1 of 31

Access Reviews APIs

Methods for interacting with workflows and certifications

These endpoints enable listing workflows, listing certifications, getting certification results, and updating certifications. They can be used to programmatically retrieve workflow and certification details, and update certification rows with a decision or note, such as ticket number.

These endpoints also provide utility functionality, such as managing the reviewer deny list, populating results with webhook response info, and customizing quick filters, smart actions, and help pages.

List Workflows
List Certifications
List Certification Results
Update Certification Result
Force Update Result
Update Webhook Info
Get Certification Result
Manage Reviewer Deny List
Workflow Parameters
Quick Filters
Help Page Templates
Smart Action Definitions
Delegate Reviewers
List Reviewer Infos

APIs for Veza Access Reviews are subject to change, and as such are provided with the /preview API collection. Use the appropriate prefix when calling the API, for example, your-org.vezacloud.com/api/preview/.

Quick start

First, save your API key and Veza base URL as environment variables:

export VEZA_TOKEN=APIKEY
export VEZA_URL=https://preview.vezacloud.com

List Workflows

Get all workflows and IDs:

curl "$BASE_URL/api/preview/awf/workflows" \
  -H "authorization: Bearer $VEZA_TOKEN"

List Certifications

Use a workflow id to get active and pending certifications for that workflow:

curl "$BASE_URL/api/preview/awf/certifications?workflow_id=b9dc2586-5f30-4462-b6be-53f62debc40f" \
  -H "authorization: Bearer $VEZA_TOKEN"

The response will include certification details, including the certification ids.

List Certification Results

Using a certification id, you can get results for the certification, including entity attributes:

curl "$BASE_URL/api/preview/awf/certifications/b2562ef3-a4b3-4b30-8a45-1ba36f945d10/results?offset=0&size=30" \
  -H "authorization: Bearer $VEZA_TOKEN"

Update Certification Result

Update a certification result row with a note:

curl -X PUT "$BASE_URL/api/preview/awf/certifications/b2562ef3-a4b3-4b30-8a45-1ba36f945d10/results" \
  -H "authorization: Bearer $VEZA_TOKEN" \
  -d '{"value": {"result_id": 0,"decisions": "REJECTED", "notes": "Over-privileged"}}'

Workflow Parameters Reference

Workflows, certifications, and result details

This page describes common properties for listing workflows, certifications, and certification results:

Workflow Properties

When , all Veza Workflows are returned within a values array. Each has the properties:

Name

Type

Description

Certification Properties

returns all Certifications for a workflow, within a values array.

Note that to maintain certification integrity, some properties are immutable and can't be modified, while other values system-updated. Mutable fields such as "name," "notes," "reviewers" and "due date" can be changed by operators and admins using the Veza UI:

Name

Type

Description

See for more details on query construction.

Internal fields are updated by the workflow service to store important metadata:

Name

Type

Description

States can be:

CERT_STATE_SEARCHING // The query is still running
CERT_STATE_IN_PROGRESS // the certification is being reviewed
CERT_STATE_COMPLETED // the review of the certification is complete

Result Properties

include a numeric ID, the query details, and any decisions and notes. Each result includes entity details for the source -> destination nodes and the cumulative permissions under review:

Name

Type

Description

Valid decisions are:

RESULT_DECISION_NONE // No decision has been made
RESULT_DECISION_ACCEPTED // The access described in the result row is acceptable
RESULT_DECISION_REJECTED // The access described in the result row isn't correct
RESULT_DECISION_FIXED // The access was rejected, but has been fixed

Both the number or string value for the decision are allowed, for example "decision": 4 or "decision": RESULT_DECISION_FIXED.

The notes field will always contain the most recent note. Previous notes can be reviewed in the using the List Cert Results API.

ResultNode

Shows source, destination, or intermediate entity details for a query result:

Name

type

Description

WorkflowUser

Reviewer details, typically a Veza user account. If are configured, the user type and id refer to Veza graph entities:

Name

Type

Description

You can get details for a local Veza user from Administration > User Management. For graph entities (identities from an external identity provider), inspect the entity details using Access Search or the Entities page. will return all users for a given certification.

When assigning reviewers using preview Workflows APIs, requested users are validated before assigning them to a certification result, and not assigned when the user can’t be found. Assignee id and user_type are required to identify reviewers. name and email are optional but if provided must match the Veza user record.

ActionLog

Results contain a record of all prior actions on a certification result.

Name

Type

Description

Possible actions are:

NOTE_ADDED
REVIEWER_ASSIGNED
DECISION

The response will include the type, id, email, and name of the user who made the change:

ReviewerAssignmentInstructions

The reviewer_assignment specifies how reviewers should be assigned to rows, during initial certification create or when reviewers are re-assigned by smart action.

users_manager and resource_managers assigns reviewers based on Global IdP settings.

reviewers is a way to specify one or more reviewers to apply to every row. fallback_reviewers is one or more reviewers that to assign to rows if auto assign by user or resource manager fails for any reason

List Workflows

Get all workflows and certification status

Returns a list of all workflows, including query details and creator information.

Method

syntax

GET

{{base_url}}/api/preview/awf/workflows

Examples

Request

curl '{{VEZA_URL}}/api/preview/awf/workflows' \
  -H 'authorization: Bearer '$token

Response

A successful response will include the Workflow details.

See Workflow Parameters for additional details on the complete workflow object.

{
    "values": [
        {
            "workflow_id": "b9dc2586-5f30-4462-b6be-53f62debc40f",
            "name": "demo",
            "description": "demo",
            "owner": {
                "user_type": "localCookieUser",
                "id": "e3ac5e6a-1946-4688-82a7-8a607133a1c8",
                "email": "[email protected]",
                "name": "earlypreview-auth0"
            },
            "notes": "",
            "query": {
                "raw_permissions": null,
                "effective_permissions": null,
                "source_node_types": {
                    "nodes": [
                        {
                            "node_type": "GoogleWorkspaceUser",
                            "tags": [],
                            "conditions": [],
                            "condition_expression": null,
                            "node_id": "",
                            "excluded_tags": [],
                            "count_conditions": [],
                            "direct_relationship_only": false,
                            "node_type_grouping_constraint": null
                        }
                    ],
                    "nodes_operator": "AND"
                },
                "required_intermediate_node_types": {
                    "nodes": [],
                    "nodes_operator": "AND"
                },
                "avoided_intermediate_node_types": {
                    "nodes": [],
                    "nodes_operator": "AND"
                },
                "destination_node_types": {
                    "nodes": [
                        {
                            "node_type": "GoogleCloudProject",
                            "tags": [],
                            "conditions": [],
                            "condition_expression": null,
                            "node_id": "",
                            "excluded_tags": [],
                            "count_conditions": [],
                            "direct_relationship_only": false,
                            "node_type_grouping_constraint": null
                        }
                    ],
                    "nodes_operator": "AND"
                },
                "no_relation": false,
                "snapshot_id": "1690354800",
                "waypoint_node_types": {
                    "nodes": [
                        {
                            "node_type": "GoogleCloudIamRoleBinding",
                            "tags": [],
                            "conditions": [],
                            "condition_expression": null,
                            "node_id": "",
                            "excluded_tags": [],
                            "count_conditions": [],
                            "direct_relationship_only": false,
                            "node_type_grouping_constraint": null
                        }
                    ],
                    "nodes_operator": "AND"
                },
                "path_summary_node_types": null,
                "node_relationship_type": "CONFIGURED",
                "include_all_source_tags_in_results": true,
                "include_all_destination_tags_in_results": false,
                "page_size": "0",
                "page_token": ""
            },
            "creator": {
                "user_type": "localCookieUser",
                "id": "e3ac5e6a-1946-4688-82a7-8a607133a1c8",
                "email": "[email protected]",
                "name": "earlypreview-auth0"
            },
            "created_at": "2023-07-27T03:34:56.166550127Z"
        },
        {
            "workflow_id": "baecbd47-bd3d-4d52-acb8-34840a8973b2",
            "name": "Azure PS",
            "description": "",
            "owner": {
                "user_type": "localCookieUser",
                "id": "e3ac5e6a-1946-4688-82a7-8a607133a1c8",
                "email": "[email protected]",
                "name": "earlypreview-auth0"
            },
            "notes": "",
            "query": {
                "raw_permissions": null,
                "effective_permissions": null,
                "source_node_types": {
                    "nodes": [
                        {
                            "node_type": "Principal",
                            "tags": [],
                            "conditions": [],
                            "condition_expression": null,
                            "node_id": "",
                            "excluded_tags": [],
                            "count_conditions": [],
                            "direct_relationship_only": false,
                            "node_type_grouping_constraint": null
                        }
                    ],
                    "nodes_operator": "AND"
                },
                "required_intermediate_node_types": {
                    "nodes": [],
                    "nodes_operator": "AND"
                },
                "avoided_intermediate_node_types": {
                    "nodes": [],
                    "nodes_operator": "AND"
                },
                "destination_node_types": {
                    "nodes": [
                        {
                            "node_type": "AzureDataLakeFilesystem",
                            "tags": [],
                            "conditions": [],
                            "condition_expression": null,
                            "node_id": "",
                            "excluded_tags": [],
                            "count_conditions": [],
                            "direct_relationship_only": false,
                            "node_type_grouping_constraint": null
                        }
                    ],
                    "nodes_operator": "AND"
                },
                "no_relation": false,
                "snapshot_id": "1675900800",
                "waypoint_node_types": null,
                "path_summary_node_types": {
                    "nodes": [
                        {
                            "node_type": "AzureADGroup",
                            "tags": [],
                            "conditions": [],
                            "condition_expression": null,
                            "node_id": "",
                            "excluded_tags": [],
                            "count_conditions": [],
                            "direct_relationship_only": false,
                            "node_type_grouping_constraint": null
                        },
                        {
                            "node_type": "ActiveDirectoryGroup",
                            "tags": [],
                            "conditions": [],
                            "condition_expression": null,
                            "node_id": "",
                            "excluded_tags": [],
                            "count_conditions": [],
                            "direct_relationship_only": false,
                            "node_type_grouping_constraint": null
                        },
                        {
                            "node_type": "AzureRoleAssignment",
                            "tags": [],
                            "conditions": [],
                            "condition_expression": null,
                            "node_id": "",
                            "excluded_tags": [],
                            "count_conditions": [],
                            "direct_relationship_only": false,
                            "node_type_grouping_constraint": null
                        },
                        {
                            "node_type": "AzureAssignmentPermissions",
                            "tags": [],
                            "conditions": [],
                            "condition_expression": null,
                            "node_id": "",
                            "excluded_tags": [],
                            "count_conditions": [],
                            "direct_relationship_only": false,
                            "node_type_grouping_constraint": null
                        }
                    ],
                    "nodes_operator": "AND"
                },
                "node_relationship_type": "CONFIGURED",
                "include_all_source_tags_in_results": false,
                "include_all_destination_tags_in_results": false,
                "page_size": "0",
                "page_token": ""
            },
            "creator": {
                "user_type": "localCookieUser",
                "id": "e3ac5e6a-1946-4688-82a7-8a607133a1c8",
                "email": "[email protected]",
                "name": "earlypreview-auth0"
            },
            "created_at": "2023-02-09T03:07:24.458473708Z"
        }
    ]
}

List Certifications

Get pending and completed certifications for a workflow

Returns all certifications for an access workflow.

Method

syntax

Parameters

Name

type

Req.

Description

You can use to retrieve all valid workflow IDs.

Examples

Request

Response

values will contain all workflow details. The response may be paginated:

Name

type

Description

Sample response:

Update Webhook Info

Update status info for custom webhooks

Updates webhook status and details for a certification result.

If you have configured a custom webhook to conduct automated access removal or another form of remediation, you can update Veza with the notification status.

Your application can use this endpoint to send a POST request updating the webhook state, visible to other reviewers from Veza's Certification UI.

Method

syntax

POST

/api/preview/awf/certifications/{certification_id}/results:update_webhook_info

Path parameters

certification_id - id of the certification containing the result to update.

Body

{
  "result_id": "0",
  "notification_status": "FAILED",
  "webhook_info": "Ticket could not be created"
}

The request body must include the id of the result to update. Valid notification_status are:

PENDING
SUCCEED
FAILED

Webhook_info strings can contain up to 255 bytes.

Response

A successful response will be empty {}

Review Completion Settings

Customize the requirements for completing a review.

An Admin or Operator user can complete a review by clicking the "Complete Review" button.

Once a review is marked as "completed," it becomes read-only and is no longer visible to reviewers. By default, a review can be completed when all rows have a signed-off decision.

This API allows you to modify this behavior, enabling a review to be completed at any time, or only when all rows are signed off with a non-rejected decision. The latter option is useful if your organization prefers to complete reviews only after all rejected access has been remediated.

Parameters

Possible values are:

COMPLETION_ALLOWED_UNKNOWN = 0
COMPLETION_ALLOWED_ALL_ROWS_HAVE_DECISION = 1 (Review can be completed only when all result rows have a decision)
COMPLETION_ALLOWED_ANYTIME = 2 (Review can be completed any time)

Example

{
    "value": "COMPLETION_ALLOWED_ALL_ROWS_HAVE_DECISION"
}

Get Review Completion Settings

Set Review Completion Settings

Review Auto-Complete Settings

Enable or disable automatic review completion once all rows have decisions.

Enable or disable the "auto-complete" feature. When auto-complete is enabled, a review will automatically be completed once all rows have a signed-off decision, or a non-rejected signed-off decision, depending on the "Completion Allowed Settings."

Parameters

Possible values are:

AUTO_COMPLETE_UNKNOWN
AUTO_COMPLETE_ENABLED
AUTO_COMPLETE_DISABLED

Example

Get Review Auto-Complete Settings

Set Review Auto-Complete Settings

Self Review Prevention

Prevent users from being assigned as reviewers for rows that relate to their own access and permissions.

Enable or disable self-review prevention. When self-review prevention is enabled, users are prevented from being assigned as reviewers for rows that relate to their own access and permissions.

Parameters

The value can be either an integer or string:

SELF_REVIEWER_CHECKING_DISABLED = 1 (or "SELF_REVIEWER_CHECKING_DISABLED" as string)
SELF_REVIEWER_CHECKING_ENABLED = 2 (or "SELF_REVIEWER_CHECKING_ENABLED" as string)

Examples

Example using string value:

Example using integer value:

Example cURL request:

Get Self Review Settings

Set Self Review Settings

Review UI Customizations

Customize notes behavior and UI elements for reviewers.

By default, when a reviewer approves a row, a "notes" pop-up appears, allowing the user to optionally add a note explaining their decision. When a reviewer rejects a row, the "notes" pop-up appears, and adding a note is required. This API allows you to customize this behavior. For example, you can choose to disable the pop-up when a row is approved and make the notes pop-up optional when a row is rejected.

Additionally, this API can enable the historical "Approve & Signoff" action in the reviewer experience when multiple rows are selected. Note: It is recommended that this feature remains disabled to ensure a more streamlined reviewer experience.

Parameters

accept_notes_behavior can be:

NOTES_BEHAVIOR_UNKNOWN = 0
NO_POP_UP = 1
POP_UP_OPTIONAL = 2
POP_UP_REQUIRED = 3

reject_notes_behavior can be:

NOTES_BEHAVIOR_UNKNOWN = 0
NO_POP_UP = 1
POP_UP_OPTIONAL = 2
POP_UP_REQUIRED = 3

approve_and_sign_off_button_behavior can be:

HIDE_OR_SHOW_BEHAVIOR_UNKNOWN = 0
SHOW = 1
HIDE = 2

diff_dropdown_behavior can be:

NORMAL = 1 (Enables all users to see decisions and access changes from previous reviews for the same configuration)
ALWAYS_HIDE_FOR_ACCESS_REVIEWER_ROLE = 2 (Prevents users with the "Access Reviewer" role from accessing this option)

Example

Get Review UI Customizations

Set Review UI Customizations

Review Sort Order

Set default sort order for review rows.

Configure the default order in which review rows are displayed. Note: Users can later sort the rows as they prefer.

The order is specified using a SCIM "order by" expression. The default value is source.type asc.

Valid Values

Valid values include:

source.ATTR
destination.ATTR
waypoint.ATTR
idp.ATTR

Where ATTR is an attribute name such as "id" or "name".

Example

Get Review Sort Order

Set Review Sort Order

Expire Overdue Reviews

Auto-expire overdue reviews.

This setting is configurable on the Access Reviews > Settings page. Enable Auto-Expire overdue reviews to automatically expire reviews that aren't completed by the due date.

Enables or disable expiration of overdue reviews. By default, overdue reviews are not expired and remain available to reviewers. When expiration is enabled, the review will be "expired" when it becomes overdue. An expired review is read-only and is not shown to reviewers.

Parameters

The value can be True or False.

Get Expire Overdue Reviews Setting

Set Expire Overdue Reviews Setting

Review Expiration Behavior

Configure what happens when reviews expire.

This setting is configurable on the Access Reviews > Settings page. Enable Reject incomplete rows to reject and sign off on undecided rows when a review expires.

This API allows you to change the behavior when a review expires (which can be enabled in Review Auto-Complete Settings). Depending on the behavior, incomplete rows can be auto-rejected when the review deadline passes.

Review expiration behavior can be configured globally, or for all reviews for a single Review Configuration, specified by workflow_id in the request.

Request Structure

The request body must include a setting object with the following structure:

{
  "workflow_id": "string",
  "setting": {
    "behavior": 0,
    "note_to_add": "string"
  }
}

Parameters

Where:

workflow_id (string, optional): Specific review configuration ID. If omitted, applies globally to all reviews.
setting.behavior (integer): The expiration behavior mode:
- 0 = DO_NOTHING: No action is made on incomplete rows (default)
- 1 = AUTO_REJECT_INCOMPLETE_RESULTS: Reject and sign-off any results that are incomplete when the review expires
setting.note_to_add (string, optional): Note to be added when auto-rejecting incomplete results

Example

Example request:

{
  "workflow_id": "string",
  "setting": {
    "behavior": 1,
    "note_to_add": "Rejected incomplete result due to review expiration."
  }
}

Get Review Expiration Behavior

Set Review Expiration Behavior

Predefined Decision Notes

Add suggested notes for reviewer decisions.

Configure predefined notes as menu options when reviewers approve or reject rows. This feature can be configured globally for all reviews or specifically for individual review configurations. When configured for a specific review configuration (using workflow_id), those settings override any global predefined notes.

The predefined notes appear as selectable options in the notes dialog when making decisions, suggesting standardized responses alongside free-form text entry.

Parameters

The request body accepts:

reject_notes: Array of predefined note options shown when rejecting rows
accept_notes: Array of predefined note options shown when approving rows
workflow_id: (Optional) Specific review configuration ID to override global settings

Example

Example request body:

{
    "value": {
        "reject_notes": [
            "Rotate now",
            "Delete secret"
        ],
        "accept_notes": []
    },
    "workflow_id": "8ae1c414-3a76-46cb-950a-925316b3f264"  // Optional
}

Get Predefined Notes Settings

Retrieve the current predefined notes settings. Include the optional workflow_id query parameter to get settings for a specific review configuration.

Global Settings Request:

curl -L 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/predefined_decision_notes' \
-H 'Authorization: Bearer YOUR_API_KEY'

Configuration-Specific Request:

curl -L 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/predefined_decision_notes?workflow_id=8ae1c414-3a76-46cb-950a-925316b3f264' \
-H 'Authorization: Bearer YOUR_API_KEY'

Example response:

{
    "value": {
        "reject_notes": [
            "Rotate now",
            "Delete secret"
        ],
        "accept_notes": []
    }
}

Set Predefined Notes Settings

Update the predefined notes settings globally or for a specific review configuration.

Configuration-Specific Request:

curl -L -X PUT 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/predefined_decision_notes' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer YOUR_API_KEY' \
-d '{
    "value": {
        "reject_notes": [
            "Rotate now",
            "Delete secret"
        ],
        "accept_notes": []
    },
    "workflow_id": "8ae1c414-3a76-46cb-950a-925316b3f264"
}'

Workflow Parameters Reference

Workflows, certifications, and result details

This page describes common properties for listing workflows, certifications, and certification results:

Workflow Properties

When , all Veza Workflows are returned within a values array. Each has the properties:

Name

Type

Description

Certification Properties

returns all Certifications for a workflow, within a values array.

Name

Type

Description

See for more details on query construction.

Internal fields are updated by the workflow service to store important metadata:

Name

Type

Description

States can be:

CERT_STATE_SEARCHING // The query is still running
CERT_STATE_IN_PROGRESS // the certification is being reviewed
CERT_STATE_COMPLETED // the review of the certification is complete

Result Properties

include a numeric ID, the query details, and any decisions and notes. Each result includes entity details for the source -> destination nodes and the cumulative permissions under review:

Name

Type

Description

Valid decisions are:

RESULT_DECISION_NONE // No decision has been made
RESULT_DECISION_ACCEPTED // The access described in the result row is acceptable
RESULT_DECISION_REJECTED // The access described in the result row isn't correct
RESULT_DECISION_FIXED // The access was rejected, but has been fixed

Both the number or string value for the decision are allowed, for example "decision": 4 or "decision": RESULT_DECISION_FIXED.

The notes field will always contain the most recent note. Previous notes can be reviewed in the using the List Cert Results API.

ResultNode

Shows source, destination, or intermediate entity details for a query result:

Name

type

Description

WorkflowUser

Reviewer details, typically a Veza user account. If are configured, the user type and id refer to Veza graph entities:

Name

Type

Description

When assigning reviewers using preview Workflows APIs, requested users are validated before assigning them to a certification result, and not assigned when the user can’t be found. Assignee id and user_type are required to identify reviewers. name and email are optional but if provided must match the Veza user record.

ActionLog

Results contain a record of all prior actions on a certification result.

Name

Type

Description

Possible actions are:

NOTE_ADDED
REVIEWER_ASSIGNED
DECISION

The response will include the type, id, email, and name of the user who made the change:

ReviewerAssignmentInstructions

The reviewer_assignment specifies how reviewers should be assigned to rows, during initial certification create or when reviewers are re-assigned by smart action.

users_manager and resource_managers assigns reviewers based on Global IdP settings.

Update Certification Result

Add decisions and notes to a certification result

Apply a decision, note, sign-off, or reviewer change to a numbered certification result.

Each row of the certification results can be annotated, marked as ACCEPTED, or REJECTED, signed-off, or assigned to a different reviewer.

Method

syntax

PUT

{{base_url}}/api/preview/awf/certifications/{certification_id}/results

Parameters

Name

Type

Description

cert_id

string

path

id of the certification to update

value

object

body

Mutable fields to update

value must include the result_id and any mutable fields to update:

Name

Type

Req.

Description

result_id

int

certification result number to update

decision

enum

The decision to apply to the result

notes

string

Send an empty string " " to clear the current note

signed_off_state

string

Can be: NOT_SIGNED_OFF, SIGNED_OFF

reviewers

array

Contains Workflow User details for assigned reviewers

Valid decisions are:

NONE // No decision has been made
ACCEPTED // The access described in the result row is acceptable
REJECTED // The access described in the result row isn't correct
FIXED // The access was rejected but has been fixed

Adding a note overwrites the previous value. Historical notes are included in the action log when Listing Certification Results. When viewing the row in the UI, only the most recent note is shown.

Re-assigning `reviewers`

A result’s reviewer can be reassigned by updating the reviewers field with a list of one or more Access Workflow User objects:

Name

Type

Req.

Description

user_type

string

Must be the same user_type as configured for the . Typical values are OktaUser, CustomIDPUser, or AzureADUser.

id

string

The user_identity_property set when configuring the workflows IdP is used to validate a Workflow Reviewer's identity. For an Okta user, this would be an id such as 00upa6s0hSGtl1eGL5d5. For a Custom IdP user, this will typically be the IdP users set within the OAA payload.

email

string

Must match the email property on the local user or graph node.

name

string

Must match the name property on the local user or graph node.

curl -X PUT '{{baseurl}}/api/preview/awf/certifications/{{cert_id}}/results' \
-H 'authorization: Bearer ' $TOKEN \
 --data-raw '{"value": {"result_id": 0,"reviewers": [{"user_type": "CustomIDPUser", "id": "125", "email": "[email protected]", "name": "Valid Reviewer"}]}}'

Note that all fields are required when assigning a reviewer. As of the current release, there is no customer-facing API to get local user ids. For this reason, API-based reviewer reassignment is recommended only when a graph IdP is configured as the Global Workflows IdP, and you can programmatically retrieve required identifiers such as user "name," "id," and "email."

Examples

Reject with note

curl -X PUT '{{baseurl}}/api/preview/awf/certifications/f9123002-f056-491f-978f-f203bc9885ed/results' \
  -H 'authorization: Bearer '$token \
  --data-raw '{
  "value": {
    "result_id": 0,
    "decision": "REJECTED",
    "notes": "Over-privileged"
  }
}'

Change the reviewer to a Custom IdP user

curl -X PUT '{{baseurl}}/api/preview/awf/certifications/{{cert_id}}/results' \
-H 'authorization: Bearer ' $TOKEN \
 --data-raw '{"value": {"result_id": 0,"reviewers": [{"user_type": "CustomIDPUser", "id": "125", "email": "[email protected]", "name": "Valid Reviewer"}]}}'

Assign a local user as a reviewer

curl -X PUT '{{baseurl}}/api/preview/awf/certifications/{{cert_id}}/results' \
-H 'authorization: Bearer ' $TOKEN \
--data-raw '{"value": {"result_id": 0,"reviewers": [{"user_type": "localCookieUser", "id": "0ffcfbc7-6339-4aed-afa4-ff3bea505485", "email": "[email protected]", "name": "demo-auth0"}]}}'

Response

A successful response will be empty: {}.

Review Column Defaults

Configure default columns and visibility for reviewers.

This API configures the default columns which reviewers will see when they open a review, as well as columns that should be hidden from reviewers but visible to administrators. If workflow_id is specified then the configuration will only be applied to reviews related to the particular Review Configuration identified by workflow_id.

The request body includes two main fields:

default_ordered_columns: Array of column names that will be visible to all users (reviewers, administrators, and operators)
hide_from_reviewers_columns: Array of column names that will be hidden from users with the reviewer role but remain visible to administrators and operators

Validation Rules

Important validation rules:

Column names cannot appear in both default_ordered_columns and hide_from_reviewers_columns simultaneously
Column names cannot be empty strings
Column names cannot contain spaces or commas
The system validates these constraints and returns an error if violations are found

Valid Column Values

The valid values to show entity attributes include:

source.ATTR
destination.ATTR
waypoint.ATTR
path_summary.ATTR
idp.ATTR

Where ATTR is an attribute name such as "id" or "name".

The following column values are also valid:

status
abstract_permissions
concrete_permissions
updated_at
notes
reviewers
decision
decision_by
decision_by_id
decision_by_name
decision_by_email
decision_at
marked_fixed_by_id
marked_fixed_by_name
marked_fixed_by_email
marked_fixed_at
signed_off_state
signed_off_by_id
signed_off_by_name
signed_off_by_email
signed_off_at
notification_status
automation_run_ids
no_decision_or_decision_by
Is_signed_off

Example

{
  "value": {
    "default_ordered_columns": [
      "source.name",
      "source.department",
      "source.customprop_worker_status",
      "source.tags",
      "path_summary.name",
      "concrete_permissions",
      "destination.name",
      "destination.customprop_display_name",
      "reviewers"
    ],
    "hide_from_reviewers_columns": [
      "source.identity_unique_id",
      "idp.on_premises_distinguished_name"
    ]
  },
  "workflow_id": "002063d2-7898-4183-b5fb-1192758fdec7"
}

This example configuration shows sensitive identity information (unique IDs and distinguished names) to administrators while hiding them from reviewers, allowing for better security and privacy control in access reviews.

Get Review Column Defaults

Set Review Column Defaults

List All Column Settings

Automations API

Get, create, update, delete, and attach Intelligent Automations.

Use these operations to manage Access Review Automations and associate them with individual workflows.

Automations apply changes (such as approve, sign-off, add a note, or apply visual indicators) to Certification rows based on historical certification data, or a filter on the current results. They can run by default or on an opt-in basis when a certification is created.

Example Automations

{
  "id": "e48dd2c8-3633-463b-a477-0177a942b5a6",
  "name": "Highlight inactive sources",
  "description": "Highlight rows where the source account is inactive",
  "priority": 0,
  "attachment_behavior": {
    "attach_to_new_workflows": true,
    "opt_in": true
  },
  "criteria": {
    "filter": "source.is_active eq false",
    "mutable_filter": ""
  },
  "action": {
    "display_style": "HIGHLIGHT",
    "display_text": "Source account is inactive"
  }
}

{
  "id": "f59ee3d9-4744-574c-b588-1288b0942c7c",
  "name": "Reject privileged account access",
  "description": "Suggest reject for admin or root accounts",
  "priority": 0,
  "attachment_behavior": {
    "attach_to_new_workflows": true,
    "opt_in": true
  },
  "criteria": {
    "filter": "(destination.name eq \"admin\") OR (source.name eq \"root\")",
    "mutable_filter": ""
  },
  "action": {
    "display_style": "SUGGEST_REJECT",
    "display_text": "Privileged account detected - review carefully"
  }
}

For more information about this feature see Intelligent Automations.

You will need an API token with root team or administrator permissions to manage Automations.

Error handling and conflicts

The following rules apply when an Automation run encounters an issue:

If Automation processing fails for any result, the Automation run stops and no further Automations are applied.
When Automations fail, the Certification is still considered complete and non-errored. The Automation run will have an error status and message.

Results are considered the same when the entities and relationships are exactly equal (including data source IDs). If a conflict occurs with Automations trying to change the same mutable field:

Each change must update the field to the same value. The action log entry will contain notes (if supplied) for each action.
Automations changing a field to differing values are unresolvable conflicts and skipped, but will not interrupt the Automation run.

Automation Object Schema

An Automation consists of attachment_behavior rules, filter criteria, and an action to apply:

{
  "id": "string",
  "name": "string",
  "description": "string",
  "priority": 0,
  "attachment_behavior": {
    "attach_to_new_workflows": boolean,
    "opt_in": boolean
  },
  "criteria": {
    "filter": "string",
    "mutable_filter": "string"
  },
  "action": {
    // For modification actions:
    "decision": "string",
    "signed_off_state": "string",
    "notes": "string",
    "reviewer_assignment": null,

    // OR for display actions:
    "display_style": "string",
    "display_text": "string"
  }
}

Each Automation object has the fields:

id (String): Unique identifier for the Automation.
name (String): Name of the Automation.
description (String): A brief description of the Automation.
priority (Integer): Priority value of the Automation (not currently supported).

`attachment_behavior` (Object)

Defines if the Automation is available for all workflows, and whether it is optional:

attach_to_new_workflows (Boolean): Indicates whether to automatically attach to new and existing workflows.
opt_in (Boolean): If true Operators can pick the automation when creating a Workflow. If false the automation is enabled by default.

`criteria` (Object)

Specifies filters for conditionally updating results:

filter (String): A SCIM filter specifying a source or destination attribute with support for complex expressions using AND, OR, and parentheses for grouping. Examples:
- Simple filter: source.is_active eq false
- Complex filter: (source.name sw "A" OR source.name sw "B") AND destination.is_active eq true
mutable_filter (String): A filter on a previous result mutable field using the syntax previous.attribute. Example: "previous.decision eq "RESULT_DECISION_ACCEPTED""

Similarly to Smart Actions, Automations can update results based on a source or destination attribute (such as activity status). Filters use the syntax source.attribute or destination.attribute.

Mutable filters in Automations use the syntax previous.decision, previous.notes and previous.signed_off_state to refer to historical row data. The possible values are:

decision:
- "RESULT_DECISION_UNKNOWN"
- "RESULT_DECISION_NONE"
- "RESULT_DECISION_ACCEPTED"
- "RESULT_DECISION_REJECTED"
- "RESULT_DECISION_FIXED"
notes: string
signed_off_state:
- "UNKNOWN"
- "NOT_SIGNED_OFF"
- "SIGNED_OFF"

`action` (Object)

Action the Automation will apply to matching results:

decision (String): Decision code for the action.
signed_off_state (String): Sign off state code.
notes (String): Notes the automation will apply.
display_style (String): Visual indicator to apply to matching rows:
- HIGHLIGHT: Highlight the row
- SUGGEST_ACCEPT: Mark the row as suggested for acceptance
- SUGGEST_REJECT: Mark the row as suggested for rejection
display_text (String): Custom message to show when display_style is set

Note: When using display_style actions, you cannot set decision, signed_off_state, notes, or reviewer_assignment fields.

Possible decisions and numeric codes are:

UNKNOWN (0)
NONE (1)
ACCEPTED (2)
REJECTED (3)
FIXED (4)

Signed Off State can be:

UNKNOWN_SIGNED_OFF = 0;
NOT_SIGNED_OFF = 1;
SIGNED_OFF = 2;

`reviewer_assignment` (Object)

The preview API does not currently support Reviewer assignment.

Preview API Documentation

Use the endpoints documented below to create and manage automations:

List Automations

Endpoint: /api/preview/awf/automations
Method: GET
Description: Returns all Automations and configuration details.

Returns all Automations in a values array.

Update Automation

Endpoint: /api/preview/awf/automations
Method: PUT
Description: Updates an existing Automation. The full Automation object is required.

Create Automation

Endpoint: /api/preview/awf/automations
Method: POST
Description: Creates a new Automation.

Get Automation

Endpoint: /api/preview/awf/automations/{id}
Method: GET
Description: Get details for a single Automation by ID.

Delete Automation

Endpoint: /api/preview/awf/automations/{id}
Method: DELETE
Description: Deletes a specific Automation by its ID.

Attach Automations

Endpoint: /api/preview/awf/automations:attach
Method: POST
Description: Enable an Automation for a specific workflow, or all workflows.

Attach one or all Automations to a single workflow by specifying the:

id (String): Single Automation ID.
workflow_id (String): ID of the workflow to associate Automations with.
all (boolean): If True, attaches all existing Automations to the Workflow.
opt_in (boolean): If False the Automation can be selected when creating a certification. Otherwise, operators can enable it when creating certifications.

List attached Workflow Automations

Endpoint: /api/preview/awf/automations:attached/{workflow_id}
Method: GET
Description: Returns all Automations eligible to run on Certifications for a given Workflow id.

Detach Automations

Endpoint: /api/preview/awf/automations:detach
Method: POST
Description: Detach one or all Automations from an Access Review Workflow.

Outlier Detection

Configure outlier detection settings to identify anomalous access patterns in Access Reviews.

Early Access Feature: Outlier Detection is currently in Early Access and available via API only. The feature and API are subject to change. Contact your Veza Customer Success Manager to enable this feature for your tenant.

Configure outlier detection to automatically identify and flag anomalous access patterns during Access Reviews. The Manager-Centric algorithm compares each user's access to their peer group and detects access held by fewer than a specified threshold percentage of peers, helping reviewers focus on unusual or potentially risky permissions.

How Outlier Detection Works

The Manager-Centric outlier detection algorithm uses statistical analysis to identify rare access patterns:

Peer Grouping: Users are grouped based on configurable properties (default: users sharing the same manager)
Statistical Analysis: For each destination (resource/permission) in the review, Veza calculates what percentage of the peer group has access using the Wilson score confidence interval method at 95% confidence
Threshold Comparison: Access paths where the statistical lower bound is at or below the configured threshold are flagged as outliers
Reviewer Visibility: Flagged items are highlighted in the reviewer interface with explanations indicating the access is rare within the peer group

Default Behavior

By default, outlier detection uses:

Grouping: Users with the same manager (manager_idp_unique_id property)
Threshold: 15% (access held by ≤15% of peers is flagged as an outlier)

Example Scenario

Consider an Access Review for Okta groups:

100 users report to Manager A
95 of them have access to the "Engineering-All-Hands" group
5 users have access to the "Admin-Production-Access" group

Given a 15% threshold:

"Engineering-All-Hands" access (95% of peers) is not flagged, as this is normal access
"Admin-Production-Access" (5% of peers) is flagged as an outlier, as this is rare access

The reviewer sees a warning on those 5 rows that this access is anomalous within the peer group — no more than 15% of peers with shared characteristics have it.

API Endpoints

Administrators can customize outlier detection using APIs:

Get Outlier Detection Configuration

GET /api/private/workflows/access/global_settings/manager_centric_config

Retrieve the current outlier detection configuration, either globally or for a specific review configuration.

Parameters

Name

Type

Required

Description

workflow_id

string

query

Review configuration ID. If specified, returns the configuration for that specific review configuration. If omitted or empty, returns the global configuration.

Example: Get Global Configuration

curl 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/manager_centric_config' \
  -H 'Authorization: Bearer YOUR_BEARER_TOKEN' \
  -H 'Content-Type: application/json'

Example: Get Configuration for Specific Review

curl 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/manager_centric_config?workflow_id=8ae1c414-3a76-46cb-950a-925316b3f264' \
  -H 'Authorization: Bearer YOUR_BEARER_TOKEN' \
  -H 'Content-Type: application/json'

Response

{
  "value": {
    "grouping_properties": [
      {
        "property_name": "manager_idp_unique_id"
      }
    ],
    "threshold": 0.15
  }
}

Set Outlier Detection Configuration

PUT /api/private/workflows/access/global_settings/manager_centric_config

Update the outlier detection configuration globally or for a specific review configuration.

Parameters

Name

Type

Required

Description

workflow_id

string

Review configuration ID. If specified, applies settings only to that configuration. If omitted, updates the global default.

value

object

Yes

Configuration object

value.grouping_properties

array

Array of property references defining how to group users into peer groups. If empty, uses population-wide comparison. See below.

value.threshold

number

Yes

Threshold percentage (0.0 to 1.0) below which access is considered an outlier. For example, 0.15 means access held by ≤15% of peers is flagged.

Example: Set Global Configuration

curl -X PUT 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/manager_centric_config' \
  -H 'Authorization: Bearer YOUR_BEARER_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{
    "value": {
      "grouping_properties": [
        {
          "property_name": "department",
          "target": "TARGET_NODE_SOURCE"
        },
        {
          "property_name": "location",
          "target": "TARGET_NODE_SOURCE"
        }
      ],
      "threshold": 0.1
    }
  }'

Example: Set Configuration for Specific Review

curl -X PUT 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/manager_centric_config' \
  -H 'Authorization: Bearer YOUR_BEARER_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{
    "workflow_id": "8ae1c414-3a76-46cb-950a-925316b3f264",
    "value": {
      "grouping_properties": [
        {
          "property_name": "manager_idp_unique_id"
        }
      ],
      "threshold": 0.2
    }
  }'

Response

{}

Grouping Properties

Grouping properties define how users are organized into peer groups for outlier analysis. You can specify properties from:

Source nodes (the users/identities in the review)
Destination nodes (the resources/permissions being reviewed)
Enriched/joined nodes (additional data joined to the query, such as manager information from an IdP)

Property Reference Schema

Each property reference has these fields:

Field

Type

Required

Description

property_name

string

Yes

The name of the property to group by (e.g., "department", "location", "manager_idp_unique_id")

target

enum

Where the property comes from. Options: TARGET_NODE_UNSPECIFIED (default, assumes source), TARGET_NODE_SOURCE, TARGET_NODE_DESTINATION, TARGET_NODE_JOINED

joined_node_alias

string

Conditional

Required when target is TARGET_NODE_JOINED. The alias of the joined node from the review query's JoinNodeSpec

Target Node Types

SOURCE Node Properties

Properties from the source entities in the review (typically users/identities).

Common source properties:

department - User's department
location - User's location
manager_idp_unique_id - User's manager identifier (default)
is_active - Whether the user account is active
employee_type - Employee classification (e.g., full-time, contractor)

Example:

{
  "property_name": "department",
  "target": "TARGET_NODE_SOURCE"
}

DESTINATION Node Properties

Properties from the destination entities (resources/permissions being reviewed).

Common destination properties:

classification - Resource classification level
data_sensitivity - Data sensitivity level
owner - Resource owner
environment - Environment (prod, dev, test)

Example:

{
  "property_name": "classification",
  "target": "TARGET_NODE_DESTINATION"
}

JOINED Node Properties (Enrichment)

Properties from enriched/joined metadata from another data source. These require the review query to include a JoinNodeSpec that joins additional data (such as manager information from an IdP).

Example:

{
  "property_name": "department",
  "target": "TARGET_NODE_JOINED",
  "joined_node_alias": "manager"
}

This groups all users by their manager's department, requiring the review query to join the manager data with the alias "manager".

Configuration Examples

Example 1: Default Manager-Based Grouping

Groups users by manager with a 15% threshold (default configuration):

{
  "value": {
    "grouping_properties": [
      {
        "property_name": "manager_idp_unique_id"
      }
    ],
    "threshold": 0.15
  }
}

Use case: Identify access that's unusual compared to direct peers reporting to the same manager.

Example 2: Department and Location Grouping

Groups users by both department and location with a 10% threshold:

{
  "value": {
    "grouping_properties": [
      {
        "property_name": "department",
        "target": "TARGET_NODE_SOURCE"
      },
      {
        "property_name": "location",
        "target": "TARGET_NODE_SOURCE"
      }
    ],
    "threshold": 0.1
  }
}

Use case: Identify access that's rare among users in the same department and office location.

Example 3: No Grouping (Population-Wide)

Compares each user to the entire population with 5% threshold:

{
  "value": {
    "grouping_properties": [],
    "threshold": 0.05
  }
}

Use case: Flag extremely rare access across the entire organization, regardless of role or department.

Example 4: Resource Classification Grouping

Groups by destination resource classification with a 20% threshold:

{
  "value": {
    "grouping_properties": [
      {
        "property_name": "classification",
        "target": "TARGET_NODE_DESTINATION"
      }
    ],
    "threshold": 0.2
  }
}

Use case: Identify unusual access patterns within resources of the same classification level.

Example 5: Manager's Department (Enrichment)

Groups by the manager's department (requires query enrichment) with a 15% threshold:

{
  "value": {
    "grouping_properties": [
      {
        "property_name": "department",
        "target": "TARGET_NODE_JOINED",
        "joined_node_alias": "manager"
      }
    ],
    "threshold": 0.15
  }
}

Use case: Identify access that's unusual among users whose managers are in the same department, useful in matrix organizations.

Use Cases

Finance Audit Compliance

Scenario: Reviewing access to financial systems where SOX compliance requires attention to outlier access.

Configuration:

{
  "value": {
    "grouping_properties": [
      {
        "property_name": "department",
        "target": "TARGET_NODE_SOURCE"
      }
    ],
    "threshold": 0.05
  }
}

Users with access held by ≤5% of their department peers are flagged for additional scrutiny.

Engineering Production Access

Scenario: Reviewing production system access where most engineers shouldn't have admin rights.

Configuration:

{
  "value": {
    "grouping_properties": [
      {
        "property_name": "team",
        "target": "TARGET_NODE_SOURCE"
      },
      {
        "property_name": "environment",
        "target": "TARGET_NODE_DESTINATION"
      }
    ],
    "threshold": 0.1
  }
}

Identifies engineers with production access that is unusual within their team, considering the environment.

Role-Based Access Review

Scenario: Reviewing access where job role should predict permissions.

Configuration:

{
  "value": {
    "grouping_properties": [
      {
        "property_name": "job_role",
        "target": "TARGET_NODE_SOURCE"
      }
    ],
    "threshold": 0.15
  }
}

Flags access held by ≤15% of users with the same job role, indicating potential role creep or over-provisioning.

Cross-Department Anomaly Detection

Scenario: Detecting access patterns that are unusual for an entire department.

Configuration:

{
  "value": {
    "grouping_properties": [
      {
        "property_name": "department",
        "target": "TARGET_NODE_SOURCE"
      },
      {
        "property_name": "location",
        "target": "TARGET_NODE_SOURCE"
      }
    ],
    "threshold": 0.08
  }
}

Identifies access held by ≤8% of users in the same department and location, flagging potentially inappropriate cross-functional access.

Important Considerations

Configuration Scope: Settings can be applied globally (affecting all new reviews by default) or per-review configuration. Review-specific settings override global settings for reviews created from that configuration.

Property Availability: Grouping properties must exist in your access review query results. If a specified property doesn't exist for source/destination/joined nodes, outlier detection may not function as expected. Verify property names match your data schema.

Statistical Confidence: The algorithm uses the Wilson score confidence interval at 95% confidence level to ensure statistically sound outlier detection even with small peer groups. Peer groups with fewer than 3 members are excluded from outlier analysis to maintain statistical validity.

Threshold Tuning: Start with the default 15% threshold and adjust based on your organization's risk tolerance:

Lower thresholds (5-10%): More sensitive, flags only the rarest access
Higher thresholds (20-25%): Less sensitive, flags more broadly uncommon access

After implementing Outlier Detection, monitor reviewer feedback and adjust accordingly.

Enrichment Requirements: When using TARGET_NODE_JOINED properties, ensure your Access Review query includes the corresponding JoinNodeSpec with the matching alias. See Access Reviews Configuration for enrichment configuration.

Access Reviews Settings - Overview of all Access Reviews settings
Access Reviews Configuration - Complete Access Reviews documentation