LogoLogo
User GuideDeveloper DocumentationIntegrationsRelease Notes
  • ๐Ÿ Veza Documentation
  • โ˜‘๏ธGetting Started
  • ๐Ÿ“–Veza Glossary
  • โ“Product FAQ
  • ๐Ÿ›ก๏ธSecurity FAQ
    • Advanced Security FAQ
  • Release Notes
    • ๐Ÿ—’๏ธRelease Notes
      • Release Notes: 2025-05-14
      • Release Notes: 2025-04-30
      • Release Notes: 2025-04-16
      • Release Notes: 2025-04-02
      • Release Notes: 2025-03-19
      • Archive
        • 2024.9.23
        • 2024.9.16
        • 2024.9.9
        • 2024.9.2
        • 2024.8.26
        • 2024.8.19
        • 2024.8.12
        • 2024.8.5
        • 2024.7.29
        • 2024.7.22
        • 2024.7.15
        • 2024.7.1
        • 2024.6.24
        • 2024.6.17
        • 2024.6.10
        • 2024.6.3
        • 2024.5.27
        • 2024.5.20
        • 2024.5.13
        • 2024.5.6
        • 2024.4.29
        • 2024.4.22
        • 2024.4.15
        • 2024.4.8
        • 2024.4.1
        • 2024.3.25
        • 2024.3.18
        • 2024.3.11
        • 2024.3.4
        • 2024.2.26
        • 2024.2.19
        • 2024.2.12
        • 2024.2.5
        • 2024.1.29
        • 2024.1.22
        • 2024.1.15
        • 2024.1.8
        • 2024.1.1
        • 2023.12.18
        • 2023.12.11
        • 2023.12.4
        • 2023.11.27
        • 2023.11.20
        • 2023.11.13
        • 2023.11.6
        • 2023.10.30
        • 2023.10.23
        • 2023.10.16
        • 2023.10.9
        • 2023.10.2
        • 2023.9.25
        • 2023.9.18
        • 2023.9.11
        • 2023.9.4
        • 2023.8.28
        • 2023.8.21
        • 2023.8.14
        • 2023.8.7
        • 2023.7.31
        • 2023.7.24
        • 2023.7.17
        • 2023.7.10
        • 2023.7.3
        • 2023.6.26
        • 2023.6.19
        • 2023.6.12
        • 2023.6.5
        • 2023.5.29
        • 2023.5.22
        • 2023.5.15
        • 2023.5.8
        • 2023.5.1
        • 2023.4.24
        • 2023.4.17
        • 2023.4.10
        • 2023.4.3
        • 2023.3.27
        • 2023.3.20
        • 2023.3.13
        • 2023.3.6
        • 2023.2.27
        • 2023.2.20
        • 2023.2.13
        • 2023.2.6
        • 2023.1.30
        • 2023.1.23
        • 2023.1.16
        • 2023.1.9
        • 2023.1.2
        • 2022.12.12
        • 2022.12.5
        • 2022.11.28
        • 2022.11.14
        • 2022.11.7
        • 2022.10.31
        • 2022.10.24
        • 2022.10.17
        • 2022.10.1
        • 2022.6.2
        • 2022.6.1
        • 2022.5.1
        • 2022.4.1
        • 2022.3.1
  • Features
    • ๐Ÿ”ŽAccess Visibility
      • Graph
      • Query Builder
      • Saved Queries
      • Filters
      • Query Mode
      • Intermediate Entities
      • Regular Expressions
      • Tags
      • Tagged Entity Search
      • Assumed AWS IAM Roles
      • Veza Query Language
        • Quick Start
        • Syntax
        • VQL API
    • ๐Ÿ’กAccess Intelligence
      • Overview
      • Dashboards
        • Reports
        • Scheduled Exports of Query Results via a Secure Email Link
      • Risks
      • Analyze
      • Compare
      • Rules and Alerts
      • Entities
      • NHI Identify Classification Logic
      • NHI Secrets
    • ๐Ÿ”Access Reviews
      • Get Started: Access Reviewers
      • Get Started: Review Operators
      • Access Review Tasks
        • Assign Reviewers
        • Create a Configuration
        • Create a Review
        • Draft Reviews
        • Edit a Configuration
        • Filters and Bulk Actions
        • Manage Access Reviews
        • Using the Reviewer Interface
        • Row Grouping for Access Reviews
        • Schedule an Access Review
      • Access Review Configuration
        • Access Reviews Query Builder
        • Access Reviews Global Settings
        • Configuring a Global Identity Provider
          • Alternate Manager Lookup
        • Customizing Default Columns
        • Email Notifications and Reminders
        • Identity Provider and HRIS Enrichment
        • Entity Owners and Resource Manager Tags
        • Multi-Level Review
        • 1-Step Access Reviews
        • On-Demand Reviews
        • Veza Actions for Access Reviews
        • Review Intelligence Policies
        • Review Presentation Options
        • Reviewer Selection Methods
        • Reviewer Digest Notifications
      • Access Review Scenarios
        • Access Reviews: Active Directory Security Groups
        • Access Reviews: Okta App Assignments
        • Access Reviews: Okta Group Membership
        • Access Reviews: Okta Admin Roles
        • Access Reviews: Azure AD Roles
        • Access Reviews with Saved Queries
        • Source-Only Access Reviews
    • ๐Ÿ“ŠAccess Monitoring
    • ๐Ÿ”„Lifecycle Management
      • Implementation and Core Concepts
      • Access Profiles
      • Policies
      • Conditions and Actions
      • Attribute Sync and Transformers
        • Lookup Tables
      • Integrations
        • Active Directory
        • Exchange Server
        • Okta
        • Salesforce
        • Workday
    • โš–๏ธSeparation of Duties (SoD)
      • Managing SoD Risks with Veza
      • Creating SoD Detection Queries
      • Analyzing Separation of Duties Query Results
      • Example Separation of Duties Queries
      • SoD Manager Assignment
      • Access Reviews for SoD
  • Integrations
    • โœจVeza Integrations
      • Adobe Enterprise
      • Amazon Web Services
        • Add Existing AWS Accounts
        • Automatically Add New AWS Accounts
        • AWS DynamoDB
        • AWS KMS
        • AWS RDS MySQL
        • AWS RDS PostgreSQL
        • AWS Redshift
        • Activity Monitoring for AWS
        • Using AWS Secrets Manager for RDS Extraction
        • Notes & Supported Entities
      • Anaplan
      • Atlassian Cloud Products
      • Auth0
      • BambooHR
      • Bitbucket Data Center
      • BlackLine
      • Beeline
      • Boomi
      • Box
      • Bullhorn
      • Cassandra
      • Cisco Duo
      • Clickhouse
      • Concur
      • Confluence Server
      • Confluent
      • Coupa
      • Coupa Contingent Workforce
      • Crowdstrike Falcon
      • CSV Upload
        • CSV Upload Examples
        • CSV Upload Troubleshooting
        • CSV Upload API
      • Databricks (Single Workspace)
      • Databricks (Unity Catalog)
      • Delinea Secret Server
      • Device42
      • DocuSign
      • Dropbox
      • Egnyte
      • Expensify
      • Exchange Online (Microsoft 365)
      • Fastly
      • Google Cloud
        • Check Google Cloud Permissions
        • Notes & Supported Entities
      • Google Drive
      • GitHub
      • GitLab
      • HashiCorp Vault
      • HiBob
      • Hubspot
      • IBM Aspera
      • iManage
      • Ivanti Neurons
      • Jamf Pro
      • Jenkins
      • JFrog Artifactory
      • Jira Data Center
      • Kubernetes
      • LastPass
      • Looker
      • MongoDB
      • Microsoft Active Directory
      • Microsoft Azure
        • Azure SQL Database
