1 of 40

Access Reviews APIs

Methods for interacting with workflows and certifications

These endpoints enable listing workflows, listing certifications, getting certification results, and updating certifications. They can be used to programmatically retrieve workflow and certification details, and update certification rows with a decision or note, such as ticket number.

These endpoints also provide utility functionality, such as managing the reviewer deny list, populating results with webhook response info, and customizing quick filters, smart actions, and help pages.

Core Workflow Operations

List Workflows

APIs for Veza Access Reviews are subject to change, and as such are provided with the /preview API collection. Use the appropriate prefix when calling the API, for example, your-org.vezacloud.com/api/preview/.

First, save your and Veza base URL as environment variables:

Get all workflows and IDs:

Use a workflow id to get active and pending certifications for that workflow:

The response will include certification details, including the certification ids.

Using a certification id, you can get results for the certification, including entity attributes:

Update a certification result row with a note:

Workflow Parameters Reference

Workflows, certifications, and result details

This page describes common properties for listing workflows, certifications, and certification results:

Workflow Properties

When listing access workflows, all Veza Workflows are returned within a values array. Each has the properties:

Name

Type

Description

returns all Certifications for a workflow, within a values array.

Note that to maintain certification integrity, some properties are immutable and can't be modified, while other values system-updated. Mutable fields such as "name," "notes," "reviewers" and "due date" can be changed by operators and admins using the Veza UI:

Name

Type

Description

See for more details on query construction.

Internal fields are updated by the workflow service to store important metadata:

Name

Type

Description

States can be:

CERT_STATE_SEARCHING // The query is still running
CERT_STATE_IN_PROGRESS // the certification is being reviewed
CERT_STATE_COMPLETED

include a numeric ID, the query details, and any decisions and notes. Each result includes entity details for the source -> destination nodes and the cumulative permissions under review:

Name

Type

Description

Valid decisions are:

RESULT_DECISION_NONE // No decision has been made
RESULT_DECISION_ACCEPTED // The access described in the result row is acceptable
RESULT_DECISION_REJECTED

Both the number or string value for the decision are allowed, for example "decision": 4 or "decision": RESULT_DECISION_FIXED.

The notes field will always contain the most recent note. Previous notes can be reviewed in the using the List Cert Results API.

Shows source, destination, or intermediate entity details for a query result:

Name

type

Description

Reviewer details, typically a Veza user account. If are configured, the user type and id refer to Veza graph entities:

Name

Type

Description

You can get details for a local Veza user from Administration > User Management. For graph entities (identities from an external identity provider), inspect the entity details using Access Search or the Entities page. will return all users for a given certification.

When assigning reviewers using preview Workflows APIs, requested users are validated before assigning them to a certification result, and not assigned when the user can’t be found. Assignee id and user_type are required to identify reviewers. name and email are optional but if provided must match the Veza user record.

Results contain a record of all prior actions on a certification result.

Name

Type

Description

Possible actions are:

NOTE_ADDED
REVIEWER_ASSIGNED
DECISION

The response will include the type, id, email, and name of the user who made the change:

The reviewer_assignment specifies how reviewers should be assigned to rows, during initial certification create or when reviewers are re-assigned by smart action.

users_manager and resource_managers assigns reviewers based on Global IdP settings.

reviewers is a way to specify one or more reviewers to apply to every row. fallback_reviewers is one or more reviewers that to assign to rows if auto assign by user or resource manager fails for any reason

Force Update Result

Update a single result with escalated privileges

ForceUpdateAwfResults allows administrators to modify results more than normally allowed, such as changing sign-off status, or changing a row's decision after a certification expires.

Method

syntax

Update Webhook Info

Update status info for custom webhooks

Updates webhook status and details for a certification result.

If you have configured a custom webhook to conduct automated access removal or another form of remediation, you can update Veza with the notification status.

Your application can use this endpoint to send a POST request updating the webhook state, visible to other reviewers from Veza's Certification UI.

This endpoint can also be called during the 7-day grace period after a certification completes or expires. Calls during the grace period require the admin, Access Reviews Admin, or operator role.

Method

syntax

Path parameters

certification_id - id of the certification containing the result to update.

Body

The request body must include the id of the result to update. Valid notification_status are:

PENDING
SUCCEED
FAILED

Webhook_info strings can contain up to 255 bytes.

Response

A successful response will be empty {}

Manage Reviewer Deny List

Prevent auto assignment for specific users

View or change the deny list for reviewer auto assignment.

Adding a user to the deny list will prevent that user from being auto assigned as a reviewer. That user will also be prevented from appearing in the drop-down menu when manually reassigning a user.

If a user's manager is on the deny list when auto assignment occurs, the certification will be assigned to the that manager's manager. If both the manager and the manager's manger are on the deny list, the result will be assigned to the workflow creator.

Returns the current denied users.

Method

syntax

Review Completion Settings

Customize the requirements for completing a review.

An Admin or Operator user can complete a review by clicking the "Complete Review" button.

Once a review is marked as "completed," it becomes read-only and is no longer visible to reviewers. By default, a review can be completed when all rows have a signed-off decision.

This API allows you to modify this behavior, enabling a review to be completed at any time, or only when all rows are signed off with a non-rejected decision. The latter option is useful if your organization prefers to complete reviews only after all rejected access has been remediated.

Possible values are:

COMPLETION_ALLOWED_UNKNOWN

Review Auto-Complete Settings

Enable or disable automatic review completion once all rows have decisions.

Enable or disable the "auto-complete" feature. When auto-complete is enabled, a review will automatically be completed once all rows have a signed-off decision, or a non-rejected signed-off decision, depending on the "Completion Allowed Settings."

Parameters

Possible values are:

AUTO_COMPLETE_UNKNOWN
AUTO_COMPLETE_ENABLED
AUTO_COMPLETE_DISABLED

Self Review Prevention

Prevent users from being assigned as reviewers for rows that relate to their own access and permissions.

Enable or disable self-review prevention. When self-review prevention is enabled, users are prevented from being assigned as reviewers for rows that relate to their own access and permissions.

The value can be either an integer or string:

SELF_REVIEWER_CHECKING_DISABLED = 1 (or "SELF_REVIEWER_CHECKING_DISABLED" as string)

Review UI Customizations

Customize notes behavior and UI elements for reviewers.

