Access Review Scenarios

Customize access review scopes to best suit your environment and compliance requirements.

Overview

Veza Access Reviews support a wide range of compliance scenarios because a review's scope is built with the query builder on top of Veza's authorization graph. This document provides conceptual overviews to help you scope access reviews for common use cases according to your own requirements.

The topics in this section include step-by-step instructions for common types of access reviews, which you can use to familiarize yourself with the configuration builder and customize to meet your needs.

  • Access Reviews: Okta Group Membership

  • Access Reviews: Okta App Assignments

  • Access Reviews: Okta Admin Roles

  • Access Reviews: Azure AD Roles, including built-in administrative roles.

  • Access Reviews: Active Directory Security Groups (Including admin groups such as Active Directory Domain Admins, Enterprise Admins, and Schema Admins).

  • Access Reviews with Saved Queries

  • Source-Only Access Reviews

User access and entitlement reviews

You can use Veza to conduct both user access reviews and entitlement reviews:

User Access Reviews (UARs) are a specific type of review focused on inspecting access granted to users, whether directly or through inherited roles and group memberships. User access reviews can also be conducted to review the access-granting relationships assigned to a user, such as reviewing a user’s group membership or role assignments in an application.

Users whose access is under review can include:

  • Employees: Full-time, part-time, or temporary staff.

  • Contractors: External individuals engaged by the organization for specific tasks or projects.

  • Consultants: External advisors given access to specific parts of the organization’s IT environment.

  • Partners: Business partners with access to specific systems or data due to collaborative relationships.

An Entitlement Review verifies that the permissions on a resource, such as a database, file repository, or object store, are appropriate for the entities granted access. Those entities may be users or non-human identities. For each row of access, Veza can show either the normalized effective permissions or the native system permissions, and the review can be filtered to specific permissions of interest, such as all users with WRITE access to a database.

For either UARs or Entitlement Reviews, Veza can assign responsibility for completing these reviews to managers, department heads, application owners, IT system administrators, and others based on business requirements.

Review scopes

Veza operators define the settings and scope for a review (its configuration) with a step-by-step builder. Each review has an underlying query that defines its scope. The query can be very broad (all Users to all Applications), which increases the number of entities included in the review, or narrow enough to drill down on individual providers, resources, or identities (Okta Users in the finance department with "Update" permissions on the Snowflake Table "Transactions"). The scope defines the entities and access relationships included in the review.

Best Practices for Setting Source and Destination:

  • Setting the source entity to a user identity is not required, but is recommended for user access and entitlement reviews. When a resource is additionally set as the destination, reviewers will be prompted to approve individual identities and their access to resources.

  • User-to-resource scopes are preferred for reviews that involve manager auto-assignment and are required for auto-revocation with Veza Lifecycle Management.

Reviewers approve, reject, annotate, or re-assign the entities or access relationships defined by the review scope, represented as rows in the reviewer interface. Each row is assignable to reviewers for a decision and sign-off. Depending on the review configuration, reviewers may be asked to certify individual entities, source-destination pairs, and optionally permissions:

Types of review scope

Source & Destination
  Scope: Review access involving a relationship between two different entity types.
  Use case: User access and entitlement reviews.
  Examples:
    • Users and assigned roles in Azure AD
    • Users and assigned apps in Okta
    • Users and security group memberships in Active Directory
    • Users with permissions on Snowflake databases
    • All Okta Users to S3 Buckets

Source-only
  Scope: Review a single type of entity, shown as a list.
  Use case: Simple user access reviews or reviewing lists of access-granting entities.
  Examples:
    • All local user accounts in Snowflake
    • All roles in NetSuite
    • All security groups in Active Directory

Saved Query
  Scope: Review the results of any saved query in Veza, using the full functionality of Access Visibility > Query Builder.
  Use case: Reviews based on out-of-the-box or customer-defined queries.
  Examples:
    • Any saved query, including those powering Access Intelligence dashboards.

See Access Reviews Query Builder for more about query builder options.

Constraining the review scope

Adding different types of filters to the review scope allows for finer-grained scoping of the review. Multiple filters and filter types can be combined for greater expressive power:

  • Single Entity: Constrain the review scope to a specific source and/or destination entity, such as reviewing all access for a single named Okta User, or all users assigned to a group named “Administrators”.

  • Entity Attributes: Constrain the review scope to entities with some common attribute(s), such as Active Directory Users belonging to Active Directory Groups containing ‘admin’ in the name.

  • Tags: Constrain the review scope to entities with specific tags applied, such as AWS IAM Users with access to S3 Buckets tagged as containing PII.

  • Permissions: Constrain the entitlements review scope to entities with specific permissions on resources, such as Snowflake Local Users with Update and Delete permissions on Snowflake Databases.

Tag filters

For more information about tags and tag filters, see Filters and Tags. For reviews that involve tagged entities, two additional options are available:

  • Promoted Tags: Administrators can promote tags to appear as custom attributes with dedicated columns in the reviewer interface. See Promoted Tags for more details.

  • Show Source/Destination Tags: Enable this option in the configuration builder to show columns containing all tags on the source or destination entities in the reviewer interface. Reviewers can refer to the tag keys and values to better inform their decisions, and use the columns for filtering.

Permission filters

  • Filtering by permissions helps constrain the scope of reviews to the riskiest access.

  • A permission filter specifies one type of permission, either System or Effective; a single query cannot filter on both. See Review Presentation Options for more about permission types.

  • Applying a permissions filter on a relationship that does not involve permissions (e.g., User-Group) will yield no rows.

Related entity requirements

  • The query can require a specific Relationship entity connecting the query source and destination (such as an AWS IAM role connecting users and storage buckets).

  • When a Relationship is specified and an entity of that category exists for a result, node details appear in additional review interface columns.

  • This can offer reviewers visibility into the role-based access controls such as groups or roles, or the local user account used to access a resource.

Excluded and required entity types

  • Specifying Excluded entity types will filter out any search results with a relationship to the chosen entity category. This option enables reviews, for example, on groups that do not have a corresponding IAM role, or users that are not part of a group. This option is not available when "All Parent Principals" is the query source.

  • Specifying Included entity types will only return results that have a relationship to the chosen entity types. This option enables review of users and resources connected to a specific intermediate group, role, or policy.

  • See Intermediate Entities for more on these query parameters.
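To make the scoping rules above concrete, the following is an added example written for this page; it is not Veza code and does not use Veza's query format. It is a small Python model of an authorization graph with constructed sample entities (the users alice and bob, the group finance-analysts, the Snowflake roles and tables, the tag key data_class, and the entity kind names are all assumptions), in which a ReviewScope is evaluated the way this section describes: a broad user-to-table scope, a narrow scope combining an entity attribute, a tag and a permission filter, a permission filter applied to a user-to-group relationship (which yields no rows), a source-only review with an excluded entity type, and a scope that requires a group as the intermediate entity.

```python
"""Toy model of how an access-review scope selects the rows a reviewer sees.
Added illustration, not Veza code or its query format: entities, edges, tags and
the ReviewScope fields are constructed; filter semantics follow this page's text."""
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass(eq=False)                            # identity hashing: entities can key dicts/sets
class Entity:
    name: str
    kind: str                                   # e.g. "OktaUser", "SnowflakeTable"
    attrs: dict = field(default_factory=dict)   # entity attributes, e.g. department
    tags: dict = field(default_factory=dict)    # tag key -> tag value

@dataclass(eq=False)
class Edge:
    src: Entity
    dst: Entity
    perms: frozenset = frozenset()              # empty for membership/assignment edges

@dataclass
class ReviewScope:
    source_kind: str
    destination_kind: str | None = None         # None -> source-only review
    source_attrs: dict = field(default_factory=dict)
    destination_tags: dict = field(default_factory=dict)
    permissions: frozenset = frozenset()        # every listed permission must be present
    required_kinds: frozenset = frozenset()     # pair must be connected via this kind
    excluded_kinds: frozenset = frozenset()     # pair must not be connected via this kind

def _paths(edges, start, dst_kind, max_depth=5):
    """Simple paths (lists of edges) from `start` to any entity of kind dst_kind."""
    found = []
    def walk(node, path, seen):
        for e in edges:
            if len(path) < max_depth and e.src is node and e.dst not in seen:
                if e.dst.kind == dst_kind:
                    found.append(path + [e])
                else:
                    walk(e.dst, path + [e], seen | {e.dst})
    walk(start, [], {start})
    return found

def review_rows(entities, edges, scope):
    """Rows in scope, as (source, destination, intermediates, permissions) tuples."""
    sources = [e for e in entities if e.kind == scope.source_kind
               and scope.source_attrs.items() <= e.attrs.items()]
    if scope.destination_kind is None:          # source-only: one row per entity
        return [(s.name, None, (), frozenset()) for s in sources
                if not any(e.src is s and e.dst.kind in scope.excluded_kinds for e in edges)]
    rows = []
    for s in sources:
        by_dst: dict = {}
        for path in _paths(edges, s, scope.destination_kind):
            by_dst.setdefault(path[-1].dst, []).append(path)
        for dst, paths in by_dst.items():       # one row per source/destination pair
            inter = {e.dst for p in paths for e in p[:-1]}
            kinds = {i.kind for i in inter}
            perms = frozenset().union(*(e.perms for p in paths for e in p))
            in_scope = (scope.destination_tags.items() <= dst.tags.items()
                        and scope.permissions <= perms      # membership edges carry no perms
                        and (not scope.required_kinds or scope.required_kinds <= kinds)
                        and not (kinds & scope.excluded_kinds))
            if in_scope:
                rows.append((s.name, dst.name, tuple(sorted(i.name for i in inter)), perms))
    return sorted(rows)

def sample_graph():
    """Constructed sample data: two Okta users, a group, two Snowflake roles, two tables."""
    alice = Entity("alice", "OktaUser", attrs={"department": "finance"})
    bob = Entity("bob", "OktaUser", attrs={"department": "engineering"})
    group = Entity("finance-analysts", "OktaGroup")
    fin_role = Entity("FIN_ANALYST", "SnowflakeRole")
    eng_role = Entity("ENG_READER", "SnowflakeRole")
    transactions = Entity("TRANSACTIONS", "SnowflakeTable", tags={"data_class": "pii"})
    prices = Entity("PRICES", "SnowflakeTable")
    edges = [
        Edge(alice, group), Edge(group, fin_role),             # membership, then role grant
        Edge(fin_role, transactions, frozenset({"SELECT", "UPDATE", "DELETE"})),
        Edge(fin_role, prices, frozenset({"SELECT"})),
        Edge(bob, eng_role), Edge(eng_role, prices, frozenset({"SELECT"})),
    ]
    return [alice, bob, group, fin_role, eng_role, transactions, prices], edges

def scenarios():
    """The scopes discussed on this page, evaluated against the sample graph."""
    ents, edges = sample_graph()
    run = lambda scope: review_rows(ents, edges, scope)
    return {
        "broad": run(ReviewScope("OktaUser", "SnowflakeTable")),
        "narrow": run(ReviewScope("OktaUser", "SnowflakeTable", permissions=frozenset({"UPDATE"}),
                                  source_attrs={"department": "finance"},
                                  destination_tags={"data_class": "pii"})),
        "perm_on_membership": run(ReviewScope("OktaUser", "OktaGroup", permissions=frozenset({"UPDATE"}))),
        "users_without_group": run(ReviewScope("OktaUser", excluded_kinds=frozenset({"OktaGroup"}))),
        "via_group": run(ReviewScope("OktaUser", "SnowflakeTable", required_kinds=frozenset({"OktaGroup"}))),
    }
```

Calling scenarios() returns one row list per scope. The "broad" scope produces three rows (alice to both tables through her group and role, bob to PRICES through his role), "narrow" keeps only alice on TRANSACTIONS, and "perm_on_membership" is empty because the user-to-group edges carry no permissions, which is the behaviour noted under Permission filters. "users_without_group" lists only bob, and "via_group" drops bob's row because his path to PRICES does not pass through a group.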

Last updated 9 months ago
