Veza Actions for Access Reviews

Overview

Veza Actions enable external processes when decisions and other events occur during an access review. Actions might trigger automated remediation, or announce to a team when a row is rejected, reviewers change, or the review is complete.

For example, you can use Veza to create a Jira issue or ServiceNow ticket for rejected access, or trigger actions in a custom application using a webhook.

To enable Veza Actions for a configuration or review, an administrator will need to configure integrations. See Veza Actions and Webhooks for more information about supported targets.

Configuring Veza Actions

Administrators and operators can add actions when creating or editing a configuration, or by opening the Review Details sidebar in the reviewer's interface. Then, map actions to events they will trigger.

Events that can trigger Veza Actions:

• Reassign reviewer: When a user reassigns a row to another user.

• Approve row: When an approved row is signed off.

• Reject row: When a rejected row is signed off.

• Complete review: When the review is marked "Complete."

Possible actions depend on the event:

• Webhooks: Supports Reassign Reviewer, Approve Row, Reject Row, and Complete Review.

• Email Notifications: Supports Approve Row and Reject Row.

• Jira: Supports Reject Row.

• ServiceNow: Supports Reject Row.

When adding a configuration, use the Veza Actions section of the configuration builder to map events to actions in a target system. To enable default actions at the configuration level:

1. Go to Access Reviews> Configurations to create or edit a configuration.

2. In the configuration editor, scroll down to Veza Actions:

3. Toggle events that will trigger actions.

4. Pick a Veza Action for each event.

5. Save the configuration.

To configure Veza Actions for a 1-step review:

1. Go to Access Reviews > Reviews, or open the review from the Configuration Details page.

2. Click on the review name to open the reviewer's interface.

3. On the Review Details sidebar, find the Veza Actions section and click Configure Veza Actions.
4. Use the modal to assign or change the actions associated with different event types, and click Save when finished.

Lifecycle Management Auto-Revocation

Access Reviews integrate with Lifecycle Management for auto-revocation. When access is rejected during user access review, Veza Lifecycle Management can revoke a user's group membership automatically. For example, if the scope is Active Directory user to Active Directory security group, a lifecycle management workflow can remove a user from the group described in a rejected row.

Benefits:

• Revoke users from groups, roles, profiles, and permission sets automatically on reject.

• Supports all target apps supported by Lifecycle Management

• No custom integration - no webhooks

• To enable LCM integration, edit a review configuration and choose the Veza Action "Revoke access on Sign-off of Rejected Rows".

Requirements:

• Lifecycle Management and Access Plans must be enabled for your tenant.

• The Lifecycle Management integration for the target application must have permissions to remove roles, group membership, or otherwise manage relationships for users.

Implementation Considerations:

• The Revoke access on Sign-off of Rejected Rows action appears in Veza Actions for Configurations with supported source and destination pairs.

• Reviews must be structured with users as the source and the destination being roles, groups, or permission sets within the same target application.

• Auto-revocation does not support source-only Reviews.

• Source and destination have to be entities from a common application, such as Active Directory for a review covering Active Directory Users to Active Directory Security Groups.

• Auto-revocation does not support heterogeneous scenarios, such as Okta Users to Snowflake Databases.

Webhook payload

Access review events can trigger a JSON payload sent to an external listener, which parses the payload to trigger remediation actions.

The message from Veza will include the configuration (workflow) and review (certification) name and ID, and the event message or details about the review.

You must configure a service (such as an AWS Lambda function) to read the payload and take action, typically with an API call to the 3rd-party application.

Example webhook: review completed

{
  "workflow_id": "ae68b59e-d5b8-45cf-9d73-644beef7c8a6",
  "workflow_name": "Access Review",
  "certification_id": "41ea28f2-fc3f-49fd-ac7c-8b85320a6d29",
  "message": "Certification completed",
  "requestor": "veza@veza.com"
}

Example webhook: rejected row

Access review events trigger this JSON payload. The payload includes critical identifiers and names for both the review configuration (workflow) and the specific review (certification), and details about the row and relationship under review.