By default, when a reviewer approves a row, a "notes" pop-up appears, allowing the user to optionally add a note explaining their decision. When a reviewer rejects a row, the "notes" pop-up appears, and adding a note is required. This API allows you to customize this behavior. For example, you can choose to disable the pop-up when a row is approved and make the notes pop-up optional when a row is rejected.

Additionally, this API can enable the historical "Approve & Signoff" action in the reviewer experience when multiple rows are selected. Note: It is recommended that this feature remains disabled to ensure a more streamlined reviewer experience.

Parameters

accept_notes_behavior can be:

NOTES_BEHAVIOR_UNKNOWN = 0
NO_POP_UP = 1
POP_UP_OPTIONAL = 2
POP_UP_REQUIRED = 3

reject_notes_behavior can be:

NOTES_BEHAVIOR_UNKNOWN = 0
NO_POP_UP = 1
POP_UP_OPTIONAL = 2

approve_and_sign_off_button_behavior can be:

HIDE_OR_SHOW_BEHAVIOR_UNKNOWN = 0
SHOW = 1
HIDE = 2

diff_dropdown_behavior can be:

NORMAL = 1 (Enables all users to see decisions and access changes from previous reviews for the same configuration)
ALWAYS_HIDE_FOR_ACCESS_REVIEWER_ROLE = 2 (Prevents users with the "Access Reviewer" role from accessing this option)

Expire Overdue Reviews

Auto-expire overdue reviews.

This setting is configurable on the Access Reviews > Settings page. Enable Auto-Expire overdue reviews to automatically expire reviews that aren't completed by the due date.

Enables or disable expiration of overdue reviews. By default, overdue reviews are not expired and remain available to reviewers. When expiration is enabled, the review will be "expired" when it becomes overdue. An expired review is read-only and is not shown to reviewers.

Parameters

The value can be True or False.

Get Expire Overdue Reviews Setting

Set Expire Overdue Reviews Setting

Review Expiration Behavior

Configure what happens when reviews expire.

This setting is configurable on the Access Reviews > Settings page. Enable Reject incomplete rows to reject and sign off on undecided rows when a review expires.

This API allows you to change the behavior when a review expires (which can be enabled in Review Auto-Complete Settings). Depending on the behavior, incomplete rows can be auto-rejected when the review deadline passes.

Review expiration behavior can be configured globally, or for all reviews for a single Review Configuration, specified by workflow_id in the request.

The request body must include a setting object with the following structure:

Data Source Acknowledgement

Require data source status acknowledgement during review creation.

By default, when a review is created, a user can optionally view the status of the data sources involved in the review. This API allows the behavior to change, requiring that the data source status is shown to the user and acknowledged during review creation.

Acknowledgement settings apply only to manually created reviews in the Veza console and do not apply to on-demand, scheduled, or API-created reviews.

Parameters

Possible values are:

DATASOURCE_ACKNOWLEDGEMENT_UNKNOWN = 0
DATASOURCE_ACKNOWLEDGEMENT_NOT_SHOWN = 1
DATASOURCE_ACKNOWLEDGEMENT_REQUIRED = 2

Predefined Decision Notes

Add suggested notes for reviewer decisions.

Configure predefined notes as menu options when reviewers approve or reject rows. This feature can be configured globally for all reviews or specifically for individual review configurations. When configured for a specific review configuration (using workflow_id), those settings override any global predefined notes.

The predefined notes appear as selectable options in the notes dialog when making decisions, suggesting standardized responses alongside free-form text entry.

The request body accepts:

reject_notes: Array of predefined note options shown when rejecting rows

Reviewer Export Settings

Control export permissions for reviewers.

Control whether reviewers can view and export access review data. This setting provides granular control over different export formats, allowing administrators to enable or disable CSV and PDF exports independently based on organizational security policies.

When enabled, reviewers can export review data in the allowed formats for offline analysis or reporting. When disabled, the corresponding export options are hidden from the reviewer interface, ensuring review data remains within the Veza platform.

The default setting disables both CSV and PDF exports for security. This setting can be configured globally for all reviews or for specific review configurations using the workflow_id parameter.

Parameters

The request body accepts:

allow_csv_exports (boolean) - Enable or disable CSV export functionality for reviewers
allow_pdf_exports (boolean) - Enable or disable PDF export functionality for reviewers
workflow_id (optional string) - Specific review configuration ID to override global settings

Example request body:

Retrieve the current reviewer export permission settings. Include the optional workflow_id query parameter to get settings for a specific review configuration.

Global Settings Request:

Configuration-Specific Request:

Example response:

Update the reviewer export permission settings globally or for a specific review configuration.

Global Settings Request:

Configuration-Specific Request:

Example response:

Alternate Reviewer Settings

Configure the fallback reviewer selection methods used when a valid reviewer cannot be assigned.

Configure the ordered list of fallback selection methods that Veza uses when a valid reviewer cannot be assigned. When all specified reviewers are prevented from assignment (due to self-review prevention, the reviewer deny list, or missing managers/owners), Veza evaluates each selection method in order until an allowed alternate reviewer is found.

For more information, see .

The selection_methods array accepts integer or string values representing fallback methods to enable. Enabled methods are evaluated in the specified order.

Integer

String Value

Workflow Parameters Reference

Workflows, certifications, and result details

This page describes common properties for listing workflows, certifications, and certification results:

Workflow Properties

When listing access workflows, all Veza Workflows are returned within a values array. Each has the properties:

Name

Type

Description

returns all Certifications for a workflow, within a values array.

Name

Type

Description

See for more details on query construction.

Internal fields are updated by the workflow service to store important metadata:

Name

Type

Description

States can be:

CERT_STATE_SEARCHING // The query is still running
CERT_STATE_IN_PROGRESS // the certification is being reviewed
CERT_STATE_COMPLETED

include a numeric ID, the query details, and any decisions and notes. Each result includes entity details for the source -> destination nodes and the cumulative permissions under review:

Name

Type

Description

Valid decisions are:

RESULT_DECISION_NONE // No decision has been made
RESULT_DECISION_ACCEPTED // The access described in the result row is acceptable
RESULT_DECISION_REJECTED

Both the number or string value for the decision are allowed, for example "decision": 4 or "decision": RESULT_DECISION_FIXED.

The notes field will always contain the most recent note. Previous notes can be reviewed in the using the List Cert Results API.

