1 of 39

Access Reviews APIs

Methods for interacting with workflows and certifications

These endpoints enable listing workflows, listing certifications, getting certification results, and updating certifications. They can be used to programmatically retrieve workflow and certification details, and update certification rows with a decision or note, such as ticket number.

These endpoints also provide utility functionality, such as managing the reviewer deny list, populating results with webhook response info, and customizing quick filters, smart actions, and help pages.

Core Workflow Operations

APIs for Veza Access Reviews are subject to change, and as such are provided with the /preview API collection. Use the appropriate prefix when calling the API, for example, your-org.vezacloud.com/api/preview/.

Quick start

First, save your and Veza base URL as environment variables:

Get all workflows and IDs:

Use a workflow id to get active and pending certifications for that workflow:

The response will include certification details, including the certification ids.

Using a certification id, you can get results for the certification, including entity attributes:

Update a certification result row with a note:

Create Certification

Create a new access review certification from a workflow

Create a new access review certification from an existing workflow.

Overview

Use dynamic_information to filter certification results to specific identities at creation time. This enables you to use a broad query at the workflow level, and then scope individual reviews to certain identities when creating the certification.

Identity IDs and types are sourced from the Veza Authorization Graph and must match existing graph node values from your integrated identity providers.

Endpoint

POST /api/preview/awf/certifications

Request Body

Field

Type

Required

Description

workflow_id

string

Yes

The ID of the workflow to create a certification from

data_source

integer

Dynamic Information

The dynamic_information parameter allows you to filter certification results to specific user identities at creation time.

Field

Type

Required

Description

identities

array

Yes

List of identity objects to filter by

Identity Object

Field

Type

Required

Description

id

string

Yes

The identity ID from Veza Graph (e.g., IdP user ID)

type

string

Reviewer Assignment

The reviewer_assignment and reviewer_assignment_second_level objects configure how reviewers are assigned to certification rows.

Field

Type

Description

users_manager

boolean

Assign the user's manager as reviewer

resource_managers

boolean

Assign resource owners as reviewers

Response

{
  "certification_id": "b2562ef3-a4b3-4b30-8a45-1ba36f945d10"
}

Examples

Basic Certification

Create a certification using the latest data:

curl -X POST "$VEZA_URL/api/preview/awf/certifications" \
  -H "authorization: Bearer $VEZA_TOKEN" \
  -H "content-type: application/json" \
  -d '{
    "workflow_id": "b9dc2586-5f30-4462-b6be-53f62debc40f",
    "name": "Q4 2025 Access Review",
    "data_source": 0
  }'

Dynamic Filtering (Joiner/Mover/Leaver)

Use dynamic_information to scope a certification to specific identities. For mover scenarios, include previous_manager_id:

curl -X POST "$VEZA_URL/api/preview/awf/certifications" \
  -H "authorization: Bearer $VEZA_TOKEN" \
  -H "content-type: application/json" \
  -d '{
    "workflow_id": "b9dc2586-5f30-4462-b6be-53f62debc40f",
    "name": "Department Transfer Review",
    "data_source": 0,
    "dynamic_information": {
      "identities": [
        {
          "id": "00u1a2b3c4d5e6f7g8h9",
          "type": "OktaUser",
          "previous_manager_id": "00umgr123456789"
        }
      ]
    }
  }'

Multi-Level Review

Create a certification with multi-level approval requirements:

curl -X POST "$VEZA_URL/api/preview/awf/certifications" \
  -H "authorization: Bearer $VEZA_TOKEN" \
  -H "content-type: application/json" \
  -d '{
    "workflow_id": "b9dc2586-5f30-4462-b6be-53f62debc40f",
    "name": "High-Risk Access Review",
    "data_source": 0,
    "reviewer_assignment": {
      "resource_managers": true
    },
    "reviewer_assignment_second_level": {
      "users_manager": true
    },
    "final_approval_level": 2
  }'

Identity Types

Use the graph node type that corresponds to your integrated IdP:

Integration

Identity Type

Okta

OktaUser

Azure AD

AzureADUser

Active Directory

ActiveDirectoryUser

Identity IDs and types must match the values stored in the Veza Authorization Graph. You can find these values by querying the graph or viewing entity details in the Veza UI.

