Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Methods for interacting with workflows and certifications
These endpoints enable listing workflows, listing certifications, getting certification results, and updating certifications. They can be used to programmatically retrieve workflow and certification details, and update certification rows with a decision or note, such as ticket number.
These endpoints also provide utility functionality, such as managing the reviewer deny list, populating results with webhook response info, and customizing quick filters, smart actions, and help pages.
APIs for Veza Access Reviews are subject to change, and as such are provided with the
/previewAPI collection. Use the appropriate prefix when calling the API, for example,your-org.vezacloud.com/api/preview/.
First, save your and Veza base URL as environment variables:
Get all workflows and IDs:
Use a workflow id to get active and pending certifications for that workflow:
The response will include certification details, including the certification ids.
Using a certification id, you can get results for the certification, including entity attributes:
Update a certification result row with a note:
export VEZA_TOKEN=APIKEY
export VEZA_URL=https://preview.vezacloud.comcurl "$BASE_URL/api/preview/awf/workflows" \
-H "authorization: Bearer $VEZA_TOKEN"curl "$BASE_URL/api/preview/awf/certifications?workflow_id=b9dc2586-5f30-4462-b6be-53f62debc40f" \
-H "authorization: Bearer $VEZA_TOKEN"curl "$BASE_URL/api/preview/awf/certifications/b2562ef3-a4b3-4b30-8a45-1ba36f945d10/results?offset=0&size=30" \
-H "authorization: Bearer $VEZA_TOKEN"curl -X PUT "$BASE_URL/api/preview/awf/certifications/b2562ef3-a4b3-4b30-8a45-1ba36f945d10/results" \
-H "authorization: Bearer $VEZA_TOKEN" \
-d '{"value": {"result_id": 0,"decisions": "REJECTED", "notes": "Over-privileged"}}'
Update status info for custom webhooks
Updates webhook status and details for a certification result.
If you have configured a custom webhook to conduct automated access removal or another form of remediation, you can update Veza with the notification status.
Your application can use this endpoint to send a POST request updating the webhook state, visible to other reviewers from Veza's Certification UI.
POST
/api/preview/awf/certifications/{certification_id}/results:update_webhook_info
Path parameters
certification_id - id of the certification containing the result to update.
Body
The request body must include the id of the result to update. Valid notification_status are:
PENDING
SUCCEED
FAILED
Webhook_info strings can contain up to 255 bytes.
Response
A successful response will be empty {}
{
"result_id": "0",
"notification_status": "FAILED",
"webhook_info": "Ticket could not be created"
}Update a single result with escalated privileges
ForceUpdateAwfResults allows administrators to modify results more than normally allowed, such as changing sign-off status, or changing a row's decision after a certification expires.
POST
/api/preview/awf/certifications/{certification_id}/results:force_update
The API token used for this request must be created for a user with the admin role.
A forced update request:
Can undo sign-off of a row.
On an expired or completed certification, during the grace period, rows can be modified as normal (Assuming they're no longer signed off).
The grace period for changes is 7 days after certification completion or expiration
A :
Can't undo sign-off of a row.
On an expired certification, during the grace period, a rejected row can be marked as fixed by admin/operator.
A successful response will be empty:
Customizing saved filters for certification reviewers.
List, create, and delete saved filters, globally or for a single workflow. Reviewers can pick from available quick filters under Certification Filters > Saved Filters.
GET, POST, DELETE
{Veza URL}/api/preview/awf/quick_filters
Requests require a Veza API key for authentication.
Add a quick filter by specifying an optional workflow_id and a single source or destination node property, corresponding to a Review interface column.
Filters can also apply to abstract_permissions or concrete_permissions (see example response).
Valid filter operators are:
co "contains"
eq "equals"
ne "not equals"
With a workflow_id specified, the filter will only apply to certifications on that workflow. Otherwise, reviewers can apply the quick filter to any certification:
A successful response will contain the filter id, for example:
Including a workflow_id in the query returns quick filters with a matching workflow_id and quick filters with no workflow_id:
Example response:
Get all reviewers and details by certification
GET
/api/preview/awf/certifications/{certification_id}/reviewer_infos
Returns information about all users assigned to a certification and its results. This will include the users' email and ID, along with their progress on the certification (row_stats listing actions counts by type).
A successful response returns AccessReviewerInfo objects within a values array:
Customize notes behavior and UI elements for reviewers.
By default, when a reviewer approves a row, a "notes" pop-up appears, allowing the user to optionally add a note explaining their decision. When a reviewer rejects a row, the "notes" pop-up appears, and adding a note is required. This API allows you to customize this behavior. For example, you can choose to disable the pop-up when a row is approved and make the notes pop-up optional when a row is rejected.
Additionally, this API can enable the historical "Approve & Signoff" action in the reviewer experience when multiple rows are selected. Note: It is recommended that this feature remains disabled to ensure a more streamlined reviewer experience.
accept_notes_behavior can be:
NOTES_BEHAVIOR_UNKNOWN = 0
NO_POP_UP = 1
POP_UP_OPTIONAL = 2
POP_UP_REQUIRED
reject_notes_behavior can be:
NOTES_BEHAVIOR_UNKNOWN = 0
NO_POP_UP = 1
POP_UP_OPTIONAL = 2
approve_and_sign_off_button_behavior can be:
HIDE_OR_SHOW_BEHAVIOR_UNKNOWN = 0
SHOW = 1
HIDE = 2
diff_dropdown_behavior can be:
NORMAL = 1 (Enables all users to see decisions and access changes from previous reviews for the same configuration)
ALWAYS_HIDE_FOR_ACCESS_REVIEWER_ROLE = 2 (Prevents users with the "Access Reviewer" role from accessing this option)
sw "starts with"
ew "ends with"
certification_id
string
ID of a workflow certification
Y
POST {Veza URL}/api/preview/awf/quick_filters
{
"name": "custom filter",
"filter": "source.type co \"admin\"",
"workflow_id": "ad78350a-bfe5-4eff-a160-dccbe28c6961"
}{
"id": "41761624-cb9c-4668-be69-3b0f359a45e3"
}GET {Veza URL}/api/preview/awf/quick_filtersGET {Veza URL}/api/preview/awf/quick_filters?workflow_id=78be0b3d-d6f4-4e5d-98c4-7b1db1a88575{
"values": [
{
"id": "4a1dbf1a-282f-4faf-81f2-6ee3752b5cb2",
"name": "User type = admin",
"workflow_id": "78be0b3d-d6f4-4e5d-98c4-7b1db1a88575",
"filter": "source.type eq \"admin\""
},
{
"id": "69b131b0-8af5-4ab1-9099-91c03ca54555",
"name": "abstract permissions include delete",
"workflow_id": "",
"filter": "abstract_permissions co \"Delete\""
},
{
"id": "88e5d197-6555-4e3f-a48d-43713b340a2c",
"name": "destination org filter",
"workflow_id": "",
"filter": "destination.google_cloud_organization_name eq \"acme\""
},
{
"id": "df944da1-76fe-42e0-829e-b8bf0a200f39",
"name": "concrete permissions include abort multipart upload",
"workflow_id": "78be0b3d-d6f4-4e5d-98c4-7b1db1a88575",
"filter": "concrete_permissions co \"s3:AbortMultipartUpload\""
},
{
"id": "f722936d-a8f7-4b38-acb2-a41e12ec2673",
"name": "User type is AwsIamUser",
"workflow_id": "78be0b3d-d6f4-4e5d-98c4-7b1db1a88575",
"filter": "source.type co \"AwsIamUser\""
}
]
}DELETE {Veza URL}/api/preview/awf/quick_filters/d31cfa3f-1999-4789-8ec1-a844c03dd622curl 'https://{{VezaURL}}/api/preview/awf/certifications/abe5c346-84ad-49b0-bafc-614a8365c883/reviewer_infos' \
-H 'authorization: Bearer '$TOKEN{
"values": [
{
"reviewer": {
"user_type": "localCookieUser",
"id": "dcadfc95-29f5-4130-b715-5476d40a5811",
"email": "[email protected]",
"name": "Access Reviewer"
},
"row_stats": {
"total": "1",
"no_decision": "0",
"accepted": "1",
"rejected": "0",
"fixed": "0",
"signed_off": "1"
}
}
]
}notes
body
string of most recent row
reviewers
body
object
signed_off_state
body
Sign-off status (NOT_SIGNED_OFF, SIGNED_OFF)
notification_status
body
Integration status (UNKNOWN, PENDING, SUCCEED, FAILED)
certification_id
path
ID of the certification containing the result to alter
value
body
Contains a single certification result and keys to update
result_id
body
Numeric result id to update (min 0)
decision
body
Result decision(NONE, REJECTED, ACCEPTED, FIXED)
POP_UP_REQUIREDworkflow_id
string
Workflow GUID
name
string
Workflow display name
description
string
Extended description
owner
object
Owner user details
notes
string
Workflow notes
query
Listing access certifications returns all Certifications for a workflow, within a values array.
Note that to maintain certification integrity, some properties are immutable and can't be modified, while other values system-updated. Mutable fields such as "name," "notes," "reviewers" and "due date" can be changed by operators and admins using the Veza UI:
certification_id
string
Certification GUID
workflow_id
string
Workflow GUID
query_used
WorkflowQuery
The query for the workflow (immutable).
name
string
See Query Builder API for more details on query construction.
Internal fields are updated by the workflow service to store important metadata:
state
AccessCertState
Certification status
snapshot_time
string (RFC 3339 timestamp)
Date of graph snapshot at certification creation
started_at
string (RFC 3339 timestamp)
Certification creation date
query_completed_at
string (RFC 3339 timestamp)
States can be:
CERT_STATE_SEARCHING // The query is still running
CERT_STATE_IN_PROGRESS // the certification is being reviewed
CERT_STATE_COMPLETED // the review of the certification is complete
Certification results include a numeric ID, the query details, and any decisions and notes. Each result includes entity details for the source -> destination nodes and the cumulative permissions under review:
accumulated_effective_permissions
string list
Cumulative canonical (C/R/U/D) permissions to the resource
accumulated_raw_permissions
string list
List of concrete system permissions to the resource
action_log_entries
array
Log of previous actions on the result
decision
string
Valid decisions are:
RESULT_DECISION_NONE // No decision has been made
RESULT_DECISION_ACCEPTED // The access described in the result row is acceptable
RESULT_DECISION_REJECTED // The access described in the result row isn't correct
RESULT_DECISION_FIXED // The access was rejected, but has been fixed
Both the number or string value for the decision are allowed, for example "decision": 4 or "decision": RESULT_DECISION_FIXED.
The notes field will always contain the most recent note. Previous notes can be reviewed in the action log using the List Cert Results API.
Shows source, destination, or intermediate entity details for a query result:
type
string
Entity type
name
string
Entity name
id
string
Entity UID
properties
key:value pair
Reviewer details, typically a Veza user account. If global IdP settings are configured, the user type and id refer to Veza graph entities:
user_type
string
SSO entity type or localCookieUser
id
string
User GUID
email
string
User email address
name
string
You can get details for a local Veza user from Administration > User Management. For graph entities (identities from an external identity provider), inspect the entity details using Access Search or the Entities page. List Reviewer Infos will return all users for a given certification.
When assigning reviewers using preview Workflows APIs, requested users are validated before assigning them to a certification result, and not assigned when the user can’t be found. Assignee id and user_type are required to identify reviewers. name and email are optional but if provided must match the Veza user record.
Results contain a record of all prior actions on a certification result.
action
string
Action log event type
user
object
Reviewer details
time
string
RFC 3339 timestamp
decision_detail
object
Possible actions are:
NOTE_ADDED
REVIEWER_ASSIGNED
DECISION
The response will include the type, id, email, and name of the user who made the change:
The reviewer_assignment specifies how reviewers should be assigned to rows, during initial certification create or when reviewers are re-assigned by smart action.
users_manager and resource_managers assigns reviewers based on Global IdP settings.
reviewers is a way to specify one or more reviewers to apply to every row. fallback_reviewers is one or more reviewers that to assign to rows if auto assign by user or resource manager fails for any reason
Control export permissions for reviewers.
Control whether reviewers can view and export access review data. This setting provides granular control over different export formats, allowing administrators to enable or disable CSV and PDF exports independently based on organizational security policies.
When enabled, reviewers can export review data in the allowed formats for offline analysis or reporting. When disabled, the corresponding export options are hidden from the reviewer interface, ensuring review data remains within the Veza platform.
The default setting disables both CSV and PDF exports for security. This setting can be configured globally for all reviews or for specific review configurations using the workflow_id parameter.
The request body accepts:
allow_csv_exports (boolean) - Enable or disable CSV export functionality for reviewers
allow_pdf_exports (boolean) - Enable or disable PDF export functionality for reviewers
workflow_id (optional string) - Specific review configuration ID to override global settings
Example request body:
Retrieve the current reviewer export permission settings. Include the optional workflow_id query parameter to get settings for a specific review configuration.
Global Settings Request:
Configuration-Specific Request:
Example response:
Update the reviewer export permission settings globally or for a specific review configuration.
Global Settings Request:
Configuration-Specific Request:
Example response:
Return a single certification result
Returns result details by id, including any special properties, decisions, and notes.
