Orchestration Actions
Enable third-party integrations or custom webhooks for Veza Access Reviews.
Overview
Orchestration Actions enable external processes when decisions and other events occur during an access review. Actions might trigger automated remediation, or announce to a team when a row is rejected, reviewers change, or the review is complete.
For example, you can use Veza to create a Jira issue or ServiceNow ticket for rejected access, or trigger actions in a custom application using a webhook.
To enable Orchestration Actions for a configuration or review, an administrator will need to configure integrations. See Orchestration Actions and Webhooks for more information about supported targets.
Configuring Orchestration Actions
Administrators and operators can add actions when creating or editing a configuration, or by opening the Review Details sidebar in the reviewer’s interface. Then, map actions to events they will trigger.
Events that can trigger Orchestration Actions:
Reassign reviewer: When a user reassigns a row to another user.
Approve row: When an approved row is signed off.
Reject row: When a rejected row is signed off.
Complete review: When the review is marked "Complete."
Possible actions depend on the event:
Webhooks: Supports Reassign Reviewer, Approve Row, Reject Row, and Complete Review.
Email Notifications: Supports Approve Row and Reject Row.
Jira: Supports Reject Row.
ServiceNow: Supports Reject Row.
When adding a configuration, use the Orchestration Actions section of the configuration builder to map events to actions in a target system. To enable default actions at the configuration level:
Go to Access Reviews> Reviews to create or edit a configuration.
Scroll down to Orchestration Actions:
Toggle events that will trigger actions.
Pick an Orchestration Action for each event.
Save the configuration.
To configure unique Orchestration Actions for an active review:
Go to Access Reviews > Reviews, or open the review from the Configuration Details page.
Click on the review's name to open the reviewer's interface.
On the Review Details sidebar, find Orchestration Actions and click Configure Orchestration Actions.
Edit Orchestration Actions and click Save when finished.
Lifecycle Management Auto-Revocation
Early Access: Please contact your Veza support team to learn more about enabling this feature.
Access Reviews integrate with Lifecycle Management for auto-revocation. When access is rejected during user access review, Veza Lifecycle Management can revoke a user's group membership automatically. For example, if the scope is Active Directory user to Active Directory security group, a lifecycle management workflow can remove a user from the group described in a rejected row.
Benefits:
Revoke users from groups, roles, profiles, and permission sets automatically on reject.
Supports all target apps supported by Lifecycle Management
No custom integration - no webhooks
To enable LCM integration, edit a review configuration and choose the orchestration action "Revoke access on Sign-off of Rejected Rows".
Requirements:
Lifecycle Management and Access Plans must be enabled for your tenant.
The Lifecycle Management integration for the target application must have permissions to remove roles, group membership, or otherwise manage relationships for users.
Implementation Considerations:
The Revoke access on Sign-off of Rejected Rows action appears in Orchestration Actions for Configurations with supported source and destination pairs.
Reviews must be structured with users as the source and the destination being roles, groups, or permission sets within the same target application.
Auto-revocation does not support source-only Reviews.
Source and destination have to be entities from a common application, such as Active Directory for a review covering Active Directory Users to Active Directory Security Groups.
Auto-revocation does not support heterogeneous scenarios, such as Okta Users to Snowflake Databases.
Webhook payload
Access review events can trigger a JSON payload sent to an external listener, which parses the payload to trigger remediation actions.
The message from Veza will include the configuration (workflow
) and review (certification
) name and ID, and the event message
or details
about the review.
You must configure a service (such as an AWS Lambda function) to read the payload and take action, typically with an API call to the 3rd-party application.
Example webhook: review completed
workflow_id
UUID
A unique identifier for the review configuration.
workflow_name
String
The name of the review configuration.
certification_id
UUID
A unique identifier for the review.
message
String
A summary message describing the event.
requestor
String
The email address of the user who initiated the review.
Example webhook: rejected row
Access review events trigger this JSON payload. The payload includes critical identifiers and names for both the review configuration (workflow
) and the specific review (certification
), and details about the row and relationship under review.
If available, the response will include the accumulated raw system permissions a source has on a destination, and their equivalent effective permissions.
details
: The payload includes the full entity details for rejected or approved rows, including information about the source node, destination node, and possibly a related intermediate entity.Included entity attributes are:
canonical_name
,datasource_id
,id
,name
,department
,email
,guest
,idp_type
,idp_unique_id
,is_active
,manager_email
,manager_idp_unique_id
,manager_name
,property_*
,provider_id
,provider_name
,type
.decision
: possible values aredecisions
are 1:NONE
, 2:ACCEPTED
, 3:REJECTED
, 4:FIXED
.
Tags and enrichment metadata
The AwfResult
preview API object includes tags and enrichment data if these options are enabled in the review configuration. Webhook payload details
also include these fields:
Tag example:
Enrichment data example:
Last updated