Create a Configuration

How to create and customize new access review configurations.

Overview

In Veza, a configuration sets the parameters for conducting access or entitlement reviews. Operators initiate reviews based on these configurations, which occur periodically or as one-time assessments. Each review is tied to a unique due date and a designated set of reviewers.

Configurations allow for varying scope—ranging from broad, covering all users across numerous cloud services and data assets, to specific, focusing on individual departments or applications. Additionally, configurations can address relationships between policies, groups, or roles. Using queries, you can conduct different types of reviews in Veza:

  • Access Reviews: Ensure appropriate access levels across services and resources, verifying that permissions align with user roles and pose no security risks.

  • Entitlement Reviews: Validate and certify actual permissions on specific resources, ensuring they are necessary and comply with organizational policies.

Each configuration includes a:

  • Name and Description: Used for internal reference and identification.

  • Query: Defines what to review, with options to filter by tags, attributes, or other criteria.

  • Notifications and Veza Actions: Automate communications and actions, inherited by future reviews.

For detailed steps on setting up a new configuration, see the sections below.

Create a new review configuration

To create a configuration and set the underlying query:

  1. Open the Configurations page and click the New Configuration button.

  2. Give the configuration a unique name and a description.

  3. Build a query to define the scope of the review.

  4. Add email notifications to inform reviewers of assignments. You can also set reminders based on when the review is due. You can enable these for reviewers, the configuration creator, or additional recipients.

  5. Enable Veza Actions by choosing integrations or webhooks to trigger based on decisions and reviewer changes. For example, you can create a service desk issue on row rejection, and send an email when all results are signed off.

  6. Preview the results and save the configuration.

You can start or schedule reviews on the Access Reviews > Configurations page. Click a configuration name to view details and create or open an active review.

Step 1: Add basic configuration details

To create a configuration:

  1. Log in to Veza and open the Access Reviews section. On the navigation sidebar, open the Configurations page.

  2. Click New Configuration to open the builder.

Give the configuration a name and description.

  1. Configuration Name: Enter a brief title to describe the access review. Reviews for this configuration will show the name in email notifications and reminders.

  2. Configuration Description (Optional): Describe the query used, and the purpose of the configuration for other administrators and operators.

Step 2: Define the review scope

Each configuration must be scoped to a single graph query that specifies a set of entities or an access relationship, such as "Okta User to Snowflake Database." You can create a query or pick a saved query to scope the review. Starting a review from a saved query enables action on queries featured in dashboard tiles, and queries that have been assigned a risk level. Queries constructed in the Query Builder can also define more complex review scopes with Saved Query Filters.

To review entities of several types at once, pick an entity type grouping as the source or destination. These appear at the top of the list and contain multiple entity types. Groupings include:

  • All Resources: All "resource"-type entities that Veza has discovered, including AWS S3 Buckets, Snowflake Tables, and GitHub Repositories.

  • All Principals: Includes all entities that Veza has discovered and labeled as “identities” that can have permissions on a resource, including Active Directory Users, Okta Users, and Snowflake Local Users.

  • All Top Level Principals: All identities that cannot be assumed by another identity. Use this entity type grouping to show primary corporate identities, and filter out any low-level identities (such as local users) they can assume. Reviews for this configuration will include any local account users and service accounts that don’t correlate to any upper-level identity.

To define the review scope in the configuration builder, select a query from Saved Queries or create one using the Query Builder tab:

  1. Type to search for a Source entity type. This could be a specific type of user, role, group, or resource, such as “Okta User” or “S3 Bucket.” Reviewers will sign off on source entities and, if defined, the source entity’s relationship to a destination entity, presented in rows for approval or rejection. You can preview these source entities based on the current graph data.

  2. Click to add Destination entity types. These could be specific resources, roles, or groups assigned to entities of the source type. In the reviewer interface, each row will contain a source > destination pair (e.g., a single Okta User and an S3 bucket they have permissions on).

    2.1. Click to open the selection menu.

    2.2. Entity type groupings appear at the top of the list. Scroll down to search for a single entity type.

    2.3. Tick the boxes to enable one or more destinations.

    2.4. Click Preview Destination Entities to view the current results in the table.

    The destination can be a data resource or a related IAM or RBAC entity, such as a role or group. You can also reverse the query to certify applications or resources accessible by users.

  3. Customize the review with Advanced Options:

    Depending on the query, rows can include extra details about the path connecting the source and destination. Advanced options enable reviewers to evaluate and certify not only an identity's access and permissions, but how that access is granted:

    3.1. Include source/destination tags in review results: If the source or destination data source supports tagging, the reviewer interface will include a column listing any of these tags or labels, along with any Veza Tags.

    3.2. Enrich with IdP/HRIS metadata (Early Access): Veza can map identities to a corresponding user in an Identity Provider, or worker record in a Human Resource Information System (HRIS). Enable this option and choose a data source to use for enrichment. In the review interface, additional columns show the linked entity's attributes.

    3.3. Relationship: This option is typically used to enable constraints on an entity that connects the source and destination, such as a Snowflake role granting access to a Snowflake schema.

    • Reviewers can enable extra columns to show details about the intermediate entity, and filter the rows based on its properties, such as the name or last updated time of Okta Groups connecting Okta Users and Okta Applications.

    3.4. Summary Entities: Adding Summary Entities enables an additional column in the review, showing intermediate relationships in the path connecting the source and destination entity. These entities can include nested groups or roles, projects, or policies.

    See Review Presentation Options for more about these query parameters.

    3.5. Exclude or Require Entities: Hide or only show source and destination pairs with any of the chosen entity types in the path. Use this option to review, for example, users with no relationships to groups.

  4. Add Filters to constrain results (optional):

    Applying filters narrows the scope of a review to find exactly the relationships and entities you want to review. Filter groups can apply to any attribute Veza has collected for entities in the search.

    To create attribute filters:

    4.1. Click +Add Filter Group.

    4.2. Choose the Entity Type to apply the filter to.

    4.3. Choose from possible Attribute Fields available for that entity type.

    4.4. Choose an Operator. Available operators depend on the attribute type, such as contains for lists, before for dates, or equals.

    4.5. Choose an Attribute Value from the dropdown. Possible selections auto-fill when filtering by Name, or you can enter any value.

    You can combine groups of filters to create finely-focused reviews, and filter on tags and permissions. See Filters for more information.

  5. Filter by Tags (optional):

    You can optionally filter the review scope by adding tag filters, which support both Veza tags and provider-native tags. For example, you might use a 3rd-party tool to tag certain resources in AWS, or automatically label entities according to business unit, compliance requirement, or environment type.

    5.1. Click +Add Tag Filter.

    5.2. Pick the Entity Type to filter.

    5.3. Choose Tags to Include. Click to show a short list of tags, or type to search from all available tags.

    5.4. Optionally pick Tags to exclude. Any entities with these tags are omitted from the results.

  6. Filter by Permissions (optional):

    To only review access for entities with certain permissions on the destination entity, add a permissions filter:

    6.1. Toggle a permission type: Effective or System.

    • To show users with specific Create/Read/Update/Delete capabilities, select Effective Permissions.

    • Use System Permissions to filter by specific permissions based on the provider's native terminology.

    6.2. Select Permissions: Use the dropdown menu to pick one or more individual permissions.

    6.3. Operator: Filter results when they have any of the chosen permissions (OR), or match the specified conditions exactly (AND).
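To make the scoping rules in steps 2 through 6 concrete, the following is an added Python model (not Veza code, and not Veza's actual implementation) of how a source grouping such as All Top Level Principals, the assumed-identity path shown as a Summary Entity, tag include/exclude filters, and an Effective Permissions filter with OR/AND combine to produce review rows. The entity names, the sample graph, and the exact AND/OR semantics are constructed assumptions for illustration.

```python
"""Toy model of how a review configuration scopes its rows (constructed example,
not Veza code): source entities, their destinations, the intermediate identity a
row is granted through, and the tag and permission filters from steps 4-6."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entity:
    name: str
    kind: str                       # e.g. "Okta User", "S3 Bucket"
    tags: frozenset = frozenset()   # provider-native or Veza tags


# Constructed sample graph (hypothetical names, not real accounts).
PRINCIPALS = {e.name: e for e in [
    Entity("alice@corp", "Okta User", frozenset({"dept:finance"})),
    Entity("bob@corp", "Okta User", frozenset({"dept:eng"})),
    Entity("alice_local", "Snowflake Local User"),
    Entity("svc_etl", "Snowflake Local User"),   # service account nobody assumes
]}
RESOURCES = {e.name: e for e in [
    Entity("finance-reports", "S3 Bucket", frozenset({"env:prod", "compliance:sox"})),
    Entity("scratch", "S3 Bucket", frozenset({"env:dev"})),
    Entity("SALES.ORDERS", "Snowflake Table", frozenset({"env:prod"})),
]}
ASSUMES = {("alice@corp", "alice_local")}   # upper-level identity -> local identity
GRANTS = {                                  # (principal, resource) -> effective permissions
    ("alice@corp", "finance-reports"): {"Read", "Update"},
    ("bob@corp", "finance-reports"): {"Read"},
    ("bob@corp", "scratch"): {"Create", "Read", "Update", "Delete"},
    ("alice_local", "SALES.ORDERS"): {"Read"},
    ("svc_etl", "SALES.ORDERS"): {"Read", "Update"},
}


def top_level_principals():
    """'All Top Level Principals': identities no other identity can assume.
    Local accounts nobody assumes (svc_etl) stay in, so orphans still get reviewed."""
    assumed = {low for _, low in ASSUMES}
    return {name for name in PRINCIPALS if name not in assumed}


def assumable(name):
    """Identities `name` can reach by assuming others, transitively."""
    found, stack = [], [name]
    while stack:
        cur = stack.pop()
        for upper, lower in ASSUMES:
            if upper == cur and lower not in found:
                found.append(lower)
                stack.append(lower)
    return found


def tag_ok(entity, include, exclude):
    """Tags to Include: any match keeps the entity; Tags to Exclude: any match drops it."""
    if exclude & entity.tags:
        return False
    return not include or bool(include & entity.tags)


def perms_ok(granted, wanted, op):
    """OR: any chosen permission present; AND: every chosen permission present."""
    if not wanted:
        return True
    return bool(granted & wanted) if op == "OR" else wanted <= granted


def review_rows(source_kinds=None, dest_kinds=None, top_level_only=False,
                include_tags=frozenset(), exclude_tags=frozenset(),
                perms=frozenset(), op="OR"):
    """Rows of (source, destination, via, permissions); `via` is the assumed identity
    the access flows through (the Summary Entities column) or "" when direct."""
    sources = [p for p in PRINCIPALS.values() if not source_kinds or p.kind in source_kinds]
    if top_level_only:
        sources = [p for p in sources if p.name in top_level_principals()]
    rows = []
    for src in sources:
        for holder in [src.name] + assumable(src.name):
            for (p, r), granted in GRANTS.items():
                res = RESOURCES[r]
                if p != holder or (dest_kinds and res.kind not in dest_kinds):
                    continue
                if tag_ok(res, include_tags, exclude_tags) and perms_ok(granted, perms, op):
                    via = "" if holder == src.name else holder
                    rows.append((src.name, r, via, tuple(sorted(granted))))
    return sorted(rows)
```

Note that with `top_level_only=True` the local user alice_local disappears as a source but her Snowflake access still appears on alice@corp's row with alice_local as the intermediate entity, while the unowned svc_etl remains a row of its own.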

Step 3 (Optional): Enable email notifications

Set default email notifications to alert reviewers and other stakeholders. Reviews for the configuration inherit these notification and reminder settings. See Email Notifications and Reminders for more details.

  1. Notifications: Emails to inform reviewers, managers, and stakeholders based on events such as review start or reviewer reassignments.

    1.1 Tick the boxes to enable notification recipients. These can be the assigned reviewers, their managers, and additional recipients specified by email.

    1.2 Pick the events that will trigger notifications (on row reassignment, on review start, and on review completion).

  2. Reminders: Action Needed: These emails inform users after a period of inactivity, or before, on, or after the due date.

    2.1 Enable recipients for reminders.

    2.2 Pick the events and relative dates when emails trigger (on row reassignment, review start, and review completion).

  3. Final Reminders: Action Needed: Escalated reminders, typically used to emphasize a missed deadline or extended period of inactivity:

    3.1 Enable recipients for final reminders.

    3.2 Pick the events and relative number of days when emails trigger (after a period of no changes, or before, on, or after the due date).

Reviewers can be auto-assigned to Entity Owners and Resource Manager Tags on review creation. To ensure that these users receive a notification, enable reviewer notifications on review start.

Step 4 (Optional): Enable Veza Actions

Veza can trigger actions in external systems on review completion, row reassignment, or sign-off of an approved or rejected row. Enable these in the Veza Actions section of the configuration builder.

  1. Tick the box next to an event trigger to enable Veza Actions.

  2. Use the dropdown to pick a Veza Action for each event.

If no targets are available, you can skip this step. See Veza Actions for Access Reviews for more details.

Step 5: Save the configuration

Confirm your choices and save the configuration:

  1. Click Create Configuration at the top right to save your work.

You can now open the configuration details to make adjustments or Create a Review.

You can update a query if required (see Edit a Configuration). New reviews for the configuration will use the updated query. Existing reviews created from the same configuration will continue to use the older query.