Parameters
Configure delegate Veza users who will be assigned as certification reviewers whenever a specified user would have been assigned.
Prevent auto assignment for specific users
View or change the deny list for reviewer auto assignment.
Adding a user to the deny list will prevent that user from being auto assigned as a reviewer. That user will also be prevented from appearing in the drop-down menu when manually reassigning a user.
If a user's manager is on the deny list when auto assignment occurs, the certification will be assigned to the that manager's manager. If both the manager and the manager's manger are on the deny list, the result will be assigned to the workflow creator.
Returns the current denied users.
Configure default columns and visibility for reviewers.
This API configures the default columns which reviewers will see when they open a review, as well as columns that should be hidden from reviewers but visible to administrators. If workflow_id is specified then the configuration will only be applied to reviews related to the particular Review Configuration identified by workflow_id.
The request body includes two main fields:
default_ordered_columns: Array of column names that will be visible to all users (reviewers, administrators, and operators)
curl '{{VEZA_URL}}/api/preview/awf/certifications/f9123002-978f-f203bc9885ed/results:force_update' \
-H 'authorization: Bearer '$token \
-D '{"value": {"result_id": 0,"signed_off_state":"NOT_SIGNED_OFF"}}'{}{
"value": {
"diff_dropdown_behavior": "ALWAYS_HIDE_FOR_ACCESS_REVIEWER_ROLE",
"accept_notes_behavior": "NO_POP_UP",
"reject_notes_behavior": "POP_UP_REQUIRED",
"approve_and_sign_off_button_behavior": "SHOW"
}
}{
"entries": [
{
"action": "REVIEWER_ASSIGNED",
"user": {
"user_type": "localCookieUser",
"id": "e5aeaaf6-5d7a-4982-aa61-d0e6dea612a5",
"email": "[email protected]",
"name": "preview-auth0"
},
"time": "2022-09-20T17:50:06.939577367Z",
"reviewer_detail": {
"old_reviewers": [],
"new_reviewers": [
{
"user_type": "localCookieUser",
"id": "299d63c2-8edb-4ed1-a725-e56d84d956b7",
"email": "[email protected]",
"name": "docs"
}
]
}
},
{
"action": "DECISION",
"user": {
"user_type": "localCookieUser",
"id": "e5aeaaf6-5d7a-4982-aa61-d0e6dea612a5",
"email": "[email protected]",
"name": "preview-auth0"
},
"time": "2022-09-20T17:50:21.424281596Z",
"decision_detail": {
"decision": "RESULT_DECISION_ACCEPTED",
"note": "OK"
}
},
{
"action": "DECISION",
"user": {
"user_type": "localCookieUser",
"id": "e5aeaaf6-5d7a-4982-aa61-d0e6dea612a5",
"email": "[email protected]",
"name": "preview-auth0"
},
"time": "2022-09-20T17:50:44.381372987Z",
"decision_detail": {
"decision": "RESULT_DECISION_FIXED",
"note": ""
}
},
{
"action": "NOTE_ADDED",
"user": {
"user_type": "localCookieUser",
"id": "e5aeaaf6-5d7a-4982-aa61-d0e6dea612a5",
"email": "[email protected]",
"name": "preview-auth0"
},
"time": "2022-09-20T17:52:14.773114900Z",
"note": "updating the note"
}
]
}{
"reviewer_assignment": {
"fallback_reviewers": [
{
"email": "string",
"id": "string",
"name": "string",
"user_type": "string"
}
],
"resource_managers": true,
"reviewers": [
{
"email": "string",
"id": "string",
"name": "string",
"user_type": "string"
}
],
"users_manager": true
}
}WorkflowQuery object
Workflow search conditions
creator
WorkflowUser object
Creator user details
created_at
string (RFC 3339 timestamp)
Creation date
Certification name (not used)
notes
string
Certification notes
due_date
string (RFC 3339 timestamp)
Due date timestamp
reviewers
WorkflowUser object
List of reviewers
Timestamp indicating when certification results were generated
completed_at
string (RFC 3339 timestamp)
Certification completion date
created_by
WorkflowUser object
Certification creator details
completed_by
WorkflowUser object
User who marked certification as complete
total_result_count
int
Total query results
results_updated_at
string (RFC 3339 timestamp)
Timestamp
results_updated_by
WorkflowUser object
User details
total_complete_count
int
Number or result rows with an accept, reject, or fixed decision
creator
WorkflowUser object
User details
created_at
string (RFC 3339 timestamp)
Timestamp
updated_at
string (RFC 3339 timestamp)
Timestamp
updated_by
WorkflowUser object
User details
error_reason
string
Error message, if the workflow query failed
expired_at
string (RFC 3339 timestamp)
Timestamp
total_result_count
int
Total number of results
total_complete_count
int
Results with a final decision
total_rejected_count
int
Results with a "reject" decision
total_accepted_count
int
Results with an "accept" decision
total_fixed_count
int
Results that have been "marked as fixed"
Row decision
destination
ResultNode object
The result destination (typically a resource)
notes
string
The most recent note applied to the result
notification_response_infos
array
Error message and status for Webhook integrations, pushed with UpdateWebhookInfo
notification_status
string
Whether the integration triggered successfully
result_id
int
Result unique identifier for the certification
reviewers
Array of WorkflowUsers
Reviewer details
reviewer_assignment
ReviewerAssignmentInstructions object
Instructions for fallback and auto-assigned reviewers
signed_off_at
string (RFC 3339 timestamp)
signed_off_by
WorkflowUser object
Details for a single reviewer
signed_off_state
string
UNKNOWN_SIGNED_OFF NOT_SIGNED_OFF SIGNED_OFF
source
ResultNode object
Result source (typically a principal)
updated_at
string (RFC 3339 timestamp)
updated_by
WorkflowUser object
waypoint
ResultNode object
Related intermediate entity details, if specified by the workflow query
Entity properties
Full username
Decision type and any notes
certification_id
string
Y
Certification id
result_id
string
Y
Result number to retrieve
Request
Response
For more information about the Result object see Workflows Parameters.
GET
/api/preview/awf/certifications/{certification_id}/results/{result_id}
curl '{{VEZA_URL}}/api/preview/awf/certifications/f9123002-978f-f203bc9885ed/results/0' \
-H 'authorization: Bearer '$tokenAny certification items assigned to the original reviewer are also assigned to the delegated reviewer.
Delegate reviewers are notified of the assignment and receive notifications in place of the original reviewer. They can review and sign-off on any results assigned to the original reviewer.
The original reviewer can still act on results, but will not receive assignment or reminder emails.
The JSON payload contain pairs of original and delegate Workflow Users. You can use List Reviewer Infos to get all the required details for reviewers assigned to a certification.
Add delegation for Veza system users:
A successful response will be empty.
You can map both local Veza users and identities from an integrated identity provider.
Add delegation for Okta users (with IdP settings configured):
Note that this assumes the IdP setting are configured to use "idp_unique_id" to correlate identities, as in the Okta example here.
A successful response will list all configured delegations, contained in a values array:
To remove delegations, post the configuration to /api/preview/awf/delegation/users:remove.
A successful response will be empty.
GET
List User Delegations
/api/preview/awf/delegation/users
POST
Add User Delegations
/api/preview/awf/delegation/users:add
POST
Remove User Delegations
/api/preview/awf/delegation/users:remove
get
/api/preview/workflows/deny_list/users
Example response:
Add a user, either a Veza system user or an identity from a configured graph Identity Provider.
Note: To get the
user_typefor a Veza system user, as well as theuser_id,name, view network traffic in the browser while while searching for the user in a reviewer selection drop-down.
post
/api/preview/workflows/deny_list/users:add
Example body:
Delete an entry on the deny list.
post
/api/preview/workflows/deny_list/users:remove
Example body:
{
"value": {
"result_id": 0,
"source": {
"aliases": [],
"created_at": "2023-05-03T14:25:43Z",
"datasource_id": "datasource:google_cloud_workspace",
"email_addresses": [
"[email protected]",
"[email protected]",
"[email protected]"
],
"full_admin": false,
"google_cloud_organization_name": "organizations/123456789012",
"guest": false,
"id": "datasource:112655590859538682841",
"idp_unique_id": "[email protected]",
"is_active": true,
"last_login_at": "2023-05-10T15:25:04Z",
"location_areas": [],
"mfa_enabled": false,
"name": "[email protected]",
"organization_names": [],
"provider_id": "datasource",
"suspended": false,
"type": "GoogleWorkspaceUser"
},
"destination": {
"created_at": "2021-11-01T14:23:35Z",
"datasource_id": "datasource:google_cloud_iam",
"google_cloud_organization_name": "organizations/123456789012",
"id": "projects/743979515322",
"name": "Dev GCP Project",
"parent_id": "organizations/123456789012",
"project_id": "striped-graph-330814",
"provider_id": "datasource",
"type": "GoogleCloudProject",
"updated_at": "2022-04-07T22:08:48Z"
},
"accumulated_effective_permissions": [],
"accumulated_raw_permissions": [
"bigquery.datasets.get",
"bigquery.datasets.getIamPolicy",
"bigquery.tables.get",
"bigquery.tables.getIamPolicy",
"bigquery.tables.list",
"iam.roles.get",
"iam.roles.list",
"iam.serviceAccounts.create",
"iam.serviceAccounts.list",
"resourcemanager.folders.create",
"resourcemanager.folders.delete",
"resourcemanager.folders.get",
"resourcemanager.folders.getIamPolicy",
"resourcemanager.folders.list",
"resourcemanager.folders.move",
"resourcemanager.folders.setIamPolicy",
"resourcemanager.folders.undelete",
"resourcemanager.organizations.get",
"resourcemanager.organizations.getIamPolicy",
"resourcemanager.organizations.setIamPolicy",
"resourcemanager.projects.create",
"resourcemanager.projects.delete",
"resourcemanager.projects.get",
"resourcemanager.projects.getIamPolicy",
"resourcemanager.projects.list",
"resourcemanager.projects.move",
"resourcemanager.projects.setIamPolicy",
"resourcemanager.projects.update",
"storage.buckets.create",
"storage.buckets.createTagBinding",
"storage.buckets.delete",
"storage.buckets.deleteTagBinding",
"storage.buckets.get",
"storage.buckets.getIamPolicy",
"storage.buckets.list",
"storage.buckets.listTagBindings",
"storage.buckets.setIamPolicy",
"storage.buckets.update"
],
"updated_at": null,
"updated_by": null,
"signed_off_at": null,
"signed_off_by": null,
"notification_response_infos": [],
"notification_status": "UNKNOWN",
"waypoint": {
"id": "organizations/123456789012_policy_role_binding0",
"name": "CookieAIDevServicePrincipalRole",
"type": "GoogleCloudIamRoleBinding"
},
"action_log_entries": [],
"decision": "NONE",
"notes": "",
"reviewers": [
{
"user_type": "localCookieUser",
"id": "e3ac5e6a-1946-4688-82a7-8a607133a1c8",
"email": "[email protected]",
"name": "External User"
}
],
"signed_off_state": "NOT_SIGNED_OFF",
"reviewer_assignment": null
}
}curl -X POST 'https://{{VezaURL}}/api/preview/awf/delegation/users:add' \
-H 'authorization: Bearer '$TOKEN \
-d @configuration.json{
"values": [
{
"original_user": {
"user_type": "localCookieUser",
"id": "2cdfb6e9-6f20-4198-925c-a045a3d690a0",
"email": "[email protected]",
"name": "External User"
},
"delegate_user": {
"user_type": "localCookieUser",
"id": "b8678b1b-0f31-40e4-9842-47b272694354",
"email": "[email protected]",
"name": "External User"
}
}
]
}{
"values": [
{
"original_user": {
"user_type": "OktaUser",
"id": "00upa6s0hSGtl1eGL5d5",
"email": "[email protected]",
"name": "[email protected]"
},
"delegate_user": {
"user_type": "OktaUser",
"id": "00u6h8rl61RiosYzi5d7",
"email": "[email protected]",
"name": "[email protected]"
}
}
]
}curl 'https://{{VezaURL}}/api/preview/awf/delegation/users' \
-H 'authorization: Bearer '$TOKEN{
"values": [
{
"original_user": {
"user_type": "localCookieUser",
"id": "2cdfb6e9-6f20-4198-925c-a045a3d690a0",
"email": "[email protected]",
"name": "Resource Manager"
},
"delegate_user": {
"user_type": "localCookieUser",
"id": "52c38da6-3b2e-44e9-9787-88ffa5ef398c",
"email": "[email protected]",
"name": "Backup Manager"
}
}
]
}curl -X POST 'https://{{VezaURL}}/api/preview/awf/delegation/users:remove' \
-H 'authorization: Bearer '$TOKEN \
-d @configuration/to/remove.json{
"users": [
{
"user_type": "OktaUser",
"id": "123456",
"email": "[email protected]",
"name": "Marilyn Hines"
}
]
}{
"users": [
{
"user_type": "OktaUser",
"id": "123456",
"email": "[email protected]",
"name": "Marilyn Hines"
}
]
}{
"users": [
{
"user_type": "OktaUser",
"id": "123456",
"email": "[email protected]",
"name": "Marilyn Hines"
}
]
}hide_from_reviewers_columns: Array of column names that will be hidden from users with the reviewer role but remain visible to administrators and operatorsImportant validation rules:
Column names cannot appear in both default_ordered_columns and hide_from_reviewers_columns simultaneously
Column names cannot be empty strings
Column names cannot contain spaces or commas
The system validates these constraints and returns an error if violations are found
The valid values to show entity attributes include:
source.ATTR
destination.ATTR
waypoint.ATTR
path_summary.ATTR
idp.ATTR
Where ATTR is an attribute name such as "id" or "name".