        • Azure PostgreSQL Database
        • Microsoft Dynamics 365 CRM
        • Microsoft Dynamics 365 ERP
        • Notes & Supported Entities
      • Microsoft Azure AD
      • Microsoft SharePoint Online
      • Microsoft SharePoint Server
      • Microsoft SQL Server
      • MuleSoft
      • MySQL
      • NetSuite
      • New Relic
      • Okta
        • Okta MFA status
      • OneLogin
      • OpenAI
      • Oracle Cloud Infrastructure
      • Oracle Database
      • Oracle Database (AWS RDS)
      • Oracle E-Business Suite (EBS)
      • Oracle EPM
      • Oracle Fusion Cloud
      • Oracle JD Edwards EnterpriseOne
      • PagerDuty
      • Palo Alto Networks SASE/Prisma Access
      • PingOne
      • PostgreSQL
      • Power BI
      • Privacera
      • PTC Windchill
      • Qualys
      • QNXT
      • Ramp
      • Redis Cloud
      • Rollbar
      • Salesforce
      • Salesforce Commerce Cloud
      • SCIM integration
      • ServiceNow
      • Slack
      • Smartsheet
      • Snowflake
        • Snowflake Native Application
        • Snowflake Row Access Policies
        • Snowflake Masking Policies
        • Exporting Saved Query Results to Snowflake
        • Audit Log Export
        • Event Export
      • Solarwinds
      • Spotio
      • Sumo Logic
      • Tableau Cloud
      • Teleport
      • Terraform
      • ThoughtSpot
      • Trello
      • Trino (PrestoSQL)
      • UKGPro
      • Veza
      • Windows Server
        • Enterprise Deployment
      • Workato
      • Workday
      • YouTrack
      • Zendesk
      • Zip
      • Zoom
      • Zscaler
      • 1Password
    • ๐ŸŽฏIntegrations Overview
    • โš ๏ธPrerequisites and Connectivity
      • Insight Point
        • Deploying an Insight Point using the install script
        • Deploy with AWS EC2
        • Deploy with Virtual Appliance
          • Deploy with Virtual Appliance (Legacy)
        • Deploy with Azure Container Instances
        • Insight Point (Helm Chart)
      • Certificates with OpenSSL
    • โš™๏ธConfiguring Integrations
      • Integrations FAQ
      • Extraction and Discovery Intervals
      • Custom Identity Mappings
      • Limiting Extractions
      • Enrichment Rules
      • โ„น๏ธRunning Veza Scripts with Python
  • Administration
    • ๐Ÿ› ๏ธVeza Administration
      • Securing Your Veza Tenant
      • Veza Actions
        • Slack
        • ServiceNow
        • Jira
        • Webhooks
      • Virtual Private Veza
      • System Events
      • Sign-In Settings
        • Single Sign-On with Okta
        • Single Sign-On with Okta (OIDC)
        • Single Sign-On with Microsoft Entra
      • User Management
        • Multi-factor Authentication
        • Team Management
        • Support User Access
  • Developers
    • ๐ŸŒVeza APIs
      • Authentication
      • Troubleshooting
      • Pagination
      • Open Authorization API
        • Getting Started
        • Core Concepts
          • Connector Requirements
          • Using OAA Templates
          • Providers, Data Sources, Names and Types
          • Sourcing and Extracting Metadata
          • Naming and Identifying OAA Entities
          • Modeling Users, Permissions, and Roles
          • Custom Properties
          • Tagging with OAA
          • Cross Service IdP Connections
          • Incremental Updates
        • OAA Push API
          • OAA Operations
        • OAA Templates
          • Custom Application
          • Custom Identity Provider
          • Custom HRIS Provider
        • OAA .NET SDK
          • C# OAA Application Connector
        • OAA Python SDK
          • Application Outline
          • oaaclient modules
            • Client
            • Structures
            • Templates
            • Utils
        • Sample Apps
        • Example Connectors
      • Integration APIs
        • Enable/Disable Providers
        • Cloud Platforms and Data Providers
        • Identity Providers
        • Data Sources
        • Sync and Parse Status
      • Query APIs
        • Quick Start
        • Query Builder Terminology
        • Query Builder Parameters
        • Query Builder Results
        • List saved queries
        • Save a query
        • Get a saved query
        • Update a query
        • Delete a query
        • Get query node destinations
        • Get query nodes
        • Get query result
        • Get query spec node destinations
        • Get query spec nodes
        • Get query spec results
        • Private APIs
          • Get Access Relationship
          • Role Existence
          • Role Maintenance
          • Cohort Role Analysis
        • Tags
          • Create, Add, Remove Tag
          • Promoted Tags
      • Access Reviews APIs
        • Workflow Parameters Reference
        • List Workflows
        • List Certifications
        • List Certification Results
        • Update Certification Result
        • Force Update Result
        • Update Webhook Info
        • Get Certification Result
        • Manage Reviewer Deny List
        • Quick Filters
        • Help Page Templates
        • Smart Action Definitions
        • Delegate Reviewers
        • List Reviewer Infos
        • Get Access Graph
        • Automations API
        • Global Settings APIs
      • System Audit Logs
      • System Events
      • Notification Templates
        • Notification Templates API
      • Team and User Management APIs
        • Team API Keys
      • SCIM Provisioning
        • SCIM API Reference
        • SCIM Provisioning with Okta
  • Product Updates
    • ๐Ÿ†•Product Updates
      • Product Update: March'25
      • Product Update: February'25
      • UX Update - Integration Management
      • Product Update: January'25
      • Product Update: December'24
      • Product Update: November'24
      • Product Update: October'24
      • Product Update: September'24
      • Product Update: August'24
      • UX Update: Veza Integrations
      • Product Update: July'24
      • Product Update: June'24
      • Product Update: May'24
      • Product Update: April'24
      • UX Update - Enhanced Reviewer Experience for Veza Access Reviews
      • Product Update: March'24
      • Product Update: February'24
      • Design Update: February'24
      • UX Update - New Navigation Experience
      • UX Update - Access Review Dashboards
      • Building Vezaโ€™s Platform and Products
      • Veza Product Update - Jan'24
      • Veza Product Update - 2H 2023
      • Veza Product Update - December'23
      • Veza Product Update - November'23
      • Veza Product Update - October'23
      • Veza Product Update - September'23
      • Veza Product Update - August'23
      • Veza Product Update - July'23
      • Veza Product Update - June'23
      • Veza Product Update - May'23
      • Veza Product Update - April'23
      • Veza Product Update - March'23
      • Veza Product Update - Feb'23
      • Veza Product Update - Jan'23
Powered by GitBook
On this page

