Create a Configuration

Overview

In Veza, a configuration sets the parameters for conducting access or entitlement reviews. Operators initiate reviews based on these configurations, which occur periodically or as one-time assessments. Each review is tied to a unique due date and a designated set of reviewers.

Configurations allow for varying scope—ranging from broad, covering all users across numerous cloud services and data assets, to specific, focusing on individual departments or applications. Additionally, configurations can address relationships between policies, groups, or roles. Using queries, you can conduct different types of reviews in Veza:

• Access Reviews: Ensure appropriate access levels across services and resources, verifying that permissions align with user roles and pose no security risks.

• Entitlement Reviews: Validate and certify actual permissions on specific resources, ensuring they are necessary and comply with organizational policies.

Each configuration includes a:

• Name and Description: Used for internal reference and identification.

• Query: Defines what to review, with options to filter by tags, attributes, or other criteria.

• Notifications and Veza Actions: Automate communications and actions, inherited by future reviews.

For detailed steps on setting up a new configuration, see the sections below.

Create a new review configuration

To create a configuration and set the underlying query:

1. Open the Configurations page and click the + Create Configuration button.

2. Give the configuration a unique name and a description.

3. Build a query to define the scope of the review.

4. Add email notifications to inform reviewers of assignments. You can also set reminders based on when the review is due. You can enable these for reviewers, the configuration creator, or additional recipients.

5. Enable Veza Actions by choosing integrations or webhooks to trigger based on decisions and reviewer changes. For example, you can create a service desk issue on row rejection, and send an email when all results are signed off.

6. Preview the results and save the configuration.

Step 1: Add basic configuration details

To create a configuration:

1. Log in to Veza and open the Access Reviews section. On the navigation sidebar, open the Configurations page.

2. Click + Create Configuration to open the builder.

Give the configuration a name and description.

1. Configuration Name: Enter a brief title to describe the access review. Reviews for this configuration will show the name in email notifications and reminders.

2. Configuration Description (Optional): Describe the query used, and the purpose of the configuration for other administrators and operators.

Step 2: Define the review scope

Each configuration must be scoped to a single graph query that specifies a set of entities or an access relationship, such as "Okta User to Snowflake Database." You can create a query or pick a saved query to scope the review.

Starting a review from a saved query enables action on queries featured in dashboard tiles, and queries that have been assigned a risk level. Queries constructed in the Query Builder can also define more complex review scopes with Saved Query Filters.

To review entities of several types at once, pick an entity type grouping as the source or destination. These appear at the top of the list and contain multiple entity types. Groupings include:

• All Resources: All "resource"-type entities that Veza has discovered, including AWS S3 Buckets, Snowflake Tables, and GitHub Repositories.

• All Principals: Includes all entities that Veza has discovered and labeled as “identities” that can have permissions on a resource, including Active Directory Users, Okta Users, and Snowflake Local Users.

• All Top Level Principals: All identities that cannot be assumed by another identity. Use this entity type grouping to show primary corporate identities, and filter out any low-level identities (such as local users) they can assume. Reviews for this configuration will include any local account users and service accounts that don’t correlate to any upper-level identity.

To define the review scope in the configuration builder, select a query from Saved Queries or create one with using the Query Builder tab:

1. Type to search for a Source entity type. This could be a specific type of user, role, group, or resource, such as “Okta User” or “S3 Bucket.” Reviewers will sign off on source entities and, if defined, the source entity’s relationship to a destination entity, presented in rows for approval or rejection. You can preview these source entities based on the current graph data.

2. Click to add Destination entity types. These could be specific resources, roles, or groups assigned to entities of the source type. In the reviewer interface, each row will contain a source > destination pair (e.g., a single Okta User and an S3 bucket they have permissions on.)

   2.1. Click to open the selection menu.

   2.2. Entity type groupings appear at the top of the list. Scroll down to search for a single entity type.

   2.3. Tick the boxes to enable one or more destinations

   2.4. Click Preview Destination Entities to view the current results in the table.

   The destination can be a data resource or a related IAM or RBAC entity, such as a role or group. You can also reverse the query to certify applications or resources accessible by users.

3. Customize the review with Advanced Options:

   Depending on the query, rows can include extra details about the path connecting the source and destination. Advanced options enable reviewers to evaluate and certify not only an identity's access and permissions, but how that access is granted:

   3.1. Include source/destination tags in review results: If the source or destination data source supports tagging, the reviewer interface will include a column listing any of these tags or labels, along with any Veza Tags.