The following column values are also valid:
status
abstract_permissions
concrete_permissions
updated_at
notes
reviewers
decision
decision_by
decision_by_id
decision_by_name
decision_by_email
decision_at
marked_fixed_by_id
marked_fixed_by_name
marked_fixed_by_email
marked_fixed_at
signed_off_state
signed_off_by_id
signed_off_by_name
signed_off_by_email
signed_off_at
notification_status
automation_run_ids
no_decision_or_decision_by
Is_signed_off
This example configuration shows sensitive identity information (unique IDs and distinguished names) to administrators while hiding them from reviewers, allowing for better security and privacy control in access reviews.
Get all workflows and certification status
Add decisions and notes to a certification result
Apply a decision, note, sign-off, or reviewer change to a numbered certification result.
Each row of the certification results can be annotated, marked as ACCEPTED, or REJECTED, signed-off, or assigned to a different reviewer.
PUT
{{base_url}}/api/preview/awf/certifications/{certification_id}/results
value must include the result_id and any mutable fields to update:
Valid decisions are:
NONE // No decision has been made
ACCEPTED // The access described in the result row is acceptable
REJECTED // The access described in the result row isn't correct
Adding a note overwrites the previous value. Historical notes are included in the action log when . When viewing the row in the UI, only the most recent note is shown.
reviewersA result’s reviewer can be reassigned by updating the reviewers field with a list of one or more Access Workflow User objects:
Note that all fields are required when assigning a reviewer. As of the current release, there is no customer-facing API to get local user ids. For this reason, API-based reviewer reassignment is recommended only when a graph IdP is configured as the , and you can programmatically retrieve required identifiers such as user "name," "id," and "email."
A successful response will be empty: {}.
{
"value": {
"default_ordered_columns": [
"source.name",
"source.department",
"source.customprop_worker_status",
"source.tags",
"path_summary.name",
"concrete_permissions",
"destination.name",
"destination.customprop_display_name",
"reviewers"
],
"hide_from_reviewers_columns": [
"source.identity_unique_id",
"idp.on_premises_distinguished_name"
]
},
"workflow_id": "002063d2-7898-4183-b5fb-1192758fdec7"
}{
"value": {
"allow_csv_exports": true,
"allow_pdf_exports": false
},
"workflow_id": "8ae1c414-3a76-46cb-950a-925316b3f264" // Optional
}curl -L 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/allow_reviewer_exports' \
-H 'Authorization: Bearer YOUR_API_KEY'curl -L 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/allow_reviewer_exports?workflow_id=8ae1c414-3a76-46cb-950a-925316b3f264' \
-H 'Authorization: Bearer YOUR_API_KEY'{
"value": {
"allow_csv_exports": false,
"allow_pdf_exports": false
}
}curl -L -X PUT 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/allow_reviewer_exports' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer YOUR_API_KEY' \
-d '{
"value": {
"allow_csv_exports": true,
"allow_pdf_exports": false
}
}'curl -L -X PUT 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/allow_reviewer_exports' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer YOUR_API_KEY' \
-d '{
"value": {
"allow_csv_exports": true,
"allow_pdf_exports": false
},
"workflow_id": "8ae1c414-3a76-46cb-950a-925316b3f264"
}'{}curl '{{VEZA_URL}}/api/preview/awf/workflows' \
-H 'authorization: Bearer '$token{
"values": [
{
"workflow_id": "b9dc2586-5f30-4462-b6be-53f62debc40f",
"name": "demo",
"description": "demo",
"owner": {
"user_type": "localCookieUser",
"id": "e3ac5e6a-1946-4688-82a7-8a607133a1c8",
"email": "[email protected]",
"name": "earlypreview-auth0"
},
"notes": "",
"query": {
"raw_permissions": null,
"effective_permissions": null,
"source_node_types": {
"nodes": [
{
"node_type": "GoogleWorkspaceUser",
"tags": [],
"conditions": [],
"condition_expression": null,
"node_id": "",
"excluded_tags": [],
"count_conditions": [],
"direct_relationship_only": false,
"node_type_grouping_constraint": null
}
],
"nodes_operator": "AND"
},
"required_intermediate_node_types": {
"nodes": [],
"nodes_operator": "AND"
},
"avoided_intermediate_node_types": {
"nodes": [],
"nodes_operator": "AND"
},
"destination_node_types": {
"nodes": [
{
"node_type": "GoogleCloudProject",
"tags": [],
"conditions": [],
"condition_expression": null,
"node_id": "",
"excluded_tags": [],
"count_conditions": [],
"direct_relationship_only": false,
"node_type_grouping_constraint": null
}
],
"nodes_operator": "AND"
},
"no_relation": false,
"snapshot_id": "1690354800",
"waypoint_node_types": {
"nodes": [
{
"node_type": "GoogleCloudIamRoleBinding",
"tags": [],
"conditions": [],
"condition_expression": null,
"node_id": "",
"excluded_tags": [],
"count_conditions": [],
"direct_relationship_only": false,
"node_type_grouping_constraint": null
}
],
"nodes_operator": "AND"
},
"path_summary_node_types": null,
"node_relationship_type": "CONFIGURED",
"include_all_source_tags_in_results": true,
"include_all_destination_tags_in_results": false,
"page_size": "0",
"page_token": ""
},
"creator": {
"user_type": "localCookieUser",
"id": "e3ac5e6a-1946-4688-82a7-8a607133a1c8",
"email": "[email protected]",
"name": "earlypreview-auth0"
},
"created_at": "2023-07-27T03:34:56.166550127Z"
},
{
"workflow_id": "baecbd47-bd3d-4d52-acb8-34840a8973b2",
"name": "Azure PS",
"description": "",
"owner": {
"user_type": "localCookieUser",
"id": "e3ac5e6a-1946-4688-82a7-8a607133a1c8",
"email": "[email protected]",
"name": "earlypreview-auth0"
},
"notes": "",
"query": {
"raw_permissions": null,
"effective_permissions": null,
"source_node_types": {
"nodes": [
{
"node_type": "Principal",
"tags": [],
"conditions": [],
"condition_expression": null,
"node_id": "",
"excluded_tags": [],
"count_conditions": [],
"direct_relationship_only": false,
"node_type_grouping_constraint": null
}
],
"nodes_operator": "AND"
},
"required_intermediate_node_types": {
"nodes": [],
"nodes_operator": "AND"
},
"avoided_intermediate_node_types": {
"nodes": [],
"nodes_operator": "AND"
},
"destination_node_types": {
"nodes": [
{
"node_type": "AzureDataLakeFilesystem",
"tags": [],
"conditions": [],
"condition_expression": null,
"node_id": "",
"excluded_tags": [],
"count_conditions": [],
"direct_relationship_only": false,
"node_type_grouping_constraint": null
}
],
"nodes_operator": "AND"
},
"no_relation": false,
"snapshot_id": "1675900800",
"waypoint_node_types": null,
"path_summary_node_types": {
"nodes": [
{
"node_type": "AzureADGroup",
"tags": [],
"conditions": [],
"condition_expression": null,
"node_id": "",
"excluded_tags": [],
"count_conditions": [],
"direct_relationship_only": false,
"node_type_grouping_constraint": null
},
{
"node_type": "ActiveDirectoryGroup",
"tags": [],
"conditions": [],
"condition_expression": null,
"node_id": "",
"excluded_tags": [],
"count_conditions": [],
"direct_relationship_only": false,
"node_type_grouping_constraint": null
},
{
"node_type": "AzureRoleAssignment",
"tags": [],
"conditions": [],
"condition_expression": null,
"node_id": "",
"excluded_tags": [],
"count_conditions": [],
"direct_relationship_only": false,
"node_type_grouping_constraint": null
},
{
"node_type": "AzureAssignmentPermissions",
"tags": [],
"conditions": [],
"condition_expression": null,
"node_id": "",
"excluded_tags": [],
"count_conditions": [],
"direct_relationship_only": false,
"node_type_grouping_constraint": null
}
],
"nodes_operator": "AND"
},
"node_relationship_type": "CONFIGURED",
"include_all_source_tags_in_results": false,
"include_all_destination_tags_in_results": false,
"page_size": "0",
"page_token": ""
},
"creator": {
"user_type": "localCookieUser",
"id": "e3ac5e6a-1946-4688-82a7-8a607133a1c8",
"email": "[email protected]",
"name": "earlypreview-auth0"
},
"created_at": "2023-02-09T03:07:24.458473708Z"
}
]
}signed_off_state
string
N
Can be: NOT_SIGNED_OFF, SIGNED_OFF
reviewers
array
N
Contains Workflow User details for assigned reviewers
FIXED // The access was rejected but has been fixed
name
string
Y
Must match the name property on the local user or graph node.
cert_id
string
path
id of the certification to update
value
object
body
Mutable fields to update
result_id
int
Y
certification result number to update
decision
enum
N
The decision to apply to the result
notes
string
N
user_type
string
Y
Must be the same user_type as configured for the primary workflows Identity Provider. Typical values are OktaUser, CustomIDPUser, or AzureADUser.
id
string
Y
The user_identity_property set when configuring the workflows IdP is used to validate a Workflow Reviewer's identity. For an Okta user, this would be an id such as 00upa6s0hSGtl1eGL5d5. For a Custom IdP user, this will typically be the IdP users identity set within the OAA payload.
email
string
Y
Send an empty string " " to clear the current note
Must match the email property on the local user or graph node.
Manage custom help pages for Veza Access Reviews.
Use these operations to add and manage help pages for access reviewers, and customize pop-up messages when a review starts, or when rows are signed off.
POST
{veza_url}/api/preview/awf/help_page_templates
GET
{veza_url}/api/preview/awf/help_page_templates
Add custom help messages for reviewers by providing the plain text template_body, name, and an existing workflow_id and usage where the template will apply. All reviews (certifications) for the configuration (workflow) will use the new template.
The usage field determines how and when the help page will be visible to users. It must be one of the following values:
HELP_PAGE: Reviewers can access help pages from reviewer's interface by clicking the User Guide icon. The help page will also appear when viewing the review for the first time.
REVIEW_START: Opens when reviewers start a review.
SIGN_OFF: Opens whenever a row or multiple rows are signed off by a reviewer.
Only one help page can exist at a time for a given workflow and usage. You can manage global help pages by using 00000000-0000-0000-0000-000000000000 as the workflow_id. Global help pages for each usage will apply to all reviews for all configurations.
The template can use markdown and placeholders, for example:
See for more information about placeholders.
Example request:
Get all configured help page templates.
Example response:
Returns the current help page template for an existing workflow_id and usage.
The usage parameter must be specified. For the existing help page template, the usage value should be HELP_PAGE.
To retrieve the tenant-wide default template (if it was set), use an all-zero UUID (00000000-0000-0000-0000-000000000000) for the workflow_id.
Example request:
Returns the current template for a given certification id.
Example request:
Example response:
Permanently remove the help page template for a workflow_id and usage. It will no longer apply to reviews for using the configuration, specified by workflow_id.
The usage parameter must be specified. For the existing help page template, the usage value should be HELP_PAGE.
To clear the tenant-wide default template, use an all-zero UUID for the workflow_id: 00000000-0000-0000-0000-000000000000.
Example request:
PUT {{veza_url}}/api/preview/awf/help_page_templates
Update the help page for the specified workflow_id and usage:
To add a tenant-wide default template, use an all-zero UUID for the workflow_id: 00000000-0000-0000-0000-000000000000.
Updating a template now uses a plain text template_body, instead of a base64-encoded string.
Example request:
curl -X PUT '{{baseurl}}/api/preview/awf/certifications/{{cert_id}}/results' \
-H 'authorization: Bearer ' $TOKEN \
--data-raw '{"value": {"result_id": 0,"reviewers": [{"user_type": "CustomIDPUser", "id": "125", "email": "[email protected]", "name": "Valid Reviewer"}]}}'curl -X PUT '{{baseurl}}/api/preview/awf/certifications/f9123002-f056-491f-978f-f203bc9885ed/results' \
-H 'authorization: Bearer '$token \
--data-raw '{
"value": {
"result_id": 0,
"decision": "REJECTED",
"notes": "Over-privileged"
}
}'curl -X PUT '{{baseurl}}/api/preview/awf/certifications/{{cert_id}}/results' \
-H 'authorization: Bearer ' $TOKEN \
--data-raw '{"value": {"result_id": 0,"reviewers": [{"user_type": "CustomIDPUser", "id": "125", "email": "[email protected]", "name": "Valid Reviewer"}]}}'curl -X PUT '{{baseurl}}/api/preview/awf/certifications/{{cert_id}}/results' \
-H 'authorization: Bearer ' $TOKEN \
--data-raw '{"value": {"result_id": 0,"reviewers": [{"user_type": "localCookieUser", "id": "0ffcfbc7-6339-4aed-afa4-ff3bea505485", "email": "[email protected]", "name": "demo-auth0"}]}}'GET
{veza_url}/api/preview/awf/help_page_templates/{workflow_id}/{usage}
GET
{veza_url}/api/preview/awf/certification_help_page?certification_id={cert_id}
DELETE
{veza_url}/api/preview/awf/help_page_templates/{workflow_id}/{usage}
PUT
{veza_url}/api/preview/awf/help_page_templates
# Help for {{WORKFLOW_NAME}}
## Formatting
Formatting text in Markdown:
- *Italic text*
- **Bold text**
- `Code block`
- [Link text](https://example.com)
## Bullet Lists
Bullet lists in Markdown:
- Item 1
- Item 2
- Item 3
## Numbered Lists
Numbered lists in Markdown:
1. First item
2. Second item
3. Third item
## Placeholders
The following placeholders are available:
- {{WORKFLOW_NAME}}
- {{WORKFLOW_URL}}
- {{WORKFLOW_TIME}}
- {{WORKFLOW_OWNER}}
- {{WORKFLOW_DESCRIPTION}}
- {{WORKFLOW_CERT_STARTED_ON_DATE}}
- {{WORKFLOW_CERT_STARTED_ON_TIME}}
- {{WORKFLOW_CERT_CREATED_BY}}
- {{WORKFLOW_CERT_LAST_UPDATED_ON_DATE}}
- {{WORKFLOW_CERT_LAST_UPDATED_ON_TIME}}
- {{WORKFLOW_CERT_LAST_UPDATED_BY}}
- {{WORKFLOW_CERT_COMPLETED_ON_DATE}}
- {{WORKFLOW_CERT_COMPLETED_ON_TIME}}
- {{WORKFLOW_CERT_COMPLETED_BY}}
- {{WORKFLOW_CERT_LAST_ACTIVITY_ON_DATE}}
- {{WORKFLOW_CERT_LAST_ACTIVITY_ON_TIME}}
- {{WORKFLOW_CERT_LAST_ACTIVITY_BY}}
- {{WORKFLOW_CERT_DUE_ON_DATE}}
- {{WORKFLOW_CERT_REVIEWERS}}POST {{veza_url}}/api/preview/awf/help_page_templates{
"value": {
"workflow_id": "bc2b2daa-3508-4c0c-a0f2-8a2fb0ef59d9",
"name": "Review Help",
"template_body": "# {{WORKFLOW_NAME}} Review Guide\n\nWelcome to the {{WORKFLOW_NAME}} review process. Please follow the steps below:\n\n## Review Steps\n\n",
"usage": "HELP_PAGE"
}
}GET {{veza_url}}/api/preview/awf/help_page_templates{
"values": [
{
"workflow_id": "8c1772da-a7c3-4dc7-8b09-b900af011ee5",
"name": "Review Start Popup",
"usage": "REVIEW_START"
}
]
}GET {{veza_url}}/api/preview/awf/help_page_templates/{{workflow_id}}/{{usage}}GET {{veza_url}}/api/preview/awf/certification_help_page?certification_id={{cert_id}}{
"content": "# Help for Reviewers\n\n## Instructions:\n\n"
}DELETE {{veza_url}}/api/preview/awf/help_page_templates/{{workflow_id}}/{{usage}}{
"value": {
"name": "Global Sign Off Confirmation",
"template_body": "string",
"workflow_id": "00000000-0000-0000-0000-000000000000",
"usage": "SIGN_OFF"
}
}application/jsonOK
OK
application/jsonapplication/json{"value":{"diff_dropdown_behavior":"<integer>","accept_notes_behavior":"<integer>","reject_notes_behavior":"<integer>","approve_and_sign_off_button_behavior":"<integer>"}}OK
OK
application/jsonOK
OK
application/jsonapplication/json{"value":{"default_ordered_columns":["source.name","source.identity_unique_id","concrete_permissions","idp.on_premises_distinguished_name","idp.name","destination.name","destination.type","reviewers","notes","decision_by","decision_at","notification_status","automation_run_ids"]}}OK
OK
application/jsonOK
Internal Server Error
Enable or disable automatic review completion once all rows have decisions.
Enable or disable the "auto-complete" feature. When auto-complete is enabled, a review will automatically be completed once all rows have a signed-off decision, or a non-rejected signed-off decision, depending on the "Completion Allowed Settings."
Possible values are:
AUTO_COMPLETE_UNKNOWN
AUTO_COMPLETE_ENABLED
AUTO_COMPLETE_DISABLED
Auto-expire overdue reviews.
This setting is configurable on the Access Reviews > Settings page. Enable Auto-Expire overdue reviews to automatically expire reviews that aren't completed by the due date.
Enables or disable expiration of overdue reviews. By default, overdue reviews are not expired and remain available to reviewers. When expiration is enabled, the review will be "expired" when it becomes overdue. An expired review is read-only and is not shown to reviewers.
The value can be True or False.
Get pending and completed certifications for a workflow
Returns all certifications for an access workflow.
Parameters
Require data source status acknowledgement during review creation.
By default, when a review is created, a user can optionally view the status of the data sources involved in the review. This API allows the behavior to change, requiring that the data source status is shown to the user and acknowledged during review creation.
Possible values are:
DATASOURCE_ACKNOWLEDGEMENT_UNKNOWN
Configure what happens when reviews expire.
This setting is configurable on the Access Reviews > Settings page. Enable Reject incomplete rows to reject and sign off on undecided rows when a review expires.
This API allows you to change the behavior when a review expires (which can be enabled in Review Auto-Complete Settings). Depending on the behavior, incomplete rows can be auto-rejected when the review deadline passes.
Review expiration behavior can be configured globally, or for all reviews for a single Review Configuration, specified by workflow_id in the request.
Add suggested notes for reviewer decisions.
Configure predefined notes as menu options when reviewers approve or reject rows. This feature can be configured globally for all reviews or specifically for individual review configurations. When configured for a specific review configuration (using workflow_id), those settings override any global predefined notes.
The predefined notes appear as selectable options in the notes dialog when making decisions, suggesting standardized responses alongside free-form text entry.
The request body accepts:
GET /api/private/workflows/access/global_settings/ui_customization_settings HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*
PUT /api/private/workflows/access/global_settings/ui_customization_settings HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 171
{
"value": {
"diff_dropdown_behavior": "<integer>",
"accept_notes_behavior": "<integer>",
"reject_notes_behavior": "<integer>",
"approve_and_sign_off_button_behavior": "<integer>"
}
}GET /api/private/workflows/access/global_settings/ui_column_settings HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*
{
"value": {
"default_ordered_columns": [
"source.name",
"source.identity_unique_id",
"concrete_permissions",
"idp.on_premises_distinguished_name",
"idp.name",
"destination.name",
"destination.type",
"reviewers",
"notes",
"decision_by",
"decision_at",
"notification_status",
"automation_run_ids"
]
}
}PUT /api/private/workflows/access/global_settings/ui_column_settings HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 281
{
"value": {
"default_ordered_columns": [
"source.name",
"source.identity_unique_id",
"concrete_permissions",
"idp.on_premises_distinguished_name",
"idp.name",
"destination.name",
"destination.type",
"reviewers",
"notes",
"decision_by",
"decision_at",
"notification_status",
"automation_run_ids"
]
}
}GET /api/private/workflows/access/global_settings/ui_column_settings:list_all HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*
reject_notes: Array of predefined note options shown when rejecting rows
accept_notes: Array of predefined note options shown when approving rows
workflow_id: (Optional) Specific review configuration ID to override global settings
Example request body:
Retrieve the current predefined notes settings. Include the optional workflow_id query parameter to get settings for a specific review configuration.
Global Settings Request:
Configuration-Specific Request:
Example response:
Update the predefined notes settings globally or for a specific review configuration.
Configuration-Specific Request:
{
"value": {
"diff_dropdown_behavior": "ALWAYS_HIDE_FOR_ACCESS_REVIEWER_ROLE",
"accept_notes_behavior": "NO_POP_UP",
"reject_notes_behavior": "POP_UP_REQUIRED",
"approve_and_sign_off_button_behavior": "SHOW"
}
}{
"value": {
"diff_dropdown_behavior": "ALWAYS_HIDE_FOR_ACCESS_REVIEWER_ROLE",
"accept_notes_behavior": "NO_POP_UP",
"reject_notes_behavior": "POP_UP_REQUIRED",
"approve_and_sign_off_button_behavior": "SHOW"
}
}{
"value": {
"default_ordered_columns": [
"source.name",
"source.identity_unique_id",
"concrete_permissions",
"idp.on_premises_distinguished_name",
"idp.name",
"destination.name",
"destination.type",
"reviewers",
"notes",
"decision_by",
"decision_at",
"notification_status",
"automation_run_ids"
]
}
}{
"global_settings": {
"default_ordered_columns": [
"source.name",
"source.identity_unique_id",
"concrete_permissions",
"idp.on_premises_distinguished_name",
"idp.name",
"destination.name",
"destination.type",
"reviewers",
"notes",
"decision_by",
"decision_at",
"notification_status",
"automation_run_ids"
]
},
"workflow_settings": [
{
"workflow_id": "002063d2-7898-4183-b5fb-1192758fdec7",
"settings": {
"default_ordered_columns": [
"source.name",
"source.department",
"source.customprop_worker_status",
"source.tags",
"path_summary.name",
"concrete_permissions",
"destination.name",
"destination.type",
"destination.customprop_display_name",
"reviewers",
"notes"
]
}
},
{
"workflow_id": "84459ad9-3976-4f21-9d56-fa9c0694a8a7",
"settings": {
"default_ordered_columns": [
"source.aws_userid",
"source.name",
"source.identity_unique_id",
"concrete_permissions",
"destination.name",
"destination.type",
"reviewers",
"notes",
"decision_by",
"decision_at",
"notification_status",
"automation_run_ids"
]
}
}
]
}{
"value": {
"reject_notes": [
"Rotate now",
"Delete secret"
],
"accept_notes": []
},
"workflow_id": "8ae1c414-3a76-46cb-950a-925316b3f264" // Optional
}curl -L 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/predefined_decision_notes' \
-H 'Authorization: Bearer YOUR_API_KEY'curl -L 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/predefined_decision_notes?workflow_id=8ae1c414-3a76-46cb-950a-925316b3f264' \
-H 'Authorization: Bearer YOUR_API_KEY'{
"value": {
"reject_notes": [
"Rotate now",
"Delete secret"
],
"accept_notes": []
}
}curl -L -X PUT 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/predefined_decision_notes' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer YOUR_API_KEY' \
-d '{
"value": {
"reject_notes": [
"Rotate now",
"Delete secret"
],
"accept_notes": []
},
"workflow_id": "8ae1c414-3a76-46cb-950a-925316b3f264"
}'workflow_id
string
Y
Workflow to get certifications for
You can use List Workflows to retrieve all valid workflow IDs.
Request
Response
values will contain all workflow details. The response may be paginated:
has_more
bool
Indicates if additional results are available.
total_result_count
int
The total number of results.
values
AccessCertResult
Contains details for each certification (see ).
Sample response:
GET
{{base_url}}/api/preview/awf/certifications
DATASOURCE_ACKNOWLEDGEMENT_NOT_SHOWN = 1
DATASOURCE_ACKNOWLEDGEMENT_REQUIRED = 2
The request body must include a setting object with the following structure:
Where:
workflow_id (string, optional): Specific review configuration ID. If omitted, applies globally to all reviews.
setting.behavior (integer): The expiration behavior mode:
0 = DO_NOTHING: No action is made on incomplete rows (default)
1 = AUTO_REJECT_INCOMPLETE_RESULTS: Reject and sign-off any results that are incomplete when the review expires
setting.note_to_add (string, optional): Note to be added when auto-rejecting incomplete results
Example request:
Set default sort order for review rows.
Configure the default order in which review rows are displayed. Note: Users can later sort the rows as they prefer.
The order is specified using a SCIM "order by" expression. The default value is source.type asc.
Valid values include:
source.ATTR
destination.ATTR
waypoint.ATTR
idp.ATTR
Where ATTR is an attribute name such as "id" or "name".
Prevent users from being assigned as reviewers for rows that relate to their own access and permissions.
Enable or disable self-review prevention. When self-review prevention is enabled, users are prevented from being assigned as reviewers for rows that relate to their own access and permissions.
The value can be either an integer or string:
SELF_REVIEWER_CHECKING_DISABLED = 1 (or "SELF_REVIEWER_CHECKING_DISABLED" as string)
SELF_REVIEWER_CHECKING_ENABLED = 2 (or "SELF_REVIEWER_CHECKING_ENABLED" as string)
Example using string value:
Example using integer value:
Example cURL request:
Customize the requirements for completing a review.
An Admin or Operator user can complete a review by clicking the "Complete Review" button.
Once a review is marked as "completed," it becomes read-only and is no longer visible to reviewers. By default, a review can be completed when all rows have a signed-off decision.
This API allows you to modify this behavior, enabling a review to be completed at any time, or only when all rows are signed off with a non-rejected decision. The latter option is useful if your organization prefers to complete reviews only after all rejected access has been remediated.
