Team Management

Limit access to specific integrated providers with Team and Role assignments for Veza users.

Recent Teams enhancements:

  • Operator role for non-root teams: Users can now have the operator role for custom teams. This means that they can create and manage their own assessment queries, reports, risks, and saved Graph searches. They can also tag entities in their active team's scope.

  • All team members (viewer or operator) can now view data sources and events for integrations within the team scope.

  • Out-of-the-box insights for teams: Each team now has its own copy of built-in queries, graph searches, and reports for the integrations it can access. Because these copies are created per team, it can take some time for changes to propagate after creating a team.

  • SAML claims for custom team and role assignments: After enabling SSO, users can log in with team and role assignments taken from your Identity Provider, as defined in the SAML assertion sent when the user logs in.

  • SAML claims for root team role assignment: Administrators can specify a SAML attribute containing internal roles or groups, which can map to Veza root team roles.

Teams overview

On Veza, team assignments can restrict the authorization data a user can see, based on the integrations scoped to the team. After an administrator has created a custom team and defined the integrations its members can access, they can add users to the team and set an operator or viewer role on the Veza Team Management page.

  • The Root team allows for full visibility of all graph data and access to the Operator, Administrator, and Access Reviewer roles.

  • Non-Root teams support a read-only Viewer role, and a limited Operator role.

  • Users must have an administrator or operator Root team role to access Veza Access Reviews, Rules, and Administration features.

  • Non-root team members can view events and integrations in the team scope, but not change configurations.

  • Teams enable read-only, limited-scope API Keys.

  • Each team has a unique copy of built-in reports, queries, and saved searches.

When creating a team, administrators specify the allowed graph data sources from a list of all provider integrations. The team's scope might include a single cloud provider account, identity provider domain, or SQL database, or grant access to many different integrations.

Create a team

To add a team and define its scope, go to Administration > Team Management.

  1. Click Add Team

  2. Add a team name and description

  3. Select the integrations that will be visible to the team from the list of Providers scoped to the Team

  4. Click Create Team

To optimize the user experience in non-root teams, consider whether users will need access to related identity or resource entities from another integrated provider. This might include Single Sign-On users from an external IdP, or roles and groups from another cloud platform.

Add members to a team

You can add or remove team members from the Team Management page, or when creating a user from the Users page. You will need to create a team before you can add users to it.

  1. Find the team on the list of Teams

  2. Click on the team to open the team details

  3. Click Add Users

  4. Add a user by selecting one from the dropdown menu

  5. Pick a role for the user

  6. Click Confirm

Users on non-root teams can only have the viewer or operator role. Other roles are currently restricted to the root team.

Change the active team

When browsing the Veza platform, users on non-root teams can only view entities and Veza features allowed by the user's role and the team's scope. Users can change the active team under their Profile to view graph results for different teams.

To change the active team:

  1. Click your username on the main Veza navigation menu

  2. On the Your Profile page, find the Teams section

  3. Pick an active team from the dropdown menu

If entities are not allowed for the user's team but are critical in describing the permissions path of in-scope results, redacted entities appear in their place.

Users assigned to non-root teams can only view Queries associated with allowed Integrations for their team.

For users assigned to more than one team, the current level of access depends on the team the user has actively enabled. Users can change their current active team on their Profile page.

SSO aliases for teams

A team has a name and an SSO Alias (by default, these are the same). This alias is used to map groups or roles defined within your identity provider to Veza teams for team and role assignment when the user first logs in. See Teams with Single Sign-On for more information.

You can add an SSO alias when creating a team. To set an alias for an existing team:

  1. On the Team Management page, find the team and click Edit.

  2. Update the SSO Alias and click Save.

Team aliases are case-sensitive.
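As an added illustration (not Veza's documentation or product code), the following Python script shows the case-sensitivity caveat above: it reads the group values from a SAML assertion and flags any value that differs from a configured team SSO alias only by letter case, since such a value would not map to the team. The attribute name "groups", the alias list and the assertion are constructed assumptions for this example.

```python
# Added example, not Veza's code: check whether the group values carried in a
# SAML assertion match the configured team SSO aliases exactly. Aliases are
# case-sensitive, so a value that differs only in case will not map to a team
# and is worth catching before users log in. The attribute name, the aliases
# and the assertion below are all constructed for this illustration.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed: team SSO aliases as configured on the Team Management page.
TEAM_ALIASES = {"Root", "cloud-audit", "db-admins"}

# Constructed SAML assertion fragment with a hypothetical "groups" attribute.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>cloud-audit</saml:AttributeValue>
      <saml:AttributeValue>DB-Admins</saml:AttributeValue>
      <saml:AttributeValue>finance</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(assertion_xml, attribute_name):
    """Return the values of the named attribute in the assertion, in order."""
    root = ET.fromstring(assertion_xml)
    path = f".//saml:Attribute[@Name='{attribute_name}']/saml:AttributeValue"
    return [v.text.strip() for v in root.findall(path, NS) if v.text]


def check_alias_mapping(values, aliases):
    """Split claim values into exact alias matches, case-only mismatches
    (which would silently fail to map) and values with no matching team."""
    lower_to_alias = {a.lower(): a for a in aliases}
    matched, case_mismatch, unmapped = [], [], []
    for value in values:
        if value in aliases:
            matched.append(value)
        elif value.lower() in lower_to_alias:
            case_mismatch.append((value, lower_to_alias[value.lower()]))
        else:
            unmapped.append(value)
    return {"matched": matched, "case_mismatch": case_mismatch, "unmapped": unmapped}


if __name__ == "__main__":
    result = check_alias_mapping(attribute_values(SAMPLE_ASSERTION, "groups"), TEAM_ALIASES)
    for value, alias in result["case_mismatch"]:
        print(f"'{value}' does not match team alias '{alias}' (aliases are case-sensitive)")
```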
