Defining scope in an access review
Defining the scope of an access review determines which access is reviewed and who reviews it. A well-defined scope ensures reviews are actionable and enforceable.
What scope controls
Scope configuration determines:
Which resources and users are included in the review
Who is assigned as the reviewer
How access is removed when denied
Defining what is reviewed
Use filters to specify which resources are included. For example:
Resource → Managed app
Operator → Equals
Value → Enabled
This configuration includes only applications managed by Ploy that are currently enabled. Unmanaged or disabled resources are excluded automatically.
Use managed resources to ensure review decisions can be enforced automatically.
Assigning reviewers
Choose who reviews the access based on your organizational structure. Common options include:
Resource owner — Each application is reviewed by its assigned owner
Multiple reviewers — Assign joint owners or add oversight for high-risk systems
Resource owner assignment scales automatically as applications are added.
Deprovisioning strategy
You must configure how Ploy removes access when a reviewer denies it. If no strategy exists, Ploy prompts you to configure one before continuing.
Available strategies:
Automatic (recommended) — Access is removed automatically via SCIM or API integration
Create ticket — Creates a Jira ticket for manual removal
Add/Remove tag — Uses tags to trigger downstream automation
Manual task — Assigns a manual task as a fallback if automatic deprovisioning fails
The deprovisioning configuration creates a managed access policy with the minimum settings needed for enforcement. You can modify it later.
Best practices
Assign resource owners to scale responsibility naturally
Prefer automatic deprovisioning for enforceability
Use multiple reviewers only where necessary
Review deprovisioning strategies regularly