   3.2. Enrich with IdP/HRIS metadata (Early Access): Veza can map identities to a corresponding user in an Identity Provider, or worker record in a Human Resource Information System (HRIS). Enable this option and choose a data source to use for enrichment. In the review interface, additional columns show the linked entity's attributes.

   3.3. Relationship: This option is typically used to enable constraints on an entity that connects the source and destination, such as a Snowflake role granting access to a Snowflake schema.

   • Reviewers can enable extra columns to show details about the intermediate entity, and filter the rows based its properties, such as the name or last updated time of Okta Groups connecting Okta Users and Okta Applications.

   3.4. Summary Entities: Adding Summary Entities enables an additional column in the review, showing intermediate relationships in the path connecting the source and destination entity. These entities can include nested groups or roles, projects, or policies.

   See Review Presentation Options for more about these query parameters.

   3.5. Exclude or Require Entities: Hide or only show source and destination pairs with any of the chosen entity types in the path. Use this option to review, for example, users with no relationships to groups.

4. Add Filters to constrain results (optional):

   Applying filters narrows the scope of a review to find exactly the relationships and entities you want to review. Filter groups can apply to any attribute Veza has collected for entities in the search.

   To create attribute filters:

   4.1. Click +Add Filter Group.

   4.2. Choose the Entity Type to apply the filter to.

   4.3. Choose from possible Attribute Fields available for that entity type.

   4.4. Choose an Operator. Available operators depend on the attribute type, such as contains for lists, before for dates, or equals.

   4.5. Choose an Attribute Value from the dropdown. Possible selections auto-fill when filtering by Name, or you can enter any value.

   You can combine groups of filters to create finely-focused reviews, and filter on tags and permissions. See Filters for more information.

5. Filter by Tags (optional):

   You can optionally filter the review scope by adding tag filters, which support both Veza tags and provider-native tags. For example, you might use a 3rd-party tool to tag certain resources in AWS, or automatically label entities according to business unit, compliance requirement, or environment type.

   5.1. Click +Add Tag Filter.

   5.2. Pick the Entity Type to filter.

   5.3. Choose Tags to Include. Click to show a short list of tags, or type to search from all available tags.

   5.4. Optionally pick Tags to exclude. Any entities with these tags are omitted from the results.

6. Filter by Permissions (optional):

   To only review access for entities with certain permissions on the destination entity, add a permissions filter:

   6.1. Toggle a permission type: Effective or System.

   • To show users with specific Create/Read/Update/Delete capabilities, select Effective Permissions.

   • Use System Permissions to filter by specific permissions based on the provider's native terminology.

   6.2. Select Permissions: Use the dropdown menu to pick one or more individual permissions.

   6.3. Operator: Filter results when they have any of the chosen permissions (OR), or match the specified conditions exactly (AND).

Step 3 (Optional): Enable email notifications

Set default email notifications to alert reviewers and other stakeholders. Reviews for the configuration inherit these notification and reminder settings. See Email Notifications and Reminders for more details.

1. Notifications: Emails to inform reviewers, managers, and stakeholders based on events such as review start or reviewer reassignments.

   1.1 Tick the boxes to enable notification recipients. These can be the assigned reviewers, their managers, and additional recipients specified by email.

   1.1 Pick the events that will trigger notifications (on row reassignment, on review start, and on review completion).

2. Reminders: Action Needed: These emails inform users after a period of inactivity, or before, on, or after the due date.

   2.1 Enable recipients for reminders.

   2.2 Pick the events and relative dates when emails trigger (on row reassignment, review start, and review completion).

3. Final Reminders: Action Needed: Escalated reminders, typically used to emphasize a missed deadline or extended period of inactivity:

   3.1 Enable recipients for final reminders.

   3.2 Pick the events and relative number of days when emails trigger (after a period of no changes, or before, on, or after the due date).

Reviewers can be auto-assigned to Entity Owners and Resource Manager Tags on review creation. To ensure that these users receive a notification, enable reviewer notifications on review start.

Step 4 (Optional): Enable Veza Actions

Veza can trigger actions in external systems on review completion, row reassignment, or sign-off of an approved or rejected row. Enable these in the Veza Actions section of the configuration builder.

1. Tick the box next to an event trigger to enable Veza Actions.

2. Use the dropdown to pick a Veza Action for each event.

If no targets are available, you can skip this step. See Veza Actions for Access Reviews for more details.

Step 5: Save the configuration

Confirm your choices and save the configuration:

1. Click Create Configuration at the top right to save your work.

You can now open the configuration details make adjustments or Create a Review.