Glossary Term

User Access Review

The scheduled re-confirmation that each user's current access in each GxP system is still appropriate, by an independent reviewer, with documented disposition per user per role.

Access drifts. People change roles, take on short-term needs, leave teams, leave the company. Without periodic access review, the access list slowly diverges from the people who should actually be on it, and the inspection finding writes itself.

[Figure: user access review process, showing the role owner reviewing assigned users with a documented keep / modify / revoke disposition per user]

What user access review is

User access review is the periodic, documented re-confirmation that a user's current access in each GxP system is still appropriate. The role owner or an independent reviewer looks at who holds the role today, confirms whether each assignment is still justified by current job responsibilities, and records a per-user-per-role disposition: keep, modify, or revoke. Access that isn't actively re-confirmed gets removed.

It's the safety net for what provisioning misses. Joiner-mover-leaver processes handle the event-driven side: grant when someone joins or takes a new role, remove when they leave. Periodic access review catches the drift between those events. Short-term access that was never removed. Rights that accumulated when roles changed without the prior role being revoked. Vendor users whose engagement ended without the offboarding signal flowing back.

The regulatory expectation is clear and now explicit. EU GMP Annex 11 §12 expects access to reflect role. MHRA's GxP DI guidance treats periodic access review as a data integrity control. PIC/S PI 041-1 (July 2021) addresses it within the broader access governance section.

Access drifts even when nothing seems wrong

Users gain short-term permissions for one-off needs and never lose them. Mover events leave residual rights from prior roles. Vendor users come in for a project and stay in the system years after it ended. Without periodic review, the access list slowly diverges from the people who should actually be on it.

Why user access review has become an explicit inspection topic

Inspectors keep finding the same pattern. A firm has RBAC defined, provisioning controlled, and never went back to confirm that the resulting access list still matches current job responsibilities. Years later, the inspector finds analysts who'd left the lab still listed, admin accounts shared across functions, and contractors with active access whose engagements ended in 2019. The technical controls were fine. Nobody had ever closed the loop.

Modern data integrity guidance treats access review as a baseline expectation, not an optional best practice. The reasoning is straightforward: without periodic re-confirmation, the unique-attribution and authority checks Part 11 requires (§§11.10(d), 11.10(g), 11.100) degrade over time. Every signature applied by a user whose access wasn't reviewed inherits that doubt.

Inspector perspective: the last cycle's access review records usually tell the whole story. Three things matter — was every required system reviewed, was the disposition per user per role actually documented (not just "reviewed, OK"), and were the changes you'd expect (terminations, role changes) actually reflected in the system after the review. Records that answer all three cleanly are a reliable sign of a real program; gaps in any one usually open a much longer conversation.

Where user access review obligations come from

Access review isn't named in a single section of any predicate rule. The obligation comes from intersecting expectations:

  • 21 CFR §11.10(d): limiting system access to authorised individuals — the predicate for access being granted, and implicitly for access being re-confirmed over time.
  • 21 CFR §11.10(g): authority checks. The authority structure has to be maintained, not just established.
  • 21 CFR §11.100: unique signature attribution. Periodic review confirms the unique-attribution assumption still holds for current users.
  • 21 CFR §11.300: identification code and password controls including periodic testing — supports periodic review of who can use which codes.
  • 21 CFR §211.68(b): drug computerised systems controls including who is authorised to make changes — implicitly requires re-confirmation.
  • EU GMP Annex 11 §12 — Security: access control reflects role, authority defined, ongoing access governance expected.
  • EU GMP Annex 11 §2 — Personnel: clear responsibilities; access aligned with responsibilities and maintained as responsibilities change.
  • EU GMP Chapter 2: roles and responsibilities clearly defined.
  • MHRA "GxP" Data Integrity Definitions and Guidance for Industry (March 2018, updated September 2021): access control and segregation of duties as data integrity controls; periodic review implicit.
  • PIC/S PI 041-1 (July 2021): §§5-6 access governance and data integrity controls; periodic review treated as expected.
  • FDA Data Integrity and Compliance With Drug CGMP — Q&A (December 2018): addresses ongoing access management.
  • ICH Q10 §2: management responsibility for resources including ongoing access governance.
  • ISO 13485 §5.5: responsibility, authority — implicit ongoing maintenance.
  • ISO 27001 A.9.2.5: review of user access rights — the most explicit single statement of the requirement; often referenced by GxP firms.
  • NIST SP 800-53 AC-2: account management including periodic review — U.S. government context reference.

What a working user access review program contains

A defensible user access review program contains these elements:

  • System scope defined. A maintained list of GxP systems requiring access review, with risk-based frequency per system. Critical systems quarterly, lower-risk semi-annual or annual.
  • Review schedule controlled. Calendar of upcoming reviews per system, with assigned reviewer, scope, and due date. Overdue reviews tracked and escalated.
  • Defined reviewer per role. Each role has a designated reviewer (typically the role owner). The reviewer is independent of access provisioning.
  • Review inputs assembled in advance. The reviewer receives the current list of users in each role, recent role assignment and removal events, last login date per user, and the SoD matrix to check against. Without these inputs, the review is improvised.
  • Per-user disposition documented. For each user holding the role, the reviewer records a decision: keep (still appropriate), modify (role change needed), or revoke (access no longer warranted). "Reviewed, OK" without per-user records doesn't satisfy.
  • SoD conflict check explicit. The review checks for users holding combinations of roles that violate the SoD matrix. SoD-aware reviewers know which combinations matter.
  • Inactive user handling. Users with no login activity within a defined period (commonly 90 days) flagged for revocation unless justified. Long-term inactives are usually the leaver signal that didn't flow back.
  • Privileged access separately scrutinised. Administrator and super-user roles reviewed separately, more often, with tighter justification expected.
  • Remediation actually performed. Revoke and modify decisions get executed in the system, not just recorded. Verification of remediation closes the review cycle.
  • External / contractor users included. Same discipline for vendors, consultants, auditors. Often the highest revoke rate.
  • Review evidence retained. Per-cycle records under document control, retained for the predicate-rule period. Records show which users were reviewed, dispositions, remediation evidence, and reviewer sign-off.
  • Findings drive systemic action. Recurring drift patterns (for example, many users with stale prior-role rights) feed back into provisioning process improvement.
  • Management Review input. Cycle completion, finding rates, remediation closure timeliness — standing MR inputs.
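The elements above describe one review cycle: assemble the inputs (current assignments, assignment history, last login, SoD matrix), pre-flag what the reviewer must look at (inactive users, SoD conflicts, privileged roles), record a disposition per user per role, then verify that revoke decisions were actually executed. The script below is an added example of that cycle in Python; it is not Complere's code and not a real system export. The assignments, login dates, role names, the 90-day inactivity threshold, and the single SoD rule are all constructed for illustration.

```python
"""Build a user access review worksheet and verify remediation after the cycle.
Example code added to illustrate the programme elements described above;
not Complere's code. All inputs below are constructed sample data."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

INACTIVITY_DAYS = 90               # assumed threshold (the page cites 90 days as common)
PRIVILEGED_ROLES = {"LIMS_ADMIN"}  # assumed: roles reviewed on a separate, stricter track

# Constructed sample inputs: current assignment export (user, role, assigned_on, assigned_by),
# last successful login per user, and an SoD matrix of forbidden role combinations.
ASSIGNMENTS = [
    ("asmith", "LIMS_ANALYST", date(2022, 3, 1), "it_provisioning"),
    ("asmith", "LIMS_REVIEWER", date(2023, 9, 12), "it_provisioning"),  # mover kept prior role
    ("bjones", "LIMS_ANALYST", date(2021, 6, 15), "it_provisioning"),
    ("cvendor", "LIMS_ANALYST", date(2019, 2, 4), "it_provisioning"),   # contractor
    ("dadmin", "LIMS_ADMIN", date(2020, 1, 10), "it_provisioning"),
]
LAST_LOGIN = {
    "asmith": date(2024, 5, 30),
    "bjones": date(2024, 5, 28),
    "cvendor": date(2023, 11, 2),
    # dadmin has no recorded login at all
}
SOD_MATRIX = {frozenset({"LIMS_ANALYST", "LIMS_REVIEWER"})}  # cannot review own results
REVIEW_DATE = date(2024, 6, 1)


@dataclass
class ReviewRow:
    user: str
    role: str
    assigned_on: date
    assigned_by: str
    last_login: Optional[date]
    flags: list = field(default_factory=list)
    disposition: Optional[str] = None   # keep / modify / revoke, set by the reviewer
    justification: str = ""


def build_worksheet(assignments, last_login, sod_matrix, review_date):
    """One row per user per role, with inactivity, SoD and privilege checks pre-computed."""
    roles_by_user = {}
    for user, role, *_ in assignments:
        roles_by_user.setdefault(user, set()).add(role)
    rows = []
    for user, role, assigned_on, assigned_by in assignments:
        row = ReviewRow(user, role, assigned_on, assigned_by, last_login.get(user))
        if row.last_login is None:
            row.flags.append("NO_LOGIN_RECORDED")
        else:
            idle = (review_date - row.last_login).days
            if idle > INACTIVITY_DAYS:
                row.flags.append(f"INACTIVE_{idle}D")
        for other in sorted(roles_by_user[user] - {role}):
            if frozenset({role, other}) in sod_matrix:
                row.flags.append(f"SOD_CONFLICT_WITH_{other}")
        if role in PRIVILEGED_ROLES:
            row.flags.append("PRIVILEGED")
        rows.append(row)
    return rows


def record_disposition(row, disposition, justification=""):
    """Reviewer decision per row. A flagged row may not be kept without a written reason."""
    if disposition not in {"keep", "modify", "revoke"}:
        raise ValueError(f"invalid disposition {disposition!r}")
    if disposition == "keep" and row.flags and not justification.strip():
        raise ValueError(f"{row.user}/{row.role}: flagged row kept without justification")
    row.disposition, row.justification = disposition, justification
    return row


def verify_remediation(rows, assignments_after):
    """Return (user, role) pairs whose revoke decision is not reflected in the post-review export."""
    still_present = {(u, r) for u, r, *_ in assignments_after}
    return [(row.user, row.role) for row in rows
            if row.disposition == "revoke" and (row.user, row.role) in still_present]


if __name__ == "__main__":
    for row in build_worksheet(ASSIGNMENTS, LAST_LOGIN, SOD_MATRIX, REVIEW_DATE):
        print(f"{row.user:8} {row.role:14} {row.flags}")
```

The worksheet is what the reviewer receives before the meeting; the flags are prompts, not decisions, so every row still needs an explicit disposition. Running the remediation check against a fresh assignment export after the cycle is what turns "revoke" from a recorded intent into closed evidence.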

What strong user access review programs do

The 'reviewed — OK' pattern

Inspectors see access review records with a single line per cycle: "Reviewed on [date] by [name] — no changes needed." Even when the review was thorough, the record doesn't prove it. Per-user-per-role disposition is what makes the review defensible. Programs that produce just the summary line tend to get cited even when the underlying review was real, because the evidence doesn't show what was examined.

The patterns that hold up at inspection:

  • System scope explicit, frequency justified. Per system, with risk-based rationale. Not one-size-fits-all.
  • Schedule maintained, overdue tracked. Reviews don't silently slip.
  • Reviewer independent from provisioning. The person who granted access doesn't decide whether it's still appropriate.
  • Inputs assembled before review. Current user list, role assignment history, last login, SoD matrix all in front of the reviewer.
  • Per-user disposition recorded. Keep, modify, revoke. Not aggregate "OK".
  • SoD check is part of the review. Not a separate exercise; integrated.
  • Inactive user policy enforced. Defined inactivity threshold, automatic flagging, justified retention or revocation.
  • Privileged access elevated treatment. Separate review track, more frequent, tighter justification.
  • Remediation executed and verified. Revoke decisions actually remove access; verified afterward.
  • External users included. Same discipline. Often biggest revoke source.
  • Review records as controlled records. Under document control, predicate-rule retention, signed.
  • Findings drive systemic action. Drift patterns feed provisioning process improvement.
  • Management Review input. Cycle metrics standing inputs.

How Complere supports user access review

Access review is a discipline your team owns. What Complere gives you is a clean picture of who has access to what right now, and the controlled-record infrastructure to turn each review cycle into evidence an inspector will accept.

At any moment, your role owner can see the current assignments inside Complere: who holds which role, when each assignment was made, and who made it. Every assignment, change, and removal is captured in the underlying record history with identity, action, and timestamp — so when your reviewer asks "how did this user end up with this access?", the answer is in front of them. Login activity and recent record activity are visible too, so your inactive-user check has the signal it needs.

Your team can author the review record itself inside the controlled-document workflow — template-driven, with per-user per-role disposition fields (keep, modify, revoke), role-based reviewer sign-off, and retention for the period your regulations require. When your reviewer decides to revoke or modify an assignment, that change can be enacted inside Complere and is itself captured in the record history — closing the loop between the decision and the remediation in one place.

What stays with your team: choosing which systems are in scope, setting the right frequency for each one, naming the reviewer who's independent of provisioning, making the actual judgment call per user, and following through on revoke decisions promptly. Complere gives you the assignment picture and the evidence rails; the program is yours to run.

Frequently asked questions

Common questions about User Access Review sourced from regulatory references and inspection patterns.

What is user access review?

It's the periodic, documented re-confirmation that a user's current access in each GxP system is still appropriate. The role owner (or another independent reviewer) looks at who holds the role today, confirms whether each assignment is still justified by current job responsibilities, and records a disposition: keep, modify, or revoke. Access that isn't actively re-confirmed gets removed.

How often does user access review need to happen?

Risk-based. EU GMP Annex 11 §12 doesn't fix a frequency. Most firms run quarterly review on critical GxP systems (LIMS, MES, eQMS, ERP, batch release), and semi-annual or annual on lower-risk systems. The frequency should be documented and justified per system. MHRA's GxP DI guidance (March 2018, updated September 2021) and PIC/S PI 041-1 (July 2021) both treat periodic access review as an expected control.

What's the difference between access review and access provisioning?

Provisioning grants access when someone needs it (joiner or mover). Access review is the periodic check that the access still makes sense afterwards. Provisioning is event-driven; access review is calendar-driven. You need both. Firms with strong provisioning but weak periodic review find that drift accumulates between reviews.

Who should perform the access review?

The role owner (the function accountable for what the role allows), or another reviewer independent of access provisioning. The same person who granted the access shouldn't be the one deciding whether it's still appropriate. Many firms have the role owner do the review and QA sign off on the disposition records.

What's the scope of a user access review?

Roles each user holds, what each role grants, any shared accounts that persist, administrative and privileged access (scrutinised separately), inactive users whose accounts haven't been logged into within a defined period, and SoD conflicts where one user holds combinations that violate the SoD matrix. A review without the SoD check is incomplete.

What are the most common user access review findings in inspections?

Review not performed at all. Reviews run at the wrong frequency (annual on a critical system that should be quarterly). Reviews where the reviewer signed but the actual scope wasn't covered. SoD conflicts never checked. Inactive users not removed. Leaver access still active months after the leaver event. Privileged access never separately scrutinised. The chromatography enforcement actions of the last several years pushed several of these into focus.

What's the connection to joiner-mover-leaver provisioning?

Periodic access review is the safety net that catches what JML misses. Even with solid JML processes, mover events often don't fully remove prior-role rights, and leaver events sometimes lag if the HR signal doesn't reach IT promptly. The periodic review catches both, and it's usually the only mechanism that catches the second one before an inspector does.

Does user access review apply to vendor / external users?

Yes. Contractors, consultants, auditors, anyone external with system access falls under the same review discipline. External access is often the weakest link because the offboarding signal (contract end, project completion) doesn't always make it back to access management. Periodic review tends to surface external users whose engagement ended months ago but whose access stayed active.

About the author

Complere Reference Team

Compliance and quality-systems specialists maintaining the Complere glossary for regulated quality, validation, and inspection-readiness teams. Entries are reviewed against current FDA, MHRA, EMA, ICH, and PIC/S guidance.

Continue Exploring

Explore related topics, modules, and compliance resources for a deeper understanding of your quality system.

Related topics:
  • Data Integrity & Audit Trails (data integrity hub)
  • Electronic Records & Signatures
  • 21 CFR Part 11

See user access review supported in Complere

Walk through Complere's role assignment records, role-based access model, and audit trail per role assignment — the evidence base a user access review depends on.