Controlled Access: This feature is currently only enabled for customer tenants on a controlled basis.
Veza Access Reviews optionally supports a two-tier review and approval process, where two different parties sequentially review and approve a Review.
When second-level reviewers are enabled for a new review, two levels of review and sign-off are needed before rows in the review are marked "completed". Each review level is assigned to different reviewers. Both levels of a review support reviewer auto-assignment, though options vary depending on the review level.
Note that each review level can have multiple reviewers assigned per row — just like a typical single-level review.
Key concepts for multi-level reviews include:
First-Level Review: The initial review phase where primary reviewers make decisions.
Second-Level Review: The final review phase where secondary approvers act after all rows have first-level decisions.
Sequential Approval: The first-level review must be completed before moving to the second level.
Unanimous Approval, Single Rejection: Both levels must approve for acceptance. A rejection at either level is final.
Multi-Level Review Process
Multi-level reviews allow organizations to optionally configure reviews that require multiple parties to review rows of access and sign off sequentially to complete the review. For instance, the first level of review may be performed by a user's manager while the subsequent second level of review is completed by the application owner. When enabled, reviewers at each level must approve the row before a decision is finalized.
First-Level Review
Starts upon creation of a multi-level review.
First-level reviewers can see and act on all assigned rows.
All rows must be signed off before the review progresses to the second level.
Second-Level Review
Begins after first-level reviews are complete.
By default, second-level reviewers only see rows approved by first-level reviewers. They may approve or reject previously approved rows but cannot change decisions on rows that were rejected at the first level.
Rejection at any level is final. Second-level reviewers do not sign off on access that a first-level reviewer rejected.
Notification Behavior for Reviewers in Multi-Level Reviews
The following rules apply with second-level review enabled:
If configured, review start notifications are sent to first-level reviewers.
Second-level reviewers are notified when their review phase begins.
If configured, reminders are sent only to reviewers at the current level.
If configured, completion notifications are sent to all reviewers.
Orchestration Actions in Multi-Level Reviews
Orchestration Actions configured to run when rejected rows are signed off trigger at the level where the rejection decision is made and signed off. This can be either the first or the second level of the review.
Orchestration Actions for approved rows only trigger when a row is signed off in the second and final approval level.
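The sequencing rules above (first level before second, rejection final at either level, and when each kind of Orchestration Action fires) can be checked against a small model. This is an added example, not Veza code or a Veza API; the class, method names and row names are hypothetical, and it assumes a level is signed off for all of its rows in one step.

```python
# Added model of the two-level rules described above; not Veza code or API.
# Assumption: a level is signed off for all of its rows in one step.

class TwoLevelReview:
    def __init__(self, row_names):
        self.level = 1                       # 1, 2, then 3 = completed
        self.decisions = {n: {} for n in row_names}   # row -> {level: decision}
        self.actions = []                    # (row, outcome, level) action triggers

    def visible_rows(self):
        """Rows open to reviewers at the current level."""
        if self.level == 1:
            return sorted(self.decisions)
        if self.level == 2:                  # default: only first-level approvals
            return sorted(n for n, d in self.decisions.items() if d.get(1) == "approve")
        return []

    def decide(self, row, decision):
        if decision not in ("approve", "reject"):
            raise ValueError(decision)
        if row not in self.visible_rows():
            raise PermissionError(f"{row}: not open for a decision at level {self.level}")
        self.decisions[row][self.level] = decision

    def sign_off(self):
        """Close the current level; every visible row needs a decision first."""
        rows = self.visible_rows()
        pending = [n for n in rows if self.level not in self.decisions[n]]
        if pending:
            raise RuntimeError(f"rows without a decision: {pending}")
        for n in rows:
            if self.decisions[n][self.level] == "reject":
                self.actions.append((n, "rejected", self.level))  # fires at this level
            elif self.level == 2:
                self.actions.append((n, "approved", 2))           # only at final level
        self.level += 1

    def outcome(self, row):
        d = self.decisions[row]
        if "reject" in d.values():
            return "rejected"                # a rejection at either level is final
        return "approved" if d.get(1) == d.get(2) == "approve" else "pending"

def demo():
    r = TwoLevelReview(["alice:crm", "bob:crm", "carol:crm"])   # constructed rows
    for row, dec in [("alice:crm", "approve"), ("bob:crm", "reject"), ("carol:crm", "approve")]:
        r.decide(row, dec)
    r.sign_off()
    r.decide("alice:crm", "approve"); r.decide("carol:crm", "reject")
    r.sign_off()
    return r
```

In the demo, the rejection action for `bob:crm` is recorded at level 1, while the approval action for `alice:crm` is recorded only after the second-level sign-off.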
Enabling and Assigning Second-Level Reviewers
You can assign second-level reviewers explicitly (by username or email) or through auto-assignment. In addition to auto-assigning the manager of a source user or the owner of a destination resource, second-level reviews can be assigned to the manager of each first-level reviewer using information from your identity provider.
To enable and assign second-level reviewers:
Go to Access Reviews > Configurations and click New Review to create an access review.
Define the scope, set a due date, and assign initial reviewers.
In the Second Level Reviewers section, click Enable.
Assign specific reviewers, or auto-assign the user's manager, the resource's owner, or the first-level reviewer's manager.
Click Create and Publish to start the review (notifying reviewers), or Create to save it as a draft.
Multi-Level Approval in the Reviewer Interface
Users with an Operator or Administrator role can view all rows at the current review level. Users with the Access Reviewer role can only view and update their assigned rows in their review level.
In the reviewer interface, an information bar above the rows shows whether the review is in the first or second approval level. A progress bar displays the status of rows (approved, rejected, or without decisions) at the current level.
FAQs
What happens if a row is rejected at the first level? The row is considered rejected and is hidden by default during second-level review.
Can a first-level reviewer view or change their decisions on a review after they have signed off on the review and it has proceeded to second-level review? No.
Can second-level reviewers see first-level reviewers' comments? Yes, comments and annotations are visible to second-level reviewers, enabling communication between review levels.