See for additional details on the complete workflow object.
Workflows, certifications, and result details
This page describes common properties for listing workflows, certifications, and certification results:
Note that to maintain certification integrity, some properties are immutable and can't be modified, while other values are system-updated. Mutable fields such as "name," "notes," "reviewers," and "due date" can be changed by operators and admins using the Veza UI:
Internal fields are updated by the workflow service to store important metadata:
States can be:
CERT_STATE_SEARCHING: the query is still running
CERT_STATE_IN_PROGRESS: the certification is being reviewed
CERT_STATE_COMPLETED: the review of the certification is complete
Valid decisions are:
RESULT_DECISION_NONE: no decision has been made
RESULT_DECISION_ACCEPTED: the access described in the result row is acceptable
RESULT_DECISION_REJECTED: the access described in the result row isn't correct
RESULT_DECISION_FIXED: the access was rejected, but has been fixed
Both the number and the string value for the decision are allowed, for example "decision": 4 or "decision": RESULT_DECISION_FIXED.
Shows source, destination, or intermediate entity details for a query result:
When assigning reviewers using preview Workflows APIs, requested users are validated before being assigned to a certification result, and are not assigned when the user can't be found. Assignee id and user_type are required to identify reviewers. name and email are optional, but if provided they must match the Veza user record.
Results contain a record of all prior actions on a certification result.
Possible actions are:
NOTE_ADDED
REVIEWER_ASSIGNED
DECISION
The response will include the type, id, email, and name of the user who made the change:
The reviewer_assignment specifies how reviewers should be assigned to rows, during initial certification creation or when reviewers are re-assigned by a smart action.
users_manager and resource_managers assign reviewers based on Global IdP settings.
reviewers specifies one or more reviewers to apply to every row.
fallback_reviewers is one or more reviewers to assign to rows if auto-assignment by user or resource manager fails for any reason.
Add decisions and notes to a certification result
Apply a decision, note, sign-off, or reviewer change to a numbered certification result.
Each row of the certification results can be annotated, marked as ACCEPTED or REJECTED, signed off, or assigned to a different reviewer.
value must include the result_id and any mutable fields to update:
Valid decisions are:
NONE: no decision has been made
ACCEPTED: the access described in the result row is acceptable
REJECTED: the access described in the result row isn't correct
FIXED: the access was rejected but has been fixed
reviewers: a result's reviewer can be reassigned by updating the reviewers field with a list of one or more Access Workflow User objects:
A successful response will be empty: {}.
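A client that writes decisions back through this endpoint should validate the body before sending it, so that a typo in a decision name or a reviewer object missing a required field is caught locally rather than rejected (or silently ignored) by the server. The following is an added example, not code from this page or from Veza: it builds the value object for the update call above, accepts the decision as the numeric code, the short name or the full enum string, enforces the single-space convention for clearing a note, and requires all four Workflow User fields on a reviewer. The function names, the base URL and the placeholder certification id are assumptions.

```python
"""Build and validate the body for a certification result update.

Added example (not Veza's client code). Assumes the endpoint shape documented
here: PUT {base_url}/api/preview/awf/certifications/{certification_id}/results
with a body of {"value": {"result_id": ..., <mutable fields>}}.
"""
import json

# Decision enum names and numeric codes as listed on this page (NONE=1 ... FIXED=4).
DECISION_CODES = {
    "RESULT_DECISION_UNKNOWN": 0,
    "RESULT_DECISION_NONE": 1,
    "RESULT_DECISION_ACCEPTED": 2,
    "RESULT_DECISION_REJECTED": 3,
    "RESULT_DECISION_FIXED": 4,
}
SIGN_OFF_STATES = ("NOT_SIGNED_OFF", "SIGNED_OFF")
REVIEWER_FIELDS = ("user_type", "id", "email", "name")  # all required when reassigning


def normalize_decision(decision):
    """Accept FIXED, RESULT_DECISION_FIXED or 4 and return the canonical enum string."""
    if isinstance(decision, bool):
        raise ValueError("decision must be an enum name or an integer code")
    if isinstance(decision, int):
        for name, code in DECISION_CODES.items():
            if code == decision:
                return name
        raise ValueError(f"unknown decision code {decision}")
    name = str(decision).strip().upper()
    if not name.startswith("RESULT_DECISION_"):
        name = "RESULT_DECISION_" + name
    if name not in DECISION_CODES:
        raise ValueError(f"unknown decision {decision!r}")
    return name


def validate_reviewer(reviewer):
    """Reject a Workflow User object that lacks any of the four required fields."""
    missing = [f for f in REVIEWER_FIELDS if not reviewer.get(f)]
    if missing:
        raise ValueError(f"reviewer is missing required fields: {missing}")
    return {f: reviewer[f] for f in REVIEWER_FIELDS}


def build_result_update(result_id, decision=None, notes=None,
                        signed_off_state=None, reviewers=None):
    """Return {"value": {...}} containing result_id plus only the fields passed in.

    Omitted fields are left out of the body so an update never clears something by
    accident. To clear a note pass notes=" " (one space) as the page documents; an
    empty string is rejected here so a caller cannot mistake it for a clear.
    """
    if isinstance(result_id, bool) or not isinstance(result_id, int) or result_id < 0:
        raise ValueError("result_id must be a non-negative integer")
    value = {"result_id": result_id}
    if decision is not None:
        value["decision"] = normalize_decision(decision)
    if notes is not None:
        if notes == "":
            raise ValueError('pass " " (a single space) to clear a note')
        value["notes"] = notes
    if signed_off_state is not None:
        if signed_off_state not in SIGN_OFF_STATES:
            raise ValueError(f"signed_off_state must be one of {SIGN_OFF_STATES}")
        value["signed_off_state"] = signed_off_state
    if reviewers is not None:
        value["reviewers"] = [validate_reviewer(r) for r in reviewers]
    return {"value": value}


def update_path(base_url, certification_id):
    """Request path; base_url is your Veza URL, e.g. https://your-org.vezacloud.com."""
    base = base_url.rstrip("/")
    return f"{base}/api/preview/awf/certifications/{certification_id}/results"


if __name__ == "__main__":
    # Constructed values; "cert-id-placeholder" stands in for a real certification GUID.
    body = build_result_update(42, decision=4, notes="remediation ticket CHG-0000 (constructed)")
    print(update_path("https://your-org.vezacloud.com", "cert-id-placeholder"))
    print(json.dumps(body, indent=2))
```

The body is sent with the PUT method shown above and a bearer token for a user with the required role; the helper only prepares and checks the payload.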
Get results for workflow certifications
Returns the results of the certification query, including any special properties, decisions, and notes.
Parameters
Request
Provide the UUID of the certification to get results. You can page through responses by providing a starting result number, and setting the maximum results to return.
Response
Each row in a certification describes an identity and resource entity pair, connected by a set of concrete and abstract permissions. Responses can be partial, depending on the page_size. You can get the next set of results by requesting a valid next_page_token as the page_token.
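Because responses are partial, any script that audits a certification must follow next_page_token until it is absent, stay within the documented page_size bounds, and guard against a token that repeats. The following is an added example, not code from this page or from Veza: the HTTP transport is injected as a function so the paging logic runs here against a constructed three-page response; in practice you would pass a function that performs the GET with your bearer token and returns the decoded JSON. The certification id and the fake pages are constructed.

```python
"""Page through certification results using page_token / next_page_token.

Added example (not Veza's code). get_json(path, params) -> dict is the transport;
a fake one with three constructed pages is provided for offline use.
"""

# page_size limits documented on this page.
PAGE_SIZE_DEFAULT, PAGE_SIZE_MIN, PAGE_SIZE_MAX = 100, 1, 2000


def results_path(certification_id):
    return f"/api/preview/awf/certifications/{certification_id}/results"


def iter_results(get_json, certification_id, page_size=PAGE_SIZE_DEFAULT, max_pages=10_000):
    """Yield every result row, requesting the next page while next_page_token is present.

    A repeated token or more than max_pages pages raises instead of looping forever.
    """
    if not (PAGE_SIZE_MIN <= page_size <= PAGE_SIZE_MAX):
        raise ValueError(f"page_size must be within [{PAGE_SIZE_MIN}, {PAGE_SIZE_MAX}]")
    params = {"page_size": page_size}
    seen_tokens = set()
    for _ in range(max_pages):
        page = get_json(results_path(certification_id), params)
        yield from page.get("values", [])
        token = page.get("next_page_token")
        if token is None:
            return  # last page
        if token in seen_tokens:
            raise RuntimeError(f"pagination loop: token {token!r} repeated")
        seen_tokens.add(token)
        params = {"page_size": page_size, "page_token": token}
    raise RuntimeError("max_pages exceeded while paging results")


def count_by_decision(rows):
    """Tally rows by decision, e.g. to report how much of a review is still open."""
    counts = {}
    for row in rows:
        decision = row.get("decision", "RESULT_DECISION_NONE")
        counts[decision] = counts.get(decision, 0) + 1
    return counts


def undecided_result_ids(get_json, certification_id, page_size=2):
    """Result ids that still carry no decision (page_size=2 exercises the fake paging)."""
    return [r["result_id"] for r in iter_results(get_json, certification_id, page_size)
            if r.get("decision", "RESULT_DECISION_NONE") == "RESULT_DECISION_NONE"]


# Constructed fake transport: three pages keyed on the page_token parameter.
_FAKE_PAGES = {
    None: {"values": [{"result_id": 0, "decision": "RESULT_DECISION_ACCEPTED"},
                      {"result_id": 1, "decision": "RESULT_DECISION_NONE"}],
           "next_page_token": 2},
    2: {"values": [{"result_id": 2, "decision": "RESULT_DECISION_REJECTED"}],
        "next_page_token": 3},
    3: {"values": [{"result_id": 3, "decision": "RESULT_DECISION_NONE"}]},
}


def fake_get_json(path, params):
    """Stand-in for an authenticated GET; returns the constructed page for the token."""
    if not path.startswith("/api/preview/awf/certifications/"):
        raise ValueError(f"unexpected path {path}")
    return _FAKE_PAGES[params.get("page_token")]


if __name__ == "__main__":
    print(count_by_decision(iter_results(fake_get_json, "cert-id-placeholder", page_size=2)))
    print(undecided_result_ids(fake_get_json, "cert-id-placeholder"))
```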
Update a single result with escalated privileges
ForceUpdateAwfResults allows administrators to modify results beyond what is normally allowed, such as changing sign-off status, or changing a row's decision after a certification expires.
A forced update request:
Can undo sign-off of a row.
On an expired or completed certification, during the grace period, rows can be modified as normal (assuming they're no longer signed off).
The grace period for changes is 7 days after certification completion or expiration.
Can't undo sign-off of a row.
On an expired certification, during the grace period, a rejected row can be marked as fixed by an admin/operator.
A successful response will be empty:
Methods for interacting with workflows and certifications
These endpoints enable listing workflows, listing certifications, getting certification results, and updating certifications. They can be used to programmatically retrieve workflow and certification details, and update certification rows with a decision or note, such as ticket number.
These endpoints also provide utility functionality, such as managing the reviewer deny list, populating results with webhook response info, and customizing quick filters, smart actions, and help pages.
APIs for Veza Access Reviews are subject to change, and as such are provided with the /preview API collection. Use the appropriate prefix when calling the API, for example, your-org.vezacloud.com/api/preview/.
Get all workflows and IDs:
Use a workflow id to get active and pending certifications for that workflow:
The response will include certification details, including the certification ids.
Using a certification id, you can get results for the certification, including entity attributes:
Update a certification result row with a note:
When , all Veza Workflows are returned within a values array. Each has the properties:
returns all Certifications for a workflow, within a values array.
See for more details on query construction.
include a numeric ID, the query details, and any decisions and notes. Each result includes entity details for the source -> destination nodes and the cumulative permissions under review:
The notes field will always contain the most recent note. Previous notes can be reviewed in the action log using the List Cert Results API.
Reviewer details, typically a Veza user account. If are configured, the user type and id refer to Veza graph entities:
You can get details for a local Veza user from Administration > User Management. For graph entities (identities from an external identity provider), inspect the entity details using Access Search or the Entities page. will return all users for a given certification.
Adding a note overwrites the previous value. Historical notes are included in the action log when . When viewing the row in the UI, only the most recent note is shown.
Note that all fields are required when assigning a reviewer. As of the current release, there is no customer-facing API to get local user ids. For this reason, API-based reviewer reassignment is recommended only when a graph IdP is configured as the , and you can programmatically retrieve required identifiers such as user "name," "id," and "email."
See for more details on the Certification Result object.
The API token used for this request must be created for a user with the role.
First, save your API key and Veza base URL as environment variables:
type (string): Entity type
name (string): Entity name
id (string): Entity UID
properties (key:value pairs): Entity properties
user_type (string): SSO entity type or localCookieUser
id (string): User GUID
email (string): User email address
name (string): Full username
PUT {{base_url}}/api/preview/awf/certifications/{certification_id}/results
cert_id (string, path): id of the certification to update
value (object, body): Mutable fields to update
GET {{base_url}}/api/preview/awf/certifications/{certification_id}/results
certification_id (string, required): Certification id
page_token (int, optional): next_page_token to list results from
page_size (int, optional): Max results to return per page (default 100, minimum 1, maximum 2,000)
paginate_direction_backwards (boolean, optional): When true, use reverse order from the last page of results
POST /api/preview/awf/certifications/{certification_id}/results:force_update
workflow_id (string): Workflow GUID
name (string): Workflow display name
description (string): Extended description
owner: Owner user details
notes (string): Workflow notes
query (WorkflowQuery object): Workflow search conditions
creator: Creator user details
created_at (string, RFC 3339 timestamp): Creation date
certification_id (string): Certification GUID
workflow_id (string): Workflow GUID
query_used (WorkflowQuery): The query for the workflow (immutable)
name (string): Certification name (not used)
notes (string): Certification notes
due_date (string, RFC 3339 timestamp): Due date timestamp
reviewers: List of reviewers
state (AccessCertState): Certification status
snapshot_time (string, RFC 3339 timestamp): Date of graph snapshot at certification creation
started_at (string, RFC 3339 timestamp): Certification creation date
query_completed_at (string, RFC 3339 timestamp): Timestamp indicating when certification results were generated
completed_at (string, RFC 3339 timestamp): Certification completion date
created_by: Certification creator details
completed_by: User who marked certification as complete
total_result_count (int): Total query results
results_updated_at (string, RFC 3339 timestamp): Timestamp
results_updated_by: User details
total_complete_count (int): Number of result rows with an accept, reject, or fixed decision
creator: User details
created_at (string, RFC 3339 timestamp): Timestamp
updated_at (string, RFC 3339 timestamp): Timestamp
updated_by: User details
error_reason (string): Error message, if the workflow query failed
expired_at (string, RFC 3339 timestamp): Timestamp
total_result_count (int): Total number of results
total_complete_count (int): Results with a final decision
total_rejected_count (int): Results with a "reject" decision
total_accepted_count (int): Results with an "accept" decision
total_fixed_count (int): Results that have been "marked as fixed"
accumulated_effective_permissions (string list): Cumulative canonical (C/R/U/D) permissions to the resource
accumulated_raw_permissions (string list): List of concrete system permissions to the resource
action_log_entries: Log of previous actions on the result
decision (string): Row decision
destination: The result destination (typically a resource)
notes (string): The most recent note applied to the result
notification_response_infos (array): Error message and status for webhook integrations
notification_status (string): Whether the integration triggered successfully
result_id (int): Result unique identifier for the certification
reviewers: Reviewer details
reviewer_assignment (ReviewerAssignmentInstructions object): Instructions for fallback and auto-assigned reviewers
signed_off_at (string, RFC 3339 timestamp)
signed_off_by: Details for a single reviewer
signed_off_state (string): UNKNOWN_SIGNED_OFF, NOT_SIGNED_OFF, or SIGNED_OFF
source: Result source (typically a principal)
updated_at (string, RFC 3339 timestamp)
updated_by
waypoint: Related intermediate entity details, if specified by the workflow query
action (string): Action log event type
user: Reviewer details
time (string): RFC 3339 timestamp
decision_detail (object): Decision type and any notes
result_id (int, required): Certification result number to update
decision (enum, optional): The decision to apply to the result
notes (string, optional): Send an empty string " " to clear the current note
signed_off_state (string, optional): Can be NOT_SIGNED_OFF or SIGNED_OFF
reviewers (optional): Contains Workflow User details for assigned reviewers
user_type (string, required)
id (string, required)
email (string, required): Must match the email property on the local user or graph node.
name (string, required): Must match the name property on the local user or graph node.
certification_id (path): ID of the certification containing the result to alter
value (body): Contains a single certification result and keys to update
result_id (body): Numeric result id to update (min 0)
decision (body): Result decision (NONE, REJECTED, ACCEPTED, FIXED)
notes (body)
reviewers (body)
signed_off_state (body): Sign-off status (NOT_SIGNED_OFF, SIGNED_OFF)
notification_status (body): Integration status (UNKNOWN, PENDING, SUCCEED, FAILED)
Get pending and completed certifications for a workflow
Returns all certifications for an access workflow.
GET
{{base_url}}/api/preview/awf/certifications
Parameters
workflow_id
string
Y
Workflow to get certifications for
Request
Response
values will contain all workflow details. The response may be paginated:
has_more (bool): Indicates if additional results are available.
total_result_count (int): The total number of results.
values (AccessCertResult)
Sample response:
Customizing saved filters for certification reviewers.
List, create, and delete saved filters, globally or for a single workflow. Reviewers can pick from available quick filters under Certification Filters > Saved Filters.
GET, POST, DELETE {Veza URL}/api/preview/awf/quick_filters
Add a quick filter by specifying an optional workflow_id and a single source or destination node property, corresponding to a Review interface column.
Valid filter operators are:
co: "contains"
eq: "equals"
ne: "not equals"
sw: "starts with"
ew: "ends with"
With a workflow_id specified, the filter will only apply to certifications on that workflow. Otherwise, reviewers can apply the quick filter to any certification:
A successful response will contain the filter id, for example:
Including a workflow_id in the query returns quick filters with a matching workflow_id and quick filters with no workflow_id:
Example response:
Configure delegate Veza users who will be assigned as certification reviewers whenever a specified user would have been assigned.
Any certification items assigned to the original reviewer are also assigned to the delegated reviewer.
Delegate reviewers are notified of the assignment and receive notifications in place of the original reviewer. They can review and sign-off on any results assigned to the original reviewer.
The original reviewer can still act on results, but will not receive assignment or reminder emails.
Add delegation for Veza system users:
A successful response will be empty.
Add delegation for Okta users (with IdP settings configured):
A successful response will list all configured delegations, contained in a values array:
To remove delegations, post the configuration to /api/preview/awf/delegation/users:remove.
A successful response will be empty.
Define filter-based actions that reviewers can apply to certifications results with a matching attribute or status.
Reviewers can view and apply custom actions from the Review interface by clicking Smart Action > Prepared Actions.
Create a smart action definition, globally or for a single Workflow.
Example request:
The filter can apply to any source or destination node property.
When apply_to_all_rows is true and no other filter criteria are specified, the action will run on all certification results.
Mutable fields contain result attributes that are not sourced from Authorization Graph data. Use mutable_fields to apply changes to a result, and mutable_filter to filter results based on decision or sign-off state:
Delete a prepared action by definition id.
Returns an array of smart action definitions. By default, this endpoint lists all definitions. If a workflow_id is specified, only definitions for that workflow are included in the response.
Alter a smart action definition by specifying the id and an array of values to change.
Get all reviewers and details by certification
Returns information about all users assigned to a certification and its results. This includes the users' email and ID, along with their progress on the certification (row_stats listing action counts by type).
A successful response returns AccessReviewerInfo objects within a values array:
Detailed graph relationships for certification results
Returns authorization graph relationships for a certification result, including intermediate role details and accumulated permissions.
Parameters
Omit snapshot_id to get the most recent access graph. Specify the snapshot_id of the original certification to show relationships at the time of certification.
Request
Response
The out_edges of each node will contain the IDs of other directly connected nodes. For example, if "OktaUser" is connected to two "OktaGroup" nodes G1 and G2, the user's out-edges will be [{G1}, {G2}]. The node id for each connected node will be included in the response, as well as the status of the relevant data sources, for example:
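A reviewer deciding on a row usually wants to know through which groups or roles the principal reaches the resource, which means following out_edges from the source node to the destination node. The following is an added example, not code from this page or from Veza: it indexes the nodes of an access_graph response, enumerates every simple path from source to destination (skipping cycles and edges that point at nodes absent from the response), and renders each path as a chain of node types. The node list is constructed; the response is assumed to carry "id", "type" and "out_edges" (a list of {"id": ...}) per node, as the paragraph above describes.

```python
"""Walk the access_graph response to list the relationship paths behind one
certification result, e.g. OktaUser -> OktaGroup -> resource.

Added example (not Veza's code). Assumes each node has "id", "type" and
"out_edges" (a list of {"id": ...}); SAMPLE_NODES is constructed data.
"""


def index_nodes(nodes):
    """Map node id -> node, rejecting duplicate ids so paths cannot be ambiguous."""
    by_id = {}
    for node in nodes:
        if node["id"] in by_id:
            raise ValueError(f"duplicate node id {node['id']!r}")
        by_id[node["id"]] = node
    return by_id


def find_paths(nodes, source_id, destination_id, max_depth=8):
    """Return all simple paths (lists of node ids) from source to destination.

    Cycles are not followed, dangling edge ids are ignored, and max_depth bounds
    the search so a very dense graph cannot blow up the enumeration.
    """
    by_id = index_nodes(nodes)
    if source_id not in by_id or destination_id not in by_id:
        raise KeyError("source or destination is not present in the graph response")
    paths = []

    def walk(node_id, path):
        if node_id == destination_id:
            paths.append(list(path))
            return
        if len(path) > max_depth:
            return
        for edge in by_id[node_id].get("out_edges", []):
            nxt = edge["id"]
            if nxt in by_id and nxt not in path:
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    walk(source_id, [source_id])
    return paths


def describe_path(nodes, path):
    """Render a path as 'Type:id -> Type:id -> ...' for a note or report."""
    by_id = index_nodes(nodes)
    return " -> ".join(f"{by_id[n]['type']}:{n}" for n in path)


def intermediate_types(nodes, source_id, destination_id):
    """Node types that appear strictly between source and destination on any path,
    e.g. {'OktaGroup'} when access is only granted through group membership."""
    by_id = index_nodes(nodes)
    return {by_id[n]["type"]
            for path in find_paths(nodes, source_id, destination_id)
            for n in path[1:-1]}


# Constructed sample: one user reaching bucket R1 via two groups; G2 also has a
# back-edge to the user so the cycle handling is exercised.
SAMPLE_NODES = [
    {"id": "u1", "type": "OktaUser", "out_edges": [{"id": "G1"}, {"id": "G2"}]},
    {"id": "G1", "type": "OktaGroup", "out_edges": [{"id": "R1"}]},
    {"id": "G2", "type": "OktaGroup", "out_edges": [{"id": "R1"}, {"id": "R2"}, {"id": "u1"}]},
    {"id": "R1", "type": "S3Bucket", "out_edges": []},
    {"id": "R2", "type": "S3Bucket", "out_edges": []},
]

if __name__ == "__main__":
    for path in find_paths(SAMPLE_NODES, "u1", "R1"):
        print(describe_path(SAMPLE_NODES, path))
```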
Update status info for custom webhooks
Updates webhook status and details for a certification result.
If you have configured a custom webhook to conduct automated access removal or another form of remediation, you can update Veza with the notification status.
Your application can use this endpoint to send a POST request updating the webhook state, visible to other reviewers from Veza's Certification UI.
Path parameters
certification_id: id of the certification containing the result to update.
Body
The request body must include the id of the result to update. Valid notification_status values are:
PENDING
SUCCEED
FAILED
Webhook_info strings can contain up to 255 bytes.
Response
A successful response will be empty: {}
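The 255-byte limit is on bytes, not characters, so a status message containing non-ASCII text (a ticket title, a user's name) can exceed it even when it looks short; cutting the UTF-8 bytes at 255 can also split a multi-byte character and produce invalid text. The following is an added example, not code from this page or from Veza: it validates notification_status against the three documented values, checks the byte length of each webhook_info string and, when asked to, shortens it on a character boundary. The key names inside the body ("value", "webhook_info") and the function names are assumptions; confirm them against your environment.

```python
"""Prepare the body for results:update_webhook_info.

Added example (not Veza's code). The status values and the 255-byte cap come
from this page; the body key names are an assumption.
"""
NOTIFICATION_STATUSES = ("PENDING", "SUCCEED", "FAILED")
MAX_WEBHOOK_INFO_BYTES = 255


def utf8_byte_length(text):
    return len(text.encode("utf-8"))


def truncate_utf8(text, limit=MAX_WEBHOOK_INFO_BYTES):
    """Shorten text so its UTF-8 form fits in `limit` bytes without cutting a
    multi-byte character in half (a naive byte slice can yield invalid UTF-8)."""
    encoded = text.encode("utf-8")
    if len(encoded) <= limit:
        return text
    # errors="ignore" drops the trailing partial character left by the byte slice.
    return encoded[:limit].decode("utf-8", errors="ignore")


def build_webhook_info_update(result_id, notification_status, webhook_info=None, truncate=False):
    """Return {"value": {...}} for the webhook status update, or raise on bad input.

    webhook_info is a mapping of string fields (assumed shape). Strings over the
    byte cap raise unless truncate=True, in which case they are shortened safely.
    """
    if notification_status not in NOTIFICATION_STATUSES:
        raise ValueError(f"notification_status must be one of {NOTIFICATION_STATUSES}")
    if isinstance(result_id, bool) or not isinstance(result_id, int) or result_id < 0:
        raise ValueError("result_id must be a non-negative integer")
    value = {"result_id": result_id, "notification_status": notification_status}
    if webhook_info is not None:
        cleaned = {}
        for key, text in webhook_info.items():
            if not isinstance(text, str):
                raise TypeError(f"webhook_info[{key!r}] must be a string")
            if utf8_byte_length(text) > MAX_WEBHOOK_INFO_BYTES:
                if not truncate:
                    raise ValueError(f"webhook_info[{key!r}] exceeds {MAX_WEBHOOK_INFO_BYTES} bytes")
                text = truncate_utf8(text)
            cleaned[key] = text
        value["webhook_info"] = cleaned
    return {"value": value}


def webhook_update_path(certification_id):
    return f"/api/preview/awf/certifications/{certification_id}/results:update_webhook_info"


if __name__ == "__main__":
    # Constructed message from a hypothetical remediation webhook.
    body = build_webhook_info_update(3, "FAILED", {"message": "ticket not created (constructed)"})
    print(webhook_update_path("cert-id-placeholder"), body)
```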
API operations for customizing the behavior and functionality of Veza Access Reviews.
At present, the settings that can be configured by a Veza administrator are:
Auto-completion: Automatically complete reviews once all rows have a signed-off decision, or a non-rejected signed-off decision.
Completion requirements: Enable review completion at any time, or only when all rows are signed off with a non-rejected decision.
Data Source Status Acknowledgement: Require review creators to view and acknowledge the data source status shown at review creation.
Overdue Review Expiration: Enable or disable expiration of overdue reviews.
Review Expiration Behavior: Reject and sign off incomplete rows when a review expires.
Self Review Prevention: Prevent users from being assigned as reviewers for rows that relate to their own access and permissions.
Column Customization: Configure default columns which reviewers will see when they open a review.
UI Customization: Set whether notes are required when approving or rejecting access.
Sort Order: Set the default sort order and sorting column when opening a review.
Predefined Decision Notes: Add suggested notes as menu options when reviewers approve or reject rows.
For each endpoint, a GET request returns the current setting, and a PUT request updates the setting. Use your unique Veza URL and API key in your request, for example:
Optionally, you can use the Postman collection linked below to customize Access Reviews global settings:
Customize the requirements for completing a review.
Example:
An Admin or Operator user can complete a review by clicking the "Complete Review" button.
Once a review is marked as "completed," it becomes read-only and is no longer visible to reviewers. By default, a review can be completed when all rows have a signed-off decision.
This API allows you to modify this behavior, enabling a review to be completed at any time, or only when all rows are signed off with a non-rejected decision. The latter option is useful if your organization prefers to complete reviews only after all rejected access has been remediated.
Possible values are:
COMPLETION_ALLOWED_UNKNOWN = 0
COMPLETION_ALLOWED_ALL_ROWS_HAVE_DECISION = 1 (Review can be completed only when all result rows have a decision)
COMPLETION_ALLOWED_ANYTIME = 2 (Review can be completed any time)
Enable or disable the "auto-complete" feature. When auto-complete is enabled, a review will automatically be completed once all rows have a signed-off decision, or a non-rejected signed-off decision, depending on the "Completion Allowed Settings."
Possible values are:
AUTO_COMPLETE_UNKNOWN
AUTO_COMPLETE_ENABLED
AUTO_COMPLETE_DISABLED
Example:
Enable or disable self-review prevention. When self-review prevention is enabled, users are prevented from being assigned as reviewers for rows that relate to their own access and permissions.
The value can be:
SELF_REVIEWER_CHECKING_UNKNOWN = 0
SELF_REVIEWER_CHECKING_DISABLED = 1
SELF_REVIEWER_CHECKING_ENABLED = 2
By default, when a reviewer approves a row, a "notes" pop-up appears, allowing the user to optionally add a note explaining their decision. When a reviewer rejects a row, the "notes" pop-up appears, and adding a note is required. This API allows you to customize this behavior. For example, you can choose to disable the pop-up when a row is approved and make the notes pop-up optional when a row is rejected.
Additionally, this API can enable the historical "Approve & Signoff" action in the reviewer experience when multiple rows are selected. Note: It is recommended that this feature remains disabled to ensure a more streamlined reviewer experience.
Example:
accept_notes_behavior can be:
NOTES_BEHAVIOR_UNKNOWN = 0
NO_POP_UP = 1
POP_UP_OPTIONAL = 2
POP_UP_REQUIRED = 3
reject_notes_behavior can be:
NOTES_BEHAVIOR_UNKNOWN = 0
NO_POP_UP = 1
POP_UP_OPTIONAL = 2
POP_UP_REQUIRED = 3
approve_and_sign_off_button_behavior can be:
HIDE_OR_SHOW_BEHAVIOR_UNKNOWN = 0
SHOW = 1
HIDE = 2
This API configures the default columns which reviewers will see when they open a review. If workflow_id is specified then the configuration will only be applied to reviews related to the particular Review Configuration identified by workflow_id.
The valid values to show entity attributes include:
source.ATTR
destination.ATTR
waypoint.ATTR
path_summary.ATTR
idp.ATTR
Where ATTR is an attribute name such as “id” or “name”.
The following column values are also valid:
status
abstract_permissions
concrete_permissions
updated_at
notes
reviewers
decision
decision_by
decision_by_id
decision_by_name
decision_by_email
decision_at
marked_fixed_by_id
marked_fixed_by_name
marked_fixed_by_email
marked_fixed_at
signed_off_state
signed_off_by_id
signed_off_by_name
signed_off_by_email
signed_off_at
notification_status
automation_run_ids
no_decision_or_decision_by
Is_signed_off
Example:
Configure the default order in which review rows are displayed. Note: Users can later sort the rows as they prefer.
The order is specified using a SCIM "order by" expression. The default value is source.type asc.
Valid values include:
source.ATTR
destination.ATTR
waypoint.ATTR
idp.ATTR
Where ATTR is an attribute name such as "id" or "name".
Example
This setting is configurable on the Access Reviews > Settings page. Enable Auto-Expire overdue reviews to automatically expire reviews that aren't completed by the due date.
Enables or disables expiration of overdue reviews. By default, overdue reviews are not expired and remain available to reviewers. When expiration is enabled, the review will be "expired" when it becomes overdue. An expired review is read-only and is not shown to reviewers.
The value can be True or False.
This setting is configurable on the Access Reviews > Settings page. Enable Reject incomplete rows to reject and sign off on undecided rows when a review expires.
This API allows you to change the behavior when a review expires (which can be enabled in Review Auto-Complete Settings). Depending on the behavior, incomplete rows can be auto-rejected when the review deadline passes.
Possible values are:
DO_NOTHING: No action is made on incomplete rows (default).
AUTO_REJECT_INCOMPLETE_RESULTS: Reject and sign off any results that are incomplete when the review expires.
Review expiration behavior can be configured globally, or for all reviews for a single Review, specified by workflow_id in the request.
By default, when a review is created, a user can optionally view the status of the data sources involved in the review. This API allows the behavior to change, requiring that the data source status is shown to the user and acknowledged during review creation.
Possible values are:
DATASOURCE_ACKNOWLEDGEMENT_UNKNOWN = 0
DATASOURCE_ACKNOWLEDGEMENT_NOT_SHOWN = 1
DATASOURCE_ACKNOWLEDGEMENT_REQUIRED = 2
Configure predefined notes as menu options when reviewers approve or reject rows. This feature can be configured globally for all reviews or specifically for individual review configurations. When configured for a specific review configuration (using workflow_id), those settings override any global predefined notes.
The predefined notes appear as selectable options in the notes dialog when making decisions, suggesting standardized responses alongside free-form text entry.
Example request body:
The request body accepts:
reject_notes: Array of predefined note options shown when rejecting rows
accept_notes: Array of predefined note options shown when approving rows
workflow_id: (Optional) Specific review configuration ID to override global settings
Retrieve the current predefined notes settings. Include the optional workflow_id query parameter to get settings for a specific review configuration.
Global Settings Request:
Configuration-Specific Request:
Example response:
Update the predefined notes settings globally or for a specific review configuration.
Configuration-Specific Request:
Must be the same user_type as configured for the . Typical values are OktaUser, CustomIDPUser, or AzureADUser.
The user_identity_property set when configuring the workflows IdP is used to validate a Workflow Reviewer's identity. For an Okta user, this would be an id such as 00upa6s0hSGtl1eGL5d5. For a Custom IdP user, this will typically be the IdP user set within the OAA payload.
You can use to retrieve all valid workflow IDs.
Contains details for each certification (see ).
Requests require a for authentication.
Filters can also apply to abstract_permissions or concrete_permissions (see example response).
Administrators can configure delegate reviewers for who would otherwise be assigned or auto-assigned to certification results. Specifying a delegate reviewer for another Veza user allows them to fulfill the responsibilities of that user — for example, if a manager is on leave, out-of-office, or otherwise unavailable.
The JSON payload contains pairs of original and delegate . You can use to get all the required details for reviewers assigned to a certification.
You can map both local Veza users and identities from an .
Note that this assumes the IdP settings are configured to use "idp_unique_id" to correlate identities, as in the Okta example .
A certification includes all source and destination node properties discovered or added by Veza. You can specify a SCIM filter to select the results to affect, for example:
These endpoints can be called by providing a Veza admin user API key. See to generate a bearer token for use in requests. Note that API operations in the private namespace are subject to change as features are added or modified.
Use these APIs to configure for Veza Access Reviews.
GET /api/preview/awf/delegation/users: List User Delegations
POST /api/preview/awf/delegation/users:add: Add User Delegations
POST /api/preview/awf/delegation/users:remove: Remove User Delegations
decision: One of "RESULT_DECISION_UNKNOWN", "RESULT_DECISION_NONE", "RESULT_DECISION_ACCEPTED", "RESULT_DECISION_REJECTED", "RESULT_DECISION_FIXED"
notes (string)
signed_off_state: One of "UNKNOWN", "NOT_SIGNED_OFF", "SIGNED_OFF"
GET /api/preview/awf/certifications/{certification_id}/reviewer_infos
certification_id (string, required): ID of a workflow certification
GET /api/preview/awf/access_graph
certification_id (string, required): ID of a workflow certification
result_id (int, required): Certification result number to get access for
snapshot_id (string, optional): Graph snapshot to get results from
POST /api/preview/awf/certifications/{certification_id}/results:update_webhook_info
Prevent auto assignment for specific users
View or change the deny list for reviewer auto assignment.
Adding a user to the deny list will prevent that user from being auto assigned as a reviewer. That user will also be prevented from appearing in the drop-down menu when manually reassigning a user.
If a user's manager is on the deny list when auto assignment occurs, the certification will be assigned to that manager's manager. If both the manager and the manager's manager are on the deny list, the result will be assigned to the workflow creator.
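The deny list, the reviewer_assignment instructions (users_manager, resource_managers, reviewers, fallback_reviewers) and reviewer delegation all feed into who ends up on a row, and it is worth being able to predict that outcome before a certification is created, for instance to confirm that a denied manager's rows really land on the workflow creator rather than on nobody. The following is an added example, not code from this page or from Veza: it models the documented rules (denied manager to manager's manager, both denied to workflow creator, auto-assignment failure to fallback_reviewers, delegates added alongside the original reviewer). The org data is constructed; `managers` stands in for the Global IdP manager relationship and `resource_owners` for resource-manager lookup, and the treatment of a denied manager who has no manager of their own (sent to the workflow creator) is an assumption the page does not state.

```python
"""Predict reviewer assignment for a certification row from the documented rules.

Added example (not Veza's code); the server performs the real resolution. The
managers / resource_owners mappings and all ids below are constructed.
"""


def manager_with_deny_fallback(user_id, managers, deny_list, workflow_creator):
    """Manager of user_id, applying the deny-list rules from this page:
    denied manager -> that manager's manager; both denied -> workflow creator.
    Assumption: a denied manager with no manager of their own also falls to the
    workflow creator. A user with no manager at all returns None (auto-assign fails)."""
    manager = managers.get(user_id)
    if manager is None:
        return None
    if manager not in deny_list:
        return manager
    grand = managers.get(manager)
    if grand is not None and grand not in deny_list:
        return grand
    return workflow_creator


def resolve_reviewers(row, instructions, managers, resource_owners, deny_list,
                      delegations, workflow_creator):
    """Return the ordered, de-duplicated reviewer ids for one result row.

    instructions mirrors ReviewerAssignmentInstructions: users_manager and
    resource_managers (bool), reviewers and fallback_reviewers (lists of ids).
    """
    assigned = list(instructions.get("reviewers", []))  # applied to every row
    auto_requested = bool(instructions.get("users_manager") or instructions.get("resource_managers"))
    auto = []
    if instructions.get("users_manager"):
        m = manager_with_deny_fallback(row["source"]["id"], managers, deny_list, workflow_creator)
        if m is not None:
            auto.append(m)
    if instructions.get("resource_managers"):
        for owner in resource_owners.get(row["destination"]["id"], []):
            if owner not in deny_list:  # denied users are never auto-assigned
                auto.append(owner)
    if auto_requested and not auto:
        auto = list(instructions.get("fallback_reviewers", []))  # auto-assignment failed
    assigned.extend(auto)

    # A delegate is added next to the original reviewer, who can still act on the row.
    with_delegates = []
    for reviewer in assigned:
        with_delegates.append(reviewer)
        if reviewer in delegations:
            with_delegates.append(delegations[reviewer])
    return list(dict.fromkeys(with_delegates))  # de-duplicate, keep order


# Constructed org data (not real identities).
MANAGERS = {"alice": "bob", "bob": "carol", "carol": "dave", "frank": "gina"}
RESOURCE_OWNERS = {"prod-bucket": ["oscar"]}
DENY_LIST = {"bob", "carol"}
DELEGATIONS = {"gina": "henry"}
DEFAULT_INSTRUCTIONS = {"users_manager": True, "resource_managers": False,
                        "reviewers": [], "fallback_reviewers": ["fallback-reviewer"]}


def demo(source_id, destination_id="prod-bucket", instructions=DEFAULT_INSTRUCTIONS):
    row = {"source": {"id": source_id}, "destination": {"id": destination_id}}
    return resolve_reviewers(row, instructions, MANAGERS, RESOURCE_OWNERS,
                             DENY_LIST, DELEGATIONS, "wf-creator")


if __name__ == "__main__":
    for user in ("alice", "frank", "zed"):
        print(user, "->", demo(user))
```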
Returns the current denied users.
get /api/preview/workflows/deny_list/users
Example response:
Note: To get the user_type for a Veza system user, as well as the user_id and name, view network traffic in the browser while searching for the user in a reviewer selection drop-down.
post /api/preview/workflows/deny_list/users:add
Example body:
Delete an entry on the deny list.
post /api/preview/workflows/deny_list/users:remove
Example body:
Return a single certification result
Returns result details by id, including any special properties, decisions, and notes.
GET /api/preview/awf/certifications/{certification_id}/results/{result_id}
Parameters
certification_id (string, required): Certification id
result_id (string, required): Result number to retrieve
Request
Response
Add a user, either a or an identity from a .
For more information about the Result object see .
Get, create, update, delete, and attach Intelligent Automations.
Use these operations to manage Access Review Automations and associate them with individual workflows.
Automations apply changes (such as approve, sign-off, add a note, or apply visual indicators) to Certification rows based on historical certification data, or a filter on the current results. They can run by default or on an opt-in basis when a certification is created.
You will need an API token with root team or administrator permissions to manage Automations.
The following rules apply when an Automation run encounters an issue:
If Automation processing fails for any result, the Automation run stops and no further Automations are applied.
When Automations fail, the Certification is still considered complete and non-errored. The Automation run will have an error status and message.
Results are considered the same when the entities and relationships are exactly equal (including data source IDs). If a conflict occurs with Automations trying to change the same mutable field:
Each change must update the field to the same value. The action log entry will contain notes (if supplied) for each action.
Automations changing a field to differing values are unresolvable conflicts and skipped, but will not interrupt the Automation run.
An Automation consists of attachment_behavior rules, filter criteria, and an action to apply:
Each Automation object has the fields:
id (String): Unique identifier for the Automation.
name (String): Name of the Automation.
description (String): A brief description of the Automation.
priority (Integer): Priority value of the Automation (not currently supported).
attachment_behavior (Object): Defines if the Automation is available for all workflows, and whether it is optional:
  attach_to_new_workflows (Boolean): Indicates whether to automatically attach to new and existing workflows.
  opt_in (Boolean): If true, Operators can pick the automation when creating a Workflow. If false, the automation is enabled by default.
criteria (Object): Specifies filters for conditionally updating results:
  filter (String): A SCIM filter specifying a source or destination attribute, with support for complex expressions using AND, OR, and parentheses for grouping. Examples:
    Simple filter: source.is_active eq false
    Complex filter: (source.name sw "A" OR source.name sw "B") AND destination.is_active eq true
  mutable_filter (String): A filter on a previous result's mutable field using the syntax previous.attribute. Example: "previous.decision eq "RESULT_DECISION_ACCEPTED""
Similarly to Smart Actions, Automations can update results based on a source or destination attribute (such as activity status). Filters use the syntax source.attribute or destination.attribute.
Mutable filters in Automations use the syntax previous.decision, previous.notes and previous.signed_off_state to refer to historical row data. The possible values are:
decision: "RESULT_DECISION_UNKNOWN", "RESULT_DECISION_NONE", "RESULT_DECISION_ACCEPTED", "RESULT_DECISION_REJECTED", "RESULT_DECISION_FIXED"
notes: string
signed_off_state: "UNKNOWN", "NOT_SIGNED_OFF", "SIGNED_OFF"
action
(Object)Action the Automation will apply to matching results:
decision
(String): Decision code for the action.
signed_off_state
(String): Sign off state code.
notes
(String): Notes the automation will apply.
display_style
(String): Visual indicator to apply to matching rows:
HIGHLIGHT
: Highlight the row
SUGGEST_ACCEPT
: Mark the row as suggested for acceptance
SUGGEST_REJECT
: Mark the row as suggested for rejection
display_text
(String): Custom message to show when display_style is set
Note: When using display_style actions, you cannot set decision, signed_off_state, notes, or reviewer_assignment fields.
Possible decisions and numeric codes are:
UNKNOWN
(0
)
NONE
(1
)
ACCEPTED
(2
)
REJECTED
(3
)
FIXED
(4
)
Signed Off State can be:
UNKNOWN_SIGNED_OFF
= 0;
NOT_SIGNED_OFF
= 1;
SIGNED_OFF
= 2;
reviewer_assignment
(Object)The preview API does not currently support Reviewer assignment.
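As an added example (not Veza's code), the following Python models the filter grammar shown above (`eq` and `sw` comparisons, AND, OR and parentheses over `source.`, `destination.` and `previous.` attributes) together with the conflict rule for mutable fields: it runs constructed Automations over constructed result rows and reports, per row, which fields were applied and which were skipped because two Automations disagreed. The row shape, the sample identities and the Automation names are assumptions made for the example; the real service evaluates filters server-side.

```python
# Added example, not Veza's code: a local model of how an Automation's filter and
# mutable_filter select result rows and how conflicting changes are resolved.
import re

_TOKEN = re.compile(r'\(|\)|"[^"]*"|[^\s()"]+')  # SCIM subset: ( ) "string" bare words

def _literal(tok):
    """Quoted string -> str, true/false -> bool, anything else used as-is."""
    if tok.startswith('"'):
        return tok[1:-1]
    return tok.lower() == "true" if tok.lower() in ("true", "false") else tok

def _parse_chain(toks, i, word, sub):
    """Left-associative chain: sub (word sub)*; used for OR over AND over atoms."""
    left, i = sub(toks, i)
    while i < len(toks) and toks[i].upper() == word:
        right, i = sub(toks, i + 1)
        left = (word.lower(), left, right)
    return left, i

def _parse_atom(toks, i):
    """atom := '(' expr ')' | attribute operator value"""
    if toks[i] == "(":
        node, i = _parse_or(toks, i + 1)
        if i >= len(toks) or toks[i] != ")":
            raise ValueError("unbalanced parentheses")
        return node, i + 1
    if i + 2 >= len(toks):
        raise ValueError("incomplete comparison")
    return ("cmp", toks[i], toks[i + 1].lower(), _literal(toks[i + 2])), i + 3

def _parse_and(toks, i): return _parse_chain(toks, i, "AND", _parse_atom)
def _parse_or(toks, i): return _parse_chain(toks, i, "OR", _parse_and)

def _lookup(row, path):
    """Resolve a dotted path such as source.is_active or previous.decision."""
    cur = row
    for part in path.split("."):
        cur = cur.get(part) if isinstance(cur, dict) else None
    return cur

def _eval(node, row):
    if node[0] == "cmp":
        _, attr, op, want = node
        have = _lookup(row, attr)
        if op == "eq":
            return have == want
        if op == "sw":
            return isinstance(have, str) and have.startswith(str(want))
        raise ValueError(f"unsupported operator: {op}")
    lhs, rhs = _eval(node[1], row), _eval(node[2], row)
    return (lhs and rhs) if node[0] == "and" else (lhs or rhs)

def matches(expr, row):
    """True when the filter holds for a row {"source": .., "destination": .., "previous": ..}."""
    toks = _TOKEN.findall(expr)
    node, i = _parse_or(toks, 0)
    if i != len(toks):
        raise ValueError("trailing tokens in filter")
    return _eval(node, row)

MUTABLE_FIELDS = ("decision", "signed_off_state", "notes")

def run_automations(automations, rows):
    """Per row, collect each matching Automation's mutable-field changes; apply a field
    only when every proposal agrees, and record disagreeing fields as skipped."""
    outcomes = []
    for row in rows:
        proposed = {}  # field -> [(automation name, value)]
        for auto in automations:
            crit = auto.get("criteria", {})
            if crit.get("filter") and not matches(crit["filter"], row):
                continue
            if crit.get("mutable_filter") and not matches(crit["mutable_filter"], row):
                continue
            for field in MUTABLE_FIELDS:
                if field in auto["action"]:
                    proposed.setdefault(field, []).append((auto["name"], auto["action"][field]))
        applied = {f: c[0][1] for f, c in proposed.items() if len({v for _, v in c}) == 1}
        skipped = {f: [n for n, _ in c] for f, c in proposed.items() if f not in applied}
        outcomes.append({"applied": applied, "skipped": skipped})
    return outcomes

def _row(user, user_active, dest_active, decision):
    """Constructed sample result row (not real Veza data)."""
    return {"source": {"name": user, "is_active": user_active},
            "destination": {"name": "prod-db", "is_active": dest_active},
            "previous": {"decision": decision, "notes": "", "signed_off_state": "NOT_SIGNED_OFF"}}

ROWS = [_row("alice", True, True, "RESULT_DECISION_NONE"),
        _row("ctr-bob", True, True, "RESULT_DECISION_NONE"),
        _row("carol", False, True, "RESULT_DECISION_ACCEPTED")]

AUTOMATIONS = [  # constructed; decisions given in the string form the API accepts
    {"name": "accept-active", "criteria": {"filter": "destination.is_active eq true",
     "mutable_filter": 'previous.decision eq "RESULT_DECISION_NONE"'},
     "action": {"decision": "RESULT_DECISION_ACCEPTED", "notes": "auto-accepted"}},
    {"name": "flag-contractors", "criteria": {"filter":
     '(source.name sw "ctr-" OR source.name sw "vendor-") AND destination.is_active eq true'},
     "action": {"decision": "RESULT_DECISION_REJECTED", "notes": "contractor access needs review"}},
    {"name": "reject-inactive", "criteria": {"filter": "source.is_active eq false"},
     "action": {"decision": "RESULT_DECISION_REJECTED"}},
    {"name": "reject-disabled", "criteria": {"filter": "source.is_active eq false"},
     "action": {"decision": "RESULT_DECISION_REJECTED"}},
]
```

Running `run_automations(AUTOMATIONS, ROWS)` shows the three cases that matter in practice: `alice` is accepted by a single Automation; `ctr-bob` matches both `accept-active` and `flag-contractors`, so `decision` and `notes` are skipped as unresolvable; `carol` is rejected because two Automations propose the same value, which the rule above treats as a single agreed change. The `mutable_filter` also keeps `accept-active` from overriding a row that was already accepted in a previous result.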
Use the endpoints documented below to create and manage Automations:

Endpoint: /api/preview/awf/automations
Method: GET
Description: Returns all Automations and configuration details.

Endpoint: /api/preview/awf/automations
Method: PUT
Description: Updates an existing Automation. The full Automation object is required.

Endpoint: /api/preview/awf/automations
Method: POST
Description: Creates a new Automation.

Endpoint: /api/preview/awf/automations/{id}
Method: GET
Description: Get details for a single Automation by ID.

Endpoint: /api/preview/awf/automations/{id}
Method: DELETE
Description: Deletes a specific Automation by its ID.

Endpoint: /api/preview/awf/automations:attach
Method: POST
Description: Enable an Automation for a specific workflow, or all workflows.

Attach one or all Automations to a single workflow by specifying the:

- `id` (String): Single Automation ID.
- `workflow_id` (String): ID of the workflow to associate Automations with.
- `all` (Boolean): If `true`, attaches all existing Automations to the Workflow.
- `opt_in` (Boolean): If `false`, the Automation can be selected when creating a certification. Otherwise, operators can enable it when creating certifications.

Endpoint: /api/preview/awf/automations:attached/{workflow_id}
Method: GET
Description: Returns all Automations eligible to run on Certifications for a given Workflow `id`.

Endpoint: /api/preview/awf/automations:detach
Method: POST
Description: Detach one or all Automations from an Access Review Workflow.
Manage custom help pages for Veza Access Reviews.

Use these operations to add and manage help pages for access reviewers, and to customize pop-up messages when a review starts or when rows are signed off.

Endpoint: /api/preview/awf/help_page_templates
Method: POST

Add custom help messages for reviewers by providing the plain text `template_body`, `name`, and an existing `workflow_id` and `usage` where the template will apply. All reviews (certifications) for the configuration (workflow) will use the new template.

The `usage` field determines how and when the help page will be visible to users. It must be one of the following values:

- `HELP_PAGE`: Reviewers can open help pages from the reviewer interface by clicking the User Guide icon. The help page will also appear when viewing the review for the first time.
- `REVIEW_START`: Opens when reviewers start a review.
- `SIGN_OFF`: Opens whenever a row or multiple rows are signed off by a reviewer.

Only one help page can exist at a time for a given workflow and usage. You can manage global help pages by using `00000000-0000-0000-0000-000000000000` as the `workflow_id`. Global help pages for each usage will apply to all reviews for all configurations.

The template can use markdown and placeholders.

Endpoint: /api/preview/awf/help_page_templates
Method: GET

Get all configured help page templates. Returns all templates in a `values` array.

Endpoint: /api/preview/awf/help_page_templates/{workflow_id}/{usage}
Method: GET

Returns the current help page template for an existing `workflow_id` and `usage`.

The `usage` parameter must be specified. For the existing help page template, the usage value should be `HELP_PAGE`.

To retrieve the tenant-wide default template (if it was set), use an all-zero UUID (`00000000-0000-0000-0000-000000000000`) for the `workflow_id`.

Endpoint: /api/preview/awf/certification_help_page?certification_id={cert_id}
Method: GET

Returns the current template for a given certification id.

Endpoint: /api/preview/awf/help_page_templates/{workflow_id}/{usage}
Method: DELETE

Permanently remove the help page template for a `workflow_id` and `usage`. It will no longer apply to reviews that use the configuration specified by `workflow_id`.

The `usage` parameter must be specified. For the existing help page template, the usage value should be `HELP_PAGE`.

To clear the tenant-wide default template, use an all-zero UUID for the `workflow_id`: `00000000-0000-0000-0000-000000000000`.

Endpoint: /api/preview/awf/help_page_templates
Method: PUT

Update the help page for the specified `workflow_id` and `usage`.

To add a tenant-wide default template, use an all-zero UUID for the `workflow_id`: `00000000-0000-0000-0000-000000000000`.

Updating a template now uses a plain text `template_body`, instead of a base64-encoded string.
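The Automation endpoints and the help page operations above can be driven from a small client. The following is an added example, not Veza's own code or SDK: it builds the requests for creating an Automation (enforcing the `display_style` rule client-side before sending), attaching it to a workflow, and setting a help page template, and sends them with `urllib`. Assumptions that this page does not state: the API token is sent as a Bearer token in the `Authorization` header, the `PUT` body uses the same fields as the `POST`, the create response carries the new Automation's `id`, and the tenant URL, token and workflow id are placeholders you replace.

```python
# Added example, not Veza's code. Assumptions: Bearer token auth in the Authorization
# header; PUT help_page_templates takes the same body fields as POST; the create
# response includes the new Automation's id. Tenant URL, token and ids are placeholders.
import json
import urllib.request

GLOBAL_WORKFLOW_ID = "00000000-0000-0000-0000-000000000000"  # tenant-wide help pages
HELP_USAGES = ("HELP_PAGE", "REVIEW_START", "SIGN_OFF")
DISPLAY_ONLY_CONFLICTS = ("decision", "signed_off_state", "notes", "reviewer_assignment")

def build_request(base_url, token, method, path, body=None):
    """Describe one API call as a dict; nothing is sent until send() is called."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    if body is not None:
        headers["Content-Type"] = "application/json"
    return {"method": method, "url": base_url.rstrip("/") + path, "headers": headers, "body": body}

def validate_action(action):
    """Enforce the documented rule: a display_style action cannot also set decision,
    signed_off_state, notes or reviewer_assignment."""
    if "display_style" in action:
        clash = [k for k in DISPLAY_ONLY_CONFLICTS if k in action]
        if clash:
            raise ValueError("display_style cannot be combined with: " + ", ".join(clash))
    return action

def create_automation_request(base_url, token, name, action, filter_expr=None,
                              mutable_filter=None, description="", opt_in=True):
    """POST /api/preview/awf/automations with the Automation object fields documented above."""
    criteria = {k: v for k, v in (("filter", filter_expr), ("mutable_filter", mutable_filter)) if v}
    automation = {
        "name": name,
        "description": description,
        "priority": 0,  # documented as not currently supported
        "attachment_behavior": {"attach_to_new_workflows": False, "opt_in": opt_in},
        "criteria": criteria,
        "action": validate_action(action),
    }
    return build_request(base_url, token, "POST", "/api/preview/awf/automations", automation)

def attach_request(base_url, token, workflow_id, automation_id=None, opt_in=True):
    """POST /api/preview/awf/automations:attach for one Automation (id) or all of them."""
    body = {"workflow_id": workflow_id, "opt_in": opt_in}
    if automation_id:
        body["id"] = automation_id
    else:
        body["all"] = True
    return build_request(base_url, token, "POST", "/api/preview/awf/automations:attach", body)

def help_page_request(base_url, token, name, usage, template_body, workflow_id=GLOBAL_WORKFLOW_ID):
    """PUT /api/preview/awf/help_page_templates; defaults to the all-zero (global) workflow id."""
    if usage not in HELP_USAGES:
        raise ValueError(f"usage must be one of {HELP_USAGES}, got {usage!r}")
    body = {"name": name, "usage": usage, "workflow_id": workflow_id, "template_body": template_body}
    return build_request(base_url, token, "PUT", "/api/preview/awf/help_page_templates", body)

def send(request, timeout=30):
    """Perform a request built above and return the decoded JSON response."""
    data = None if request["body"] is None else json.dumps(request["body"]).encode()
    req = urllib.request.Request(request["url"], data=data, headers=request["headers"],
                                 method=request["method"])
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}

if __name__ == "__main__":
    # Placeholders (assumed): replace with your tenant URL, API token and workflow id.
    base, token = "https://<your-tenant>.veza.com", "<api-token>"
    created = send(create_automation_request(
        base, token, "reject-inactive-users",
        {"decision": "RESULT_DECISION_REJECTED", "notes": "identity is inactive"},
        filter_expr="source.is_active eq false"))
    send(attach_request(base, token, "<workflow-id>", automation_id=created.get("id")))
    send(help_page_request(base, token, "Reviewer guide", "HELP_PAGE", "# How to review\n..."))
```

Keeping the request builders separate from `send()` means the payloads can be unit-tested offline, and `validate_action()` turns the note about `display_style` into a check that fails before a malformed Automation ever reaches the API.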
If no value is passed for `workflow_id`, all smart actions are returned. If `workflow_id` is not `""`, smart actions with a matching `workflow_id` or with an empty `workflow_id` are returned.

Attach: attaches an Automation to one or all workflows. Attach succeeds if the Automation is already attached, and will update `opt_in` if necessary.

Detach: detaches an Automation from one or all workflows.