Veza Actions for Access Reviews

Enable third-party integrations or custom webhooks for Veza Access Reviews.

Overview

Veza Actions enable external processes when decisions and other events occur during an access review. Actions might trigger automated remediation, or announce to a team when a row is rejected, reviewers change, or the review is complete.

For example, you can use Veza to create a Jira issue or ServiceNow ticket for rejected access, or trigger actions in a custom application using a webhook.

To enable Veza Actions for a configuration or review, an administrator will need to configure integrations. See Veza Actions and Webhooks for more information about supported targets.

Configuring Veza Actions

Administrators and operators can add actions when creating or editing a configuration, or by opening the Review Details sidebar in the reviewer's interface. Then map each event to the action it should trigger.

Events that can trigger Veza Actions:

  • Reassign reviewer: When a user reassigns a row to another user.

  • Approve row: When an approved row is signed off.

  • Reject row: When a rejected row is signed off.

  • Complete review: When the review is marked "Complete."

Possible actions depend on the event:

  • Webhooks: Supports Reassign Reviewer, Approve Row, Reject Row, and Complete Review.

  • Email Notifications: Supports Approve Row and Reject Row.

  • Jira: Supports Reject Row.

  • ServiceNow: Supports Reject Row.

When adding a configuration, use the Veza Actions section of the configuration builder to map events to actions in a target system. To enable default actions at the configuration level:

  1. Go to Access Reviews > Configurations to create or edit a configuration.

  2. In the configuration editor, scroll down to the Veza Actions section.

  3. Toggle events that will trigger actions.

  4. Pick a Veza Action for each event.

  5. Save the configuration.

To configure Veza Actions for a 1-step review:

  1. Go to Access Reviews > Reviews, or open the review from the Configuration Details page.

  2. Click on the review name to open the reviewer's interface.

  3. On the Review Details sidebar, find the Veza Actions section and click Configure Veza Actions.

  4. Use the modal to assign or change the actions associated with different event types, and click Save when finished.

Lifecycle Management Auto-Revocation

Early Access: Please contact your Veza support team to learn more about enabling this feature.

Access Reviews integrate with Lifecycle Management for auto-revocation. When access is rejected during user access review, Veza Lifecycle Management can revoke a user's group membership automatically. For example, if the scope is Active Directory user to Active Directory security group, a lifecycle management workflow can remove a user from the group described in a rejected row.

Benefits:

  • Revoke users from groups, roles, profiles, and permission sets automatically on reject.

  • Supports all target applications supported by Lifecycle Management.

  • No custom integration or webhooks required.

  • To enable the Lifecycle Management integration, edit a review configuration and choose the Veza Action "Revoke access on Sign-off of Rejected Rows".

Requirements:

  • Lifecycle Management and Access Plans must be enabled for your tenant.

  • The Lifecycle Management integration for the target application must have permissions to remove roles, group membership, or otherwise manage relationships for users.

Implementation Considerations:

  • The Revoke access on Sign-off of Rejected Rows action appears in Veza Actions for Configurations with supported source and destination pairs.

  • Reviews must be structured with users as the source and the destination being roles, groups, or permission sets within the same target application.

  • Auto-revocation does not support source-only Reviews.

  • Source and destination have to be entities from a common application, such as Active Directory for a review covering Active Directory Users to Active Directory Security Groups.

  • Auto-revocation does not support heterogeneous scenarios, such as Okta Users to Snowflake Databases.

Webhook payload

Access review events can trigger a JSON payload sent to an external listener, which parses the payload to trigger remediation actions.

The message from Veza will include the configuration (workflow) and review (certification) name and ID, and the event message or details about the review.

You must configure a service (such as an AWS Lambda function) to read the payload and take action, typically with an API call to the 3rd-party application.

Example webhook: review completed

{
  "workflow_id": "ae68b59e-d5b8-45cf-9d73-644beef7c8a6",
  "workflow_name": "Access Review",
  "certification_id": "41ea28f2-fc3f-49fd-ac7c-8b85320a6d29",
  "message": "Certification completed",
  "requestor": "veza@veza.com"
}

Payload fields:

  • workflow_id (UUID): A unique identifier for the review configuration.

  • workflow_name (String): The name of the review configuration.

  • certification_id (UUID): A unique identifier for the review.

  • message (String): A summary message describing the event.

  • requestor (String): The email address of the user who initiated the review.

Example webhook: rejected row

Access review events trigger this JSON payload. The payload includes critical identifiers and names for both the review configuration (workflow) and the specific review (certification), and details about the row and relationship under review.

{
  "workflow_id": "b6a4e8ed-9bf9-4a5f-8545-cbe5e3e12702",
  "workflow_name": "User to Role to Github",
  "certification_id": "8e4de1b5-2045-4dd4-9844-3a4fbe3d0ad7",
  "certification_started_at": "2022-06-21T16:58:23Z",
  "certification_snapshot_id": 1655830200,
  "message": "1 row(s) rejected",
  "requestor": {
    "id": "e0c03c28-7999-4079-9d58-6cbcc314b85b",
    "name": "cookie.ai",
    "email": "cookie@cookie.ai"
  },
  "details": [
    {
      "result_id": 96,
      "source": {
        "canonical_name": "Brittany Smith",
        "datasource_id": "f9145343-2205-491a-b77a-7ac59bb5743d",
        "datasource_name": "Olympus",
        "department": "",
        "email": "bsmith@cookiebeta.ai",
        "guest": false,
        "id": "custom_provider:idp:f9145343-2205-491a-b77a-7ac59bb5743d:idp_type:olympus_idp:user:500044",
        "idp_type": "olympus_idp",
        "idp_unique_id": "500044",
        "is_active": true,
        "manager_email": "jharris@cookiebeta.ai",
        "manager_idp_unique_id": "500032",
        "manager_name": "jharris",
        "name": "bsmith",
        "property_five": "",
        "property_four": "",
        "property_one": "",
        "property_three": "",
        "property_two": "",
        "provider_id": "custom_idp_ctr01",
        "provider_name": "Custom_IDP_CTR01",
        "type": "CustomIDPUser"
      },
      "destination": {
        "application_type": "Github",
        "datasource_id": "5686863f-1628-41c5-a06d-b2c4f678d201",
        "description": "",
        "id": "custom_provider:application:5686863f-1628-41c5-a06d-b2c4f678d201:github_-_engineering:resource:repo01",
        "name": "repo01",
        "provider_id": "github",
        "provider_name": "GitHub",
        "resource_type": "repo",
        "type": "CustomResource"
      },
      "accumulated_effective_permissions": [
        "Read",
        "Write"
      ],
      "accumulated_raw_permissions": [
        "Fork",
        "Merge",
        "Pull",
        "Push"
      ],
      "updated_at": "2022-06-21T23:30:47.623828883Z",
      "updated_by": {
        "user_type": "localCookieUser",
        "id": "e0c03c28-7999-4079-9d58-6cbcc314b85b",
        "email": "cookie@cookie.ai",
        "name": "cookie.ai"
      },
      "waypoint": {
        "id": "custom_provider:application:5686863f-1628-41c5-a06d-b2c4f678d201:github_-_engineering:role:push:assignment:9",
        "name": "Push",
        "type": "CustomRoleAssignment"
      },
      "decision": "REJECTED",
      "notes": "this is the rejection note",
      "signed_off_state": "SIGNED_OFF"
    }
  ]
}

If available, the payload will include the accumulated raw system permissions a source has on a destination, and their equivalent effective permissions.

  • details: The payload includes the full entity details for rejected or approved rows, including information about the source node, destination node, and possibly a related intermediate entity.

  • Included entity attributes are: canonical_name, datasource_id, id, name, department, email, guest, idp_type, idp_unique_id, is_active, manager_email, manager_idp_unique_id, manager_name, property_*, provider_id, provider_name, type.

  • decision: possible values are 1: NONE, 2: ACCEPTED, 3: REJECTED, 4: FIXED.

Tags and enrichment metadata

The AwfResult preview API object includes tags and enrichment data if these options are enabled in the review configuration. Webhook payload details also include these fields:

Tag example:

"tags": [
  {
    "key": "tag_one",
    "type": "VEZA",
    "value": ""
  },
  {
    "key": "tag_two",
    "type": "VEZA",
    "value": "value"
  }
]

Enrichment data example:

"joined_nodes": {
  "idp": {
      "canonical_name": "Ashley Abbott",
      "customprop_birthday": "1988-08-09T00:00:00Z",
      "customprop_cube": "D-jO452",
      "customprop_last_login": "2021-07-19T15:43:14Z",
      "datasource_id": "2691af72-b1d1-41ac-a714-ace1ae54d9a5",
      "datasource_name": "Custom IdP",
      "department": "",
      "email": "aabbott@cookiebeta.ai",
      "guest": false,
      "id": "custom_provider:idp:2691af72-b1d1-41ac-a714-ace1ae54d9a5:idp_type:custom_idp:user:507710",
      "identity_type": "HUMAN",
      "idp_unique_id": "507710",
      "is_active": true,
      "last_pushed_at": "2024-08-29T17:40:39Z",
      "manager_email": "wmccormick@cookiebeta.ai",
      "manager_idp_unique_id": "504975",
      "manager_name": "wmccormick",
      "name": "aabbott",
      "provider_id": "oaa_external:intuit-demo",
      "provider_name": "intuit-demo",
      "risk_score": 0,
      "tags": [],
      "type": "OAA.custom_idp.IDPUser"
  }
}
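The listener side of the webhook flow described above (the "Webhook payload" section and the tags and enrichment fields just shown), as an added example that is not Veza's code: it parses the "review completed" and "rejected row" payload shapes from this page, turns only signed-off REJECTED rows into revocation work items, picks up the manager address from the optional joined_nodes enrichment block, and remembers (certification_id, result_id) so a redelivered payload cannot revoke the same relationship twice. The Listener and RevocationTask names and the revoke() hook are assumptions for illustration; the sample payloads are constructed from the page's examples, with rows 97 and 98 and the "PENDING" sign-off state made up to exercise the filtering.

```python
import json
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample payloads based on this page's examples. Row 96 uses the page's
# identifiers; rows 97 and 98 (and the "PENDING" state) are made up for the demo.
COMPLETED_PAYLOAD = json.dumps({
    "workflow_id": "ae68b59e-d5b8-45cf-9d73-644beef7c8a6",
    "workflow_name": "Access Review",
    "certification_id": "41ea28f2-fc3f-49fd-ac7c-8b85320a6d29",
    "message": "Certification completed",
    "requestor": "veza@veza.com",
})

REJECTED_PAYLOAD = json.dumps({
    "workflow_id": "b6a4e8ed-9bf9-4a5f-8545-cbe5e3e12702",
    "workflow_name": "User to Role to Github",
    "certification_id": "8e4de1b5-2045-4dd4-9844-3a4fbe3d0ad7",
    "message": "1 row(s) rejected",
    "requestor": {"id": "e0c03c28-7999-4079-9d58-6cbcc314b85b", "name": "cookie.ai",
                  "email": "cookie@cookie.ai"},
    "details": [
        {
            "result_id": 96,
            "source": {"id": "custom_provider:idp:f9145343-2205-491a-b77a-7ac59bb5743d:"
                             "idp_type:olympus_idp:user:500044",
                       "name": "bsmith", "type": "CustomIDPUser",
                       "tags": [{"key": "tag_two", "type": "VEZA", "value": "value"}]},
            "destination": {"id": "custom_provider:application:5686863f-1628-41c5-a06d-"
                                  "b2c4f678d201:github_-_engineering:resource:repo01",
                            "name": "repo01", "type": "CustomResource"},
            "waypoint": {"id": "custom_provider:application:5686863f-1628-41c5-a06d-"
                               "b2c4f678d201:github_-_engineering:role:push:assignment:9",
                         "name": "Push", "type": "CustomRoleAssignment"},
            "accumulated_raw_permissions": ["Fork", "Merge", "Pull", "Push"],
            "decision": "REJECTED",
            "signed_off_state": "SIGNED_OFF",
            # Enrichment block: only present when enabled in the review configuration.
            "joined_nodes": {"idp": {"manager_email": "jharris@cookiebeta.ai"}},
        },
        # Constructed: an approved row, which needs no remediation.
        {"result_id": 97, "source": {"id": "user:97"}, "destination": {"id": "repo:97"},
         "decision": "ACCEPTED", "signed_off_state": "SIGNED_OFF"},
        # Constructed: a rejection that is not signed off, so the decision may still change.
        {"result_id": 98, "source": {"id": "user:98"}, "destination": {"id": "repo:98"},
         "decision": "REJECTED", "signed_off_state": "PENDING"},
    ],
})

REQUIRED_FIELDS = ("workflow_id", "workflow_name", "certification_id", "message")


@dataclass(frozen=True)
class RevocationTask:
    """One relationship to remove in the target application (hypothetical work item)."""
    certification_id: str
    result_id: int
    source_id: str
    destination_id: str
    waypoint_id: Optional[str]
    raw_permissions: tuple
    notify: tuple  # addresses to inform, e.g. the manager from enrichment data


def parse_payload(raw: str) -> dict:
    """Decode the JSON body and insist on the fields every Veza event carries."""
    payload = json.loads(raw)
    if not isinstance(payload, dict):
        raise ValueError("payload must be a JSON object")
    missing = [k for k in REQUIRED_FIELDS if k not in payload]
    if missing:
        raise ValueError(f"payload missing required fields: {missing}")
    return payload


def event_kind(payload: dict) -> str:
    """'row_decisions' when row details are attached, otherwise 'review_completed'."""
    return "row_decisions" if "details" in payload else "review_completed"


def revocation_tasks(payload: dict) -> list:
    """Build work items for signed-off REJECTED rows only; every other row is skipped."""
    tasks = []
    for row in payload.get("details", []):
        if row.get("decision") != "REJECTED" or row.get("signed_off_state") != "SIGNED_OFF":
            continue
        manager = ((row.get("joined_nodes") or {}).get("idp") or {}).get("manager_email")
        tasks.append(RevocationTask(
            certification_id=payload["certification_id"],
            result_id=int(row["result_id"]),
            source_id=row["source"]["id"],
            destination_id=row["destination"]["id"],
            waypoint_id=(row.get("waypoint") or {}).get("id"),
            raw_permissions=tuple(row.get("accumulated_raw_permissions", [])),
            notify=tuple(a for a in (manager,) if a),
        ))
    return tasks


class Listener:
    """Dispatches events and deduplicates on (certification_id, result_id)."""

    def __init__(self, revoke: Callable[[RevocationTask], None]):
        self._revoke = revoke  # hypothetical hook that calls the target application's API
        self._seen = set()

    def handle(self, raw: str) -> list:
        payload = parse_payload(raw)
        if event_kind(payload) == "review_completed":
            return []  # nothing to remediate; a real listener would log or notify here
        done = []
        for task in revocation_tasks(payload):
            key = (task.certification_id, task.result_id)
            if key in self._seen:
                continue  # redelivered payload: the revocation already happened
            self._revoke(task)
            self._seen.add(key)
            done.append(task)
        return done


if __name__ == "__main__":
    listener = Listener(lambda task: print("revoke", task.source_id, "->", task.destination_id))
    print(listener.handle(COMPLETED_PAYLOAD))
    print(len(listener.handle(REJECTED_PAYLOAD)), "revocation(s) issued")
    print(len(listener.handle(REJECTED_PAYLOAD)), "issued on redelivery")
```

The two checks worth keeping in any real listener are the ones above: act only on rows whose decision is REJECTED and whose signed_off_state is SIGNED_OFF (the page says the Reject Row event fires at sign-off, but a mis-routed or replayed payload should not be able to revoke access), and key the idempotency store on the certification and result ids so that retries from the sender do not cause repeated remediation calls.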