> ## Documentation Index
> Fetch the complete documentation index at: https://docs.opal.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Assign and complete reviews

> Learn how to assign and complete User Access reviews in Opal.

This guide assumes you have already [created a User Access Review](/docs/access-reviews).

## Assign reviewers

<Info>
  If you don't see an option to assign reviewers, ensure you're an **Opal
  Auditor** or an owning team admin.
</Info>

If you are an **Auditor **or **owning team admin**, you can assign reviewers.

In the **User Review** tab, you can manage and assign reviewers for user access points. Assign reviewers to a single user row by clicking **Assign Reviewers** for that row, or bulk assign by selecting multiple rows and clicking **Assign Reviewers** in the top right. If you've chosen an auto-assignment policy, you can still manually re-assign reviews.

<img src="https://mintcdn.com/opalsecurity/odnvD_MsXBxTor9u/images/docs/9303bbfbee9b245a373c715b94c6ec22a5859ccb20d1e4d61d18b45ef051fbf2-uar-assign-reviewers.png?fit=max&auto=format&n=odnvD_MsXBxTor9u&q=85&s=c035c4410fc09386cdf323ea17e0929a" alt="" width="2869" height="1383" data-path="images/docs/9303bbfbee9b245a373c715b94c6ec22a5859ccb20d1e4d61d18b45ef051fbf2-uar-assign-reviewers.png" />

In the **Group Review** tab, you can manage and assign reviewers for group access points. Assign reviewers to a single user row by clicking **Assign Reviewers** for that row, or bulk assign by selecting multiple rows and clicking **Assign Reviewers** in the top right.

<img src="https://mintcdn.com/opalsecurity/4Xj9diJ3E3kX-9Xd/images/docs/d9d268d0396d5688a7a4893d965541c7e0642e17bf58412a93acf6b1f7d3a872-uar-assign-groups.png?fit=max&auto=format&n=4Xj9diJ3E3kX-9Xd&q=85&s=38255cc4973f0b8210360133e8be05af" alt="" width="2862" height="1352" data-path="images/docs/d9d268d0396d5688a7a4893d965541c7e0642e17bf58412a93acf6b1f7d3a872-uar-assign-groups.png" />

After you assign a reviewer, Opal shows one of several reviewer statuses.

<img src="https://mintcdn.com/opalsecurity/lwwIeFbsleftxaXx/images/docs/bc4708fe95c05a9e2cb24f35682f08e3421cef990ceed587cb13ea1f72bc3a09-uar-status.png?fit=max&auto=format&n=lwwIeFbsleftxaXx&q=85&s=9ca38450a8d4aad14e485a7cc71eb10b" alt="" width="2733" height="1365" data-path="images/docs/bc4708fe95c05a9e2cb24f35682f08e3421cef990ceed587cb13ea1f72bc3a09-uar-status.png" />

The following are possible status types:

* **Not Started: **No reviewer(s) have taken action

* **Completed**: All reviewer(s) have completed the review

* **Partially Completed: **If there is only one reviewer, then the reviewer has started but has not completed the review. If there are multiple reviewers, then not all reviewers have completed the review.

* **Needs Attention:**
  * This status type indicates an error that needs to be addressed. Click on the **Needs Attention **status to see error details. In this example, the warning indicates **Self reviews are not allowed**, and an admin must add another owner for approval.

<img src="https://mintcdn.com/opalsecurity/E-CmJXh0QNjZUl4g/images/docs/6c9d9e3-Screenshot_2023-07-26_at_3.27.31_PM.png?fit=max&auto=format&n=E-CmJXh0QNjZUl4g&q=85&s=34fb3a0157ab37efd677a21813eaef58" alt="" width="1322" height="1096" data-path="images/docs/6c9d9e3-Screenshot_2023-07-26_at_3.27.31_PM.png" />

## Complete reviews

After an admin assigns a reviewer, a snapshot for the resource and/or group is created for review. If an admin changes a resource or group after a review begins, the review won't capture this change.

**My Reviews** shows reviews assigned to the logged-in user. After reviewers select a row to review, they are shown an overview of users and groups whose access to a resource must be reviewed.

<Info>
  To review access for a resource or group, ensure you select the **row**, not
  the resource or group name.
</Info>

The **Group by User** and **Group by Resource** buttons control how reviews are grouped, which can be useful to change based on your requirements. These options are available on Opal Cloud and self-hosted Opal versions 1.0.912 and later.

<img src="https://mintcdn.com/opalsecurity/E-CmJXh0QNjZUl4g/images/docs/6ffca1ac9e58cbcecb14f1b46b69600ad274d333d147db5682d9f559c9644cda-group-by.png?fit=max&auto=format&n=E-CmJXh0QNjZUl4g&q=85&s=1477482831736d9bb006f66ea780ec2b" alt="" width="2989" height="1387" data-path="images/docs/6ffca1ac9e58cbcecb14f1b46b69600ad274d333d147db5682d9f559c9644cda-group-by.png" />

<img src="https://mintcdn.com/opalsecurity/TlQj9FwRe9HHNEYB/images/docs/00bd257-ReviewModal.png?fit=max&auto=format&n=TlQj9FwRe9HHNEYB&q=85&s=a86f1badb17b0a9240fb0f459ba2cfdb" alt="" width="2958" height="1658" data-path="images/docs/00bd257-ReviewModal.png" />

For each row, reviewers can:

* **Approve** the user or resource by clicking on the **Accept** checkmark button

<img src="https://mintcdn.com/opalsecurity/lwwIeFbsleftxaXx/images/docs/d6c7265-Screenshot_2024-03-05_at_4.35.25_PM.png?fit=max&auto=format&n=lwwIeFbsleftxaXx&q=85&s=d38ee6b6ce5ccb5491b8b49d7fe42bec" style={{ width: "50%" }} width="618" height="216" data-path="images/docs/d6c7265-Screenshot_2024-03-05_at_4.35.25_PM.png" />

* **Reject** the user or resource by clicking on the **Revoke** x button

<img src="https://mintcdn.com/opalsecurity/CCjTTkaW-43B4efd/images/docs/f98b731-Screenshot_2024-03-05_at_4.36.19_PM.png?fit=max&auto=format&n=CCjTTkaW-43B4efd&q=85&s=e0c5f0d9c52973dd1e6f42f36d32176e" style={{ width: "50%" }} width="626" height="126" data-path="images/docs/f98b731-Screenshot_2024-03-05_at_4.36.19_PM.png" />

* Select **Add note** to explain access decisions:

<img src="https://mintcdn.com/opalsecurity/E-CmJXh0QNjZUl4g/images/docs/5b53148-Screenshot_2024-03-05_at_4.39.43_PM.png?fit=max&auto=format&n=E-CmJXh0QNjZUl4g&q=85&s=fb838568ed5b85f538f235c7deb7a537" style={{ width: "50%" }} width="502" height="332" data-path="images/docs/5b53148-Screenshot_2024-03-05_at_4.39.43_PM.png" />

UAR reviewers can also modify a user's role by selecting **Swap Roles** in User \< > Resource and User \< > Group mappings. This creates a request that follows the access request flow configured for that resource. This request has to be approved by that resource's reviewers in order for the role modification to propagate.

<Warning>
  If there is no request flow configured, the user's role will not be modified.
  A notification will be sent to the reviewer that an attempt to modify that
  user's role has failed.
</Warning>

<img src="https://mintcdn.com/opalsecurity/4oz8M5t3WSN3kPqR/images/docs/uars-swap-roles.png?fit=max&auto=format&n=4oz8M5t3WSN3kPqR&q=85&s=33456c0e10f22daf66584db18f7146e0" alt="" width="2757" height="1613" data-path="images/docs/uars-swap-roles.png" />

**Bulk action** can be performed on multiple rows by selecting rows and choosing an option from the top bulk action bar.

<img src="https://mintcdn.com/opalsecurity/TlQj9FwRe9HHNEYB/images/docs/0ee4ea1636a86fcf4b23b892e095bb90e807303361f1cf5665eaada384795f14-bulk-accept.png?fit=max&auto=format&n=TlQj9FwRe9HHNEYB&q=85&s=ff866ec1942e0abeb62df4c468eed7e9" alt="" width="2988" height="1509" data-path="images/docs/0ee4ea1636a86fcf4b23b892e095bb90e807303361f1cf5665eaada384795f14-bulk-accept.png" />

After you review all users or resources, select **Submit access review** in the bottom right. You cannot modify approvals and revocations after you've submitted. Changes are only propagated to end systems when all the UAR's items have been reviewed and the review is marked as completed.

