Team Management
Limit access to specific integrated providers with Team and Role assignments for Veza users.
Recent Teams enhancements:
Operator role for non-root teams: Users can now have the operator role for custom teams. This means that they can create and manage their own assessment queries, reports, risks, and saved Graph searches. They can also tag entities in their active team's scope.
All team members (viewer or operator) can now view data sources and events for integrations within the team scope.
Out-of-the-box insights for teams: Each team now has its own copy of built-in queries, graph searches, and reports for the integrations it can access. Note that it can take some time for these changes to propagate after creating a team.
SAML claims for custom team and role assignments: After enabling SSO, users can log in with teams and roles based on assignments in your Identity Provider, defined in a SAML assertion when a user logs in.
SAML claims for root team role assignment: Administrators can specify a SAML attribute containing internal roles or groups, which can map to Veza root team roles.
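The two SAML items above describe mapping an attribute from the Identity Provider's assertion onto Veza team roles. The following is an added example, not Veza's code and not its SAML implementation: it reads one attribute from a SAML 2.0 assertion with the standard library and resolves it against an administrator-defined mapping table. The attribute name `groups`, the group names and the mapping table are constructed placeholders; the real attribute name and mapping are whatever the administrator configures.

```python
"""Resolve a SAML group attribute to a root-team role (illustrative only).

Added example, not Veza's code. Attribute name, group names and the mapping
table are constructed for illustration.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace (standard, not an assumption).
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Administrator-defined mapping from IdP group to root-team role (constructed).
ROOT_TEAM_ROLE_MAP = {
    "idp-veza-admins": "administrator",
    "idp-veza-operators": "operator",
    "idp-veza-reviewers": "access_reviewer",
}

# Higher index = more privilege; used to pick one role when several groups match.
ROLE_RANK = ["viewer", "access_reviewer", "operator", "administrator"]


def attribute_values(assertion_xml: str, attribute_name: str) -> list[str]:
    """Return every value of the named attribute in the AttributeStatement.

    Assumes the assertion signature was verified upstream; this only reads
    attributes. For untrusted XML in production, parse with defusedxml.
    """
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == attribute_name:
            for value in attr.iterfind("saml:AttributeValue", NS):
                if value.text:
                    values.append(value.text.strip())
    return values


def resolve_root_team_role(groups: list[str]) -> str | None:
    """Pick the highest-ranked mapped role; unmapped groups grant nothing."""
    mapped = [ROOT_TEAM_ROLE_MAP[g] for g in groups if g in ROOT_TEAM_ROLE_MAP]
    if not mapped:
        return None  # default deny: no root-team role for this login
    return max(mapped, key=ROLE_RANK.index)


# Constructed, unsigned sample assertion for illustration only.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>idp-engineering</saml:AttributeValue>
      <saml:AttributeValue>idp-veza-operators</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    groups = attribute_values(SAMPLE_ASSERTION, "groups")
    print(groups, "->", resolve_root_team_role(groups))
```

The design point worth noticing is the default: a user whose groups match nothing in the table gets no root-team role at all, so an unexpected new IdP group cannot grant access until an administrator maps it explicitly.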
Teams overview
On Veza, team assignments can restrict the authorization data a user can see, based on the integrations scoped to the team. After an administrator has created a custom team and defined the integrations its members can access, they can add users to the team and set an operator or viewer role on the Veza Team Management page.
The Root team allows for full visibility of all graph data and access to the Operator, Administrator, and Access Reviewer roles.
Non-Root teams support a read-only Viewer role, and a limited Operator role.
Users must have an administrator or operator Root team role to access Veza Access Reviews, Rules, and Administration features. Non-root team members can view events and integrations in the team scope, but cannot change configurations.
Teams enable read-only, limited-scope API Keys.
Each team has a unique copy of built-in reports, queries, and saved searches.
When creating a team, administrators specify the allowed graph data sources from a list of all provider integrations. The team's scope might include a single cloud provider account, identity provider domain, or SQL database, or grant access to many different integrations.
Create a team
To add a team and define its scope, go to Administration > Team Management.
Click Add Team
Add a team name and description
Select the integrations that will be visible to the team from the list of Providers scoped to the Team
Click Create Team
To optimize the user experience in non-root teams, consider if users will need access to related identity or resource entities from another integrated provider. This might include Single Sign-On users from an external IdP, or roles and groups from another cloud platform.
Add members to a team
You can add or remove team members from the Team Management page, or when creating a user from the Users page. You will need to create a team before you can add users.
Find the team on the list of Teams
Click on the team to open the team details
Click Add Users
Add a user by selecting one from the dropdown menu
Pick a role for the user
Click Confirm
Users on non-root teams can only have the viewer or operator role. Other roles are currently restricted to the root team.
Change the active team
When browsing the Veza platform, users on non-root teams can only view entities and Veza features allowed by the user's role and the team's scope. Users can change the active team under their Profile to view graph results for different teams.
To change the active team:
Click your username on the main Veza navigation menu
On the Your Profile page, find the Teams section
Pick an active team from the dropdown menu
If entities are not allowed for the user's team but are critical in describing the permissions path of in-scope results, redacted entities appear in their place.
Users assigned to non-root teams can only view Queries associated with allowed Integrations for their team.
For users assigned to more than one team, the current level of access depends on the team the user has actively enabled. Users can change their current active team on their Profile page.
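The behaviour described in this section (the active team decides the scope, out-of-scope results are hidden, and out-of-scope entities on an in-scope permission path are shown redacted) can be modelled to make the rules concrete. The following is an added illustrative model, not Veza's implementation: the data model (entities tagged with the integration they came from, permission paths as lists of entities), the rule that a result is in scope when its identity and resource endpoints are both in scope, and all sample integrations, entities and teams are constructed for the example.

```python
"""Illustrative model of team-scoped graph results with redaction.

Added example, not Veza's code. Entities, integrations, teams and the
in-scope rule are constructed to show the documented behaviour.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Entity:
    name: str
    kind: str          # e.g. user, group, role, bucket, table
    integration: str   # provider integration the entity was discovered from


@dataclass(frozen=True)
class Team:
    name: str
    scope: frozenset[str] | None   # None models the root team: unrestricted


# Placeholder shown in place of an entity the active team may not see.
REDACTED = Entity("[redacted]", "redacted", "-")


def allowed(team: Team, entity: Entity) -> bool:
    """An entity is visible when its integration is in the team's scope."""
    return team.scope is None or entity.integration in team.scope


def scoped_path(team: Team, path: list[Entity]) -> list[Entity] | None:
    """Return the path as the team sees it, or None if it is not an in-scope result.

    Constructed rule: the result is in scope when both endpoints (the identity
    at the start and the resource at the end) are allowed. Intermediate
    entities from other integrations stay in the path but are redacted, so the
    permissions path remains explainable without leaking their details.
    """
    if not path or not (allowed(team, path[0]) and allowed(team, path[-1])):
        return None
    return [e if allowed(team, e) else REDACTED for e in path]


def visible_results(user_teams: set[Team], active_team: Team,
                    paths: list[list[Entity]]) -> list[list[Entity]]:
    """Results for a user given their active team; the active team must be one of theirs."""
    if active_team not in user_teams:
        raise PermissionError(f"user is not a member of team {active_team.name!r}")
    return [p for p in (scoped_path(active_team, path) for path in paths) if p is not None]


# Constructed sample data. Integrations: okta, azure_ad, aws, snowflake.
PATHS = [
    # IdP user reaches an AWS bucket through a group from a third platform.
    [Entity("alice", "user", "okta"), Entity("platform-admins", "group", "azure_ad"),
     Entity("S3Admin", "role", "aws"), Entity("prod-backups", "bucket", "aws")],
    # IdP user reaches a Snowflake table through a Snowflake role.
    [Entity("bob", "user", "okta"), Entity("ANALYST", "role", "snowflake"),
     Entity("SALES.ORDERS", "table", "snowflake")],
    # Purely in-cloud path.
    [Entity("ci-bot", "iam_user", "aws"), Entity("Deployer", "role", "aws"),
     Entity("prod-backups", "bucket", "aws")],
]

ROOT = Team("root", None)
AWS_TEAM = Team("aws-team", frozenset({"okta", "aws"}))
DATA_TEAM = Team("data-team", frozenset({"okta", "snowflake"}))
ALICE_TEAMS = {AWS_TEAM, DATA_TEAM}   # alice is on two non-root teams


def count_redacted(results: list[list[Entity]]) -> int:
    return sum(e is REDACTED for path in results for e in path)


if __name__ == "__main__":
    for team in (AWS_TEAM, DATA_TEAM):
        results = visible_results(ALICE_TEAMS, team, PATHS)
        print(team.name, len(results), "results,", count_redacted(results), "redacted")
```

Switching the active team changes both which results are returned and which entities inside them are readable; the Azure AD group in the first path is kept as a redacted placeholder for the AWS team so the path still explains how `alice` reaches the bucket.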