Filters

Veza automatically parses entity metadata, such as storage bucket configuration settings, and user attributes such as manager or mfa_status. This metadata enables fine-grained searches with filters that target these entity attributes.

You can use filters to restrict a search, query, or workflow to return only results with attributes that meet a specified condition. For example:

• Only show identities with a certain manager, department, or activity status.

• Only show resources with a specific configuration, such as S3 Access Control List settings.

• Search by hierarchical group or sub-resource level.

• Only include entities that are in the results of another query.

Filters can also apply to permissions for each result, or on these entities. To add a filter to a search, query, or workflow, click Add Attribute Filter or Add Tag Filter depending on the condition you want to apply.

Attribute filters

Add attribute filters to constrain results based on entity metadata, For example, to identify users by Date Created or Date Updated, or find storage buckets with no access logs. Combine attribute filters in groups to create more specific conditions, for example, to find users where "Is Active" is "False" and "Country Code" is "US".

Click + Add attribute Filter Group from the search bar to apply a constraint on an entity property:

1. Pick the Entity Type to filter. In Authorization Graph, the available entities depend on the layers currently enabled under Advanced Options. Changing the search mode can show extra entity types for some integrations. 1, Pick whether to use AND or OR for the filter group. This determines the behavior of grouped filters on an entity type.

2. Pick an Attribute Field to filter on. The available options depend on the chosen entity type.

3. Pick a filter Operator. You can change the default EQUALS to NOT or INCLUDES, or other operators depending on the attribute.

4. Pick the Attribute Value to filter.

   • The search bar will autocomplete when the Attribute Field is Name and the condition is EQUALS.

   • For timestamp-type fields, you can specify an absolute or relative date to filter values before or after a given point in time.

   • With the operator set to Matches Regular Expression, the value can be a string.

Tag filters

To add a column displaying any tags on the result source or destination, enable the Show tags checkboxes under Advanced Options.

To filter on tags, click Add Tag Filter on the left sidebar. After specifying an entity category to filter, the search field will autocomplete to suggest existing tags.

• Filtering the query source by tags will restrict the search results to only show entities with a matching cloud provider or Veza tag (such as S3 buckets tagged for compliance, or users belonging to department:finance).

• Filtering the destination by tags will restrict the search results to only return source entities with a relationship to entities with the specified tag.

Permission filters

You can use permission filters to find, for example, only service accounts with push permissions to production repositories, or IdP users with the ability to change S3 bucket Access Control Lists.

• System (sometimes called "configured" "or "raw") permissions are individual privileges defined by the provider, such as s3:BucketDelete for AWS IAM.

• Effective permissions are a System permission’s Create|Read|Update|Delete equivalent, for example, Data Write or Metadata Delete.

To filter by permissions, expand the Permissions section. Permission filters can have an OR or AND operator.

• Use OR to find results with any of the specified permissions

• Use AND to find results with all of the specified permissions

Permission filters for Graph can only apply to Effective Permissions. To filter by system permission:

• Switch to System mode

• Click Add Attribute Filter

• For the Entity Type, specify the "grouped" permission category to filter

• For the Attribute, click Permission

• Click the Value field to populate the dropdown.

Filtering principal-based queries by permissions will limit the search results to only return entities allowed to perform the specified action(s) on the destination resource. For resource-based queries, adding permissions will limit the search results to resources one or more principals have authorization to.

Use the Results of One Query to Filter Another Query

Saved query filters are a type of Query Builder filter that uses the output of one query to filter another. Some conditions are too complex for a single query or are more easily expressed in a sequence. For these cases, you can create a pipeline of saved query filters. These are similar to a sub-query in SQL, filtering entities with a matching id.

Tasks you can accomplish with this method include:

• Finding all Box folders accessible by Okta users in a country, and then finding all users outside the country who also have access to those folders.

• Getting Over Provisioned Scores for Snowflake Roles that can be assumed by Snowflake users who are not connected to an Okta user.

To use a query pipeline:

1. Create and save the sub-query. The saved query must have the same source entity type as the entities in the new query to which this filter will apply.

2. Create a new query. Add a source and optional destination entity types.

3. Click Add Attribute Filter Group.

4. Select the Entity Type to filter and click Add Saved Query.

   • Operator: In will filter any results that are in the output of the saved query. Not In will only show results that do not appear in the sub-query.

   • Saved Query: Choose from the list of saved queries. Only queries returning the same results as the Entity Type will appear in the list.

   Note: You can add additional saved query filters, either in the same group or a new filter group.

5. Click Save to apply the filter.

You can chain several queries in this manner. Search times may increase when adding many sub-queries.