Team Management
Limit access to specific integrated providers with Team and Role assignments for Veza users.
Recent Teams enhancements:
Operator role for non-root teams: Users can now have the operator role for custom teams. This means that they can create and manage their own assessment queries, reports, risks, and saved Graph searches. They can also tag entities in their active team's scope. Operators on non-root teams are not allowed to create Access Reviews.
All team members (viewer or operator) can now view data sources and events for integrations within the team scope.
Out-of-the-box insights for teams: Each team now has its own copy of built-in queries, graph searches, and reports for integrations it can access. It can now take some time for changes to propagate after creating a team.
SAML claims for custom team and role assignments: After enabling SSO, users can log in with teams and roles based on assignments in your Identity Provider, defined in a SAML assertion when a user logs in.
SAML claims for root team role assignment: Administrators can specify a SAML attribute containing internal roles or groups, which can map to Veza root team roles.
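The two SAML items above describe mapping an IdP attribute (roles or groups) onto Veza root team roles. The following is an added illustration, not Veza's own code and not its SSO configuration format: it parses a constructed SAML assertion, pulls the values of an assumed attribute name ("groups"), and resolves them to a single root team role through a hypothetical group-to-role mapping. The two properties worth noticing are that unmapped groups are ignored and that a user with no mapped group gets no role at all (fail closed), rather than a default one.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace used by the XPath lookups below.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical IdP group -> Veza root team role mapping (constructed for this
# example; the real mapping is whatever an administrator configures).
GROUP_TO_ROLE = {
    "veza-admins": "administrator",
    "veza-operators": "operator",
    "veza-viewers": "viewer",
}

# Precedence when a user carries several mapped groups: the most privileged
# mapped role wins. Groups not in the mapping never contribute.
ROLE_RANK = {"viewer": 1, "operator": 2, "administrator": 3}

# Constructed sample assertion. A real deployment must verify the assertion's
# signature, issuer, audience and validity window before trusting any attribute.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>finance-readers</saml:AttributeValue>
      <saml:AttributeValue>veza-operators</saml:AttributeValue>
      <saml:AttributeValue>veza-viewers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attribute(assertion_xml, attr_name):
    """Return all non-empty values of the named attribute in the assertion."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != attr_name:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            if value.text and value.text.strip():
                values.append(value.text.strip())
    return values


def resolve_root_role(groups, mapping=GROUP_TO_ROLE):
    """Map IdP group values to one root team role; None means no access."""
    best = None
    for group in groups:
        role = mapping.get(group)
        if role is None:
            continue  # unmapped group: ignored, never escalates
        if best is None or ROLE_RANK[role] > ROLE_RANK[best]:
            best = role
    return best


def role_from_assertion(assertion_xml, attr_name="groups"):
    """Convenience wrapper: assertion text -> resolved root team role."""
    return resolve_root_role(extract_attribute(assertion_xml, attr_name))


if __name__ == "__main__":
    print(extract_attribute(SAMPLE_ASSERTION, "groups"))
    print(role_from_assertion(SAMPLE_ASSERTION))
```

Pointing the lookup at an attribute name the IdP does not send returns an empty list, and the resolver then yields None; that is the behaviour you want when checking an SSO rollout, since a misnamed attribute should leave users without a root role rather than silently granting one.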
Teams overview
On Veza, team assignments can restrict the authorization data a user can see, based on the integrations scoped to the team. After an administrator has created a custom team and defined the integrations its members can access, they can add users to the team and set an operator or viewer role on the Veza Team Management page.
The Root team allows for full visibility of all graph data and access to the Viewer, Operator, Administrator and Access Reviewer roles.
Non-Root teams support a read-only Viewer role, and a limited Operator role.
Users must have an administrator or operator Root team role to access Veza Access Reviews, Rules, and Administration features. Non-root team members can view events and integrations in the team scope, but not change configurations.
Teams enable read-only, limited-scope API Keys.
Each team has a unique copy of built-in reports, queries, and saved searches.
When creating a team, administrators specify the allowed graph data sources from a list of all provider integrations. The team's scope might include a single cloud provider account, identity provider domain, or SQL database, or grant access to many different integrations.
Teams vs Veza Groups:
Teams control what users can access. They define organizational scopes for specific integrations and data sources.
Veza Groups define who belongs together. Groups can be thought of as identity containers for user organization and permission management.
Both can be used simultaneously: a user can belong to multiple groups AND multiple teams.
See Veza Groups documentation for details on group management.
Create a team
To add a team and define its scope, go to Administration > Team Management.
Click Add Team
Add a team name and description
Select the integrations that will be visible to the team from the list of Providers scoped to the Team
Click Create Team
To optimize the user experience in non-root teams, consider if users will need access to related identity or resource entities from another integrated provider. This might include Single Sign-On users from an external IdP, or roles and groups from another cloud platform.
Team Service Accounts
When you create a team, Veza automatically generates an internal service account for that team. These service accounts enable programmatic access for uploading custom integration data (OAA payloads) scoped to the team's integrations.
Team Service Accounts have the following characteristics:
Naming: {Team Name} team service account
Email: serviceaccount-{teamID}@{tenantID}.vezacloud.com
Role: Automatically assigned the oaa_push role
Lifecycle: Created with the team, deleted when the team is removed
Visibility: Appears in Query Builder results as "Veza Local User" entities but not in the Admin UI
Team service accounts are automatically managed by Veza and cannot be manually edited or deleted through the user interface. They are used by Team API Keys to authenticate programmatic OAA integration updates within the team's scope.
Add members to a team
You can add or remove team members from the Team Management page, or when creating a user from the Users page. You will need to create a team before you can add users.
Find the team on the list of Teams
Click on the team to open the team details
Click Add Users
Add a user by selecting one from the dropdown menu
Pick a role for the user
Click Confirm
Users on non-root teams can only have the viewer or operator role. Other roles are currently restricted to the root team.
Change the active team
When browsing the Veza platform, users on non-root teams can only view entities and Veza features allowed by the user's role and the team's scope. Users can change the active team under their Profile to view graph results for different teams.
To change the active team:
Click your username on the main Veza navigation menu
On the Your Profile page, find the Teams section
Pick an active team from the dropdown menu
If entities are not allowed for the user's team but are critical in describing the permissions path of in-scope results, redacted entities appear in their place.
Saved Query Visibility for Teams
Each team has different access to saved queries based on their scope:
Root team members can view all public saved queries system-wide
Non-root team members can only view:
Queries associated with integrations in their team's scope
Their team's copy of built-in queries (limited to accessible integrations)
Queries explicitly shared with their team
This ensures users only see queries relevant to the data they can access.
Users assigned to non-root teams can only view Queries associated with allowed Integrations for their team.
For users assigned to more than one team, the current level of access depends on the team the user has actively enabled. Users can change their current active team on their Profile page.