Action Allow List

Restrict which users can delete In Progress reviews or modify their due dates, independent of their assigned Veza role.

The Action Allow List restricts two sensitive review operations to users granted roles that explicitly permit these operations:

Deleting an In Progress review
Modifying the due date of an In Progress review

When the action allow list is enabled, only users on the list can perform these operations, regardless of their assigned Veza role. When it is disabled, the standard role-based access controls apply unchanged — no behavior changes for users.

The allow list is configured using the API. There is no UI for managing the list itself.

How It Works

When the allow list is enabled:

Users on the list retain the ability to delete In Progress reviews and modify their due dates.
Users not on the list will not see the Delete or Edit Due Date options in the review management interface. These controls are hidden (they do not appear in a disabled state). API requests to delete or modify the due date of In Progress reviews are also rejected with a permission error for users not on the allow list.
Draft reviews are not affected. The allow list only restricts actions on reviews in the IN_PROGRESS state.

Disabling the allow list restores default behavior immediately. No entries are removed — the list persists if you re-enable later.

Role Requirements

Operation

Required Role

Enable or disable the allow list

admin

Add or remove users from the list

admin or access_reviews_admin

When the action allow list is disabled, the standard role-based permissions apply. By default, users with the admin, operator, or access_reviews_admin role can delete In Progress reviews and modify their due dates.

Enable the Action Allow List

To check the current state:

curl -L -X GET 'https://your-organization.vezacloud.com/api/private/workflows/access/settings/action_allowlist_enabled' \
  -H 'Authorization: Bearer YOUR_SECRET_TOKEN'

Returns {"enabled": true} or {"enabled": false}.

To enable:

curl -L -X PUT 'https://your-organization.vezacloud.com/api/private/workflows/access/settings/action_allowlist_enabled' \
  -H 'Authorization: Bearer YOUR_SECRET_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{"value": true}'

To disable:

curl -L -X PUT 'https://your-organization.vezacloud.com/api/private/workflows/access/settings/action_allowlist_enabled' \
  -H 'Authorization: Bearer YOUR_SECRET_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{"value": false}'

Add Users and Groups to the Allow List

Both individual users and Veza groups can be added to the allow list. A user is permitted if their user ID is directly on the list, or if any group they belong to is on the list.

All IDs must be Veza internal UUIDs — not email addresses or usernames.

To find a user's UUID:

Administration console: Go to Administration > Users, click the user's name, and copy the UUID from their profile page.
Users API: Use the Users and Teams API to retrieve users and locate the id field in the response.

To find a group's UUID:

Administration console: Go to Administration > Group Management. The group UUID is not shown in the table view — use the API to retrieve it.
Groups API: Use GET /api/private/groups to list groups and locate the id field for the target group.

curl -L -X GET 'https://your-organization.vezacloud.com/api/private/groups' \
  -H 'Authorization: Bearer YOUR_SECRET_TOKEN'

Use the filter query parameter to narrow results by name: ?filter=name eq 'Your Group Name'.

Add a user:

curl -L -X POST 'https://your-organization.vezacloud.com/api/private/workflows/access/action_allowlist' \
  -H 'Authorization: Bearer YOUR_SECRET_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{
    "principals": [{"type": "USER", "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"}],
    "allowed_action": ["DELETE_IN_PROGRESS_REVIEW", "MODIFY_IN_PROGRESS_REVIEW_DUE_DATE"]
  }'

Add a group:

curl -L -X POST 'https://your-organization.vezacloud.com/api/private/workflows/access/action_allowlist' \
  -H 'Authorization: Bearer YOUR_SECRET_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{
    "principals": [{"type": "GROUP", "id": "b2c3d4e5-f6a7-8901-bcde-f12345678901"}],
    "allowed_action": ["DELETE_IN_PROGRESS_REVIEW", "MODIFY_IN_PROGRESS_REVIEW_DUE_DATE"]
  }'

Remove a user or group:

curl -L -X POST 'https://your-organization.vezacloud.com/api/private/workflows/access/action_allowlist:delete' \
  -H 'Authorization: Bearer YOUR_SECRET_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{
    "principals": [{"type": "USER", "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"}],
    "allowed_action": ["DELETE_IN_PROGRESS_REVIEW", "MODIFY_IN_PROGRESS_REVIEW_DUE_DATE"]
  }'

List all permitted principals:

curl -L -X GET 'https://your-organization.vezacloud.com/api/private/workflows/access/action_allowlist' \
  -H 'Authorization: Bearer YOUR_SECRET_TOKEN'

API Reference

For the complete API reference including request and response schemas, see Action Allow List.

PreviousReviewer Selection Methods NextPredefined Question Sets

Last updated 1 day ago

Was this helpful?

hashtagHow It Works

hashtagRole Requirements

hashtagEnable the Action Allow List

hashtagAdd Users and Groups to the Allow List

hashtagAPI Reference

How It Works

Role Requirements

Enable the Action Allow List

Add Users and Groups to the Allow List

API Reference