Possible values are:
curl '{{VEZA_URL}}/api/preview/awf/certifications?workfow_id=17ce79c7-a2e6-4baf-87ff-f386764c9659' \
-H 'authorization: Bearer '$token{
"values": [
{
"certification_id": "b2562ef3-a4b3-4b30-8a45-1ba36f945d10",
"workflow_id": "b9dc2586-5f30-4462-b6be-53f62debc40f",
"query_used": {
"raw_permissions": null,
"effective_permissions": null,
"source_node_types": {
"nodes": [
{
"node_type": "GoogleWorkspaceUser",
"tags": [],
"conditions": [],
"condition_expression": null,
"node_id": "",
"excluded_tags": [],
"count_conditions": [],
"direct_relationship_only": false,
"node_type_grouping_constraint": null
}
],
"nodes_operator": "AND"
},
"required_intermediate_node_types": {
"nodes": [],
"nodes_operator": "AND"
},
"avoided_intermediate_node_types": {
"nodes": [],
"nodes_operator": "AND"
},
"destination_node_types": {
"nodes": [
{
"node_type": "GoogleCloudProject",
"tags": [],
"conditions": [],
"condition_expression": null,
"node_id": "",
"excluded_tags": [],
"count_conditions": [],
"direct_relationship_only": false,
"node_type_grouping_constraint": null
}
],
"nodes_operator": "AND"
},
"no_relation": false,
"snapshot_id": "1690354800",
"waypoint_node_types": {
"nodes": [
{
"node_type": "GoogleCloudIamRoleBinding",
"tags": [],
"conditions": [],
"condition_expression": null,
"node_id": "",
"excluded_tags": [],
"count_conditions": [],
"direct_relationship_only": false,
"node_type_grouping_constraint": null
}
],
"nodes_operator": "AND"
},
"path_summary_node_types": null,
"node_relationship_type": "CONFIGURED",
"include_all_source_tags_in_results": true,
"include_all_destination_tags_in_results": false,
"page_size": "0",
"page_token": ""
},
"name": "demo",
"notes": "",
"due_date": "2023-07-30T03:44:00Z",
"reviewers": [],
"state": "IN_PROGRESS",
"snapshot_time": "2023-07-26T07:00:00Z",
"started_at": "2023-07-27T03:44:27.260812616Z",
"query_completed_at": "2023-07-27T03:44:31.410373279Z",
"completed_at": null,
"created_by": {
"user_type": "localCookieUser",
"id": "e3ac5e6a-1946-4688-82a7-8a607133a1c8",
"email": "[email protected]",
"name": "earlypreview-auth0"
},
"completed_by": null,
"results_updated_at": "2023-07-27T03:44:31.410373665Z",
"results_updated_by": {
"user_type": "localCookieUser",
"id": "e3ac5e6a-1946-4688-82a7-8a607133a1c8",
"email": "[email protected]",
"name": "earlypreview-auth0"
},
"updated_at": "2023-07-27T03:44:31.410413829Z",
"updated_by": {
"user_type": "localCookieUser",
"id": "e3ac5e6a-1946-4688-82a7-8a607133a1c8",
"email": "[email protected]",
"name": "earlypreview-auth0"
},
"error_reason": "",
"expired_at": null,
"version": 1,
"total_result_count": 2433,
"total_complete_count": 0,
"total_rejected_count": 0,
"total_accepted_count": 0,
"total_fixed_count": 0
}
]
}{
"workflow_id": "string",
"setting": {
"behavior": 0,
"note_to_add": "string"
}
}{
"workflow_id": "string",
"setting": {
"behavior": 1,
"note_to_add": "Rejected incomplete result due to review expiration."
}
}{
"value": "AUTO_COMPLETE_DISABLED"
}application/jsonOK
OK
application/jsonapplication/json{"value":"<integer>"}OK
OK
application/jsonOK
OK
application/jsonapplication/json{"value":"<boolean>"}OK
OK
COMPLETION_ALLOWED_UNKNOWN = 0
COMPLETION_ALLOWED_ALL_ROWS_HAVE_DECISION = 1 (Review can be completed only when all result rows have a decision)
COMPLETION_ALLOWED_ANYTIME = 2 (Review can be completed any time)
{
"value": "COMPLETION_ALLOWED_ALL_ROWS_HAVE_DECISION"
}application/jsonOK
OK
application/jsonapplication/json{"value":"<integer>"}OK
<string>application/jsonOK
OK
application/jsonapplication/jsonOptional workflow ID for configuration-specific settings
OK
Configure default grouping behavior for review rows to organize data by column values.
Configure default grouping behavior for access review rows. When enabled, review rows are automatically organized by the specified column values, making it easier for reviewers to process large datasets by grouping related items together.
The setting allows admins to configure a default group by column and collapsed/expanded behavior, either globally or per-workflow.
API operations for customizing the behavior and functionality of Veza Access Reviews.
These endpoints can be called by providing a Veza admin user API key. See to generate a bearer token for use in requests. Note that API operations in the private namespace are subject to change as features are added or modified.
Use these APIs to configure for Veza Access Reviews.
The settings that can be configured by a Veza administrator are:
Define filter-based actions that reviewers can apply to certifications results with a matching attribute or status.
Reviewers can view and apply custom actions from the Review interface by clicking Smart Action > Prepared Actions.
Bearer token authentication using a Veza Personal API key.
Header Format: Authorization: Bearer <your-api-key>
Creating an API Key:
Bearer token authentication using a Veza Personal API key.
Header Format: Authorization: Bearer <your-api-key>
Creating an API Key:
GET /api/private/workflows/access/global_settings/cert_auto_complete_settings HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*
PUT /api/private/workflows/access/global_settings/cert_auto_complete_settings HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 21
{
"value": "<integer>"
}GET /api/private/workflows/access/global_settings/expire_overdue_certifications HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*
PUT /api/private/workflows/access/global_settings/expire_overdue_certifications HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 21
{
"value": "<boolean>"
}{
"value": {
"order_by": "destination.name desc"
}
}{
"value": "SELF_REVIEWER_CHECKING_DISABLED"
}{
"value": 1
}curl -L -X PUT 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/self_reviewer_settings' \
-H 'Authorization: Bearer YOUR_SECRET_TOKEN' \
-H 'Content-Type: application/json' \
-d '{
"value": 1
}'OK
OK
workflow_id
string
No
body
The workflow ID to apply the setting to
value.group_by_column
string
Yes
body
The column to group rows by (e.g. destination.veza_unique_name, source.veza_unique_name, status, risk_level). Must be a valid column name (same as in CreateAccessResultsGroupCollection). If empty or unset, grouping is disabled.
value.expand_groups_by_default
bool
Yes
body
When set to true, row groups will be expanded by default when the review loads; if false, they'll be collapsed. This flag is ignored when group_by_column is empty.
GET /api/private/workflows/access/global_settings/rows_group_by_setting
PUT /api/private/workflows/access/global_settings/rows_group_by_setting
destination.veza_unique_name - Group by resource name
source.veza_unique_name - Group by identity name
status - Group by review status
risk_level - Group by risk level
destination.type - Group by resource type
decision - Group by decision status
Review Completion Settings: Enable review completion at any time, or only when all rows are signed off with a non-rejected decision.
Data Source Acknowledgement: Require review creators to view and acknowledge the data source status shown at review creation.
Expire Overdue Reviews: Enable or disable expiration of overdue reviews.
Review Expiration Behavior: Reject and sign off incomplete rows when a review expires.
Self Review Prevention: Prevent users from being assigned as reviewers for rows that relate to their own access and permissions.
Review Column Defaults: Configure default columns which reviewers will see when they open a review.
Review UI Customizations: Set whether notes are required when approving or rejecting access.
Review Sort Order: Set the default sort order and sorting column when opening a review.
Predefined Decision Notes: Add suggested notes as menu options when reviewers approve or reject rows.
Review Row Grouping: Configure default grouping behavior for review rows to organize data by column values.
Outlier Detection: Configure outlier detection to identify anomalous access patterns by comparing users to peer groups (Early Access, API-only).
Reviewer Export Settings: Control whether reviewers can export review data to CSV or PDF formats.
For each endpoint, a GET request returns the current setting, and a PUT request updates the setting. Use your unique Veza URL and API key (see Authentication) in your request, for example:
Use the Postman collection as an alternative to cURL commands for testing and configuring Veza Access Reviews global settings:
To import the collection into Postman:
Download the collection file to your computer
Drag and drop the .json file directly into the Postman interface
The collection is automatically imported and appears in your Collections tab
Before using the collection, configure these required variables on the Variables tab:
baseUrl
Your Veza instance URL
https://your-organization.vezacloud.com
apiToken
Veza admin user API key
mZ1eqKMACtP...
Workflow ID
Specific review configuration ID (optional)
8ae1c414-3a76-46cb-950a-925316b3f264
The collection uses Bearer token authentication. Your apiToken variable automatically populates the Authorization header for all requests.
Important: Use HTTPS (not HTTP) for your baseUrl to avoid redirect issues that can drop request bodies in PUT/POST operations.
{
"value": "AUTO_COMPLETE_DISABLED"
}{
"value": "AUTO_COMPLETE_DISABLED"
}{
"value": false
}{
"value": false
}{
"value": "DATASOURCE_ACKNOWLEDGEMENT_REQUIRED"
}GET /api/private/workflows/access/global_settings/datasource_acknowledgement HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*
PUT /api/private/workflows/access/global_settings/datasource_acknowledgement HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 21
{
"value": "<integer>"
}{
"value": "DATASOURCE_ACKNOWLEDGEMENT_REQUIRED"
}{
"value": "AUTO_REJECT_INCOMPLETE_RESULTS",
"setting": {
"behavior": 1,
"note_to_add": "Rejected incomplete result due to review expiration."
}
}GET /api/private/workflows/access/global_settings/review_expiration_behavior HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*
PUT /api/private/workflows/access/global_settings/review_expiration_behavior HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 118
{
"workflow_id": "string",
"setting": {
"behavior": 1,
"note_to_add": "Rejected incomplete result due to review expiration."
}
}{
"value": "AUTO_REJECT_INCOMPLETE_RESULTS",
"setting": {
"behavior": 0,
"note_to_add": "Rejected incomplete result due to review expiration."
}
}curl 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/rows_group_by_setting' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer YOUR_BEARER_TOKEN'curl 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/rows_group_by_setting?workflow_id=01983256-911c-7906-9d75-d69871c877fd' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer YOUR_BEARER_TOKEN'{
"value": {
"group_by_column": "status",
"expand_groups_by_default": true
}
}curl -X PUT 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/rows_group_by_setting' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer YOUR_BEARER_TOKEN' \
-d '{
"value": {
"group_by_column": "destination.veza_unique_name",
"expand_groups_by_default": false
}
}'curl -X PUT 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/rows_group_by_setting' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer YOUR_BEARER_TOKEN' \
-d '{
"workflow_id": "01983256-911c-7906-9d75-d69871c877fd",
"value": {
"group_by_column": "destination.veza_unique_name",
"expand_groups_by_default": false
}
}'{} // Empty on successcurl -X PUT 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/cert_completion_settings' \
-H 'authorization: Bearer mZ1eqKMACtP...' \
-d '{"value": "AUTO_COMPLETE_DISABLED"}'application/jsonOK
OK
application/jsonapplication/json{"value":{"order_by":"<string>"}}OK
OK
application/jsonOK
OK
application/jsonapplication/json1 = SELF_REVIEWER_CHECKING_DISABLED, 2 = SELF_REVIEWER_CHECKING_ENABLED
String values for self-review prevention settings
OK
OK
Create a smart action definition, globally or for a single Workflow.
A certification result includes all source and destination node properties discovered or added by Veza. You can specify a SCIM filter to select the results to affect, for example:
Example request:
The filter can apply to any source or destination node property.
When apply_to_all_rows is true and no other filter criteria is specified, the action will run on all certification results.
Mutable fields contain result attributes that are not sourced from Access Graph metadata. Use mutable_fields to apply changes to a result, and mutable_filter to filter results based on decision or sign-off state:
decision
One of: "RESULT_DECISION_UNKNOWN" "RESULT_DECISION_NONE" "RESULT_DECISION_ACCEPTED" "RESULT_DECISION_REJECTED" "RESULT_DECISION_FIXED"
notes
string
signed_off_state
One of: "UNKNOWN" "NOT_SIGNED_OFF" "SIGNED_OFF"
Delete a prepared action by definition id.
Returns an array of smart action definitions. By default, this endpoint lists all definitions. If a workflow_id is specified, only definitions for that workflow are included in the response.
Alter a smart action definition by specifying the id and an array of values to change.
