# User Roles and Permissions
This guide provides a comprehensive overview of user roles and permissions in Veza. Role assignments define a user's permissions within the platform and determine what features and data they can access.
* [Role Overview](#role-overview)
* [Team Assignment Rules](#team-assignment-rules)
* [Generally Available Roles](#generally-available-roles)
* [Early Access Roles](#early-access-roles)
* [Team-Based Access Control](#team-based-access-control)
* [Root Team Access](#root-team-access)
* [Non-Root Team Access](#non-root-team-access)
* [Team Assignment Best Practices](#team-assignment-best-practices)
* [Query Visibility and Team Scope](#query-visibility-and-team-scope)
* [Query Types and Visibility](#query-types-and-visibility)
* [Cross-Team Query Sharing](#cross-team-query-sharing)
* [Query Builder Access](#query-builder-access)
* [Root Team Permissions Matrix](#root-team-permissions-matrix)
* [Administration Permissions](#administration-permissions)
* [Integration Permissions](#integration-permissions)
* [Search and Query Permissions](#search-and-query-permissions)
* [Access Reviews Permissions](#access-reviews-permissions)
* [Dashboard Permissions](#dashboard-permissions)
* [Remediation Permissions](#remediation-permissions)
* [Rules and Tags Permissions](#rules-and-tags-permissions)
* [Related Documentation](#related-documentation)
### Role Overview
Veza uses role-based access control (RBAC) to manage user permissions. Roles are assigned when creating users and can be modified from the User Management page. Each role grants specific capabilities and determines which Veza features a user can access.
* **Generally Available (GA) Roles** are available by default for all Veza tenants without requiring enablement.
* **Early Access Roles** require enablement by Veza support before they can be assigned to users. These roles provide specialized capabilities that may be in development or testing phases.
#### Team Assignment Rules
Some roles can only be assigned to users on the root team, while others are intended for use in combination with [Teams](/4yItIzMvkpAvMVFAamTf/administration/administration/users/teams.md).
* **Root Team Members**: Can have Administrator, Access Reviewer, Operator, Viewer, and most specialized roles
* **Non-Root Team Members**: Limited to Operator, Viewer, Integrations Manager, Integration Owner, and Dashboard Viewer roles
* **Role Combinations**: Users can be assigned multiple roles and can belong to multiple teams
### Generally Available Roles
These roles are available by default for all Veza tenants:
| Role | Allowed Teams | Description |
| -------------------------- | -------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Administrator** | Root | Superuser role with full system access. Can manage all settings, users, and has all privileges. Includes user management, system configuration, and complete platform access. |
| **Operator** | Root, Non-root | - Can access all Veza features including Search, Dashboards, and Analytics.
- Can create Access Reviews and Review Configurations.
- NOTE: Non-root operators cannot create Access Reviews or Review Configurations.
- Non-root operators can only view saved queries associated with integrations in their team's scope.
- Limit Access (Early Access): When enabled on your tenant, Operators can only view and manage configurations they created or where they have been explicitly assigned access by an Administrator.
|
| **Access Reviewer** | Root | Limited role for users assigned to Access Reviews. Users can view assigned access reviews and act on assigned results. Reviewers only see authorization paths and details for rows where they are a reviewer. |
| **SCIM Provisioner** | Root | Role for managing users and groups using SCIM 2.0 endpoints. Enables automated user lifecycle management through identity provider integration. |
| **Integrations Manager** | Root, Non-root | Provides privileges for connecting and editing integrations. Can configure data sources and manage integration settings. **NOTE:** When used in non-root teams, users must also be assigned a role that provides basic login access. |
| **Integration Owner** | Root, Non-root | Provides ownership privileges for specific integrations and data sources. Can manage assigned integrations and view related data extraction status and logs. |
| **Access Reviews Monitor** | Root | Specialized role for managing Access Reviews within a limited scope. Users can view and manage Reviews from configurations they have [Limit Access](/4yItIzMvkpAvMVFAamTf/administration/administration/access-controls.md) to, including acting on tasks, viewing progress, and exporting results. Can create recurring schedules for accessible configurations but cannot create or modify Review Configurations themselves. Does not have access to Query Builder, Dashboards, Access Intelligence, or other platform features. **NOTE:** [Limit Access](/4yItIzMvkpAvMVFAamTf/administration/administration/access-controls.md) controls apply—users only see configurations and reviews where they have been explicitly granted access. |
| **Access Reviews Admin** | Root | Administrator role with the ability to globally manage Access Reviews and view Integrations. Has access to Dashboards, Access Visibility, Access Intelligence, and the Query Builder. Does not have access to NHI Security, Lifecycle Management, user/group/team management, or tenant-level settings. Cannot configure data sources or manage tags. |
| **Dashboard Viewer** | Root, Non-root | Read-only role for viewing dashboards and metrics. Can view OOTB (out-of-the-box) queries and saved queries within their team scope. Cannot create, modify, or export queries and does not have access to the Query Builder interface. Cannot use remediation actions (the "Remediate" dropdown does not appear for this role). See [Query Visibility](#query-visibility-and-team-scope) for details on how queries are scoped to teams. |
### Early Access Roles
These roles require enablement by Veza support and may not be available by default:
{% hint style="warning" %}
**Early Access Roles**: The following roles are in early access and must be enabled by Veza support before they can be assigned to users. Contact your Customer Success Manager or Veza support to request access to these roles.
