User Management

Adding users, sign-in options, and managing Veza platform roles.

You can add additional users from the Administration > User Management page. The Users list will show all system users and local accounts provisioned for users who have logged in with single sign-on. Veza administrators can download the full access log in CSV format by clicking the Export Audit Logs button at the top of the screen.

Adding local users

To add a local user and assign a team and role:

  1. Click Add User.

  2. Enter a user name and email.

  3. Pick a team and roles:

    • Assign the root team to grant users access to all integrated providers based on their role. Use the selector to assign more than one role.

    • Assign custom teams to limit user access based on the integrations in the team scope.

    • Click + Add Another Team to assign more teams, up to a soft limit of 15.

  4. Click Create User to save the changes.

Changing and assigning user roles

To change or add roles for local users:

  1. Go to Administration > Team Management and click the team name.

  2. Click Change Roles for the chosen user.

  • Users on Root teams can have the administrator, access reviewer, or operator role.

  • Users on non-root teams can only have the operator or viewer role.

  • Early Access: Root team members can have the watcher read-only operator role, and the re-assigner role with limited capability to manage reviewers for Access Reviews.

Single sign-on and default roles

To enable Single Sign-On for your users, you'll need to configure a compatible identity provider. Once SSO is enabled, Veza creates a local account the first time a user authenticates through the IdP. This lets you assign workflow reviewers within your organization by email without creating their accounts beforehand.

Your SSO configuration can define a default role for federated identities. By default, Veza assigns the Reviewers role to SSO users. Veza recommends validating this behavior and contacting the Veza customer success team if you want to change it.

If you have configured the IdP used for Single Sign-On as a Veza integration, you can change the Global Workflows IdP configuration to enable reviewer suggestions based on graph metadata such as user email and manager id.

Passwords and login

Password requirements include:

  • A minimum of 8 characters.

  • At least 5 unique characters.

  • At least one upper case letter, lower case letter, or symbol.

Additionally, Veza prohibits the reuse of your last 8 passwords.

If users have issues (such as a 401 error) when attempting to log in after a password change, they should clear their browser cookies before signing in again.

Roles

Role assignments define a user's permissions within Veza. Administrators can apply roles when creating a user, and change them from the User Management page. Possible roles are:

  • Administrator (root team): Superuser role. Can change all settings and manage integrations, and has all Operator and Reviewer privileges.

  • Operator (root and non-root teams): Limited role allowing users to create Review Configurations and act on any result in a Review. Operators can access all Veza features such as Search and public Reports, but cannot manage users or integrations.

  • Reviewer (root team): Limited role intended for users assigned to Access Reviews. This role can access the Review Actions page and view and act on assigned results. Reviewers can only see authorization paths and details for the results they are assigned.

  • Viewer (non-root team): Special role granting view-only permission on entities and features, limited to the team's scope. Viewers can change the active team under their Profile to view Authorization Graph data for the different teams they belong to.

  • Watcher (root team, Early Access): Read-only operator role that prevents making any changes in Veza (such as starting an Access Review). Watchers can view all Review Configurations and Review Actions. This role has no access to any other Veza features.

  • Re-assigner (root team, Early Access): Specialized role that can re-assign any result in an Access Review. Re-assigners have the same limitations as Watchers, but can update the assigned reviewers for any active Review.

You can change the role of an SSO user after their first login. Most users will be assigned the Operator role, depending on their everyday tasks. Note that the Reviewer role only permits access to the Access Reviews feature, and only for reviews where the user is directly assigned.

Root team roles

Permission | admin | operator | access_reviewer

Configure data sources

View data sources

View data source events

User management

Search*

View data catalog

Create workflows

Manage certifications

Continue certification**

Configure Notifications

Create API keys

Manage rules

View and create reports

View tags***

Create and add tags

  • * Users with the operator role can only view their own saved searches.

  • ** Users with the access reviewer role can only view and continue their assigned Access Reviews.

  • *** Users with the access reviewer role can only see relationships and entity properties (such as tags) for their assigned results. They cannot use Search features such as Graph or the Query Builder.
