Configuring Workflows Reviewer Assignment

Automatically delegate certifications and results using graph metadata

When creating a new certification and adding reviewers, prior workflow reviewers will appear as suggestions. If the identity provider (IdP) used to connect to Veza is configured as a discovery source, you can change the default Workflows Identity Provider, enabling Veza to assign a resource manager as the reviewer from authorization graph metadata.

When enabled, Veza will automatically suggest certification reviewers for Workflows that query a single named identity or resource. The targeted entity must have a manager property (on IdP users) or a SYSTEM_resource_managers tag (on resources) containing a valid Veza system user ID. This user ID is defined in the "idp_unique_id" property on the corresponding IdP User entity in the graph.

  • For natively supported IdPs such as Okta, you can assign a manager by setting a user's Manager attribute from the IdP's console.

  • An owner assignment tag can be applied to any entity in the data catalog. Apply a tag with key SYSTEM_resource_managers, where the value is a comma-delimited list of user IDs:

{
  "tag": {
    "key": "SYSTEM_resource_managers",
    "value": "01a09253,928a24e4"
  }
}

The tag value must match the "IDP Unique ID" property on the user's graph entity. For Okta, OneLogin, and Azure AD identities, this is an email address. If using a custom IdP, the user or group identity can be any unique string.

Assigning resource managers (Veza Tags)

You can apply and remove tags programmatically using the Tags API. To assign owners, use "SYSTEM_resource_managers" as the tag key, with a comma-separated list of the users' IdP Unique IDs as the value.

Add tag:

curl "$BASEURL/api/v1/graph/nodes/veza_tags" \
-H 'authorization: Bearer '$TOKEN \
--data-raw '
{
  "node_id": "527398259632-c98becd0",
  "tags": [
    {
      "key": "SYSTEM_resource_managers",
      "value": "jim@cookie.ai"
    }
  ]
}'

Remove a tag by providing the entity id and the tag key to delete:

curl $BASEURL/api/v1/graph/veza_tags:remove \
-H 'authorization: Bearer '$TOKEN \
--data-raw '{
  "node_id": "dn44266.us-east-2.aws.snowflakecomputing.com/database/LOCATION/schema/COUNTRIES/table/USA",
  "tag_key": "SYSTEM_resource_managers"
}'

Tags can also be applied from the Veza UI, by selecting an entity in the Data Catalog or Authorization Graph and clicking Add tag. Note that it's not currently possible to remove tags using the Veza web interface.

For custom IdP users, you can also change the manager by pushing a new payload or by using incremental updates to modify the existing entity.

Validating manager assignments

To test resource manager assignment using tags:

  1. Pick a resource on the graph that doesn't yet have an owner.

  2. Apply a system_resource_managers tag with the email address of another Veza user.

  3. Create a new Workflow. Select the entity type of the tagged resource, choose Select a single entity, and specify the resource name.

  4. Save the workflow and click New Certification.

  5. The resource manager's Veza account should be selected as the default reviewer.

To test manager assignments using Okta:

  1. Pick an IdP entity (such as OktaUser) on the graph.

  2. If the user already has a manager, create a corresponding Veza user for the manager's email address (you can give it the Access Reviewer role).

  3. Otherwise, log in to Okta and set the user's Manager attribute to your Veza email address.

  4. Create a new workflow. Select the entity type (OktaUser) and choose to Select a single entity. Enter the Okta user name.

  5. Save the workflow and click New Certification.

  6. The manager's Veza account should be selected as the default reviewer.

Assigning owners for custom applications and identity providers

Assigning managers (Custom IdP)

You can use the custom identity provider template to create graph entities with metadata for your custom domains, identities, and groups. To assign manager relationships within the custom IdP, users and groups can be mapped to the identity of another user:

...
{
  "name": "Direct Report",
  "identity": "000001",
  "manager_id": "000011"
}
{
  "name": "Manager One",
  "identity": "000011",
  "manager_id": "00029"
}
{
  "name": "Senior Manager",
  "identity": "00029",
  "manager_id": null
}
...

Assigning resource managers (Custom IdP)

To assign an IdP user or group as the manager of any resource Veza has discovered, list the node type and node id in the entities_owned field, for example:

{
  "name": "Custom User",
  "identity": "000011",
  "entities_owned": [
    {
      "node_type": "S3Bucket",
      "id": "arn:aws:s3:::amazon-connect-53f87966654d"
    }
  ]
}

When the payload is parsed, resources in the data catalog are updated with a system_resource_managers tag. The owner(s) will be suggested as reviewers for any Workflow that queries an individual named resource carrying a matching tag.
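Two checks worth running before submitting this metadata: that every ID in a SYSTEM_resource_managers tag value resolves to an IdP user's idp_unique_id (the matching rule stated earlier on this page), and that a custom IdP payload has no dangling manager_id references or malformed entities_owned entries. This is an added example with constructed sample data, not Veza's own code or API; exact string matching of IDs is an assumption.

```python
TAG_KEY = "SYSTEM_resource_managers"

# Constructed sample IdP user entities; only the idp_unique_id property matters here.
SAMPLE_IDP_USERS = [
    {"name": "Jim", "idp_unique_id": "jim@cookie.ai"},
    {"name": "Ops", "idp_unique_id": "ops@veza.com"},
]

# Constructed custom IdP payload fragment. "Manager One" is deliberately mistyped
# as "00011" (six digits intended) so the check below has something to catch.
SAMPLE_CUSTOM_IDP_USERS = [
    {"name": "Direct Report", "identity": "000001", "manager_id": "000011"},
    {"name": "Manager One", "identity": "00011", "manager_id": "00029"},
    {"name": "Senior Manager", "identity": "00029", "manager_id": None,
     "entities_owned": [{"node_type": "S3Bucket", "id": "arn:aws:s3:::example-bucket"}]},
]


def parse_manager_tag(value: str) -> list[str]:
    """Split a comma-delimited SYSTEM_resource_managers value into clean IDs."""
    return [part.strip() for part in value.split(",") if part.strip()]


def unresolved_tag_managers(tag_value: str, idp_users: list[dict]) -> list[str]:
    """IDs in the tag that match no IdP user's idp_unique_id (exact match assumed)."""
    known = {u["idp_unique_id"] for u in idp_users}
    return [uid for uid in parse_manager_tag(tag_value) if uid not in known]


def check_custom_idp_users(users: list[dict]) -> list[str]:
    """Flag duplicate identities, dangling manager_id references, self-management,
    and entities_owned entries missing node_type or id."""
    problems: list[str] = []
    identities = [u["identity"] for u in users]
    for ident in sorted(set(identities)):
        if identities.count(ident) > 1:
            problems.append(f"duplicate identity {ident}")
    known = set(identities)
    for u in users:
        mgr = u.get("manager_id")
        if mgr == u["identity"]:
            problems.append(f"{u['name']}: manager_id points at itself")
        elif mgr is not None and mgr not in known:
            problems.append(f"{u['name']}: manager_id {mgr} not found")
        for owned in u.get("entities_owned", []):
            if not owned.get("node_type") or not owned.get("id"):
                problems.append(f"{u['name']}: entities_owned entry missing node_type or id")
    return problems


if __name__ == "__main__":
    print(unresolved_tag_managers("jim@cookie.ai, nobody@cookie.ai", SAMPLE_IDP_USERS))
    print(check_custom_idp_users(SAMPLE_CUSTOM_IDP_USERS))
```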

Assigning resource managers (Custom Application)

When using the custom application template to submit application/resource metadata, you can assign a resource manager by applying a Veza tag:

{
  "name": "release.vezacloud.com",
  "resource_type": "Cluster",
  "description": "release staging cluster",
  "sub_resources": [],
  "tags": [
    {
      "key": "system_resource_managers",
      "value": "ops@veza.com"
    }
  ]
}

You can use incremental updates to modify or remove tags on OAA entities.
