When conducting an access review using Thoropass, you'll generate an Access Review Report detailing the changes to user access you've recommended. The team responsible for your change management process will use this report to enact the changes.
As the last step before completing a review, the System Owner is required to validate those changes.
π‘ We've found that errors during the change management process are a frequent source of delays and exceptions during audit. The change validation process mitigates or eliminates these problems to keep your audits running smoothly.
How does change validation work?
For integrated access reviews, we'll re-import your user list directly and compare the results to your review. If we find any issues or errors with your results, we'll highlight and explain how to resolve them.
For non-integrated access reviews, the System Owner will capture and upload evidence that the access changes have occurred.
Once the access changes have been validated, the System Owner will attest that the changes have been made and complete the review.
If my access review is integrated, can't you make the access changes for me?
Automating the change management process would require giving Thoropass edit access to the system being reviewed. This is far too much control for an outside service and would make your systems less secure, not more.
For this and other reasons, Thoropass will never automate this process.