# Entity Owners and Resource Manager Tags

### Overview

When creating an access review, operators can choose to assign the review to entity owners and resource owners as reviewers based on graph metadata:

* Veza can **automatically assign** reviewers to rows involving entities they own or manage.
* Veza will **suggest** default reviewers if the review scope is a single named identity or resource with an assigned owner.
* If the identity provider (IdP) used to log in to Veza is added as an integration, you can enable it as a [Global Identity Provider](/4yItIzMvkpAvMVFAamTf/features/access-reviews/configuration/global-idp-settings.md) to enable suggestions and auto-assignment for all users in your organization.

To identify a manager, Veza checks the `manager` attribute (for IdP users), the Entity Owners, or a `SYSTEM_resource_managers` [tag](/4yItIzMvkpAvMVFAamTf/features/search/tags.md) (on resources) containing a valid user ID. This user ID is defined in the `idp_unique_id` property on the corresponding IdP User entity in the graph.

### Access Reviews Auto-Assignment Logic

Veza auto-assigns reviewers with the following priority:

1. If an entity has an **Entity Owner**, that owner is assigned as the reviewer.
2. If no Entity Owner is configured on the graph node, Veza checks for a **Resource Manager Tag** and assigns the users it lists.
3. If a secondary source of identity is configured, [Alternate Manager Lookup rules](/4yItIzMvkpAvMVFAamTf/features/access-reviews/configuration/global-idp-settings/alternate-manager-lookup.md) can apply.

See [Reviewer Selection Logic](/4yItIzMvkpAvMVFAamTf/features/access-reviews/configuration/reviewer-selection-methods.md#reviewer-selection-logic) for more details about default and fallback reviewers, and configuration settings.

### Assigning Entity Owners

Access Reviews supports both legacy tag-based manager assignment and Entity Owners. Entity Owners enable simplified manager assignment directly from the Veza UI and improved integration with other products and search features.

In Veza, you can assign Entity Owners directly from Graph search, Query Builder, and the **NHI** overview page.

#### Assigning Owners on the NHI Accounts Page

For non-human identity (NHI) accounts:

1. Go to the **NHI** > **Accounts** overview
2. Select one or more accounts from the list
3. Click the **Assign Owner** button to open the owners sidebar
4. Search for a user by name or email
5. Confirm the assignment

Once assigned, entity owners appear in the NHI accounts table's **Entity Owner** column.

#### Assigning Owners in Query Builder

For bulk-assigning owners to multiple entities of different types in Query Builder results:

1. Go to **Access Visibility** > **Graph** > **Query Builder**
2. Run a query to return the desired entities
3. Select one or more entities from the results
4. Click the **Assign Entity Owners** button at the top of the results
5. Search for and select the appropriate owner(s)
6. Confirm the assignment

#### Assigning Owners in Graph Search

To assign an owner to individual entities in Graph Search:

1. Open **Access Visibility** > **Graph**
2. Search for and locate the entity
3. Click on the entity node to open the details sidebar
4. Click the **Set Entity Owners** option in the sidebar
5. Select the appropriate owner(s) and save your changes

### Supported entity types for owner assignment <a href="#supported-entity-types" id="supported-entity-types"></a>

Entity owners can be assigned to any entity type that includes the `owners` property in the Veza graph schema. This includes:

**OAA application template entities:** Application, Users, Groups, Roles, Resources, and Access Credentials. See [OAA Entity Owners](/4yItIzMvkpAvMVFAamTf/developers/api/oaa/best-practices/oaa-entity-owners.md) for details on setting owners in OAA payloads.

**IdP application entities:** `OktaApp`, `OneLoginApp`, `AzureADEnterpriseApplication`, `PingOneApplication`, `PingOneIdentityProvider`, `HashicorpVaultAuthMethodSubresource`, and `CustomIDPApp`. Owners for these entity types cannot be set in integration payloads. Assign them using one of the following methods:

* **Graph Search or Query Builder**: Find the entity and use the **Set Entity Owners** action in the sidebar, or select multiple entities and click **Assign Entity Owners**.
* **Enrichment rules**: Create an [enrichment rule](/4yItIzMvkpAvMVFAamTf/integrations/configuration/enrichment.md) of type **Assign Entity Owners** to automatically assign owners at extraction time.
* **Batch Set Owners API**: Use the [Batch Set Owners](/4yItIzMvkpAvMVFAamTf/developers/api/management/owners.md) endpoint for programmatic assignment.

### Resource Manager Tags

The following sections provide information about manager assignments using tags. This is supported as a legacy option, but no longer the recommended approach.

{% hint style="warning" %}
**Tag persistence:** `SYSTEM_resource_managers` tags can be lost if a provider, datasource, or specific entity is removed and recreated. If you rely on these tags for reviewer auto-assignment, be aware that removing and re-adding a provider or datasource will require you to reapply the tags. Export your tag assignments before making such changes. See [Tag persistence](/4yItIzMvkpAvMVFAamTf/features/search/tags.md#tag-persistence) for more details.

Note that Entity Owners assigned via the UI or API are also lost when entities are removed and recreated, as owner data is stored directly on entity nodes.
{% endhint %}

#### Manager Identification with Tags

Managers can be identified by a `SYSTEM_resource_managers` [tag](/4yItIzMvkpAvMVFAamTf/features/search/tags.md) (on resources) containing a valid user ID.

The tag's value is a comma-delimited list of user IDs, for example:

```json
{
  "tag": {
    "key": "SYSTEM_resource_managers",
    "value": "01a09253,928a24e4"
  }
}
```

> The tag value must match the *"IDP Unique ID"* property on the user's graph entity for the Global Identity Provider.\
> For Okta, OneLogin, and Microsoft Azure AD identities, this is an email address.\
> If using a [custom IdP](/4yItIzMvkpAvMVFAamTf/developers/api/oaa/templates/custom-identity-provider-template.md), the user or group `identity` can be any unique string.
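The auto-assignment priority (Entity Owner first, then the `SYSTEM_resource_managers` tag) and the matching rule above (each tag value must equal a user's IDP Unique ID) can be modelled to check an entity before a review is created. This is an added example, not Veza's own code: the entity record shape, the `owners` list, the case-insensitive tag key comparison and the sample IdP users are assumptions made for the illustration.

```python
"""Reviewer auto-assignment resolver (added illustration, not Veza code).

Priority modelled from the page: Entity Owners win; otherwise the
SYSTEM_resource_managers tag is parsed and each comma-delimited value
must match the idp_unique_id of a Global IdP user. IDs that match
nothing are reported so an operator can see why no reviewer appeared.
"""
from typing import Dict, List, Tuple

MANAGER_TAG = "SYSTEM_resource_managers"

# Constructed sample of Global IdP users keyed by their IDP Unique ID.
IDP_USERS: Dict[str, str] = {
    "jim@cookie.ai": "Jim",
    "ops@veza.com": "Ops Lead",
    "01a09253": "Analyst A",
}


def manager_ids_from_tags(tags: List[dict]) -> List[str]:
    """Collect, trim and de-duplicate IDs from the manager tag.

    Tolerates stray whitespace and empty entries such as 'a, ,b'.
    The key comparison is case-insensitive (an assumption, because the
    page spells the key in both cases)."""
    seen, ids = set(), []
    for tag in tags:
        if tag.get("key", "").lower() != MANAGER_TAG.lower():
            continue
        for raw in tag.get("value", "").split(","):
            uid = raw.strip()
            if uid and uid not in seen:
                seen.add(uid)
                ids.append(uid)
    return ids


def resolve_reviewers(entity: dict, idp_users: Dict[str, str] = IDP_USERS) -> Tuple[str, List[str], List[str]]:
    """Return (source, reviewers, unmatched_tag_ids) for one graph entity."""
    owners = list(entity.get("owners", []))
    if owners:
        # An Entity Owner short-circuits the tag lookup entirely.
        return "entity_owner", owners, []
    ids = manager_ids_from_tags(entity.get("tags", []))
    matched = [i for i in ids if i in idp_users]
    unmatched = [i for i in ids if i not in idp_users]
    if matched:
        return "resource_manager_tag", matched, unmatched
    return "none", [], unmatched
```

Run `resolve_reviewers` over the entities in a planned review scope and treat any non-empty unmatched list as a tag that needs correcting before the review is created.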

#### Assigning resource owners (Tags API)

You can apply and remove tags programmatically using the [Tags API](/4yItIzMvkpAvMVFAamTf/developers/api/tags/tags-api.md). To assign owners, use `SYSTEM_resource_managers` as the tag key, with a value that is a comma-separated list of the IdP users' `IdP Unique ID`s.

Add tag:

```bash
curl -X POST "$BASEURL/api/v1/graph/nodes/tags" \
  -H "authorization: Bearer $TOKEN" \
  -H 'content-type: application/json' \
  --data-raw '{
  "node_id": "527398259632-c98becd0",
  "tags": [
    {
      "key": "SYSTEM_resource_managers",
      "value": "jim@cookie.ai"
    }
  ]
}'
```

Remove a tag by providing the entity id and the tag key to delete:

```bash
curl -X POST "$BASEURL/api/v1/graph/nodes/tags:remove" \
  -H "authorization: Bearer $TOKEN" \
  -H 'content-type: application/json' \
  --data-raw '{
  "node_id": "dn44266.us-east-2.aws.snowflakecomputing.com/database/LOCATION/schema/COUNTRIES/table/USA",
  "tag_key": "SYSTEM_resource_managers"
}'
```

You can update the manager of a Custom IdP User by pushing a new OAA payload or using `modify` [incremental updates](/4yItIzMvkpAvMVFAamTf/developers/api/oaa/best-practices/incremental-updates.md).

### Validating manager assignments

To test resource owner assignment using tags:

1. Pick a resource on the graph that doesn't yet have an owner.
2. Apply a `system_resource_managers` tag with the email address of another Veza user.
3. Create an Access Reviews configuration. Select the entity type of the tagged resource, choose *Select a single entity*, and specify the resource name.
4. Save the configuration and create a review.
5. The resource owner's Veza account should be selected as the default reviewer.

To test manager assignments using Okta:

1. Pick an IdP entity (such as `OktaUser`) on the graph.
2. If the user already has a manager, create a corresponding Veza user for the manager's email address (you can give it the `Access Reviewer` role).
3. Otherwise, log in to Okta and set the user's Manager attribute to your Veza email address.
4. Create a configuration. Select the entity type (`OktaUser`) and choose to *Select a single entity*. Enter the Okta user name.
5. Save the configuration and start a review.
6. The manager's Veza account will be a suggested default reviewer.

### Assigning owners for custom applications and identity providers

When using the [custom application template](/4yItIzMvkpAvMVFAamTf/developers/api/oaa/templates/custom-application-template.md) to submit application and resource metadata, you can assign entity owners via tags (legacy method).

```json
{
  "name": "demo.vezacloud.com",
  "resource_type": "Cluster",
  "description": "demo cluster",
  "sub_resources": [],
  "tags": [
    {
      "key": "system_resource_managers",
      "value": "ops@veza.com"
    }
  ]
}
```

The tagged manager will only be used if no Entity Owner property is present.

You can use [Incremental Updates](/4yItIzMvkpAvMVFAamTf/developers/api/oaa/best-practices/incremental-updates.md) to modify or remove tags and properties on OAA entities.

#### Assigning managers (Custom IdP)

You can use the [custom identity provider template](/4yItIzMvkpAvMVFAamTf/developers/api/oaa/templates/custom-identity-provider-template.md) to create graph entities with metadata for your custom domains, identities, and groups. To assign manager relationships within the custom IdP, `users` and `groups` can be mapped to the `identity` of another user:

```json
...
{
  "name": "Direct Report",
  "identity": "000001",
  "manager_id": "00011"
},
{
  "name": "Manager One",
  "identity": "00011",
  "manager_id": "00029"
},
{
  "name": "Senior Manager",
  "identity": "00029",
  "manager_id": null
}
...
```
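Because `manager_id` is matched against another user's `identity` string, a typo in a payload silently breaks the chain and no manager is suggested. The validator below is an added example (not part of Veza's OAA SDK) that checks a custom IdP `users` list for dangling references, duplicate identities and manager loops before it is pushed; the sample users are constructed for the illustration.

```python
"""Check manager_id references in a custom IdP OAA payload before push.

Added illustration, not Veza's OAA SDK. Only the user-list shape shown
on the page (name / identity / manager_id) is assumed.
"""
from typing import Dict, List

# Constructed sample: one dangling manager_id ("000011" vs "00011") and one loop.
SAMPLE_USERS = [
    {"name": "Direct Report", "identity": "000001", "manager_id": "000011"},
    {"name": "Manager One", "identity": "00011", "manager_id": "00029"},
    {"name": "Senior Manager", "identity": "00029", "manager_id": None},
    {"name": "Loop A", "identity": "L1", "manager_id": "L2"},
    {"name": "Loop B", "identity": "L2", "manager_id": "L1"},
]


def validate_manager_chain(users: List[dict]) -> Dict[str, List[str]]:
    """Return problems keyed by kind; each list holds offending identities."""
    problems: Dict[str, List[str]] = {"dangling": [], "cycle": [], "duplicate": []}
    by_id: Dict[str, dict] = {}
    for u in users:
        ident = u["identity"]
        if ident in by_id:
            problems["duplicate"].append(ident)
        by_id[ident] = u
    # A manager_id that is not an identity in this payload resolves to nobody.
    for u in users:
        mgr = u.get("manager_id")
        if mgr is not None and mgr not in by_id:
            problems["dangling"].append(u["identity"])
    # Walk each user's chain upward; revisiting a node means a reporting loop.
    for u in users:
        seen, cur = set(), u["identity"]
        while cur is not None and cur in by_id:
            if cur in seen:
                problems["cycle"].append(u["identity"])
                break
            seen.add(cur)
            cur = by_id[cur].get("manager_id")
    return problems


if __name__ == "__main__":
    print(validate_manager_chain(SAMPLE_USERS))
```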

### Assigning owned entities (Custom IdP)

To assign an IdP user or group as the manager of any resource Veza has discovered (from another integration), list the node type and node ID in the `entities_owned` field, for example:

```json
{
  "name": "Custom User",
  "identity": "000011",
  "entities_owned": [
    {
      "node_type": "S3Bucket",
      "id": "arn:aws:s3:::amazon-connect-53f87966654d"
    }
  ]
}
```

When Veza parses the payload, graph entities are assigned a `system_resource_managers` tag. The owner(s) will be suggested as reviewers for any reviews when the configuration scope is a single named resource with a matching tag.

