Governance
Governance in AccessHive is the set of rules and automations that control who can access what, under what conditions, and for how long. It keeps your agency’s access secure, auditable, and compliant with regulatory requirements – without requiring constant manual oversight.
How governance works
AccessHive evaluates every access action against your governance policies. When a team member requests access, checks out a credential, or receives a new role, the system applies the relevant rules automatically: routing approvals, enforcing time limits, flagging over-provisioned users, and revoking access when it expires.
You configure these policies once in Settings > Governance, and the system enforces them across all platforms and clients.
Key terms
| Term | Meaning |
|---|---|
| Approval policy | A rule that determines who must approve a request and under what conditions |
| Risk level | A rating (low, medium, high, or critical) the system assigns to each request based on the sensitivity of the permissions involved |
| Role-Based Access Control (RBAC) | A model where users receive permissions through roles rather than individual grants |
| Auto-remediation | Automatic revocation of access that violates governance policies, after a configurable warning |
| Joiner-Mover-Leaver (JML) | Lifecycle automation that adjusts access when someone joins, changes roles, or leaves your agency |
Approval policies
Approval policies control who can approve access requests and what level of scrutiny each request receives.
| Risk level | Default behavior |
|---|---|
| Low | Auto-approve (when enabled in settings) |
| Medium | One approver required |
| High | Senior approver or manager required |
| Critical | Multiple approvers required |
You can customize these defaults by adjusting:
- Risk level thresholds that determine how requests are classified
- Escalation time limits for requests that go unanswered
- Approver group assignments for different platforms or clients
- Client-specific overrides that apply stricter rules for certain accounts
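The routing logic described above, as an added example that is not AccessHive's own code: it applies the default table, the auto-approve setting for low-risk requests, an escalation deadline, and client-specific overrides that can only raise the risk classification. All names (`Settings`, `route_request`, `client_floor`) are assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Risk levels in increasing order of sensitivity.
RISK_ORDER = ["low", "medium", "high", "critical"]

# Default behaviour per risk level, as listed in the table above:
# (approvers required, senior approver or manager required).
DEFAULTS = {
    "low": (0, False),        # auto-approve, only when enabled in settings
    "medium": (1, False),
    "high": (1, True),
    "critical": (2, True),
}

@dataclass
class Settings:
    auto_approve_low: bool = False
    escalation_hours: int = 24
    # Client-specific overrides: client -> minimum risk level applied to its requests.
    client_floor: dict = field(default_factory=dict)

@dataclass
class Decision:
    effective_risk: str
    approvers_required: int
    senior_required: bool
    auto_approved: bool
    escalate_at: Optional[datetime]   # None when auto-approved

def route_request(risk: str, client: str, settings: Settings, now: datetime) -> Decision:
    """Decide how a request is approved. Client overrides may only make the rule stricter."""
    if risk not in DEFAULTS:
        raise ValueError(f"unknown risk level: {risk}")
    effective = risk
    floor = settings.client_floor.get(client)
    if floor and RISK_ORDER.index(floor) > RISK_ORDER.index(risk):
        effective = floor
    approvers, senior = DEFAULTS[effective]
    auto = approvers == 0 and settings.auto_approve_low
    if approvers == 0 and not auto:
        approvers = 1   # auto-approval disabled: low-risk requests still need one approver
    escalate_at = None if auto else now + timedelta(hours=settings.escalation_hours)
    return Decision(effective, approvers, senior, auto, escalate_at)

# Constructed sample timestamp used when exercising the function.
NOW = datetime(2025, 1, 6, 9, 0)
```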
Role-Based Access Control (RBAC)
AccessHive uses RBAC to manage what your team members can see and do inside the platform.
Built-in roles
| Role | What they can do |
|---|---|
| Owner | Full access to the platform, including billing and agency settings |
| Admin | Manage clients, configure platforms, and create identities |
| Approver | Review and approve access requests and Privileged Access Management (PAM) session checkouts |
| Security Owner | View audit logs, run compliance reports, and manage governance policies |
| Client Manager | Handle client-scoped operations and team management |
You can also create custom roles with specific permission sets to match your agency’s structure.
Automatic role assignment
Directory groups from your identity source – such as Google Workspace (GWS) or Microsoft Entra ID – can be mapped to platform roles:
- Define a mapping – Link a directory group to a role on a specific platform.
- Users are assigned automatically – When someone is added to the group, they receive the mapped role.
- Removal is automatic too – Removing someone from the group revokes the role.
Use the mapping preview to see which users would be affected before activating a new role mapping. This prevents unintended access grants.
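How a mapping preview and the automatic grant/revoke on group membership changes can be computed, as an added example rather than AccessHive's implementation. It assumes each assignment records its `source` (manual or the mapping that created it) so that a group removal revokes only what the mapping granted; the sample group and assignments are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Mapping:
    group: str      # directory group, e.g. from Google Workspace or Entra ID
    platform: str
    role: str

@dataclass(frozen=True)
class Assignment:
    user: str
    platform: str
    role: str
    source: str     # "manual" or "mapping:<group>" (assumed bookkeeping field)

def _via(mapping, a):
    """True if assignment a was granted by this mapping."""
    return (a.source == f"mapping:{mapping.group}"
            and a.platform == mapping.platform and a.role == mapping.role)

def preview(mapping, groups, current):
    """Dry run: users who would gain the role, and users whose mapping-sourced role
    would be revoked, if the mapping were activated. Nothing is changed."""
    members = set(groups.get(mapping.group, ()))
    holders = {a.user for a in current
               if a.platform == mapping.platform and a.role == mapping.role}
    via_mapping = {a.user for a in current if _via(mapping, a)}
    return {"grant": sorted(members - holders), "revoke": sorted(via_mapping - members)}

def reconcile(mapping, groups, current):
    """Activate the mapping: apply the previewed grants and revocations and return
    the new assignment set. Manual grants are never touched."""
    change = preview(mapping, groups, current)
    result = {a for a in current if not (_via(mapping, a) and a.user in change["revoke"])}
    for user in change["grant"]:
        result.add(Assignment(user, mapping.platform, mapping.role, f"mapping:{mapping.group}"))
    return result

# Constructed sample data: one directory group and the current assignments.
GROUPS = {"approvers@example.com": {"alice", "bob"}}
CURRENT = {
    Assignment("bob", "gws", "Approver", "mapping:approvers@example.com"),
    Assignment("carol", "gws", "Approver", "mapping:approvers@example.com"),  # left the group
    Assignment("dave", "gws", "Approver", "manual"),                           # granted by hand
}
MAPPING = Mapping("approvers@example.com", "gws", "Approver")
```

Running `preview(MAPPING, GROUPS, CURRENT)` before activating shows alice would be granted and carol revoked, while dave's manual grant is left alone.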
Permission analysis
The permission analysis tool helps you keep access tight by identifying:
- Over-provisioned users – People with more access than their role requires.
- Stale access – Permissions that have not been used in a configurable period.
- Least-privilege recommendations – Suggestions to reduce access to the minimum needed.
Auto-remediation
When enabled, auto-remediation enforces your governance policies automatically:
- Revokes access that violates active policies
- Sends a configurable warning to affected users and admins before revoking
- Logs every automated action in the audit trail
- Allows manual overrides when an admin needs to make an exception
Auto-remediation can revoke access without manual intervention. Configure warning periods and notification channels before turning it on to avoid disrupting active work.
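The permission analysis and auto-remediation passages above, as one added example that is not AccessHive's code: it flags over-provisioned and stale grants against role definitions, then runs a remediation pass that warns first, revokes only after the warning period, honours admin overrides, and logs every action. The thresholds, roles and grants are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Grant:
    user: str
    permission: str
    last_used: Optional[datetime]         # None = never used
    warned_at: Optional[datetime] = None  # set by the first remediation pass
STALE_AFTER = timedelta(days=90)    # configurable "unused" period
WARNING_PERIOD = timedelta(days=7)  # warn this long before revoking

def analyse(grants, role_permissions, user_roles, now):
    """Flag over-provisioned grants (no role of the user justifies them) and stale ones."""
    findings = []
    for g in grants:
        allowed = set()
        for role in user_roles.get(g.user, ()):
            allowed |= role_permissions.get(role, set())
        if g.permission not in allowed:
            findings.append(("over-provisioned", g))
        elif g.last_used is None or now - g.last_used > STALE_AFTER:
            findings.append(("stale", g))
    return findings

def remediate(findings, now, overrides, audit):
    """One pass: warn first, revoke after WARNING_PERIOD, skip admin exceptions, log all."""
    kept = []
    for reason, g in findings:
        if (g.user, g.permission) in overrides:
            audit.append((now, "override", g.user, g.permission, reason))
            kept.append(g)
        elif g.warned_at is None:
            g.warned_at = now
            audit.append((now, "warned", g.user, g.permission, reason))
            kept.append(g)
        elif now - g.warned_at >= WARNING_PERIOD:
            audit.append((now, "revoked", g.user, g.permission, reason))
        else:
            kept.append(g)  # still inside the warning period
    return kept

# Constructed sample data.
NOW = datetime(2025, 1, 6, 9, 0)
ROLE_PERMS = {"Approver": {"requests:approve", "pam:checkout"}}
USER_ROLES = {"alice": ["Approver"], "bob": ["Approver"]}
GRANTS = [Grant("alice", "requests:approve", NOW - timedelta(days=3)),
          Grant("alice", "billing:manage", NOW - timedelta(days=1)),   # not in Approver
          Grant("bob", "pam:checkout", NOW - timedelta(days=120))]     # unused 120 days
```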
Joiner-Mover-Leaver (JML) automation
JML automation adjusts access automatically when someone’s role in your agency changes.
| Event | What happens |
|---|---|
| Joiner – A new user joins | The system assigns a role template based on their job function, provisions platform access, creates client assignments, and sends a welcome notification |
| Mover – A user changes roles | The system revokes the old role template, applies the new one, reconciles platform permissions, and notifies affected approvers |
| Leaver – A user departs | The system revokes all access immediately, rotates shared credentials they had access to, archives their audit trail, and notifies the security team |
Compliance reports
AccessHive includes pre-built reports for regulatory and internal compliance:
| Report | What it shows |
|---|---|
| Access Matrix | A full map of who has access to what across all platforms |
| Stale Access | Unused permissions that should be reviewed or revoked |
| Drift Report | Deviations from your defined governance policies |
| Executive Dashboard | A high-level compliance and risk summary for leadership |
Reports can be generated on demand, scheduled for automatic delivery, exported to CSV or PDF, and filtered by client, platform, or time period. See Reports for details.
Related pages
- Set up approval workflows – See the Access Requests guide.
- Configure PAM checkout policies – See PAM Sessions.
- Assign roles with templates – See Role Templates.
- Review the audit trail – See Audit Trail.