Product FAQ

Questions and answers about the Veza cloud platform, features, and policies

  • Authorization Graph: Veza parses the identities, resources, and authorization controls within and across cloud environments to create a network of entities and relationships you can explore using a variety of search interfaces.

  • Access Reviews: Create and manage access and entitlement reviews using the Authorization Graph.

  • Insights & Reports: Identity, security, and compliance teams can use hundreds of Veza queries built to identify risks, misconfigurations, and anomalies, organized within dashboards and reports. Rules for custom or pre-built graph queries provide ways to create security baselines for alerts and notifications.

  • Data Privacy, Security, and Retention: Information on Veza security procedures and policies.

Authorization Graph

Q: Veza is a multi-cloud platform powered by an authorization metadata graph. What are the core features of this graph?

The Authorization Graph provides an end-to-end visualization of authorization relationships between users (including non-human identities and service accounts), applications, and data sources. This includes the cloud identity providers (users, groups, and roles) and the access management services (such as AWS IAM, GCP IAM, and Azure RBAC) that make a user's access possible. By presenting effective permissions (read, write, delete, and so on) in a single control plane for any enterprise identity and data source, the Veza graph simplifies the complexity of interwoven authorization structures and enterprise data systems.

Q: How does Veza provide access to identity and authorization data – does it use APIs provided by the public cloud providers and IdPs? Or is the identity and authorization data imported manually into Veza?

Veza Cloud Platform can analyze identity and authorization data from public cloud providers and external identity providers (IdPs), along with non-cloud-native data sources such as MySQL or Active Directory.

Yes, Veza utilizes the publicly available APIs published by identity providers and cloud providers to analyze these providers automatically. The nature of the API access is read-only, scoped to only essential metadata, and collected out-of-band.

There is no manual step. However, you can use the Open Authorization API to connect apps and identity providers that don't have a native integration.

Q: What are the size limitations for the Veza environment?

Graph Scale and Performance: Veza is built to manage complex authorization metadata efficiently using advanced graph technology. Our architecture includes a robust data model, a persistence model ensuring crash-consistent metadata management, and an object model capable of handling billions of small objects. Veza is available in both SaaS and On-Premises deployment models.

Our testing indicates that the Veza platform can support up to 100 million nodes (including identities, groups, roles, policies, and resources) and 500 million edges (which represent relationships and connections among these entities). While the platform maintains functionality beyond these thresholds, some features may experience performance impacts. For optimal performance when exceeding these limits, contact support@veza.com.

Separation of Duties (SoD)

Q: Is the process of defining SoD violations for individual applications manual or automated?

After adding a built-in integration, you can use out-of-the-box queries defining common Separation of Duties (SoD) violations. You can edit these queries or define your own violations using the Access Intelligence > Separation of Duties page. SoD rules can apply to custom data sources, such as users ingested from CSV or SCIM.

Q: Are toxic combinations for SoD violations identified automatically?

Veza evaluates effective and system-level permissions when parsing integrated data sources. Violations are identified when executing an SoD query, either manually or as part of risk assessment.

Q: What remediation actions are available for SoD?

By creating a rule for queries that are SoD violations, you can send announcements or create issues in systems like Jira, Slack, or ServiceNow when new violations are detected. Rules can also trigger automation using custom webhooks.

Q: What integrations are supported for SoD?

Veza integrates with 250+ systems natively and supports many more via our Open Authorization API framework. As soon as the user access data is ingested into the platform, Veza will identify toxic combinations of access based on configured SoD policies.

Access Reviews

Q: What are common issues that occur with Access Reviews?

  • When a snapshot doesn't contain the specified relationship, creating a review will result in a "No Data Available" error. Note that snapshots are taken daily.

  • After saving a Review Configuration and starting a new Review, the Review may contain no results because no data matching the query parameters exists in the environment. To check whether this is the case, search with Query Builder or the Authorization Graph using the same search conditions.

Q: Can I change the query for an Access Review after saving it?

While it's possible to edit some parameters, such as notification settings, after saving a Review Configuration, the original query cannot be altered. This is by design, to maintain the integrity of the certification as a permanent record.

Q: Is it possible to create Access Reviews scoped to certain resources and permissions?

When creating a Review Configuration, you can select a specific source or destination entity type, and apply attribute filters on a value such as Datasource ID.

Q: We use AWS tags to identify resource managers, departments, and operational function. Can we incorporate these in Access Review scopes?