{% endhint %}
| Role | Allowed Teams | Description |
| ---------------------------- | -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **Viewer** | Root, Non-root | Read-only access to Veza features such as Search and Dashboards. **NOTE:** Root team access requires ROOT\_TEAM\_VIEWER feature enablement. Non-root team access is available without additional flags. |
| **Auditor** | Root | Grants privileges for exporting audit logs and events. Can access system audit trails and compliance reporting features for regulatory and security requirements. |
| **OAA Push** | Root, Non-root | Grants privileges for uploading Open Authorization API (OAA) payloads. Automatically assigned to [team service accounts](/4yItIzMvkpAvMVFAamTf/administration/administration/users/teams.md#team-service-accounts) that are created when teams are established. Enables custom application integration through the OAA framework. |
| **Watcher** | Root | Read-only operator for observation and auditing. Can view Review Configurations, review actions, and review progress, but cannot start reviews or modify configurations. When [assigned as a reviewer](/4yItIzMvkpAvMVFAamTf/features/access-reviews/how-to/assign-reviewers.md) on specific rows, a Watcher can act on those rows³. Cannot access other Veza features (Search, Dashboards, Integrations). [**Limit Access**](/4yItIzMvkpAvMVFAamTf/administration/administration/access-controls.md) **(Early Access):** When enabled, Watchers can only view configurations where they have been explicitly assigned access. |
| **Re-assigner** | Root | Specialized role with the ability to re-assign any result in an Access Review. Has the same limitations as Watchers but can update assigned reviewers for active Reviews. [**Limit Access**](/4yItIzMvkpAvMVFAamTf/administration/administration/access-controls.md) **(Early Access):** When enabled, Reassigners can only reassign reviewers in configurations where they have been explicitly assigned access. |
| **Programmatic Key Manager** | Root, Non-root | Enables principals to programmatically manage API keys. By default, API key endpoints are restricted to interactive sessions. Allows automated API key lifecycle management. |
| **OAA CSV Manager** | Root, Non-root | Limited role allowing application owners to manage their own CSV-based integrations. Users can only manage **CSV Upload** integrations. **Required for CSV Upload integrations.** |
| **NHI Security Admin** | Root | Specialized role for managing Non-Human Identity (NHI) security features, configurations, and policies. Provides access to NHI-specific dashboards, risk assessments, and security controls for service accounts, API keys, and other non-human identities. |
| **System Monitoring** | Root | Role with access for system monitoring, troubleshooting, and operational tasks. Provides visibility into system health, performance metrics, and operational status for platform maintenance purposes. |
### Team-Based Access Control
Veza uses teams to organize users and control access to specific integrations and data sources. Role behavior varies depending on team assignment:
#### Root Team Access
The root team is always available, and can be used for common user management scenarios:
* **Full Platform Access**: Users on the root team have access to all integrated providers based on their role
* **Administrative Capabilities**: Only root team members can perform user management and system configuration
* **Review Creation**: Access Review and Review Configuration creation is restricted to root team operators and administrators
#### Non-Root Team Access
Administrators can create custom teams with limited access to specific integration data sources.
