Promoted Tags

Use these APIs to define the tags Veza should treat as customer-defined properties. Access Reviews that involve these entity types will include columns showing the tag name and value.

For example, in AWS, you may automatically tag identities with a 3rd-party security tool, or use tags to label S3 buckets containing sensitive data. When a tag is promoted, Veza Access Reviews will treat the tag as a built-in entity attribute, and show this information for reviewers in an optional column.

Promote tag

Add a promotion rule by specifying its type and key, and the entity types it applies to:

• include_entity_types: if true, promote tags for the listed type(s).

• exclude_entity_type: if true, promotes tags for all entities except the listed type(s).

You can promote tags for any integration that supports them, such as Snowflake or Google Cloud. Use for integrations that do not support vendor-native tags or when built-in tagging is unavailable. Example tag types:

• AWSTag

• CookieTag (Veza Tag)

• GoogleCloudLabel

Entity types for tag promotion should be concrete types. You can confirm the format by viewing details for any graph node, and checking the Type attribute, for example:

• OAA.PagerDuty.User

• ActiveDirectoryUser

• OAA.custom_idp.IDPUser

Demote tag

Remove a promotion rule for the specified tag key and type. Demotions apply on the next data source parse.

List tag promotions

Get all promotion rules for all entity types.