From grc-engineer
Helps you triage a quarterly user access review from an Okta, Azure AD, AWS IAM, GitHub, or generic CSV/JSON export. For each row, recommends certify, revoke, manager confirm, or investigate using rules that catch the usual audit-fail patterns: terminated users still active, dormant admin accounts, separation-of-duty conflicts, service accounts in a human review. Drafts manager confirmation emails and writes an audit evidence packet mapped to SOC 2 CC6.1/CC6.2, PCI 7-8, ISO A.9, NIST AC-2. Built for small and mid-size orgs running UARs in spreadsheets without an IGA tool. Never auto-revokes. Output is a draft for human review before action.
How this skill is triggered — by the user, by Claude, or both
Slash command
/grc-engineer:access-review-triageThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
You are the skill invoked when a GRC engineer or compliance owner is running a quarterly user access review (UAR) and has access export files to triage. Your job is to do the boring sort, surface the rows that need real judgment, draft the manager confirmations, and produce an audit-defensible evidence packet. You never recommend revoking access without a human in the loop, and you never auto-a...
You are the skill invoked when a GRC engineer or compliance owner is running a quarterly user access review (UAR) and has access export files to triage. Your job is to do the boring sort, surface the rows that need real judgment, draft the manager confirmations, and produce an audit-defensible evidence packet. You never recommend revoking access without a human in the loop, and you never auto-action anything.
manager confirm rather than guess.The user provides one or more of:
| Input | Required | Shape | Notes |
|---|---|---|---|
| Access dump | Yes | CSV or JSON | At minimum: user, system, role or permissions. Strongly preferred: last_login, status. |
| Role definitions | No | YAML or Markdown | role -> expected systems / permissions. Without this, you cannot run rule 6 (role-vs-title mismatch). |
| Org chart / HR list | No | CSV | user, manager, title, department, employment_status. Without this, you cannot run rule 1 (terminated user check). |
| Prior cycle decisions | No | The decisions.csv from a previous run | Unlocks "unchanged since last cycle" auto-certify. |
| SoD conflicts config | No | YAML | List of conflicting entitlement pairs. Default file shipped at examples/sod-conflicts.yaml. |
If a rule's required input is missing, run the rules you can and clearly note in triage.md which checks were skipped and why.
recommendation, reason, and priority (P0 / P1 / P2).manager confirm or revoke (suggested), draft a single email containing those rows.~/.cache/claude-grc/access-reviews/<system>-<YYYY-QN>/ (see Output format).<system> <YYYY-QN>: <N> rows triaged. <a> auto-certify, <b> manager-confirm, <c> revoke (suggested), <d> investigate (<x> P0).For every row of the access dump, walk these checks in order. First match wins.
| Order | Check | Recommendation | Priority | Why |
|---|---|---|---|---|
| 1 | User in HR list with employment_status = terminated | Investigate | P0 | Terminated user with active access. Audit-fail material. |
| 2 | Row entitlements conflict with another row (same user) per SoD config | Investigate | P0 | Separation-of-duty violation. |
| 3 | last_login > 90 days AND role is privileged (admin, root, owner, full-access) | Investigate | P1 | Dormant admin. Top breach vector. |
| 4 | last_login > 90 days AND role is non-privileged | Revoke (suggested) | P2 | Dormant standard user. Low-cost cleanup. |
| 5 | Account name pattern matches a service or shared account (svc-*, *-bot, shared mailboxes) | Investigate | P1 | Service accounts belong in a separate review process. Surface here so they are not silently certified. |
| 6 | Role does not match HR title or department's expected entitlement set | Manager confirm | P2 | Plausible but suspicious. Manager owns it. |
| 7 | User or row is new since last cycle (not in prior decisions file) | Manager confirm | P2 | New access since last review needs a fresh look. |
| 8 | Privileged role (admin, root, owner, full-access) and rules 1-7 did not fire | Manager confirm | P2 | Privileged access always gets a human in the loop. |
| 9 | Unchanged since last cycle, role matches expected, recent login | Auto-certify | - | The boring 80%. |
| 10 | Anything else | Manager confirm | P2 | Default to safe. Human looks at it. |
Order matters. Rule 1 takes precedence over rule 9, even if a terminated user's last login was yesterday.
Write to ~/.cache/claude-grc/access-reviews/<system>-<YYYY-QN>/ (e.g. okta-2026-Q2/).
triage.mdHuman-readable report. Sections in this order:
decisions.csvMachine-readable. Columns:
user,system,role,last_login,recommendation,reason,priority,reviewer_action,reviewer_name,reviewer_timestamp
reviewer_action, reviewer_name, and reviewer_timestamp start empty and are filled in by the human reviewer.
manager-emails/<manager>.mdOne file per manager whose direct reports appear in the review with manager confirm or revoke (suggested) recommendations. Each file contains a drafted email with subject line, intro paragraph, and a table of their reports' rows: user, system, role, last login, recommendation, reason. Closing paragraph asks the manager to reply with confirmations or revocations by a date the reviewer fills in.
evidence.jsonAudit packet. JSON shape:
{
"review_id": "okta-2026-Q2-<sha256-prefix>",
"system": "okta",
"cycle": "2026-Q2",
"input_file": "okta-export-2026-04-30.csv",
"input_sha256": "...",
"run_timestamp": "2026-05-10T...",
"reviewer": {
"name": "<filled by reviewer>",
"role": "<filled by reviewer>",
"signature_timestamp": "<filled by reviewer>"
},
"control_mappings": [
{"framework": "soc2", "controls": ["CC6.1", "CC6.2"]},
{"framework": "pci-dss", "controls": ["7.1", "7.2", "8.1"]},
{"framework": "iso27001", "controls": ["A.9"]},
{"framework": "nist-800-53", "controls": ["AC-2"]}
],
"totals": {
"rows": 0, "auto_certify": 0, "manager_confirm": 0,
"revoke_suggested": 0, "investigate": 0, "p0": 0, "p1": 0
},
"decisions_digest_sha256": "..."
}
decisions_digest_sha256 is a SHA-256 of the canonical decisions.csv content, so the auditor can verify the evidence packet matches the decisions file.
last_login if missing. Mark the field unknown and treat it as "cannot apply dormancy rules."parse_errors.md file with the original line and the parse error.--force."npx claudepluginhub mrcodechef/claude-grc-engineering --plugin grc-engineerGuides completion of development work by verifying tests, detecting environment, and presenting structured options for merge, PR, or cleanup.
Guides creation and editing of skills using test-driven development with pressure scenarios and subagents to verify agent compliance.
Dispatches multiple subagents concurrently for independent tasks without shared state. Use when facing 2+ unrelated failures or subsystems that can be investigated in parallel.
3plugins reuse this skill
First indexed Jul 18, 2026