<Frame caption="Submit reviews to mark approvals and revocations for users or resources.">
  <img src="https://mintcdn.com/opalsecurity/KunPWigry5GIeB5g/images/docs/474912732659e3e594d15c38aa4ea46ee7fef7762e3e4a219c0ccbeebedfb546-submit-uar.png?fit=max&auto=format&n=KunPWigry5GIeB5g&q=85&s=ae42810ea4e2303c0417d9bbb43c4696" width="3463" height="1794" data-path="images/docs/474912732659e3e594d15c38aa4ea46ee7fef7762e3e4a219c0ccbeebedfb546-submit-uar.png" />
</Frame>

<Frame caption="Mark reviews as completed to propagate access changes in the end system.">
  <img src="https://mintcdn.com/opalsecurity/CCjTTkaW-43B4efd/images/docs/f7ff8e4539706b3b05ab9f74bd96497128837b2a83ae469c2becf2ba95e0cb77-completed-access-review.png?fit=max&auto=format&n=CCjTTkaW-43B4efd&q=85&s=c18255c3ea7bb5310359824d9b9c840b" width="3464" height="1432" data-path="images/docs/f7ff8e4539706b3b05ab9f74bd96497128837b2a83ae469c2becf2ba95e0cb77-completed-access-review.png" />
</Frame>

### Access Changes

To view and manage proposed changes, go to the **Access Changes** tab.

<img src="https://mintcdn.com/opalsecurity/lt0M-hBs5yNe5ff5/images/docs/af31e7e9933b6486e2b1499632d9dbf327a1dbba674bb1cc49a0b0aa319e1d5c-access-changes.png?fit=max&auto=format&n=lt0M-hBs5yNe5ff5&q=85&s=e5d555ae8afe253fd2d605bb295eb277" alt="" width="2678" height="1345" data-path="images/docs/af31e7e9933b6486e2b1499632d9dbf327a1dbba674bb1cc49a0b0aa319e1d5c-access-changes.png" />

### Revocation rules

**For connected applications**, Opal automatically revokes access on the end system based on the reviewer's decision, so after submitting a revoke decision, you do not need to perform any more actions.

If your connection uses a **custom connector**, you must implement the [DELETE](/docs/api-spec#delete-%2Fgroups%2F%7Bgroup-id%7D%2Fusers%2F%7Buser-id%7D) `/groups/{group_id}/users/{user_id}` or [DELETE](/docs/api-spec#delete-%2Fresources%2F%7Bresource-id%7D%2Fusers%2F%7Buser-id%7D) `/resources/{resource_id}/users/{user_id}` endpoints to revoke users on your end system.

If the endpoint returns a 200 success code, Opal marks the access as revoked. If the endpoint is not implemented or returns an error code, access is marked **Needs end-system revocation** and you must manually update it.

<img src="https://mintcdn.com/opalsecurity/KunPWigry5GIeB5g/images/docs/3ede9ba-SCR-20230726-oszh.png?fit=max&auto=format&n=KunPWigry5GIeB5g&q=85&s=55a4529ddfaa8679f552588f9ef1a7ad" alt="" width="2144" height="246" data-path="images/docs/3ede9ba-SCR-20230726-oszh.png" />

<img src="https://mintcdn.com/opalsecurity/4Xj9diJ3E3kX-9Xd/images/docs/eef151b-SCR-20230726-otib.png?fit=max&auto=format&n=4Xj9diJ3E3kX-9Xd&q=85&s=1ebc9498bf4b57832755c4d4f6ca2603" alt="" width="2152" height="244" data-path="images/docs/eef151b-SCR-20230726-otib.png" />

If the connection uses **webhooks**, access will be marked as **Needs end-system revocation**, because webhooks only perform push events. Opal does not interpret webhook responses, so you'll need to manually mark access as revoked.