* **Scoped Access**: Users see only the integrations and data sources assigned to their team
* **Limited Roles**: Can only have Operator, Viewer, Integrations Manager, Integration Owner, and Dashboard Viewer roles
* **Feature Restrictions**: Cannot create Access Reviews, manage users, or access system-wide configuration
#### Team Assignment Best Practices
Typically, you should assign root team for users who need system-wide access and use custom teams to limit access to specific business units or applications. You can combine multiple roles when users need a range of capabilities. The Integration Owner role can enable application-specific administrators with limited access to other integrations and features.
**Security Considerations**:
* Limit **Administrator** role assignments to essential personnel
* Use non-root teams to implement least-privilege access
* Regularly review role assignments, especially for early access roles
* Consider using **Watcher** role for temporary or limited access needs
* Monitor usage of specialized roles such as **OAA Push** and **Programmatic Key Manager**
### Query Visibility and Team Scope
Understanding how saved queries and OOTB (out-of-the-box) queries are scoped to teams is essential for users with limited roles such as **Dashboard Viewer** or **Viewer**.
{% hint style="info" %}
**Key Concept**: "Public" queries in Veza are **team-scoped**, not globally visible. A query marked as "public" is visible to all members of the team where it was created, but not to members of other teams.
{% endhint %}
#### Query Types and Visibility
| Query Type | Visibility | Description |
| ------------------------- | ------------------ | ------------------------------------------------------------------------------------------------------------------------- |
| **OOTB Queries** | Team-scoped | Each team receives its own copy of out-of-the-box queries. Changes to OOTB queries in one team do not affect other teams. |
| **Public Saved Queries** | Team-scoped | Queries marked as "public" are visible to all members of the same team, but not to other teams. |
| **Private Saved Queries** | Creator and owners | Only visible to the user who created the query and users explicitly added as query owners. |
#### Cross-Team Query Sharing
To share query results across teams, use **dashboards** as a workaround:
1. Create a dashboard with the desired query visualizations
2. Share the dashboard with users from other teams
3. Users can view the dashboard results without needing direct access to the underlying queries
{% hint style="warning" %}
**Dashboard Viewer Limitation**: Users with only the **Dashboard Viewer** role can view OOTB queries and dashboards within their team scope, but cannot access the Query Builder interface or create new queries. They also cannot export query results.
{% endhint %}
#### Query Builder Access
Access to the Query Builder interface is controlled by **UI Capabilities** in addition to role-based permissions. The following roles have Query Builder access:
* Administrator
* Operator
* Viewer
* Access Reviews Admin
* NHI Security Admin
Roles without Query Builder access (such as **Dashboard Viewer**, **Access Reviewer**, and **Watcher**) can view query results through dashboards but cannot create or modify queries directly.
### Root Team Permissions Matrix
The following tables show specific permissions for root team roles. Permissions are organized by functional area.
#### Administration Permissions
| Permission | Admin | Operator | Viewer | Access Reviewer | Access Reviews Admin | Access Reviews Monitor | Watcher | Reassigner | Dashboard Viewer |
| ----------------------- | :---: | :------: | :----: | :-------------: | :------------------: | :--------------------: | :-----: | :--------: | :--------------: |
| User management | ☒ | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Team management | ☒ | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Tenant settings | ☒ | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Create API keys | ☒ | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Configure notifications | ☒ | ☒ | ☐ | ☐ | ☒ | ☐ | ☐ | ☐ | ☐ |
