Workflow Queries

Reference for the Workflows query builder.

Overview

A Workflow represents a periodic or one-time access or entitlement review, and includes:

  • A query defining the entities and relationships under review.

  • Default notification and integration settings, inherited by future certifications for that workflow.

  • Basic workflow attributes such as name and description, for identification and internal reference.

To create a workflow and configure these settings, open the main Workflows page and click Add New next to the list of workflows. Users with the Operator or Admin role can view and edit Veza workflow configurations.

Each workflow will have an underlying query, which can be broad ("All Users" -> "All Resources") or drill down on providers and identities ("Okta Users" where department = "Finance" -> "Snowflake Table"). When a certification begins, Veza will run the query and show results for each source>permissions>destination pair. Reviewers approve, reject, annotate, or re-assign these result rows from Certification view.

Workflow queries are most powerful when entities in your data catalog have attributes or tags defining team or resource managers, compliance requirements, regions, and other organizational attributes. You can add additional context to nodes with Veza Tags, provider tags, Open Authorization API entity properties, or by setting values such as manager for users within an identity provider.

Workflow query builder

Each workflow consists of a query that defines the scope of access review. The certification will contain the results of this query for review and certification. The results will include any entities of the Source category with a relationship to entities of the Destination category, constrained by any other filters that apply.

The following options apply to workflow creation:

Field / Description

Workflow Name

A friendly name for the workflow, used in notification messages and on the Workflows page.

Description

Used to add internal notes, such as details about the workflow query used

Source Entity Type

Selects the entities to review during certification (typically an identity). The results will include all entities of the chosen category with a relationship to the chosen Destination.

Destination Entity Type

Typically, the resource category that certifications will audit permissions on. However, any entity can be the final node of the authorization path (such as a role, service, or group).

Query Mode: Effective

When enabled, returns effective permission calculations for the source and destination pair.

Query Mode: System

When enabled, returns system-level entities and permissions for the source and destination pair.

Relationship Options: Exclude Entity Types

Prevents entities from appearing in results if they have a relationship to the chosen entity category.

Relationship Options: Include Entity Types

Returns only results with a relationship to the chosen entity category.

Relationship Options: Summary Entities

The certification will include a column indicating the names and hierarchical relationships of the specified entity types.

Relationship Options: Relationship

An intermediate entity category to require, such as local user account, group, or role. When specified, details on this intermediate node appear in an additional Certification column.

Advanced Options: Certification includes source tags

When enabled, certifications include a column showing the keys of any tags on the source entity.

Advanced Options: Certification includes destination tags

When enabled, certifications include a column showing the keys of any tags on the destination entity.

Filters: Permissions

When specified, only return results that have the specified permissions. Permissions can be effective or system. Based on the operator, matches can be "all" or "any".

Filters: Attributes

Adding a filter constrains results based on an entity property, such as User department. For some source>destination searches, you can add a predefined constraint.

Filters: Tags

  • The entity types available for source or destination depend on your configured integrations. Some workflows will focus on user- or resource-based review and certification, while others can specify a wide range of possible entities, including Service Accounts, Key Vaults, or IdP Groups.

  • Selecting a single entity will restrict the search to a single entity of the chosen source or destination category.

  • Previewing the source or destination entity shows the current results based on Veza's most recent graph data. Reviewers will certify the query results based on graph data at the time of certification creation.

  • When finished, Save the Workflow to return to the main Workflows page, where you can start a certification.

"All Resources" and "All Principals"

  • In addition to single entity types, you can specify All Resources for query source or destination. This option will audit permissions on all "resource"-type entities that Veza has discovered, including storage objects, databases, and others. This option can enable broad workflow queries, such as "Google Users to All Resources." The resources included will depend on your Entity Catalog and integrations.

  • Selecting All Top Level Principals for the query source or destination will return only identities that cannot be assumed by another identity. You can use this option to show primary corporate identities and filter out any low-level identities (such as local user accounts) they can assume. Certifications on the workflow will still include local account users and service accounts that don’t correlate to any upper-level identity.

  • All Principals will select all "Identity" type entities that Veza has discovered, similarly to All Resources.

"All {Entity Types} for All Apps"

Specifying All "entity types" for All Apps will return all "custom" users, roles, resources, and other entities added to the Entity Catalog with the Open Authorization API. These aggregated search options enable a single workflow to query against several connected providers.

Possible selections are:

  • All IdP Users

  • All Applications

  • All Subresources

  • All Users

  • All Resources

  • All Roles

  • All Role Assignments

  • All IdP Domains

  • All IdP Groups

  • All Groups

  • All Permissions

Searching for individual custom apps

As an alternative to "All Apps" search, you can review access to a specific Open Authorization API data source by typing the custom application name into a search field.

For more information about Custom Application and Custom Identity Provider entity types (defined within the OAA JSON push payload generated by OAA connectors), see the OAA Templates documentation.

A Workflow query can require that a specific Relationship entity connects the query source and destination (such as an AWS IAM role connecting users and storage buckets). When a Relationship is specified and an entity of that category exists for a result, node details appear in additional Certification view columns. This can offer reviewers visibility into the RBAC role or local user account enabling access to a resource.

Excluded and required entity types

Specifying Excluded entity types will filter out any search results with a relationship to the chosen entity category. This option enables workflows, for example, on groups that do not have a corresponding IAM role, or users that are not part of a group. This option is not available when "All Parent Principals" is the query source.

Specifying Included entity types will only return results that have a relationship to the chosen entity types. This option enables review of users and resources connected to a specific intermediate group, role, or policy.

See Intermediate Entities for information on queries that use this option.
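The following is an added example, not Veza code and not the product's query engine: a small in-memory access graph that models the query semantics described on this page (Source to Destination, the Relationship column, Included and Excluded entity types, attribute and permission filters, and the "All Top Level Principals" selection, which keeps only identities that no other identity can assume). Entity type names, entity names, edges and permissions are constructed for illustration; Veza's real entity types and graph data differ.

```python
"""Toy model of a Workflow query over an access graph (added example, not Veza code)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed entity types; the identity set drives the "top level principal" rule.
IDENTITY_TYPES = {"OktaUser", "SnowflakeUser", "ServiceAccount"}
TOP_LEVEL_PRINCIPALS = "All Top Level Principals"   # pseudo source type, as on the page


@dataclass(frozen=True)
class Entity:
    name: str
    etype: str
    attrs: tuple = ()          # ((key, value), ...) keeps the entity hashable

    def attr(self, key):
        return dict(self.attrs).get(key)


class AccessGraph:
    def __init__(self):
        self.nodes = set()
        self.edges = defaultdict(list)   # src -> [(dst, frozenset(permissions))]

    def add(self, src, dst, perms=()):
        self.nodes.update((src, dst))
        self.edges[src].append((dst, frozenset(perms)))

    def paths(self, start, dest_type, _path=None, _perms=frozenset()):
        """Yield (path, permissions) for every path from start to an entity of dest_type."""
        path = [start] if _path is None else _path
        for nxt, p in self.edges.get(start, []):
            if nxt in path:                       # ignore cycles
                continue
            if nxt.etype == dest_type:
                yield path + [nxt], _perms | p
            else:
                yield from self.paths(nxt, dest_type, path + [nxt], _perms | p)

    def is_top_level(self, entity):
        """An identity is top level when no other identity has an edge into it (cannot be assumed)."""
        return entity.etype in IDENTITY_TYPES and not any(
            src.etype in IDENTITY_TYPES and dst == entity
            for src, outs in self.edges.items() for dst, _ in outs)


def workflow_query(graph, source_type, dest_type, *, relationship=None, require=(),
                   exclude=(), source_attrs=None, permissions=None, match="any"):
    """Return rows (source, relationship_node, destination, permissions).

    A source/destination pair is a result when at least one path connects them.
    exclude: drop the pair if any path passes through one of these entity types.
    require: keep the pair only if each of these types appears on some path.
    relationship: like require for one type, and its node fills the extra column.
    permissions: "any" or "all" of the listed permissions must be in the union of
    permissions collected along the pair's paths.
    """
    if source_type == TOP_LEVEL_PRINCIPALS:
        sources = [n for n in graph.nodes if graph.is_top_level(n)]
    else:
        sources = [n for n in graph.nodes if n.etype == source_type]
    if source_attrs:
        sources = [s for s in sources
                   if all(s.attr(k) == v for k, v in source_attrs.items())]
    rows = []
    for src in sorted(sources, key=lambda e: e.name):
        by_dest = defaultdict(list)   # destination -> [(path, perms)]
        for path, perms in graph.paths(src, dest_type):
            by_dest[path[-1]].append((path, perms))
        for dest, hits in sorted(by_dest.items(), key=lambda kv: kv[0].name):
            inner = [n for path, _ in hits for n in path[1:-1]]
            inner_types = {n.etype for n in inner}
            if any(t in inner_types for t in exclude):
                continue
            if not all(t in inner_types for t in require):
                continue
            rel = next((n for n in inner if n.etype == relationship), None)
            if relationship and rel is None:
                continue
            eff = frozenset().union(*(p for _, p in hits))
            if permissions:
                wanted = set(permissions)
                if not (wanted <= eff if match == "all" else wanted & eff):
                    continue
            rows.append((src.name, rel.name if rel else None, dest.name, eff))
    return rows


def build_sample_graph():
    """Constructed sample data: two Okta users, a service account, groups, a role, two tables."""
    g = AccessGraph()
    alice = Entity("alice", "OktaUser", (("department", "Finance"),))
    bob = Entity("bob", "OktaUser", (("department", "Engineering"),))
    sf_alice = Entity("alice@snowflake", "SnowflakeUser")   # local account alice can assume
    fin_role = Entity("FIN_ANALYST", "SnowflakeRole")
    etl = Entity("svc-etl", "ServiceAccount")               # not tied to any upper-level identity
    fin_grp, eng_grp = Entity("finance", "IdPGroup"), Entity("engineering", "IdPGroup")
    ledger, payroll = Entity("LEDGER", "SnowflakeTable"), Entity("PAYROLL", "SnowflakeTable")
    g.add(alice, fin_grp); g.add(fin_grp, ledger, {"SELECT", "INSERT"})
    g.add(bob, eng_grp); g.add(eng_grp, ledger, {"SELECT"})
    g.add(alice, sf_alice); g.add(sf_alice, fin_role); g.add(fin_role, payroll, {"SELECT"})
    g.add(etl, payroll, {"INSERT"})
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    for row in workflow_query(g, TOP_LEVEL_PRINCIPALS, "SnowflakeTable"):
        print(row)
```

Excluding "IdPGroup" here returns only the alice to PAYROLL row (the one pair whose paths avoid a group), and setting relationship="SnowflakeRole" returns the same pair with FIN_ANALYST in the relationship column; the "All Top Level Principals" source drops alice@snowflake because alice can assume it, while the unlinked service account still appears.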

Workflow notifications and reminders

Click Notifications > Edit in the workflow builder to configure default email messages for certification reviewers.

Reviewers can be auto assigned when you create the certification. To ensure that these users receive a link to the certification, enable notifications When a certification has been started.

Workflow integrations

Click Configure Orchestration Actions in the workflow builder to enable webhooks or a ServiceNow instance to publish certification events to.
