
Managing access reviews for custom and on-premises applications is a common challenge for many organizations, especially enterprises. Unlike commercial off-the-shelf (COTS) software, custom and homegrown applications often lack standardized interfaces and processes for access management, leading to manual reviews that are both time-consuming and prone to errors. This inefficiency poses significant compliance risk, especially when these applications fall in scope for regulations like SOX, SOC 1, SOC 2, GDPR, or HIPAA.
Why Custom Applications Need Access Reviews
Custom applications, just like COTS applications, often handle critical business processes and can be considered in scope for regulations that mandate regular user access reviews. Moreover, without proper access reviews, these applications can become a hotspot for over-provisioned accounts and compliance risks. Unique to custom or homegrown applications, however, is that they can be harder to integrate into standardized access governance practices – especially as the applications have become more complicated or their architectures have aged. Without a unified approach for COTS, custom, and homegrown applications alike, organizations risk missing vital compliance checks.
Veza has changed the game by making access reviews for custom and homegrown applications just as simple and automated as they are for COTS applications. With seamless integration (via Veza OAA) into Veza’s Access Platform, custom and homegrown applications are incorporated into the same streamlined review workflows, eliminating the need for complex configurations or expensive training. Importantly, the reviewer experience for COTS and custom applications is identical when using Veza, meaning no additional training for the managers and application owners responsible for performing access reviews in both COTS and custom applications.
What is Open Authorization API (OAA)?
Veza uses the Open Authorization API (OAA) to seamlessly integrate custom, legacy, and homegrown applications into the Veza platform. Think of OAA as a “universal translator” that allows any custom application to communicate with Veza using standard protocols. Once integrated, creating access review workflows is straightforward, allowing you to apply the same level of oversight and visibility as you would with commercial off-the-shelf (COTS) applications. Veza’s OAA offers a flexible, modern, and cost-effective solution for integrating custom applications. By leveraging modern, mainstream technologies like RESTful API endpoints, JSON, and Python, OAA is easy to integrate. Moreover, other common, widely used technologies are easy to integrate as well.
For instance, OAA supports a variety of data sources, including SQL databases, CSV files, and proprietary formats, enabling seamless data ingestion and normalization. This flexibility allows organizations to reuse existing access review setups, resulting in faster time-to-value. By simplifying integration and reducing the need for specialized expertise, OAA helps organizations streamline access reviews, lower costs, and accelerate implementation. To learn more about how Veza integrates seamlessly with custom applications, please read: Getting Started with Veza’s Open Authorization API
Step-by-Step: Creating an Access Review for a Custom App in Veza
1. Integrate Custom App Data
Connect your custom app to Veza using the OAA framework—whether through SQL, CSV, or proprietary formats. Veza automatically normalizes the data and integrates it into the Access Graph, mapping it to other entities and ensuring a seamless flow for access reviews and governance.
2. Build an Access Review
Once your custom app data is integrated into Veza, you can reuse the same dataset to generate multiple access reviews. With Veza Access Reviews, you can define review parameters such as users, resources, entitlements, and permissions directly from the ingested data. Advanced filtering allows you to refine the scope without reloading or reconfiguring data. This flexibility enables organizations to run diverse access reviews from a single dataset, including User-to-Group Reviews, User-to-Role Reviews, Access Path Analysis, and System Permission Reviews—eliminating redundant queries and streamlining access governance.
3. Automate and Run the Access Review
Launch the access review for your custom app alongside your COTS applications. The reviewers will have access to the same streamlined interface, making the review process as simple, consistent, and efficient as possible.
Key Features That Empower Access Reviews for Custom Applications
1. Dynamic Role Analytics
Gain insights into roles and permissions, helping reviewers quickly identify unnecessary or misaligned access. This feature ensures that the access review process is more efficient by surfacing only the most critical information for review.
2. Effortless Integration and Operationalization
Once custom applications are integrated into the Veza platform, it’s trivial to create and operationalize access reviews for those applications. The access review process for custom apps works exactly the same as it does for commercial off-the-shelf (COTS) applications. This consistency eliminates the complexity and silos often associated with reviewing custom app access.
3. User-Centric Design
Veza presents access details in clear, business-friendly language, making it easy for reviewers to understand, even if they lack technical expertise. This intuitive design reduces the learning curve and ensures a smoother review process for all involved.
Why Veza Makes a Difference
Before Veza, organizations struggled to include custom, legacy, or homegrown apps in access review campaigns due to unique architectures, leading to slow, error-prone compliance processes. Veza seamlessly integrates these apps into your access governance workflows, automating data ingestion and unifying access reviews across all applications. This simplifies compliance, streamlines operations, and reduces manual effort.
Standardized Review Process Across All Applications
Veza’s access review tool works the same for both custom and COTS applications, making the process simple and consistent. This uniformity reduces complexity for reviewers and compliance teams, allowing them to efficiently manage reviews across all applications with minimal training.
The Business Benefits of Veza’s Approach
Veza enables seamless integration of custom apps into access reviews alongside COTS solutions, streamlining workflows and significantly reducing administrative burden. By providing audit-ready reports and a unified governance strategy, Veza automates compliance processes, empowering organizations to maintain control while minimizing manual effort. This approach optimizes efficiency, making access reviews for custom applications as simple and effective as those for COTS applications, ultimately saving time and resources across teams.