Article 10: Outcomes & Automated Remediation
The decision options
When a reviewer makes a decision on an account, they choose from the outcome options configured for the campaign. The exact labels depend on how your admin set up the campaign, but they map to one of these underlying types:
Underlying type | What it means |
|---|---|
Appropriate / Compliant / Required | Access is correct — keep it |
Not Appropriate / Non-Compliant / Not Required | Access should be removed |
Out of Scope | This account isn't part of this review |
Already Removed | Access was manually removed before the review completed |
Adjust Entitlements | Keep the account, but change the specific permissions |
What happens when access is marked as not appropriate
For accounts marked as not appropriate (or the equivalent label in your campaign), Ploy triggers a remediation action once the account set is approved by an admin. The action depends on how the campaign outcome was configured:
Deprovision
Ploy automatically removes access through its provisioning integration with the app. This requires a live SCIM or provisioning connection between Ploy and the relevant application.
When deprovision succeeds, the account is removed from the app and the review record is updated.
Adjust Entitlements
Ploy creates a task for the relevant team to manually update the employee's permissions in the app. This is used when the employee should keep some access but their specific roles or permission levels need to change. The assigned person receives a notification with the details of what needs adjusting.
Mark as Removed (manual)
No automated action is taken — the record is updated to indicate the access should be treated as removed. Use this when access has already been manually cleaned up outside of Ploy, or when the app doesn't have a provisioning integration.
Remediation tracking
Every account that requires remediation has a tracked status:
Status | What it means |
|---|---|
In Progress | Remediation has been triggered and is being processed |
Complete | Access has been successfully removed or adjusted |
Failed | The remediation action encountered an error |
You can view the remediation status for every account in the cycle detail view in the admin dashboard, under the Tasks section.
Remediation deadlines
Each cycle has a remediation window — a number of days from the approval date by which remediation must be complete. The default is 7 days, but this can be configured per campaign.
The remediation due date for each account is calculated from when the account set was approved, not when the cycle started.
What to do if remediation fails
If an automated deprovision fails — for example, because the app's integration is down, a connection has lapsed, or the account was already removed — the failure is logged against the account record with the error details.
Failed remediations:
Show as Failed in the remediation status
Include an error log that admins can view from the account detail
Do not automatically retry — an admin needs to investigate and act
Steps when remediation fails:
Check the error detail on the account (available in the cycle detail view)
Confirm whether access was actually removed manually in the app itself
If removed: mark the account as removed in Ploy to close the record
If not removed: fix the underlying integration issue and re-trigger, or remove access manually and update the record
Entitlement adjustments
When a reviewer marks an account as "Adjust Entitlements," they flag which specific entitlements or roles need to change. Ploy creates an assigned task for the appropriate person to carry out the change manually in the app.
When the task is completed, the assignee marks it as done in Ploy, which:
Updates the remediation status to Complete
Archives the flagged entitlements from the review record
Records who completed the adjustment and when
This creates a full trail: reviewer flagged it → assignee actioned it → record confirms it.