Access Reviews

Reviewing and certifying access and entitlements

Veza Workflows enable repeatable, granular, and integrated certification campaigns, whether conducted by a single auditor, or involving collaborators from many departments and teams. Depending on the business and compliance requirements, Workflows can audit user access to data, resource entitlements, roles, groups, and policies, or any other source -> destination relationship discovered by Veza.

This document provides an overview of Workflow and Certification concepts and features. For more information, see the other topics in this section.

Workflows

Veza operators can create workflows from a flexible Workflow query builder. Depending on the search conditions, this might be an access (identity-to-resource) or entitlement (resource-to-identity) review.

Compliance managers (with the operator role) will use the workflow query builder to define the scope of a recurring access review process. Reviewers will assess the results to certify authorization relationships connecting any source (such as a user identity) and any destination (such as an application). Each certification against that workflow uses the most recent metadata from the Privilege Graph, which Veza maintains for the organization – including all the interconnected entities and relationships Veza has discovered.

A reviewer, such as a compliance engineer or manager, can be assigned to each source-to-destination path (such as Identity > Role > Storage Resource) in the Workflow query results. Reviewers use the certification view to review the data in a table format, with columns to show details such as roles, groups, permissions, and other intermediate entities.

When creating a workflow, you can also opt to integrate with external applications and set up email reminders and notifications. These settings will apply to all future certifications on the workflow to enable external processes around decisions, deadlines, and reviewer assignments.

See Workflows for more information about defining the scope of review, and customizing settings.

Certifications

After defining the workflow scope and saving it, operators can start a Certification from the main Workflows menu. When creating the certification, they will assign reviewers and set the due date. Reviewers for individual results can be automatically assigned based on Authorization Graph metadata such as a Resource Manager or Manager.

Each workflow can have any number of certifications associated with it, each with its own deadlines, settings, and reviewers. Each certification runs against the most recent data catalog snapshot.

The original workflow search conditions, final certification decisions, and the relationships under review are immutable by nature. Completed certifications represent a snapshot of access approval: frozen in time, unmodifiable, and vault-ready evidence for internal and external security and regulatory audit processes.

See Certifications to learn about reviewing the results of a Workflow query.

Reviewing certifications

Individuals or teams will review and certify each source-to-destination path, and approve or deny the level of access according to business policy and compliance requirements. Typically, these users are compliance engineers, managers, and system or data owners with the access_reviewer role.

When reviewing a certification, users will review each assigned row to take action and leave notes on each result. If the original reviewer cannot make a decision, they can re-assign the row to another user in the organization.

Downstream system integrations enable remediation processes. Email notifications keep stakeholders informed when decisions occur, deadlines approach, and reviewers are (re)assigned.

  • Depending on the workflow settings, decisions can create service desk tickets, warning announcements, or trigger external actions with a custom webhook.

  • To log that remediation has taken place, Operators can mark Rejected results "fixed" and approve them. The completed certification represents a full audit trail of actions, notes, and decisions for the results. See Orchestration Actions and Reminders for more information.

For a user's guide to the Certification process, see the Access Reviewer's Guide.
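As an added illustration, not Veza's code or API, the review cycle described above modeled in Python: a certification freezes a copy of the workflow query results, auto-assigns a reviewer from a path attribute such as the resource manager (falling back to a team), lets only the assigned reviewer decide or re-assign a row, records remediation of rejected rows as "fixed" and approved, and once complete refuses further changes and yields a digest over the canonical evidence record. The identities, resources and the `resource_manager` attribute are constructed sample data, and the class and method names are hypothetical.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass, field

# Constructed sample data (hypothetical): identity -> role -> resource paths as a
# workflow query might return them from a privilege-graph snapshot.
SNAPSHOT = [
    {"identity": "alice", "role": "storage-admin",
     "resource": "bucket:finance-ledger", "resource_manager": "bob"},
    {"identity": "carol", "role": "reader",
     "resource": "bucket:finance-ledger", "resource_manager": "bob"},
    {"identity": "dave", "role": "storage-admin", "resource": "bucket:hr-records"},
]
DECISIONS = {"approved", "rejected"}


@dataclass
class Row:
    """One source-to-destination path under review."""
    path: dict
    reviewer: str
    decision: str | None = None
    fixed: bool = False  # remediation recorded for a rejected row
    notes: list[str] = field(default_factory=list)


class Certification:
    """A certification run over a frozen copy of workflow results."""

    def __init__(self, workflow, snapshot, reviewer_attr="resource_manager",
                 fallback_reviewer="compliance-team"):
        self.workflow = workflow
        # Copy each path so later changes to the live graph cannot alter this run.
        self.rows = [Row(path=dict(p), reviewer=p.get(reviewer_attr, fallback_reviewer))
                     for p in snapshot]
        self.completed = False
        self.audit_log: list[str] = []

    def _open_row(self, idx, by):
        """Fetch a row for modification: only while open, and only by its reviewer."""
        if self.completed:
            raise RuntimeError("completed certification is immutable")
        row = self.rows[idx]
        if by is not None and by != row.reviewer:
            raise PermissionError(f"{by} is not the reviewer of row {idx}")
        return row

    def reassign(self, idx, by, new_reviewer, note):
        row = self._open_row(idx, by)
        row.notes.append(note)
        self.audit_log.append(f"row {idx}: {by} reassigned to {new_reviewer}: {note}")
        row.reviewer = new_reviewer

    def decide(self, idx, by, decision, note=""):
        row = self._open_row(idx, by)
        if decision not in DECISIONS:
            raise ValueError(f"unknown decision {decision!r}")
        row.decision = decision
        if note:
            row.notes.append(note)
        self.audit_log.append(f"row {idx}: {by} {decision}: {note}")

    def mark_fixed(self, idx, operator, note):
        """Record remediation for a rejected row and approve it (operator action)."""
        row = self._open_row(idx, None)
        if row.decision != "rejected":
            raise ValueError(f"row {idx} is not rejected")
        row.fixed, row.decision = True, "approved"
        row.notes.append(note)
        self.audit_log.append(f"row {idx}: {operator} marked fixed and approved: {note}")

    def pending(self):
        return [i for i, r in enumerate(self.rows) if r.decision is None]

    def complete(self):
        """Freeze the certification; returns the evidence digest."""
        if self.pending():
            raise RuntimeError(f"rows still pending: {self.pending()}")
        self.completed = True
        return self.evidence_digest()

    def evidence_digest(self):
        """SHA-256 over a canonical JSON serialisation of rows, decisions and log."""
        record = {"workflow": self.workflow, "rows": [asdict(r) for r in self.rows],
                  "audit_log": self.audit_log}
        canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()


def run_demo():
    """Walk one certification through review, re-assignment, remediation and completion."""
    cert = Certification("Finance bucket access review", SNAPSHOT)
    cert.decide(0, "bob", "approved", "admin role needed for quarter close")
    cert.decide(1, "bob", "rejected", "reader access no longer required")
    cert.reassign(2, "compliance-team", "erin", "erin owns hr-records")
    cert.decide(2, "erin", "rejected", "dave left the HR team")
    cert.mark_fixed(1, "operator", "role removed (ticket id placeholder)")
    cert.mark_fixed(2, "operator", "role removed")
    cert.complete()
    return cert


if __name__ == "__main__":
    print(*run_demo().audit_log, sep="\n")
```

The digest is computed over a sorted, whitespace-free JSON form so that two parties holding the same completed record derive the same value; storing that digest alongside the exported record is one way to make the "frozen in time" property of a completed certification checkable later.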

Learn more

Workflow features and resources for administrators and operators include:
