Access Reviews

Article 7: Completing a Review — Reviewer Guide

This article is written for reviewers — the people who are assigned accounts to certify during an access review cycle. If you're a Ploy admin setting up or overseeing reviews, see the articles on creating campaigns and the approval workflow.


How you access your review

When you're assigned to a review, Ploy notifies you by email or Slack (depending on your organisation's notification settings). The notification includes a link directly to your review in the Ploy employee portal.

The portal is a separate, dedicated app for employees and reviewers — it's different from the main Ploy admin dashboard. Your organisation's portal lives at its own unique subdomain address, which is the address your notification link points to.

If you've previously logged into the portal, you may already have an active session. If not, clicking the link will take you through a quick magic-link login — no password required.


Finding your assigned review

Once you're logged in to the portal, navigate to Access Reviews. You'll see a list of campaigns you currently have active reviews in. Each campaign card shows:

  • The campaign name and description

  • The review due date

  • How many accounts are assigned to you and how many you've completed

Click into a campaign to see your full list of accounts to review.


What you'll see for each account

For every account assigned to you, Ploy displays:

  • Employee details — name, email, department, job title (snapshotted at the time the review was created)

  • Application — which app or resource is being reviewed

  • Access level / role — what role the employee holds in that app

  • Entitlements — the specific permissions or groups they're assigned within the app (where available)

  • Last accessed — when the employee last actively used this account (where usage data is available)

  • Access granted — when the employee was first given this access

  • Luna's recommendation — Ploy's AI suggestion for this account (see Article 8: Luna AI Suggestions)

This context is there to help you make an informed decision. If you're unsure about any of it, you can also view the employee's full access history in Ploy.


Making a decision

For each account, you select one of the outcome options configured for your campaign. The exact options depend on how your admin set up the campaign, but typically they include:

Appropriate / Required / Compliant

Select this if the employee should keep this access as-is. This closes the review for this account with no further action.

Not Appropriate / Not Required / Non-Compliant

Select this if the employee should not have this access. When you select this and submit, Ploy will trigger a remediation action (removing access automatically or creating a task for manual removal, depending on the app's configuration). You may be asked to add a note explaining your decision. This note becomes part of the audit record.

Adjust Entitlements

Select this if the employee should keep access to the app, but their specific permissions need to change (e.g. they should move from admin to read-only). This opens an entitlement editing panel where you can flag the specific permissions to be changed.

Out of Scope

Select this if the account isn't relevant to this particular review (e.g. it's a shared service account, it belongs to a contractor who operates under different rules, or it's an account you don't have the context to review). You'll be asked to provide a reason.


Adding notes

You can add a free-text note to any decision. Notes are visible to the admin who approves the review and become part of the audit record. They're particularly useful when:

  • Your decision isn't straightforward and you want to explain your reasoning

  • You're flagging something for the admin's attention

  • The outcome is "out of scope" (a reason is typically required)


Uploading evidence

If you have supporting documentation for your decisions — access logs, usage reports, screenshots, approval emails — you can attach these as evidence to the review. Evidence files are uploaded at the review level (not per-account), so one set of evidence covers all the accounts in your assigned set.

To upload evidence:

  1. Open the review in the portal

  2. Click Evidence or the evidence upload option

  3. Drag and drop files or browse to select them (PDF, Excel, images, and other common formats are supported; maximum 50 MB per file)

Evidence appears in the review record and is available to the approving admin and to auditors.


Working through accounts in bulk

If you have a large number of accounts to review and many of them have the same outcome (e.g. a long list of accounts you've verified are all appropriate), you can select multiple accounts and apply a decision in bulk using the floating action bar at the bottom of the screen.

Select the checkboxes next to the accounts you want to act on, choose your outcome from the action bar, and confirm.

Luna's recommendations can also help you work through routine approvals faster (see Article 8).


Submitting your review

Once you've made a decision on all accounts in your assigned set, a Submit button becomes available. Submitting sends your completed decisions to the admin for approval.

After submission:

  • The account set status changes to Submitted

  • The admin is notified that your review is ready for their approval

  • Your decisions are locked — you can no longer change them unless the admin sends the review back to you

Important: You must submit your review before the due date shown on the campaign. If you miss the deadline, the admin will be notified and may send you a reminder.


If your review is sent back for revision

If the admin reviewing your submission has questions or wants you to reconsider a decision, they can send your account set back to you with a revision message. You'll receive a notification, and the review will reappear in your portal with the admin's comments.

Review the revision message, update your decisions as needed, and resubmit.


What happens after you submit

Once the admin approves your submitted account set:

  • Any accounts you marked as "not appropriate" will have their access removed (automatically or via a manual task, depending on the app)

  • Any entitlement adjustments you flagged will be actioned

  • A compliance certificate is generated for the review

  • Your decisions, notes, and evidence become part of the permanent audit record

You'll receive a notification when the review is fully complete and approved.
