Access Reviews
Prove who has access to what. Continuously.
Automated user access review campaigns across identity providers, cloud platforms, and SaaS applications. Detect orphaned accounts, excessive privileges, and MFA gaps. Satisfy NIS2 Article 21(2)(i) access control requirements and DORA Article 9(4)(c) access rights management. SCIM 2.0 provisioning for automated lifecycle management.
What you get
Automated Access Review Campaigns
Launch access review campaigns that pull current entitlements from connected identity providers and present them to managers for certification. Managers confirm or revoke each access entitlement through a simple approve/revoke interface. Campaign completion is tracked with SLA deadlines and escalation for non-responsive reviewers.
Orphaned Account Detection
Cross-references user accounts across all connected systems with HR data to identify orphaned accounts — active system accounts belonging to terminated employees, contractors past contract end dates, or users who have changed roles. Orphaned accounts are flagged for immediate review and deprovisioning to eliminate a common attack vector.
Excessive Privilege Alerts
Analyses user entitlements against role definitions and peer group patterns to identify excessive privileges. Flags users with admin access they do not need, service accounts with overly broad permissions, and privilege accumulation from role changes without corresponding access removal. Alerts trigger access reduction workflows.
MFA Compliance Monitoring
Continuously monitors MFA enrollment and enforcement across all connected identity providers. Identifies users who have not enrolled in MFA, accounts with MFA exceptions, and authentication events that used only a single factor. MFA compliance is tracked against NIS2 Article 21(2)(j) requirements for multi-factor authentication.
SCIM 2.0 Provisioning
Automated user lifecycle management via SCIM 2.0 integration. When access review decisions are made — revocations, role changes, deprovisioning — actions are pushed to connected systems automatically via SCIM. This closes the gap between access review decisions and actual enforcement, eliminating manual deprovisioning delays.
Identity Risk Scoring
Each user identity receives a composite risk score based on privilege level, MFA status, access anomalies, account age, and review history. High-risk identities are prioritised for more frequent review cycles and deeper investigation. Risk scores feed into the overall risk management module for identity-related risk tracking.
How it works
Connect Identity Sources
Connect your identity providers (Okta, Entra ID, Google Workspace), cloud platforms (AWS IAM, Azure AD, GCP IAM), and SaaS applications via pre-built integrations. FortisEU imports the complete entitlement model including users, groups, roles, and permissions.
Run Campaign
Launch an access review campaign scoped by department, application, privilege level, or risk score. Campaign assignments are distributed to managers who review each entitlement on their team. Automated reminders and escalations ensure campaigns complete within the defined SLA window.
Review & Certify
Managers review each user's access entitlements and certify (approve continued access) or revoke (remove access). The review interface shows context including last access date, peer comparison, and risk indicators to support informed decisions.
Remediate Gaps
Revocation decisions are executed automatically via SCIM provisioning or queued as manual tasks for systems without SCIM support. Orphaned accounts are deprovisioned. Excessive privileges are reduced. MFA non-compliance is flagged for immediate enrollment. All actions are logged for audit trail.
Built for your team
Access Hygiene Maintenance
The IT manager runs quarterly access review campaigns across all enterprise applications. The platform identifies 23 orphaned accounts from employees who left in the last quarter, 8 users with admin privileges they no longer need after role changes, and 12 accounts without MFA. Automated remediation deactivates orphaned accounts via SCIM and triggers MFA enrollment reminders, resolving 90% of findings without manual intervention.
Access Certification Evidence
An auditor conducting an ISO 27001 A.9.2.5 access rights review receives a complete campaign report showing every user access entitlement, the manager who certified it, the certification date, and any revocations executed. The report demonstrates a systematic, organisation-wide access review process with full audit trail — satisfying the auditor's evidence requirements in a single export.
Identity Risk Oversight
The CISO monitors the identity risk dashboard showing aggregate risk scores across the organisation. A spike in high-risk identities after a company acquisition triggers an emergency access review campaign for all acquired employees. The CISO presents identity risk trends to the board as part of NIS2 Article 20 management body reporting, demonstrating continuous improvement in access control maturity.
Common questions
Which identity providers does FortisEU support?
FortisEU integrates with major identity providers including Okta, Microsoft Entra ID (Azure AD), Google Workspace, OneLogin, Ping Identity, and JumpCloud. Cloud platform IAM systems (AWS IAM, Azure RBAC, GCP IAM) are supported for cloud entitlement review. SaaS applications with SCIM 2.0 or REST API support can be connected for automated provisioning. Custom LDAP/Active Directory connections are available for on-premises directory services. The integration library expands monthly based on customer requirements.
How often should access review campaigns run?
Campaign frequency depends on regulatory requirements and risk appetite. ISO 27001 A.9.2.5 requires regular review of user access rights. NIS2 Article 21(2)(i) requires access control policies to be maintained. Industry practice is quarterly review for privileged access, semi-annual review for standard access, and annual review for read-only access. FortisEU supports configurable campaign schedules with different frequencies for different entitlement tiers. High-risk identities and privileged accounts can be placed on continuous review with monthly certification cycles.
What is the scope of SCIM 2.0 provisioning?
SCIM 2.0 provisioning automates user lifecycle management — creating, updating, and deactivating accounts in connected applications based on access review decisions and HR events. When a manager revokes access during a review campaign, the revocation is pushed to the target application via SCIM within minutes. When HR marks an employee as terminated, all connected applications receive a deactivation signal. SCIM scope covers identity providers, SaaS applications, and cloud platforms that support the SCIM 2.0 standard. For applications without SCIM support, FortisEU generates remediation tasks for manual execution.
How does FortisEU map to NIS2 Article 21(2)(i) requirements?
NIS2 Directive 2022/2555 Article 21(2)(i) requires essential and important entities to implement access control policies and asset management. FortisEU maps this requirement to concrete controls: systematic access review campaigns demonstrate that access is regularly validated, orphaned account detection ensures terminated access is removed promptly, excessive privilege alerts enforce least-privilege principles, and MFA monitoring satisfies Article 21(2)(j) multi-factor authentication requirements. Campaign completion reports serve as direct evidence of Article 21(2)(i) compliance for supervisory authority reviews.
How does the remediation workflow operate after a review campaign?
When a reviewer revokes access, FortisEU executes the remediation through the most efficient available channel. For SCIM-connected applications, revocations are pushed automatically within minutes. For API-connected applications without SCIM, FortisEU triggers API calls to disable access. For applications with no automated connection, a remediation task is created and assigned to the application owner with an SLA deadline. All remediation actions — automated and manual — are tracked in a unified remediation dashboard with completion status, evidence of execution, and time-to-remediate metrics.