Entity Enrichment

Template for setting custom property values on existing entities in the Veza authorization graph


Use this template to set custom property values on existing entities in the Veza authorization graph using the Open Authorization API. Unlike other OAA templates that create new entities, the Entity Enrichment template adds metadata to entities that already exist from other integrations.

Entity enrichment is useful when you have supplemental data about entities that Veza already discovers through native integrations. For example, you might enrich AWS IAM roles with internal compliance metadata, or tag Okta users with cost center information from a custom source.


The Entity Enrichment template sets arbitrary custom properties via API push. This is distinct from Enrichment Rules, which are UI-configured rules that set a fixed set of built-in Veza classification attributes (identity type, owner, privileged status, and criticality) at extraction time. Use this template when you need to attach custom metadata beyond those built-in attributes.

The template has two sections:

  • Enriched entity property definitions - declares the custom properties and their types for each entity type being enriched.

  • Enriched entities - the list of existing entities to enrich, with values for each declared property.

To use the entity enrichment template, set the template type to entity_enrichment when creating a new data provider:

curl -X POST "https://{VEZA_URL}/api/v1/providers/custom" \
-H "authorization: Bearer {API_KEY}" \
-H "Content-Type: application/json" \
--data '{"name":"My Enrichment Provider","custom_template":"entity_enrichment"}'

Sample payload

AWS IAM enrichment example

This example enriches AWS IAM roles with internal compliance metadata and AWS IAM users with a purpose description.

{
  "enriched_entity_property_definitions": [
    {
      "entity_type": "AwsIamRole",
      "enriched_properties": {
        "my_company_id": "STRING",
        "company_purpose": "STRING",
        "is_compliance_validated": "BOOLEAN"
      }
    },
    {
      "entity_type": "AwsIamUser",
      "enriched_properties": {
        "company_purpose": "STRING"
      }
    }
  ],
  "enriched_entities": [
    {
      "type": "AwsIamRole",
      "id": "arn:aws:iam::339083562601:role/Administrator",
      "data_source_id": "339083562601:awsiam",
      "properties": {
        "my_company_id": "DCFB16CD-A044-4787-9165-1C926221F887",
        "company_purpose": "Built in Admin role",
        "is_compliance_validated": true
      }
    },
    {
      "type": "AwsIamRole",
      "id": "arn:aws:iam::650251689811:role/andrew_s3_all",
      "data_source_id": "650251689811:awsiam",
      "properties": {
        "my_company_id": "A3F40BAC-1871-4EFC-A0EE-CD77E3F513C27",
        "company_purpose": "Some role for Andrew",
        "is_compliance_validated": false
      }
    },
    {
      "type": "AwsIamUser",
      "id": "arn:aws:iam::339083562601:user/andrew",
      "data_source_id": "339083562601:awsiam",
      "properties": {
        "company_purpose": "Engineering service account"
      }
    }
  ]
}

Top-level payload

Field | Type | Description
enriched_entity_property_definitions | array | List of property definitions for each entity type
enriched_entities | array | List of entities to enrich with property values

Enriched entity property definitions

Each entry declares the custom properties that will be added to a specific entity type, along with their data types. Property types determine how Veza stores and indexes values. For example, TIMESTAMP properties enable relative date filters in queries (such as "last 90 days").

Property definition fields

Field | Type | Description
entity_type | string | Veza entity type to enrich (e.g., AwsIamRole, OktaUser)
enriched_properties | dictionary | Map of property names to their types. See supported types

Supported property types

Type | Description
STRING | Text value
NUMBER | Numeric value (integer or float)
BOOLEAN | true or false
TIMESTAMP | Date/time value. Enables relative date filters in Veza queries
STRING_LIST | List of string values

Enriched entities

The list of existing entities to enrich with property values. Each entity must appear at most once, and its entry must carry every property value the entity should end up with: a push is a replacement of that entity's enriched properties, not a merge with what was pushed before. Including an entity with an empty properties map removes all enriched properties from that entity. Only entities in the list are updated; other entities are not affected.

Enriched entity fields

Field | Type | Description
type | string | Veza entity type (must match an entity_type in the property definitions)
id | string | Veza unique ID for the entity. For AWS entities, this is the ARN. Each entity must appear only once in the list
data_source_id | string | Veza data source ID for the entity. For AWS, combine the account ID with the data source type (e.g., 339083562601:awsiam)
properties | dictionary | Map of property names to values. Keys must be defined in the property definitions, and values must match the declared type. Omitting a key that is defined in the property definitions removes that property value from the entity

Creating and updating enrichment data

To create the OAA provider and push enrichment data:

  1. Create the provider with the entity_enrichment template type (the curl request shown above).

  2. Create a data source on the provider.

  3. Push the enrichment payload to the data source.

    The push endpoint requires the payload as a JSON-encoded string in the json_data field, so the file contents must be escaped into a single string rather than embedded as raw JSON; jq -Rs . reads payload.json and produces exactly that escaped string. See OAA API Operations for the request details and compression options.

Updates follow the same push workflow. Each push replaces the enrichment data for the entities included in the payload, so an update must carry every property value an entity should keep, not only the values that changed. Entities not included in the push are not affected.
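The rules above (declared keys only, values of the declared type, each entity listed once, omitted keys cleared, data_source_id tied to the AWS account in the ARN) are easy to get wrong when the payload is generated from another system, and a bad push either fails or quietly clears values. The following is an added example, not Veza's code or the oaaclient SDK: it validates a payload against those rules and then wraps it in a push body with json_data as a JSON-encoded string, as the push step requires. The account IDs, property names and timestamp values are constructed; the RFC 3339 timestamp format, the "id"/"data_source_id" fields of the push body and the base64-gzip "compression_type": "GZIP" option are assumptions to confirm against OAA API Operations.

```python
"""Validate an Entity Enrichment payload and build the push request body.

Added example, not Veza's own code. Placeholders and assumptions are marked.
"""
import base64
import gzip
import json
import re
from datetime import datetime


def _is_timestamp(value):
    """RFC 3339 / ISO 8601 string check (assumed wire format; the page does not state one)."""
    if not isinstance(value, str):
        return False
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return False
    return True


# One checker per supported property type; bool is deliberately not a NUMBER.
_TYPE_CHECKS = {
    "STRING": lambda v: isinstance(v, str),
    "NUMBER": lambda v: isinstance(v, (int, float)) and not isinstance(v, bool),
    "BOOLEAN": lambda v: isinstance(v, bool),
    "TIMESTAMP": _is_timestamp,
    "STRING_LIST": lambda v: isinstance(v, list) and all(isinstance(s, str) for s in v),
}

# Account ID is the fifth ARN field: arn:partition:iam::ACCOUNT:resource
_ARN_ACCOUNT = re.compile(r"^arn:[^:]+:iam::(\d{12}):")


def validate_enrichment(payload):
    """Check a payload against the template's rules before it is pushed.

    Returns {"errors": [...], "warnings": [...]}: errors are entries the
    server would reject or mis-attribute, warnings are property values the
    push will clear because the key was omitted.
    """
    errors, warnings = [], []
    definitions = {}
    for d in payload.get("enriched_entity_property_definitions", []):
        for name, ptype in d["enriched_properties"].items():
            if ptype not in _TYPE_CHECKS:
                errors.append(f"{d['entity_type']}.{name}: unsupported type {ptype}")
        definitions[d["entity_type"]] = d["enriched_properties"]

    seen = set()
    for e in payload.get("enriched_entities", []):
        key = (e["type"], e["id"])
        if key in seen:
            errors.append(f"{e['id']}: listed more than once")
        seen.add(key)

        declared = definitions.get(e["type"])
        if declared is None:
            errors.append(f"{e['id']}: no property definitions for type {e['type']}")
            continue

        props = e.get("properties", {})
        for name, value in props.items():
            ptype = declared.get(name)
            if ptype is None:
                errors.append(f"{e['id']}: {name} is not declared for {e['type']}")
            elif ptype in _TYPE_CHECKS and not _TYPE_CHECKS[ptype](value):
                errors.append(f"{e['id']}: {name} must be {ptype}, got {value!r}")
        for name in sorted(declared.keys() - props.keys()):
            warnings.append(f"{e['id']}: {name} omitted, existing value will be removed")

        # For AWS IAM entities the data source is "<account>:awsiam" (per the page).
        m = _ARN_ACCOUNT.match(e["id"])
        if e["type"].startswith("AwsIam") and m:
            expected = f"{m.group(1)}:awsiam"
            if e.get("data_source_id") != expected:
                errors.append(f"{e['id']}: data_source_id should be {expected}")
    return {"errors": errors, "warnings": warnings}


def build_push_body(payload, provider_id, data_source_id, compress=False):
    """Wrap the payload for the push call: json_data carries it as a JSON string.

    The "id"/"data_source_id" fields and the base64-gzip "compression_type"
    option are assumptions; confirm them against OAA API Operations.
    """
    raw = json.dumps(payload, separators=(",", ":"))
    body = {"id": provider_id, "data_source_id": data_source_id}
    if compress:
        body["json_data"] = base64.b64encode(gzip.compress(raw.encode())).decode()
        body["compression_type"] = "GZIP"
    else:
        body["json_data"] = raw
    return body


def decode_push_body(body):
    """Inverse of build_push_body, to confirm the round trip before sending."""
    data = body["json_data"]
    if body.get("compression_type") == "GZIP":
        data = gzip.decompress(base64.b64decode(data)).decode()
    return json.loads(data)


# Constructed sample: the first role is correct; the second has a wrong-type
# value, an undeclared key, an omitted key and a data_source_id from another account.
SAMPLE = {
    "enriched_entity_property_definitions": [
        {"entity_type": "AwsIamRole",
         "enriched_properties": {"my_company_id": "STRING",
                                 "is_compliance_validated": "BOOLEAN",
                                 "last_reviewed": "TIMESTAMP"}},
    ],
    "enriched_entities": [
        {"type": "AwsIamRole", "id": "arn:aws:iam::111111111111:role/Administrator",
         "data_source_id": "111111111111:awsiam",
         "properties": {"my_company_id": "ROLE-0001", "is_compliance_validated": True,
                        "last_reviewed": "2024-05-01T00:00:00Z"}},
        {"type": "AwsIamRole", "id": "arn:aws:iam::222222222222:role/andrew_s3_all",
         "data_source_id": "111111111111:awsiam",
         "properties": {"my_company_id": "ROLE-0002", "is_compliance_validated": "no",
                        "owner": "andrew"}},
    ],
}

if __name__ == "__main__":
    report = validate_enrichment(SAMPLE)
    for line in report["errors"]:
        print("ERROR  ", line)
    for line in report["warnings"]:
        print("WARNING", line)
    if not report["errors"]:
        print(json.dumps(build_push_body(SAMPLE, "provider-id", "111111111111:awsiam")))
```

Run the validator on the generated file before every push and refuse to send when errors is non-empty; review the warnings as well, since each one is a value that will disappear from the graph. Once the body is built, it is the JSON document to send to the data source's push endpoint with the same bearer token as the provider call above.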
