Analysis

Quickly inspect relationships between users, groups, and roles.

Experimental: Veza Analysis queries are currently available in early access. Contact the Veza support team to learn more and to enable the feature.

You can investigate users, groups, and role assignments from the Access Intelligence > Analysis page. This feature offers a simple interface to review a variety of authorization relationships for an individual entity.

For example, the Analysis page offers a way to:

  • show all users that can assume a Snowflake role.

  • find all users or other groups that belong to an Active Directory group.

  • find all groups or roles that an AWS IAM user can assume or is assigned.

After running an analysis, you can review the results immediately or open the search in Query Builder to add parameters and assign rules and risk levels.

Analyzing a user, group, or role

  1. Click User Analysis, Group Analysis, or Role Analysis.

  2. Use the Type dropdown to choose the user, group, or role by provider (such as "Salesforce User").

  3. Select an individual entity from the second dropdown.

  4. Pick the Analysis query to run on the chosen entity.

If results are available, they will appear in the table of records.

  • Click Columns to show or hide any group, role, or user properties.

  • Click Open in Query Builder to open a search in Query Builder, with an attribute filter on the entity name.

Analysis queries

The available analysis options depend on whether you have chosen a user, a group, or a role, and on the entity's provider integration. The following queries are available for each entity category:

  • User

    • All Groups the User is in

    • All Roles the User can assume

  • Group

    • All Users that are in the Group

    • All Roles the Group can assume

  • Role

    • All Users that can assume the Role

    • All Roles that can assume the Role

Limitations:

Role analysis is well-suited for AWS, GitHub, and Snowflake, where a user has a singular role or a role is a principal. Analysis does not currently support scenarios where a user is not directly bound to a role but is assigned one at the resource level (such as for Google, Azure, and Salesforce roles).
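As an added illustration (not Veza's code or data model), the following Python models the six Analysis queries above as traversals over a small constructed access graph. Only direct member_of and can_assume bindings are followed; the resource-level grant held by the constructed user erin is deliberately not followed, which reproduces the limitation described above.

```python
from collections import defaultdict, deque

# Constructed sample graph, not Veza's data model. KIND gives each node's
# category; EDGES are (source, relation, target). Only direct bindings are followed.
KIND = {"alice": "user", "bob": "user", "carol": "user", "dave": "user", "erin": "user",
        "eng-admins": "group", "all-staff": "group",
        "SYSADMIN": "role", "ACCOUNTADMIN": "role", "Editor": "role"}
EDGES = [
    ("alice", "member_of", "eng-admins"),
    ("bob", "member_of", "eng-admins"),
    ("eng-admins", "member_of", "all-staff"),      # nested group membership
    ("dave", "member_of", "all-staff"),
    ("eng-admins", "can_assume", "SYSADMIN"),      # group bound directly to a role
    ("carol", "can_assume", "ACCOUNTADMIN"),
    ("ACCOUNTADMIN", "can_assume", "SYSADMIN"),    # role-to-role assumption
    ("erin", "assigned_on_resource", "Editor"),    # resource-level grant, not a direct binding
]
FOLLOW = {"member_of", "can_assume"}

FWD, REV = defaultdict(set), defaultdict(set)
for src, rel, dst in EDGES:
    if rel in FOLLOW:
        FWD[src].add(dst)
        REV[dst].add(src)

def reachable(start, adj):
    """All nodes reachable from start over adj (BFS), excluding start itself."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen

def of_kind(nodes, kind):
    return sorted(n for n in nodes if KIND[n] == kind)

# The six Analysis queries, expressed as forward or reverse traversals.
def user_groups(user):  return of_kind(reachable(user, FWD), "group")
def user_roles(user):   return of_kind(reachable(user, FWD), "role")
def group_users(group): return of_kind(reachable(group, REV), "user")
def group_roles(group): return of_kind(reachable(group, FWD), "role")
def role_users(role):   return of_kind(reachable(role, REV), "user")
def role_roles(role):   return of_kind(reachable(role, REV), "role")
```

Running role_users("Editor") returns an empty list even though erin holds Editor on a resource, which is exactly the gap a reviewer has to close with a resource-scoped query instead.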
