Protect and automate

Identity and access reviews

Review application accounts, identify unmatched access, track required changes, and retain evidence of access decisions.

Reviewed Jul 12, 2026 · Product

Overview

Access Review brings application-account reviews and access-change evidence into elba. Use it to define a review scope, collect accounts, record access decisions, follow required changes, investigate unmatched accounts, and export results.

The workspace is organized into four areas:

  • Reviews for periodic account reviews and decisions
  • Identity gaps for source accounts that are not matched to an elba employee
  • Activity for detected access and permission changes
  • Sources for the applications that provide account data

Create an access review

1. Create and configure the review

Open Access Review, then select Create review. Give the review a clear name and configure its deadline and reminders.

2. Define the application scope

Add applications from your inventory or create an entry for another application that should be reviewed.

Account collection depends on the source:

  • A connected application can import its available accounts into elba.
  • For an application without a connection, import accounts from a CSV file or a screenshot, then review the detected data before adding it to the scope.

Connected data provides the most direct source of account information. For manual imports, confirm the data with the application's owner before starting the review.

3. Review accounts

For each account, choose the appropriate decision:

  • Maintain to keep the current access
  • Revoke to request removal of access
  • Change role to maintain access while requesting a different role

Use the available filters to work by application, owner, employee, group, or review decision.

4. Apply required changes

The Required changes view collects revocation and role-change decisions.

For some connected applications, elba can present a direct Revoke access action when the integration and account support it. Otherwise, make the change in the source application and mark the item as done in elba.

A role-change decision records the requested role. Apply that change in the source application, then mark it as complete in the review.

Integration capabilities vary by application and account. Always use the action shown for the specific item rather than assuming that elba can change access directly.

5. Complete and export

Review progress for both account decisions and required changes before completing the review. After completion, decisions and required changes can no longer be edited.

Export the completed review when you need a record for internal controls or further analysis. You can also duplicate a review to prepare a later review with a similar scope.

Investigate identity gaps

Identity gaps are accounts found in connected sources that elba has not matched to an employee and that have not already been identified as external.

elba may group an unmatched account as a potential former employee when its email domain matches your organization. This is a signal for investigation, not confirmation that the person has left the organization. Accounts with a different domain may be presented as external users.

For each identity gap:

  1. Confirm the person's identity and employment status using your authoritative systems.
  2. Check whether the account is a legitimate external collaborator, service account, shared account, or emergency account.
  3. Review the application's owner, role, permissions, and recent business need.
  4. Add the account to an access review or handle it through your established access process.

You can export identity gaps to CSV for investigation or reconciliation.

Use elba during offboarding

Identity gaps and access reviews can support your offboarding process, but employment status and revocation decisions remain under your organization's control.

A safe workflow is:

  1. Confirm the departure in your authoritative HR or identity system.
  2. Review accounts associated with the employee across relevant applications.
  3. Check for ownership transfers, shared resources, service dependencies, or retention requirements.
  4. Record revoke or role-change decisions in an access review.
  5. Use direct revocation only where elba offers it for that integration and account; make all other changes in the source application.
  6. Mark manually completed changes as done and retain the completed review as evidence.

Do not treat an identity-gap label as authorization to revoke access. Validate each account before acting, especially privileged, shared, service, and emergency-access accounts.

Review access activity

The Activity view records supported changes detected in connected applications, including:

  • Access granted
  • Access revoked
  • Role changed
  • Permissions changed
  • Authentication method changed

Filter the activity view to investigate changes, and export it to CSV when you need to reconcile it with another control or retain supporting evidence.

Before completing a review:

  1. Confirm that all intended applications and accounts are in scope.
  2. Resolve ambiguous identities with the application or business owner.
  3. Check privileged and service accounts separately.
  4. Ensure every revoke and role-change decision has an owner.
  5. Confirm manual changes in the source application before marking them done.
  6. Export the final review and document any accepted exceptions.

On this page