{
  "workflow_id": "b6a4e8ed-9bf9-4a5f-8545-cbe5e3e12702",
  "workflow_name": "User to Role to Github",
  "certification_id": "8e4de1b5-2045-4dd4-9844-3a4fbe3d0ad7",
  "certification_started_at": "2022-06-21T16:58:23Z",
  "certification_snapshot_id": 1655830200,
  "message": "1 row(s) rejected",
  "requestor": {
    "id": "e0c03c28-7999-4079-9d58-6cbcc314b85b",
    "name": "cookie.ai",
    "email": "cookie@cookie.ai"
  },
  "details": [
    {
      "result_id": 96,
      "source": {
        "canonical_name": "Brittany Smith",
        "datasource_id": "f9145343-2205-491a-b77a-7ac59bb5743d",
        "datasource_name": "Olympus",
        "department": "",
        "email": "bsmith@cookiebeta.ai",
        "guest": false,
        "id": "custom_provider:idp:f9145343-2205-491a-b77a-7ac59bb5743d:idp_type:olympus_idp:user:500044",
        "idp_type": "olympus_idp",
        "idp_unique_id": "500044",
        "is_active": true,
        "manager_email": "jharris@cookiebeta.ai",
        "manager_idp_unique_id": "500032",
        "manager_name": "jharris",
        "name": "bsmith",
        "property_five": "",
        "property_four": "",
        "property_one": "",
        "property_three": "",
        "property_two": "",
        "provider_id": "custom_idp_ctr01",
        "provider_name": "Custom_IDP_CTR01",
        "type": "CustomIDPUser"
      },
      "destination": {
        "application_type": "Github",
        "datasource_id": "5686863f-1628-41c5-a06d-b2c4f678d201",
        "description": "",
        "id": "custom_provider:application:5686863f-1628-41c5-a06d-b2c4f678d201:github_-_engineering:resource:repo01",
        "name": "repo01",
        "provider_id": "github",
        "provider_name": "GitHub",
        "resource_type": "repo",
        "type": "CustomResource"
      },
      "accumulated_effective_permissions": [
        "Read",
        "Write"
      ],
      "accumulated_raw_permissions": [
        "Fork",
        "Merge",
        "Pull",
        "Push"
      ],
      "updated_at": "2022-06-21T23:30:47.623828883Z",
      "updated_by": {
        "user_type": "localCookieUser",
        "id": "e0c03c28-7999-4079-9d58-6cbcc314b85b",
        "email": "cookie@cookie.ai",
        "name": "cookie.ai"
      },
      "waypoint": {
        "id": "custom_provider:application:5686863f-1628-41c5-a06d-b2c4f678d201:github_-_engineering:role:push:assignment:9",
        "name": "Push",
        "type": "CustomRoleAssignment"
      },
      "decision": "REJECTED",
      "notes": "this is the rejection note",
      "signed_off_state": "SIGNED_OFF"
    }
  ]
}

If available, the response will include the accumulated raw system permissions a source has on a destination, and their equivalent effective permissions.

• details: The payload includes the full entity details for rejected or approved rows, including information about the source node, destination node, and possibly a related intermediate entity.

• Included entity attributes are: canonical_name, datasource_id, id, name, department, email, guest, idp_type, idp_unique_id, is_active, manager_email, manager_idp_unique_id, manager_name, property_*, provider_id, provider_name, type.

• decision: possible values are decisions are 1: NONE, 2: ACCEPTED, 3: REJECTED, 4: FIXED.

Tags and enrichment metadata

Tag example:

"tags": [
  {
    "key": "tag_one",
    "type": "VEZA",
    "value": ""
  },
  {
    "key": "tag_two",
    "type": "VEZA",
    "value": "value"
  }
]

Enrichment data example:

"joined_nodes": {
  "idp": {
      "canonical_name": "Ashley Abbott",
      "customprop_birthday": "1988-08-09T00:00:00Z",
      "customprop_cube": "D-jO452",
      "customprop_last_login": "2021-07-19T15:43:14Z",
      "datasource_id": "2691af72-b1d1-41ac-a714-ace1ae54d9a5",
      "datasource_name": "Custom IdP",
      "department": "",
      "email": "aabbott@cookiebeta.ai",
      "guest": false,
      "id": "custom_provider:idp:2691af72-b1d1-41ac-a714-ace1ae54d9a5:idp_type:custom_idp:user:507710",
      "identity_type": "HUMAN",
      "idp_unique_id": "507710",
      "is_active": true,
      "last_pushed_at": "2024-08-29T17:40:39Z",
      "manager_email": "wmccormick@cookiebeta.ai",
      "manager_idp_unique_id": "504975",
      "manager_name": "wmccormick",
      "name": "aabbott",
      "provider_id": "oaa_external:intuit-demo",
      "provider_name": "intuit-demo",
      "risk_score": 0,
      "tags": [],
      "type": "OAA.custom_idp.IDPUser"
  }
}