Certifications

Initiating access reviews and assigning reviewers

Certifications can be created once you have defined the scope of the audit by creating a Workflow. These certifications can be assigned to teams of compliance engineers and team or resource managers for review and attestation. Workflows can be the subject of multiple certifications over time.

For an end-user's guide to access reviews with Veza, please see the Access Reviewer's Guide. This document includes details on:

Starting a certification

To create and open a new certification for review, choose the workflow on the Workflows panel, and click New Certification.

While some access reviews may be one-time procedures, most should be conducted routinely as part of good operational practice. Each new certification runs the workflow query parameters against the most recent Veza snapshot.

You will be prompted to verify the data source status for the most recent entity catalog snapshot (as some sources may not have been configured, or display an error state).

To check data source status after starting certification, click View Datasource Snapshot Status on the certification details panel.

Click Continue if the results are as expected, or View Events for more details on an error or warning. Once you have confirmed the data source status, set the due date and assign reviewers:

  1. Pick a due date, which will be used to send reminder emails and set a campaign deadline.

  2. Select one or more "Default Reviewers" for the certification. Default reviewers can act on any row, or reassign them to other users. If the workflow has other certifications, previous reviewers may be suggested as default reviewers.

  3. Automatically assign any identified managers for each row (assuming the graph metadata is available).

    • Using “default reviewers” assigns all rows to the specified default reviewer(s).

    • Auto assigning the “manager” assigns each row based on the user or resource manager. The fallback is the specified default reviewer(s).

Users with the Access Reviewer role can only access the Workflows interface, and only see results for certifications to which they're assigned. You can change a user's role under Administration > User Management.

Draft certifications

To prevent reviewers from being notified immediately, workflow owners can start a certification in unpublished, draft state. From a draft certification, operators can inspect the results and ensure that the rows are assigned correctly before notifying reviewers based on the email reminder settings.

Click Draft when starting a Certification to create and open it.

To make a draft certification available for reviewers and trigger notifications, open the parent Workflow to view certifications, and click Publish.

  • Reviewers cannot view any unpublished certifications, even when they contain rows assigned to them.

  • The owner can make decisions on results for unpublished certifications, including approving or rejecting, assigning reviewers, and signing off. Webhooks will trigger normally.

  • After publishing the certification, emails associated with the certification start are triggered.

  • Note that Draft mode is optional, and not selected by default.

Reminders and deadlines

  • Reminder emails are sent at 11 AM PST.

  • Certifications expire at 8 PM PST on the due date.

  • To enable a grace period for follow-up remediation, certification results can be "marked as fixed" up to 7 days after certification expiration.

Continuing a certification

To resume an incomplete certification, find the original workflow on the Workflows page and pick View Certifications from the options dropdown. Any pending and completed certifications will appear, with the option to continue or delete a pending certification.

Find the certification and click Continue to resume the certification from where you left off (decisions will auto-save).

Viewing past workflows and certifications

Once a certification is complete, it can't be modified, although you can always restart with a new certification. You can retrieve the decisions and notes for a completed audit by choosing Certifications from the workflow options, and choosing the entry you want to view.

You can also export a CSV file for a certified workflow, or delete the certification:

  • To delete a pending certification, choose workflow actions > Certifications, and choose Delete Certification for the entry you want to remove.

  • You can delete an uncertified workflow by choosing Delete Workflow from the workflow actions.

  • Completed certifications can't be deleted.

Reviewing a certification

The certification interface displays the principal type, the principal name, effective permissions, resource type, and resource name for each item to review. You can resize, rearrange, or customize columns to display additional details:

For each entry, you can:

  • Approve the row.

  • Reject, indicating that the level of access is inappropriate.

  • Mark as Fixed: If action has been taken on a rejected row, you may want to mark the issue as fixed before certifying the workflow. When using this option, you can add more details in a note (such as a ticket number or remediation steps).

  • Re-assign a reviewer

  • Sign off, preventing any further decisions. Once signed off, the only allowed change is to the mark-as-fixed status of a rejected row.

  • Update the note which will be submitted along with the notification email or webhook payload.

You may be prompted to add a note when making an approve/reject decision, depending on the global workflow settings.

Adding a note will replace the previous value. Only the most recent note is shown in the "Notes" column. Previous entries can be retrieved using the List Certification Results API.

Records can be approved, annotated, or rejected line-by-line or with a bulk selection. Once a decision is final, the row must be signed off so that no further changes can be made.

Once all results are "signed off," click Certify to finish the certification. No changes are possible once you proceed. Alternatively, you can close the workflow to resume at a later point (any changes are saved automatically).

Filter-based Smart Actions

You can use Smart Actions to update many results at once with a note, decision, sign off state, or updated reviewer assignment. A smart action applies to all results that match a given filter (either the current one, or one you specify). This method of interacting with certification items in bulk is useful when working with large certifications containing many pages of results.

Filtering the certification results view before applying a smart action allows you to apply an action to all filtered rows:

  1. Customize the filter settings to show just the results you want to act on.

  2. Click Smart Action, and choose the decision you want to apply (approve, reject, sign off, or add note).

  3. Choose "Apply to the Filtered Set," add a note, and click Apply.

If you need more granular control over the conditions (such as acting on entities that don't match a keyword), select the conditions after choosing to apply the smart action on the unfiltered results.

For example, you can sign off on all results by filtering on "User" "Name" "Not Equals" " " (empty value).

  1. Click Smart Action, and choose the decision you want to apply (approve, reject, sign off, or add note).

  2. Select the criteria by picking an entity property to search (such as a user, resource, or permission name).

  3. Input the text to search, and pick a function (such as equals or contains).

After applying a smart action, a prompt will appear with the option to show just the filtered results.

Filtering on text fields: To treat a numeric value as a string (such as to match numbers in user names), enclose the numbers in quotes (NAME, CONTAINS, "00000"). Otherwise, the number will be treated as an integer (for filtering and applying smart actions to columns that contain numeric values). You can include leading or trailing spaces in the search text by enclosing the filter string in quotes, for example: Resource Name = " Bucket"

Smart Action Log

You can view a record of previous smart actions, and view the affected rows, using the Smart Actions log.

Smart actions on many results can take some time to complete. A progress indicator is shown for currently running tasks.

  • Clicking "View Filter" will refresh the certification view to show the filtered rows

  • You can dismiss an entry to hide it from the list

  • The action log entry will show if any rows were skipped

  • You can't start a new smart action while another one is running
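The filter rules and bulk behaviour described above (quoted values matched as text, unquoted numbers treated as integers, a smart action applied to every filtered row, notes replacing the visible value, and skipped rows surfacing in the action log) can be modelled in a few dozen lines. The following is an added example written for this page, not Veza's code or API; the row fields, the `smart_action` function and the sample rows are constructed for illustration, and the rule that a row needs a decision before it can be signed off is an assumption of the model.

```python
"""Model of filter-based smart actions on certification rows (added example,
not Veza's code). Quoted filter values are matched as text with their spaces,
unquoted numeric values are integers, one action touches every matching row,
a new note replaces the visible one while history is kept, and rows that
cannot take the action are reported as skipped in the action-log entry."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Any


@dataclass
class Row:
    principal_type: str
    principal_name: str
    permissions: str
    resource_type: str
    resource_name: str
    reviewers: list[str] = field(default_factory=list)
    decision: str | None = None        # "approved", "rejected" or "fixed"
    signed_off: bool = False
    notes: list[str] = field(default_factory=list)  # history; UI shows the last

    @property
    def note(self) -> str | None:
        return self.notes[-1] if self.notes else None


def parse_filter_value(raw: str) -> Any:
    """'"00000"' -> '00000' (text, inner spaces kept); '00000' -> 0 (integer)."""
    s = raw.strip()
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        return s[1:-1]
    try:
        return int(s)
    except ValueError:
        return s


OPERATORS = {
    "equals": lambda cell, val: cell == val,
    "not equals": lambda cell, val: cell != val,
    "contains": lambda cell, val: val in cell,
}


def match(row: Row, column: str, op: str, raw_value: str) -> bool:
    """Integer filter values only match cells that are themselves integers."""
    value = parse_filter_value(raw_value)
    cell = getattr(row, column)
    if isinstance(value, int):
        try:
            cell = int(cell)
        except (TypeError, ValueError):
            return False
        return False if op == "contains" else OPERATORS[op](cell, value)
    return OPERATORS[op](str(cell), value)


def apply_decision(row: Row, value: str) -> bool:
    """Enforce the sign-off rules; return False when the row must be skipped."""
    if value == "fixed" and row.decision != "rejected":
        return False            # "fixed" only applies to a rejected row
    if row.signed_off and value != "fixed":
        return False            # signed off: only mark-as-fixed is still allowed
    row.decision = value
    return True


def smart_action(rows: list[Row], column: str, op: str, raw_value: str,
                 action: str, value: str | None = None) -> dict:
    """Apply one action to the filtered set and return the action-log entry."""
    applied, skipped = [], []
    for i, row in enumerate(rows):
        if not match(row, column, op, raw_value):
            continue
        ok = True
        if action == "decide":
            ok = apply_decision(row, value)
        elif action == "note":
            row.notes.append(value)           # replaces the visible note, keeps history
        elif action == "sign_off":
            ok = row.decision is not None     # assumption: no sign-off without a decision
            row.signed_off = row.signed_off or ok
        elif action == "reassign":
            ok = value != row.principal_name  # self-review is prevented
            if ok:
                row.reviewers = [value]
        else:
            raise ValueError(f"unknown action {action!r}")
        (applied if ok else skipped).append(i)
    return {"filter": (column, op, raw_value), "action": action,
            "applied": applied, "skipped": skipped}


def sample_rows() -> list[Row]:
    # constructed sample data
    return [
        Row("User", "alice", "s3:GetObject", "S3 Bucket", " Bucket"),
        Row("User", "svc-00000", "iam:PassRole", "IAM Role", "deploy-role"),
        Row("User", "carol", "SELECT", "Table", "finance"),
    ]


def demo() -> tuple[list[Row], list[dict]]:
    rows = sample_rows()
    log = [
        # quoted: the digits are matched as text inside the user name
        smart_action(rows, "principal_name", "contains", '"00000"', "decide", "rejected"),
        # unquoted: 00000 is the integer 0, which no text name matches
        smart_action(rows, "principal_name", "contains", "00000", "decide", "rejected"),
        # quotes preserve the leading space in the resource name
        smart_action(rows, "resource_name", "equals", '" Bucket"', "decide", "approved"),
        # Name Not Equals " " selects every row (the page's sign-off-all filter)
        smart_action(rows, "principal_name", "not equals", '" "', "sign_off"),
        # a second decision on signed-off rows is skipped; only carol is still open
        smart_action(rows, "principal_name", "not equals", '" "', "decide", "approved"),
        # mark-as-fixed is the one change still allowed on a signed-off rejected row
        smart_action(rows, "principal_name", "not equals", '" "', "decide", "fixed"),
        smart_action(rows, "principal_name", "contains", '"00000"', "note", "ticket SEC-1 (constructed)"),
        smart_action(rows, "principal_name", "contains", '"00000"', "note", "remediated"),
    ]
    return rows, log


def reassign_demo() -> dict:
    """Reassign every row to 'alice'; alice's own row is skipped (self-review)."""
    rows = sample_rows()
    entry = smart_action(rows, "principal_name", "not equals", '" "', "reassign", "alice")
    entry["reviewers"] = [r.reviewers for r in rows]
    return entry


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

Running the block prints one log entry per smart action; the second entry shows why the page tells you to quote digit strings, since the unquoted `00000` becomes the integer 0 and matches no user name, and the skipped lists show which rows an operator would need to revisit after a bulk sign-off or decision.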

Review access for individual users within a certification

Early Access: The option to list unique users for a certification is currently provided as an experimental feature, and must be enabled by the Veza support team.

When reviewing certifications that involve many different identities, it can be helpful to focus on results related to a single user. You can use the Show Users button to list each unique user involved in a certification, and open a filtered list of all the results related to an individual user.

To use the Unique Users list:

  1. Open an active certification.

  2. Click the Show Users button above the results. The button only appears when the query's source node is a principal.

  3. The list of Unique Users will open, containing the full list of unique source entities in the query results.

  4. Choose an identity from the list. You can search by username, id, or email address to find a specific user.

  5. Click View Details to open the results related to that user in a new tab.

Note that in the current release, for Access Reviewers, the Show Users button lists all unique users in the certification, which can include users of certification rows that are not assigned to the current reviewer.

Reviewer Assignments

While some workflows are limited in scope and reasonably reviewed by a single person, others are best completed by multiple reviewers. When creating a new certification, you will be prompted to select the "Default Reviewer(s)" responsible for making decisions and signing off on any/all results. These initial users can re-assign individual results to additional reviewers as needed.

By default, the reviewers available for reassignment will be based on the system user list. If SSO is enabled and your identity provider is configured as a graph data source, Veza can automatically detect and suggest user managers as reviewers. To get suggestions based on resource managers, the information needs to be added using Veza Tags.

You can delegate any combination of user managers, resource managers, or individually-specified reviewers when creating or editing a certification.

  • Fallback reviewers are assigned to any results where a user or resource manager cannot be found.

  • After a certification is created, you can auto-assign users using row actions or Smart Actions.

Creating local Veza accounts for all reviewers isn't typically recommended. Instead, you should enable SSO to allow employees restricted access via the access_reviewer role. Access reviewers can only view and act on their assigned certifications and results. By default, SSO users are created with the access_reviewer role on first log-in.

Assigning individual reviewers to results

The "Reviewers" column in the certification results table will show any non-default reviewer(s) assigned to each row. Open the row actions dropdown and click Reassign Reviewers to choose a new reviewer just for that result. Reassignment will send a notification to the new and current reviewers.

When viewing a certification as a non-default reviewer, users only see the rows they're currently assigned.

The list of users available to re-assign to will be based on the IdP settings (either Veza system users or identities within a discovered IdP). Self-review is prevented: when assigning reviewers, a user can't be selected if their identifier is the same as the user in the certification result.

If auto-assignment is enabled, Veza can identify user and resource managers using entity metadata. Fallback reviewers are used for results where a user or resource manager cannot be found.

To remove all reviewers from a row, leave the assignee field blank.
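The assignment rules above (default reviewers on every row, manager auto-assignment from IdP metadata or resource tags, fallback to the default reviewers, and the self-review check) are easiest to sanity-check as a small resolver, which is also what a workflow owner effectively does when inspecting a draft certification before publishing. The following is an added example written for this page, not Veza's code; `IDP`, `RESOURCE_TAGS`, the sample results and the `resolve_reviewers` and `assignment_report` names are constructed, and preferring the user manager over the resource manager when both exist is an assumption of the model rather than documented product behaviour.

```python
"""Model of how reviewers are resolved for certification rows (added example,
not Veza's code). "default" mode puts the default reviewer(s) on every row;
"manager" mode uses the principal's manager from IdP metadata or the
resource manager from a tag, falling back to the default reviewer(s) when
neither is found; a reviewer whose identifier equals the row's principal is
never assigned (self-review is prevented)."""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass

# constructed IdP metadata: user -> manager (None when the IdP records none)
IDP = {
    "alice": "dana",
    "bob": None,
    "carol": None,
    "dana": "erin",
    "erin": None,
}

# constructed resource tags (the page: resource managers come from Veza Tags)
RESOURCE_TAGS = {
    "finance-db": {"resource_manager": "frank"},
}


@dataclass(frozen=True)
class Result:
    principal: str
    resource: str


def user_manager(principal: str) -> str | None:
    return IDP.get(principal)


def resource_manager(resource: str) -> str | None:
    return RESOURCE_TAGS.get(resource, {}).get("resource_manager")


def resolve_reviewers(result: Result, mode: str, defaults: list[str]) -> tuple[list[str], str]:
    """Return (reviewers, source); source is manager, default, fallback or unassigned."""
    if mode == "manager":
        # assumption: the user manager wins over the resource manager when both exist
        for mgr in (user_manager(result.principal), resource_manager(result.resource)):
            if mgr and mgr != result.principal:      # never create a self-review
                return [mgr], "manager"
    elif mode != "default":
        raise ValueError(f"unknown mode {mode!r}")
    reviewers = [r for r in defaults if r != result.principal]
    if not reviewers:
        return [], "unassigned"        # owner must assign by hand before publishing
    return reviewers, ("default" if mode == "default" else "fallback")


def assign_all(results: list[Result], mode: str,
               defaults: list[str]) -> dict[Result, tuple[list[str], str]]:
    return {r: resolve_reviewers(r, mode, defaults) for r in results}


def assignment_report(assignments: dict) -> dict[str, int]:
    """Counts per source: the check a workflow owner makes on a draft certification."""
    return dict(Counter(source for _, source in assignments.values()))


# constructed sample results
SAMPLE_RESULTS = [
    Result("alice", "finance-db"),   # alice's manager is dana
    Result("bob", "finance-db"),     # no user manager; resource manager frank via tag
    Result("bob", "hr-bucket"),      # nothing found: fall back to the defaults
    Result("erin", "hr-bucket"),     # erin is a default reviewer: dropped from her own row
    Result("dana", "hr-bucket"),     # dana's manager is erin
]

DEFAULTS = ["erin", "gil"]

if __name__ == "__main__":
    assignments = assign_all(SAMPLE_RESULTS, "manager", DEFAULTS)
    for result, (reviewers, source) in assignments.items():
        print(f"{result.principal:6} {result.resource:11} -> {reviewers} ({source})")
    print(assignment_report(assignments))
```

The report is the number an owner wants from a draft: how many rows landed on a manager, how many fell back to the default reviewers, and whether any row is unassigned because the only default reviewer is the row's own principal.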

Re-assigning default reviewer(s)

If certification ownership needs to be reassigned, you can add a different Veza user as the default reviewer. From the main Workflows page, find the workflow to reassign, click Certifications, and click Edit next to the entry to modify.

By default, users will be suggested from the system user list. If an administrator has configured a graph identity provider as the Workflows Global IdP, any user from your organization may be available for selection.

Tracking Certification Progress

Certification creators have full visibility on all certification items and metadata, including all reviewer assignments, each reviewer's progress, and the total number of certification items that reviewers have acted on or completed.

Access Reviewers only have visibility into the certification rows assigned to them for each certification, and can't view the entire certification or its metadata. They can see their individual progress, including the number of items they have acted on or completed, as well as their total assigned rows.

Viewing stats for a completed workflow

After a certification is marked completed or has expired, Veza operators and administrators can review a final summary of the decisions.

From the main Workflows page:

  1. Find the completed certification

  2. Click Certifications

  3. Click Stats in the action column

The following details are available:

  • Rows not signed-off

  • Signed-off and accepted

  • Signed-off and fixed

  • Signed-off and rejected

  • Status (completed or expired)

  • Expiration/completion date

Certification options

Users with the admin or operator role can change the certification settings using the options menu:
