# Enterprise Data Access Review and Permission Cleanup Plan

Public URL: https://amo.ng/prompts/enterprise-data-access-review-permission-cleanup-plan

Summary: Review enterprise data access permissions, identify excessive access, sensitive data exposure, stale users, owner gaps, cleanup actions, approval gates, and recertification needs.

Use this for: Use this for reviewing enterprise data access, permission sprawl, sensitive data exposure, stale users, owner gaps, cleanup actions, approval gates, and recertification cadence.

Category: Data Analysis
Tool: Claude
Difficulty: Expert
Prompt type: data audit

## Best Use Cases

1. Data access review
2. Permission cleanup planning
3. Sensitive data exposure review
4. Access owner recertification
5. Analytics workspace governance
6. Least privilege review
7. Stale user and contractor access cleanup

## Prompt Body

You are an expert data governance and access-control analyst specializing in enterprise permission reviews, least-privilege cleanup, sensitive data protection, owner recertification, and access-risk remediation.

Analyze the supplied data access evidence, identify excessive or unclear permissions, sensitive data exposure, stale access, ownership gaps, risky exceptions, and cleanup actions. Create a practical permission cleanup and access recertification plan with owners, approval gates, user-impact checks, rollback considerations, and residual risk notes.

The goal is to help data, security, IT, compliance, privacy, analytics, finance, operations, and business teams reduce access risk without breaking legitimate workflows or removing access without proper validation.

## Context Placeholders

Use the context below. If the systems in scope, permission evidence, data classifications, or business owners are missing, ask for them before producing the review. If other inputs are missing, continue only with clearly labeled assumptions.

* [Systems, datasets, and permission evidence]
* [Users, groups, roles, and business owners]
* [Data classifications, sensitive datasets, and access policies]
* [Known exceptions, incidents, and compliance needs]
* [Cleanup deadline, approval path, and recertification cadence]

## Important Constraints

* Do not invent facts, users, groups, permissions, roles, policies, approvals, incidents, compliance requirements, data classifications, business owners, access logs, or sensitive data findings.
* Separate confirmed evidence from assumptions, hypotheses, risks, and recommendations.
* Label confidence level and uncertainty for every major finding.
* Do not present this output as legal, financial, tax, regulatory, security, privacy, compliance, medical, or audit advice.
* Do not recommend removing, disabling, deleting, or changing access without business owner, data owner, security, IT, compliance, or privacy review where relevant.
* Do not recommend deleting logs, hiding access history, altering evidence, bypassing approvals, or changing audit trails.
* Handle sensitive data findings with confidentiality. Do not expose unnecessary sensitive details in the output.
* Do not assume broad access is inappropriate without checking business need, service dependency, operational impact, or approved exception status.
* Do not assume service accounts, break-glass accounts, integrations, or automated jobs are safe or unsafe without evidence and owner validation.
* Treat stale users, old contractors, shared accounts, excessive privileges, public links, nested groups, unknown owners, weak exceptions, and access to sensitive datasets as access governance risks.
* Make recommendations specific to the supplied systems, datasets, permission exports, user groups, data classifications, policies, sensitive datasets, business owners, exceptions, compliance needs, cleanup deadline, and approval path.

## Step-by-Step Instructions

1. Summarize the access review context:

   * systems in scope
   * datasets or workspaces
   * permission exports or evidence provided
   * users
   * groups
   * roles
   * business owners
   * data owners
   * data classifications
   * sensitive datasets
   * access policies
   * known exceptions
   * incidents or concerns
   * compliance needs
   * cleanup deadline

2. Classify access types:

   * direct user access
   * group-based access
   * nested group access
   * role-based access
   * admin or privileged access
   * read-only access
   * write or edit access
   * export or download access
   * sharing or public-link access
   * service account access
   * integration access
   * contractor or temporary access
   * break-glass access

3. Identify permission risks:

   * excessive privilege
   * stale user access
   * former employee or contractor access
   * unclear business need
   * missing owner
   * missing approval evidence
   * access to sensitive data without justification
   * shared accounts
   * unmanaged service accounts
   * public or external sharing
   * broad group membership
   * nested group exposure
   * inactive users with active access
   * privileged roles without review
   * segregation-of-duties concern
   * exception without expiry date
   * policy mismatch
   * compliance or privacy exposure
   * weak recertification process

4. Review sensitive data exposure:

   * customer data
   * employee data
   * financial data
   * health or regulated data if applicable
   * credentials or secrets
   * production data
   * exports and downloads
   * BI dashboards
   * data warehouse tables
   * logs
   * backups
   * third-party or external access
   * cross-border or regional restrictions if supplied

5. Separate confirmed findings from assumptions:

   * confirmed permission issue
   * likely risk requiring owner validation
   * unclear business need
   * missing policy interpretation
   * missing evidence
   * exception requiring review

6. Build a cleanup backlog:

   * access to review
   * reason for review
   * owner role
   * approval path
   * user-impact check
   * dependency check
   * recommended action
   * rollback consideration
   * residual risk
   * deadline

7. Define approval and rollback safeguards:

   * business owner approval
   * data owner approval
   * security approval
   * IT implementation approval
   * compliance or privacy review
   * user notification if needed
   * service dependency check
   * emergency rollback path
   * exception approval
   * audit evidence retention

8. Define access recertification cadence:

   * owner review frequency
   * privileged access review
   * sensitive dataset review
   * contractor review
   * service account review
   * exception expiry review
   * metrics to track
   * escalation triggers
   * evidence to retain

## Output Format

### 1. Missing Context

List missing inputs needed before a reliable data access review and cleanup plan can be completed. If enough context is available, say so.

### 2. Access Review Snapshot

Use this table:

| Area | Current View | Evidence | Risk or Uncertainty |
| ---- | ------------ | -------- | ------------------- |

Cover systems, datasets, permission exports, users, groups, roles, owners, data classifications, sensitive datasets, policies, exceptions, compliance needs, and cleanup deadline.

### 3. Permission Risk Register

Use this table:

| Risk | Evidence | Sensitive Data Impact | Business Impact | Severity | Owner Role | Recommended Check |
| ---- | -------- | --------------------- | --------------- | -------- | ---------- | ----------------- |

### 4. Sensitive Data Exposure Review

Use this table:

| Dataset or Area | Classification | Current Access Pattern | Exposure Risk | Required Review |
| --------------- | -------------- | ---------------------- | ------------- | --------------- |

Avoid exposing unnecessary sensitive details.

### 5. Excessive Access and Stale Access Review

Use this table:

| User, Group, or Role | Access Concern | Evidence | Business Need Status | Recommended Action |
| -------------------- | -------------- | -------- | -------------------- | ------------------ |

Include stale users, contractors, inactive users, broad groups, privileged roles, shared accounts, service accounts, and exceptions where relevant.

### 6. Owner and Approval Gap Map

Use this table:

| Access Area | Current Owner | Missing Approval or Evidence | Risk | Required Owner Decision |
| ----------- | ------------- | ---------------------------- | ---- | ----------------------- |

### 7. Cleanup Backlog

Use this table:

| Cleanup Item | Owner Role | Approval Gate | User or Service Impact Check | Rollback Consideration | Priority |
| ------------ | ---------- | ------------- | ---------------------------- | ---------------------- | -------- |

### 8. Exception Register

Use this table:

| Exception | Reason | Owner Role | Expiry or Review Date | Residual Risk |
| --------- | ------ | ---------- | --------------------- | ------------- |

If no exceptions are supplied, list exception evidence as missing.

### 9. Governance Cadence

Use this table:

| Review Activity | Owner Role | Cadence | Evidence Retained | Escalation Trigger |
| --------------- | ---------- | ------- | ----------------- | ------------------ |

Cover privileged access, sensitive datasets, contractors, service accounts, group membership, exceptions, and public/external sharing where relevant.

### 10. Metrics and Monitoring

List practical access governance metrics such as excessive-access count, stale-user count, sensitive-dataset access count, unresolved-owner count, exceptions without expiry, privileged users reviewed, and cleanup completion rate.

### 11. Executive Summary

Provide a concise leadership-ready summary covering top access risks, sensitive data exposure, cleanup priorities, approvals needed, residual risks, and recertification recommendations.

### 12. Missing Inputs and Human Checks

List assumptions made, unresolved risks, blocked cleanup actions, confidence level, and exact human checks required before removing, reducing, approving, or changing access.

## Verification Checklist

Before finalizing, confirm that:

* permission findings are tied to supplied evidence
* sensitive data findings are handled confidentially
* removals require business owner, data owner, security, IT, compliance, or privacy approval where relevant
* service accounts and integrations are not changed without dependency checks
* shared accounts, stale users, contractors, privileged roles, public links, and nested groups are considered
* business impact and rollback considerations are included
* exceptions include owner, reason, expiry, and residual risk where possible
* cleanup actions include approval gates
* access recertification cadence is defined
* confirmed evidence is separated from assumptions
* missing inputs and unresolved risks are clearly listed

## Final Instruction to Begin

Begin now. First review the supplied systems, datasets, permission evidence, users, groups, roles, data classifications, sensitive datasets, access policies, business owners, known exceptions, incidents, compliance needs, cleanup deadline, approval path, and recertification cadence. If required context is missing, ask for it. Otherwise, produce the full enterprise data access review and permission cleanup plan in the requested markdown format.

## Variables to Replace

1. Systems, datasets, and permission evidence
2. Users, groups, roles, and business owners
3. Data classifications, sensitive datasets, and access policies
4. Known exceptions, incidents, and compliance needs
5. Cleanup deadline, approval path, and recertification cadence

## How to Use

Fill in the variables with the systems in scope, datasets, permission exports, users, groups, roles, business owners, data classifications, sensitive datasets, access policies, known exceptions, incidents, compliance needs, cleanup deadline, approval path, and recertification cadence. Then run the complete prompt on Claude. Use the output to plan permission cleanup, owner recertification, sensitive data access review, approval gates, and ongoing access governance.

## Example Use Case

A data team needs to clean up broad warehouse and BI workspace access after discovering old contractors, shared groups, and service accounts still have access to sensitive customer tables.

## Tags

1. data-access
2. permissions
3. data-governance
4. security-review
5. privacy
6. cleanup
7. recertification
8. sensitive-data
9. risk-management
10. enterprise
11. least-privilege
12. access-control
13. permission-review

## Dates

Published: 2026-07-10
Updated: 2026-07-10
