Orchestration Actions

Enable third-party integrations or custom webhooks for Veza Access Reviews.

Overview

Orchestration Actions enable external processes when decisions and other events occur during an access review. Actions might trigger automated remediation, or announce to a team when a row is rejected, reviewers change, or the review is complete.

For example, you can use Veza to create a Jira issue or ServiceNow ticket for rejected access, or trigger actions in a custom application using a webhook.

To enable Orchestration Actions for a configuration or review, an administrator will need to configure integrations. See Orchestration Actions and Webhooks for more information about supported targets.

Configuring Orchestration Actions

Administrators and operators can add actions when creating or editing a configuration, or by opening the Review Details sidebar in the reviewer’s interface. Then map each action to the event that will trigger it.

Events that can trigger Orchestration Actions:

  • Reassign reviewer: When a user reassigns a row to another user.

  • Approve row: When an approved row is signed off.

  • Reject row: When a rejected row is signed off.

  • Complete review: When the review is marked "Complete."

Possible actions depend on the event:

  • Webhooks: Supports Reassign Reviewer, Approve Row, Reject Row, and Complete Review.

  • Email Notifications: Supports Approve Row and Reject Row.

  • Jira: Supports Reject Row.

  • ServiceNow: Supports Reject Row.

When adding a configuration, use the Orchestration Actions section of the configuration builder to map events to actions in a target system. To enable default actions at the configuration level:

  1. Go to Access Reviews > Reviews to create or edit a configuration.

  2. Scroll down to Orchestration Actions.

  3. Toggle events that will trigger actions.

  4. Pick an Orchestration Action for each event.

  5. Save the configuration.

To configure unique Orchestration Actions for an active review:

  1. Go to Access Reviews > Reviews, or open the review from the Configuration Details page.

  2. Click on the review's name to open the reviewer's interface.

  3. On the Review Details sidebar, find Orchestration Actions and click Configure Orchestration Actions.

     (Screenshot: use the details sidebar to configure notifications or edit Orchestration Actions for a single review.)

  4. Edit Orchestration Actions and click Save when finished.

Lifecycle Management Auto-Revocation

Early Access: Please contact your Veza support team to learn more about enabling this feature.

Access Reviews integrate with Lifecycle Management for auto-revocation. When access is rejected during user access review, Veza Lifecycle Management can revoke a user's group membership automatically. For example, if the scope is Active Directory user to Active Directory security group, a lifecycle management workflow can remove a user from the group described in a rejected row.

Benefits:

  • Revoke users from groups, roles, profiles, and permission sets automatically on reject.

  • Supports all target apps supported by Lifecycle Management.

  • No custom integration or webhooks required.

  • To enable LCM integration, edit a review configuration and choose the orchestration action "Revoke access on Sign-off of Rejected Rows".

Requirements:

  • Lifecycle Management and Access Plans must be enabled for your tenant.

  • The Lifecycle Management integration for the target application must have permissions to remove roles, group membership, or otherwise manage relationships for users.

Implementation Considerations:

  • The Revoke access on Sign-off of Rejected Rows action appears in Orchestration Actions for Configurations with supported source and destination pairs.

  • Reviews must be structured with users as the source and the destination being roles, groups, or permission sets within the same target application.

  • Auto-revocation does not support source-only Reviews.

  • Source and destination have to be entities from a common application, such as Active Directory for a review covering Active Directory Users to Active Directory Security Groups.

  • Auto-revocation does not support heterogeneous scenarios, such as Okta Users to Snowflake Databases.

Webhook payload

Access review events can trigger a JSON payload sent to an external listener, which parses the payload to trigger remediation actions.

The message from Veza will include the configuration (workflow) and review (certification) name and ID, and the event message or details about the review.

You must configure a service (such as an AWS Lambda function) to read the payload and take action, typically with an API call to the third-party application.

Example webhook: review completed

{
  "workflow_id": "ae68b59e-d5b8-45cf-9d73-644beef7c8a6",
  "workflow_name": "Access Review",
  "certification_id": "41ea28f2-fc3f-49fd-ac7c-8b85320a6d29",
  "message": "Certification completed",
  "requestor": "veza@veza.com"
}

Field              Type     Description
workflow_id        UUID     A unique identifier for the review configuration.
workflow_name      String   The name of the review configuration.
certification_id   UUID     A unique identifier for the review.
message            String   A summary message describing the event.
requestor          String   The email address of the user who initiated the review.

Example webhook: rejected row

A rejected-row event triggers this JSON payload. The payload includes identifiers and names for both the review configuration (workflow) and the specific review (certification), and details about the row and relationship under review.

{
  "workflow_id": "b6a4e8ed-9bf9-4a5f-8545-cbe5e3e12702",
  "workflow_name": "User to Role to Github",
  "certification_id": "8e4de1b5-2045-4dd4-9844-3a4fbe3d0ad7",
  "certification_started_at": "2022-06-21T16:58:23Z",
  "certification_snapshot_id": 1655830200,
  "message": "1 row(s) rejected",
  "requestor": {
    "id": "e0c03c28-7999-4079-9d58-6cbcc314b85b",
    "name": "cookie.ai",
    "email": "cookie@cookie.ai"
  },
  "details": [
    {
      "result_id": 96,
      "source": {
        "canonical_name": "Brittany Smith",
        "datasource_id": "f9145343-2205-491a-b77a-7ac59bb5743d",
        "datasource_name": "Olympus",
        "department": "",
        "email": "bsmith@cookiebeta.ai",
        "guest": false,
        "id": "custom_provider:idp:f9145343-2205-491a-b77a-7ac59bb5743d:idp_type:olympus_idp:user:500044",
        "idp_type": "olympus_idp",
        "idp_unique_id": "500044",
        "is_active": true,
        "manager_email": "jharris@cookiebeta.ai",
        "manager_idp_unique_id": "500032",
        "manager_name": "jharris",
        "name": "bsmith",
        "property_five": "",
        "property_four": "",
        "property_one": "",
        "property_three": "",
        "property_two": "",
        "provider_id": "custom_idp_ctr01",
        "provider_name": "Custom_IDP_CTR01",
        "type": "CustomIDPUser"
      },
      "destination": {
        "application_type": "Github",
        "datasource_id": "5686863f-1628-41c5-a06d-b2c4f678d201",
        "description": "",
        "id": "custom_provider:application:5686863f-1628-41c5-a06d-b2c4f678d201:github_-_engineering:resource:repo01",
        "name": "repo01",
        "provider_id": "github",
        "provider_name": "GitHub",
        "resource_type": "repo",
        "type": "CustomResource"
      },
      "accumulated_effective_permissions": [
        "Read",
        "Write"
      ],
      "accumulated_raw_permissions": [
        "Fork",
        "Merge",
        "Pull",
        "Push"
      ],
      "updated_at": "2022-06-21T23:30:47.623828883Z",
      "updated_by": {
        "user_type": "localCookieUser",
        "id": "e0c03c28-7999-4079-9d58-6cbcc314b85b",
        "email": "cookie@cookie.ai",
        "name": "cookie.ai"
      },
      "waypoint": {
        "id": "custom_provider:application:5686863f-1628-41c5-a06d-b2c4f678d201:github_-_engineering:role:push:assignment:9",
        "name": "Push",
        "type": "CustomRoleAssignment"
      },
      "decision": "REJECTED",
      "notes": "this is the rejection note",
      "signed_off_state": "SIGNED_OFF"
    }
  ]
}

If available, the payload will include the accumulated raw system permissions a source has on a destination, and their equivalent effective permissions.

  • details: The payload includes the full entity details for rejected or approved rows, including information about the source node, destination node, and possibly a related intermediate entity.

  • Included entity attributes are: canonical_name, datasource_id, id, name, department, email, guest, idp_type, idp_unique_id, is_active, manager_email, manager_idp_unique_id, manager_name, property_*, provider_id, provider_name, type.

  • decision: possible values are 1: NONE, 2: ACCEPTED, 3: REJECTED, 4: FIXED.
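The listener side of the rejected-row webhook above, as an added example that is not Veza's code: it validates the documented top-level fields, keeps only rows that are both REJECTED and signed off, and turns each into a work item for a downstream remediation call. The sample payload is constructed test data trimmed to the fields read, the "NOT_SIGNED_OFF" value and the work-item shape are this example's assumptions.

```python
# Added example, not Veza's code: listener-side parsing of the "rejected row"
# webhook above. Field names follow the documented payload; the sample is
# constructed test data and the work-item shape is this example's assumption.
import json

REQUIRED = ("workflow_id", "certification_id", "message", "details")

# Constructed sample trimmed to the fields read below. Row 97 is still pending
# sign-off ("NOT_SIGNED_OFF" is an assumed value) and must yield no work item.
SAMPLE_PAYLOAD = json.dumps({
    "workflow_id": "00000000-0000-0000-0000-000000000001",
    "certification_id": "00000000-0000-0000-0000-000000000002",
    "message": "1 row(s) rejected",
    "details": [
        {"result_id": 96, "decision": "REJECTED", "signed_off_state": "SIGNED_OFF",
         "source": {"id": "custom_provider:idp:example:user:500044"},
         "destination": {"id": "custom_provider:application:example:resource:repo01"},
         "waypoint": {"id": "custom_provider:application:example:role:push:assignment:9"},
         "accumulated_raw_permissions": ["Fork", "Merge", "Pull", "Push"],
         "notes": "contractor offboarded"},
        {"result_id": 97, "decision": "REJECTED", "signed_off_state": "NOT_SIGNED_OFF",
         "source": {"id": "custom_provider:idp:example:user:500045"},
         "destination": {"id": "custom_provider:application:example:resource:repo02"}},
    ],
})


def rejected_rows_to_work_items(body: str) -> list:
    """One work item per row that is REJECTED and signed off; draft (unsigned)
    decisions are skipped so a reviewer's change of mind never triggers a revoke."""
    payload = json.loads(body)
    missing = [k for k in REQUIRED if k not in payload]
    if missing:
        raise ValueError(f"payload missing required fields: {missing}")
    items = []
    for row in payload["details"]:
        if row.get("decision") != "REJECTED" or row.get("signed_off_state") != "SIGNED_OFF":
            continue
        items.append({
            "certification_id": payload["certification_id"],
            "result_id": row["result_id"],
            "user": row["source"]["id"],
            "resource": row["destination"]["id"],
            # The waypoint (here a role assignment) is the intermediate entity that
            # grants the access, so it is the object a remediation call targets.
            "revoke_at": (row.get("waypoint") or row["destination"])["id"],
            "raw_permissions": row.get("accumulated_raw_permissions", []),
            "notes": row.get("notes", ""),
        })
    return items
```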

Tags and enrichment metadata

The AwfResult preview API object includes tags and enrichment data if these options are enabled in the review configuration. Webhook payload details also include these fields:

Tag example:

"tags": [
  {
    "key": "tag_one",
    "type": "VEZA",
    "value": ""
  },
  {
    "key": "tag_two",
    "type": "VEZA",
    "value": "value"
  }
]

Enrichment data example:

"joined_nodes": {
  "idp": {
      "canonical_name": "Ashley Abbott",
      "customprop_birthday": "1988-08-09T00:00:00Z",
      "customprop_cube": "D-jO452",
      "customprop_last_login": "2021-07-19T15:43:14Z",
      "datasource_id": "2691af72-b1d1-41ac-a714-ace1ae54d9a5",
      "datasource_name": "Custom IdP",
      "department": "",
      "email": "aabbott@cookiebeta.ai",
      "guest": false,
      "id": "custom_provider:idp:2691af72-b1d1-41ac-a714-ace1ae54d9a5:idp_type:custom_idp:user:507710",
      "identity_type": "HUMAN",
      "idp_unique_id": "507710",
      "is_active": true,
      "last_pushed_at": "2024-08-29T17:40:39Z",
      "manager_email": "wmccormick@cookiebeta.ai",
      "manager_idp_unique_id": "504975",
      "manager_name": "wmccormick",
      "name": "aabbott",
      "provider_id": "oaa_external:intuit-demo",
      "provider_name": "intuit-demo",
      "risk_score": 0,
      "tags": [],
      "type": "OAA.custom_idp.IDPUser"
  }
}