Shows source, destination, or intermediate entity details for a query result:

Name

type

Description

Reviewer details, typically a Veza user account. If are configured, the user type and id refer to Veza graph entities:

Name

Type

Description

When assigning reviewers using preview Workflows APIs, requested users are validated before assigning them to a certification result, and not assigned when the user can’t be found. Assignee id and user_type are required to identify reviewers. name and email are optional but if provided must match the Veza user record.

Results contain a record of all prior actions on a certification result.

Name

Type

Description

Possible actions are:

NOTE_ADDED
REVIEWER_ASSIGNED
DECISION

The response will include the type, id, email, and name of the user who made the change:

The reviewer_assignment specifies how reviewers should be assigned to rows, during initial certification create or when reviewers are re-assigned by smart action.

users_manager and resource_managers assigns reviewers based on Global IdP settings.

{ "values": [ { "workflow_id": "b9dc2586-5f30-4462-b6be-53f62debc40f", "name": "demo", "description": "demo", "owner": { "user_type": "localCookieUser", "id": "e3ac5e6a-1946-4688-82a7-8a607133a1c8", "email": "cookie@cookie.ai", "name": "earlypreview-auth0" }, "notes": "", "query": { "raw_permissions": null, "effective_permissions": null, "source_node_types": { "nodes": [ { "node_type": "GoogleWorkspaceUser", "tags": [], "conditions": [], "condition_expression": null, "node_id": "", "excluded_tags": [], "count_conditions": [], "direct_relationship_only": false, "node_type_grouping_constraint": null } ], "nodes_operator": "AND" }, "required_intermediate_node_types": { "nodes": [], "nodes_operator": "AND" }, "avoided_intermediate_node_types": { "nodes": [], "nodes_operator": "AND" }, "destination_node_types": { "nodes": [ { "node_type": "GoogleCloudProject", "tags": [], "conditions": [], "condition_expression": null, "node_id": "", "excluded_tags": [], "count_conditions": [], "direct_relationship_only": false, "node_type_grouping_constraint": null } ], "nodes_operator": "AND" }, "no_relation": false, "snapshot_id": "1690354800", "waypoint_node_types": { "nodes": [ { "node_type": "GoogleCloudIamRoleBinding", "tags": [], "conditions": [], "condition_expression": null, "node_id": "", "excluded_tags": [], "count_conditions": [], "direct_relationship_only": false, "node_type_grouping_constraint": null } ], "nodes_operator": "AND" }, "path_summary_node_types": null, "node_relationship_type": "CONFIGURED", "include_all_source_tags_in_results": true, "include_all_destination_tags_in_results": false, "page_size": "0", "page_token": "" }, "creator": { "user_type": "localCookieUser", "id": "e3ac5e6a-1946-4688-82a7-8a607133a1c8", "email": "cookie@cookie.ai", "name": "earlypreview-auth0" }, "created_at": "2023-07-27T03:34:56.166550127Z" }, { "workflow_id": "baecbd47-bd3d-4d52-acb8-34840a8973b2", "name": "Azure PS", "description": "", "owner": { "user_type": "localCookieUser", "id": "e3ac5e6a-1946-4688-82a7-8a607133a1c8", "email": "cookie@cookie.ai", "name": "earlypreview-auth0" }, "notes": "", "query": { "raw_permissions": null, "effective_permissions": null, "source_node_types": { "nodes": [ { "node_type": "Principal", "tags": [], "conditions": [], "condition_expression": null, "node_id": "", "excluded_tags": [], "count_conditions": [], "direct_relationship_only": false, "node_type_grouping_constraint": null } ], "nodes_operator": "AND" }, "required_intermediate_node_types": { "nodes": [], "nodes_operator": "AND" }, "avoided_intermediate_node_types": { "nodes": [], "nodes_operator": "AND" }, "destination_node_types": { "nodes": [ { "node_type": "AzureDataLakeFilesystem", "tags": [], "conditions": [], "condition_expression": null, "node_id": "", "excluded_tags": [], "count_conditions": [], "direct_relationship_only": false, "node_type_grouping_constraint": null } ], "nodes_operator": "AND" }, "no_relation": false, "snapshot_id": "1675900800", "waypoint_node_types": null, "path_summary_node_types": { "nodes": [ { "node_type": "AzureADGroup", "tags": [], "conditions": [], "condition_expression": null, "node_id": "", "excluded_tags": [], "count_conditions": [], "direct_relationship_only": false, "node_type_grouping_constraint": null }, { "node_type": "ActiveDirectoryGroup", "tags": [], "conditions": [], "condition_expression": null, "node_id": "", "excluded_tags": [], "count_conditions": [], "direct_relationship_only": false, "node_type_grouping_constraint": null }, { "node_type": "AzureRoleAssignment", "tags": [], "conditions": [], "condition_expression": null, "node_id": "", "excluded_tags": [], "count_conditions": [], "direct_relationship_only": false, "node_type_grouping_constraint": null }, { "node_type": "AzureAssignmentPermissions", "tags": [], "conditions": [], "condition_expression": null, "node_id": "", "excluded_tags": [], "count_conditions": [], "direct_relationship_only": false, "node_type_grouping_constraint": null } ], "nodes_operator": "AND" }, "node_relationship_type": "CONFIGURED", "include_all_source_tags_in_results": false, "include_all_destination_tags_in_results": false, "page_size": "0", "page_token": "" }, "creator": { "user_type": "localCookieUser", "id": "e3ac5e6a-1946-4688-82a7-8a607133a1c8", "email": "cookie@cookie.ai", "name": "earlypreview-auth0" }, "created_at": "2023-02-09T03:07:24.458473708Z" } ] }