Force Update Result

Update a single result with escalated privileges

ForceUpdateAwfResults allows administrators to modify results more than normally allowed, such as changing sign-off status, or changing a row's decision after a certification expires.

Method

syntax

The API token used for this request must be created for a user with the

Quick Filters

Customizing saved filters for certification reviewers.

List, create, and delete saved filters, globally or for a single workflow. Reviewers can pick from available quick filters under Certification Filters > Saved Filters.

Method

Syntax

GET, POST, DELETE

{Veza URL}/api/preview/awf/quick_filters

Requests require a for authentication.

Examples

Add a quick filter

Add a quick filter by specifying an optional workflow_id and a single source or destination node property, corresponding to a Review interface column.

Filters can also apply to abstract_permissions or concrete_permissions (see example response).

Valid filter operators are:

co "contains"
eq "equals"
ne "not equals"

With a workflow_id specified, the filter will only apply to certifications on that workflow. Otherwise, reviewers can apply the quick filter to any certification:

A successful response will contain the filter id, for example:

List all quick filters

Including a workflow_id in the query returns quick filters with a matching workflow_id and quick filters with no workflow_id:

Example response:

Remove quick filter by quick filter id

Help Page Templates

Manage custom help pages for Veza Access Reviews.

Use these operations to add and manage help pages for access reviewers, and customize pop-up messages when a review starts, or when rows are signed off.

Operation

Method

Syntax

POST

{veza_url}/api/preview/awf/help_page_templates

Create help page

Add custom help messages for reviewers by providing the plain text template_body, name, and an existing workflow_id and usage where the template will apply. All reviews (certifications) for the configuration (workflow) will use the new template.

Template usage

The usage field determines how and when the help page will be visible to users. It must be one of the following values:

HELP_PAGE: Reviewers can access help pages from reviewer's interface by clicking the User Guide icon. The help page will also appear when viewing the review for the first time.
REVIEW_START: Opens when reviewers start a review.
SIGN_OFF

Only one help page can exist at a time for a given workflow and usage. You can manage global help pages by using 00000000-0000-0000-0000-000000000000 as the workflow_id. Global help pages for each usage will apply to all reviews for all configurations.

Template formatting

The template can use markdown and placeholders, for example:

See for more information about placeholders.

Example request:

List help pages

Get all configured help page templates.

Example response:

Get help page

Returns the current help page template for an existing workflow_id and usage.

The usage parameter must be specified. For the existing help page template, the usage value should be HELP_PAGE.
To retrieve the tenant-wide default template (if it was set), use an all-zero UUID (00000000-0000-0000-0000-000000000000) for the workflow_id.

Example request:

Get review help page

Returns the current template for a given certification id.

Example request:

Example response:

Delete help page

Permanently remove the help page template for a workflow_id and usage. It will no longer apply to reviews for using the configuration, specified by workflow_id.

The usage parameter must be specified. For the existing help page template, the usage value should be HELP_PAGE.
To clear the tenant-wide default template, use an all-zero UUID for the workflow_id: 00000000-0000-0000-0000-000000000000.

Example request:

Update help page

PUT {{veza_url}}/api/preview/awf/help_page_templates

Update the help page for the specified workflow_id and usage:

To add a tenant-wide default template, use an all-zero UUID for the workflow_id: 00000000-0000-0000-0000-000000000000.
Updating a template now uses a plain text template_body, instead of a base64-encoded string.

Example request:

Smart Action Definitions

Define filter-based actions that reviewers can apply to certifications results with a matching attribute or status.

Reviewers can view and apply custom actions from the Review interface by clicking Smart Action > Prepared Actions.

Add smart action definition
- Mutable fields and mutable filters
Remove a smart action definition
List smart action definitions
Update a smart action definition

Add smart action definition

Create a smart action definition, globally or for a single Workflow.