Was this helpful?

Export as PDF
  1. Developers
  2. Veza APIs
  3. Query APIs
  4. Private APIs

Get Access Relationship

Identify grantees (such as roles) providing specific access permissions to a given identity for a set of resources.

PreviousPrivate APIsNextRole Existence

Last updated 1 month ago

Was this helpful?

Early Access: This API is provided in Early Access. Please contact our customer support team for more information and to enable this feature.

Overview

The GetAccessRelationship API takes an identity (user), a list of resources with permissions, and responds with potential grantees (roles) that can grant these access permissions to the user. The response includes detailed information about the additional access these grantees would provide. This API is particularly designed for role recommendations and permissions analysis in Snowflake environments.

Use cases and features

This API returns potential grantees (i.e., Snowflake roles) that can provide specific permissions, with results ordered by the level of "extra access" they provide (access not already available to the user). The response includes comparisons between current access and potential access and supports filtering by grantee type and other criteria.

  1. Role Recommendations: Find the most appropriate roles to grant a user for specific access needs

  2. Privilege Analysis: Analyze what additional privileges different roles would provide to a user

  3. Access Management: Compare different access options before making permission changes

  4. Least Privilege Implementation: Identify roles that provide necessary access with minimal excess permissions

Limitations

  • This feature is currently limited to the .

  • For highly connected identities (>10,000 accesses or accessible resources), the calculation of "extra access" can be performance-intensive. For a timely response, the API will return grantees with the least resources by themselves, instead of those providing the least extra resources. In such cases, is_identity_highly_connected will be set to true in response.

Get Access Relationship

Request Parameters

The API accepts a GetAccessRelationshipRequest object with the following parameters:

Parameter
Type
Required
Description

identity_id

string

Yes

ID for the principal (user) in Veza node ID format

identity_type

string

Yes

Veza node type for the principal (currently must be SnowflakeUser)

resource_id

string

No

ID of the resource to analyze

resource_type

string

No

Type of the resource to analyze (used to calculate impact)

raw_permissions

RawPermissionCollection

No

Collection of raw permissions to analyze

effective_permissions

EffectivePermissionCollection

No

Collection of effective permissions to analyze

grantee_type

string

No

Veza node type for the grantee (currently must be SnowflakeRole)

grantee_filter

AssessmentQuerySpecFilter

No

Filter to apply on potential grantees

saved_query_id_for_grantee_ids

string

No

ID of a saved query, source nodes in its result will be used as a filter

max_grantee_count

int32

No

Maximum number of grantees to return

resource_types_to_display

string[]

No

Resource types to include in the result (in addition to resource_type above)

max_resource_count

int32

No

Grantees with access to more resources will be excluded from the results. 0 (unset) uses the default value of 100,000. Setting a higher value will include grantees with more resources.

no_extra_stats

boolean

No

Show less stats to makes the API respond faster: when True, the response will not contain permission summaries and resource access changes, but the grantee IDs are still returned in the correct order.

resource_permissions

ResourcePermissions[]

No

Only valid when result order is LEAST_PRIVILEGED. Returned grantees will be able to access all resources with the permissions in resource_permissions.

result_order

RoleRecommendationResultOrder

No

Ordering method for results (default is by minimal access count)

direct_grantee_to_resource_only

boolean

No

When true, only return roles with direct access to the input resources

Important: Either resource_permissions or the combination of (resource_id, resource_type, raw_permissions, effective_permissions) must be provided in the request, but not both.

Result Ordering

The API provides two options for ordering the returned grantees:

  • Default Order (Minimal Access Count): By default, the API returns grantees ordered by their access count, prioritizing roles with fewest total accesses.

  • Least Privileged: When setting "result_order": "LEAST_PRIVILEGED", the API orders grantees by least privilege principle (minimum necessary permissions) and enables several advanced features:

    • No system-defined admin roles will be returned in the results

    • The resource_permissions parameter can be used, which allows input of multiple resources

Special Considerations

  • When max_resource_count is reached for an identity, the API will return grantees with the least resources by themselves, instead of those providing the least extra resources.

  • The no_extra_stats parameter improves performance when detailed statistics aren't needed. This parameter will:

    • Skip saved query lookup for grantee IDs

    • Only include basic resource count information in the response

    • Ignore the saved_query_id_for_grantee_ids parameter

    • Only return old_accessible_resource_count and new_accessible_resource_count for the input resource_type

    • This parameter is not effective when result_order is set to LEAST_PRIVILEGED

  • The resource_permissions parameter is only usable when result_order is set to LEAST_PRIVILEGED

Response Structure

The API returns a GetAccessRelationshipResponse object with the following fields:

Field
Type
Description

ordered_node_access_changes

NodeAccessChange[]

List of grantees and their access statistics, ordered according to the input result_order

is_identity_highly_connected

boolean

Indicates if the identity has access to many resources (>10,000 accesses for a single resource type)

result_time

Timestamp

Time when the cache was refreshed (if cache was used)

identity_already_has_all_access

boolean

Indicates if the principal already has all the requested access

Note: There are deprecated fields in the response (role_id, resource_type, new_accessible_resource_count) that should not be used. Use the ordered_node_access_changes field instead.

