Tier 1 + Tier 2 · Access
Access configuration drifts silently. A permission is granted for one phase and never revoked; an administrator is switched to a local login and quietly loses single sign-on; a departed partner's privileged account stays live. This audit extracts the access picture, read-only, and surfaces the anomalies.
The full role-to-permission matrix is extracted read-only — a single, reviewable picture of who can do what.
Permissions that silently drop by phase, leaving users unable to act where they should — or able to act where they should not.
Configuration of security barriers and ODS information walls — two distinct mechanisms that this audit keeps separate rather than conflating.
Users flipped to a local 'Administrator' authentication type, which silently disables their single-sign-on (SSO) federation — a common and dangerous drift.
Privileged accounts with no login for 90 or more days — the accounts most worth disabling before an incident or an auditor asks.
The security layout is readable read-only over the provisioning (SCIM) interface; login recency comes from the administration and audit surface. No change is made — extraction only.
The role-to-permission matrix extracted cleanly; the anomalies were in the edges — phase-scoped permission gaps, a handful of administrators on local authentication (bypassing SSO), and dormant privileged accounts.
A defensible access picture — who can do what, where the walls leak, and which privileged accounts to disable — before an incident or an auditor asks the question for you.