> ## Documentation Index
> Fetch the complete documentation index at: https://help.dsalta.com/llms.txt
> Use this file to discover all available pages before exploring further.

# User access to Critical System should be valid

> Checks that the connected Pipedream account belongs to an active employee on your People page.

Checks that the connected Pipedream account belongs to an active employee on your People page.

## About

When you connect Pipedream to DSALTA, the platform records the connected Pipedream account — the username and email of whoever provided the API key — using read-only API access. On every sync DSALTA compares that account against your **People** page, matched by email within your organization, and activates this check when the account is not an active employee on the People page.

<Note>
  Pipedream does not provide a workspace member list, so the Access page shows a single row for the connected account rather than individual people. If the connected account's email does not match a person in your directory, this check may not resolve automatically — confirm the account is owned by a current, authorized employee.
</Note>

## Why This Matters

Access tends to accumulate over time as roles change, leaving accounts with more reach than they need. A workflow automation platform can connect to and move data between your other systems, so access to it should belong only to current, authorized employees. Regularly validating who holds that access is a core control in SOC 2 and ISO 27001, which require access to critical systems to be restricted to authorized personnel.

## How to Fix

**Before you begin**

* Ensure the Pipedream integration is connected so DSALTA has the current connected account.

**Review Pipedream access**

1. In **Pipedream → Settings**, review the connected account and workspace members, and remove access for anyone who is not a current employee.
2. In DSALTA, go to **People** and confirm the Pipedream account exists and is active.
3. In **Data Library → Access**, filter for **Pipedream** and confirm the connected account maps to an active employee on the **People** page.
4. Mark the reviewed account as **In Scope** (valid) or **Not in Scope** (to be revoked), and record the reviewer.

Once the connected Pipedream account maps to an active, documented employee, DSALTA retrieves the change on the next sync and sets the check status to **Passing**.

## Frequently Asked Questions

<AccordionGroup>
  <Accordion title="How often does this check run?">
    This check runs automatically every 24 hours while the Pipedream integration is connected. You can also trigger a manual sync from **Integrations** in the sidebar.
  </Accordion>

  <Accordion title="Why does the Access list show a single account instead of people?">
    Pipedream's API does not expose an individual member roster, so DSALTA records the connected Pipedream account (whoever provided the API key). Review that account's owner manually against your People page.
  </Accordion>

  <Accordion title="Can I exclude this check?">
    Yes. If it does not apply to your environment, mark it as **Not Applicable** with a justification. The exclusion is documented for auditors.
  </Accordion>

  <Accordion title="Does DSALTA change my Pipedream configuration?">
    No. DSALTA uses **read-only API access** and never modifies, creates, or deletes resources. All remediation is performed by your team directly in Pipedream.
  </Accordion>
</AccordionGroup>