NodeAccessChange Structure

Each NodeAccessChange object contains:

Field
Type
Description

node_type

string

The node type of the grantee

id

string

The node ID of the grantee

name

string

The name of the grantee

resource_access_changes

ResourceAccessChange[]

Access changes per resource type

ResourceAccessChange Structure

Each ResourceAccessChange object contains:

Field
Type
Description

resource_type

string

Type of the resource

old_accessible_resource_count

int32

Count of resources accessible before granting

new_accessible_resource_count

int32

Count of resources accessible after granting

old_raw_permissions

string[]

List of raw permissions before granting

new_raw_permissions

string[]

List of raw permissions after granting

old_effective_permissions

string[]

List of effective permissions before granting

new_effective_permissions

string[]

List of effective permissions after granting

Usage Examples

Example 1: Using Resource Permissions (Recommended)

This example shows how to use the API to find roles that would give a specific Snowflake user access to certain resources using the resource_permissions parameter.

Request

{
  "identity_id": "example-snowflake.com/user/ALICE",
  "identity_type": "SnowflakeUser",
  "resource_permissions": [
    {
      "resource_id": "example-snowflake.com/database/SALES/schema/PUBLIC/table/CUSTOMER_DATA",
      "resource_type": "SnowflakeTable",
      "permissions": ["SELECT", "INSERT"]
    }
  ],
  "grantee_type": "SnowflakeRole",
  "max_grantee_count": 5,
  "result_order": "LEAST_PRIVILEGED"
}

Example 2: Using Resource ID and Permissions

This example shows how to use the API with the resource ID and permissions approach.

This example uses LEAST_PRIVILEGED result ordering. The response will prioritize grantees that provide the minimum necessary permissions to meet the requested access requirements.

Request

{
  "identity_id": "example-snowflake.com/user/ALICE",
  "identity_type": "SnowflakeUser",
  "resource_id": "example-snowflake.com/database/SALES/schema/PUBLIC/table/CUSTOMER_DATA",
  "resource_type": "SnowflakeTable",
  "raw_permissions": {
    "values": ["SELECT", "INSERT"],
    "operator": "AND"
  },
  "grantee_type": "SnowflakeRole",
  "max_grantee_count": 5,
  "result_order": "LEAST_PRIVILEGED"
}

Response

{
  "ordered_node_access_changes": [
    {
      "node_type": "SnowflakeRole",
      "id": "example-snowflake.com/role/ANALYST",
      "name": "ANALYST",
      "resource_access_changes": [
        {
          "resource_type": "SnowflakeTable",
          "old_accessible_resource_count": 10,
          "new_accessible_resource_count": 25,
          "old_raw_permissions": ["SELECT"],
          "new_raw_permissions": ["SELECT", "INSERT"],
          "old_effective_permissions": ["SELECT"],
          "new_effective_permissions": ["SELECT", "INSERT"]
        }
      ]
    },
    {
      "node_type": "SnowflakeRole",
      "id": "example-snowflake.com/role/DATA_EDITOR",
      "name": "DATA_EDITOR",
      "resource_access_changes": [
        {
          "resource_type": "SnowflakeTable",
          "old_accessible_resource_count": 10,
          "new_accessible_resource_count": 32,
          "old_raw_permissions": ["SELECT"],
          "new_raw_permissions": ["SELECT", "INSERT", "UPDATE"],
          "old_effective_permissions": ["SELECT"],
          "new_effective_permissions": ["SELECT", "INSERT", "UPDATE"]
        }
      ]
    }
  ],
  "is_identity_highly_connected": false,
  "result_time": "2025-02-25T10:15:30Z",
  "identity_already_has_all_access": false
}

