Structured Attestations and Policy-Driven Access Decisions
13th March, 2026
Attestation Sets help teams capture structured, audit-ready reasoning during access reviews, while Access Approval Policies automate access decisions and routing using configurable rules. Together, these features reduce manual work, standardize decisions, and improve audit readiness across identity governance processes.
Attestation Sets allow organizations to define standardized questions that reviewers must answer when approving or denying access during a User Access Review (UAR) campaign. These responses capture reviewer intent and due diligence in a structured format and are permanently stored with the review action for audit and reporting.
What’s new:
Structured attestations during reviews: Risk Managers and Administrators can create reusable sets of questions that reviewers must answer before approving or denying access. Supported question types include yes/no, dropdowns, multi-select options, and text responses. These can be attached to review campaigns, and submitted attestations are immutable and tied directly to the reviewer action for an audit-grade record of reviewer decisions.
Built-in reporting and response summaries: Risk Managers and Admins can review aggregated attestation responses from the campaign summary, including per-question breakdowns and response distributions linked to approve or deny outcomes.

Policies allow administrators to automate access decisions and reviewer routing using configurable rules. Policies evaluate requests against defined conditions and automatically apply the appropriate action.
What’s new:
Automated approvals and denials: Policies can automatically approve low-risk access requests or deny restricted access based on attributes such as user role, department, or entitlement.
Automatic reviewer assignment: Requests can be routed to a specific reviewer or approval group when policy conditions match, ensuring consistent ownership and predictable workflows.
Ordered policy evaluation: Policies evaluate clauses from top to bottom, with the first matching rule determining the outcome. This allows teams to implement precise governance logic.
Transparent and auditable policy actions: When a policy triggers an action, BalkanID records the policy and rule responsible in the workflow history and audit logs.
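The following sketch of first-match evaluation is an added illustration, not BalkanID's policy format or code. It shows how a broad auto-approve rule placed above a deny rule pre-empts it, and a lint that finds such pairs before a policy is published. The rule fields, action names, equality-only conditions, manual-review fallback and sample data are all assumptions.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    conditions: dict   # attribute -> required value (equality only, an assumption)
    action: str        # "approve", "deny" or "route:<group>" (hypothetical names)

def evaluate(policy, rules, request):
    """First matching rule wins; return (action, audit record naming policy and rule)."""
    for rule in rules:
        if all(request.get(k) == v for k, v in rule.conditions.items()):
            return rule.action, {"policy": policy, "rule": rule.name}
    # Fallback when nothing matches is an assumption: send to a human reviewer.
    return "manual_review", {"policy": policy, "rule": None}

def overlaps(a, b):
    """Two equality-only rules can match the same request unless a shared key differs."""
    return all(b.conditions[k] == v for k, v in a.conditions.items() if k in b.conditions)

def approve_before_deny(rules):
    """(approve, deny) name pairs where an earlier approve pre-empts a later deny."""
    return [(early.name, late.name)
            for i, late in enumerate(rules) if late.action == "deny"
            for early in rules[:i]
            if early.action == "approve" and overlaps(early, late)]

# Constructed sample policy and request, not taken from any real tenant.
MISORDERED = [
    Rule("eng-auto-approve", {"department": "engineering"}, "approve"),
    Rule("prod-admin-deny", {"entitlement": "prod-admin"}, "deny"),
    Rule("finance-route", {"department": "finance"}, "route:finance-approvers"),
]
CORRECTED = [MISORDERED[1], MISORDERED[0], MISORDERED[2]]
REQUEST = {"role": "engineer", "department": "engineering", "entitlement": "prod-admin"}

if __name__ == "__main__":
    for label, rules in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        print(label, evaluate("access-requests", rules, REQUEST), approve_before_deny(rules))
```

Placing deny rules above any approve rule they overlap with removes the finding. The audit record then names the deny rule as the one responsible.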


