LogoLogo
User GuideDeveloper DocumentationIntegrationsRelease Notes
  • 🏠Veza Documentation
  • ☑️Getting Started
  • 📖Veza Glossary
  • ❓Product FAQ
  • 🛡️Security FAQ
    • Advanced Security FAQ
  • Release Notes
    • 🗒️Release Notes
      • Release Notes: 2025-04-30
      • Release Notes: 2025-04-16
      • Release Notes: 2025-04-02
      • Release Notes: 2025-03-19
      • Archive
        • 2024.9.23
        • 2024.9.16
        • 2024.9.9
        • 2024.9.2
        • 2024.8.26
        • 2024.8.19
        • 2024.8.12
        • 2024.8.5
        • 2024.7.29
        • 2024.7.22
        • 2024.7.15
        • 2024.7.1
        • 2024.6.24
        • 2024.6.17
        • 2024.6.10
        • 2024.6.3
        • 2024.5.27
        • 2024.5.20
        • 2024.5.13
        • 2024.5.6
        • 2024.4.29
        • 2024.4.22
        • 2024.4.15
        • 2024.4.8
        • 2024.4.1
        • 2024.3.25
        • 2024.3.18
        • 2024.3.11
        • 2024.3.4
        • 2024.2.26
        • 2024.2.19
        • 2024.2.12
        • 2024.2.5
        • 2024.1.29
        • 2024.1.22
        • 2024.1.15
        • 2024.1.8
        • 2024.1.1
        • 2023.12.18
        • 2023.12.11
        • 2023.12.4
        • 2023.11.27
        • 2023.11.20
        • 2023.11.13
        • 2023.11.6
        • 2023.10.30
        • 2023.10.23
        • 2023.10.16
        • 2023.10.9
        • 2023.10.2
        • 2023.9.25
        • 2023.9.18
        • 2023.9.11
        • 2023.9.4
        • 2023.8.28
        • 2023.8.21
        • 2023.8.14
        • 2023.8.7
        • 2023.7.31
        • 2023.7.24
        • 2023.7.17
        • 2023.7.10
        • 2023.7.3
        • 2023.6.26
        • 2023.6.19
        • 2023.6.12
        • 2023.6.5
        • 2023.5.29
        • 2023.5.22
        • 2023.5.15
        • 2023.5.8
        • 2023.5.1
        • 2023.4.24
        • 2023.4.17
        • 2023.4.10
        • 2023.4.3
        • 2023.3.27
        • 2023.3.20
        • 2023.3.13
        • 2023.3.6
        • 2023.2.27
        • 2023.2.20
        • 2023.2.13
        • 2023.2.6
        • 2023.1.30
        • 2023.1.23
        • 2023.1.16
        • 2023.1.9
        • 2023.1.2
        • 2022.12.12
        • 2022.12.5
        • 2022.11.28
        • 2022.11.14
        • 2022.11.7
        • 2022.10.31
        • 2022.10.24
        • 2022.10.17
        • 2022.10.1
        • 2022.6.2
        • 2022.6.1
        • 2022.5.1
        • 2022.4.1
        • 2022.3.1
  • Features
    • 🔎Access Visibility
      • Graph
      • Query Builder
      • Saved Queries
      • Filters
      • Query Mode
      • Intermediate Entities
      • Regular Expressions
      • Tags
      • Tagged Entity Search
      • Assumed AWS IAM Roles
      • Veza Query Language
        • Quick Start
        • Syntax
        • VQL API
    • 💡Access Intelligence
      • Overview
      • Dashboards
        • Reports
        • Scheduled Exports of Query Results via a Secure Email Link
      • Risks
      • Analyze
      • Compare
      • Rules and Alerts
      • Entities
      • NHI Identify Classification Logic
      • NHI Secrets
    • 🔏Access Reviews
      • Get Started: Access Reviewers
      • Get Started: Review Operators
      • Access Review Tasks
        • Assign Reviewers
        • Create a Configuration
        • Create a Review
        • Draft Reviews
        • Edit a Configuration
        • Filters and Bulk Actions
        • Manage Access Reviews
        • Using the Reviewer Interface
        • Row Grouping for Access Reviews
        • Schedule an Access Review
      • Access Review Configuration
        • Access Reviews Query Builder
        • Access Reviews Global Settings
        • Configuring a Global Identity Provider
          • Alternate Manager Lookup
        • Customizing Default Columns
        • Email Notifications and Reminders
        • Identity Provider and HRIS Enrichment
        • Managers and Resource Owners
        • Multi-Level Review
        • 1-Step Access Reviews
        • On-Demand Reviews
        • Veza Actions for Access Reviews
        • Review Intelligence Policies
        • Review Presentation Options
        • Reviewer Selection Methods
        • Reviewer Digest Notifications
      • Access Review Scenarios
        • Access Reviews: Active Directory Security Groups
        • Access Reviews: Okta App Assignments
        • Access Reviews: Okta Group Membership
        • Access Reviews: Okta Admin Roles
        • Access Reviews: Azure AD Roles
        • Access Reviews with Saved Queries
        • Source-Only Access Reviews
    • 📊Access Monitoring
    • 🔄Lifecycle Management
