Entity Owners and Resource Manager Tags

How to automatically assign reviewers using your Identity Provider, Graph Search, or Veza APIs.

Last updated 14 days ago

Overview

When creating an access review, operators can choose to assign entity owners and resource owners as reviewers based on graph metadata:

  • Veza can automatically assign reviewers to rows involving entities they own or manage.

  • Veza will suggest default reviewers if the review scope is a single named identity or resource with an assigned owner.

  • If the identity provider (IdP) used to log in to Veza is added as an integration, you can enable it as a Global Identity Provider to enable suggestions and auto-assignment for all users in your organization.

To identify a manager, Veza checks the manager attribute (for IdP users), the Entity Owners, or a SYSTEM_resource_managers tag (on resources) containing a valid user ID. This user ID is defined in the idp_unique_id property on the corresponding IdP User entity in the graph.

Access Reviews Auto-Assignment Logic

Veza auto-assigns reviewers with the following priority:

  1. If an entity has an Entity Owner, that owner will be assigned as the reviewer.

  2. If no Entity Owner is configured on the graph node, Veza will check for a Resource Manager Tag and assign those owners.

  3. If a secondary source of identity is configured, Alternate Manager Lookup rules can apply.

See Reviewer Selection Logic for more details about default and fallback reviewers, and configuration settings.
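To make the priority order concrete, here is an added example (not Veza's code) that models the three reviewer sources named on this page over a small constructed graph: Entity Owners first, then the SYSTEM_resource_managers tag (only IDs that match an idp_unique_id count), and finally the IdP manager attribute for IdP user entities. The dataclasses, the directory and the four sample entities are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TAG_KEY = "SYSTEM_resource_managers"

@dataclass
class IdpUser:
    """One IdP User entity in the graph, keyed by its idp_unique_id."""
    idp_unique_id: str
    manager_id: Optional[str] = None  # the IdP's manager attribute, if set

@dataclass
class GraphEntity:
    """Any graph node in review scope: a resource, or an IdP user."""
    node_id: str
    entity_owners: List[str] = field(default_factory=list)
    tags: Dict[str, str] = field(default_factory=dict)
    idp_unique_id: Optional[str] = None  # populated only for IdP user entities

def tag_manager_ids(entity: GraphEntity) -> List[str]:
    """Split the comma-delimited tag value, dropping blanks and duplicates."""
    seen, out = set(), []
    for part in entity.tags.get(TAG_KEY, "").split(","):
        value = part.strip()
        if value and value not in seen:
            seen.add(value)
            out.append(value)
    return out

def resolve_reviewers(entity: GraphEntity, directory: Dict[str, IdpUser]) -> dict:
    """Apply the priority: Entity Owners, then the tag, then the IdP manager attribute.
    Tag IDs that match no idp_unique_id are reported under 'ignored', never assigned."""
    if entity.entity_owners:
        return {"reviewers": list(entity.entity_owners), "source": "entity_owner", "ignored": []}
    tagged = tag_manager_ids(entity)
    valid = [uid for uid in tagged if uid in directory]
    ignored = [uid for uid in tagged if uid not in directory]
    if valid:
        return {"reviewers": valid, "source": "resource_manager_tag", "ignored": ignored}
    user = directory.get(entity.idp_unique_id) if entity.idp_unique_id else None
    if user and user.manager_id and user.manager_id in directory:
        return {"reviewers": [user.manager_id], "source": "idp_manager", "ignored": ignored}
    return {"reviewers": [], "source": "none", "ignored": ignored}

# Constructed sample data (not from a live tenant): three Okta-style users and
# four graph entities covering each branch of the priority order.
DIRECTORY = {
    "alice@example.com": IdpUser("alice@example.com", manager_id="carol@example.com"),
    "bob@example.com": IdpUser("bob@example.com", manager_id="carol@example.com"),
    "carol@example.com": IdpUser("carol@example.com"),
}
ENTITIES = [
    GraphEntity("cluster-1", entity_owners=["alice@example.com"], tags={TAG_KEY: "bob@example.com"}),
    GraphEntity("bucket-1", tags={TAG_KEY: "bob@example.com, ghost@example.com,bob@example.com"}),
    GraphEntity("okta-user-alice", idp_unique_id="alice@example.com"),
    GraphEntity("bucket-orphan", tags={TAG_KEY: "ghost@example.com"}),
]

def sample_results() -> Dict[str, dict]:
    """Resolve every sample entity; 'bucket-orphan' shows an unmatched tag yielding no reviewer."""
    return {e.node_id: resolve_reviewers(e, DIRECTORY) for e in ENTITIES}

if __name__ == "__main__":
    for node_id, result in sample_results().items():
        print(node_id, result)
```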

Assigning Entity Owners

Access Reviews supports both legacy tag-based manager assignment and Entity Owners. Entity Owners enable simplified manager assignment directly from the Veza UI and improved integration with other products and search features.

In Veza, you can assign Entity Owners directly from Graph search, Query Builder, and the NHI overview page.

Assigning Owners on the NHI Accounts Page

For non-human identity (NHI) accounts:

  1. Go to the NHI > Accounts overview

  2. Select one or more accounts from the list

  3. Click the Assign Owner button to open the owners sidebar

  4. Search for a user by name or email

  5. Confirm the assignment

Once assigned, entity owners appear in the NHI accounts table's Entity Owner column.

Assigning Owners in Query Builder

For bulk-assigning owners to multiple entities of different types in Query Builder results:

  2. Go to Access Visibility > Graph > Query Builder

  2. Run a query to return the desired entities

  3. Select one or more entities from the results

  4. Click the Assign Entity Owners button at the top of the results

  5. Search for and select the appropriate owner(s)

  6. Confirm the assignment

Assigning Owners in Graph Search

To assign an owner to individual entities in Graph Search:

  1. Open Access Visibility > Graph

  2. Search for and locate the entity

  3. Click on the entity node to open the details sidebar

  4. Click the Set Entity Owners option in the sidebar

  5. Select the appropriate owner(s) and save your changes

Resource Manager Tags

The following sections describe manager assignment using tags. This is supported as a legacy option, but it is no longer the recommended approach.

Manager Identification with Tags

Managers can be identified by a SYSTEM_resource_managers tag (on resources) containing a valid user ID.

The tag value must match the "IDP Unique ID" property on the user's graph entity for the Global Identity Provider. For Okta, OneLogin, and Microsoft Azure AD identities, this is an email address. If using a custom IdP, the user or group identity can be any unique string.

The tag's value is a comma-delimited list of user IDs, for example:

{
  "tag": {
    "key": "SYSTEM_resource_managers",
    "value": "01a09253,928a24e4"
  }
}

Assigning resource owners (Tags API)

You can apply and remove tags programmatically using the Tags API. Use "SYSTEM_resource_managers" as the tag key, with a comma-separated list of the owners' IdP Unique IDs as the value.

Add a tag:

curl -X POST "$BASEURL/api/v1/graph/nodes/tags" \
  -H "authorization: Bearer $TOKEN" \
  -H "content-type: application/json" \
  --data-raw '{
    "node_id": "527398259632-c98becd0",
    "tags": [
      {
        "key": "SYSTEM_resource_managers",
        "value": "jim@cookie.ai"
      }
    ]
  }'

Remove a tag by providing the entity ID and the tag key to delete:

curl -X POST "$BASEURL/api/v1/graph/nodes/tags:remove" \
  -H "authorization: Bearer $TOKEN" \
  -H "content-type: application/json" \
  --data-raw '{
    "node_id": "dn44266.us-east-2.aws.snowflakecomputing.com/database/LOCATION/schema/COUNTRIES/table/USA",
    "tag_key": "SYSTEM_resource_managers"
  }'

Validating manager assignments

To test resource owner assignment using tags:

  1. Pick a resource on the graph that doesn't yet have an owner.

  2. Apply a system_resource_managers tag with the email address of another Veza user.

  3. Create an Access Reviews configuration. Select the entity type of the tagged resource, choose Select a single entity, and specify the resource name.

  4. Save the configuration and create a review.

  5. The resource owner's Veza account should be selected as the default reviewer.

To test manager assignments using Okta:

  1. Pick an IdP entity (such as OktaUser) on the graph.

  2. If the user already has a manager, create a corresponding Veza user for the manager's email address (you can give it the Access Reviewer role).

  3. Otherwise, log in to Okta and set the user's Manager attribute to your Veza email address.

  4. Create a configuration. Select the entity type (OktaUser) and choose Select a single entity. Enter the Okta user name.

  5. Save the configuration and start a review.

  6. The manager's Veza account will be a suggested default reviewer.

Assigning owners for custom applications and identity providers

When using the custom application template to submit application and resource metadata, you can assign entity owners via tags (legacy method), for example:

{
  "name": "demo.vezacloud.com",
  "resource_type": "Cluster",
  "description": "demo cluster",
  "sub_resources": [],
  "tags": [
    {
      "key": "system_resource_managers",
      "value": "ops@veza.com"
    }
  ]
}

The tagged manager will only be used if no Entity Owner property is present.

You can use Incremental Updates to modify or remove tags and properties on OAA entities.

Assigning managers (Custom IdP)

You can use the custom identity provider template to create graph entities with metadata for your custom domains, identities, and groups. To assign manager relationships within the custom IdP, users and groups can be mapped to the identity of another user:

...
{
  "name": "Direct Report",
  "identity": "000001",
  "manager_id": "000011"
}
{
  "name": "Manager One",
  "identity": "000011",
  "manager_id": "00029"
}
{
  "name": "Senior Manager",
  "identity": "00029",
  "manager_id": null
}
...

You can update the manager of a Custom IdP User by pushing a new OAA payload or using incremental updates.

Assigning owned entities (Custom IdP)

To assign an IdP user or group as the manager of any resource Veza has discovered (from another integration), list the node type and node ID in the entities_owned field, for example:

{
  "name": "Custom User",
  "identity": "000011",
  "entities_owned": [
    {
      "node_type": "S3Bucket",
      "id": "arn:aws:s3:::amazon-connect-53f87966654d"
    }
  ]
}

When Veza parses the payload, graph entities are assigned a system_resource_managers tag. The owner(s) will be suggested as reviewers for any reviews when the configuration scope is a single named resource with a matching tag.
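A manager_id that matches no identity in the payload cannot be resolved to a reviewer, so it is worth checking a custom IdP payload before pushing it. The following is an added example (not Veza's or the OAA SDK's code): it flags dangling manager_id values, duplicate identities and manager cycles, walks the manager chain for a user, and lists which identities claim each entry in entities_owned. The sample payload excerpt is constructed here, and the S3 bucket id is a placeholder.

```python
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of a custom IdP payload (not from a live tenant), using the
# identity / manager_id / entities_owned fields shown on this page. The bucket id
# is a placeholder, not a real ARN.
SAMPLE_USERS = [
    {"name": "Direct Report", "identity": "000001", "manager_id": "000011"},
    {"name": "Manager One", "identity": "000011", "manager_id": "00029",
     "entities_owned": [{"node_type": "S3Bucket", "id": "arn:aws:s3:::example-bucket-placeholder"}]},
    {"name": "Senior Manager", "identity": "00029", "manager_id": None},
]

def index_users(users: List[dict]) -> Dict[str, dict]:
    """Map identity -> user record; identities must be unique within the payload."""
    return {u["identity"]: u for u in users}

def check_manager_references(users: List[dict]) -> List[str]:
    """Report defects that would leave a user without a resolvable manager:
    duplicate identities, manager_id values that match no identity, and cycles."""
    problems: List[str] = []
    by_id: Dict[str, dict] = {}
    for u in users:
        if u["identity"] in by_id:
            problems.append(f"duplicate identity {u['identity']}")
        by_id[u["identity"]] = u
    reported_cycles = set()
    for u in users:
        manager = u.get("manager_id")
        if manager is not None and manager not in by_id:
            problems.append(f"{u['identity']}: manager_id {manager} matches no identity")
        # Walk upward from this user; meeting an identity twice means a cycle.
        seen: List[str] = []
        cur: Optional[str] = u["identity"]
        while cur is not None and cur in by_id:
            if cur in seen:
                cycle = frozenset(seen[seen.index(cur):])
                if cycle not in reported_cycles:
                    reported_cycles.add(cycle)
                    problems.append("manager cycle: " + " -> ".join(sorted(cycle)))
                break
            seen.append(cur)
            cur = by_id[cur].get("manager_id")
    return problems

def manager_chain(users: List[dict], identity: str) -> List[str]:
    """Managers above `identity`, direct manager first; stops at the top or at a broken link."""
    by_id = index_users(users)
    chain: List[str] = []
    cur = by_id.get(identity, {}).get("manager_id")
    while cur is not None and cur in by_id and cur not in chain:
        chain.append(cur)
        cur = by_id[cur].get("manager_id")
    return chain

def owners_of(users: List[dict]) -> Dict[Tuple[str, str], List[str]]:
    """Map (node_type, id) of each entities_owned entry to the identities claiming it,
    i.e. the IDs that end up in the comma-separated tag value on that resource."""
    owners: Dict[Tuple[str, str], List[str]] = {}
    for u in users:
        for ent in u.get("entities_owned", []):
            owners.setdefault((ent["node_type"], ent["id"]), []).append(u["identity"])
    return owners
```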