# Entity Type Groupings

Entity type groupings define hierarchical categories in Veza's Access Graph. Instead of searching for OktaUser, AzureADUser, and GoogleWorkspaceUser separately, you can query the **User** grouping to return all user types in a single query.

Groupings use an inheritance model: entity types like `OktaUser` inherit from parent groupings like `IdPUser`, which inherit from broader groupings like `User` and `Identity`. When you query a grouping, results include all entity types in its inheritance tree.

## Understanding Entity Type Groupings

Every entity in the Veza Access Graph has an **entity type** that identifies its source and kind (such as `OktaUser`, `S3Bucket`, or `AwsIamRole`). Entity types inherit from **groupings** that represent broader categories.

### Entity Types

Entity types are discovered from your integrations:

* **Identity providers**: `OktaUser`, `AzureADUser`, `GoogleWorkspaceUser`
* **Data resources**: `S3Bucket`, `Database`, `Notebook`
* **Access control**: `AwsIamRole`, `AzureRole`, `OktaGroup`

### Entity Type Groupings

Groupings organize entity types into a hierarchy:

* **User** – includes all human user accounts (`OktaUser`, `LocalUser`, `AzureADUser`)
* **Resource** – includes data and applications (`S3Bucket`, `Database`, `Application`)
* **Identity** – includes both users and service accounts

When you query the `Identity` grouping, results include all `User` and `ServiceAccount` entities. When you query `User`, results include all `IdPUser` and `LocalUser` entities.

**Grouping Hierarchy (Identity branch):**

{% @mermaid/diagram content="graph TD
subgraph Groupings
Identity\[Identity]
User\[User]
ServiceAccount\[ServiceAccount]
IdPUser\[IdPUser]
LocalUser\[LocalUser]
AIAgent\[AIAgent]
end

Identity --> User
Identity --> ServiceAccount
User --> IdPUser
User --> LocalUser
ServiceAccount --> AIAgent" %}

**Example entity types inheriting from each grouping:**

| Grouping       | Entity Types (examples)                              |
| -------------- | ---------------------------------------------------- |
| IdPUser        | OktaUser, AzureADUser, GoogleWorkspaceUser           |
| LocalUser      | SnowflakeLocalUser, HashicorpVaultAlias, MongoDbUser |
| AIAgent        | BedrockAgent, VertexAiReasoningEngine                |
| ServiceAccount | AwsServicePrincipal, GithubApp, AzureADDevice        |

**When to use entity type groupings:**

* Query all users with access to sensitive data across systems
* Create access reviews that automatically include new user types as integrations are added
* Build queries that work across platforms without specifying each entity type

## Using Entity Type Groupings

### In Query Builder

When creating queries in Query Builder, select an entity type grouping from the dropdown for your source or destination:

**Example: Find all users with access to a specific S3 bucket**

1. **Source type**: User (grouping)
2. **Relationship**: related to
3. **Destination type**: S3Bucket
4. **Filter**: Add bucket name filter

This query returns all user entity types—Okta Users, AWS IAM Users, Local Users, and any other user types—that have access to the specified bucket.

### In VQL (Veza Query Language)

Use entity type groupings in VQL queries with the same syntax as entity types:

```vql
-- Find all identities with access to production resources
SHOW Identity
RELATED TO Resource
WHERE name REGEX '.*prod.*';

-- Find service accounts with credentials
SHOW ServiceAccount
RELATED TO AccessCreds;

-- Find local users without MFA
SHOW LocalUser
WHERE mfa_enabled = false;
```

## Available Entity Type Groupings

### Identity Types

| Grouping           | Description                              | Example Entity Types                                 | Use Case                                                       |
| ------------------ | ---------------------------------------- | ---------------------------------------------------- | -------------------------------------------------------------- |
| **Identity**       | All principals that can have permissions | All User and ServiceAccount types                    | Complete access coverage across human and non-human identities |
| **User**           | Human user accounts                      | OktaUser, AzureADUser, LocalUser                     | Access reviews for human users                                 |
| **IdPUser**        | Identity provider users                  | OktaUser, AzureADUser, GoogleWorkspaceUser           | SSO user analysis and federated identity reviews               |
| **LocalUser**      | Application-specific users               | SnowflakeLocalUser, HashicorpVaultAlias, MongoDbUser | Local account reviews and orphaned account detection           |
| **ServiceAccount** | Local accounts for machine access        | AwsServicePrincipal, AzureADDevice, GithubApp        | NHI access analysis and credential management                  |
| **AIAgent**        | Autonomous AI agents                     | BedrockAgent, VertexAiReasoningEngine                | AI agent access auditing and governance                        |

### Access Control Types

| Grouping        | Description                   | Example Entity Types                         | Use Case                                       |
| --------------- | ----------------------------- | -------------------------------------------- | ---------------------------------------------- |
| **Role**        | Role-based access assignments | AwsIamRole, AzureRole, OktaRole              | Role assignment reviews and privilege analysis |
| **Group**       | Group memberships             | ActiveDirectoryGroup, OktaGroup, GoogleGroup | Group access analysis and membership audits    |
| **Entitlement** | Assignable permissions        | Roles, groups, and other access grants       | Permission auditing and entitlement reviews    |

### Resource Types

| Grouping        | Description                     | Example Entity Types                        | Use Case                                              |
| --------------- | ------------------------------- | ------------------------------------------- | ----------------------------------------------------- |
| **Resource**    | Data and applications           | S3Bucket, Database, Application, Table      | Resource access reviews and data governance           |
| **OaaResource** | OAA-managed resources           | Custom resources via Open Authorization API | Custom application resource reviews                   |
| **AIModel**     | Foundation models and LLMs      | AwsBedrockModel, GcpVertexAIModel           | AI model access governance and deployment reviews     |
| **AITool**      | AI agent tools and capabilities | ActionGroup, KnowledgeBase, MCPServer       | AI tool access auditing and agent capability analysis |

### Credential Types

| Grouping        | Description                              | Example Entity Types                        | Use Case                                           |
| --------------- | ---------------------------------------- | ------------------------------------------- | -------------------------------------------------- |
| **Credential**  | Authentication credentials               | Keys, secrets, and access credentials       | Comprehensive credential lifecycle management      |
| **Key**         | API access tokens and cryptographic keys | AzureKey, KMSKey, GoogleCloudKey            | Key rotation reviews and encryption key management |
| **Secret**      | Secure credentials for machine access    | AzureSecret, SnowflakeSecret, VaultSecret   | Secret access auditing and rotation compliance     |
| **AccessCreds** | Long-lived authentication credentials    | AwsAccessKey, AzureCertificate, GitHubToken | Credential hygiene and access key management       |

### Action Types

| Grouping   | Description                | Example Entity Types                  | Use Case                                   |
| ---------- | -------------------------- | ------------------------------------- | ------------------------------------------ |
| **Action** | Permissions and operations | ReadAction, WriteAction, DeleteAction | Permission analysis and privilege auditing |

### Universal Types

| Grouping | Description                      | Example Entity Types                            | Use Case                          |
| -------- | -------------------------------- | ----------------------------------------------- | --------------------------------- |
| **Any**  | All entities in the Access Graph | Every node type (users, resources, credentials) | Cross-entity analysis and testing |

{% hint style="warning" %}
The **Any** grouping matches every entity in your Access Graph and can return very large result sets. Use more specific groupings like User, Resource, or Identity for better performance and more targeted results.
{% endhint %}

### HRIS Types

For HR Information System integrations:

| Grouping      | Inherits From | Description                                           |
| ------------- | ------------- | ----------------------------------------------------- |
| **HRISUser**  | User          | Users from HR systems (Workday, SuccessFactors, etc.) |
| **HRISGroup** | Group         | Groups from HR systems                                |

### Custom Application Types (OAA)

For applications integrated via the Open Authorization API, additional entity type groupings are available:

| Category           | Groupings                                                                                         | Description                                    |
| ------------------ | ------------------------------------------------------------------------------------------------- | ---------------------------------------------- |
| **Identity**       | CustomUser, CustomIDPUser, CustomPrincipalUser                                                    | Custom user types for OAA applications         |
| **Access Control** | CustomGroup, CustomIDPGroup, CustomPrincipalGroup, CustomRole, CustomRoleAssignment               | Custom access control entities                 |
| **Resources**      | CustomResource, CustomSubResource, CustomApplication                                              | Custom application resources and sub-resources |
| **Credentials**    | CustomAccessCreds, CustomPermission, CustomConfiguredPermission                                   | Custom credential and permission types         |
| **Integration**    | CustomIDPApp, CustomIDPAppAssignment, CustomIDPDomain, CustomPrincipalTenant                      | Custom integration entities                    |
| **File System**    | CustomFileSystemServer, CustomFileSystemMount, CustomFileSystemFolder, CustomFileSystemPermission | Entities for custom file system integrations   |

{% hint style="info" %}
Custom OAA groupings are available based on your integrations and may vary by environment.
{% endhint %}

### Performance Considerations and Limitations

Entity type groupings are resolved at query execution time. Queries using broad groupings like `Identity` or `Resource` may take longer to execute than queries targeting specific entity types. For optimal performance, use the most specific grouping that meets your needs. Avoid the `Any` grouping except for exploratory analysis.

Notes:

* Grouping availability is limited by your active team and accessible data sources
* Query mode (Effective vs. Configured) affects both results and which groupings are available for a given source type
* When filtering, some attributes are only available on specific entity types, not on all members of a grouping
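The following is an added, self-contained Python model of the inheritance behaviour described above (the Identity branch of the grouping hierarchy, the `Any` root, and the three VQL queries shown earlier). It is illustrative code written for this page, not Veza's implementation or API: the `PARENT` table is built only from grouping and entity-type names that appear on this page, the entities and relationships are constructed sample data, relationships are treated as undirected, and a `WHERE` condition on an attribute that an entity does not carry is treated as a non-match (an assumption chosen to make the last note above visible, not a statement of how the product behaves).

```python
"""Toy model of entity type groupings: resolve a grouping to its member types and
evaluate SHOW / RELATED TO / WHERE queries against a small constructed graph.
Added example for this page; not Veza code."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Inheritance table (child -> parent) built from the page's hierarchy diagram
# and example tables. "Any" is the implicit root every type inherits from.
PARENT: dict[str, str] = {
    # groupings
    "Identity": "Any", "Resource": "Any",
    "User": "Identity", "ServiceAccount": "Identity",
    "IdPUser": "User", "LocalUser": "User",
    "AIAgent": "ServiceAccount",
    # concrete entity types (examples from the page)
    "OktaUser": "IdPUser", "AzureADUser": "IdPUser", "GoogleWorkspaceUser": "IdPUser",
    "SnowflakeLocalUser": "LocalUser", "MongoDbUser": "LocalUser",
    "AwsServicePrincipal": "ServiceAccount", "GithubApp": "ServiceAccount",
    "BedrockAgent": "AIAgent",
    "S3Bucket": "Resource", "Database": "Resource",
}


def ancestors(entity_type: str) -> set[str]:
    """The type itself plus every grouping it inherits from, up to Any."""
    chain, cur = {entity_type}, entity_type
    while cur in PARENT:
        cur = PARENT[cur]
        chain.add(cur)
    return chain


def is_a(entity_type: str, grouping: str) -> bool:
    """True if the entity type sits inside the grouping's inheritance tree."""
    return grouping in ancestors(entity_type)


def member_types(grouping: str) -> set[str]:
    """Concrete (leaf) entity types a query for this grouping would cover."""
    leaves = set(PARENT) - set(PARENT.values())
    return {t for t in leaves if is_a(t, grouping)}


@dataclass
class Entity:
    id: str
    type: str
    attrs: dict = field(default_factory=dict)  # e.g. name, mfa_enabled


def matches(e: Entity, where) -> bool:
    """Toy WHERE clause: (attr, value) or (attr, compiled regex).
    Assumption for this model: an entity lacking the attribute never matches."""
    if where is None:
        return True
    attr, expected = where
    if attr not in e.attrs:
        return False
    actual = e.attrs[attr]
    if isinstance(expected, re.Pattern):
        return isinstance(actual, str) and expected.fullmatch(actual) is not None
    return actual == expected


def show(entities, edges, source, related_to=None, where=None, dest_where=None):
    """Toy counterpart of `SHOW <source> [RELATED TO <dest>] [WHERE ...]`.
    `where` filters the source entity, `dest_where` the related destination.
    Returns sorted entity ids."""
    by_id = {e.id: e for e in entities}
    neighbours = {e.id: set() for e in entities}
    for a, b in edges:  # relationships treated as undirected in this toy
        neighbours[a].add(b)
        neighbours[b].add(a)
    out = []
    for e in entities:
        if not is_a(e.type, source) or not matches(e, where):
            continue
        if related_to is not None and not any(
            is_a(by_id[n].type, related_to) and matches(by_id[n], dest_where)
            for n in neighbours[e.id]
        ):
            continue
        out.append(e.id)
    return sorted(out)


# Constructed sample graph (not real data).
ENTITIES = [
    Entity("alice", "OktaUser", {"name": "alice", "mfa_enabled": True}),
    Entity("bob", "SnowflakeLocalUser", {"name": "bob", "mfa_enabled": False}),
    Entity("carol", "AzureADUser", {"name": "carol", "mfa_enabled": False}),
    Entity("ci-bot", "AwsServicePrincipal", {"name": "ci-bot"}),      # no mfa attr
    Entity("support-agent", "BedrockAgent", {"name": "support-agent"}),
    Entity("prod-data", "S3Bucket", {"name": "prod-data"}),
    Entity("dev-analytics", "Database", {"name": "dev-analytics"}),
]
EDGES = [("alice", "prod-data"), ("bob", "dev-analytics"), ("carol", "dev-analytics"),
         ("ci-bot", "prod-data"), ("support-agent", "prod-data")]

if __name__ == "__main__":
    print(sorted(member_types("User")))
    # SHOW Identity RELATED TO Resource WHERE name REGEX '.*prod.*'
    print(show(ENTITIES, EDGES, "Identity", "Resource", dest_where=("name", re.compile(".*prod.*"))))
    # SHOW LocalUser WHERE mfa_enabled = false
    print(show(ENTITIES, EDGES, "LocalUser", where=("mfa_enabled", False)))
```

Running the script shows the broad query for `Identity` picking up the service principal and the AI agent alongside the Okta user, while narrowing to `User` or `LocalUser` drops them; the `mfa_enabled` filter applied to `Identity` silently omits the machine identities that carry no such attribute, which is the effect the last note above warns about.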

***

**Related Topics:**

* [Entities](/4yItIzMvkpAvMVFAamTf/features/search/entities.md)
* [NHI Secrets](/4yItIzMvkpAvMVFAamTf/features/nhi/nhi-secrets.md)
* [Query Builder](/4yItIzMvkpAvMVFAamTf/features/search/query-builder.md)
* [Veza Query Language](/4yItIzMvkpAvMVFAamTf/features/search/vql.md)