{ "values": [ { "id": "text", "description": "text", "name": "text", "workflow_id": "text", "filter": "text", "mutable_fields": { "decision": 1, "notes": "text", "updated_at": "2026-06-23T04:49:41.465Z", "updated_by": { "user_type": "text", "id": "text", "email": "text", "name": "text", "alternate_email": "text" }, "notification_infos": { "values": [ { "notification_type": 1, "webhook_type": 1, "status": 1, "error_message": "text", "updated_at": "2026-06-23T04:49:41.465Z", "snow_info": { "ticket_number": "text", "sys_id": "text" }, "webhook_info": { "info": "text" }, "jira_info": { "keys": [ "text" ] }, "slack_app_info": {} } ] }, "notification_status": 1, "reviewers": [ { "user_type": "text", "id": "text", "email": "text", "name": "text", "alternate_email": "text" } ], "signed_off_state": 1, "signed_off_at": "2026-06-23T04:49:41.465Z", "signed_off_by": { "user_type": "text", "id": "text", "email": "text", "name": "text", "alternate_email": "text" }, "action_log": { "entries": [ { "action": 1, "user": { "user_type": "text", "id": "text", "email": "text", "name": "text", "alternate_email": "text" }, "time": "2026-06-23T04:49:41.465Z", "note": "text", "reviewer_detail": { "old_reviewers": [ { "user_type": "text", "id": "text", "email": "text", "name": "text", "alternate_email": "text" } ], "new_reviewers": [ { "user_type": "text", "id": "text", "email": "text", "name": "text", "alternate_email": "text" } ] }, "decision_detail": { "decision": 1, "note": "text" }, "decision_cleared_detail": { "previous_decision": 1, "original_decider": { "user_type": "text", "id": "text", "email": "text", "name": "text", "alternate_email": "text" }, "reason": 1 }, "revocation_request_detail": { "request_id": "text" }, "approval_level": 1 } ] }, "reviewer_assignment": { "users_manager": true, "resource_managers": true, "reviewers": [ { "user_type": "text", "id": "text", "email": "text", "name": "text", "alternate_email": "text" } ], "fallback_reviewers": [ { "user_type": "text", "id": "text", "email": "text", "name": "text", "alternate_email": "text" } ], "reviewers_managers_for_approval_levels": [ 1 ] }, "automation_run_ids": [ "text" ], "decision_by": { "user_type": "text", "id": "text", "email": "text", "name": "text", "alternate_email": "text" }, "decision_at": "2026-06-23T04:49:41.465Z", "revoke_request_infos": [ { "id": "text", "state": 1, "error_message": "text" } ], "old_reviewers": [ { "user_type": "text", "id": "text", "email": "text", "name": "text", "alternate_email": "text" } ], "predefined_question_response": [ { "question_id": "text", "answer_id": "text", "answer_text": "text", "respondent_user": { "user_type": "text", "id": "text", "email": "text", "name": "text", "alternate_email": "text" }, "responded_at": "2026-06-23T04:49:41.465Z" } ], "is_assigned_to_current_user": true, "ai_suggestion": { "suggestion": 1, "reason_codes": [ "text" ], "cohort_id": "text", "cohort_index": 1 }, "itsm_request_number": "text", "itsm_request_status": "text", "itsm_request_url": "text", "itsm_request_last_updated_at": "2026-06-23T04:49:41.465Z" }, "mutable_filter": "text", "apply_to_all_rows": true } ] }

POST /api/preview/awf/smart_action_definitions HTTP/1.1 Host: your-tenant.vezacloud.com Authorization: Bearer YOUR_SECRET_TOKEN Content-Type: application/json Accept: */* Content-Length: 2620 { "name": "text", "description": "text", "workflow_id": "text", "filter": "text", "mutable_fields": { "decision": 1, "notes": "text", "updated_at": "2026-06-23T04:49:41.465Z", "updated_by": { "user_type": "text", "id": "text", "email": "text", "name": "text", "alternate_email": "text" }, "notification_infos": { "values": [ { "notification_type": 1, "webhook_type": 1, "status": 1, "error_message": "text", "updated_at": "2026-06-23T04:49:41.465Z", "snow_info": { "ticket_number": "text", "sys_id": "text" }, "webhook_info": { "info": "text" }, "jira_info": { "keys": [ "text" ] }, "slack_app_info": {} } ] }, "notification_status": 1, "reviewers": [ { "user_type": "text", "id": "text", "email": "text", "name": "text", "alternate_email": "text" } ], "signed_off_state": 1, "signed_off_at": "2026-06-23T04:49:41.465Z", "signed_off_by": { "user_type": "text", "id": "text", "email": "text", "name": "text", "alternate_email": "text" }, "action_log": { "entries": [ { "action": 1, "user": { "user_type": "text", "id": "text", "email": "text", "name": "text", "alternate_email": "text" }, "time": "2026-06-23T04:49:41.465Z", "note": "text", "reviewer_detail": { "old_reviewers": [ { "user_type": "text", "id": "text", "email": "text", "name": "text", "alternate_email": "text" } ], "new_reviewers": [ { "user_type": "text", "id": "text", "email": "text", "name": "text", "alternate_email": "text" } ] }, "decision_detail": { "decision": 1, "note": "text" }, "decision_cleared_detail": { "previous_decision": 1, "original_decider": { "user_type": "text", "id": "text", "email": "text", "name": "text", "alternate_email": "text" }, "reason": 1 }, "revocation_request_detail": { "request_id": "text" }, "approval_level": 1 } ] }, "reviewer_assignment": { "users_manager": true, "resource_managers": true, "reviewers": [ { "user_type": "text", "id": "text", "email": "text", "name": "text", "alternate_email": "text" } ], "fallback_reviewers": [ { "user_type": "text", "id": "text", "email": "text", "name": "text", "alternate_email": "text" } ], "reviewers_managers_for_approval_levels": [ 1 ] }, "automation_run_ids": [ "text" ], "decision_by": { "user_type": "text", "id": "text", "email": "text", "name": "text", "alternate_email": "text" }, "decision_at": "2026-06-23T04:49:41.465Z", "revoke_request_infos": [ { "id": "text", "state": 1, "error_message": "text" } ], "old_reviewers": [ { "user_type": "text", "id": "text", "email": "text", "name": "text", "alternate_email": "text" } ], "predefined_question_response": [ { "question_id": "text", "answer_id": "text", "answer_text": "text" } ], "is_assigned_to_current_user": true, "ai_suggestion": { "suggestion": 1, "reason_codes": [ "text" ], "cohort_id": "text", "cohort_index": 1 }, "itsm_request_number": "text", "itsm_request_status": "text", "itsm_request_url": "text", "itsm_request_last_updated_at": "2026-06-23T04:49:41.465Z" }, "mutable_filter": "text", "apply_to_all_rows": true }

