On-Demand Reviews
Enable Access Intelligence alert rules to create access reviews when query results change.
Early Access: On-Demand Reviews are currently provided as an Early Access feature. Please contact the Customer Success team to enable this functionality on your Veza platform.
Veza Access Reviews support on-demand reviews using Access Intelligence alert rules and Lifecycle Management triggers. By attaching review creation rules to saved queries, you can trigger the creation of new reviews in response to changes in your authorization environment. This type of access review might be initiated whenever new user accounts are detected within an application, new entitlements are granted, a user's risk level increases, or if MFA is removed or disabled for an account.
On-demand reviews support Review Intelligence rules, and are created with a duration and reviewer assignments based on the rule configuration. These reviews automatically focus only on changed items, filtering out entities that haven't been modified since the last review.
Common scenarios for implementing on-demand reviews include:
Automatically reviewing access for terminated employees
Certifying access when users are added to new roles
Validating permissions after attribute changes
Reviewing orphaned or inactive accounts
Important concepts:
Rules are conditions attached to saved queries that trigger automated actions when met.
Create Reviews settings define how new reviews will be created when rule conditions are met.
Rule Triggers are attribute-based or change-based criteria that initiate review creation (for example, when the query results have increased, or when an entity's is_active attribute changes).
Launch Configuration determines how reviews are created when rules trigger: as a single consolidated review or as separate individual reviews.
Creation Source: On the Access Reviews page, you can identify the source of a review by checking the Creation Source column. On-demand reviews will have the source RULE_TRIGGERED for Access Intelligence alerts or LCM_TRIGGERED for Lifecycle Management actions.
Before configuring on-demand reviews, you will need to:
Create at least one access review configuration defining the scope of reviews.
Build and save a query that identifies the entities requiring review, or use a built-in query.
To add a review creation rule:
Navigate to the saved query
Select "Manage Rules" from the actions menu
Click "Add New Rule"
Configure the rule details:
Name and description
Severity level
Trigger conditions
Click Action -> Create Review to open the review creation plan.
Configure the plan and save it.
Save the rule, and click Save again to finish modifying the query.
See Saved Queries for more on working with existing queries.
To configure the Create Reviews settings:
Click Configure New On-Demand Review
Select an existing review configuration that is compatible with the entity types returned by your rule query.
For example:
If your query returns Okta users, select a configuration designed for user reviews
If your query returns AWS roles, select a configuration designed for role reviews
For mixed entity types, select a configuration that can handle all types or expect fallback behavior
Configure Launch Options - Choose how reviews are created when the rule triggers:
Launch a single Access Review for the entire result set (Consolidated Mode: CONSOLIDATED) - Creates one review containing all triggered results
Launch a separate Access Review per result entity (Individual Mode: INDIVIDUAL) - Creates separate reviews for each result entity (up to 20 results)
Set the duration for the review
Specify the reviewer assignment logic
Enable any Review Intelligence Rules
Save the plan.
New reviews will start based on this creation plan when the rule conditions are met. Note that on-demand reviews are always created from the most recent graph snapshot data when the rule activates.
See Create Access Review for details on configuring new reviews.
On-demand reviews are created in one of two modes depending on review requirements and the scope of results.
Consolidated Mode (CONSOLIDATED) creates a single access review containing all entities that triggered the rule. The review uses the full scope of the original query. This typically works best for large datasets, broad policy enforcement, and simplified review management.
Individual Mode (INDIVIDUAL) creates separate access reviews for each entity that triggered the rule. Each review is filtered to show only the specific entity that triggered the rule. This mode enables entity-specific reviews, allowing more granular oversight with unique reviews for each result that can be distributed across reviewers.
Automatic Fallback Behavior
Veza implements automatic fallback mechanisms for automated review creation:
Performance Thresholds: When more than 1,000 results are triggered, Veza falls back to creating a review using the standard query configuration without entity-specific information. This fallback applies to both Consolidated and Individual modes to ensure optimal performance.
Individual Mode Limitations: Individual mode is currently limited to 20 triggered entities. When this limit is exceeded, the system automatically creates a single consolidated review containing all triggered entities instead of separate individual reviews.
Configuration Validation Fallback: When triggered entities don't match the configuration's expected identity types, the system automatically creates a broader review using the original query scope without entity-specific filtering. This ensures reviews are still created even when there are configuration mismatches.
On-demand reviews include built-in error handling to ensure reliable operation:
Configuration Compatibility Issues: When triggered entities don't match the configuration's expected identity types, the system automatically falls back to creating a broader review using the original query scope without entity-specific filtering. This means the review will include the full result set of your original query, not just the specific entities that triggered the rule.
Mixed Entity Types: If the Query associated with the Rule returns different types of entities (users, roles, resources), ensure your configuration can handle all entity types, or expect the system to fall back to a broader review scope.
Review Creation Failures: Before creating reviews, the system validates that the review configuration is compatible with the triggered entities. If individual review creation encounters errors, the system logs the failure and continues processing remaining entities to ensure partial success rather than complete failure.
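The fallback and error-handling behavior described above, as an added illustration that is not Veza's own code: the 1,000-result performance threshold, the 20-entity Individual Mode limit, and the configuration-mismatch fallback are taken from the page, while the order in which the checks are applied, the Entity/Review shapes, and the sample entity type names are assumptions made for the example.

```python
# Added example (not Veza's implementation): models the launch-mode resolution
# and fallback rules for on-demand reviews so the decision order can be exercised.
# Thresholds come from the page; check ordering and data shapes are assumptions.
from dataclasses import dataclass
from typing import Callable, List, Set

PERFORMANCE_THRESHOLD = 1000  # >1,000 triggered results -> standard query configuration
INDIVIDUAL_LIMIT = 20         # Individual Mode handles at most 20 triggered entities

@dataclass
class Entity:
    entity_id: str
    entity_type: str           # constructed sample types, e.g. "OktaUser", "AwsIamRole"

@dataclass
class Review:
    scope: str                 # "ENTITY_FILTERED" (only triggered entities) or "FULL_QUERY"
    entity_ids: List[str]
    reason: str
    creation_source: str = "RULE_TRIGGERED"   # value shown in the Creation Source column

def plan_reviews(launch_mode: str, supported_types: Set[str],
                 triggered: List[Entity]) -> List[Review]:
    """Return the reviews one rule firing would create, applying the fallbacks."""
    ids = [e.entity_id for e in triggered]
    # Performance threshold applies to both modes: no entity-specific filtering.
    if len(triggered) > PERFORMANCE_THRESHOLD:
        return [Review("FULL_QUERY", [], "performance threshold exceeded")]
    # Configuration validation: an entity type the configuration does not expect
    # widens the review to the original query scope.
    if any(e.entity_type not in supported_types for e in triggered):
        return [Review("FULL_QUERY", [], "entity types do not match configuration")]
    if launch_mode == "INDIVIDUAL" and len(triggered) <= INDIVIDUAL_LIMIT:
        return [Review("ENTITY_FILTERED", [i], "individual") for i in ids]
    # Consolidated Mode, or Individual Mode over its limit, yields one review.
    reason = "consolidated" if launch_mode == "CONSOLIDATED" else "individual limit exceeded"
    return [Review("ENTITY_FILTERED", ids, reason)]

def create_reviews(reviews: List[Review], create: Callable[[Review], None]) -> dict:
    """Create each planned review; a failure is recorded and processing continues."""
    created, failed = 0, []
    for review in reviews:
        try:
            create(review)
            created += 1
        except Exception as exc:   # partial success rather than complete failure
            failed.append((review.entity_ids, str(exc)))
    return {"created": created, "failed": failed}
```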
Rules are evaluated on a regular schedule aligned with data extraction intervals (typically during each data refresh cycle)
Multiple rules can be attached to a single query
Each rule can include more than one review creation plan
The same review configuration can be used across multiple rules