      • Implementation and Core Concepts
      • Access Profiles
      • Policies
      • Conditions and Actions
      • Attribute Sync and Transformers
        • Lookup Tables
      • Integrations
        • Active Directory
        • Exchange Server
        • Okta
        • Salesforce
        • Workday
    • ⚖️Separation of Duties (SoD)
      • Managing SoD Risks with Veza
      • Creating SoD Detection Queries
      • Analyzing Separation of Duties Query Results
      • Example Separation of Duties Queries
      • SoD Manager Assignment
      • Access Reviews for SoD
  • Integrations
    • ✨Veza Integrations
      • Adobe Enterprise
      • Amazon Web Services
        • Add Existing AWS Accounts
        • Automatically Add New AWS Accounts
        • AWS DynamoDB
        • AWS KMS
        • AWS RDS MySQL
        • AWS RDS PostgreSQL
        • AWS Redshift
        • Activity Monitoring for AWS
        • Using AWS Secrets Manager for RDS Extraction
        • Notes & Supported Entities
      • Anaplan
      • Atlassian Cloud Products
      • Auth0
      • BambooHR
      • Bitbucket Data Center
      • BlackLine
      • Beeline
      • Boomi
      • Box
      • Bullhorn
      • Cassandra
      • Cisco Duo
      • Clickhouse
      • Concur
      • Confluence Server
      • Confluent
      • Coupa
      • Coupa Contingent Workforce
      • Crowdstrike Falcon
      • CSV Upload
        • CSV Upload Examples
        • CSV Upload Troubleshooting
        • CSV Upload API
      • Databricks (Single Workspace)
      • Databricks (Unity Catalog)
      • Delinea Secret Server
      • Device42
      • DocuSign
      • Dropbox
      • Egnyte
      • Expensify
      • Exchange Online (Microsoft 365)
      • Fastly
      • Google Cloud
        • Check Google Cloud Permissions
        • Notes & Supported Entities
      • Google Drive
      • GitHub
      • GitLab
      • HashiCorp Vault
      • HiBob
      • Hubspot
      • IBM Aspera
      • iManage
      • Ivanti Neurons
      • Jamf Pro
      • Jenkins
      • JFrog Artifactory
      • Jira Data Center
      • Kubernetes
      • LastPass
      • Looker
      • MongoDB
      • Microsoft Active Directory
      • Microsoft Azure
        • Azure SQL Database
        • Azure PostgreSQL Database
        • Microsoft Dynamics 365 CRM
        • Microsoft Dynamics 365 ERP
        • Notes & Supported Entities
      • Microsoft Azure AD
      • Microsoft SharePoint Online
      • Microsoft SharePoint Server
      • Microsoft SQL Server
      • MuleSoft
      • MySQL
      • NetSuite
      • New Relic
      • Okta
        • Okta MFA status
      • OneLogin
      • OpenAI
      • Oracle Cloud Infrastructure
      • Oracle Database
      • Oracle Database (AWS RDS)
      • Oracle E-Business Suite (EBS)
      • Oracle EPM
      • Oracle Fusion Cloud
      • Oracle JD Edwards EnterpriseOne
      • PagerDuty
      • Palo Alto Networks SASE/Prisma Access
      • PingOne
      • PostgreSQL
      • Power BI
      • Privacera
      • PTC Windchill
      • Qualys
      • QNXT
      • Ramp
      • Redis Cloud
      • Rollbar
      • Salesforce
      • Salesforce Commerce Cloud
      • SCIM integration
      • ServiceNow
      • Slack
      • Smartsheet
      • Snowflake
        • Snowflake Native Application
        • Snowflake Masking Policies
        • Exporting Saved Query Results to Snowflake
        • Audit Log Export
        • Event Export
      • Solarwinds
      • Spotio
      • Sumo Logic
      • Tableau Cloud
      • Teleport
      • Terraform
      • ThoughtSpot
      • Trello
      • Trino (PrestoSQL)
      • UKGPro
      • Veza
      • Windows Server
        • Enterprise Deployment
      • Workato
      • Workday
      • YouTrack
      • Zendesk
      • Zip
      • Zoom
      • Zscaler
      • 1Password
    • 🎯Integrations Overview
    • ⚠️Prerequisites and Connectivity
      • Insight Point
        • Deploying an Insight Point using the install script
        • Deploy with AWS EC2
        • Deploy with Virtual Appliance
          • Deploy with Virtual Appliance (Legacy)
        • Deploy with Azure Container Instances
        • Insight Point (Helm Chart)
      • Certificates with OpenSSL
    • ⚙️Configuring Integrations
      • Integrations FAQ
      • Extraction and Discovery Intervals
      • Custom Identity Mappings
      • Limiting Extractions
      • Enrichment Rules
      • ℹ️Running Veza Scripts with Python
  • Administration
    • 🛠️Veza Administration
      • Securing Your Veza Tenant
      • Veza Actions
        • Slack
        • ServiceNow
        • Jira
        • Webhooks
      • Virtual Private Veza
      • System Events
      • Sign-In Settings
        • Single Sign-On with Okta
        • Single Sign-On with Okta (OIDC)
        • Single Sign-On with Microsoft Entra
      • User Management
        • Multi-factor Authentication
        • Team Management
        • Support User Access
  • Developers
    • 🌐Veza APIs
      • Authentication
      • Troubleshooting
      • Pagination
      • Open Authorization API
        • Getting Started
        • Core Concepts
          • Connector Requirements
          • Using OAA Templates
          • Providers, Data Sources, Names and Types
          • Sourcing and Extracting Metadata
          • Naming and Identifying OAA Entities
          • Modeling Users, Permissions, and Roles
          • Custom Properties
          • Tagging with OAA
          • Cross Service IdP Connections
          • Incremental Updates
        • OAA Push API
          • OAA Operations
        • OAA Templates
          • Custom Application
          • Custom Identity Provider
          • Custom HRIS Provider
        • OAA .NET SDK
          • C# OAA Application Connector
        • OAA Python SDK
          • Application Outline
          • oaaclient modules
            • Client
            • Structures
            • Templates
            • Utils
        • Sample Apps
        • Example Connectors
      • Integration APIs
        • Enable/Disable Providers
        • Cloud Platforms and Data Providers
        • Identity Providers
        • Data Sources
        • Sync and Parse Status
      • Query APIs
        • Quick Start
        • Query Builder Terminology
        • Query Builder Parameters
        • Query Builder Results
        • List saved queries
        • Save a query
        • Get a saved query
        • Update a query
        • Delete a query
        • Get query node destinations
        • Get query nodes
        • Get query result
        • Get query spec node destinations
        • Get query spec nodes
        • Get query spec results
        • Private APIs
          • Get Access Relationship
          • Role Existence
          • Role Maintenance
          • Cohort Role Analysis
        • Tags
          • Create, Add, Remove Tag
          • Promoted Tags
      • Access Reviews APIs
        • Workflow Parameters Reference
        • List Workflows
        • List Certifications
        • List Certification Results
        • Update Certification Result
        • Force Update Result
        • Update Webhook Info
        • Get Certification Result
        • Manage Reviewer Deny List
        • Quick Filters
        • Help Page Templates
        • Smart Action Definitions
        • Delegate Reviewers
        • List Reviewer Infos
        • Get Access Graph
        • Automations API
        • Global Settings APIs
      • System Audit Logs
      • System Events
      • Notification Templates
        • Notification Templates API
      • Team and User Management APIs
        • Team API Keys
      • SCIM Provisioning
        • SCIM API Reference
        • SCIM Provisioning with Okta
  • Product Updates
    • 🆕Product Updates
      • Product Update: March'25
      • Product Update: February'25
      • UX Update - Integration Management
      • Product Update: January'25
      • Product Update: December'24
      • Product Update: November'24
      • Product Update: October'24
      • Product Update: September'24
      • Product Update: August'24
      • UX Update: Veza Integrations
      • Product Update: July'24
      • Product Update: June'24
      • Product Update: May'24
      • Product Update: April'24
      • UX Update - Enhanced Reviewer Experience for Veza Access Reviews
      • Product Update: March'24
      • Product Update: February'24
      • Design Update: February'24
      • UX Update - New Navigation Experience
      • UX Update - Access Review Dashboards
      • Building Veza’s Platform and Products
      • Veza Product Update - Jan'24
      • Veza Product Update - 2H 2023
      • Veza Product Update - December'23
      • Veza Product Update - November'23
      • Veza Product Update - October'23
      • Veza Product Update - September'23
      • Veza Product Update - August'23
      • Veza Product Update - July'23
      • Veza Product Update - June'23
      • Veza Product Update - May'23
      • Veza Product Update - April'23
      • Veza Product Update - March'23
      • Veza Product Update - Feb'23
      • Veza Product Update - Jan'23
Powered by GitBook
On this page
  • Authentication
  • Query specifications
  • Get destination nodes
  • Save a query
  • Get saved query result count or entity details

Was this helpful?

Export as PDF
  1. Developers
  2. Veza APIs
  3. Query APIs

Quick Start

API overview and sample queries

PreviousQuery APIsNextQuery Builder Terminology

Last updated 1 year ago

Was this helpful?

The is fundamental to and , enabling external notifications and enhanced search visibility based on query constraints and conditions. When combined with for remediation workflows, these can offer in-the-box tools to begin integrating Veza with external processes.

As Veza does not write changes to your environment, you can use the query builder API to build your own tools and integrate Veza with your internal systems and security processes.

For example, you might use Veza APIs to:

  • Programmatically detect and add Snowflake users to a role when another role already exists with the required permissions

  • Progressively query for data resources matching a naming pattern or other condition, and apply tags with the provider's built-in APIs

  • Discover and alter overly permissive policies granting access to sensitive data

Your Veza success team can offer additional support and access to development tools including a Python SDK. This guide covers some simple examples to help get started with custom queries, including links to additional documentation.

Authentication

To run the provided commands, you'll need to first generate a token from Administration > . You'll also need to know the base URL of your Veza deployment, such as your-org.veza.com.

Query specifications

You can validate that a query is functioning as intended before saving it with , which will return the total number of entities in the search results.

returns a paginated list of query results, including entity details. This operation does not return a total count of results. A query spec does not require the full saved query , and instead takes a condensed payload.

returns the related destination nodes for a single entity in the results of a saved query. This endpoint can be used, for example, to review the related roles for an individual user when the query specifies User > Role.

Sample Request

Post your request to or , depending on whether you need a list of the included nodes (including all entity properties), or want the full result count:

curl -X 'POST' "$VEZA_URL/api/v1/assessments/query_spec:nodes?page_token-page_size=1" \
-H "authorization: Bearer $VEZA_TOKEN" \
-d '{
 "node_relationship_type": "EFFECTIVE_ACCESS",
 "query_type": "SOURCE_TO_DESTINATION",
 "include_nodes": true,
 "no_relation": false,
 "source_node_types": {
  "nodes": [
   {
    "node_type": "OktaUser",
    "condition_expression": {
     "specs": [
      {
       "id": "b952cf69-5e31-42e5-ae66-372a45b2045b",
       "property": "mfa_active",
       "fn": "EQ",
       "value": false,
       "not": false
      }
     ],
     "operator": "AND"
    }
   }
  ]
 },
 "destination_node_types": {
  "nodes": [
   {
    "node_type": "S3Bucket",
    "condition_expression": {
     "specs": [
      {
       "id": "b78d3e44-0272-4023-ba34-33abaf608e7e",
       "property": "block_public_acls",
       "fn": "EQ",
       "value": false,
       "not": false
      }
     ],
     "operator": "AND"
    }
   }
  ]
 }
}'

See Query Builder Parameters for more information about possible options.

