Multi-Level Review
Require multiple levels of approval before access review decisions are final.
Controlled Access: This feature is currently only enabled for customer tenants on a controlled basis.
Veza Access Reviews optionally supports a two-tier review and approval process, where two different parties sequentially review and approve a Review.
When second-level reviewers are enabled for a new review, two levels of review and sign-off are needed before rows in the review are marked "completed." Each review level is assigned to different reviewers. Both levels of a review support reviewer auto-assignment, though options vary depending on the review level.
Note that each review level can have multiple reviewers assigned per row — just like a typical single-level review.
Key concepts for multi-level reviews include:
First-Level Review: The initial review phase where primary reviewers make decisions.
Second-Level Review: The final review phase where secondary approvers act after all rows have first-level decisions.
Sequential Approval: The first-level review must be completed before moving to the second level.
Decision Models: Configurable rules that determine how decisions are evaluated across review levels (see Decision Models below).
Decision Models
Access Reviews support different decision models that determine how multi-reviewer decisions are evaluated at each level. You configure the decision model in the Multi-level Reviews step when creating or editing a review configuration.
To configure a decision model:
Go to Access Reviews > Configurations and create or edit a review configuration.
Navigate to the Multi-level Reviews step in the configuration wizard.
Select one of the following decision models:
Unanimous Approval: All reviewers at a level must approve for the row to be approved. A single rejection results in rejection.
Unanimous Rejection: All reviewers at a level must reject for the row to be rejected. A single approval results in approval. When configured with this model, the review automatically advances to the next level or completes once all reviewers at the current level have made their decisions.
Last Decision: The decision made by the final reviewer at each level determines the outcome for that level.
When using the Unanimous Rejection decision model in multi-level reviews, ensure that all reviewers at Level 2 complete their decisions for the review to properly advance. The system evaluates the decision model at each level independently.
Auto Advance Level at Due Date
You can configure multi-level reviews to automatically advance to the next level when the current level's due date is reached, even if some rows remain undecided. This prevents reviews from stalling when reviewers don't complete their decisions in time.
To enable auto-advance:
In the Multi-level Reviews step of the configuration wizard, enable the Auto advance level at due date toggle.
Select the default decision for undecided rows:
Approve: Automatically approve undecided rows when advancing
Reject: Automatically reject undecided rows when advancing
Do nothing: Leave rows undecided (only available with the Last Decision model)
Optionally customize the message that will be added to auto-decided rows.
When auto-advance is enabled, undecided rows will receive automatic decisions at the due date. Ensure reviewers are aware of this behavior to avoid unintended approvals or rejections.
Multi-Level Review Process
Multi-level reviews allow organizations to optionally configure reviews that require multiple parties to review rows of access and sign off sequentially to complete the review. For instance, the first level of review may be performed by a user's manager while the subsequent second level of review is completed by the application owner.
First-Level Review
Starts upon creation of a multi-level review.
First-level reviewers can see and act on all assigned rows.
All rows must be signed off before the review progresses to the second level.
Second-Level Review
Begins after first-level reviews are complete.
Second-level reviewers see rows based on the configured decision model and first-level decisions.
How first-level decisions affect second-level visibility depends on your configured decision model. With Unanimous Approval, rejected rows are final and hidden from second-level reviewers. With Unanimous Rejection or Last Decision, second-level reviewers may see and act on rows regardless of first-level decisions.
Notification Behaviors for Reviewers in Multi-Level Reviews
For typical reviews with one level of reviewer, all reviewers may receive email notifications when the review is started. Inactivity reminders also go to all reviewers. Notifications of any type are sent only if they are explicitly configured.
The following rules apply with second-level review enabled:
If configured, review start notifications are sent to first-level reviewers.
Second-level reviewers are notified when their review phase begins.
If configured, reminders are sent only to reviewers at the current level.
If configured, completion notifications are sent to all reviewers.
Veza Actions in Multi-Level Reviews
Multi-level reviews can include Veza Actions to trigger actions such as sending emails, creating service desk tickets, or activating webhooks for revoking access.
Veza Actions configured for when rejected rows are signed off trigger at the first level at which the rejection decision is made and signed off. This could be the first or second level of the review.
Veza Actions for approved rows only trigger when a row is signed off in the second and final approval level.
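The decision models, auto-advance defaults, second-level visibility, and rejection-action rules described above can be modeled as a short Python function to check how a configuration treats a given row. This is an added illustration, not Veza's code or API: all names are hypothetical, and it assumes a row stays undecided until the model can produce an outcome, that "final reviewer" means the most recent decision made, and that every decision is signed off.

```python
from enum import Enum

class Model(Enum):
    UNANIMOUS_APPROVAL = 1
    UNANIMOUS_REJECTION = 2
    LAST_DECISION = 3

APPROVE, REJECT, DO_NOTHING = "approve", "reject", "do_nothing"

def level_outcome(model, decisions, default=None):
    """Outcome of one row at one level: APPROVE, REJECT or None (undecided).

    decisions: reviewer decisions in the order made; None = not yet decided.
    default: auto-advance default applied at the due date (None = disabled).
    """
    if default == DO_NOTHING and model is not Model.LAST_DECISION:
        raise ValueError("'Do nothing' is only available with Last Decision")
    made = [d for d in decisions if d is not None]
    complete = bool(made) and len(made) == len(decisions)
    outcome = None
    if model is Model.UNANIMOUS_APPROVAL:
        # A single rejection rejects; approval needs every reviewer.
        outcome = REJECT if REJECT in made else (APPROVE if complete else None)
    elif model is Model.UNANIMOUS_REJECTION:
        # A single approval approves; rejection needs every reviewer.
        outcome = APPROVE if APPROVE in made else (REJECT if complete else None)
    elif made:
        outcome = made[-1]  # Last Decision (assumed: most recent decision made)
    if outcome is None and default in (APPROVE, REJECT):
        outcome = default  # undecided row is auto-decided at the due date
    return outcome

def review_row(model, level1, level2, default=None):
    """Walk one row through both levels (decisions assumed signed off)."""
    first = level_outcome(model, level1, default)
    if first is None and default is None:
        # No auto-advance: the review waits at level 1 for this row.
        return {"final": None, "seen_by_level2": False, "reject_action_level": None}
    if model is Model.UNANIMOUS_APPROVAL and first == REJECT:
        # Rejected rows are final and hidden from second-level reviewers.
        return {"final": REJECT, "seen_by_level2": False, "reject_action_level": 1}
    second = level_outcome(model, level2, default)
    # Rejection actions fire at the first level where a rejection is signed off.
    reject_level = 1 if first == REJECT else (2 if second == REJECT else None)
    return {"final": second, "seen_by_level2": True, "reject_action_level": reject_level}

if __name__ == "__main__":
    # Constructed sample: no reviewer at either level decides before the due date.
    print(review_row(Model.UNANIMOUS_REJECTION, [None, None], [None], APPROVE))
```

With the Approve default, the constructed sample ends approved at both levels without any reviewer decision, which is the case to weigh before enabling auto-advance on reviews of privileged access.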
Enabling and Assigning Second-Level Reviewers
You can assign second-level reviewers explicitly (by username or email) or through auto-assignment. In addition to auto-assigning the manager of a source user or the owner of a destination resource, second-level reviews can be assigned to the manager of each first-level reviewer using information from your identity provider.
To enable and assign second-level reviewers:
Go to Access Reviews > Configurations and click New Review to create an access review.
Define the scope, set a due date, and assign initial reviewers.
In the Second Level Reviewers section, click Enable.
Assign specific reviewers, or auto-assign the user's manager, the resource's owner, or the first-level reviewer's manager.
Review your selection and finish configuring the review.
Click Create and Publish to start the review (notifying reviewers), or Create to save it as a draft.
See How To: Assign Reviewers and Managers and Resource Owners for more information about assigning reviewers, auto-assignment, and fallback behavior. Auto-assignment requires that an integrated identity provider is set as the Global IdP for Access Reviews.
Multi-Level Approval in the Reviewer Interface
This feature is not enabled by default and is controlled by a feature flag. Please contact Veza Support to enable multi-level reviews in your environment.
In the reviewer interface, an information bar above the rows shows whether the review is in the first or second approval level. A progress bar displays the status of rows (approved, rejected, or without decisions) at the current level.
Users with an Operator or Administrator role can view all rows at the current review level. Users with the Access Reviewer role can only view and update their assigned rows in their review level.
Otherwise, the review interface is identical to that of a typical single-level review. Reviewers inspect each row, reassign reviewers, add notes, and make decisions. You can add custom reminders and help pages to inform users about your specific guidelines for multi-level approvals.
FAQs
What happens if a row is rejected at the first level? This depends on the decision model. With Unanimous Approval, the row is considered rejected and hidden from second-level review. With Unanimous Rejection or Last Decision, second-level reviewers can still see and potentially override the decision.
Can a first-level reviewer view or change their decisions on a review after they have signed off on the review and it has proceeded to second-level review? No.
Can second-level reviewers see first-level reviewers' comments? Yes, comments and annotations are visible to second-level reviewers, enabling communication between review levels.
Can I adjust the timeline for completing first and second-level reviews? Both levels of the review must be completed by the due date set when the review is created. If Auto advance level at due date is enabled, undecided rows will receive automatic decisions (approve, reject, or do nothing) based on your configuration. Otherwise, the review may expire depending on the Global Settings. Ensure prompt first-level reviews to allow time for second-level decisions.
