Access Intelligence

Insights to understand and act on authorization risks and relationships that Veza has discovered.

Veza's query-driven insights enable organizations to observe, track, and remediate authorization risks using the power of the Access Graph. See the following sections and related topics to learn more about Dashboards, Rules and Alerts, Risks, and Analyze.

Getting started

You can begin familiarizing yourself with Veza Insights by exploring the dashboards, and clicking on any insight tile to view the associated Query in detail.

  1. Identify a Saved Query you want to track.

  2. Add that query to a Dashboard.

  3. Give the query a Risk Level to flag entities in the results.

  4. Create a Rule to get notifications when the query results meet the specified conditions.

  5. Configure Veza Actions to remediate findings through Jira tickets, ServiceNow incidents, Slack alerts, or custom webhooks.

  6. Repeat the process for other Saved Queries.

Dashboards

Dashboards are collections of Saved Queries, organized into sections to best meet the needs of a specific organization, team, or user. Dashboards appear on the primary Veza Home page for easy access and continuous monitoring.

Opening a dashboard shows a summary of current results, with the option to view trends, investigate entities and relationships in Graph, or open and change the original search in Query Builder. Dashboard tiles show the trending change for the last week or month, and the most recent query results.

Dashboards can be Veza-built or user-created, and set to private or public visibility. Owners can make customizations by opening a dashboard and clicking Edit. You can also create new dashboards, add or remove queries, and share dashboards with your team.


Legacy Reports experience: If your tenant still shows Reports under Access Intelligence, see Reports (Legacy) for the previous workflow. The Reports experience has been consolidated into Dashboards.

Rules and alerts

You can define and monitor security baselines using Rules and Alerts for Saved Queries. A rule consists of a baseline query, threshold conditions, and notification settings. Alerts trigger when the Rule's conditions are met.

  • Rules can trigger when the total number of results changes.

  • Rules can also trigger when properties of entities in the query results change.

  • Rules can deliver an alert as a service desk ticket, an email, or a custom webhook.
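The rule semantics above (a count threshold, a change in the result count, and a change in a watched property of an entity) are easier to reason about when written out. The following Python is an added illustration, not Veza's own code or alert format: the `Rule` dataclass, the result snapshots, the entity ids and the alert payload shape are all constructed for this example, and delivery to a webhook or ticketing system is left out so it runs offline.

```python
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample: two successive result snapshots of a Saved Query,
# e.g. "AWS IAM users with admin policies and no MFA". Entity ids and
# properties are made up for this illustration.
PREVIOUS_RESULTS = [
    {"id": "arn:aws:iam::111111111111:user/alice", "mfa_enabled": False, "is_active": True},
    {"id": "arn:aws:iam::111111111111:user/bob", "mfa_enabled": False, "is_active": True},
]
CURRENT_RESULTS = [
    {"id": "arn:aws:iam::111111111111:user/alice", "mfa_enabled": True, "is_active": True},
    {"id": "arn:aws:iam::111111111111:user/bob", "mfa_enabled": False, "is_active": True},
    {"id": "arn:aws:iam::111111111111:user/carol", "mfa_enabled": False, "is_active": True},
    {"id": "arn:aws:iam::111111111111:user/dave", "mfa_enabled": False, "is_active": False},
]


@dataclass(frozen=True)
class Rule:
    """Hypothetical rule definition: a baseline query plus the conditions that fire it."""
    name: str
    query: str
    max_results: Optional[int] = None         # fire when the result count exceeds this
    min_count_delta: Optional[int] = None     # fire when |count change| reaches this
    watched_properties: Tuple[str, ...] = ()  # fire when any of these change on an entity


def evaluate_rule(rule: Rule, previous: List[Dict[str, Any]],
                  current: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Compare two result snapshots and return the findings that satisfy the rule.

    Findings come back in a stable order so repeated evaluations are comparable.
    """
    prev = {e["id"]: e for e in previous}
    cur = {e["id"]: e for e in current}
    findings: List[Dict[str, Any]] = []

    # Condition 1: absolute threshold on the number of results.
    if rule.max_results is not None and len(cur) > rule.max_results:
        findings.append({"type": "threshold_exceeded", "count": len(cur),
                         "max_results": rule.max_results})

    # Condition 2: the total number of results changed by at least the configured delta.
    delta = len(cur) - len(prev)
    if rule.min_count_delta is not None and abs(delta) >= rule.min_count_delta:
        findings.append({
            "type": "count_changed",
            "delta": delta,
            "added": sorted(cur.keys() - prev.keys()),
            "removed": sorted(prev.keys() - cur.keys()),
        })

    # Condition 3: a watched property changed on an entity present in both snapshots.
    for entity_id in sorted(cur.keys() & prev.keys()):
        changes = {
            prop: {"before": prev[entity_id].get(prop), "after": cur[entity_id].get(prop)}
            for prop in rule.watched_properties
            if prev[entity_id].get(prop) != cur[entity_id].get(prop)
        }
        if changes:
            findings.append({"type": "property_changed", "entity": entity_id,
                             "changes": changes})
    return findings


def build_alert(rule: Rule, findings: List[Dict[str, Any]]) -> Optional[Dict[str, Any]]:
    """Shape the findings into one JSON-serialisable alert body for a webhook, ticket
    or email. Returns None when nothing fired so that no empty alert is sent."""
    if not findings:
        return None
    return {"rule": rule.name, "query": rule.query,
            "finding_count": len(findings), "findings": findings}


if __name__ == "__main__":
    import json
    rule = Rule(name="admins-without-mfa",
                query="AWS IAM users with AdministratorAccess and no MFA",
                max_results=3, min_count_delta=2,
                watched_properties=("mfa_enabled", "is_active"))
    alert = build_alert(rule, evaluate_rule(rule, PREVIOUS_RESULTS, CURRENT_RESULTS))
    print(json.dumps(alert, indent=2))
```

Two details matter in practice: entities are matched by a stable identifier rather than by position, so a re-ordered result set does not look like churn, and the count condition reports which entities were added or removed so the alert is actionable rather than just a number.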

Risks

You can track least privilege violations, anomalies, and non-standard configurations by marking a Saved Query as a risk and setting a risk level. You can write your own queries to define potential exploits and access control risks, or use out-of-the-box saved queries.

The results of these queries are highlighted in Graph search when Show Risks is enabled. Active risks can be reviewed on the Risks page. For results that can't be acted on or are safe to ignore, you can individually mark the entities as exceptions, or add filters to the original query.

Enabling and viewing Risk details for Graph Search results.

Analyze and Compare

The Analyze page provides utility search interfaces for specific tasks like reviewing Group and Role assignments. For example, you can find all users belonging to a group, all users that can assume a role, or review all group/role access for a single user.

The Compare feature allows security and identity teams to perform side-by-side comparative analysis of permissions between users or between roles. This functionality helps identify access differences, potential privilege violations, and supports access governance initiatives. See Compare for more details.

Compare offers two main functionalities:

  1. User Comparison - Compare two users of the same type

  2. Role Comparison - Compare two roles of the same type

Comparison is most useful after you have created baseline profiles (such as an engineering_profile Okta User or a standardized AWS IAM Role) with the appropriate level of access. You can then compare other users or roles to the baseline to see how group and resource access varies from the established norm.

For more advanced Segregation of Duty (SoD) capabilities, Veza offers a dedicated SoD feature that enables comprehensive identification and management of toxic access combinations across your organization.

Role Definitions

Role Definitions is an automated role mining tool that analyzes existing user permissions to generate optimized role assignments. Using a deterministic algorithm, it identifies common permission patterns and creates a minimal set of distinct roles to replace individual permission assignments.

This feature helps organizations:

  • Simplify access management by consolidating individual permissions into roles

  • Identify permission patterns across users and resources

  • Create role-based access control (RBAC) from existing permission data

  • Optimize role assignments to minimize complexity

See Role Definitions for step-by-step instructions on uploading permission data, generating role assignments, and exporting results.
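The page does not describe Veza's mining algorithm, so the following Python is an added illustration of the general idea rather than the product's implementation: users with identical permission sets are collapsed into one role, roles are then factored into a parent plus a residual so that a base role and small deltas emerge, and a final check confirms the mined roles grant exactly the access each user had before. The user names, permission strings and role naming scheme are constructed for this example.

```python
from collections import defaultdict
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Permission = str
Roles = Dict[str, FrozenSet[Permission]]

# Constructed sample: direct grants per user as "<system>:<resource>:<action>".
# Names and permissions are made up for this illustration.
SAMPLE_GRANTS: Dict[str, Set[Permission]] = {
    "alice": {"s3:bucket-a:read", "s3:bucket-a:write", "rds:prod:read"},
    "bob":   {"s3:bucket-a:read", "s3:bucket-a:write", "rds:prod:read"},
    "carol": {"s3:bucket-a:read", "rds:prod:read"},
    "dave":  {"s3:bucket-a:read", "rds:prod:read"},
    "erin":  {"iam:*:*"},
}


def mine_roles(grants: Dict[str, Set[Permission]]) -> Tuple[Roles, Dict[str, str]]:
    """Deterministic role mining: users with identical permission sets share one role.

    Roles are numbered by (most users, most permissions, lexical order), so the same
    input always yields the same role names. Returns (roles, user -> role name).
    """
    by_signature: Dict[FrozenSet[Permission], List[str]] = defaultdict(list)
    for user in sorted(grants):
        by_signature[frozenset(grants[user])].append(user)
    ordered = sorted(by_signature.items(),
                     key=lambda kv: (-len(kv[1]), -len(kv[0]), sorted(kv[0])))
    roles: Roles = {}
    assignments: Dict[str, str] = {}
    for index, (signature, users) in enumerate(ordered, start=1):
        name = f"role_{index}"
        roles[name] = signature
        for user in users:
            assignments[user] = name
    return roles, assignments


def factor_roles(roles: Roles) -> Dict[str, Tuple[Optional[str], FrozenSet[Permission]]]:
    """Express each role as (parent role, residual permissions), where the parent is the
    largest other role whose permissions are a strict subset. This surfaces a base role
    plus small deltas instead of several overlapping flat roles."""
    hierarchy: Dict[str, Tuple[Optional[str], FrozenSet[Permission]]] = {}
    for name, perms in roles.items():
        candidates = [(len(other), other_name) for other_name, other in roles.items()
                      if other < perms]  # strict subset
        if candidates:
            # Largest candidate first; lexically first name on ties, for determinism.
            parent = min(candidates, key=lambda c: (-c[0], c[1]))[1]
            hierarchy[name] = (parent, perms - roles[parent])
        else:
            hierarchy[name] = (None, perms)
    return hierarchy


def verify_no_drift(grants: Dict[str, Set[Permission]], roles: Roles,
                    assignments: Dict[str, str]) -> Dict[str, Dict[str, Set[Permission]]]:
    """The check to run before adopting mined roles: every user must end up with exactly
    the access they had. Returns per-user gained/lost permissions; an empty dict means
    the role model is access-preserving."""
    drift: Dict[str, Dict[str, Set[Permission]]] = {}
    for user, before in grants.items():
        after = set(roles[assignments[user]])
        if after != set(before):
            drift[user] = {"gained": after - set(before), "lost": set(before) - after}
    return drift


if __name__ == "__main__":
    mined, who_has = mine_roles(SAMPLE_GRANTS)
    for role, perms in mined.items():
        print(role, sorted(perms), [u for u, r in who_has.items() if r == role])
    print(factor_roles(mined))
    print("drift:", verify_no_drift(SAMPLE_GRANTS, mined, who_has))
```

Exact-match grouping is the conservative baseline: it never changes anyone's effective access, which is what `verify_no_drift` confirms. Real role mining usually goes further and merges near-identical sets, and that is exactly where access can silently widen, so the drift check should stay in the pipeline whenever the grouping rule is relaxed.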

Veza Query Language (VQL)

VQL provides a SQL-like query language for programmatic access to the Access Graph. Security teams and developers can use VQL to:

  • Write precise queries for complex authorization analysis

  • Automate report generation and data exports

  • Integrate Veza insights into external tools and workflows

  • Create custom security assessments beyond the UI capabilities

VQL queries can be executed via the VQL API or using the Query Builder's advanced mode. See the VQL Quick Start and VQL Syntax guides to learn more.

Dashboard Sharing

Share custom dashboards with teams or stakeholders using Veza's dashboard sharing capabilities:

  • Team Sharing: Share dashboards directly with other Veza teams for ongoing collaboration

  • Email Sharing: Send notification emails with secure links to view dashboards

Only custom (user-created) dashboards can be shared between teams. Out-of-the-box dashboards are available to all users with access to the required integrations.

Scheduled Query Exports

Schedule automated exports of query results delivered via secure email links:

  • Configure daily, weekly, or monthly exports for any saved query

  • Recipients receive secure links that expire after 28 days

  • Download access requires appropriate Veza permissions

  • Export format includes customizable columns and entity attributes

This enables sharing sensitive query results with stakeholders while maintaining security controls.

Out-of-the-Box Dashboards

Veza provides 58 pre-built dashboards organized into categories:

  • Activity Monitoring - Usage patterns and dormant account detection

  • Authorization Risk - Privilege escalation paths and misconfigurations

  • Cloud IAM - AWS, Azure, and Google Cloud identity insights

  • Data Warehouse Insights - Snowflake, Databricks, BigQuery, and Redshift security

  • SaaS Security - Salesforce, GitHub, Okta, and other application risks

  • Compliance - SOC 1, SOX, and PCI frameworks

These dashboards are automatically available and provide immediate value after integrating data sources.

Access Intelligence works alongside other Veza capabilities to provide end-to-end visibility and governance:

  • NHI Security: Dedicated dashboards and queries for non-human identities, including the NHI Insights and NHI Access Tracker OOTB dashboards. Use Access Intelligence rules and risks to monitor NHI accounts alongside human identities.

  • Access Reviews: Launch access reviews directly from risk findings to certify and remediate flagged access.

  • Access AI: Use natural language queries to explore Access Intelligence findings and surface hidden risk patterns with generative AI.

  • Veza Actions: Remediate risk findings by triggering Jira tickets, ServiceNow incidents, Slack notifications, or custom webhooks from rules and alerts.
