Global Settings APIs

Use these APIs to configure global settings for Veza Access Reviews.

At present, the settings that can be configured by a Veza administrator are:

• Auto-completion: Automatically complete reviews once all rows have a signed-off decision, or a non-rejected signed-off decision.

• Completion requirements: Enable review completion at any time, or only when all rows are signed off with a non-rejected decision.

• Data Source Status Acknowledgement: Require review creators to view and acknowledge the data source status shown at review creation.

• Overdue Review Expiration: Enable or disable expiration of overdue reviews.

• Review Expiration Behavior: Reject and sign off incomplete rows when a review expires.

• Self Review Prevention: Prevent users from being assigned as reviewers for rows that relate to their own access and permissions.

• Column Customization: Configure default columns which reviewers will see when they open a review.

• UI Customization: Set whether notes are required when approving or rejecting access.

• Sort Order: Set the default sort order and sorting column when opening a review.

• Predefined Decision Notes: Add suggested notes as menu options when reviewers approve or reject rows.

• Reviewer Export Permissions: Control whether reviewers can export review data to CSV or PDF formats.

For each endpoint, a GET request returns the current setting, and a PUT request updates the setting. Use your unique Veza URL and API key in your request, for example:

curl -X PUT 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/cert_completion_settings' \
-H 'authorization: Bearer mZ1eqKMACtP...' \
-d '{"value": "AUTO_COMPLETE_DISABLED"}'

Optionally, you can use the Postman collection linked below to customize Access Reviews global settings:

Review Completion Allowed Settings

Customize the requirements for completing a review.

Example:

{
    "value": "COMPLETION_ALLOWED_ALL_ROWS_HAVE_DECISION"
}

An Admin or Operator user can complete a review by clicking the "Complete Review" button.

Once a review is marked as "completed," it becomes read-only and is no longer visible to reviewers. By default, a review can be completed when all rows have a signed-off decision.

This API allows you to modify this behavior, enabling a review to be completed at any time, or only when all rows are signed off with a non-rejected decision. The latter option is useful if your organization prefers to complete reviews only after all rejected access has been remediated.

Possible values are:

• COMPLETION_ALLOWED_UNKNOWN = 0

• COMPLETION_ALLOWED_ALL_ROWS_HAVE_DECISION = 1 (Review can be completed only when all result rows have a decision)

• COMPLETION_ALLOWED_ANYTIME = 2 (Review can be completed any time)

Get Review Completion Allowed Settings

Set Review Completion Allowed Settings

Review Auto-Complete Settings

Enable or disable the "auto-complete" feature. When auto-complete is enabled, a review will automatically be completed once all rows have a signed-off decision, or a non-rejected signed-off decision, depending on the "Completion Allowed Settings."

Possible values are:

• AUTO_COMPLETE_UNKNOWN

• AUTO_COMPLETE_ENABLED

• AUTO_COMPLETE_DISABLED

Example:

{
    "value": "AUTO_COMPLETE_DISABLED"
}

Get Review Auto-Complete Settings

Set Review Auto-Complete Settings

Self Review Prevention

Enable or disable self-review prevention. When self-review prevention is enabled, users are prevented from being assigned as reviewers for rows that relate to their own access and permissions.

The value can be:

• SELF_REVIEWER_CHECKING_UNKNOWN = 0

• SELF_REVIEWER_CHECKING_DISABLED = 1

• SELF_REVIEWER_CHECKING_ENABLED = 2

{
    "value": "SELF_REVIEWER_CHECKING_DISABLED"
}

Review UI Customizations

By default, when a reviewer approves a row, a "notes" pop-up appears, allowing the user to optionally add a note explaining their decision. When a reviewer rejects a row, the "notes" pop-up appears, and adding a note is required. This API allows you to customize this behavior. For example, you can choose to disable the pop-up when a row is approved and make the notes pop-up optional when a row is rejected.

Additionally, this API can enable the historical "Approve & Signoff" action in the reviewer experience when multiple rows are selected. Note: It is recommended that this feature remains disabled to ensure a more streamlined reviewer experience.

