Release Notes

Entity Owners and Resource Manager Tags

How to automatically assign reviewers using your Identity Provider, Graph Search, or Veza APIs.

Overview

When creating an access review, operators can choose to assign the review to entity owners and resource owners as reviewers based on graph metadata:

  • Veza can automatically assign reviewers to rows involving entities they own or manage.

  • Veza will suggest default reviewers if the review scope is a single named identity or resource with an assigned owner.

  • If the identity provider (IdP) used to log in to Veza is added as an integration, you can enable it as a Global Identity Provider to enable suggestions and auto-assignment for all users in your organization.

To identify a manager, Veza checks the manager attribute (for IdP users), the Entity Owners, or a SYSTEM_resource_managers tag (on resources) containing a valid user ID. This user ID is defined in the idp_unique_id property on the corresponding IdP User entity in the graph.

Access Reviews Auto-Assignment Logic

Veza auto-assigns reviewers with the following priority:

  1. If an entity has an Entity Owner, that owner will be assigned as the reviewer

  2. If no Entity Owner is configured on the graph node, Veza will check for a Resource Manager Tag and assign those owners.

  3. If a secondary source of identity is configured Alternate Manager Lookup rules can apply

See Reviewer Selection Logic for more details about default and fallback reviewers, and configuration settings.

Assigning Entity Owners

Access Reviews supports both legacy tag-based manager assignment and Entity Owners. Entity Owners enable simplified manager assignment directly from the Veza UI and improved integration with other products and search features.

In Veza, you can assign Entity Owners directly from Graph search, Query Builder, and the NHI overview page.

Assigning Owners on the NHI Accounts Page

For non-human identity (NHI) accounts:

  1. Go to the NHI > Accounts overview

  2. Select one or more accounts from the list

  3. Click the Assign Owner button to open the owners sidebar

  4. Search for a user by name or email

  5. Confirm the assignment

Once assigned, entity owners appear in the NHI accounts table's Entity Owner column.

Assigning Owners in Query Builder

For bulk-assigning owners to multiple entities of different types in Query Builder results:

  1. Go to to Access Visibility > Graph > Query Builder

  2. Run a query to return the desired entities

  3. Select one or more entities from the results

  4. Click the Assign Entity Owners button at the top of the results

  5. Search for and select the appropriate owner(s)

  6. Confirm the assignment

Assigning Owners in Graph Search

To assign an owner to individual entities in Graph Search:

  1. Open Access Visibility > Graph

  2. Search for and locate the entity

  3. Click on the entity node to open the details sidebar

  4. Click the Set Entity Owners option in the sidebar

  5. Select the appropriate owner(s) and save your changes

Resource Manager Tags

The following sections provide information about manager assignments using tags. This is supported as a legacy option, but no longer the recommended approach.

Manager Identification with Tags

Managers can be identified by a SYSTEM_resource_managers tag (on resources) containing a valid user ID.

The tag's value is the comma-delineated list of user IDs, for example:

{
"tag": {
    "key": "SYSTEM_resource_managers",
    "value": "01a09253,928a24e4"
  }
}

The tag value must match the "IDP Unique ID" property on the user's graph entity for the Global Identity Provider. For Okta, OneLogin, and Microsoft Azure AD identities, this is an email address. If using a custom IdP, the user or group identity can be any unique string.

Assigning resource owners (Tags API)

You can apply and remove tags programmatically using the Tags API. Assign owners "SYSTEM_resource_managers" as the tag key, where the value is a comma-separated list of IdP user IdP Unique IDs.

Add tag:

curl -X POST $BASEURL/api/v1/graph/nodes/tags \
-H 'authorization: Bearer $TOKEN \
--data-raw '{
  "node_id": "527398259632-c98becd0",
  "tags": [
    {
      "key": "SYSTEM_resource_managers",
      "value": "[email protected]"
    }
  ]
}'

Remove a tag by providing the entity id and the tag key to delete:

curl -X POST $BASEURL/api/v1/graph/nodes/tags:remove \
-H 'authorization: Bearer $TOKEN \
--data-raw '{
  "node_id": "dn44266.us-east-2.aws.snowflakecomputing.com/database/LOCATION/schema/COUNTRIES/table/USA",
  "tag_key": "SYSTEM_resource_managers"
}'

You can update the manager of a Custom IdP User by pushing a new OAA payload or using modify incremental updates.

Validating manager assignments

To test resource owner assignment using tags:

  1. Pick a resource on the graph that doesn't yet have an owner.

  2. Apply a system_resource_managers tag with the email address of another Veza user.

  3. Create an Access Reviews configuration. Select the entity type of the tagged resource, choose Select a single entity, and specify the resource name.

  4. Save the configuration and create a review.

  5. The resource owner's Veza account should be selected as the default reviewer.

To test manager assignments using Okta:

  1. Pick an IdP entity (such as OktaUser) on the graph.

  2. If the user already has a manager, create a corresponding Veza user for the manager's email address (you can give it the Access Reviewer role).

  3. Otherwise, log in to Okta and set the user's Manager attribute to your Veza email address.

  4. Create a configuration. Select the entity type (OktaUser) and choose to Select a single entity. Enter the Okta user name.

  5. Save the configuration and start a review.

  6. The manager's Veza account will be a suggested default reviewer.

Assigning owners for custom applications and identity providers

When using the custom application template to submit application and resource metadata, you can assign entity owners via tags (legacy method).

"name": "demo.vezacloud.com",
"resource_type": "Cluster",
"description": "demo cluster",
"sub_resources": [],
"tags": [
  {
    "key": "system_resource_managers",
    "value": "[email protected]"
  }
]

The tagged manager will only be used if no Entity Owner property is present.

You can use Incremental Updates to modify or remove tags and properties on OAA entities.

Assigning managers (Custom IdP)

You can use the custom identity provider template to create graph entities with metadata for your custom domains, identities, and groups. To assign manager relationships within the custom IdP, users and groups can be mapped to the identity of another user:

...
{
  "name": "Direct Report",
  "identity": "000001",
  "manager_id": "000011"
}
{
  "name": "Manager One",
  "identity": "00011",
  "manager_id": "00029"
}
{
  "name": "Senior Manager",
  "identity": "00029",
  "manager_id": null
}
...

Assigning owned entities (Custom IdP)

To assign an IdP user or group as the manager of any resource Veza has discovered (from another integration), list the node type and node ID in the entities_owned field, for example:

{
  "name": "Custom User",
  "identity": "000011",
  "entities_owned": [
    {
      "node_type": "S3Bucket",
      "id": "arn:aws:s3:::amazon-connect-53f87966654d"
    }
  ]
}

When Veza parses the payload, graph entities are assigned a system_resource_managers tag. The owner(s) will be suggested as reviewers for any reviews when the configuration scope is a single named resource with a matching tag.

PreviousIdentity Provider and HRIS EnrichmentNextMulti-Level Review

Last updated

Was this helpful?