Sample Response

The response always returns a value, next_page_token, and has_more. If more results are available, you can get the next page of results by passing the page_token in the request query.

The values array will contain the Individual entity details:

id

Unique Authorization Graph entity ID.

type

Type of entity.

destination_node_count

Number of related entities matching the query conditions.

permissions

{
  "values": [
    {
      "id": "00upa6s0hSGtl1eGL5d5",
      "type": "OktaUser",
      "properties": {
        "created_at": "2020-11-12T20:56:34Z",
        "datasource_id": "dev-5150036.okta.com",
        "email": "Abel_Maclead@cookiedemo.onmicrosoft.com",
        "first_name": "Abel",
        "idp_unique_id": "Abel_Maclead@cookiedemo.onmicrosoft.com",
        "is_active": true,
        "last_name": "Maclead",
        "login": "Abel_Maclead@cookiedemo.onmicrosoft.com",
        "mfa_active": false,
        "name": "Abel_Maclead@cookiedemo.onmicrosoft.com",
        "provider_id": "dev-5150036.okta.com",
        "status": "STAGED",
        "updated_at": "2020-11-12T20:56:34Z"
      },
      "destination_node_count": 5,
      "permissions": [],
      "engagement_access_stats": null,
      "access_stats": null,
      "destination_node_ids": [],
      "risk_level": "WARNING",
      "raw_permissions": [],
      "effective_permissions": []
    }
  ],
  "path_values": [],
  "next_page_token": "eyJGaXJzdCI6eyJkdXBsaWNhdGlvbl9zY29wZV9pZCI6IjQwZjFlZGZiLWQ1Y2UtNGU4ZC1hNWVmLWY2MzhmMDgxYzMzYiIsImlkIjoiMDB1Nmg4cnI2dkFzSUJqMW41ZDciLCJsb3dlcl9uYW1lIjoiYWFyb24uYmluZm9yZEB2ZXphdGVzdC5jb20ifSwiTGFzdCI6eyJkdXBsaWNhdGlvbl9zY29wZV9pZCI6IjQwZjFlZGZiLWQ1Y2UtNGU4ZC1hNWVmLWY2MzhmMDgxYzMzYiIsImlkIjoiMDB1cGE2czBoU0d0bDFlR0w1ZDUiLCJsb3dlcl9uYW1lIjoiYWJlbF9tYWNsZWFkQGNvb2tpZWRlbW8ub25taWNyb3NvZnQuY29tIn19",
  "has_more": true
}

For more information, see Query Builder Results.

Get destination nodes

Sample Request

curl -X 'POST' "$VEZA_URL/api/v1/assessments/query_spec:destination_nodes?page_size=0&page_token=" \
-H "authorization: Bearer $VEZA_TOKEN" \
-d '{
  "spec": {
 "node_relationship_type": "EFFECTIVE_ACCESS",
 "query_type": "SOURCE_TO_DESTINATION",
 "include_nodes": true,
 "no_relation": false,
 "source_node_types": {
  "nodes": [
   {
    "node_type": "OktaUser",
    "id": "StartNode",
    "condition_expression": {
     "specs": [
      {
       "id": "b952cf69-5e31-42e5-ae66-372a45b2045b",
       "property": "mfa_active",
       "fn": "EQ",
       "value": false,
       "not": false
      }
     ],
     "operator": "AND"
    }
   }
  ]
 },
 "destination_node_types": {
  "nodes": [
   {
    "node_type": "S3Bucket",
    "id": "EndNode",
    "condition_expression": {
     "specs": [
      {
       "id": "b78d3e44-0272-4023-ba34-33abaf608e7e",
       "property": "block_public_acls",
       "fn": "EQ",
       "value": false,
       "not": false
      }
     ],
     "operator": "AND"
    }
   }
  ]
 }
},
  "source_node_id": "00upa6s0hSGtl1eGL5d5"
}'

