Product FAQ

Questions and answers about the Veza cloud platform, features, and policies


Last updated 1 month ago


  • Authorization Graph: Veza parses the identities, resources, and authorization controls within and across cloud environments to create a network of entities and relationships you can explore using a variety of search interfaces.

  • Access Reviews: Create and manage access and entitlement reviews using the Authorization Graph.

  • Insights & Reports: Identity, security, and compliance teams can use hundreds of Veza queries built to identify risks, misconfigurations, and anomalies, organized within dashboards and reports. Rules for custom or pre-built graph queries provide ways to create security baselines for alerts and notifications.

  • Information on Veza security procedures and policies.

Authorization Graph

Q: Veza is a multi-cloud platform powered by an authorization metadata graph. What are the core features of this graph?

The authorization metadata graph provides an end-to-end visualization of authorization relationships between users (including non-human identities and service accounts), applications, and data sources. This includes the cloud identity providers (users, groups, and roles) and access management services (such as AWS IAM, GCP IAM, and Azure RBAC) that make a user's access possible. By presenting effective permissions (read, write, delete...) in a single control plane for any enterprise identity and data source, the Veza graph simplifies the complexity of interwoven authorization structures and enterprise data systems.

Q: How does Veza provide access to identity and authorization data – does it use APIs provided by the public cloud providers and IdPs? Or is the identity and authorization data imported manually into Veza?

Veza Cloud Platform can analyze identity and authorization data from public cloud providers and external identity providers (IdPs), along with non-cloud-native data sources like MySQL or Active Directory.

Yes, Veza utilizes the publicly available APIs published by identity providers and cloud providers to analyze these providers automatically. The nature of the API access is read-only, scoped to only essential metadata, and collected out-of-band.

There is no manual step. However, you can use the Open Authorization API to connect apps and identity providers that don't have a native integration.

Q: What are the size limitations for the Veza environment?

Graph Scale and Performance: Veza is built to manage complex authorization metadata efficiently using advanced graph technology. Our architecture includes a robust data model, a persistence model ensuring crash-consistent metadata management, and an object model capable of handling billions of small objects. Veza is available in both SaaS and On-Premises deployment models.

Our testing indicates that the Veza platform can support up to 100 million nodes (including identities, groups, roles, policies, and resources) and 500 million edges (which represent relationships and connections among these entities). While the platform maintains functionality beyond these thresholds, some features may experience performance impacts. For optimal performance when exceeding these limits, contact support@veza.com.

Separation of Duties (SoD)

Q: Is the process of defining SoD violations for individual applications manual or automated?

After adding a built-in integration, you can use out-of-the-box queries defining common Separation of Duties (SoD) violations. You can edit these queries or define your own violations using the Access Intelligence > Separation of Duties page. SoD rules can apply to custom data sources, such as users ingested from CSV or SCIM.

Q: Are toxic combinations for SoD violations identified automatically?

Veza evaluates effective and system-level permissions when parsing integrated data sources. Violations are identified when executing an SoD query, either manually or as part of risk assessment.

Q: What remediation actions are available for SoD?

By creating a rule for queries that are SoD violations, you can send announcements or create issues in systems like Jira, Slack, or ServiceNow when new violations are detected. Rules can also trigger automation using custom webhooks.

Q: What integrations are supported for SoD?

Veza integrates with 250+ systems natively and supports many more via our Open Authorization API framework. As soon as the user access data is ingested into the platform, Veza will identify toxic combinations of access based on configured SoD policies.

Access Reviews

Q: What are common issues that occur with Access Reviews?

  • When a snapshot doesn't contain the specified relationship, creating a review will result in a "No Data Available" error. Note that snapshots are taken on a daily basis.

  • Upon saving a Review Configuration and starting a new Review, it's possible that there are no results due to data not existing in the environment for the query parameters. To check if this is the case, search with Query Builder or Authorization Graph using the same search conditions.

Q: Can I change the query for an Access Review after saving it?

While it's possible to edit some parameters such as notification settings after saving a Review Configuration, the original query cannot be altered. This is by design, to maintain the integrity of the certification as a permanent record.

Q: Is it possible to create Access Reviews scoped to certain resources and permissions?

When creating a Review Configuration, you can select a specific source or destination entity type, and apply attribute filters on a value such as Datasource ID.

Q: We use AWS tags to identify resource managers, departments, and operational function. Can we incorporate these in Access Review scopes?

