Skip to main content
The Access Reviews page lets you run periodic reviews of user access across all connected systems. Access reviews are a core requirement of SOC 2, ISO 27001, and HIPAA — auditors need evidence that you regularly validate who has access to what.

How access data is collected

DSALTA pulls user access data from every connected integration. When you connect an identity provider (Google Workspace, Microsoft Entra ID, Okta), a cloud platform (AWS, GCP, Azure), or any other integration, DSALTA syncs the full list of users, their roles, and their permissions into the Access module. Each access record shows:
ColumnDescription
UserName and email of the person with access
SystemWhich integration or system they have access to
Role / PermissionTheir assigned role or permission level
MFA StatusWhether MFA is enabled for this account
Last ActiveWhen the user last logged in or used the system
Account TypeHuman user or service account
SourceIntegration name or “Manual”

Running an access review

Access reviews let you validate that every user’s access is still appropriate. To start a review:
  1. Navigate to Data Library → Access in the DSALTA sidebar.
  2. Click Start Review to create a new access review campaign.
  3. Select which systems to include in the review (e.g., all systems, or specific integrations).
  4. Assign reviewers — the people responsible for validating access for each system.
  5. Set a due date for the review to be completed.
For each user in the review, the assigned reviewer marks the access as:
  • Approved — Access is appropriate and should remain
  • Revoke — Access should be removed (creates a task for the system admin)
  • Modify — Access level should be changed (e.g., demote from admin to viewer)
Once all users are reviewed, the review campaign is marked as complete. The full review history — who reviewed, what decisions were made, and when — is stored as audit evidence.

Review scope and filtering

You can filter the access review to focus on specific areas:
  • By system — Review access for a single integration (e.g., only AWS)
  • By role — Review users with admin or privileged access first
  • By status — Focus on users who have not been active in the last 90 days
  • By type — Separate human users from service accounts

Automated access checks

In addition to manual reviews, DSALTA runs automated tests that flag access issues:
  • Offboarded users with active access — Detects users marked as offboarded in your HRMS who still have active accounts in connected systems
  • MFA not enabled — Flags users without MFA across all systems
  • Stale access — Identifies users who have not logged in for 90+ days
  • Excessive permissions — Flags users with admin access who may not need it
These automated checks run on every sync cycle and appear as tests in your Data Library → Tests dashboard.

Compliance frameworks

Access reviews provide evidence for:
  • SOC 2 — CC6.1 (Logical access controls), CC6.2 (Prior to access), CC6.3 (Access removal)
  • ISO 27001 — A.9.2.5 (Review of user access rights)
  • HIPAA — §164.312(a)(1) (Access control)
  • PCI DSS — Requirement 7 (Restrict access by need to know)