Global Settings APIs
API operations for customizing the behavior and functionality of Veza Access Reviews.
Last updated
Was this helpful?
API operations for customizing the behavior and functionality of Veza Access Reviews.
Last updated
Was this helpful?
These endpoints can be called by providing a Veza admin user API key. See Authentication to generate a bearer token for use in requests. Note that API operations in the private namespace are subject to change as features are added or modified.
Use these APIs to configure for Veza Access Reviews.
At present, the settings that can be configured by a Veza administrator are:
Auto-completion: Automatically complete reviews once all rows have a signed-off decision, or a non-rejected signed-off decision.
Completion requirements: Enable review completion at any time, or only when all rows are signed off with a non-rejected decision.
Data Source Status Acknowledgement: Require review creators to view and acknowledge the data source status shown at review creation.
Overdue Review Expiration: Enable or disable expiration of overdue reviews.
Review Expiration Behavior: Reject and sign off incomplete rows when a review expires.
Self Review Prevention: Prevent users from being assigned as reviewers for rows that relate to their own access and permissions.
Column Customization: Configure default columns which reviewers will see when they open a review.
UI Customization: Set whether notes are required when approving or rejecting access.
Sort Order: Set the default sort order and sorting column when opening a review.
Predefined Decision Notes: Add suggested notes as menu options when reviewers approve or reject rows.
For each endpoint, a GET request returns the current setting, and a PUT request updates the setting. Use your unique Veza URL and API key in your request, for example:
Optionally, you can use the Postman collection linked below to customize Access Reviews global settings:
Customize the requirements for completing a review.
Example:
An Admin or Operator user can complete a review by clicking the "Complete Review" button.
Once a review is marked as "completed," it becomes read-only and is no longer visible to reviewers. By default, a review can be completed when all rows have a signed-off decision.
This API allows you to modify this behavior, enabling a review to be completed at any time, or only when all rows are signed off with a non-rejected decision. The latter option is useful if your organization prefers to complete reviews only after all rejected access has been remediated.
Possible values are:
COMPLETION_ALLOWED_UNKNOWN = 0
COMPLETION_ALLOWED_ALL_ROWS_HAVE_DECISION = 1 (Review can be completed only when all result rows have a decision)
COMPLETION_ALLOWED_ANYTIME = 2 (Review can be completed any time)
Enable or disable the "auto-complete" feature. When auto-complete is enabled, a review will automatically be completed once all rows have a signed-off decision, or a non-rejected signed-off decision, depending on the "Completion Allowed Settings."
Possible values are:
AUTO_COMPLETE_UNKNOWN
AUTO_COMPLETE_ENABLED
AUTO_COMPLETE_DISABLED
Example:
Enable or disable self-review prevention. When self-review prevention is enabled, users are prevented from being assigned as reviewers for rows that relate to their own access and permissions.
The value can be:
SELF_REVIEWER_CHECKING_UNKNOWN = 0
SELF_REVIEWER_CHECKING_DISABLED = 1
SELF_REVIEWER_CHECKING_ENABLED = 2
By default, when a reviewer approves a row, a "notes" pop-up appears, allowing the user to optionally add a note explaining their decision. When a reviewer rejects a row, the "notes" pop-up appears, and adding a note is required. This API allows you to customize this behavior. For example, you can choose to disable the pop-up when a row is approved and make the notes pop-up optional when a row is rejected.
Additionally, this API can enable the historical "Approve & Signoff" action in the reviewer experience when multiple rows are selected. Note: It is recommended that this feature remains disabled to ensure a more streamlined reviewer experience.
Example:
accept_notes_behavior can be:
NOTES_BEHAVIOR_UNKNOWN = 0
NO_POP_UP = 1
POP_UP_OPTIONAL = 2
POP_UP_REQUIRED = 3
reject_notes_behavior can be:
NOTES_BEHAVIOR_UNKNOWN = 0
NO_POP_UP = 1
POP_UP_OPTIONAL = 2
POP_UP_REQUIRED = 3
approve_and_sign_off_button_behavior can be:
HIDE_OR_SHOW_BEHAVIOR_UNKNOWN = 0
SHOW = 1
HIDE = 2
This API configures the default columns which reviewers will see when they open a review. If workflow_id is specified then the configuration will only be applied to reviews related to the particular Review Configuration identified by workflow_id.