A certification result includes all source and destination node properties discovered or added by Veza. You can specify a SCIM filter to select the results to affect, for example:

Example request:

curl -X POST "https://{{veza_url}}/api/preview/awf/smart_action_definitions" \
-H 'authorization: Bearer {{access_token}}' \
-d '{
  "apply_to_all_rows": "false",
  "description": "Reject users where the user `is active` value is not `true`",
  "filter": "source.is_active ne \"true\"",
  "mutable_fields": {
    "decision": "RESULT_DECISION_REJECTED"
  },
  "mutable_filter": "",
  "name": "Reject inactive users",
  "workflow_id": ""
}'

The filter can apply to any source or destination node property.

When apply_to_all_rows is true and no other filter criteria is specified, the action will run on all certification results.

Mutable fields and mutable filters

Mutable fields contain result attributes that are not sourced from Access Graph metadata. Use mutable_fields to apply changes to a result, and mutable_filter to filter results based on decision or sign-off state:

{
  "apply_to_all_rows": "false",
  "description": "Sign off on all rejected rows",
  "filter": "",
  "mutable_fields": {
    "signed_off_state": "SIGNED_OFF"
  },
  "mutable_filter": "decision eq \"RESULT_DECISION_REJECTED\"",
  "name": "Sign off rejected rows",
  "workflow_id": ""
}

Mutable field

Value

decision

One of: "RESULT_DECISION_UNKNOWN" "RESULT_DECISION_NONE" "RESULT_DECISION_ACCEPTED" "RESULT_DECISION_REJECTED" "RESULT_DECISION_FIXED"

notes

string

signed_off_state

One of: "UNKNOWN" "NOT_SIGNED_OFF" "SIGNED_OFF"

Remove a smart action definition

Delete a prepared action by definition id.

List smart action definitions

Returns an array of smart action definitions. By default, this endpoint lists all definitions. If a workflow_id is specified, only definitions for that workflow are included in the response.

Update a smart action definition

Alter a smart action definition by specifying the id and an array of values to change.

Access Review Settings

API operations for customizing the behavior and functionality of Veza Access Reviews.

These endpoints can be called by providing a Veza admin user API key. See to generate a bearer token for use in requests. Note that API operations in the private namespace are subject to change as features are added or modified.

Use these APIs to configure for Veza Access Reviews.

The settings that can be configured by a Veza administrator are:

Review Completion Settings

Customize the requirements for completing a review.

An Admin or Operator user can complete a review by clicking the "Complete Review" button.

Once a review is marked as "completed," it becomes read-only and is no longer visible to reviewers. By default, a review can be completed when all rows have a signed-off decision.

This API allows you to modify this behavior, enabling a review to be completed at any time, or only when all rows are signed off with a non-rejected decision. The latter option is useful if your organization prefers to complete reviews only after all rejected access has been remediated.

Parameters

Review Auto-Complete Settings

Enable or disable automatic review completion once all rows have decisions.

Enable or disable the "auto-complete" feature. When auto-complete is enabled, a review will automatically be completed once all rows have a signed-off decision, or a non-rejected signed-off decision, depending on the "Completion Allowed Settings."

Parameters

Possible values are:

AUTO_COMPLETE_UNKNOWN
AUTO_COMPLETE_ENABLED
AUTO_COMPLETE_DISABLED

Example

Get Review Auto-Complete Settings

Set Review Auto-Complete Settings

Self Review Prevention

Prevent users from being assigned as reviewers for rows that relate to their own access and permissions.

Enable or disable self-review prevention. When self-review prevention is enabled, users are prevented from being assigned as reviewers for rows that relate to their own access and permissions.

Parameters

The value can be either an integer or string:

SELF_REVIEWER_CHECKING_DISABLED = 1 (or "SELF_REVIEWER_CHECKING_DISABLED" as string)
SELF_REVIEWER_CHECKING_ENABLED = 2 (or "SELF_REVIEWER_CHECKING_ENABLED" as string)

An optional workflow_id parameter allows configuring self-review prevention per review configuration, overriding the global setting for that configuration. When workflow_id is omitted, the request reads or writes the global setting.

