SC-300 domain - 25% of the exam

Plan and Automate Identity Governance

Plan and Automate Identity Governance is 25% of the Microsoft Identity and Access Administrator (SC-300) exam. These are the objectives it covers, each with practice questions and worked explanations.

Sample question from this domain

Free sample | Plan and Automate Identity Governance | medium

A company has an access package for a sensitive finance application whose members are external guests. The governance team wants the guests themselves to attest each quarter that they still need access, and any guest who does not respond should automatically lose access. Which access review configuration meets this requirement?

  • A. Create a recurring quarterly access review of the access package assignments, set the reviewer to "users review their own access", and set the action to apply results so non-responders have access removed. (Correct)
  • B. Create a recurring access review of the access package assignments, set the reviewer to group owners, and configure the action on completion to remove access for unreviewed members.
  • C. Create a one-time access review of the finance application's enterprise application assignments, assign the application owner as reviewer, and notify guests by email to confirm their access.
  • D. Create a recurring access review of the access package assignments, set the reviewer to a designated manager, and leave the action on completion set to no change so access is preserved.

Choosing users review their own access as the reviewer makes members self-attest, and applying results with removal handles non-responders automatically. An access review's reviewer setting decides who attests, and selecting users review their own access requires each member to confirm their own continued need. Combining this with a quarterly recurrence and an apply-results action that removes unreviewed access enforces self-attestation and automatically revokes access from guests who do not respond.

Why A is correct: Selecting users review their own access makes each guest attest to their own need, a quarterly recurrence matches the cadence, and applying results with removal for non-responders enforces loss of access for anyone who does not reply.

Why B is wrong: Group owners as reviewers would have the owners attest on behalf of the guests rather than the guests attesting for themselves, so this misses the self-attestation requirement even though the recurrence and removal action are right.

Why C is wrong: A one-time review does not repeat each quarter and an application owner is not the guest, so neither the recurrence nor the self-attestation requirement is satisfied despite reviewing the right resource.

Why D is wrong: A manager reviewing is not self-attestation, and an action of no change would never remove access from non-responders, so this fails both the attestation and the automatic removal requirements.

Examworthy is not affiliated with or endorsed by Microsoft. Original, blueprint-aligned practice material only.