Access Review Scenarios
Customize access review scopes to best suit your environment and compliance requirements.
Overview
Veza Access Reviews support a wide range of compliance scenarios, due to the flexibility of the query builder and the power of Veza's authorization graph. This document provides conceptual overviews to help scope access reviews for common use cases, based on your unique requirements.
The topics in this section include step-by-step instructions for common types of access reviews, which you can use to familiarize yourself with the configuration builder and customize to meet your needs.
Access Reviews: Azure AD Roles, including built-in administrative roles.
Access Reviews: Active Directory Security Groups (Including admin groups such as Active Directory Domain Admins, Enterprise Admins, and Schema Admins).
User access and entitlement reviews
You can use Veza to conduct both user access reviews and entitlement reviews:
User Access Reviews (UARs) are a specific type of review focused on inspecting access granted to users, whether directly or through inherited roles and group memberships. User access reviews can also be conducted to review the access-granting relationships assigned to a user, such as reviewing a user’s group membership or role assignments in an application.
Users whose access is under review can include:
Employees: Full-time, part-time, or temporary staff.
Contractors: External individuals engaged by the organization for specific tasks or projects.
Consultants: External advisors given access to specific parts of the organization’s IT environment.
Partners: Business partners with access to specific systems or data due to collaborative relationships.
An Entitlement Review verifies that the permissions on a resource, such as a database, file repository, or object store, are appropriate for the entities granted access. Entities may be users or non-human identities. Veza can show either the normalized effective permissions or the native system permissions for each row of access, with the option to filter on specific permissions of interest, such as reviewing all users with WRITE access to a database.
For either UARs or Entitlement Reviews, Veza can assign responsibility for completing these reviews to managers, department heads, application owners, IT system administrators, and others based on business requirements.
Review scopes
Veza operators define the settings and scope for a review (its configuration) with a flexible step-by-step builder. Each review has an underlying query that defines its scope. The query can be very broad (All Users to all Applications), increasing the number of entities included in the review, or quite specific and narrow, drilling down on individual providers, resources, or identities (Okta Users in the finance department with "Update" permissions on Snowflake Table "Transactions"). The scope defines the entities and access relationships included in the review.
Best Practices for Setting Source and Destination:
Setting the source entity to a user identity is not required, but is recommended for user access and entitlement reviews. When a resource is additionally set as the destination, reviewers will be prompted to approve individual identities and their access to resources.
User-to-resource scopes are preferred for reviews that involve manager auto-assignment and are required for auto-revocation with Veza Lifecycle Management.
Reviewers approve, reject, annotate, or re-assign the entities or access relationships defined by the review scope, represented as rows in the reviewer interface. Each row is assignable to reviewers for a decision and sign-off. Depending on the review configuration, reviewers may be asked to certify individual entities, source-destination pairs, and optionally permissions.
Types of review scope
| Type | Scope | Use Case | Examples |
| --- | --- | --- | --- |
| Source & Destination | Review access involving a relationship between two different entity types. | User access and entitlement reviews. | Users and assigned roles in Azure AD; Users and assigned apps in Okta; Users and security group memberships in Active Directory; Users with permissions on Snowflake databases; All Okta Users to S3 Buckets |
| Source-only | Review a single type of entity, shown as a list. | Simple user access reviews or reviewing lists of access-granting entities. | All local user accounts in Snowflake; All roles in NetSuite; All security groups in Active Directory |
| Saved Query | Review the results of any saved query in Veza, using the full functionality of Access Visibility > Query Builder. | Reviews based on out-of-the-box or customer-defined queries. | Any saved query, including those powering Access Intelligence dashboards. |
See Access Reviews Query Builder for more about query builder options.
Constraining the review scope
Adding different types of filters to the review scope allows for finer-grained scoping of the review. Multiple filters and filter types can be combined for greater expressive power:
Single Entity: Constrain the review scope to a specific source and/or destination entity, such as reviewing all access for a single named Okta User, or all users assigned to a group named “Administrators”.
Entity Attributes: Constrain the review scope to entities with some common attribute(s), such as Active Directory Users belonging to Active Directory Groups containing ‘admin’ in the name.
Tags: Constrain the review scope to entities with specific tags applied, such as AWS IAM Users with access to S3 Buckets tagged as containing PII.
Permissions: Constrain the entitlements review scope to entities with specific permissions on resources, such as Snowflake Local Users with Update and Delete permissions on Snowflake Databases.
Tag filters
For more information about tags and tag filters, see Filters and Tags. For reviews that involve tagged entities, two additional options are available:
Promoted Tags: Administrators can promote tags to appear as custom attributes with dedicated columns in the reviewer interface. See Promoted Tags for more details.
Show Source/Destination Tags: Enable this option in the configuration builder to show columns containing all tags on the source or destination entities in the reviewer interface. Reviewers can refer to the tag keys and values to better inform their decisions, and use the columns for filtering.
Permission filters
Filtering by permissions helps constrain the scope of reviews to the riskiest access.
Permission filters can specify either type of permission: System or Effective. Effective and system permissions cannot both be specified in the same query. See Review Presentation Options for more about permission types.
Applying a permissions filter on a relationship that does not involve permissions (e.g., User-Group) will yield no rows.
Related entity requirements
The query can require a specific Relationship entity connecting the query source and destination (such as an AWS IAM role connecting users and storage buckets).
When a Relationship is specified and an entity of that category exists for a result, node details appear in additional review interface columns.
This can offer reviewers visibility into the role-based access controls such as groups or roles, or the local user account used to access a resource.
Excluded and required entity types
Specifying Excluded entity types will filter out any search results with a relationship to the chosen entity category. This option enables reviews, for example, on groups that do not have a corresponding IAM role, or users that are not part of a group. This option is not available when "All Parent Principals" is the query source.
Specifying Included entity types will only return results that have a relationship to the chosen entity types. This option enables review of users and resources connected to a specific intermediate group, role, or policy.
See Intermediate Entities for more on these query parameters.
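As an added illustration for the permission filters and the excluded and required entity types described above (not Veza's code, query engine, or API), the following hypothetical Python model evaluates a review scope over a small constructed authorization graph. It shows source/destination scoping, why a permission filter on a User-Group relationship returns no rows, and how required and excluded intermediate entity types change the result set. All node names, edges, and the review_rows function are assumptions.

```python
# Hypothetical model of a review scope evaluated over a tiny constructed
# authorization graph. It is NOT Veza's query engine; it only illustrates
# source/destination scoping, permission filters, and required/excluded
# intermediate entity types.
from collections import deque

# Constructed sample graph: node name -> entity type
NODES = {
    "alice": "User", "bob": "User",
    "finance-admins": "Group", "snowflake-writer": "Role",
    "Transactions": "Table",
}
# Constructed edges: (from, to, effective permissions granted by this hop).
# Membership and role-assignment hops carry no permissions.
EDGES = [
    ("alice", "finance-admins", set()),
    ("finance-admins", "snowflake-writer", set()),
    ("snowflake-writer", "Transactions", {"Read", "Update"}),
    ("bob", "Transactions", {"Read"}),
]

def review_rows(source_type, dest_type, permissions=None,
                required=None, excluded=None):
    """Return (source, destination, intermediate types, permissions) rows.

    permissions: the destination must be reached with ALL of these.
    required:    an intermediate entity type that must appear on the path.
    excluded:    an intermediate entity type that must NOT appear on the path.
    """
    rows = []
    for src, src_type in NODES.items():
        if src_type != source_type:
            continue
        queue = deque([([src], set())])  # (path so far, perms of the last hop)
        while queue:
            path, last_perms = queue.popleft()
            node = path[-1]
            if len(path) > 1 and NODES[node] == dest_type:
                intermediates = {NODES[n] for n in path[1:-1]}
                # A membership hop (e.g. User-Group) carries no permissions,
                # so any permission filter drops the row: this is why a
                # permission filter on a User-Group scope yields nothing.
                if permissions and not permissions <= last_perms:
                    continue
                if required and required not in intermediates:
                    continue
                if excluded and excluded in intermediates:
                    continue
                rows.append((src, node, tuple(sorted(intermediates)),
                             frozenset(last_perms)))
                continue  # do not traverse past a destination
            for a, b, perms in EDGES:
                if a == node and b not in path:
                    queue.append((path + [b], perms))
    return rows
```

Running review_rows("User", "Table", permissions={"Update"}) returns only alice's row via the Group and Role intermediates, while review_rows("User", "Table", excluded="Group") returns only bob's direct grant.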