OAA Templates

OAA utilizes templates (JSON schema) for structuring authorization and identity metadata, combined with a REST API to register, update and manage the data. Once uploaded, Veza processes the template payload and incorporates the entities and permissions into the Authorization Metadata Graph.

Choosing the appropriate template is the first step in creating a new integration with OAA. The template provides a schema for describing the identities, resources, and authorization relationships local to the OAA data source.

Custom Application

For most applications, SaaS Apps and systems the Custom Application Template provides a generic and flexible model to capture authorization data for users and groups to the system and its resources.

A custom application is structured with the following main entities:

• Application

  • Resource

    • Sub-resource

      • Sub-resource

        • Additional sub-resources

  • Local Users

  • Local Groups

  • Local Roles

• Local Permissions

• Identity-to-permissions binding

Custom Identity Provider

Intended for modeling sources of users, group, and federated identity metadata, the Custom Identity Provider Template can be used to enumerate users and groups that access other external applications and resources, similar to built-in connectors for Okta and AzureAD. These users and groups typically represent the top-level corporate identities within an organization.

A Custom Identity Provider can have the following entities:

• Domains

• Users

• Groups

The Custom IdP template also includes the option to define AWS Roles that are assumable by users and groups and can work with Access Review Workflows to auto-assign resource managers.

Custom Principal

For modeling sources of identities (users, groups, and tenants) that connect to other OAA data sources on the same provider, the Custom Principal Template provides a lightweight identity model. Unlike the Custom IdP, which models a full identity provider with domains, the Principal template is designed to feed users and groups into Custom Application or other templates on the same provider.

A Custom Principal is structured with:

• Tenant

• Users

• Groups

Secret Store

For modeling secret and credential management systems, the Secret Store Template captures vaults, entries, permissions, and identity access mappings. Use this template to connect custom or self-hosted credential management systems that are not covered by a native Veza integration.

A Secret Store is structured with:

• Secret Store

  • Permissions

  • Vaults

    • Entries

      • Identities

• Identity-to-Permission Bindings

Entity Enrichment

The Entity Enrichment Template adds custom property values to entities that already exist in the Veza authorization graph from other integrations. Use this template to attach supplemental metadata (such as compliance status, cost center, or internal identifiers) to entities discovered by native integrations.

An Entity Enrichment submission contains:

• Enriched entity property definitions (schema declarations)

• Enriched entities (entity references with property values)