remove group membership 
    • IGA Business Role
      • Add new attribute: Review access rights
      • Add new attribute (technical field): ESS filtering (shared attribute) 
      • Save all business role data cards
    • Import NEW template: IGA review access rights, which includes
      • Listeners
      • Events
      • Workflow
    • IGA Service Request
      • Add new attributes:
        • IGA Review Access Rights
        • Unfinished related review access rights
        • Entitlements in review
        • Business roles in review
        • Request rejected
        • Requested approver(s)
        • Requested approver(s) help
      • Publish IGA Review access rights workflow
    • IGA Work Period
      • Add new class: Review access right information
      • Add new attribute: Review access right
    • Create new service items: 
      • Review access rights 
      • Review comments

Configuration instructions for existing Self-Service:

  1. Import new services:
    • Review my access rights
    • Review access rights (managers)
    • Review access rights (approvers)
  2. Import related MyServices:
    • IGA Review / User requests (User)
    • IGA Review / Manager requests (Manager)
    • IGA Review / Approver requests (Approver)
    • IGA Review Business roles (User, Manager, Approver)
    • IGA Review Entitlements (User, Manager, Approver)
    • IGA Review WPs/Business roles (Manager, Approver)
    • IGA Review WPs/Entitlement (Manager, Approver)
    • IGA WP Active access rights (User)
    • IGA WP Automatic Business role (User)
    • IGA WP Automatic entitlements (User)
    • IGA WP Requested Business role (User)
    • IGA Business role / Approvers (Approver)
    • IGA Entitlement / Approvers (Approver)
    • IGA Work (my) period - Request and Remove access (User)
    • My application accessess (User)
    • My application /subordinate accessess (Manager)
    • My application /approver
    • IGA Review WPs/Application entitlements (Manager)
    • IGA Review WPs/Application Business role (Manager)
    • My Teams (User)
    • IGA Entitlement Approver 1 (User)
    • IGA Entitlement Approver 2 (User)
    • IGA Business role Approver 1 (User)
    • IGA Business role Approver 2 (User)

 

 
 

System- and Approval Testing Instructions

Testing preparations:

  1. IGA solution contains users who have all needed relations to entitlements, applications, managers, access right records etc.
  2. Create test users for Self-Service with correct accesses to following services and relations in place in the IGA solution 
    • User - review my access rights
    • Manager - review access rights (managers), has relations to subordinates
    • Approver - review access rights (approvers), marked as approver to entitlements and/or business roles

Testing instructions for IGA admins:

  1. Create different types of review requests according to the use case for IGA admins
    • Choose all types of content for the reviews
    • Choose both types of approvals
    • Create at least ten (10) different types of review requests for end users to be able to test different results for the reviews
  2. Move to testing end-user actions
  3. After some of the end-users have reviewed their accesses, cancel one of the ongoing requests
  4. When end-date occurs 
    • For one of the requests, start re-review for those users who did not perform the review in the defined time frame.
    • Validate results and ensure that reports are showing information correctly
  5. Validate that review request statuses and results are shown correctly

Testing instructions for end-users:

  1. Login to Self-Service
    • All users should see review my access rights service
    • Managers who have subordinates should see review access rights (manager) service
    • Approvers who have approver responsibilities defined in IGA entitlement and/or IGA business role data cards should see review access rights (approvers) service
    • In case an end-user has several review responsibilities, it is possible that one or more review services are visible in the Self-Service
  2. Validate that correct service(s) are available for the test user according to assigned role
  3. Open the service
    • Validate that text and instructions are correct
    • Select review all my access rights
      • Validate the service is working according to the use cases described for the role
    • Select ongoing access right request
      • Select the request where IGA admin has included user review
    • Validate that information is shown correctly for the end-users.
      • Compare the visible information to the related user's IGA identity storage data card
    • Validate that managers can only see own subordinates, not all users
    • Validate that approvers can see only information related to accesses where they are marked as approver (IGA entitlement or IGA business role)
  4. Approve and decline single entitlement or business role approval requests, visible in the front page
    • Validate that enough information is visible to review the access rights