Orchestration Actions and Reminders

Configuring email reminders and external destinations for certification events

Each Workflow can send email reminders and trigger Orchestration Actions when changes occur and certification deadlines approach. Integrating Workflows with external systems gives the decisions made by access reviewers a downstream effect, such as a follow-up remediation task. Webhooks enable custom tooling and automation when actions occur, such as:

  • On certification completion

  • When a row is assigned or re-assigned

  • When an item is accepted or rejected

Row rejection can trigger follow-on actions such as automated access removal or the creation of a service desk ticket. In addition to webhooks, a ServiceNow integration can track remediation for "Reject" decisions.

Operators can configure notification settings for a workflow on the Access Reviews page. All certifications created for the workflow inherit these settings. Operators can also customize notification settings for an individual certification.

Email reminder settings

To set up email alerts for an existing Workflow, click Actions > View Workflow and click Open under Email Notifications and Reminders.

  • Emails can be event-based notifications (such as when a certification is started or finished) or date-based reminders that alert on inactivity and approaching deadlines.

  • Reminder and notification settings apply to all certifications created against the original workflow. Emails can be customized using templates, which an administrator can create using the API.

  • Selecting "Reviewers" as recipients ensures that anyone assigned to the certification will be notified by email. Additional participants can be added to inform stakeholders about deadlines and delays.

  • Reminders are sent as the certification due date approaches.

Details

  • The option "When a certification row has been reassigned" only applies when a reviewer is assigned to a row via user operation (API or GUI), and not at workflow creation.

  • To notify reviewers who are auto-assigned on certification creation, enable notifications "when a certification has been started".

  • The entity catalog may contain the required metadata for reviewer auto-assignment. Reviewer managers are identified by Veza based on the Global IdP Settings.

  • Manager information is retrieved from the latest Authorization Graph snapshot (a manager property or tag must identify the correct reviewers for entities in the certification results).

Workflow Orchestration Action settings

To add an integration to a workflow, you will first need to configure a ServiceNow integration or webhook endpoint under Integrations > Orchestration Actions.

Orchestration Actions enable external processes around decisions made on certification results, such as creating a service desk ticket or posting announcements to a team channel when a decision is made on a certification.

To change these settings for an existing Workflow, open the workflow overview and click Configure Orchestration Actions. Choose the webhook or integration to use for each certification action. If ServiceNow is configured as an integration, you can select it as the destination for certification row "REJECTED" decisions.

Workflow Orchestration Actions with webhooks

Workflow and certification events can push a JSON payload to a configured webhook destination. You will need to configure a service (such as an AWS Lambda function) to parse the fields and create a corresponding ticket, typically via API call. The message from Veza will include the workflow name and ID, and details on the original event.

Completed certification example

{
  "workflow_id": "ae68b59e-d5b8-45cf-9d73-644beef7c8a6",
  "workflow_name": "Sample Workflow",
  "certification_id": "41ea28f2-fc3f-49fd-ac7c-8b85320a6d29",
  "message": "Certification completed",
  "requestor": "veza@veza.com"
}

  • workflow_id: Workflow UUID.

  • workflow_name: Workflow name.

  • certification_id: Unique certification ID, for when more than one certification exists for a workflow.

  • message: Summary of the change. The affected results are listed under details.

  • requestor: The workflow creator. In the completed-certification example this is an email address; in the rejected-row example below it is an object with id, name, and email.

Rejected row example

{
  "workflow_id": "b6a4e8ed-9bf9-4a5f-8545-cbe5e3e12702",
  "workflow_name": "User to Role to Github",
  "certification_id": "8e4de1b5-2045-4dd4-9844-3a4fbe3d0ad7",
  "certification_started_at": "2022-06-21T16:58:23Z",
  "certification_snapshot_id": 1655830200,
  "message": "1 row(s) rejected",
  "requestor": {
    "id": "e0c03c28-7999-4079-9d58-6cbcc314b85b",
    "name": "cookie.ai",
    "email": "cookie@cookie.ai"
  },
  "details": [
    {
      "result_id": 96,
      "source": {
        "canonical_name": "Brittany Smith",
        "datasource_id": "f9145343-2205-491a-b77a-7ac59bb5743d",
        "datasource_name": "Olympus",
        "department": "",
        "email": "bsmith@cookiebeta.ai",
        "guest": false,
        "id": "custom_provider:idp:f9145343-2205-491a-b77a-7ac59bb5743d:idp_type:olympus_idp:user:500044",
        "idp_type": "olympus_idp",
        "idp_unique_id": "500044",
        "is_active": true,
        "manager_email": "jharris@cookiebeta.ai",
        "manager_idp_unique_id": "500032",
        "manager_name": "jharris",
        "name": "bsmith",
        "property_five": "",
        "property_four": "",
        "property_one": "",
        "property_three": "",
        "property_two": "",
        "provider_id": "custom_idp_ctr01",
        "provider_name": "Custom_IDP_CTR01",
        "type": "CustomIDPUser"
      },
      "destination": {
        "application_type": "Github",
        "datasource_id": "5686863f-1628-41c5-a06d-b2c4f678d201",
        "description": "",
        "id": "custom_provider:application:5686863f-1628-41c5-a06d-b2c4f678d201:github_-_engineering:resource:repo01",
        "name": "repo01",
        "provider_id": "github",
        "provider_name": "GitHub",
        "resource_type": "repo",
        "type": "CustomResource"
      },
      "accumulated_effective_permissions": [
        "Read",
        "Write"
      ],
      "accumulated_raw_permissions": [
        "Fork",
        "Merge",
        "Pull",
        "Push"
      ],
      "updated_at": "2022-06-21T23:30:47.623828883Z",
      "updated_by": {
        "user_type": "localCookieUser",
        "id": "e0c03c28-7999-4079-9d58-6cbcc314b85b",
        "email": "cookie@cookie.ai",
        "name": "cookie.ai"
      },
      "waypoint": {
        "id": "custom_provider:application:5686863f-1628-41c5-a06d-b2c4f678d201:github_-_engineering:role:push:assignment:9",
        "name": "Push",
        "type": "CustomRoleAssignment"
      },
      "decision": "REJECTED",
      "notes": "this is the rejection note",
      "signed_off_state": "SIGNED_OFF"
    }
  ]
}

Details

The full entity details are included for rejected or approved rows.

  • details: includes the name, ID, and type of the principal (source) and resource (destination) selected for the Workflow query, plus the waypoint (an intermediate entity on the access path, such as a role assignment) where one exists.

  • If available, the response includes the effective C/R/U/D permissions and the raw ("system") permissions the principal has to the resource.

  • Valid decisions are 1: NONE, 2: ACCEPTED, 3: REJECTED, 4: FIXED.
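The following is an added example of the receiving side described above, not Veza's own code: a handler that parses the rejected-row payload shown on this page and turns each REJECTED row into a remediation ticket record. It assumes an AWS Lambda behind an API Gateway proxy integration (so the JSON body arrives as the string event["body"]); open_ticket is a hypothetical stand-in for your service desk client, and ALLOWED_WORKFLOW_IDS is a hypothetical allowlist of workflows whose decisions may drive remediation. This page does not describe how the inbound request is authenticated, so restricting which workflows can open tickets, and protecting the endpoint itself, is left to the deployment.

```python
"""Parse Veza orchestration webhook payloads and open tickets for rejected rows.

Added example, not Veza's code. Assumptions: AWS Lambda behind an API Gateway
proxy integration (JSON body in event["body"]); open_ticket() is a hypothetical
stand-in for a service desk client; ALLOWED_WORKFLOW_IDS is a hypothetical
allowlist of workflows permitted to trigger remediation.
"""
import json
from typing import Any

# Decision values documented for certification rows.
VALID_DECISIONS = {"NONE", "ACCEPTED", "REJECTED", "FIXED"}

# Assumption: only these workflow IDs may trigger remediation; anything else is
# dropped so a misrouted or unexpected event cannot open tickets.
ALLOWED_WORKFLOW_IDS = {"b6a4e8ed-9bf9-4a5f-8545-cbe5e3e12702"}


def build_remediation(result: dict[str, Any], workflow_name: str) -> dict[str, Any]:
    """Flatten one REJECTED row into the fields a remediation ticket needs."""
    src = result["source"]                   # the principal (here a CustomIDPUser)
    dst = result["destination"]              # the resource (here a GitHub repo)
    waypoint = result.get("waypoint") or {}  # intermediate entity, e.g. a role assignment
    return {
        "title": (f"Remove {src['name']} access to "
                  f"{dst['provider_name']} {dst['resource_type']} {dst['name']}"),
        "workflow": workflow_name,
        "result_id": result.get("result_id"),
        "principal_id": src["id"],
        "principal_email": src.get("email"),
        "manager_email": src.get("manager_email"),  # candidate ticket assignee/CC
        "resource_id": dst["id"],
        "via": waypoint.get("id"),                   # the grant to revoke, if present
        "effective_permissions": list(result.get("accumulated_effective_permissions", [])),
        "raw_permissions": list(result.get("accumulated_raw_permissions", [])),
        "reviewer": (result.get("updated_by") or {}).get("email"),
        "reviewer_notes": result.get("notes", ""),
        "decided_at": result.get("updated_at"),
    }


def process_payload(payload: dict[str, Any]) -> list[dict[str, Any]]:
    """Validate an event and return one ticket record per REJECTED row.

    Events without "details" (e.g. "Certification completed") yield no tickets.
    An undocumented decision value is treated as an error, not silently skipped.
    """
    if payload.get("workflow_id") not in ALLOWED_WORKFLOW_IDS:
        return []
    tickets = []
    for result in payload.get("details", []):
        decision = result.get("decision")
        if decision not in VALID_DECISIONS:
            raise ValueError(f"unexpected decision value: {decision!r}")
        if decision == "REJECTED":
            tickets.append(build_remediation(result, payload.get("workflow_name", "")))
    return tickets


def open_ticket(ticket: dict[str, Any]) -> str:
    """Hypothetical stand-in for a service desk API call; returns a ticket key."""
    return f"SEC-{ticket['result_id']}"


def lambda_handler(event: dict[str, Any], context: Any = None) -> dict[str, Any]:
    """API Gateway proxy entry point: parse the body, open tickets, report keys."""
    try:
        payload = json.loads(event.get("body") or "{}")
        tickets = process_payload(payload)
    except (ValueError, KeyError, TypeError, AttributeError) as exc:
        return {"statusCode": 400, "body": json.dumps({"error": str(exc)})}
    keys = [open_ticket(t) for t in tickets]
    return {"statusCode": 200, "body": json.dumps({"tickets": keys})}


# Constructed sample input: trimmed from the rejected-row payload shown on this page.
SAMPLE_REJECTED = {
    "workflow_id": "b6a4e8ed-9bf9-4a5f-8545-cbe5e3e12702",
    "workflow_name": "User to Role to Github",
    "certification_id": "8e4de1b5-2045-4dd4-9844-3a4fbe3d0ad7",
    "message": "1 row(s) rejected",
    "details": [{
        "result_id": 96,
        "source": {"id": "custom_provider:idp:f9145343-2205-491a-b77a-7ac59bb5743d:idp_type:olympus_idp:user:500044",
                   "name": "bsmith", "email": "bsmith@cookiebeta.ai",
                   "manager_email": "jharris@cookiebeta.ai", "type": "CustomIDPUser"},
        "destination": {"id": "custom_provider:application:5686863f-1628-41c5-a06d-b2c4f678d201:github_-_engineering:resource:repo01",
                        "name": "repo01", "provider_name": "GitHub", "resource_type": "repo"},
        "accumulated_effective_permissions": ["Read", "Write"],
        "accumulated_raw_permissions": ["Fork", "Merge", "Pull", "Push"],
        "updated_at": "2022-06-21T23:30:47.623828883Z",
        "updated_by": {"email": "cookie@cookie.ai"},
        "waypoint": {"id": "custom_provider:application:5686863f-1628-41c5-a06d-b2c4f678d201:github_-_engineering:role:push:assignment:9",
                     "name": "Push", "type": "CustomRoleAssignment"},
        "decision": "REJECTED",
        "notes": "this is the rejection note",
    }],
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler({"body": json.dumps(SAMPLE_REJECTED)}), indent=2))
```

The waypoint ID is the most useful field for automated removal, since it names the specific role assignment that granted the access, whereas the source and destination IDs only say who and what. Rows with ACCEPTED, NONE, or FIXED decisions are ignored, and a completed-certification event, which carries no details array, produces no tickets.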
