What an access review covers
When you run an access review, you look at three areas:- Admin role assignments — which admins have which roles, and whether any sensitive permissions (billing, payroll export, confidential documents, role management, destructive settings) are assigned to the right people.
- Employee app access — which employees have self-service sections enabled, with particular attention to people who are terminated, inactive, on leave, seasonal, or in a pending state.
- Pending access requests — any outstanding requests created by external identity or sign-in flows that still need admin review before access is granted or denied.
Access review is a customer-controlled workflow. Yrka surfaces the current state of your roles and access; it does not make automatic recommendations about who should or should not have access. The decisions are yours.
When to run access reviews
- Before launch — complete a sign-off during the setup process to confirm access is correct before your team starts using Yrka.
- After major staffing changes — when people join, leave, change roles, or go on extended leave, re-run the review to confirm access matches their current status.
- On a regular cadence — most organizations run access reviews quarterly or after significant organizational changes, though your cadence should match your own operational and compliance requirements.
How to run an access review
1
Open the access review surface
You can start an access review from three places:
- The setup access-review step in the onboarding checklist (for pre-launch sign-off)
- The access-review card in Reports
- The security area in Settings
2
Review admin role assignments
Check each admin’s current role against their job responsibilities. Pay particular attention to sensitive permissions: billing, payroll export, confidential documents, role management, employee access grants, and destructive settings. If a role is broader than the person’s current work requires, this is the time to narrow it.
3
Review employee app access
Look at which employees have self-service sections enabled. Flag anyone who is terminated, inactive, on seasonal leave, or in a pending state — these employees may not need continued app access. An employee can appear in Personnel without having active app access, so check both the directory and the access flag.
4
Check pending access requests
If your organization uses external sign-in or identity flows, there may be pending access requests waiting for admin review. Check these and approve or deny each one based on the person’s current relationship with your organization.
5
Record sign-off
When access is in an acceptable state, record your sign-off. The sign-off is logged as audit evidence and updates the access-review status visible in Reports.
6
Create follow-up tasks
If you identify issues you cannot resolve immediately — a role that needs restructuring, a pending access request that needs more information, or a terminated employee whose data needs review — create follow-up tasks so the work is tracked and assigned.
What the access review report shows
After completing a review, the Reports access-review card reflects:- The date and identity of the last sign-off
- Whether any follow-up tasks were created and are still open
- The current set of active admin role definitions and their permission configuration
- Employees with self-service access enabled, grouped by status where supported
- Any pending request-capable grants from external identity flows