# OAA Entity Owners

{% hint style="success" %}
**Early Access:** OAA Entity Owners functionality is currently in Early Access for automatic assignment of entity ownership during OAA payload submission. Please contact our customer success team to enable this feature for your environment.
{% endhint %}

### Overview

OAA supports setting [Entity Owners](/4yItIzMvkpAvMVFAamTf/features/access-reviews/configuration/managers-and-resource-owners.md) on OAA Entities as part of the submission for some templates. This enables a single operation to submit the OAA Entity and its owner.

Entity Owners enable automated assignment and accountability in access management and other workflows:

* Owners can be used by Access Workflows for [automatic assignment of review rows](/4yItIzMvkpAvMVFAamTf/features/access-reviews/how-to/assign-reviewers.md#auto-assign-reviewers)
* Assigning owners for entities that represent non-human identities enables visibility into those users on the Non-Human Identities (NHI) overview page.
* If Veza assigns a [Risk Score](/4yItIzMvkpAvMVFAamTf/features/insights/risks.md#define-risks-from-queries) to the entity, an owner assignment can help identify the user best able to remediate the risk.

### Supported Templates and Entity Types

Currently supported OAA Templates and entity types for Entity Owners:

**Application Template:**

* Application (owners can be set at the application level itself)
* Users
* Groups
* Roles
* Resources
* Access Credentials

**Requirements:**

Entity Owners must be a User entity type from an Identity Provider integration enabled in Veza. If a [Global Identity provider](/4yItIzMvkpAvMVFAamTf/features/access-reviews/configuration/global-idp-settings.md) is configured, the owner must be a user entity from the Global IDP.

Identity-provider application entities (such as `OktaApp` and `AzureADEnterpriseApplication`) also support entity owners, but owners are not set in the OAA payload. See [Supported entity types for owner assignment](/4yItIzMvkpAvMVFAamTf/features/access-reviews/configuration/managers-and-resource-owners.md#supported-entity-types) for the full list and assignment methods.

### Entity Owner Entry

Use the `owners` property on supported entities to specify entity owners as an array of objects.

```json
{
    "external_id": "some_user@example.com",
    "owner_type": "OktaUser",
    "primary": true
}
```

| Attribute     | Value                                                                                                                                                                                                                                                                                                                                                                                                                      |
| ------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `external_id` | The ID of the owner from the IDP. External ID supports the same lookup attributes as [identities](/4yItIzMvkpAvMVFAamTf/developers/api/oaa/best-practices/cross-service-connections.md)                                                                                                                                                                                                                                    |
| `owner_type`  | The node type of the owner (case insensitive). For custom identity providers, use format `OAA.{idp_type}.IDPUser`, where `{idp_type}` is the value specified when creating the custom IdP provider. To find your `idp_type` value, use the [List Custom Providers API](/4yItIzMvkpAvMVFAamTf/developers/api/oaa/rest-api/operations.md#list-custom-providers). The attribute is optional when the Global IDP is configured |
| `primary`     | If true, user is the primary owner, defaults to `false`                                                                                                                                                                                                                                                                                                                                                                    |

#### Example Usage

For example, setting the owner on a role may look like the following:

```json
      "local_roles": [
        {
          "name": "User Admin",
          "permissions": [
            "view_all",
            "manage_users"
          ],
          "owners": [
            {
              "external_id": "some_user@example.com",
              "owner_type": "OktaUser",
              "primary": true
            }
          ]
        }
      ]
```

#### Owner Type Values

For custom identity providers, you will need to determine the correct `owner_type` format to identify the entities in Veza Graph. You can find this information through the Veza UI or using an API request:

In the Veza UI:

1. Go to **Access Visibility** > **Graph**
2. Search for a user from your custom identity provider
3. Click on the user to open the sidebar and choose **Basic Actions** > **View Details**
4. The entity *type* is displayed in the user details (e.g., "OAA.Custom\_IDP.IDPUser")
5. Use this exact node type as your `owner_type` value

Alternately, you can use `GET /api/v1/providers/custom` to list all custom providers and their `idp_type` values. The `owner_type` format should be `OAA.{idp_type}.IDPUser`.

See the table below for common IdP types and corresponding owner entity types:

| Provider Type            | `idp_type` Value    | `owner_type` Format        |
| ------------------------ | ------------------- | -------------------------- |
| Standard Okta            | `"Okta"`            | `OktaUser`                 |
| Standard Azure AD        | `"AzureAD"`         | `AzureADUser`              |
| Active Directory         | `"ActiveDirectory"` | `ActiveDirectoryUser`      |
| Ping Identity            | `"PingOne"`         | `PingOneUser`              |
| OneLogin                 | `"OneLogin"`        | `OneLoginUser`             |
| AWS IAM Identity Center  | `"AwsSso"`          | `AwsSsoUser`               |
| Google Workspace         | `"Google"`          | `GoogleWorkspaceUser`      |
| Custom LDAP              | `"company_ldap"`    | `OAA.company_ldap.IDPUser` |
| Custom Identity Provider | `"custom_idp"`      | `OAA.custom_idp.IDPUser`   |
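The following is an added example, not part of this page or of Veza's `oaaclient` SDK, showing how a submitter can assemble `owners` entries in the documented shape and pre-check them against the attribute rules above (required `external_id`, recognised `owner_type` or the `OAA.{idp_type}.IDPUser` form, boolean `primary`) before sending a payload, so malformed entries are caught locally rather than as a Field Violation rejection. The set of built-in owner types is taken from the table above, the treatment of `owner_type` as optional only when a Global IdP is configured follows the attribute table, and the single-primary-owner check is an assumption drawn from the wording "the primary owner"; the function and constant names are constructed for this example.

```python
"""Build an OAA `owners` array and pre-check it before submission.

Constructed example for this page; it does not call the Veza API and is
not the oaaclient SDK.
"""
import json
import re

# Built-in owner node types from the owner_type table on this page
# (assumed complete for this example; compared case-insensitively).
STANDARD_OWNER_TYPES = {
    "oktauser", "azureaduser", "activedirectoryuser", "pingoneuser",
    "oneloginuser", "awsssouser", "googleworkspaceuser",
}
# Custom identity providers use OAA.{idp_type}.IDPUser.
CUSTOM_OWNER_TYPE = re.compile(r"^oaa\.[a-z0-9_\-]+\.idpuser$", re.IGNORECASE)


def make_owner(external_id, owner_type=None, primary=False):
    """Return one entry in the shape the `owners` array expects."""
    entry = {"external_id": external_id, "primary": primary}
    if owner_type is not None:
        entry["owner_type"] = owner_type
    return entry


def validate_owners(owners, global_idp_configured=False):
    """Return a list of problems found in an `owners` array (empty if clean).

    Each problem names the offending entry index and the rule it breaks,
    mirroring the kinds of Field Violation errors the service reports.
    """
    problems = []
    if not isinstance(owners, list):
        return ["owners must be an array of objects"]
    primaries = 0
    for i, entry in enumerate(owners):
        if not isinstance(entry, dict):
            problems.append(f"owners[{i}]: entry is not an object")
            continue
        ext = entry.get("external_id")
        if not isinstance(ext, str) or not ext.strip():
            problems.append(f"owners[{i}]: external_id must be a non-empty string")
        otype = entry.get("owner_type")
        if otype is None:
            # owner_type may only be omitted when a Global IdP is configured.
            if not global_idp_configured:
                problems.append(
                    f"owners[{i}]: owner_type is required unless a Global IdP is configured"
                )
        elif not isinstance(otype, str) or not (
            otype.lower() in STANDARD_OWNER_TYPES or CUSTOM_OWNER_TYPE.match(otype)
        ):
            problems.append(f"owners[{i}]: unsupported owner_type {otype!r}")
        primary = entry.get("primary", False)
        if not isinstance(primary, bool):
            problems.append(f"owners[{i}]: primary must be a boolean")
        elif primary:
            primaries += 1
    # Assumption for this example: an entity has at most one primary owner.
    if primaries > 1:
        problems.append("more than one owner is marked primary")
    return problems


def build_role_with_owners(name, permissions, owners):
    """Assemble a local_roles entry in the same shape as the page's example."""
    return {"name": name, "permissions": list(permissions), "owners": list(owners)}


def example_payload_fragment():
    """Constructed fragment: one role with a built-in and a custom-IdP owner."""
    role = build_role_with_owners(
        "User Admin",
        ["view_all", "manage_users"],
        [
            make_owner("some_user@example.com", "OktaUser", primary=True),
            make_owner("backup_owner@example.com", "OAA.company_ldap.IDPUser"),
        ],
    )
    return {"local_roles": [role]}


if __name__ == "__main__":
    fragment = example_payload_fragment()
    print(json.dumps(fragment, indent=2))
    for role in fragment["local_roles"]:
        issues = validate_owners(role["owners"])
        print(role["name"], "owners:", issues or "ok")
```

Run `validate_owners` over every entity's `owners` array before submission; pass `global_idp_configured=True` only if your environment has a Global IdP, since that is the one case in which `owner_type` may be omitted. Note that this check cannot tell whether an `external_id` actually resolves to an IdP user; an unresolvable owner is accepted with a warning by the service, so check the response for warnings as well.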

### Warnings and Errors

If an Owner entry is malformed, references an unsupported owner type, or conflicts with the Global IDP setting, a Field Violation error will be returned and the OAA payload will be rejected.

If an owner identity cannot be found, a warning will be returned with the successful response and the OAA payload will be accepted and processed with the unknown owner(s) being ignored.

Entity owners must originate from the *primary* Global IdP source. Users from [alternate manager lookup sources](/4yItIzMvkpAvMVFAamTf/features/access-reviews/configuration/global-idp-settings/alternate-manager-lookup.md) cannot be used as entity owners.

### Next Steps

After submitting an OAA payload with entity owners, verify the assignment by locating the entity in Query Builder or Graph Search. You can then configure [automatic reviewer assignment](/4yItIzMvkpAvMVFAamTf/features/access-reviews/how-to/assign-reviewers.md#auto-assign-reviewers) to use these owners in access review workflows.