OK
Default error response
OK
Default error response
application/jsonOK
OK
application/jsonapplication/json{"value":"<integer>"}OK
GET /api/private/workflows/access/global_settings/view_sort_settings HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*
{
"value": {
"order_by": "source.type asc"
}
}PUT /api/private/workflows/access/global_settings/view_sort_settings HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 33
{
"value": {
"order_by": "<string>"
}
}GET /api/private/workflows/access/global_settings/self_reviewer_settings HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*
PUT /api/private/workflows/access/global_settings/self_reviewer_settings HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 11
{
"value": 1
}curl -X POST "https://{{veza_url}}/api/preview/awf/smart_action_definitions" \
-H 'authorization: Bearer {{access_token}}' \
-d '{
"apply_to_all_rows": "false",
"description": "Reject users where the user `is active` value is not `true`",
"filter": "source.is_active ne \"true\"",
"mutable_fields": {
"decision": "RESULT_DECISION_REJECTED"
},
"mutable_filter": "",
"name": "Reject inactive users",
"workflow_id": ""
}'{
"apply_to_all_rows": "false",
"description": "Sign off on all rejected rows",
"filter": "",
"mutable_fields": {
"signed_off_state": "SIGNED_OFF"
},
"mutable_filter": "decision eq \"RESULT_DECISION_REJECTED\"",
"name": "Sign off rejected rows",
"workflow_id": ""
}GET /api/private/workflows/access/global_settings/allow_reviewer_exports HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*
PUT /api/private/workflows/access/global_settings/allow_reviewer_exports HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 108
{
"value": {
"allow_csv_exports": true,
"allow_pdf_exports": true,
"allow_xlsx_exports": true
},
"workflow_id": "text"
}OK
{
"value": {
"order_by": "source.type asc"
}
}{
"value": "SELF_REVIEWER_CHECKING_DISABLED"
}{
"value": "SELF_REVIEWER_CHECKING_DISABLED"
}{
"value": {
"allow_csv_exports": true,
"allow_pdf_exports": true,
"allow_xlsx_exports": true
},
"workflow_id": "text"
}{}{
"value": "COMPLETION_ALLOWED_ALL_ROWS_HAVE_DECISION"
}GET /api/private/workflows/access/global_settings/cert_completion_settings HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*
PUT /api/private/workflows/access/global_settings/cert_completion_settings HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 21
{
"value": "<integer>"
}{
"value": "COMPLETION_ALLOWED_ALL_ROWS_HAVE_DECISION"
}Bearer token authentication using a Veza Personal API key.
Header Format: Authorization: Bearer <your-api-key>
Creating an API Key:
empty workflow_id would mean that the smartAction can be used for any workflowId
OK
Default error response
Bearer token authentication using a Veza Personal API key.
Header Format: Authorization: Bearer <your-api-key>
Creating an API Key:
OK
Default error response
Bearer token authentication using a Veza Personal API key.
Header Format: Authorization: Bearer <your-api-key>
Creating an API Key:
If no value is passed for workflow_id, all smart actions will be returned. If workflow_id is not "", smart actions with a matching workflow_id or with an empty workflow_id will be returned.
OK
Default error response
Bearer token authentication using a Veza Personal API key.
Header Format: Authorization: Bearer <your-api-key>
Creating an API Key:
OK
Default error response
{
"id": "text"
}{
"values": [
{
"id": "text",
"description": "text",
"name": "text",
"workflow_id": "text",
"filter": "text",
"mutable_fields": {
"decision": 1,
"notes": "text",
"updated_at": "2025-12-23T12:22:28.658Z",
"updated_by": {
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
},
"notification_infos": {
"values": [
{
"notification_type": 1,
"webhook_type": 1,
"status": 1,
"error_message": "text",
"updated_at": "2025-12-23T12:22:28.658Z",
"snow_info": {
"ticket_number": "text",
"sys_id": "text"
},
"webhook_info": {
"info": "text"
},
"jira_info": {
"keys": [
"text"
]
},
"slack_app_info": {}
}
]
},
"notification_status": 1,
"reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
}
],
"signed_off_state": 1,
"signed_off_at": "2025-12-23T12:22:28.658Z",
"signed_off_by": {
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
},
"action_log": {
"entries": [
{
"action": 1,
"user": {
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
},
"time": "2025-12-23T12:22:28.658Z",
"note": "text",
"reviewer_detail": {
"old_reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
}
],
"new_reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
}
]
},
"decision_detail": {
"decision": 1,
"note": "text"
},
"decision_cleared_detail": {
"previous_decision": 1,
"original_decider": {
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
},
"reason": 1
},
"approval_level": 1
}
]
},
"reviewer_assignment": {
"users_manager": true,
"resource_managers": true,
"reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
}
],
"fallback_reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
}
],
"reviewers_managers_for_approval_levels": [
1
]
},
"automation_run_ids": [
"text"
],
"decision_by": {
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
},
"decision_at": "2025-12-23T12:22:28.658Z",
"revoke_request_infos": [
{
"id": "text",
"state": 1,
"error_message": "text"
}
],
"old_reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
}
],
"predefined_question_response": [
{
"question_id": "text",
"answer_id": "text",
"answer_text": "text",
"respondent_user": {
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
},
"responded_at": "2025-12-23T12:22:28.658Z"
}
],
"is_assigned_to_current_user": true
},
"mutable_filter": "text",
"apply_to_all_rows": true
}
]
}{}POST /api/preview/awf/smart_action_definitions HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 2335
{
"name": "text",
"description": "text",
"workflow_id": "text",
"filter": "text",
"mutable_fields": {
"decision": 1,
"notes": "text",
"updated_at": "2025-12-23T12:22:28.658Z",
"updated_by": {
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
},
"notification_infos": {
"values": [
{
"notification_type": 1,
"webhook_type": 1,
"status": 1,
"error_message": "text",
"updated_at": "2025-12-23T12:22:28.658Z",
"snow_info": {
"ticket_number": "text",
"sys_id": "text"
},
"webhook_info": {
"info": "text"
},
"jira_info": {
"keys": [
"text"
]
},
"slack_app_info": {}
}
]
},
"notification_status": 1,
"reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
}
],
"signed_off_state": 1,
"signed_off_at": "2025-12-23T12:22:28.658Z",
"signed_off_by": {
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
},
"action_log": {
"entries": [
{
"action": 1,
"user": {
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
},
"time": "2025-12-23T12:22:28.658Z",
"note": "text",
"reviewer_detail": {
"old_reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
}
],
"new_reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
}
]
},
"decision_detail": {
"decision": 1,
"note": "text"
},
"decision_cleared_detail": {
"previous_decision": 1,
"original_decider": {
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
},
"reason": 1
},
"approval_level": 1
}
]
},
"reviewer_assignment": {
"users_manager": true,
"resource_managers": true,
"reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
}
],
"fallback_reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
}
],
"reviewers_managers_for_approval_levels": [
1
]
},
"automation_run_ids": [
"text"
],
"decision_by": {
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
},
"decision_at": "2025-12-23T12:22:28.658Z",
"revoke_request_infos": [
{
"id": "text",
"state": 1,
"error_message": "text"
}
],
"old_reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
}
],
"predefined_question_response": [
{
"question_id": "text",
"answer_id": "text",
"answer_text": "text"
}
],
"is_assigned_to_current_user": true
},
"mutable_filter": "text",
"apply_to_all_rows": true
}DELETE /api/preview/awf/smart_action_definitions/{id} HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*
{}GET /api/preview/awf/smart_action_definitions HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*
PUT /api/preview/awf/smart_action_definitions HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 2357
{
"value": {
"id": "text",
"description": "text",
"name": "text",
"workflow_id": "text",
"filter": "text",
"mutable_fields": {
"decision": 1,
"notes": "text",
"updated_at": "2025-12-23T12:22:28.658Z",
"updated_by": {
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
},
"notification_infos": {
"values": [
{
"notification_type": 1,
"webhook_type": 1,
"status": 1,
"error_message": "text",
"updated_at": "2025-12-23T12:22:28.658Z",
"snow_info": {
"ticket_number": "text",
"sys_id": "text"
},
"webhook_info": {
"info": "text"
},
"jira_info": {
"keys": [
"text"
]
},
"slack_app_info": {}
}
]
},
"notification_status": 1,
"reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
}
],
"signed_off_state": 1,
"signed_off_at": "2025-12-23T12:22:28.658Z",
"signed_off_by": {
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
},
"action_log": {
"entries": [
{
"action": 1,
"user": {
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
},
"time": "2025-12-23T12:22:28.658Z",
"note": "text",
"reviewer_detail": {
"old_reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
}
],
"new_reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
}
]
},
"decision_detail": {
"decision": 1,
"note": "text"
},
"decision_cleared_detail": {
"previous_decision": 1,
"original_decider": {
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
},
"reason": 1
},
"approval_level": 1
}
]
},
"reviewer_assignment": {
"users_manager": true,
"resource_managers": true,
"reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
}
],
"fallback_reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
}
],
"reviewers_managers_for_approval_levels": [
1
]
},
"automation_run_ids": [
"text"
],
"decision_by": {
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
},
"decision_at": "2025-12-23T12:22:28.658Z",
"revoke_request_infos": [
{
"id": "text",
"state": 1,
"error_message": "text"
}
],
"old_reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
}
],
"predefined_question_response": [
{
"question_id": "text",
"answer_id": "text",
"answer_text": "text"
}
],
"is_assigned_to_current_user": true
},
"mutable_filter": "text",
"apply_to_all_rows": true
}
}Detailed graph relationships for certification results
GET
/api/preview/awf/access_graph
Returns Access Graph relationships for a certification result, including intermediate role details and accumulated permissions.
Parameters
Omit snapshot_id to get the most recent access graph. Specify the snapshot_id of the original certification to show relationships at the time of certification.
Request
Response
The out_edges of each node will contain the IDs of other directly connected nodes. For example, if "OktaUser" is connected to two "OktaGroup" nodes G1 and G2, the user's out-edges will be [{G1}, {G2}]. The node id for each connected node will be included in the response, as well as the status of the relevant data sources, for example:
certification_id
string
ID of a workflow certification
Y
result_id
int
Certification result number to get access for
Y
snapshot_id
string
Graph snapshot to get results from
N
curl 'https://{{VezaURL}}/api/preview/awf/access_graph' \
-H 'authorization: Bearer '$TOKEN \
-G -d 'certification_id=abe5c346-84ad-49b0-bafc-614a8365c883' \
-d 'result_id=1'{
"nodes": [
{
"properties": {
"id": "arn:aws:iam::973979857296:role/FederatedS3",
"name": "FederatedS3",
"type": "AwsIamRole"
},
"out_edges": [
{
"destination_node_id": "arn:aws:iam::973979857296:role/FederatedS3::eperm::877042069677/S3Bucket/2ce2cbf45bcc5d748c800358d9932a251d670509"
}
]
},
{
"properties": {
"id": "0bba9374-d4f5-4c77-93d2-7dfde581fa8a",
"name": "Abel_Maclead",
"type": "AzureADUser"
},
"out_edges": [
{
"destination_node_id": "arn:aws:iam::973979857296:role/FederatedS3"
}
]
},
{
"properties": {
"id": "arn:aws:iam::973979857296:role/FederatedS3::eperm::877042069677/S3Bucket/2ce2cbf45bcc5d748c800358d9932a251d670509",
"name": "Read",
"type": "AwsIamEffectivePermission"
},
"out_edges": [
{
"destination_node_id": "arn:aws:s3:::cct-cct02-finance"
}
]
},
{
"properties": {
"id": "arn:aws:s3:::cct-cct02-finance",
"name": "cct-cct02-finance",
"type": "S3Bucket"
},
"out_edges": []
}
],
"accumulated_effective_permissions": [
"Read"
],
"accumulated_raw_permissions": [
"s3:GetObject"
],
"datasource_infos": [
{
"datasource_id": "160e97cf-4b8a-4841-800b-49f8d6fa17ef",
"external_id": "160e97cf-4b8a-4841-800b-49f8d6fa17ef",
"name": "",
"last_sync_time": "2022-09-12T22:15:34.874682421Z",
"agent_type": "",
"has_error": false,
"is_deleted": false,
"reason": "",
"last_error_message": "",
"has_warning": false
},
{
"datasource_id": "",
"external_id": "",
"name": "",
"last_sync_time": "2022-09-12T22:09:47.245436023Z",
"agent_type": "",
"has_error": false,
"is_deleted": false,
"reason": "",
"last_error_message": "",
"has_warning": false
}
]
}Get, create, update, delete, and attach Intelligent Automations.
Use these operations to manage Access Review Automations and associate them with individual workflows.
Automations apply changes (such as approve, sign-off, add a note, or apply visual indicators) to Certification rows based on historical certification data, or a filter on the current results. They can run by default or on an opt-in basis when a certification is created.
For more information about this feature see Intelligent Automations.
You will need an API token with root team or administrator permissions to manage Automations.
The following rules apply when an Automation run encounters an issue:
If Automation processing fails for any result, the Automation run stops and no further Automations are applied.
When Automations fail, the Certification is still considered complete and non-errored. The Automation run will have an error status and message.
Results are considered the same when the entities and relationships are exactly equal (including data source IDs). If a conflict occurs with Automations trying to change the same mutable field:
Each change must update the field to the same value. The action log entry will contain notes (if supplied) for each action.
Automations changing a field to differing values are unresolvable conflicts and skipped, but will not interrupt the Automation run.
