Team Management
Limit access to specific integrated providers with Team and Role assignments for Veza users.
On Veza, team assignments can restrict the authorization data a user can see, based on the integrations scoped to the team. After an administrator has created a custom team and defined the integrations its members can access, they can add users to the team and set an operator or viewer role on the Veza Team Management page.
The Root team allows full visibility of all graph data and access to the Operator, Administrator, and Access Reviewer roles.
Non-Root teams support a read-only Viewer role, and a limited Operator role.
Users must have an administrator or operator Root team role to access Veza Access Reviews, Rules, and Administration features.
Non-root team members can view events and integrations in the team scope, but cannot change configurations.
Teams enable read-only, limited-scope .
Each team has a unique copy of built-in reports, queries, and saved searches.
When creating a team, administrators specify the allowed graph data sources from a list of all provider integrations. The team's scope might include a single cloud provider account, identity provider domain, or SQL database, or grant access to many different integrations.
To add a team and define its scope, go to Administration > Team Management.
Click Add Team
Add a team name and description
Select the integrations that will be visible to the team from the list of Providers scoped to the Team
Click Create Team
To optimize the user experience in non-root teams, consider if users will need access to related identity or resource entities from another integrated provider. This might include Single Sign-On users from an external IdP, or roles and groups from another cloud platform.
You can add or remove team members from the Team Management page, or when creating a user from the Users page. You will need to create a team before you can add users.
Find the team on the list of Teams
Click on the team to open the team details
Click Add Users
Add a user by selecting one from the dropdown menu
Click Confirm
Users on non-root teams can only have the viewer or operator role. Other roles are currently restricted to the root team.
When browsing the Veza platform, users on non-root teams can only view entities and Veza features allowed by the user's role and the team's scope. Users can change the active team under their Profile to view graph results for different teams.
To change the active team:
Click your username on the main Veza navigation menu
On the Your Profile page, find the Teams section
Pick an active team from the dropdown menu
If entities are not allowed for the user's team but are critical in describing the permissions path of in-scope results, redacted entities appear in their place.
Users assigned to non-root teams can only view Queries associated with allowed Integrations for their team.
For users assigned to more than one team, the current level of access depends on the team the user has actively enabled. Users can change their current active team on their Profile page.
Pick a for the user