Access Reviews Query Builder

Reference for the review configuration query builder.

Overview

Reviews you create can be organization-wide, or constrained to specific applications or populations of users. Use the query builder to scope reviews to meet the needs of your organization based on what data sources you have integrated, the specific compliance requirements of your organization, and existing review processes. For instance, a review configuration might specify:

  • All users with specific permissions on all databases of a certain type.

  • Users with any access to an individual application.

  • Access for a subset of users, based on an attribute, such as "department."

The results of the query are used to compile the list of items included in an individual access or entitlements review. Depending on the objective of the review, these items can be further enriched with:

  • System and Effective Permissions for a relationship, such as the permissions that a user has when accessing a particular resource

  • A summary of the path that makes the access connection, useful for showing that an intermediary group or role is granting a user access

  • Additional metadata about the source or destination entities to provide more context to reviewers.

Queries are especially powerful when entities in your access graph have attributes or tags defining ownership, applicability to compliance rules or regulations, regional metadata, and other organizational attributes. Additional metadata can include Veza tags, native tags originating from the data source (e.g., AWS tags), and Open Authorization API custom properties, as well as details about a related identity from your identity provider or HRIS system.

This document provides an overview of all configuration options and guidance on using entity type groupings to review access for many entity types using a single configuration.

Reference: Configuration Query Builder

The following table describes the options when defining an access review's scope with the configuration query builder.

Note that these options can differ from those available in the Access Visibility query builder, and include parameters specifically designed for access reviews. The entity types available as query source or destination depend on your configured integrations.

Field | Description

Name

A friendly name for the configuration, used for notification messages and shown on the Access Reviews page.

Description

Used to add internal notes, such as details about the configuration scope and purpose.

Query Mode: Effective

When enabled, returns effective permission calculations for the source and destination pair.

Query Mode: System

When enabled, returns system-level entities and raw permissions for the source and destination pair.

Source Entity Type

Selects the entities to review (typically an identity). The results will include all entities of the chosen type.

Destination Entity Type

Usually, one or more types of resources to approve an identity's permissions on. However, any entity can be the final node of the path (such as a role, service, or group). Rows will show source entities and their relationships to entities of the chosen type.

Select a single entity (Optional)

When selected, only show access involving a specific source or destination entity, specified by name.

Preview source/destination entities

Update the results table to preview source or destination entities based on Veza's most recent graph data. Reviewers will certify the query results based on graph data at the time of review creation.

Advanced Options: Include source tags in review results

When enabled, reviews include a column showing the keys of any tags on the source entity.

Advanced Options: Include destination tags in review results

When enabled, reviews include a column showing tag keys for the destination entity.

Advanced Options: Relationship

Enables optional columns for reviewers, showing the full entity metadata when an entity of the selected type exists in the path between the source and destination (such as the group granting an Okta user access to an app).

Advanced Options: Summary Entities

The review will include a column indicating the names and hierarchical relationships of the specified entity types.

Advanced Options: Exclude Entities

Exclude results with a relationship to the selected intermediate entity type(s), for example, to review users not assigned to groups.

Advanced Options: Require Entities

Only show results that have a relationship to the required entity type(s), such as users directly assigned to groups.

Relationship Options: Include Assumed

By default, reviews contain a row for each unique source-destination relationship, including assignments that are due to nested groups, roles, or projects. Disable this option to only include rows for the top-level assignment.

Advanced Options: Relationship

An intermediate entity category to require, such as a local user account, group, or role. When specified, details on this intermediate node appear in an additional review column.

Enrich with IdP/HRIS Metadata

Choose related entity types to include their attributes in the reviewer interface. See Identity Provider and HRIS Enrichment to learn more.

Filters: Attributes

Filter by an entity property, such as user department. Click + Add Predefined Attribute Filter to quickly add a filter on the user "manager" attribute, when the source user is the same as the user entity type defined in Access Reviews Global IdP Settings.

Filters: Tags

Only return results that include (or don’t include) the specified tags. Tags can be Veza Tags, or discovered tags native to an integration, such as AWS Tags or Snowflake Tags. Enabling Show Source/Destination Tags will additionally provide reviewers with the ability to see any tags applied to the results, and sort and filter by tags within the review interface.

Filters: Permissions

Only return results with specific privileges on the destination resource. Permissions can be effective or system. Based on the operator, matches can be "all" or "any". Applying a permissions filter to a query that does not involve permissions (such as User to Role) will return no results.
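The following is an added illustration, not Veza code: a small constructed access graph and a function that assembles review rows the way the scoping options above describe them (Include Assumed, Require/Exclude intermediate entity types, and an "any"/"all" Permissions filter). Entity names, the `group:`/`role:` type prefixes, and the rule that permissions are unioned across paths for a source-destination pair are assumptions of this model.

```python
"""Toy model of how access-review scoping options combine (added example)."""

# Constructed sample graph: (source, intermediate or None, destination, permissions).
# Hypothetical names; "group:"/"role:" prefixes stand in for intermediate entity types.
EDGES = [
    ("alice@example.com", None,          "orders-db", {"read"}),
    ("alice@example.com", "group:dba",   "orders-db", {"read", "write"}),
    ("bob@example.com",   "group:dba",   "orders-db", {"read", "write"}),
    ("svc-etl",           None,          "orders-db", {"read"}),
    ("carol@example.com", "role:viewer", "hr-bucket", {"read"}),
]


def build_review(include_assumed=True, require=None, exclude=None,
                 permissions=None, operator="any"):
    """Return one row per unique (source, destination) relationship.

    include_assumed: keep access inherited through a group or role path;
                     False keeps only top-level (direct) assignments.
    require/exclude: intermediate types ("group", "role") to keep or drop.
    permissions/operator: keep rows matching "any" or "all" listed privileges.
    Each row records every path that contributed ("direct" for no intermediary)
    and the union of permissions over those paths (a modelling assumption).
    """
    rows = {}
    for src, via, dst, perms in EDGES:
        via_type = via.split(":")[0] if via else None
        if not include_assumed and via is not None:
            continue
        if require and via_type not in require:
            continue
        if exclude and via_type in exclude:
            continue
        row = rows.setdefault((src, dst), {"paths": [], "permissions": set()})
        row["paths"].append(via or "direct")
        row["permissions"] |= perms
    if permissions:
        want = set(permissions)
        rows = {k: r for k, r in rows.items()
                if (want <= r["permissions"] if operator == "all"
                    else want & r["permissions"])}
    return rows


if __name__ == "__main__":
    for (src, dst), row in build_review(permissions=["write"]).items():
        print(f"{src} -> {dst}: {sorted(row['permissions'])} via {row['paths']}")
```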

Entity Type Groupings

Use entity type groupings in a configuration to include several entity types in the scope of an access review. Choosing an entity type grouping as the source or destination will include all entities within that grouping. Use these to construct queries such as "All Principals to All Custom Application Roles" or "All Top Level Principals to GitHub Repositories."

Generic entity type groupings

  • All Principals: Entities with the Identity label, including machine entity types that can have permissions on resources.

  • All Top Level Principals: Identity-type entities that cannot be assumed by another identity. Use this option to show primary organizational identities (e.g., IdP users), and filter out any low-level identities (such as local users) they can assume. Reviews will contain local users and service accounts that don’t have an upper-level identity.

  • All Local Users: Entities with the LocalUser label (e.g., Google Cloud SQL User, HashiCorp Vault Alias, or MongoDB Users).

  • All Resources: All entities with the Resource label.

  • AccessCreds: Entities with the AccessCreds label.

You can check which entities are included in an entity type grouping using the query builder. Search for the label in Access Visibility > Query Builder and review the list of included entities in the Filter By Type dropdown menu.

Entity type groupings for custom applications

Some special entity type groupings are provided specifically for Access Reviews. These return all "custom" users, roles, resources, and other entities added to Veza using Open Authorization API templates. These groupings enable scoping reviews to all users or resources in custom applications, identity providers, and HRIS platforms:

  • Custom Applications

  • Custom Subresources

  • Custom Resources

  • Custom Users

  • Custom Roles

  • Custom Role Assignments

  • Custom IdP Domains

  • Custom IdP Groups

  • Custom IdP Users

  • Custom Groups

  • Custom Permissions

Custom entities and their attributes are defined in the JSON push payload created by OAA connectors. For more information about these entity types and attributes, see OAA Templates.