# Filters

Veza automatically parses entity metadata, such as storage bucket configuration settings, and user attributes such as `manager` or `mfa_status`. This metadata enables fine-grained searches with filters that target these entity attributes.

You can use filters to restrict a search, query, or workflow to return only results with attributes that meet a specified condition. For example:

* Only show identities with a certain manager, department, or activity status.
* Only show resources with a specific configuration, such as S3 Access Control List settings.
* Search by hierarchical group or sub-resource level.
* Only include entities that are in the results of another query.

Filters can also apply to permissions for each result, or [tags](/4yItIzMvkpAvMVFAamTf/features/search/tags.md) on these entities. To add a filter to a search, query, or workflow, click *Add Attribute Filter* or *Add Tag Filter* depending on the condition you want to apply.

#### Attribute filters

Add attribute filters to constrain results based on entity metadata, for example, to identify users by `Date Created` or `Date Updated`, or to find storage buckets with no access logs. Combine attribute filters in groups to create more specific conditions, for example, to find users where "Is Active" is "False" and "Country Code" is "US".

Click **+ Add Attribute Filter Group** from the search bar to apply a constraint on an entity property:

1. Pick the **Entity Type** to filter. In Access Graph, the available entities depend on the layers currently enabled under *Advanced Options*. Changing the search mode can show extra entity types for some integrations.
2. Pick whether to use **AND** or **OR** for the filter group. This determines the behavior of grouped filters on an entity type.
3. Pick an **Attribute Field** to filter on. The available options depend on the chosen entity type.
4. Pick a filter **Operator**. You can change the default `EQUALS` to `NOT` or `INCLUDES`, or other operators depending on the attribute.
5. Pick the **Attribute Value** to filter.
   * The search bar will autocomplete when the Attribute Field is `Name` and the condition is `EQUALS`.
   * For timestamp-type fields, you can specify an absolute or relative date to filter values before or after a given point in time.
   * With the operator set to *Matches Regular Expression*, the value can be a [Regular Expression](/4yItIzMvkpAvMVFAamTf/features/search/regex.md) string.

#### Tag filters

You can filter search results to only show entities with a matching [tag](/4yItIzMvkpAvMVFAamTf/features/search/tags.md). In Graph search, you can inspect the tags on an entity by clicking on the entity to open the Actions sidebar, and clicking on the number of cloud provider or Veza tags. To show tags in Query Builder, enable source or destination tags under *Advanced Options* > *Tags Options*. You can also click a result name to view tags in the entity details.

To add a column displaying any tags on the result source or destination, enable the **Show tags** checkboxes under **Advanced Options**.

To filter on tags, click *Add Tag Filter* on the left sidebar. After specifying an entity category to filter, the search field will autocomplete to suggest existing tags.

* Filtering the query *source* by tags will restrict the search results to only show entities with a matching cloud provider or Veza tag (such as S3 buckets tagged for compliance, or users belonging to `department:finance`).
* Filtering the *destination* by tags will restrict the search results to only return *source* entities with a relationship to entities with the specified tag.

You can **tag an entity** in your data catalog from the [Identity Data Entities](/4yItIzMvkpAvMVFAamTf/features/insights/entities-overview.md) page, or from the Access Graph by selecting an entity and clicking *Add Tag* on the Actions Sidebar.

#### Permission filters

You can use permission filters to find, for example, only service accounts with push permissions to production repositories, or IdP users with the ability to change S3 bucket Access Control Lists.

* **System** (sometimes called "configured" or "raw") permissions are individual privileges defined by the provider, such as `s3:BucketDelete` for AWS IAM.
* **Effective** permissions are a System permission’s Create|Read|Update|Delete equivalent, for example, `Data Write` or `Metadata Delete`.

To filter by permissions, expand the *Permissions* section. Permission filters can have an `OR` or `AND` operator.

* Use `OR` to find results with any of the specified permissions
* Use `AND` to find results with all of the specified permissions

Permission filters for Graph can only apply to *Effective* Permissions. To filter by system permission:

* Switch to *System* mode
* Click *Add Attribute Filter*
* For the *Entity Type*, specify the "grouped" permission category to filter
* For the *Attribute*, click `Permission`
* Click the *Value* field to populate the dropdown.

![Filtering by grouped AWS permission in "system" query mode](/files/erZx2rVTLVfWiiHhU41e)

> Filtering principal-based queries by permissions will limit the search results to only return entities allowed to perform the specified action(s) on the destination resource. For resource-based queries, adding permissions will limit the search results to resources one or more principals have authorization to.

#### Use the Results of One Query to Filter Another Query

Saved query filters are a type of Query Builder filter that uses the output of one query to filter another. Some conditions are too complex for a single query or are more easily expressed in a sequence. For these cases, you can create a pipeline of saved query filters. These are similar to a sub-query in SQL, filtering entities with a matching `id`.

Tasks you can accomplish with this method include:

* Finding all Box folders accessible by Okta users in a country, and then finding all users outside the country who also have access to those folders.
* Getting Over Provisioned Scores for Snowflake Roles that can be assumed by Snowflake users who are not connected to an Okta user.

To use a query pipeline:

1. Create and save the sub-query. The saved query must have the same source entity type as the entities in the new query to which this filter will apply.
2. Create a new query. Add a source and optional destination entity types.
3. Click **Add Attribute Filter Group**.
4. Select the **Entity Type** to filter and click **Add Saved Query**.

   * **Operator**: *In* will only show results that are in the output of the saved query. *Not In* will only show results that do not appear in the sub-query.
   * **Saved Query**: Choose from the list of saved queries. Only queries that return results of the selected **Entity Type** will appear in the list.

   Note: You can add additional saved query filters, either in the same group or a new filter group.
5. Click **Save** to apply the filter.

You can chain several queries in this manner. Search times may increase when adding many sub-queries.
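The SQL sub-query analogy above, worked through for the Box folder task as an added example (not Veza code or Veza's schema). The tables, names, and sample rows are constructed, and the function names are hypothetical:

```python
import sqlite3

# Constructed sample data: a toy model of an access graph, not Veza's schema.
USERS = [(1, "ana", "US"), (2, "ben", "US"), (3, "chen", "DE"), (4, "dev", "IN")]
FOLDERS = [(10, "finance"), (11, "hr"), (12, "eng-de")]
ACCESS = [(1, 10), (2, 11), (3, 10), (3, 12), (4, 12)]  # (user_id, folder_id)

# Stage 1, the "saved query": ids of folders reachable by users in one country.
SAVED_QUERY = """
    SELECT DISTINCT a.folder_id FROM access a
    JOIN users u ON u.id = a.user_id WHERE u.country = :country
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, country TEXT);
        CREATE TABLE folders(id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE access(user_id INTEGER, folder_id INTEGER);
    """)
    db.executemany("INSERT INTO users VALUES (?,?,?)", USERS)
    db.executemany("INSERT INTO folders VALUES (?,?)", FOLDERS)
    db.executemany("INSERT INTO access VALUES (?,?)", ACCESS)
    return db

def outside_users_with_access(db, country, operator="IN"):
    """Stage 2: users outside `country` whose folders are IN / NOT IN stage 1."""
    if operator not in ("IN", "NOT IN"):  # spliced into the SQL text, so allow-list it
        raise ValueError("operator must be 'IN' or 'NOT IN'")
    sql = f"""
        SELECT u.name, f.name FROM users u
        JOIN access a ON a.user_id = u.id
        JOIN folders f ON f.id = a.folder_id
        WHERE u.country <> :country AND f.id {operator} ({SAVED_QUERY})
        ORDER BY u.name, f.name
    """
    return db.execute(sql, {"country": country}).fetchall()

if __name__ == "__main__":
    db = build_db()
    print(outside_users_with_access(db, "US"))            # folders shared with US users
    print(outside_users_with_access(db, "US", "NOT IN"))  # folders no US user can reach
```

The stage 1 query returns folder ids and stage 2 filters folders, mirroring the requirement that the saved query and the filtered entity share the same entity type.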