PUT /api/preview/awf/smart_action_definitions HTTP/1.1 Host: your-tenant.vezacloud.com Authorization: Bearer YOUR_SECRET_TOKEN Content-Type: application/json Accept: */* Content-Length: 2642 { "value": { "id": "text", "description": "text", "name": "text", "workflow_id": "text", "filter": "text", "mutable_fields": { "decision": 1, "notes": "text", "updated_at": "2026-06-23T04:49:41.465Z", "updated_by": { "user_type": "text", "id": "text", "email": "text", "name": "text", "alternate_email": "text" }, "notification_infos": { "values": [ { "notification_type": 1, "webhook_type": 1, "status": 1, "error_message": "text", "updated_at": "2026-06-23T04:49:41.465Z", "snow_info": { "ticket_number": "text", "sys_id": "text" }, "webhook_info": { "info": "text" }, "jira_info": { "keys": [ "text" ] }, "slack_app_info": {} } ] }, "notification_status": 1, "reviewers": [ { "user_type": "text", "id": "text", "email": "text", "name": "text", "alternate_email": "text" } ], "signed_off_state": 1, "signed_off_at": "2026-06-23T04:49:41.465Z", "signed_off_by": { "user_type": "text", "id": "text", "email": "text", "name": "text", "alternate_email": "text" }, "action_log": { "entries": [ { "action": 1, "user": { "user_type": "text", "id": "text", "email": "text", "name": "text", "alternate_email": "text" }, "time": "2026-06-23T04:49:41.465Z", "note": "text", "reviewer_detail": { "old_reviewers": [ { "user_type": "text", "id": "text", "email": "text", "name": "text", "alternate_email": "text" } ], "new_reviewers": [ { "user_type": "text", "id": "text", "email": "text", "name": "text", "alternate_email": "text" } ] }, "decision_detail": { "decision": 1, "note": "text" }, "decision_cleared_detail": { "previous_decision": 1, "original_decider": { "user_type": "text", "id": "text", "email": "text", "name": "text", "alternate_email": "text" }, "reason": 1 }, "revocation_request_detail": { "request_id": "text" }, "approval_level": 1 } ] }, "reviewer_assignment": { "users_manager": true, "resource_managers": true, "reviewers": [ { "user_type": "text", "id": "text", "email": "text", "name": "text", "alternate_email": "text" } ], "fallback_reviewers": [ { "user_type": "text", "id": "text", "email": "text", "name": "text", "alternate_email": "text" } ], "reviewers_managers_for_approval_levels": [ 1 ] }, "automation_run_ids": [ "text" ], "decision_by": { "user_type": "text", "id": "text", "email": "text", "name": "text", "alternate_email": "text" }, "decision_at": "2026-06-23T04:49:41.465Z", "revoke_request_infos": [ { "id": "text", "state": 1, "error_message": "text" } ], "old_reviewers": [ { "user_type": "text", "id": "text", "email": "text", "name": "text", "alternate_email": "text" } ], "predefined_question_response": [ { "question_id": "text", "answer_id": "text", "answer_text": "text" } ], "is_assigned_to_current_user": true, "ai_suggestion": { "suggestion": 1, "reason_codes": [ "text" ], "cohort_id": "text", "cohort_index": 1 }, "itsm_request_number": "text", "itsm_request_status": "text", "itsm_request_url": "text", "itsm_request_last_updated_at": "2026-06-23T04:49:41.465Z" }, "mutable_filter": "text", "apply_to_all_rows": true } }

