Attestation Sets

Standardized, auditable questions reviewers must answer when approving or denying access in a UAR campaign.


This feature is currently in Early Access. Contact us if you'd like to have this enabled for your tenant(s).

Attestation Sets let you define standardized, auditable questions that reviewers must answer when they approve or deny access during a User Access Review (UAR) campaign.

They capture reviewer intent and due diligence in a structured format. This improves audit readiness. It also standardizes review outcomes across teams.

Unlike comments, attestation answers are formal records. They’re permanently retained. They’re tied to the exact reviewer action.


How Attestation Sets work

An Attestation Set is a reusable collection of questions.

You attach a set to a campaign (while creating a campaign, or editing a draft). When attached:

  • Reviewers must answer the configured questions before they can approve or deny.

  • Answers are stored with the approve/deny action.

  • Risk Managers and Admins can view response summaries on the campaign.

Each campaign can have at most one attestation set attached.


Roles and permissions


Key concepts

Set lifecycle

Attestation Sets have three states:

  • Active: usable in campaigns and enforced for reviewers.

  • Disabled: temporarily suspended.

  • Retired: permanently removed from use. Remains read-only for audit.

Questions

Each set contains one or more questions.

Supported question types:

  • Yes / No

  • Radio

  • Checkbox

  • Dropdown

  • Multi-select dropdown

  • Short answer

  • Long answer

Questions can be:

  • Required or optional.

  • Scoped to apply on:

    • Approve only

    • Deny only

    • Both

Choice-based questions can include predefined options. They can also allow a custom option.

Audit immutability

Attestations are designed to be audit-grade.

  • Question labels can’t be edited after creation.

  • Questions can be soft-deleted only.

  • Sets can be retired only. They can’t be permanently deleted.

  • Attestation answers can’t be deleted or modified.

Retired sets and deleted questions stay visible in a read-only state. This supports audit and historical reporting. They can’t be reinstated.


Manage Attestation Sets (Risk Managers and Admins)

You manage Attestation Sets from the campaigns area, via the "Manage attestation sets" button.

Available views:

  • Grid view

  • Table view

Both support filtering and sorting.

The attestation sets table view

Create a set

1. Create the set

   Create a new set.

   Add a name and description.

2. Add questions

   Add one or more questions.

   Pick the question type.

   Mark questions as required if you want to block approvals/denials until answered.

   Reorder questions if needed.

3. Configure applicability

   Set whether each question applies on approve, deny, or both.

Creating a new attestation set

Update, duplicate, disable, or retire a set

  • Edit: only available while the set is active.

  • Duplicate: creates a copy you can use as a template.

  • Disable: temporarily suspends enforcement.

  • Retire: permanently removes it from use.


Disable vs retire

Disable

Disabling an attestation set

Use disable to pause enforcement temporarily.

  • Temporary state.

  • Prevents enforcement in active campaigns.

  • Can be re-enabled later.

  • Meant for pausing further action in a campaign while Risk Managers or Admins discuss and implement potential changes to audit/compliance policy, specifically what reviewers are required to attest to as part of their reviews.


Retire

Retiring an attestation set

Use retire to remove an attestation set permanently.

  • Permanent, read-only state.

  • Can’t be attached to new or draft campaigns.

  • Retained for audit, reporting, and historical reference.


Attach a set to a campaign

Attach an attestation set while creating a campaign or editing a draft.

  • Each campaign supports one attached set.

  • The campaign summary shows the attached set and its status.

If a set is retired, it remains visible for historical and audit purposes. Once a campaign has started, you can’t replace the attached set.


Reviewer experience

If no set is attached (or only a retired set)

There’s no change to the current workflow.

Reviewers can approve or deny as usual.

If an active set is attached

Reviewers must answer attestation questions before approving or denying.

This applies to:

  • Single actions

  • Bulk actions

  • Quick actions (dialogs or side panels)

Required questions must be completed before the action can be submitted.

Reviewers can save in-progress answers locally. Saved answers are kept:

  • Per campaign

  • Per action type (approve vs deny)

Reviewers need to answer attestation questions before proceeding with an approve or deny action, as configured

If the attached set is disabled

Approve and deny actions are blocked.

Reviewers will see a message explaining that attestations are unavailable.

Reviews are blocked if a disabled attestation set is attached to the campaign
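The reviewer gating rules above (no set or a retired set, an active set, a disabled set) can be modeled as one decision function. This is an added illustration, not the product's code or API; the class names, field names and state strings are assumptions, and the sample questions are constructed.

```python
# Illustrative model of the reviewer gating rules described on this page.
# All names are hypothetical; this is not the product's implementation.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Question:
    label: str
    required: bool = True
    applies_on: str = "both"      # "approve", "deny", or "both"

@dataclass(frozen=True)
class AttestationSet:
    state: str                    # "active", "disabled", or "retired"
    questions: tuple

BLANK = (None, "", [])            # a "No" (False) answer still counts as answered

def gate_action(attached: Optional[AttestationSet], action: str, answers: dict):
    """Return (allowed, reason, record) for one approve/deny attempt."""
    if action not in ("approve", "deny"):
        raise ValueError("action must be 'approve' or 'deny'")
    # No set, or only a retired set: the existing workflow is unchanged.
    if attached is None or attached.state == "retired":
        return True, "no attestation required", None
    # A disabled set blocks approve and deny until it is re-enabled.
    if attached.state == "disabled":
        return False, "attestations are unavailable", None
    in_scope = [q for q in attached.questions
                if q.applies_on in (action, "both")]
    missing = [q.label for q in in_scope
               if q.required and answers.get(q.label) in BLANK]
    if missing:
        return False, "unanswered required: " + "; ".join(missing), None
    # The questions asked and the answers given are stored with the action.
    record = {"action": action,
              "answers": {q.label: answers.get(q.label) for q in in_scope}}
    return True, "ok", record

if __name__ == "__main__":
    demo = AttestationSet("active", (           # constructed sample set
        Question("Is this access required for the user's role?"),
        Question("Reason for denial", applies_on="deny"),
        Question("Notes", required=False),
    ))
    role_q = demo.questions[0].label
    print(gate_action(demo, "approve", {role_q: True}))
    print(gate_action(demo, "deny", {role_q: False}))
```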

Reporting and response summaries

Risk Managers and Admins can view attestation results from the campaign summary, via the "View submitted attestations" button, which is available for every campaign that has an attached set.

This includes:

  • Overall response summaries

  • Per-question response tables

  • For option-based questions, charts (including dual-layer pie charts) showing:

    • Distribution of answers

    • Resulting approve/deny outcomes tied to those answers

Response summary of a multi-select question. You can see responses in the inner ring of the chart, with the corresponding action taken (approved or denied) in the outer ring

Audit trail

All reviewer actions continue to show in the workflow trail.

When an approve/deny action includes attestations:

  • The full question set and answers are stored with that action.

  • Entries are visible in the per-review audit log.

  • Responses are immutable and permanently retained.


Relationship to comments and requests for information

Use Attestation Sets for policy-driven, standardized prompts, like:

  • “Is this access required for the user’s role?”

  • “Have you verified this access against precedent?”

  • “Does this user belong to a high-risk group?”

Use review comments and "requests for information" for case-specific collaboration and other discussion.

These features work together:

  • Attestations capture the formal record.

  • Comments capture the discussion.
