Verify Remediations

Automatically confirm that access rejected during a review has been removed, and mark remediated rows as fixed.

Access Reviews help organizations identify and remediate inappropriate entitlements. The Verify Remediations feature helps you reconcile that rejected access has actually been revoked, by automatically confirming that access rejected during a review is no longer detected by Veza. When this reconciliation occurs, Access Reviews marks those rejected rows as Fixed in the review.

How it works

When a reviewer rejects a row in an access review, Veza runs background validation that can detect whether the access described by that rejected row still exists after Veza re-extracts user and access data for the applicable integration and datasource. If the rejected access is no longer detected, it is removed from the Access Graph, and Access Reviews will also mark the applicable row in the review as Fixed. For example, for a review of Okta Users to Okta Groups:

  1. A reviewer rejects an Okta user's access to a particular Okta group.

  2. The decision is signed off.

  3. Once the review has been completed or reaches its due date, Veza will periodically query the Access Graph to check if the rejected Okta User → Okta Group access relationship still exists in your environment.

  4. If the access is no longer present, Veza marks the rejected row as Fixed and records a note: "Rejected access no longer detected by Veza." The action log records the change as performed by the System.

This provides an auditable record of successful remediations without requiring manual follow-up.

Note: The Verify Remediations feature is agnostic to the method of access revocation. Access can be removed automatically using Veza's auto-revocation capabilities, programmatically removed, or manually removed using out-of-band means. Once the rejected access is no longer detected in the Access Graph, the corresponding row in the access review is marked as Fixed.

Automated datasource extractions, CSV file uploads, and data pushes for OAA-based integrations should continue at regular intervals post-review completion to ensure Verify Remediations remains effective.

The feature is disabled by default. To use it, enable it in Access Reviews > Settings or within a review configuration.

Sign-off requirements

A sign-off must occur on the rejected row before Veza will check that row against the Access Graph. The verification only processes rows that have been both Rejected and Signed Off by a reviewer.

Sign-off can occur in two ways:

  • Manually: A reviewer explicitly signs off on their rejected decisions using the sign-off action in the Reviewer Interface, or uses the Reject & Sign-Off combined action.

  • Automatically: Rows that are auto-rejected by system events (such as review auto-expiration or auto-advance at due date) are signed off automatically.

Validation timing and duration

Depending on the configured trigger, the validation job starts either when the review reaches its due date or when all rows are completed. Processing continues until all signed-off rejected rows are validated or the configured maximum validation duration is reached (default is 30 days).
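The reconciliation described under How it works, Sign-off requirements, and the duration rule above, as an added Python model (example code, not Veza's implementation): only rows that are both Rejected and Signed Off are compared against the re-extracted graph, a missing relationship marks the row Fixed with the documented note and System actor, and the job ends when every eligible row is Fixed or the maximum duration elapses. Row fields, the sample rows and the sample graph are constructed for the example.

```python
from dataclasses import dataclass, field

# Note text and actor are the values the page documents for a verified remediation.
FIXED_NOTE = "Rejected access no longer detected by Veza"

@dataclass
class ReviewRow:
    user: str
    group: str
    decision: str                 # e.g. "Rejected" or "Approved"
    signed_off: bool
    fixed: bool = False
    notes: list = field(default_factory=list)
    action_log: list = field(default_factory=list)

def eligible(row: ReviewRow) -> bool:
    """Only rows that are both Rejected and Signed Off are checked against the graph."""
    return row.decision == "Rejected" and row.signed_off

def verify_remediations(rows, graph_edges):
    """Mark eligible rows Fixed when their (user, group) relationship is absent from
    the re-extracted Access Graph. graph_edges holds the relationships still present."""
    newly_fixed = []
    for row in rows:
        if row.fixed or not eligible(row):
            continue
        if (row.user, row.group) not in graph_edges:
            row.fixed = True
            row.notes.append(FIXED_NOTE)
            row.action_log.append({"actor": "System", "action": "mark_fixed"})
            newly_fixed.append(row)
    return newly_fixed

def validation_job_done(rows, days_elapsed, max_days=30):
    """The job stops once every eligible row is Fixed, or when the maximum
    validation duration (default 30 days) is reached."""
    return all(r.fixed for r in rows if eligible(r)) or days_elapsed >= max_days

# Constructed sample: an Okta Users -> Okta Groups review after re-extraction.
# alice: membership gone -> Fixed; bob: gone but not signed off -> skipped;
# carol: membership still present -> stays open.
SAMPLE_ROWS = [
    ReviewRow("alice", "okta-admins", "Rejected", signed_off=True),
    ReviewRow("bob", "okta-admins", "Rejected", signed_off=False),
    ReviewRow("carol", "okta-devs", "Rejected", signed_off=True),
]
SAMPLE_GRAPH = {("carol", "okta-devs"), ("dave", "okta-devs")}

if __name__ == "__main__":
    for row in verify_remediations(SAMPLE_ROWS, SAMPLE_GRAPH):
        print(f"{row.user} -> {row.group}: Fixed ({row.notes[-1]})")
```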

Configuring Verify Remediations

The Access Reviews section in the Veza administrative console provides a simple on/off toggle for enabling Verify Remediations, either globally or per-Review Configuration. When enabled, the following defaults are applied automatically:

Setting                      Default
Trigger                      On review completion or expiration
Maximum validation duration  Up to 30 days

For full trigger options and custom durations, use the API.

Global Settings

To enable Verify Remediations for all Review Configurations that do not have their own override:

  1. Go to Access Reviews > Settings.

  2. On the Reviews tab, scroll down to the Verify Remediations card.

  3. Toggle Mark verified remediations as fixed on.

Review Configuration

To enable Verify Remediations for a specific review configuration:

  1. Go to Access Reviews > Configurations.

  2. Click the configuration name, then click Edit.

  3. In the configuration wizard, scroll to or click Verify Remediations in the right-side step navigation.

  4. Toggle Mark verified remediations as fixed on.

Settings configured at the review configuration level override the global setting for that configuration.

Configure via the API

Administrators can configure all options for Verify Remediations via API, including the trigger condition, the validation duration, and the behavior when validation succeeds. Settings can apply globally or to a specific review configuration.

The toggle in the administrative interface enables Verify Remediations with fixed defaults: validation triggers on review completion and runs for up to 30 days. To use any of the following, configure the feature via API:

  • Trigger on due date — start validation as soon as a review reaches its due date, without waiting for completion or expiration

  • Custom validation windows — set a duration other than the default 30 days

  • Per-configuration overrides — enable globally but disable for a specific configuration, or use different settings per configuration

Required permissions

Operation        Roles
Update settings  admin, operator, access_reviews_admin
Read settings    admin, operator, access_reviews_admin, access_reviewer, viewer, reassigner, watcher, access_reviews_monitor, nhi_security_admin

Update settings

Request body

Fields

workflow_id (string, optional)
    If provided, applies settings only to this review configuration. If omitted, applies globally to all configurations that do not have their own settings.

value.behavior (string, required)
    Controls what happens when validation runs. See Behavior values.

value.trigger (string, required)
    Determines when the validation job starts. See Trigger values.

value.max_validation_duration_days (integer, required)
    How many days the job continues attempting to validate before giving up. Must be greater than 0. Once all signed-off rejected rows are validated, the job stops immediately regardless of this value.

Behavior values

ACCESS_REMEDIATION_VALIDATION_BEHAVIOR_DISABLED
    Validation does not run.

ACCESS_REMEDIATION_VALIDATION_BEHAVIOR_MARK_AS_FIXED
    When a rejected row's access is no longer detected in the graph, the row is marked as Fixed and the action log records the change.

Trigger values

ACCESS_REMEDIATION_VALIDATION_TRIGGER_ON_COMPLETION
    The validation job starts when a review enters the Completed or Expired state. Note: a review that is past its due date is not the same as an expired review. For a review to expire, it must have a due date and review expirations must be enabled.

ACCESS_REMEDIATION_VALIDATION_TRIGGER_ON_DUE_DATE
    The validation job starts as soon as the review reaches its due date, regardless of whether review expiration is enabled. If the review has no due date, this behaves identically to ON_COMPLETION and the job will not start until the review is completed.

Get current settings

Query parameters

workflow_id (string, optional)
    If provided, returns the settings for this review configuration. If omitted, returns the global settings.

Response

Example: Enable with on-due-date trigger and 14-day window

Enables Verify Remediations globally. Validation starts as soon as a review reaches its due date, and the job will continue checking for up to 14 days.

Example: Disable for a specific review configuration

Disables Verify Remediations for a single review configuration, overriding the global setting for that configuration. Replace the workflow_id value with the ID of the target configuration.
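The request bodies for the two examples above, assembled from the documented fields and enum values, together with a model of the two trigger semantics, as an added Python example (not Veza's code or API client). The endpoint path is not given on this page, so the block only builds and validates the JSON; "<workflow-id>" is a placeholder, and the example assumes that trigger and duration must still be supplied when behavior is DISABLED because the page marks them required.

```python
import json

# Enum values exactly as documented on this page.
BEHAVIORS = {"ACCESS_REMEDIATION_VALIDATION_BEHAVIOR_DISABLED",
             "ACCESS_REMEDIATION_VALIDATION_BEHAVIOR_MARK_AS_FIXED"}
TRIGGERS = {"ACCESS_REMEDIATION_VALIDATION_TRIGGER_ON_COMPLETION",
            "ACCESS_REMEDIATION_VALIDATION_TRIGGER_ON_DUE_DATE"}

def build_settings_body(behavior, trigger, max_days, workflow_id=None):
    """Build the documented request body, rejecting values the API would not accept.
    Omitting workflow_id applies the settings globally."""
    if behavior not in BEHAVIORS:
        raise ValueError(f"unknown behavior: {behavior}")
    if trigger not in TRIGGERS:
        raise ValueError(f"unknown trigger: {trigger}")
    if not isinstance(max_days, int) or max_days <= 0:
        raise ValueError("max_validation_duration_days must be an integer greater than 0")
    body = {"value": {"behavior": behavior, "trigger": trigger,
                      "max_validation_duration_days": max_days}}
    if workflow_id is not None:
        body["workflow_id"] = workflow_id
    return body

def validation_starts(trigger, review_state, due_date, today):
    """Model of the documented trigger semantics. review_state is "Active",
    "Completed" or "Expired"; dates are ISO strings, which compare chronologically."""
    if review_state in ("Completed", "Expired"):
        return True                # both triggers start here
    if trigger == "ACCESS_REMEDIATION_VALIDATION_TRIGGER_ON_DUE_DATE" and due_date:
        return today >= due_date   # starts at the due date even if expiration is disabled
    return False                   # ON_COMPLETION, or ON_DUE_DATE without a due date

# Example 1: enable globally, on-due-date trigger, 14-day window.
GLOBAL_BODY = build_settings_body(
    "ACCESS_REMEDIATION_VALIDATION_BEHAVIOR_MARK_AS_FIXED",
    "ACCESS_REMEDIATION_VALIDATION_TRIGGER_ON_DUE_DATE", 14)
# Example 2: disable for one configuration. "<workflow-id>" is a placeholder (assumption:
# trigger and duration are still supplied because the page marks them required).
PER_CONFIG_BODY = build_settings_body(
    "ACCESS_REMEDIATION_VALIDATION_BEHAVIOR_DISABLED",
    "ACCESS_REMEDIATION_VALIDATION_TRIGGER_ON_COMPLETION", 30,
    workflow_id="<workflow-id>")

if __name__ == "__main__":
    print(json.dumps(GLOBAL_BODY, indent=2))
    print(json.dumps(PER_CONFIG_BODY, indent=2))
```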
