Release Notes

💡Access Intelligence

Insights to understand and act on authorization risks and relationships that Veza has discovered.

Veza's query-driven insights enable organizations to observe, track, and remediate authorization risks using the power of the Authorization Graph. See following sections and related topics to learn more about Reports, Rules and Alerts, Risks, and Analyze.

Getting started

You can quickly get started with Veza Insights by exploring the Dashboard, and clicking Open in Reports to view the associated Queries in detail.

  1. Identify a Saved Query you want to track.

  2. Add that query to a new Report

  3. Add the Report to the Dashboard.

  4. Give the query a Risk Level to flag entities in the results.

  5. Create a Rule to get notifications when the query results meet the specified conditions.

  6. Repeat the process for other Saved Queries.

Reports

A Report is a collection of Saved Queries, organized to best meet the needs of a specific organization, team, or user.

Opening a report shows a summary of current results, with the option to view trends, investigate entities and relationships in Graph, or open and change the original search in Query Builder.

Reports can be Veza-built or user-created, and set to private or public visibility. Owners can make customizations by opening a report and clicking Edit.

Viewing and acting on Queries in a Report.

Dashboards

Adding reports to Dashboard section allows users to customize summaries that appear on the primary Veza Home page for easy access and continuous monitoring. Dashboard tiles show the trending change for the last week or month, and the most recent query results. You can edit these reports and queries to focus on the most important findings.

Rules and alerts

You can define and monitor security baselines using Rules and Alerts for Saved Queries. A rule consists of a baseline query, thresholds of conditions, and notification settings. Alerts trigger when the Rule's conditions are met.

  • Rules can trigger when the total number of results change

  • Rules can also trigger when there are changes in properties for entities in the query results.

  • Rules can trigger an alert in the form of a service desk ticket, an email, or a custom webhook.

Risks

You can track least privilege violations, anomalies, and non-standard configurations by marking a Saved Query as a risk and setting a risk level. You can write your own queries to define potential exploits and access control risks, or use out-of-the-box saved queries.

The results of these queries are highlighted in Graph search when Show Risks is enabled. Active risks be reviewed on the Risks page. For results that can't be acted on or are safe to ignore, you can individually mark the entities as exceptions, or add filters to the original query.

Enabling and viewing Risk details for Graph Search results.

Analyze and Compare

The Analyze page provides utility search interfaces for specific tasks like reviewing Group and Role assignments. For example, you can find all users belonging to a group, all users that can assume a role, or review all group/role access for a single user.

The Compare feature allows security and identity teams to perform side-by-side comparative analysis of permissions between users or between roles. This functionality helps identify access differences, potential privilege violations, and supports access governance initiatives. See Compare for more details.

Compare offers two main functionalities:

  1. User Comparison - Compare two users of the same type

  2. Role Comparison - Compare two roles of the same type

Comparison is most useful after you have created baseline profiles (such as an engineering_profile Okta User or a standardized AWS IAM Role) with the appropriate level of access. You can then compare other users or roles to the baseline to see how group and resource access varies from the established norm.

For more advanced Segregation of Duty (SoD) capabilities, Veza offers a dedicated SoD feature that enables comprehensive identification and management of toxic access combinations across your organization.

Role Definitions

Role Definitions is an automated role mining tool that analyzes existing user permissions to generate optimized role assignments. Using a deterministic algorithm, it identifies common permission patterns and creates a minimal set of distinct roles to replace individual permission assignments.

This feature helps organizations:

  • Simplify access management by consolidating individual permissions into roles

  • Identify permission patterns across users and resources

  • Create role-based access control (RBAC) from existing permission data

  • Optimize role assignments to minimize complexity

See Role Definitions for step-by-step instructions on uploading permission data, generating role assignments, and exporting results.

Veza Query Language (VQL)

VQL provides a SQL-like query language for programmatic access to the Authorization Graph. Security teams and developers can use VQL to:

  • Write precise queries for complex authorization analysis

  • Automate report generation and data exports

  • Integrate Veza insights into external tools and workflows

  • Create custom security assessments beyond the UI capabilities

VQL queries can be executed via the VQL API or using the Query Builder's advanced mode. See the VQL Quick Start and VQL Syntax guides to learn more.

Dashboard Sharing

Share custom dashboards with teams or stakeholders using Veza's dashboard sharing capabilities:

  • Team Sharing: Share dashboards directly with other Veza teams for ongoing collaboration

  • Email Sharing: Send notification emails with secure links to view dashboards

Only custom (user-created) dashboards can be shared between teams. Out-of-the-box dashboards are available to all users with access to the required integrations.

Scheduled Query Exports

Schedule automated exports of query results delivered via secure email links:

  • Configure daily, weekly, or monthly exports for any saved query

  • Recipients receive secure links that expire after 28 days

  • Download access requires appropriate Veza permissions

  • Export format includes customizable columns and entity attributes

This enables sharing sensitive query results with stakeholders while maintaining security controls.

Out-of-the-Box Dashboards

Veza provides 58 pre-built dashboards organized into categories:

  • Activity Monitoring - Usage patterns and dormant account detection

  • Authorization Risk - Privilege escalation paths and misconfigurations

  • Cloud IAM - AWS, Azure, and Google Cloud identity insights

  • Data Warehouse Insights - Snowflake, Databricks, BigQuery, and Redshift security

  • SaaS Security - Salesforce, GitHub, Okta, and other application risks

  • Compliance - SOC 1, SOX, and PCI frameworks

These dashboards are automatically available and provide immediate value after integrating data sources.

PreviousVQL APINextOverview

Last updated

Was this helpful?