How to assign reviewers when creating a review, and re-assign row-level reviewers in active reviews.
When creating a review, operators will specify one or more reviewers for all the rows. They can also automatically assign rows to the applicable user’s manager or resource owner when auto-assignment is available.
After creating a review as a draft, operators can assign reviewers for each row and validate auto-assignments. Once the review starts, reviewers can reassign their work to others as needed.
Reviews can involve many different reviewers, who might be assigned only some of the rows in a review:
By default, the possible reviewers are Veza local users or external users who have logged in with single sign-on.
Reviewers can have the "Access Reviewer" role which limits the reviewer to essential review functions within Veza Access Reviews. See User Management for possible user roles.
See Configuring a Global Identity Provider to show all users in your organization as possible reviewers. This also enables manager auto-assignment.
Veza can identify and assign Entity Owners and Resource Manager Tags as individual reviewers for each row.
See Email Notifications and Reminders to inform reviewers and other stakeholders by email when rows are re-assigned or other actions occur.
When creating a review, operators may optionally assign one or more default reviewers. These reviewers are designated to act on all rows in the review.
To add default reviewers:
On the Configurations page, find the configuration you will create a review for.
Click the review name to open the Details page.
Click New Review to open the review creation wizard.
Under Assign Reviewers, choose users from the list to assign them as reviewers for all rows.
Auto-assignment will delegate decision-making to users Veza can identify as the manager of an identity under review, or the owner of a resource the identity can access. Veza supports auto-assignment both for all rows at review creation, and for selected rows when re-assigning reviewers.
Managers are identified by a user's manager attribute from the global IdP.
Resource owners are identified by a Veza tag on the destination resource, added by API or from the Access Visibility > Graph actions sidebar.
Fallback Reviewers are assigned when a manager or resource owner cannot be found. Fallback reviewers are also used when a rule, such as a potential reviewer being on the deny list, would prevent the assignment.
To auto-assign reviewers when creating a review:
On the Configurations page, find the configuration you will create a review for.
Click the review name to open the Details page.
Click New Review to open the review creation wizard.
Under Assign Reviewers, enable an option to Auto-Assign Reviewers:
See Reviewer Selection Methods for more on fallback behavior and rules.
You must integrate a global identity provider (IdP) for Access Reviews to enable manager auto-assignment. For more details, see Entity Owners and Resource Manager Tags.
Once a review is in progress, operators and assigned reviewers can re-assign rows to another reviewer. In the reviewer interface, the Reviewers column shows any non-default reviewers for each row.
To reassign reviewers for a row:
Expand the row actions dropdown menu (⠇) and click Reassign Reviewers.
Choose from the list of possible reviewers to reassign the row, or enable an auto-assignment method:
In the reviewer's interface, you can use a bulk action to reassign many rows at a time:
Tick the boxes to enable bulk actions on several rows.
Click Reassign Reviewers above the table of results.
Assign reviewers by type to search for a username or email, or auto-assign the user manager or resource owner.
Confirm your selection and click Save.
See Filters and Bulk Actions for more information about combining bulk actions with filters for efficient review workflows.
How to create a new one-time access review from a saved configuration.
Create a review to start a one-time review based on the specified configuration. In doing so, you can set the due date and assign default reviewers for all rows. You can also automatically apply decisions to some rows, or customize the time frame for which to review access.
You can create a review as a draft, or publish it right away. Use the Create as draft option to inspect the results and individually assign rows, before triggering any email notifications specified in the review configuration.
Once the review is published, reviewers can log in to Veza to approve or reject access using the reviewer interface.
You will need:
A saved review configuration. Review configurations define the scope of an access review. When creating a configuration, owners can customize Veza Actions and email notification settings that apply to all reviews for that configuration.
A user account with the Veza admin or operator root team role is required to create configurations and start reviews.
On the Configurations page, find the configuration you will create a review for.
Click the review name to open the Details page.
Click Create Review to open the review creation options. You now have two choices:
1-Step: Create a review and configuration simultaneously using the quick builder. See 1-Step Access Reviews for detailed instructions.
Use Configuration: Create a review using a new or existing configuration to define the review scope (following the steps below).
If you chose Use Configuration, the review creation wizard will open with the following steps.
Select Review Configuration:
Leave this unchanged to create a review for the configuration you just viewed. Alternatively, you can use the dropdown to pick any saved review configuration.
Set Due Date:
Pick the date the review will finish. Reminder emails can trigger on, before, and after the due date depending on the notification settings in the configuration.
Assign Reviewers:
Choose users from the list to assign them as reviewers for all rows. If the configuration includes reviewer notifications, notification emails will be dispatched on review publication.
Review Intelligence:
The default options apply decisions automatically to rows that were approved or rejected in the last review for the configuration. If an administrator has added additional Review Intelligence Policies, you can enable them here.
Time Frame Options: Use this section to review access at a particular point in time, or based on Veza's latest graph data:
From the moment the review is created: Uses the most recently parsed integration data, including any changes since the last daily snapshot.
From the most recent daily snapshot: Uses Veza's most recent snapshot (which might be different from the latest data).
From another snapshot: Choose Graph data from a previous date. Use this option to review access at a specific point in time.
Data Source Status: Under Time Frame Options, click Data Source Status to view details for the chosen snapshot. Use this option to check if an important integration is inactive or reporting errors.
Click Create or Create and Publish to save the review and return to the configuration details page.
Using filters to apply actions to several rows at a time, across many pages of results.
Use bulk actions in the review interface to update many rows at once with a note, decision, or sign-off state. You can also use bulk actions to change reviewer assignments for a group of results.
Filtering the reviewer interface based on specific criteria and acting on rows in bulk is a recommended workflow for working on large access reviews.
For example, bulk actions can:
Update all rows that already have a decision, note, or an assigned reviewer.
Reassign reviewers based on an attribute such as department, region, or manager.
Approve or reject access for specific permissions.
This document describes a recommended workflow for acting on all results that match the current filter.
Use filters to apply group actions based on an attribute, decision, or other column for a result row:
Click Filters at the top of the review interface.
Click Show More to reveal all possible columns.
Find an attribute to filter on and click on it.
Filterable attributes are grouped with a prefix to indicate the element of the access relationship they apply to.
Source: Attributes on the entity whose access is under review (e.g., user name or group type).
Destination: Attributes on the related entity.
Intermediate: Attributes for a waypoint entity connecting the source and destination. This option is enabled at the configuration level by specifying a single Relationship entity type.
Summary Entities: The name, ID, or entity type of any entity that appears in the path summary. A path summary can be enabled at the configuration level to show a sequence of several entities connecting the source and destination, such as groups, roles, or other resources.
Metadata: Review-specific information such as the decision, notes, and assigned reviewers.
Operator: For text strings, options are CONTAINS, EQUALS, NOT EQUALS, STARTS WITH, and ENDS WITH. When filtering on dates, you will instead pick a time range.
Parameter: Enter the text to match.
(Optional) Add Another to specify more matchers. Strings are grouped with an "OR" statement, for example, "Destination Region" EQUALS "East" OR EQUALS "WEST".
(Optional) Click another property on the Filters menu to refine your search with additional attributes.
Click Apply to filter the reviewer interfaces based on your selection.
Notes:
The filter string can be empty, for example, User Department EQUALS (empty value).
To treat a numeric value as a string (such as to match numbers in user names), enclose the numbers in quotes (Name, CONTAINS, "00000"). Otherwise, the number will be treated as an integer.
You can include leading or trailing spaces in the search text by enclosing the filter string in quotes, for example, Resource Name = " Bucket ".
Possible actions are Approve, Reject, Reassign Reviewers, or Add Note. To sign off, click the button at the top right.
To apply an action to rows matching a filter:
Customize and apply a filter to show just the results you want to act on.
Choose the rows with the checkboxes on the left.
At the top of the screen, click on an action to apply.
To act on all rows on all pages in the review, instead of just the current page:
Tick the multi-select box at the top left to select all rows on the page.
Click Select all rows above the table of results.
Choose an action to apply and confirm your decision.
Review access in structured, collapsible sections to streamline review workflows and enable bulk actions.
Early Access: Row grouping is currently provided as an optional feature. Please contact our support team to enable this capability for your Veza tenant.
Row grouping enables reviewers to organize and consolidate their review data into structured, collapsible sections. This makes it easier to focus on key insights, manage large sets of access data, and take quick actions based on user assignments, risk levels, or changes in access.
With this option, you can group your review results in multiple ways, including by:
User: View all access associated with a specific user in one expandable section.
Source: Group rows by the entity granting access (e.g., unique users, roles, or groups).
Destination: Group access by its target (e.g., applications, roles, or resources).
Risk Level: Organize access by risk level—Critical, High, Medium, Low, or None.
Status: Separate changed vs. unchanged rows based on past review decisions.
For example, in this access review of Okta Users to Snowflake Databases, enabling the Group By > User option shows expandable groups of rows for each unique user in the results:
The “Group By” option provides a powerful way to consolidate assigned work into collapsible sections, organized by source ID, destination ID, or risk level. Row groupings can also be used to sort changed and unchanged rows, if there is historic decision data for the review.
To enable row grouping for an access review:
Click on an active review to open the results in the reviewer’s interface.
Click + Group By above the table to choose an option:
Source: Group by source entity ID (this could be each unique user, role, or group under review)
Destination: Group by the destination entity ID (e.g., individual roles, apps, or resources users are assigned to or have permissions on)
Risk Level: Group results by risk level (Critical, High, Medium, Low, or None).
Status: Group rows that are changed or unchanged since the last review using the same configuration.
Expand or collapse each group of rows to focus on different components of the access review.
Use group options to apply bulk decisions quickly:
Approve or reject multiple rows at once.
Apply actions, such as signing off, adding notes, or reassigning reviewers.
This feature is designed to streamline your review workflow, reducing manual effort and ensuring faster, more effective decision-making.
Create reviews as drafts to ensure that results are as expected, act on rows, and make changes to reviewers before notifying participants.
Operators can choose to create access reviews in an unpublished, draft state. When a review is in a draft state, it offers an opportunity for the operator to inspect the included rows and adjust default reviewer assignments before commencing the review and notifying reviewers and other stakeholders.
Notes:
Reviews must be explicitly published. When creating a new review, operators can create the review, which will save the review as a draft, or create and publish the review.
Reviewers cannot view any unpublished reviews, even when they contain rows assigned to them.
Operators can act on any results in unpublished reviews, including approving or rejecting, assigning reviewers, and signing off. Veza does not send webhooks for reviewer assignments when reviews are in draft state. All other webhooks (such as actions configured to trigger on rejected row sign-off) will trigger as normal.
Publishing the review sends notification emails triggered "On review start."
Create an access review: Create a Review.
When creating the review, click Create (instead of Create and Publish) to create the review in a draft state.
Operators can make changes to draft reviews without notifying assignees. To prepare a review, you might:
Use the Review Details sidebar on the left to configure review-specific email notifications and Veza Actions.
Add row-level reviewers with the Reassign reviewers action.
Approve or reject rows you can immediately decide on.
Add notes for other reviewers.
Sign off on one or more rows using the Sign-Off Selected button at the top right.
Review owners can publish drafts directly from the Access Reviews page:
Search for the draft review and click Publish.
To see active reviews and publish any drafts for a specific configuration:
Go to the Configurations page.
Use the search bar to find the configuration containing the review, and click to view Configuration Details.
In the Active Reviews section, find the draft review. Click Publish.
Enable recurring access reviews for a review configuration.
While some reviews may be one-time procedures, you will typically want to conduct reviews on a schedule to proactively mitigate security risks and ensure that access is evaluated consistently over time.
In Veza, you can create a schedule for any saved review configuration. The cadence for new reviews can be biweekly, monthly, every other month, or every quarter, depending on your operational practices and compliance requirements.
Scheduled reviews can have default reviewers, and can use Review Intelligence to automatically act on results that have not changed since the last review.
You will need:
The administrator or operator role for viewing and managing review configurations.
An existing review configuration. See the configuration creation steps for more details.
To schedule reviews for a configuration:
Choose a configuration on the Configurations page. Click ⠇ to expand the actions menu and choose Create Schedule.
Configure the schedule:
1.1. Add a Name and Description for the created reviews.
1.2. Assign one or more Default Reviewers for the review. These users can act on any row and reassign rows to other users. By default, Veza will suggest default reviewers based on prior reviews for the configuration.
1.3. Pick a Frequency to create reviews.
Options are Weekly, Biweekly, Monthly, Every other Month, and Quarterly.
Check the Next Run On date below the form to preview when the review will run based on the current frequency and start date.
1.4. Pick a Start Date for the schedule.
1.5. Pick a Time to run the review and the Time Zone in which it will run.
1.6. Set the Review Duration. This is the number of days until the review expires at the specified time.
1.7. (Optional) Under Use Review Intelligence Policies, enable automation to apply decisions based on a filter or prior decisions.
1.8. Set the Review Time Frame.
Each new review runs the configuration's query against the most recent graph data, the latest graph snapshot, or a historical snapshot.
Click View Datasource Statuses to inspect the current status of all Veza integrations involved in the query. Review the last sync time, status, and errors in the modal.
Click Save to create the schedule.
To edit a schedule later, find the configuration on the Configurations page and click Edit Schedule.
Procedures for validating completeness and accuracy to meet audit requirements, such as requirements for SOX, SOC1, and SOC2.
A management review control is a type of internal control where management evaluates financial, operational, or system information—such as estimates, forecasts, reconciliations, or user listings—to detect errors, inconsistencies, or unusual trends. Its effectiveness relies on the integrity of Information Produced by the Entity (IPE), as decisions are based on that data.
User access reviews (UAR) control is a management review control. As part of UARs, reviewers rely on either an export from the source system under review or an automated Identity Governance and Administration (IGA) tool, such as the Veza platform, that's integrated with the source system to perform the review. Relevant data from the source system would be automatically pulled or uploaded to the IGA tool.
Audit guidance for SOX and other compliance frameworks, such as SOC1 and SOC2 for management review controls, is that auditors should review management's procedures over completeness and accuracy of the IPE. Therefore, for user access review controls, control owner and/or control operator (e.g. the person who creates the review, the person who performs the review, the person who signs off the review) should perform procedures to validate the completeness and accuracy of user listings under review regardless of leveraging an IGA tool or performing manual reviews from a data export. Such procedures would be the 'Management's procedures'.
Note: Certain organizations perform role-to-permissions reviews for in-scope applications. Such reviews help to ensure that the permissions tied to roles are set as expected. Though the procedures listed below focus on user access reviews, the same procedures can be applicable to role-to-permission reviews as well.
Customers can use a combination of the below procedures, though final say about what's minimally required is best assessed internally with the customer's internal and external auditors. Note that some auditors may demand that you perform all of the procedures below as well as additional procedures, for example, reviewing and documenting integration configuration periodically.
To validate completeness: Reconcile the total number of source system user records vs. the total number of users for that source system reported by Veza. If total counts of users are not available in either system, trace a sample of users from the source system to Veza and make sure no user is missing.
To validate the accuracy: Trace a sample of source system users reported by Veza to the source system, and make sure no user is missing. For the sampled users, validate that the users' attributes, such as name, role, or group, are the same between Veza and the source system.
Note: There are situations where Veza can return more users than displayed in the source system. This scenario is quite common, and it does not mean that the Veza platform is inaccurate. For example, Veza can pull resource data via source system APIs, which could return a more comprehensive list of entities than displayed by default in the source system UI.
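As an added example (not Veza's own code or tooling), the following Python script carries out the two reconciliation procedures above on constructed sample listings: a count and per-user completeness check from the source system to the IGA tool, and an attribute-level accuracy trace over a reproducible sample, with IGA-only users reported for follow-up rather than treated as a failure, as the note above describes. The login names, attributes, and both user dictionaries are constructed assumptions.

```python
"""Completeness and accuracy reconciliation of a user access listing.

Added example, not Veza's own code: compares a source-system user export
with the listing an IGA tool (such as Veza) reports for that system.
Completeness: every source user appears in the IGA listing.
Accuracy: sampled IGA users exist in the source with matching attributes.
Both listings are constructed sample data keyed by login name.
"""
import random
from dataclasses import dataclass, field

# Constructed export from the source system (what its admin UI lists).
SOURCE_USERS = {
    "alice": {"name": "Alice Liu", "groups": {"finance", "approvers"}},
    "bob": {"name": "Bob Ortiz", "groups": {"engineering"}},
    "carol": {"name": "Carol Ng", "groups": {"finance"}},
}

# Constructed listing reported by the IGA tool for the same system.
# "svc_backup" illustrates the note above: an API extraction can return
# entities the source UI hides by default, so IGA-only users are reported
# for follow-up rather than counted as a completeness failure.
IGA_USERS = {
    "alice": {"name": "Alice Liu", "groups": {"finance", "approvers"}},
    "bob": {"name": "Bob Ortiz", "groups": {"engineering", "admins"}},
    "carol": {"name": "Carol Ng", "groups": {"finance"}},
    "svc_backup": {"name": "Backup Service", "groups": {"admins"}},
}


@dataclass
class ReconciliationResult:
    source_count: int
    iga_count: int
    missing_in_iga: list = field(default_factory=list)        # completeness exceptions
    extra_in_iga: list = field(default_factory=list)          # informational, see note
    attribute_mismatches: dict = field(default_factory=dict)  # accuracy exceptions

    @property
    def complete(self) -> bool:
        return not self.missing_in_iga

    @property
    def accurate(self) -> bool:
        return not self.attribute_mismatches


def sample_logins(listing, size, seed):
    """Deterministic audit sample. Record the seed in the workpaper so the
    auditor can reproduce exactly which users were traced."""
    logins = sorted(listing)
    return sorted(random.Random(seed).sample(logins, min(size, len(logins))))


def compare_attributes(src, iga):
    """Return the attributes that differ for one user, or {} if identical."""
    diff = {}
    if src["name"] != iga["name"]:
        diff["name"] = {"source": src["name"], "iga": iga["name"]}
    only_src = sorted(src["groups"] - iga["groups"])
    only_iga = sorted(iga["groups"] - src["groups"])
    if only_src or only_iga:
        diff["groups"] = {"source_only": only_src, "iga_only": only_iga}
    return diff


def reconcile(source, iga, sample=None):
    """Run both procedures. `sample` restricts the accuracy trace to a list
    of IGA logins; None traces every IGA user the source also lists."""
    result = ReconciliationResult(len(source), len(iga))
    # Completeness: source -> IGA. Any source user absent from the IGA
    # listing is an exception; IGA-only users are noted for follow-up.
    result.missing_in_iga = sorted(set(source) - set(iga))
    result.extra_in_iga = sorted(set(iga) - set(source))
    # Accuracy: IGA -> source, attribute by attribute, for the sample.
    for login in (sample if sample is not None else sorted(iga)):
        if login not in source:
            continue  # already recorded in extra_in_iga
        diff = compare_attributes(source[login], iga[login])
        if diff:
            result.attribute_mismatches[login] = diff
    return result


def workpaper(result):
    """Plain-text summary suitable for pasting into the audit record."""
    lines = [
        f"Source users: {result.source_count}, IGA users: {result.iga_count}",
        f"Completeness: {'PASS' if result.complete else 'FAIL'}"
        f" (missing in IGA: {result.missing_in_iga or 'none'})",
        f"IGA-only users for follow-up: {result.extra_in_iga or 'none'}",
        f"Accuracy: {'PASS' if result.accurate else 'FAIL'}",
    ]
    for login, diff in result.attribute_mismatches.items():
        lines.append(f"  {login}: {diff}")
    return "\n".join(lines)


if __name__ == "__main__":
    traced = sample_logins(IGA_USERS, size=3, seed=20250531)
    print("Sampled logins:", traced)
    print(workpaper(reconcile(SOURCE_USERS, IGA_USERS, sample=traced)))
```

Running it reports the sample as complete (no source user is missing), flags "svc_backup" as an IGA-only user to explain to the auditor, and fails accuracy on "bob", whose extra "admins" group is present in the IGA listing but not in the source export.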
When creating an access review in the Veza platform, review the access review's configuration before creating the first review to ensure the configuration is set as intended.
Note: To obtain a review configuration's creation and last modification date, you can refer to the corresponding user access review's PDF export.
For reviews that exclude certain types of users, it is critical to ensure that the exclusion is clearly documented by the review creator and auditor for transparency.
IMPORTANT: This procedure is highly recommended when a review configuration is used for the first time.
In the 'Administration' tab, Veza's event log contains 30 days of change history in the UI. If customers need to retain more than 30 days of data, they can use a SIEM, such as Splunk, Elastic or others, to retain their data. Either the Veza Events API or the Audit Log Event API can be used. For documentation, see Events API and Audit Logs API.
Option 1: Enable Data Source Status Acknowledgement function to review the health of the data source sync when the applicable graph snapshot was taken. After acknowledgement, the review will be created from the same graph snapshot. This is how you guarantee that the integration was healthy for your review.
Option 2: Prior to creating a review, go to the Integration page and 'Start Extraction' for the data source corresponding to the source system. Once the data extraction status shows 'success', create the user access review.
Note: For customers excluding certain entitlements from their user access reviews, it is crucial to provide documentation and justifications to the auditors why certain entitlements are excluded (e.g. read-only roles). Some best practices include:
Apply Veza tags to all target resource roles or groups (e.g., tagging roles with 'SOX: in-scope' vs. 'SOX: out-of-scope').
Note that you may need to justify to your auditor when certain entities were tagged out of scope.
Querying all roles or groups for a target resource, including tagged or untagged roles/groups, and
Performing a review to ensure tags have been correctly applied to all roles or groups exhaustively.
Note: It is best to perform this analysis against a specific graph snapshot. The results from this query can also be used to perform completeness and accuracy reconciliation when performing a role-to-permission review.
Review Configuration: Once the aforementioned tag review has been performed, set up a query that identifies users and roles/resources with desired tags, such as 'SOX: in-scope', and use that query in the Review Configuration.
Define Review Timeframe: The snapshot date should be the same date when the tag review is performed. For example, if the tag review is performed on 5/31/2025, and the review is created on the same date, then choose 'From the most recent daily snapshot'; if the review is created on 6/1/2025 or later, then choose 'From Another Snapshot' and choose '5/31/2025' as the date.
Set up Alerts and Veza Actions when a new entitlement is created and/or when an untagged entitlement shows up from the source system.
See Rules and Alerts.
It is important to document the procedures performed. You are not required to take screenshots, but screenshots can save time when explaining the procedure to auditors. Signing off and dating the procedure is also recommended.
In addition to the completeness and accuracy procedures mentioned above, customers should implement IT general controls (ITGCs) for Veza to ensure that certain authentication, access controls, and change management controls are implemented. The ITGCs are also management's procedures over completeness and accuracy of the report. See here for an explanation of ITGCs from an audit firm.
Organizations should consider their IT environment and the robustness of the controls to determine what completeness and accuracy procedures should be conducted.
To ensure the health of the integration, here are additional best practices we recommend that customers adopt:
Regularly monitoring the health status of integrations.
Ensuring integrations are set up with correct credentials and sufficient scope such that all required entities from the source systems/applications are extracted and loaded into the Veza Access Graph.
When there is a change in the source system, evaluate the change and assess if such a change would impact integration with Veza.
Failure to perform these procedures might result in out-of-date or incomplete source system data in the Veza platform. Moreover, if a completeness and accuracy reconciliation encounters issues, such as non-reconciling records or counts, the root cause can often be traced to an unhealthy or improperly configured integration.
Customers should evaluate the risk of the overall IT environment, history of access control failure, and robustness of other ITGCs to determine how frequently these procedures should be conducted.
In an environment with sufficient ITGCs over Veza (for example, a documented change control procedure is followed when making changes to Review Configurations, and admin and operator access is tightly controlled), the procedures can be less frequent. In an environment without robust ITGCs over Veza, the procedures may need to be more frequent. Your internal or external auditors should be able to tell you whether you're performing the procedures frequently enough.
In some cases, customers could perform and document the completeness and accuracy procedures performed during the Veza implementation phase (part of their SDLC procedures), and rely on ITGC controls onwards.
Additionally, customers may be qualified to benchmark the Review Configurations, in which case, the auditors would examine the report logic once and wouldn't need to examine it again for 2-3 years when the configuration has not changed or changed minimally. Typically, with strong ITGCs over Veza, auditors would consider adopting benchmarking. Customers can discuss that qualification with their auditors.
Integration discrepancies can occur when entity counts or attributes don't match between Veza and the source system. Use this approach to identify and resolve common issues:
When Veza displays fewer entities than the source system:
Data synchronization delay – New data may not have synced to Veza yet. Check the integration's last successful extraction time on the integration Details page. Manually trigger an extraction or wait for the next scheduled sync.
Authentication issues – Verify that integration credentials are valid and haven't expired. Review any authentication errors in the Events page.
Scope limitations – Confirm that Veza has been authorized to access all required data sources and organizational units within the integration scope. The specifics vary between Integrations.
Integration sync failures – Check for partial extraction failures that may have prevented complete data collection. See individual integration guides for integration-specific troubleshooting steps.
When entity attributes don't match between systems:
Data synchronization delay – New data may not have synced to Veza yet. Check the integration's last successful extraction time on the integration Details page. Manually trigger an extraction or wait for the next scheduled sync.
Integration sync failures – Review integration details for any missed extractions due to missing permissions or connection issues, which could result in stale data in Veza.
For persistent issues or complex troubleshooting scenarios, contact Veza technical support for specialized assistance.
How to edit an existing configuration for Veza Access Reviews.
Edit an Access Reviews configuration to change the scope, update default email notification settings, or customize the Veza Actions.
Editing notification settings and Veza Actions will cause any active reviews for that configuration to use the new settings.
Changing the query will have no impact on existing, active reviews. Saved changes will apply to any future scheduled or ad-hoc access reviews for that configuration.
To update a configuration, open its details page:
In Veza, go to Access Reviews > Configurations
Search for the configuration to edit.
Click on the configuration name or click Actions > Details.
On the Configuration Details page, click the Edit button.
Use the Edit Configuration page to update the details, scope, notification settings, or Veza Actions.
Click Update Configuration to save your changes.
How to create and customize new access review configurations.
In Veza, a configuration sets the parameters for conducting access or entitlement reviews. Operators initiate reviews based on these configurations, which occur periodically or as one-time assessments. Each review is tied to a unique due date and a designated set of reviewers.
Configurations allow for varying scope—ranging from broad, covering all users across numerous cloud services and data assets, to specific, focusing on individual departments or applications. Additionally, configurations can address relationships between policies, groups, or roles. Using queries, you can conduct different types of reviews in Veza:
Access Reviews: Ensure appropriate access levels across services and resources, verifying that permissions align with user roles and pose no security risks.
Entitlement Reviews: Validate and certify actual permissions on specific resources, ensuring they are necessary and comply with organizational policies.
Each configuration includes a:
Name and Description: Used for internal reference and identification.
Query: Defines what to review, with options to filter by tags, attributes, or other criteria.
Notifications and Veza Actions: Automate communications and actions, inherited by future reviews.
For detailed steps on setting up a new configuration, see the sections below.
To create a configuration and set the underlying query:
Open the Configurations page and click the + Create Configuration button.
Give the configuration a unique name and a description.
Build a query to define the scope of the review.
Add email notifications to inform reviewers of assignments. You can also set reminders based on when the review is due. You can enable these for reviewers, the configuration creator, or additional recipients.
Enable Veza Actions by choosing integrations or webhooks to trigger based on decisions and reviewer changes. For example, you can create a service desk issue on row rejection, and send an email when all results are signed off.
Preview the results and save the configuration.
To create a configuration:
Log in to Veza and open the Access Reviews section. On the navigation sidebar, open the Configurations page.
Click + Create Configuration to open the builder.
Give the configuration a name and description.
Configuration Name: Enter a brief title to describe the access review. Reviews for this configuration will show the name in email notifications and reminders.
Configuration Description (Optional): Describe the query used, and the purpose of the configuration for other administrators and operators.
Each configuration must be scoped to a single graph query that specifies a set of entities or an access relationship, such as "Okta User to Snowflake Database." You can create a query or pick a saved query to scope the review.
Starting a review from a saved query enables action on queries featured in dashboard tiles, and queries that have been assigned a risk level. Queries constructed in the Query Builder can also define more complex review scopes with Saved Query Filters.
To review entities of several types at once, pick an entity type grouping as the source or destination. These appear at the top of the list and contain multiple entity types. Groupings include:
All Resources: All "resource"-type entities that Veza has discovered, including AWS S3 Buckets, Snowflake Tables, and GitHub Repositories.
All Principals: Includes all entities that Veza has discovered and labeled as “identities” that can have permissions on a resource, including Active Directory Users, Okta Users, and Snowflake Local Users.
All Top Level Principals: All identities that cannot be assumed by another identity. Use this entity type grouping to show primary corporate identities, and filter out any low-level identities (such as local users) they can assume. Reviews for this configuration will include any local account users and service accounts that don’t correlate to any upper-level identity.
To define the review scope in the configuration builder, select a query from Saved Queries or create one using the Query Builder tab:
Type to search for a Source entity type. This could be a specific type of user, role, group, or resource, such as “Okta User” or “S3 Bucket.” Reviewers will sign off on source entities and, if defined, the source entity’s relationship to a destination entity, presented in rows for approval or rejection. You can preview these source entities based on the current graph data.
Click to add Destination entity types. These could be specific resources, roles, or groups assigned to entities of the source type. In the reviewer interface, each row will contain a source > destination pair (e.g., a single Okta User and an S3 bucket they have permissions on).
2.1. Click to open the selection menu.
2.2. Entity type groupings appear at the top of the list. Scroll down to search for a single entity type.
2.3. Tick the boxes to enable one or more destinations.
2.4. Click Preview Destination Entities to view the current results in the table.
The destination can be a data resource or a related IAM or RBAC entity, such as a role or group. You can also reverse the query to certify applications or resources accessible by users.
Customize the review with Advanced Options:
Depending on the query, rows can include extra details about the path connecting the source and destination. Advanced options enable reviewers to evaluate and certify not only an identity's access and permissions, but how that access is granted:
3.1. Include source/destination tags in review results: If the source or destination data source supports tagging, the reviewer interface will include a column listing any of these tags or labels, along with any Veza Tags.
3.2. Enrich with IdP/HRIS metadata (Early Access): Veza can map identities to a corresponding user in an Identity Provider, or worker record in a Human Resource Information System (HRIS). Enable this option and choose a data source to use for enrichment. In the review interface, additional columns show the linked entity's attributes.
3.3. Relationship: This option is typically used to enable constraints on an entity that connects the source and destination, such as a Snowflake role granting access to a Snowflake schema.
Reviewers can enable extra columns to show details about the intermediate entity, and filter the rows based on its properties, such as the name or last updated time of Okta Groups connecting Okta Users and Okta Applications.
3.4. Summary Entities: Adding Summary Entities enables an additional column in the review, showing intermediate relationships in the path connecting the source and destination entity. These entities can include nested groups or roles, projects, or policies.
See Review Presentation Options for more about these query parameters.
3.5. Exclude or Require Entities: Hide or only show source and destination pairs with any of the chosen entity types in the path. Use this option to review, for example, users with no relationships to groups.
Add Filters to constrain results (optional):
Applying filters narrows the scope of a review to find exactly the relationships and entities you want to review. Filter groups can apply to any attribute Veza has collected for entities in the search.
To create attribute filters:
4.1. Click +Add Filter Group.
4.2. Choose the Entity Type to apply the filter to.
4.3. Choose from possible Attribute Fields available for that entity type.
4.4. Choose an Operator. Available operators depend on the attribute type, such as contains for lists, before for dates, or equals.
4.5. Choose an Attribute Value from the dropdown. Possible selections auto-fill when filtering by Name, or you can enter any value.
You can combine groups of filters to create finely-focused reviews, and filter on tags and permissions. See Filters for more information.
Filter by Tags (optional):
You can optionally filter the review scope by adding tag filters, which support both Veza tags and provider-native tags. For example, you might use a 3rd-party tool to tag certain resources in AWS, or automatically label entities according to business unit, compliance requirement, or environment type.
5.1. Click +Add Tag Filter.
5.2. Pick the Entity Type to filter.
5.3. Choose Tags to Include. Click to show a short list of tags, or type to search from all available tags.
5.4. Optionally pick Tags to exclude. Any entities with these tags are omitted from the results.
Filter by Permissions (optional):
To only review access for entities with certain permissions on the destination entity, add a permissions filter:
6.1. Toggle a permission type: Effective or System.
To show users with specific Create/Read/Update/Delete capabilities, select Effective Permissions.
Use System Permissions to filter by specific permissions based on the provider's native terminology.
6.2. Select Permissions: Use the dropdown menu to pick one or more individual permissions.
6.3. Operator: Filter results when they have any of the chosen permissions (OR), or match the specified conditions exactly (AND).
Set default email notifications to alert reviewers and other stakeholders. Reviews for the configuration inherit these notification and reminder settings. See Email Notifications and Reminders for more details.
Notifications: Emails to inform reviewers, managers, and stakeholders based on events such as review start or reviewer reassignments.
1.1 Tick the boxes to enable notification recipients. These can be the assigned reviewers, their managers, and additional recipients specified by email.
1.2 Pick the events that will trigger notifications (on row reassignment, on review start, and on review completion).
Reminders: Action Needed: These emails inform users after a period of inactivity, or before, on, or after the due date.
2.1 Enable recipients for reminders.
2.2 Pick the events and relative dates when emails trigger (on row reassignment, review start, and review completion).
Final Reminders: Action Needed: Escalated reminders, typically used to emphasize a missed deadline or extended period of inactivity:
3.1 Enable recipients for final reminders.
3.2 Pick the events and relative number of days when emails trigger (after a period of no changes, or before, on, or after the due date).
Reviewers can be auto-assigned to Entity Owners and Resource Manager Tags on review creation. To ensure that these users receive a notification, enable reviewer notifications on review start.
Veza can trigger actions in external systems on review completion, row reassignment, or sign-off of an approved or rejected row. Enable these in the Veza Actions section of the configuration builder.
Tick the box next to an event trigger to enable Veza Actions.
Use the dropdown to pick a Veza Action for each event.
If no targets are available, you can skip this step. See Veza Actions for Access Reviews for more details.
Confirm your choices and save the configuration:
Click Create Configuration at the top right to save your work.
You can now open the configuration details to make adjustments or Create a Review.
Monitoring and administering configurations, and working with active and completed reviews.
Administrators and operators can track and manage configurations as well as individual reviews. This document addresses configuration management and actions for both active and completed reviews.
Go to Access Reviews > Configurations to view and manage all configurations:
Search for a configuration or page through the list to review all configurations.
Expand the actions menu (⠇) for the configuration to choose an action:
Details: View and manage active and completed reviews, or edit the configuration.
Create Schedule: Enable review creation on a schedule. See Schedule an Access Review.
Delete: Delete a configuration with no reviews.
Delete Schedule/Edit Schedule: Shown when a schedule is configured.
You can sort the list of configurations by name, last certified date, created date, and active or completed reviews.
Go to Access Reviews > Access Reviews to track the status of all active or completed reviews, and delete them if needed. You can also clone or export a completed review:
To see active reviews for all configurations, go to the Access Reviews page.
Click the review name or Open to open the rows in the reviewer's interface.
Expand the review actions menu (⠇) to choose an action:
Settings: Change the due date.
Clone: Create a new review with the same configuration.
Delete: Delete an active review.
Configuration Details: Open the configuration to edit or view its associated reviews.
You can sort the list of reviews by publisher, publication date, description, last modified, rows completed, due date, started date, name, or status.
To view active reviews for a single configuration:
Open the Configurations page.
In the Configuration Details, scroll down to the Active Reviews section.
To view completed reviews:
For a single configuration: go to the Configuration Details and open the Completed Reviews tab.
For all configurations: go to the Access Reviews page and open the Completed Reviews tab.
Use the Actions menu to clone, export, or view stats for a completed review:
Clone: Create a new review with the same configuration.
Stats: Inspect detailed completion statistics:
Total rows not signed-off
Rows signed-off and accepted
Rows signed-off and fixed
Rows signed-off and rejected
Review status (completed or expired)
Date of review expiration or completion.
Export as CSV: Save the finished review's metadata in comma-separated value (CSV) format, suitable for converting to a spreadsheet.
Configuration Details: View active and completed reviews or edit the configuration.
To download the full list of active, completed, and expired reviews, including review metadata, click Export All on the Access Reviews page. Administrators can use the dropdown menu to:
Export all reviews
Export only overdue reviews
Create, edit, or delete an export schedule
Note that exporting review metadata is different from exporting review rows from the reviewer's interface. Review metadata exports include high-level information about reviews but do not include individual certification results.
CSV export includes the following columns:
Workflow Name
Workflow Id
Certification Id
Certification Name
Started At
Created By
Published At
Published By
State
Due Date
Expired At
Description
Notes
Completed At
Completed By
Total Rows
Total Completed
Total Remaining
Total Accepted
Total Rejected
Total Fixed
Last Modified At
Last Modified By
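The review-metadata export above lends itself to simple automated checks, for example flagging overdue reviews or completed reviews that still carry unremediated rejections. The following is an added example, not Veza's own code or API: it parses a constructed sample CSV that uses the column names listed above, and it assumes ISO 8601 dates, the State values IN_PROGRESS and COMPLETED, and that Total Fixed counts remediated rows within Total Rejected; verify those against a real export before relying on it.

```python
import csv
import io
from datetime import date

# Constructed sample export using the column names documented on this page.
# The State values and the ISO 8601 date format are assumptions.
SAMPLE_EXPORT = """\
Workflow Name,Workflow Id,Certification Id,Certification Name,Started At,Created By,Published At,Published By,State,Due Date,Expired At,Description,Notes,Completed At,Completed By,Total Rows,Total Completed,Total Remaining,Total Accepted,Total Rejected,Total Fixed,Last Modified At,Last Modified By
Okta User to S3 Bucket,wf-1,cert-1,Q1 S3 review,2024-01-02,alice,2024-01-02,alice,IN_PROGRESS,2024-01-20,,Quarterly,,,,120,90,30,80,10,0,2024-01-25,bob
Snowflake Role to Schema,wf-2,cert-2,Q1 Snowflake review,2024-01-05,alice,2024-01-05,alice,IN_PROGRESS,2024-02-15,,Quarterly,,,,40,40,0,35,5,2,2024-01-28,carol
Okta User to GitHub Repo,wf-3,cert-3,Q1 GitHub review,2024-01-03,alice,2024-01-03,alice,COMPLETED,2024-01-31,,Quarterly,,2024-01-20,alice,75,75,0,70,5,5,2024-01-20,alice
"""

# Constructed "today" so the demo and its results are deterministic.
AS_OF = date(2024, 2, 1)

INT_COLUMNS = ("Total Rows", "Total Completed", "Total Remaining",
               "Total Accepted", "Total Rejected", "Total Fixed")
DATE_COLUMNS = ("Started At", "Published At", "Due Date", "Expired At",
                "Completed At", "Last Modified At")


def parse_export(text):
    """Parse the metadata CSV; counts become ints, dates become date or None."""
    reviews = []
    for row in csv.DictReader(io.StringIO(text)):
        for col in INT_COLUMNS:
            row[col] = int(row[col]) if row[col] else 0
        for col in DATE_COLUMNS:
            row[col] = date.fromisoformat(row[col]) if row[col] else None
        reviews.append(row)
    return reviews


def overdue_reviews(reviews, today):
    """Names of reviews past their due date that are not yet completed."""
    return [r["Certification Name"] for r in reviews
            if r["State"] != "COMPLETED"
            and r["Due Date"] is not None and r["Due Date"] < today]


def completion_percent(review):
    """Share of rows with a signed-off decision, as a percentage."""
    if review["Total Rows"] == 0:
        return 0.0
    return round(100 * review["Total Completed"] / review["Total Rows"], 1)


def unremediated_rejections(reviews):
    """(name, count) for reviews whose rejected rows are not all marked Fixed.
    Assumes Total Fixed counts remediated rows within Total Rejected."""
    return [(r["Certification Name"], r["Total Rejected"] - r["Total Fixed"])
            for r in reviews if r["Total Rejected"] > r["Total Fixed"]]


if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    print("overdue:", overdue_reviews(parsed, AS_OF))
    for r in parsed:
        print(r["Certification Name"], f"{completion_percent(r)}% complete")
    print("unremediated rejections:", unremediated_rejections(parsed))
```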
Scheduled review exports
You can configure secure exports of review metadata on a recurring schedule. When enabled, a specified recipient will receive an email with a link to download the current reviews in CSV format.
To schedule automated exports:
From the Access Reviews page, expand Export All > Schedule Export
Configure the schedule:
Frequency: Daily, Weekly, or Monthly
Export Time: Time of day to generate the export
Recipient: The email address that will receive a link
Click Save to enable the schedule
Note that only one export schedule can be active at a time. To change an existing schedule:
Click Export All > Edit Schedule
To remove any configured schedule:
Click Export All > Delete Schedule
Reviewers and administrators can open the reviewer's interface to sign off on access and perform a range of other actions.
The review interface is a spreadsheet-style view for approving or rejecting different types of entities and access relationships. The review scope and Review Presentation Options dictate how query results appear in the reviewer interface, and what types of entities are source, destination, or intermediate nodes.
The reviewer's interface implements strict role-based access controls:
Review creators and administrators have full visibility into all rows and review metadata. This includes all reviewer assignments and overall progress.
Access Reviewers only have visibility into rows assigned to them and cannot see the full review metadata. They can see their individual progress, including the number of items they have acted on or completed and their total assigned rows.
Reviewers use this page to:
Approve or reject their assigned rows.
Assign other reviewers for a row.
Sign-off on their decisions.
Operators and administrators can use the reviewer's interface to:
Annotate rows and mark rejected rows as "Fixed."
View and edit review details, notifications, and Veza Actions.
Review overall progress, action logs, and automation status.
Mark the review "Complete" after all rows have decisions.
Export the view to share findings or import rows into another system.
The sections below describe actions and features after opening a review as an operator or access reviewer:
You can access the reviewer interface from the Access Reviews overview. Click a review name on the Active Reviews tab to open it.
To open the results of an active review for a single configuration:
Find the configuration on the Access Reviews > Configurations list.
Click a configuration name to open the details page.
Find a review on the list of Active Reviews and click Open to open it.
In addition to a full-featured UI for desktop use, Veza provides a mobile experience for reviewers on tablets and other devices with smaller screen sizes. Users can approve, reject, and sign off on results with a simplified "swipe" layout. The card representing a row is similar to the details view for desktop users, showing the attributes and permissions for each entity under review.
In swipe mode, reviewers can:
Swipe left to reject access.
Swipe right to approve access.
Use the options menu (...) to view details or reassign reviewers.
Add filters and apply bulk actions to update many cards at a time.
The mobile interface is only available for users with the Access Reviewer role. Administrators and operators can use the full reviewer interface when browsing reviews on mobile devices.
The behavior of swipe actions in mobile view can be configured by the Veza support team. Depending on your settings, left and right swipes can map to: APPROVE, APPROVE_AND_SIGN_OFF, REJECT, or REJECT_AND_SIGN_OFF.
Apply actions to individual results using the dropdown menu (⠇) to the right of each row. The available actions vary depending on your role and the row's state.
Approve
Reject
Re-assign reviewer
Sign off
Add Note
Clear Decision
Mark as Fixed
Open in Authorization Graph
Note that decisions can be reverted until they are signed off.
See Assign Reviewers for more details on assigning reviewers.
Row action logs
See all historical activity for a row by opening the action log:
Expand the row actions menu.
Click View Action Log.
Review the events by type, description, user, and timestamp.
Row fixed status
Administrators can denote rejected rows as fixed following remediation.
"Fixed" is a unique state that denotes an access rejection is successfully remediated. Depending on your system settings, you can require that access reviews cannot be marked complete until all rows are either "Approved" or "Fixed."
To update the fixed status of a row:
Expand the actions menu for a Rejected row.
Click Mark as Fixed.
Use the Add Note action to document a decision, suggest a resolution, or leave a comment on any row. Notes are visible to the review owner and other reviewers assigned to the row.
Reviewers can be required to add a note when they approve or reject access, depending on Access Reviews Global Settings.
To add a note to a row, use a bulk action or the row actions dropdown.
Adding a note replaces the current one.
Only the most recent note appears in the "Notes" column.
Earlier entries are available under Actions > View Action Log.
To show tags in the reviewer interface, source and/or destination tags must be included in review configuration (Advanced Options).
When enabled, all tags are shown in an additional column. Click a tag key to show the tag values.
An administrator can enable tags to appear as attributes in the reviewer interface by promoting individual tag keys. These keys are shown in columns, displaying the tag value for each row. See Promoted Tags. You can apply Veza tags to entities with an API or from the Graph search sidebar.
Early Access: The option to filter by a user is currently provided as an optional feature and must be enabled by the Veza support team.
When reviewing access for a few different identities, it can be helpful to focus on rows related to a single user in the results. You can use the Show Users button to list each unique user involved in a review and open a filtered list of all the results related to an individual user.
To filter the reviewer interface on rows related to a single identity:
Click the Show Users button above the results. The button only appears when the query's source node is a principal.
The list of Unique Users will open, containing the full list of unique source entities in the query results.
Choose an identity from the list. You can search by username, id, or email address to find a specific user.
Click View Details to open the results related to that user in a new tab.
Note that in the current release, for users with the access reviewer role, the Show Users button lists all unique users in the review, which can include users from rows that are not assigned to the current reviewer.
Owners and administrators can export rows directly from the reviewer interface. CSV exports include all entity attributes and row metadata, suitable for importing into another tool. PDF exports include a title page and additional pages for metadata about the overall review status.
To download row metadata in CSV format:
From the reviewer interface, click Export > Export to CSV.
Enter a name for the downloaded file.
Choose specific columns to export, or export all columns by default.
Add transformations to convert Column Names > Export Names.
Click Export.
To export rows in PDF format:
From the reviewer interface, click Export > Export to PDF.
Enter a name for the downloaded file.
Enter a title for the document cover page.
Pick columns to include (up to 12).
Reorder and transform column names for readability.
Click Export.
By default, the reviewer's interface shows each row's source (usually a user or other principal) name and type, effective permissions (if available), and the name and type of destination entity (usually a resource). Reviewers can resize, rearrange, and show or hide columns to focus on critical details. Any changes are saved to the browser.
Administrators can change the default columns for all reviews or customize review columns for a particular configuration. See Customizing Default Columns.
Access reviews involving local user accounts that are associated with external IDP users can optionally support an IDP User column group. This group contains attributes specific to external users associated with the source user.
Reviewers and Operators can use the column selector to display these additional IDP User fields, such as risk score, title, department, or activity status. These columns will be empty for local users without an associated IDP user.
After all results are signed-off, operators can click Complete to finish the review, preventing further changes:
Open the reviewer interface.
Click Complete at the top right to finish the review.
See Access Reviews Global Settings for more information about possible completion settings for your tenant.