Sample response

{
  "values": [
    {
      "id": "arn:aws:s3:::cct-cct02-engineering",
      "type": "S3Bucket",
      "properties": {
        "allows_acls": true,
        "aws_account_id": "123456789012",
        "block_public_access_enabled": false,
        "block_public_acls": false,
        "block_public_policy": false,
        "created_at": "2021-03-18T08:26:23Z",
        "datasource_id": "123456789012:s3",
        "default_encryption_enabled": true,
        "default_retention_mode": "DISABLED",
        "has_public_policy": true,
        "hosts_website": false,
        "ignore_public_acls": false,
        "name": "cct-cct02-engineering",
        "object_lock_enabled": false,
        "object_ownership_controls": "ObjectWriter",
        "provider_id": "123456789012",
        "region": "us-east-2",
        "replication_rules_count": 0,
        "request_payer": "BucketOwner",
        "restrict_public_buckets": false,
        "server_access_logs_enabled": false
      },
      "destination_node_count": 0,
      "permissions": [
        {
          "id": "arn:aws:iam::123456789012:role/FederatedS3::eperm::123456789012/S3Bucket/affd3e3cd4f3d7f544628ecce27415ae13a984bb",
          "type": "AwsIamEffectivePermission",
          "properties": {
            "aws_account_id": "123456789012",
            "datasource_id": "123456789012::eperm::123456789012:s3",
            "name": "Read",
            "permissions": [
              "s3:GetObject",
              "s3:GetObjectVersion"
            ],
            "provider_id": "123456789012"
          },
          "destination_node_count": 0,
          "permissions": [],
          "engagement_access_stats": null,
          "access_stats": null,
          "destination_node_ids": [],
          "risk_level": "NONE",
          "raw_permissions": [],
          "effective_permissions": []
        },
        {
          "id": "arn:aws:iam::123456789012:role/FederatedRedshiftAndS3::eperm::123456789012/S3Bucket/affd3e3cd4f3d7f544628ecce27415ae13a984bb",
          "type": "AwsIamEffectivePermission",
          "properties": {
            "aws_account_id": "123456789012",
            "datasource_id": "123456789012::eperm::123456789012:s3",
            "name": "Read",
            "permissions": [
              "s3:GetObject",
              "s3:GetObjectVersion"
            ],
            "provider_id": "123456789012"
          },
          "destination_node_count": 0,
          "permissions": [],
          "engagement_access_stats": null,
          "access_stats": null,
          "destination_node_ids": [],
          "risk_level": "NONE",
          "raw_permissions": [],
          "effective_permissions": []
        }
      ],
      "engagement_access_stats": null,
      "access_stats": null,
      "destination_node_ids": [],
      "risk_level": "CRITICAL",
      "raw_permissions": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "effective_permissions": [
        "Read"
      ]
    }
  ],
  "path_values": [],
  "next_page_token": "",
  "has_more": false
}

Save a query

Get saved query result count or entity details

Use the query ID to run a saved query. Just as for query_spec operations, you can request the paginated entity details or the result count, or get destination nodes for a result:

get query nodes
curl 'https://<baseUrl>/api/v1/assessments/queries/ab5b66df-6873-4e53-98e5-aa55b88c76bd:nodes?page_size=100' \
  -H 'authorization: <authToken>'
get query result
curl 'https://<baseUrl>/api/v1/assessments/queries/ab5b66df-6873-4e53-98e5-aa55b88c76bd:result' \
  -H 'authorization: Bearer <authToken>'

Responses will contain the node details or the total count, depending on the method used.

get query nodes
{
  "values": [
    {
      "id": "arn:aws:s3:::cct-cct01-finance",
      "type": "S3Bucket",
      "properties": {
        "block_public_acls": false,
        "name": "cct-cct01-finance"
      },
      "destination_node_count": 0,
      "permissions": []
    }
  ],
  "next_page_token": "MTAw",
  "has_more": false
}
get query result
{"result_type":"number","number_value":"1"}

For , the permissions the source entity has to a specific destination entity.

Use to find the related entities for an individual result for a query spec. Specify the source_node_id of the entity to get relationships for:

If you want to run the same query repeatedly, or enable Veza or based on the results, you can save it under .

A saved query includes a name and description, along with any other .

🌐
Query Builder
Rules
Risks
Webhooks
API Keys
GetAssessmentQuerySpecResult
GetAssessmentQuerySpecNodes
parameters
GetAssessmentQuerySpecDestinationNodes
/query_spec:nodes
/query_spec:result
GetAssessmentQuerySpecDestinationNodes
Rules
Risks
/assessments/queries
query parameters
Get destination nodes