> ## Documentation Index
> Fetch the complete documentation index at: https://help.dsalta.com/llms.txt
> Use this file to discover all available pages before exploring further.

# User access to Critical System should be valid

> Checks that the connected Granola account belongs to an active employee on your People page.

Checks that the connected Granola account belongs to an active employee on your People page.

## About

When you connect Granola to DSALTA, the platform records the connected Granola account — the email and workspace of whoever authorized the connection — using read-only access. On every sync DSALTA compares that account against your **People** page, matched by email within your organization, and activates this check when the account is not an active employee on the People page.

<Note>
  Granola does not provide a team member list, so the Access page shows a single row for the connected account rather than individual people. If the connected account's email does not match a person in your directory, this check may not resolve automatically — confirm the account is owned by a current, authorized employee.
</Note>

## Why This Matters

Access tends to accumulate over time as roles change, leaving accounts with more reach than they need. Access to a meeting-notes tool that can capture and store conversation content should belong only to current, authorized employees. Regularly validating who holds that access is a core control in SOC 2 and ISO 27001, which require access to critical systems to be restricted to authorized personnel.

## How to Fix

**Before you begin**

* Ensure the Granola integration is connected so DSALTA has the current connected account.

**Review Granola access**

1. In **Granola → Settings**, review the connected account and remove access for anyone who is not a current employee.
2. In DSALTA, go to **People** and confirm the Granola account exists and is active.
3. In **Data Library → Access**, filter for **Granola** and confirm the connected account maps to an active employee on the **People** page.
4. Mark the reviewed account as **In Scope** (valid) or **Not in Scope** (to be revoked), and record the reviewer.

Once the connected Granola account maps to an active, documented employee, DSALTA retrieves the change on the next sync and sets the check status to **Passing**.

## Frequently Asked Questions

<AccordionGroup>
  <Accordion title="How often does this check run?">
    This check runs automatically every 24 hours while the Granola integration is connected. You can also trigger a manual sync from **Integrations** in the sidebar.
  </Accordion>

  <Accordion title="Why does the Access list show a single account instead of people?">
    Granola does not expose an individual member roster, so DSALTA records the connected Granola account (the person who authorized the connection). Review that account's owner manually against your People page.
  </Accordion>

  <Accordion title="Can I exclude this check?">
    Yes. If it does not apply to your environment, mark it as **Not Applicable** with a justification. The exclusion is documented for auditors.
  </Accordion>

  <Accordion title="Does DSALTA change my Granola configuration?">
    No. DSALTA uses **read-only access** and never modifies, creates, or deletes resources. All remediation is performed by your team directly in Granola.
  </Accordion>
</AccordionGroup>
