AccessReviewer — Quarterly Access Review (UAR) Workflow
8 reviewers × 142 employees × 12 systems. Per-grant decision (keep / reduce / revoke), justification, escalation, days-to-deadline. Sort by tier-0-system-first, dormant-first, employee, system. Surfaces 4 reviewers chronically overdue + 18 unattested grants on tier-0 systems + the SOC2 CC6.1 audit-trail.
What it is
The shape behind every quarterly UAR. AccessReview (batch 8) shipped the ad-hoc snapshot; AccessReviewer (this one) ships the orchestrated workflow: reviewer-load tracking, deadline clocks, and the per-grant audit trail SOC2 CC6.1 demands.
What’s in it
- 8 reviewers across Security / SRE / Support / Sales / Finance / Legal / Data, with clear assignment of which employees they review.
- 142 employees across 12 systems, with 130 active grants under review this quarter (not every employee holds a grant on every system).
- Per-grant decision — keep / reduce-privilege / revoke / pending.
- Sort by tier-0-system-first / dormant-first / employee / system to drive the right triage order.
- Reviewer load tracking — who’s at 100% complete, who’s at 30% and 18 days overdue.
- Worst-offender findings:
  - R04 Felix (EU support): 8 days overdue, 10 of 14 grants unattested
  - R05 Diego (NA sales): 12 days overdue, 8 of 12 grants unattested, including Salesforce admin
  - R07 Lina (legal): 18 days overdue, 4 of 6 grants unattested, including 1Password admin scope
- Tier-0 unattested count surfaced separately — these are the highest-impact unreviewed grants.
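The triage logic the list above describes, as an added example (not the AccessReviewer page's own code): constructed grants, reviewers and deadlines; the four sort modes; reviewer load with days overdue; the tier-0 unattested count; and an append-only decision log that refuses a decision without a justification or from the wrong reviewer. All names, dates and the 90-day dormancy threshold are assumptions chosen for the example.

```javascript
// Added example, not code from the AccessReviewer page. All data below is constructed.
const TODAY = new Date("2024-04-30T00:00:00Z"); // fixed "now" so deadline math is reproducible
const DORMANT_DAYS = 90;                        // assumed dormancy threshold

// Constructed systems; tier 0 = identity, secrets, finance (highest blast radius).
const SYSTEMS = {
  okta: { tier: 0 }, onepassword: { tier: 0 }, salesforce: { tier: 1 }, zendesk: { tier: 2 },
};

// Constructed reviewers, each with their own review deadline.
const REVIEWERS = {
  R01: { name: "Aisha", team: "Security", deadline: "2024-05-10" },
  R05: { name: "Diego", team: "NA sales",  deadline: "2024-04-18" },
};

// Constructed grants. decision is null until the assigned reviewer attests.
const GRANTS = [
  { id: "g1", employee: "e.lopez", system: "okta",        role: "super-admin", reviewer: "R01", lastUsed: "2024-04-28", decision: "keep" },
  { id: "g2", employee: "m.chen",  system: "zendesk",     role: "agent",       reviewer: "R01", lastUsed: "2024-04-29", decision: "keep" },
  { id: "g3", employee: "p.singh", system: "salesforce",  role: "admin",       reviewer: "R05", lastUsed: "2024-01-03", decision: null },
  { id: "g4", employee: "p.singh", system: "onepassword", role: "admin",       reviewer: "R05", lastUsed: "2023-11-15", decision: null },
  { id: "g5", employee: "k.ito",   system: "salesforce",  role: "user",        reviewer: "R05", lastUsed: "2024-04-27", decision: "reduce" },
];

// Whole days from b to a (both ISO dates or Date objects at UTC midnight).
const dayDiff = (a, b) => Math.floor((new Date(a) - new Date(b)) / 86_400_000);
const isDormant = (g) => dayDiff(TODAY, g.lastUsed) > DORMANT_DAYS;
const isUnattested = (g) => g.decision === null;

// Primary comparators for the four sort modes; ties fall back to employee, then system.
const SORTS = {
  "tier-0-first":  (a, b) => SYSTEMS[a.system].tier - SYSTEMS[b.system].tier,
  "dormant-first": (a, b) => dayDiff(TODAY, b.lastUsed) - dayDiff(TODAY, a.lastUsed),
  employee:        (a, b) => a.employee.localeCompare(b.employee),
  system:          (a, b) => a.system.localeCompare(b.system),
};

function sortGrants(grants, mode) {
  const primary = SORTS[mode];
  if (!primary) throw new Error(`unknown sort mode: ${mode}`);
  return [...grants].sort((a, b) =>
    primary(a, b) || a.employee.localeCompare(b.employee) || a.system.localeCompare(b.system));
}

// Per-reviewer completion and days past deadline; "overdue" only while work remains.
function reviewerLoad(grants, reviewers, today = TODAY) {
  const out = {};
  for (const [id, r] of Object.entries(reviewers)) {
    const mine = grants.filter((g) => g.reviewer === id);
    const done = mine.filter((g) => !isUnattested(g)).length;
    const daysOverdue = Math.max(0, dayDiff(today, r.deadline));
    out[id] = {
      name: r.name, total: mine.length, unattested: mine.length - done,
      pctComplete: mine.length ? Math.round((100 * done) / mine.length) : 100,
      daysOverdue, overdue: daysOverdue > 0 && done < mine.length,
    };
  }
  return out;
}

// The highest-impact unreviewed grants: tier-0 system and no decision yet.
function tier0Unattested(grants) {
  return grants.filter((g) => SYSTEMS[g.system].tier === 0 && isUnattested(g));
}

// Append-only decision log: the evidence an auditor asks for per grant.
const AUDIT_LOG = [];
function decide(grant, reviewerId, decision, justification, at = TODAY) {
  if (!["keep", "reduce", "revoke"].includes(decision)) throw new Error(`bad decision: ${decision}`);
  if (grant.reviewer !== reviewerId) throw new Error(`${reviewerId} is not the assigned reviewer for ${grant.id}`);
  if (!justification || !justification.trim()) throw new Error("justification required");
  grant.decision = decision;
  const entry = { grantId: grant.id, reviewer: reviewerId, decision, justification, at: at.toISOString() };
  AUDIT_LOG.push(entry);
  return entry;
}

console.log(JSON.stringify(reviewerLoad(GRANTS, REVIEWERS), null, 2));
console.log("tier-0 unattested:", tier0Unattested(GRANTS).map((g) => `${g.employee}@${g.system}`));
console.log("dormant:", GRANTS.filter(isDormant).map((g) => g.id));
```

With this data R05 is 12 days past deadline with 2 of 3 grants unattested, and the single tier-0 unattested grant is the dormant 1Password admin role; `decide(GRANTS[3], "R05", "revoke", "...")` clears it and writes the log entry. A real pipeline would persist `AUDIT_LOG` somewhere the reviewer cannot edit and re-run `reviewerLoad` on a schedule rather than at audit time.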
Why this shape
SOC2 CC6.1 + ISO 27001 A.5.18 + NIST 800-53 AC-2 all require periodic access review with a documented decision per grant. SOX §404 raises the bar further for privileged access on financial-reporting systems. Many organizations assemble the review only when the audit arrives and discover the long tail of unreviewed grants then. AccessReviewer prototypes the pipeline that surfaces overdue reviewers and tier-0 unattested grants throughout the quarter, so that the audit-time report is a read-out rather than a scramble.
How it ships
Single HTML file, ~15KB. Zero dependencies. 8 reviewers × 130 grants × 4 sort modes + reviewer-load tracking in 200 lines of vanilla JavaScript.