# Action Allow List

API reference for the Action Allow List feature. For configuration guidance and how it works, see [Action Allow List](/4yItIzMvkpAvMVFAamTf/features/access-reviews/configuration/action-allow-list.md).

## Role Requirements

| Operation                         | Required Role                     |
| --------------------------------- | --------------------------------- |
| Enable or disable the allow list  | `admin`                           |
| Add or remove users from the list | `admin` or `access_reviews_admin` |
| Check whether a user is permitted | `admin` or `access_reviews_admin` |

## Principals

Both **users** and **groups** can be added to the allow list. A user is permitted if their user ID is directly on the list, or if any Veza group they belong to is on the list.

Each principal is specified as an object with a `type` and `id`:

```json
{"type": "USER", "id": "<veza-user-uuid>"}
{"type": "GROUP", "id": "<veza-group-uuid>"}
```

All IDs must be Veza internal UUIDs. Email addresses and usernames are not supported.

To look up a user's UUID:

* **Administration console**: Go to **Administration** > **Users**, click the user's name, and copy the UUID from their profile page.
* **Users API**: Use the [Users and Teams API](/4yItIzMvkpAvMVFAamTf/developers/api/users-teams.md) to list users and locate the `id` field in the response.

To look up a group's UUID:

* **Groups API**: Use `GET /api/private/groups` to list groups and locate the `id` field for the target group. Use the `filter` query parameter to narrow by name (e.g., `?filter=name eq 'Your Group Name'`); the value contains spaces and quotes, so URL-encode it when sending it (for example with `curl -G --data-urlencode "filter=name eq 'Your Group Name'"`).

## Allowed Actions

The `allowed_action` field controls which restricted operations the principal is permitted to perform. Specify one or both values:

| Value                                | Description                                               |
| ------------------------------------ | --------------------------------------------------------- |
| `DELETE_IN_PROGRESS_REVIEW`          | Permitted to delete an In Progress review                 |
| `MODIFY_IN_PROGRESS_REVIEW_DUE_DATE` | Permitted to modify the due date of an In Progress review |

## API Reference

### Check Whether the Allow List Is Enabled

**GET** `/api/private/workflows/access/settings/action_allowlist_enabled`

Returns the current enabled state of the allow list.

**Example:**

```bash
curl -L -X GET 'https://your-organization.vezacloud.com/api/private/workflows/access/settings/action_allowlist_enabled' \
  -H 'Authorization: Bearer YOUR_SECRET_TOKEN'
```

**Response:**

```json
{"enabled": false}
```

***

### Enable or Disable the Allow List

**PUT** `/api/private/workflows/access/settings/action_allowlist_enabled`

Enable or disable the allow list globally. When disabled, existing RBAC governs access to all review operations.

**Request body:**

```json
{
  "enabled": true
}
```

Set `enabled` to `true` to enable or `false` to disable.

**Example (enable):**

```bash
curl -L -X PUT 'https://your-organization.vezacloud.com/api/private/workflows/access/settings/action_allowlist_enabled' \
  -H 'Authorization: Bearer YOUR_SECRET_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{"enabled": true}'
```

**Example (disable):**

```bash
curl -L -X PUT 'https://your-organization.vezacloud.com/api/private/workflows/access/settings/action_allowlist_enabled' \
  -H 'Authorization: Bearer YOUR_SECRET_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{"enabled": false}'
```

***

### Add Principals to the Allow List

**POST** `/api/private/workflows/access/action_allowlist`

Add one or more users or groups to the allow list. A single request can include multiple principals of mixed types.

**Request body:**

```json
{
  "principals": [
    {"type": "USER", "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"}
  ],
  "allowed_action": ["DELETE_IN_PROGRESS_REVIEW", "MODIFY_IN_PROGRESS_REVIEW_DUE_DATE"]
}
```

**Example (add a user for both actions):**

```bash
curl -L -X POST 'https://your-organization.vezacloud.com/api/private/workflows/access/action_allowlist' \
  -H 'Authorization: Bearer YOUR_SECRET_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{
    "principals": [{"type": "USER", "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"}],
    "allowed_action": ["DELETE_IN_PROGRESS_REVIEW", "MODIFY_IN_PROGRESS_REVIEW_DUE_DATE"]
  }'
```

**Example (add a group):**

```bash
curl -L -X POST 'https://your-organization.vezacloud.com/api/private/workflows/access/action_allowlist' \
  -H 'Authorization: Bearer YOUR_SECRET_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{
    "principals": [{"type": "GROUP", "id": "b2c3d4e5-f6a7-8901-bcde-f12345678901"}],
    "allowed_action": ["DELETE_IN_PROGRESS_REVIEW", "MODIFY_IN_PROGRESS_REVIEW_DUE_DATE"]
  }'
```

***

### Remove Principals from the Allow List

**POST** `/api/private/workflows/access/action_allowlist:delete`

Remove one or more principals from the allow list. Uses the same request shape as the add endpoint; `allowed_action` names the action(s) to revoke for the listed principals.

**Request body:**

```json
{
  "principals": [
    {"type": "USER", "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"}
  ],
  "allowed_action": ["DELETE_IN_PROGRESS_REVIEW", "MODIFY_IN_PROGRESS_REVIEW_DUE_DATE"]
}
```

**Example:**

```bash
curl -L -X POST 'https://your-organization.vezacloud.com/api/private/workflows/access/action_allowlist:delete' \
  -H 'Authorization: Bearer YOUR_SECRET_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{
    "principals": [{"type": "USER", "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"}],
    "allowed_action": ["DELETE_IN_PROGRESS_REVIEW", "MODIFY_IN_PROGRESS_REVIEW_DUE_DATE"]
  }'
```

***

### List All Permitted Principals

**GET** `/api/private/workflows/access/action_allowlist`

Returns all users and groups currently on the allow list. Each entry represents one principal–action pair; a principal with two allowed actions appears as two separate entries. Group membership is not expanded here: a user who is permitted only through a group appears under that group's `GROUP` entry, not as a `USER` entry. Use the per-user check endpoint for the resolved view.

**Example:**

```bash
curl -L -X GET 'https://your-organization.vezacloud.com/api/private/workflows/access/action_allowlist' \
  -H 'Authorization: Bearer YOUR_SECRET_TOKEN'
```

**Response:**

```json
{
  "entries": [
    {
      "principal": {"type": "USER", "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890", "name": "Jane Smith"},
      "allowed_action": "DELETE_IN_PROGRESS_REVIEW"
    },
    {
      "principal": {"type": "USER", "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890", "name": "Jane Smith"},
      "allowed_action": "MODIFY_IN_PROGRESS_REVIEW_DUE_DATE"
    },
    {
      "principal": {"type": "GROUP", "id": "b2c3d4e5-f6a7-8901-bcde-f12345678901", "name": "Review Admins"},
      "allowed_action": "DELETE_IN_PROGRESS_REVIEW"
    }
  ],
  "next_page_token": "",
  "has_more": false,
  "total_count": 3
}
```

***

### Check Whether a User Is Permitted

**GET** `/api/private/workflows/access/action_allowlist/{user_id}`

Returns the resolved allowed actions for the specified user, including permissions inherited from group memberships. Pass a user UUID. Passing a group UUID returns an empty `allowed_actions` array rather than an error, so an empty result is indistinguishable from a user who is simply not permitted; confirm the UUID belongs to a user before relying on the result.

**Example:**

```bash
curl -L -X GET 'https://your-organization.vezacloud.com/api/private/workflows/access/action_allowlist/a1b2c3d4-e5f6-7890-abcd-ef1234567890' \
  -H 'Authorization: Bearer YOUR_SECRET_TOKEN'
```

**Response:**

```json
{"allowed_actions": ["DELETE_IN_PROGRESS_REVIEW", "MODIFY_IN_PROGRESS_REVIEW_DUE_DATE"]}
```

Returns an empty array if the user is not on the list and belongs to no permitted groups.
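The list endpoint reports direct entries one principal–action pair at a time, while the per-user check endpoint reports the resolved result after group expansion. The following is an added example, not Veza's own code or SDK, showing how to page through the list response, collapse it into per-principal action sets, and reproduce the check endpoint's resolution (direct `USER` entry plus every `GROUP` the user belongs to), including the silent empty result for a group UUID passed as a user. It runs offline against constructed sample pages shaped like the documented response; `veza_page_fetcher` is the networked variant, and its `page_token` query parameter name is an assumption (this page documents only the `next_page_token`/`has_more` response fields). The user `BOB` and the group memberships are constructed.

```python
"""Added example (not Veza code): page the allow list, collapse entries, resolve a user.
SAMPLE_PAGES is constructed data shaped like GET .../action_allowlist, split over two
pages to exercise the paging loop. The page_token request parameter is an assumption."""
import json
import urllib.parse
import urllib.request
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Set, Tuple

Principal = Tuple[str, str]  # (type, id), e.g. ("USER", "<veza-user-uuid>")
ALLOWED_ACTIONS = {"DELETE_IN_PROGRESS_REVIEW", "MODIFY_IN_PROGRESS_REVIEW_DUE_DATE"}

# UUIDs from the page's examples, plus a constructed user (BOB) permitted only via group.
JANE = "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
REVIEW_ADMINS = "b2c3d4e5-f6a7-8901-bcde-f12345678901"
BOB = "c3d4e5f6-a7b8-9012-cdef-123456789012"

SAMPLE_PAGES: Dict[str, dict] = {  # constructed: token -> page
    "": {"entries": [
            {"principal": {"type": "USER", "id": JANE, "name": "Jane Smith"},
             "allowed_action": "DELETE_IN_PROGRESS_REVIEW"},
            {"principal": {"type": "USER", "id": JANE, "name": "Jane Smith"},
             "allowed_action": "MODIFY_IN_PROGRESS_REVIEW_DUE_DATE"}],
         "next_page_token": "page-2", "has_more": True, "total_count": 3},
    "page-2": {"entries": [
            {"principal": {"type": "GROUP", "id": REVIEW_ADMINS, "name": "Review Admins"},
             "allowed_action": "DELETE_IN_PROGRESS_REVIEW"}],
         "next_page_token": "", "has_more": False, "total_count": 3},
}


def sample_fetch_page(token: str) -> dict:
    """Offline stand-in for the GET request: returns the constructed page for a token."""
    return SAMPLE_PAGES[token]


def veza_page_fetcher(base_url: str, bearer_token: str) -> Callable[[str], dict]:
    """Real fetcher for GET /api/private/workflows/access/action_allowlist.
    The page_token query parameter name is an assumption; not exercised offline."""
    def fetch(token: str) -> dict:
        url = f"{base_url}/api/private/workflows/access/action_allowlist"
        if token:
            url += "?" + urllib.parse.urlencode({"page_token": token})
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {bearer_token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def collect_entries(fetch_page: Callable[[str], dict]) -> List[dict]:
    """Follow next_page_token until has_more is false; refuse to loop on a repeated token."""
    entries: List[dict] = []
    token, seen = "", set()
    while True:
        if token in seen:
            raise RuntimeError(f"pagination loop: token {token!r} repeated")
        seen.add(token)
        page = fetch_page(token)
        entries.extend(page["entries"])
        if not page.get("has_more"):
            return entries
        token = page["next_page_token"]


def actions_by_principal(entries: Iterable[dict]) -> Dict[Principal, Set[str]]:
    """Collapse the one-pair-per-entry list into {(type, id): {actions}}."""
    out: Dict[Principal, Set[str]] = defaultdict(set)
    for entry in entries:
        action = entry["allowed_action"]
        if action not in ALLOWED_ACTIONS:
            raise ValueError(f"unexpected allowed_action {action!r}")
        p = entry["principal"]
        out[(p["type"], p["id"])].add(action)
    return dict(out)


def resolve_user_actions(by_principal: Dict[Principal, Set[str]], user_id: str,
                         group_ids: Iterable[str]) -> Set[str]:
    """Effective actions for a user: direct USER entry plus every GROUP the user is in.
    A group UUID passed as user_id matches no USER entry and resolves to the empty set,
    mirroring the silent empty result the check endpoint gives for that mistake."""
    resolved = set(by_principal.get(("USER", user_id), set()))
    for gid in group_ids:
        resolved |= by_principal.get(("GROUP", gid), set())
    return resolved


def group_only_users(by_principal: Dict[Principal, Set[str]],
                     memberships: Dict[str, Iterable[str]]) -> Set[str]:
    """Users permitted solely via a group: they never appear as a USER entry in the list,
    so an audit that reads only the list endpoint would miss them."""
    return {uid for uid, gids in memberships.items()
            if ("USER", uid) not in by_principal and resolve_user_actions(by_principal, uid, gids)}


if __name__ == "__main__":
    by_principal = actions_by_principal(collect_entries(sample_fetch_page))
    memberships = {JANE: [], BOB: [REVIEW_ADMINS]}  # constructed group membership
    for uid, gids in memberships.items():
        print(uid, sorted(resolve_user_actions(by_principal, uid, gids)))
    print("group-only users:", group_only_users(by_principal, memberships))
```

To run it against a tenant, replace `sample_fetch_page` with `veza_page_fetcher("https://your-organization.vezacloud.com", token)` and obtain the group memberships for each user from the Users and Teams API; comparing `resolve_user_actions` with the check endpoint's `allowed_actions` for the same user is a cheap consistency check on your group data.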

