The three requirements you've described — custom reviewer routing beyond manager relationships, permission descriptions that give reviewers actual context, and multi-app consolidation into a single reviewer session — are the right requirements. They're also the specific capabilities where most UAR tools fall short of their marketing claims.
The stitchflowj comment in this thread identified the real problem precisely: if you don't solve the context and prioritization problem well, the review becomes a rubber-stamp exercise where reviewers bulk-approve everything because they're overwhelmed and don't understand what they're approving. The approval workflow mechanics are relatively easy; getting the right information to the right reviewer at the right granularity is what separates useful access reviews from compliance theater.
The Core Challenge: Context, Not Workflow
Most UAR tools are built around the workflow layer — scheduling campaigns, routing tasks, capturing decisions, generating reports. That part is table stakes and increasingly commoditized.
The harder problem is what Complete-Regular-953 (a 2-year Zluri user in this thread) identified as the "context of why": reviewers need to know whether a user actually needs access now, and that requires data — usage frequency, last login date, whether the account is dormant, whether the user's role has changed since access was granted. Without that data, managers are making decisions blind and will default to approve rather than risk disrupting someone's workflow.
The secondary context problem is permission descriptions. If a reviewer sees "Salesforce System Administrator" with no further context, they don't know whether to be alarmed or indifferent. If they see a description explaining that this role includes read/write access to all customer records, contract data, and reporting tools — and that it's flagged as privileged — they have the information to make a judgment rather than a guess.
Custom Reviewer Routing: How It Should Work
Manager-only routing misses two categories: technical reviewers who understand what permissions actually mean, and business reviewers who aren't the direct manager but have accountability for the resource.
The routing model that addresses this:
Primary reviewer by role. Rather than defaulting to the reporting manager, route reviews to designated stakeholders based on the resource being reviewed. Application owners — the person accountable for the application from a business or technical perspective — are better positioned than the reporting manager to evaluate whether a specific Salesforce permission level is appropriate. IT owners can evaluate whether an AD group membership represents a security concern.
User group routing. For reviews that should go to a security or compliance team rather than an individual owner, routing to a user group (a "Security Reviewers" group synced from your IdP) allows any member of the group to take action rather than creating a single point of failure on one person's availability.
Fallback logic. UAR campaigns fail or produce incomplete evidence when reviewers are unavailable — on leave, departed, or simply unresponsive. Fallback routing to a designated backup or the certification owner prevents campaigns from stalling while maintaining the audit trail.
Self-review prevention. Compliance frameworks consistently flag self-certification as a control weakness. The tool should either prevent a user from being assigned to certify their own access or automatically reassign to the fallback reviewer when a self-review is detected.
In Zluri's implementation, these routing options are configurable per certification campaign: you can assign by App Owner, IT Owner, Finance Owner, specific named user, or user group — with fallback logic for each.
Permission Descriptions: What Reviewers Need to Know
The "providing clear permission descriptions/tooltips" requirement is technically harder than it sounds because it depends on how the target application exposes role metadata through its API.
The Cortex analysis from real deployments across 50 common integrations is worth knowing: only about 15 provided the full set of role metadata needed for a comprehensive review. For the rest, you either rely on manual CSV uploads, group-to-role mapping (inferring permissions from SSO group membership), or manual description entry.
What a well-implemented permission context layer provides:
Human-readable description of what the role does. Not the API name or technical identifier, but a plain-language explanation of what the permission enables — "can create, read, update, and delete customer records" rather than "SFDC_FullAccess_User."
Privileged flag. A clear indicator that this role carries elevated risk — admin access, write access to sensitive data, or permissions that could be exploited in a breach — gives reviewers a prioritization signal rather than treating all access as equivalent risk.
Usage data alongside the permission. Showing that a user with Admin access hasn't logged in for 90 days is more actionable than showing the access in isolation. The context that should inform "should this person have this access" includes whether they're actually using it.
For applications where the API doesn't surface role metadata, the practical workaround is either building a manual description library for the most common roles or using SSO group membership as a proxy — if the group controls the role, reviewing group membership effectively reviews the role.
Multi-App Consolidation: One Session, All Decisions
The "combining reviews from multiple apps into one session" requirement is about reviewer experience, not just administrative convenience. If a manager receives 8 separate review emails for 8 different applications covering the same 15 employees, they'll either complete them inconsistently or not complete them at all. A single consolidated session where they see all access for their direct reports across every application in scope dramatically reduces completion friction.