Related APIs

๐ŸŒ
Role Existence API
Role Maintenance API
Cohort Role Analysis API
Snowflake integration
  • Overview
  • Get Access Relationship
  • POST/api/private/assessments/access_relationship
  • Request Parameters
  • Response Structure
  • Usage Examples
  • Related APIs
post
Authorizations
Body
identity_idstringOptional
identity_typestringOptional
resource_idstringOptional

only one of resource_permissions or (resource_id, resource_type, raw_permissions, effective_permissions) can be set in the input

resource_typestringOptional
grantee_typestringOptional
saved_query_id_for_grantee_idsstringOptional
max_grantee_countinteger ยท int32Optional
resource_types_to_displaystring[]Optional
max_resource_countinteger ยท int32Optional
no_extra_statsbooleanOptional

When result_type=DEFAULT, setting no_extra_stats to true will also skip these queries:

  • saved_query_id_for_grantee_ids will be ignored
  • response will only contain old_accessible_resource_count and new_accessible_resource_count for input resource_type.
result_orderinteger ยท enumOptional

result_order is by default minimal access count, but can be set to LEAST_PRIVILEGED and enable new features including resource_permissions and faster response

direct_grantee_to_resource_onlybooleanOptional
Responses
200
OK
application/json
default
Default error response
application/json
post
POST /api/private/assessments/access_relationship HTTP/1.1
Host: 
Authorization: Bearer Bearer <API key>
Content-Type: application/json
Accept: */*
Content-Length: 3575

