Managers and Resource Owners
How to automatically assign reviewers with tags and attributes using your Identity Provider, Graph Search, or Veza APIs.
Last updated
Was this helpful?
How to automatically assign reviewers with tags and attributes using your Identity Provider, Graph Search, or Veza APIs.
Last updated
Was this helpful?
When creating an access review, operators can choose to assign the review to managers and resource owners as reviewers based on graph metadata:
Veza can automatically assign reviewers to rows involving entities they own or manage.
Veza will suggest default reviewers if the review scope is a single named identity or resource with an assigned owner.
If the identity provider (IdP) used to log in to Veza is added as an integration, you can enable it as a to enable suggestions and auto-assignment for all users in your organization.
Managers are identified by their manager attribute (for IdP users) or a SYSTEM_resource_managers (on resources) containing a valid user ID. This user ID is defined in the idp_unique_id property on the corresponding IdP User entity in the graph.
For natively-supported identity providers, such as Okta, you can assign a manager by setting a user's Manager attribute from the provider's admin console.
Any entity in the Veza graph can have a resource owner. Apply a tag with key SYSTEM_resource_managers. The tag's value is the comma-delineated list of user ID's, for example:
The tag value must match the "IDP Unique ID" property on the user's graph entity. For Okta, OneLogin, and Microsoft Azure AD identities, this is an email address. If using a , the user or group
identitycan be any unique string.
From the Veza UI, you can add a manager tag to any entity in Graph Search:
In Veza, go to Access Visibility > Graph.
Search for the entity.
Click the entity in the search results to open the sidebar.
Click Set Resource Owner.
In the Add Resource Owner box, type to search for users by email and Save the changes.
Add tag:
Remove a tag by providing the entity id and the tag key to delete:
To test resource owner assignment using tags:
Pick a resource on the graph that doesn't yet have an owner.
Apply a system_resource_managers tag with the email address of another Veza user.
Create an Access Reviews configuration. Select the entity type of the tagged resource, and Select a single entity and specify the resource name.
Save the configuration and create a review.
The resource owner's Veza account should be selected as the default reviewer.
To test manager assignments using Okta:
Pick an IdP entity (such as OktaUser) on the graph.
If the user already has a manager, create a corresponding Veza user for the manager's email address (you can give it the Access Reviewer role).
Otherwise, log in to Okta and set the user's Manager attribute to your Veza email address.
Create a configuration. Select the entity type (OktaUser) and choose to Select a single entity. Enter the Okta user name.
Save the configuration and start a review.
The manager's Veza account will be a suggested default reviewer.
To assign an IdP user or group as the manager of any resource Veza has discovered (from another integration), list the node type and node ID in the entities_owned field, for example:
When Veza parses the payload, graph entities are assigned a system_resource_managers tag. The owner(s) will be suggested as reviewers for any reviews when the configuration scope is a single named resource with a matching tag.
When using the custom application template to submit application and resource metadata, assign resource owners by applying a Veza tag:
You can apply and remove tags programmatically using the . Assign owners "SYSTEM_resource_managers" as the tag key, where the value is a comma-separated list of IdP user IdP Unique IDs.
You can update the manager of a Custom IdP User by pushing a new OAA payload or using modify .
You can use the to create graph entities with metadata for your custom domains, identities, and groups. To assign manager relationships within the custom IdP, users and groups can be mapped to the identity of another user:
You can use to modify or remove tags on OAA entities.
