Access Reviews Query Builder
Reference for the review configurations query builder.
Last updated
Reviews you create can be organization-wide, or constrained to specific applications or populations of users. Use the query builder to scope reviews to meet the needs of your organization based on what data sources you have integrated, the specific compliance requirements of your organization, and existing review processes. For instance, a review configuration might specify:
- All users with specific permissions on all databases of a certain type.
- Users with any access to an individual application.
- Access for a subset of users, based on an attribute such as "department."
The results of the query are used to compile the list of items included in an individual access or entitlements review. Depending on the objective of the review, these items can be further enriched with:
- System and Effective Permissions for a relationship, such as the permissions that a user has when accessing a particular resource.
- A summary of the path that made the access connection, useful to show that an intermediary group or role is granting a user access.
- Additional metadata about the source or destination entities to provide more context to reviewers.
Queries are especially powerful when entities in your access graph have attributes or tags defining ownership, applicability to compliance rules or regulations, regional metadata, and other organizational attributes. Additional metadata can include Veza tags, native tags originating from the data source (e.g., AWS tags), and Open Authorization API custom properties, as well as details about a related identity from your identity provider or HRIS system.
This document provides an overview of all configuration options and guidance on using entity type groupings to review access for many entity types using a single configuration.
The following table describes the options when defining an access review's scope with the configuration query builder.
Note that these options can differ from those available in the Access Visibility query builder, and include parameters specifically designed for access reviews. The entity types available as query source or destination depend on your configured integrations.
Use entity type groupings in a configuration to include several entity types in the scope of an access review. Choosing an entity type grouping as the source or destination will include all entities within that grouping. Use these to construct queries such as "All Principals to all Custom Application Role," or "All Top Level Principals to GitHub Repositories."
- All Principals: Entities with the Identity label, including machine entity types that can have permissions on resources.
- All Top Level Principals: Identity-type entities that cannot be assumed by another identity. Use this option to show primary organizational identities (e.g., IdP users), and filter out any low-level identities (such as local users) they can assume. Reviews will contain local users and service accounts that don't have an upper-level identity.
- All Local Users: Entities with the LocalUser label (e.g., Google Cloud SQL User, Hashicorp Vault Alias, or MongoDB Users).
- All Resources: All entities with the Resource label.
- AccessCreds: Entities with the AccessCreds label.
You can check which entities are included in an entity type grouping using the query builder. Search for the label in Access Visibility > Query Builder and review the list of included entities in the Filter By Type dropdown menu.
Some special entity type groupings are provided specifically for Access Reviews. These return all "custom" users, roles, resources, and other entities added to Veza using Open Authorization API templates. These groupings enable scoping reviews to all users or resources in custom applications, identity providers, and HRIS platforms:
- Custom Applications
- Custom Subresources
- Custom Resources
- Custom Users
- Custom Roles
- Custom Role Assignments
- Custom IdP Domains
- Custom IdP Groups
- Custom IdP Users
- Custom Groups
- Custom Permissions
Custom entities and their attributes are defined in the JSON push payload created by OAA connectors. For more information about these entity types and attributes, see OAA Templates.
Field | Description |
---|---|
Name | A friendly name for the configuration, used for notification messages and shown on the Access Reviews page. |
Description | Used to add internal notes, such as details about the configuration scope and purpose. |
Query Mode: Effective | When enabled, returns effective permission calculations for the source and destination pair. |
Query Mode: System | When enabled, returns system-level entities and raw permissions for the source and destination pair. |
Source Entity Type | Selects the entities to review (typically an identity). The results will include all entities of the chosen type. |
Destination Entity Type | Usually, one or more types of resources to approve an identity's permissions on. However, any entity can be the final node of the path (such as a role, service, or group). Rows will show source entities and their relationships to entities of the chosen type. |
Select a single entity (Optional) | When selected, only show access involving a specific source or destination entity, specified by name. |
Preview source/destination entities | Update the results table to preview source or destination entities based on Veza's most recent graph data. Reviewers will certify the query results based on graph data at the time of review creation. |
Advanced Options: Include source tags in review results | When enabled, reviews include a column showing the keys of any tags on the source entity. |
Advanced Options: Include destination tags in review results | When enabled, reviews include a column showing tag keys for the destination entity. |
Advanced Options: Relationship | Enables optional columns for reviewers, showing the full entity metadata when an entity of the selected type exists in the path between the source and destination (such as the group granting an Okta user access to an app). |
Advanced Options: Summary Entities | The review will include a column indicating the names and hierarchical relationships of the specified entity types. |
Advanced Options: Exclude Entities | Exclude results with a relationship to the selected intermediate entity type(s), for example, to review users not assigned to groups. |
Advanced Options: Require Entities | Only show results that have a relationship to the required entity type(s), such as users directly assigned to groups. |
Relationship Options: Include Assumed | By default, reviews contain a row for each unique source-destination relationship, including assignments that are due to nested groups, roles, or projects. Disable this option to only include rows for the top-level assignment. |
Advanced Options: Relationship | An intermediate entity category to require, such as a local user account, group, or role. When specified, details on this intermediate node appear in an additional review column. |
Enrich with IdP/HRIS Metadata | Choose related entity types to include their attributes in the reviewer interface. See Identity Provider and HRIS Enrichment to learn more. |
Filters: Attributes | Filter by an entity property, such as user department. Click + Add Predefined Attribute Filter to quickly add a filter on the user "manager" attribute, when the source user is the same as the user entity type defined in Access Reviews Global IdP Settings. |
Filters: Tags | Only return results that include (or don't include) the specified tags. Tags can be Veza Tags, or discovered tags native to an integration, such as AWS Tags or Snowflake Tags. Enabling Show Source/Destination Tags will additionally provide reviewers with the ability to see any tags applied to the results, and sort and filter by tags within the review interface. |
Filters: Permissions | Only return results with specific privileges on the destination resource. Permissions can be effective or system. Based on the operator, matches can be "all" or "any". Applying a permissions filter to a query that does not involve permissions (such as User to Role) will return no results. |