An Automation consists of attachment_behavior rules, filter criteria, and an action to apply:
Each Automation object has the fields:
id (String): Unique identifier for the Automation.
name (String): Name of the Automation.
description (String): A brief description of the Automation.
attachment_behavior (Object)Defines if the Automation is available for all workflows, and whether it is optional:
attach_to_new_workflows (Boolean): Indicates whether to automatically attach to new and existing workflows.
opt_in (Boolean): If true Operators can pick the automation when creating a Workflow. If false the automation is enabled by default.
criteria (Object)Specifies filters for conditionally updating results:
filter (String): A SCIM filter specifying a source or destination attribute with support for complex expressions using AND, OR, and parentheses for grouping. Examples:
Simple filter: source.is_active eq false
Complex filter: (source.name sw "A" OR source.name sw "B") AND destination.is_active eq true
Similarly to Smart Actions, Automations can update results based on a source or destination attribute (such as activity status). Filters use the syntax source.attribute or destination.attribute.
Mutable filters in Automations use the syntax previous.decision, previous.notes and previous.signed_off_state to refer to historical row data. The possible values are:
decision:
"RESULT_DECISION_UNKNOWN"
"RESULT_DECISION_NONE"
action (Object)Action the Automation will apply to matching results:
decision (String): Decision code for the action.
signed_off_state (String): Sign off state code.
notes (String): Notes the automation will apply.
Note: When using display_style actions, you cannot set decision, signed_off_state, notes, or reviewer_assignment fields.
Possible decisions and numeric codes are:
UNKNOWN (0)
NONE (1)
ACCEPTED (2
Signed Off State can be:
UNKNOWN_SIGNED_OFF = 0;
NOT_SIGNED_OFF = 1;
SIGNED_OFF = 2;
reviewer_assignment (Object)The preview API does not currently support Reviewer assignment.
Use the endpoints documented below to create and manage automations:
Endpoint: /api/preview/awf/automations
Method: GET
Description: Returns all Automations and configuration details.
Returns all in a values array.
Endpoint: /api/preview/awf/automations
Method: PUT
Description: Updates an existing Automation. The full Automation object is required.
Endpoint: /api/preview/awf/automations
Method: POST
Description: Creates a new Automation.
Endpoint: /api/preview/awf/automations/{id}
Method: GET
Description: Get details for a single Automation by ID.
Endpoint: /api/preview/awf/automations/{id}
Method: DELETE
Description: Deletes a specific Automation by its ID.
Endpoint: /api/preview/awf/automations:attach
Method: POST
Description: Enable an Automation for a specific workflow, or all workflows.
Attach one or all Automations to a single workflow by specifying the:
id (String): Single Automation ID.
workflow_id (String): ID of the workflow to associate Automations with.
all (boolean): If True, attaches all existing Automations to the Workflow.
Endpoint: /api/preview/awf/automations:attached/{workflow_id}
Method: GET
Description: Returns all Automations eligible to run on Certifications for a given Workflow id.
Endpoint: /api/preview/awf/automations:detach
Method: POST
Description: Detach one or all Automations from an Access Review Workflow.
{
"id": "e48dd2c8-3633-463b-a477-0177a942b5a6",
"name": "Highlight inactive sources",
"description": "Highlight rows where the source account is inactive",
"priority": 0,
"attachment_behavior": {
"attach_to_new_workflows": true,
"opt_in": true
},
"criteria": {
"filter": "source.is_active eq false",
"mutable_filter": ""
},
"action": {
"display_style": "HIGHLIGHT",
"display_text": "Source account is inactive"
}
}{
"id": "f59ee3d9-4744-574c-b588-1288b0942c7c",
"name": "Reject privileged account access",
"description": "Suggest reject for admin or root accounts",
"priority": 0,
"attachment_behavior": {
"attach_to_new_workflows": true,
"opt_in": true
},
"criteria": {
"filter": "(destination.name eq \"admin\") OR (source.name eq \"root\")",
"mutable_filter": ""
},
"action": {
"display_style": "SUGGEST_REJECT",
"display_text": "Privileged account detected - review carefully"
}
}priority (Integer): Priority value of the Automation (not currently supported).
mutable_filter (String): A filter on a previous result mutable field using the syntax previous.attribute. Example: "previous.decision eq "RESULT_DECISION_ACCEPTED""
"RESULT_DECISION_REJECTED"
"RESULT_DECISION_FIXED"
notes: string
signed_off_state:
"UNKNOWN"
"NOT_SIGNED_OFF"
"SIGNED_OFF"
display_style (String): Visual indicator to apply to matching rows:HIGHLIGHT: Highlight the row
SUGGEST_ACCEPT: Mark the row as suggested for acceptance
SUGGEST_REJECT: Mark the row as suggested for rejection
display_text (String): Custom message to show when display_style is set
REJECTED (3)
FIXED (4)
opt_in (boolean): If False the Automation can be selected when creating a certification. Otherwise, operators can enable it when creating certifications.
Bearer token authentication using a Veza Personal API key.
Header Format: Authorization: Bearer <your-api-key>
Creating an API Key:
OK
Default error response
Bearer token authentication using a Veza Personal API key.
Header Format: Authorization: Bearer <your-api-key>
Creating an API Key:
Bearer token authentication using a Veza Personal API key.
Header Format: Authorization: Bearer <your-api-key>
Creating an API Key:
Bearer token authentication using a Veza Personal API key.
Header Format: Authorization: Bearer <your-api-key>
Creating an API Key:
Bearer token authentication using a Veza Personal API key.
Header Format: Authorization: Bearer <your-api-key>
Creating an API Key:
Bearer token authentication using a Veza Personal API key.
Header Format: Authorization: Bearer <your-api-key>
Creating an API Key:
Bearer token authentication using a Veza Personal API key.
Header Format: Authorization: Bearer <your-api-key>
Creating an API Key:
Bearer token authentication using a Veza Personal API key.
Header Format: Authorization: Bearer <your-api-key>
Creating an API Key:
Get results for workflow certifications
Returns the results of the certification query, including any special properties, decisions, and notes.
GET
{{base_url}}/api/preview/awf/certifications/{certification_id}/results
Parameters
Request
Provide the UUID of the certification to get results. You can page through responses by providing a starting result number, and setting the maximum results to return.
Response
Each row in a certification describes an identity and resource entity pair, connected by a set of concrete and abstract permissions. Responses can be partial, depending on the page_size. You can get the next set of results by requesting a valid next_page_token as the page_token.
See for more details on the Certification Result object.
{
"id": "string",
"name": "string",
"description": "string",
"priority": 0,
"attachment_behavior": {
"attach_to_new_workflows": boolean,
"opt_in": boolean
},
"criteria": {
"filter": "string",
"mutable_filter": "string"
},
"action": {
// For modification actions:
"decision": "string",
"signed_off_state": "string",
"notes": "string",
"reviewer_assignment": null,
// OR for display actions:
"display_style": "string",
"display_text": "string"
}
}certification_id
string
Y
Certification id
page_token
int
N
next_page_token to list results from
page_size
int
N
Max results to return per page (default 100, minimum 1, maximum 2,000)
paginate_direction_backwards
boolean
N
When true, use reverse order from the last page of results
curl '{{VEZA_URL}}/api/preview/awf/certifications/f9123002-f056-491f-978f-f203bc9885ed/results?page_token=0&page_size=1' \
-H 'authorization: Bearer '$token{
"values": [
{
"result_id": 0,
"source": {
"aliases": [],
"created_at": "2023-05-03T14:25:43Z",
"datasource_id": "datasource:google_cloud_workspace",
"email_addresses": [
"[email protected]",
"[email protected]",
"[email protected]"
],
"full_admin": false,
"google_cloud_organization_name": "organizations/123456789012",
"guest": false,
"id": "datasource:112655590859538682841",
"idp_unique_id": "[email protected]",
"is_active": true,
"last_login_at": "2023-05-10T15:25:04Z",
"location_areas": [],
"mfa_enabled": false,
"name": "[email protected]",
"organization_names": [],
"provider_id": "datasource",
"suspended": false,
"type": "GoogleWorkspaceUser"
},
"destination": {
"created_at": "2021-11-01T14:23:35Z",
"datasource_id": "datasource:google_cloud_iam",
"google_cloud_organization_name": "organizations/123456789012",
"id": "projects/743979515322",
"name": "Dev GCP Project",
"parent_id": "organizations/123456789012",
"project_id": "striped-graph-330814",
"provider_id": "datasource",
"type": "GoogleCloudProject",
"updated_at": "2022-04-07T22:08:48Z"
},
"accumulated_effective_permissions": [],
"accumulated_raw_permissions": [
"bigquery.datasets.get",
"bigquery.datasets.getIamPolicy",
"bigquery.tables.get",
"bigquery.tables.getIamPolicy",
"bigquery.tables.list",
"iam.roles.get",
"iam.roles.list",
"iam.serviceAccounts.create",
"iam.serviceAccounts.list",
"resourcemanager.folders.create",
"resourcemanager.folders.delete",
"resourcemanager.folders.get",
"resourcemanager.folders.getIamPolicy",
"resourcemanager.folders.list",
"resourcemanager.folders.move",
"resourcemanager.folders.setIamPolicy",
"resourcemanager.folders.undelete",
"resourcemanager.organizations.get",
"resourcemanager.organizations.getIamPolicy",
"resourcemanager.organizations.setIamPolicy",
"resourcemanager.projects.create",
"resourcemanager.projects.delete",
"resourcemanager.projects.get",
"resourcemanager.projects.getIamPolicy",
"resourcemanager.projects.list",
"resourcemanager.projects.move",
"resourcemanager.projects.setIamPolicy",
"resourcemanager.projects.update",
"storage.buckets.create",
"storage.buckets.createTagBinding",
"storage.buckets.delete",
"storage.buckets.deleteTagBinding",
"storage.buckets.get",
"storage.buckets.getIamPolicy",
"storage.buckets.list",
"storage.buckets.listTagBindings",
"storage.buckets.setIamPolicy",
"storage.buckets.update"
],
"updated_at": null,
"updated_by": null,
"signed_off_at": null,
"signed_off_by": null,
"notification_response_infos": [],
"notification_status": "UNKNOWN",
"waypoint": {
"id": "organizations/123456789012_policy_role_binding0",
"name": "CookieAIDevServicePrincipalRole",
"type": "GoogleCloudIamRoleBinding"
},
"action_log_entries": [],
"decision": "NONE",
"notes": "",
"reviewers": [
{
"user_type": "localCookieUser",
"id": "e3ac5e6a-1946-4688-82a7-8a607133a1c8",
"email": "[email protected]",
"name": "External User"
}
],
"signed_off_state": "NOT_SIGNED_OFF",
"reviewer_assignment": null
},
{
"result_id": 1,
"source": {
"aliases": [],
"created_at": "2023-05-03T14:25:43Z",
"datasource_id": "datasource:google_cloud_workspace",
"email_addresses": [
"[email protected]",
"[email protected]",
"[email protected]"
],
"full_admin": false,
"google_cloud_organization_name": "organizations/123456789012",
"guest": false,
"id": "datasource:112655590859538682841",
"idp_unique_id": "[email protected]",
"is_active": true,
"last_login_at": "2023-05-10T15:25:04Z",
"location_areas": [],
"mfa_enabled": false,
"name": "[email protected]",
"organization_names": [],
"provider_id": "datasource",
"suspended": false,
"type": "GoogleWorkspaceUser"
},
"destination": {
"created_at": "2021-11-01T14:23:35Z",
"datasource_id": "datasource:google_cloud_iam",
"google_cloud_organization_name": "organizations/123456789012",
"id": "projects/743979515322",
"name": "Dev GCP Project",
"parent_id": "organizations/123456789012",
"project_id": "striped-graph-330814",
"provider_id": "datasource",
"type": "GoogleCloudProject",
"updated_at": "2022-04-07T22:08:48Z"
},
"accumulated_effective_permissions": [],
"accumulated_raw_permissions": [
"cloudkms.cryptoKeyVersions.create",
"cloudkms.cryptoKeyVersions.destroy",
"cloudkms.cryptoKeyVersions.get",
"cloudkms.cryptoKeyVersions.list",
"cloudkms.cryptoKeyVersions.restore",
"cloudkms.cryptoKeyVersions.update",
"cloudkms.cryptoKeyVersions.useToDecryptViaDelegation",
"cloudkms.cryptoKeyVersions.useToEncryptViaDelegation",
"cloudkms.cryptoKeys.create",
"cloudkms.cryptoKeys.get",
"cloudkms.cryptoKeys.getIamPolicy",
"cloudkms.cryptoKeys.list",
"cloudkms.cryptoKeys.setIamPolicy",
"cloudkms.cryptoKeys.update",
"cloudkms.keyRings.create",
"cloudkms.keyRings.createTagBinding",
"cloudkms.keyRings.deleteTagBinding",
"cloudkms.keyRings.get",
"cloudkms.keyRings.getIamPolicy",
"cloudkms.keyRings.list",
"cloudkms.keyRings.listTagBindings",
"cloudkms.keyRings.setIamPolicy",
"cloudkms.locations.get",
"cloudkms.locations.list",
"resourcemanager.projects.get"
],
"updated_at": null,
"updated_by": null,
"signed_off_at": null,
"signed_off_by": null,
"notification_response_infos": [],
"notification_status": "UNKNOWN",
"waypoint": {
"id": "organizations/123456789012_policy_role_binding11",
"name": "cloudkms.admin",
"type": "GoogleCloudIamRoleBinding"
},
"action_log_entries": [],
"decision": "NONE",
"notes": "",
"reviewers": [
{
"user_type": "localCookieUser",
"id": "e3ac5e6a-1946-4688-82a7-8a607133a1c8",
"email": "[email protected]",
"name": "External User"
}
],
"signed_off_state": "NOT_SIGNED_OFF",
"reviewer_assignment": null
}
],
"next_page_token": "EAI=",
"has_more": true,
"has_previous": false
}OK
Default error response
OK
Default error response
OK
Default error response
OK
Default error response
Attaches an automation to one or all workflows Attach will succeeds if the automation is already attached and will update the "opt_in" if necessary
OK
Default error response
OK
Default error response
Detaches an automation from one or all workflows
OK
Default error response