Examples

Example using string value (global):

{
    "value": "SELF_REVIEWER_CHECKING_DISABLED"
}

Example using integer value (global):

{
    "value": 1
}

Example enabling self-review prevention for a specific review configuration:

{
    "value": "SELF_REVIEWER_CHECKING_ENABLED",
    "workflow_id": "8ae1c414-3a76-46cb-950a-925316b3f264"
}

When a workflow_id is provided on a GET request, Veza returns the configuration-specific setting if one exists, or falls back to the global setting.

Example GET request (per review configuration):

curl -L -X GET 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/self_reviewer_settings?workflow_id=8ae1c414-3a76-46cb-950a-925316b3f264' \
  -H 'Authorization: Bearer YOUR_SECRET_TOKEN'

Example cURL request (global):

curl -L -X PUT 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/self_reviewer_settings' \
  -H 'Authorization: Bearer YOUR_SECRET_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{
    "value": 1
  }'

Example cURL request (per review configuration):

curl -L -X PUT 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/self_reviewer_settings' \
  -H 'Authorization: Bearer YOUR_SECRET_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{
    "value": 2,
    "workflow_id": "8ae1c414-3a76-46cb-950a-925316b3f264"
  }'

Get Self Review Settings

Set Self Review Settings

Expire Overdue Reviews

Auto-expire overdue reviews.

This setting is configurable on the Access Reviews > Settings page. Enable Auto-Expire overdue reviews to automatically expire reviews that aren't completed by the due date.

Enables or disable expiration of overdue reviews. By default, overdue reviews are not expired and remain available to reviewers. When expiration is enabled, the review will be "expired" when it becomes overdue. An expired review is read-only and is not shown to reviewers.

Parameters

The value can be True or False.

Get Expire Overdue Reviews Setting

Set Expire Overdue Reviews Setting

Predefined Decision Notes

Add suggested notes for reviewer decisions.

Configure predefined notes as menu options when reviewers approve or reject rows. This feature can be configured globally for all reviews or specifically for individual review configurations. When configured for a specific review configuration (using workflow_id), those settings override any global predefined notes.

The predefined notes appear as selectable options in the notes dialog when making decisions, suggesting standardized responses alongside free-form text entry.

Parameters

The request body accepts:

Action Allow List

Restrict which users can delete In Progress reviews or modify review due dates, independent of their assigned Veza role.

API reference for the Action Allow List feature. For configuration guidance and how it works, see Action Allow List.

Role Requirements

Operation

Required Role

Principals

Both users and groups can be added to the allow list. A user is permitted if their user ID is directly on the list, or if any Veza group they belong to is on the list.

Each principal is specified as an object with a type and id:

All IDs must be Veza internal UUIDs. Email addresses and usernames are not supported.

To look up a user's UUID:

Administration console: Go to Administration > Users, click the user's name, and copy the UUID from their profile page.
Users API: Use the to list users and locate the id field in the response.

To look up a group's UUID:

Groups API: Use GET /api/private/groups to list groups and locate the id field for the target group. Use the filter query parameter to narrow by name (e.g., ?filter=name eq 'Your Group Name').

Allowed Actions

The allowed_action field controls which restricted operations the principal is permitted to perform. Specify one or both values:

Value

Description

API Reference

Check Whether the Allow List Is Enabled

GET /api/private/workflows/access/settings/action_allowlist_enabled

Returns the current enabled state of the allow list.

Example:

Response:

Enable or Disable the Allow List

PUT /api/private/workflows/access/settings/action_allowlist_enabled

Enable or disable the allow list globally. When disabled, existing RBAC governs access to all review operations.

Request body:

Set enabled to true to enable or false to disable.

Example (enable):

Example (disable):

Add Principals to the Allow List

POST /api/private/workflows/access/action_allowlist

Add one or more users or groups to the allow list. A single request can include multiple principals of mixed types.

Request body:

Example (add a user for both actions):

Example (add a group):

Remove Principals from the Allow List

POST /api/private/workflows/access/action_allowlist:delete

Remove one or more principals from the allow list. Uses the same request shape as the add endpoint.

Request body:

Example:

List All Permitted Principals

GET /api/private/workflows/access/action_allowlist

Returns all users and groups currently on the allow list. Each entry represents one principal–action pair; a principal with two allowed actions appears as two separate entries.

