Workflow and Certification Settings
Customizing Workflow and Certification behavior for specific use cases
Workflows settings can be customized to fit the needs of individual organizations and use cases. These support-enabled options include toggling certification auto-expiration, or requiring a note with reviewer decisions. You can also manage how Veza integrates with a corporate identity provider (IdP) to enable single sign-on and least-privilege certification flows.
See the following sections for more information.
Suggest reviewers from an integrated IdP
By default, the possible reviewers for a certification result row are any Veza platform users. This includes admins, operators, and any users who have already logged in with single sign-on.
When notifications are configured for the workflow, any new reviewers are notified by email, with a link to log in and make decisions on their assigned rows.
If your organization federates access to Veza using an identity provider such as Okta or AzureAD, and that IdP is configured as an integration, reviewers can be suggested using entity metadata. This eliminates the need to create local Veza accounts for reviewers.
For example, if your organization's Okta domain is available in the Entity Catalog, all the domain's Okta Users will be suggested as possible reviewers. An assigned reviewer can then log in to Veza using Okta (assuming SSO is enabled).
With this option, it may be preferable for SSO users to have the Reviewer role by default, to prevent unauthorized access to Veza Search and other functionality. Contact your Veza support team to change the default role for SSO users (operator by default, or access_reviewer).
To enable a global Workflows Identity Provider, see Workflows IdP Settings.
Reviewer auto-assignment
When an integrated Identity Provider (IdP) is configured as the primary Workflows IdP, other employees can sign in as reviewers without first needing to create an account. Veza can use entity metadata such as manager or resource manager to automatically identify and assign reviewers when the certification is created.
This information can be populated in one of two ways:
Within your IdP, set the corresponding manager property on the user object
Within Veza, add a Veza Tag that identifies the manager
When this metadata is available, you can choose to auto-assign reviewers for a new certification. Any rows in the certification that cannot be auto-assigned are assigned to the default reviewer.
Auto-assignment takes place during certification creation. To inform reviewers who are auto-assigned when creating the certification, ensure that "When a Certification is Started" is selected under Notification Settings.
For more information, see Workflow Reviewer Assignments.
Self-review prevention
Self-review prevention is enabled or disabled by your Veza support team. Because it applies during reviewer auto-assignment, a graph Identity Provider must be configured as the primary Workflows IdP.
You may want to prevent reviewers from being able to review and sign off on their own access. When self-review prevention is enabled:
Users with an ID that correlates to a certification result row can't be assigned as reviewers for that row: "john@cookie.ai" won't be a valid reviewer for Okta User "john@cookie.ai".
Users can't be assigned to review access for local user accounts for which they're the top-level identity: if Veza has detected a correlation between an IdP User with id "john@cookie.ai" and the local Snowflake User "jsmith", John won't be allowed as a reviewer for rows that involve his account "jsmith".
Self-review prevention, as well as the deny list, applies when auto-assigning reviewers during certification creation.
Possible values are:
SELF_REVIEWER_CHECKING_DISABLED (default)
SELF_REVIEWER_CHECKING_ENABLED
Auto-assignment fallback behavior: if self-review prevention or the deny list excludes the candidate found when auto-assigning reviewers, the fallback sequence is: manager or resource manager (if not explicitly inactive) > workflow creator > Veza system administrator.
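The following model of reviewer auto-assignment, self-review prevention and the fallback sequence is an added illustration written for this page; it is not Veza code and does not call the Veza API. The record shapes (IdpUser, Row, Context), the helper names and the sample cookie.ai directory are constructed for the example; the setting names and the correlation of "jsmith" to "john@cookie.ai" follow the page. Where the page says "manager or resource manager", this model tries the manager first, which is an assumption.

```python
"""Model of Veza reviewer auto-assignment with self-review prevention (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Setting values named on the page.
SELF_REVIEWER_CHECKING_DISABLED = "SELF_REVIEWER_CHECKING_DISABLED"
SELF_REVIEWER_CHECKING_ENABLED = "SELF_REVIEWER_CHECKING_ENABLED"


@dataclass
class IdpUser:
    id: str
    manager: Optional[str] = None   # manager id from the IdP user object or a Veza Tag
    active: bool = True


@dataclass
class Row:
    """One certification result row: a source identity's access to a destination."""
    source_id: str                           # IdP user id or local account name
    resource_manager: Optional[str] = None   # manager tagged on the destination resource


@dataclass
class Context:
    idp_users: dict          # id -> IdpUser (constructed directory, assumption)
    correlations: dict       # local account -> IdP user id (its top-level identity)
    deny_list: set
    workflow_creator: str
    system_admin: str
    default_reviewer: str
    self_review: str = SELF_REVIEWER_CHECKING_DISABLED


def top_level_identity(ctx: Context, account_id: str) -> str:
    """Resolve a local account to the IdP user Veza has correlated it with."""
    return ctx.correlations.get(account_id, account_id)


def is_self_review(ctx: Context, reviewer: str, row: Row) -> bool:
    """True when the candidate would be certifying their own access (direct id match,
    or the candidate is the top-level identity behind the row's local account)."""
    if ctx.self_review != SELF_REVIEWER_CHECKING_ENABLED:
        return False
    return reviewer == row.source_id or reviewer == top_level_identity(ctx, row.source_id)


def is_eligible(ctx: Context, reviewer: Optional[str], row: Row) -> bool:
    if reviewer is None or reviewer in ctx.deny_list:
        return False
    user = ctx.idp_users.get(reviewer)
    if user is not None and not user.active:      # explicitly inactive in the IdP
        return False
    return not is_self_review(ctx, reviewer, row)


def auto_assign(ctx: Context, row: Row) -> str:
    owner = ctx.idp_users.get(top_level_identity(ctx, row.source_id))
    manager = owner.manager if owner is not None else None
    # Fallback order from the page: manager or resource manager (if not inactive),
    # then the workflow creator, then a Veza system administrator. A row that still
    # cannot be assigned goes to the certification's default reviewer.
    for candidate in (manager, row.resource_manager, ctx.workflow_creator, ctx.system_admin):
        if is_eligible(ctx, candidate, row):
            return candidate
    return ctx.default_reviewer


def build_context(self_review: str = SELF_REVIEWER_CHECKING_DISABLED,
                  deny_list=()) -> Context:
    """Constructed sample directory; the names are made up for this example."""
    users = [
        IdpUser("john@cookie.ai", manager="alice@cookie.ai"),
        IdpUser("alice@cookie.ai", manager="ceo@cookie.ai"),
        IdpUser("ceo@cookie.ai", active=False),                  # inactive manager
        IdpUser("carol@cookie.ai", manager="carol@cookie.ai"),   # lists herself as manager
        IdpUser("ops@cookie.ai"),
        IdpUser("admin@cookie.ai"),
    ]
    return Context(
        idp_users={u.id: u for u in users},
        correlations={"jsmith": "john@cookie.ai"},   # Snowflake user jsmith is John
        deny_list=set(deny_list),
        workflow_creator="ops@cookie.ai",
        system_admin="admin@cookie.ai",
        default_reviewer="reviews@cookie.ai",
        self_review=self_review,
    )


if __name__ == "__main__":
    ctx = build_context(SELF_REVIEWER_CHECKING_ENABLED)
    for row in (Row("jsmith"), Row("alice@cookie.ai"), Row("carol@cookie.ai")):
        print(row.source_id, "->", auto_assign(ctx, row))
```

With checking enabled, the "jsmith" row goes to John's manager rather than John; Alice's row skips her inactive manager and falls back to the workflow creator; Carol, who is listed as her own manager, is never assigned her own row. The same chain, with the deny list populated, is what lands rows on the system administrator and finally the default reviewer.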
Certification completion settings
Depending on how your organization conducts certification campaigns, you may prefer that users be able to complete certifications at any point, or want certifications to autocomplete when certain requirements are met.
Please contact your support team to adjust the following settings:
Autocompletion
By default, a Workflow certification must be manually marked "complete" once a reviewer has signed off on all decisions. This setting can be changed so that certifications move to the CERTIFIED
status once a reviewer signs off on the final row. You can also customize autocomplete behavior to allow or prevent autocompletion of certifications that contain "Rejected" decisions.
Example request:
Possible values are:
COMPLETION_ALLOWED_ALL_ROWS_HAVE_DECISION (default): once all rows have a decision, the workflow is automatically marked as complete and no further changes can be made.
COMPLETION_ALLOWED_ANYTIME: any reviewer can click Complete to finish and close the workflow at any point.
COMPLETION_ALLOWED_ALL_ROWS_HAVE_NON_REJECT_DECISION: autocompletion occurs only when all results are signed off as APPROVED.
When an option other than "Any Time" is selected, reviewers won't have the option to manually Complete Certification from the user interface, and empty certifications (ones created with no results) will always autocomplete.
Cert Auto Complete Settings sets whether certifications automatically move to "completed" status once the deadline is passed. Possible values are:
AUTO_COMPLETE_DISABLED (default)
AUTO_COMPLETE_ENABLED
Example request:
Enable or disable certification expiration
When enabled, all certifications move to the EXPIRED status and become read-only once 24 hours have passed since the due date. Possible values are true or false (default).
Example request:
Requiring notes with decisions
By default, adding a note is optional when making decisions on certification results. However, you may prefer that reviewers be required to leave a note under certain conditions. For example, you might want to require a note for REJECTED rows, while prompting for (but not requiring) a note on ACCEPTED rows.
Notes pop-up behavior sets whether the "Notes" modal appears and if a note is required when making decisions on rows. This behavior can be customized for "Approve" and "Reject" actions:
"Accepted" Notes Behavior:
No pop-up (default)
Optional
Required
"Rejected" Notes Behavior:
No pop-up (default)
Optional
Required
Example request:
When "No pop up" is selected, no prompt is shown, and notes must be added by clicking Add Note. Otherwise, a note will be required or optional depending on the decision.
Change default columns and sorting
Your support team can customize the default columns shown in Certification View, and the sorting order and sorting column.
The following example sets the default columns based on the source, destination node, and intermediate (waypoint) node properties, as well as the result's row's Reviewers:
The default sort value is source.type asc.
Example sort setting:
Certification view preferences are saved to the browser. If a user has already customized a certification's columns, changes to the default settings won't apply.
Certification diff mode
Currently, this option must be configured by your Veza Customer Success team.
By default, users with the Access Reviewer role can view previous decisions on certification results, if prior completed certifications exist for that workflow. This information can be useful to inform decisions about the current level of access based on historical data.
Change certification behavior for access reviewers:
diff_dropdown_behavior defines whether access reviewers can view historical decisions on certifications. Values can be ALWAYS_HIDE_FOR_ACCESS_REVIEWER_ROLE or Normal (default).
accept_notes_behavior and reject_notes_behavior set whether a note is prompted for or required with accept and reject decisions, respectively. Possible values for each are:
NO_POP_UP
POP_UP_OPTIONAL
POP_UP_REQUIRED
If you would prefer reviewers not to have access to this information, the option to Always Hide Certification Diffs for Access Reviewers can be enabled. This global setting will apply to all workflows.
Customize reminder and notification emails
Emails sent by Veza can include customized instructions, unique branding, and placeholders for workflow and certification metadata. See email templates for more information.
A template can be set for each potential usage (certification created, row assigned, due date reminders, and others).
Placeholders can be used to include direct links to the certification, dates, and reviewer metadata such as Name, depending on the selected usage.
Custom HTML/CSS can be included in a base64-encoded body template.
Templates can include links to images hosted externally or you can upload small files to Veza.
Currently, templates are configured using an API.
Workflow presentation rules
To enable easier identification of potentially dangerous results, Veza supports custom styling rules to highlight disabled (inactive) users. In addition to these rows appearing in red when reviewing a certification, the text summary shown when hovering the row will indicate that the user is inactive.
Please contact your Veza customer success team to enable this option. To highlight results based on a custom presentation rule, provide:
The filter string to use (for example source.is_active eq false). The property to match can be either on the source or destination entity selected for the workflow query.
(Optional) A list of workflow ids the presentation rule should apply to (affecting all certifications on that workflow). Otherwise, rules apply to all certifications.
Saved filters
Administrators can add preset filters for users, enabling them to quickly generate common certification views. Quick filters can be accessed under the Certification Filters menu. When creating a saved filter, you can enable it for all workflows or just one.
Saved Filters are managed using a preview API.