Create an access certification
Access certifications let users configure and launch access review campaigns from the Access Reviews module. Each certification defines a set of entities to review (applications, groups, or users), along with the user population, reviewers, data visibility, and remediation actions.
Certifications support one-time and recurring schedules. Users can save a certification as a draft at any step and resume it later.
When to use each review type
Choose the entity type based on what you want to review first.
| Entity type | Use when | Example |
|---|---|---|
| Applications | Reviewing who has access to a specific application | Quarterly Okta review or annual Salesforce certification |
| Groups | Reviewing membership in a specific group | Active Directory group cleanup or Okta group certification |
| Users | Reviewing the access held by specific users across applications or groups | Contractor reviews, post-project cleanup, security response, or access reviews after internal role changes |
Configure certification details
Navigate to Access Reviews in the left sidebar and select Create New Certification in the top-right corner. A three-step configuration wizard opens: Provide Details, Set Up Certification, and Complete Setup.
Steps
- Enter a Certification Name.
- Assign a Certification Owner.
  - Owners must have Owner, Admin, or IT Admin privileges.
- Optionally add a Certification Description. The description field supports rich text and links.
  - For example, link to a knowledge base article with review process guidelines, or attach an access matrix that reviewers can reference while making decisions.
- Select the entity type to review: Applications, Groups, or Users.
  - This selection determines the scoping order in the next step and what the certification reviews.
  - Select Users to review the access held by specific people across applications or groups.
- If you selected Users, choose whether the review relates to Applications or Groups. This determines what the certification reviews for each user.
- Select Next to continue.
Set up the certification
The Set Up Certification step is divided into four sections: Scope Applications/Groups, Scope Users, Set Defaults, and Configure Overrides. The order of the first two sections depends on the entity type you selected.
- Application-based review: scope applications first, then define the users to review within those applications.
- Group-based review: scope groups first, then define the users to review within those groups.
- User-based review: scope users first, then define the applications or groups to review for those users.
The remaining sections (Set Defaults, Configure Overrides, and Validation) follow the same steps regardless of review type.
Scope applications (application-based and user-based reviews)
For application-based reviews, this is the first scoping section. For user-based reviews, this section follows user scoping.
The Scope Applications panel lists the applications included in the certification. Define the scope by selecting applications individually or by criteria.
Steps
- Select applications using one of the following methods.
Add specific applications
Search and select applications by name.
Use this option when you already know which applications are relevant to the review.
Add applications by criteria
Define scope with filters such as application type, category, restricted status, or archive status.
Use this option when you want to review a class of applications instead of selecting each one manually.
- Optionally exclude specific applications or applications matching criteria.
- Select Preview to view the final set of applications included after applying filters.
Scope groups (group-based reviews)
For group-based reviews, this is the first scoping section.
The Scope Groups panel lists the groups included in the certification. Define the scope by selecting groups individually or by criteria.
Steps
- Select groups using one of the following methods.
Add specific groups
Search and select groups by name.
Use this option when you already know which groups are relevant to the review.
Add groups by criteria
Define scope with filters such as group type or category.
Use this option when you want to review a class of groups instead of selecting each one manually.
- Optionally exclude specific groups or groups matching criteria.
- Select Preview to view the final set of groups included after applying filters.
Scope users
For application-based and group-based reviews, this section follows resource scoping and defines which users Zluri includes in the review of those resources. For user-based reviews, this is the first scoping section and defines the people whose access the certification covers.
Steps
- Select users using one of the following methods.
Add specific users
Add users individually by name.
Use this option for small, targeted reviews. For example, review access for a short-term project team or a set of users identified during an investigation.
Add users by criteria
Define a user population with attribute-based criteria. Filters include default attributes such as department, employment status, and location, and account-level attributes such as app roles, licenses, and last login. Multiple criteria can be combined to narrow or expand the scope.
Use this option for larger reviews that target a category of users, such as external employees, service accounts, or region-specific populations.
- Optionally exclude specific users or users matching criteria.
  - For example, include all external users but exclude users in a specific country if another team manages that population.
- Select Preview to verify the number of users included. The preview refreshes as you add or update inclusion and exclusion rules. For user-based certifications, switch between users in the preview to inspect each user's review scope before continuing.
Set defaults
Configure default settings that apply across all selected entities. Setting defaults is optional; individual configurations can be applied later using overrides.
Steps
- Configure Default Reviewers.
Assign reviewers for applications
Select role-based or specific reviewers. Multi-level reviews are supported. Options include App Owner and Reporting Manager.
Assign reviewers for groups
Select role-based or specific reviewers. Options include Reporting Manager and Department Head.
- Configure Data Visibility. Select which columns reviewers see during the review.
Columns include:
| Column | Description |
|---|---|
| App Role | The role assigned to the user in the application |
| License Type | The license assigned to the user |
| Last Login | The date the user last logged in |
| Department | The user's department |
| Employment Status | Whether the user is an employee, contractor, or other type |
Reorder columns to prioritize critical information.
- Configure Default Remediations. Assign playbooks for revoke or modify actions.
  Note: Only global playbooks are available for selection in this step. Application-specific or group-specific playbooks cannot be assigned as defaults. To use a different playbook for a specific entity, configure it as an override in the next step.
  Examples:
  - Deprovision user access
  - Modify access permissions
  - Trigger notifications or tickets
Configure overrides
Override the default configuration for specific applications, groups, or users. Each entity can switch between the default configuration and a custom configuration. Entities with overrides appear marked as Custom.
Steps
- Select the entity to override.
- Override any combination of the following:
| Setting | Description |
|---|---|
| User scope | Narrow the user population for this entity |
| Reviewers | Assign a different reviewer for this entity |
| Data Visibility | Customize which columns reviewers see for this entity |
| Remediation Actions | Override the default playbooks for this entity |
Use overrides when a small number of entities need different handling without splitting the review into separate certifications. For user-based certifications, overrides apply per user. For example, assign a different reviewer for a specific user or narrow the application or group scope for that user's review.
Validate the configuration
Before proceeding to the final step, check the certification for configuration issues.
Steps
- Select Check Invalid Configurations.
- Review the identified issues. Common issues include:
  - Deleted or unpublished remediation playbooks — a playbook assigned as a default or override has been removed or is no longer published. Reassign a valid global playbook to resolve.
  - Inactive or removed reviewers — a reviewer assigned at the default or override level is no longer active. Reassign to an active user or role.
  - Incomplete override configurations — an entity has been switched to Custom but required fields such as reviewers or remediation actions have not been filled in.
- Resolve all issues before continuing.
Complete setup and launch
Steps
- Choose when the certification starts:
  - Start Now: Zluri launches the certification immediately. It appears under Ongoing and Zluri notifies reviewers to begin.
  - Start Later: Schedule for a future date. The certification appears under Upcoming and remains locked until the start date.
Set timelines
- Set the Review End Date, the deadline for reviewers to complete actions.
- Set the Remediation End Date, the deadline for remediation tasks.
Zluri sends automated reminders to reviewers with pending actions before the review end date, and to the certification owner before the remediation end date.
Configure self-review handling
- Select how self-review is handled:
  - Allow Self Review: reviewers can approve or revoke their own records.
  - Auto-Reassign: Zluri reassigns self-review records to another role or user.
- If you selected Auto-Reassign, choose a reassignment option:
| Option | Description |
|---|---|
| Reporting Manager | Reassigns to the user's reporting manager |
| Department Head | Reassigns to the user's department head |
| Certification Owner | Reassigns to the certification owner |
| Fallback Reviewer | Reassigns to a designated fallback reviewer |
| Specific user | Reassigns to a named user |
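The reassignment options above can be checked against directory data before launch. The following is an added example, not Zluri code or its API: the directory, review records, and function names are constructed for illustration. It flags self-review records where the chosen option resolves to nobody or back to the same person, for example a department head reassigned to Department Head.

```python
# Added example: hypothetical data model, not Zluri's API or export format.
# Constructed sample directory (user -> reporting manager, department head).
DIRECTORY = {
    "alice": {"manager": "carol", "dept_head": "carol"},
    "bob": {"manager": "alice", "dept_head": "carol"},
    "carol": {"manager": "dana", "dept_head": "carol"},  # heads her own department
    "dana": {"manager": None, "dept_head": "dana"},      # top of the org chart
}

# Constructed review records: (user under review, application, assigned reviewer).
RECORDS = [
    ("bob", "GitHub", "alice"),
    ("alice", "GitHub", "alice"),      # self-review: alice reviews her own access
    ("carol", "Salesforce", "carol"),
    ("dana", "Okta", "dana"),
]

def resolve(option, user, owner, fallback, named=None):
    """Map one option from the reassignment table to a concrete reviewer."""
    return {
        "Reporting Manager": DIRECTORY[user]["manager"],
        "Department Head": DIRECTORY[user]["dept_head"],
        "Certification Owner": owner,
        "Fallback Reviewer": fallback,
        "Specific user": named,
    }[option]

def plan_reassignment(records, option, owner, fallback, named=None):
    """Return (reassigned, unresolved) lists covering every self-review record."""
    reassigned, unresolved = [], []
    for user, app, reviewer in records:
        if reviewer != user:
            continue  # not a self-review record, leave as assigned
        target = resolve(option, user, owner, fallback, named)
        if target is None or target == user:
            # The option yields no reviewer, or points back at the same person.
            unresolved.append((user, app, target))
        else:
            reassigned.append((user, app, target))
    return reassigned, unresolved

if __name__ == "__main__":
    for option in ("Reporting Manager", "Department Head",
                   "Certification Owner", "Fallback Reviewer"):
        ok, bad = plan_reassignment(RECORDS, option, owner="dana", fallback="erin")
        print(f"{option}: reassigned={ok} unresolved={bad}")
```

Records left in the unresolved list are the ones to handle with an override or a different reassignment option before the certification starts.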
Enable recurring certifications
- Optionally turn on recurring certifications and select a frequency such as monthly or quarterly.
Launch
- Select Create Certification to finalize and launch, or select Save Draft to continue later.
Common scenarios
The scenarios below illustrate how each review type is used in practice.
Application-based certifications
Quarterly SaaS access review
A security or IT team runs a quarterly review of access to a business-critical application such as Salesforce or GitHub. Create an application-based certification, scope the application, define the user population (for example, all active employees), assign the App Owner or a designated reviewer, and schedule it to recur quarterly. This ensures access is validated on a regular cadence without requiring a manual process each time.
Post-integration cleanup
A new application is integrated into the environment and existing users have been provisioned with access as part of the rollout. Create an application-based certification to review who has access, what roles they hold, and whether that access is still appropriate now that the integration is live.
Compliance-driven application certification
An audit or compliance program requires evidence that access to regulated applications such as an HRIS or financial system has been reviewed. Create an application-based certification scoped to those applications, assign reviewers, configure remediations, and export the results as evidence after the review is complete.
Group-based certifications
Active Directory or Okta group cleanup
Groups accumulate members over time as people join projects, change roles, or move teams. Create a group-based certification scoped to stale or high-risk groups, assign the group owner or department head as reviewer, and use the certification to remove members who no longer belong.
Privileged group review
A group grants elevated permissions such as admin access or access to sensitive infrastructure. Create a group-based certification scoped to that group, assign a senior reviewer, and run the certification before a compliance deadline or after a team change to verify that membership is intentional and current.
User-based certifications
Post-project access cleanup
A confidential project ends and a set of users received elevated access to applications such as Slack, Okta, or Google Ads during the project. Create a user-based certification by selecting those users, scoping the applications used during the project, assigning the appropriate reviewer, and launching a single certification. This removes access that is no longer needed after the project closes.
Annual contractor or external user review
A compliance program requires an annual review of contractor or external user access. Create a user-based certification by defining the user population with criteria, excluding users managed by another team if needed, scoping critical applications or groups, assigning reviewers, and scheduling the certification to recur each year.
Security response
A user appears in a security alert or investigation. Create a user-based certification for that user or a group of users, scope sensitive applications or groups, assign the security team as reviewer, and launch the certification quickly. This gives a focused view of the user's access in one place.
Team changes and internal transfers
A team reorganizes or employees move to new roles. Create a user-based certification for the affected users to evaluate the access they still hold from their previous role, project, or business unit. This identifies and removes retained access that is no longer appropriate.