Example:

Response:

Check Whether a User Is Permitted

GET /api/private/workflows/access/action_allowlist/{user_id}

Returns the resolved allowed actions for the specified user, including permissions inherited from group memberships. Pass a user UUID — passing a group UUID will return an empty allowed_actions array rather than an error.

Example:

Response:

Returns an empty array if the user is not on the list and belongs to no permitted groups.

Automations API

Get, create, update, delete, and attach Intelligent Automations.

Use these operations to manage Access Review Automations and associate them with individual workflows.

Automations apply changes (such as approve, sign-off, add a note, or apply visual indicators) to Certification rows based on historical certification data, or a filter on the current results. They can run by default or on an opt-in basis when a certification is created.

Example Automations

{
  "id": "e48dd2c8-3633-463b-a477-0177a942b5a6",
  "name": "Highlight inactive sources",
  "description": "Highlight rows where the source account is inactive",
  "priority": 0,
  "attachment_behavior": {
    "attach_to_new_workflows": true,
    "opt_in": true
  },
  "criteria": {
    "filter": "source.is_active eq false",
    "mutable_filter": ""
  },
  "action": {
    "display_style": "HIGHLIGHT",
    "display_text": "Source account is inactive",
    "highlight_color": "#FF6B35"
  }
}

{
  "id": "f59ee3d9-4744-574c-b588-1288b0942c7c",
  "name": "Reject privileged account access",
  "description": "Suggest reject for admin or root accounts",
  "priority": 0,
  "attachment_behavior": {
    "attach_to_new_workflows": true,
    "opt_in": true
  },
  "criteria": {
    "filter": "(destination.name eq \"admin\") OR (source.name eq \"root\")",
    "mutable_filter": ""
  },
  "action": {
    "display_style": "SUGGEST_REJECT",
    "display_text": "Privileged account detected - review carefully"
  }
}

For more information about this feature see Intelligent Automations.

You will need an API token with root team or administrator permissions to manage Automations.

Key Concepts

When working with the Automations API, it is important to understand the relationship between three identifiers:

ID Type

Description

Scope

At an API level,

An Automation is a reusable rule that can be attached to one or more Workflows
A Workflow (review configuration) defines how reviews are created and can have multiple Certifications over time
A Certification is a single instance of a review where Automations run against the results

Error handling and conflicts

The following rules apply when an Automation run encounters an issue:

If Automation processing fails for any result, the Automation run stops and no further Automations are applied.
When Automations fail, the Certification is still considered complete and non-errored. The Automation run will have an error status and message.

Results are considered the same when the entities and relationships are exactly equal (including data source IDs). If a conflict occurs with Automations trying to change the same mutable field:

Each change must update the field to the same value. The action log entry will contain notes (if supplied) for each action.
Automations changing a field to differing values are unresolvable conflicts and skipped, but will not interrupt the Automation run.

Automation Object Schema

An Automation consists of attachment_behavior rules, filter criteria, and an action to apply:

Each Automation object has the fields:

id (String): Unique identifier for the Automation.
name (String): Name of the Automation.
description

`attachment_behavior` (Object)

Defines if the Automation is available for all workflows, and whether it is optional:

attach_to_new_workflows (Boolean): Indicates whether to automatically attach to new and existing workflows.
opt_in (Boolean): If true Operators can pick the automation when creating a Workflow. If false the automation is enabled by default.

`criteria` (Object)

Specifies filters for conditionally updating results:

filter (String): A SCIM filter specifying a source or destination attribute with support for complex expressions using AND, OR, and parentheses for grouping. Examples:
- Simple filter: source.is_active eq false
- Complex filter: (source.name sw "A" OR source.name sw "B") AND destination.is_active eq true

Similarly to Smart Actions, Automations can update results based on a source or destination attribute (such as activity status). Filters use the syntax source.attribute or destination.attribute.

Filtering by Joined Node Attributes

When an Access Review configuration includes , you can filter on enriched entity attributes in Automations. Reference joined nodes by their alias directly (e.g., idp.attribute), not using joined_nodes.idp.attribute.

For complete guidance on finding aliases, filter syntax, and examples, see .

Early Access: Filtering by joined node attributes in Automations is currently in early access. Contact Veza Support for the latest status.

Filtering by Mutable Fields

Mutable filters in Automations use the syntax previous.decision, previous.notes and previous.signed_off_state to refer to historical row data. The possible values are:

decision:
- "RESULT_DECISION_UNKNOWN"
- "RESULT_DECISION_NONE"

`action` (Object)

Action the Automation will apply to matching results:

decision (String): Decision code for the action.
signed_off_state (String): Sign off state code.
notes (String): Notes the automation will apply.

Note: When using display_style actions, you cannot set decision, signed_off_state, notes, or reviewer_assignment fields.

Possible decisions and numeric codes are:

UNKNOWN (0)
NONE (1)

Signed Off State can be:

UNKNOWN_SIGNED_OFF = 0;
NOT_SIGNED_OFF = 1;
SIGNED_OFF = 2;

`reviewer_assignment` (Object)

The preview API does not currently support Reviewer assignment.

Preview API Documentation

Use the endpoints documented below to create and manage automations:

List Automations

Endpoint: /api/preview/awf/automations
Method: GET
Description: Returns all Automations and configuration details.

Returns all in a values array.

Update Automation

Endpoint: /api/preview/awf/automations
Method: PUT
Description: Updates an existing Automation. The full Automation object is required.

Create Automation

Endpoint: /api/preview/awf/automations
Method: POST
Description: Creates a new Automation.

Get Automation

Endpoint: /api/preview/awf/automations/{id}
Method: GET
Description: Get details for a single Automation by ID.

Delete Automation

Endpoint: /api/preview/awf/automations/{id}
Method: DELETE
Description: Deletes a specific Automation by its ID.

Attach Automations

Endpoint: /api/preview/awf/automations:attach
Method: POST
Description: Enable an Automation for a specific workflow, or all workflows.

Attach one or all Automations to a single workflow by specifying the:

id (String): Single Automation ID.
workflow_id (String): ID of the workflow to associate Automations with.
all (boolean): If True

List attached Workflow Automations

Endpoint: /api/preview/awf/automations:attached/{workflow_id}
Method: GET
Description: Returns all Automations eligible to run on Certifications for a given Workflow id.

Detach Automations

Endpoint: /api/preview/awf/automations:detach
Method: POST
Description: Detach one or all Automations from an Access Review Workflow.

Outlier Detection

Configure outlier detection settings to identify anomalous access patterns in Access Reviews.

Early Access Feature: Outlier Detection is currently in Early Access and available via API only. The feature and API are subject to change. Contact your Veza Customer Success Manager to enable this feature for your tenant.

Configure outlier detection to automatically identify and flag anomalous access patterns during Access Reviews. The Manager-Centric algorithm compares each user's access to their peer group and detects access held by fewer than a specified threshold percentage of peers, helping reviewers focus on unusual or potentially risky permissions.

How Outlier Detection Works

The Manager-Centric outlier detection algorithm uses statistical analysis to identify rare access patterns:

Peer Grouping: Users are grouped based on configurable properties (default: users sharing the same manager)
Statistical Analysis: For each destination (resource/permission) in the review, Veza calculates what percentage of the peer group has access using the Wilson score confidence interval method at 95% confidence
Threshold Comparison: Access paths where the statistical lower bound is at or below the configured threshold are flagged as outliers

Default Behavior

By default, outlier detection uses:

Grouping: Users with the same manager (manager_idp_unique_id property)
Threshold: 15% (access held by ≤15% of peers is flagged as an outlier)

Example Scenario

Consider an Access Review for Okta groups:

100 users report to Manager A
95 of them have access to the "Engineering-All-Hands" group
5 users have access to the "Admin-Production-Access" group

Given a 15% threshold:

"Engineering-All-Hands" access (95% of peers) is not flagged, as this is normal access
"Admin-Production-Access" (5% of peers) is flagged as an outlier, as this is rare access

The reviewer sees a warning on those 5 rows that this access is anomalous within the peer group — no more than 15% of peers with shared characteristics have it.

API Endpoints

Administrators can customize outlier detection using APIs:

Get Outlier Detection Configuration

GET /api/private/workflows/access/global_settings/manager_centric_config

Retrieve the current outlier detection configuration, either globally or for a specific review configuration.

Parameters

Name

Type

Required

Description

Example: Get Global Configuration

Example: Get Configuration for Specific Review

Response

Set Outlier Detection Configuration

PUT /api/private/workflows/access/global_settings/manager_centric_config

Update the outlier detection configuration globally or for a specific review configuration.

Parameters

Name

Type

Required

Description

Example: Set Global Configuration

Example: Set Configuration for Specific Review

Response

Grouping Properties

Grouping properties define how users are organized into peer groups for outlier analysis. You can specify properties from:

Source nodes (the users/identities in the review)
Destination nodes (the resources/permissions being reviewed)
Enriched/joined nodes (additional data joined to the query, such as manager information from an IdP)

Property Reference Schema

Each property reference has these fields:

Field

Type

Required

Description

Target Node Types

SOURCE Node Properties

Properties from the source entities in the review (typically users/identities).

Common source properties:

department - User's department
location - User's location
manager_idp_unique_id - User's manager identifier (default)

Example:

DESTINATION Node Properties

Properties from the destination entities (resources/permissions being reviewed).

Common destination properties:

classification - Resource classification level
data_sensitivity - Data sensitivity level
owner - Resource owner

Example:

JOINED Node Properties (Enrichment)

Properties from enriched/joined metadata from another data source. These require the review query to include a JoinNodeSpec that joins additional data (such as manager information from an IdP).

Example:

This groups all users by their manager's department, requiring the review query to join the manager data with the alias "manager".

Configuration Examples

Example 1: Default Manager-Based Grouping

Groups users by manager with a 15% threshold (default configuration):

Use case: Identify access that's unusual compared to direct peers reporting to the same manager.

Example 2: Department and Location Grouping

Groups users by both department and location with a 10% threshold:

Use case: Identify access that's rare among users in the same department and office location.

Example 3: No Grouping (Population-Wide)

Compares each user to the entire population with 5% threshold:

Use case: Flag extremely rare access across the entire organization, regardless of role or department.

Example 4: Resource Classification Grouping

Groups by destination resource classification with a 20% threshold:

Use case: Identify unusual access patterns within resources of the same classification level.

Example 5: Manager's Department (Enrichment)

Groups by the manager's department (requires query enrichment) with a 15% threshold:

Use case: Identify access that's unusual among users whose managers are in the same department, useful in matrix organizations.

Use Cases

Finance Audit Compliance

Scenario: Reviewing access to financial systems where SOX compliance requires attention to outlier access.

Configuration:

Users with access held by ≤5% of their department peers are flagged for additional scrutiny.

Engineering Production Access

Scenario: Reviewing production system access where most engineers shouldn't have admin rights.

Configuration:

Identifies engineers with production access that is unusual within their team, considering the environment.

Role-Based Access Review

Scenario: Reviewing access where job role should predict permissions.

Configuration:

Flags access held by ≤15% of users with the same job role, indicating potential role creep or over-provisioning.

Cross-Department Anomaly Detection

Scenario: Detecting access patterns that are unusual for an entire department.

Configuration:

Identifies access held by ≤8% of users in the same department and location, flagging potentially inappropriate cross-functional access.

Important Considerations

Configuration Scope: Settings can be applied globally (affecting all new reviews by default) or per-review configuration. Review-specific settings override global settings for reviews created from that configuration.

Property Availability: Grouping properties must exist in your access review query results. If a specified property doesn't exist for source/destination/joined nodes, outlier detection may not function as expected. Verify property names match your data schema.

Statistical Confidence: The algorithm uses the Wilson score confidence interval at 95% confidence level to ensure statistically sound outlier detection even with small peer groups. Peer groups with fewer than 3 members are excluded from outlier analysis to maintain statistical validity.

Threshold Tuning: Start with the default 15% threshold and adjust based on your organization's risk tolerance:

Lower thresholds (5-10%): More sensitive, flags only the rarest access

Enrichment Requirements: When using TARGET_NODE_JOINED properties, ensure your Access Review query includes the corresponding JoinNodeSpec with the matching alias. See for enrichment configuration.

