Access Reviews for SoD

Create and manage access reviews directly from Separation of Duties queries.

Overview

Veza supports creating access reviews directly from Separation of Duties (SoD) queries. This can enable a streamlined sign-off and remediation process when users with conflicting entitlements are detected. There are two primary methods for integrating SoD with Veza Access Reviews:

  • 1-Step Access Reviews: Create an immediate review of current SoD query results

  • On-demand Access Reviews: Schedule recurring reviews, or trigger reviews whenever SoD results change

Both options provide ways to assign SoD conflicts to the appropriate reviewers for approval, rejection, and remediation. User access reviews can be used as documentation to capture the review of SoD results.

Note that users need the Administrator or Operator root team role to create Access Reviews.

1-Step Access Reviews

Use the 1-Step review creation workflow to create an access review with the latest query results. This is ideal for quickly acting on conflicting users, without creating a full configuration for on-demand or scheduled reviews.

For any saved query in Veza, you can open the query to view details, and expand the menu in the top right corner to view query actions. Choose the Launch Access Review option to create a review using the 1-step builder.

You can launch an access review directly from the Separation of Duties overview page:

  1. Open the Separation of Duties page and locate the query you want to review

  2. Open the "Actions" dropdown menu and select "Launch Access Review"

  3. Configure the review:

    • Review name: Enter a descriptive name for the review

    • Due date: Set the deadline for review completion

    • Reviewers: Assign default reviewers for all rows

    • Auto-assign reviewers: Optionally enable automatic assignment based on Veza metadata

    • Fallback reviewers: Specify reviewers to use when auto-assignment fails

    • Second-level Reviewers: Optionally require multi-level approval, if applicable

    • Access Intelligence: Enable display of risk scores and levels in the reviewer interface

  4. Choose to either:

    • Create and Publish: Make the review immediately available to assigned reviewers

    • Create: Save a draft review to preview and customize before publishing

After creation, you can manage the review through the Access Reviews interface. If created as a draft, you can make further adjustments to the review before publishing it and notifying reviewers.

On-demand Access Reviews

On-demand reviews can be triggered by rule conditions when SoD query results change, such as when new conflicts are detected, or when the total number of conflicts (the query results) exceeds a threshold. On-demand reviews use alert rules to initiate reviews from an existing review configuration. Reviewers are auto-assigned, and the review covers the query results at the time the rule is activated.

To enable on-demand reviews:

  1. Create a Review Configuration. Choose to use a saved query to define the review scope, select your SoD query, and save the configuration.

  2. On the Separation of Duties overview page, locate the SoD query for on-demand reviews

  3. Open the "Actions" dropdown menu and select "Manage Rules"

  4. Click "Add a new Rule" to open the rule builder

  5. Configure the rule:

    • Name and describe the rule

    • Set the severity level

    • Define trigger conditions (e.g., results increase by more than one)

  6. As the Action, choose "Create Review"

  7. Configure the on-demand review plan:

    • Select a review configuration for the SoD query

    • Set the review duration

    • Specify reviewer assignment options, if available

    • Configure any review intelligence rules

  8. Save the rule, and click "Save Query" to finalize the changes

When the rule conditions are met, Veza will automatically create a new access review with the specified settings, and notify the assigned reviewers.

See On-Demand Reviews for more information about using alerts and rule conditions to create access reviews.
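
The trigger conditions described above can be modeled locally to check which rule would open a review for a given change in SoD results. This is an added example, not Veza code or the Veza API: the entitlement names, users, the `Rule` fields, and the `sod_conflicts` and `evaluate` helpers are all assumptions made for illustration.

```python
"""Added illustration: local model of an SoD query and alert-rule triggers.
Entitlements, users and Rule fields are constructed; this is not Veza's API."""
from dataclasses import dataclass
from typing import Optional

# Constructed SoD policy: no user may hold both entitlements of a pair.
CONFLICTING_PAIRS = [("create_vendor", "approve_payment")]

# Constructed query inputs from two consecutive runs of the same SoD query.
PREVIOUS_GRANTS = {"alice": {"create_vendor", "approve_payment"}, "bob": {"create_vendor"}}
CURRENT_GRANTS = {"alice": {"create_vendor"}, "bob": {"create_vendor", "approve_payment"}}

def sod_conflicts(grants):
    """Return the set of (user, entitlement_a, entitlement_b) violations."""
    found = set()
    for user, entitlements in grants.items():
        for a, b in CONFLICTING_PAIRS:
            if a in entitlements and b in entitlements:
                found.add((user, a, b))
    return found

@dataclass
class Rule:
    name: str
    increase_by_more_than: Optional[int] = None  # change in result count between runs
    total_exceeds: Optional[int] = None          # absolute result count
    on_new_conflict: bool = False                # any row absent from the previous run

def evaluate(rule, previous, current):
    """Decide whether the rule opens a review; the review covers current results."""
    fired = False
    if rule.increase_by_more_than is not None:
        fired |= len(current) - len(previous) > rule.increase_by_more_than
    if rule.total_exceeds is not None:
        fired |= len(current) > rule.total_exceeds
    if rule.on_new_conflict:
        fired |= bool(current - previous)
    rows = sorted(current) if fired else []
    return {"rule": rule.name, "create_review": fired, "review_rows": rows}

if __name__ == "__main__":
    prev, curr = sod_conflicts(PREVIOUS_GRANTS), sod_conflicts(CURRENT_GRANTS)
    for rule in (Rule("count-delta", increase_by_more_than=1),
                 Rule("threshold", total_exceeds=0),
                 Rule("new-conflict", on_new_conflict=True)):
        print(evaluate(rule, prev, curr))
```

In this model, one conflict is remediated while another appears, so the result count stays the same: the count-delta rule does not fire, while the new-conflict and threshold rules do.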

Scheduling Reviews

To conduct recurring reviews on a schedule, you will first need to create a review configuration. You can create a review configuration using the SoD query, and then enable scheduled reviews for the configuration.

  1. Create a Review Configuration. Choose to use a saved query to define the review scope, select your SoD query, and save the configuration

  2. On the Access Reviews > Configurations page, find the new configuration and choose Actions > Create Schedule

  3. Set the Duration of created reviews

  4. Choose the Frequency: Weekly, Biweekly, Monthly, Every other Month, or Quarterly

  5. Choose a Start Date for the schedule

  6. Choose the days of the week, time of day, and time zone to create reviews

  7. Assign default reviewers

  8. Save the schedule

See Schedule an Access Review for more details.

Managing Reviews

All reviews created from SoD queries, whether 1-Step or on-demand, are managed through the Access Reviews interface. From there, operators can:

  • Monitor review progress

  • Modify reviewer assignments if needed

  • Send reminders to reviewers

  • View decision history

  • Export review results

See the Access Reviews documentation for more information on managing reviews, including reviewer assignment, decision-making workflows, and reporting capabilities.

Integration with Access Reviews Features

Reviews generated from SoD queries support all standard Access Reviews features, including:
