SaaS Access Review: How to Run One That Actually Matters

Most SaaS access reviews I've seen are checkbox exercises — a manager clicks "approve" on a spreadsheet they didn't really read, and the same stale accounts get rubber-stamped for another quarter. Here's how to run a review that actually finds the risk: over-provisioned admins, former employees with lingering access, and apps nobody remembers approving.

40+

SaaS apps reviewed

500+

Users in scope

Quarterly

Review cadence

Why Most Access Reviews Fail

The typical access review process: export a user list from each app, paste it into a spreadsheet, email it to managers, wait two weeks, chase the ones who didn't respond, collect "approved" on 95% of rows, file the spreadsheet somewhere, repeat in three months.

The problem isn't the process — it's the data. A spreadsheet listing usernames tells a manager almost nothing useful. They don't know when each person last logged in, what permissions they have, or whether their role still requires that access level. So they approve everything, because saying "remove" feels risky without context.

An access review is only as good as the data that feeds it. The goal is to give reviewers enough context that they can make an informed decision in 10 seconds per row, not force them to guess.

What Good Review Data Looks Like

For each user in each app, reviewers need at minimum:

Last login date — anything older than 90 days is a red flag worth actioning immediately

Current role / permission level — admin vs. standard user vs. read-only makes a significant difference

How access was provisioned — via Okta group, manually, or through a third-party integration

Current employment status — still active? Left the company? On leave?

Department / team — so managers can spot users who shouldn't have access based on role change

With this data, a manager can look at a row and immediately spot "this person transferred to a different department six months ago, why do they still have admin access to our billing tool?" — and that's the point.

Step-by-Step: How I Run Ours

Step 01

Pull the user list from Okta, not from each app

Going app by app is slow and inconsistent. If you're using Okta as your identity provider, pull the access data directly from the Okta API — you get a single source of truth for which users are assigned to which apps, what their role is, and when the assignment was created. I built a tool to do exactly this: the Okta App Access Auditor exports a clean CSV of every user's app access in one shot, across all your Okta-connected applications.

💡 For apps not connected to Okta, you'll need to pull from the app directly. Prioritise getting everything through Okta — it makes every future review faster and the data more trustworthy.

Step 02

Layer in last-login data

Most apps expose last login via their API or admin export. Cross-reference this with your user list and flag anyone who hasn't logged in for 90+ days as "inactive." These are your highest-priority removals — the risk is real and the decision is easy. For Google Workspace, GAM makes this trivial: gam report users fields accounts:last_login_time. For Okta, the System Log API gives you last authentication events per user per app.

Step 03

Pre-flag the obvious removals before sending to managers

Don't send a manager a list of 200 users and ask them to review all of it. Before you send anything, automatically flag: users inactive 90+ days, users whose Okta account is suspended (they're offboarded), users whose department doesn't match the app's intended audience, and anyone with admin/owner permissions who isn't in your known-admins list. These should either be removed automatically or come to the manager's list already flagged as "recommended removal."

Step 04

Make the review as easy as possible for managers

The easier the review, the faster and more accurate the responses. Send managers only the users on their team, pre-sorted with flagged rows at the top. Include last login, role, and a simple "Keep / Remove / Change role" column. Set a deadline (one week is reasonable), send one reminder, and treat non-responses as "approve" for low-risk rows but escalate non-responses on admin accounts.

💡 Consider moving away from spreadsheets entirely. Okta's Access Certifications feature handles the workflow natively if you're on the right plan. For a lightweight alternative, a simple web form pre-populated from your API data cuts response time significantly.

Step 05

Act on the results immediately — same day if possible

The value of an access review evaporates if the removals sit in a queue for two weeks. Build the remediation step into your workflow: remove flagged users from Okta groups (which cascades to all connected apps), revoke direct app assignments, and downgrade permissions for anyone who should be read-only. Log every action with a reference back to the review. This is your audit trail.

The Accounts That Slip Through Most Often

Watch out for

Service accounts and shared logins

Service accounts often outlive the person who created them. A contractor sets up an integration using their personal admin account, leaves the company, gets offboarded — but the integration keeps running because nobody realised the account was being used for automation. Audit every non-human account quarterly and tie it to a named owner who is still active.

Watch out for

Privilege creep from role changes

Someone gets promoted or changes teams and picks up new app access. But their old access from the previous role rarely gets removed — there's no trigger for it. Over time, they accumulate permissions across three or four apps they no longer need. Okta lifecycle management handles this if your groups are set up correctly, but it requires intentional group design, not just "add everyone to this group."

Watch out for

Shadow admin accounts

In most orgs, the official admin list is not the complete admin list. Someone at some point granted themselves or a colleague admin access to an app directly, bypassing your identity provider. The Okta Admin Audit App I built exists exactly for this reason — it surfaces Okta admin accounts you might not know about, including those that haven't been used in months.

→ See the Admin Audit App project →

⚠️ Automate what you can, but don't automate the decision. You can automate data collection, flagging, and remediation of obvious cases (suspended users, 180+ day inactivity). But the actual access decision — keep or remove — should involve a human reviewer for anything non-trivial. Automated removals without review cause real operational disruption when you remove access someone actually needs.

Metrics Worth Tracking

Track these across reviews to show improvement over time — and to justify the effort to leadership:

Accounts removed per review — should trend down as your provisioning processes improve

Inactive accounts found — measures how well your offboarding is working

Admin accounts outside approved list — should be zero, or close to it

Review completion rate — percentage of managers who responded on time

Time from review completion to remediation — aim for same day

A well-run access review is one of the highest-ROI things an IT team can do for security posture. It doesn't require expensive tooling — just good data, a clear process, and the discipline to act on the results. If you want to talk through how to set this up for your specific stack, feel free to reach out at izzi@izzirenan.com.

Izzi Renan

IT Systems Administrator at Forter. Managing Okta, Google Workspace, and Jamf Pro for 500+ users across EMEA, APAC, and Israel. 10 years in IT.