{ "values": [ { "result_id": 0, "source": { "aliases": [], "created_at": "2023-05-03T14:25:43Z", "datasource_id": "datasource:google_cloud_workspace", "email_addresses": [ "jdoe@cookiebeta.ai", "jdoe@cookiebeta.ai.test-google-a.com", "jdoe@veza.com" ], "full_admin": false, "google_cloud_organization_name": "organizations/123456789012", "guest": false, "id": "datasource:112655590859538682841", "idp_unique_id": "jdoe@cookiebeta.ai", "is_active": true, "last_login_at": "2023-05-10T15:25:04Z", "location_areas": [], "mfa_enabled": false, "name": "jdoe@cookiebeta.ai", "organization_names": [], "provider_id": "datasource", "suspended": false, "type": "GoogleWorkspaceUser", "tags": [ { "key": "department", "type": "VEZA", "value": "engineering" } ] }, "destination": { "created_at": "2021-11-01T14:23:35Z", "datasource_id": "datasource:google_cloud_iam", "google_cloud_organization_name": "organizations/123456789012", "id": "projects/743979515322", "name": "Dev GCP Project", "parent_id": "organizations/123456789012", "project_id": "striped-graph-330814", "provider_id": "datasource", "type": "GoogleCloudProject", "updated_at": "2022-04-07T22:08:48Z" }, "accumulated_effective_permissions": [], "accumulated_raw_permissions": [ "bigquery.datasets.get", "bigquery.datasets.getIamPolicy", "bigquery.tables.get", "bigquery.tables.getIamPolicy", "bigquery.tables.list", "iam.roles.get", "iam.roles.list", "iam.serviceAccounts.create", "iam.serviceAccounts.list", "resourcemanager.folders.create", "resourcemanager.folders.delete", "resourcemanager.folders.get", "resourcemanager.folders.getIamPolicy", "resourcemanager.folders.list", "resourcemanager.folders.move", "resourcemanager.folders.setIamPolicy", "resourcemanager.folders.undelete", "resourcemanager.organizations.get", "resourcemanager.organizations.getIamPolicy", "resourcemanager.organizations.setIamPolicy", "resourcemanager.projects.create", "resourcemanager.projects.delete", "resourcemanager.projects.get", "resourcemanager.projects.getIamPolicy", "resourcemanager.projects.list", "resourcemanager.projects.move", "resourcemanager.projects.setIamPolicy", "resourcemanager.projects.update", "storage.buckets.create", "storage.buckets.createTagBinding", "storage.buckets.delete", "storage.buckets.deleteTagBinding", "storage.buckets.get", "storage.buckets.getIamPolicy", "storage.buckets.list", "storage.buckets.listTagBindings", "storage.buckets.setIamPolicy", "storage.buckets.update" ], "updated_at": null, "updated_by": null, "signed_off_at": null, "signed_off_by": null, "notification_response_infos": [], "notification_status": "UNKNOWN", "waypoint": { "id": "organizations/123456789012_policy_role_binding0", "name": "CookieAIDevServicePrincipalRole", "type": "GoogleCloudIamRoleBinding" }, "action_log_entries": [], "decision": "NONE", "notes": "", "reviewers": [ { "user_type": "localCookieUser", "id": "e3ac5e6a-1946-4688-82a7-8a607133a1c8", "email": "cookie@cookie.ai", "name": "External User" } ], "signed_off_state": "NOT_SIGNED_OFF", "reviewer_assignment": null, "joined_nodes": { "idp": { "canonical_name": "Jane Doe", "department": "Engineering", "email": "jdoe@cookiebeta.ai", "identity_type": "HUMAN", "is_active": true, "manager_email": "manager@cookiebeta.ai", "name": "jdoe", "type": "OAA.custom_idp.IDPUser" } } }, { "result_id": 1, "source": { "aliases": [], "created_at": "2023-05-03T14:25:43Z", "datasource_id": "datasource:google_cloud_workspace", "email_addresses": [ "jdoe@cookiebeta.ai", "jdoe@cookiebeta.ai.test-google-a.com", "jdoe@veza.com" ], "full_admin": false, "google_cloud_organization_name": "organizations/123456789012", "guest": false, "id": "datasource:112655590859538682841", "idp_unique_id": "jdoe@cookiebeta.ai", "is_active": true, "last_login_at": "2023-05-10T15:25:04Z", "location_areas": [], "mfa_enabled": false, "name": "jdoe@cookiebeta.ai", "organization_names": [], "provider_id": "datasource", "suspended": false, "type": "GoogleWorkspaceUser" }, "destination": { "created_at": "2021-11-01T14:23:35Z", "datasource_id": "datasource:google_cloud_iam", "google_cloud_organization_name": "organizations/123456789012", "id": "projects/743979515322", "name": "Dev GCP Project", "parent_id": "organizations/123456789012", "project_id": "striped-graph-330814", "provider_id": "datasource", "type": "GoogleCloudProject", "updated_at": "2022-04-07T22:08:48Z" }, "accumulated_effective_permissions": [], "accumulated_raw_permissions": [ "cloudkms.cryptoKeyVersions.create", "cloudkms.cryptoKeyVersions.destroy", "cloudkms.cryptoKeyVersions.get", "cloudkms.cryptoKeyVersions.list", "cloudkms.cryptoKeyVersions.restore", "cloudkms.cryptoKeyVersions.update", "cloudkms.cryptoKeyVersions.useToDecryptViaDelegation", "cloudkms.cryptoKeyVersions.useToEncryptViaDelegation", "cloudkms.cryptoKeys.create", "cloudkms.cryptoKeys.get", "cloudkms.cryptoKeys.getIamPolicy", "cloudkms.cryptoKeys.list", "cloudkms.cryptoKeys.setIamPolicy", "cloudkms.cryptoKeys.update", "cloudkms.keyRings.create", "cloudkms.keyRings.createTagBinding", "cloudkms.keyRings.deleteTagBinding", "cloudkms.keyRings.get", "cloudkms.keyRings.getIamPolicy", "cloudkms.keyRings.list", "cloudkms.keyRings.listTagBindings", "cloudkms.keyRings.setIamPolicy", "cloudkms.locations.get", "cloudkms.locations.list", "resourcemanager.projects.get" ], "updated_at": null, "updated_by": null, "signed_off_at": null, "signed_off_by": null, "notification_response_infos": [], "notification_status": "UNKNOWN", "waypoint": { "id": "organizations/123456789012_policy_role_binding11", "name": "cloudkms.admin", "type": "GoogleCloudIamRoleBinding" }, "action_log_entries": [], "decision": "NONE", "notes": "", "reviewers": [ { "user_type": "localCookieUser", "id": "e3ac5e6a-1946-4688-82a7-8a607133a1c8", "email": "cookie@cookie.ai", "name": "External User" } ], "signed_off_state": "NOT_SIGNED_OFF", "reviewer_assignment": null } ], "next_page_token": "EAI=", "has_more": true, "has_previous": false }

{ "nodes": [ { "properties": { "id": "arn:aws:iam::973979857296:role/FederatedS3", "name": "FederatedS3", "type": "AwsIamRole" }, "out_edges": [ { "destination_node_id": "arn:aws:iam::973979857296:role/FederatedS3::eperm::877042069677/S3Bucket/2ce2cbf45bcc5d748c800358d9932a251d670509" } ] }, { "properties": { "id": "0bba9374-d4f5-4c77-93d2-7dfde581fa8a", "name": "Abel_Maclead", "type": "AzureADUser" }, "out_edges": [ { "destination_node_id": "arn:aws:iam::973979857296:role/FederatedS3" } ] }, { "properties": { "id": "arn:aws:iam::973979857296:role/FederatedS3::eperm::877042069677/S3Bucket/2ce2cbf45bcc5d748c800358d9932a251d670509", "name": "Read", "type": "AwsIamEffectivePermission" }, "out_edges": [ { "destination_node_id": "arn:aws:s3:::cct-cct02-finance" } ] }, { "properties": { "id": "arn:aws:s3:::cct-cct02-finance", "name": "cct-cct02-finance", "type": "S3Bucket" }, "out_edges": [] } ], "accumulated_effective_permissions": [ "Read" ], "accumulated_raw_permissions": [ "s3:GetObject" ], "datasource_infos": [ { "datasource_id": "160e97cf-4b8a-4841-800b-49f8d6fa17ef", "external_id": "160e97cf-4b8a-4841-800b-49f8d6fa17ef", "name": "", "last_sync_time": "2022-09-12T22:15:34.874682421Z", "agent_type": "", "has_error": false, "is_deleted": false, "reason": "", "last_error_message": "", "has_warning": false }, { "datasource_id": "", "external_id": "", "name": "", "last_sync_time": "2022-09-12T22:09:47.245436023Z", "agent_type": "", "has_error": false, "is_deleted": false, "reason": "", "last_error_message": "", "has_warning": false } ] }