Example:

{
    "value": {
        "diff_dropdown_behavior": "ALWAYS_HIDE_FOR_ACCESS_REVIEWER_ROLE",
        "accept_notes_behavior": "NO_POP_UP",
        "reject_notes_behavior": "POP_UP_REQUIRED",
        "approve_and_sign_off_button_behavior": "SHOW"
    }
}

accept_notes_behavior can be:

• NOTES_BEHAVIOR_UNKNOWN = 0

• NO_POP_UP = 1

• POP_UP_OPTIONAL = 2

• POP_UP_REQUIRED = 3

reject_notes_behavior can be:

• NOTES_BEHAVIOR_UNKNOWN = 0

• NO_POP_UP = 1

• POP_UP_OPTIONAL = 2

• POP_UP_REQUIRED = 3

approve_and_sign_off_button_behavior can be:

• HIDE_OR_SHOW_BEHAVIOR_UNKNOWN = 0

• SHOW = 1

• HIDE = 2

diff_dropdown_behavior can be:

• NORMAL = 1 (Enables all users to see decisions and access changes from previous reviews for the same configuration)

• ALWAYS_HIDE_FOR_ACCESS_REVIEWER_ROLE = 2 (Prevents users with the "Access Reviewer" role from accessing this option)

Review Column Defaults

This API configures the default columns which reviewers will see when they open a review. If workflow_id is specified then the configuration will only be applied to reviews related to the particular Review Configuration identified by workflow_id.

The valid values to show entity attributes include:

• source.ATTR

• destination.ATTR

• waypoint.ATTR

• path_summary.ATTR

• idp.ATTR

Where ATTR is an attribute name such as "id" or "name".

The following column values are also valid:

• status

• abstract_permissions

• concrete_permissions

• updated_at

• notes

• reviewers

• decision

• decision_by

• decision_by_id

• decision_by_name

• decision_by_email

• decision_at

• marked_fixed_by_id

• marked_fixed_by_name

• marked_fixed_by_email

• marked_fixed_at

• signed_off_state

• signed_off_by_id

• signed_off_by_name

• signed_off_by_email

• signed_off_at

• notification_status

• automation_run_ids

• no_decision_or_decision_by

• Is_signed_off

Example:

{
  "value": {
    "default_ordered_columns": [
      "source.name",
      "source.department",
      "source.customprop_worker_status",
      "source.tags",
      "path_summary.name",
      "concrete_permissions",
      "destination.name",
      "destination.customprop_display_name",
      "reviewers"
    ]
  },
  "workflow_id": "002063d2-7898-4183-b5fb-1192758fdec7"
}

Review Default Sort Order

Configure the default order in which review rows are displayed. Note: Users can later sort the rows as they prefer.

The order is specified using a SCIM "order by" expression. The default value is source.type asc.

Valid values include:

• source.ATTR

• destination.ATTR

• waypoint.ATTR

• idp.ATTR

Where ATTR is an attribute name such as "id" or "name".

Example

{
    "value": {
        "order_by": "destination.name desc"
    }
}

Expire Overdue Reviews

This setting is configurable on the Access Reviews > Settings page. Enable Auto-Expire overdue reviews to automatically expire reviews that aren't completed by the due date.

Enables or disable expiration of overdue reviews. By default, overdue reviews are not expired and remain available to reviewers. When expiration is enabled, the review will be "expired" when it becomes overdue. An expired review is read-only and is not shown to reviewers.

The value can be True or False.

Review Expiration Behavior

This setting is configurable on the Access Reviews > Settings page. Enable Reject incomplete rows to reject and sign off on undecided rows when a review expires.

This API allows you to change the behavior when a review expires (which can be enabled in Review Auto-Complete Settings). Depending on the behavior, incomplete rows can be auto-rejected when the review deadline passes.

Possible values are:

• DO_NOTHING: No action is made on incomplete rows (default).

• AUTO_REJECT_INCOMPLETE_RESULTS: Reject and sign-off any results that are incomplete when the review expires.

Review expiration behavior can be configured globally, or for all reviews for a single Review, specified by workflow_id in the request.

Get Review Expiration Behavior

Set Review Expiration Behavior

Data Source Acknowledgement Settings

By default, when a review is created, a user can optionally view the status of the data sources involved in the review. This API allows the behavior to change, requiring that the data source status is shown to the user and acknowledged during review creation.

