Self Review Prevention

Prevent users from being assigned as reviewers for rows that relate to their own access and permissions.

Enable or disable self-review prevention. When self-review prevention is enabled, users are prevented from being assigned as reviewers for rows that relate to their own access and permissions.

Parameters

The value can be either an integer or string:

  • SELF_REVIEWER_CHECKING_DISABLED = 1 (or "SELF_REVIEWER_CHECKING_DISABLED" as string)

  • SELF_REVIEWER_CHECKING_ENABLED = 2 (or "SELF_REVIEWER_CHECKING_ENABLED" as string)

Examples

Example using string value:

{
    "value": "SELF_REVIEWER_CHECKING_DISABLED"
}

Example using integer value:

{
    "value": 1
}

Example cURL request:

curl -L -X PUT 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/self_reviewer_settings' \
  -H 'Authorization: Bearer YOUR_SECRET_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{
    "value": 1
  }'

Get Self Review Settings

Set Self Review Settings

Review Auto-Complete Settings

Enable or disable automatic review completion once all rows have decisions.

Enable or disable the "auto-complete" feature. When auto-complete is enabled, a review will automatically be completed once all rows have a signed-off decision, or a non-rejected signed-off decision, depending on the "Completion Allowed Settings."

Parameters

Possible values are:

  • AUTO_COMPLETE_UNKNOWN

  • AUTO_COMPLETE_ENABLED

  • AUTO_COMPLETE_DISABLED

Example

{
    "value": "AUTO_COMPLETE_DISABLED"
}

Get Review Auto-Complete Settings

Set Review Auto-Complete Settings

Predefined Decision Notes

Add suggested notes for reviewer decisions.

Configure predefined notes as menu options when reviewers approve or reject rows. This feature can be configured globally for all reviews or specifically for individual review configurations. When configured for a specific review configuration (using workflow_id), those settings override any global predefined notes.

The predefined notes appear as selectable options in the notes dialog when making decisions, suggesting standardized responses alongside free-form text entry.

Parameters

The request body accepts:

  • reject_notes: Array of predefined note options shown when rejecting rows

  • accept_notes: Array of predefined note options shown when approving rows

  • workflow_id: (Optional) Specific review configuration ID to override global settings

Example

Example request body:

{
    "value": {
        "reject_notes": [
            "Rotate now",
            "Delete secret"
        ],
        "accept_notes": []
    },
    "workflow_id": "8ae1c414-3a76-46cb-950a-925316b3f264"
}

Get Predefined Notes Settings

Retrieve the current predefined notes settings. Include the optional workflow_id query parameter to get settings for a specific review configuration.

Global Settings Request:

curl -L 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/predefined_decision_notes' \
-H 'Authorization: Bearer YOUR_API_KEY'

Configuration-Specific Request:

curl -L 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/predefined_decision_notes?workflow_id=8ae1c414-3a76-46cb-950a-925316b3f264' \
-H 'Authorization: Bearer YOUR_API_KEY'

Example response:

{
    "value": {
        "reject_notes": [
            "Rotate now",
            "Delete secret"
        ],
        "accept_notes": []
    }
}

Set Predefined Notes Settings

Update the predefined notes settings globally or for a specific review configuration.

Configuration-Specific Request:

curl -L -X PUT 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/predefined_decision_notes' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer YOUR_API_KEY' \
-d '{
    "value": {
        "reject_notes": [
            "Rotate now",
            "Delete secret"
        ],
        "accept_notes": []
    },
    "workflow_id": "8ae1c414-3a76-46cb-950a-925316b3f264"
}'

Review Completion Settings

Customize the requirements for completing a review.

An Admin or Operator user can complete a review by clicking the "Complete Review" button.

Once a review is marked as "completed," it becomes read-only and is no longer visible to reviewers. By default, a review can be completed when all rows have a signed-off decision.

This API allows you to modify this behavior, enabling a review to be completed at any time, or only when all rows are signed off with a non-rejected decision. The latter option is useful if your organization prefers to complete reviews only after all rejected access has been remediated.

Parameters

Possible values are:

  • COMPLETION_ALLOWED_UNKNOWN = 0

  • COMPLETION_ALLOWED_ALL_ROWS_HAVE_DECISION = 1 (Review can be completed only when all result rows have a decision)

  • COMPLETION_ALLOWED_ANYTIME = 2 (Review can be completed any time)

Example

{
    "value": "COMPLETION_ALLOWED_ALL_ROWS_HAVE_DECISION"
}

Get Review Completion Settings

Set Review Completion Settings

Review Expiration Behavior

Configure what happens when reviews expire.

This setting is configurable on the Access Reviews > Settings page. Enable "Reject incomplete rows" to reject and sign off on undecided rows when a review expires.

This API allows you to change the behavior when a review expires (which can be enabled in Review Auto-Complete Settings). Depending on the behavior, incomplete rows can be auto-rejected when the review deadline passes.

Review expiration behavior can be configured globally, or for all reviews for a single Review Configuration, specified by workflow_id in the request.

Request Structure

The request body must include a setting object with the following structure:

{
  "workflow_id": "string",
  "setting": {
    "behavior": 0,
    "note_to_add": "string"
  }
}

Parameters

Where:

  • workflow_id (string, optional): Specific review configuration ID. If omitted, applies globally to all reviews.

  • setting.behavior (integer): The expiration behavior mode:

    • 0 = DO_NOTHING: No action is taken on incomplete rows (default)

    • 1 = AUTO_REJECT_INCOMPLETE_RESULTS: Reject and sign-off any results that are incomplete when the review expires

  • setting.note_to_add (string, optional): Note to be added when auto-rejecting incomplete results

Example

Example request:

{
  "workflow_id": "string",
  "setting": {
    "behavior": 1,
    "note_to_add": "Rejected incomplete result due to review expiration."
  }
}

Get Review Expiration Behavior

Set Review Expiration Behavior

Review UI Customizations

Customize notes behavior and UI elements for reviewers.

By default, when a reviewer approves a row, a "notes" pop-up appears, allowing the user to optionally add a note explaining their decision. When a reviewer rejects a row, the "notes" pop-up appears, and adding a note is required. This API allows you to customize this behavior. For example, you can choose to disable the pop-up when a row is approved and make the notes pop-up optional when a row is rejected.

Additionally, this API can enable the historical "Approve & Signoff" action in the reviewer experience when multiple rows are selected. Note: It is recommended that this feature remains disabled to ensure a more streamlined reviewer experience.

Parameters

accept_notes_behavior can be:

  • NOTES_BEHAVIOR_UNKNOWN = 0

  • NO_POP_UP = 1

  • POP_UP_OPTIONAL = 2

  • POP_UP_REQUIRED = 3

reject_notes_behavior can be:

  • NOTES_BEHAVIOR_UNKNOWN = 0

  • NO_POP_UP = 1

  • POP_UP_OPTIONAL = 2

  • POP_UP_REQUIRED = 3

approve_and_sign_off_button_behavior can be:

  • HIDE_OR_SHOW_BEHAVIOR_UNKNOWN = 0

  • SHOW = 1

  • HIDE = 2

diff_dropdown_behavior can be:

  • NORMAL = 1 (Enables all users to see decisions and access changes from previous reviews for the same configuration)

  • ALWAYS_HIDE_FOR_ACCESS_REVIEWER_ROLE = 2 (Prevents users with the "Access Reviewer" role from accessing this option)

Example

{
    "value": {
        "diff_dropdown_behavior": "ALWAYS_HIDE_FOR_ACCESS_REVIEWER_ROLE",
        "accept_notes_behavior": "NO_POP_UP",
        "reject_notes_behavior": "POP_UP_REQUIRED",
        "approve_and_sign_off_button_behavior": "SHOW"
    }
}

Get Review UI Customizations

Set Review UI Customizations

Review Sort Order

Set default sort order for review rows.

Configure the default order in which review rows are displayed. Note: Users can later sort the rows as they prefer.

The order is specified using a SCIM "order by" expression. The default value is source.type asc.

Valid Values

Valid values include:

  • source.ATTR

  • destination.ATTR

  • waypoint.ATTR

  • idp.ATTR

Where ATTR is an attribute name such as "id" or "name".

Example

Get Review Sort Order

Set Review Sort Order

Get Self-Reviewer Settings

Method: GET

Header parameters

  • Accept (string, optional). Example: application/json

Responses

  • 200 OK (application/json): object

Example request:

GET /api/private/workflows/access/global_settings/self_reviewer_settings HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*

Example response (200 OK):

{
  "value": "SELF_REVIEWER_CHECKING_DISABLED"
}

Set Self-Reviewer Settings

Method: PUT

Header parameters

  • Content-Type (string, optional). Example: application/json

  • Accept (string, optional). Example: application/json

Body

  • value (optional), one of:

    • integer enum: 1 = SELF_REVIEWER_CHECKING_DISABLED, 2 = SELF_REVIEWER_CHECKING_ENABLED

    • string enum: String values for self-review prevention settings

Responses

  • 200 OK (application/json): object

Example request:

PUT /api/private/workflows/access/global_settings/self_reviewer_settings HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 11

{
  "value": 1
}

Example response (200 OK):

{
  "value": "SELF_REVIEWER_CHECKING_DISABLED"
}

Get Auto-Complete Settings

Method: GET

Header parameters

  • Accept (string, optional). Example: application/json

Responses

  • 200 OK (application/json): object

Example request:

GET /api/private/workflows/access/global_settings/cert_auto_complete_settings HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*

Example response (200 OK):

{
  "value": "AUTO_COMPLETE_DISABLED"
}

Set Auto-Complete Settings

Method: PUT

Header parameters

  • Content-Type (string, optional). Example: application/json

  • Accept (string, optional). Example: application/json

Body

  • object (optional). Example: {"value":"<integer>"}

Responses

  • 200 OK (application/json): object

Example request:

PUT /api/private/workflows/access/global_settings/cert_auto_complete_settings HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 21

{
  "value": "<integer>"
}

Example response (200 OK):

{
  "value": "AUTO_COMPLETE_DISABLED"
}

Get Completion Allowed Settings

Method: GET

Header parameters

  • Accept (string, optional). Example: application/json

Responses

  • 200 OK (application/json): object

Example request:

GET /api/private/workflows/access/global_settings/cert_completion_settings HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*

Example response (200 OK):

{
  "value": "COMPLETION_ALLOWED_ALL_ROWS_HAVE_DECISION"
}

Set Certification Completion Allowed Settings

Method: PUT

Header parameters

  • Content-Type (string, optional). Example: application/json

  • Accept (string, optional). Example: application/json

Body

  • object (optional). Example: {"value":"<integer>"}

Responses

  • 200 OK (application/json): object

Example request:

PUT /api/private/workflows/access/global_settings/cert_completion_settings HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 21

{
  "value": "<integer>"
}

Example response (200 OK):

{
  "value": "COMPLETION_ALLOWED_ALL_ROWS_HAVE_DECISION"
}

Get Review Expiration Settings

Method: GET

Query parameters

  • workflow_id (string, optional). Example: <string>

Header parameters

  • Accept (string, optional). Example: application/json

Responses

  • 200 OK (application/json): object

Example request:

GET /api/private/workflows/access/global_settings/review_expiration_behavior HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*

Example response (200 OK):

{
  "value": "AUTO_REJECT_INCOMPLETE_RESULTS",
  "setting": {
    "behavior": 0,
    "note_to_add": "Rejected incomplete result due to review expiration."
  }
}

Set Review Expiration Settings

Method: PUT

Header parameters

  • Content-Type (string, optional). Example: application/json

  • Accept (string, optional). Example: application/json

Body

  • workflow_id (string, optional): Optional workflow ID for configuration-specific settings

Responses

  • 200 OK (application/json): object

Example request:

PUT /api/private/workflows/access/global_settings/review_expiration_behavior HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 118

{
  "workflow_id": "string",
  "setting": {
    "behavior": 1,
    "note_to_add": "Rejected incomplete result due to review expiration."
  }
}

Example response (200 OK):

{
  "value": "AUTO_REJECT_INCOMPLETE_RESULTS",
  "setting": {
    "behavior": 1,
    "note_to_add": "Rejected incomplete result due to review expiration."
  }
}

Get Review Customization Settings

Method: GET

Header parameters

  • Accept (string, optional). Example: application/json

Responses

  • 200 OK (application/json): object

Example request:

GET /api/private/workflows/access/global_settings/ui_customization_settings HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*

Example response (200 OK):

{
  "value": {
    "diff_dropdown_behavior": "ALWAYS_HIDE_FOR_ACCESS_REVIEWER_ROLE",
    "accept_notes_behavior": "NO_POP_UP",
    "reject_notes_behavior": "POP_UP_REQUIRED",
    "approve_and_sign_off_button_behavior": "SHOW"
  }
}

Set Review Customization Settings

Method: PUT

Header parameters

  • Content-Type (string, optional). Example: application/json

  • Accept (string, optional). Example: application/json

Body

  • object (optional). Example: {"value":{"diff_dropdown_behavior":"<integer>","accept_notes_behavior":"<integer>","reject_notes_behavior":"<integer>","approve_and_sign_off_button_behavior":"<integer>"}}

Responses

  • 200 OK (application/json): object

Example request:

PUT /api/private/workflows/access/global_settings/ui_customization_settings HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 171

{
  "value": {
    "diff_dropdown_behavior": "<integer>",
    "accept_notes_behavior": "<integer>",
    "reject_notes_behavior": "<integer>",
    "approve_and_sign_off_button_behavior": "<integer>"
  }
}

Example response (200 OK):

{
  "value": {
    "diff_dropdown_behavior": "ALWAYS_HIDE_FOR_ACCESS_REVIEWER_ROLE",
    "accept_notes_behavior": "NO_POP_UP",
    "reject_notes_behavior": "POP_UP_REQUIRED",
    "approve_and_sign_off_button_behavior": "SHOW"
  }
}

Review Sort Order, example request body:

{
    "value": {
        "order_by": "destination.name desc"
    }
}

Get Review Sort Settings

Method: GET

Header parameters

  • Accept (string, optional). Example: application/json

Responses

  • 200 OK (application/json): object

Set Review Sort Settings

Method: PUT

Header parameters

  • Content-Type (string, optional). Example: application/json

  • Accept (string, optional). Example: application/json

Body

  • object (optional). Example: {"value":{"order_by":"<string>"}}

Responses

  • 200 OK (application/json): object

Review Column Defaults

Configure default columns and visibility for reviewers.

This API configures the default columns which reviewers will see when they open a review, as well as columns that should be hidden from reviewers but visible to administrators. If workflow_id is specified then the configuration will only be applied to reviews related to the particular Review Configuration identified by workflow_id.

The request body includes two main fields:

  • default_ordered_columns: Array of column names that will be visible to all users (reviewers, administrators, and operators)

  • hide_from_reviewers_columns: Array of column names that will be hidden from users with the reviewer role but remain visible to administrators and operators

Validation Rules

Important validation rules:

  • Column names cannot appear in both default_ordered_columns and hide_from_reviewers_columns simultaneously

  • Column names cannot be empty strings

  • Column names cannot contain spaces or commas

  • The system validates these constraints and returns an error if violations are found

Valid Column Values

The valid values to show entity attributes include:

  • source.ATTR

  • destination.ATTR

  • waypoint.ATTR

  • path_summary.ATTR

  • idp.ATTR

Where ATTR is an attribute name such as "id" or "name".

The following column values are also valid:

  • status

  • abstract_permissions

  • concrete_permissions

  • updated_at

  • notes

  • reviewers

  • decision

  • decision_by

  • decision_by_id

  • decision_by_name

  • decision_by_email

  • decision_at

  • marked_fixed_by_id

  • marked_fixed_by_name

  • marked_fixed_by_email

  • marked_fixed_at

  • signed_off_state

  • signed_off_by_id

  • signed_off_by_name

  • signed_off_by_email

  • signed_off_at

  • notification_status

  • automation_run_ids

  • no_decision_or_decision_by

  • Is_signed_off
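
The validation rules and documented column values above can be checked locally before a PUT to ui_column_settings. The following Python check is an added example, not Veza's code; the function names and the character set accepted for ATTR are assumptions.

```python
import re

# Entity prefixes and fixed column names as listed on this page.
ENTITY_PREFIXES = ("source", "destination", "waypoint", "path_summary", "idp")
NAMED_COLUMNS = {
    "status", "abstract_permissions", "concrete_permissions", "updated_at",
    "notes", "reviewers", "decision", "decision_by", "decision_by_id",
    "decision_by_name", "decision_by_email", "decision_at",
    "marked_fixed_by_id", "marked_fixed_by_name", "marked_fixed_by_email",
    "marked_fixed_at", "signed_off_state", "signed_off_by_id",
    "signed_off_by_name", "signed_off_by_email", "signed_off_at",
    "notification_status", "automation_run_ids",
    "no_decision_or_decision_by", "Is_signed_off",
}
# Assumption: ATTR consists of letters, digits and underscores.
ENTITY_COLUMN = re.compile(r"(?:%s)\.[A-Za-z0-9_]+" % "|".join(ENTITY_PREFIXES))

FIELDS = ("default_ordered_columns", "hide_from_reviewers_columns")


def is_documented(name):
    """True if the name matches a column form documented on this page."""
    return name in NAMED_COLUMNS or ENTITY_COLUMN.fullmatch(name) is not None


def validate_columns(value):
    """Check the "value" object of a ui_column_settings request body.

    Returns (errors, unrecognized). errors lists violations of the stated
    validation rules; unrecognized lists names that pass those rules but
    match none of the documented column forms.
    """
    errors, unrecognized = [], []
    clean = {field: [] for field in FIELDS}
    for field in FIELDS:
        for index, name in enumerate(value.get(field, [])):
            where = "%s[%d]" % (field, index)
            if not isinstance(name, str) or name == "":
                errors.append("%s: column name is empty or not a string" % where)
            elif " " in name or "," in name:
                errors.append("%s: %r contains a space or comma" % (where, name))
            else:
                clean[field].append(name)
                if not is_documented(name) and name not in unrecognized:
                    unrecognized.append(name)
    # A column may be shown by default or hidden from reviewers, not both.
    for name in sorted(set(clean[FIELDS[0]]) & set(clean[FIELDS[1]])):
        errors.append("%r appears in both %s and %s" % (name, FIELDS[0], FIELDS[1]))
    return errors, unrecognized


# Request body from this page's Review Column Defaults example.
PAGE_EXAMPLE = {
    "value": {
        "default_ordered_columns": [
            "source.name", "source.department",
            "source.customprop_worker_status", "source.tags",
            "path_summary.name", "concrete_permissions", "destination.name",
            "destination.customprop_display_name", "reviewers",
        ],
        "hide_from_reviewers_columns": [
            "source.identity_unique_id",
            "idp.on_premises_distinguished_name",
        ],
    },
    "workflow_id": "002063d2-7898-4183-b5fb-1192758fdec7",
}

# Constructed payload that breaks each validation rule once.
BAD_EXAMPLE = {
    "value": {
        "default_ordered_columns": [
            "source.name", "", "destination name", "idp.name,notes", "owner",
        ],
        "hide_from_reviewers_columns": ["source.name"],
    }
}

if __name__ == "__main__":
    for label, payload in (("page example", PAGE_EXAMPLE),
                           ("constructed bad payload", BAD_EXAMPLE)):
        errors, unrecognized = validate_columns(payload["value"])
        print(label, "->", errors or "ok", "| unrecognized:", unrecognized)
```

Names reported as unrecognized are not rejected by the stated rules; they are worth a second look because a mistyped name in hide_from_reviewers_columns would leave the intended column visible to reviewers.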

Example

This example configuration shows sensitive identity information (unique IDs and distinguished names) to administrators while hiding them from reviewers, allowing for better security and privacy control in access reviews.

Get Review Column Defaults

Set Review Column Defaults

List All Column Settings

Get Review Sort Settings, example request:

GET /api/private/workflows/access/global_settings/view_sort_settings HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*

Example response (200 OK):

{
  "value": {
    "order_by": "source.type asc"
  }
}

Set Review Sort Settings, example request:

PUT /api/private/workflows/access/global_settings/view_sort_settings HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 33

{
  "value": {
    "order_by": "<string>"
  }
}

Example response (200 OK):

{
  "value": {
    "order_by": "source.type asc"
  }
}

Review Column Defaults, example request body:

{
  "value": {
    "default_ordered_columns": [
      "source.name",
      "source.department",
      "source.customprop_worker_status",
      "source.tags",
      "path_summary.name",
      "concrete_permissions",
      "destination.name",
      "destination.customprop_display_name",
      "reviewers"
    ],
    "hide_from_reviewers_columns": [
      "source.identity_unique_id",
      "idp.on_premises_distinguished_name"
    ]
  },
  "workflow_id": "002063d2-7898-4183-b5fb-1192758fdec7"
}

Get Review Columns

Method: GET

Header parameters

  • Accept (string, optional). Example: application/json

Responses

  • 200 OK (application/json): object

Set Review Columns

Method: PUT

Header parameters

  • Content-Type (string, optional). Example: application/json

  • Accept (string, optional). Example: application/json

Body

  • object (optional). Example: {"value":{"default_ordered_columns":["source.name","source.identity_unique_id","concrete_permissions","idp.on_premises_distinguished_name","idp.name","destination.name","destination.type","reviewers","notes","decision_by","decision_at","notification_status","automation_run_ids"]}}

Responses

  • 200 OK (application/json): object

Get All Column Customizations

Method: GET

Header parameters

  • Accept (string, optional). Example: application/json

Responses

  • 200 OK (application/json): object

  • 500 Internal Server Error (application/json)

Expire Overdue Reviews

Auto-expire overdue reviews.

This setting is configurable on the Access Reviews > Settings page. Enable "Auto-Expire overdue reviews" to automatically expire reviews that aren't completed by the due date.

Enable or disable expiration of overdue reviews. By default, overdue reviews are not expired and remain available to reviewers. When expiration is enabled, the review will be "expired" when it becomes overdue. An expired review is read-only and is not shown to reviewers.

Parameters

The value can be True or False.

Get Expire Overdue Reviews Setting

Set Expire Overdue Reviews Setting

Data Source Acknowledgement

Require data source status acknowledgement during review creation.

By default, when a review is created, a user can optionally view the status of the data sources involved in the review. This API allows the behavior to change, requiring that the data source status is shown to the user and acknowledged during review creation.

Parameters

Possible values are:

  • DATASOURCE_ACKNOWLEDGEMENT_UNKNOWN = 0

  • DATASOURCE_ACKNOWLEDGEMENT_NOT_SHOWN = 1

  • DATASOURCE_ACKNOWLEDGEMENT_REQUIRED = 2

Get Data Source Acknowledgement Setting

Set Data Source Acknowledgement Setting

Access Review Settings

API operations for customizing the behavior and functionality of Veza Access Reviews.

These endpoints can be called by providing a Veza admin user API key. See Authentication to generate a bearer token for use in requests. Note that API operations in the private namespace are subject to change as features are added or modified.

Use these APIs to configure Access Reviews Settings for Veza Access Reviews.

The settings that can be configured by a Veza administrator are:

  • Review Auto-Complete Settings: Automatically complete reviews once all rows have a signed-off decision, or a non-rejected signed-off decision.

  • Review Completion Settings: Enable review completion at any time, or only when all rows are signed off with a non-rejected decision.

  • Data Source Acknowledgement: Require review creators to view and acknowledge the data source status shown at review creation.

  • Expire Overdue Reviews: Enable or disable expiration of overdue reviews.

  • Review Expiration Behavior: Reject and sign off incomplete rows when a review expires.

  • Self Review Prevention: Prevent users from being assigned as reviewers for rows that relate to their own access and permissions.

  • Review Column Defaults: Configure default columns which reviewers will see when they open a review.

  • Review UI Customizations: Set whether notes are required when approving or rejecting access.

  • Review Sort Order: Set the default sort order and sorting column when opening a review.

  • Predefined Decision Notes: Add suggested notes as menu options when reviewers approve or reject rows.

  • Review Row Grouping: Configure default grouping behavior for review rows to organize data by column values.

  • Reviewer Export Settings: Control whether reviewers can export review data to CSV or PDF formats.

For each endpoint, a GET request returns the current setting, and a PUT request updates the setting. Use your unique Veza URL and API key (see Authentication) in your request.

Postman Collection

Use the Postman collection as an alternative to cURL commands for testing and configuring Veza Access Reviews global settings:

Import Instructions

To import the collection into Postman:

  1. Open Postman and click Import in the sidebar

  2. In the Import modal, click Choose Files

  3. Select the access-reviews-global-settings.postman_collection.json file

  4. Click Import to complete the process

  5. The collection appears in your Collections tab

Alternatively, drag and drop the file:

  1. Download the collection file to your computer

  2. Drag and drop the .json file directly into the Postman interface

  3. The collection is automatically imported and appears in your Collections tab

Configure Variables

Before using the collection, configure these required variables on the Variables tab:

Variable
Description
Example

The collection uses Bearer token authentication. Your apiToken variable automatically populates the Authorization header for all requests.

Important: Use HTTPS (not HTTP) for your baseUrl to avoid redirect issues that can drop request bodies in PUT/POST operations.

Get Review Columns, example request:

GET /api/private/workflows/access/global_settings/ui_column_settings HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*

Example response (200 OK):

{
  "value": {
    "default_ordered_columns": [
      "source.name",
      "source.identity_unique_id",
      "concrete_permissions",
      "idp.on_premises_distinguished_name",
      "idp.name",
      "destination.name",
      "destination.type",
      "reviewers",
      "notes",
      "decision_by",
      "decision_at",
      "notification_status",
      "automation_run_ids"
    ]
  }
}

Set Review Columns, example request:

PUT /api/private/workflows/access/global_settings/ui_column_settings HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 281

{
  "value": {
    "default_ordered_columns": [
      "source.name",
      "source.identity_unique_id",
      "concrete_permissions",
      "idp.on_premises_distinguished_name",
      "idp.name",
      "destination.name",
      "destination.type",
      "reviewers",
      "notes",
      "decision_by",
      "decision_at",
      "notification_status",
      "automation_run_ids"
    ]
  }
}

Example response (200 OK):

{
  "value": {
    "default_ordered_columns": [
      "source.name",
      "source.identity_unique_id",
      "concrete_permissions",
      "idp.on_premises_distinguished_name",
      "idp.name",
      "destination.name",
      "destination.type",
      "reviewers",
      "notes",
      "decision_by",
      "decision_at",
      "notification_status",
      "automation_run_ids"
    ]
  }
}

Get All Column Customizations, example request:

GET /api/private/workflows/access/global_settings/ui_column_settings:list_all HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*

Example response (200 OK):

{
  "global_settings": {
    "default_ordered_columns": [
      "source.name",
      "source.identity_unique_id",
      "concrete_permissions",
      "idp.on_premises_distinguished_name",
      "idp.name",
      "destination.name",
      "destination.type",
      "reviewers",
      "notes",
      "decision_by",
      "decision_at",
      "notification_status",
      "automation_run_ids"
    ]
  },
  "workflow_settings": [
    {
      "workflow_id": "002063d2-7898-4183-b5fb-1192758fdec7",
      "settings": {
        "default_ordered_columns": [
          "source.name",
          "source.department",
          "source.customprop_worker_status",
          "source.tags",
          "path_summary.name",
          "concrete_permissions",
          "destination.name",
          "destination.type",
          "destination.customprop_display_name",
          "reviewers",
          "notes"
        ]
      }
    },
    {
      "workflow_id": "84459ad9-3976-4f21-9d56-fa9c0694a8a7",
      "settings": {
        "default_ordered_columns": [
          "source.aws_userid",
          "source.name",
          "source.identity_unique_id",
          "concrete_permissions",
          "destination.name",
          "destination.type",
          "reviewers",
          "notes",
          "decision_by",
          "decision_at",
          "notification_status",
          "automation_run_ids"
        ]
      }
    }
  ]
}
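
Example cURL request (use your own Veza URL and API key):

curl -X PUT 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/cert_completion_settings' \
-H 'Content-Type: application/json' \
-H 'authorization: Bearer mZ1eqKMACtP...' \
-d '{"value": "COMPLETION_ALLOWED_ALL_ROWS_HAVE_DECISION"}'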

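Postman collection variables (variable: description, then example):

  • baseUrl: Your Veza instance URL. Example: https://your-organization.vezacloud.com

  • apiToken: Veza admin user API key. Example: mZ1eqKMACtP...

  • Workflow ID: Specific review configuration ID (optional). Example: 8ae1c414-3a76-46cb-950a-925316b3f264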

Postman collection file: access-reviews-global-settings.postman_collection.json (53KB)

Get Expire Overdue Certifications Setting

Method: GET

Header parameters

  • Accept (string, optional). Example: application/json

Responses

  • 200 OK (application/json): object

Example request:

GET /api/private/workflows/access/global_settings/expire_overdue_certifications HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*

Example response (200 OK):

{
  "value": false
}

Set Expire Overdue Certifications Setting

Method: PUT

Header parameters

  • Content-Type (string, optional). Example: application/json

  • Accept (string, optional). Example: application/json

Body

  • object (optional). Example: {"value":"<boolean>"}

Responses

  • 200 OK (application/json): object

Example request:

PUT /api/private/workflows/access/global_settings/expire_overdue_certifications HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 21

{
  "value": "<boolean>"
}

Example response (200 OK):

{
  "value": false
}

Get Data Source Acknowledgement Settings

Method: GET

Header parameters

  • Accept (string, optional). Example: application/json

Responses

  • 200 OK (application/json): object

Set Data Source Acknowledgement Settings

Method: PUT

Header parameters

  • Content-Type (string, optional). Example: application/json

  • Accept (string, optional). Example: application/json

Body

  • object (optional). Example: {"value":"<integer>"}

Responses

  • 200 OK (application/json): object

Reviewer Export Settings

Control export permissions for reviewers.

Control whether reviewers can view and export access review data. This setting provides granular control over different export formats, allowing administrators to enable or disable CSV and PDF exports independently based on organizational security policies.

When enabled, reviewers can export review data in the allowed formats for offline analysis or reporting. When disabled, the corresponding export options are hidden from the reviewer interface, ensuring review data remains within the Veza platform.

The default setting disables both CSV and PDF exports for security. This setting can be configured globally for all reviews or for specific review configurations using the workflow_id parameter.

Parameters

The request body accepts:

  • allow_csv_exports (boolean) - Enable or disable CSV export functionality for reviewers

  • allow_pdf_exports (boolean) - Enable or disable PDF export functionality for reviewers

  • workflow_id (optional string) - Specific review configuration ID to override global settings

Example

Example request body:

{
  "value": {
    "allow_csv_exports": true,
    "allow_pdf_exports": false
  },
  "workflow_id": "8ae1c414-3a76-46cb-950a-925316b3f264"
}

Get Reviewer Export Settings

Retrieve the current reviewer export permission settings. Include the optional workflow_id query parameter to get settings for a specific review configuration.

Global Settings Request:

curl -L 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/allow_reviewer_exports' \
-H 'Authorization: Bearer YOUR_API_KEY'

Configuration-Specific Request:

curl -L 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/allow_reviewer_exports?workflow_id=8ae1c414-3a76-46cb-950a-925316b3f264' \
-H 'Authorization: Bearer YOUR_API_KEY'

Example response:

{
  "value": {
    "allow_csv_exports": false,
    "allow_pdf_exports": false
  }
}

Set Reviewer Export Settings

Update the reviewer export permission settings globally or for a specific review configuration.

Global Settings Request:

curl -L -X PUT 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/allow_reviewer_exports' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer YOUR_API_KEY' \
-d '{
  "value": {
    "allow_csv_exports": true,
    "allow_pdf_exports": false
  }
}'

Configuration-Specific Request:

curl -L -X PUT 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/allow_reviewer_exports' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer YOUR_API_KEY' \
-d '{
  "value": {
    "allow_csv_exports": true,
    "allow_pdf_exports": false
  },
  "workflow_id": "8ae1c414-3a76-46cb-950a-925316b3f264"
}'

Example response:

{}
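
The GET endpoints on this page make it possible to compare the current review settings with a baseline. The following Python drift check is an added example, not Veza's code: the baseline is an assumed policy chosen for illustration, the function names are hypothetical, and the sample responses are constructed from the example bodies on this page so the check runs offline.

```python
# Integer forms of the enums as listed on this page. Values may be written as
# the integer or the string, so both are normalised to the string name.
ENUMS = {
    "self_reviewer_settings": {
        1: "SELF_REVIEWER_CHECKING_DISABLED",
        2: "SELF_REVIEWER_CHECKING_ENABLED",
    },
    "cert_completion_settings": {
        0: "COMPLETION_ALLOWED_UNKNOWN",
        1: "COMPLETION_ALLOWED_ALL_ROWS_HAVE_DECISION",
        2: "COMPLETION_ALLOWED_ANYTIME",
    },
    "reject_notes_behavior": {
        0: "NOTES_BEHAVIOR_UNKNOWN",
        1: "NO_POP_UP",
        2: "POP_UP_OPTIONAL",
        3: "POP_UP_REQUIRED",
    },
}

# Assumed baseline (illustrative policy, not a Veza recommendation):
# (endpoint, key inside "value" or None, enum table or None, expected value)
BASELINE = [
    ("self_reviewer_settings", None, "self_reviewer_settings",
     "SELF_REVIEWER_CHECKING_ENABLED"),
    ("cert_completion_settings", None, "cert_completion_settings",
     "COMPLETION_ALLOWED_ALL_ROWS_HAVE_DECISION"),
    ("ui_customization_settings", "reject_notes_behavior",
     "reject_notes_behavior", "POP_UP_REQUIRED"),
    ("allow_reviewer_exports", "allow_csv_exports", None, False),
    ("allow_reviewer_exports", "allow_pdf_exports", None, False),
]


def normalize(raw, enum_name):
    """Map an integer or string enum value to its string name."""
    if enum_name is None:
        return raw
    table = ENUMS[enum_name]
    if isinstance(raw, int) and not isinstance(raw, bool) and raw in table:
        return table[raw]
    if isinstance(raw, str) and raw in table.values():
        return raw
    return "INVALID(%r)" % (raw,)


def audit(snapshot):
    """Compare {endpoint: parsed GET response body} with BASELINE.

    Returns a list of (endpoint, key, actual, expected) tuples, one per
    setting that is missing from the snapshot or differs from the baseline.
    """
    findings = []
    for endpoint, key, enum_name, expected in BASELINE:
        body = snapshot.get(endpoint)
        if not isinstance(body, dict) or "value" not in body:
            findings.append((endpoint, key, "MISSING", expected))
            continue
        raw = body["value"]
        if key is not None:
            if not isinstance(raw, dict) or key not in raw:
                findings.append((endpoint, key, "MISSING", expected))
                continue
            raw = raw[key]
        actual = normalize(raw, enum_name)
        # Compare types as well, so 0 is not accepted where False is expected.
        if type(actual) is not type(expected) or actual != expected:
            findings.append((endpoint, key, actual, expected))
    return findings


# Constructed snapshot, assembled from example bodies shown on this page.
SAMPLE_SNAPSHOT = {
    "self_reviewer_settings": {"value": "SELF_REVIEWER_CHECKING_DISABLED"},
    "cert_completion_settings": {"value": 1},  # integer form
    "ui_customization_settings": {"value": {
        "diff_dropdown_behavior": "ALWAYS_HIDE_FOR_ACCESS_REVIEWER_ROLE",
        "accept_notes_behavior": "NO_POP_UP",
        "reject_notes_behavior": "POP_UP_REQUIRED",
        "approve_and_sign_off_button_behavior": "SHOW",
    }},
    "allow_reviewer_exports": {"value": {
        "allow_csv_exports": True,
        "allow_pdf_exports": False,
    }},
}

if __name__ == "__main__":
    for endpoint, key, actual, expected in audit(SAMPLE_SNAPSHOT):
        name = endpoint if key is None else "%s.%s" % (endpoint, key)
        print("DRIFT %s: %r (baseline %r)" % (name, actual, expected))
```

The check covers global values only; settings that can be overridden per review configuration need the same comparison for each workflow_id.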

Get Data Source Acknowledgement Settings, example request:

GET /api/private/workflows/access/global_settings/datasource_acknowledgement HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*

Example response (200 OK):

{
  "value": "DATASOURCE_ACKNOWLEDGEMENT_REQUIRED"
}

Set Data Source Acknowledgement Settings, example request:

PUT /api/private/workflows/access/global_settings/datasource_acknowledgement HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 21

{
  "value": "<integer>"
}

Example response (200 OK):

{
  "value": "DATASOURCE_ACKNOWLEDGEMENT_REQUIRED"
}

Review Row Grouping

Configure default grouping behavior for review rows to organize data by column values.

Configure default grouping behavior for access review rows. When enabled, review rows are automatically organized by the specified column values, making it easier for reviewers to process large datasets by grouping related items together.

The setting allows admins to configure a default group by column and collapsed/expanded behavior, either globally or per-workflow.

Parameters

  • workflow_id (string, optional, in body) - The workflow ID to apply the setting to

  • value.group_by_column (string, required, in body) - The column to group rows by (e.g. destination.veza_unique_name, source.veza_unique_name, status, risk_level). Must be a valid column name (same as in CreateAccessResultsGroupCollection). If empty or unset, grouping is disabled.

  • value.expand_groups_by_default (bool, required, in body) - When set to true, row groups will be expanded by default when the review loads; if false, they'll be collapsed. This flag is ignored when group_by_column is empty.

Get Row Grouping Settings

GET /api/private/workflows/access/global_settings/rows_group_by_setting

Get Global Setting

curl 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/rows_group_by_setting' \
    -H 'Content-Type: application/json' \
    -H 'Authorization: Bearer YOUR_BEARER_TOKEN'

Get Workflow-Scoped Setting

curl 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/rows_group_by_setting?workflow_id=01983256-911c-7906-9d75-d69871c877fd' \
    -H 'Content-Type: application/json' \
    -H 'Authorization: Bearer YOUR_BEARER_TOKEN'

Example Response

{
  "value": {
    "group_by_column": "status",
    "expand_groups_by_default": true
  }
}

Set Row Grouping Settings

PUT /api/private/workflows/access/global_settings/rows_group_by_setting

Example: Set Global Setting

curl -X PUT 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/rows_group_by_setting' \
    -H 'Content-Type: application/json' \
    -H 'Authorization: Bearer YOUR_BEARER_TOKEN' \
    -d '{
      "value": {
        "group_by_column": "destination.veza_unique_name",
        "expand_groups_by_default": false
      }
    }'

Example: Set Workflow-Scoped Setting

curl -X PUT 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/rows_group_by_setting' \
    -H 'Content-Type: application/json' \
    -H 'Authorization: Bearer YOUR_BEARER_TOKEN' \
    -d '{
      "workflow_id": "01983256-911c-7906-9d75-d69871c877fd",
      "value": {
        "group_by_column": "destination.veza_unique_name",
        "expand_groups_by_default": false
      }
    }'

Response (empty on success)

{}

Common Column Examples

  • destination.veza_unique_name - Group by resource name

  • source.veza_unique_name - Group by identity name

  • status - Group by review status

  • risk_level - Group by risk level

  • destination.type - Group by resource type

  • decision - Group by decision status

Row grouping settings apply when reviewers first load a review. Users can manually change grouping options in the review interface regardless of these default settings. When configured for a specific review configuration (using workflow_id), those settings override any global grouping settings for reviews created from that configuration.

Grouping helps organize large reviews by collecting related rows together, making it easier to identify patterns and make decisions efficiently. Common grouping strategies include grouping by department, resource type, permission level, or risk assessment.

GET /api/private/workflows/access/global_settings/allow_reviewer_exports

Query parameters

  • workflow_id (optional string)

Responses

  • 200 - OK (application/json)

  • default - Default error response (application/json)

GET /api/private/workflows/access/global_settings/allow_reviewer_exports HTTP/1.1
Host: 
Authorization: Bearer <API key>
Accept: */*

Example response:

{
  "value": {
    "allow_csv_exports": true,
    "allow_pdf_exports": true
  },
  "workflow_id": "text"
}
PUT /api/private/workflows/access/global_settings/allow_reviewer_exports

Body

  • workflow_id (optional string)

Responses

  • 200 - OK (application/json, response object)

  • default - Default error response (application/json)

PUT /api/private/workflows/access/global_settings/allow_reviewer_exports HTTP/1.1
Host: 
Authorization: Bearer <API key>
Content-Type: application/json
Accept: */*
Content-Length: 82

{
  "value": {
    "allow_csv_exports": true,
    "allow_pdf_exports": true
  },
  "workflow_id": "text"
}

Example response:

{}