Most organizations don’t struggle to define “access review” as a concept. They struggle to run reviews as an operational practice:
- Scopes change every time.
- Evidence is scattered across emails and spreadsheets.
- Reviewers don’t know what “good” looks like.
- Actions are inconsistent, and exceptions become permanent.
- Audits turn into frantic evidence collection.
Syba Identity’s governance and recertification features are designed to solve that operational reality: run repeatable campaigns with consistent scoping, reviewer workflows, and audit-ready outcomes. And importantly, campaigns are system-aware. Syba supports different target systems, but keeps actions conservative where enforcement is intentionally limited. That aligns to the broader platform goals of governance automation and audit readiness (Syba Identity).
What Syba means by “campaigns”
In Syba, a campaign is a structured review workflow with:
- A campaign type (what you are reviewing)
- A target system (for example, Okta or Entra)
- A target population (who/what is in-scope)
- A review workflow (who reviews, how decisions are captured)
- Optional post-review actions, where supported
- A record of what was reviewed and when
This is intentionally not a “one-off report.” It’s an operational process you can run repeatedly, measure, and defend later.
Campaign types you can run (high level)
Syba supports multiple campaign types to cover common governance scenarios, including:
- User account recertification: validate that user accounts should remain enabled/active.
- App access recertification: review user-to-app relationships for ongoing appropriateness.
- Group membership recertification: review membership in groups (often used as access control).
The key is that these campaign types aren’t just labels; they define what target data is assembled for reviewers and what “actions” can be considered after review.
Target systems: Okta and Entra are both supported, actions vary by system
A critical point for accuracy: Syba supports campaigns that target multiple systems, but action enforcement is system-dependent.
Okta campaigns
Okta is a mature area of governance automation for many organizations, and Syba supports richer “action sets” for Okta campaign outcomes, such as:
- Removing app access (where applicable)
- Removing group membership / group relationships (where applicable)
- Notifications and webhooks for workflow integration
Entra campaigns (conservative by design)
Syba supports campaigns that target Entra, but keeps actions conservative (especially for app access and group membership reviews) where targets may be modelled at an aggregate level and where “per-user removal” isn’t always the right operational shape.
What Syba can support for Entra campaigns includes:
- Log-only outcomes (decision recording without enforcement)
- Notifications / webhooks for downstream workflow execution
- User disable actions for user-account recertification scenarios (where configured/appropriate)
This is intentional: it allows teams to use Syba for structured reviews and auditability without claiming broad “automatic removals everywhere” in Entra when that is not universally safe or implemented.
Approver workflows: making reviews doable for humans
Campaigns succeed or fail based on reviewer experience. Syba’s campaign model is designed to support practical review workflows:
- Assigning reviewers using defined strategies (e.g., manager-based or role-based patterns)
- Capturing decisions consistently (approve/deny/exception) with optional notes
- Supporting escalation and follow-up paths when reviewers are unavailable or unsure
The goal is to reduce the friction that causes reviews to stall, and to ensure outcomes are captured in a way that can be explained later.
The output you actually want: a defensible decision trail
Auditors typically don’t want to see a screenshot of a dashboard. They want evidence that:
- The review occurred
- The scope is defined and repeatable
- Reviewers made decisions
- Exceptions were recorded intentionally
- Outcomes can be retrieved later
Syba campaigns are structured to provide that trail without teams building a parallel “audit workbook” manually.
Pairing governance with optimization (without overclaiming)
Governance and cost optimization often overlap. For example:
- Reviewing access to high-cost apps
- Validating dormant accounts
- Identifying “never logged in” or “inactive” users in Okta reporting
- Prioritizing app access reviews where license cost exposure is material
Syba can surface these signals in reporting and feed them into campaigns, but the guiding principle is consistent: use analytics to focus reviewer attention, then use a campaign to make decisions explicit and repeatable.
A practical way to start
If governance campaigns are new to your organization, start small:
- Run a user-account recertification with a narrow scope (e.g., contractors)
- Choose a simple review strategy
- Keep actions conservative at first (log-only or notifications)
- Measure completion and friction points
Then expand to app access and group membership reviews once the workflow is stable.
Closing thought: governance is a system, not a quarterly event
The goal is not “we did an access review.” The goal is “we have an operational review system.” Syba’s governance campaigns help teams build that system across their identity stack, with system-appropriate enforcement and a defensible audit trail (Syba Identity).
CTA: Want to see campaign creation, reviewer experience, and the audit-ready outcomes in practice? Request a demo and we’ll walk through governance workflows at a high level.