Workflow Parameters Reference
Workflows, certifications, and result details
Last updated
Was this helpful?
Workflows, certifications, and result details
Last updated
Was this helpful?
This page describes common properties for listing workflows, certifications, and certification results:
When , all Veza Workflows are returned within a values array. Each has the properties:
workflow_id
string
Workflow GUID
name
string
Workflow display name
description
string
Extended description
owner
Owner user details
notes
string
Workflow notes
query
WorkflowQuery object
Workflow search conditions
creator
Creator user details
created_at
string (RFC 3339 timestamp)
Creation date
returns all Certifications for a workflow, within a values array.
Note that to maintain certification integrity, some properties are immutable and can't be modified, while other values system-updated. Mutable fields such as "name," "notes," "reviewers" and "due date" can be changed by operators and admins using the Veza UI:
certification_id
string
Certification GUID
workflow_id
string
Workflow GUID
query_used
WorkflowQuery
The query for the workflow (immutable).
name
string
Certification name (not used)
notes
string
Certification notes
due_date
string (RFC 3339 timestamp)
Due date timestamp
reviewers
List of reviewers
Internal fields are updated by the workflow service to store important metadata:
state
AccessCertState
Certification status
snapshot_time
string (RFC 3339 timestamp)
Date of graph snapshot at certification creation
started_at
string (RFC 3339 timestamp)
Certification creation date
query_completed_at
string (RFC 3339 timestamp)
Timestamp indicating when certification results were generated
completed_at
string (RFC 3339 timestamp)
Certification completion date
created_by
Certification creator details
completed_by
User who marked certification as complete
total_result_count
int
Total query results
results_updated_at
string (RFC 3339 timestamp)
Timestamp
results_updated_by
User details
total_complete_count
int
Number or result rows with an accept, reject, or fixed decision
creator
User details
created_at
string (RFC 3339 timestamp)
Timestamp
updated_at
string (RFC 3339 timestamp)
Timestamp
updated_by
User details
error_reason
string
Error message, if the workflow query failed
expired_at
string (RFC 3339 timestamp)
Timestamp
total_result_count
int
Total number of results
total_complete_count
int
Results with a final decision
total_rejected_count
int
Results with a "reject" decision
total_accepted_count
int
Results with an "accept" decision
total_fixed_count
int
Results that have been "marked as fixed"
States can be:
CERT_STATE_SEARCHING // The query is still running
CERT_STATE_IN_PROGRESS // the certification is being reviewed
CERT_STATE_COMPLETED // the review of the certification is complete
accumulated_effective_permissions
string list
Cumulative canonical (C/R/U/D) permissions to the resource
accumulated_raw_permissions
string list
List of concrete system permissions to the resource
action_log_entries
Log of previous actions on the result
decision
string
Row decision
destination
The result destination (typically a resource)
notes
string
The most recent note applied to the result
notification_response_infos
array
notification_status
string
Whether the integration triggered successfully
result_id
int
Result unique identifier for the certification
reviewers
Reviewer details
reviewer_assignment
ReviewerAssignmentInstructions object
Instructions for fallback and auto-assigned reviewers
signed_off_at
string (RFC 3339 timestamp)
signed_off_by
Details for a single reviewer
signed_off_state
string
UNKNOWN_SIGNED_OFF NOT_SIGNED_OFF SIGNED_OFF
source
Result source (typically a principal)
updated_at
string (RFC 3339 timestamp)
updated_by
waypoint
Related intermediate entity details, if specified by the workflow query
Valid decisions are:
RESULT_DECISION_NONE // No decision has been made
RESULT_DECISION_ACCEPTED // The access described in the result row is acceptable
RESULT_DECISION_REJECTED // The access described in the result row isn't correct
RESULT_DECISION_FIXED // The access was rejected, but has been fixed
Both the number or string value for the decision are allowed, for example "decision": 4 or "decision": RESULT_DECISION_FIXED.
Shows source, destination, or intermediate entity details for a query result:
type
string
Entity type
name
string
Entity name
id
string
Entity UID
properties
key:value pair
Entity properties
user_type
string
SSO entity type or localCookieUser
id
string
User GUID
email
string
User email address
name
string
Full username
When assigning reviewers using preview Workflows APIs, requested users are validated before assigning them to a certification result, and not assigned when the user can’t be found. Assignee id and user_type are required to identify reviewers. name and email are optional but if provided must match the Veza user record.
Results contain a record of all prior actions on a certification result.
action
string
Action log event type
user
Reviewer details
time
string
RFC 3339 timestamp
decision_detail
object
Decision type and any notes
Possible actions are:
NOTE_ADDED
REVIEWER_ASSIGNED
DECISION
The response will include the type, id, email, and name of the user who made the change:
The reviewer_assignment specifies how reviewers should be assigned to rows, during initial certification create or when reviewers are re-assigned by smart action.
users_manager and resource_managers assigns reviewers based on Global IdP settings.
reviewers is a way to specify one or more reviewers to apply to every row. fallback_reviewers is one or more reviewers that to assign to rows if auto assign by user or resource manager fails for any reason
object
object
object
See for more details on query construction.
object
object
object
object
object
include a numeric ID, the query details, and any decisions and notes. Each result includes entity details for the source -> destination nodes and the cumulative permissions under review:
array
object
Error message and status for Webhook integrations, pushed with
Array of
object
object
object
object
The notes field will always contain the most recent note. Previous notes can be reviewed in the using the List Cert Results API.
Reviewer details, typically a Veza user account. If are configured, the user type and id refer to Veza graph entities:
You can get details for a local Veza user from Administration > User Management. For graph entities (identities from an external identity provider), inspect the entity details using Access Search or the Entities page. will return all users for a given certification.
object