- Overview of all Access Reviews settings
- Complete Access Reviews documentation

Access Reviews APIs

hashtagCore Workflow Operations

hashtagQuick start

Create Certification

hashtagOverview

hashtagEndpoint

hashtagRequest Body

hashtagDynamic Information

hashtagIdentity Object

hashtagReviewer Assignment

hashtagResponse

hashtagExamples

hashtagBasic Certification

hashtagDynamic Filtering (Joiner/Mover/Leaver)

hashtagMulti-Level Review

hashtagIdentity Types

hashtagSee Also

Force Update Result

Quick Filters

hashtagExamples

hashtagAdd a quick filter

hashtagList all quick filters

hashtagRemove quick filter by quick filter id

Help Page Templates

hashtagCreate help page

hashtagTemplate usage

hashtagTemplate formatting

hashtagList help pages

hashtagGet help page

hashtagGet review help page

hashtagDelete help page

hashtagUpdate help page

Smart Action Definitions

hashtagAdd smart action definition

hashtagMutable fields and mutable filters

hashtagRemove a smart action definition

hashtagList smart action definitions

hashtagUpdate a smart action definition

Access Review Settings

Review Completion Settings

hashtagParameters

Review Auto-Complete Settings

hashtagParameters

hashtagExample

hashtagGet Review Auto-Complete Settings

hashtagSet Review Auto-Complete Settings

Self Review Prevention

hashtagParameters

hashtagExamples

hashtagGet Self Review Settings

hashtagSet Self Review Settings

Expire Overdue Reviews

hashtagParameters

hashtagGet Expire Overdue Reviews Setting

hashtagSet Expire Overdue Reviews Setting

Predefined Decision Notes

hashtagParameters

Action Allow List

hashtagRole Requirements

hashtagPrincipals

hashtagAllowed Actions

hashtagAPI Reference

hashtagCheck Whether the Allow List Is Enabled

hashtagEnable or Disable the Allow List

hashtagAdd Principals to the Allow List

hashtagRemove Principals from the Allow List

hashtagList All Permitted Principals

hashtagCheck Whether a User Is Permitted

Create Certification

hashtagOverview

hashtagEndpoint

hashtagRequest Body

hashtagDynamic Information

hashtagIdentity Object

hashtagReviewer Assignment

hashtagResponse

hashtagExamples

hashtagBasic Certification

hashtagDynamic Filtering (Joiner/Mover/Leaver)

hashtagMulti-Level Review

Core Workflow Operations

Quick start

Overview

Endpoint

Request Body

Dynamic Information

Identity Object

Reviewer Assignment

Response

Examples

Basic Certification

Dynamic Filtering (Joiner/Mover/Leaver)

Multi-Level Review

Identity Types

See Also

Examples

Add a quick filter

List all quick filters

Remove quick filter by quick filter id

Create help page

Template usage

Template formatting

List help pages

Get help page

Get review help page

Delete help page

Update help page

Add smart action definition

Mutable fields and mutable filters

Remove a smart action definition

List smart action definitions

Update a smart action definition

Parameters

Parameters

Example

Get Review Auto-Complete Settings

Set Review Auto-Complete Settings

Parameters

Examples

Get Self Review Settings

Set Self Review Settings

Parameters

Get Expire Overdue Reviews Setting

Set Expire Overdue Reviews Setting

Parameters

Role Requirements

Principals

Allowed Actions

API Reference

Check Whether the Allow List Is Enabled

Enable or Disable the Allow List

Add Principals to the Allow List

Remove Principals from the Allow List

List All Permitted Principals

Check Whether a User Is Permitted

Overview

Endpoint

Request Body

Dynamic Information

Identity Object

Reviewer Assignment

Response

Examples

Basic Certification

Dynamic Filtering (Joiner/Mover/Leaver)

Multi-Level Review

Identity Types

See Also

Add smart action definition

Mutable fields and mutable filters

Remove a smart action definition

List smart action definitions

Update a smart action definition

Parameters

Examples

Get Self Review Settings

Set Self Review Settings

Parameters

Get Expire Overdue Reviews Setting

Set Expire Overdue Reviews Setting