Possible values are:

• DATASOURCE_ACKNOWLEDGEMENT_UNKNOWN = 0

• DATASOURCE_ACKNOWLEDGEMENT_NOT_SHOWN = 1

• DATASOURCE_ACKNOWLEDGEMENT_REQUIRED = 2

Predefined Decision Notes

Configure predefined notes as menu options when reviewers approve or reject rows. This feature can be configured globally for all reviews or specifically for individual review configurations. When configured for a specific review configuration (using workflow_id), those settings override any global predefined notes.

The predefined notes appear as selectable options in the notes dialog when making decisions, suggesting standardized responses alongside free-form text entry.

Example request body:

{
    "value": {
        "reject_notes": [
            "Rotate now",
            "Delete secret"
        ],
        "accept_notes": []
    },
    "workflow_id": "8ae1c414-3a76-46cb-950a-925316b3f264"  // Optional
}

The request body accepts:

• reject_notes: Array of predefined note options shown when rejecting rows

• accept_notes: Array of predefined note options shown when approving rows

• workflow_id: (Optional) Specific review configuration ID to override global settings

Get Predefined Notes Settings

Retrieve the current predefined notes settings. Include the optional workflow_id query parameter to get settings for a specific review configuration.

Global Settings Request:

curl -L 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/predefined_decision_notes' \
-H 'Authorization: Bearer YOUR_API_KEY'

Configuration-Specific Request:

curl -L 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/predefined_decision_notes?workflow_id=8ae1c414-3a76-46cb-950a-925316b3f264' \
-H 'Authorization: Bearer YOUR_API_KEY'

Example response:

{
    "value": {
        "reject_notes": [
            "Rotate now",
            "Delete secret"
        ],
        "accept_notes": []
    }
}

Set Predefined Notes Settings

Update the predefined notes settings globally or for a specific review configuration.

Configuration-Specific Request:

curl -L -X PUT 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/predefined_decision_notes' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer YOUR_API_KEY' \
-d '{
    "value": {
        "reject_notes": [
            "Rotate now",
            "Delete secret"
        ],
        "accept_notes": []
    },
    "workflow_id": "8ae1c414-3a76-46cb-950a-925316b3f264"
}'

Reviewer Export Settings

Control whether reviewers can view and export access review data. This setting provides granular control over different export formats, allowing administrators to enable or disable CSV and PDF exports independently based on organizational security policies.

When enabled, reviewers can export review data in the allowed formats for offline analysis or reporting. When disabled, the corresponding export options are hidden from the reviewer interface, ensuring review data remains within the Veza platform.

The default setting disables both CSV and PDF exports for security. This setting can be configured globally for all reviews or for specific review configurations using the workflow_id parameter.

Example request body:

{
  "value": {
    "allow_csv_exports": true,
    "allow_pdf_exports": false
  },
  "workflow_id": "8ae1c414-3a76-46cb-950a-925316b3f264"  // Optional
}

The request body accepts:

• allow_csv_exports (boolean) - Enable or disable CSV export functionality for reviewers

• allow_pdf_exports (boolean) - Enable or disable PDF export functionality for reviewers

• workflow_id (optional string) - Specific review configuration ID to override global settings

Get Reviewer Export Settings

Retrieve the current reviewer export permission settings. Include the optional workflow_id query parameter to get settings for a specific review configuration.

Global Settings Request:

curl -L 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/allow_reviewer_exports' \
-H 'Authorization: Bearer YOUR_API_KEY'

Configuration-Specific Request:

curl -L 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/allow_reviewer_exports?workflow_id=8ae1c414-3a76-46cb-950a-925316b3f264' \
-H 'Authorization: Bearer YOUR_API_KEY'

Example response:

{
  "value": {
    "allow_csv_exports": false,
    "allow_pdf_exports": false
  }
}

Set Reviewer Export Settings

Update the reviewer export permission settings globally or for a specific review configuration.

Global Settings Request:

curl -L -X PUT 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/allow_reviewer_exports' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer YOUR_API_KEY' \
-d '{
  "value": {
    "allow_csv_exports": true,
    "allow_pdf_exports": false
  }
}'

Configuration-Specific Request:

curl -L -X PUT 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/allow_reviewer_exports' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer YOUR_API_KEY' \
-d '{
  "value": {
    "allow_csv_exports": true,
    "allow_pdf_exports": false
  },
  "workflow_id": "8ae1c414-3a76-46cb-950a-925316b3f264"
}'

Example response:

{}