Workflow Builder
Defining the scope of new access and entitlement reviews
Workflows overview
To create a workflow, a Veza operator constructs a query defining the scope of the access or entitlement review. For example, a review can include all federated users, all resources, or all roles or policies. Alternatively, reviewers can certify a narrower selection, such as identities or resources managed by Cathy Calbert, relationships involving permissions on resources tagged environment:production, or the members of a CONTRACTORS group.
Workflow owners can add email reminders for participants and owners, and configure integrations to enable external processes when certification events occur. Each individual certification on a workflow will have its own due date and reviewers. The certification results will show the state of authorization based on the most recent graph snapshot at the certification creation date.
Creating a workflow
A workflow query can be broad or granular to match your organization structure, review processes, and the integrations you have connected to Veza. A single review might cover all users' access to many cloud services and data assets, or focus on individual departments or applications. A workflow might also review relationships connecting Policies, Groups, or Roles.
To create a workflow and set the underlying query used for certification:
Open the Workflows page and click the New Workflow button.
Give the workflow a unique name and a description.
Build a query to define the scope of the review:
The source dropdown menu will contain all entity types discovered by Veza. You can start typing or scroll to pick any category of entity.
Specify an optional destination to filter results by. This will limit the scope of certification to only the identities or resources with a relationship to the chosen category of entity.
Preview the returned entities and save the workflow.
Workflows query examples
An access review can be business-wide or constrained to specific applications or sets of users. When creating a workflow, structure the query to meet the needs of your organization. Consider what data sources you have integrated, your compliance requirements, and your review processes. A workflow might:
Certify all user permissions on all databases of a certain type.
Certify all access granted to an individual application.
Certify access for groups of users based on a property, such as "department," or a role or local user account they assume to access a resource with single sign on.
Consider creating workflows that can function as repeatable campaigns. Any number of certifications can exist for a workflow, each with the most recent Authorization Graph snapshot data for integrated identity, data, and application providers.
Example queries:
All Okta Users to S3 Buckets
All Principals to All Applications
All Top Level Principals to GitHub Role with Data Write permission
All GitHub Users to GitHub Resource with Data Delete and Metadata Delete system permissions
All Google Workspace Accounts to Google Cloud Projects with Domain="veza.com" constraint
All AWS Accounts to Redshift Databases with intermediate entity=AWS IAM Role
All AWS Accounts to Redshift Clusters with intermediate entity=Redshift Local Role, excluding entities related to AWS IAM Group, with Data Create and Metadata Create effective permissions, with attribute filter Datasource ID="RedshiftCluster1"
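The query elements used in the examples above (a source entity type, an optional destination type, an intermediate entity, an exclusion, an effective-permission filter and an attribute filter) can be pictured with a small evaluator. The following Python is an added illustration, not Veza's implementation or API: the Graph, WorkflowQuery and Certification classes, the entity type and permission names, and the sample graph are all constructed here. It runs a query shaped like the last Redshift example above against that graph, and shows why a certification's rows are frozen at creation time rather than following later graph changes.

```python
# Toy evaluator for a Veza-style workflow query over a small authorization graph.
# Added illustration only: not Veza code. Type names, permissions and data are constructed.
from copy import deepcopy
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Node:
    id: str
    type: str                                   # e.g. "AWS IAM User", "Redshift Cluster"
    attrs: dict = field(default_factory=dict)   # discovered entity properties


@dataclass
class Graph:
    nodes: dict                                 # id -> Node
    edges: list                                 # (from_id, to_id, permissions) tuples

    def out_edges(self, node_id):
        return [e for e in self.edges if e[0] == node_id]


@dataclass
class WorkflowQuery:
    source_type: str
    destination_type: Optional[str] = None      # None: any entity the source reaches
    intermediate_type: Optional[str] = None     # path must pass through this type
    exclude_related_type: Optional[str] = None  # drop paths that touch this type
    required_perms: frozenset = frozenset()     # all must be effective on the destination
    attribute_filter: dict = field(default_factory=dict)  # destination attrs must match


def _paths(graph, start, max_hops=4):
    """Depth-first enumeration of simple paths from start; each step is (Node, perms)."""
    stack = [[(graph.nodes[start], frozenset())]]
    while stack:
        path = stack.pop()
        yield path
        if len(path) > max_hops:
            continue
        seen = {n.id for n, _ in path}
        for _, to_id, perms in graph.out_edges(path[-1][0].id):
            if to_id not in seen:
                stack.append(path + [(graph.nodes[to_id], frozenset(perms))])


def evaluate(graph, q):
    """Return sorted (source_id, destination_id, effective_perms) rows matching q.
    Simplification: the effective permissions of a path are those on its last hop."""
    rows = set()
    for src in graph.nodes.values():
        if src.type != q.source_type:
            continue
        for path in _paths(graph, src.id):
            if len(path) < 2:
                continue
            dst, perms = path[-1]
            via = {n.type for n, _ in path[1:-1]}          # intermediate entity types
            if q.destination_type and dst.type != q.destination_type:
                continue
            if q.intermediate_type and q.intermediate_type not in via:
                continue
            if q.exclude_related_type and q.exclude_related_type in via:
                continue
            if not q.required_perms <= perms:
                continue
            if any(dst.attrs.get(k) != v for k, v in q.attribute_filter.items()):
                continue
            rows.add((src.id, dst.id, tuple(sorted(perms))))
    return sorted(rows)


@dataclass
class Certification:
    """Rows are frozen at creation; later graph changes do not alter them."""
    rows: list

    @classmethod
    def create(cls, graph, q):
        return cls(rows=deepcopy(evaluate(graph, q)))


def sample_graph():
    """Constructed sample data modelled on the Redshift query example above."""
    nodes = [
        Node("alice", "AWS IAM User"), Node("bob", "AWS IAM User"),
        Node("carol", "AWS IAM User"), Node("dave", "AWS IAM User"),
        Node("analyst-role", "AWS IAM Role"), Node("dev-group", "AWS IAM Group"),
        Node("rs_admin", "Redshift Local Role"), Node("rs_reader", "Redshift Local Role"),
        Node("rs_admin2", "Redshift Local Role"),
        Node("RedshiftCluster1", "Redshift Cluster", {"Datasource ID": "RedshiftCluster1"}),
        Node("RedshiftCluster2", "Redshift Cluster", {"Datasource ID": "RedshiftCluster2"}),
    ]
    edges = [
        ("alice", "analyst-role", set()), ("analyst-role", "rs_admin", set()),
        ("bob", "dev-group", set()), ("dev-group", "rs_admin", set()),  # via an IAM Group
        ("carol", "rs_reader", set()),
        ("dave", "rs_admin2", set()),
        ("rs_admin", "RedshiftCluster1", {"Data Create", "Metadata Create", "Data Read"}),
        ("rs_reader", "RedshiftCluster1", {"Data Read"}),              # read-only role
        ("rs_admin2", "RedshiftCluster2", {"Data Create", "Metadata Create"}),
    ]
    return Graph({n.id: n for n in nodes}, edges)


REDSHIFT_QUERY = WorkflowQuery(
    source_type="AWS IAM User", destination_type="Redshift Cluster",
    intermediate_type="Redshift Local Role", exclude_related_type="AWS IAM Group",
    required_perms=frozenset({"Data Create", "Metadata Create"}),
    attribute_filter={"Datasource ID": "RedshiftCluster1"},
)


def demo():
    """Create a certification, then change the graph; returns (frozen rows, live rows)."""
    g = sample_graph()
    cert = Certification.create(g, REDSHIFT_QUERY)
    g.edges.remove(("alice", "analyst-role", set()))   # alice loses the role afterwards
    return cert.rows, evaluate(g, REDSHIFT_QUERY)
```

Running demo() returns only the alice row in the certification: bob is dropped by the AWS IAM Group exclusion, carol by the effective-permission filter, and dave by the attribute filter. After alice's role assumption is removed, the live query returns nothing while the certification still carries the row it was created with, which is the behaviour a reviewer should expect from a snapshot-based review.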
Notes
When choosing a resource (for example "SQL Table") for the query source, certification will be resource-centric: reviewers approve the users that can access those resources. The workflow preview will show resources of the chosen category.
When choosing a principal (for example a User or Group from an Identity Provider) for the source category, certification will be identity-centric: reviewers certify the permissions each identity has on resources of the destination entity category.
The workflow source or destination can be All Principals or All Resources, or a single named entity. You can click to preview the source or destination results based on current graph data. Certifications will use graph data at the time of certification creation.
Workflow queries can use permissions filters to find results that contain, or do not contain, a matching effective permission.
For compliance purposes, a workflow query is immutable after saving it. You will need to create another workflow to change a query.
Each certification has a unique deadline and runs and completes individually.
Certifications will load faster when the underlying query returns fewer results.
You can filter workflow results based on any entity properties Veza has discovered.