AccessReview — Quarterly User Access Review
Automates the SOC2 CC6.2 quarterly access review. 38 seeded grants across production DB, AWS root, GitHub admin, Stripe, Vault, Datadog. Flags dormant accounts, over-permissioned users, and offboarded employees. The reviewer attests or revokes each grant; the resulting audit trail is the SOC2 evidence.
What it is
The quarterly user-access-review screen every SOC2-compliant company should have but most maintain in Google Sheets. 38 user-system grants. Each carries last-login, job title, and a flag set that surfaces the gaps.
What it surfaces
- 38 seeded grants across 12 systems (production DB, AWS root, GitHub admin, Stripe admin, Vault, Datadog, Snowflake, Kubernetes, HubSpot, Klaviyo, Zendesk, BR services).
- Flag detection:
  - OFFBOARDED — user marked “former” / “offboarded” still has admin access. Seeded: George Adebayo (former CTO with AWS root + GitHub admin still active), Otto Reinhardt (offboarded 4 months ago, still has prod DB admin).
  - Over-permissioned — sales/marketing/CSM with admin on production. Seeded: Diana Park (VP Sales with read on prod DB), Maya Patel (Marketing with admin on prod DB).
  - Dormant >90d — last login more than 90 days ago. Seeded: Imani Hayes on parental leave (180d dormant), Frank Liu (210d dormant on Snowflake admin).
  - On leave — informational, no revocation needed.
- Action flow: each row has Attest / Revoke buttons. Click to record. Bulk-attest visible rows for quick zero-finding reviews.
- Sortable: rows carrying a bad flag sort first, and the default sort is by days dormant.
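The flag rules, the attest/revoke record and the bad-flags-first sort described above, as an added example in vanilla JavaScript. This is not AccessReview's own code: the grant field names (`status`, `title`, `system`, `role`, `lastLogin`), the list of production systems, the title pattern for the over-permissioned rule, and the five constructed grants are all assumptions, and the choice to refuse bulk-attestation of rows carrying a bad flag is this example's, not something the page specifies.

```javascript
// Added example, not AccessReview's own code. Field names, system and title
// lists, and the sample grants below are assumptions.

const DORMANT_DAYS = 90;
const PRODUCTION_SYSTEMS = new Set(['production DB']);
// Titles the "over-permissioned" rule applies to (sales / marketing / CSM).
const NON_ENGINEERING = /\b(sales|marketing|csm|customer success)\b/i;
// ON_LEAVE is informational; only these three drive the sort and block bulk-attest.
const BAD_FLAGS = new Set(['OFFBOARDED', 'OVER_PERMISSIONED', 'DORMANT']);

// Constructed sample grants (assumed shape; not the page's 38-row seed).
const GRANTS = [
  { id: 1, user: 'former.cto', status: 'former',   title: 'CTO',           system: 'AWS root',      role: 'admin', lastLogin: '2025-09-01' },
  { id: 2, user: 'vp.sales',   status: 'active',   title: 'VP Sales',      system: 'production DB', role: 'read',  lastLogin: '2025-12-20' },
  { id: 3, user: 'data.eng',   status: 'active',   title: 'Data Engineer', system: 'Snowflake',     role: 'admin', lastLogin: '2025-06-01' },
  { id: 4, user: 'on.leave',   status: 'on_leave', title: 'Engineer',      system: 'Datadog',       role: 'admin', lastLogin: '2025-07-01' },
  { id: 5, user: 'sre',        status: 'active',   title: 'SRE',           system: 'Kubernetes',    role: 'admin', lastLogin: '2025-12-28' },
];

// Whole days between an ISO date-only string and `today` (also ISO date-only).
function daysSince(isoDate, today) {
  return Math.floor((Date.parse(today) - Date.parse(isoDate)) / 86400000);
}

// Returns the flag list for one grant as of `today`.
function flagsFor(grant, today) {
  const flags = [];
  if ((grant.status === 'former' || grant.status === 'offboarded') && grant.role === 'admin') {
    flags.push('OFFBOARDED');
  }
  // The page's seeded examples flag read as well as admin on the production DB,
  // so any role on a production system counts for a non-engineering title.
  if (NON_ENGINEERING.test(grant.title) && PRODUCTION_SYSTEMS.has(grant.system)) {
    flags.push('OVER_PERMISSIONED');
  }
  if (daysSince(grant.lastLogin, today) > DORMANT_DAYS) flags.push('DORMANT');
  if (grant.status === 'on_leave') flags.push('ON_LEAVE'); // informational only
  return flags;
}

function hasBadFlag(row) {
  return row.flags.some(f => BAD_FLAGS.has(f));
}

// Annotates every grant with its dormancy and flags, then sorts bad flags
// first and, within each group, most-dormant first.
function buildReview(grants, today) {
  return grants
    .map(g => ({ ...g, daysDormant: daysSince(g.lastLogin, today), flags: flagsFor(g, today) }))
    .sort((a, b) => (hasBadFlag(b) - hasBadFlag(a)) || (b.daysDormant - a.daysDormant));
}

// Attest or revoke one grant. Every decision is appended to the audit trail,
// which is the evidence the reviewer hands to the auditor.
function recordDecision(audit, row, action, reviewer, at) {
  if (action !== 'attest' && action !== 'revoke') throw new Error(`unknown action: ${action}`);
  audit.push({ grantId: row.id, user: row.user, system: row.system, action, reviewer, at });
  return audit;
}

// Bulk-attest the visible rows. Rows with a bad flag are skipped and their ids
// returned so they still get an individual decision (an assumption of this example).
function bulkAttest(audit, rows, reviewer, at) {
  const skipped = [];
  for (const row of rows) {
    if (hasBadFlag(row)) { skipped.push(row.id); continue; }
    recordDecision(audit, row, 'attest', reviewer, at);
  }
  return skipped;
}

// Grant ids that still have no decision, in review order.
function pending(rows, audit) {
  const decided = new Set(audit.map(e => e.grantId));
  return rows.filter(r => !decided.has(r.id)).map(r => r.id);
}
```

With `today` set to `2026-01-05`, `buildReview(GRANTS, today)` orders the rows 3, 4, 1, 2, 5: the four flagged grants first by days dormant, the clean SRE grant last. A bulk-attest over that list records only the SRE row and returns the other four ids, which then need an explicit attest or revoke each before `pending` is empty.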
Why this shape
The biggest quarterly access review finding is always “we found an offboarded employee with admin access for 4 months.” The pattern is always the same: HR offboarded them, IT didn’t catch all the access grants, no one checked until the auditor pulled the report. AccessReview catches it at week 0 of each quarter, before the audit window.
How it ships
Single HTML file, ~26KB. Zero dependencies. The 38-grant seed, flag detection logic, attestation state, and bulk-attest are 240 lines of vanilla JavaScript.