OAA Push API

This document provides a basic overview of the API requests for creating and updating an OAA data source. These steps and API calls can be adapted for your client or programming language of choice. You can also use the oaaclient Python module to handle Veza authentication, register the data source, and push the populated template.

Overview

While registering sources and pushing authorization metadata with Open Authorization API is relatively straightforward, it is important to understand how Veza organizes custom providers and data sources as endpoints:

• You will first register a new custom application provider with a POST request to /api/providers/custom (specifying the app name and template).

  • The template determines the type of entities the provider supports (application, identity_provider, or hris).

• Each custom provider can have one or more data sources (such as different instances or domains), generated using Create Datasource.

  • The populated template can describe additional resources and sub-resources, such as individual databases, repositories, or views.

• You can push authorization metadata for each custom data source.

• All custom data sources are shown on the Configuration > Apps & Data Sources menu, and can be retrieved using List Custom Provider Datasources.

You should typically name the provider based on the generic application provider (such as GitHub) and the data source after the top-level instance (such as GitHub - Organization). See the Best Practices for more information about parsing and identifying entities using metadata from the source application.

Authentication

Your requests will need to include a Veza API Key. For OAA APIs, using a Team API key is recommended. Provide it as the bearer auth token in the header of each request, for example:

curl -X GET "https://$VEZA_URL/api/v1/providers/custom" \
-H "authorization: Bearer $API_KEY"

Follow best practices for managing API keys: Do not save credentials in connector code. Consider using a secrets manager to securely store API keys and make them available at run time.

First Run

To add a custom application, you will need to:

• Create a new custom provider and data source.

• push the entity and authorization data in a JSON payload.

Create a Custom Provider

Use Create Custom Provider to register a new top-level custom provider. The custom_template determines what kind of entities you can push to the provider.

Custom Application provider

This is a common configuration with broad support for modeling applications with local identities, resources, and authorization:

Custom Application with SCIM lifecycle management

If your application exposes SCIM 2.0 endpoints, it can support automated provisioning and deprovisioning through Veza Lifecycle Management:

Custom Application with REST lifecycle management

For applications that expose custom REST APIs (but not SCIM) for user provisioning. Veza sends REST requests to the application's endpoints through the Insight Point, which must have network access to the target application:

Custom Identity Provider

This template is for modeling custom or unsupported identity providers as a source of users and groups:

Identities and groups in the custom provider can mapped to local accounts in other systems, and assigned as entity owners. Custom IdPs can also be used a source of identity for Lifecycle Management policies.

HRIS Provider

This template is intended to model HR information systems. Set provisioning to true to use the HRIS as a system of record for Lifecycle Management policies:

Provider creation response

All provider creation requests return the Provider ID, which you will need to create and manage data sources:

Provider creation fields

Using the Python SDK

The oaaclient SDK provides create_provider() with an options parameter for advanced fields:

Create a Data Source for the Provider

Each provider needs at least one data source. Create one with Create Custom Provider Datasource

The response will include the data source ID:

• Datasources should be unique to the data collected by an OAA integration instance. For example, if an application has a "prod" and "dev" instance, creating a datasource for each will enable independent updates to each environment.

• Name the data source uniquely based on the application instance to discover. Try to include the hostname or organization name in the data source. For example, don't use "GitHub" use "GitHub - Acme Inc" or "Portal - prod.corp.com"

• Note that a provider id is required in both the request path and body.

Push data source metadata

Once the data source and provider are active, publish the payload with Push Custom Provider Datasource. The request body must include the Provider ID and Data Source ID.

json_data must contain the populated OAA template as a single JSON string (escaping any unsafe characters such as ").

Get Custom Providers

Get Custom Data Sources

Update Custom Data Source

Specifying the Provider ID and Data Source ID, perform the same post operation used for the initial push.

To update an existing data source, use the operations List Provider and List Datasources operations to get the provider and data source IDs.