When creating a Review Configuration, you can filter on any tag Veza has discovered, as well as native Veza Tags. To do so, select the desired entity types and apply a tag-based filter.

Q: We need to perform certification on our custom apps, is this possible?

Yes, custom apps configured using OAA are selectable as an entity type, just like the built-in configuration sources. You can either select an individual "Custom Application" or "Custom IdP" entity, or query "All Users" or "All Custom Applications".

Q: We would like the facilitator and reviewer to get notifications based on certain milestones, can we do this?

You can set customized notifications when adding a Review Configuration, or configure them for each Review. Veza Actions will trigger based on reviewer actions (assignment, creation, decision, owner change) and certification states. Veza Actions can trigger webhooks, create ServiceNow tickets, and send alerts to Slack channels. Operators can also configure email reminders based on certification events and deadlines.

Q: Can we assign team-wide Access Reviews to individual managers?

To create a single certification for one manager, apply a constraint on the identity's manager field, and choose the resource(s) the certification applies to. You can also identify managers for any entity type using tags.

Create a new certification, and assign the manager. To ensure the manager can view and certify only their assigned Reviews (and not access other Veza functionality), you can assign the manager's Veza account the access_reviewer role.

Q: Most of our Access Reviews involve more than one reviewer, is this supported?

Certifications can have one or more "default" reviewers, assigned when starting the certification. These default reviewers can request other reviewers from your organization, for any result they decide they aren't an appropriate reviewer for. These assigned reviewers can only view and act on the results they're assigned to.

Veza can use metadata such as manager_id from your Identity Provider or Veza Tags, and use this to automatically assign reviewers when creating a certification.

Q: We want to schedule certification campaigns to occur automatically (as part of a quarterly or annual review cadence). Can we do this?

You can set due dates on certifications, and automatically send reminders by email to the owners, participants, and optional creators/facilitators. The functionality to schedule certification campaigns is planned for a future release.

Q: We need to ensure that an owner can only mark a certification as complete once all items have been "approved" or "rejected." Is this validation done by Veza?

You can configure a variety of certification completion options, including enforcing that all rows must have a decision before a certification can complete.

Q: How is the integrity of an Access Review protected after completion?

To ensure that the Review represents a point-of-time state, Veza utilizes immutable snapshots of your environment at the point of certification. Once complete, it isn't possible to delete a Review, or the Review Configuration that contains it.

Q: As part of certifications, we need to be able to retrieve reject decisions from Veza and feed them into governance and ticketing systems. Can we accomplish this?

All reject decisions from a given certification are retrievable programmatically as a formatted JSON object.

Q: Our reviewers need to be able to see the context of how identities gain access to resources, not just the access that exists. How do I accomplish this?

Today, reviewers only have visibility into the Reviews that they are assigned. This is by design, to prevent them from accessing privileged information. However, we do recognize the power of our visual graph for revealing the chain of privilege and how important seeing that path is for determining if access is appropriate. By creating Teams, you can scope a reviewer's access to the Veza graph, empowering the reviewer to make decisions while limiting what they can see.

Q: How can I customize and sort a Review?

You can show attributes for any source, destination, or intermediate node that Veza has discovered, using the column selector. Columns can also show approval status, assigned reviewers, and notes. From the Certifications view, you can apply filters to narrow broad sets of results down to actionable groups. You can apply decisions to more than one page of filtered results by choosing an action above the list of results.

Q: We need the ability to group users/systems together in the tables to approve all access for a specific user, is this possible?

We recognize the need to group rows by column in the certifications and the option is planned for a future release. You can use filters to focus on results (for example, an individual user name or resource id).

Insights and Reports

Q: What images/visualizations can be exported using Veza, and what will they contain?

Users can optionally generate PNG files to capture visual aspects of the Authorization Graph. These graphics could contain identities (human users or service accounts), authorization entities (IAM roles, groups, policies), and data sources (database names, table names) from your environment.

Q: Does this mean that reports can be viewed within Veza?

Veza includes predefined reports that provide users with insights into their environment. These can be viewed within the platform.

Veza Platform

Supported Browsers

Veza is tested and optimized for use with Chromium-based web browsers. For the best experience and full functionality, we recommend using the latest versions of the following browsers:

  • Google Chrome

  • Microsoft Edge

Login issues

Veza uses browser cookies to authenticate users to the platform. If you see an error when attempting to log in after a password change, try clearing out browser cookies before signing in again.
