runbookify

Privileged Access Recertification

Build an internal tool that runs your periodic access reviews: launch a time-boxed campaign, send each manager or app owner the exact list of people who currently hold access to their systems, make them attest keep or remove on every user, route the removals through a security-lead approval, and produce an auditor-ready certification plus a clean revocation batch - so access reviews stop living in a stack of spreadsheets nobody can defend at audit time.

  • Level: Intermediate
  • Time: A weekend
  • Builds on: Next.js (App Router) on Vercel; Supabase (Postgres, Storage, Auth + RLS); Resend (review invites, reminders, approval requests, certification notices)
What you'll build

A login-protected access-recertification tool: you launch a time-boxed review campaign, each reviewer gets the exact list of users who hold access to their systems and attests keep or remove on every one, non-responders get automatic reminders and default to flagged (never silently auto-removed), the security lead approves the batch of removals, and the app produces an immutable certification record plus a revocation batch CSV - with a hard rule that no revocation task is generated until both the reviewer attests and security approves.

Gated download

Enter your email — the plan downloads instantly and a copy lands in your inbox.

By submitting your email you'll also receive the weekly runbookify newsletter. You can unsubscribe at any time.

Before you start

  • A free Vercel account
  • A free Supabase account
  • A free Resend account (and a sender address you can use)
  • A current access export per system: who holds access and when it was granted (CSV/sheet)
  • A manager / application-owner mapping (which person reviews which system)
  • Your review cadence and rules (campaign length, reminder schedule, what happens on no response)

The problem this kills

Twice a year (or every quarter, or whenever the auditor emails) you have to prove that the right people - and only the right people - have access to your systems. So you export a user list from each app, paste it into a spreadsheet, email the spreadsheet to each manager or application owner, and ask them to mark who still needs access. Then you wait. Half of them respond; the rest you chase. The responses come back as a reply-all, a marked-up spreadsheet with three new columns, and a "looks fine to me" with no detail. You stitch it all together by hand, try to remember who you still owe a reminder, and hope you can reconstruct - months later, for an auditor - who attested what, and when.

The cost isn't just the days you burn herding spreadsheets. It's the accounts that quietly keep access nobody confirmed: the contractor who left, the person who changed roles, the service account everyone forgot. It's the removal that got actioned with no sign-off, and the "who approved revoking this?" question you can't answer. And it's the audit finding when you can't produce a clean, tamper-evident record that every access holder was reviewed and explicitly kept or removed.

This tool replaces the spreadsheet scramble with a clean, enforced campaign: launch a time-boxed review, each owner gets exactly their users and attests keep or remove on each one, non-responders get chased automatically and default to flagged, the security lead approves the removal batch, and you get a certification record and a revocation batch you can hand to whoever runs deprovisioning - with a complete, immutable record of every attestation.

What you'll build

A small internal web app, just for your team, that:

  • Lets you import the current access for each system - who holds access and when it was granted - from a CSV or sheet, and a manager / app-owner mapping so the right reviewer gets the right users.
  • Launches a time-boxed recertification campaign: a named review with a start, a deadline, and the exact scope of systems and users in it.
  • Gives each reviewer their own list of the users who currently hold access to the systems they own, and makes them attest keep or remove on every single one - with an optional reason.
  • Chases non-responders automatically with reminders as the deadline nears, and defaults to flagged (not auto-removed) for anyone the reviewer never got to - so nothing is revoked by silence.
  • Routes every "remove" decision through a security-lead approval - the reviewer proposes removals, security reviews and approves the batch, and only then is a revocation task generated.
  • Dedupes on user + system + campaign so the same access line can't be reviewed or revoked twice.
  • Produces an auditor-ready certification record and a revocation batch CSV in the columns your deprovisioning process expects, backed by an immutable attestation log.

What's inside the Implementation Plan

The plan is a single markdown file you paste into Claude Code (a free AI coding agent). It walks the agent through building the whole tool, step by step, each step ending with a ready-to-paste prompt.

The most important part: the plan opens by interviewing you about your business. Before it writes a single line, the agent asks how you run access reviews today, which systems are in scope and how their access exports are shaped, the real field names and ID conventions in your data (usernames, employee IDs, entitlement names), how you map systems to owners, your campaign cadence and reminder schedule, your exact rule for non-responders, who the security lead is that approves removals, and your messiest edge cases - shared and service accounts, a reviewer who left, an owner with hundreds of users, access granted mid-campaign. It reads a short tailored spec back to you, you confirm it, and only then does it build - so you get a tool shaped to your access-review process, not a generic template you have to fight.

Inside you'll find:

  • The discovery interview and how the agent turns your answers into the data model, the campaign scope, and the attestation rules.
  • The full build: database, login, access + owner-mapping import with duplicate guards, the campaign launcher, the per-reviewer keep/remove attestation screens, the non-responder reminders and flag-on-no-response default, the security-lead removal-approval gate, and the certification + revocation exports.
  • The hard human-in-the-loop lock - reviewer attests, then security approves - enforced in code, so no revocation task exists without both.
  • Verification steps so you can prove it works, and the CSV-export fallback so it's fully usable even before you connect it to any identity system.

The governance it includes (this is the point)

This isn't a toy. The plan builds in the controls an IT security / GRC team actually needs:

  • Login so only your team can see or touch anything.
  • Row-level security so people only see their own organization's data - and each reviewer only sees the users on the systems they own.
  • A complete, immutable audit trail - every import, attestation, reminder, approval, certification, and export is logged with who and when, and attestations can't be quietly edited after the fact.
  • A hard human-in-the-loop gate - the AI organizes and chases and drafts, but a real reviewer must attest keep/remove on each user and a real security lead must approve the removal batch; nothing is ever auto-revoked.
  • Default to flag, never auto-remove - a user the reviewer never got to is flagged for follow-up, not silently revoked by the deadline.
  • Duplicate guards so the same user + system + campaign can't be reviewed or revoked twice.
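The controls listed above (the user + system + campaign dedupe, the append-only attestation log, the flag-on-no-response default, per-reviewer row-level security, and the two-party gate before any revocation task exists) are all things Postgres can enforce below the application. The schema below is an added illustration written for this page, not the plan's own code or output; it assumes Supabase's `auth.uid()` is available, and the table and column names (`campaigns`, `access_lines`, `attestations`, `removal_approvals`, `revocation_tasks`, `close_campaign`) are hypothetical choices, not anything the plan prescribes.

```sql
-- Added example schema (not the runbookify plan's code). Assumes Supabase
-- Postgres, where auth.uid() returns the signed-in user's id.

create table campaigns (
  id         uuid primary key default gen_random_uuid(),
  name       text not null,
  starts_at  timestamptz not null,
  deadline   timestamptz not null,
  closed_at  timestamptz
);

-- One row per access line in scope. The unique constraint is the dedupe
-- guard: the same user + system + campaign cannot be imported twice.
create table access_lines (
  id           uuid primary key default gen_random_uuid(),
  campaign_id  uuid not null references campaigns(id),
  system_name  text not null,
  subject_user text not null,          -- username / employee id from the export
  granted_at   date,
  reviewer_id  uuid not null,          -- auth.users id of the owner or manager
  status       text not null default 'pending'
    check (status in ('pending', 'keep', 'remove', 'flagged')),
  unique (campaign_id, system_name, subject_user)
);

-- Attestations are append-only: one per line, never updated or deleted.
create table attestations (
  id             uuid primary key default gen_random_uuid(),
  access_line_id uuid not null unique references access_lines(id),
  reviewer_id    uuid not null default auth.uid(),
  decision       text not null check (decision in ('keep', 'remove')),
  reason         text,
  attested_at    timestamptz not null default now()
);

create or replace function refuse_change() returns trigger
language plpgsql as $$
begin
  raise exception 'attestations are immutable';
end $$;

create trigger attestations_immutable
  before update or delete on attestations
  for each row execute function refuse_change();

-- Mirror the decision onto the access line so reports read one table.
create or replace function apply_attestation() returns trigger
language plpgsql as $$
begin
  update access_lines set status = new.decision where id = new.access_line_id;
  return new;
end $$;

create trigger attestation_applied
  after insert on attestations
  for each row execute function apply_attestation();

-- Security-lead approval of a campaign's removal batch (one per campaign).
create table removal_approvals (
  campaign_id uuid primary key references campaigns(id),
  approver_id uuid not null default auth.uid(),
  approved_at timestamptz not null default now()
);

-- The hard gate: a revocation task can only be inserted when the line was
-- attested 'remove' AND the campaign's removal batch has been approved.
create table revocation_tasks (
  id             uuid primary key default gen_random_uuid(),
  access_line_id uuid not null unique references access_lines(id),
  created_at     timestamptz not null default now()
);

create or replace function enforce_revocation_gate() returns trigger
language plpgsql as $$
begin
  if not exists (
    select 1
      from attestations a
      join access_lines l       on l.id = a.access_line_id
      join removal_approvals ra on ra.campaign_id = l.campaign_id
     where a.access_line_id = new.access_line_id
       and a.decision = 'remove'
  ) then
    raise exception 'revocation needs a "remove" attestation and security approval';
  end if;
  return new;
end $$;

create trigger revocation_gate
  before insert on revocation_tasks
  for each row execute function enforce_revocation_gate();

-- Closing a campaign: lines nobody attested become 'flagged', never 'remove'.
create or replace function close_campaign(p_campaign uuid) returns void
language sql as $$
  update access_lines set status = 'flagged'
   where campaign_id = p_campaign and status = 'pending';
  update campaigns set closed_at = now() where id = p_campaign;
$$;

-- Row-level security: a reviewer sees, and attests on, only their own lines.
alter table access_lines enable row level security;
create policy reviewer_reads_own_lines on access_lines
  for select using (reviewer_id = auth.uid());

alter table attestations enable row level security;
create policy reviewer_attests_own_lines on attestations
  for insert with check (
    exists (select 1 from access_lines l
             where l.id = access_line_id and l.reviewer_id = auth.uid())
  );
```

The point of putting the gate in a trigger rather than in the Next.js route handler is that it holds no matter which code path, script, or dashboard tries to create a task: an insert into `revocation_tasks` without both the reviewer's "remove" and the security lead's approval row fails with an error, and `close_campaign` can only move untouched lines to `flagged`, so nothing is revoked by silence. The same schema also gives you the export directly: the certification record is `access_lines` joined to `attestations`, and the revocation batch is `revocation_tasks` joined back to the system and user columns.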

Who it's for

IT security and GRC analysts, application and system owners, compliance and audit liaisons, and IT managers who own periodic access reviews (user access recertification, entitlement reviews, SOX / SOC 2 / ISO 27001 access controls) and are tired of running them out of email and spreadsheets. If you have to prove, on a schedule, that every person with access to your systems was reviewed and explicitly kept or removed - and you want a real, auditable tool without buying a heavyweight identity-governance platform or hiring a developer - this is for you. You don't need to write code. You need your access exports, your owner mapping, and an afternoon-to-a-weekend.

You've got this - paste the first prompt and let the agent interview you.