#### Integration Permissions
| Permission | Admin | Operator | Viewer | Access Reviewer | Access Reviews Admin | Access Reviews Monitor | Watcher | Reassigner | Dashboard Viewer |
| ----------------------- | :---: | :------: | :----: | :-------------: | :------------------: | :--------------------: | :-----: | :--------: | :--------------: |
| Configure data sources | ☒ | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| View data sources | ☒ | ☒ | ☒ | ☐ | ☒ | ☐ | ☐ | ☐ | ☐ |
| View data source events | ☒ | ☒ | ☒ | ☐ | ☒ | ☐ | ☐ | ☐ | ☐ |
#### Search and Query Permissions
| Permission | Admin | Operator | Viewer | Access Reviewer | Access Reviews Admin | Access Reviews Monitor | Watcher | Reassigner | Dashboard Viewer |
| -------------------- | :---: | :------: | :----: | :-------------: | :------------------: | :--------------------: | :-----: | :--------: | :--------------: |
| Access Query Builder | ☒ | ☒ | ☒ | ☐ | ☒ | ☐ | ☐ | ☐ | ☐ |
| Create queries | ☒ | ☒ | ☐ | ☐ | ☒ | ☐ | ☐ | ☐ | ☐ |
| View saved queries¹ | ☒ | ☒ | ☒ | ☐ | ☒ | ☐ | ☐ | ☐ | ☒ |
| Export query results | ☒ | ☒ | ☒ | ☐ | ☒ | ☐ | ☐ | ☐ | ☐ |
| Use Graph search | ☒ | ☒ | ☒ | ☐ | ☒ | ☐ | ☐ | ☐ | ☐ |
| View data catalog | ☒ | ☒ | ☒ | ☐ | ☒ | ☐ | ☐ | ☐ | ☐ |
#### Access Reviews Permissions
| Permission | Admin | Operator | Viewer | Access Reviewer | Access Reviews Admin | Access Reviews Monitor | Watcher | Reassigner | Dashboard Viewer |
| ----------------------------- | :---: | :------: | :----: | :-------------: | :------------------: | :--------------------: | :-----: | :--------: | :--------------: |
| Create Review Configurations² | ☒ | ☒ | ☐ | ☐ | ☒ | ☐ | ☐ | ☐ | ☐ |
| Manage Review Configurations² | ☒ | ☒ | ☐ | ☐ | ☒ | ☐ | ☐ | ☐ | ☐ |
| View Review Configurations⁵ | ☒ | ☒ | ☒ | ☐ | ☒ | ☒ | ☒⁶ | ☒⁶ | ☐ |
| Start Access Reviews⁵ | ☒ | ☒ | ☐ | ☐ | ☒ | ☒ | ☐ | ☐ | ☐ |
| Create recurring schedules⁵ | ☒ | ☒ | ☐ | ☐ | ☒ | ☒ | ☐ | ☐ | ☐ |
| Act on assigned reviews³ | ☒ | ☒ | ☐ | ☒ | ☒ | ☒ | ☒³ | ☒³ | ☐ |
| Reassign review results | ☒ | ☒ | ☐ | ☐ | ☒ | ☐ | ☐ | ☒⁶ | ☐ |
| View review progress⁵ | ☒ | ☒ | ☒ | ☐ | ☒ | ☒ | ☒⁶ | ☒⁶ | ☐ |
| Export review results⁵ | ☒ | ☒ | ☒ | ☐ | ☒ | ☒ | ☐ | ☐ | ☐ |
#### Dashboard Permissions
| Permission | Admin | Operator | Viewer | Access Reviewer | Access Reviews Admin | Access Reviews Monitor | Watcher | Reassigner | Dashboard Viewer |
| ----------------- | :---: | :------: | :----: | :-------------: | :------------------: | :--------------------: | :-----: | :--------: | :--------------: |
| View dashboards | ☒ | ☒ | ☒ | ☐ | ☒ | ☐ | ☐ | ☐ | ☒ |
| Create dashboards | ☒ | ☒ | ☐ | ☐ | ☒ | ☐ | ☐ | ☐ | ☐ |
| Export dashboards | ☒ | ☒ | ☒ | ☐ | ☒ | ☐ | ☐ | ☐ | ☐ |
#### Remediation Permissions
| Permission | Admin | Operator | Viewer | Access Reviewer | Access Reviews Admin | Access Reviews Monitor | Watcher | Reassigner | Dashboard Viewer |
| --------------------------- | :---: | :------: | :----: | :-------------: | :------------------: | :--------------------: | :-----: | :--------: | :--------------: |
| View Remediate dropdown⁸ | ☒ | ☒ | ☒⁸ | ☐ | ☒ | ☐ | ☐ | ☐ | ☐ |
| Execute remediation actions | ☒ | ☒ | ☐ | ☐ | ☒ | ☐ | ☐ | ☐ | ☐ |
| View Remediation Log | ☒ | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Enable action on query | ☒ | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
#### Rules and Tags Permissions
| Permission | Admin | Operator | Viewer | Access Reviewer | Access Reviews Admin | Access Reviews Monitor | Watcher | Reassigner | Dashboard Viewer |
| ------------------- | :---: | :------: | :----: | :-------------: | :------------------: | :--------------------: | :-----: | :--------: | :--------------: |
| Manage rules | ☒ | ☒ | ☐ | ☐ | ☒ | ☐ | ☐ | ☐ | ☐ |
| View tags | ☒ | ☒ | ☒ | ☒⁴ | ☒ | ☒⁴ | ☒⁴ | ☒⁴ | ☒ |
| Create and add tags | ☒ | ☒ | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
**Notes:**
1. **Saved queries**: Users can only view queries within their team scope. Operators can only view their own saved searches unless the query is marked as public within their team.
