Methods for interacting with workflows and certifications
These endpoints enable listing workflows, listing certifications, getting certification results, and updating certifications. They can be used to programmatically retrieve workflow and certification details, and update certification rows with a decision or note, such as ticket number.
These endpoints also provide utility functionality, such as managing the reviewer deny list, populating results with webhook response info, and customizing quick filters, smart actions, and help pages.
APIs for Veza Access Reviews are subject to change, and as such are provided with the /preview API collection. Use the appropriate prefix when calling the API, for example, your-org.vezacloud.com/api/preview/.
First, save your API key and Veza base URL as environment variables:
export VEZA_TOKEN=APIKEY
export BASE_URL=https://preview.vezacloud.com
Get all workflows and IDs:
curl "$BASE_URL/api/preview/awf/workflows" \
-H "authorization: Bearer $VEZA_TOKEN"
Use a workflow id to get active and pending certifications for that workflow:
curl "$BASE_URL/api/preview/awf/certifications?workflow_id=b9dc2586-5f30-4462-b6be-53f62debc40f" \
-H "authorization: Bearer $VEZA_TOKEN"
The response will include certification details, including the certification ids.
Using a certification id, you can get results for the certification, including entity attributes:
curl "$BASE_URL/api/preview/awf/certifications/b2562ef3-a4b3-4b30-8a45-1ba36f945d10/results?offset=0&size=30" \
-H "authorization: Bearer $VEZA_TOKEN"
Update a certification result row with a note:
curl -X PUT "$BASE_URL/api/preview/awf/certifications/b2562ef3-a4b3-4b30-8a45-1ba36f945d10/results" \
-H "authorization: Bearer $VEZA_TOKEN" \
-d '{"value": {"result_id": 0,"decisions": "REJECTED", "notes": "Over-privileged"}}'
Prevent auto assignment for specific users
View or change the deny list for reviewer auto assignment.
Adding a user to the deny list will prevent that user from being auto assigned as a reviewer. That user will also be prevented from appearing in the drop-down menu when manually reassigning a user.
If a user's manager is on the deny list when auto assignment occurs, the certification will be assigned to that manager's manager. If both the manager and the manager's manager are on the deny list, the result will be assigned to the workflow creator.
Returns the current denied users.
GET /api/preview/workflows/deny_list/users
Example response:
{
"users": [
{
"user_type": "OktaUser",
"id": "123456",
"email": "[email protected]",
"name": "Marilyn Hines"
}
]
}
Add a user, either a Veza system user or an identity from a configured graph Identity Provider.
Note: To get the user_type for a Veza system user, as well as the user_id and name, view network traffic in the browser while searching for the user in a reviewer selection drop-down.
POST /api/preview/workflows/deny_list/users:add
Example body:
{
"users": [
{
"user_type": "OktaUser",
"id": "123456",
"email": "[email protected]",
"name": "Marilyn Hines"
}
]
}
Delete an entry on the deny list.
POST /api/preview/workflows/deny_list/users:remove
Example body:
{
"users": [
{
"user_type": "OktaUser",
"id": "123456",
"email": "[email protected]",
"name": "Marilyn Hines"
}
]
}
Add suggested notes for reviewer decisions.
Configure predefined notes as menu options when reviewers approve or reject rows. This feature can be configured globally for all reviews or specifically for individual review configurations. When configured for a specific review configuration (using workflow_id), those settings override any global predefined notes.
The predefined notes appear as selectable options in the notes dialog when making decisions, suggesting standardized responses alongside free-form text entry.
The request body accepts:
reject_notes: Array of predefined note options shown when rejecting rows
accept_notes: Array of predefined note options shown when approving rows
workflow_id: (Optional) Specific review configuration ID to override global settings
Example request body:
{
"value": {
"reject_notes": [
"Rotate now",
"Delete secret"
],
"accept_notes": []
},
"workflow_id": "8ae1c414-3a76-46cb-950a-925316b3f264"
}
Retrieve the current predefined notes settings. Include the optional workflow_id query parameter to get settings for a specific review configuration.
Global Settings Request:
curl -L 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/predefined_decision_notes' \
-H 'Authorization: Bearer YOUR_API_KEY'
Configuration-Specific Request:
curl -L 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/predefined_decision_notes?workflow_id=8ae1c414-3a76-46cb-950a-925316b3f264' \
-H 'Authorization: Bearer YOUR_API_KEY'
Example response:
{
"value": {
"reject_notes": [
"Rotate now",
"Delete secret"
],
"accept_notes": []
}
}
Update the predefined notes settings globally or for a specific review configuration.
Configuration-Specific Request:
curl -L -X PUT 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/predefined_decision_notes' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer YOUR_API_KEY' \
-d '{
"value": {
"reject_notes": [
"Rotate now",
"Delete secret"
],
"accept_notes": []
},
"workflow_id": "8ae1c414-3a76-46cb-950a-925316b3f264"
}'
Customize notes behavior and UI elements for reviewers.
By default, when a reviewer approves a row, a "notes" pop-up appears, allowing the user to optionally add a note explaining their decision. When a reviewer rejects a row, the "notes" pop-up appears, and adding a note is required. This API allows you to customize this behavior. For example, you can choose to disable the pop-up when a row is approved and make the notes pop-up optional when a row is rejected.
Additionally, this API can enable the historical "Approve & Signoff" action in the reviewer experience when multiple rows are selected. Note: It is recommended that this feature remains disabled to ensure a more streamlined reviewer experience.
accept_notes_behavior can be:
NOTES_BEHAVIOR_UNKNOWN = 0
NO_POP_UP = 1
POP_UP_OPTIONAL = 2
POP_UP_REQUIRED = 3
reject_notes_behavior can be:
NOTES_BEHAVIOR_UNKNOWN = 0
NO_POP_UP = 1
POP_UP_OPTIONAL = 2
POP_UP_REQUIRED = 3
approve_and_sign_off_button_behavior can be:
HIDE_OR_SHOW_BEHAVIOR_UNKNOWN = 0
SHOW = 1
HIDE = 2
diff_dropdown_behavior can be:
NORMAL = 1 (Enables all users to see decisions and access changes from previous reviews for the same configuration)
ALWAYS_HIDE_FOR_ACCESS_REVIEWER_ROLE = 2 (Prevents users with the "Access Reviewer" role from accessing this option)
{
"value": {
"diff_dropdown_behavior": "ALWAYS_HIDE_FOR_ACCESS_REVIEWER_ROLE",
"accept_notes_behavior": "NO_POP_UP",
"reject_notes_behavior": "POP_UP_REQUIRED",
"approve_and_sign_off_button_behavior": "SHOW"
}
}
Enable or disable automatic review completion once all rows have decisions.
Enable or disable the "auto-complete" feature. When auto-complete is enabled, a review will automatically be completed once all rows have a signed-off decision, or a non-rejected signed-off decision, depending on the "Completion Allowed Settings."
Possible values are:
AUTO_COMPLETE_UNKNOWN
AUTO_COMPLETE_ENABLED
AUTO_COMPLETE_DISABLED
{
"value": "AUTO_COMPLETE_DISABLED"
}
Customizing saved filters for certification reviewers.
List, create, and delete saved filters, globally or for a single workflow. Reviewers can pick from available quick filters under Certification Filters > Saved Filters.
Requests require a for authentication.
Add a quick filter by specifying an optional workflow_id and a single source or destination node property, corresponding to a Review interface column.
Filters can also apply to abstract_permissions or concrete_permissions (see example response).
Valid filter operators are:
co: "contains"
eq: "equals"
ne: "not equals"
sw: "starts with"
ew: "ends with"
With a workflow_id specified, the filter will only apply to certifications on that workflow. Otherwise, reviewers can apply the quick filter to any certification:
A successful response will contain the filter id, for example:
Including a workflow_id in the query returns quick filters with a matching workflow_id and quick filters with no workflow_id:
Example response:
Prevent users from being assigned as reviewers for rows that relate to their own access and permissions.
Enable or disable self-review prevention. When self-review prevention is enabled, users are prevented from being assigned as reviewers for rows that relate to their own access and permissions.
The value can be either an integer or string:
SELF_REVIEWER_CHECKING_DISABLED = 1 (or "SELF_REVIEWER_CHECKING_DISABLED" as string)
SELF_REVIEWER_CHECKING_ENABLED = 2 (or "SELF_REVIEWER_CHECKING_ENABLED" as string)
Example using string value:
Example using integer value:
Example cURL request:
Set default sort order for review rows.
Configure the default order in which review rows are displayed. Note: Users can later sort the rows as they prefer.
The order is specified using a SCIM "order by" expression. The default value is source.type asc.
Valid values include:
source.ATTR
destination.ATTR
waypoint.ATTR
idp.ATTR
Where ATTR is an attribute name such as "id" or "name".
Auto-expire overdue reviews.
This setting is configurable on the Access Reviews > Settings page. Enable Auto-Expire overdue reviews to automatically expire reviews that aren't completed by the due date.
Enable or disable expiration of overdue reviews. By default, overdue reviews are not expired and remain available to reviewers. When expiration is enabled, the review will be "expired" when it becomes overdue. An expired review is read-only and is not shown to reviewers.
The value can be True or False.
GET, POST, DELETE {Veza URL}/api/preview/awf/quick_filters
POST {Veza URL}/api/preview/awf/quick_filters
{
"name": "custom filter",
"filter": "source.type co \"admin\"",
"workflow_id": "ad78350a-bfe5-4eff-a160-dccbe28c6961"
}
{
"id": "41761624-cb9c-4668-be69-3b0f359a45e3"
}
GET {Veza URL}/api/preview/awf/quick_filters
GET {Veza URL}/api/preview/awf/quick_filters?workflow_id=78be0b3d-d6f4-4e5d-98c4-7b1db1a88575
{
"values": [
{
"id": "4a1dbf1a-282f-4faf-81f2-6ee3752b5cb2",
"name": "User type = admin",
"workflow_id": "78be0b3d-d6f4-4e5d-98c4-7b1db1a88575",
"filter": "source.type eq \"admin\""
},
{
"id": "69b131b0-8af5-4ab1-9099-91c03ca54555",
"name": "abstract permissions include delete",
"workflow_id": "",
"filter": "abstract_permissions co \"Delete\""
},
{
"id": "88e5d197-6555-4e3f-a48d-43713b340a2c",
"name": "destination org filter",
"workflow_id": "",
"filter": "destination.google_cloud_organization_name eq \"acme\""
},
{
"id": "df944da1-76fe-42e0-829e-b8bf0a200f39",
"name": "concrete permissions include abort multipart upload",
"workflow_id": "78be0b3d-d6f4-4e5d-98c4-7b1db1a88575",
"filter": "concrete_permissions co \"s3:AbortMultipartUpload\""
},
{
"id": "f722936d-a8f7-4b38-acb2-a41e12ec2673",
"name": "User type is AwsIamUser",
"workflow_id": "78be0b3d-d6f4-4e5d-98c4-7b1db1a88575",
"filter": "source.type co \"AwsIamUser\""
}
]
}
DELETE {Veza URL}/api/preview/awf/quick_filters/d31cfa3f-1999-4789-8ec1-a844c03dd622
Update status info for custom webhooks
Updates webhook status and details for a certification result.
If you have configured a custom webhook to conduct automated access removal or another form of remediation, you can update Veza with the notification status.
Your application can use this endpoint to send a POST request updating the webhook state, visible to other reviewers from Veza's Certification UI.
POST /api/preview/awf/certifications/{certification_id}/results:update_webhook_info
Path parameters
certification_id - id of the certification containing the result to update.
Body
{
"result_id": "0",
"notification_status": "FAILED",
"webhook_info": "Ticket could not be created"
}
The request body must include the id of the result to update. Valid notification_status values are:
PENDING
SUCCEED
FAILED
webhook_info strings can contain up to 255 bytes.
Response
A successful response will be empty {}
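A webhook handler usually has an arbitrary error string in hand when it reports back, so the 255-byte limit and the three allowed status values are worth enforcing before the request is sent. The following is an added example, not Veza code: build_webhook_update and truncate_utf8 are hypothetical helper names, and it assumes certification ids are UUIDs as in the examples on this page.

```python
import json
import uuid

VALID_STATUSES = ("PENDING", "SUCCEED", "FAILED")  # values listed on this page
MAX_INFO_BYTES = 255                               # webhook_info limit from this page


def truncate_utf8(text, limit=MAX_INFO_BYTES):
    """Cut text to at most `limit` UTF-8 bytes without splitting a character."""
    raw = text.encode("utf-8")
    if len(raw) <= limit:
        return text
    # errors="ignore" drops the incomplete multi-byte sequence left at the cut.
    return raw[:limit].decode("utf-8", errors="ignore")


def build_webhook_update(certification_id, result_id, status, info=""):
    """Return (path, json_body) for a results:update_webhook_info request.

    Raises ValueError for a certification id that is not a UUID, a negative
    or non-numeric result id, or a status outside VALID_STATUSES.
    """
    # Normalising through uuid.UUID keeps anything path-like out of the URL.
    cert = str(uuid.UUID(str(certification_id)))
    row = int(result_id)
    if row < 0:
        raise ValueError("result_id must not be negative")
    if status not in VALID_STATUSES:
        raise ValueError("notification_status must be one of %s" % (VALID_STATUSES,))
    # Collapse newlines and tabs (stack traces, ticket-system errors) to one
    # line, then apply the byte limit. This clean-up is a choice made here.
    one_line = " ".join(info.split())
    body = {
        "result_id": str(row),  # the example body on this page sends a string
        "notification_status": status,
        "webhook_info": truncate_utf8(one_line),
    }
    path = "/api/preview/awf/certifications/%s/results:update_webhook_info" % cert
    return path, json.dumps(body)


if __name__ == "__main__":
    # Constructed input: a long, multi-line error from a ticketing integration.
    error = "Ticket could not be created\n" + "détail " * 60
    path, body = build_webhook_update(
        "b2562ef3-a4b3-4b30-8a45-1ba36f945d10", 0, "FAILED", error)
    print("POST", path)
    print(body)
```

Send the returned body with the same bearer token header used elsewhere on this page.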
{
"value": "SELF_REVIEWER_CHECKING_DISABLED"
}
{
"value": 1
}
curl -L -X PUT 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/self_reviewer_settings' \
-H 'Authorization: Bearer YOUR_SECRET_TOKEN' \
-H 'Content-Type: application/json' \
-d '{
"value": 1
}'
{
"value": {
"order_by": "destination.name desc"
}
}
Configure what happens when reviews expire.
This setting is configurable on the Access Reviews > Settings page. Enable Reject incomplete rows to reject and sign off on undecided rows when a review expires.
This API allows you to change the behavior when a review expires (which can be enabled in Review Auto-Complete Settings). Depending on the behavior, incomplete rows can be auto-rejected when the review deadline passes.
Review expiration behavior can be configured globally, or for all reviews for a single Review Configuration, specified by workflow_id in the request.
The request body must include a setting object with the following structure:
{
"workflow_id": "string",
"setting": {
"behavior": 0,
"note_to_add": "string"
}
}
Where:
workflow_id (string, optional): Specific review configuration ID. If omitted, applies globally to all reviews.
setting.behavior (integer): The expiration behavior mode:
0 = DO_NOTHING: No action is made on incomplete rows (default)
1 = AUTO_REJECT_INCOMPLETE_RESULTS: Reject and sign-off any results that are incomplete when the review expires
setting.note_to_add (string, optional): Note to be added when auto-rejecting incomplete results
Example request:
{
"workflow_id": "string",
"setting": {
"behavior": 1,
"note_to_add": "Rejected incomplete result due to review expiration."
}
}
Customize the requirements for completing a review.
An Admin or Operator user can complete a review by clicking the "Complete Review" button.
Once a review is marked as "completed," it becomes read-only and is no longer visible to reviewers. By default, a review can be completed when all rows have a signed-off decision.
This API allows you to modify this behavior, enabling a review to be completed at any time, or only when all rows are signed off with a non-rejected decision. The latter option is useful if your organization prefers to complete reviews only after all rejected access has been remediated.
Possible values are:
COMPLETION_ALLOWED_UNKNOWN = 0
COMPLETION_ALLOWED_ALL_ROWS_HAVE_DECISION = 1 (Review can be completed only when all result rows have a decision)
COMPLETION_ALLOWED_ANYTIME = 2 (Review can be completed any time)
{
"value": "COMPLETION_ALLOWED_ALL_ROWS_HAVE_DECISION"
}
Require data source status acknowledgement during review creation.
By default, when a review is created, a user can optionally view the status of the data sources involved in the review. This API allows the behavior to change, requiring that the data source status is shown to the user and acknowledged during review creation.
Possible values are:
DATASOURCE_ACKNOWLEDGEMENT_UNKNOWN = 0
DATASOURCE_ACKNOWLEDGEMENT_NOT_SHOWN = 1
DATASOURCE_ACKNOWLEDGEMENT_REQUIRED = 2
Control export permissions for reviewers.
Control whether reviewers can view and export access review data. This setting provides granular control over different export formats, allowing administrators to enable or disable CSV and PDF exports independently based on organizational security policies.
When enabled, reviewers can export review data in the allowed formats for offline analysis or reporting. When disabled, the corresponding export options are hidden from the reviewer interface, ensuring review data remains within the Veza platform.
The default setting disables both CSV and PDF exports for security. This setting can be configured globally for all reviews or for specific review configurations using the workflow_id parameter.
The request body accepts:
allow_csv_exports (boolean) - Enable or disable CSV export functionality for reviewers
allow_pdf_exports (boolean) - Enable or disable PDF export functionality for reviewers
workflow_id (optional string) - Specific review configuration ID to override global settings
Example request body:
{
"value": {
"allow_csv_exports": true,
"allow_pdf_exports": false
},
"workflow_id": "8ae1c414-3a76-46cb-950a-925316b3f264"
}
Retrieve the current reviewer export permission settings. Include the optional workflow_id query parameter to get settings for a specific review configuration.
Global Settings Request:
curl -L 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/allow_reviewer_exports' \
-H 'Authorization: Bearer YOUR_API_KEY'
Configuration-Specific Request:
curl -L 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/allow_reviewer_exports?workflow_id=8ae1c414-3a76-46cb-950a-925316b3f264' \
-H 'Authorization: Bearer YOUR_API_KEY'
Example response:
{
"value": {
"allow_csv_exports": false,
"allow_pdf_exports": false
}
}
Update the reviewer export permission settings globally or for a specific review configuration.
Global Settings Request:
curl -L -X PUT 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/allow_reviewer_exports' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer YOUR_API_KEY' \
-d '{
"value": {
"allow_csv_exports": true,
"allow_pdf_exports": false
}
}'
Configuration-Specific Request:
curl -L -X PUT 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/allow_reviewer_exports' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer YOUR_API_KEY' \
-d '{
"value": {
"allow_csv_exports": true,
"allow_pdf_exports": false
},
"workflow_id": "8ae1c414-3a76-46cb-950a-925316b3f264"
}'
Example response:
{}
Workflows, certifications, and result details
This page describes common properties for listing workflows, certifications, and certification results:
When , all Veza Workflows are returned within a values array. Each has the properties:
returns all Certifications for a workflow, within a values array.
Note that to maintain certification integrity, some properties are immutable and can't be modified, while other values are system-updated. Mutable fields such as "name," "notes," "reviewers" and "due date" can be changed by operators and admins using the Veza UI:
See for more details on query construction.
Internal fields are updated by the workflow service to store important metadata:
States can be:
CERT_STATE_SEARCHING // The query is still running
CERT_STATE_IN_PROGRESS // The certification is being reviewed
CERT_STATE_COMPLETED // The review of the certification is complete
include a numeric ID, the query details, and any decisions and notes. Each result includes entity details for the source -> destination nodes and the cumulative permissions under review:
Valid decisions are:
RESULT_DECISION_NONE // No decision has been made
RESULT_DECISION_ACCEPTED // The access described in the result row is acceptable
RESULT_DECISION_REJECTED // The access described in the result row isn't correct
RESULT_DECISION_FIXED // The access was rejected, but has been fixed
Either the number or the string value for the decision is allowed, for example "decision": 4 or "decision": RESULT_DECISION_FIXED.
The notes field will always contain the most recent note. Previous notes can be reviewed in the using the List Cert Results API.
Shows source, destination, or intermediate entity details for a query result:
Reviewer details, typically a Veza user account. If are configured, the user type and id refer to Veza graph entities:
You can get details for a local Veza user from Administration > User Management. For graph entities (identities from an external identity provider), inspect the entity details using Access Search or the Entities page. will return all users for a given certification.
When assigning reviewers using preview Workflows APIs, requested users are validated before assigning them to a certification result, and not assigned when the user can’t be found. Assignee id and user_type are required to identify reviewers. name and email are optional but if provided must match the Veza user record.
Results contain a record of all prior actions on a certification result.
Possible actions are:
NOTE_ADDED
REVIEWER_ASSIGNED
DECISION
The response will include the type, id, email, and name of the user who made the change:
The reviewer_assignment specifies how reviewers should be assigned to rows, during initial certification creation or when reviewers are re-assigned by smart action.
users_manager and resource_managers assign reviewers based on Global IdP settings.
reviewers is a way to specify one or more reviewers to apply to every row. fallback_reviewers is one or more reviewers to assign to rows if auto-assignment by user or resource manager fails for any reason.
Detailed graph relationships for certification results
Returns authorization graph relationships for a certification result, including intermediate role details and accumulated permissions.
Parameters
Omit snapshot_id to get the most recent access graph. Specify the snapshot_id of the original certification to show relationships at the time of certification.
Request
Response
The out_edges of each node will contain the IDs of other directly connected nodes. For example, if "OktaUser" is connected to two "OktaGroup" nodes G1 and G2, the user's out-edges will be [{G1}, {G2}]. The node id for each connected node will be included in the response, as well as the status of the relevant data sources, for example:
API operations for customizing the behavior and functionality of Veza Access Reviews.
These endpoints can be called by providing a Veza admin user API key. See to generate a bearer token for use in requests. Note that API operations in the private namespace are subject to change as features are added or modified.
Use these APIs to configure for Veza Access Reviews.
The settings that can be configured by a Veza administrator are:
: Automatically complete reviews once all rows have a signed-off decision, or a non-rejected signed-off decision.
: Enable review completion at any time, or only when all rows are signed off with a non-rejected decision.
: Require review creators to view and acknowledge the data source status shown at review creation.
: Enable or disable expiration of overdue reviews.
: Reject and sign off incomplete rows when a review expires.
: Prevent users from being assigned as reviewers for rows that relate to their own access and permissions.
: Configure default columns which reviewers will see when they open a review.
: Set whether notes are required when approving or rejecting access.
: Set the default sort order and sorting column when opening a review.
: Add suggested notes as menu options when reviewers approve or reject rows.
: Configure default grouping behavior for review rows to organize data by column values.
: Control whether reviewers can export review data to CSV or PDF formats.
For each endpoint, a GET request returns the current setting, and a PUT request updates the setting. Use your unique Veza URL and API key (see ) in your request, for example:
Use the Postman collection as an alternative to cURL commands for testing and configuring Veza Access Reviews global settings:
To import the collection into Postman:
Download the collection file to your computer
Drag and drop the .json file directly into the Postman interface
The collection is automatically imported and appears in your Collections tab
Before using the collection, configure these required variables on the Variables tab:
The collection uses Bearer token authentication. Your apiToken variable automatically populates the Authorization header for all requests.
Important: Use HTTPS (not HTTP) for your baseUrl to avoid redirect issues that can drop request bodies in PUT/POST operations.
Get all reviewers and details by certification
Returns information about all users assigned to a certification and its results. This will include the users' email and ID, along with their progress on the certification (row_stats listing action counts by type).
A successful response returns AccessReviewerInfo objects within a values array:
GET /api/preview/awf/access_graph
certification_id (string, required): ID of a workflow certification
result_id (int, required): Certification result number to get access for
snapshot_id (string, optional): Graph snapshot to get results from
curl 'https://{{VezaURL}}/api/preview/awf/access_graph' \
-H 'authorization: Bearer '$TOKEN \
-G -d 'certification_id=abe5c346-84ad-49b0-bafc-614a8365c883' \
-d 'result_id=1'
{
"nodes": [
{
"properties": {
"id": "arn:aws:iam::973979857296:role/FederatedS3",
"name": "FederatedS3",
"type": "AwsIamRole"
},
"out_edges": [
{
"destination_node_id": "arn:aws:iam::973979857296:role/FederatedS3::eperm::877042069677/S3Bucket/2ce2cbf45bcc5d748c800358d9932a251d670509"
}
]
},
{
"properties": {
"id": "0bba9374-d4f5-4c77-93d2-7dfde581fa8a",
"name": "Abel_Maclead",
"type": "AzureADUser"
},
"out_edges": [
{
"destination_node_id": "arn:aws:iam::973979857296:role/FederatedS3"
}
]
},
{
"properties": {
"id": "arn:aws:iam::973979857296:role/FederatedS3::eperm::877042069677/S3Bucket/2ce2cbf45bcc5d748c800358d9932a251d670509",
"name": "Read",
"type": "AwsIamEffectivePermission"
},
"out_edges": [
{
"destination_node_id": "arn:aws:s3:::cct-cct02-finance"
}
]
},
{
"properties": {
"id": "arn:aws:s3:::cct-cct02-finance",
"name": "cct-cct02-finance",
"type": "S3Bucket"
},
"out_edges": []
}
],
"accumulated_effective_permissions": [
"Read"
],
"accumulated_raw_permissions": [
"s3:GetObject"
],
"datasource_infos": [
{
"datasource_id": "160e97cf-4b8a-4841-800b-49f8d6fa17ef",
"external_id": "160e97cf-4b8a-4841-800b-49f8d6fa17ef",
"name": "",
"last_sync_time": "2022-09-12T22:15:34.874682421Z",
"agent_type": "",
"has_error": false,
"is_deleted": false,
"reason": "",
"last_error_message": "",
"has_warning": false
},
{
"datasource_id": "",
"external_id": "",
"name": "",
"last_sync_time": "2022-09-12T22:09:47.245436023Z",
"agent_type": "",
"has_error": false,
"is_deleted": false,
"reason": "",
"last_error_message": "",
"has_warning": false
}
]
}
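The nodes in an access_graph response arrive in no particular order, so the path under review has to be rebuilt by following out_edges. The following is an added example, not Veza code: find_paths, datasource_problems and sample_graph are hypothetical helper names, and the sample is constructed from the response shown above.

```python
ROLE = "arn:aws:iam::973979857296:role/FederatedS3"
EPERM = ROLE + "::eperm::877042069677/S3Bucket/2ce2cbf45bcc5d748c800358d9932a251d670509"
BUCKET = "arn:aws:s3:::cct-cct02-finance"
USER = "0bba9374-d4f5-4c77-93d2-7dfde581fa8a"


def _node(node_id, name, node_type, *destinations):
    """Build one node in the shape used by the response on this page."""
    return {
        "properties": {"id": node_id, "name": name, "type": node_type},
        "out_edges": [{"destination_node_id": d} for d in destinations],
    }


def sample_graph():
    """Constructed sample: the four nodes and one data source from the page."""
    return {
        "nodes": [
            _node(ROLE, "FederatedS3", "AwsIamRole", EPERM),
            _node(USER, "Abel_Maclead", "AzureADUser", ROLE),
            _node(EPERM, "Read", "AwsIamEffectivePermission", BUCKET),
            _node(BUCKET, "cct-cct02-finance", "S3Bucket"),
        ],
        "accumulated_effective_permissions": ["Read"],
        "accumulated_raw_permissions": ["s3:GetObject"],
        "datasource_infos": [
            {"datasource_id": "160e97cf-4b8a-4841-800b-49f8d6fa17ef",
             "last_sync_time": "2022-09-12T22:15:34.874682421Z",
             "has_error": False, "is_deleted": False, "has_warning": False,
             "last_error_message": ""},
        ],
    }


def find_paths(graph, start_type, end_type):
    """Follow out_edges from every start_type node to every end_type node.

    Returns (paths, dangling): paths is a list of ["Type:name", ...] lists,
    dangling is a sorted list of edge targets missing from "nodes".
    """
    nodes = {n["properties"]["id"]: n for n in graph.get("nodes", [])}
    paths, dangling = [], set()

    def label(node_id):
        props = nodes[node_id]["properties"]
        return "%s:%s" % (props["type"], props["name"])

    def walk(node_id, trail):
        if node_id not in nodes:
            dangling.add(node_id)       # edge points outside the response
            return
        if node_id in trail:
            return                      # cycle guard
        trail = trail + [node_id]
        if nodes[node_id]["properties"]["type"] == end_type:
            paths.append([label(i) for i in trail])
            return
        for edge in nodes[node_id].get("out_edges", []):
            walk(edge["destination_node_id"], trail)

    for node_id, node in nodes.items():
        if node["properties"]["type"] == start_type:
            walk(node_id, [])
    return paths, sorted(dangling)


def datasource_problems(graph):
    """List data sources whose flags mean the graph may be stale or partial."""
    problems = []
    for ds in graph.get("datasource_infos", []):
        flags = [f for f in ("has_error", "has_warning", "is_deleted") if ds.get(f)]
        if flags:
            problems.append({"datasource_id": ds.get("datasource_id", ""),
                             "flags": flags,
                             "message": ds.get("last_error_message", "")})
    return problems


if __name__ == "__main__":
    graph = sample_graph()
    found, missing = find_paths(graph, "AzureADUser", "S3Bucket")
    for path in found:
        print(" -> ".join(path))
    print("permissions:", graph["accumulated_raw_permissions"])
    print("dangling edges:", missing, "datasource problems:", datasource_problems(graph))
```

A non-empty datasource_problems result means the path was computed from data that did not sync cleanly, which matters before a reviewer accepts or rejects the row.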
GET /api/preview/awf/certifications/{certification_id}/reviewer_infos
certification_id (string, required): ID of a workflow certification
curl 'https://{{VezaURL}}/api/preview/awf/certifications/abe5c346-84ad-49b0-bafc-614a8365c883/reviewer_infos' \
-H 'authorization: Bearer '$TOKEN
{
"values": [
{
"reviewer": {
"user_type": "localCookieUser",
"id": "dcadfc95-29f5-4130-b715-5476d40a5811",
"email": "[email protected]",
"name": "Access Reviewer"
},
"row_stats": {
"total": "1",
"no_decision": "0",
"accepted": "1",
"rejected": "0",
"fixed": "0",
"signed_off": "1"
}
}
]
}
workflow_id (string): Workflow GUID
name (string): Workflow display name
description (string): Extended description
owner (WorkflowUser object): Owner user details
notes (string): Workflow notes
query (WorkflowQuery object): Workflow search conditions
creator (WorkflowUser object): Creator user details
created_at (string, RFC 3339 timestamp): Creation date
certification_id (string): Certification GUID
workflow_id (string): Workflow GUID
query_used (WorkflowQuery): The query for the workflow (immutable).
name (string): Certification name (not used)
notes (string): Certification notes
due_date (string, RFC 3339 timestamp): Due date timestamp
reviewers (WorkflowUser object): List of reviewers
state (AccessCertState): Certification status
snapshot_time (string, RFC 3339 timestamp): Date of graph snapshot at certification creation
started_at (string, RFC 3339 timestamp): Certification creation date
query_completed_at (string, RFC 3339 timestamp): Timestamp indicating when certification results were generated
completed_at (string, RFC 3339 timestamp): Certification completion date
created_by (WorkflowUser object): Certification creator details
completed_by (WorkflowUser object): User who marked certification as complete
total_result_count (int): Total query results
results_updated_at (string, RFC 3339 timestamp): Timestamp
results_updated_by (WorkflowUser object): User details
total_complete_count (int): Number of result rows with an accept, reject, or fixed decision
creator (WorkflowUser object): User details
created_at (string, RFC 3339 timestamp): Timestamp
updated_at (string, RFC 3339 timestamp): Timestamp
updated_by (WorkflowUser object): User details
error_reason (string): Error message, if the workflow query failed
expired_at (string, RFC 3339 timestamp): Timestamp
total_result_count (int): Total number of results
total_complete_count (int): Results with a final decision
total_rejected_count (int): Results with a "reject" decision
total_accepted_count (int): Results with an "accept" decision
total_fixed_count (int): Results that have been "marked as fixed"
accumulated_effective_permissions (string list): Cumulative canonical (C/R/U/D) permissions to the resource
accumulated_raw_permissions (string list): List of concrete system permissions to the resource
action_log_entries (ActionLog array): Log of previous actions on the result
decision (string): Row decision
destination (ResultNode object): The result destination (typically a resource)
notes (string): The most recent note applied to the result
notification_response_infos (array): Error message and status for Webhook integrations, pushed with UpdateWebhookInfo
notification_status (string): Whether the integration triggered successfully
result_id (int): Result unique identifier for the certification
reviewers (Array of WorkflowUsers): Reviewer details
reviewer_assignment (ReviewerAssignmentInstructions object): Instructions for fallback and auto-assigned reviewers
signed_off_at (string, RFC 3339 timestamp)
signed_off_by (WorkflowUser object): Details for a single reviewer
signed_off_state (string): UNKNOWN_SIGNED_OFF, NOT_SIGNED_OFF, or SIGNED_OFF
source (ResultNode object): Result source (typically a principal)
updated_at (string, RFC 3339 timestamp)
updated_by (WorkflowUser object)
waypoint (ResultNode object): Related intermediate entity details, if specified by the workflow query
type (string): Entity type
name (string): Entity name
id (string): Entity UID
properties (key:value pair): Entity properties
user_type (string): SSO entity type or localCookieUser
id (string): User GUID
email (string): User email address
name (string): Full username
action (string): Action log event type
user (WorkflowUser object): Reviewer details
time (string): RFC 3339 timestamp
decision_detail (object): Decision type and any notes
{
"entries": [
{
"action": "REVIEWER_ASSIGNED",
"user": {
"user_type": "localCookieUser",
"id": "e5aeaaf6-5d7a-4982-aa61-d0e6dea612a5",
"email": "[email protected]",
"name": "preview-auth0"
},
"time": "2022-09-20T17:50:06.939577367Z",
"reviewer_detail": {
"old_reviewers": [],
"new_reviewers": [
{
"user_type": "localCookieUser",
"id": "299d63c2-8edb-4ed1-a725-e56d84d956b7",
"email": "[email protected]",
"name": "docs"
}
]
}
},
{
"action": "DECISION",
"user": {
"user_type": "localCookieUser",
"id": "e5aeaaf6-5d7a-4982-aa61-d0e6dea612a5",
"email": "[email protected]",
"name": "preview-auth0"
},
"time": "2022-09-20T17:50:21.424281596Z",
"decision_detail": {
"decision": "RESULT_DECISION_ACCEPTED",
"note": "OK"
}
},
{
"action": "DECISION",
"user": {
"user_type": "localCookieUser",
"id": "e5aeaaf6-5d7a-4982-aa61-d0e6dea612a5",
"email": "[email protected]",
"name": "preview-auth0"
},
"time": "2022-09-20T17:50:44.381372987Z",
"decision_detail": {
"decision": "RESULT_DECISION_FIXED",
"note": ""
}
},
{
"action": "NOTE_ADDED",
"user": {
"user_type": "localCookieUser",
"id": "e5aeaaf6-5d7a-4982-aa61-d0e6dea612a5",
"email": "[email protected]",
"name": "preview-auth0"
},
"time": "2022-09-20T17:52:14.773114900Z",
"note": "updating the note"
}
]
}
{
"reviewer_assignment": {
"fallback_reviewers": [
{
"email": "string",
"id": "string",
"name": "string",
"user_type": "string"
}
],
"resource_managers": true,
"reviewers": [
{
"email": "string",
"id": "string",
"name": "string",
"user_type": "string"
}
],
"users_manager": true
}
}
curl -X PUT 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/cert_completion_settings' \
-H 'authorization: Bearer mZ1eqKMACtP...' \
-d '{"value": "AUTO_COMPLETE_DISABLED"}'
baseUrl
Your Veza instance URL
https://your-organization.vezacloud.com
apiToken
Veza admin user API key
mZ1eqKMACtP...
Workflow ID
Specific review configuration ID (optional)
8ae1c414-3a76-46cb-950a-925316b3f264
Configure default columns and visibility for reviewers.
This API configures the default columns that reviewers see when they open a review, as well as columns that should be hidden from reviewers but visible to administrators. If workflow_id is specified, the configuration is applied only to reviews related to the Review Configuration identified by workflow_id.
The request body includes two main fields:
default_ordered_columns: Array of column names that will be visible to all users (reviewers, administrators, and operators)
hide_from_reviewers_columns: Array of column names that will be hidden from users with the reviewer role but remain visible to administrators and operators
Important validation rules:
Column names cannot appear in both default_ordered_columns and hide_from_reviewers_columns simultaneously
Column names cannot be empty strings
Column names cannot contain spaces or commas
The system validates these constraints and returns an error if violations are found
The valid values to show entity attributes include:
source.ATTR
destination.ATTR
waypoint.ATTR
path_summary.ATTR
idp.ATTR
Where ATTR is an attribute name such as "id" or "name".
The following column values are also valid:
status
abstract_permissions
concrete_permissions
updated_at
notes
reviewers
decision
decision_by
decision_by_id
decision_by_name
decision_by_email
decision_at
marked_fixed_by_id
marked_fixed_by_name
marked_fixed_by_email
marked_fixed_at
signed_off_state
signed_off_by_id
signed_off_by_name
signed_off_by_email
signed_off_at
notification_status
automation_run_ids
no_decision_or_decision_by
Is_signed_off
{
"value": {
"default_ordered_columns": [
"source.name",
"source.department",
"source.customprop_worker_status",
"source.tags",
"path_summary.name",
"concrete_permissions",
"destination.name",
"destination.customprop_display_name",
"reviewers"
],
"hide_from_reviewers_columns": [
"source.identity_unique_id",
"idp.on_premises_distinguished_name"
]
},
"workflow_id": "002063d2-7898-4183-b5fb-1192758fdec7"
}
This example configuration shows sensitive identity information (unique IDs and distinguished names) to administrators while hiding them from reviewers, allowing for better security and privacy control in access reviews.
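The validation rules and column forms listed above can be checked locally before sending the PUT. The following is an added example, not Veza's own code: the function names, the constructed BAD_PAYLOAD, and the SENSITIVE set are assumptions, and treating the listed column names as exhaustive is also an assumption.

```python
"""Pre-flight checks for a ui_column_settings request body (added example)."""

# Entity prefixes and fixed column names as listed on this page.
ENTITY_PREFIXES = ("source", "destination", "waypoint", "path_summary", "idp")
FIXED_COLUMNS = {
    "status", "abstract_permissions", "concrete_permissions", "updated_at",
    "notes", "reviewers", "decision", "decision_by", "decision_by_id",
    "decision_by_name", "decision_by_email", "decision_at",
    "marked_fixed_by_id", "marked_fixed_by_name", "marked_fixed_by_email",
    "marked_fixed_at", "signed_off_state", "signed_off_by_id",
    "signed_off_by_name", "signed_off_by_email", "signed_off_at",
    "notification_status", "automation_run_ids",
    "no_decision_or_decision_by", "Is_signed_off",
}
FIELDS = ("default_ordered_columns", "hide_from_reviewers_columns")


def is_known_column(col):
    """True for a fixed column name or PREFIX.ATTR with a non-empty ATTR."""
    if col in FIXED_COLUMNS:
        return True
    prefix, dot, attr = col.partition(".")
    return prefix in ENTITY_PREFIXES and dot == "." and attr != ""


def check_column_settings(payload):
    """Return a list of problems; an empty list means the body passes."""
    value = payload.get("value", {})
    problems = []
    for field in FIELDS:
        for col in value.get(field, []):
            if not isinstance(col, str) or col == "":
                problems.append(f"{field}: empty column name")
            elif " " in col or "," in col:
                problems.append(f"{field}: {col!r} contains a space or comma")
            elif not is_known_column(col):
                problems.append(f"{field}: {col!r} is not a listed column form")
    shown, hidden = (
        {c for c in value.get(f, []) if isinstance(c, str) and c} for f in FIELDS
    )
    for col in sorted(shown & hidden):
        problems.append(f"{col!r} appears in both lists")
    return problems


def exposed_to_reviewers(payload, sensitive):
    """Sensitive columns that default_ordered_columns would show to everyone."""
    shown = payload.get("value", {}).get("default_ordered_columns", [])
    return sorted(set(shown) & set(sensitive))


# Request body from the example above.
PAGE_EXAMPLE = {
    "value": {
        "default_ordered_columns": [
            "source.name", "source.department",
            "source.customprop_worker_status", "source.tags",
            "path_summary.name", "concrete_permissions", "destination.name",
            "destination.customprop_display_name", "reviewers",
        ],
        "hide_from_reviewers_columns": [
            "source.identity_unique_id", "idp.on_premises_distinguished_name",
        ],
    },
    "workflow_id": "002063d2-7898-4183-b5fb-1192758fdec7",
}

# Constructed body that breaks each rule once.
BAD_PAYLOAD = {
    "value": {
        "default_ordered_columns": [
            "source.name", "source.identity_unique_id", "decision by", "",
        ],
        "hide_from_reviewers_columns": [
            "source.identity_unique_id", "owner.name",
        ],
    }
}

# Assumption: the attributes this deployment treats as sensitive.
SENSITIVE = {"source.identity_unique_id", "idp.on_premises_distinguished_name"}

if __name__ == "__main__":
    for label, body in (("page example", PAGE_EXAMPLE), ("bad", BAD_PAYLOAD)):
        print(label, check_column_settings(body),
              exposed_to_reviewers(body, SENSITIVE))
```
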
Define filter-based actions that reviewers can apply to certification results with a matching attribute or status.
Reviewers can view and apply custom actions from the Review interface by clicking Smart Action > Prepared Actions.
Create a smart action definition, globally or for a single Workflow.
A certification result includes all source and destination node properties discovered or added by Veza. You can specify a SCIM filter to select the results to affect, for example:
Example request:
curl -X POST "https://{{veza_url}}/api/preview/awf/smart_action_definitions" \
-H 'authorization: Bearer {{access_token}}' \
-d '{
"apply_to_all_rows": "false",
"description": "Reject users where the user `is active` value is not `true`",
"filter": "source.is_active ne \"true\"",
"mutable_fields": {
"decision": "RESULT_DECISION_REJECTED"
},
"mutable_filter": "",
"name": "Reject inactive users",
"workflow_id": ""
}'
The filter can apply to any source or destination node property.
When apply_to_all_rows is true and no other filter criteria are specified, the action will run on all certification results.
Mutable fields contain result attributes that are not sourced from Authorization Graph data. Use mutable_fields to apply changes to a result, and mutable_filter to filter results based on decision or sign-off state:
{
"apply_to_all_rows": "false",
"description": "Sign off on all rejected rows",
"filter": "",
"mutable_fields": {
"signed_off_state": "SIGNED_OFF"
},
"mutable_filter": "decision eq \"RESULT_DECISION_REJECTED\"",
"name": "Sign off rejected rows",
"workflow_id": ""
}
decision
One of: "RESULT_DECISION_UNKNOWN" "RESULT_DECISION_NONE" "RESULT_DECISION_ACCEPTED" "RESULT_DECISION_REJECTED" "RESULT_DECISION_FIXED"
notes
string
signed_off_state
One of: "UNKNOWN" "NOT_SIGNED_OFF" "SIGNED_OFF"
Delete a prepared action by definition id.
Returns an array of smart action definitions. By default, this endpoint lists all definitions. If a workflow_id is specified, only definitions for that workflow are included in the response.
Alter a smart action definition by specifying the id and an array of values to change.
Update a single result with escalated privileges
ForceUpdateAwfResults allows administrators to modify results beyond what is normally allowed, such as changing sign-off status or changing a row's decision after a certification expires.
POST
/api/preview/awf/certifications/{certification_id}/results:force_update
The API token used for this request must be created for a user with the admin role.
A forced update request:
Can undo sign-off of a row.
On an expired or completed certification, during the grace period, rows can be modified as normal (Assuming they're no longer signed off).
The grace period for changes is 7 days after certification completion or expiration
Can't undo sign-off of a row.
On an expired certification, during the grace period, a rejected row can be marked as fixed by admin/operator.
certification_id
path
ID of the certification containing the result to alter
value
body
Contains a single certification result and keys to update
result_id
body
Numeric result id to update (min 0)
decision
body
Result decision (NONE, REJECTED, ACCEPTED, FIXED)
notes
body
string of most recent row
reviewers
body
object
signed_off_state
body
Sign-off status (NOT_SIGNED_OFF, SIGNED_OFF)
notification_status
body
Integration status (UNKNOWN, PENDING, SUCCEED, FAILED)
curl '{{VEZA_URL}}/api/preview/awf/certifications/f9123002-978f-f203bc9885ed/results:force_update' \
-H 'authorization: Bearer '$token \
-d '{"value": {"result_id": 0,"signed_off_state":"NOT_SIGNED_OFF"}}'
A successful response will be empty:
{}
Configure delegate Veza users who will be assigned as certification reviewers whenever a specified user would have been assigned.
Administrators can configure delegate reviewers for users who would otherwise be assigned or auto-assigned to certification results. Specifying a delegate reviewer for another Veza user allows the delegate to fulfill the responsibilities of that user, for example if a manager is on leave, out-of-office, or otherwise unavailable.
Any certification items assigned to the original reviewer are also assigned to the delegated reviewer.
Delegate reviewers are notified of the assignment and receive notifications in place of the original reviewer. They can review and sign off on any results assigned to the original reviewer.
The original reviewer can still act on results, but will not receive assignment or reminder emails.
The JSON payload contains pairs of original and delegate . You can use to get all the required details for reviewers assigned to a certification.
Add delegation for Veza system users:
A successful response will be empty.
You can map both local Veza users and identities from an .
Add delegation for Okta users (with IdP settings configured):
Note that this assumes the IdP settings are configured to use "idp_unique_id" to correlate identities, as in the Okta example.
A successful response will list all configured delegations, contained in a values array:
To remove delegations, post the configuration to /api/preview/awf/delegation/users:remove.
A successful response will be empty.
Configure default grouping behavior for review rows to organize data by column values.
Configure default grouping behavior for access review rows. When enabled, review rows are automatically organized by the specified column values, making it easier for reviewers to process large datasets by grouping related items together.
The setting allows admins to configure a default group by column and collapsed/expanded behavior, either globally or per-workflow.
GET /api/private/workflows/access/global_settings/rows_group_by_setting
PUT /api/private/workflows/access/global_settings/rows_group_by_setting
destination.veza_unique_name - Group by resource name
source.veza_unique_name - Group by identity name
status - Group by review status
risk_level - Group by risk level
destination.type - Group by resource type
decision - Group by decision status
workflow_id
string
No
body
The workflow ID to apply the setting to
value.group_by_column
string
Yes
body
The column to group rows by (e.g. destination.veza_unique_name, source.veza_unique_name, status, risk_level). Must be a valid column name (same as in CreateAccessResultsGroupCollection). If empty or unset, grouping is disabled.
value.expand_groups_by_default
bool
Yes
body
When set to true, row groups will be expanded by default when the review loads; if false, they'll be collapsed. This flag is ignored when group_by_column is empty.
curl 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/rows_group_by_setting' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer YOUR_BEARER_TOKEN'
curl 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/rows_group_by_setting?workflow_id=01983256-911c-7906-9d75-d69871c877fd' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer YOUR_BEARER_TOKEN'
{
"value": {
"group_by_column": "status",
"expand_groups_by_default": true
}
}
curl -X PUT 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/rows_group_by_setting' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer YOUR_BEARER_TOKEN' \
-d '{
"value": {
"group_by_column": "destination.veza_unique_name",
"expand_groups_by_default": false
}
}'
curl -X PUT 'https://your-organization.vezacloud.com/api/private/workflows/access/global_settings/rows_group_by_setting' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer YOUR_BEARER_TOKEN' \
-d '{
"workflow_id": "01983256-911c-7906-9d75-d69871c877fd",
"value": {
"group_by_column": "destination.veza_unique_name",
"expand_groups_by_default": false
}
}'
{} // Empty on success
GET
List User Delegations
/api/preview/awf/delegation/users
POST
Add User Delegations
/api/preview/awf/delegation/users:add
POST
Remove User Delegations
/api/preview/awf/delegation/users:remove
curl -X POST 'https://{{VezaURL}}/api/preview/awf/delegation/users:add' \
-H 'authorization: Bearer '$TOKEN \
-d @configuration.json
{
"values": [
{
"original_user": {
"user_type": "localCookieUser",
"id": "2cdfb6e9-6f20-4198-925c-a045a3d690a0",
"email": "[email protected]",
"name": "External User"
},
"delegate_user": {
"user_type": "localCookieUser",
"id": "b8678b1b-0f31-40e4-9842-47b272694354",
"email": "[email protected]",
"name": "External User"
}
}
]
}
{
"values": [
{
"original_user": {
"user_type": "OktaUser",
"id": "00upa6s0hSGtl1eGL5d5",
"email": "[email protected]",
"name": "[email protected]"
},
"delegate_user": {
"user_type": "OktaUser",
"id": "00u6h8rl61RiosYzi5d7",
"email": "[email protected]",
"name": "[email protected]"
}
}
]
}
curl 'https://{{VezaURL}}/api/preview/awf/delegation/users' \
-H 'authorization: Bearer '$TOKEN
{
"values": [
{
"original_user": {
"user_type": "localCookieUser",
"id": "2cdfb6e9-6f20-4198-925c-a045a3d690a0",
"email": "[email protected]",
"name": "Resource Manager"
},
"delegate_user": {
"user_type": "localCookieUser",
"id": "52c38da6-3b2e-44e9-9787-88ffa5ef398c",
"email": "[email protected]",
"name": "Backup Manager"
}
}
]
}
curl -X POST 'https://{{VezaURL}}/api/preview/awf/delegation/users:remove' \
-H 'authorization: Bearer '$TOKEN \
-d @configuration/to/remove.json
application/json
OK
GET /api/private/workflows/access/global_settings/ui_customization_settings HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*
OK
{
"value": {
"diff_dropdown_behavior": "ALWAYS_HIDE_FOR_ACCESS_REVIEWER_ROLE",
"accept_notes_behavior": "NO_POP_UP",
"reject_notes_behavior": "POP_UP_REQUIRED",
"approve_and_sign_off_button_behavior": "SHOW"
}
}
application/json
application/json
{"value":{"diff_dropdown_behavior":"<integer>","accept_notes_behavior":"<integer>","reject_notes_behavior":"<integer>","approve_and_sign_off_button_behavior":"<integer>"}}
OK
PUT /api/private/workflows/access/global_settings/ui_customization_settings HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 171
{
"value": {
"diff_dropdown_behavior": "<integer>",
"accept_notes_behavior": "<integer>",
"reject_notes_behavior": "<integer>",
"approve_and_sign_off_button_behavior": "<integer>"
}
}
OK
{
"value": {
"diff_dropdown_behavior": "ALWAYS_HIDE_FOR_ACCESS_REVIEWER_ROLE",
"accept_notes_behavior": "NO_POP_UP",
"reject_notes_behavior": "POP_UP_REQUIRED",
"approve_and_sign_off_button_behavior": "SHOW"
}
}
application/json
OK
GET /api/private/workflows/access/global_settings/cert_auto_complete_settings HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*
OK
{
"value": "AUTO_COMPLETE_DISABLED"
}
application/json
application/json
{"value":"<integer>"}
OK
PUT /api/private/workflows/access/global_settings/cert_auto_complete_settings HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 21
{
"value": "<integer>"
}
OK
{
"value": "AUTO_COMPLETE_DISABLED"
}
application/json
OK
GET /api/private/workflows/access/global_settings/self_reviewer_settings HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*
OK
{
"value": "SELF_REVIEWER_CHECKING_DISABLED"
}
application/json
application/json
1 = SELF_REVIEWER_CHECKING_DISABLED, 2 = SELF_REVIEWER_CHECKING_ENABLED
String values for self-review prevention settings
OK
PUT /api/private/workflows/access/global_settings/self_reviewer_settings HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 11
{
"value": 1
}
OK
{
"value": "SELF_REVIEWER_CHECKING_DISABLED"
}
application/json
OK
GET /api/private/workflows/access/global_settings/view_sort_settings HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*
OK
{
"value": {
"order_by": "source.type asc"
}
}
application/json
application/json
{"value":{"order_by":"<string>"}}
OK
PUT /api/private/workflows/access/global_settings/view_sort_settings HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 33
{
"value": {
"order_by": "<string>"
}
}
OK
{
"value": {
"order_by": "source.type asc"
}
}
application/json
OK
GET /api/private/workflows/access/global_settings/expire_overdue_certifications HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*
OK
{
"value": false
}
application/json
application/json
{"value":"<boolean>"}
OK
PUT /api/private/workflows/access/global_settings/expire_overdue_certifications HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 21
{
"value": "<boolean>"
}
OK
{
"value": false
}
<string>
application/json
OK
GET /api/private/workflows/access/global_settings/review_expiration_behavior HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*
OK
{
"value": "AUTO_REJECT_INCOMPLETE_RESULTS",
"setting": {
"behavior": 0,
"note_to_add": "Rejected incomplete result due to review expiration."
}
}
application/json
application/json
Optional workflow ID for configuration-specific settings
OK
PUT /api/private/workflows/access/global_settings/review_expiration_behavior HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 118
{
"workflow_id": "string",
"setting": {
"behavior": 1,
"note_to_add": "Rejected incomplete result due to review expiration."
}
}
OK
{
"value": "AUTO_REJECT_INCOMPLETE_RESULTS",
"setting": {
"behavior": 1,
"note_to_add": "Rejected incomplete result due to review expiration."
}
}
application/json
OK
GET /api/private/workflows/access/global_settings/cert_completion_settings HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*
OK
{
"value": "COMPLETION_ALLOWED_ALL_ROWS_HAVE_DECISION"
}
application/json
application/json
{"value":"<integer>"}
OK
PUT /api/private/workflows/access/global_settings/cert_completion_settings HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 21
{
"value": "<integer>"
}
OK
{
"value": "COMPLETION_ALLOWED_ALL_ROWS_HAVE_DECISION"
}
application/json
OK
GET /api/private/workflows/access/global_settings/datasource_acknowledgement HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*
OK
{
"value": "DATASOURCE_ACKNOWLEDGEMENT_REQUIRED"
}
application/json
application/json
{"value":"<integer>"}
OK
PUT /api/private/workflows/access/global_settings/datasource_acknowledgement HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 21
{
"value": "<integer>"
}
OK
{
"value": "DATASOURCE_ACKNOWLEDGEMENT_REQUIRED"
}
application/json
OK
GET /api/private/workflows/access/global_settings/ui_column_settings HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*
OK
{
"value": {
"default_ordered_columns": [
"source.name",
"source.identity_unique_id",
"concrete_permissions",
"idp.on_premises_distinguished_name",
"idp.name",
"destination.name",
"destination.type",
"reviewers",
"notes",
"decision_by",
"decision_at",
"notification_status",
"automation_run_ids"
]
}
}
application/json
application/json
{"value":{"default_ordered_columns":["source.name","source.identity_unique_id","concrete_permissions","idp.on_premises_distinguished_name","idp.name","destination.name","destination.type","reviewers","notes","decision_by","decision_at","notification_status","automation_run_ids"]}}
OK
PUT /api/private/workflows/access/global_settings/ui_column_settings HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 281
{
"value": {
"default_ordered_columns": [
"source.name",
"source.identity_unique_id",
"concrete_permissions",
"idp.on_premises_distinguished_name",
"idp.name",
"destination.name",
"destination.type",
"reviewers",
"notes",
"decision_by",
"decision_at",
"notification_status",
"automation_run_ids"
]
}
}
OK
{
"value": {
"default_ordered_columns": [
"source.name",
"source.identity_unique_id",
"concrete_permissions",
"idp.on_premises_distinguished_name",
"idp.name",
"destination.name",
"destination.type",
"reviewers",
"notes",
"decision_by",
"decision_at",
"notification_status",
"automation_run_ids"
]
}
}
application/json
OK
Internal Server Error
GET /api/private/workflows/access/global_settings/ui_column_settings:list_all HTTP/1.1
Host: {{baseurl}}
Authorization: Bearer YOUR_SECRET_TOKEN
Accept: */*
{
"global_settings": {
"default_ordered_columns": [
"source.name",
"source.identity_unique_id",
"concrete_permissions",
"idp.on_premises_distinguished_name",
"idp.name",
"destination.name",
"destination.type",
"reviewers",
"notes",
"decision_by",
"decision_at",
"notification_status",
"automation_run_ids"
]
},
"workflow_settings": [
{
"workflow_id": "002063d2-7898-4183-b5fb-1192758fdec7",
"settings": {
"default_ordered_columns": [
"source.name",
"source.department",
"source.customprop_worker_status",
"source.tags",
"path_summary.name",
"concrete_permissions",
"destination.name",
"destination.type",
"destination.customprop_display_name",
"reviewers",
"notes"
]
}
},
{
"workflow_id": "84459ad9-3976-4f21-9d56-fa9c0694a8a7",
"settings": {
"default_ordered_columns": [
"source.aws_userid",
"source.name",
"source.identity_unique_id",
"concrete_permissions",
"destination.name",
"destination.type",
"reviewers",
"notes",
"decision_by",
"decision_at",
"notification_status",
"automation_run_ids"
]
}
}
]
}
GET
/api/preview/awf/certifications/{certification_id}/results/{result_id}
certification_id
string
Y
Certification id
result_id
string
Y
Result number to retrieve
curl '{{VEZA_URL}}/api/preview/awf/certifications/f9123002-978f-f203bc9885ed/results/0' \
-H 'authorization: Bearer '$token
{
"value": {
"result_id": 0,
"source": {
"aliases": [],
"created_at": "2023-05-03T14:25:43Z",
"datasource_id": "datasource:google_cloud_workspace",
"email_addresses": [
"[email protected]",
"[email protected]",
"[email protected]"
],
"full_admin": false,
"google_cloud_organization_name": "organizations/123456789012",
"guest": false,
"id": "datasource:112655590859538682841",
"idp_unique_id": "[email protected]",
"is_active": true,
"last_login_at": "2023-05-10T15:25:04Z",
"location_areas": [],
"mfa_enabled": false,
"name": "[email protected]",
"organization_names": [],
"provider_id": "datasource",
"suspended": false,
"type": "GoogleWorkspaceUser"
},
"destination": {
"created_at": "2021-11-01T14:23:35Z",
"datasource_id": "datasource:google_cloud_iam",
"google_cloud_organization_name": "organizations/123456789012",
"id": "projects/743979515322",
"name": "Dev GCP Project",
"parent_id": "organizations/123456789012",
"project_id": "striped-graph-330814",
"provider_id": "datasource",
"type": "GoogleCloudProject",
"updated_at": "2022-04-07T22:08:48Z"
},
"accumulated_effective_permissions": [],
"accumulated_raw_permissions": [
"bigquery.datasets.get",
"bigquery.datasets.getIamPolicy",
"bigquery.tables.get",
"bigquery.tables.getIamPolicy",
"bigquery.tables.list",
"iam.roles.get",
"iam.roles.list",
"iam.serviceAccounts.create",
"iam.serviceAccounts.list",
"resourcemanager.folders.create",
"resourcemanager.folders.delete",
"resourcemanager.folders.get",
"resourcemanager.folders.getIamPolicy",
"resourcemanager.folders.list",
"resourcemanager.folders.move",
"resourcemanager.folders.setIamPolicy",
"resourcemanager.folders.undelete",
"resourcemanager.organizations.get",
"resourcemanager.organizations.getIamPolicy",
"resourcemanager.organizations.setIamPolicy",
"resourcemanager.projects.create",
"resourcemanager.projects.delete",
"resourcemanager.projects.get",
"resourcemanager.projects.getIamPolicy",
"resourcemanager.projects.list",
"resourcemanager.projects.move",
"resourcemanager.projects.setIamPolicy",
"resourcemanager.projects.update",
"storage.buckets.create",
"storage.buckets.createTagBinding",
"storage.buckets.delete",
"storage.buckets.deleteTagBinding",
"storage.buckets.get",
"storage.buckets.getIamPolicy",
"storage.buckets.list",
"storage.buckets.listTagBindings",
"storage.buckets.setIamPolicy",
"storage.buckets.update"
],
"updated_at": null,
"updated_by": null,
"signed_off_at": null,
"signed_off_by": null,
"notification_response_infos": [],
"notification_status": "UNKNOWN",
"waypoint": {
"id": "organizations/123456789012_policy_role_binding0",
"name": "CookieAIDevServicePrincipalRole",
"type": "GoogleCloudIamRoleBinding"
},
"action_log_entries": [],
"decision": "NONE",
"notes": "",
"reviewers": [
{
"user_type": "localCookieUser",
"id": "e3ac5e6a-1946-4688-82a7-8a607133a1c8",
"email": "[email protected]",
"name": "External User"
}
],
"signed_off_state": "NOT_SIGNED_OFF",
"reviewer_assignment": null
}
}
Add decisions and notes to a certification result
Apply a decision, note, sign-off, or reviewer change to a numbered certification result.
Each row of the certification results can be annotated, marked as ACCEPTED or REJECTED, signed off, or assigned to a different reviewer.
PUT
{{base_url}}/api/preview/awf/certifications/{certification_id}/results
cert_id
string
path
id of the certification to update
value
object
body
Mutable fields to update
value must include the result_id and any mutable fields to update:
result_id
int
Y
certification result number to update
decision
enum
N
The decision to apply to the result
notes
string
N
Send an empty string " " to clear the current note
signed_off_state
string
N
Can be: NOT_SIGNED_OFF, SIGNED_OFF
reviewers
array
N
Contains Workflow User details for assigned reviewers
Valid decisions are:
NONE // No decision has been made
ACCEPTED // The access described in the result row is acceptable
REJECTED // The access described in the result row isn't correct
FIXED // The access was rejected but has been fixed
Adding a note overwrites the previous value. Historical notes are included in the action log when Listing Certification Results. When viewing the row in the UI, only the most recent note is shown.
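Because each update overwrites the visible note, the action log is the only place the earlier notes and decisions survive. The following added example (not Veza's own code) rebuilds both histories from entries shaped like the action log sample on this page; the function names are assumptions, SAMPLE_ENTRIES is constructed from that sample with emails omitted, and parse_time handles only UTC ("Z") timestamps.

```python
"""Rebuild decision and note history from action log entries (added example)."""
import re
from datetime import datetime, timezone

# RFC 3339, UTC only; the fraction may carry nanoseconds (9 digits).
RFC3339_UTC = re.compile(
    r"^(\d{4}-\d{2}-\d{2})[Tt](\d{2}:\d{2}:\d{2})(?:\.(\d+))?[Zz]$"
)


def parse_time(stamp):
    """Parse a UTC RFC 3339 timestamp, truncating the fraction to microseconds."""
    match = RFC3339_UTC.match(stamp)
    if not match:
        raise ValueError(f"unsupported timestamp: {stamp!r}")
    date, clock, frac = match.groups()
    micros = int((frac or "0")[:6].ljust(6, "0"))
    base = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    return base.replace(microsecond=micros, tzinfo=timezone.utc)


def audit_trail(entries):
    """Return (decisions, notes), each a chronological list of tuples.

    decisions: (time, user name, decision)
    notes:     (time, user name, note text), skipping empty notes
    """
    decisions, notes = [], []
    for entry in sorted(entries, key=lambda e: parse_time(e["time"])):
        who = (entry.get("user") or {}).get("name", "")
        action = entry.get("action")
        if action == "DECISION":
            detail = entry.get("decision_detail") or {}
            decisions.append((entry["time"], who, detail.get("decision")))
            note = detail.get("note", "")
        elif action == "NOTE_ADDED":
            note = entry.get("note", "")
        else:
            continue  # e.g. REVIEWER_ASSIGNED carries no decision or note
        if note:
            notes.append((entry["time"], who, note))
    return decisions, notes


def decision_changes(decisions):
    """Return (time, user name, old, new) for each decision that replaced another."""
    changes = []
    for (_, _, old), (when, who, new) in zip(decisions, decisions[1:]):
        if old != new:
            changes.append((when, who, old, new))
    return changes


# Constructed input: the page's sample entries, shuffled, emails omitted.
_USER = {"user_type": "localCookieUser",
         "id": "e5aeaaf6-5d7a-4982-aa61-d0e6dea612a5",
         "name": "preview-auth0"}
SAMPLE_ENTRIES = [
    {"action": "NOTE_ADDED", "user": _USER,
     "time": "2022-09-20T17:52:14.773114900Z", "note": "updating the note"},
    {"action": "DECISION", "user": _USER,
     "time": "2022-09-20T17:50:44.381372987Z",
     "decision_detail": {"decision": "RESULT_DECISION_FIXED", "note": ""}},
    {"action": "REVIEWER_ASSIGNED", "user": _USER,
     "time": "2022-09-20T17:50:06.939577367Z",
     "reviewer_detail": {"old_reviewers": [], "new_reviewers": []}},
    {"action": "DECISION", "user": _USER,
     "time": "2022-09-20T17:50:21.424281596Z",
     "decision_detail": {"decision": "RESULT_DECISION_ACCEPTED", "note": "OK"}},
]

if __name__ == "__main__":
    decisions, notes = audit_trail(SAMPLE_ENTRIES)
    for row in notes:
        print("note:", row)
    for row in decision_changes(decisions):
        print("changed:", row)
```
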
reviewers
A result’s reviewer can be reassigned by updating the reviewers field with a list of one or more Access Workflow User objects:
user_type
string
Y
Must be the same user_type as configured for the . Typical values are OktaUser, CustomIDPUser, or AzureADUser.
id
string
Y
The user_identity_property set when configuring the workflows IdP is used to validate a Workflow Reviewer's identity. For an Okta user, this would be an id such as 00upa6s0hSGtl1eGL5d5. For a Custom IdP user, this will typically be the IdP users set within the OAA payload.
email
string
Y
Must match the email property on the local user or graph node.
name
string
Y
Must match the name property on the local user or graph node.
curl -X PUT '{{baseurl}}/api/preview/awf/certifications/{{cert_id}}/results' \
-H "authorization: Bearer $TOKEN" \
--data-raw '{"value": {"result_id": 0,"reviewers": [{"user_type": "CustomIDPUser", "id": "125", "email": "[email protected]", "name": "Valid Reviewer"}]}}'
Note that all fields are required when assigning a reviewer. As of the current release, there is no customer-facing API to get local user ids. For this reason, API-based reviewer reassignment is recommended only when a graph IdP is configured as the Global Workflows IdP, and you can programmatically retrieve required identifiers such as user "name," "id," and "email."
curl -X PUT '{{baseurl}}/api/preview/awf/certifications/f9123002-f056-491f-978f-f203bc9885ed/results' \
-H 'authorization: Bearer '$token \
--data-raw '{
"value": {
"result_id": 0,
"decision": "REJECTED",
"notes": "Over-privileged"
}
}'
curl -X PUT '{{baseurl}}/api/preview/awf/certifications/{{cert_id}}/results' \
-H "authorization: Bearer $TOKEN" \
--data-raw '{"value": {"result_id": 0,"reviewers": [{"user_type": "CustomIDPUser", "id": "125", "email": "[email protected]", "name": "Valid Reviewer"}]}}'
curl -X PUT '{{baseurl}}/api/preview/awf/certifications/{{cert_id}}/results' \
-H "authorization: Bearer $TOKEN" \
--data-raw '{"value": {"result_id": 0,"reviewers": [{"user_type": "localCookieUser", "id": "0ffcfbc7-6339-4aed-afa4-ff3bea505485", "email": "[email protected]", "name": "demo-auth0"}]}}'
A successful response will be empty: {}.
Get results for workflow certifications
Returns the results of the certification query, including any special properties, decisions, and notes.
Parameters
Request
Provide the UUID of the certification to get results. You can page through responses by providing a starting result number, and setting the maximum results to return.
Response
Each row in a certification describes an identity and resource entity pair, connected by a set of concrete and abstract permissions. Responses can be partial, depending on the page_size. You can get the next set of results by requesting a valid next_page_token as the page_token.
See for more details on the Certification Result object.
Get pending and completed certifications for a workflow
Manage custom help pages for Veza Access Reviews.
Use these operations to add and manage help pages for access reviewers, and customize pop-up messages when a review starts, or when rows are signed off.
Add custom help messages for reviewers by providing the plain text template_body, name, and an existing workflow_id and usage where the template will apply. All reviews (certifications) for the configuration (workflow) will use the new template.
The usage field determines how and when the help page will be visible to users. It must be one of the following values:
HELP_PAGE: Reviewers can access help pages from the reviewer's interface by clicking the User Guide icon. The help page will also appear when viewing the review for the first time.
REVIEW_START: Opens when reviewers start a review.
SIGN_OFF: Opens whenever a row or multiple rows are signed off by a reviewer.
Only one help page can exist at a time for a given workflow and usage. You can manage global help pages by using 00000000-0000-0000-0000-000000000000 as the workflow_id. Global help pages for each usage will apply to all reviews for all configurations.
The template can use markdown and placeholders, for example:
See for more information about placeholders.
Example request:
Get all configured help page templates.
Example response:
Returns the current help page template for an existing workflow_id and usage.
The usage parameter must be specified. For the existing help page template, the usage value should be HELP_PAGE.
To retrieve the tenant-wide default template (if it was set), use an all-zero UUID (00000000-0000-0000-0000-000000000000) for the workflow_id.
Example request:
Returns the current template for a given certification id.
Example request:
Example response:
Permanently remove the help page template for a workflow_id and usage. It will no longer apply to reviews using the configuration specified by workflow_id.
The usage parameter must be specified. For the existing help page template, the usage value should be HELP_PAGE.
To clear the tenant-wide default template, use an all-zero UUID for the workflow_id: 00000000-0000-0000-0000-000000000000.
Example request:
PUT {{veza_url}}/api/preview/awf/help_page_templates
Update the help page for the specified workflow_id and usage:
To add a tenant-wide default template, use an all-zero UUID for the workflow_id: 00000000-0000-0000-0000-000000000000.
Updating a template now uses a plain text template_body, instead of a base64-encoded string.
Example request:
GET
{{base_url}}/api/preview/awf/certifications/{certification_id}/results
certification_id
string
Y
Certification id
page_token
int
N
next_page_token to list results from
page_size
int
N
Max results to return per page (default 100, minimum 1, maximum 2,000)
paginate_direction_backwards
boolean
N
When true, use reverse order from the last page of results
curl '{{VEZA_URL}}/api/preview/awf/certifications/f9123002-f056-491f-978f-f203bc9885ed/results?page_token=0&page_size=1' \
-H 'authorization: Bearer '$token
{
"values": [
{
"result_id": 0,
"source": {
"aliases": [],
"created_at": "2023-05-03T14:25:43Z",
"datasource_id": "datasource:google_cloud_workspace",
"email_addresses": [
"[email protected]",
"[email protected]",
"[email protected]"
],
"full_admin": false,
"google_cloud_organization_name": "organizations/123456789012",
"guest": false,
"id": "datasource:112655590859538682841",
"idp_unique_id": "[email protected]",
"is_active": true,
"last_login_at": "2023-05-10T15:25:04Z",
"location_areas": [],
"mfa_enabled": false,
"name": "[email protected]",
"organization_names": [],
"provider_id": "datasource",
"suspended": false,
"type": "GoogleWorkspaceUser"
},
"destination": {
"created_at": "2021-11-01T14:23:35Z",
"datasource_id": "datasource:google_cloud_iam",
"google_cloud_organization_name": "organizations/123456789012",
"id": "projects/743979515322",
"name": "Dev GCP Project",
"parent_id": "organizations/123456789012",
"project_id": "striped-graph-330814",
"provider_id": "datasource",
"type": "GoogleCloudProject",
"updated_at": "2022-04-07T22:08:48Z"
},
"accumulated_effective_permissions": [],
"accumulated_raw_permissions": [
"bigquery.datasets.get",
"bigquery.datasets.getIamPolicy",
"bigquery.tables.get",
"bigquery.tables.getIamPolicy",
"bigquery.tables.list",
"iam.roles.get",
"iam.roles.list",
"iam.serviceAccounts.create",
"iam.serviceAccounts.list",
"resourcemanager.folders.create",
"resourcemanager.folders.delete",
"resourcemanager.folders.get",
"resourcemanager.folders.getIamPolicy",
"resourcemanager.folders.list",
"resourcemanager.folders.move",
"resourcemanager.folders.setIamPolicy",
"resourcemanager.folders.undelete",
"resourcemanager.organizations.get",
"resourcemanager.organizations.getIamPolicy",
"resourcemanager.organizations.setIamPolicy",
"resourcemanager.projects.create",
"resourcemanager.projects.delete",
"resourcemanager.projects.get",
"resourcemanager.projects.getIamPolicy",
"resourcemanager.projects.list",
"resourcemanager.projects.move",
"resourcemanager.projects.setIamPolicy",
"resourcemanager.projects.update",
"storage.buckets.create",
"storage.buckets.createTagBinding",
"storage.buckets.delete",
"storage.buckets.deleteTagBinding",
"storage.buckets.get",
"storage.buckets.getIamPolicy",
"storage.buckets.list",
"storage.buckets.listTagBindings",
"storage.buckets.setIamPolicy",
"storage.buckets.update"
],
"updated_at": null,
"updated_by": null,
"signed_off_at": null,
"signed_off_by": null,
"notification_response_infos": [],
"notification_status": "UNKNOWN",
"waypoint": {
"id": "organizations/123456789012_policy_role_binding0",
"name": "CookieAIDevServicePrincipalRole",
"type": "GoogleCloudIamRoleBinding"
},
"action_log_entries": [],
"decision": "NONE",
"notes": "",
"reviewers": [
{
"user_type": "localCookieUser",
"id": "e3ac5e6a-1946-4688-82a7-8a607133a1c8",
"email": "[email protected]",
"name": "External User"
}
],
"signed_off_state": "NOT_SIGNED_OFF",
"reviewer_assignment": null
},
{
"result_id": 1,
"source": {
"aliases": [],
"created_at": "2023-05-03T14:25:43Z",
"datasource_id": "datasource:google_cloud_workspace",
"email_addresses": [
"[email protected]",
"[email protected]",
"[email protected]"
],
"full_admin": false,
"google_cloud_organization_name": "organizations/123456789012",
"guest": false,
"id": "datasource:112655590859538682841",
"idp_unique_id": "[email protected]",
"is_active": true,
"last_login_at": "2023-05-10T15:25:04Z",
"location_areas": [],
"mfa_enabled": false,
"name": "[email protected]",
"organization_names": [],
"provider_id": "datasource",
"suspended": false,
"type": "GoogleWorkspaceUser"
},
"destination": {
"created_at": "2021-11-01T14:23:35Z",
"datasource_id": "datasource:google_cloud_iam",
"google_cloud_organization_name": "organizations/123456789012",
"id": "projects/743979515322",
"name": "Dev GCP Project",
"parent_id": "organizations/123456789012",
"project_id": "striped-graph-330814",
"provider_id": "datasource",
"type": "GoogleCloudProject",
"updated_at": "2022-04-07T22:08:48Z"
},
"accumulated_effective_permissions": [],
"accumulated_raw_permissions": [
"cloudkms.cryptoKeyVersions.create",
"cloudkms.cryptoKeyVersions.destroy",
"cloudkms.cryptoKeyVersions.get",
"cloudkms.cryptoKeyVersions.list",
"cloudkms.cryptoKeyVersions.restore",
"cloudkms.cryptoKeyVersions.update",
"cloudkms.cryptoKeyVersions.useToDecryptViaDelegation",
"cloudkms.cryptoKeyVersions.useToEncryptViaDelegation",
"cloudkms.cryptoKeys.create",
"cloudkms.cryptoKeys.get",
"cloudkms.cryptoKeys.getIamPolicy",
"cloudkms.cryptoKeys.list",
"cloudkms.cryptoKeys.setIamPolicy",
"cloudkms.cryptoKeys.update",
"cloudkms.keyRings.create",
"cloudkms.keyRings.createTagBinding",
"cloudkms.keyRings.deleteTagBinding",
"cloudkms.keyRings.get",
"cloudkms.keyRings.getIamPolicy",
"cloudkms.keyRings.list",
"cloudkms.keyRings.listTagBindings",
"cloudkms.keyRings.setIamPolicy",
"cloudkms.locations.get",
"cloudkms.locations.list",
"resourcemanager.projects.get"
],
"updated_at": null,
"updated_by": null,
"signed_off_at": null,
"signed_off_by": null,
"notification_response_infos": [],
"notification_status": "UNKNOWN",
"waypoint": {
"id": "organizations/123456789012_policy_role_binding11",
"name": "cloudkms.admin",
"type": "GoogleCloudIamRoleBinding"
},
"action_log_entries": [],
"decision": "NONE",
"notes": "",
"reviewers": [
{
"user_type": "localCookieUser",
"id": "e3ac5e6a-1946-4688-82a7-8a607133a1c8",
"email": "[email protected]",
"name": "External User"
}
],
"signed_off_state": "NOT_SIGNED_OFF",
"reviewer_assignment": null
}
],
"next_page_token": "EAI=",
"has_more": true,
"has_previous": false
}
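An added example (not Veza's code): following next_page_token while has_more is true to collect every result row, then flagging undecided rows for closer review. The fetch_page callable, the review rule (a source holding a permission ending in .setIamPolicy while lacking MFA or being inactive) and the sample pages are assumptions constructed from the response shape shown above.

```python
"""Page through certification results and flag rows that need a closer look."""

MIN_PAGE_SIZE, MAX_PAGE_SIZE = 1, 2000   # bounds from the page_size parameter
RISKY_SUFFIXES = (".setIamPolicy",)      # assumption: permissions that edit IAM policy


def iter_results(fetch_page, page_size=100, max_pages=10_000):
    """Yield every result row. fetch_page(page_token, page_size) must return a
    dict shaped like the response above (it would wrap the GET .../results call)."""
    if not MIN_PAGE_SIZE <= page_size <= MAX_PAGE_SIZE:
        raise ValueError(f"page_size must be {MIN_PAGE_SIZE}..{MAX_PAGE_SIZE}")
    token, seen_tokens = None, set()
    for _ in range(max_pages):
        page = fetch_page(token, page_size)
        yield from page.get("values") or []
        if not page.get("has_more"):
            return
        token = page.get("next_page_token")
        # A missing or repeated token would loop forever; fail loudly instead.
        if not token or token in seen_tokens:
            raise RuntimeError("has_more is true but the page token did not advance")
        seen_tokens.add(token)
    raise RuntimeError("stopped after max_pages pages")


def triage(rows):
    """Return findings for undecided rows whose source holds a policy-editing
    permission while lacking MFA or being inactive (hypothetical review rule)."""
    findings = []
    for row in rows:
        if row.get("decision") != "NONE":
            continue                      # a reviewer has already decided
        source = row.get("source") or {}
        risky = sorted(p for p in row.get("accumulated_raw_permissions") or []
                       if p.endswith(RISKY_SUFFIXES))
        reasons = []
        if risky and not source.get("mfa_enabled"):
            reasons.append("no MFA")
        if risky and source.get("is_active") is False:
            reasons.append("inactive source")
        if reasons:
            findings.append({
                "result_id": row.get("result_id"),
                "source": source.get("name"),
                "waypoint": (row.get("waypoint") or {}).get("name"),
                "reasons": reasons,
                "permissions": risky,
            })
    return findings


def sample_row(result_id, mfa, active, perms, decision="NONE"):
    """Build one constructed result row with only the fields triage() reads."""
    return {"result_id": result_id, "decision": decision,
            "source": {"name": f"user{result_id}@example.com",
                       "mfa_enabled": mfa, "is_active": active},
            "waypoint": {"name": "sample-role", "type": "GoogleCloudIamRoleBinding"},
            "accumulated_raw_permissions": perms}


# Constructed sample data: two pages keyed by the token that requests them.
SAMPLE_PAGES = {
    None: {"values": [sample_row(0, False, True, ["storage.buckets.get",
                                                   "storage.buckets.setIamPolicy"]),
                      sample_row(1, True, True, ["cloudkms.cryptoKeys.setIamPolicy"])],
           "next_page_token": "page-2", "has_more": True},
    "page-2": {"values": [sample_row(2, False, False,
                                     ["resourcemanager.projects.setIamPolicy"]),
                          sample_row(3, False, True, ["bigquery.tables.get"]),
                          sample_row(4, False, True, ["storage.buckets.setIamPolicy"],
                                     decision="ACCEPTED")],
               "next_page_token": "", "has_more": False},
}


def sample_fetch(page_token, page_size):
    """Stand-in for the HTTP call so the example runs offline."""
    return SAMPLE_PAGES[page_token]


if __name__ == "__main__":
    for finding in triage(iter_results(sample_fetch, page_size=2)):
        print(finding)
```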
GET {{base_url}}/api/preview/awf/certifications
| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| workflow_id | string | Y | Workflow to get certifications for |
curl '{{VEZA_URL}}/api/preview/awf/certifications?workflow_id=17ce79c7-a2e6-4baf-87ff-f386764c9659' \
-H "authorization: Bearer $token"
| Field | Type | Description |
| --- | --- | --- |
| has_more | bool | Indicates if additional results are available. |
| total_result_count | int | The total number of results. |
| values | AccessCertResult | Contains details for each certification (see workflow parameters). |
{
"values": [
{
"certification_id": "b2562ef3-a4b3-4b30-8a45-1ba36f945d10",
"workflow_id": "b9dc2586-5f30-4462-b6be-53f62debc40f",
"query_used": {
"raw_permissions": null,
"effective_permissions": null,
"source_node_types": {
"nodes": [
{
"node_type": "GoogleWorkspaceUser",
"tags": [],
"conditions": [],
"condition_expression": null,
"node_id": "",
"excluded_tags": [],
"count_conditions": [],
"direct_relationship_only": false,
"node_type_grouping_constraint": null
}
],
"nodes_operator": "AND"
},
"required_intermediate_node_types": {
"nodes": [],
"nodes_operator": "AND"
},
"avoided_intermediate_node_types": {
"nodes": [],
"nodes_operator": "AND"
},
"destination_node_types": {
"nodes": [
{
"node_type": "GoogleCloudProject",
"tags": [],
"conditions": [],
"condition_expression": null,
"node_id": "",
"excluded_tags": [],
"count_conditions": [],
"direct_relationship_only": false,
"node_type_grouping_constraint": null
}
],
"nodes_operator": "AND"
},
"no_relation": false,
"snapshot_id": "1690354800",
"waypoint_node_types": {
"nodes": [
{
"node_type": "GoogleCloudIamRoleBinding",
"tags": [],
"conditions": [],
"condition_expression": null,
"node_id": "",
"excluded_tags": [],
"count_conditions": [],
"direct_relationship_only": false,
"node_type_grouping_constraint": null
}
],
"nodes_operator": "AND"
},
"path_summary_node_types": null,
"node_relationship_type": "CONFIGURED",
"include_all_source_tags_in_results": true,
"include_all_destination_tags_in_results": false,
"page_size": "0",
"page_token": ""
},
"name": "demo",
"notes": "",
"due_date": "2023-07-30T03:44:00Z",
"reviewers": [],
"state": "IN_PROGRESS",
"snapshot_time": "2023-07-26T07:00:00Z",
"started_at": "2023-07-27T03:44:27.260812616Z",
"query_completed_at": "2023-07-27T03:44:31.410373279Z",
"completed_at": null,
"created_by": {
"user_type": "localCookieUser",
"id": "e3ac5e6a-1946-4688-82a7-8a607133a1c8",
"email": "[email protected]",
"name": "earlypreview-auth0"
},
"completed_by": null,
"results_updated_at": "2023-07-27T03:44:31.410373665Z",
"results_updated_by": {
"user_type": "localCookieUser",
"id": "e3ac5e6a-1946-4688-82a7-8a607133a1c8",
"email": "[email protected]",
"name": "earlypreview-auth0"
},
"updated_at": "2023-07-27T03:44:31.410413829Z",
"updated_by": {
"user_type": "localCookieUser",
"id": "e3ac5e6a-1946-4688-82a7-8a607133a1c8",
"email": "[email protected]",
"name": "earlypreview-auth0"
},
"error_reason": "",
"expired_at": null,
"version": 1,
"total_result_count": 2433,
"total_complete_count": 0,
"total_rejected_count": 0,
"total_accepted_count": 0,
"total_fixed_count": 0
}
]
}
POST {veza_url}/api/preview/awf/help_page_templates
GET {veza_url}/api/preview/awf/help_page_templates
GET {veza_url}/api/preview/awf/help_page_templates/{workflow_id}/{usage}
GET {veza_url}/api/preview/awf/certification_help_page?certification_id={cert_id}
DELETE {veza_url}/api/preview/awf/help_page_templates/{workflow_id}/{usage}
PUT {veza_url}/api/preview/awf/help_page_templates
# Help for {{WORKFLOW_NAME}}
## Formatting
Formatting text in Markdown:
- *Italic text*
- **Bold text**
- `Code block`
- [Link text](https://example.com)
## Bullet Lists
Bullet lists in Markdown:
- Item 1
- Item 2
- Item 3
## Numbered Lists
Numbered lists in Markdown:
1. First item
2. Second item
3. Third item
## Placeholders
The following placeholders are available:
- {{WORKFLOW_NAME}}
- {{WORKFLOW_URL}}
- {{WORKFLOW_TIME}}
- {{WORKFLOW_OWNER}}
- {{WORKFLOW_DESCRIPTION}}
- {{WORKFLOW_CERT_STARTED_ON_DATE}}
- {{WORKFLOW_CERT_STARTED_ON_TIME}}
- {{WORKFLOW_CERT_CREATED_BY}}
- {{WORKFLOW_CERT_LAST_UPDATED_ON_DATE}}
- {{WORKFLOW_CERT_LAST_UPDATED_ON_TIME}}
- {{WORKFLOW_CERT_LAST_UPDATED_BY}}
- {{WORKFLOW_CERT_COMPLETED_ON_DATE}}
- {{WORKFLOW_CERT_COMPLETED_ON_TIME}}
- {{WORKFLOW_CERT_COMPLETED_BY}}
- {{WORKFLOW_CERT_LAST_ACTIVITY_ON_DATE}}
- {{WORKFLOW_CERT_LAST_ACTIVITY_ON_TIME}}
- {{WORKFLOW_CERT_LAST_ACTIVITY_BY}}
- {{WORKFLOW_CERT_DUE_ON_DATE}}
- {{WORKFLOW_CERT_REVIEWERS}}
POST {{veza_url}}/api/preview/awf/help_page_templates
{
"value": {
"workflow_id": "bc2b2daa-3508-4c0c-a0f2-8a2fb0ef59d9",
"name": "Review Help",
"template_body": "# {{WORKFLOW_NAME}} Review Guide\n\nWelcome to the {{WORKFLOW_NAME}} review process. Please follow the steps below:\n\n## Review Steps\n\n",
"usage": "HELP_PAGE"
}
}
GET {{veza_url}}/api/preview/awf/help_page_templates
{
"values": [
{
"workflow_id": "8c1772da-a7c3-4dc7-8b09-b900af011ee5",
"name": "Review Start Popup",
"usage": "REVIEW_START"
}
]
}
GET {{veza_url}}/api/preview/awf/help_page_templates/{{workflow_id}}/{{usage}}
GET {{veza_url}}/api/preview/awf/certification_help_page?certification_id={{cert_id}}
{
"content": "# Help for Reviewers\n\n## Instructions:\n\n"
}
DELETE {{veza_url}}/api/preview/awf/help_page_templates/{{workflow_id}}/{{usage}}
{
"value": {
"name": "Global Sign Off Confirmation",
"template_body": "string",
"workflow_id": "00000000-0000-0000-0000-000000000000",
"usage": "SIGN_OFF"
}
}
OK
Default error response
GET /api/private/workflows/access/global_settings/allow_reviewer_exports HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Accept: */*
{
"value": {
"allow_csv_exports": true,
"allow_pdf_exports": true
},
"workflow_id": "text"
}
OK
Default error response
PUT /api/private/workflows/access/global_settings/allow_reviewer_exports HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Content-Type: application/json
Accept: */*
Content-Length: 82
{
"value": {
"allow_csv_exports": true,
"allow_pdf_exports": true
},
"workflow_id": "text"
}
{}
An empty workflow_id means that the smart action can be used for any workflow.
OK
Default error response
POST /api/preview/awf/smart_action_definitions HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Content-Type: application/json
Accept: */*
Content-Length: 1787
{
"name": "text",
"description": "text",
"workflow_id": "text",
"filter": "text",
"mutable_fields": {
"decision": 1,
"notes": "text",
"updated_at": "2025-09-18T21:08:45.276Z",
"updated_by": {
"user_type": "text",
"id": "text",
"email": "text",
"name": "text"
},
"notification_infos": {
"values": [
{
"notification_type": 1,
"webhook_type": 1,
"status": 1,
"error_message": "text",
"updated_at": "2025-09-18T21:08:45.276Z",
"snow_info": {
"ticket_number": "text",
"sys_id": "text"
},
"webhook_info": {
"info": "text"
},
"jira_info": {
"keys": [
"text"
]
},
"slack_app_info": {}
}
]
},
"notification_status": 1,
"reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text"
}
],
"signed_off_state": 1,
"signed_off_at": "2025-09-18T21:08:45.276Z",
"signed_off_by": {
"user_type": "text",
"id": "text",
"email": "text",
"name": "text"
},
"action_log": {
"entries": [
{
"action": 1,
"user": {
"user_type": "text",
"id": "text",
"email": "text",
"name": "text"
},
"time": "2025-09-18T21:08:45.276Z",
"note": "text",
"reviewer_detail": {
"old_reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text"
}
],
"new_reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text"
}
]
},
"decision_detail": {
"decision": 1,
"note": "text"
},
"approval_level": 1
}
]
},
"reviewer_assignment": {
"users_manager": true,
"resource_managers": true,
"reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text"
}
],
"fallback_reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text"
}
],
"reviewers_managers_for_approval_levels": [
1
]
},
"automation_run_ids": [
"text"
],
"decision_by": {
"user_type": "text",
"id": "text",
"email": "text",
"name": "text"
},
"decision_at": "2025-09-18T21:08:45.276Z",
"revoke_request_infos": [
{
"id": "text",
"state": 1,
"error_message": "text"
}
],
"old_reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text"
}
]
},
"mutable_filter": "text",
"apply_to_all_rows": true
}
{
"id": "text"
}
OK
Default error response
DELETE /api/preview/awf/smart_action_definitions/{id} HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Accept: */*
{}
If no value is passed for workflow_id, all smart actions will be returned. If workflow_id is not "", smart actions with a matching workflow_id or with an empty workflow_id will be returned.
OK
Default error response
GET /api/preview/awf/smart_action_definitions HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Accept: */*
{
"values": [
{
"id": "text",
"description": "text",
"name": "text",
"workflow_id": "text",
"filter": "text",
"mutable_fields": {
"decision": 1,
"notes": "text",
"updated_at": "2025-09-18T21:08:45.276Z",
"updated_by": {
"user_type": "text",
"id": "text",
"email": "text",
"name": "text"
},
"notification_infos": {
"values": [
{
"notification_type": 1,
"webhook_type": 1,
"status": 1,
"error_message": "text",
"updated_at": "2025-09-18T21:08:45.276Z",
"snow_info": {
"ticket_number": "text",
"sys_id": "text"
},
"webhook_info": {
"info": "text"
},
"jira_info": {
"keys": [
"text"
]
},
"slack_app_info": {}
}
]
},
"notification_status": 1,
"reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text"
}
],
"signed_off_state": 1,
"signed_off_at": "2025-09-18T21:08:45.276Z",
"signed_off_by": {
"user_type": "text",
"id": "text",
"email": "text",
"name": "text"
},
"action_log": {
"entries": [
{
"action": 1,
"user": {
"user_type": "text",
"id": "text",
"email": "text",
"name": "text"
},
"time": "2025-09-18T21:08:45.276Z",
"note": "text",
"reviewer_detail": {
"old_reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text"
}
],
"new_reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text"
}
]
},
"decision_detail": {
"decision": 1,
"note": "text"
},
"approval_level": 1
}
]
},
"reviewer_assignment": {
"users_manager": true,
"resource_managers": true,
"reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text"
}
],
"fallback_reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text"
}
],
"reviewers_managers_for_approval_levels": [
1
]
},
"automation_run_ids": [
"text"
],
"decision_by": {
"user_type": "text",
"id": "text",
"email": "text",
"name": "text"
},
"decision_at": "2025-09-18T21:08:45.276Z",
"revoke_request_infos": [
{
"id": "text",
"state": 1,
"error_message": "text"
}
],
"old_reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text"
}
]
},
"mutable_filter": "text",
"apply_to_all_rows": true
}
]
}
OK
Default error response
PUT /api/preview/awf/smart_action_definitions HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Content-Type: application/json
Accept: */*
Content-Length: 1809
{
"value": {
"id": "text",
"description": "text",
"name": "text",
"workflow_id": "text",
"filter": "text",
"mutable_fields": {
"decision": 1,
"notes": "text",
"updated_at": "2025-09-18T21:08:45.276Z",
"updated_by": {
"user_type": "text",
"id": "text",
"email": "text",
"name": "text"
},
"notification_infos": {
"values": [
{
"notification_type": 1,
"webhook_type": 1,
"status": 1,
"error_message": "text",
"updated_at": "2025-09-18T21:08:45.276Z",
"snow_info": {
"ticket_number": "text",
"sys_id": "text"
},
"webhook_info": {
"info": "text"
},
"jira_info": {
"keys": [
"text"
]
},
"slack_app_info": {}
}
]
},
"notification_status": 1,
"reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text"
}
],
"signed_off_state": 1,
"signed_off_at": "2025-09-18T21:08:45.276Z",
"signed_off_by": {
"user_type": "text",
"id": "text",
"email": "text",
"name": "text"
},
"action_log": {
"entries": [
{
"action": 1,
"user": {
"user_type": "text",
"id": "text",
"email": "text",
"name": "text"
},
"time": "2025-09-18T21:08:45.276Z",
"note": "text",
"reviewer_detail": {
"old_reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text"
}
],
"new_reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text"
}
]
},
"decision_detail": {
"decision": 1,
"note": "text"
},
"approval_level": 1
}
]
},
"reviewer_assignment": {
"users_manager": true,
"resource_managers": true,
"reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text"
}
],
"fallback_reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text"
}
],
"reviewers_managers_for_approval_levels": [
1
]
},
"automation_run_ids": [
"text"
],
"decision_by": {
"user_type": "text",
"id": "text",
"email": "text",
"name": "text"
},
"decision_at": "2025-09-18T21:08:45.276Z",
"revoke_request_infos": [
{
"id": "text",
"state": 1,
"error_message": "text"
}
],
"old_reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text"
}
]
},
"mutable_filter": "text",
"apply_to_all_rows": true
}
}
{}
Get, create, update, delete, and attach Intelligent Automations.
Use these operations to manage Access Review Automations and associate them with individual workflows.
Automations apply changes (such as approve, sign-off, add a note, or apply visual indicators) to Certification rows based on historical certification data, or a filter on the current results. They can run by default or on an opt-in basis when a certification is created.
For more information about this feature see .
You will need an API token with root team or administrator permissions to manage Automations.
The following rules apply when an Automation run encounters an issue:
- If Automation processing fails for any result, the Automation run stops and no further Automations are applied.
- When Automations fail, the Certification is still considered complete and non-errored. The Automation run will have an error status and message.

Results are considered the same when the entities and relationships are exactly equal (including data source IDs). If a conflict occurs with Automations trying to change the same mutable field:
- Each change must update the field to the same value. The action log entry will contain notes (if supplied) for each action.
- Automations changing a field to differing values are unresolvable conflicts and skipped, but will not interrupt the Automation run.
An Automation consists of attachment_behavior rules, filter criteria, and an action to apply:
Each Automation object has the fields:
- id (String): Unique identifier for the Automation.
- name (String): Name of the Automation.
- description (String): A brief description of the Automation.
- priority (Integer): Priority value of the Automation (not currently supported).
- attachment_behavior (Object): Defines if the Automation is available for all workflows, and whether it is optional:
  - attach_to_new_workflows (Boolean): Indicates whether to automatically attach to new and existing workflows.
  - opt_in (Boolean): If true, operators can pick the automation when creating a Workflow. If false, the automation is enabled by default.
- criteria (Object): Specifies filters for conditionally updating results:
  - filter (String): A SCIM filter specifying a source or destination attribute with support for complex expressions using AND, OR, and parentheses for grouping. Examples:
    - Simple filter: source.is_active eq false
    - Complex filter: (source.name sw "A" OR source.name sw "B") AND destination.is_active eq true
  - mutable_filter (String): A filter on a previous result mutable field using the syntax previous.attribute. Example: "previous.decision eq "RESULT_DECISION_ACCEPTED""
Similarly to Smart Actions, Automations can update results based on a source or destination attribute (such as activity status). Filters use the syntax source.attribute or destination.attribute.
Mutable filters in Automations use the syntax previous.decision, previous.notes and previous.signed_off_state to refer to historical row data. The possible values are:
- decision: "RESULT_DECISION_UNKNOWN", "RESULT_DECISION_NONE", "RESULT_DECISION_ACCEPTED", "RESULT_DECISION_REJECTED", "RESULT_DECISION_FIXED"
- notes: string
- signed_off_state: "UNKNOWN", "NOT_SIGNED_OFF", "SIGNED_OFF"
- action (Object): Action the Automation will apply to matching results:
  - decision (String): Decision code for the action.
  - signed_off_state (String): Sign off state code.
  - notes (String): Notes the automation will apply.
  - display_style (String): Visual indicator to apply to matching rows:
    - HIGHLIGHT: Highlight the row
    - SUGGEST_ACCEPT: Mark the row as suggested for acceptance
    - SUGGEST_REJECT: Mark the row as suggested for rejection
  - display_text (String): Custom message to show when display_style is set

  Note: When using display_style actions, you cannot set decision, signed_off_state, notes, or reviewer_assignment fields.

  Possible decisions and numeric codes are: UNKNOWN (0), NONE (1), ACCEPTED (2), REJECTED (3), FIXED (4)

  Signed Off State can be: UNKNOWN_SIGNED_OFF = 0; NOT_SIGNED_OFF = 1; SIGNED_OFF = 2;

  - reviewer_assignment (Object): The preview API does not currently support Reviewer assignment.
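An added example (not Veza's code): a pre-flight lint that checks Automation definitions against the field rules listed above before they are sent to the API, and lists pairs of Automations that set the same field to differing values. It accepts decision and signed_off_state by name or numeric code and expects display_style by name; the filter checks are structural only (not a SCIM parser), the flag on default-on auto-acceptance is a local review policy assumed here, and the sample Automations are constructed.

```python
import re
from itertools import combinations

# Enumerations and rules as listed in the field descriptions above.
DECISIONS = {"UNKNOWN": 0, "NONE": 1, "ACCEPTED": 2, "REJECTED": 3, "FIXED": 4}
SIGN_OFF = {"UNKNOWN_SIGNED_OFF": 0, "NOT_SIGNED_OFF": 1, "SIGNED_OFF": 2}
DISPLAY_STYLES = {"HIGHLIGHT", "SUGGEST_ACCEPT", "SUGGEST_REJECT"}
MODIFY_FIELDS = ("decision", "signed_off_state", "notes", "reviewer_assignment")
ENUM_FIELDS = (("decision", DECISIONS), ("signed_off_state", SIGN_OFF))
PREVIOUS_VALUES = {  # allowed values for previous.<attr>; None means free text
    "decision": {"RESULT_DECISION_" + name for name in DECISIONS},
    "signed_off_state": {"UNKNOWN", "NOT_SIGNED_OFF", "SIGNED_OFF"},
    "notes": None,
}
QUOTED = re.compile(r'"[^"]*"')
ATTR_REF = re.compile(r"\b([A-Za-z_]\w*)\.[A-Za-z_]\w*")
PREVIOUS_EQ = re.compile(r'previous\.(\w+)\s+eq\s+"([^"]*)"')

def enum_code(value, table):
    """Numeric code for an enum given by name or number; None if unset or unknown."""
    if isinstance(value, str):
        return table.get(value)
    if isinstance(value, int) and not isinstance(value, bool) and value in table.values():
        return value
    return None

def check_filter(text, prefixes):
    """Structural checks only: balanced parentheses and attribute prefixes."""
    bare, depth, problems = QUOTED.sub('""', text), 0, []
    for ch in bare:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            break
    if depth:
        problems.append("unbalanced parentheses")
    problems += [f"unexpected prefix '{p}.'" for p in ATTR_REF.findall(bare) if p not in prefixes]
    return problems

def lint_automation(auto):
    """Return a list of problems found in one Automation definition."""
    action, criteria = auto.get("action") or {}, auto.get("criteria") or {}
    issues = []
    style = action.get("display_style")
    modified = [f for f in MODIFY_FIELDS if action.get(f) not in (None, "")]
    if style is not None:
        if style not in DISPLAY_STYLES:
            issues.append(f"unknown display_style {style!r}")
        if modified:  # display actions and modification actions are exclusive
            issues.append("display_style cannot be combined with " + ", ".join(modified))
    elif action.get("display_text"):
        issues.append("display_text is only shown when display_style is set")
    if action.get("reviewer_assignment") is not None:
        issues.append("reviewer_assignment is not supported by the preview API")
    for field, table in ENUM_FIELDS:
        value = action.get(field)
        if value not in (None, "") and enum_code(value, table) is None:
            issues.append(f"unknown {field} {value!r}")
    issues += ["filter: " + p
               for p in check_filter(criteria.get("filter") or "", {"source", "destination"})]
    mutable = criteria.get("mutable_filter") or ""
    issues += ["mutable_filter: " + p for p in check_filter(mutable, {"previous"})]
    for attr, value in PREVIOUS_EQ.findall(mutable):
        if attr not in PREVIOUS_VALUES:
            issues.append(f"mutable_filter: unknown attribute previous.{attr}")
        elif PREVIOUS_VALUES[attr] is not None and value not in PREVIOUS_VALUES[attr]:
            issues.append(f"mutable_filter: previous.{attr} cannot equal {value!r}")
    # Assumption (local review policy, not a Veza rule): flag default-on auto-acceptance.
    opt_in = (auto.get("attachment_behavior") or {}).get("opt_in")
    if enum_code(action.get("decision"), DECISIONS) == DECISIONS["ACCEPTED"] and opt_in is False:
        issues.append("review: accepts rows by default (opt_in is false)")
    return issues

def potential_conflicts(automations):
    """Pairs that set the same field to differing values. They only collide at
    run time if both filters match the same result row."""
    found = []
    for a, b in combinations(automations, 2):
        for field, table in ENUM_FIELDS:
            va = enum_code((a.get("action") or {}).get(field), table)
            vb = enum_code((b.get("action") or {}).get(field), table)
            if None not in (va, vb) and va != vb:
                found.append((a.get("name"), b.get("name"), field))
    return found

SAMPLE_AUTOMATIONS = [  # constructed; the first mirrors the page's HIGHLIGHT example
    {"name": "Highlight inactive sources", "attachment_behavior": {"opt_in": True},
     "criteria": {"filter": "source.is_active eq false", "mutable_filter": ""},
     "action": {"display_style": "HIGHLIGHT", "display_text": "Source account is inactive"}},
    {"name": "Carry forward approvals", "attachment_behavior": {"opt_in": False},
     "criteria": {"filter": "",
                  "mutable_filter": 'previous.decision eq "RESULT_DECISION_ACCEPTED"'},
     "action": {"decision": "ACCEPTED", "signed_off_state": "SIGNED_OFF", "notes": "Carried"}},
    {"name": "Reject inactive sources", "attachment_behavior": {"opt_in": True},
     "criteria": {"filter": "source.is_active eq false", "mutable_filter": ""},
     "action": {"decision": 3, "notes": "Inactive account"}},
    {"name": "Broken suggestion", "attachment_behavior": {"opt_in": True},
     "criteria": {"filter": '(user.name sw "A"',
                  "mutable_filter": 'previous.decision eq "ACCEPTED"'},
     "action": {"display_style": "SUGGEST_REJECT", "notes": "check"}},
]

if __name__ == "__main__":
    for auto in SAMPLE_AUTOMATIONS:
        print(auto["name"], "->", lint_automation(auto) or "ok")
    print(potential_conflicts(SAMPLE_AUTOMATIONS))
```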
Use the endpoints documented below to create and manage automations:
Endpoint: /api/preview/awf/automations
Method: GET
Description: Returns all Automations and configuration details.
Returns all in a values array.
Endpoint: /api/preview/awf/automations
Method: PUT
Description: Updates an existing Automation. The full Automation object is required.
Endpoint: /api/preview/awf/automations
Method: POST
Description: Creates a new Automation.
Endpoint: /api/preview/awf/automations/{id}
Method: GET
Description: Get details for a single Automation by ID.
Endpoint: /api/preview/awf/automations/{id}
Method: DELETE
Description: Deletes a specific Automation by its ID.
Endpoint: /api/preview/awf/automations:attach
Method: POST
Description: Enable an Automation for a specific workflow, or all workflows.
Attach one or all Automations to a single workflow by specifying the:
- id (String): Single Automation ID.
- workflow_id (String): ID of the workflow to associate Automations with.
- all (boolean): If True, attaches all existing Automations to the Workflow.
- opt_in (boolean): If False the Automation can be selected when creating a certification. Otherwise, operators can enable it when creating certifications.
Endpoint: /api/preview/awf/automations:attached/{workflow_id}
Method: GET
Description: Returns all Automations eligible to run on Certifications for a given Workflow id.
Endpoint: /api/preview/awf/automations:detach
Method: POST
Description: Detach one or all Automations from an Access Review Workflow.
GET {{base_url}}/api/preview/awf/workflows
curl '{{VEZA_URL}}/api/preview/awf/workflows' \
-H "authorization: Bearer $token"
{
"values": [
{
"workflow_id": "b9dc2586-5f30-4462-b6be-53f62debc40f",
"name": "demo",
"description": "demo",
"owner": {
"user_type": "localCookieUser",
"id": "e3ac5e6a-1946-4688-82a7-8a607133a1c8",
"email": "[email protected]",
"name": "earlypreview-auth0"
},
"notes": "",
"query": {
"raw_permissions": null,
"effective_permissions": null,
"source_node_types": {
"nodes": [
{
"node_type": "GoogleWorkspaceUser",
"tags": [],
"conditions": [],
"condition_expression": null,
"node_id": "",
"excluded_tags": [],
"count_conditions": [],
"direct_relationship_only": false,
"node_type_grouping_constraint": null
}
],
"nodes_operator": "AND"
},
"required_intermediate_node_types": {
"nodes": [],
"nodes_operator": "AND"
},
"avoided_intermediate_node_types": {
"nodes": [],
"nodes_operator": "AND"
},
"destination_node_types": {
"nodes": [
{
"node_type": "GoogleCloudProject",
"tags": [],
"conditions": [],
"condition_expression": null,
"node_id": "",
"excluded_tags": [],
"count_conditions": [],
"direct_relationship_only": false,
"node_type_grouping_constraint": null
}
],
"nodes_operator": "AND"
},
"no_relation": false,
"snapshot_id": "1690354800",
"waypoint_node_types": {
"nodes": [
{
"node_type": "GoogleCloudIamRoleBinding",
"tags": [],
"conditions": [],
"condition_expression": null,
"node_id": "",
"excluded_tags": [],
"count_conditions": [],
"direct_relationship_only": false,
"node_type_grouping_constraint": null
}
],
"nodes_operator": "AND"
},
"path_summary_node_types": null,
"node_relationship_type": "CONFIGURED",
"include_all_source_tags_in_results": true,
"include_all_destination_tags_in_results": false,
"page_size": "0",
"page_token": ""
},
"creator": {
"user_type": "localCookieUser",
"id": "e3ac5e6a-1946-4688-82a7-8a607133a1c8",
"email": "[email protected]",
"name": "earlypreview-auth0"
},
"created_at": "2023-07-27T03:34:56.166550127Z"
},
{
"workflow_id": "baecbd47-bd3d-4d52-acb8-34840a8973b2",
"name": "Azure PS",
"description": "",
"owner": {
"user_type": "localCookieUser",
"id": "e3ac5e6a-1946-4688-82a7-8a607133a1c8",
"email": "[email protected]",
"name": "earlypreview-auth0"
},
"notes": "",
"query": {
"raw_permissions": null,
"effective_permissions": null,
"source_node_types": {
"nodes": [
{
"node_type": "Principal",
"tags": [],
"conditions": [],
"condition_expression": null,
"node_id": "",
"excluded_tags": [],
"count_conditions": [],
"direct_relationship_only": false,
"node_type_grouping_constraint": null
}
],
"nodes_operator": "AND"
},
"required_intermediate_node_types": {
"nodes": [],
"nodes_operator": "AND"
},
"avoided_intermediate_node_types": {
"nodes": [],
"nodes_operator": "AND"
},
"destination_node_types": {
"nodes": [
{
"node_type": "AzureDataLakeFilesystem",
"tags": [],
"conditions": [],
"condition_expression": null,
"node_id": "",
"excluded_tags": [],
"count_conditions": [],
"direct_relationship_only": false,
"node_type_grouping_constraint": null
}
],
"nodes_operator": "AND"
},
"no_relation": false,
"snapshot_id": "1675900800",
"waypoint_node_types": null,
"path_summary_node_types": {
"nodes": [
{
"node_type": "AzureADGroup",
"tags": [],
"conditions": [],
"condition_expression": null,
"node_id": "",
"excluded_tags": [],
"count_conditions": [],
"direct_relationship_only": false,
"node_type_grouping_constraint": null
},
{
"node_type": "ActiveDirectoryGroup",
"tags": [],
"conditions": [],
"condition_expression": null,
"node_id": "",
"excluded_tags": [],
"count_conditions": [],
"direct_relationship_only": false,
"node_type_grouping_constraint": null
},
{
"node_type": "AzureRoleAssignment",
"tags": [],
"conditions": [],
"condition_expression": null,
"node_id": "",
"excluded_tags": [],
"count_conditions": [],
"direct_relationship_only": false,
"node_type_grouping_constraint": null
},
{
"node_type": "AzureAssignmentPermissions",
"tags": [],
"conditions": [],
"condition_expression": null,
"node_id": "",
"excluded_tags": [],
"count_conditions": [],
"direct_relationship_only": false,
"node_type_grouping_constraint": null
}
],
"nodes_operator": "AND"
},
"node_relationship_type": "CONFIGURED",
"include_all_source_tags_in_results": false,
"include_all_destination_tags_in_results": false,
"page_size": "0",
"page_token": ""
},
"creator": {
"user_type": "localCookieUser",
"id": "e3ac5e6a-1946-4688-82a7-8a607133a1c8",
"email": "[email protected]",
"name": "earlypreview-auth0"
},
"created_at": "2023-02-09T03:07:24.458473708Z"
}
]
}
{
"id": "e48dd2c8-3633-463b-a477-0177a942b5a6",
"name": "Highlight inactive sources",
"description": "Highlight rows where the source account is inactive",
"priority": 0,
"attachment_behavior": {
"attach_to_new_workflows": true,
"opt_in": true
},
"criteria": {
"filter": "source.is_active eq false",
"mutable_filter": ""
},
"action": {
"display_style": "HIGHLIGHT",
"display_text": "Source account is inactive"
}
}
{
"id": "f59ee3d9-4744-574c-b588-1288b0942c7c",
"name": "Reject privileged account access",
"description": "Suggest reject for admin or root accounts",
"priority": 0,
"attachment_behavior": {
"attach_to_new_workflows": true,
"opt_in": true
},
"criteria": {
"filter": "(destination.name eq \"admin\") OR (source.name eq \"root\")",
"mutable_filter": ""
},
"action": {
"display_style": "SUGGEST_REJECT",
"display_text": "Privileged account detected - review carefully"
}
}
{
"id": "string",
"name": "string",
"description": "string",
"priority": 0,
"attachment_behavior": {
"attach_to_new_workflows": boolean,
"opt_in": boolean
},
"criteria": {
"filter": "string",
"mutable_filter": "string"
},
"action": {
// For modification actions:
"decision": "string",
"signed_off_state": "string",
"notes": "string",
"reviewer_assignment": null,
// OR for display actions:
"display_style": "string",
"display_text": "string"
}
}
OK
Default error response
GET /api/preview/awf/automations HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Accept: */*
{
"values": [
{
"id": "text",
"name": "text",
"description": "text",
"priority": 1,
"attachment_behavior": {
"attach_to_new_workflows": true,
"opt_in": true
},
"criteria": {
"filter": "text",
"mutable_filter": "text"
},
"action": {
"decision": 1,
"signed_off_state": 1,
"notes": "text",
"reviewer_assignment": {
"users_manager": true,
"resource_managers": true,
"reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text"
}
],
"fallback_reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text"
}
],
"reviewers_managers_for_approval_levels": [
1
]
},
"display_style": 1,
"display_text": "text"
}
}
]
}
OK
Default error response
PUT /api/preview/awf/automations HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Content-Type: application/json
Accept: */*
Content-Length: 569
{
"value": {
"id": "text",
"name": "text",
"description": "text",
"priority": 1,
"attachment_behavior": {
"attach_to_new_workflows": true,
"opt_in": true
},
"criteria": {
"filter": "text",
"mutable_filter": "text"
},
"action": {
"decision": 1,
"signed_off_state": 1,
"notes": "text",
"reviewer_assignment": {
"users_manager": true,
"resource_managers": true,
"reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text"
}
],
"fallback_reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text"
}
],
"reviewers_managers_for_approval_levels": [
1
]
},
"display_style": 1,
"display_text": "text"
}
}
}
{}
OK
Default error response
POST /api/preview/awf/automations HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Content-Type: application/json
Accept: */*
Content-Length: 547
{
"name": "text",
"description": "text",
"priority": 1,
"attachment_behavior": {
"attach_to_new_workflows": true,
"opt_in": true
},
"criteria": {
"filter": "text",
"mutable_filter": "text"
},
"action": {
"decision": 1,
"signed_off_state": 1,
"notes": "text",
"reviewer_assignment": {
"users_manager": true,
"resource_managers": true,
"reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text"
}
],
"fallback_reviewers": [
{
"user_type": "text",
"id": "text",
"email": "text",
"name": "text"
}
],
"reviewers_managers_for_approval_levels": [
1
]
},
"display_style": 1,
"display_text": "text"
}
}
{
"id": "text"
}
OK
Default error response
GET /api/preview/awf/automations/{id} HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Accept: */*

{
  "value": {
    "id": "text",
    "name": "text",
    "description": "text",
    "priority": 1,
    "attachment_behavior": {
      "attach_to_new_workflows": true,
      "opt_in": true
    },
    "criteria": {
      "filter": "text",
      "mutable_filter": "text"
    },
    "action": {
      "decision": 1,
      "signed_off_state": 1,
      "notes": "text",
      "reviewer_assignment": {
        "users_manager": true,
        "resource_managers": true,
        "reviewers": [
          {
            "user_type": "text",
            "id": "text",
            "email": "text",
            "name": "text"
          }
        ],
        "fallback_reviewers": [
          {
            "user_type": "text",
            "id": "text",
            "email": "text",
            "name": "text"
          }
        ],
        "reviewers_managers_for_approval_levels": [
          1
        ]
      },
      "display_style": 1,
      "display_text": "text"
    }
  }
}
OK
Default error response
DELETE /api/preview/awf/automations/{id} HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Accept: */*

{}
Attaches an automation to one or all workflows. Attach will succeed if the automation is already attached, and will update the "opt_in" if necessary.
OK
Default error response
POST /api/preview/awf/automations:attach HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Content-Type: application/json
Accept: */*
Content-Length: 59

{
  "id": "text",
  "workflow_id": "text",
  "all": true,
  "opt_in": true
}

{}
OK
Default error response
GET /api/preview/awf/automations:attached/{workflow_id} HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Accept: */*

{
  "values": [
    {
      "automation": {
        "id": "text",
        "name": "text",
        "description": "text",
        "priority": 1,
        "attachment_behavior": {
          "attach_to_new_workflows": true,
          "opt_in": true
        },
        "criteria": {
          "filter": "text",
          "mutable_filter": "text"
        },
        "action": {
          "decision": 1,
          "signed_off_state": 1,
          "notes": "text",
          "reviewer_assignment": {
            "users_manager": true,
            "resource_managers": true,
            "reviewers": [
              {
                "user_type": "text",
                "id": "text",
                "email": "text",
                "name": "text"
              }
            ],
            "fallback_reviewers": [
              {
                "user_type": "text",
                "id": "text",
                "email": "text",
                "name": "text"
              }
            ],
            "reviewers_managers_for_approval_levels": [
              1
            ]
          },
          "display_style": 1,
          "display_text": "text"
        }
      },
      "opt_in": true
    }
  ]
}
Detaches an automation from one or all workflows
OK
Default error response
POST /api/preview/awf/automations:detach HTTP/1.1
Host: your-tenant.cookiecloud.ai
Authorization: Bearer JWT
Content-Type: application/json
Accept: */*
Content-Length: 45

{
  "id": "text",
  "workflow_id": "text",
  "all": true
}

{}