Zluri's multi-app certification campaign allows administrators to group multiple applications — Salesforce, Zendesk, AD, Okta-managed apps — into a single campaign. When a reviewer logs into the portal, they see all assigned records across those applications in one interface, make decisions in one session, and submit once. The output is a single campaign report covering all applications rather than separate reports per application.
One implementation detail worth anticipating: if automated remediation is configured and you have 100 revocations across multiple applications, some platforms will generate 100 individual ITSM tickets rather than consolidating them. Look for bulk consolidation options that create one ticket per application or per fulfillment team rather than one per revocation — this prevents overwhelming IT support with a ticket flood after each campaign.
JIT vs. Periodic Reviews: Both Have a Role
JIT access — where access is requested with context about the specific task, time-limited, and automatically expired — addresses a different security problem than periodic certification. JIT prevents standing access from accumulating in the first place. Periodic certification addresses the access that already exists from previous grants, role changes, or onboarding decisions.
SOX, for example, requires quarterly certifications regardless of whether JIT controls are in place, because the compliance requirement is to demonstrate periodic review of who has access, not just to control how new access is granted. The two approaches address complementary problems rather than competing ones.
For high-risk, high-frequency access to production infrastructure, JIT (CyberArk, Opal, Hoop.dev) is the right architectural choice. For the broader access landscape — SaaS applications, AD group memberships, shared drive access — periodic certification with good context and reviewer routing is what satisfies compliance requirements.
Platform Selection Criteria for Your Evaluation
Verify connector depth for your specific applications. Salesforce and AD are well-supported by most IGA platforms. Verify that the platform pulls role/permission metadata from Salesforce's API (not just application-level access), and that AD group memberships are surfaced at the level of granularity your AD security groups represent.
Test the reviewer UX before committing. The actual experience of a non-technical manager completing a review is what determines completion rates and rubber-stamping rates. Request a test run with a non-technical internal stakeholder before finalizing selection.
Understand the remediation model. Some platforms create ITSM tickets for all revocations; others execute them directly via API. For applications where you want immediate revocation without IT intervention, direct API execution is necessary.
Budget at least two months for first-cycle setup. Real-world experience suggests this is the realistic timeline for setting up a first UAR cycle properly: gathering application data, configuring reviewer routing, validating role metadata, and running a test campaign before the compliance-facing cycle.
Frequently Asked Questions
What are the most important features for automated user access reviews across multiple apps?
The highest-value features are: custom reviewer routing beyond manager relationships (by application owner, user group, or fallback logic), permission context that shows reviewers what a role actually does rather than just its technical name, usage data alongside access records so reviewers can evaluate dormant or over-provisioned access, multi-app consolidation into a single reviewer session, and automated remediation that executes revocations via API rather than just creating ITSM tickets.
What is the difference between periodic access reviews and Just-in-Time access?
Periodic access reviews (certifications) address existing access — they're a retrospective process that verifies current access is still appropriate on a scheduled cadence. JIT access addresses new access requests — it grants time-limited, context-specific access rather than standing permissions. Compliance frameworks like SOX require periodic certifications regardless of JIT controls because the requirement is to demonstrate that existing access has been reviewed, not just that new access is controlled. Both serve different security and compliance functions.
How do you prevent rubber-stamping in access review campaigns?
The core countermeasures are: surfacing usage data (last login, activity frequency) alongside the access record so reviewers have a basis for decision rather than guessing, providing human-readable permission descriptions so reviewers understand what they're approving, risk-flagging privileged access so it receives proportional scrutiny, keeping review scope manageable by prioritizing stale and high-risk accounts rather than reviewing everything at once, and routing reviews to the person with actual context rather than defaulting to one reviewer type for everything.
Is SailPoint or Saviynt right for mid-market access review requirements?
SailPoint and Saviynt are enterprise IGA platforms with deep access review capabilities, but with corresponding implementation complexity and cost. For fewer than 5,000 FTE, modern IGA platforms (Zluri, Lumos, Zilla, SecurEnds) typically offer faster deployment, lower maintenance overhead, and competitive access review capability without the enterprise implementation investment. For organizations with complex on-premises systems, regulated industry requirements, or very large user populations, the enterprise platforms may be justified.
.svg)