{ "value": { "result_id": 0, "source": { "aliases": [], "created_at": "2023-05-03T14:25:43Z", "datasource_id": "datasource:google_cloud_workspace", "email_addresses": [ "jdoe@cookiebeta.ai", "jdoe@cookiebeta.ai.test-google-a.com", "jdoe@veza.com" ], "full_admin": false, "google_cloud_organization_name": "organizations/123456789012", "guest": false, "id": "datasource:112655590859538682841", "idp_unique_id": "jdoe@cookiebeta.ai", "is_active": true, "last_login_at": "2023-05-10T15:25:04Z", "location_areas": [], "mfa_enabled": false, "name": "jdoe@cookiebeta.ai", "organization_names": [], "provider_id": "datasource", "suspended": false, "type": "GoogleWorkspaceUser", "tags": [ { "key": "department", "type": "VEZA", "value": "engineering" } ] }, "destination": { "created_at": "2021-11-01T14:23:35Z", "datasource_id": "datasource:google_cloud_iam", "google_cloud_organization_name": "organizations/123456789012", "id": "projects/743979515322", "name": "Dev GCP Project", "parent_id": "organizations/123456789012", "project_id": "striped-graph-330814", "provider_id": "datasource", "type": "GoogleCloudProject", "updated_at": "2022-04-07T22:08:48Z" }, "accumulated_effective_permissions": [], "accumulated_raw_permissions": [ "bigquery.datasets.get", "bigquery.datasets.getIamPolicy", "bigquery.tables.get", "bigquery.tables.getIamPolicy", "bigquery.tables.list", "iam.roles.get", "iam.roles.list", "iam.serviceAccounts.create", "iam.serviceAccounts.list", "resourcemanager.folders.create", "resourcemanager.folders.delete", "resourcemanager.folders.get", "resourcemanager.folders.getIamPolicy", "resourcemanager.folders.list", "resourcemanager.folders.move", "resourcemanager.folders.setIamPolicy", "resourcemanager.folders.undelete", "resourcemanager.organizations.get", "resourcemanager.organizations.getIamPolicy", "resourcemanager.organizations.setIamPolicy", "resourcemanager.projects.create", "resourcemanager.projects.delete", "resourcemanager.projects.get", "resourcemanager.projects.getIamPolicy", "resourcemanager.projects.list", "resourcemanager.projects.move", "resourcemanager.projects.setIamPolicy", "resourcemanager.projects.update", "storage.buckets.create", "storage.buckets.createTagBinding", "storage.buckets.delete", "storage.buckets.deleteTagBinding", "storage.buckets.get", "storage.buckets.getIamPolicy", "storage.buckets.list", "storage.buckets.listTagBindings", "storage.buckets.setIamPolicy", "storage.buckets.update" ], "updated_at": null, "updated_by": null, "signed_off_at": null, "signed_off_by": null, "notification_response_infos": [], "notification_status": "UNKNOWN", "waypoint": { "id": "organizations/123456789012_policy_role_binding0", "name": "CookieAIDevServicePrincipalRole", "type": "GoogleCloudIamRoleBinding" }, "action_log_entries": [], "decision": "NONE", "notes": "", "reviewers": [ { "user_type": "localCookieUser", "id": "e3ac5e6a-1946-4688-82a7-8a607133a1c8", "email": "cookie@cookie.ai", "name": "External User" } ], "signed_off_state": "NOT_SIGNED_OFF", "reviewer_assignment": null, "joined_nodes": { "idp": { "canonical_name": "Jane Doe", "department": "Engineering", "email": "jdoe@cookiebeta.ai", "identity_type": "HUMAN", "is_active": true, "manager_email": "manager@cookiebeta.ai", "name": "jdoe", "type": "OAA.custom_idp.IDPUser" } } } }

{ "values": [ { "certification_id": "b2562ef3-a4b3-4b30-8a45-1ba36f945d10", "workflow_id": "b9dc2586-5f30-4462-b6be-53f62debc40f", "query_used": { "raw_permissions": null, "effective_permissions": null, "source_node_types": { "nodes": [ { "node_type": "GoogleWorkspaceUser", "tags": [], "conditions": [], "condition_expression": null, "node_id": "", "excluded_tags": [], "count_conditions": [], "direct_relationship_only": false, "node_type_grouping_constraint": null } ], "nodes_operator": "AND" }, "required_intermediate_node_types": { "nodes": [], "nodes_operator": "AND" }, "avoided_intermediate_node_types": { "nodes": [], "nodes_operator": "AND" }, "destination_node_types": { "nodes": [ { "node_type": "GoogleCloudProject", "tags": [], "conditions": [], "condition_expression": null, "node_id": "", "excluded_tags": [], "count_conditions": [], "direct_relationship_only": false, "node_type_grouping_constraint": null } ], "nodes_operator": "AND" }, "no_relation": false, "snapshot_id": "1690354800", "waypoint_node_types": { "nodes": [ { "node_type": "GoogleCloudIamRoleBinding", "tags": [], "conditions": [], "condition_expression": null, "node_id": "", "excluded_tags": [], "count_conditions": [], "direct_relationship_only": false, "node_type_grouping_constraint": null } ], "nodes_operator": "AND" }, "path_summary_node_types": null, "node_relationship_type": "CONFIGURED", "include_all_source_tags_in_results": true, "include_all_destination_tags_in_results": false, "page_size": "0", "page_token": "" }, "name": "demo", "notes": "", "due_date": "2023-07-30T03:44:00Z", "reviewers": [], "state": "IN_PROGRESS", "snapshot_time": "2023-07-26T07:00:00Z", "started_at": "2023-07-27T03:44:27.260812616Z", "query_completed_at": "2023-07-27T03:44:31.410373279Z", "completed_at": null, "created_by": { "user_type": "localCookieUser", "id": "e3ac5e6a-1946-4688-82a7-8a607133a1c8", "email": "cookie@cookie.ai", "name": "earlypreview-auth0" }, "completed_by": null, "results_updated_at": "2023-07-27T03:44:31.410373665Z", "results_updated_by": { "user_type": "localCookieUser", "id": "e3ac5e6a-1946-4688-82a7-8a607133a1c8", "email": "cookie@cookie.ai", "name": "earlypreview-auth0" }, "updated_at": "2023-07-27T03:44:31.410413829Z", "updated_by": { "user_type": "localCookieUser", "id": "e3ac5e6a-1946-4688-82a7-8a607133a1c8", "email": "cookie@cookie.ai", "name": "earlypreview-auth0" }, "error_reason": "", "expired_at": null, "version": 1, "total_result_count": 2433, "total_complete_count": 0, "total_rejected_count": 0, "total_accepted_count": 0, "total_fixed_count": 0 } ] }

Outlier Detection

Configure outlier detection settings to identify anomalous access patterns in Access Reviews.