2. **Limit Access (Early Access)**: When the [Limit Access](/4yItIzMvkpAvMVFAamTf/administration/administration/access-controls.md) feature is enabled, Operators can only create and manage configurations where they have been explicitly assigned access or that they created themselves.
3. **Assigned reviewer permissions**: Any user [assigned as a reviewer](/4yItIzMvkpAvMVFAamTf/features/access-reviews/how-to/assign-reviewers.md) on specific review rows receives reviewer permissions for those rows, regardless of their platform role.
* This includes the ability to approve, reject, sign off, add notes, and reassign rows. This enables workflows where a user with a view-only role (such as **Watcher**) can observe some reviews while acting on assigned rows in others.
* Reassignment by assigned reviewers is governed by the [**Enable Reviewer Reassignment**](/4yItIzMvkpAvMVFAamTf/features/access-reviews/configuration/access-review-settings.md#enable-reviewer-reassignment) setting in **Access Reviews** > **Settings**. When disabled, assigned reviewers (including Watchers acting as reviewers) cannot reassign, but Administrators, Operators, and Reassigners always retain reassignment privileges regardless of this setting.
* Roles without access to Access Reviews endpoints (such as Viewer and Dashboard Viewer) are not affected by the assigned reviewer mechanism and cannot act on review rows regardless of assignment.
4. **Limited scope tags**: Can only see entity properties (such as tags) within their Access Reviews scope. Cannot use Search features such as Graph or the Query Builder.
5. **Access Reviews Monitor scope**: This role is always subject to [Limit Access](/4yItIzMvkpAvMVFAamTf/administration/administration/access-controls.md) controls. Users can only view and manage configurations and reviews where they have been explicitly granted access. The role cannot bypass RBAC filtering to view all configurations globally.
6. **Watcher and Reassigner scope**: These roles are limited to Access Reviews features only and cannot access other platform features (Search, Dashboards, Integrations, etc.). When [Limit Access](/4yItIzMvkpAvMVFAamTf/administration/administration/access-controls.md) is enabled, they can only view configurations where explicitly granted access.
7. **Role combinations**: Users with multiple roles receive the combined capabilities of all assigned roles. For example, combining **Watcher** with [Limit Access](/4yItIzMvkpAvMVFAamTf/administration/administration/access-controls.md) and [reviewer assignment](/4yItIzMvkpAvMVFAamTf/features/access-reviews/how-to/assign-reviewers.md) enables a user to observe some reviews while actively reviewing assigned rows in others.
8. **Viewer remediation access**: Viewers can see the Remediate dropdown and available channels for a query, but cannot execute remediations. The Remediation Log tab requires the Admin role.
### Related Documentation
* [User Management](/4yItIzMvkpAvMVFAamTf/administration/administration/users.md) - Creating and managing user accounts
* [Team Management](/4yItIzMvkpAvMVFAamTf/administration/administration/users/teams.md) - Organizing users and controlling access scope
* [Saved Query Visibility](/4yItIzMvkpAvMVFAamTf/features/search/saved-queries.md#visibility-by-team-and-role) - Understanding team-based query visibility
* [Single Sign-On Configuration](/4yItIzMvkpAvMVFAamTf/administration/administration/sign-in-settings.md) - Enabling SSO and default role assignment
* [SCIM Provisioning](/4yItIzMvkpAvMVFAamTf/developers/api/scim.md) - Automated user lifecycle management
* [CSV Upload Integration](/4yItIzMvkpAvMVFAamTf/integrations/integrations/csv.md) - Using the OAA CSV Manager role
* [Remediation Actions](/4yItIzMvkpAvMVFAamTf/features/insights/remediation-actions.md) - Executing remediations from query results and required roles
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.veza.com/4yItIzMvkpAvMVFAamTf/administration/administration/users/roles.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.