# Action Allow List

The Action Allow List restricts two sensitive review operations to an explicit list of users and groups, independent of which Veza role those users hold:

* **Deleting an In Progress review**
* **Modifying the due date of an In Progress review**

When the action allow list is enabled, only users on the list can perform these operations, regardless of their assigned Veza role. When it is disabled, the standard role-based access controls apply unchanged.

{% hint style="info" %}
The allow list is configured using the API. There is no UI for managing the list itself.
{% endhint %}

## How It Works

When the allow list is enabled:

* Users **on the list** retain the ability to delete In Progress reviews and modify their due dates.
* Users **not on the list** will not see the **Delete** or **Edit Due Date** options in the review management interface.
* API requests to delete or modify the due date of In Progress reviews are also rejected with a permission error for users not on the allow list.
* **Draft reviews are not affected.** The allow list only restricts actions on reviews in the `IN_PROGRESS` state.

Disabling the allow list restores default behavior immediately. No entries are removed — the list persists if you re-enable later.

## Role Requirements

| Operation                         | Required Role                     |
| --------------------------------- | --------------------------------- |
| Enable or disable the allow list  | `admin`                           |
| Add or remove users from the list | `admin` or `access_reviews_admin` |

When the action allow list is disabled, the standard [role-based permissions](/4yItIzMvkpAvMVFAamTf/administration/administration/users/roles.md) apply. By default, users with the `admin`, `operator`, or `access_reviews_admin` role can delete In Progress reviews and modify their due dates.

## Enable the Action Allow List

To check the current state:

```bash
curl -L -X GET 'https://your-organization.vezacloud.com/api/private/workflows/access/settings/action_allowlist_enabled' \
  -H 'Authorization: Bearer YOUR_SECRET_TOKEN'
```

Returns `{"enabled": true}` or `{"enabled": false}`.

To enable:

```bash
curl -L -X PUT 'https://your-organization.vezacloud.com/api/private/workflows/access/settings/action_allowlist_enabled' \
  -H 'Authorization: Bearer YOUR_SECRET_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{"enabled": true}'
```

To disable:

```bash
curl -L -X PUT 'https://your-organization.vezacloud.com/api/private/workflows/access/settings/action_allowlist_enabled' \
  -H 'Authorization: Bearer YOUR_SECRET_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{"enabled": false}'
```

## Add Users and Groups to the Allow List

{% hint style="warning" %}
The endpoint for managing list entries (`/api/private/workflows/access/action_allowlist`) is different from the settings endpoint used to enable or disable the allow list (`/api/private/workflows/access/settings/action_allowlist_enabled`). Sending a principals payload to the settings endpoint will not add entries to the list.
{% endhint %}

Both individual users and Veza groups can be added to the allow list. A user is permitted if their user ID is directly on the list, or if any group they belong to is on the list.
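The decision rules above (enabled versus disabled, user or group membership, per-entry `allowed_action`, and the `IN_PROGRESS` scope) are easier to reason about as code. The following is an added example, not Veza's own implementation. It assumes, beyond what this page states, that list entries can be modelled from the POST payload shape (principal `type`/`id` plus `allowed_action`) and that being on the list is a further restriction on top of the default role check (the page says listed users "retain" the ability; it does not say the list grants it to roles that lack it). The UUIDs are the placeholders used elsewhere on this page.

```python
# Added example (not Veza's code): a model of the allow-list decision this
# page describes. Assumptions, not stated on the page: entries are modelled
# from the POST payload shape, and the list restricts rather than grants.
from dataclasses import dataclass, field

DELETE = "DELETE_IN_PROGRESS_REVIEW"
DUE_DATE = "MODIFY_IN_PROGRESS_REVIEW_DUE_DATE"
GUARDED_ACTIONS = frozenset({DELETE, DUE_DATE})
# Roles this page names as able to perform both actions when the list is off.
DEFAULT_ALLOWED_ROLES = frozenset({"admin", "operator", "access_reviews_admin"})


@dataclass(frozen=True)
class Entry:
    principal_type: str          # "USER" or "GROUP"
    principal_id: str            # Veza internal UUID
    allowed_action: frozenset    # subset of GUARDED_ACTIONS


@dataclass(frozen=True)
class User:
    id: str
    role: str
    group_ids: frozenset = field(default_factory=frozenset)


def entries_from_payload(payload):
    """Expand one POST body ({"principals": [...], "allowed_action": [...]})
    into one Entry per principal, rejecting unknown action names."""
    actions = frozenset(payload["allowed_action"])
    unknown = actions - GUARDED_ACTIONS
    if unknown:
        raise ValueError(f"unknown allowed_action values: {sorted(unknown)}")
    return [Entry(p["type"], p["id"], actions) for p in payload["principals"]]


def on_list(user, action, entries):
    """True if the user, or any group the user belongs to, is listed for `action`."""
    for e in entries:
        if action not in e.allowed_action:
            continue
        if e.principal_type == "USER" and e.principal_id == user.id:
            return True
        if e.principal_type == "GROUP" and e.principal_id in user.group_ids:
            return True
    return False


def may_perform(user, action, review_state, allowlist_enabled, entries):
    """Decide whether `user` may perform a guarded action on a review."""
    if action not in GUARDED_ACTIONS:
        raise ValueError(f"not an allow-list guarded action: {action}")
    role_permits = user.role in DEFAULT_ALLOWED_ROLES
    # List disabled, or review not IN_PROGRESS (e.g. DRAFT): standard
    # role-based access applies unchanged.
    if not allowlist_enabled or review_state != "IN_PROGRESS":
        return role_permits
    # List enabled: the role alone is no longer enough; the user must be listed.
    return role_permits and on_list(user, action, entries)


# Constructed sample data (placeholder UUIDs from this page's examples).
SAMPLE_ENTRIES = entries_from_payload({
    "principals": [{"type": "USER", "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"}],
    "allowed_action": [DELETE, DUE_DATE],
}) + entries_from_payload({
    "principals": [{"type": "GROUP", "id": "b2c3d4e5-f6a7-8901-bcde-f12345678901"}],
    "allowed_action": [DUE_DATE],      # this group may only move due dates
})
ALICE = User("a1b2c3d4-e5f6-7890-abcd-ef1234567890", "operator")
BOB = User("0b0b0b0b-0000-4000-8000-000000000002", "operator")   # not listed
CAROL = User("0c0c0c0c-0000-4000-8000-000000000003", "access_reviews_admin",
             frozenset({"b2c3d4e5-f6a7-8901-bcde-f12345678901"}))

if __name__ == "__main__":
    for who, act in [(ALICE, DELETE), (BOB, DELETE), (CAROL, DELETE), (CAROL, DUE_DATE)]:
        print(who.role, act, may_perform(who, act, "IN_PROGRESS", True, SAMPLE_ENTRIES))
```

Running it shows the cases the prose describes: Bob keeps his operator rights on draft reviews and regains them on in-progress reviews the moment the list is disabled, while Carol, listed only through a group whose entry carries `MODIFY_IN_PROGRESS_REVIEW_DUE_DATE`, can move a due date but not delete.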

All IDs must be Veza internal UUIDs — not email addresses or usernames.

To find a user's UUID:

* **Administration console**: Go to **Administration** > **Users**, click the user's name, and copy the UUID from their profile page.
* **Users API**: Use the [Users and Teams API](/4yItIzMvkpAvMVFAamTf/developers/api/users-teams.md) to retrieve users and locate the `id` field in the response.

To find a group's UUID:

* **Administration console**: Go to **Administration** > **Group Management**. The group UUID is not shown in the table view — use the API to retrieve it.
* **Groups API**: Use `GET /api/private/groups` to list groups and locate the `id` field for the target group.

```bash
curl -L -X GET 'https://your-organization.vezacloud.com/api/private/groups' \
  -H 'Authorization: Bearer YOUR_SECRET_TOKEN'
```

Use the `filter` query parameter to narrow results by name: `?filter=name eq 'Your Group Name'`. The spaces and quotes in the filter value must be URL-encoded (curl's `-G` together with `--data-urlencode` does this for you).

**Add a user:**

```bash
curl -L -X POST 'https://your-organization.vezacloud.com/api/private/workflows/access/action_allowlist' \
  -H 'Authorization: Bearer YOUR_SECRET_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{
    "principals": [{"type": "USER", "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"}],
    "allowed_action": ["DELETE_IN_PROGRESS_REVIEW", "MODIFY_IN_PROGRESS_REVIEW_DUE_DATE"]
  }'
```

**Add a group:**

```bash
curl -L -X POST 'https://your-organization.vezacloud.com/api/private/workflows/access/action_allowlist' \
  -H 'Authorization: Bearer YOUR_SECRET_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{
    "principals": [{"type": "GROUP", "id": "b2c3d4e5-f6a7-8901-bcde-f12345678901"}],
    "allowed_action": ["DELETE_IN_PROGRESS_REVIEW", "MODIFY_IN_PROGRESS_REVIEW_DUE_DATE"]
  }'
```

**Remove a user or group:**

```bash
curl -L -X POST 'https://your-organization.vezacloud.com/api/private/workflows/access/action_allowlist:delete' \
  -H 'Authorization: Bearer YOUR_SECRET_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{
    "principals": [{"type": "USER", "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"}],
    "allowed_action": ["DELETE_IN_PROGRESS_REVIEW", "MODIFY_IN_PROGRESS_REVIEW_DUE_DATE"]
  }'
```

**List all permitted principals:**

```bash
curl -L -X GET 'https://your-organization.vezacloud.com/api/private/workflows/access/action_allowlist' \
  -H 'Authorization: Bearer YOUR_SECRET_TOKEN'
```
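The calls above are one procedure: resolve the group UUID by name, validate it, POST it to the entries endpoint (not the settings endpoint), then read the list back to confirm. The script below carries that procedure through end to end. It is an added example, not Veza's own tooling, and it assumes response shapes the page does not document: that `GET /api/private/groups` answers `{"values": [{"id": ..., "name": ...}, ...]}` and that `GET .../action_allowlist` answers `{"entries": [{"principal": {...}, "allowed_action": [...]}, ...]}`. The HTTP layer is injected so the example runs against the in-memory `FakeVeza` stand-in; swap in `urllib_transport` to run it against a tenant.

```python
# Added example (not Veza's own tooling): resolve a group UUID by name, add it
# to the action allow list, and verify by reading the list back. The response
# shapes for the groups and allow-list GET endpoints are assumptions, not
# documented on the page; FakeVeza is constructed test data, not real output.
import json
import re
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

ENTRIES_PATH = "/api/private/workflows/access/action_allowlist"
SETTINGS_PATH = "/api/private/workflows/access/settings/action_allowlist_enabled"
GROUPS_PATH = "/api/private/groups"
ALL_ACTIONS = ("DELETE_IN_PROGRESS_REVIEW", "MODIFY_IN_PROGRESS_REVIEW_DUE_DATE")
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)


def urllib_transport(base_url, token):
    """Real transport: returns send(method, path, body) -> parsed JSON."""
    def send(method, path, body=None):
        req = Request(base_url + path, method=method,
                      data=None if body is None else json.dumps(body).encode(),
                      headers={"Authorization": f"Bearer {token}",
                               "Content-Type": "application/json"})
        with urlopen(req) as resp:
            return json.loads(resp.read() or b"{}")
    return send


class AllowListClient:
    def __init__(self, send):
        self.send = send

    def find_group_id(self, name):
        # The page documents ?filter=name eq 'Group Name'; urlencode quotes it.
        query = urlencode({"filter": f"name eq '{name}'"})
        groups = self.send("GET", f"{GROUPS_PATH}?{query}").get("values", [])
        ids = [g["id"] for g in groups if g.get("name") == name]
        if len(ids) != 1:
            raise LookupError(f"expected exactly one group named {name!r}, found {len(ids)}")
        return ids[0]

    def add(self, principal_type, principal_id, actions=ALL_ACTIONS):
        if principal_type not in ("USER", "GROUP"):
            raise ValueError(f"principal type must be USER or GROUP, not {principal_type!r}")
        if not UUID_RE.match(principal_id):
            raise ValueError("principal id must be a Veza internal UUID, not an email or username")
        body = {"principals": [{"type": principal_type, "id": principal_id}],
                "allowed_action": list(actions)}
        # Entries go to ENTRIES_PATH; SETTINGS_PATH only toggles the feature on/off.
        self.send("POST", ENTRIES_PATH, body)

    def is_listed(self, principal_type, principal_id):
        listing = self.send("GET", ENTRIES_PATH)
        wanted = {"type": principal_type, "id": principal_id}
        return any(e.get("principal") == wanted for e in listing.get("entries", []))


class FakeVeza:
    """Constructed in-memory stand-in for the two endpoints used above."""
    def __init__(self):
        self.groups = [{"id": "b2c3d4e5-f6a7-8901-bcde-f12345678901", "name": "Review Admins"}]
        self.entries = []

    def __call__(self, method, path, body=None):
        url = urlparse(path)
        if method == "GET" and url.path == GROUPS_PATH:
            flt = parse_qs(url.query).get("filter", [""])[0]
            m = re.fullmatch(r"name eq '(.*)'", flt)
            wanted = m.group(1) if m else None
            return {"values": [g for g in self.groups if wanted in (None, g["name"])]}
        if method == "POST" and url.path == ENTRIES_PATH:
            for p in body["principals"]:
                self.entries.append({"principal": p, "allowed_action": body["allowed_action"]})
            return {}
        if method == "GET" and url.path == ENTRIES_PATH:
            return {"entries": list(self.entries)}
        raise RuntimeError(f"unexpected call {method} {path}")


def add_group_and_verify(client, group_name):
    """Resolve, add if missing, then confirm; returns the group UUID."""
    gid = client.find_group_id(group_name)
    if not client.is_listed("GROUP", gid):
        client.add("GROUP", gid)
    if not client.is_listed("GROUP", gid):
        raise RuntimeError("group was not found on the allow list after adding it")
    return gid


if __name__ == "__main__":
    # Against a tenant: AllowListClient(urllib_transport("https://your-organization.vezacloud.com", TOKEN))
    print(add_group_and_verify(AllowListClient(FakeVeza()), "Review Admins"))
```

The client refuses to send anything that is not a UUID, so an email address pasted in by mistake fails locally rather than as a confusing server-side error, and `add_group_and_verify` is idempotent: a second run finds the group already listed and does not POST a duplicate entry.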

## API Reference

For the complete API reference including request and response schemas, see [Action Allow List](/4yItIzMvkpAvMVFAamTf/developers/api/workflows/access-review-settings/actionallowlist.md).

