Query Builder Parameters

Options for saved and spec query requests

Last updated 1 year ago

When calling the query spec endpoint or saving a query, you specify the search parameters as a JSON object in the request body. Saved queries and query specifications support a range of parameters and options, described in this document.

Queries begin with a source node type and optionally a destination node type. A simple query might show "all Okta users with relationships to S3 Buckets". A more advanced query will add additional constraints on entity attributes or tags, or filter on relationships to intermediate entities, such as a role, group, or local user.

Most requests return entities of the source node type. Use GetAssessmentQuerySpecDestinationNodes or GetAssessmentQueryDestinationNodes to return the related entities for an individual source entity in a query result.

Because the Veza Query Builder uses these same APIs, you can preview sample requests and responses by constructing a query in the web interface, opening the Save dropdown menu, and choosing View Query Spec API.

Query parameters

| Field | Type | Notes |
|---|---|---|
| all_entity_condition | | A constraint applied to every entity that is part of the query result, whether or not that entity type is specified in the query. |
| analysis_type | string | For built-in queries, indicates where the query originated (Query Builder or the Analysis page). Values: UNSET, USER, GROUP, ROLE, or SEPARATION_OF_DUTY. |
| avoided_intermediate_node_types | NodeSpecCollection | Entity types that must not appear in the path between the query source and destination. |
| description | string | A description of the assessment query, shown in the query details. |
| destination_node_types | NodeSpecCollection | If specified, results only include entities with a relationship to the destination node type. |
| effective_permissions | EffectivePermissionCollection | Effective permissions to search for, and the operator used to combine them. |
| labels | array of strings | List of assessment labels for categorization in reports. |
| name | string | The name of the assessment query, shown in the Veza UI. |
| no_relation | boolean | Deprecated (use relates_to_exp). |
| node_relationship_type | string | Query mode: EFFECTIVE_ACCESS (default) or CONFIGURED. |
| query_type | string | Always use SOURCE_TO_DESTINATION. |
| raw_permissions | RawPermissionCollection | If specified, only return results that have the listed raw permissions. |
| relates_to_exp | RelatesToExp | Constraints on related nodes. |
| required_intermediate_node_types | NodeSpecCollection | Entity types that must appear in the path connecting the source and destination nodes. |
| risk_level | string | Sets whether results are marked as risks, and at which level: NONE (default), WARNING, or CRITICAL. |
| risk_suppressed_constraints | RiskSuppressedConstraintsCollection | Adds a risk exception for nodes matching the specification. |
| source_node_types | NodeSpecCollection | The source node type to return as results for SOURCE_TO_DESTINATION queries (for example AwsIamUser). Exactly one node type is required. |
| violation | boolean | Deprecated, use risk_level instead. |
| visibility | string | Sets whether a query is public or visible only to its owners: PUBLIC (default) or PRIVATE. |
| include_nodes | boolean | When true, only return a result count. |
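The table above states a number of hard rules (one source node type, fixed enum values, deprecated fields, count_conditions only with a destination). The following is an added example, not Veza's own code, that checks a query spec against those rules locally before it is saved; the GOOD_SPEC and BAD_SPEC inputs are constructed.

```python
"""Lint a Veza query spec against the rules stated in the parameter tables above.

Added example, not Veza's own code: the enum values, deprecated fields, single
source node type and count_conditions rule all come from this page; GOOD_SPEC
and BAD_SPEC are constructed inputs.
"""
EFFECTIVE_PERMISSIONS = {"METADATA_WRITE", "METADATA_READ", "METADATA_CREATE",
                         "METADATA_DELETE", "DATA_READ", "DATA_WRITE",
                         "DATA_CREATE", "DATA_DELETE", "NON_DATA"}
ENUMS = {  # top-level string fields and the values the table allows
    "query_type": {"SOURCE_TO_DESTINATION"},
    "node_relationship_type": {"EFFECTIVE_ACCESS", "CONFIGURED"},
    "risk_level": {"NONE", "WARNING", "CRITICAL"},
    "visibility": {"PUBLIC", "PRIVATE"},
    "analysis_type": {"UNSET", "USER", "GROUP", "ROLE", "SEPARATION_OF_DUTY"},
}
DEPRECATED = {"no_relation": "relates_to_exp", "violation": "risk_level"}
NODE_COLLECTIONS = ("source_node_types", "destination_node_types",
                    "required_intermediate_node_types", "avoided_intermediate_node_types")


def _check_node_spec(where, node, has_destination, problems):
    """NodeSpec rules: an identity, no deprecated 'conditions', a valid grouping constraint."""
    if "node_type" not in node and "node_id" not in node:
        problems.append(f"{where}: node spec needs node_type or node_id")
    if "conditions" in node:
        problems.append(f"{where}: 'conditions' is deprecated, use condition_expression")
    if "count_conditions" in node and not has_destination:
        problems.append(f"{where}: count_conditions require destination_node_types")
    grouping = node.get("node_type_grouping_constraint")
    if grouping is not None and grouping.get("constraint_type") not in {"INCLUDE", "EXCLUDE"}:
        problems.append(f"{where}: constraint_type must be INCLUDE or EXCLUDE")


def _check_collection(name, coll, has_destination, problems):
    """NodeSpecCollection rules: a nodes array and an AND/OR nodes_operator."""
    nodes = coll.get("nodes")
    if not isinstance(nodes, list):
        problems.append(f"{name}: 'nodes' must be a node spec array")
        return
    if coll.get("nodes_operator", "AND") not in {"AND", "OR"}:
        problems.append(f"{name}: nodes_operator must be AND or OR")
    for i, node in enumerate(nodes):
        _check_node_spec(f"{name}.nodes[{i}]", node, has_destination, problems)


def validate_query_spec(spec):
    """Return the list of rule violations; an empty list means the spec is clean."""
    problems = []
    for field, allowed in ENUMS.items():
        if field in spec and spec[field] not in allowed:
            problems.append(f"{field}: {spec[field]!r} not in {sorted(allowed)}")
    for field, replacement in DEPRECATED.items():
        if field in spec:
            problems.append(f"{field}: deprecated, use {replacement}")
    source_nodes = spec.get("source_node_types", {}).get("nodes", [])
    if len(source_nodes) != 1:
        problems.append(f"source_node_types: exactly one node type required, got {len(source_nodes)}")
    for name in NODE_COLLECTIONS:
        if name in spec:
            _check_collection(name, spec[name], "destination_node_types" in spec, problems)
    for name in ("effective_permissions", "raw_permissions"):
        if spec.get(name, {}).get("operator", "AND") not in {"AND", "OR"}:
            problems.append(f"{name}: operator must be AND or OR")
    bad = [v for v in spec.get("effective_permissions", {}).get("values", [])
           if v not in EFFECTIVE_PERMISSIONS]
    if bad:
        problems.append(f"effective_permissions: unknown values {bad}")
    return problems


# Constructed inputs. GOOD_SPEC mirrors the NodeTypeGroupingConstraint example on this page.
GOOD_SPEC = {
    "node_relationship_type": "EFFECTIVE_ACCESS", "query_type": "SOURCE_TO_DESTINATION",
    "include_nodes": True,
    "source_node_types": {"nodes": [{"node_type": "User", "node_type_grouping_constraint": {
        "constraint_type": "INCLUDE", "node_types": ["CustomIDPUser", "OktaUser"]}}]},
    "destination_node_types": {"nodes": [{"node_type": "S3Bucket"}]},
}
BAD_SPEC = {
    "query_type": "DESTINATION_NODES",  # deprecated query type
    "violation": True,                  # deprecated field
    "source_node_types": {"nodes": [{"node_type": "OktaUser"},
                                    {"node_type": "AzureADUser"}]},  # two source types
    "destination_node_types": {"nodes": [{"node_type": "User", "node_type_grouping_constraint": {
        "constraint_type": "ONLY", "node_types": ["OktaUser"]}}]},  # invalid constraint_type
    "effective_permissions": {"values": ["DATA_READ", "ADMIN"], "operator": "OR"},
}
```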

NodeSpecCollection

A collection of node specifications, defining constraints or other query parameters on each entity type.

You can query for a single principal or resource by filtering on node ID.

| Field | Type | Notes |
|---|---|---|
| nodes | node spec array | Contains a NodeSpec object for each node type. |
| nodes_operator | string | Sets whether all or any of the node conditions must be true: AND (default) or OR. |

NodeSpec

Contains the type, tags, and conditions applied to a node, narrowing the focus of the query.

Note that you can add conditions and tags to either the source node type or the destination.

| Field | Type | Notes |
|---|---|---|
| condition_expression | ConditionExpression | Logical tree of constraints to apply. |
| conditions | array | Deprecated, use condition_expression. |
| count_conditions | array | Count condition functions and values. count_conditions are only accepted in assessment queries, when the node spec defines destination_node_types. |
| direct_relationship_only | boolean | When true, self-referential edges on this node type are not traversed. For example, if the node type is Role and direct_relationship_only is true, any Role -> Role edge is ignored. Can only be used with destination or source node types that have self-referential edges. Cannot be used with labels. |
| excluded_tags | Tags | Tags to exclude from results. |
| node_id | string | A single graph entity ID, for specifying an individual entity. |
| node_type | string | Concrete node type (e.g. AwsIamUser) or node label (e.g. User). |
| node_type_grouping_constraint | NodeTypeGroupingConstraint | Contains an operator and a list of node types to include or exclude. |
| tags | Tags | Tags to require, specified as key-value pairs. |

NodeTypeGroupingConstraint

Query specs support supertypes with constraints. They can be specified in the same way as concrete node types. node_type_grouping_constraint limits the set of concrete node types belonging to the specified supertype, with constraint_type values EXCLUDE or INCLUDE. Example spec:

{
    "node_relationship_type": "EFFECTIVE_ACCESS",
    "query_type": "SOURCE_TO_DESTINATION",
    "include_nodes": true,
    "source_node_types": {
        "nodes": [
            {
                "node_type": "User",
                "node_type_grouping_constraint" :{
                    "constraint_type" : "INCLUDE",
                    "node_types" : ["CustomIDPUser", "OktaUser"]
                }
            }
        ]
    },
    "destination_node_types": {
        "nodes": [
            {
                "node_type": "S3Bucket"
            }
        ]
    }
}

ConditionExpression

Additional constraints can be applied using a node condition_expression. Conditions specified within the expression can target node attributes such as name, date created, or any other properties Veza has discovered.

Conditions can always apply to source and destination node types. Conditions can only apply to intermediate node types when the query defines required_intermediate_node_types.

Conditions have a function (fn). Valid operators are:

  • EQ: Equals
  • LT: Less Than
  • LTE: Less Than or Equal
  • GT: Greater Than
  • GTE: Greater Than or Equal
  • LIST_CONTAINS: List Contains
  • IN: In
  • STARTS_WITH: Starts With
  • CONTAINS: Contains
  • ENDS_WITH: Ends With
  • EXISTS: Exists
  • REGEX: Matches Regular Expression

For date-based properties the operators mean:

  • LT: Not in the Last
  • LTE: Before
  • GT: In the Last
  • GTE: After
  • EQ: At

For example:

{
  "query_type": "SOURCE_TO_DESTINATION",
  "source_node_types": {
    "nodes": [
      {
        "node_type": "AwsIamUser",
        "condition_expression": {
          "operator": "AND",
          "specs": [
            {
              "fn": "LTE",
              "property": "last_used_at",
              "value": "2022-01-02T17:59:59.494Z"
            },
            {
              "fn": "GTE",
              "property": "last_used_at",
              "value": "2022-01-01T06:00:00.494Z"
            }
          ]
        }
      }
    ]
  }
}

The condition value can be true, false, a number, an RFC3339 timestamp, or a string. For example, to find S3 Bucket destinations where public ACLs haven't been blocked:

{
  "destination_node_types": {
    "nodes": [
      {
        "node_type": "S3Bucket",
        "condition_expression": {
          "specs": [
            {
              "fn": "EQ",
              "property": "block_public_acls",
              "value": false,
              "not": false
            }
          ]
        }
      }
    ]
  }
}

Conditions can also contain a string-typed value. For example, to find all Okta users with the prefix "sa-":

{
  "node_type": "OktaUser",
  "condition_expression": {
    "specs": [
      {
        "fn": "STARTS_WITH",
        "property": "name",
        "value": "sa-",
        "not": false
      }
    ]
  }
}

Note that you can specify nodes where the condition doesn't apply by setting "not": true for the constraint.

There can also be a not on the whole expression:

"condition_expression": {
  "operator": "OR",
  "not": true,
  "specs": [
    {
      "not": true,
      "fn": "EQ",
      ..
    },
    ..
  ]
}

You can get all the properties available for different node types (which vary depending on the provider and service) by searching for the entities in Authorization Graph and viewing the node details.
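The semantics described in this section (the fn operators, a per-spec "not", and a "not" on the whole expression) can be checked locally on sample node properties before a query is saved. The following is an added example, not Veza's own code: it evaluates the condition_expression objects shown above against constructed S3 bucket and IAM user records.

```python
"""Evaluate a Veza condition_expression locally against sample node properties.

Added example, not Veza's own code: it implements the fn operators, the
per-spec "not" and the expression-level "not" as described above, so the
semantics of a condition can be checked before a query is saved. The bucket
and user records are constructed; the expressions are the ones shown above.
"""
import re
from datetime import datetime

RFC3339 = re.compile(r"^\d{4}-\d{2}-\d{2}T")


def _coerce(value):
    """Parse RFC3339 timestamps so date operators compare instants, not strings."""
    if isinstance(value, str) and RFC3339.match(value):
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    return value


def _apply(fn, actual, expected):
    """One condition spec: fn applied to the node's property value."""
    if fn == "EXISTS":
        return actual is not None
    if actual is None:                  # a missing property satisfies nothing else
        return False
    a, e = _coerce(actual), _coerce(expected)
    ops = {
        "EQ": lambda: a == e, "LT": lambda: a < e, "LTE": lambda: a <= e,
        "GT": lambda: a > e, "GTE": lambda: a >= e,
        "IN": lambda: a in e, "LIST_CONTAINS": lambda: e in a,
        "STARTS_WITH": lambda: str(a).startswith(str(e)),
        "ENDS_WITH": lambda: str(a).endswith(str(e)),
        "CONTAINS": lambda: str(e) in str(a),
        "REGEX": lambda: re.search(str(e), str(a)) is not None,
    }
    if fn not in ops:
        raise ValueError(f"unknown condition fn {fn!r}")
    return ops[fn]()


def evaluate(expr, props):
    """True when a node with properties `props` satisfies the condition_expression."""
    results = []
    for spec in expr.get("specs", []):
        hit = _apply(spec["fn"], props.get(spec["property"]), spec.get("value"))
        results.append(hit != bool(spec.get("not", False)))   # per-spec "not"
    if not results:
        return True
    combined = all(results) if expr.get("operator", "AND") == "AND" else any(results)
    return combined != bool(expr.get("not", False))            # whole-expression "not"


def matching(expr, nodes):
    """Names of the nodes that satisfy expr, in input order."""
    return [n["name"] for n in nodes if evaluate(expr, n)]


# Constructed sample nodes.
BUCKETS = [
    {"name": "finance-archive", "block_public_acls": False},
    {"name": "sa-exports", "block_public_acls": True},
    {"name": "sa-scratch", "block_public_acls": False},
    {"name": "logs", "block_public_acls": False},
]
USERS = [
    {"name": "alice", "last_used_at": "2022-01-01T12:00:00.000Z"},
    {"name": "bob", "last_used_at": "2021-12-30T08:15:00.000Z"},
    {"name": "carol"},                                 # never used: no last_used_at
]

# Expressions taken from the examples above.
PUBLIC_ACL_EXPR = {"specs": [
    {"fn": "EQ", "property": "block_public_acls", "value": False, "not": False}]}
USED_IN_WINDOW_EXPR = {"operator": "AND", "specs": [
    {"fn": "LTE", "property": "last_used_at", "value": "2022-01-02T17:59:59.494Z"},
    {"fn": "GTE", "property": "last_used_at", "value": "2022-01-01T06:00:00.494Z"}]}
# Whole-expression "not": buckets that are neither "sa-" buckets nor blocking public ACLs.
NEITHER_EXPR = {"operator": "OR", "not": True, "specs": [
    {"fn": "STARTS_WITH", "property": "name", "value": "sa-"},
    {"fn": "EQ", "property": "block_public_acls", "value": True}]}
```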

Tags

When applied to source or destination node types, results will only show entities with (or without) a specific Veza Tag or a discovered AWS tag. For example:

    "destination_node_types": {
      "nodes": [
        {
          "node_type": "S3Bucket",
          "tags": [
            {
              "key": "awstag_PII",
              "value": "PCI"
            }
          ],
          "excluded_tags": [
            {
              "key": "environment",
              "value": "production"
            }
          ]
        }
      ]
    }

tags and excluded_tags can always apply to source and destination node types. They can only apply to intermediate node types in assessment queries, when the spec defines required_intermediate_node_types.

No relation

Enable no_relation to only return nodes without a relationship to the destination node types. For example, to show Microsoft Azure AD users that do not belong to the group "Alabama":

{
  "query_type": "SOURCE_TO_DESTINATION",
  "source_node_types": {
    "nodes": [
      {
        "node_type": "AzureADUser"
      }
    ]
  },
  "destination_node_types": {
    "nodes": [
      {
        "node_type": "AzureADGroup",
        "condition_expression": {
          "specs": [
            {
              "fn": "EQ",
              "property": "name",
              "stringValue": "Alabama"
            }
          ]
        }
      }
    ]
  },
  "no_relation": true,
  "include_nodes": true
}

Avoids intermediate node types

You may want to query for entities that have direct access to a resource, without a specific intermediate relationship. For example, you can query for IAM users whose resource access does not also involve a role.

To query for relationships that do not include a specific node type in the authorization path, specify an exclusion in the avoids_intermediate_node_types object:

...
"no_relation": false,
"avoids_intermediate_node_types": {
  "nodes": [
    {
      "node_type": "AwsIamRole"
    }
  ]
}

Query type

| Query Type | Description |
|---|---|
| SYSTEM_CREATED | Used for pre-built system queries. |
| SOURCE_TO_DESTINATION | The search returns entities of the source node type with a relationship to the destination entity type. |
| DESTINATION_NODES | Return the destination nodes instead of the source nodes (deprecated, use query_spec:destination_nodes). |

Permissions

To return only entities with one or more permissions to a resource, you can list either system or effective permissions, with an AND or OR operator.

RawPermissionCollection

"Raw" or "System" permissions describe privileges using the service provider's own terms, for example s3:PutBucketAcl.

| Field | Type | Notes |
|---|---|---|
| values | string | String list of raw permission names. |
| operator | string | AND or OR (default AND). |

You can review all the possible permissions Veza has discovered for an entity by selecting it as a related entity in a Query Builder search. The "Permissions" dropdown menu will include all effective and raw permissions for the resource type.

EffectivePermissionCollection

| Field | Type | Notes |
|---|---|---|
| values | string | Effective permissions can be METADATA_WRITE, METADATA_READ, METADATA_CREATE, METADATA_DELETE, DATA_READ, DATA_WRITE, DATA_CREATE, DATA_DELETE, or NON_DATA (default METADATA_WRITE). |
| operator | string | AND or OR (default AND). |

Effective permissions are an abstraction of an entity's authorization to a resource. When discovering authorization metadata for a connected provider, Veza maps each raw permission a principal has on a resource to the corresponding canonical permission, and calculates the cumulative effective permissions.

RelatesToExp

Queries constructed using the v1 API and the Segregation of Duty page can use "relates to" expressions to get results based on relationships to more than one related entity type, combined with AND | OR logic. For example: show all users that are in Group A and Group B, or show users that are in Group X and have Role Y.

RelatesToExp Evaluation

For E = { specs: [A, B, ...], child_expressions: [X, Y, ...], operator, not }, "source has a path to E" is defined as:

  • If operator is AND (default): "source has a path to ALL of (A, B, ..., X, Y, ...)"
  • If operator is OR: "source has a path to ANY of (A, B, ..., X, Y, ...)"
  • If not = true, the result above is inverted.

RelatesToExp Field Specifications

  • and_op_type: AndOperatorType (INFERRED [default], SOURCE_INTERSECT, PAIR_INTERSECT)

  • child_expressions: RelatesToExpressions Array

  • not: Boolean flag applied to specs and child_expressions

  • operator: Operator (AND [default], OR)

  • specs: RelatesToSpec array specifying node types and conditions

AndOperatorType

  • INFERRED (default): Replaced with SOURCE_INTERSECT or PAIR_INTERSECT based on query execution context.

  • SOURCE_INTERSECT: Intersection based on source node.

  • PAIR_INTERSECT: Intersection based on pairs of nodes.

Given the following graph relationship:

U1 -- P1 -- R1
    /
U2 -- P2 -- R2

U1 and U2 are entities of type U, and R1 and R2 are entities of type R. Here U2 is in the result of U -> (P1->R AND P2->R) with SOURCE_INTERSECT. With PAIR_INTERSECT, U2 is not in the result, because neither R1 nor R2 matches both U->P1->R and U->P2->R.

If we change the graph to have R1 match both U->P1->R and U->P2->R:

U1 -- P1 -- R1
    /     /
U2 -- P2 -

Now U2 is in the result of the same query with PAIR_INTERSECT. PAIR_INTERSECT is the right choice for queries like "users have permission A && B to database" when the meaning is "permission A && B to the same database".

AndOperatorType defaults:

  • INFERRED will be replaced with one of SOURCE_INTERSECT or PAIR_INTERSECT when executing the query.

  • INFERRED is replaced with PAIR_INTERSECT only if:

    • The query doesn't have RelatesToExpression.Not == true in any child expressions, and

    • All operands of the AND have the same sole node type, and

    • None of the operands of the AND include conflicting "equal to" conditions on a unique property (id or name)

  • Otherwise INFERRED is replaced with SOURCE_INTERSECT
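The two graphs above and the INFERRED rules just listed can be reproduced in code. The following is an added example, not Veza's own code: it evaluates the AND query U -> (P1->R AND P2->R) on both graphs under SOURCE_INTERSECT and PAIR_INTERSECT, and resolves INFERRED using the three conditions stated above; the RelatesToExp inputs in the test are constructed.

```python
"""Contrast SOURCE_INTERSECT and PAIR_INTERSECT, and resolve INFERRED as documented above.

Added example, not Veza's own code. The graphs are the two drawn above (U1, U2
users; P1, P2 intermediates; R1, R2 resources), the AND query is the one the
text evaluates, and infer_and_op_type follows the three INFERRED rules listed
above. RelatesToExp inputs used for testing are constructed.
"""

# Graph 1 from the text: U1 -- P1 -- R1, U2 -- P1, U2 -- P2 -- R2.
GRAPH_1 = {("U1", "P1"), ("P1", "R1"), ("U2", "P1"), ("U2", "P2"), ("P2", "R2")}
# Graph 2 from the text: R1 is now also reachable through P2.
GRAPH_2 = GRAPH_1 | {("P2", "R1")}


def destinations(graph, source, via):
    """R nodes reachable as source -> via -> R; empty if source does not reach via."""
    if (source, via) not in graph:
        return set()
    return {b for a, b in graph if a == via and b.startswith("R")}


def and_result(graph, operands, and_op_type, sources=("U1", "U2")):
    """Sources satisfying 'source has a path to ALL operands' under the chosen semantics."""
    result = []
    for s in sources:
        per_operand = [destinations(graph, s, via) for via in operands]
        if and_op_type == "SOURCE_INTERSECT":
            ok = all(per_operand)                       # each operand reached via some R
        elif and_op_type == "PAIR_INTERSECT":
            ok = bool(set.intersection(*per_operand))   # one R satisfies every operand
        else:
            raise ValueError(f"unknown AndOperatorType {and_op_type!r}")
        if ok:
            result.append(s)
    return result


def infer_and_op_type(expr):
    """Resolve INFERRED: PAIR_INTERSECT only when all three documented conditions hold."""
    if expr.get("and_op_type", "INFERRED") != "INFERRED":
        return expr["and_op_type"]                      # caller chose explicitly
    if any(child.get("not") for child in expr.get("child_expressions", [])):
        return "SOURCE_INTERSECT"                       # rule 1: no negated child expression
    node_types, eq_values = set(), {}
    for spec in expr.get("specs", []):
        nodes = spec.get("node_types", {}).get("nodes", [])
        if len(nodes) != 1:                             # rule 2: each operand has a sole node type
            return "SOURCE_INTERSECT"
        node_types.add(nodes[0]["node_type"])
        for cond in nodes[0].get("condition_expression", {}).get("specs", []):
            if cond["fn"] == "EQ" and cond["property"] in ("id", "name"):
                eq_values.setdefault(cond["property"], set()).add(cond["value"])
    if len(node_types) != 1:                            # rule 2: ... and the same one everywhere
        return "SOURCE_INTERSECT"
    if any(len(values) > 1 for values in eq_values.values()):
        return "SOURCE_INTERSECT"                       # rule 3: conflicting EQ on id or name
    return "PAIR_INTERSECT"
```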

RelatesToSpec

A RelatesToSpec represents a precise path definition:

  • source has a path to any node spec in node_types

    • direction determines the direction of the path

  • the path has all required_intermediate_node_types

  • the path has none of avoided_intermediate_node_types

  • all or any of raw_permissions appear on the path, depending on raw_permissions.operator

  • all or any of effective_permissions appear on the path, depending on effective_permissions.operator

  • if no_relation=true, it instead means such a path does not exist

| Field | Type | Description |
|---|---|---|
| avoided_intermediate_node_types | NodeSpecCollection | Node types that must not appear on the path. |
| direction | string | RelatesToDirection |
| effective_permissions | EffectivePermissionCollection | Effective permissions that must appear on the path. |
| no_relation | boolean | When true, the spec matches when no such path exists. |
| node_types | NodeSpecCollection | Node specs the source must have a path to. |
| raw_permissions | object | A collection of raw permission names. |
| required_intermediate_node_types | NodeSpecCollection | Node types that must appear on the path. |

RelatesToDirection can be:

  • ANY_DIRECTION: The API chooses the direction; paths in any direction are accepted by the caller.
  • SINGLE_DIRECTIONAL: The API chooses the direction if there is only one valid direction. Otherwise this input is invalid.
  • OUTGOING: Only accept results for paths of ( -> ...). This input is invalid if there is no such path in the schema.
  • INCOMING: Only accept results for paths of (... -> ). This input is invalid if there is no such path in the schema.

RiskSuppressedConstraintsCollection

Defines conditions on entity types to mark exceptions for queries with a risk level.
