Query Builder Terminology

Graph search concepts for working with the query builder

Entity (Node)

An entity, also referred to as a node, represents an authorization, data, or identity object discovered by Veza. It can be a concrete external named entity, such as AwsIamPolicy or OktaUser, or an edge aggregation node created by Veza for visualization and service purposes.

Entities, within the context of the Query Builder API, are the building blocks that represent various authorization, data, and identity objects discovered by Veza. They are used to construct queries, workflows, and Authorization Graph searches.

Entities encompass a wide range of elements, including identities, local users, data resources, identity domains, and IAM or RBAC elements such as security groups, policies, and roles.

When constructing queries, you will typically specify the source and destination entity types, such as Okta User to AWS S3 Bucket or Google User to Google Group, along with specific constraints on those entity types.

The Query Builder API offers top-level Entity Type Groupings such as User and Resource, providing an easy way to select and constrain all entities belonging to a particular supertype.

Entity Attribute

An entity attribute is a key-value pair associated with a specific entity type. These attributes carry rich metadata, enabling granular filters and search conditions.

Veza computes some attributes, such as name, is human, or full admin, during parsing; others, such as mfa_enabled and is_encrypted, are ingested directly from the provider.

Entity Type

An entity type represents the final and precise specification of a node's category in an external system. Examples of external entity types include AwsIamUser, or S3Bucket.

Entity Type Grouping

An entity type grouping, or supertype, provides a top-level label to search for multiple entity types in a single query, such as User or Resource. Constraints can apply to an entity type grouping as if it were a single entity.

Supertypes are groupings of entities in the graph, allowing the specification of a "one of" style constraint among different concrete node types. A node type can be a member of one or more supertypes, and a supertype can contain concrete node types as well as other supertypes.

Effective and System Permissions

Raw or System permissions refer to individual privileges defined in the provider's internal terms, for example, AWS IAM s3:BucketDelete.

Effective Permissions represent the canonical C/R/U/D equivalents of system permissions, for example MetadataWrite, DataRead, or NonData.

Note: When filtering by permission, you must specify the type of permission. Effective and system permissions cannot both be specified in the same query. If a search does not involve privileged relationships to resources (for example, a User->Policy search), the permissions filter has no effect.
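The following is an added example, not Veza's code and not the Query Builder API's real request format. It models the glossary concepts above on a small constructed graph: nested supertypes resolved to concrete entity types (so a "User" or "Identity" label covers several node types), attribute constraints on source and destination entities, and the permission filter, which accepts either system or effective permissions but not both and is ignored on relationships that carry no resource privileges. The supertype tree, the entity and attribute names, and the system-to-effective mapping are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Hypothetical supertype tree: a supertype may contain concrete entity types
# and other supertypes, and a concrete type may sit under several supertypes.
SUPERTYPES = {
    "Identity": {"User", "ServiceAccount"},
    "User": {"OktaUser", "AwsIamUser"},
    "ServiceAccount": {"AwsIamRole"},
    "Resource": {"S3Bucket", "AwsIamPolicy"},
}

# Constructed canonicalization of provider (system) permissions to
# effective permissions; the real mapping is Veza's, not this table.
SYSTEM_TO_EFFECTIVE = {
    "s3:GetObject": "DataRead",
    "s3:PutObject": "DataWrite",
    "s3:DeleteBucket": "MetadataWrite",
    "s3:GetBucketPolicy": "MetadataRead",
    "iam:PassRole": "NonData",
}


def resolve_supertype(label):
    """Expand a label into the set of concrete entity types it covers.
    A concrete type resolves to itself; supertypes resolve recursively,
    which is what makes a 'one of' constraint across node types work."""
    if label not in SUPERTYPES:
        return {label}
    concrete = set()
    for member in SUPERTYPES[label]:
        concrete |= resolve_supertype(member)
    return concrete


@dataclass
class Entity:
    name: str
    entity_type: str                 # concrete type, e.g. OktaUser
    attributes: dict = field(default_factory=dict)


@dataclass
class Edge:
    source: str
    destination: str
    # None marks a non-privileged relationship (membership, policy attachment);
    # a tuple, even an empty one, marks a privileged relationship to a resource.
    system_permissions: tuple = None


# Constructed sample graph (hypothetical names and attribute keys).
ENTITIES = {e.name: e for e in [
    Entity("alice", "OktaUser", {"is_human": True, "mfa_enabled": True}),
    Entity("bob", "AwsIamUser", {"is_human": True, "mfa_enabled": False}),
    Entity("ci-role", "AwsIamRole", {"is_human": False}),
    Entity("payroll-bucket", "S3Bucket", {"is_encrypted": True}),
    Entity("logs-bucket", "S3Bucket", {"is_encrypted": False}),
    Entity("admin-policy", "AwsIamPolicy"),
]}

EDGES = [
    Edge("alice", "payroll-bucket", ("s3:GetObject",)),
    Edge("bob", "payroll-bucket", ("s3:GetObject", "s3:DeleteBucket")),
    Edge("ci-role", "logs-bucket", ("s3:PutObject",)),
    Edge("bob", "admin-policy"),  # policy attachment: no resource privilege
]


def matches_attributes(entity, constraints):
    """Every constraint key must be present with exactly the required value."""
    return all(entity.attributes.get(k) == v for k, v in constraints.items())


def run_query(source_type, destination_type, source_attrs=None,
              destination_attrs=None, system_permissions=None,
              effective_permissions=None):
    """Return (source, destination) pairs matching a source->destination search."""
    if system_permissions and effective_permissions:
        raise ValueError("specify either system or effective permissions, not both")
    src_types = resolve_supertype(source_type)
    dst_types = resolve_supertype(destination_type)
    results = []
    for edge in EDGES:
        src, dst = ENTITIES[edge.source], ENTITIES[edge.destination]
        if src.entity_type not in src_types or dst.entity_type not in dst_types:
            continue
        if not matches_attributes(src, source_attrs or {}):
            continue
        if not matches_attributes(dst, destination_attrs or {}):
            continue
        # The permission filter only applies to privileged relationships;
        # on membership/attachment edges it has no effect.
        if edge.system_permissions is not None:
            if system_permissions and not (
                    set(system_permissions) & set(edge.system_permissions)):
                continue
            if effective_permissions:
                effective = {SYSTEM_TO_EFFECTIVE[p] for p in edge.system_permissions}
                if not set(effective_permissions) & effective:
                    continue
        results.append((src.name, dst.name))
    return results


if __name__ == "__main__":
    print(resolve_supertype("Identity"))
    print(run_query("User", "Resource"))
    print(run_query("Identity", "S3Bucket", effective_permissions=["MetadataWrite"]))
```

Running the script shows the three behaviours worth checking: "Identity" expands through "User" and "ServiceAccount" to three concrete types, a User->Resource search with no permission filter returns the policy attachment alongside the bucket accesses, and filtering on the effective permission MetadataWrite narrows Identity->S3Bucket to the one identity whose system permissions canonicalize to it.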

Tags

Veza supports two types of tags:

  1. Veza Tags: These are key or key-value pairs that users add to Authorization Graph entities.

  2. Provider-Specific Tags: Veza also discovers tags specific to providers, such as AWS tags and Google Cloud labels.
