Using the Reviewer Interface

Reviewers and administrators can open the reviewer's interface to sign off on access and perform a range of other actions.

Overview

The review interface is a spreadsheet-style view for approving or rejecting different types of entities and access relationships. The review scope and Review Presentation Options dictate how query results appear in the reviewer interface, and what types of entities are source, destination, or intermediate nodes.

The reviewer's interface implements strict role-based access controls:

  • Review creators and administrators have full visibility into all rows and review metadata. This includes all reviewer assignments and overall progress.

  • Access Reviewers only have visibility into rows assigned to them and cannot see the full review metadata. They can see their individual progress, including the number of items they have acted on or completed and their total assigned rows.

Reviewers use this page to:

  • Approve or reject their assigned rows.

  • Assign other reviewers for a row.

  • Sign off on their decisions.

Operators and administrators can use the reviewer's interface to:

  • Annotate rows and mark rejected rows as "Fixed."

  • View and edit review details, notifications, and orchestration actions.

  • Review overall progress, action logs, and automation status.

  • Mark the review "Complete" after all rows have decisions.

  • Export the view to share findings or import rows into another system.

The sections below describe the actions and features available after opening a review as an operator or access reviewer.

Accessing the reviewer interface

Opening the reviewer interface

You can access the reviewer interface from the Access Reviews overview. Click a review name on the Active Reviews tab to open it.

To open the results of an active review for a single configuration:

  1. Find the configuration on the Access Reviews > Configurations list.

  2. Click a configuration name to open the details page.

  3. Find a review on the list of Active Reviews and click Open to open it.

Mobile view

In addition to a full-featured UI for desktop use, Veza provides a mobile experience for reviewers on tablets and other devices with smaller screen sizes. Users can approve, reject, and sign off on results with a simplified "swipe" layout. The card representing a row is similar to the details view for desktop users, showing the attributes and permissions for each entity under review.

In swipe mode, reviewers can:

  • Swipe left to reject access.

  • Swipe right to approve access.

  • Use the options menu (...) to view details or reassign reviewers.

  • Add filters and apply bulk actions to update many cards at a time.

The mobile interface is only available for users with the Access Reviewer role. Administrators and operators can use the full reviewer interface when browsing reviews on mobile devices.

The behavior of swipe actions in mobile view can be configured by the Veza support team. Depending on your settings, left and right swipes can map to: APPROVE, APPROVE_AND_SIGN_OFF, REJECT, or REJECT_AND_SIGN_OFF.

Reviewing and managing rows

Row actions

Apply actions to individual results using the dropdown menu (⠇) to the right of each row. The available actions vary depending on your role and the row's state.

  • Approve

  • Reject

  • Re-assign reviewer

  • Sign off

  • Add Note

  • Clear Decision

  • Mark as Fixed

  • Open in Authorization Graph

Note that decisions can be reverted until they are signed off.

See Assign Reviewers for more details on assigning reviewers.

Row action logs

See all historical activity for a row by opening the action log:

  1. Expand the row actions menu.

  2. Click View Action Log.

  3. Review the events by type, description, user, and timestamp.

Row fixed status

Administrators can denote rejected rows as fixed following remediation.

"Fixed" is a unique state that denotes that a rejected access has been successfully remediated. Depending on your system settings, you can require that all rows be either "Approved" or "Fixed" before an access review can be marked complete.

To update the fixed status of a row:

  1. Expand the actions menu for a Rejected row.

  2. Click Mark as Fixed.

Annotating rows

Use the Add Note action to document a decision, suggest a resolution, or leave a comment on any row. Notes are visible to the review owner and other reviewers assigned to the row.

Reviewers can be required to add a note when they approve or reject access, depending on Access Reviews Global Settings.

To add a note to a row, use a bulk action or the row actions dropdown.

  • Adding a note replaces the current one.

  • Only the most recent note appears in the "Notes" column.

  • Earlier entries are available under Actions > View Action Log.

Depending on how your organization has configured Veza, marking a row as rejected can create a service desk ticket for remediation. In this case, the request details and status appear in optional metadata columns.

Tags in the reviewer interface

To show tags in the reviewer interface, source and/or destination tags must be included in the review configuration (Advanced Options).

When enabled, all tags are shown in an additional column. Click a tag key to show the tag values.

An administrator can enable tags to appear as attributes in the reviewer interface by promoting individual tag keys. These keys are shown in columns, displaying the tag value for each row. See Promoted Tags. You can apply Veza tags to entities with an API or from the Graph search sidebar.

Show access for a single user

Early Access: The option to filter by a user is currently provided as an experimental feature and must be enabled by the Veza support team.

When reviewing access for a few different identities, it can be helpful to focus on rows related to a single user in the results. You can use the Show Users button to list each unique user involved in a review and open a filtered list of all the results related to an individual user.

To filter the reviewer interface on rows related to a single identity:

  1. Click the Show Users button above the results. The button only appears when the query's source node is a principal.

  2. The list of Unique Users will open, containing the full list of unique source entities in the query results.

  3. Choose an identity from the list. You can search by username, ID, or email address to find a specific user.

  4. Click View Details to open the results related to that user in a new tab.

Note that in the current release, for users with the access reviewer role, the Show Users button lists all unique users in the review, which can include users from rows that are not assigned to the current reviewer.

Exporting review rows

Owners and administrators can export rows directly from the reviewer interface. CSV exports include all entity attributes and row metadata, suitable for importing into another tool. PDF exports include a title page and additional pages for metadata about the overall review status.

To download row metadata in CSV format:

  1. From the reviewer interface, click Export > Export to CSV.

  2. Enter a name for the downloaded file.

  3. Choose specific columns to export, or export all columns by default.

  4. Add transformations to convert Column Names > Export Names.

  5. Click Export.
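An added example (not Veza code): a Python check over a CSV export that lists the rows that would still block completion under the rules on this page (no decision, not signed off, rejected but not marked Fixed, and optionally no note). The column names Decision, Signed Off, Fixed and Notes and the true/false encoding are assumptions; set matching Export Names in step 4 or edit COLS to match your file.

```python
import csv
import io

# Assumed Export Names; the real column names in your export may differ.
COLS = {"decision": "Decision", "signed": "Signed Off",
        "fixed": "Fixed", "notes": "Notes"}

# Constructed sample rows, not real export output.
SAMPLE_CSV = """\
Source Name,Destination Name,Decision,Signed Off,Fixed,Notes
alice,prod-db,Approved,true,false,Needed for on-call
bob,prod-db,Rejected,true,true,Removed per ticket
carol,billing-bucket,Rejected,true,false,
dave,billing-bucket,,false,false,
erin,hr-share,Approved,false,false,
"""


def _flag(value):
    """Interpret an exported boolean cell (assumed true/yes/1 encoding)."""
    return (value or "").strip().lower() in {"true", "yes", "1"}


def audit_export(text, require_fixed=True, require_notes=False):
    """Return (csv_line, issue) pairs for rows that would block completion."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in COLS.values() if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"export is missing columns: {missing}")
    findings = []
    for row in reader:
        line = reader.line_num
        decision = (row[COLS["decision"]] or "").strip().lower()
        if decision not in {"approved", "rejected"}:
            findings.append((line, "no-decision"))
            continue  # nothing else to check until a decision exists
        if not _flag(row[COLS["signed"]]):
            findings.append((line, "not-signed-off"))
        if (require_fixed and decision == "rejected"
                and not _flag(row[COLS["fixed"]])):
            findings.append((line, "rejected-not-fixed"))
        if require_notes and not (row[COLS["notes"]] or "").strip():
            findings.append((line, "missing-note"))
    return findings


if __name__ == "__main__":
    for line, issue in audit_export(SAMPLE_CSV, require_notes=True):
        print(f"line {line}: {issue}")
```

Set require_fixed and require_notes to mirror the completion and note requirements configured for your tenant.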

To export rows in PDF format:

  1. From the reviewer interface, click Export > Export to PDF.

  2. Enter a name for the downloaded file.

  3. Enter a title for the document cover page.

  4. Pick columns to include (up to 12).

  5. Reorder and transform column names for readability.

  6. Click Export.

Customizing the reviewer interface

By default, the reviewer's interface shows each row's source (usually a user or other principal) name and type, effective permissions (if available), and the name and type of destination entity (usually a resource). Reviewers can resize, rearrange, and show or hide columns to focus on critical details. Any changes are saved to the browser.

Administrators can change the default columns for all reviews or customize review columns for a particular configuration. See Customizing Default Columns.

Show enriched columns in the review interface

Access reviews involving local user accounts that are associated with external IDP users can optionally support an IDP User column group. This group contains attributes specific to external users associated with the source user.

Reviewers and Operators can use the column selector to display these additional IDP User fields, such as risk score, title, department or activity status. These columns will be empty for local users without an associated IDP user.

Completing a review

After all results are signed off, operators can click Complete to finish the review, preventing further changes:

  1. Open the reviewer interface.

  2. Click Complete at the top right to finish the review.

See Access Reviews Global Settings for more information about possible completion settings for your tenant.