When creating a Review Configuration, you can filter on any tag Veza has discovered, as well as native Veza Tags. To do so, select the desired entity types and apply a tag-based filter.

Q: We need to perform certification on our custom apps. Is this possible?

Yes, custom apps configured using OAA are selectable as an entity type, just like the built-in configuration sources. You can either select an individual "Custom Application" or "Custom IdP" entity, or query "All Users" or "All Custom Applications".

Q: We would like the facilitator and reviewer to get notifications based on certain milestones. Can we do this?

You can set customized notifications when adding a Review Configuration, or configure them for each Review. Orchestration Actions will trigger based on reviewer actions (assignment, creation, decision, owner change) and certification states. Orchestration Actions can trigger webhooks, create ServiceNow tickets, and send alerts to Slack channels. Operators can also configure email reminders based on certification events and deadlines.

Q: Can we assign team-wide Access Reviews to individual managers?

To create a single certification for one manager, apply a constraint on the identity's manager field, and choose the resource(s) the certification applies to. You can also identify managers for any entity type using tags.

Create a new certification, and assign the manager. To ensure the manager can view and certify only their assigned Reviews (and not access other Veza functionality), assign the manager's Veza account the access_reviewer role.

Q: Most of our Access Reviews involve more than one reviewer. Is this supported?

Certifications can have one or more "default" reviewers, assigned when starting the certification. These default reviewers can request other reviewers from your organization for any result they decide they aren't the appropriate reviewer for. Those assigned reviewers can only view and act on the results they're assigned to.

Veza can also use metadata such as manager_id from your Identity Provider, or Veza Tags, to automatically assign reviewers when creating a certification.

Q: We want to schedule certification campaigns to occur automatically (as part of a quarterly or annual review cadence). Can we do this?

You can set due dates on certifications, and automatically send reminders by email to the owners, participants, and optional creators/facilitators. The functionality to schedule certification campaigns is planned for a future release.

Q: We need to ensure that an owner can only mark a certification as complete once all items have been "approved" or "rejected." Is this validation done by Veza?

You can configure a variety of certification completion options, including enforcing that all rows must have a decision before a certification can complete.

Q: How is the integrity of an Access Review protected after completion?

To ensure that the Review represents a point-in-time state, Veza uses immutable snapshots of your environment taken at the point of certification. Once complete, it isn't possible to delete a Review, or the Review Configuration that contains it.

Q: As part of certifications, we need to be able to retrieve reject decisions from Veza and feed them into governance and ticketing systems. Can we accomplish this?

All reject decisions from a given certification are retrievable programmatically as a formatted JSON object.

Q: Our reviewers need to be able to see the context of how identities gain access to resources, not just the access that exists. How do I accomplish this?

Today, reviewers only have visibility into the Reviews they are assigned. This is by design, to prevent them from accessing privileged information. However, we recognize the power of the visual graph for revealing the chain of privilege, and how important seeing that path is for determining whether access is appropriate. By creating Teams, you can scope access to the Veza graph so that reviewers are empowered to make decisions while limiting what they can see.

Q: How can I customize and sort a Review?

You can show attributes for any source, destination, or intermediate node that Veza has discovered, using the column selector. Columns can also show approval status, assigned reviewers, and notes. From the Certifications view, you can apply filters to narrow broad sets of results down to actionable groups. You can apply decisions to more than one page of filtered results by choosing an action above the list of results.

Q: We need the ability to group users/systems together in the tables to approve all access for a specific user. Is this possible?

We recognize the need to group rows by column in the certifications and the option is planned for a future release. You can use filters to focus on results (for example, an individual user name or resource id).

Insights and Reports

Q: What images/visualizations can be exported using Veza, and what will they contain?

Users can optionally generate PNG files to capture visual aspects of the Authorization Graph. These graphics could contain identities (human users or service accounts), authorization entities (IAM roles, groups, policies), and data sources (database names, table names) from your environment.

Q: Does this mean that reports can be viewed within Veza?

Veza includes predefined reports that provide users with insights into their environment. These can be viewed within the platform.

Veza Platform

Supported Browsers

Veza is tested and optimized for use with Chromium-based web browsers. For the best experience and full functionality, we recommend using the latest versions of the following browsers:

  • Google Chrome

  • Microsoft Edge

Login issues

Veza uses browser cookies to authenticate users to the platform. If you see an error when attempting to log in after a password change, try clearing out browser cookies before signing in again.
