Audit & Compliance Manual

Access Reviews

Periodic access review execution, reviewer accountability, and the workflow that keeps sensitive access visible.

Audience: Security, identity, and audit teams
Focus: Access recertification and review cadence
Status: Public manual

Scope

Access reviews sit at the boundary between identity governance and compliance evidence. This guide keeps the review model and accountability guidance while leaving private implementation paths out.

Creating a Review Campaign

  1. Navigate to a compliance program
  2. Click “Access Reviews” or navigate to the relevant workflow
  3. Click “New Review”
  4. Set:
     • Name: Descriptive name (e.g., “Q1 2026 Privileged Access Review”)
     • Review Type: Privileged, Application, Manager, or Custom
     • Due Date: Optional deadline for completion

Importing Access Data

The review starts in draft status. Import your access snapshot:

  1. Prepare a CSV file with the following format:
  2. Click Import CSV in the header of the review detail page. The button is only visible while the review is in draft status — importing after decisions have been recorded would wipe them, so the workflow locks the import action once the review moves past draft.
  3. The review automatically advances to in_progress after a successful import.
  4. A snapshot hash is computed for audit integrity and a success toast reports the item count.

CSV Requirements

  • Optional column: manager_email
  • Email addresses must be in a valid format
  • No duplicate rows (same email + resource + entitlement)
  • Import is idempotent within the draft state only — re-importing replaces all items. Once the review moves to in_progress, the import button disappears and the snapshot is locked.
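The following Python is an added example, not Meridian's own code. It implements the CSV requirements listed above (valid e-mail syntax, no duplicate email + resource + entitlement rows, optional manager_email), computes a snapshot hash over the imported rows, and models the import rules the manual states: a CSV import is accepted in draft only and replaces all items, while a connector-style import (see the IdP connector section) is also accepted in in_progress and reports "no_change" when the snapshot hash has not changed. Two things are assumptions because the page does not state them: the required columns are email, resource and entitlement, and the snapshot hash is a SHA-256 over the canonical sorted rows.

```python
"""Access-snapshot CSV validation, snapshot hashing and import gating.

Added example, not Meridian's code. Assumed (not stated on the page):
required columns email, resource, entitlement; hash = SHA-256 over sorted rows.
"""
import csv
import hashlib
import io
import re

REQUIRED_COLUMNS = ("email", "resource", "entitlement")  # assumed column set
OPTIONAL_COLUMNS = ("manager_email",)
# Deliberately simple syntax check; use a stricter validator in production code.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class SnapshotError(ValueError):
    """Raised when the CSV content or the review state rejects an import."""


def parse_snapshot(csv_text):
    """Validate the CSV text and return canonical rows (list of dicts)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    header = reader.fieldnames or []
    missing = [c for c in REQUIRED_COLUMNS if c not in header]
    if missing:
        raise SnapshotError(f"missing columns: {missing}")
    unknown = [c for c in header if c not in REQUIRED_COLUMNS + OPTIONAL_COLUMNS]
    if unknown:
        raise SnapshotError(f"unknown columns: {unknown}")
    rows, seen = [], set()
    for line_no, raw in enumerate(reader, start=2):  # line 1 is the header
        email = (raw["email"] or "").strip().lower()
        if not EMAIL_RE.match(email):
            raise SnapshotError(f"line {line_no}: invalid email {raw['email']!r}")
        manager = (raw.get("manager_email") or "").strip().lower()
        if manager and not EMAIL_RE.match(manager):
            raise SnapshotError(f"line {line_no}: invalid manager_email {manager!r}")
        key = (email, (raw["resource"] or "").strip(), (raw["entitlement"] or "").strip())
        if not key[1] or not key[2]:
            raise SnapshotError(f"line {line_no}: resource and entitlement are required")
        if key in seen:  # duplicate = same email + resource + entitlement
            raise SnapshotError(f"line {line_no}: duplicate row {key}")
        seen.add(key)
        rows.append({"email": key[0], "resource": key[1], "entitlement": key[2],
                     "manager_email": manager or None})
    return rows


def snapshot_hash(rows):
    """SHA-256 over the sorted canonical rows, so row order does not change the hash."""
    digest = hashlib.sha256()
    for r in sorted(rows, key=lambda r: (r["email"], r["resource"], r["entitlement"])):
        digest.update(f"{r['email']}\t{r['resource']}\t{r['entitlement']}\n".encode("utf-8"))
    return digest.hexdigest()


class Review:
    """Minimal model of the review states the import rules refer to."""

    # CSV import: draft only. Connector import: draft or in_progress (per the manual).
    IMPORT_ALLOWED = {"csv": ("draft",), "connector": ("draft", "in_progress")}

    def __init__(self, name):
        self.name = name
        self.status = "draft"
        self.items = []
        self.snapshot_hash = None

    def import_snapshot(self, rows, source="csv"):
        if self.status not in self.IMPORT_ALLOWED[source]:
            raise SnapshotError(f"{source} import not allowed in status {self.status!r}; snapshot is locked")
        new_hash = snapshot_hash(rows)
        if new_hash == self.snapshot_hash:
            return {"status": "no_change", "item_count": len(self.items)}
        # Replace-all semantics: items from any previous import are discarded.
        self.items = [dict(r, decision=None) for r in rows]
        self.snapshot_hash = new_hash
        if self.status == "draft":
            self.status = "in_progress"
        return {"status": "imported", "item_count": len(self.items), "snapshot_hash": new_hash}

    def import_csv(self, csv_text):
        return self.import_snapshot(parse_snapshot(csv_text), source="csv")
```

Because the hash covers only the sorted email, resource and entitlement triples, a re-export of the same access data in a different row order yields the same hash, which is what makes the later "no_change" comparison useful as an integrity check rather than a byte comparison.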

Importing from an IdP Connector (WS-12.5)

Instead of CSV, reviews can be populated directly from an IdP connector (currently Okta):

  1. Ensure an Okta connector is configured and active in Settings > Connectors.
  2. Create or open a review in draft or in_progress status.
  3. Use the API to trigger a connector import:
  4. The endpoint pulls the current user-entitlement snapshot from Okta, creates review items, and resolves managers by email match against Meridian users.
  5. The review auto-advances to in_progress if it was in draft.

Scope Options

  • "all" — Every user in the Okta org with their group memberships and admin roles.
  • "privileged" — Only users holding admin role assignments.
  • "groups" — Users in specific groups. Pass "scope_value": "group1,group2" with comma-separated group ids or names.

Idempotent Re-Import

If the Okta data has not changed since the last import, the endpoint returns {"status": "no_change"} and does not create duplicate items.

Manager Resolution

The import resolves manager assignments by matching each user’s Okta manager email against Meridian users in the same tenant. Unresolved items are assigned to the operator who ran the import.

Limits

The connector import supports up to 10,000 users per snapshot. For larger organizations, narrow the scope with scope_kind='groups' or 'privileged'.
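As an added example (not Meridian's connector code), the Python below applies the three scope options to a constructed, Okta-like user snapshot, enforces the 10,000-user limit with the narrowing hint the manual gives, and resolves managers by case-insensitive email match against the tenant's users, falling back to the importing operator. It returns the item_count, managers_resolved and managers_unresolved counts described in the automated-review section. The user record shape is constructed for the example; the page does not show the connector's data model. Two further assumptions: the "privileged" scope emits every entitlement of a user holding an admin role, and the "groups" scope emits only memberships of the selected groups.

```python
"""Connector-style scoping, limit enforcement and manager resolution.

Added example, not Meridian's connector code. User records are a constructed
Okta-like shape: email, manager_email, groups [{id, name}], admin_roles [str].
"""
MAX_USERS = 10_000  # per-snapshot limit stated in the manual


class ScopeError(ValueError):
    """Bad scope arguments or a snapshot over the size limit."""


def select_users(users, scope_kind, wanted_groups=frozenset()):
    """Apply scope_kind = all | privileged | groups to the user list."""
    if scope_kind == "all":
        return list(users)
    if scope_kind == "privileged":
        return [u for u in users if u.get("admin_roles")]
    if scope_kind == "groups":
        return [u for u in users
                if any(g["id"] in wanted_groups or g["name"] in wanted_groups
                       for g in u.get("groups", []))]
    raise ScopeError(f"unknown scope_kind {scope_kind!r}")


def connector_import(users, tenant_user_emails, operator_email, scope_kind, scope_value=None):
    """Build review items from the scoped users and report the counts the API returns."""
    wanted = set()
    if scope_kind == "groups":
        wanted = {g.strip() for g in (scope_value or "").split(",") if g.strip()}
        if not wanted:
            raise ScopeError("scope_kind='groups' requires a comma-separated scope_value")
    selected = select_users(users, scope_kind, wanted)
    if len(selected) > MAX_USERS:
        raise ScopeError(f"{len(selected)} users exceed the {MAX_USERS}-user limit; "
                         "narrow the scope with scope_kind='groups' or 'privileged'")
    # Manager resolution: case-insensitive match against Meridian users in this tenant.
    directory = {e.lower() for e in tenant_user_emails}
    items, resolved, unresolved = [], 0, 0
    for u in selected:
        manager = (u.get("manager_email") or "").lower()
        has_manager = manager in directory
        reviewer = manager if has_manager else operator_email  # unresolved -> operator
        entitlements = []
        for g in u.get("groups", []):
            if scope_kind == "groups" and not (g["id"] in wanted or g["name"] in wanted):
                continue
            entitlements.append(("group", g["name"]))
        if scope_kind != "groups":
            entitlements.extend(("role", role) for role in u.get("admin_roles", []))
        for ent_type, ent_name in entitlements:
            items.append({"email": u["email"], "entitlement_type": ent_type,
                          "entitlement": ent_name, "reviewer": reviewer, "decision": None})
            if has_manager:
                resolved += 1
            else:
                unresolved += 1
    return {"status": "imported", "item_count": len(items),
            "managers_resolved": resolved, "managers_unresolved": unresolved, "items": items}


# Constructed sample data (not real accounts or Okta output).
SAMPLE_USERS = [
    {"email": "alice@example.com", "manager_email": "mona@example.com",
     "groups": [{"id": "g1", "name": "eng"}, {"id": "g2", "name": "prod-admins"}],
     "admin_roles": ["super-admin"]},
    {"email": "bob@example.com", "manager_email": "mona@example.com",
     "groups": [{"id": "g1", "name": "eng"}], "admin_roles": []},
    {"email": "carol@example.com", "manager_email": "nobody@example.com",
     "groups": [{"id": "g3", "name": "finance"}], "admin_roles": []},
]
SAMPLE_TENANT_USERS = {"Mona@example.com", "ops@example.com"}

if __name__ == "__main__":
    for kind, value in (("all", None), ("privileged", None), ("groups", "g1,finance")):
        r = connector_import(SAMPLE_USERS, SAMPLE_TENANT_USERS, "ops@example.com", kind, value)
        print(kind, r["item_count"], r["managers_resolved"], r["managers_unresolved"])
```

The limit check runs on the selected user count before any items are built, so an oversized org fails fast with the same advice the manual gives (narrow to groups or privileged) instead of producing a partial snapshot.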

Making Decisions

For each item in the review, record one of:

  • Approved: Access is appropriate, no action needed
  • Revoke: Access should be removed
  • Not Applicable: Out of scope (e.g., service account, excluded by policy)

Click “Decide” next to an item to open the decision panel. You can optionally add a reason.

All items must have a decision before the review can be submitted.

Submitting the Review

When all decisions are recorded:

  1. Click “→ submitted” to submit the review
  2. An evidence artifact is automatically generated containing the full decision log
  3. The snapshot hash ties the decisions to the original import for audit integrity

After Submission

  1. Execute any “Revoke” decisions in the actual systems
  2. Once all revocations are confirmed, click “→ closed”

Exporting Evidence

requests in any other state). The export contains:

  • Review metadata (id, name, type, status, snapshot hash, started/completed timestamps, evidence id)
  • Decision summary statistics (total, pending, approved, revoke, not_applicable)
  • Full item-by-item decision log with subject email, resource, entitlement, decision, reason, deciding user, and decision timestamp

The file is delivered as a browser download with the filename provided to auditors as evidence of access reviews.
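The Python below is an added example, not Meridian's own code, covering the three steps from decision to close-out: it refuses submission while any item is undecided, builds an evidence artifact with the metadata, summary statistics and item-by-item decision log listed above, and blocks the move to "closed" until every Revoke decision has been confirmed as executed in the target system. The snapshot hash is carried over from the import as an opaque value. One assumption not on the page: the evidence id is computed as a SHA-256 of the canonical JSON artifact, so an auditor can re-check that an exported file matches the id recorded at submission.

```python
"""Submission gate, evidence artifact and close-out checks.

Added example, not Meridian's code. Assumed: evidence_id = SHA-256 of the
canonical JSON artifact (the page lists the field but not how it is derived).
"""
import hashlib
import json
from datetime import datetime, timezone

DECISIONS = ("approved", "revoke", "not_applicable")


class WorkflowError(ValueError):
    """A state transition was attempted before its preconditions held."""


def decide(item, decision, decided_by, reason=None, decided_at=None):
    """Record one decision on a review item; the reason is optional."""
    if decision not in DECISIONS:
        raise WorkflowError(f"unknown decision {decision!r}; expected one of {DECISIONS}")
    item.update(decision=decision, reason=reason, decided_by=decided_by,
                decided_at=decided_at or datetime.now(timezone.utc).isoformat())
    return item


def summarize(items):
    """Decision summary statistics in the shape the export lists."""
    stats = {"total": len(items), "pending": 0, "approved": 0, "revoke": 0, "not_applicable": 0}
    for it in items:
        stats[it.get("decision") or "pending"] += 1
    return stats


def _digest(body):
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


def build_evidence(review, completed_at):
    """Metadata + summary + full decision log; refuses while any item is pending."""
    stats = summarize(review["items"])
    if stats["pending"]:
        raise WorkflowError(f"{stats['pending']} item(s) still undecided; submission blocked")
    fields = ("email", "resource", "entitlement", "decision", "reason", "decided_by", "decided_at")
    body = {
        "review": {"id": review["id"], "name": review["name"], "type": review["type"],
                   "status": "submitted", "snapshot_hash": review["snapshot_hash"],
                   "started_at": review["started_at"], "completed_at": completed_at},
        "summary": stats,
        "decisions": [{k: it.get(k) for k in fields} for it in review["items"]],
    }
    body["review"]["evidence_id"] = _digest(body)  # assumed derivation
    return body


def verify_evidence(evidence):
    """Auditor-side check: the evidence id must match the artifact's contents."""
    meta = {k: v for k, v in evidence["review"].items() if k != "evidence_id"}
    return _digest(dict(evidence, review=meta)) == evidence["review"].get("evidence_id")


def submit(review, completed_at):
    if review["status"] != "in_progress":
        raise WorkflowError(f"cannot submit from status {review['status']!r}")
    evidence = build_evidence(review, completed_at)
    review["status"] = "submitted"
    review["evidence"] = evidence
    return evidence


def close(review, confirmed_revocations):
    """confirmed_revocations: set of (email, resource, entitlement) executed in the systems."""
    if review["status"] != "submitted":
        raise WorkflowError(f"cannot close from status {review['status']!r}")
    outstanding = [(it["email"], it["resource"], it["entitlement"]) for it in review["items"]
                   if it.get("decision") == "revoke"
                   and (it["email"], it["resource"], it["entitlement"]) not in confirmed_revocations]
    if outstanding:
        raise WorkflowError(f"{len(outstanding)} revocation(s) not yet confirmed: {outstanding}")
    review["status"] = "closed"
    return review["status"]


def sample_review():
    """Constructed sample review (not real data) in the in_progress state."""
    items = [{"email": "alice@example.com", "resource": "prod-db", "entitlement": "admin"},
             {"email": "bob@example.com", "resource": "prod-db", "entitlement": "read"}]
    return {"id": "rev-1", "name": "Q1 2026 Privileged Access Review", "type": "privileged",
            "status": "in_progress", "snapshot_hash": "a" * 64,
            "started_at": "2026-01-05T09:00:00+00:00", "items": items}
```

Keeping the evidence id outside the hashed body, and verifying by recomputing over everything else, means any edit to a decision, reason or timestamp after submission changes the id, which is the property the snapshot hash plus evidence id are meant to give auditors.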

Running an Automated Access Review (WS-12)

Automated access reviews pull user-entitlement data directly from an IdP connector (currently Okta) instead of a CSV file. This eliminates the manual data extraction step and ensures the review reflects the current state of the identity provider.

Prerequisites

  • An active Okta connector configured in Connectors (see manual/idp-connector.md).
  • A compliance program with an access review in draft or in_progress status.

Step-by-Step

  1. Create the review. Navigate to the program’s Access Reviews page, click New Review, and set the name, type, and optional due date.

  2. Trigger the connector import. Use the API:

  3. Review the import results. The response includes:
     • item_count — total review items created.
     • managers_resolved — items successfully routed to a manager.
     • managers_unresolved — items assigned to you (the importing operator) because the manager email did not match a Meridian user.

  4. Make decisions. The review auto-advances to in_progress. Each item shows the user’s email, the entitlement type (group or role), and the entitlement name. Decide: Approved, Revoke, or Not Applicable.

  5. Submit and close. Same as the manual flow — all items must have decisions before submission.

Re-Importing

If you need to refresh the data (e.g., users were added to Okta since the last import), re-run the import endpoint. If the Okta data has not changed, the endpoint returns {"status": "no_change"} and no duplicate items are created.

Manager Review Queue

Items routed to a manager appear in their review queue. Managers can approve or revoke items assigned to them. Items without a resolved manager go to the campaign creator (the operator who ran the import).

Limits

The connector import supports up to 10,000 users per snapshot. For larger organizations, narrow the scope or split into multiple review campaigns.