OAA Templates

JSON schemas for describing custom applications and identity providers

OAA uses templates (JSON schemas) to structure authorization and identity metadata, combined with a REST API to register, update, and manage that data. Once uploaded, Veza processes the template payload and incorporates its entities and permissions into the Authorization Metadata Graph.

Choosing the appropriate template (application or identity provider) is the first step in creating a new integration with OAA. The template provides a schema for describing the identities, resources, and authorization relationships local to the OAA data source.

Custom Application

For most applications, SaaS apps, and systems, the Custom Application template provides a generic, flexible model for capturing which users and groups are authorized to the system and to its resources.

A custom application is structured with the following main entities:

  • Application

    • Resource

      • Sub-resource

        • Sub-resource

          • Additional sub-resources

    • Local Users

    • Local Groups

    • Local Roles

  • Local Permissions

  • Identity-to-permissions binding
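The entity hierarchy above can be exercised end to end with a small payload builder and a pre-upload consistency check. The following is an added example, not code from this page or from Veza's oaaclient SDK: the dictionary key names (`applications`, `local_users`, `identity_to_permissions`, and so on) are this example's own assumption about shape, modelled on the entity names above, and the application, resources, users, and bindings are constructed sample data. What it demonstrates is the check a practitioner wants before pushing a template: every binding must point at a declared identity, permission, role, and resource path, and group membership and roles must be resolvable into per-user permission types.

```python
"""Constructed Custom Application payload following the hierarchy on this page:
application -> resources -> sub-resources, local users/groups/roles,
permissions, and identity-to-permission bindings.

Key names are this example's own assumption, not the published OAA schema.
"""
import json

# Permission definitions using Veza's canonical permission types.
PERMISSIONS = {
    "viewer": ["DataRead", "MetadataRead"],
    "editor": ["DataRead", "DataWrite", "MetadataRead"],
    "admin": ["DataRead", "DataWrite", "MetadataRead", "MetadataWrite"],
}
ROLES = {"ProjectAdmin": ["admin"], "Contributor": ["editor"]}
RESOURCES = [  # constructed: one project with two boards beneath it
    {"name": "payments", "resource_type": "project", "sub_resources": [
        {"name": "backlog", "resource_type": "board", "sub_resources": []},
        {"name": "sprint-12", "resource_type": "board", "sub_resources": []},
    ]},
]
USERS = {"alice": ["eng"], "bob": ["eng"], "svc-ci": []}  # user -> groups
GROUPS = ["eng"]
BINDINGS = [  # constructed identity-to-permission bindings
    {"identity": "alice", "identity_type": "local_user",
     "role": "ProjectAdmin", "resources": ["payments"]},
    {"identity": "eng", "identity_type": "local_group",
     "permission": "viewer", "resources": ["payments/backlog"]},
    {"identity": "svc-ci", "identity_type": "local_user",
     "permission": "editor", "resources": ["payments/sprint-12"]},
]


def build_payload():
    """Assemble the payload; lists are copied so callers may mutate the result."""
    return {
        "applications": [{
            "name": "TicketTracker",
            "application_type": "ticketing",
            "local_users": [{"name": n, "groups": list(g)} for n, g in USERS.items()],
            "local_groups": [{"name": g} for g in GROUPS],
            "local_roles": [{"name": r, "permissions": list(p)} for r, p in ROLES.items()],
            "resources": RESOURCES,
        }],
        "permissions": [{"name": n, "permission_type": list(t)} for n, t in PERMISSIONS.items()],
        "identity_to_permissions": [dict(b) for b in BINDINGS],
    }


def resource_paths(resources, prefix=""):
    """Flatten the resource tree into 'parent/child' paths at every depth."""
    paths = set()
    for r in resources:
        path = prefix + r["name"]
        paths.add(path)
        paths |= resource_paths(r.get("sub_resources", []), path + "/")
    return paths


def validate(payload):
    """Return referential-integrity errors; an empty list means the payload is consistent."""
    app = payload["applications"][0]
    users = {u["name"] for u in app["local_users"]}
    groups = {g["name"] for g in app["local_groups"]}
    roles = {r["name"]: r["permissions"] for r in app["local_roles"]}
    perms = {p["name"] for p in payload["permissions"]}
    paths = resource_paths(app["resources"])
    errors = []
    for u in app["local_users"]:
        errors += [f"user {u['name']}: undeclared group {g}" for g in u["groups"] if g not in groups]
    for role, granted in roles.items():
        errors += [f"role {role}: undeclared permission {p}" for p in granted if p not in perms]
    for b in payload["identity_to_permissions"]:
        known = users if b["identity_type"] == "local_user" else groups
        if b["identity"] not in known:
            errors.append(f"binding: unknown {b['identity_type']} {b['identity']}")
        if "role" in b and b["role"] not in roles:
            errors.append(f"binding: unknown role {b['role']}")
        if "permission" in b and b["permission"] not in perms:
            errors.append(f"binding: unknown permission {b['permission']}")
        errors += [f"binding: unknown resource {r}" for r in b.get("resources", []) if r not in paths]
    return errors


def effective_permissions(payload):
    """Resolve groups and roles: user -> resource path -> set of permission types."""
    app = payload["applications"][0]
    members = {}  # group -> member users
    for u in app["local_users"]:
        for g in u["groups"]:
            members.setdefault(g, set()).add(u["name"])
    roles = {r["name"]: r["permissions"] for r in app["local_roles"]}
    types = {p["name"]: set(p["permission_type"]) for p in payload["permissions"]}
    result = {}
    for b in payload["identity_to_permissions"]:
        subjects = {b["identity"]} if b["identity_type"] == "local_user" else members.get(b["identity"], set())
        names = roles[b["role"]] if "role" in b else [b["permission"]]
        granted = set().union(*(types[n] for n in names))
        for user in subjects:
            for res in b.get("resources", []):
                result.setdefault(user, {}).setdefault(res, set()).update(granted)
    return result


if __name__ == "__main__":
    payload = build_payload()
    print("validation errors:", validate(payload) or "none")
    print(json.dumps(payload, indent=2))
```

The resolver only follows what the payload declares (group membership and role-to-permission mappings); it deliberately does not assume that a grant on a parent resource inherits to its sub-resources, since that semantics belongs to Veza's graph, not to the template.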

Custom Identity Provider

Intended for modeling sources of user, group, and federated identity metadata, the Custom Identity Provider template can be used to enumerate the users and groups that access other external applications and resources, similar to the built-in connectors for Okta and Azure AD. These users and groups typically represent the top-level corporate identities within an organization.

A Custom Identity Provider can have the following entities:

  • Domains

  • Users

  • Groups

The Custom IdP template can also declare AWS roles that its users and groups are able to assume, and it works with Access Review Workflows to auto-assign resource managers.
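To show the IdP entities together with the assumable-role option, here is an added example that is not code from this page or from Veza's oaaclient SDK. The key names (`domains`, `users`, `groups`, `assumed_role_arns`) are this example's own assumption about the payload's shape, and the domain, users, groups, and ARNs are constructed sample data (the 123456789012 account ID is a placeholder). It demonstrates the checks worth running before an upload: every user's email belongs to a declared domain, every group reference resolves, and every ARN is a syntactically valid IAM role ARN, then resolves which roles each user can reach directly or through a group.

```python
"""Constructed Custom Identity Provider payload with a domain, users, groups,
and AWS IAM roles assumable by users and groups.

Key names are this example's own assumption, not the published OAA schema.
The ARN pattern follows AWS's documented role ARN format
(arn:partition:iam::account-id:role/path/role-name).
"""
import re

IAM_ROLE_ARN = re.compile(r"^arn:aws(?:-[a-z-]+)?:iam::\d{12}:role/[\w+=,.@/-]+$")

DOMAIN = "example.com"
USERS = {  # user -> (email, groups, directly assumable role ARNs); constructed
    "alice": ("alice@example.com", ["platform"], ["arn:aws:iam::123456789012:role/PlatformAdmin"]),
    "bob": ("bob@example.com", ["platform"], []),
    "eve": ("eve@example.com", ["contractors"], ["arn:aws:iam::123456789012:role/ReadOnly"]),
}
GROUPS = {  # group -> role ARNs every member can assume; constructed
    "platform": ["arn:aws:iam::123456789012:role/Deployer"],
    "contractors": [],
}


def build_payload():
    """Assemble the IdP payload; lists are copied so callers may mutate the result."""
    return {
        "domains": [{"name": DOMAIN}],
        "users": [{"name": n, "email": e, "groups": list(g), "assumed_role_arns": list(a)}
                  for n, (e, g, a) in USERS.items()],
        "groups": [{"name": n, "assumed_role_arns": list(a)} for n, a in GROUPS.items()],
    }


def validate(payload):
    """Return consistency errors: foreign email domains, undeclared groups, malformed ARNs."""
    groups = {g["name"] for g in payload["groups"]}
    domains = {d["name"] for d in payload["domains"]}
    errors = []
    for u in payload["users"]:
        mail_domain = u["email"].rpartition("@")[2]
        if mail_domain not in domains:
            errors.append(f"user {u['name']}: email domain {mail_domain} not declared for this IdP")
        errors += [f"user {u['name']}: undeclared group {g}" for g in u["groups"] if g not in groups]
    for kind in ("users", "groups"):
        for entity in payload[kind]:
            errors += [f"{kind[:-1]} {entity['name']}: malformed IAM role ARN {a}"
                       for a in entity["assumed_role_arns"] if not IAM_ROLE_ARN.match(a)]
    return errors


def assumable_roles(payload):
    """user -> set of role ARNs reachable directly or through group membership."""
    via_group = {g["name"]: set(g["assumed_role_arns"]) for g in payload["groups"]}
    result = {}
    for u in payload["users"]:
        arns = set(u["assumed_role_arns"])
        for g in u["groups"]:
            arns |= via_group.get(g, set())
        result[u["name"]] = arns
    return result


def role_holders(payload):
    """Invert the mapping: role ARN -> users who can assume it (the view a reviewer needs)."""
    holders = {}
    for user, arns in assumable_roles(payload).items():
        for a in arns:
            holders.setdefault(a, set()).add(user)
    return holders


if __name__ == "__main__":
    payload = build_payload()
    print("validation errors:", validate(payload) or "none")
    for arn, users in sorted(role_holders(payload).items()):
        print(f"{arn}: {', '.join(sorted(users))}")
```

The inverted `role_holders` view is the one to reconcile against the IAM trust policies in the account: a role listed here that no user or group should reach, or a trust policy that admits principals the IdP payload does not list, is the discrepancy an access review should surface.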
