Skip to main content
Access reviews help you verify that the right people have the right access — and that nobody retains permissions they no longer need. Layer supports both scheduled review campaigns and cost-based approval rules for new access requests.

Approval rules

Approval rules define who must approve a new access request based on its estimated monthly cost. You configure rules in Settings → Access approval rules.

How rules work

Each rule specifies:
  • A cost range — a minimum and optional maximum monthly cost.
  • Required approval stages — one or more of: Manager, IT, Security, or Finance.
  • Priority — when multiple rules match, all matching stages are combined into a single approval chain.
When someone requests access to a tool, Layer evaluates the request’s estimated monthly cost against all active rules. Every stage required by any matching rule is added to the approval chain, and stages always execute in a fixed order:
  1. Manager approval
  2. IT approval
  3. Security approval
  4. Finance approval
If no rules match a request, Layer defaults to requiring IT approval.

Create an approval rule

1

Open approval rules

Go to Settings → Access approval rules in your Layer dashboard.
2

Add a rule

Click Add rule and configure:
  • Name — a descriptive label (e.g. “High-value requests”).
  • Minimum monthly cost — the lower bound of the cost range.
  • Maximum monthly cost — the upper bound, or leave blank for no cap.
  • Required stages — toggle on the approval stages this rule requires.
  • Priority — a number to control rule ordering in the list.
3

Save

Click Save. The rule takes effect immediately for new requests.

Example

RuleCost rangeStages required
Low-value00–50/moManager
Mid-value5050–500/moManager, IT
High-value$500+/moManager, IT, Security, Finance
A request for a $200/month tool matches the mid-value rule, so it requires both manager and IT approval.

Access grants

When a request is approved, Layer creates an access grant. Grants can be:
  • Permanent — no expiration.
  • Temporary — expires after a set duration (1 to 168 hours). If no duration is specified, temporary grants default to 24 hours.
Expired temporary grants are automatically revoked.

Review campaigns

Review campaigns let you audit existing access on a regular cadence. You can run campaigns ad-hoc or on a quarterly or annual schedule.

Create a campaign

When you create a review campaign, you configure:
  • Scope — which identities and applications to include.
  • Reviewer strategy — how reviewers are assigned:
    • Explicit — you manually assign reviewers.
    • App owner — the designated owner of each application reviews access.
    • Manager — each user’s manager reviews their access.
  • Deadline — days until the review is due (1–365 days, default 7).
  • Escalation — days after the deadline before escalation triggers (1–90 days, default 3).

Review lifecycle

Each review in a campaign moves through these states:
StatusMeaning
PendingAwaiting reviewer action
CompletedReviewer confirmed or revoked access
ExpiredDeadline passed without action
OverduePast deadline but still pending
EscalatedEscalation triggered after overdue period
Campaign dashboards show real-time completion percentages, overdue counts, and escalation status so you can track progress.

Export results

You can export review results for compliance reporting. Exports include all review decisions, reviewer identities, timestamps, and any notes. Use this for SOC 2 evidence or internal audit documentation.