Access Certifications

Access certification (also called access review or recertification) is the process of periodically reviewing and validating whether users still need their current access entitlements. It is the primary mechanism for detecting and remediating privilege creep, orphan accounts, and excessive permissions.

Certifications are the most visible governance activity for business managers — and often the most disliked. A well-designed certification program minimises reviewer burden while maximising security and compliance value.

Why Certifications Matter

Without periodic access certification, access entitlements accumulate indefinitely:

New Hire (Day 1): 5 entitlements
After 1 year: 12 entitlements (role changes, project access, temporary grants)
After 3 years: 23 entitlements (accumulated but never reviewed)
After 5 years: 31 entitlements (many no longer relevant)

This accumulation — entitlement creep — is the primary source of excessive access risk. Certifications are the mechanism that reverses this trend.

| Benefit | Description |
|---|---|
| Risk reduction | Identify and remove excessive access before it is abused |
| Compliance | Satisfy regulatory requirements for periodic access review (SOX, PCI, HIPAA) |
| Cost savings | Reduce licence costs by deprovisioning unnecessary access |
| Audit readiness | Provide evidence that access is regularly reviewed and controlled |
| Clean-up | Remediate orphan accounts, unused entitlements, SoD violations |

Certification Types

User Access Review (UAR)

The most common certification type. Managers review their direct reports’ access entitlements.

Scope: All entitlements for each user in the reviewer’s team.
Reviewer: Direct manager.
Frequency: Quarterly (high-risk), bi-annually (medium-risk), annually (low-risk).

Application Access Review

Application or resource owners review who has access to their application or system.

Scope: All users with access to a specific application or group of applications.
Reviewer: Application owner, data owner, or delegated security contact.
Frequency: Annually (standard apps), quarterly (critical apps).

Role Certification

Review role definitions and memberships to ensure roles remain aligned with business functions.

Scope: Role definitions, role membership lists.
Reviewer: Role owner, business process owner.
Frequency: Annually.

Privileged Access Review

Review privileged account memberships and usage.

Scope: Domain admin groups, local admin groups, privileged cloud roles, service accounts.
Reviewer: Security team, PAM administrators.
Frequency: Monthly or quarterly.

Certification Campaign Design

Campaign Lifecycle

Campaign Planning

Define campaign scope: which users, which entitlements, which systems. Identify reviewers (managers for UAR, application owners for app access). Set deadlines and escalation rules. Configure policy rules (auto-approve low-risk, auto-certify unchanged from last review).

Campaign Initiation

Launch the campaign through the IGA platform. Notifications are sent to all reviewers with instructions, deadlines, and links to their review queues.

Reviewer Completion

Reviewers log into the certification portal, review their assigned users/applications, and make decisions (certify, revoke, or modify). Reviewers can be passive (review lists) or active (augmented with access usage data, SoD violation flags, and risk scores).

Escalation and Reminders

Automated reminders are sent to reviewers approaching their deadlines. If a deadline is missed, the item is escalated to the reviewer’s manager. Escalation chain: reviewer → manager → compliance team.

Remediation

Decisions are enforced: revocations are executed, modifications are applied, certified access is confirmed. Remediation actions are automated where possible (SCIM deprovisioning, group membership changes).

Campaign Close and Reporting

Campaign results are compiled: certification rate, revocation rate, overdue items, exception reports. Generate compliance evidence package for auditors.

Reviewer Decision Options

| Decision | Description | Default? | Effect |
|---|---|---|---|
| Certify | Access is confirmed as appropriate | Optional | No action |
| Revoke | Access should be removed | Optional | Entitlement deprovisioned |
| Modify | Access should be changed | Optional | Entitlement modified |
| Not Applicable | Reviewer cannot assess this user/entitlement | Optional | Escalated to next reviewer |
| Defer | Decision postponed (with reason and timeframe) | Optional | Re-presented in next review cycle |

Reducing Reviewer Fatigue

Reviewer fatigue is the #1 challenge in certification programs. When reviewers are overloaded, they certify everything without proper scrutiny — defeating the purpose of the review.

| Technique | How It Works | Impact |
|---|---|---|
| Risk-based review | Only high-risk or changed access requires active review; low-risk is auto-certified | 60-80% reduction in review items |
| Usage data augmentation | Show last-used date for each entitlement | Reviewers make informed decisions (revoke unused access) |
| Access history | Show which entitlements are new since last review | Reviewers focus attention on changes |
| SoD flagging | Highlight toxic permission combinations | Reviewers prioritise high-risk items |
| Smart grouping | Group similar entitlements so reviewers certify a logical bundle | Fewer decisions required |
| Self-certification first | Users certify their own access statements, managers only review exceptions | Manager burden reduced by 50%+ |

Tip

The single most impactful technique for improving certification quality is augmenting reviews with access usage data. When a manager sees that an employee has not used a system in 6 months, they are far more likely to revoke access than when faced with a bare list of entitlements.

Certification Automation

Rules-Based Auto-Certification

| Rule | Logic | Outcome |
|---|---|---|
| No change since last certified | If entitlement was certified in previous campaign and is unchanged | Auto-certified (skip review) |
| Low-risk entitlement | If entitlement is read-only or on a non-critical system | Auto-certified |
| Never used | If entitlement has not been used in > 90 days | Flag for revocation (pre-certify as revoke) |
| Manager certified | If manager has already certified the user’s entire access | Auto-certify all entitlements for that campaign |
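The fatigue-reduction techniques above (usage data, access history, SoD flagging) and these auto-certification rules combine naturally into a triage step that runs before reviewers see anything. The Python below is an added example, not the page's or any IGA product's code; the Entitlement fields, the three queue names, the choice to check dormant access before the "unchanged" rule, and the rule that an SoD hit is never auto-certified are this example's assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

UNUSED_DAYS = 90  # threshold from the "never used" auto-certification rule


@dataclass
class Entitlement:
    user: str
    name: str
    risk: str                    # "low", "medium" or "high"
    last_used: Optional[date]    # None means never used
    certified_last_cycle: bool   # certified in the previous campaign
    changed_since_last: bool     # added or modified since the last review


def triage(e: Entitlement, today: date) -> tuple[str, str]:
    """Apply the auto-certification rules to one entitlement; returns (queue, reason).
    Dormant access is checked first (this example's ordering) so an unchanged but
    unused entitlement is pre-certified as revoke rather than silently re-certified."""
    if e.last_used is None or (today - e.last_used).days > UNUSED_DAYS:
        return "pre-revoke", f"not used in more than {UNUSED_DAYS} days"
    if e.certified_last_cycle and not e.changed_since_last:
        return "auto-certify", "unchanged since last certification"
    if e.risk == "low":
        return "auto-certify", "low-risk entitlement"
    return "review", "new or changed medium/high-risk access"


def build_campaign(items, today, manager_certified=frozenset(), toxic_pairs=()):
    """Sort entitlements into queues, augmented with last-used date, change flag and SoD flag."""
    by_user = defaultdict(list)
    for e in items:
        by_user[e.user].append(e)
    queues = {"pre-revoke": [], "auto-certify": [], "review": []}
    for user, ents in by_user.items():
        held = {e.name for e in ents}
        # SoD flagging: entitlements that complete a toxic pair with another one held
        sod = {x for a, b in toxic_pairs if a in held and b in held for x in (a, b)}
        for e in ents:
            if user in manager_certified:       # "manager certified" rule
                queue, reason = "auto-certify", "manager certified entire access"
            else:
                queue, reason = triage(e, today)
            if e.name in sod and queue == "auto-certify":   # example's choice: SoD hits always get a human
                queue, reason = "review", "SoD violation, reviewer must decide"
            queues[queue].append({"user": user, "entitlement": e.name, "reason": reason,
                                  "last_used": e.last_used, "new_since_last_review": e.changed_since_last,
                                  "sod_flag": e.name in sod})
    return queues
```

Only the "review" queue is presented to reviewers; the other two become the campaign's auto-decisions and the pre-filled revoke suggestions.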

Remediation Automation

| Remediation Action | Automation | Verification |
|---|---|---|
| Account disable | Automated via SCIM or API | Re-run reconciliation to confirm removal |
| Group membership removal | Automated via directory API | Verify user no longer in group |
| Role removal | Automated via IGA role management | Update role assignment in IGA |
| SSO session termination | Automated via IdP API | Verify session terminated |
| Data archive | Manual (requires data owner) | Confirm data archived before account removal |
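The verification column is the part that matters for evidence: a successful API call is not proof that access is gone, because an authoritative upstream sync or a nested group can put it back. The Python below is an added example (not the page's or any vendor's code) that executes revoke decisions against a constructed in-memory directory, re-reads the state as a reconciliation step, and records confirmed versus failed removals; FakeDirectory, its sync_managed behaviour and the Decision fields are this example's assumptions.

```python
from dataclasses import dataclass


@dataclass
class Decision:
    user: str
    target: str      # group name or account id
    action: str      # "remove_group" or "disable_account"


class FakeDirectory:
    """Constructed in-memory stand-in for a directory/SCIM API, not a real client."""
    def __init__(self, groups, accounts, sync_managed=()):
        self.groups = {g: set(m) for g, m in groups.items()}
        self.accounts = dict(accounts)          # account id -> enabled?
        self.sync_managed = set(sync_managed)   # groups an upstream sync re-populates

    def remove_member(self, group, user):
        self.groups[group].discard(user)
        if group in self.sync_managed:          # simulates an authoritative sync re-adding the user
            self.groups[group].add(user)

    def disable_account(self, account):
        self.accounts[account] = False

    def is_member(self, group, user):
        return user in self.groups.get(group, set())

    def is_enabled(self, account):
        return self.accounts.get(account, False)


def remediate(decisions, directory):
    """Execute revoke decisions, then re-read the target (reconciliation) and record
    whether each removal actually took effect; failures are flagged for escalation."""
    evidence = []
    for d in decisions:
        if d.action == "remove_group":
            directory.remove_member(d.target, d.user)
            ok = not directory.is_member(d.target, d.user)
        elif d.action == "disable_account":
            directory.disable_account(d.target)
            ok = not directory.is_enabled(d.target)
        else:
            raise ValueError(f"unknown remediation action: {d.action}")
        evidence.append({"user": d.user, "target": d.target, "action": d.action,
                         "status": "confirmed" if ok else "failed", "escalate": not ok})
    return evidence
```

The returned evidence list is what goes into the campaign close-out package; any "failed" entry should block the campaign from being reported as complete.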

Certification Compliance Requirements

| Standard | Review Frequency | Evidence Requirements |
|---|---|---|
| SOX | At least annually for financial systems | Certification reports, remediation evidence |
| PCI DSS v4.0 | Every 6 months for cardholder data environments | Access review documentation, remediation action records |
| HIPAA | Periodically (no fixed frequency) for ePHI access | Review records, policy documentation |
| ISO 27001 | At planned intervals (typically annual) for user access | Review records, management approval |
| NIST SP 800-53 | At least annually or more frequently as needed | AC-2 account review documentation |

Key Takeaways

  • Access certifications are the primary mechanism for detecting and remediating privilege creep, orphan accounts, and excessive permissions — they reverse the natural accumulation of entitlements over time
  • Certification types include user access reviews (manager reviews team), application access reviews (owner reviews app access), role certifications, and privileged access reviews
  • The campaign lifecycle spans planning, initiation, reviewer completion, escalation, remediation, and close — each phase requires specific automation and governance
  • Reviewer fatigue is the #1 challenge — mitigate with risk-based review filtering, usage data augmentation, SoD flagging, and smart entitlement grouping
  • Automation rules (auto-certify unchanged items, flag unused access) reduce reviewer burden while maintaining control effectiveness
  • Compliance frameworks (SOX, PCI DSS, HIPAA, ISO 27001, NIST) mandate periodic access certification with specific review frequencies and evidence requirements