# Attestation Sets {% hint style="info" %} This feature is currently in **Early Access**. Contact us if you'd like to have this enabled for your tenant(s). {% endhint %} Attestation Sets let you define **standardized, auditable questions** that reviewers must answer when they **approve** or **deny** access during a User Access Review (UAR) campaign. They capture reviewer intent and due diligence in a structured format. This improves audit readiness. It also standardizes review outcomes across teams. Unlike comments, attestation answers are **formal records**. They’re permanently retained. They’re tied to the exact reviewer action. *** ### How Attestation Sets work An **Attestation Set** is a reusable collection of questions. You attach a set to a campaign (while creating a campaign, or editing a draft). When attached: * Reviewers must answer the configured questions **before** they can approve or deny. * Answers are stored with the approve/deny action. * Risk Managers and Admins can view response summaries on the campaign. Each campaign can have **at most one** attestation set attached. *** ### Roles and permissions * **Risk Managers** and **Administrators** can [create and manage Attestation Sets](#manage-attestation-sets-risk-managers-and-admins), and can [view response summaries](#reporting-and-response-summaries). * **Reviewers** [answer attestations](#reviewer-experience) while actioning access reviews. *** ### Key concepts #### Set lifecycle Attestation Sets have three states: * **Active**: usable in campaigns and enforced for reviewers. * **Disabled**: temporarily suspended. * **Retired**: permanently removed from use. Remains read-only for audit. #### Questions Each set contains one or more questions. Supported question types: * Yes / No * Radio * Checkbox * Dropdown * Multi-select dropdown * Short answer * Long answer Questions can be: * **Required** or optional. * Scoped to apply on: * **Approve** only * **Deny** only * **Both** Choice-based questions can include predefined options. They can also allow a **custom option**. #### Audit immutability Attestations are designed to be audit-grade. * Question labels can’t be edited after creation. * Questions can be soft-deleted only. * Sets can be retired only. They can’t be permanently deleted. * Attestation answers can’t be deleted or modified. Retired sets and deleted questions stay visible in a read-only state. This supports audit and historical reporting. They can’t be reinstated. *** ### Manage Attestation Sets (Risk Managers and Admins) You manage Attestation Sets from the campaigns area, via the **"Manage attestation sets"** button. Available views: * Grid view * Table view Both support filtering and sorting.

#### Create a set {% stepper %} {% step %} ### Create the set Create a new set. Add a name and description. {% endstep %} {% step %} ### Add questions Add one or more questions. Pick the question type. Mark questions as required if you want to block approvals/denials until answered. Reorder questions if needed. {% endstep %} {% step %} ### Configure applicability Set whether each question applies on **approve**, **deny**, or **both**. {% endstep %} {% endstepper %}

#### Update, duplicate, disable, or retire a set * **Edit**: only available while the set is active. * **Duplicate**: creates a copy you can use as a template. * **Disable**: temporarily suspends enforcement. * **Retire**: permanently removes it from use. *** ### Disable vs retire #### Disable

Use disable to pause enforcement temporarily. * Temporary state. * Prevents enforcement in active campaigns. * Can be re-enabled later. * Meant for pausing further action in a campaign while Risk Managers or Admins discuss and implement potential changes in audit/compliance policy in terms of what reviewers are required to attest to as part of their reviews. {% hint style="warning" %} If a disabled attestation set is attached to a campaign, reviewers **can’t approve or deny** reviews in that campaign until the set is re-enabled. {% endhint %} #### Retire

Use retire to remove an attestation set permanently. * Permanent, read-only state. * Can’t be attached to new or draft campaigns. * Retained for audit, reporting, and historical reference. {% hint style="warning" %} From the reviewers' PoV, a retired attestation set attached to a campaign will behave as if there is no attestation set attached. They will be able to proceed with review approval/denial without seeing any indication of attestation questions. {% endhint %} *** ### Attach a set to a campaign Attach an attestation set while creating a campaign or editing a draft. * Each campaign supports **one** attached set. * The campaign summary shows the attached set and its status. If a set is retired, it remains visible for historical and audit purposes. Once a campaign has started, you can’t replace the attached set. *** ### Reviewer experience #### If no set is attached (or only a retired set) There’s no change to the current workflow. Reviewers can approve or deny as usual. #### If an active set is attached Reviewers must answer attestation questions before approving or denying. This applies to: * Single actions * Bulk actions * Quick actions (dialogs or side panels) Required questions must be completed before the action can be submitted. Reviewers can save in-progress answers locally. This is saved: * Per campaign * Per action type (approve vs deny)

Reviewers need to answer attestation questions before proceeding with an approve or deny action, as configured

#### If the attached set is disabled Approve and deny actions are blocked. Reviewers will see a message explaining that attestations are unavailable.

Reviews are blocked if a disabled attestation set is attached to the campaign

*** ### Reporting and response summaries Risk Managers and Admins can view attestation results from the campaign summary, via the **"View submitted attestations"** button available for every campaign which has an attached set. This includes: * Overall response summaries * Per-question response tables * For option-based questions, charts (including **dual-layer pie charts**) showing: * Distribution of answers * Resulting approve/deny outcomes tied to those answers

Response summary of a multi-select question. You can see responses in the inner ring of the chart, with the corresponding action taken (approved or denied) in the outer ring

*** ### Audit trail All reviewer actions continue to show in the workflow trail. When an approve/deny action includes attestations: * The full question set and answers are stored with that action. * Entries are visible in the per-review audit log. * Responses are immutable and permanently retained. *** ### Relationship to comments and requests for information Use Attestation Sets for policy-driven, standardized prompts, like: * “Is this access required for the user’s role?” * “Have you verified this access against precedent?” * “Does this user belong to a high-risk group?” Use review comments and "requests for information" for case-specific collaboration and other discussion. These features work together: * Attestations capture the formal record. * Comments capture the discussion. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.balkan.id/user-access-reviews/access-review-management/configuring-access-reviews-and-campaigns/attestation-sets.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.