Get Started: Review Operators

Welcome to Veza Access Reviews! This guide is intended to help review owners and administrators create and manage recurring certification campaigns.

Overview

Thank you for choosing Veza Access Reviews β€” we're excited to support you on your journey! This document provides a quick overview to help you get started creating and managing access review campaigns with Veza.

See the included sections to create your first configuration, start a review, and assign it to reviewers.

For users logging in to approve or reject access for the first time, see Get Started: Access Reviewers

Access review concepts

Access Reviews enable you to create user access and entitlement review campaigns using the user, resource, and RBAC metadata that Veza stores in the authorization graph. Two basic concepts enable scalable, repeatable campaigns:

  • Configurations: Settings that define the scope of a review, along with scheduling, orchestration, and notification settings. Each review configuration is tied to a graph query. This query can include source and destination entities and requirements for related or unrelated entities such as intermediate groups or roles. The scope can be further constrained with filters on tags, attributes, permissions, or specific entities.

  • Reviews: Individual instances of access reviews, each with a unique deadline and reviewers. Each review uses a snapshot of graph data at the time of review creation. Upon review creation, individual reviewers can log in to Veza to view their assigned reviews, approve or reject line items, and sign off on decisions.

Before you start

  • You will need an account with the administrator or operator role to manage Access Reviews.

  • The relationships available for review depend on the Veza Integrations you have enabled. This guide assumes you've already added an identity provider, cloud service provider, or other data sources to review.

  • To configure orchestration actions, you'll first need to add a destination system by enabling communication with an external target by enabling built-in Orchestration Actions or configuring custom Webhooks.

  • You can choose reviewers from all users in your organization by adding a Veza integration for your identity provider. See Configuring a Global Identity Provider to enable reviewer suggestion and auto-assignment using your IdP.

  • To manage access to Veza from within your organization's identity provider and enable single sign-on for reviewers, see Sign-In Settings.

  • The Veza support team can customize some settings for your tenant. The exact options and behavior will depend on Access Reviews Global Settings.

Create an access review configuration

A review configuration defines the scope of a periodic or one-time access or entitlements review, including:

  • A Query defining the entities and relationships under review, such as Active Directory Users assigned to Active Directory Groups. The rows under review are the results of this query. You can select whether the query runs against the current graph, the most recent snapshot, or historical data, depending on the chosen time frame.

  • Default Notification and Orchestration Action settings, inherited by all future reviews for that configuration.

  • Basic attributes such as Name and Description for identification and internal reference.

See Create a Configuration for more details.

Typically, you'll want to review relationships for an entity type in the graph that corresponds to your organization’s identities, such as Okta Users or Microsoft Azure AD Users, and some entitlement or resource, such as Okta Groups, Azure AD Roles, or Snowflake Databases.

However, queries can enable a wide range of potential reviews, including resource-based entitlements, machine identities, and group-to-group or role-to-role relationships.

Starting and scheduling reviews

After saving a configuration, you can create reviews for it. When creating a review, you will pick a due date, and add default reviewers for all rows.

  • The Configurations page shows all saved configurations. Choose one and click New Review to create an individual review instance. See Create a Review for detailed steps.

  • To Schedule a review on this page, open the configuration Actions dropdown menu. See Schedule an Access Review to initiate reviews on a set frequency automatically.

  • Review Intelligence Policies enable automatic actions on rows that already were signed off in the last review for the same configuration. More sophisticated rules can be configured by administrators using an API. See Review Intelligence Policies to add custom automations.

  • Assign Managers: Assign reviewers by email address. These reviewers are assigned to all rows by default, after which row-level reviewers can be assigned.

    • Reviewers can be local Veza users or any user in your organization, from your Identity Provider (IdP). See Configuring a Global Identity Provider to enable assigning IdP users as reviewers.

    • Veza can auto-assign user managers or resource owners based on tags or graph metadata upon review creation.

    • Operators can also assign fallback reviewers for when an owner cannot be identified. See Reviewer Selection Methods for the default fallback behavior and tunable settings.

  • See Draft Reviews to inspect the results and assign reviewers for individual rows before publishing it and sending notifications.

The reviewer interface

Opening a review shows the reviewer interface, displaying each row of access to be reviewed. These rows of access are the results of the configured query, shown in a table for individual approval or rejection and final sign-off.

Each row can represent a relationship between two entities, such as Okta users and Okta Admin Roles, or a single entity, such as a list of local users in Snowflake or public AWS S3 buckets. The table can show additional information about each entity, including the resulting permissions for a source and destination pair (such as Okta user permissions on Snowflake tables).

For each result, reviewers will approve or reject, add notes, and finalize their decision before signing off. They can:

  • Approve the row. This means that the reviewer agrees that the access described by this row is appropriate.

  • Reject, indicating that the level of access on this row is inappropriate.

  • Mark as Fixed: If a remediation action has been taken on a rejected row, operators can mark the issue as fixed before completing the review. Notes can provide additional detail (such as a ticket number or remediation steps).

  • Re-assign a reviewer: This allows the reviewer to reassign the review of this row to another individual. This is convenient when somebody else has more decision-making authority to approve or reject access for a specific row

  • Sign off: Signing off prevents any further decisions. Once signed off the only allowed change is to update the β€œMarked As Fixed” status if the row was rejected.

  • Update the note: This allows reviewers to annotate individual rows of access. This is useful if a reviewer wants to explain or justify their decision.

Reviewers can customize their views by filtering the results and rearranging columns to show important details or hide unwanted information. Using filters in combination with bulk actions enables actions over pages of results for faster decision-making. See Filters and Bulk Actions.

Operators can use the reviewer interface to customize settings unique to the review. Use the sidebar to update the due date or enable unique email notifications or Orchestration Action settings to override the configuration defaults.

Your Veza support team can help you customize default columns and other behaviors. For more information see Customizing Default Columns.

Administrators can customize instructions for reviewers with Help Page Templates.

Completing a review

An administrator or operator can close a review by marking it Complete. No further changes are possible after the review is final.

Depending on Access Reviews Global Settings, all rows may require sign-off before completion.

Last updated