Identity Provider and HRIS Enrichment
Create access reviews to include information from an integrated identity provider or human resource information system.
Early Access: Enrichment is currently provided on an opt-in basis. Please contact Veza Support to enable this feature. Enrichment requires an IDP or HRIS integration such as Okta, Active Directory, Azure AD, Workday, or a Custom Identity Provider.
You can configure access reviews to show additional human resource or identity metadata for users under review. When enabled, Veza will check for matching entities in an integrated Identity Provider or HRIS platform when creating the review. The linked user attributes are shown in columns, which reviewers can show, hide, or filter by for faster and more accurate decision-making.
For example, when reviewing local Snowflake user access to Snowflake databases, enabling this option will show the attributes of the linked Okta user for each local user, such as their risk score, first and last name, and whether MFA is enabled. Local users with no linked Okta users could be machine identities, or represent risky misconfigurations.
Similarly, an access review of Okta users to Okta applications can use this option to show information about the Workday Worker associated with each user, such as the cost center, hire date, or active status.
To enable IDP User columns in the reviewer interface, enable enrichment in the configuration scope:
1. Create or edit a configuration.
2. In the review scope, enable Advanced Options > Enrich with IdP/HRIS data.
3. Select from the list of supported entity types to enable result enrichment (such as "Workday Worker" for "Okta User").
4. Save the configuration and create a review.
5. In the reviewer interface, use the column selector to enable columns for the "IDP User."
To configure the reviewer interface to show these columns by default, see Customizing Default Columns.
In the configuration builder, choosing an entity type under the Enrich with IdP/HRIS data option enables filters on that entity type. For example, you might choose 'Okta User' as the source entity type under review and enable 'Workday Worker' as the enrichment entity type. You can then apply filters on both Okta User and Workday Worker attributes.
It is important to understand how these filters affect the review results. If an enrichment attribute does not meet the filter criteria, the enrichment data for that row is hidden, but the original access relationship remains visible. This behavior ensures that you can still see all source and destination entities, and identify rows where the enrichment data does not match the filter.
- Filters on enrichment data do not remove source or destination entities from the review. You will still see all access relationships.
- If the enrichment data does not meet the filter criteria, only the enrichment columns are affected.
- This behavior helps identify users who may not have corresponding enrichment data, which can indicate misconfigurations.
Example:
Suppose you have a review of Local Users to Local Groups, enriched with Okta User data:
Okta User | Local User | Local Group |
---|---|---|
Bob | Bob | Group1 |
Bob | Bob | Group2 |
Alice | Alice | Group2 |
Now, you apply a filter on the Okta User column to exclude users whose names start with "A" (e.g., Okta User does not start with "A"). The updated review results will be:
Okta User | Local User | Local Group |
---|---|---|
Bob | Bob | Group1 |
Bob | Bob | Group2 |
(blank) | Alice | Group2 |
In this filtered view:
- Bob's enrichment data continues to appear because it meets the filter criteria.
- Alice's enrichment data is blank because it does not meet the filter criteria (Alice starts with "A").
- The access relationship between Alice and Group2 remains visible.
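
The filter behavior in this example can be modeled as a left join whose filter sits in the join condition. The following is an added illustration, not Veza's code: the table names, the helper functions, and linking local users to Okta users by identical name are assumptions, and the rows are constructed to mirror the tables above.

```python
import sqlite3

# Constructed sample data mirroring the tables in the example above.
ACCESS = [("Bob", "Group1"), ("Bob", "Group2"), ("Alice", "Group2")]
OKTA_USERS = ["Bob", "Alice"]

def build_db(access=ACCESS, okta_users=OKTA_USERS):
    """Load the sample rows into an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE access (local_user TEXT, local_group TEXT)")
    db.execute("CREATE TABLE okta_user (name TEXT)")
    db.executemany("INSERT INTO access VALUES (?, ?)", access)
    db.executemany("INSERT INTO okta_user VALUES (?)", [(n,) for n in okta_users])
    return db

# Assumption: local users are linked to Okta users by identical name.
# The filter is part of the join condition, so a row that fails it keeps
# its access relationship and only loses the enrichment column (NULL).
ENRICHMENT_FILTER = """
    SELECT o.name, a.local_user, a.local_group
    FROM access a
    LEFT JOIN okta_user o
      ON o.name = a.local_user
     AND (:p = '' OR substr(o.name, 1, length(:p)) <> :p)
    ORDER BY a.rowid"""

# Contrast: the same filter applied to the joined rows removes the whole
# relationship, which is what the page says enrichment filters do not do.
ROW_FILTER = """
    SELECT o.name, a.local_user, a.local_group
    FROM access a
    LEFT JOIN okta_user o ON o.name = a.local_user
    WHERE substr(o.name, 1, length(:p)) <> :p
    ORDER BY a.rowid"""

def review_rows(db, exclude_prefix=""):
    """Review rows with the enrichment filter 'does not start with <prefix>'."""
    return db.execute(ENRICHMENT_FILTER, {"p": exclude_prefix}).fetchall()

def row_filtered(db, exclude_prefix):
    """Rows left if the filter removed relationships (not the documented behavior)."""
    return db.execute(ROW_FILTER, {"p": exclude_prefix}).fetchall()

def blank_enrichment(rows):
    """Local users whose enrichment column is blank in the given rows."""
    return sorted({local for okta, local, _ in rows if okta is None})

if __name__ == "__main__":
    for okta, local, group in review_rows(build_db(), "A"):
        print(f"{okta or '(blank)':8} | {local:6} | {group}")
```

In this model a blank enrichment column has two possible causes: a linked identity that the filter excluded, or no linked identity at all. Comparing `blank_enrichment` with and without the filter separates the two.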