Trelica by 1Password: Access Reviews

Access Reviews Self-Serve Guide:

Trelica’s Access Reviews feature gives administrators and app owners a centralized, streamlined way to manage and verify user access. There are possibilities to create and launch reviews, track their progress in real time, and view all reviews at a glance or sort them by date or status. This provides a comprehensive context for making informed access decisions.

Note: This feature is part of the wider access governance component of Trelica and will have overlaps with offboarding and access requests.

Creating an Access Review

To create a new access review, first you’ll need to navigate to the ‘Access’ page within your Trelica account, then under “Access reviews”, select ‘New’.

A pop-up window will appear with the fields to create the new access review. There are three different types of access review options within Trelica: Application Field, Status, and Manual Selection. Below is a breakdown of each option.

OPTION A: APPLICATION FIELD

The first option is to create a review based on a custom application field. This option requires you to have custom application fields created (see here for instructions on creating custom application fields).

Note: Only the custom application fields with the type set as ‘Option’ will appear in Access reviews.

OPTION B: APP STATUS

The second option is to create a review based on the Application Status of various applications in your Application Inventory. This option can be useful for upcoming security audits (for example, reviewing all of your 'managed' applications) or when decommissioning applications ('plan to close' status).

OPTION C: MANUAL SELECTION

The third option is to create a review by Manual Selection. This option can be used when you would like to assess one or more applications at a time that do not fall into the Access Review categories (custom field or by status).

The application can be chosen once the review type has been created.

Note: This is the only option that will allow you to choose an application after the review has been created as a draft.

Creating access reviews: step by step

1. Name: Enter a name for your review.
2. Choose how to enroll applications: three different types of access reviews that can take place within Trelica: Application Field, Status, and Manual Selection. Above is a breakdown of each option.
3. Reviewer: Choose the default app role responsible for reviewing their users’ access. You can select a default role or use custom fields to assign reviewers. This may assign multiple reviewers if multiple users have the assigned role. You can optionally add or remove specific users as reviewers. Those users will be notified by email or Slack that they’ve been assigned a review, depending on standard notification settings.
4. Start date: Choose a date for the new access review to go into effect.
5. Review due: Choose how long reviewers have before the review is due. Notifications and reminders will be sent for the review based on the selected timeframe.
6. Frequency: Choose how often the review should be performed. For example, one-off or quarterly. A new snapshot of users is created each time the review is set to run.
7. Select Create to save a draft of your access review.

Reviewing the App Review

Double-check any information in this draft state before launching the review

• Are all the applications you are looking to review in this list? - If a manual selection review, you can add more applications; this cannot otherwise be edited. If there are issues, edit the status or custom field information, then create a new review.
• Is the information up-to-date from the integrations/sources? - User data for access reviews comes from a variety of sources. For example, data may come from an IdP, directly from apps via an integration, manual imports, or log-in information from browser extensions or SAML.
• Is there an active Reviewer for every application? - You can edit, add, and remove users by using the plus sign or the ellipses for each application. Ensure that these individuals are not terminated or placed on leave for the duration of your review.
• Does the review date or frequency need to be updated? This can be edited by using the ellipses next to the launch button.

Complete assigned access reviews

Once your access review is launched, reviewers will get notified when reviews become active and when they’re due. Administrators will get notified when access reviews are completed.

STARTING A REVIEW

Once the review is launced, reviewers can log into Trelica and start the process of reviewing users’ access to the associated applications. There will be a checklist for each application if user information needs to be updated or refreshed.

There are options to filter for anything that might be beneficial in the review stage: Person type, Team. Access level, Review status, Issue Type, and more custom filters (Risk, Role, Line manager, and many more). If you would like any of these items to be added to the column view, simply press the ellipsis button and choose column.

ACTING ON ACCESS

User data generated by access reviews includes information such as last login date, employment details such as start and termination dates, as well as job title, system information, and financial data. This provides a comprehensive context for making informed access decisions.

With this information, reviewers can act on each individual’s access, regardless of the issue (which may include a leaver with access or an external person with access)

There are multiple options to choose from in the review process

• Shield with tick - No action needed
• Exclamation point in Circle - Action required
• Tick in circle with plus - Create a task

These actions can be bulk-edited when using the tick box next to the user’s name

For further actions, depending on the integrations you have set up with that application, you may have the choice to delete, suspend, deactivate, or record manual action.

As these actions start taking place, the progress bar at the top of the page will be updated with a grey bar (to do), a red bar (to remediate), or a green bar (completed). Once everything is green and resolved, select Mark complete to finish the review. Administrators will be notified when reviews are finished, and can then export reviews as needed to provide for auditors or other stakeholders.

Digging Deeper

Export a review

This feature has been created to help with understanding for internal users, the C-suite, and auditors. To share this information with selected individuals, there is the ability to export this data, either by a single application or the entire review. The review will export as a `.zip` that includes `.xlsx` and `.csv` files, so you can share just one file that contains all supporting documents with your auditors.

Access Requests

As mentioned, the Access Reviews feature is part of the wider Access Governance component within Trelica. For more information on Access Requests, take a look at these help documents or book a call with your Implementation Project Manager or Customer Success Manager for a training session.

This widget specifically refers to the Access Requests report.

See Review Issues

The Access Issues tile on the Access tab is to highlight any issues that are happening across the platform. This is to aid the access issues that have been flagged based on a person leaving or a leaver with access. This will link to the Access Issues report that highlights every single issue, rather than being application-specific. It could be a starting point in understanding which applications should be reviewed.

Wrap-Up

Once you've completed the above steps, you’ll be able to:

• Create an Access Review
• Administer Access Reviews
• Complete Access Reviews
• Export information for Auditors

Here are some useful help documents to assist in your understanding.

• Administrating Access Reviews
• Completing Assigned Access Reviews
• Defining Custom Attributes



Still have questions? Reach out to your Implementation Project Manager or Customer Success Manager for a tailored walkthrough.

FAQ: