Multi-Level Review
Require multiple levels of approval before access review decisions are final.
Last updated
Was this helpful?
Require multiple levels of approval before access review decisions are final.
Last updated
Was this helpful?
Was this helpful?
Controlled Access: This feature is currently only enabled for customer tenants on a controlled basis.
Veza Access Reviews optionally supports a two-tier review and approval process, where two different parties sequentially review and approve a Review.
When second-level reviewers are enabled for a new review, two levels of review and sign-off are needed before rows in the review are marked "completed.". Each review level is assigned to different reviewers. Both levels of a review support reviewer auto-assignment, though options vary depending on the review level.
Note that each review level can have multiple reviewers assigned per row — just like a typical single-level review.
Key concepts for multi-level reviews include:
First-Level Review: The initial review phase where primary reviewers make decisions.
Second-Level Review: The final review phase where secondary approvers act after all rows have first-level decisions.
Sequential Approval: The first-level review must be completed before moving to the second level.
Unanimous Approval, Single Rejection: Both levels must approve for acceptance. A rejection at either level is final.
Multi-level reviews allow organizations to optionally configure reviews that require multiple parties to review rows of access and sign off sequentially to complete the review. For instance, the first level of review may be performed by a user's manager while the subsequent second level of review is completed by the application owner. When enabled, reviewers at each level must approve the row before a decision is finalized.
First-Level Review
Starts upon creation of a multi-level review.
First-level reviewers can see and act on all assigned rows.
All rows must be signed off before the review progresses to the second level.
Second-Level Review
Begins after first-level reviews are complete.
By default, second-level reviewers only see rows approved by first-level reviewers. They may approve or reject previously approved rows but cannot change decisions on rows that were rejected at the first level.
Rejection at any level is final. Second-level reviewers do not sign off on access that a first-level reviewer rejected.
For typical reviews with one level of reviewer, all reviewers may receive email notifications when the review is started. Inactivity reminders also go only to all reviewers. Notifications of any type are only sent if they are explicitly configured.
The following rules apply with second-level review enabled:
If configured, review start notifications are sent to first-level reviewers.
Second-level reviewers are notified when their review phase begins.
If configured, reminders are sent only to reviewers at the current level.
If configured, completion notifications are sent to all reviewers.
Multi-level reviews can include Veza Actions to trigger actions such as sending emails, creating service desk tickets, or activating webhooks for revoking access.
Veza Actions configured for when rejected rows are signed off will trigger at the first level that the rejection decision is made and signed-off. This could be the first- or second-level of the review.
Veza Actions for approved rows only trigger when a row is signed off in the second and final approval level.
You can assign second-level reviewers explicitly (by username or email) or through auto-assignment. In addition to auto-assigning the manager of a source user or the owner of a destination resource, second-level reviews can be assigned to the manager of each first-level reviewer using information from your identity provider.
To enable and assign second-level reviewers:
Go to Access Reviews > Configurations and click New Review to create an access review.
Define the scope, set a due date, and assign initial reviewers.
In the Second Level Reviewers section, click Enable.
Assign specific reviewers, or auto-assign the user's manager, the resource's owner, or the first-level reviewer's manager.
Review your selection and finish configuring the review.
Click Create and Publish to start the review (notifying reviewers), or Create to save it as a draft.
See How To: Assign Reviewers and Managers and Resource Owners for more information about assigning reviewers, auto-assignment, and fallback behavior. Auto-assignment requires that an integrated identity provider is set as the Global IdP for Access Reviews.
This feature is not enabled by default and is controlled by a feature flag. Please contact Veza Support to enable multi-level reviews in your environment.
In the reviewer interface, an information bar above the rows shows whether the review is in the first or second approval level. A progress bar displays the status of rows (approved, rejected, or without decisions) at the current level.
Users with an Operator or Administrator role can view all rows at the current review level. Users with the Access Reviewer role can only view and update their assigned rows in their review level.
Otherwise, the review interface remains identical compared to typical single-level reviews. Reviewers inspect each row, reassign reviewers, add notes, and make decisions. You can add custom reminders and help pages to inform users about your specific guidelines for multi-level approvals.
What happens if a row is rejected at the first level? The row is considered rejected and is hidden by default during second-level review.
Can a first-level reviewer view or change their decisions on a review after they have signed off on the review and it has proceeded to second-level review? No.
Can second-level reviewers see first-level reviewers' comments? Yes, comments and annotations are visible to second-level reviewers, enabling communication between review levels.
Can I adjust the timeline for completing first and second-level reviews? Both Levels of the review must be completed by the due date set when the review is created. Rows without decisions by the due date may be auto-rejected, and the review may expire, depending on the Global Settings. Ensure prompt first-level reviews to allow time for second-level decisions.