Performing User Access Reviews Quickly & Efficiently.


Common in many companies, various teams with differing philosophies installed the customer’s 25 enterprise applications over the last ten years. This disjointed approach has resulted in an application landscape with 5-10 unique user identifiers that may not be consistent with each other. Additionally, active directory manages some of the applications and other applications utilize local accounts.

The company’s HR system only includes full-time employees and less than 25% of active contractors. The existing HR configuration means part-time employees and 75% of the contractors are not assigned a universal identifier, making user access reviews complicated.

Compiling the information and running the correlations for the user access report takes the company weeks to complete. After the report is complete, the IT team must wait for all the managers to respond before remediating any findings. The responses often take weeks or months to collect.

Company Profile

Since the company is responsible for over 750 websites, they face regulatory requirements to perform user access reviews on a semi-annual basis. The purpose of these reviews is to ensure that employees do not have inappropriate access.

Company Profile

Since the company is responsible for over 750 websites, they face regulatory requirements to perform user access reviews on a semi-annual basis. The purpose of these reviews is to ensure that employees do not have inappropriate access.

Clarity Security’s Solution

The customer’s goal is to speed up the time it takes to complete a user access review without compromising accuracy.

Once ratified during the onboarding process, these policies will automatically provision accounts based on a user’s position in the company. Access is not granted on a user-by-user basis but through a role-based system. This approach removes the dependency on managers’ in-depth understanding of the enterprise application landscape and knowing all their employee’s access points. With Clarity Security, managers only need to verify that their employees are still employed and have the correct title.

Our manager portal caters to the non-IT professionals by presenting the users and information for manager review in a simple-to-understand format. Once the managers review the items, their change submissions trigger the remediation activities automatically.

The Results

Non-Personal Data

Before Clarity Security, the company’s user access review cycle was a 6-week process twice a year. The effort includes running reports, generating spreadsheets, and performing hundreds of correlation searches – all taking anywhere from 40 to 80 hours to complete.

With Clarity Security, the 40 to 80 hours compresses into a 5-minute effort consisting of logging into the portal and clicking “Initiate User Access Review.” Managers are then immediately notified, and their responses and changes are tracked and maintained within our system.

Review & Remediation

Without Clarity Security, the IT team would need to contact all of the managers after the user access report is generated and compile their responses into a master spreadsheet. Once all responses were received, tickets were created with the respective teams to disable or correct access with an SLA of 14 days. Ticket-based remediation means that ticket submission occurs after the full user review is complete. Each application requires a remediation ticket.

After implementing Clarity Security, managers can log into their portal to see the items they need to review. As the managers log their responses, corrective actions (adding and removing access) occur in real-time. This approach eliminates the time to remediate and allows the IT teams to focus on other initiatives.

Reducing Costs by Identifying Orphaned Accounts


This company faces a familiar problem for many organizations. While there may be HR procedures for terminating an employee, the other departments are often disjointed and are not a part of the formal termination procedure. This means any applications that are not centrally managed begin to accumulate a wealth of former employees. When coupled with contractors and temp employees not being managed through the HR system, the number of accounts that stay active post departure gets out of hand quickly.

Due to the subscription model many SaaS apps use, these accounts incur unnecessary license costs the moment employees leave the company.

Company Profile

The Digital Marketing Company has faced rapid growth, resulting in the expansion of departments and new employees. In turn, new applications and tools are onboarded across the organization.

Key Challenge

The company has found hundreds of active application accounts for terminated employees. Due to SaaS subscription models, the company has unknowingly been paying for these users even though the accounts are unused.

Clarity Security’s Solution

Clarity Security provides instantaneous proof of value through our Identity Unification™ process. Once the APIs and Webhooks are established into the enterprise applications and HR system, we automatically begin to match the accounts using proprietary mapping algorithms. After the algorithms complete (less than an hour), a report is prepared for administrators that outlines every instance where:

  • Unique usernames appear

  • An account has not been logged into in 30 days

  • A username appears in a handful of applications but none of the directory services

As administrators review the findings, they can act immediately by deprovisioning the accounts directly from our portal.

The Results

The Digital Marketing Company’s IT team speculated that there were 200 active user accounts associated with employees no longer with the company. After completing Identity Unification™, we identified 350 active user accounts in AD, all of which were no longer employed by the company. After deprovisioning these accounts, we were able to free up 10% of their IT license spend.

The Digital Marketing Company has successfully freed up 10% of their IT license spend by eliminating orphaned accounts.