User Access Reviews


WHAT ARE USER ACCESS REVIEWS (UARs) AND WHY ARE THEY IMPORTANT?

About This Control

Summary: User Access Reviews (UARs) are a process executed to check that access which has been granted is appropriate and is approved by management.

Purpose: The UAR process confirms whether access that was granted is still required. It is a secondary control to get access removed if 1) it was never required, 2) the user has changed positions and access that had been required is no longer needed, or 3) the user has left the organization and their access was inadvertently not revoked at termination.

Implementation Guidance: UARs are typically performed on a schedule that is determined by the organization’s cybersecurity policy. Higher levels of privilege, such as admin accounts, or access to sensitive applications or data are typically reviewed on a more frequent cycle than less sensitive access.

Why It Matters

Importance of this control

  • An essential part of cyber hygiene is revoking access that is excessive or no longer needed. UARs are a check to confirm that such access is being removed.

  • UARs are required by most control frameworks to demonstrate proper management of access and privileges.

Risks Addressed

  • Primary controls that are intended to revoke access when users transfer within or leave the organization may fail, and UAR is a secondary control to catch such failures.

  • Excessive levels of access, such as unjustified administrative access, are frequently exploited by attackers.

  • Unnecessary access can also be exploited by insiders.

CONTROLS THIS DASHBOARD REPORTS ON

This dashboard reports on your organization’s level of compliance with these controls:

  • NIST CSF 2.0:

    PR.AA-05 Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties

  • PCI DSS v4.0.1:

    7.2.2 Access is assigned to users, including privileged users, based on:

    • Job classification and function.

    • Least privileges necessary to perform job responsibilities.

    7.2.3 Required privileges are approved by authorized personnel.

    7.2.4 All user accounts and related access privileges, including third-party/vendor accounts, are reviewed as follows:

    • At least once every six months

    • To ensure user accounts and access remain appropriate based on job function.

    • Any inappropriate access is addressed.

    • Management acknowledges that access remains appropriate.

  • CIS CSC v8.1:

    5.1 Establish and Maintain an Inventory of Accounts

    5.5 Establish and Maintain an Inventory of Service Accounts

    6.2 Establish an Access Revoking Process

PRIMARY KEY PERFORMANCE INDICATOR (KPI)

The dashboard reports on this Primary KPI:

  • Numerator: Number of accounts that are compliant for their assigned UARs. An account is compliant when either 1) the UAR was completed by its due date, or 2) the UAR has not yet reached its due date.

  • Denominator: Total of all accounts in scope for UAR.
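A worked computation of this Primary KPI over constructed certification records, added here as an illustration and not the dashboard's own query logic. It assumes that an account with several assigned UARs is compliant only when each of them is, and that an in-scope account with no UAR assigned counts in the denominator but not the numerator.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass
class Certification:
    account: str
    due_date: date
    end_date: Optional[date]  # None while the review is still open

def certification_compliant(cert: Certification, as_of: date) -> bool:
    """Rule from the KPI definition: completed by due date, or due date not yet reached."""
    if cert.end_date is not None:
        return cert.end_date <= cert.due_date   # completed late is non-compliant
    return as_of <= cert.due_date              # open but not yet past due

def account_compliant(certs: List[Certification], as_of: date) -> bool:
    # Assumption: every assigned UAR on the account must be compliant.
    return all(certification_compliant(c, as_of) for c in certs)

def uar_kpi(accounts_in_scope: List[str], certs: List[Certification], as_of: date) -> Dict:
    by_account: Dict[str, List[Certification]] = {}
    for c in certs:
        by_account.setdefault(c.account, []).append(c)
    compliant, no_uar = 0, []
    for acct in accounts_in_scope:
        acct_certs = by_account.get(acct, [])
        if not acct_certs:
            no_uar.append(acct)   # assumption: in scope, no UAR -> denominator only
            continue
        if account_compliant(acct_certs, as_of):
            compliant += 1
    denominator = len(accounts_in_scope)
    return {"numerator": compliant, "denominator": denominator,
            "no_uar": sorted(no_uar),
            "kpi": compliant / denominator if denominator else 0.0}

# Constructed sample data (not real accounts); review date is 2026-03-15.
AS_OF = date(2026, 3, 15)
ACCOUNTS = ["alice", "bob", "carol", "dave", "erin", "frank"]
CERTS = [
    Certification("alice", date(2026, 3, 10), date(2026, 3, 1)),   # completed on time
    Certification("bob",   date(2026, 4, 1),  None),               # open, not yet due
    Certification("carol", date(2026, 3, 1),  None),               # open and past due
    Certification("dave",  date(2026, 3, 10), date(2026, 3, 12)),  # completed late
    Certification("erin",  date(2026, 3, 10), date(2026, 3, 9)),   # one on time ...
    Certification("erin",  date(2026, 3, 1),  None),               # ... one past due
]                                                                   # frank: no UAR

if __name__ == "__main__":
    print(uar_kpi(ACCOUNTS, CERTS, AS_OF))
```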

COLUMNS DISPLAYED ON THE DETAIL DASHBOARD

  • Leading: Compliance Status User, Compliance Status User No UARs, Compliance Status Unique Id, User Account Name

  • Account Information: User Account Status, User Account Type, User Account Last Login

  • User Information: User Email Address, User Groups, User OUS, User Type Id

  • User Termination info: Compliance Status Revoked Access, User Termination Datetime, User Termination Revoked Datetime, User Termination Revoked Duration

  • UAR product account identifier: User Identity Name, User Identity Id

  • Campaign Information: Campaign Id, Campaign Name, Campaign Status, Campaign Type, Campaign Description

  • Certification Information: Certification Id, Certification Name, Certification Closed Automatically, Certification Reviewer Email Address, Certification Reviewer Name, Certification State, UAR Source

  • Certification Dates: Certification Start Date, Certification Due Date, Certification End Date, Certification End Due Difference, Certification Is Past Due

  • Org Hierarchy: Owner Databee Id, Owner Email Address, Owner Employee Id, Owner Full Name, Owner Job Title, Owner Name, Manager Databee Id, Manager Email Address, Manager Full Name, Level 2, Level 3, Level 4, Level 5, Level 6

OCSF TABLES USED BY THE DASHBOARD

  • User Entity View

  • CDP.User

  • OCSF.Ticket Inventory

Copyright © 2026 DataBee®, A Comcast Company.
DataBee® is a registered trademark of Comcast.