Get query spec nodes

GetAssessmentQuerySpecNodes returns the entity details for nodes in the query without generating a result count. This option uses pagination and can be faster for complex queries where the total number of search results is not needed.

The request must include the full query spec object and the source_node_id of the query result to retrieve destination nodes for. Additionally, providing a snapshot_id will return destination nodes based on a Time Machine snapshot.

When specifying a page_size in the query string, responses will include the next_page_token and indicate has_more if additional results are available. Note that a page can be empty even when more results exist.

Authorizations
Authorization · string · Required

Bearer token authentication using a Veza Personal API key.

Header Format: Authorization: Bearer <your-api-key>

Creating an API Key:

  1. Log into your Veza tenant
  2. Navigate to Administration → API Keys
  3. Generate a new API key and save the value securely
Query parameters
page_size · string · Optional

The maximum number of results to be returned. Fewer results may be returned even when more pages exist.

page_token · string · Optional

The token specifying the specific page of results to retrieve.

order_by · string · Optional

Valid ordering options are destination_node_count ASC/DESC and risk_score ASC/DESC. Note: These options are used for ordering source nodes only.
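A pagination client for this endpoint that keeps going through empty pages and stops only when has_more is false, so an access review built on the results is not silently truncated. This is an added example, not Veza's own code: the tenant base URL is a placeholder you supply, and the `values` result key and the `fake_fetch` responses are assumptions constructed for illustration.

```python
import json
import urllib.parse
import urllib.request

ENDPOINT = "/api/v1/assessments/query_spec:nodes"  # path from this page


def http_fetch(base_url, api_key, body):
    """Return a fetch(page_token, page_size) callable that POSTs `body`.

    base_url is your tenant URL (a placeholder here); the key is sent as
    'Authorization: Bearer <your-api-key>' per the Authorizations section.
    """
    def fetch(page_token, page_size):
        params = {"page_size": str(page_size)}
        if page_token:
            params["page_token"] = page_token
        req = urllib.request.Request(
            base_url + ENDPOINT + "?" + urllib.parse.urlencode(params),
            data=json.dumps(body).encode(),
            headers={"Authorization": "Bearer " + api_key,
                     "Content-Type": "application/json"},
            method="POST",
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def iter_nodes(fetch, page_size=100, max_pages=10_000):
    """Yield every node, following next_page_token until has_more is false."""
    token, seen = "", set()
    for _ in range(max_pages):
        page = fetch(token, page_size)
        # "values" as the result key is an assumption; adjust to the response.
        yield from page.get("values", [])
        if not page.get("has_more"):
            return                      # only has_more ends the walk
        token = page.get("next_page_token", "")
        if not token or token in seen:  # guard against a token loop
            raise RuntimeError("has_more set but token missing or repeated")
        seen.add(token)
    raise RuntimeError("max_pages exceeded")


def fake_fetch(token, page_size):
    """Constructed three-page response; the middle page is empty."""
    pages = {
        "": {"values": [{"id": "u1"}], "has_more": True, "next_page_token": "t1"},
        "t1": {"values": [], "has_more": True, "next_page_token": "t2"},
        "t2": {"values": [{"id": "u2"}], "has_more": False},
    }
    return pages[token]
```

Against a real tenant, pass `http_fetch(base_url, api_key, body)` to `iter_nodes` in place of `fake_fetch`, with `body` holding the full query spec and source_node_id.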

Body
query_type · integer · enum · Optional
no_relation · boolean · Optional · Deprecated
snapshot_id · string · Optional
access_filter · all of · Optional

When the specified filter would include all numeric values (i.e. >= 0 or <= 100), results will also include rows which have no OPS available (nulls).

node_relationship_type · integer · enum · Optional
relates_to_exp · all of · Optional

A boolean expression describing the "relates to" types.

path_summary_count_conditions · all of · Optional

Can be used when path_summary_node_types are set to specify the path length.

result_value_type · integer · enum · Optional
include_all_source_tags_in_results · boolean · Optional

These fields control whether or not tags will be included in source and/or destination results.

include_all_destination_tags_in_results · boolean · Optional
additional_columns_to_get · integer · enum[] · Optional

Allows the front end to alert the back end if permissions are being displayed to the user.

include_sub_permissions · boolean · Optional

Include nodes with sub-permissions. A sub-permission is a permission shown for a resource when in reality the permission applies to a subresource.

include_permissions_summary · boolean · Optional

This field should be used with AssessmentQueryResultValueType SOURCE_NODES_WITH_COUNTS to include permissions summarized (aggregated) by source node, meaning it contains all permissions used by each source node.

unpivot_properties · string[] · Optional

The properties that should be unpivoted in the results, producing multiple rows per node/path. To be unpivoted, a property must be a list/array type property. If multiple properties are used, the result will be the Cartesian product (all unpivot combinations for the node). If a valid property does not exist on a node, that node is added as is. Specify each property by its full path in dot notation, using the properties' JSON names. Both values and pathValues can be unpivoted:

  1. Valid values for unpivoting: properties.<property_name>, unsupported_conditions.<condition_name>.conditions, joined_nodes..<valid_value_for_unpivoting>, raw_permissions, effective_permissions, access_stats.concrete_permissions, access_stats.canonical_permissions, filtered_raw_permissions, corresponding_effective_permissions, additional_node_properties.default_cohort_role_users_in_cohort, additional_node_properties.default_cohort_role_all_common_roles

  2. Valid pathValues for unpivoting: unsupported_conditions.<condition_name>.conditions, joined_nodes..<valid_value_for_unpivoting>, source.<valid_value_for_unpivoting>, destination.<valid_value_for_unpivoting>, waypoint.<valid_value_for_unpivoting>, abstract_permissions, concrete_permissions, filtered_concrete_permissions, corresponding_abstract_permissions

Examples for unpivoting values:

  1. Single field:
     unpivot_properties: ["properties.email_addresses"]
     result_values: {Values: [ {id:"1","properties":{"email_addresses":["[email protected]","[email protected]"]}} ]}
     After unpivot -> multiple nodes with id 1:
     result_values: {Values: [ {id:"1","properties":{"email_addresses":"[email protected]"}}, {id:"1","properties":{"email_addresses":"[email protected]"}} ]}

  2. Single field with missing unpivot property:
     unpivot_properties: ["properties.email_addresses"]
     result_values: {Values: [ {id:"1","properties":{"permissions":"abc"}} ]}
     After unpivot -> single node with id 1 (no email_addresses property to unpivot):
     result_values: {Values: [ {id:"1","properties":{"permissions":"abc"}} ]}

  3. Multiple fields (Cartesian product):
     unpivot_properties: ["properties.email_addresses", "raw_permissions"]
     result_values: {Values: [ {id:"1","properties":{"email_addresses":["[email protected]","[email protected]"]}, "raw_permissions":["perm1","perm2"]} ]}
     After unpivot -> multiple nodes with id 1:
     result_values: {Values: [ {id:"1","properties":{"email_addresses":"[email protected]"}, "raw_permissions":"perm1"}, {id:"1","properties":{"email_addresses":"[email protected]"}, "raw_permissions":"perm2"}, {id:"1","properties":{"email_addresses":"[email protected]"}, "raw_permissions":"perm1"}, {id:"1","properties":{"email_addresses":"[email protected]"}, "raw_permissions":"perm2"} ]}
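A local model of the unpivot rules above, useful for predicting how many rows a node will expand into before reconciling counts in an access report. This is an added example, not Veza's implementation: the function names and the sample node (including its email addresses) are constructed, and treating an empty list like a missing property is an assumption the page does not state.

```python
import copy
import itertools

# Constructed sample node; the addresses are illustrative only.
SAMPLE_NODE = {
    "id": "1",
    "properties": {"email_addresses": ["a@example.com", "b@example.com"]},
    "raw_permissions": ["perm1", "perm2"],
}


def _get(node, path):
    """Return (found, value) for a dot-notation path such as 'properties.x'."""
    cur = node
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return False, None
        cur = cur[key]
    return True, cur


def _set(node, path, value):
    """Overwrite the value at an existing dot-notation path."""
    *parents, leaf = path.split(".")
    for key in parents:
        node = node[key]
    node[leaf] = value


def unpivot(node, paths):
    """Expand list-valued properties into one row per combination."""
    active, choices = [], []
    for path in paths:
        found, value = _get(node, path)
        # Missing or non-list properties are skipped: the node is kept as is.
        if found and isinstance(value, list) and value:
            active.append(path)
            choices.append(value)
    rows = []
    for combo in itertools.product(*choices):  # one empty combo if none active
        row = copy.deepcopy(node)
        for path, value in zip(active, combo):
            _set(row, path, value)
        rows.append(row)
    return rows
```

Every expanded row keeps the original `id`, so count distinct `id` values rather than rows when the question is how many identities hold an entitlement.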

page_size · string · Optional

The maximum number of results to be returned. Fewer results may be returned even when more pages exist.

page_token · string · Optional

The token specifying the specific page of results to retrieve.

Responses
200

OK

application/json
POST /api/v1/assessments/query_spec:nodes

Sample request:

The following example searches for AWS IAM users with permissions to modify S3 bucket ACLs:

Sample response:

Here is a more complex example, which identifies Okta Users related to Snowflake Local Roles.

Using conditions, the query will only return users related to the BILLING group AND another group, either the AUDITOR role OR ROLE_A.

Request:

Response:
