Workflow Builder

Defining the scope of new access and entitlement reviews

This page provides a basic overview of the workflow creation process. For more information about workflow options and the query builder, see Workflow Queries.

Workflows overview

To create a workflow, a Veza operator constructs a query defining the scope of access or entitlement review. For example, a review can include all federated users, all resources, or all roles or policies. Or, reviewers can certify a selection of those users, such as identities or resources managed by Cathy Calbert or relationships involving permissions on resources tagged environment:production, or a CONTRACTORS group.

Workflow owners can add email reminders for participants and owners, and configure integrations to enable external processes when certification events occur. Each individual certification on a workflow will have its own due date and reviewers. The certification results will show the state of authorization based on the most recent graph snapshot at the certification creation date.

After creating a workflow and defining the query to use, you can initialize the certification in draft or published state. After publishing it, the assigned reviewer(s) will be able to view, annotate and sign off on their assigned results. Users can also re-assign a row's reviewer if they do not have the information required to approve or reject access.

Creating a workflow

A workflow query can be broad or granular to match your organization structure, review processes, and the integrations you have connected to Veza. A single review might cover all users to many cloud services and data assets, or focus on individual departments or applications. A workflow might also review relationships connecting Policies, Groups, or Roles.

To create a workflow and set the underlying query used for certification:

  1. Open the Workflows page and click the New Workflow button.

  2. Give the workflow a unique name and a description.

  3. Configure Email Notifications for workflow events. You can also set reminders based on when the certification is due, delivered to the reviewers, workflow creator, or additional recipients.

  4. Enable Orchestration Actions by choosing notification integrations and webhooks to trigger based on certification events and reviewer changes. For example, you can create a service desk issue on "Reject" actions and send an email when a certification is final.

  5. Build a query to define the scope of the review:

    • The source dropdown menu will contain all entity types discovered by Veza. You can start typing or scroll to pick any category of entity.

    • Specify an optional destination to filter results by. This will limit the scope of certification to only the identities or resources with a relationship to the chosen category of entity.

  6. Limit results with optional attribute filters, for example on an entity's "last active at" or "department" attribute.

  7. Preview the returned entities and save the workflow.

Workflows query examples

An access review can be business-wide or constrained to specific applications or sets of users. When creating a workflow, structure the query to meet the needs of your organization. Consider what data sources you have integrated, your compliance requirements, and your review processes. A workflow might:

  • Certify all user permissions on all databases of a certain type.

  • Certify all access granted to an individual application.

  • Certify access for groups of users based on a property, such as "department," or a role or local user account they assume to access a resource with single sign on.

Consider creating workflows that can function as repeatable campaigns. Any number of certifications can exist for a workflow, each with the most recent Authorization Graph snapshot data for integrated identity, data, and application providers.

Example queries:

  • All Okta Users to S3 Buckets

  • All Principals to All Applications

  • All Top Level Principals to GitHub Role with Data Write permission

  • All GitHub Users to GitHub Resource with Data Delete and Metadata Delete system permissions

  • All Google Workspace Accounts to Google Cloud Projects with Domain="veza.com" constraint

  • All AWS Accounts to Redshift Databases with intermediate entity=AWS IAM Role

  • All AWS Accounts to Redshift Clusters with intermediate entity=Redshift Local Role, excluding entities related to AWS IAM Group, with Data Create and Metadata Create effective permissions, with attribute filter Datasource ID="RedshiftCluster1"
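To make the query semantics concrete (source, destination, intermediate entity, exclusion, effective-permission filter and attribute filter), here is an added Python model that resolves a query like the last example above over a small constructed authorization graph. It is an illustration written for this page, not Veza's code, data format or API; the node types, attribute names and the `review_scope` function are assumptions.

```python
from collections import defaultdict

# Constructed toy authorization graph (illustrative only; not Veza's data format).
NODES = {
    "acct-alice": {"type": "AWS Account", "department": "finance"},
    "acct-bob": {"type": "AWS Account", "department": "eng"},
    "role-analyst": {"type": "AWS IAM Role"},
    "group-admins": {"type": "AWS IAM Group"},
    "db-sales": {"type": "Redshift Database", "datasource_id": "RedshiftCluster1"},
    "db-staging": {"type": "Redshift Database", "datasource_id": "RedshiftCluster2"},
}
# (src, dst, effective permissions granted by that edge); membership/assumption
# edges carry no permissions of their own.
EDGES = [
    ("acct-alice", "role-analyst", set()),
    ("role-analyst", "db-sales", {"Data Read", "Data Create"}),
    ("acct-bob", "group-admins", set()),
    ("group-admins", "db-sales", {"Data Create", "Data Delete"}),
    ("acct-bob", "db-staging", {"Data Create"}),
]

def review_scope(nodes, edges, source_type, dest_type, intermediate=None,
                 exclude=None, permissions=frozenset(), attr_filter=None):
    """Return the certification rows (source, path, perms) a query would produce.

    A row is a source entity reaching a destination entity either directly or
    through one intermediate entity; filters mirror the query options on this page.
    """
    out = defaultdict(list)
    for s, d, p in edges:
        out[s].append((d, p))
    rows = []
    for src, attrs in nodes.items():
        if attrs["type"] != source_type:
            continue
        # direct edges plus two-hop paths through an intermediate entity
        paths = [([src, d], p) for d, p in out[src]]
        for mid, _ in out[src]:
            paths += [([src, mid, d], p) for d, p in out[mid]]
        for path, perms in paths:
            dst = path[-1]
            mids = {nodes[n]["type"] for n in path[1:-1]}
            if nodes[dst]["type"] != dest_type:
                continue
            if (intermediate and intermediate not in mids) or (exclude and exclude in mids):
                continue
            if not permissions <= perms:  # every required effective permission present
                continue
            if attr_filter and any(nodes[dst].get(k) != v for k, v in attr_filter.items()):
                continue
            rows.append((src, tuple(path), frozenset(perms)))
    return rows
```

Running the narrow query (intermediate AWS IAM Role, excluding AWS IAM Group, requiring Data Create, Datasource ID RedshiftCluster1) yields only alice's path through the analyst role; dropping the intermediate and exclusion filters also surfaces bob's direct and group-mediated access.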

Notes

See Workflow Queries for more detail. To get started, consider constructing some workflows based on the following guidelines:

  • When choosing a resource (for example "SQL Table") for the query source, certification will be identity-centric (approve the users that can access those resources). The workflow preview will show resources of the chosen category.

  • When choosing a principal (for example a User or Group from an Identity Provider) for the source category, certification will be identity-oriented and reviewers will certify permissions the identity has on resources of the destination entity category.

  • The workflow source or destination can be All Principals or All Resources, or a single named entity.

  • You can click to preview the source or destination results based on current graph data. Certifications will use graph data at the time of certification creation.

  • You can filter "User" entities with the constraint: "manager" = your.manager@your.org. When combined with auto-assignment, you can easily assign managers to review direct reports.

  • The Query Mode determines how results will appear in certifications, and what types of entities can be source, destination, or intermediate nodes.

  • Workflow queries can use permissions filters to find results that contain, or do not contain, a matching effective permission.

  • For compliance purposes, a workflow query is immutable after saving it. You will need to create another workflow to change a query.

  • Each certification has its own deadline, and each runs and completes independently of the others.

  • Certifications will load faster when the underlying query returns fewer results.

  • If you use AWS, Google, or Veza tags to classify identities, resources, or other entities, you can filter on any tags (such as business unit, compliance-related, or environment tags).

  • You can filter workflow results based on any entity properties Veza has discovered.
