Managers and Resource Owners

How to automatically assign reviewers with tags and attributes using your Identity Provider, Graph Search, or Veza APIs.

Overview

When creating an access review, operators can choose to assign the review to managers and resource owners as reviewers based on graph metadata:

  • Veza can automatically assign reviewers to rows involving entities they own or manage.

  • Veza will suggest default reviewers if the review scope is a single named identity or resource with an assigned owner.

  • If the identity provider (IdP) used to log in to Veza is added as an integration, you can enable it as a Global Identity Provider to enable suggestions and auto-assignment for all users in your organization.

Managers are identified by their manager attribute (for IdP users) or a SYSTEM_resource_managers tag (on resources) containing a valid user ID. This user ID is defined in the idp_unique_id property on the corresponding IdP User entity in the graph.

  • For natively-supported identity providers, such as Okta, you can assign a manager by setting a user's Manager attribute from the provider's admin console.

  • Any entity in the Veza graph can have a resource owner. Apply a tag with key SYSTEM_resource_managers. The tag's value is the comma-delineated list of user ID's, for example:

    {
    "tag": {
        "key": "SYSTEM_resource_managers",
        "value": "01a09253,928a24e4"
      }
    }

    The tag value must match the "IDP Unique ID" property on the user's graph entity. For Okta, OneLogin, and Microsoft Azure AD identities, this is an email address. If using a custom IdP, the user or group identity can be any unique string.

From the Veza UI, you can add a manager tag to any entity in Graph Search:

  1. In Veza, go to Access Visibility > Graph.

  2. Search for the entity.

  3. Click the entity in the search results to open the sidebar.

  4. Click Set Resource Owner.

  5. In the Add Resource Owner box, type to search for users by email and Save the changes.

Assigning resource owners (Tags API)

You can apply and remove tags programmatically using the Tags API. Assign owners "SYSTEM_resource_managers" as the tag key, where the value is a comma-separated list of IdP user IdP Unique IDs.

Add tag:

curl $BASEURL/api/v1/graph/nodes/veza_tags' \
-H 'authorization: Bearer '$TOKEN \
--data-raw '
{
  "node_id": "527398259632-c98becd0",
  "tags": [
    {
      "key": "SYSTEM_resource_managers",
      "value": "jim@cookie.ai"
    }
  ]
}'

Remove a tag by providing the entity id and the tag key to delete:

curl $BASEURL/api/v1/graph/veza_tags:remove \
-H 'authorization: Bearer '$TOKEN \
--data-raw '{
  "node_id": "dn44266.us-east-2.aws.snowflakecomputing.com/database/LOCATION/schema/COUNTRIES/table/USA",
  "tag_key": "SYSTEM_resource_managers"
}'

For custom IdP users, you can also change the manager by pushing a new payload or using modify incremental updates.

Validating manager assignments

To test resource owner assignment using tags:

  1. Pick a resource on the graph that doesn't yet have an owner.

  2. Apply a system_resource_managers tag with the email address of another Veza user.

  3. Create an Access Reviews configuration. Select the entity type of the tagged resource, and Select a single entity and specify the resource name.

  4. Save the configuration and create a review.

  5. The resource owner's Veza account should be selected as the default reviewer.

To test manager assignments using Okta:

  1. Pick an IdP entity (such as OktaUser) on the graph.

  2. If the user already has a manager, create a corresponding Veza user for the manager's email address (you can give it the Access Reviewer role).

  3. Otherwise, log in to Okta and set the user's Manager attribute to your Veza email address.

  4. Create a configuration. Select the entity type (OktaUser) and choose to Select a single entity. Enter the Okta user name.

  5. Save the configuration and start a review.

  6. The manager's Veza account will be a suggested default reviewer.

Assigning owners for custom applications and identity providers

Assigning managers (Custom IdP)

You can use the custom identity provider template to create graph entities with metadata for your custom domains, identities, and groups. To assign manager relationships within the custom IdP, users and groups can be mapped to the identity of another user:

...
{
  "name": "Direct Report",
  "identity": "000001",
  "manager_id": "000011"
}
{
  "name": "Manager One",
  "identity": "00011",
  "manager_id": "00029"
}
{
  "name": "Senior Manager",
  "identity": "00029",
  "manager_id": null
}
...

Assigning owned entities (Custom IdP)

To assign an IdP user or group as the manager of any resource Veza has discovered (from another integration), list the node type and node ID in the entities_owned field, for example:

{
  "name": "Custom User",
  "identity": "000011",
  "entities_owned": [
    {
      "node_type": "S3Bucket",
      "id": "arn:aws:s3:::amazon-connect-53f87966654d"
    }
  ]
}

When Veza parses the payload, graph entities are assigned a system_resource_managers tag. The owner(s) will be suggested as reviewers for any reviews when the configuration scope is a single named resource with a matching tag.

Assigning resource owners (Custom Application)

When using the custom application template to submit application and resource metadata, assign resource owners by applying a Veza tag:

          "name": "release.vezacloud.com",
          "resource_type": "Cluster",
          "description": "release staging cluster",
          "sub_resources": [],
          "tags": [
            {
              "key": "system_resource_managers",
              "value": "ops@veza.com"
            }

You can use incremental updates to modify or remove tags on OAA entities.

Last updated