Team Management

Limit access to specific integrated providers with Team and Role assignments for Veza users.

Teams overview

On Veza, team assignments can restrict the authorization data a user can see, based on the integrations scoped to the team. After an administrator has created a custom team and defined the integrations its members can access, they can add users to the team and set an operator or viewer role on the Veza Team Management page.

  • The Root team allows for full visibility of all graph data and access to the Operator, Administrator, and Access Reviewer roles.

  • Non-Root teams support a read-only Viewer role, and a limited Operator role.

  • Users must have an administrator or operator Root team role to access Veza Access Reviews, Rules, and Administration features.

  • Non-root team members can view events and integrations in the team scope, but cannot change configurations.

  • Teams enable read-only, limited-scope API Keys.

  • Each team has a unique copy of built-in reports, queries, and saved searches.

When creating a team, administrators specify the allowed graph data sources from a list of all provider integrations. The team's scope might include a single cloud provider account, identity provider domain, or SQL database, or grant access to many different integrations.

Create a team

To add a team and define its scope, go to Administration > Team Management.

  1. Click Add Team

  2. Add a team name and description

  3. Select the integrations that will be visible to the team from the list of Providers scoped to the Team

  4. Click Create Team

To optimize the user experience in non-root teams, consider whether users will need access to related identity or resource entities from another integrated provider. This might include Single Sign-On users from an external IdP, or roles and groups from another cloud platform.

Add members to a team

You can add or remove team members from the Team Management page, or when creating a user from the Users page. You will need to create a team before you can add users.

  1. Find the team on the list of Teams

  2. Click on the team to open the team details

  3. Click Add Users

  4. Add a user by selecting one from the dropdown menu

  5. Pick a role for the user

  6. Click Confirm

Users on non-root teams can only have the viewer or operator role. Other roles are currently restricted to the root team.

Change the active team

When browsing the Veza platform, users on non-root teams can only view entities and Veza features allowed by the user's role and the team's scope. Users can change the active team under their Profile to view graph results for different teams.

To change the active team:

  1. Click your username on the main Veza navigation menu

  2. On the Your Profile page, find the Teams section

  3. Pick an active team from the dropdown menu

If entities are not allowed for the user's team but are critical in describing the permissions path of in-scope results, redacted entities appear in their place.

Users assigned to non-root teams can only view Queries associated with allowed Integrations for their team.

For users assigned to more than one team, the current level of access depends on the team the user has actively enabled. Users can change their current active team on their Profile page.
