Product FAQ

Questions and answers about the Veza cloud platform, features, and policies

  • Authorization Graph: Veza parses the identities, resources, and authorization controls within and across cloud environments to create a network of entities and relationships you can explore using a variety of search interfaces.

  • Workflows: Create and manage access and entitlement reviews using the Authorization Graph.

  • Insights & Reports: Identity, security, and compliance teams can use hundreds of Veza queries built to identify risks, misconfigurations, and anomalies, organized within dashboards and reports. Rules for custom or pre-built graph queries provide ways to create security baselines for alerts and notifications.

  • Data Privacy, Security, and Retention: Information on Veza security procedures and policies.

Authorization Graph

Q: Veza is a multi-cloud platform powered by an authorization metadata graph. What are the core features of this graph?

The authorization metadata graph provides an end-to-end visualization of authorization relationships between users (including non-human identities and service accounts), applications, and data sources. This includes the cloud identity providers (users, groups, and roles) and the access management services (such as AWS IAM, GCP IAM, and Azure RBAC) that make a user's access possible. By presenting effective permissions (read, write, delete, and so on) in a single control plane for any enterprise identity and data source, the Veza graph simplifies the complexity of interwoven authorization structures and enterprise data systems.

Q: How does Veza provide access to identity and authorization data – does it use APIs provided by the public cloud providers and IdPs? Or is the identity and authorization data imported manually into Veza?

Veza Cloud Platform can analyze identity and authorization data from public cloud providers and external identity providers (IdPs), along with non-cloud-native data sources such as MySQL or Active Directory.

Yes, Veza utilizes the publicly available APIs published by identity providers and cloud providers to analyze these providers automatically. The nature of the API access is read-only, scoped to only essential metadata, and collected out-of-band.

There is no manual step. However, you can use the Open Authorization API to connect apps and identity providers that don't have a native integration.

Q: What are the size limitations for the Veza environment?

Graph Scale and Performance: Veza is built to manage complex authorization metadata efficiently using advanced graph technology. Our architecture includes a robust data model, a persistence model ensuring crash-consistent metadata management, and an object model capable of handling billions of small objects. Veza is available in both SaaS and On-Premises deployment models.

Our testing indicates that the Veza platform can support up to 100 million nodes (including identities, groups, roles, policies, and resources) and 500 million edges (which represent relationships and connections among these entities). While the platform maintains functionality beyond these thresholds, some features may experience performance impacts. For optimal performance when exceeding these limits, contact support@veza.com.

Workflows

Q: What are common issues that occur with Workflows?

  • When a snapshot doesn't contain the specified relationship, "Create Certification" will result in a "No Data Available" error. Note that snapshots are taken once a day.

  • Upon saving a workflow query and starting a new certification, it's possible that there are no results due to data not existing in the environment for the query parameters. To check if this is the case, search using Query Builder or Authorization Graph using the same search conditions.

Q: Can I change the query for a Workflow after saving it?

While it's possible to edit select parameters such as notification settings after saving a workflow, the original query cannot be altered. This is by design, to maintain the integrity of the certification as a permanent record.

Q: Is it possible to create workflows scoped to certain resources and permissions?

When creating a workflow, you can select a specific source or destination entity type, and apply attribute filters on a value such as Datasource ID.

Q: We use AWS tags to identify resource managers, departments, and operational function. Can we incorporate these in workflow scopes?

When creating a workflow, you can filter on any tag Veza has discovered, as well as native Veza Tags. To do so, select the desired entity types and apply a tag-based filter.

Q: We need to perform certification on our custom apps, is this possible?

Yes, custom apps configured using OAA are selectable as an entity type, just like the built-in configuration sources. You can either select an individual "Custom Application" or "Custom IdP" entity, or query "All Users" or "All Custom Applications".

Q: We would like the facilitator and reviewer to get notifications based on certain milestones. Can we do this?

You can set customized notifications at workflow creation, or configure them for each certification. Orchestration Actions will trigger based on reviewer actions (assignment, creation, decision, owner change) and certification states. Orchestration Actions can trigger webhooks, create ServiceNow tickets, and send alerts to Slack channels. Operators can also configure email reminders based on certification events and deadlines.

Q: We want to be able to assign Workflows to managers to review their teams, can we accomplish this?

To create a single certification for one manager, apply a constraint on the identity's manager field, and choose the resource type(s) the certification applies to. Create a new certification, and assign the manager. To ensure the manager can view and certify only their assigned workflows (and not access other Veza functionality), assign the manager's Veza account the access_reviewer role.

Q: Most of our workflows involve more than one reviewer, is this supported?

Certifications can have one or more "default" reviewers, assigned when starting the certification. These default reviewers can request other reviewers from your organization for any result they decide they aren't an appropriate reviewer for. These assigned reviewers can only view and act on the results they're assigned to.

Veza can use metadata such as manager_id from your identity provider, or Veza Tags, to automatically assign reviewers when creating a certification.

Q: We want to schedule certification campaigns to occur automatically (as part of a quarterly or annual review cadence). Can we do this?

You can set due dates on certifications, and automatically send reminders by email to the owners, participants, and optional creators/facilitators. The functionality to schedule certification campaigns is planned for a future release.

Q: We need to ensure that an owner can only mark a certification as complete once all items have been "approved" or "rejected." Is this validation done by Veza?

You can configure a variety of certification completion options, including enforcing that all rows must have a decision before a certification can complete.

Q: Once a workflow certification is complete, how do we know that the integrity is protected?

To ensure that the certification represents a point-in-time state, the Workflow engine uses immutable snapshots of your environment taken at the point of certification. Once complete, it isn't possible to delete a certification, or the workflow that contains it.

Q: As part of certifications, we need to be able to retrieve reject decisions from Veza and feed them into governance and ticketing systems. Can we accomplish this?

All reject decisions from a given certification are retrievable programmatically as a formatted JSON object.

Q: Our reviewers need to be able to see the context of how identities gain access to resources, not just the access that exists. How do I accomplish this?

Today, reviewers have visibility only into the workflows they're assigned; this is by design, to prevent them from accessing privileged information. However, we do recognize the power of our visual graph for revealing the chain of privilege, and how important seeing that path is for determining whether access is appropriate. As such, we're adding scoped access to our visual graph that will empower the reviewer to make decisions while limiting what they can see.

Q: How do I filter/sort the columns?

You can add columns for any source, destination, or intermediate node property that Veza has discovered. Columns also show approval status, assigned reviewers, and notes. From the Certifications view, you can apply filters to narrow broad sets of results down to actionable groups. Smart actions can apply decisions across pages of results using Certification filters.

Alternatively, operators can filter at the Workflow level by adding attribute filters to the original workflow query.

Q: We need the ability to group users/systems together in the tables to approve all access for a specific user, is this possible?

We recognize the need to group rows by column in the certifications, and the option is planned for a future release. In the meantime, you can use filters to focus on results (for example, an individual user name or resource ID).

Insights and Reports

Q: What images/visualizations can be exported using Veza, and what will they contain?

Users can optionally generate PNG files to capture visual aspects of the Authorization Graph. These graphics may contain identities (human users or service accounts), authorization entities (IAM roles, groups, policies), and data sources (database names, table names) from your environment.

Q: Does this mean that reports can be viewed within Veza?

Veza includes predefined reports that provide users with insights into their environment. These can be viewed within the platform.

Veza Platform

Login issues

Veza uses browser cookies to authenticate users to the platform. If you see an error when attempting to log in after a password change, try clearing out browser cookies before signing in again.