User Guide
Release Notes

Connector Requirements

Choosing your development environment and deploying an OAA connector

The Open Authorization API enables developers to push metadata to the Veza Authorization Graph using a standard JSON schema. To automate this process, you will need a way to periodically query the data source you want to integrate, populate the schema, and publish the populated template payload to your Veza instance using API calls.

You can interact with the Veza API from your client or language of choice. OAA connectors can (and have) been developed in a variety of languages. The only requirements are the ability to:

  • query the source application (or read a data file, or another method) to collect identity, resource, and authorization metadata

  • assemble a dict or similar data structure and convert to JSON

  • make REST API calls to publish the payload

Veza provides a Python SDK oaaclient. This package provides functions for generating and submitting the JSON payload. The Veza developed community connectors use this toolkit, along with all integrations built by active customer developers.

Deploying your connector

You can run OAAClient as a manual CLI tool for trial purposes, but should automate any long-running OAA implementation. A DevOps or SecOps team is typically responsible for establishing continuous integration of a Veza connector.

Customers are responsible for running their own connectors. The frequency your app must run will depend on use case, ranging from daily to hourly. Veza typically refreshes metadata for built-in integrations on an hourly basis. However, you can decide to publish OAA payloads on any schedule.

At a minimum, a deployed OAA connector should be able to:

  • Parse the data source and push an updated payload on a schedule

  • Securely handle secrets such as API keys

Teams should follow their preferred processes and use familiar or existing platforms. Some options include:

  • AWS Lambda function

  • Docker/k8s-based container

  • cron task

  • GitHub action

Choosing between full push and incremental updates

Veza expects the default push to contain a full payload. This will overwrite all information in the updated data source.

During development, it is usually most efficient to design your parser for a full discovery. It will be easiest to design the connector to assemble and push the full payload, and use the same code to publish updates.

OAA does support incremental update as an optional behavior–if your custom data source or identity provider provides a way to get individual changes over time, you could design your connector to parse only new or changed entities, and push updates individually (perhaps in response to detected changes). However, this approach will be more complicated. A full parse-and-push will be more efficient, unless there's a method to query the provider for differences since the last push.

To use incremental updates:

  • Set the is_incremental flag in the payload to true

  • Add an add, modify or delete operation to all entities

PreviousCore ConceptsNextUsing OAA Templates

Last updated