The valid values to show entity attributes include:
source.ATTR
destination.ATTR
waypoint.ATTR
path_summary.ATTR
idp.ATTR
Where ATTR is an attribute name such as “id” or “name”.
The following column values are also valid:
status
abstract_permissions
concrete_permissions
updated_at
notes
reviewers
decision
decision_by
decision_by_id
decision_by_name
decision_by_email
decision_at
marked_fixed_by_id
marked_fixed_by_name
marked_fixed_by_email
marked_fixed_at
signed_off_state
signed_off_by_id
signed_off_by_name
signed_off_by_email
signed_off_at
notification_status
automation_run_ids
no_decision_or_decision_by
Is_signed_off
Example:
Configure the default order in which review rows are displayed. Note: Users can later sort the rows as they prefer.
The order is specified using a SCIM "order by" expression. The default value is source.type asc.
Valid values include:
source.ATTR
destination.ATTR
waypoint.ATTR
idp.ATTR
Where ATTR is an attribute name such as “id” or “name”.
Example
This setting is configurable on the Access Reviews > Settings page. Enable Auto-Expire overdue reviews to automatically expire reviews that aren't completed by the due date.
Enables or disable expiration of overdue reviews. By default, overdue reviews are not expired and remain available to reviewers. When expiration is enabled, the review will be “expired” when it becomes overdue. An expired review is read-only and is not shown to reviewers.
The value can be True or False.
This setting is configurable on the Access Reviews > Settings page. Enable Reject incomplete rows to reject and sign off on undecided rows when a review expires.
This API allows you to change the behavior when a review expires (which can be enabled in Review Auto-Complete Settings). Depending on the behavior, incomplete rows can be auto-rejected when the review deadline passes.
Possible values are:
DO_NOTHING: No action is made on incomplete rows (default).
AUTO_REJECT_INCOMPLETE_RESULTS: Reject and sign-off any results that are incomplete when the review expires.
Review expiration behavior can be configured globally, or for all reviews for a single Review, specified by workflow_id in the request.
By default, when a review is created, a user can optionally view the status of the data sources involved in the review. This API allows the behavior to change, requiring that the data source status is shown to the user and acknowledged during review creation.
Possible values are:
DATASOURCE_ACKNOWLEDGEMENT_UNKNOWN = 0
DATASOURCE_ACKNOWLEDGEMENT_NOT_SHOWN = 1
DATASOURCE_ACKNOWLEDGEMENT_REQUIRED = 2
Configure predefined notes as menu options when reviewers approve or reject rows. This feature can be configured globally for all reviews or specifically for individual review configurations. When configured for a specific review configuration (using workflow_id), those settings override any global predefined notes.
The predefined notes appear as selectable options in the notes dialog when making decisions, suggesting standardized responses alongside free-form text entry.
Example request body:
The request body accepts:
reject_notes: Array of predefined note options shown when rejecting rows
accept_notes: Array of predefined note options shown when approving rows
workflow_id: (Optional) Specific review configuration ID to override global settings
Retrieve the current predefined notes settings. Include the optional workflow_id query parameter to get settings for a specific review configuration.
Global Settings Request:
Configuration-Specific Request:
Example response:
Update the predefined notes settings globally or for a specific review configuration.
Configuration-Specific Request:
application/jsonapplication/json{"value":{"diff_dropdown_behavior":"<integer>","accept_notes_behavior":"<integer>","reject_notes_behavior":"<integer>","approve_and_sign_off_button_behavior":"<integer>"}}OK
application/jsonapplication/json{"value":{"default_ordered_columns":["source.name","source.identity_unique_id","concrete_permissions","idp.on_premises_distinguished_name","idp.name","destination.name","destination.type","reviewers","notes","decision_by","decision_at","notification_status","automation_run_ids"]}}OK