Access Reviews

Access Reviews terms and definitions in the Veza platform.

Access Review Scope

A query including a source entity type, destination entity type, and other search parameters defining the access under review. Individual reviews will show the query results as rows for review and sign-off, based on a historical snapshot or the current graph data.

  • Queries can be very broad (All Users to All Resources) or very specific, including filters on tags, property-based constraints, and intermediate node requirements.

  • Each query has a source and optionally a destination node. Entities of the Source type are included in the results for review and attestation if a relationship exists between that entity and another entity of the Destination type.

  • Results shown in the reviewer interface include source and destination entity details, the effective permissions for that relationship, and optionally, a summary of the path that made the connection.

Related documentation: Access Review Scope

Access Reviews

Features for user access and entitlement review. Access Reviews provide a framework for repeatable, multi-user review processes with a full audit trail, using the power of Veza graph search.

Related documentation: Access Reviews

Complete

Status indicating that all review rows were signed off by the due date.

Related documentation: Complete

Default Reviewer

Individuals explicitly specified as Reviewers (for all results) when creating a review.

Related documentation: Default Reviewer

Delegate Reviewer

An alternate user assigned to carry out the responsibilities of an original user who would be auto-assigned as a reviewer but is unavailable.

Related documentation: Delegate Reviewer

Expired

Status indicating that not all rows were signed off in a review by the due date.

Related documentation: Expired

Fallback Reviewers

Fallback Reviewers are specified when creating a review and assigned when rules prevent the assignment of the original user, or when a manager does not exist for a row.

Related documentation: Fallback Reviewers

Filter

In the context of an access review scope, graph, or query builder search, filters apply constraints based on attributes, tags, or permissions. When reviewing access, filters limit the number of results shown at one time and can be used to act on many results with the same attribute at once.

  • Filters can apply to the source or destination entity, or an intermediate entity property (such as Last Login).

  • In the reviewer interface, filters can apply to result properties such as decision state (Signed Off).

  • Bulk actions can be used to act on all review rows matching a filter.

Related documentation: Filter

Global IdP Settings

System-wide setting to enable reviewer recommendation and manager auto-assignment using an integrated Identity Provider. This enables any user in your organization to log in with Single Sign-On and review their assigned rows.

Related documentation: Global IdP Settings

Managers

In the context of an access review, a manager is another user from your identity provider, specified in the manager attribute of the source entity. When this metadata is available, managers can be suggested or auto-assigned to each row.

Related documentation: Managers

Managers and Resource Owners

Managers or owners of resources, assigned as reviewers for an access review. Veza can identify potential reviewers using metadata from an identity provider, or with Veza Tags. Resource owners can be assigned as reviewers using auto-assignment.

Related documentation: Managers and Resource Owners

Mark as Fixed

Operator action to indicate that the recommendation has been carried out for a row. Rejected and Signed-off items can be Marked as Fixed to log that remediation took place.

Related documentation: Mark as Fixed

Notifications and Reminders

Emails sent to update users involved in an access review, including notifications when rows are reassigned, and reminders about inactivity and deadlines.

Related documentation: Notifications and Reminders

Pending

Status for reviews that are not expired, and still have items pending sign-off.

Related documentation: Pending

Presentation Rule

Support-enabled option to highlight special rows such as disabled users, based on filter criteria.

Related documentation: Presentation Rule

Reassign

Reviewer or operator action assigning one or more rows to another reviewer, after a review has begun.

Related documentation: Reassign

Reminder

Type of email notification sent to remind reviewers and stakeholders that action is needed due to inactivity or approaching deadlines. Final reminders can also be configured to escalate remaining tasks.

Related documentation: Reminder

Review Actions

When reviewing their assigned rows, reviewers will:

  • Accept: Reviewer decision to approve the access specified in the row (as legitimate access).

  • Reject: Reviewer decision to refute the current access as illegitimate. Reject actions can trigger remediation processes using webhook integrations.

  • Sign Off: Action to finalize the decision for a row, making it immutable. Signed-off items can be marked as fixed by operators.

Reviewers can also re-assign rows to another user, add a note, or view more details.

Related documentation: Review Actions

Review Row

A row in an access review describes a source entity, and typically its permissions on a destination entity. Depending on the review scope, rows can describe a single entity, a relationship between two entities, or include a summary of intermediate entities such as groups, roles, or projects.

Reviewer Auto-Assignment

Option to assign managers and resource owners as reviewers using metadata Veza has discovered, with fallback reviewers if a match can't be found or a rule prevents review. Auto-assignment enables review owners to assign many reviewers at once, either to specific reviewers, or to resource or team managers using metadata from an identity provider, or Veza Tags. The identity provider must be integrated with Veza and Global IdP Settings must be enabled.

Related documentation: Reviewer Auto-Assignment

Reviewer Deny List

Global list of users who are blocked from being assigned as reviewers.

Related documentation: Reviewer Deny List

Show Relationship

Review scope option, enabling visibility into a single connecting entity and its properties, existing between the source and destination nodes. The reviewer interface will include optional columns for each intermediate attribute, such as the name and type of the connecting group or role.

Related documentation: Show Relationship

Summary Entities

Review scope option, enabling visibility into the RBAC configuration granting access to the destination entity. When configured, reviews will include a default Summary Entities column, showing the names and sequence of selected entities when they connect the source and destination. For example, when a group is selected as a summary entity, the column will contain either:

  • Group 1 (indicating access is granted directly by that group)

  • Group 1 > Group 2 (indicating that the first group allows access to the second).

Related documentation: Summary Entities

Uncertified

Status for pending reviews with no signed-off items.

Related documentation: Uncertified

