Entity Owners and Resource Manager Tags
How to automatically assign reviewers using your Identity Provider, Graph Search, or Veza APIs.
Last updated
Was this helpful?
How to automatically assign reviewers using your Identity Provider, Graph Search, or Veza APIs.
Last updated
Was this helpful?
Was this helpful?
When creating an access review, operators can choose to assign the review to entity owners and resource owners as reviewers based on graph metadata:
Veza can automatically assign reviewers to rows involving entities they own or manage.
Veza will suggest default reviewers if the review scope is a single named identity or resource with an assigned owner.
If the identity provider (IdP) used to log in to Veza is added as an integration, you can enable it as a Global Identity Provider to enable suggestions and auto-assignment for all users in your organization.
To identify a manager, Veza checks the manager attribute (for IdP users), the Entity Owners, or a SYSTEM_resource_managers tag (on resources) containing a valid user ID. This user ID is defined in the idp_unique_id property on the corresponding IdP User entity in the graph.
Veza auto-assigns reviewers with the following priority:
If an entity has an Entity Owner, that owner will be assigned as the reviewer
If no Entity Owner is configured on the graph node, Veza will check for a Resource Manager Tag and assign those owners.
If a secondary source of identity is configured Alternate Manager Lookup rules can apply
See Reviewer Selection Logic for more details about default and fallback reviewers, and configuration settings.
Access Reviews supports both legacy tag-based manager assignment and Entity Owners. Entity Owners enable simplified manager assignment directly from the Veza UI and improved integration with other products and search features.
In Veza, you can assign Entity Owners directly from Graph search, Query Builder, and the NHI overview page.
For non-human identity (NHI) accounts:
Go to the NHI > Accounts overview
Select one or more accounts from the list
Click the Assign Owner button to open the owners sidebar
Search for a user by name or email
Confirm the assignment
Once assigned, entity owners appear in the NHI accounts table's Entity Owner column.
For bulk-assigning owners to multiple entities of different types in Query Builder results:
Go to to Access Visibility > Graph > Query Builder
Run a query to return the desired entities
Select one or more entities from the results
Click the Assign Entity Owners button at the top of the results
Search for and select the appropriate owner(s)
Confirm the assignment
To assign an owner to individual entities in Graph Search:
Open Access Visibility > Graph
Search for and locate the entity
Click on the entity node to open the details sidebar
Click the Set Entity Owners option in the sidebar
Select the appropriate owner(s) and save your changes
The following sections provide information about manager assignments using tags. This is supported as a legacy option, but no longer the recommended approach.
Managers can be identified by a SYSTEM_resource_managers tag (on resources) containing a valid user ID.
The tag's value is the comma-delineated list of user IDs, for example:
{
"tag": {
"key": "SYSTEM_resource_managers",
"value": "01a09253,928a24e4"
}
}The tag value must match the "IDP Unique ID" property on the user's graph entity for the Global Identity Provider. For Okta, OneLogin, and Microsoft Azure AD identities, this is an email address. If using a custom IdP, the user or group
identitycan be any unique string.
You can apply and remove tags programmatically using the Tags API. Assign owners "SYSTEM_resource_managers" as the tag key, where the value is a comma-separated list of IdP user IdP Unique IDs.
Add tag:
curl -X POST $BASEURL/api/v1/graph/nodes/tags \
-H 'authorization: Bearer $TOKEN \
--data-raw '{
"node_id": "527398259632-c98becd0",
"tags": [
{
"key": "SYSTEM_resource_managers",
"value": "[email protected]"
}
]
}'Remove a tag by providing the entity id and the tag key to delete:
curl -X POST $BASEURL/api/v1/graph/nodes/tags:remove \
-H 'authorization: Bearer $TOKEN \
--data-raw '{
"node_id": "dn44266.us-east-2.aws.snowflakecomputing.com/database/LOCATION/schema/COUNTRIES/table/USA",
"tag_key": "SYSTEM_resource_managers"
}'You can update the manager of a Custom IdP User by pushing a new OAA payload or using modify incremental updates.
To test resource owner assignment using tags:
Pick a resource on the graph that doesn't yet have an owner.
Apply a system_resource_managers tag with the email address of another Veza user.
Create an Access Reviews configuration. Select the entity type of the tagged resource, choose Select a single entity, and specify the resource name.
Save the configuration and create a review.
The resource owner's Veza account should be selected as the default reviewer.
To test manager assignments using Okta:
Pick an IdP entity (such as OktaUser) on the graph.
If the user already has a manager, create a corresponding Veza user for the manager's email address (you can give it the Access Reviewer role).
Otherwise, log in to Okta and set the user's Manager attribute to your Veza email address.
Create a configuration. Select the entity type (OktaUser) and choose to Select a single entity. Enter the Okta user name.
Save the configuration and start a review.
The manager's Veza account will be a suggested default reviewer.
When using the custom application template to submit application and resource metadata, you can assign entity owners via tags (legacy method).
"name": "demo.vezacloud.com",
"resource_type": "Cluster",
"description": "demo cluster",
"sub_resources": [],
"tags": [
{
"key": "system_resource_managers",
"value": "[email protected]"
}
]The tagged manager will only be used if no Entity Owner property is present.
You can use Incremental Updates to modify or remove tags and properties on OAA entities.
You can use the custom identity provider template to create graph entities with metadata for your custom domains, identities, and groups. To assign manager relationships within the custom IdP, users and groups can be mapped to the identity of another user:
...
{
"name": "Direct Report",
"identity": "000001",
"manager_id": "000011"
}
{
"name": "Manager One",
"identity": "00011",
"manager_id": "00029"
}
{
"name": "Senior Manager",
"identity": "00029",
"manager_id": null
}
...To assign an IdP user or group as the manager of any resource Veza has discovered (from another integration), list the node type and node ID in the entities_owned field, for example:
{
"name": "Custom User",
"identity": "000011",
"entities_owned": [
{
"node_type": "S3Bucket",
"id": "arn:aws:s3:::amazon-connect-53f87966654d"
}
]
}When Veza parses the payload, graph entities are assigned a system_resource_managers tag. The owner(s) will be suggested as reviewers for any reviews when the configuration scope is a single named resource with a matching tag.