{
  "identity_id": "text",
  "identity_type": "text",
  "resource_id": "text",
  "resource_type": "text",
  "raw_permissions": {
    "values": [
      "text"
    ],
    "operator": 1
  },
  "effective_permissions": {
    "values": [
      1
    ],
    "operator": 1
  },
  "grantee_type": "text",
  "grantee_filter": {
    "query_type": 1,
    "source_node_types": {
      "nodes": [
        {
          "node_type": "text",
          "condition_expression": {
            "specs": [
              {
                "fn": 1,
                "property": "text",
                "value": null,
                "not": true,
                "value_property_name": "text",
                "value_property_from_other_node": true
              }
            ],
            "tag_specs": [
              {
                "tag": {
                  "type": "text",
                  "key": "text",
                  "value": "text",
                  "properties": {
                    "ANY_ADDITIONAL_PROPERTY": null
                  }
                },
                "exclude": true
              }
            ],
            "child_expressions": "[Circular Reference]",
            "operator": 1,
            "not": true
          },
          "node_id": "text",
          "count_condition_expression": "[Circular Reference]",
          "direct_relationship_only": true,
          "node_type_grouping_constraint": {
            "node_types": [
              "text"
            ],
            "constraint_type": 1
          },
          "properties_to_get": [
            "text"
          ],
          "tags_to_get": [
            {
              "type": 1,
              "key": "text"
            }
          ],
          "integration_types": [
            "text"
          ]
        }
      ],
      "nodes_operator": 1
    },
    "customized_variables": [
      {
        "key": "text",
        "value": "text"
      }
    ],
    "access_filter": {
      "engagement_score": {
        "op": 1,
        "value": 1
      },
      "over_provisioned_score": {
        "op": 1,
        "value": 1
      },
      "include_secondary_grantee": true,
      "include_indirect_resource": true,
      "exclude_indirect_grantee": true,
      "anomaly_detection_history_days": "text",
      "last_used": {
        "op": 1,
        "value": "2025-05-25T08:34:54.407Z",
        "target": 1
      }
    },
    "node_relationship_type": 1,
    "relates_to_exp": {
      "specs": [
        {
          "node_types": "[Circular Reference]",
          "required_intermediate_node_types": "[Circular Reference]",
          "avoided_intermediate_node_types": "[Circular Reference]",
          "raw_permissions": {
            "values": [
              "text"
            ],
            "operator": 1
          },
          "effective_permissions": {
            "values": [
              1
            ],
            "operator": 1
          },
          "no_relation": true,
          "direction": 1
        }
      ],
      "child_expressions": [
        {
          "specs": "[Circular Reference]",
          "child_expressions": "[Circular Reference]",
          "operator": 1,
          "not": true,
          "and_op_type": 1
        }
      ],
      "operator": 1,
      "not": true,
      "and_op_type": 1
    },
    "path_summary_node_types": {
      "nodes": [
        {
          "node_type": "text",
          "condition_expression": {
            "specs": [
              {
                "fn": 1,
                "property": "text",
                "value": null,
                "not": true,
                "value_property_name": "text",
                "value_property_from_other_node": true
              }
            ],
            "tag_specs": [
              {
                "tag": {
                  "type": "text",
                  "key": "text",
                  "value": "text",
                  "properties": {
                    "ANY_ADDITIONAL_PROPERTY": null
                  }
                },
                "exclude": true
              }
            ],
            "child_expressions": "[Circular Reference]",
            "operator": 1,
            "not": true
          },
          "node_id": "text",
          "count_condition_expression": "[Circular Reference]",
          "direct_relationship_only": true,
          "node_type_grouping_constraint": {
            "node_types": [
              "text"
            ],
            "constraint_type": 1
          },
          "properties_to_get": [
            "text"
          ],
          "tags_to_get": [
            {
              "type": 1,
              "key": "text"
            }
          ],
          "integration_types": [
            "text"
          ]
        }
      ],
      "nodes_operator": 1
    },
    "all_entity_condition": {
      "specs": [
        {
          "fn": 1,
          "property": "text",
          "value": null,
          "not": true,
          "value_property_name": "text",
          "value_property_from_other_node": true
        }
      ],
      "tag_specs": [
        {
          "tag": {
            "type": "text",
            "key": "text",
            "value": "text",
            "properties": {
              "ANY_ADDITIONAL_PROPERTY": null
            }
          },
          "exclude": true
        }
      ],
      "child_expressions": [
        {
          "specs": [
            {
              "fn": 1,
              "property": "text",
              "value": null,
              "not": true,
              "value_property_name": "text",
              "value_property_from_other_node": true
            }
          ],
          "tag_specs": [
            {
              "tag": {
                "type": "text",
                "key": "text",
                "value": "text",
                "properties": {
                  "ANY_ADDITIONAL_PROPERTY": null
                }
              },
              "exclude": true
            }
          ],
          "child_expressions": [
            "[Circular Reference]"
          ],
          "operator": 1,
          "not": true
        }
      ],
      "operator": 1,
      "not": true
    },
    "path_summary_count_conditions": {
      "conditions": [
        {
          "fn": 1,
          "value": "text",
          "value_as": 1
        }
      ]
    },
    "result_value_type": 1
  },
  "saved_query_id_for_grantee_ids": "text",
  "max_grantee_count": 1,
  "resource_types_to_display": [
    "text"
  ],
  "max_resource_count": 1,
  "no_extra_stats": true,
  "resource_permissions": [
    {
      "raw_permissions": [
        "text"
      ],
      "node_type": "text",
      "node_id": "text"
    }
  ],
  "result_order": 1,
  "direct_grantee_to_resource_only": true
}
{
  "ordered_node_access_changes": [
    {
      "node_type": "text",
      "id": "text",
      "name": "text",
      "resource_access_changes": [
        {
          "resource_type": "text",
          "old_accessible_resource_count": 1,
          "new_accessible_resource_count": 1,
          "old_raw_permissions": [
            "text"
          ],
          "new_raw_permissions": [
            "text"
          ],
          "old_effective_permissions": [
            "text"
          ],
          "new_effective_permissions": [
            "text"
          ]
        }
      ]
    }
  ],
  "is_identity_highly_connected": true,
  "result_time": "2025-05-25T08:34:54.407Z",
  "identity_already_has_all_access": true
}