Entity Type Groupings
Use entity type groupings to query across multiple related entity types in Veza's Access Graph for more flexible security analysis.
Entity type groupings define hierarchical categories in Veza's Access Graph. Instead of searching for OktaUser, AzureADUser, and GoogleWorkspaceUser separately, you can query the User grouping to return all user types in a single query.
Groupings use an inheritance model: entity types like OktaUser inherit from parent groupings like IdPUser, which inherit from broader groupings like User and Identity. When you query a grouping, results include all entity types in its inheritance tree.
Understanding Entity Type Groupings
Every entity in the Veza Access Graph has an entity type that identifies its source and kind (such as OktaUser, S3Bucket, or AwsIamRole). Entity types inherit from groupings that represent broader categories.
Entity Types
Entity types are discovered from your integrations:
Identity providers: OktaUser, AzureADUser, GoogleWorkspaceUser
Data resources: S3Bucket, Database, Notebook
Access control: AwsIamRole, AzureRole, OktaGroup
Entity Type Groupings
Groupings organize entity types into a hierarchy:
User – includes all human user accounts (OktaUser, LocalUser, AzureADUser)
Resource – includes data and applications (S3Bucket, Database, Application)
Identity – includes both users and service accounts
When you query the Identity grouping, results include all User and ServiceAccount entities. When you query User, results include all IdPUser and LocalUser entities.
Grouping Hierarchy (Identity branch):
Example entity types inheriting from each grouping:
IdPUser: OktaUser, AzureADUser, GoogleWorkspaceUser
LocalUser: SnowflakeLocalUser, HashicorpVaultAlias, MongoDbUser
AIAgent: BedrockAgent, VertexAiReasoningEngine
ServiceAccount: AwsServicePrincipal, GithubApp, AzureADDevice
When to use entity type groupings:
Query all users with access to sensitive data across systems
Create access reviews that automatically include new user types as integrations are added
Build queries that work across platforms without specifying each entity type
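The following added example (a local model written for illustration, not Veza's API or VQL) shows how the inheritance described above decides which entities a query covers, and why a review scoped to a single entity type can miss local and non-human accounts. Parent links come from the Identity-branch examples on this page; AIAgent is left out because its parent grouping is not stated here, and the access records and names are constructed sample data.

```python
# Added illustration: a local model of grouping inheritance, not Veza's API.
# Parent links are taken from the Identity-branch examples on this page.
PARENT = {
    "User": "Identity", "ServiceAccount": "Identity",
    "IdPUser": "User", "LocalUser": "User",
    "OktaUser": "IdPUser", "AzureADUser": "IdPUser",
    "GoogleWorkspaceUser": "IdPUser",
    "SnowflakeLocalUser": "LocalUser", "HashicorpVaultAlias": "LocalUser",
    "MongoDbUser": "LocalUser",
    "AwsServicePrincipal": "ServiceAccount", "GithubApp": "ServiceAccount",
    "AzureADDevice": "ServiceAccount",
}

def lineage(entity_type, parents=PARENT):
    """Return the type followed by every grouping it inherits from."""
    chain = [entity_type]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return chain

def matches(entity_type, grouping, parents=PARENT):
    """True if the type is the grouping or inherits from it; 'Any' matches all."""
    return grouping == "Any" or grouping in lineage(entity_type, parents)

def expand(grouping, parents=PARENT):
    """Concrete (leaf) entity types that a query on the grouping covers."""
    leaves = set(parents) - set(parents.values())
    return sorted(t for t in leaves if matches(t, grouping, parents))

# Constructed sample data: (entity type, entity name, resource it can reach).
ACCESS = [
    ("OktaUser", "alice@example.com", "finance-reports"),
    ("SnowflakeLocalUser", "etl_legacy", "finance-reports"),
    ("AwsServicePrincipal", "backup.example.internal", "finance-reports"),
    ("AzureADUser", "bob@example.com", "public-assets"),
]

def who_can_reach(source_type, resource, access=ACCESS, parents=PARENT):
    """Names of entities under source_type with access to the resource."""
    return [name for etype, name, res in access
            if res == resource and matches(etype, source_type, parents)]

if __name__ == "__main__":
    for src in ("OktaUser", "User", "Identity"):
        print(src, "->", who_can_reach(src, "finance-reports"))
```

Registering a new entity type under IdPUser in the parent map makes it appear in expand("User") with no change to the query, which is the behavior the access-review use case above relies on.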
Using Entity Type Groupings
In Query Builder
When creating queries in Query Builder, select an entity type grouping from the dropdown for your source or destination:
Example: Find all users with access to a specific S3 bucket
Source type: User (grouping)
Relationship: related to
Destination type: S3Bucket
Filter: Add bucket name filter
This query returns all user entity types—Okta Users, AWS IAM Users, Local Users, and any other user types—that have access to the specified bucket.
In VQL (Veza Query Language)
Use entity type groupings in VQL queries with the same syntax as entity types:
Available Entity Type Groupings
Identity Types
Grouping | Description | Includes | Use case
Identity | All principals that can have permissions | All User and ServiceAccount types | Complete access coverage across human and non-human identities
User | Human user accounts | OktaUser, AzureADUser, LocalUser | Access reviews for human users
IdPUser | Identity provider users | OktaUser, AzureADUser, GoogleWorkspaceUser | SSO user analysis and federated identity reviews
LocalUser | Application-specific users | SnowflakeLocalUser, HashicorpVaultAlias, MongoDbUser | Local account reviews and orphaned account detection
ServiceAccount | Local accounts for machine access | AwsServicePrincipal, AzureADDevice, GithubApp | NHI access analysis and credential management
AIAgent | Autonomous AI agents | BedrockAgent, VertexAiReasoningEngine | AI agent access auditing and governance
Access Control Types
Grouping | Description | Includes | Use case
Role | Role-based access assignments | AwsIamRole, AzureRole, OktaRole | Role assignment reviews and privilege analysis
Group | Group memberships | ActiveDirectoryGroup, OktaGroup, GoogleGroup | Group access analysis and membership audits
Entitlement | Assignable permissions | Roles, groups, and other access grants | Permission auditing and entitlement reviews
Resource Types
Grouping | Description | Includes | Use case
Resource | Data and applications | S3Bucket, Database, Application, Table | Resource access reviews and data governance
OaaResource | OAA-managed resources | Custom resources via Open Authorization API | Custom application resource reviews
AIModel | Foundation models and LLMs | AwsBedrockModel, GcpVertexAIModel | AI model access governance and deployment reviews
AITool | AI agent tools and capabilities | ActionGroup, KnowledgeBase, MCPServer | AI tool access auditing and agent capability analysis
Credential Types
Grouping | Description | Includes | Use case
Credential | Authentication credentials | Keys, secrets, and access credentials | Comprehensive credential lifecycle management
Key | API access tokens and cryptographic keys | AzureKey, KMSKey, GoogleCloudKey | Key rotation reviews and encryption key management
Secret | Secure credentials for machine access | AzureSecret, SnowflakeSecret, VaultSecret | Secret access auditing and rotation compliance
AccessCreds | Long-lived authentication credentials | AwsAccessKey, AzureCertificate, GitHubToken | Credential hygiene and access key management
Action Types
Grouping | Description | Includes | Use case
Action | Permissions and operations | ReadAction, WriteAction, DeleteAction | Permission analysis and privilege auditing
Universal Types
Grouping | Description | Includes | Use case
Any | All entities in the Access Graph | Every node type (users, resources, credentials) | Cross-entity analysis and testing
The Any grouping matches every entity in your Access Graph and can return very large result sets. Use more specific groupings like User, Resource, or Identity for better performance and more targeted results.
HRIS Types
For HR Information System integrations:
HRISUser | User | Users from HR systems (Workday, SuccessFactors, etc.)
HRISGroup | Group | Groups from HR systems
Custom Application Types (OAA)
For applications integrated via the Open Authorization API, additional entity type groupings are available:
Category | Entity types | Description
Identity | CustomUser, CustomIDPUser, CustomPrincipalUser | Custom user types for OAA applications
Access Control | CustomGroup, CustomIDPGroup, CustomPrincipalGroup, CustomRole, CustomRoleAssignment | Custom access control entities
Resources | CustomResource, CustomSubResource, CustomApplication | Custom application resources and sub-resources
Credentials | CustomAccessCreds, CustomPermission, CustomConfiguredPermission | Custom credential and permission types
Integration | CustomIDPApp, CustomIDPAppAssignment, CustomIDPDomain, CustomPrincipalTenant | Custom integration entities
File System | CustomFileSystemServer, CustomFileSystemMount, CustomFileSystemFolder, CustomFileSystemPermission | Entities for custom file system integrations
Custom OAA groupings are available based on your integrations and may vary by environment.
Performance Considerations and Limitations
Entity type groupings are resolved at query execution time. Queries using broad groupings like Identity or Resource may take longer to execute than queries targeting specific entity types. For optimal performance, use the most specific grouping that meets your needs. Avoid the Any grouping except for exploratory analysis.
Notes:
Grouping availability is limited by your active team and accessible data sources
Query mode (Effective vs. Configured) affects both results and which groupings are available for a given source type
When filtering, some attributes are only available on specific entity types, not on all members of a grouping
