Annual Access Review in IDAC
The access review is KI’s yearly check of permissions that have been manually approved in IDAC. The purpose is to ensure that every access right is up to date, justified and approved – and that only authorised individuals have access to KI’s systems and resources.
What is an access review?
An access review in IDAC is a systematic examination of permissions that have been manually assigned in addition to the employee’s regular organisational role.
These permissions are called explicitly approved and are characterised by the following:
- the employee, manager or IDAC administrator has applied for the permission, and
- the permission has been approved before it is activated.
The review ensures that each permission is still relevant, accurate and has a valid reason to remain active – especially in cases of changes in role, assignment or organisational affiliation.
Why is it needed?
The annual review is important in order to:
- ensure that employees have correct and necessary permissions over time,
- identify permissions that are no longer needed,
- maintain KI’s requirements for information security and compliance with laws and regulations,
- reduce the risk of unauthorised access.
Who carries out the review?
Depending on the system, the review is carried out by the manager and/or the resource owner:
- Manager – responsible for a specific resource for which the manager has been designated as the responsible party.
- Resource Owner – responsible for a specific system or resource. If there are several resource owners (primary owner and co-owners), they receive the same access review.
The review is conducted once per year and may be divided into rounds if there are many permissions. The resource owner/manager receives an automated email from IDAC when it is time to act on an access review.
When does the review take place?
The access review is carried out once per year, in spring or autumn, based on the agreement established when the system was connected to IDAC.
How it works
1. You receive an email from IDAC
As the responsible party (resource owner, manager or appointed responsible person), you receive an email with a link that takes you to IDAC, where you will find a summary of the permissions you are responsible for.
If there are several resource owners (primary and co-owners), all will receive the same email with a link to the same access review. In such cases, you must agree among yourselves on who will handle which parts of the review.
2. Review
Check that each permission is current, justified and correct.
If you have many permissions to process, you can edit multiple items or rows at once.
You may also save your completed reviews so you can make decisions at a later time.
3. Decide
Approve or reject assigned permissions directly in IDAC. If you reject a permission, you should provide a brief explanation in the Comments (Action comment) field, as this will be shown to the recipient in the email generated after the decision.
Good to know
- At present, only the user can extend their own permissions in IDAC, via the “Extend Access” service. Read more on the IDAC for staff page.
- Resource owners automatically receive access to their resource/group. More information can be found on the IDAC for resource owners page.
If you receive an access review on unknown resources
If, as a manager, you receive an access review on resources such as project folders or applications, and you do not know what it concerns, it may be because the previous owner was one of your employees.
If the employee has not transferred ownership to anyone else, responsibility has automatically passed to you as their immediate manager. If this happens, you, as the resource owner, need to investigate together with those concerned to determine who should be responsible.
A glossary with relevant terms
Authorization:
The process of deciding and controlling which users are allowed to access specific systems, resources or functions.
Attestation / Approval:
The process in which a resource owner or manager reviews and decides whether a requested permission should be granted.
Permission:
A right that gives a user access to a system, a resource, or a function.
Access Request:
A formal request for access to a specific permission in IDAC.
Compliance:
Ensuring that permissions and access comply with KI’s guidelines, rules, laws, and security requirements.
IDAC:
KI’s platform for identity and access management.
IDAC Administrator:
A person with extended rights to manage users and permissions in IDAC.
Implicit Permission / Implicit Assignment:
A permission that is assigned automatically, for example because it is included within another permission or based on the user’s organisational identity.
Organisational Affiliation:
The institution, unit, or organisational role a user belongs to – often determines which automatic permissions are granted.
Resource:
An object in IDAC to which permissions can be assigned – for example a system, role, group, or function.
Resource Owner:
A person responsible for a resource and for approving or rejecting access requests to it.
Role:
A defined access profile containing a set of permissions, often assigned based on function or work duties.
Role Package:
A collection of multiple permissions assigned together.
End Date / Validity Period:
The point in time when a permission automatically expires unless extended.
System Owner / Requester:
A person who sets overarching directives for how permissions to a system should be handled in IDAC.
Explicitly Approved:
A permission that is assigned manually and intentionally to an employee based on a specific need, task, or role. The employee, manager, or IDAC administrator applies for the permission, and it must be approved by the resource owner or manager before becoming active.
