Zluri for Zluri: How We Do User Access Review at Zluri

At Zluri, we don’t just develop a User Access Review (UAR) solution for customers—we actively use it ourselves. This hands-on approach keeps us aligned with our customers’ needs, allows us to spot opportunities for improvement, and ensures we maintain our security and compliance standards.

As part of this process, we routinely review user access for applications that handle sensitive data, from identity providers (IDPs) and HR systems to finance apps and CRMs. To showcase how we automate these reviews at Zluri, we’ll use Salesforce as a practical example in this article.

Why User Access Reviews Matter for Zluri

Like most IT and security teams, we need to ensure that the right people have the right level of access to the right tool at the right time. This is the core problem we are solving in the identity governance and administration (IGA) space.

  • Meeting Regulatory Requirements. We comply with SOC 2, ISO 27001, GDPR, PCI-DSS, NIST, and more. These frameworks mandate regular access reviews to prove that only authorized individuals have access to sensitive information.
  • Ensuring Least-Privilege Access. We treat security with utmost importance. Regular reviews help maintain least-privilege access, safeguarding sensitive employee, customer, and partner data.
  • Optimizing License Costs. A side benefit of access reviews is that we can revoke unused licenses, freeing up budget that would otherwise go toward purchasing additional licenses for new users.

Before we show what our Salesforce access reviews look like, let's give you an overview of the UAR process.

The Access Review Process at a Glance

If you’re new to UAR, here’s a quick overview of the typical steps:

  1. Data Collection: Gather who has access to each app and their respective roles.
  2. Conduct Review: Validate the collected data and decide whether access should be approved or revoked.
  3. Remediation: Remove or modify access for users who no longer need it.
  4. Reporting: Compile an audit-ready report to satisfy internal policies and external auditors.

Without a tool like Zluri, these steps are usually manual and time-consuming, involving email exchanges and spreadsheets. Zluri automates and centralizes these tasks, making regular reviews manageable.

Access Reviews in Zluri: Step-by-Step Guide

Salesforce is our CRM of choice at Zluri, storing sensitive customer information and enabling our customer service operations. 

Here is a video on how we manage Salesforce access reviews with Zluri.

Here are the steps in brief:

1. Auto-discovery of user access & roles

Zluri integrates directly with Salesforce, continuously tracking and mapping user access. It shows us:

  • Who has access
  • Which roles they hold
  • When they last accessed the app

2. Creating a Certification

The basic steps in the creation of an Access Review Campaign are:

  • Name the certification (e.g., “ISO 27001 Audit”).
  • Select the Certification Owner (the person responsible for the overall review).
  • Define Reviewers (they can be department heads, app owners, etc.). Multiple levels of review are supported (L1, L2, L3); each level can override previous decisions if needed.
  • Add Applications to be included in the certification (e.g., Salesforce, Zoom, Zendesk, etc.).
  • Select Users to be reviewed (all users in that application, or filtered by department, title, or other attributes).
  • Select Data Points / Columns to display (job title, department, manager, license type, etc.). Custom fields from the SaaS app or HRMS can also be added.
  • Define Actions on Approval / Revocation / Modification (e.g., trigger a playbook to revoke a user or downgrade license).
  • Set Review Dates (start and end date) and Remediation Dates (when changes kick in).
  • Set Recurrence for periodic reviews (monthly, quarterly, yearly, etc.).

3. Reviewing User Access

The reviewers receive notifications (Slack, Email, etc.) prompting them to complete the review. 

During the review:

  • Reviewers can see insights like “inactive users,” “external users,” “orphaned accounts,” and “privileged users” to accelerate bulk decisions.
  • Bulk actions let reviewers Approve, Revoke, or Modify multiple user accounts at once.
  • Comments are mandatory if a reviewer chooses to Revoke or Modify.
  • Delegation is supported: reviewers can assign their review tasks to someone else if needed.
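To make the insight labels above concrete, here is an added example (not Zluri's code or API) that derives them from an app's user export joined with an HR roster. The 90-day threshold, company domain, privileged role name, the definition of each label, and all sample records are assumptions constructed for illustration.

```python
from datetime import date

# Assumed policy values; the article does not define thresholds for its insight labels.
INACTIVE_AFTER_DAYS = 90
COMPANY_DOMAIN = "example.com"
PRIVILEGED_ROLES = {"System Administrator"}

# Constructed app export: who has access, which role, last access date.
APP_USERS = [
    {"email": "ana@example.com", "role": "Standard User", "last_login": date(2025, 5, 28)},
    {"email": "raj@example.com", "role": "System Administrator", "last_login": date(2025, 1, 10)},
    {"email": "li@example.com", "role": "Standard User", "last_login": None},
    {"email": "sam@partner.test", "role": "Standard User", "last_login": date(2025, 5, 30)},
]
# Constructed HR roster: email -> employment status.
HR_ROSTER = {"ana@example.com": "active", "raj@example.com": "active", "li@example.com": "terminated"}


def review_flags(user, roster, today):
    """Return the sorted insight labels that apply to one app account."""
    flags = set()
    email = user["email"].lower()
    if not email.endswith("@" + COMPANY_DOMAIN):
        flags.add("external")
    elif roster.get(email) != "active":
        # Internal address with no active employee behind it.
        flags.add("orphaned")
    last = user["last_login"]
    # A never-used account counts as inactive rather than being skipped.
    if last is None or (today - last).days > INACTIVE_AFTER_DAYS:
        flags.add("inactive")
    if user["role"] in PRIVILEGED_ROLES:
        flags.add("privileged")
    return sorted(flags)


def build_review_queue(users, roster, today):
    """Map each flagged account to its labels; unflagged accounts are omitted."""
    flagged = ((u["email"], review_flags(u, roster, today)) for u in users)
    return {email: flags for email, flags in flagged if flags}


if __name__ == "__main__":
    for email, flags in build_review_queue(APP_USERS, HR_ROSTER, date(2025, 6, 1)).items():
        print(email, flags)
```

Accounts carrying more than one label, such as an inactive privileged account, are the ones a reviewer would typically want at the top of a bulk-revoke list.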

4. Closed-loop Remediation

Once a decision (e.g., revoke or modify) is recorded, Zluri automatically triggers the relevant playbook—removing or modifying the user’s access to that application.

If the decision is “Approve,” no action is taken; the user’s existing access remains.

5. Completion & Reporting

The final PDF report includes audit details (who reviewed, timestamps, actions taken, comments). Logs are also visible in the platform for deeper auditing.

These reports are audit-ready, and you can share them directly with your auditors.

Automate UAR with Zluri

By actively using our own tool, we ensure Zluri’s UAR product meets our customers' actual requirements. We’re committed to helping mid-size enterprises maintain compliance and secure sensitive data through automated access reviews.

If you’d like to learn more—or if you need help implementing automated UAR at your organization—feel free to get in touch. We’re here to help you streamline and secure your user access review process.

Ready to Automate User Access Reviews?

Schedule a Demo with us today to see how Zluri can transform your access review process.
