Access Reviews: Okta App Assignments

Reviewing Okta User to Application assignments with Veza.

Overview

In Okta, users can be granted access to applications either directly or by group assignment. When assigned to an application, users can log in using their Okta credentials.

This document describes how to create a new configuration you can use to routinely inspect which Okta users are assigned to what apps, on an ad-hoc or scheduled basis.

Before you start

You will need:

  • An Okta integration configured in Veza.

  • A user account with the Veza admin or operator role, required to create configurations and start access reviews.

Create a review configuration

  1. Create a new access review configuration:

    1.1. Log in to Veza and go to Access Reviews > Configurations.

    1.2. Click New Review Configuration.

    1.3. Give the configuration a name and optionally a description.

  2. Define the scope of the access review:

    Use the Query section of the configuration builder to search for related Okta users and Okta apps. Then, enable the option to show details about any related Okta groups.

    2.1. For the Source Entity Type, search for Okta User and select it.

    2.2. For the Destination Entity Type, click to open the menu and scroll down to search for Okta App.

  3. Add a filter to hide inactive users (optional):

    Filter the results to only include apps and users that are active.

    3.1. Under Query > Filters, click Add Filter Group.

    3.2. For the Entity Type, choose Okta User.

    3.3. For the Attribute Field, expand the menu and choose Is Active.

    3.4. For the Operator, choose Equals.

    3.5. Choose True as the Attribute Value.

    3.6. Click Save to enable the filter.

  4. Add a filter to hide inactive applications (optional):

    4.1. Click Add Filter Group to add a filter on the destination entity type.

    4.2. Choose Okta App as the entity type.

    4.3. Choose Status as the attribute to filter. For operator, choose Equals. As the value, type in ACTIVE.

    4.4. Save the filter.

  5. Add a Relationship:

    Choose to include details about intermediate Okta Groups in the results. If a user's access to an app involves an Okta Group, the review interface will have extra columns with information about that group.

    5.1. Expand Advanced Options and select Relationship.

    5.2. In the dropdown menu, choose Okta Group.

  6. Create a new review:

    6.1. Click Save to open the configuration details page to create a new review.

    6.2. From the Review Configuration Details, click New Review.

    6.3. Click Create to make the review available without publishing it.

  7. From the configuration details, in the Active Reviews section, click the review name or click Open next to the one you just created.

Review Access: Okta User to Okta Application

The reviewer interface shows a unique row for each Okta User to Okta App assignment. Inspect each row to approve or reject the access.

Customizing the reviewer interface can improve visual clarity and aid in decision-making. For this review, click Columns above the table of rows. Scroll or type to search for an attribute to show or hide:

  1. Add a column to show information about any intermediate groups. Find the Intermediate section, and choose Name or another attribute.

  2. Show Risk Scores for Okta users. Enable this column to show the user's relative level of risk, based on the number of risk-level queries whose results include the user.

  3. Search for User “IdP Unique ID” and deselect it, unless this is needed to differentiate between users with the same name.

Access review: Okta User to Okta Application.

For more information about a row, hover over the row and click the Details icon to open the sidebar.

  1. Click the Approve ✅ or Reject ❌ icon for each row to make an initial decision.

  2. Make decisions final by clicking Sign-off at the top right.

  3. Finish the review by deciding and signing off on all rows. After all rows have a decision, click Complete Review on the top right.

See also

  • Access Reviewer's Guide

Access Reviews: Active Directory Security Groups

How to review security group assignments for user principals in Microsoft Active Directory.

Overview

In Microsoft Active Directory, human and machine principals, known as users and service accounts, are assigned to security groups and distribution groups for management and administration. Security groups are used to assign user rights and permissions on shared resources, while distribution groups are used for email distribution lists.

Regularly reviewing the security groups to which users are assigned is crucial for maintaining security and compliance within Active Directory. Ensuring that only authorized users have access to sensitive information and resources can prevent potential security breaches, and is typically required by organizational policy.

This document describes how to create an Access Reviews configuration to periodically review and certify Active Directory User to Active Directory Group relationships in your organization, with a focus on built-in security groups.

Before you start

You will need:

  • An Active Directory domain integration added in Veza.

  • The Veza admin or operator role, required to create configurations and start access reviews.

Create a review configuration

  1. Open the builder to create an access review configuration:

    1.1. Log in to Veza and go to Access Reviews > Configurations.

    1.2. Click New Configuration to open the review builder.

    1.3. Give the configuration a name and description to communicate the purpose of the Access Review to other reviewers and operators.

  2. Define the scope of the access review: Use the Review Scope section of the configuration builder to search for related Active Directory User and Active Directory Group.

    2.1. For the Source Entity Type, search for Active Directory User and select it.

    2.2. For the Destination Entity Type, click to open the menu and scroll down to search for Active Directory Group.

    2.3. Expand Advanced Options and enable Summary Entities.

    Choose Active Directory Group from the dropdown. This will show the relationships between any intermediate groups that result in a specific group membership.

    Review scope: Active Directory Security Groups.

    2.4. Add an attribute filter to only include security groups. In the Filters section, click Add Filter Group and select Active Directory Group as the entity type to filter. Save the filter Is Security Group Equals True.

    Adding a filter on Active Directory Security Groups.

  3. Create a review:

    3.1. Click Save to open the Configuration Details.

    3.2. From the configuration details, click New Review.

    3.3. Click Create to make the review available without publishing it.

  4. From the configuration details, in the Active Reviews section, click the review name or click Open next to the one you just created.

Review Access: Active Directory User to Active Directory Security Group

The reviewer interface shows a unique row for each Active Directory User to Active Directory Group assignment. Inspect each row to approve or reject the access, checking for assignments that are unnecessary or incorrect.

Customizing the reviewer interface can improve visual clarity and aid in decision-making. For this review, click Columns above the table of rows. Scroll or type to search for an attribute to show or hide:

  1. Enable the Summary Entities column to show inherited access when assignments involve groups assigned to other groups.

  2. Search for User “IdP Unique ID” and deselect it, unless this is needed to differentiate between users with the same name.

  3. Search for and enable User “Department” and User “Is Active.” These attributes can help determine whether a group is appropriate for a user.

  4. Enable Destination “Group Type” to show the group scope.

Access review: Active Directory Security Groups

Hover over a row and click the Details icon to open the sidebar. Add columns or use the details sidebar to see more attributes for the user or group. If the Summary Entities column includes many nodes, click on an entity to show the full name and exact order.

  1. Click the Approve ✅ or Reject ❌ icon for each row to make an initial decision.

  2. Make decisions final by clicking Sign-off at the top right.

  3. Finish the review by deciding and signing off on all rows. Once all rows have a decision, click Complete Review on the top right.

See also

  • Access Reviewer's Guide

  • Integration Guide: Microsoft Active Directory

Source-Only Access Reviews

Review users, groups, resources, or other entities by configuring an Access Review with no destination entity type.

Overview

Access Reviews are designed to show information about the access a source entity has to another destination entity, including details about the relationship and resulting permissions. When the review scope does not include a destination, the review will instead list all results of the source type, constrained by filters and other query parameters.

Only specifying a source entity type enables simple yet comprehensive review of:

  • All human or machine identities in an organization

  • All local accounts or groups in an integrated application

  • All resources of a certain type, such as S3 Buckets, Snowflake Databases, or OAA Custom Applications.

  • The results of queries with risk levels.

Many out-of-the-box Veza queries return a single entity type (unless Show Destination Entities is enabled). You can create an Access Review from a Saved Query as a way to remediate Risks and take action on results that appear on Veza Dashboards.

Access reviews for a Single Entity Type

To review a single entity type:

  1. Create a configuration.

  2. In the Query section of the configuration builder:

    2.1. Select the Source entity type from the dropdown.

    2.2. Leave the Destination blank.

    2.3. (Optional) Add Filters to constrain the output.

  3. Finish and Save the configuration.

After creating a review for the configuration, reviewers can view detailed metadata for each entity and approve or reject each one.

Access Reviews: Azure AD Roles

How to conduct access reviews for user to role assignments in Microsoft Azure AD (Entra ID).

Overview

This document describes how to create an Access Reviews configuration you can use to periodically review and certify role assignments for Microsoft Azure AD users in your organization.

In Azure AD, roles provide permissions within the Identity Provider. For example, you can assign roles to allow adding or changing users, resetting user passwords, managing user licenses, or managing domain names. Regularly reviewing these role assignments is important to limit the blast radius of compromised identities, and enforce least privilege access to your identity provider.

Roles can be built-in or customer-defined. Built-in roles cover common sets of permissions needed for development, administration, auditing, and other functions. Custom roles are typically created to provide specific sets of permissions to address edge cases or complex business requirements.

You can specifically review users assigned to built-in admin roles or custom roles with a filter, described in the instructions below. To review users with a specific role, use the Select a single entity option in the query builder to choose a single role by name.

Before you start

Microsoft Azure AD is now the Microsoft Entra ID product. Veza uses the legacy term Azure AD to identify the Azure service and users, apps, groups, and roles in a domain.

You will need:

  • A configured Azure integration. Veza discovers the Azure AD service by default when connecting to your organization's tenant.

  • The Veza admin or operator role, required to create configurations and start access reviews.

Create an access review configuration

  1. Open the builder to create an access review configuration:

    1.1. Log in to Veza and go to Access Reviews > Configurations.

    1.2. Click New Configuration to open the review builder.

    1.3. Give the configuration a name and description to communicate the purpose of the review to other reviewers and operators.

  2. Define the scope of the review:

    Use the Review Scope section of the configuration builder to search for related Azure AD User and Azure AD Role.

    2.1. For the Source Entity Type, search for Azure AD User and select it.

    2.2. For the Destination Entity Type, click to open the menu and scroll down to search for Azure AD Role.

  3. To only review users assigned to built-in roles, add an attribute filter on the Azure AD Role attribute Builtin. The value will be true for built-in roles, and false for custom roles:

    3.1. Under Filters > Attributes, click Add Filter Group.

    3.2. Choose Azure AD Role as the entity type to apply the filter to.

    3.3. In Filter Group 1, create the filter:

    • Attribute Field "Builtin"

    • Operator "Equals"

    • Attribute Value "True".

    3.4. Save the filter.

  4. Create a review:

    4.1. Click Save to open the Configuration Details.

    4.2. From the configuration details, click New Review.

    4.3. Click Create to make the review available without publishing it.

  5. From the configuration details, in the Active Reviews section, click the review name or click Open next to the one you just created.

Review Access: Azure AD User to Azure AD Role

The reviewer interface shows a unique row for each Azure AD User and Azure AD Role assignment. Review the table to confirm that users have appropriate access rights based on their operational roles and responsibilities.

Hover over a row and click the Details icon to open the sidebar. Add columns or use the details sidebar to see more attributes for each user and role, such as activity status or role type.

To approve or reject access and finish the review:

  1. Click the Approve ✅ or Reject ❌ icon for each row to make an initial decision.

  2. Make decisions final by clicking Sign-off at the top right.

  3. Finish the review by deciding and signing off on all rows. Once all rows have a decision, click Complete Review on the top right.

Access review: Azure AD User to Azure AD role.

See also

  • Access Reviewer's Guide

  • Integration Guide: Microsoft Azure

Access Review Scenarios

Customize access review scopes to best suit your environment and compliance requirements.

Overview

Veza Access Reviews support a wide range of compliance scenarios, due to the flexibility of the query builder and the power of Veza's authorization graph. This document provides conceptual overviews to help scope access reviews for common use cases, based on your unique requirements.

The topics in this section include step-by-step instructions for common types of access reviews, which you can use to familiarize yourself with the configuration builder and customize to meet your needs.

  • Access Reviews: Okta Group Membership

  • Access Reviews: Okta App Assignments

  • Access Reviews: Okta Admin Roles

  • Access Reviews: Azure AD Roles, including built-in administrative roles.

  • Access Reviews: Active Directory Security Groups (Including admin groups such as Active Directory Domain Admins, Enterprise Admins, and Schema Admins).

  • Access Reviews with Saved Queries

  • Source-Only Access Reviews

User access and entitlement reviews

You can use Veza to conduct both user access reviews and entitlement reviews:

User Access Reviews (UARs) are a specific type of review focused on inspecting access granted to users, whether directly or through inherited roles and group memberships. User access reviews can also be conducted to review the access-granting relationships assigned to a user, such as reviewing a user’s group membership or role assignments in an application.

Users whose access is under review can include:

  • Employees: Full-time, part-time, or temporary staff.

  • Contractors: External individuals engaged by the organization for specific tasks or projects.

  • Consultants: External advisors given access to specific parts of the organization’s IT environment.

  • Partners: Business partners with access to specific systems or data due to collaborative relationships.

An Entitlement Review is a review verifying that permissions on a resource, such as a database, file repository, or object store, are appropriate for the entities granted access. Entities may be users or non-human entities. Veza can show both the normalized effective permissions or the native system permissions for each row of access, with the option to filter on specific permissions of interest, such as reviewing all users with WRITE access to a database.

For either UARs or Entitlement Reviews, Veza can assign responsibility for completing these reviews to managers, department heads, application owners, IT system administrators, and others based on business requirements.

Review scopes

Veza operators define the settings and scope for a review (its configuration) with a flexible step-by-step builder. Each review has an underlying query that defines its scope. The query can be very broad (All Users to all Applications), which increases the number of entities included in the review, or quite specific and narrow, drilling down on individual providers, resources, or identities (Okta Users in the finance department with "Update" permissions on Snowflake Table "Transactions"). The scope defines the entities and access relationships included in the review.

Best Practices for Setting Source and Destination:

  • Setting the source entity to a user identity is not required, but is recommended for user access and entitlement reviews. When a resource is additionally set as the destination, reviewers will be prompted to approve individual identities and their access to resources.

  • User-to-resource scopes are preferred for reviews that involve manager auto-assignment and are required for auto-revocation with Veza Lifecycle Management.

Reviewers approve, reject, annotate, or re-assign the entities or access relationships defined by the review scope, represented as rows in the reviewer interface. Each row is assignable to reviewers for a decision and sign-off. Depending on the review configuration, reviewers may be asked to certify individual entities, source-destination pairs, and optionally permissions:

Types of review scope

Source & Destination

    Scope: Review access involving a relationship between two different entity types.

    Use case: User access and entitlement reviews.

    Examples:

    - Users and assigned roles in Azure AD

    - Users and assigned apps in Okta

    - Users and security group memberships in Active Directory

    - Users with permissions on Snowflake databases

    - All Okta Users to S3 Buckets

Source-only

    Scope: Review a single type of entity, shown as a list.

    Use case: Simple user access reviews or reviewing lists of access-granting entities.

    Examples:

    - All local user accounts in Snowflake

    - All roles in NetSuite

    - All security groups in Active Directory

Saved Query

    Scope: Review the results of any saved query in Veza, using the full functionality of Access Visibility > Query Builder.

    Use case: Reviews based on out-of-the-box or customer-defined queries.

    Examples:

    - Any saved query, including those powering Access Intelligence dashboards.

See Access Reviews Query Builder for more about query builder options.

Constraining the review scope

Adding different types of filters to the review scope allows for finer-grained scoping of the review. Multiple filters and filter types can be combined for greater expressive power:

  • Single Entity: Constrain the review scope to a specific source and/or destination entity, such as reviewing all access for a single named Okta User, or all users assigned to a group named “Administrators”.

  • Entity Attributes: Constrain the review scope to entities with some common attribute(s), such as Active Directory Users belonging to Active Directory Groups containing ‘admin’ in the name.

  • Tags: Constrain the review scope to entities with specific tags applied, such as AWS IAM Users with access to S3 Buckets tagged as containing PII.

  • Permissions: Constrain the entitlements review scope to entities with specific permissions on resources, such as Snowflake Local Users with Update and Delete permissions on Snowflake Databases.

Tag filters

For more information about tags and tag filters, see Filters and Tags. For reviews that involve tagged entities, two additional options are available:

  • Promoted Tags: Administrators can promote tags to appear as custom attributes with dedicated columns in the reviewer interface. See Promoted Tags for more details.

  • Show Source/Destination Tags: Enable this option in the configuration builder to show columns containing all tags on the source or destination entities in the reviewer interface. Reviewers can refer to the tag keys and values to better inform their decisions, and use the columns for filtering.

Permission filters

  • Filtering by permissions helps constrain the scope of reviews to the riskiest access.

  • Permission filters can specify either type of permission - System or Effective. Effective and system permissions cannot both be specified for the same query. See Review Presentation Options for more about permission types.

  • Applying a permissions filter on a relationship that does not involve permissions (e.g., User-Group) will yield no rows.

Related entity requirements

  • The query can require a specific Relationship entity connecting the query source and destination (such as an AWS IAM role connecting users and storage buckets).

  • When a Relationship is specified and an entity of that category exists for a result, node details appear in additional review interface columns.

  • This can offer reviewers visibility into the role-based access controls such as groups or roles, or the local user account used to access a resource.

Excluded and required entity types

  • Specifying Excluded entity types will filter out any search results with a relationship to the chosen entity category. This option enables reviews, for example, on groups that do not have a corresponding IAM role, or users that are not part of a group. This option is not available when "All Parent Principals" is the query source.

  • Specifying Included entity types will only return results that have a relationship to the chosen entity types. This option enables review of users and resources connected to a specific intermediate group, role, or policy.

  • See Intermediate Entities for more on these query parameters.
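The scope options described above (source and destination entity types, Equals-style attribute filters such as the Okta User "Is Active" and Okta App "Status" filters, a required Relationship entity, permission filters, and excluded or included entity types) can be tried out on a small model. The block below is an added example written for this page; it is not Veza code and does not use Veza's API. The graph entities, edge permissions and attribute names are constructed, and a row's permissions are taken from the last hop into the destination, which is an assumption made to illustrate why a permission filter on a User-Group scope returns nothing.

```python
"""Toy model of how an access-review scope selects reviewer rows.

Constructed example, not Veza code: the entities, edges and attribute
names below are made up to mirror the concepts on this page.
"""

# Constructed authorization graph: id -> {"type": ..., plus attributes}
ENTITIES = {
    "alice": {"type": "Okta User", "Is Active": True},
    "bob": {"type": "Okta User", "Is Active": False},
    "carol": {"type": "Okta User", "Is Active": True},
    "finance": {"type": "Okta Group"},
    "admins": {"type": "Okta Group"},
    "payroll": {"type": "Okta App", "Status": "ACTIVE"},
    "legacy": {"type": "Okta App", "Status": "INACTIVE"},
    "super-admin": {"type": "Okta Role", "Custom": False},
}

# Directed edges: (from, to, permissions granted by this hop).
# Membership edges (user -> group) carry no permissions.
EDGES = [
    ("alice", "finance", set()),
    ("bob", "finance", set()),
    ("alice", "admins", set()),
    ("finance", "payroll", {"READ", "WRITE"}),
    ("carol", "payroll", {"READ"}),          # direct app assignment
    ("alice", "legacy", {"READ"}),
    ("admins", "super-admin", {"ADMIN"}),
]


def _paths(start, dest_type, path=None):
    """Enumerate simple paths from `start` to any entity of `dest_type`."""
    path = path or [start]
    for src, dst, _ in EDGES:
        if src != start or dst in path:
            continue
        if ENTITIES[dst]["type"] == dest_type:
            yield path + [dst]
        else:
            yield from _paths(dst, dest_type, path + [dst])


def _matches(entity, filters):
    """Equals-style attribute filters given as (entity type, attribute, value)."""
    return all(entity.get(attr) == value
               for etype, attr, value in filters if entity["type"] == etype)


def review_rows(source_type, destination_type=None, filters=(),
                relationship=None, permissions=(), excluded=(), included=()):
    """Return (source, destination, intermediate) rows for the given scope."""
    rows = []
    for sid, src in ENTITIES.items():
        if src["type"] != source_type or not _matches(src, filters):
            continue
        if destination_type is None:            # source-only review
            neighbours = {ENTITIES[d]["type"] for s, d, _ in EDGES if s == sid}
            if neighbours & set(excluded) or not set(included) <= neighbours:
                continue
            rows.append((sid, None, None))
            continue
        for path in _paths(sid, destination_type):
            dst = path[-1]
            if not _matches(ENTITIES[dst], filters):
                continue
            # Assumption: a row's permissions are those on the final hop.
            # A user->group hop has none, so a permission filter on a
            # User-Group scope yields no rows.
            last_perms = next(p for s, d, p in EDGES if (s, d) == (path[-2], dst))
            if not set(permissions) <= last_perms:
                continue
            inter_types = {ENTITIES[n]["type"] for n in path[1:-1]}
            if inter_types & set(excluded) or not set(included) <= inter_types:
                continue
            # The Relationship option surfaces the matching intermediate entity
            inter = next((n for n in path[1:-1]
                          if ENTITIES[n]["type"] == relationship), None)
            rows.append((sid, dst, inter))
    return sorted(set(rows), key=lambda r: tuple(str(x) for x in r))


if __name__ == "__main__":
    active = [("Okta User", "Is Active", True), ("Okta App", "Status", "ACTIVE")]
    print(review_rows("Okta User", "Okta App", active, relationship="Okta Group"))
    print(review_rows("Okta User", "Okta Group", permissions=("READ",)))   # []
    print(review_rows("Okta User", excluded=("Okta Group",)))  # users in no group
```

Running the module prints the Okta User to Okta App rows with inactive users and apps filtered out and the granting group shown as the intermediate, an empty result for a permission filter on the User-Group scope, and the source-only list of users with no group membership.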

Access Reviews: Okta Admin Roles

How to review administrative privileges assigned to Okta Users.

Overview

This document describes how to create an Access Reviews configuration you can use to periodically review and certify Okta User to Okta Role relationships in your organization, focusing on built-in Admin Roles.

In Okta, Admin Roles enable admin-level access permissions for authorized personnel to perform critical functions in the Okta environment such as managing users, apps, and system settings. Routinely reviewing and certifying which users are assigned to these roles can help maintain the least privileges for identity provider administration.

In the Veza graph, the "Okta Role" entity type includes both standard Admin Roles and custom roles. The reviewer interface can show additional metadata such as whether a role is built-in, and the role risk score if Activity Monitoring is enabled.

Before you start

You will need:

  • An Okta integration enabled in Veza.

  • The Veza admin or operator role, required to create configurations and start access reviews.

Configure Access Review: Okta User to Okta Role

  1. Open the configuration builder:

    1.1. Log in to Veza and go to Access Reviews > Configurations.

    1.2. Click New Configuration to open the review builder.

    1.3. Give the configuration a name and description to communicate the purpose of the Access Review to other reviewers and operators.

  2. Use the Review Scope section of the configuration builder to search for related Okta Users and Okta Roles:

    2.1. For the Source Entity Type, search for Okta User and click to select it.

    2.2. For the Destination Entity Type, click to open the menu and scroll down to search for Okta Role.

  3. Add an Attribute Filter to only include built-in Admin Roles.

    3.1. Click Add Filter Group.

    3.2. Choose Okta Role as the entity type to filter.

    3.3. Use the dropdowns to create a filter: "Custom" "Equals" "False".

    Adding a filter on the "Okta Role" entity type.

  4. Add a Relationship to show when a user's access to a role is provided by membership in a group:

    4.1. Under Advanced Options, toggle the Relationship option.

    4.2. Use the menu to choose Okta Group as the intermediate entity type.

  5. Create a new review:

    5.1. Click Save to open the configuration details page to create a new review.

    5.2. From the Configuration Details, click New Review.

    5.3. Click Create to make the review available without publishing it.

Review Access: Okta User to Okta Role

The reviewer interface shows a unique row for each Okta User to Okta Role assignment, pre-filtered to only show built-in roles.

Review each row to ensure the access is appropriate. Approve or reject the access, check for roles that are unnecessary or incorrect, and sign off on your decisions once final.

Column customization: Focus on the most important details by showing or hiding columns. For this review, you might want to:

  1. Disable the Permissions columns, since these will always be empty.

  2. Enable the Intermediate Role Name column to show the group granting access to a role.

Reviewing access: Okta users to Okta admin roles.

Hover over a row and click the Details icon to open the sidebar. Add columns or use the details sidebar to see more attributes such as the role type.

  1. Click the Approve ✅ or Reject ❌ icon for each row to make an initial decision.

  2. Make decisions final by clicking Sign-off at the top right.

  3. Finish the review by deciding and signing off on all rows. Once all rows have a decision, click Complete Review on the top right.

See also

  • Access Reviewer's Guide

  • Integration Guide: Okta

Access Reviews: Okta Group Membership

How to conduct access reviews for Okta User to Okta Group assignments.

Overview

In Okta, users are typically assigned to groups, which usually correspond to a business role. Groups can then be assigned to applications, so that teams of users within the same group can access the same set of applications.

This document describes how to create a new configuration you can use to review which Okta Users are assigned to Okta Groups in your organization.

Before you start

You will need:

  • An Okta integration enabled in Veza.

  • The Veza admin or operator role, required to create configurations and start access reviews.

Create a review configuration

  1. Create a new access review configuration:

    1.1. Log in to Veza and go to Access Reviews > Configurations.

    1.2. Click New Configuration.

    1.3. Give the configuration a name and optionally a description.

  2. Define the scope of the access review: Use the Review Scope section of the configuration builder to search for related Okta users and Okta groups.

    2.1. For the Source Entity Type, search for Okta User and select it.

    2.2. For the Destination Entity Type, click to open the menu and scroll down to search for Okta Group.

  3. Create a new review:

    3.1. Click Save to open the configuration details page to create a new review.

    3.2. From the Review Configuration Details, click New Review.

    3.3. Click Create to make the review available without publishing it.

  4. From the configuration details, in the Active Reviews section, click the review name or click Open next to the one you just created.

Review access: Okta User to Okta Group

The reviewer interface shows a unique row for each Okta User to Okta group assignment. Inspect each row to approve or reject the access.

Customizing the reviewer interface can improve visual clarity and aid in decision-making. For this review, click Columns above the table of rows. Scroll or type to search for an attribute to show or hide:

  1. Show Risk Scores. Enable this column to show, for each user, the percentage of accessible resources on which the user holds unused permissions.

  2. Search for User “IdP Unique ID” and deselect it, unless this is needed to differentiate between users with the same name.

Hover over a row and click the Details icon to open the sidebar. Use the details sidebar, or add or remove columns, to show or hide additional attributes of the user and group, such as the group type, created date, and description.

  1. Click the Approve ✅ or Reject ❌ icon for each row to make an initial decision.

  2. Make decisions final by clicking Sign-off at the top right.

  3. Finish the review by deciding and signing off on all rows. Once all rows have a decision, click Complete Review on the top right.

Reviewing access: Okta User to Okta Group.

See also

  • Access Reviewer's Guide

  • Integration Guide: Okta

Access Reviews with Saved Queries

Create Access Reviews from Query Builder searches to leverage existing saved queries.

Overview

You can quickly define the scope of a review by choosing a Saved Query when creating the configuration. Creating a review from a saved query enables you to create reviews on the results of saved queries featured in Veza reports and dashboards.

Many of Veza's out-of-the-box queries return a single entity type (unless Show [Destination Entities] is enabled). Reviews using saved queries will show a single entity type or a relationship, depending on the chosen query.

Some query settings are specific to the Configuration Query Builder, such as the option columns for an intermediate role. Other capabilities, such as the option to use Saved Query Filters, are unique to the Access Visibility Query Builder.

Access Reviews for Saved Queries

To create an access review Configuration with a Saved Query:

  1. Create a new Configuration.

  2. In the configuration builder, click to open the Saved Query tab.

  3. Choose from the list of Saved Queries.

  4. Configure default reminders and Veza Actions.

  5. Save the Configuration.

See also

  • Query Builder

  • Saved Queries