Access Monitoring

Over Provisioned Scores and dormant access insights


Early Access: Access Monitoring is provided on an Early Access basis. Please contact our customer success team to enable the feature. By default, monitoring supports AWS, Snowflake, and Google Cloud BigQuery, after enabling audit logs for these integrations. Monitoring for Okta is available in Early Access.

Overview

Veza Access Monitoring provides visibility into actual access and usage of resources across your cloud environments and data stores. It collects and analyzes log data to determine which identities (users, roles, service accounts) have accessed specific resources such as databases, data tables, cloud storage, applications, and more.

Access Monitoring enables Veza operators to search for identities with more privileges than they are actually using, create rules to govern permission creep, and remediate dormant access with reports, queries, and the Activity Monitoring page.

Access Monitoring is currently supported for the Snowflake, AWS, Okta, and Google Cloud BigQuery integrations. Toggling Audit Log extraction for these integrations enables or disables monitoring capabilities.

Key Features

Access Auditing: When enabled, Veza gathers access logs from sources such as:

  • Snowflake

  • AWS CloudTrail

  • Okta system logs

  • Google Cloud Audit Logs

Veza aggregates this data to show which identities accessed which resources, and when the access occurred.

To gather this information, you will need to enable audit log extraction on the Veza Integrations page, and ensure the integration service account has the required permissions to read available activity logs.

Last Accessed Tracking: For monitored resources, the feature tracks the last time each identity accessed the resource. This highlights dormant or unused access that can potentially be revoked to reduce the attack surface.

An Over Provisioned Score is calculated for each identity against the resources it can reach, comparing actual activity within the monitoring time frame against the access granted. Higher scores indicate over-privileged access that may need review.

Access data can power rules, alerts, and workflow triggers. For example, creating a remediation ticket whenever an over-privileged identity is detected based on Over Provisioned Scores.

Cloud Entitlements Dashboard: For supported systems, pre-built dashboards provide an overview of:

  • Most active identities

  • Dormant and unused identities

  • Dormant roles

  • Other entitlement metrics

This provides visibility for privileged access management and identifying areas to apply least privilege principles.

Use these tools to understand the gap between granted permissions and actual usage, and optimize access rights to align with the principle of least privilege.

Over Provisioned Score

Over Provisioned Scores add an additional dimension to the Query Builder and search results, enabling filtering and sorting based on recent activity and actual usage. For supported queries, an additional column shows the Over Provisioned Score (OPS) for each result. The score is the share of resources a user has permissions on that the user has not actually interacted with during the monitoring time frame: (granted resources minus used resources) divided by granted resources, expressed as a percentage.

A higher score indicates more underutilized access. If a user can read 100 tables but used this permission on only 50 of them, their Table Read OPS is 50%. If they had read only 20 tables, the OPS would be 80%. A user who exercised every grant has an OPS of 0%.

Users can have different scores for different resource types (such as tables, views, or databases). Over Provisioned Scores update as query filters are applied to limit the range of utilized permissions or destination resources.

Customizing the date range for Access Monitoring: Administrators can customize the look-back window for Access Monitoring under System Settings > Activity Monitoring Time Frame. The window can be 30, 60, 90, or 120 days; activity older than the window does not count as usage.

"Last Used At" and "Last Activity At" in Query Builder

After enabling Access Monitoring and audit log extraction, supported entities (such as Snowflake Local Roles) will have a "Last Activity At" attribute.

In the Query Builder, these attributes are shown in filterable columns. The "Last Activity At" attribute differs from the "Last Used At" attribute.

  • Last Activity At is a timestamp generated from activity logs. It represents the last time a source entity had any activity on a resource, such as a user utilizing a role to gain access to a resource, or editing the role itself.

  • Last Used At is a timestamp extracted directly from the integrated data source. It typically represents the last time an identity or resource was used for any reason, and is not available in or provided by all systems. The Last Used At value will be "Never" if this metadata is unavailable.

Activity Monitoring

The Activity Monitoring page is a streamlined search interface providing an overview of dormant access for supported platforms. You can open any search in the Query Builder to add constraints and save it to use in reports, create rules, or filter another query.

To use the Activity Monitoring overview:

  1. Go to Access Monitoring > Activity Monitoring

  2. Use the menus to choose a platform (AWS, Okta, Snowflake, or Google Cloud)

  3. Choose a principal (Okta User, AWS IAM User or Role, Snowflake User or Role, Google Workspace User, or Google Cloud Service Account)

  4. Choose a related resource (Okta App, AWS S3 Bucket or AWS Secrets Manager Secret, Snowflake database, view, table, or schema, BigQuery Dataset, or BigQuery Table)

  5. Optionally, enable Show dormant entities only to filter out results with no Over Provisioned Score.

Extra columns appear containing usage information for each result. These show the Over Provisioned Score, total available resources, actual resources accessed, and the percentage of total utilized access.

Access Monitoring using Query Builder

To create queries with Over Provisioned Score parameters, go to Access Visibility > Query Builder, and choose a supported source and related entity type.

The following queries support Over Provisioned Scores:

  • Okta User to Okta App or AWS S3 Bucket or AWS Secrets Manager Secret or AWS KMS Key

  • AWS IAM User or Role to AWS S3 Bucket or AWS Secrets Manager Secret or AWS KMS Key

  • Snowflake User or Role to Snowflake Database, View, Table, or Schema.

  • Snowflake Role to Snowflake User

  • Snowflake User to Snowflake Role

  • Google Workspace User to BigQuery Dataset or BigQuery Table

  • Google Cloud ServiceAccount to BigQuery Dataset or BigQuery Table

You can also open a search on the Activity Monitoring page to pre-fill the query builder.

For supported queries, results have an Over Provisioned Score column. Click a score to show:

  • All resources a principal relates to

  • Details about the used and unused permissions

  • Last activity time

Over Provisioned Score Threshold: Use these Query Builder options to keep only results whose score is above, below, or equal to a given value, calculated over the activity monitoring time range.

Permissions: In Query Builder, scores are based on the current permission filters. With no permissions specified, any usage will count as activity.

Last Activity timestamps: This column is enabled when using the "Show (Resource)" option in Query Builder. This returns results as principal and resource pairs, instead of showing one result for each principal. Use this to review detailed metadata about each destination resource.

Access Monitoring Examples

Here are a few examples for creating OPS-based queries and creating rules from these queries.

OPS for individual permissions or resources

To see user OPS for specific databases, or for a particular set of permissions:

Search for Snowflake Local User grouped by Snowflake Database. The results will show all users with access to any database. The Over Provisioned Score for the results accounts for any permission on any Snowflake database.

Optionally, click a number in the "Snowflake Databases" column to see all databases the user can access, and their cumulative effective permissions on each database:

Apply a constraint on the database name:

  1. Click Filters > Add Attribute Filter

  2. Pick "Snowflake Database" for the Entity Type

  3. Filter Snowflake Databases with the constraint "Name" "Equals" "<Single Database Name>"

  4. Note that the query results and Over Provisioned Scores have changed

  5. Next, pick from the Permissions menu to filter the results and update the OPS accordingly.

You can filter on one or more canonical or system permissions. A system permission is an explicit privilege, as defined by the service provider (such as RENAME TABLE in Snowflake). The canonical permission is the effective Create/Read/Write/Delete equivalent (such as METADATA WRITE).
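The scoring described above (the Over Provisioned Score section, the Query Builder threshold and permission filters, and the Snowflake database walkthrough just given), modelled in Python as an added example. This is not Veza code and does not call the Veza API: it assumes grants and activity-log rows are already in hand as the two dataclasses below, and the system-to-canonical permission mapping is illustrative except for RENAME TABLE -> METADATA WRITE, which the page states. OPS is computed as the page defines it: granted resources not used within the time frame, divided by granted resources.

```python
"""Model of Veza's Over Provisioned Score (OPS) on constructed Snowflake data.

Added example for this page, not Veza code. Grants, events, and the canonical
mapping below are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Illustrative system -> canonical permission mapping (assumed, except RENAME TABLE).
CANONICAL = {"SELECT": "DATA READ", "INSERT": "DATA WRITE", "RENAME TABLE": "METADATA WRITE"}


@dataclass(frozen=True)
class Grant:
    """An effective permission a principal holds on a resource."""
    principal: str
    resource_type: str      # e.g. "Snowflake Database", "Snowflake Table"
    resource: str
    system_permission: str  # privilege as the provider names it


@dataclass(frozen=True)
class Event:
    """One activity-log row: a principal exercised a privilege on a resource."""
    principal: str
    resource_type: str
    resource: str
    system_permission: str
    at: datetime


def canonical(system_permission: str) -> str:
    return CANONICAL.get(system_permission, system_permission)


def ops_by_principal(grants, events, now, time_frame_days=90, permissions=None):
    """Return {(principal, resource_type): {total, used, ops, last_activity_at}}.

    permissions: optional set of canonical and/or system permission names. With
    none given, every grant counts and any activity on a granted resource counts
    as usage (Query Builder's default). Principals with no matching grants get
    no entry, which is what "Show dormant entities only" hides.
    """
    window_start = now - timedelta(days=time_frame_days)

    def selected(perm: str) -> bool:
        return not permissions or perm in permissions or canonical(perm) in permissions

    granted: dict = {}
    for g in grants:
        if selected(g.system_permission):
            granted.setdefault((g.principal, g.resource_type), set()).add(g.resource)

    used: dict = {}
    last_activity: dict = {}
    for e in events:
        key = (e.principal, e.resource_type)
        if not (window_start <= e.at <= now):
            continue  # outside the Activity Monitoring Time Frame
        if e.resource not in granted.get(key, ()) or not selected(e.system_permission):
            continue  # activity that does not exercise a counted grant
        used.setdefault(key, set()).add(e.resource)
        last_activity[key] = max(last_activity.get(key, e.at), e.at)

    scores = {}
    for key, resources in granted.items():
        total, n_used = len(resources), len(used.get(key, ()))
        scores[key] = {"total": total, "used": n_used,
                       "ops": round(100.0 * (total - n_used) / total, 1),
                       "last_activity_at": last_activity.get(key)}
    return scores


def at_or_above(scores, resource_type, threshold):
    """Principals whose OPS for resource_type is >= threshold (the Query Builder
    Over Provisioned Score Threshold with the >= operator)."""
    return sorted(p for (p, rt), s in scores.items()
                  if rt == resource_type and s["ops"] >= threshold)


# Constructed sample data (not from a real tenant).
NOW = datetime(2025, 5, 15, tzinfo=timezone.utc)
DB = "Snowflake Database"
GRANTS = [
    *(Grant("alice", DB, d, "SELECT") for d in ("SALES", "FINANCE", "HR", "MARKETING")),
    Grant("alice", "Snowflake Table", "SALES.ORDERS", "RENAME TABLE"),
    Grant("bob", DB, "SALES", "SELECT"),
    Grant("bob", DB, "FINANCE", "SELECT"),
    *(Grant("svc_etl", DB, d, p) for d in ("SALES", "FINANCE", "HR") for p in ("SELECT", "INSERT")),
]
EVENTS = [
    Event("alice", DB, "SALES", "SELECT", NOW - timedelta(days=10)),
    Event("alice", DB, "FINANCE", "SELECT", NOW - timedelta(days=100)),  # outside a 90-day frame
    Event("alice", "Snowflake Table", "SALES.ORDERS", "RENAME TABLE", NOW - timedelta(days=5)),
    Event("bob", DB, "SALES", "SELECT", NOW - timedelta(days=1)),
    Event("bob", DB, "FINANCE", "SELECT", NOW - timedelta(days=2)),
    Event("svc_etl", DB, "SALES", "INSERT", NOW - timedelta(days=1)),   # writes, never reads
    Event("svc_etl", DB, "PUBLIC", "SELECT", NOW - timedelta(days=1)),  # not granted: ignored
]

if __name__ == "__main__":
    for perms in (None, {"DATA READ"}):
        print(f"permission filter: {perms or 'any'}")
        for key, s in sorted(ops_by_principal(GRANTS, EVENTS, NOW, 90, perms).items()):
            print(f"  {key}: {s}")
    print("DATA READ OPS >= 33% on databases:",
          at_or_above(ops_by_principal(GRANTS, EVENTS, NOW, 90, {"DATA READ"}), DB, 33))
```

Running it shows the two effects the page describes: narrowing the permission filter to DATA READ moves svc_etl from 66.7% to 100% (its only activity is INSERT, which no longer counts), and widening the time frame from 90 to 120 days drops alice from 75% to 50% because her FINANCE read from 100 days ago comes back into the window.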

Google Cloud BigQuery

To check for over-provisioned Google Cloud users with access to BigQuery datasets:

  1. Create a new query for "Google Workspace User" grouped by "BigQuery Dataset"

  2. The results will show all users with access to any dataset, with their OPS based on actual dataset usage

  3. To focus on specific permissions, use the Permissions filter to select BigQuery-specific permissions like bigquery.datasets.get or canonical permissions like DATA READ

  4. Add an Over Provisioned Score threshold to only show users with high OPS values (e.g., 75% or higher)

  5. Save the query for future reference or to create rules based on it

Alerts and Rules with Over Provisioned Scores

You can create queries that filter results by OPS, and then create rules that alert when the number of matching dormant entities grows by more than a chosen amount between evaluations.

For example, to alert when Veza detects a user with a Database Read OPS of 33% or more:

  1. Create a new query for "Snowflake Local User" grouped by "Snowflake Database"

  2. Set the Over Provisioned Score Threshold:

    1. Change the operator to >= (greater than or equal to)

    2. Set the threshold to 33%

  3. Add the DATA READ canonical permission.

  4. Save the Query with a name and description

  5. Go to Saved Queries and find the new query:

    1. Open the query actions menu and click Add Alert Rule

    2. Add the condition "If Query Results have increased by more than 1 occurrences"

    3. Pick an alert destination and click next

    4. Add a name and description. Click Finish to save the rule.

After configuration, the target destination receives a notification payload whenever the number of matching users grows by more than one since the previous evaluation. A matching user is one whose "Database Data Read" OPS is at least 33%, that is, a user who has not used at least a third of their Database Data Read entitlements within the monitoring time frame.

Rule Conditions for Over Provisioned Scores

You can also create rules that trigger when there are changes to OPS scores for individual query results.

  1. Create a rule for a query that uses OPS, from the Query Builder (after saving the query), the Saved Queries page, or the Access Monitoring dashboard.

  2. Change the if condition from Query Results to Over Provisioned Score

  3. Pick an operator, for example, "are more than"

  4. Pick a value, such as 75

  5. Choose where to deliver the alert

  6. Set the name, description, and severity

  7. Save the rule