GET /api/preview/awf/automations HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*
{
"values": [
{
"id": "text",
"name": "text",
"description": "text",
"priority": 1,
"attachment_behavior": {
"attach_to_new_workflows": true,
"opt_in": true
},
"criteria": {
"filter": "text",
"mutable_filter": "text"
},
"action": {
"decision": 1,
"signed_off_state": 1,
"notes": "text",
"reviewer_assignment": {
"users_manager": true,
"resource_managers": true,
"reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
}
],
"fallback_reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
}
],
"reviewers_managers_for_approval_levels": [
1
]
},
"display_style": 1,
"display_text": "text"
}
}
]
}PUT /api/preview/awf/automations HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 619
{
"value": {
"id": "text",
"name": "text",
"description": "text",
"priority": 1,
"attachment_behavior": {
"attach_to_new_workflows": true,
"opt_in": true
},
"criteria": {
"filter": "text",
"mutable_filter": "text"
},
"action": {
"decision": 1,
"signed_off_state": 1,
"notes": "text",
"reviewer_assignment": {
"users_manager": true,
"resource_managers": true,
"reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
}
],
"fallback_reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
}
],
"reviewers_managers_for_approval_levels": [
1
]
},
"display_style": 1,
"display_text": "text"
}
}
}POST /api/preview/awf/automations HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 597
{
"name": "text",
"description": "text",
"priority": 1,
"attachment_behavior": {
"attach_to_new_workflows": true,
"opt_in": true
},
"criteria": {
"filter": "text",
"mutable_filter": "text"
},
"action": {
"decision": 1,
"signed_off_state": 1,
"notes": "text",
"reviewer_assignment": {
"users_manager": true,
"resource_managers": true,
"reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
}
],
"fallback_reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
}
],
"reviewers_managers_for_approval_levels": [
1
]
},
"display_style": 1,
"display_text": "text"
}
}GET /api/preview/awf/automations/{id} HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*
{
"value": {
"id": "text",
"name": "text",
"description": "text",
"priority": 1,
"attachment_behavior": {
"attach_to_new_workflows": true,
"opt_in": true
},
"criteria": {
"filter": "text",
"mutable_filter": "text"
},
"action": {
"decision": 1,
"signed_off_state": 1,
"notes": "text",
"reviewer_assignment": {
"users_manager": true,
"resource_managers": true,
"reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
}
],
"fallback_reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
}
],
"reviewers_managers_for_approval_levels": [
1
]
},
"display_style": 1,
"display_text": "text"
}
}
}DELETE /api/preview/awf/automations/{id} HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*
{}POST /api/preview/awf/automations:attach HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 59
{
"id": "text",
"workflow_id": "text",
"all": true,
"opt_in": true
}GET /api/preview/awf/automations:attached/{workflow_id} HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*
{
"values": [
{
"automation": {
"id": "text",
"name": "text",
"description": "text",
"priority": 1,
"attachment_behavior": {
"attach_to_new_workflows": true,
"opt_in": true
},
"criteria": {
"filter": "text",
"mutable_filter": "text"
},
"action": {
"decision": 1,
"signed_off_state": 1,
"notes": "text",
"reviewer_assignment": {
"users_manager": true,
"resource_managers": true,
"reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
}
],
"fallback_reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text",
"alternate_email": "text"
}
],
"reviewers_managers_for_approval_levels": [
1
]
},
"display_style": 1,
"display_text": "text"
}
},
"opt_in": true
}
]
}POST /api/preview/awf/automations:detach HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 45
{
"id": "text",
"workflow_id": "text",
"all": true
}{}{
"id": "text"
}{}{}Configure outlier detection settings to identify anomalous access patterns in Access Reviews.
Early Access Feature: Outlier Detection is currently in Early Access and available via API only. The feature and API are subject to change. Contact your Veza Customer Success Manager to enable this feature for your tenant.
Configure outlier detection to automatically identify and flag anomalous access patterns during Access Reviews. The Manager-Centric algorithm compares each user's access to their peer group and detects access held by fewer than a specified threshold percentage of peers, helping reviewers focus on unusual or potentially risky permissions.
The Manager-Centric outlier detection algorithm uses statistical analysis to identify rare access patterns:
Peer Grouping: Users are grouped based on configurable properties (default: users sharing the same manager)
Statistical Analysis: For each destination (resource/permission) in the review, Veza calculates what percentage of the peer group has access using the Wilson score confidence interval method at 95% confidence
Threshold Comparison: Access paths where the statistical lower bound is at or below the configured threshold are flagged as outliers
Reviewer Visibility
By default, outlier detection uses:
Grouping: Users with the same manager (manager_idp_unique_id property)
Threshold: 15% (access held by ≤15% of peers is flagged as an outlier)
Consider an Access Review for Okta groups:
100 users report to Manager A
95 of them have access to the "Engineering-All-Hands" group
5 users have access to the "Admin-Production-Access" group
Given a 15% threshold:
"Engineering-All-Hands" access (95% of peers) is not flagged, as this is normal access
"Admin-Production-Access" (5% of peers) is flagged as an outlier, as this is rare access
The reviewer sees a warning on those 5 rows that this access is anomalous within the peer group — no more than 15% of peers with shared characteristics have it.
Administrators can customize outlier detection using APIs:
GET /api/private/workflows/access/global_settings/manager_centric_config
Retrieve the current outlier detection configuration, either globally or for a specific review configuration.
PUT /api/private/workflows/access/global_settings/manager_centric_config
Update the outlier detection configuration globally or for a specific review configuration.
Grouping properties define how users are organized into peer groups for outlier analysis. You can specify properties from:
Source nodes (the users/identities in the review)
Destination nodes (the resources/permissions being reviewed)
Enriched/joined nodes (additional data joined to the query, such as manager information from an IdP)
Each property reference has these fields:
Properties from the source entities in the review (typically users/identities).
Common source properties:
department - User's department
location - User's location
manager_idp_unique_id - User's manager identifier (default)
Example:
Properties from the destination entities (resources/permissions being reviewed).
Common destination properties:
classification - Resource classification level
data_sensitivity - Data sensitivity level
owner - Resource owner
Example:
Properties from enriched/joined metadata from another data source. These require the review query to include a JoinNodeSpec that joins additional data (such as manager information from an IdP).
Example:
This groups all users by their manager's department, requiring the review query to join the manager data with the alias "manager".
Groups users by manager with a 15% threshold (default configuration):
Use case: Identify access that's unusual compared to direct peers reporting to the same manager.
Groups users by both department and location with a 10% threshold:
Use case: Identify access that's rare among users in the same department and office location.
Compares each user to the entire population with 5% threshold:
Use case: Flag extremely rare access across the entire organization, regardless of role or department.
Groups by destination resource classification with a 20% threshold:
Use case: Identify unusual access patterns within resources of the same classification level.
Groups by the manager's department (requires query enrichment) with a 15% threshold:
Use case: Identify access that's unusual among users whose managers are in the same department, useful in matrix organizations.
Scenario: Reviewing access to financial systems where SOX compliance requires attention to outlier access.
Configuration:
Users with access held by ≤5% of their department peers are flagged for additional scrutiny.
Scenario: Reviewing production system access where most engineers shouldn't have admin rights.
Configuration:
Identifies engineers with production access that is unusual within their team, considering the environment.
Scenario: Reviewing access where job role should predict permissions.
Configuration:
Flags access held by ≤15% of users with the same job role, indicating potential role creep or over-provisioning.
Scenario: Detecting access patterns that are unusual for an entire department.
Configuration:
Identifies access held by ≤8% of users in the same department and location, flagging potentially inappropriate cross-functional access.
Property Availability: Grouping properties must exist in your access review query results. If a specified property doesn't exist for source/destination/joined nodes, outlier detection may not function as expected. Verify property names match your data schema.
Threshold Tuning: Start with the default 15% threshold and adjust based on your organization's risk tolerance:
Lower thresholds (5-10%): More sensitive, flags only the rarest access
Higher thresholds (20-25%): Less sensitive, flags more broadly uncommon access
- Overview of all Access Reviews settings
- Complete Access Reviews documentation
value.threshold
number
Yes
Threshold percentage (0.0 to 1.0) below which access is considered an outlier. For example, 0.15 means access held by ≤15% of peers is flagged.
is_active - Whether the user account is activeemployee_type - Employee classification (e.g., full-time, contractor)
environment - Environment (prod, dev, test)workflow_id
string
No
query
Review configuration ID. If specified, returns the configuration for that specific review configuration. If omitted or empty, returns the global configuration.
workflow_id
string
No
Review configuration ID. If specified, applies settings only to that configuration. If omitted, updates the global default.
value
object
Yes
Configuration object
value.grouping_properties
array
No
property_name
string
Yes
The name of the property to group by (e.g., "department", "location", "manager_idp_unique_id")
target
enum
No
Where the property comes from. Options: TARGET_NODE_UNSPECIFIED (default, assumes source), TARGET_NODE_SOURCE, TARGET_NODE_DESTINATION, TARGET_NODE_JOINED
joined_node_alias
string
Conditional
Array of property references defining how to group users into peer groups. If empty, uses population-wide comparison. See below.
Required when target is TARGET_NODE_JOINED. The alias of the joined node from the review query's JoinNodeSpec
curl 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/manager_centric_config' \
-H 'Authorization: Bearer YOUR_BEARER_TOKEN' \
-H 'Content-Type: application/json'curl 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/manager_centric_config?workflow_id=8ae1c414-3a76-46cb-950a-925316b3f264' \
-H 'Authorization: Bearer YOUR_BEARER_TOKEN' \
-H 'Content-Type: application/json'{
"value": {
"grouping_properties": [
{
"property_name": "manager_idp_unique_id"
}
],
"threshold": 0.15
}
}curl -X PUT 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/manager_centric_config' \
-H 'Authorization: Bearer YOUR_BEARER_TOKEN' \
-H 'Content-Type: application/json' \
-d '{
"value": {
"grouping_properties": [
{
"property_name": "department",
"target": "TARGET_NODE_SOURCE"
},
{
"property_name": "location",
"target": "TARGET_NODE_SOURCE"
}
],
"threshold": 0.1
}
}'curl -X PUT 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/manager_centric_config' \
-H 'Authorization: Bearer YOUR_BEARER_TOKEN' \
-H 'Content-Type: application/json' \
-d '{
"workflow_id": "8ae1c414-3a76-46cb-950a-925316b3f264",
"value": {
"grouping_properties": [
{
"property_name": "manager_idp_unique_id"
}
],
"threshold": 0.2
}
}'{}{
"property_name": "department",
"target": "TARGET_NODE_SOURCE"
}{
"property_name": "classification",
"target": "TARGET_NODE_DESTINATION"
}{
"property_name": "department",
"target": "TARGET_NODE_JOINED",
"joined_node_alias": "manager"
}{
"value": {
"grouping_properties": [
{
"property_name": "manager_idp_unique_id"
}
],
"threshold": 0.15
}
}{
"value": {
"grouping_properties": [
{
"property_name": "department",
"target": "TARGET_NODE_SOURCE"
},
{
"property_name": "location",
"target": "TARGET_NODE_SOURCE"
}
],
"threshold": 0.1
}
}{
"value": {
"grouping_properties": [],
"threshold": 0.05
}
}{
"value": {
"grouping_properties": [
{
"property_name": "classification",
"target": "TARGET_NODE_DESTINATION"
}
],
"threshold": 0.2
}
}{
"value": {
"grouping_properties": [
{
"property_name": "department",
"target": "TARGET_NODE_JOINED",
"joined_node_alias": "manager"
}
],
"threshold": 0.15
}
}{
"value": {
"grouping_properties": [
{
"property_name": "department",
"target": "TARGET_NODE_SOURCE"
}
],
"threshold": 0.05
}
}{
"value": {
"grouping_properties": [
{
"property_name": "team",
"target": "TARGET_NODE_SOURCE"
},
{
"property_name": "environment",
"target": "TARGET_NODE_DESTINATION"
}
],
"threshold": 0.1
}
}{
"value": {
"grouping_properties": [
{
"property_name": "job_role",
"target": "TARGET_NODE_SOURCE"
}
],
"threshold": 0.15
}
}{
"value": {
"grouping_properties": [
{
"property_name": "department",
"target": "TARGET_NODE_SOURCE"
},
{
"property_name": "location",
"target": "TARGET_NODE_SOURCE"
}
],
"threshold": 0.08
}
}