User Access Reviews

Marina Rogachov

Overview

Regular user access reviews are an essential part of SaaS management. They help organizations ensure that only the right people have access to the right applications—reducing security risk, minimizing excessive permissions, and meeting compliance requirements such as SOC 2, ISO 27001, and HIPAA.

Torii supports easy end-to-end management of user access reviews by representing the process in a centralized, intuitive way. Whether you're managing dozens or hundreds of apps, Torii helps you assign reviewers, track decisions, and document results in a consistent, audit-friendly format. Instead of managing reviews in disconnected spreadsheets, teams can collaborate directly in Torii to streamline operations and ensure complete visibility.

Available for customers on the Enterprise plan.

 

Benefits

Streamlined & Auditable: Replace manual spreadsheets with a built-in, end-to-end access review process.

Data-Backed Decisions: Leverage usage insights, SSO, and HRMS data, as well as Torii recommendations, to inform reviewer actions.

Integrated & Flexible: Launch reviews across integrated and non-integrated apps, covering all user accounts.

Collaborative: Assign multiple reviewers to each app, decentralizing the process to app or account owners.

Audit-Ready & Shareable: Submit and export reviews as shareable reports, perfect for compliance.

 

How It Works

General

Torii’s access reviews are designed to support both IT administrators and app owners with distinct, user-friendly capabilities.

For IT Admins:

  • Launch and assign access reviews from the Security > Access Reviews tab

  • Monitor review progress across multiple applications

  • Download and distribute completed access review reports for compliance purposes

For App Owners and Reviewers:

  • Receive email notifications when assigned to a review 

  • Conduct the review directly in Torii using a clear, guided interface

  • Leverage app usage insights and Torii-generated recommendations to make informed decisions

  • Add comments to explain your decisions or flag additional context

  • Submit the review when all users have been evaluated

This structured approach helps distribute responsibility while ensuring a consistent, trackable process across your organization.

 

Prerequisites

  • Fresh user data. Connect integrations for the apps you need to review, or upload user files to populate the user list for non-integrated apps. Note that for non-integrated apps that are fully managed by app owners or other stakeholders, Torii will guide the reviewer to upload a user file first.

  • Permissions. If you want to assign reviewers who are not app owners, ensure they have the "Access Reviews - Take Action" scope. Note that users with the Take Action scope have access to all reviews, whether or not they have been assigned as a reviewer. App owners' access is limited to the apps they own.

  • App owners access. If you assign reviews to app owners, ensure that app owners have access to Torii. Read more about how to give app owners access here.

 

How to Launch an Access Review

As an IT admin, you can initiate access reviews for one or more applications directly from the Torii platform. Follow these steps to get started:

  1. Go to the Access Reviews tab

    Navigate to the Security page and open the Access Reviews tab.

  2. Click “Launch Access Review”

    Select the applications you want to review and assign one or more reviewers. You can assign specific users or use a dynamic field such as App Owner.

    Note: If an application already has an active review in “To Do” or “In Progress” status, it cannot be selected again until the current review is completed.

  3. Reviewers are notified

    Once the review is launched, reviewers receive an email notification for each assigned app. These are sent separately per application.

  4. Monitor progress

    After launching, you can track the progress of all reviews from the Access Reviews page. You’ll see which reviews have been started, their status, and completion timestamps.

💡 Tip: You can launch reviews for multiple apps in one go by selecting them together in the “Launch” popup. Each access review will be created as a separate record and managed individually.

 

 

How to Conduct a Review

Starting a Review

App owners and reviewers with the appropriate permission scope can start an access review in one of the following ways:

  • By clicking the “Start review” button in the email notification

  • By clicking the link in the notification banner that appears at the top of the application page

  • Directly from the Access Reviews tab (available to users with the “Access Reviews – Take Action” permission scope)

Step 1 – Preview the User List

Before proceeding to the main review page, Torii automatically checks the quality and freshness of the app’s user data. This step ensures that decisions are based on reliable information.

To pass the check, the data must:

  • Originate from a connected integration or be uploaded via a user file

  • Be synced or uploaded recently

If the data is outdated or incomplete, Torii will display an error message and disable the “Continue” button until the issue is resolved.

💡 Tip: Even if the system marks the data as valid (green), verify the user count matches your expectations. If needed, re-sync the integration or upload a fresh user file. Keep in mind—once you proceed, the user list becomes fixed and cannot be updated during the review.

 

Step 2 – Review Users

Once the data passes the check, reviewers can proceed to the main user review page.

Here, they can:

  • View and customize the user list
    The user list reflects a fixed snapshot from the date the review was started. You can add columns to display user attributes relevant to your review, such as department or license type. Offboarded users are flagged with badges for quick identification.

💡 Tip: Add the “Is past user” column to easily spot users whose status in the employee source of truth system indicates they’ve left the company. These are strong candidates for access revocation.

  • Approve or reject access for individual users or groups

    You can make decisions on a per-user basis using the dropdown in the Review Status column to mark each user as Approved or Rejected.

    For quicker bulk actions, use the Approve All in View or Reject All in View buttons located above the table. These buttons will apply your selected action to all users currently visible in the filtered view.

    💡 Tip: Use filters to efficiently review and take action on specific user segments.
    For example, when reviewing access to the Salesforce app, you may decide to approve only users in the Sales department:

    • Apply the Department = Sales filter.

    • Click Approve All in View to approve all Sales users.

    • Then, either:

      • Remove the filter and manually reject remaining users, or

      • Change the filter to Department ≠ Sales and click Reject All in View to reject the rest in bulk.

    This approach saves time and ensures your reviews are both accurate and audit-friendly.

  • Leverage Torii recommendations
    Torii suggests whether to approve or reject user access, based on inactivity or HR signals, to help you make informed, consistent decisions.

  • Add comments for documentation
    Use the Comment field to explain decisions or document manual actions.

    💡 Tip: If you manually revoke a user’s access in the app’s admin console, make sure to note this in the comment field for audit purposes.

  • Track review progress
    A progress bar at the bottom of the screen helps you track how many users have been reviewed.

Step 3 – Submit the Review

After all users have been reviewed:

  • Click Submit to finalize the review

  • Once submitted, the review status will update to Completed in the Access Reviews tab

  • A downloadable CSV report will be created and saved for reference or sharing
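
Because rejected access is removed manually and documented in the comments, the exported CSV report can be checked for rejected users with no documented removal and for past users who were approved. The Python script below is an added example, not Torii's own code; the column headers (Email, Review Status, Comment, Is past user) and the sample rows are assumptions modelled on the UI labels in this article, so match them to your actual export.

```python
import csv
import io

# Column headers are ASSUMPTIONS based on the UI labels in this article;
# match them to the headers in your actual export before use.
COL_USER = "Email"
COL_STATUS = "Review Status"
COL_COMMENT = "Comment"
COL_PAST = "Is past user"

# Constructed sample rows for illustration, not a real export.
SAMPLE_REPORT = """\
Email,Department,Is past user,Review Status,Comment
alice@example.com,Sales,No,Approved,
bob@example.com,Finance,No,Rejected,Revoked in admin console 2024-05-02
carol@example.com,Sales,Yes,Approved,
dave@example.com,Marketing,No,Rejected,
erin@example.com,Sales,No,,
"""

def audit_review(report_file):
    """Return follow-up items found in a submitted review export."""
    reader = csv.DictReader(report_file)
    missing = {COL_USER, COL_STATUS, COL_COMMENT, COL_PAST} - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"export lacks expected columns: {sorted(missing)}")
    findings = {"rejected_undocumented": [], "past_user_approved": [], "undecided": []}
    for row in reader:
        user = (row.get(COL_USER) or "").strip()
        status = (row.get(COL_STATUS) or "").strip().lower()
        comment = (row.get(COL_COMMENT) or "").strip()
        is_past = (row.get(COL_PAST) or "").strip().lower() in {"yes", "true", "1"}
        if status == "rejected" and not comment:
            findings["rejected_undocumented"].append(user)  # removal not documented
        elif status == "approved" and is_past:
            findings["past_user_approved"].append(user)  # left the company, still approved
        elif status not in {"approved", "rejected"}:
            findings["undecided"].append(user)  # no decision recorded
    return findings

if __name__ == "__main__":
    for category, users in audit_review(io.StringIO(SAMPLE_REPORT)).items():
        print(f"{category}: {', '.join(users) or 'none'}")
```

Each non-empty category is a follow-up item to resolve with the reviewer before the report is handed to auditors.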

 

Best Practices

To get the most value from Torii's Access Reviews feature, consider implementing the following best practices:

  • Conduct reviews regularly
    Run access reviews at least quarterly for high-risk, high-cost, or sensitive applications.

  • Delegate to app owners
    Use custom fields (e.g., App Owner) to assign reviews to the most knowledgeable stakeholders and decentralize responsibility.

  • Establish clear ownership
    Identify and assign the right app owners or department leads early in the review process to avoid delays.

  • Prepare reviewers in advance
    Brief reviewers on expectations and data interpretation guidelines to ensure a smooth and consistent review process.

  • Ensure data accuracy before launch
    Sync integrations or upload updated user files to ensure reviewers are working with the most complete and current data.

  • Encourage context in comments
    When rejecting access, reviewers should document their rationale in the comment field to support future audits.

  • Log manual removals
    If access is revoked directly in the app, reviewers should record the action in the comments field for traceability.

  • Monitor review progress
    Use the Access Reviews tab to track which reviews are in progress, completed, or pending, and follow up as needed.

  • Standardize your review cadence
    Document your review schedule (e.g., quarterly or before compliance audits) and align it with internal security and audit workflows.

 

FAQs

Q: Can I launch reviews for apps with multiple accounts?
A: Yes. Torii includes users from all integrated accounts in one consolidated review.

Q: Can I launch reviews for non-integrated apps?
A: Yes. Reviewers will be prompted to upload a current user list before proceeding.

Q: Can I assign different reviewers to different accounts within the same app?
A: Not yet. However, you can assign multiple reviewers to the same app and ask each to focus on specific accounts.

Q: Can I cancel a review after it’s been launched?
A: Yes. Admins can delete a review from the Access Reviews page. Note that if a review is deleted, all the data will be lost.

Q: Will Torii automatically revoke rejected access?
A: Not yet. Today, removal must be done manually in the app and documented in the comments. Support for automation is planned for later.

Q: What happens if integrations break or user lists change mid-review?
A: The review will be marked as Error and cannot be completed. A new review should be launched.

Q: Can reviewers access reports later?
A: Yes. Completed reviews remain available in the Access Reviews tab and can be exported anytime.

Q: Do reviewers need to complete a review in one sitting?
A: No. Reviewers can start a review, close it at any time, and return later to resume where they left off. All progress is automatically saved.

 

 
