Automatically remediating access policy deviations

Uri Hershkovitz
Torii Identity

Overview

This article explains Torii's automatic remediation capability for Access Governance: what it does, how to turn it on, how Torii fixes deviations, and how to review the actions it has taken.

It assumes you're already using Torii's Access Governance feature and have governance policies set up. If you're new to the feature, start with What is Access Governance? and Configuring and monitoring access governance policies.

Classic Access Governance is about detecting deviations and motivating the right people to fix them. Torii goes a step further by introducing automatic remediation to close the loop: Torii treats each user's intended access (as defined by your policies) as the source of truth and can automatically reconcile a user's actual access back to that intended state — with no manual effort.


What is automatic remediation?

When a policy is monitored and Torii finds that a user's access doesn't match the policy, a policy deviation is created. Automatic remediation lets Torii fix that deviation on its own by changing the user's access in the app so it matches what your policies say it should be.

Torii always chooses the least-intrusive action that resolves the deviation. If it can't safely determine an action, or the action fails, it falls back to opening a task for the app owner instead — so nothing is left unresolved.


Remediation levels

Torii offers three levels of remediation. The remediation level controls what Torii does when a deviation is detected.

None (default)
Torii detects deviations and sends alerts, but takes no further action. This is the baseline behavior for discovered deviations.

Open Task
In addition to alerting, Torii opens a Policy Deviation task assigned to the relevant app owner, asking them to fix the deviation.

Automatic Remediation
Torii first attempts to fix the deviation automatically by adjusting the user's access to match policy. If Torii can't find a valid action or the action fails, it falls back to the Open Task behavior and opens a task instead.


How Torii remediates deviations

What Torii does depends on the type of deviation (the Access Issue):

Missing access — the user should have birthright access but doesn't. Torii grants the missing access at the expected role.

Role mismatch — the user has access at the wrong level. Torii updates the user's role to the expected role.

Unauthorized access — the user has access they shouldn't have. Torii removes the user's access. Where the app supports more than one way to do this, Torii picks the lowest-impact option (for example, suspending or deactivating an account rather than deleting it).

In all cases, if Torii can't complete the change automatically, it falls back to opening a Policy Deviation task.


What happens when a user has more than one expected role?

A user who is out of policy may actually be eligible for more than one role — usually because they belong to multiple groups that allow different access levels for the same app. In that case, Torii decides which role to set based on the order of the rules in the policy: it applies the first matching rule, reading top to bottom.

Example: a user has the Admin role, which is out of policy. Their expected roles are Editor and Member.

  • If the policy rules are ordered Admin → Editor → Member, the user is downgraded to Editor.
  • If the rules are ordered Member → Admin → Editor, the user is downgraded to Member.

Because rule order determines the outcome, it's worth ordering your rules deliberately when you enable automatic remediation. You can reorder rules on the policy creation/edit screen.

Note: rule order only matters when Torii remediates a deviation. When deciding whether a deviation exists at all, Torii takes every rule into account regardless of order.
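The decision logic described in "How Torii remediates deviations" and in this section can be modelled in a few dozen lines. The following is an added example written for this page, not Torii's own code: it assumes a policy is an ordered list of group-to-role rules, that an app integration advertises which operations it supports (the `app_actions` set, a constructed stand-in for whatever the real integration exposes), and it uses hypothetical names (`Rule`, `User`, `classify`, `plan_remediation`, `task_assignee`). It shows detection consulting every rule, remediation picking the first matching rule top to bottom, the least-intrusive removal being chosen, and the fall back to a Policy Deviation task when no valid action exists.

```python
from dataclasses import dataclass
from typing import Optional

# Assumption for this example: one rule maps a directory/IdP group to the role
# it entitles in the app. Rules are kept in the order shown in the policy editor.
@dataclass(frozen=True)
class Rule:
    group: str
    role: str

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset
    actual_role: Optional[str]      # None means the user has no access in the app
    in_grace_period: bool = False

# Lowest-impact removal first: suspend or deactivate rather than delete.
REMOVAL_PREFERENCE = ("suspend", "deactivate", "delete")

def expected_roles(user: User, rules) -> list:
    """Roles the user is eligible for, listed in policy rule order (top to bottom)."""
    return [r.role for r in rules if r.group in user.groups]

def classify(user: User, rules) -> Optional[str]:
    """Return the Access Issue, or None when the user is in policy.
    Detection looks at every rule; order plays no part here."""
    if user.in_grace_period:
        return None                        # a grace period counts as in policy
    eligible = expected_roles(user, rules)
    if not eligible:
        return None if user.actual_role is None else "unauthorized_access"
    if user.actual_role is None:
        return "missing_access"
    if user.actual_role in eligible:
        return None
    return "role_mismatch"

def plan_remediation(user: User, rules, level: str, app_actions) -> dict:
    """Decide what happens for a deviation at a given remediation level.

    level:       "none" | "open_task" | "automatic"
    app_actions: operations the app integration supports (constructed set,
                 e.g. {"grant", "set_role", "suspend"})
    """
    issue = classify(user, rules)
    if issue is None:
        return {"issue": None, "action": "none"}
    if level == "none":
        return {"issue": issue, "action": "alert"}
    if level == "open_task":
        return {"issue": issue, "action": "open_task"}
    # Automatic remediation: the first matching rule, top to bottom, sets the target role.
    if issue == "missing_access" and "grant" in app_actions:
        return {"issue": issue, "action": "grant", "role": expected_roles(user, rules)[0]}
    if issue == "role_mismatch" and "set_role" in app_actions:
        return {"issue": issue, "action": "set_role", "role": expected_roles(user, rules)[0]}
    if issue == "unauthorized_access":
        for op in REMOVAL_PREFERENCE:
            if op in app_actions:
                return {"issue": issue, "action": op}
    # No valid action for this app: fall back to opening a Policy Deviation task.
    return {"issue": issue, "action": "open_task"}

def task_assignee(primary_owner: Optional[str], all_owners: list, admins: list) -> Optional[str]:
    """Task routing: primary app owner, else first listed owner, else first Admin."""
    if primary_owner:
        return primary_owner
    if all_owners:
        return all_owners[0]
    return admins[0] if admins else None

if __name__ == "__main__":
    # Constructed scenario mirroring the article: an Admin who is eligible for Editor and Member.
    rules = [Rule("app-admins", "Admin"), Rule("app-editors", "Editor"), Rule("app-members", "Member")]
    alice = User("alice", frozenset({"app-editors", "app-members"}), "Admin")
    print(plan_remediation(alice, rules, "automatic", {"set_role", "suspend"}))       # -> Editor
    reordered = [rules[2], rules[0], rules[1]]                                         # Member, Admin, Editor
    print(plan_remediation(alice, reordered, "automatic", {"set_role", "suspend"}))   # -> Member
```

Note that `classify` returns the same issue for both rule orders; only the role chosen by `plan_remediation` changes, which is the behaviour the note above describes.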


Setting your remediation level

You can set a remediation level in two places:

Global default — In any tab of the Access Governance page, click Access governance settings. Under Remediation level, set the default level that applies to all policies. The default is None.

Per-policy — When creating or editing a policy, the Enforcement settings section has a Remediation level field. Setting a level manually here overrides the global default for that policy. By default it's set to Default configuration, which inherits the global level.

This lets you, for example, keep most policies on Open Task while turning on Automatic Remediation only for the apps you're most confident about.

Torii also shows, per policy, the actions it is expected to run for each kind of deviation. Clicking "What actions will Torii run?" (shown under the Automatic Remediation option in the Enforcement settings section) opens a popup listing these actions per situation. Where an action isn't available for the app, the popup states that a task will be opened instead.


Policy Deviation tasks

Whenever Torii opens a task — either because the policy is set to Open Task, or because automatic remediation fell back to a task — it creates a task of type Policy Deviation, named "Resolve Policy deviation for [app name]."

Tasks are assigned, in priority order, to the primary app owner; if there is none, to the first user listed under All app owners; and if no owners exist, to the first user with the Admin role. This ensures the task always lands with someone who can resolve it.

The task message explains exactly what needs to happen, based on the deviation type.

Note: marking a Policy Deviation task as done does not by itself close the deviation. Torii re-evaluates the policy and closes the deviation only if the underlying issue is actually resolved.


Reviewing actions taken by Torii

Every action Torii takes through automatic remediation is recorded in the Action log, so you have a full audit trail of the actions Torii has taken and can show that access is being continuously governed.

Each entry is logged under the trigger "Out of policy user access discovered," along with the relevant access policy and a description of what happened.

To get there quickly, the Access Policies page includes a button that links straight to the Action log, pre-filtered to the "Out of policy user access discovered" trigger.


Important notes

  • Not yet supported for IdP group-membership policies. Automatic remediation is not currently available for policies governed via an IdP group. It will be introduced for those policies in a future release.
  • Settings only affect future changes. Changing a remediation level, globally or per-policy, applies going forward. It doesn't retroactively act on existing deviations.
  • Users in a grace period aren't remediated. A user in a grace period is considered in policy, so they won't be remediated until the grace period ends.
  • Rule order matters. When a user is eligible for multiple roles, rule order decides the result (see above).


Best practices

  • Roll out remediation gradually. Start a new policy on None to confirm the deviations Torii detects look right. Move to Open Task to validate the fixes with app owners in the loop. Then switch to Automatic Remediation once you're confident.
  • Order your rules intentionally. Because rule order determines which role a user is set to during remediation, review the order before enabling automatic remediation on a policy.
  • Enable automatic remediation per-app where it makes sense. Keep sensitive or complex apps on Open Task and reserve Automatic Remediation for the apps where the intended state is unambiguous.
  • Review the Action log regularly. Use the pre-filtered link from the Access Policies page to keep an eye on what Torii has changed.
