If your joiner-mover-leaver automation or user provisioning runs through IdP or SSO groups in Okta, Microsoft Entra ID, JumpCloud, or Google Workspace, traditional access reviews (typically app-based) may not meet your needs.
The Risk of Not Monitoring Access Granted via SSO Groups
- Privilege Creep: Employees retain memberships from previous roles while acquiring new ones, thereby expanding the attack surface through excessive access. For example, a former engineer moving to sales may have "AWS-Admin" access alongside new "Salesforce-Admin" access.
- Security Risk Exposure: Unused (dormant) accounts remain in groups, creating silent entry points for attackers to access and exploit your sensitive customer and proprietary business data.
- Shadow IT Proliferation: Groups created for temporary projects often linger long after their purpose is served, staying connected to critical applications. This leaves behind unmonitored and unintended access that slips past IT and security teams’ oversight.
- Audit Failure: Regulations such as SOX, HIPAA, and ISO 27001 require proof that every access path has been reviewed. Lack of governance over groups can lead to failed audits, penalties, or rushed remediation under pressure.
These issues cannot be solved through app-based access reviews and require certification campaigns designed specifically for group-based access.
Today, we are excited to share that Group-Based Access Reviews is now live in Zluri! This feature transforms how organizations manage access certifications at scale.
How Zluri Provides Complete SSO Group Governance
To help IT and security teams tackle the aforementioned challenges, Zluri has built group-based access reviews. Let’s look at the key ways it makes the process easier and more effective.
Unified Group Management
Zluri consolidates SSO groups from all your identity providers—Okta, Google Workspace, JumpCloud, and more. Instead of switching between multiple SSO/IdP systems, reviewers get complete context about group memberships, member count, user names, user job title, account type, department, and more in a single, unified view. This provides IT and security teams with comprehensive insights to make informed, data-backed decisions about group access permissions.

Flexible Reviewer Assignment & Fallback Support
Certifications require owners, who are responsible for managing the entire review lifecycle.
Group-based access reviews support role and user-level reviewer assignments. Whether you need reporting managers for team-level decisions, department heads for broader oversight, a specific user to review, or multi-level review chains, Zluri supports all your requirements. Zluri also allows setting up fallback reviewers to prevent delays when primary reviewers are unavailable.
Assign Reviewers by Type

Assign Reviewers by Role

Granular Filtering and Custom Views
Advanced filtering capabilities let reviewers target specific users by account type, department, or custom attributes.
For example, you can filter by "external" account types to focus specifically on contractor access. Customizable column displays allow reviewers to show only the most relevant user attributes while hiding unnecessary information.

Automated Remediation
Reviewers can approve, revoke, or modify group memberships for individual users or through bulk actions. Each decision is captured with timestamps and justifications for complete audit trails. Once reviewers confirm their reviews, Zluri automatically executes changes through deprovisioning playbooks with two remediation options:
- Source-specific app playbooks run actions within the SSO/IdP system where users initially gained access to multiple apps, remediating access to those apps directly at the source level.

- Global playbooks serve as the organizational default and keep remediation consistent across all certifications, so that one policy covers every group and repetitive setup is eliminated.

Automated Scheduling and Reminders
Admins can configure custom review schedules with specific start and end dates, and set up automated recurring certifications with configurable timelines. Reviewers get reminder notifications for on-time certification completion.
Centralized dashboards provide complete oversight of all active certifications, showing ownership details, progress tracking, completion percentages, and timeline views that highlight overdue reviews. Reviewers can click "sign off" to confirm completion, and once all reviewers have signed off, admins can conclude reviews and trigger remediation directly from the interface.

Comprehensive, Real-time Audit Documentation
Upon completion, Zluri allows you to generate detailed reports in CSV or PDF format. The report contains member details, review decisions, timestamps, reviewer information, and remediation actions. This provides complete audit-ready documentation that satisfies regulatory requirements without additional compilation work.

Additional Features That Simplify Access Reviews
Zluri offers additional capabilities that simplify both application and group-level reviews, facilitate scaling, and enhance auditability.
Self-Reviews and Reassignment
Self-reviews enable users to review their own group memberships when appropriate. Sometimes, the group owner is the best reviewer—such as your "Engineering Lead" reviewing the "Engineering" group.
If you don't want to allow self-reviews, you can use auto-reassignment to set who reviews that access when such a case arises. You can route to the reporting manager, department head, certification owner, fallback reviewer, or a specific user. All reassignments are logged for audit purposes.
Enable Self-Reviews

Automatic Reviewer Reassignment

Simplified Cloning and Drafting
Moreover, setting up reviews doesn’t always have to start from scratch. Zluri lets you draft certifications and clone existing ones to create similar setups. Drafts can be saved, edited, archived, or resumed at any time. Cloned certifications can be modified and customized for new scenarios.
And before anything goes live, the system validates the setup—catching missing reviewers or unpublished playbooks so nothing gets stuck.
Draft Certifications for Future Use

Clone Existing Certifications for Quick Setup

Reviewer View
Reviewers have a dedicated view with all the information needed for review decisions. They can see all assigned certifications and review each group's users and memberships.
The platform automatically highlights potential security exposures directly in the UI (inactive accounts, external users, and service users) so attention goes to critical risks first. Reviewers can then revoke access for individual users or remove access in bulk.

How Do Group-Based Access Reviews Work in Zluri?
- Connect sources. Okta, Entra ID, Google Workspace, JumpCloud, and others.
- Create a certification. Pick one or many groups. Cross-directory selection is supported.
- Assign reviewers. Choose primary, multi-level, fallback reviewers, or enable self-reviews.
- Set cadence. One-time or recurring. Add due dates to trigger automatic reminders.
- Review. Approve, revoke, or modify access for a single user or multiple users in bulk.
- Remediate. Playbooks push changes back to SSOs/IdPs and update the access to the connected apps. No manual follow-ups needed.
- Report. Export reports in CSV or PDF format. Store as audit evidence.