Early Access Feature: Outlier Detection is currently in Early Access and available via API only. The feature and API are subject to change. Contact your Veza Customer Success Manager to enable this feature for your tenant.

Configure outlier detection to automatically identify and flag anomalous access patterns during Access Reviews. The Manager-Centric algorithm compares each user's access to their peer group and detects access held by fewer than a specified threshold percentage of peers, helping reviewers focus on unusual or potentially risky permissions.

How Outlier Detection Works

The Manager-Centric outlier detection algorithm uses statistical analysis to identify rare access patterns:

Peer Grouping: Users are grouped based on configurable properties (default: users sharing the same manager)
Statistical Analysis: For each destination (resource/permission) in the review, Veza calculates what percentage of the peer group has access using the Wilson score confidence interval method at 95% confidence
Threshold Comparison: Access paths where the statistical lower bound is at or below the configured threshold are flagged as outliers
Reviewer Visibility: Flagged items are highlighted in the reviewer interface with explanations indicating the access is rare within the peer group

By default, outlier detection uses:

Grouping: Users with the same manager (manager_idp_unique_id property)
Threshold: 15% (access held by ≤15% of peers is flagged as an outlier)

Consider an Access Review for Okta groups:

100 users report to Manager A
95 of them have access to the "Engineering-All-Hands" group
5 users have access to the "Admin-Production-Access" group

Given a 15% threshold:

"Engineering-All-Hands" access (95% of peers) is not flagged, as this is normal access
"Admin-Production-Access" (5% of peers) is flagged as an outlier, as this is rare access

The reviewer sees a warning on those 5 rows that this access is anomalous within the peer group — no more than 15% of peers with shared characteristics have it.

Administrators can customize outlier detection using APIs:

GET /api/private/workflows/access/global_settings/manager_centric_config

Retrieve the current outlier detection configuration, either globally or for a specific review configuration.

Name

Type

Required

Description

PUT /api/private/workflows/access/global_settings/manager_centric_config

Update the outlier detection configuration globally or for a specific review configuration.

Name

Type

Required

Description

Grouping properties define how users are organized into peer groups for outlier analysis. You can specify properties from:

Source nodes (the users/identities in the review)
Destination nodes (the resources/permissions being reviewed)
Enriched/joined nodes (additional data joined to the query, such as manager information from an IdP)

Each property reference has these fields:

Field

Type

Required

Description

Properties from the source entities in the review (typically users/identities).

Common source properties:

department - User's department
location - User's location
manager_idp_unique_id - User's manager identifier (default)

Example:

Properties from the destination entities (resources/permissions being reviewed).

Common destination properties:

classification - Resource classification level
data_sensitivity - Data sensitivity level
owner - Resource owner

Example:

Properties from enriched/joined metadata from another data source. These require the review query to include a JoinNodeSpec that joins additional data (such as manager information from an IdP).

Example:

This groups all users by their manager's department, requiring the review query to join the manager data with the alias "manager".

Groups users by manager with a 15% threshold (default configuration):

Use case: Identify access that's unusual compared to direct peers reporting to the same manager.

Groups users by both department and location with a 10% threshold:

Use case: Identify access that's rare among users in the same department and office location.

Compares each user to the entire population with 5% threshold:

Use case: Flag extremely rare access across the entire organization, regardless of role or department.

Groups by destination resource classification with a 20% threshold:

Use case: Identify unusual access patterns within resources of the same classification level.

Groups by the manager's department (requires query enrichment) with a 15% threshold:

Use case: Identify access that's unusual among users whose managers are in the same department, useful in matrix organizations.

Scenario: Reviewing access to financial systems where SOX compliance requires attention to outlier access.

Configuration:

Users with access held by ≤5% of their department peers are flagged for additional scrutiny.

Scenario: Reviewing production system access where most engineers shouldn't have admin rights.

Configuration:

Identifies engineers with production access that is unusual within their team, considering the environment.

Scenario: Reviewing access where job role should predict permissions.

Configuration:

Flags access held by ≤15% of users with the same job role, indicating potential role creep or over-provisioning.

Scenario: Detecting access patterns that are unusual for an entire department.

Configuration:

Identifies access held by ≤8% of users in the same department and location, flagging potentially inappropriate cross-functional access.

- Overview of all Access Reviews settings
- Complete Access Reviews documentation

Access Reviews APIs

Core Workflow Operations

Workflow Parameters Reference

Workflow Properties

Force Update Result

Update Webhook Info

Manage Reviewer Deny List

Review Completion Settings

Review Auto-Complete Settings

Parameters

Self Review Prevention

Review UI Customizations

Parameters

Expire Overdue Reviews

Parameters

Get Expire Overdue Reviews Setting

Set Expire Overdue Reviews Setting

Review Expiration Behavior

Data Source Acknowledgement

Parameters

Predefined Decision Notes

Reviewer Export Settings

Parameters

Alternate Reviewer Settings

Access Reviews APIs

Core Workflow Operations

Quick start

Update Webhook Info

Review UI Customizations

Parameters

Expire Overdue Reviews

Parameters

Get Expire Overdue Reviews Setting

Set Expire Overdue Reviews Setting

Review Auto-Complete Settings

Parameters

Data Source Acknowledgement

Parameters

Self Review Prevention

Predefined Decision Notes

Review Expiration Behavior

Review Completion Settings

Parameters

Example

Get Predefined Notes Settings

Set Predefined Notes Settings

Example

Get Review UI Customizations

Set Review UI Customizations

Parameters

Examples

Get Self Review Settings

Set Self Review Settings

Request Structure

Parameters

Example

Get Review Expiration Behavior

Set Review Expiration Behavior

Parameters

Example

Get Review Completion Settings

Set Review Completion Settings

Example

Get Review Auto-Complete Settings

Set Review Auto-Complete Settings

Get Data Source Acknowledgement Setting

Set Data Source Acknowledgement Setting

Workflow Parameters Reference

Workflow Properties

Reviewer Export Settings

Parameters

Force Update Result

Manage Reviewer Deny List

Alternate Reviewer Settings

Get Deny List

Add User

Remove User

Certification Properties

Result Properties

ResultNode

Re-assigning `reviewers`