Orchestration Actions
Enable third-party integrations or custom webhooks for Veza Access Reviews.
Orchestration Actions enable external processes when decisions and other events occur during an access review. Actions might trigger automated remediation, or announce to a team when a row is rejected, reviewers change, or the review is complete.
For example, you can use Veza to create a Jira issue or ServiceNow ticket for rejected access, or trigger actions in a custom application using a webhook.
To enable Orchestration Actions for a configuration or review, an administrator will need to configure integrations. See and for more information about supported targets.
Administrators and operators can add actions when creating or editing a configuration, or by opening the Review Details sidebar in the reviewer’s interface. Then, map actions to events they will trigger.
Events that can trigger Orchestration Actions:
Reassign reviewer: When a user reassigns a row to another user.
Approve row: When an approved row is signed off.
Reject row: When a rejected row is signed off.
Complete review: When the review is marked "Complete."
Possible actions depend on the event:
Webhooks: Supports Reassign Reviewer, Approve Row, Reject Row, and Complete Review.
Email Notifications: Supports Approve Row and Reject Row.
Jira: Supports Reject Row.
ServiceNow: Supports Reject Row.
When adding a configuration, use the Orchestration Actions section of the configuration builder to map events to actions in a target system. To enable default actions at the configuration level:
Go to Access Reviews > Reviews to create or edit a configuration.
Scroll down to Orchestration Actions:
Toggle events that will trigger actions.
Pick an Orchestration Action for each event.
Save the configuration.
To configure unique Orchestration Actions for an active review:
Go to Access Reviews > Reviews, or open the review from the Configuration Details page.
Click on the review's name to open the reviewer's interface.
On the Review Details sidebar, find Orchestration Actions and click Configure Orchestration Actions.
Edit Orchestration Actions and click Save when finished.
Early Access: Please contact your Veza support team to learn more about enabling this feature.
Access Reviews integrate with Lifecycle Management for auto-revocation. When access is rejected during user access review, Veza Lifecycle Management can revoke a user's group membership automatically. For example, if the scope is Active Directory user to Active Directory security group, a lifecycle management workflow can remove a user from the group described in a rejected row.
Benefits:
Revoke users from groups, roles, profiles, and permission sets automatically on reject.
Supports all target apps supported by Lifecycle Management
No custom integration or webhook is required.
To enable LCM integration, edit a review configuration and choose the orchestration action "Revoke access on Sign-off of Rejected Rows".
Requirements:
Lifecycle Management and Access Plans must be enabled for your tenant.
The Lifecycle Management integration for the target application must have permissions to remove roles, group membership, or otherwise manage relationships for users.
Implementation Considerations:
The Revoke access on Sign-off of Rejected Rows action appears in Orchestration Actions for Configurations with supported source and destination pairs.
Reviews must be structured with users as the source and the destination being roles, groups, or permission sets within the same target application.
Auto-revocation does not support source-only Reviews.
Source and destination have to be entities from a common application, such as Active Directory for a review covering Active Directory Users to Active Directory Security Groups.
Auto-revocation does not support heterogeneous scenarios, such as Okta Users to Snowflake Databases.
Access review events can trigger a JSON payload sent to an external listener, which parses the payload to trigger remediation actions.
The message from Veza will include the configuration (workflow) and review (certification) name and ID, and the event message or details about the review.
You must configure a service (such as an AWS Lambda function) to read the payload and take action, typically with an API call to the third-party application.
Access review events trigger this JSON payload. The payload includes critical identifiers and names for both the review configuration (workflow) and the specific review (certification), and details about the row and relationship under review.
If available, the response will include the accumulated raw system permissions a source has on a destination, and their equivalent effective permissions.
details: The payload includes the full entity details for rejected or approved rows, including information about the source node, destination node, and possibly a related intermediate entity.
Included entity attributes are: canonical_name, datasource_id, id, name, department, email, guest, idp_type, idp_unique_id, is_active, manager_email, manager_idp_unique_id, manager_name, property_*, provider_id, provider_name, type.
decision: possible values are 1: NONE, 2: ACCEPTED, 3: REJECTED, 4: FIXED.
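The listener side of this flow, as an added example that is not Veza's code or documentation: an AWS Lambda-style handler that validates the decision field against the four documented values, pulls the source and destination entities out of details, and only produces a remediation request for a signed-off rejection. The top-level key names (workflow, certification, source, destination) and the sample payload are assumptions constructed for the example; only decision, details and the entity attribute names come from the page.

```python
import json
from enum import IntEnum

class Decision(IntEnum):  # values documented for the payload's "decision" field
    NONE = 1
    ACCEPTED = 2
    REJECTED = 3
    FIXED = 4

# Constructed sample payload. Key names other than "decision", "details" and the
# entity attributes are assumptions, not Veza's documented schema.
SAMPLE_EVENT = {
    "workflow": {"id": "00000000-0000-0000-0000-000000000001", "name": "AD group review"},
    "certification": {"id": "00000000-0000-0000-0000-000000000002", "name": "Q1"},
    "decision": 3,
    "details": {
        "source": {"type": "ActiveDirectoryUser", "name": "jdoe", "email": "jdoe@example.com",
                   "manager_email": "mgr@example.com", "is_active": True, "id": "user-1"},
        "destination": {"type": "ActiveDirectorySecurityGroup", "name": "Finance-Admins", "id": "group-1"},
    },
}

def parse_event(payload: dict) -> dict:
    """Validate the payload and return only what a remediation step needs."""
    try:
        decision = Decision(int(payload["decision"]))
    except (KeyError, ValueError, TypeError) as exc:
        raise ValueError(f"invalid or missing decision: {exc}") from exc
    details = payload.get("details") or {}
    src, dst = details.get("source"), details.get("destination")
    if not (src and dst):
        raise ValueError("details must carry source and destination entities")
    return {"decision": decision, "certification_id": payload["certification"]["id"],
            "source": src, "destination": dst}

def handle(payload: dict) -> str:
    """Route by decision: only a signed-off rejection produces a remediation request."""
    ev = parse_event(payload)
    if ev["decision"] is not Decision.REJECTED:
        return f"ignored: decision={ev['decision'].name}"
    # The real API call to the target system (AD, Jira, ServiceNow) would replace this text.
    return (f"remove {ev['source']['name']} ({ev['source'].get('email')}) from "
            f"{ev['destination']['name']} [{ev['destination']['type']}] "
            f"per review {ev['certification_id']}")

def lambda_handler(event, context):
    """AWS Lambda entry point; an API Gateway proxy event with a JSON body is assumed."""
    body = json.loads(event["body"]) if isinstance(event.get("body"), str) else event
    try:
        return {"statusCode": 200, "body": handle(body)}
    except (ValueError, KeyError) as exc:
        return {"statusCode": 400, "body": f"bad payload: {exc}"}
```

Malformed payloads (unknown decision value, missing entities) are rejected with a 400 rather than silently ignored, so a misconfigured event mapping shows up in the listener's logs.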
Tag example:
Enrichment data example:
The AwfResult preview API object includes tags and enrichment data if these options are enabled in the review configuration. Webhook payload details also include these fields:

Field | Type | Description
---|---|---
 | UUID | A unique identifier for the review configuration.
 | String | The name of the review configuration.
 | UUID | A unique identifier for the review.
 | String | A summary message describing the event.
 | String | The email address of the user who initiated the review.