User Access Reviews

Marina Rogachov
Torii Identity

Overview

Regular user access reviews are an essential part of SaaS management. They help organizations ensure that only the right people have access to the right applications—reducing security risk, minimizing excessive permissions, and meeting compliance requirements such as SOC 2, ISO 27001, and HIPAA.

Torii supports easy end-to-end management of user access reviews by representing the process in a centralized, intuitive way. Whether you're managing dozens or hundreds of apps, Torii helps you assign reviewers, track decisions, and document results in a consistent, audit-friendly format. Instead of managing reviews in disconnected spreadsheets, teams can collaborate directly in Torii to streamline operations and ensure complete visibility.

Available for customers on the Enterprise plan.

 

Benefits

Streamlined & Auditable: Replace manual spreadsheets with a built-in, end-to-end access review process.

Data-Backed Decisions: Leverage usage insights, SSO, and HRMS data, as well as Torii recommendations, to inform reviewer actions.

Integrated & Flexible: Launch reviews across integrated and non-integrated apps, covering all user accounts.

Collaborative: Assign multiple reviewers to each app, decentralizing the process to app or account owners.

Audit-Ready & Shareable: Submit and export reviews as shareable reports, perfect for compliance.

 

How It Works

General

Torii’s access reviews are designed to support both IT administrators and app owners with distinct, user-friendly capabilities.

For IT Admins:

  • Launch and assign access review campaigns from the Access Reviews page
  • Monitor campaign progress 
  • Download and distribute completed campaign reports for compliance purposes

 

For App Owners and Reviewers:

  • Receive notifications when assigned to a review 
  • Conduct the review directly in Torii using a clear, guided interface
  • Leverage app usage insights and Torii-generated recommendations to make informed decisions
  • Add comments to explain your decisions or flag additional context
  • Submit the review when all users have been evaluated

This structured approach helps distribute responsibility while ensuring a consistent, trackable process across your organization.

 

Prerequisites

  • Fresh user data. Connect integrations for the apps you need to review, or upload user files to populate the user list for non-integrated apps. Please note that for non-integrated apps that are fully managed by app owners or other stakeholders, Torii will guide the reviewer to upload a user file first.
  • Permissions. If you want to assign reviewers who are Torii members, ensure they have the "Access Reviews - Take Action" scope. Please note that users with the Take Action scope have access to all reviews, regardless of whether they have been assigned as a reviewer.

 

How to Launch an Access Review Campaign

Access review campaigns allow IT admins to launch, group, and track access reviews across multiple applications in a single, structured process. Campaigns can be scheduled, making them ideal for compliance cycles such as quarterly audits.

Follow these steps to get started:

  1. Go to the Access Reviews page

  2. Click “Create campaign”

    This opens the campaign creation wizard, which includes three setup steps:

    Step 1: App Selection

    Use filters to define which applications should be included in the campaign. For example, you might filter for apps that are Sanctioned and have more than 10 users.

    A live preview of matching applications will appear below the filter.

    Step 2: User Scope Selection

    Use filters to define which users will be reviewed for the selected apps. All users are selected by default, but you can narrow the scope to users with privileged access or any custom user group.

    If Users with privileged access is selected, users whose role in the app contains “Admin” will be included in the review.

    If Users that match specific filter criteria is selected, you can use user filters to define the exact user segment. Note that app-specific user fields (such as role, license, status, usage, etc.) appear in the advanced user filters only after an App name filter is applied in the “Select applications” stage. For example, if you select App name = Salesforce, you’ll be able to filter users by Salesforce-specific attributes, such as profiles or roles.

    Generic user fields (such as user type, past user status, Hibob department, etc.) are always available when defining the user scope.

    Step 3: Review and Remediation Assignment

    Assign reviewers to the apps. You can choose specific individuals or use dynamic fields like App Owner to auto-assign based on app metadata.

    Assign remediation owners. These stakeholders will be responsible for removing or downgrading access for users whose access was rejected during the review.

    You can assign the same person to handle both review and remediation, or different owners — depending on your organization’s policy. In most cases, app owners act as reviewers, while IT team members are assigned as remediation owners.

    Step 4: Schedule the Campaign

    Choose whether to launch the campaign immediately or schedule it for a future date. Set the campaign duration to help track progress and upcoming deadlines.

    You can mark the campaign as recurring, and Torii will automatically relaunch it based on the schedule you define.

    🔍 Note: For scheduled and recurring campaigns, the application filter is applied at the time of launch. For example, if you create a recurring quarterly campaign and choose to review sanctioned apps only, Torii will reevaluate the list of sanctioned apps before each launch. This ensures that any newly sanctioned apps added since the previous run are included in the campaign.

    If no apps match the selected application filter when the campaign is launched, the campaign occurrence will be skipped and added to the Archived campaigns tab with an indication that no apps matched the filter.

  3. Click “Create Campaign” and Close the Wizard

    If you chose to launch immediately, access reviews will be created for all apps matching the filter, and the campaign will appear in the Active tab.

    If scheduled, the campaign will appear in the Scheduled tab and will launch automatically at the selected date and time.

    🔍 Note: App filters are applied at the time of campaign launch, not at creation. This ensures that the reviews reflect your most current app environment.

    ✏️ You can edit or delete scheduled campaigns, but once a campaign becomes active, it is locked and cannot be modified.

  4. Reviewers are notified

    Once the campaign is launched, reviewers receive notifications for their assigned reviews via email, Slack or Teams, based on the configured Task settings. Assignees also receive automated reminders for incomplete reviews.

  5. Monitor progress

    Use the Active, Scheduled, Completed, and Archived tabs to track campaigns throughout their lifecycle.

    After a campaign is launched, you can monitor its progress from the Access Reviews > Active tab.

    Each campaign displays a completion summary, showing how many reviews have been completed out of the total.

    Click on a campaign to drill into its details, where you can see:

      1. Which app reviews have been started

      2. Which are still pending

      3. Which have been completed

    This view gives you full visibility into campaign status and helps you follow up with reviewers if needed.

[Screenshot: Main page]

[Screenshot: Active campaign page]

How to Conduct a Review

Starting a Review

App owners with access to Torii and Torii members with the appropriate permission scope can start an access review in one of the following ways:

  • By clicking the “Start review” button in the notification

  • Directly from the Access Reviews tab (available to users with the “Access Reviews – Take Action” permission scope)

Reviewers who do not have access to the Torii platform will be redirected from the notification to the Torii Employee Portal, where they can see their assigned tasks. Access review tasks can be completed directly in the portal.

 

Step 1 – Preview the User List

Before proceeding to the main review page, Torii automatically checks the quality and freshness of the app’s user data. This step ensures that decisions are based on reliable information.

To pass the check, the data must:

  • Originate from a connected integration or be uploaded via a user file

  • Be synced or uploaded recently

If the data is outdated or incomplete, Torii will display an error message and disable the “Continue” button until the issue is resolved.

💡 Tip: Even if the system marks the data as valid (green), verify the user count matches your expectations. If needed, re-sync the integration or upload a fresh user file. Keep in mind—once you proceed, the user list becomes fixed and cannot be updated during the review.

💡 Tip: For non-integrated apps, Torii may still allow you to proceed if you are confident that the user list captured from indirect sources (such as SSO or the browser extension) is accurate. We still recommend uploading an up-to-date user list, since critical details like user roles are only available when data is synced or uploaded and will not be included otherwise.

 

Step 2 – Review User Access

Once the data passes the check, reviewers can proceed to the main user review page.

Here, they can:

  • View and customize the user list
    The user list reflects a fixed snapshot from the date the review was started. You can add additional columns to display user attributes relevant to your review, such as department or license type. Offboarded users are flagged with badges for quick identification.

💡 Tip: Add the “Is past user” column to easily spot users whose status in the employee source of truth system indicates they’ve left the company. These are strong candidates for access revocation.

  • Approve or reject access for individual users or groups

    You can make decisions on a per-user basis using the dropdown in the Review Status column to mark each user as Approved or Rejected.

    For quicker bulk actions, use the Approve All in View or Reject All in View buttons located above the table. These buttons will apply your selected action to all users currently visible in the filtered view.

    💡 Tip: Use filters to efficiently review and take action on specific user segments.
    For example, when reviewing access to the Salesforce app, you may decide to approve only users in the Sales department:

    • Apply the Department = Sales filter.

    • Click Approve All in View to approve all Sales users.

    • Then, either:

      • Remove the filter and manually reject remaining users, or

      • Change the filter to Department ≠ Sales and click Reject All in View to reject the rest in bulk.

    This approach saves time and ensures your reviews are both accurate and audit-friendly.

  • Leverage Torii recommendations
    Torii suggests whether to approve or reject user access, based on inactivity or HR signals, to help you make informed, consistent decisions.

  • Add comments for documentation
    Use the Comment field to explain decisions or document manual actions.

    💡 Tip: If you manually revoke a user’s access in the app’s admin console, make sure to note this in the comment field for audit purposes.

  • Track review progress
    A progress bar at the bottom of the screen helps you track how many users have been reviewed.

Step 3 – Complete the Report and Submit the Review

After you finish reviewing all users and sign off on the review, Torii will open a remediation task, assigned to the remediation owner, to verify that access has been revoked for rejected users.

Verification process:

  • For integrated apps, Torii will resync accounts and check whether rejected users’ statuses have changed to Inactive or No longer in app.

  • For manually imported accounts, Torii will wait for you to upload a new file with the updated user list. It will then verify that rejected users either have a new status indicating that they have no access or have been removed from the list.

  • If any rejected users remain Active, they will appear at the top of the User list and be flagged as “Action required.”

Next steps by account type:

  • Integrated apps → You will be prompted to remove the rejected users from the app and resync the integration.

  • Manually imported accounts → You will need to upload the updated user list. Make sure that users whose access was removed have an updated user status or are removed from the list.
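
A pre-upload check in the spirit of the verification described above, as an added example that is not Torii code: it cross-checks the rejected users from a review export against a refreshed user list, fails closed on unknown statuses, and lists privileged accounts (role contains "Admin") first. The CSV column names (`email`, `decision`, `role`, `status`) and all sample rows are assumptions constructed for illustration, not Torii's export schema.

```python
import csv
import io

# Constructed sample data. Column names (email, decision, role, status) are
# assumptions for this example, not a documented export schema.
REVIEW_CSV = """email,decision,role,comment
alice@example.com,Approved,Sales Admin,
bob@example.com,Rejected,User,left the Sales team
carol@example.com,Rejected,Workspace Admin,offboarded
dave@example.com,Rejected,User,duplicate account
erin@example.com,Rejected,User,no longer needs access
"""

UPDATED_USERS_CSV = """email,status
alice@example.com,Active
bob@example.com,Inactive
Carol@Example.com,Active
erin@example.com,Suspended
"""

# Status names the page treats as "access removed"; anything else fails closed.
REVOKED_STATUSES = {"inactive", "no longer in app"}

def load(text, key="email"):
    """Index CSV rows by normalized (trimmed, lower-cased) e-mail address."""
    rows = csv.DictReader(io.StringIO(text))
    return {row[key].strip().lower(): row for row in rows}

def verify_remediation(review_csv, updated_users_csv):
    """Classify every rejected user against the refreshed user list."""
    current = load(updated_users_csv)
    result = {"action_required": [], "revoked": []}
    for email, row in load(review_csv).items():
        if row["decision"].strip().lower() != "rejected":
            continue
        user = current.get(email)
        # Revoked only if removed from the list or in a known revoked status.
        revoked = user is None or user["status"].strip().lower() in REVOKED_STATUSES
        entry = {"email": email, "privileged": "admin" in row["role"].lower()}
        result["revoked" if revoked else "action_required"].append(entry)
    # Privileged accounts first, so the riskiest leftovers are handled first.
    result["action_required"].sort(key=lambda e: (not e["privileged"], e["email"]))
    return result

if __name__ == "__main__":
    report = verify_remediation(REVIEW_CSV, UPDATED_USERS_CSV)
    for entry in report["action_required"]:
        print("ACTION REQUIRED:", entry)
```

The e-mail normalization matters for manually maintained files: a rejected user who reappears with different letter casing would otherwise look "removed from the list" while still holding access.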

Submitting the report

Once all rejected users are marked Inactive or No longer in app, the banner at the top of the list will turn green, and you will be prompted to submit the report.

  • Click Submit to finalize the review

  • Once submitted, the review status will update to Completed in the Campaign page

  • A downloadable CSV report will be created and saved for reference or sharing. You can also easily share it with other stakeholders via email or Slack by clicking the "Share" button.

  • Once a campaign is completed, its report can be downloaded or shared as a ZIP file. The ZIP folder includes detailed CSV files for all access reviews conducted within the campaign, making it easy to store or share for audit and compliance purposes.
 

Best Practices

To get the most value from Torii's Access Reviews feature, consider implementing the following best practices:

  • Conduct reviews regularly
    Run access reviews at least quarterly for high-risk, high-cost, or sensitive applications.

  • Delegate to app owners
    Use custom fields (e.g., App Owner) to assign reviews to the most knowledgeable stakeholders and decentralize responsibility.

  • Establish clear ownership
    Identify and assign the right app owners or department leads early in the review process to avoid delays.

  • Prepare reviewers in advance
    Brief reviewers on expectations and data interpretation guidelines to ensure a smooth and consistent review process.

  • Ensure data accuracy before launch
    Sync integrations or upload updated user files to ensure reviewers are working with the most complete and current data.

  • Encourage context in comments
    When rejecting access, reviewers should document their rationale in the comment field to support future audits.

  • Log manual removals
    If access is revoked directly in the app, reviewers should record the action in the comments field for traceability.

  • Monitor review progress
    Use the Access Reviews tab to track which reviews are in progress, completed, or pending, and follow up as needed.

  • Standardize your review cadence
    Document your review schedule (e.g., quarterly or before compliance audits) and align it with internal security and audit workflows.

 

FAQs

Q: Can I launch reviews for apps with multiple accounts?
A: Yes. Torii includes users from all integrated accounts in one consolidated review.

Q: Can I launch reviews for non-integrated apps?
A: Yes. Reviewers will be prompted to upload a current user list before proceeding.

Q: Can I assign different reviewers to different accounts within the same app?
A: Not yet. However, you can assign multiple reviewers to the same app and ask each to focus on specific accounts.

Q: Can I cancel a review after it’s been launched?
A: Yes. Admins can cancel a review from the dedicated campaign page. The cancelled review will be moved to the Cancelled tab.

Q: Will Torii send reminders or escalations when the campaign deadline date is getting close?
A: Torii will send reminders based on the frequency configured in Task settings. The campaign deadline will currently be used for monitoring only. 

Q: Will Torii automatically revoke rejected access?
A: Not yet. Today, removal must be done manually in the app and documented in the comments. Automation is planned to be supported later.

Q: What happens if integrations break or user lists change mid-review?
A: The review will be marked as Error and cannot be completed. A new review should be launched.

Q: Can reviewers access reports later?
A: Yes. Completed campaigns remain available under the Completed tab and their reports can be exported anytime.

Q: Do reviewers need to complete a review in one sitting?
A: No. Reviewers can start a review, close it at any time, and return later to resume where they left off. All progress is automatically saved.

 

 
