Skill reviewed
skills/identity/access-review/
Summary
The access-review skill covers scope definition, certification, orphan detection, role explosion, SoD, and enforcement, but it does not require evidence that the entitlement sources feeding a review campaign are fresh, complete, and replayable. A campaign can therefore look fully certified while using stale HRIS, IdP, SaaS, SCIM, or cloud IAM exports.
Gap
Access reviewers may approve a population that is missing:
- terminated users absent from a stale HRIS-to-IdP reconciliation;
- failed SCIM delta syncs before campaign launch;
- app-local accounts outside IdP-managed assignments;
- manual privileged grants created after the campaign snapshot;
- immutable export identifiers, checksums, or run IDs needed to reproduce the reviewed population during audit.
Security impact
This creates false confidence in least-privilege and account-review controls. Production or privileged access can survive outside the reviewed population even when reviewer completion is 100%.
Proposed improvement
Add an access-review evidence gate for source freshness and reconciliation covering HRIS, IdP groups, SaaS/native app users, cloud IAM exports, and IGA campaign snapshots. Include AR-SRC findings, freshness targets, reconciliation checks, severity guidance, output category updates, and benign/vulnerable fixtures.
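As an added illustration of what such an evidence gate could check (example code written for this issue, not part of the access-review skill), the script below evaluates a constructed campaign snapshot against assumed freshness targets and runs the reconciliation checks listed under Gap. Source field names, thresholds and the AR-SRC-style finding strings are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed campaign snapshot: the moment the reviewed population was frozen.
CAMPAIGN_SNAPSHOT = datetime(2024, 5, 6, 12, 0, tzinfo=timezone.utc)
# Assumed freshness targets per source; the skill would define the real values.
MAX_AGE = {"hris": timedelta(hours=24), "idp": timedelta(hours=24), "scim": timedelta(hours=24)}

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def source_findings(sources, snapshot=CAMPAIGN_SNAPSHOT, max_age=MAX_AGE):
    """Freshness and replayability evidence for each export that fed the campaign."""
    findings = []
    for name, meta in sources.items():
        age = snapshot - _ts(meta["exported_at"])
        if age > max_age[name]:
            findings.append(f"{name}: export is {age} old, over freshness target")
        if not meta.get("checksum") or not meta.get("run_id"):
            findings.append(f"{name}: no checksum or run ID, population not replayable")
        if meta.get("last_delta_sync_ok") is False:
            findings.append(f"{name}: delta sync failed before campaign launch")
    return findings

def reconciliation_findings(hris, idp_active, app_local, cloud_grants, snapshot=CAMPAIGN_SNAPSHOT):
    """Cross-source checks the population must pass before certification counts as evidence."""
    terminated = {user for user, status in hris.items() if status == "terminated"}
    findings = [f"{u}: terminated in HRIS but still active in IdP" for u in sorted(terminated & set(idp_active))]
    findings += [f"{u}: app-local account outside IdP-managed assignments" for u in sorted(set(app_local) - set(idp_active))]
    findings += [f"{g['principal']}: privileged grant created after campaign snapshot"
                 for g in cloud_grants if _ts(g["created_at"]) > snapshot]
    return findings

def gate_passes(sources, hris, idp_active, app_local, cloud_grants):
    """The campaign may only be treated as certified when no finding remains."""
    findings = source_findings(sources) + reconciliation_findings(hris, idp_active, app_local, cloud_grants)
    return (not findings), findings

# Constructed fixtures (no real identifiers); checksums are placeholders.
SOURCES = {
    "hris": {"exported_at": "2024-05-01T00:00:00Z", "checksum": "sha256:PLACEHOLDER", "run_id": "hris-42"},
    "idp": {"exported_at": "2024-05-06T06:00:00Z", "checksum": "sha256:PLACEHOLDER", "run_id": "idp-7"},
    "scim": {"exported_at": "2024-05-06T06:00:00Z", "checksum": None, "run_id": None, "last_delta_sync_ok": False},
}
HRIS = {"alice": "active", "bob": "terminated", "carol": "active"}
IDP_ACTIVE = ["alice", "bob"]
APP_LOCAL = ["alice", "svc-reporting"]
CLOUD_GRANTS = [{"principal": "dave", "created_at": "2024-05-07T09:00:00Z"},
                {"principal": "alice", "created_at": "2024-05-01T09:00:00Z"}]

if __name__ == "__main__":
    ok, findings = gate_passes(SOURCES, HRIS, IDP_ACTIVE, APP_LOCAL, CLOUD_GRANTS)
    print("gate:", "PASS" if ok else "FAIL")
    for finding in findings:
        print(" -", finding)
```

With these fixtures the gate fails on a stale HRIS export, a non-replayable SCIM export with a failed delta sync, a terminated user still active in the IdP, an app-local service account, and a grant created after the snapshot, even though nothing in the reviewer-facing campaign would show a problem.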
Validation planned
- git diff --check
- Markdown fence-balance check
- AR-SRC marker checks
- Benign/vulnerable fixture marker checks
- ASCII check for new fixture files
- Added-line sensitive-pattern scan
Bounty target: structured review issue plus Improver Moderate if accepted. Payment details can be provided privately after maintainer acceptance.