# Access Graph Search

Access Graph is a powerful search engine for visualizing the connections between users, services, and data sources. Graph search provides insight into intermediate relationships such as Role-Based Access Controls, and Identity and Access Management groups. Graph search complements the [Query Builder](/4yItIzMvkpAvMVFAamTf/features/search/query-builder.md) by providing options to explore authorization relationships, uncover anomalies, and identify [risks](/4yItIzMvkpAvMVFAamTf/features/insights/risks.md).

See the following sections to learn more about Access Graph search.

* [Overview](#overview)
* [Graph search options](#graph-search-options)
* [Graph search navigation](#graph-search-navigation)
  * [Graph snapshots](#graph-snapshots)
  * [Table view and graph export](#table-view-and-graph-export)
  * [Locking graph paths](#locking-graph-paths)
  * [Graph relationship options](#graph-relationship-options)
  * [Graph display options](#graph-display-options)
* [Graph actions sidebar](#graph-actions-sidebar)
  * [Entities with hierarchical relationships](#entities-with-hierarchical-relationships)
  * [Effective permissions](#effective-permissions)

### Overview

Use the **Search Bar** at the top of the graph to:

* search for individual entities by name or all entities of the same category (such as `AWS S3 Bucket`).
* save the current graph view, export to a PNG, or create a shareable link.
* open *Tables* view or switch to the Query Builder.
* pick a historic snapshot to run the search against.

The search bar will autocomplete to show possible entities and entity types such as *Users*, *Resources*, and *Services* matching the keyword. Clicking *See All Results* will open a detailed view of the results.

Use the **search options** menu on the left side of the graph to:

* expand the search by adding a relationship to another entity or entity type.
* narrow the current search by [applying a tag or constraint](/4yItIzMvkpAvMVFAamTf/features/search/filters.md).
* toggle highlighting of Risks and other entities of interest.
* enable color-coding by provider account.
* set the visibility of entity types shown in search results.

After you have found a view you want to share with other team members or return to later, you can:

* Save a shortcut to your current graph view by clicking the save icon on the top action bar and adding a title on the modal that follows. You can recall saved views from the *Saved Graphs* submenu.
* Share a direct link to the graph view.
* Save or copy the current view in `PNG` format.
* Export the graph as [tables](#table-view-and-graph-export).

### Graph search options

Searching for a named entity will show the full authorization path for that entity. Optionally searching by entity category will show all entities of that type. After specifying a source entity, you can use the *relates to* option to search for relationships connecting two entity types.

Depending on the search, results can include all relationships for a single named entity, or show the relationships for all entities of the source and destination types. For example, you can *show the full authorization path for a single User entity* or *show connections between all S3 buckets and Okta users*.

You can expand an entity-centric search by adding additional parameters or with graph actions. For example, you can [add a relationship](#graph-search-options) and [toggle layer visibility](#graph-display-options) to explore all paths and intermediate entities connecting a service account and Redshift cluster.

To refine your search, you can apply [filters](/4yItIzMvkpAvMVFAamTf/features/search/filters.md) to only show relationships where entities have a tag or property that matches a condition.

| Search Option                          | Details                                                                                                                                                                                                                         |
| -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Query Mode**                         | Option to show system-level RBAC and IAM entities, or effective permission nodes (Early Access).                                                                                                                                |
| **Relates To**                         | When enabled, only return results with a relationship to the specified destination.                                                                                                                                             |
| **Filters: Attributes**                | [Filter by entity attributes](/4yItIzMvkpAvMVFAamTf/features/search/filters.md#tag-filters) Veza has gathered.                                                                                                                  |
| **Filters: Tags**                      | [Filter by tags](/4yItIzMvkpAvMVFAamTf/features/search/filters.md#tag-filters) on the entity types in the search.                                                                                                               |
| **Filters: Permissions**               | [Filter by effective permissions](/4yItIzMvkpAvMVFAamTf/features/search/filters.md#permission-filters).                                                                                                                         |
| **Advanced Options: Exclude Entities** | Exclude results that have any of the specified entity types in their path.                                                                                                                                                      |
| **Advanced Options: Require Entities** | Include only results that have any of the specified entity types in their path.                                                                                                                                                 |
| **Filters: AWS Account**               | Filter results to show only entities for the specified account IDs.                                                                                                                                                             |
| **Advanced Options: Direction**        | Specify the direction of relationship traversal: **Outgoing** (→ what can source access?), **Incoming** (← who can access source?), or **Any Direction** (system selects optimal direction, preferring paths with permissions). |
| **Advanced Options: Path Type**        | Filter by relationship type: **Permission** (access-granting relationships only), **Non-Permission** (organizational relationships only), or **Any** (all relationships).                                                       |
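
To make the *Direction*, *Exclude Entities*, and *Require Entities* options concrete, the following added example (not Veza code or a Veza API) models them as path filters over a small constructed graph. The entity names, the `find_paths` function, and the choice to test only intermediate entities against the exclude and require lists are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data: node name -> entity type.
NODE_TYPES = {
    "alice": "OktaUser", "bob": "OktaUser", "eng": "OktaGroup",
    "DataRole": "IAMRole", "ReadPolicy": "IAMPolicy",
    "DirectPolicy": "IAMPolicy", "logs-bucket": "S3Bucket",
}
# Constructed edges, pointing from the identity side toward the resource side.
EDGES = [
    ("alice", "eng"), ("bob", "eng"), ("eng", "DataRole"),
    ("DataRole", "ReadPolicy"), ("ReadPolicy", "logs-bucket"),
    ("alice", "DirectPolicy"), ("DirectPolicy", "logs-bucket"),
]


def find_paths(source, relates_to, direction="outgoing",
               exclude_types=(), require_types=()):
    """Return every simple path from `source` to a node of type `relates_to`.

    direction="outgoing" follows edges forward (what can source access?);
    direction="incoming" follows them backward (who can access source?).
    """
    adjacency = defaultdict(list)
    for src, dst in EDGES:
        if direction == "outgoing":
            adjacency[src].append(dst)
        elif direction == "incoming":
            adjacency[dst].append(src)
        else:
            raise ValueError(f"unsupported direction: {direction}")

    results = []

    def walk(node, path):
        if NODE_TYPES[node] == relates_to and len(path) > 1:
            results.append(list(path))
            return
        for nxt in adjacency[node]:
            if nxt not in path:  # simple paths only; guards against cycles
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    walk(source, [source])

    def keep(path):
        # Assumption: only intermediate entities are tested, not the endpoints.
        inner = {NODE_TYPES[n] for n in path[1:-1]}
        if inner & set(exclude_types):
            return False  # Exclude Entities: drop paths containing any listed type
        if require_types and not inner & set(require_types):
            return False  # Require Entities: keep only paths containing a listed type
        return True

    return [p for p in results if keep(p)]
```

In this model, an incoming search from `logs-bucket` with `OktaGroup` excluded leaves only identities whose access does not pass through a group, which is the kind of direct policy attachment an access review usually wants to surface.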

### Graph search navigation

The initial search results view will show no results until you have entered a search term. After providing a search condition, the results will update and you can begin exploring the output. The columns will adapt based on the authorization relationships you are currently inspecting.

Search results appear within containers and columns, depending on the entity category and visible relationships. Identities typically appear on the left side of the graph, with data stores on the right. When several entities have the same name, a number appears next to the entity name to indicate the provider.

Click the actions dropdown next to a column name to show or hide specific entities within it. You can zoom or center with the controls at the bottom of the graph.

Clicking on an entity node will highlight it and expand the **Actions Sidebar** on the right. The [actions sidebar](#graph-actions-sidebar) offers advanced entity-specific options and details.

You can undo and redo your most recent action from the action bar at the bottom of the screen. The current search conditions appear on the left.

#### Graph snapshots

You can view the historic state of your cloud authorization infrastructure at a past date with Veza snapshots. Pick a calendar date from the dropdown menu, and current and future searches will return relationships and metadata from the chosen point in time.

In the current release, Veza retains graph snapshots for 31 days.

To change the snapshot for the graph query, click the *Graph History* icon from the top action bar.

Depending on Veza system settings, search results will:

* Refresh when adding or removing parameters (default), or
* Update when clicking the *Execute Query* button

#### Table view and graph export

Tables View can be useful for working with many search results. After you have fine-tuned the search, you can export it for additional processing in CSV format, or export it in PDF format to share with other teams:

* Click *View AG relationships in table* on the graph search bar
* Click *Export* at the top of the table.

#### Locking graph paths

A path connecting two entities represents a relationship (granting or denying access to a resource). You can click on the connection to *lock* the path and hide all other entities.

#### Graph relationship options

The bottom section of the Navigation bar holds graph visibility controls, in the “Show or Hide Relationships” section. You can collapse a layer (leaving the heading visible but hiding all entities within it), or remove the layer entirely.

You can use this to pick columns and entities to include in search results and graph exports to customize a view before sharing it, or to show only the most important details.

Additionally, the actions dropdown next to a column name provides the option to filter entities in a layer, collapse the layer, or pick specific items to include in the view. You can opt to show only entities associated with a Risk, or only the entities highlighted by a locked path (if enabled for the current search).

> After opening a Graph search from the *Saved Queries* page or the Graph actions sidebar, use *Relationship Options* to show additional layers for an optimal view.

#### Graph display options

The navigation menu provides several options to additionally refine your search:

* *Highlight Entities of Interest > Show Risks*: Veza automatically scans your identity and data authorization relationships for least privilege risks, and highlights the risky entities. Click the node to expand the sidebar and view detailed information for each [Risk](/4yItIzMvkpAvMVFAamTf/features/insights/risks.md).
* *Highlight Entities of Interest > Deactivated Users*: Highlight users that Veza identified as dormant.
* *Advanced View*: Some entities are not shown by default, for better performance and visual clarity. To show all related nodes, toggle "Advanced" in the search options. Depending on your search, the additional nodes might appear in existing layers, or new ones.
* *Show Assume Role*: Update the view to reflect [assume role](https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role.html) operations within and across accounts.
* *Enable Pagination*: Optimizes review of large result sets. When enabled, Left and Right arrows appear at the top of the screen, and the number of *Currently Showing* entities is limited to 10. Each page of results shows just the relationships for the current leftmost entities. To limit layers other than the starting one, click *...* to open the layer actions dropdown.

#### Graph display limits

{% hint style="info" %}
Access Graph visualization has a display limit of **10,000 nodes** per query. This ensures optimal performance and user experience when rendering complex relationship graphs.
{% endhint %}

When a search returns more than 10,000 nodes, the graph may not fully render all results. If this presents a limitation, you can mitigate this by:

* Applying attribute, tag, or permission filters to narrow the result set below the display threshold
* Switching to [Query Builder](/4yItIzMvkpAvMVFAamTf/features/search/query-builder.md) which supports full pagination through large result sets and CSV export
* Using Advanced Options to exclude intermediate entity types from paths
* Enabling pagination in graph display options to view results in smaller batches

{% hint style="warning" %}
If you have identities with an unusually high number of group memberships (10,000+ groups), the graph visualization may struggle to render all relationships. For these cases, use Query Builder for row-based analysis and export to CSV.
{% endhint %}

### Graph actions sidebar

Clicking an entity in Access Graph search results will expand the actions sidebar. This menu provides additional details and search options for the chosen entity. Possible actions vary depending on your search and appear under *Basic Actions*, *Actions*, and the *Properties* section.

*Basic Actions* include a shortcut to view entity details, and the option to add a [filter](/4yItIzMvkpAvMVFAamTf/features/search/filters.md) on the entity category. Applying a filter from the sidebar is a quick way to filter the graph view to narrow in on a particular user, policy, or resource.

| Graph sidebar action               | Details                                                                                                                                           |
| ---------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- |
| Group                              | Collapses and groups entities with the same name. Identical entities such as IAM Policies and Effective Permissions are grouped by default.       |
| Ungroup                            | Makes any nodes that are currently grouped available for individual selection.                                                                    |
| Show Details                       | Show all metadata for the chosen entity. This includes generic identifying information and provider- and resource- specific properties.           |
| Show All Policies                  | Start a search showing all the policies related to an entity.                                                                                     |
| Show JSON Document                 | View the configured policy object for an IAM role and a summary of impacted services.                                                             |
| Show Roles                         | Start a search showing all the roles related to an entity.                                                                                        |
| Add Constraint                     | Quickly filter the chosen entity category by a shared attribute.                                                                                  |
| Add Veza Tag                       | Create or apply an existing Veza Tag to an entity, such as to flag a sensitive data set, assign a custom attribute, or add a note.                |
| Filter by Tag                      | Filter entities of the chosen category by a matching tag.                                                                                         |
| Show Data Access                   | Start a search showing all privileges and authorization for an identity.                                                                          |
| EP - Explain Effective Permissions | See all the policies, statements, and privileges determining the “true” permissions displayed in an effective permissions node.                   |
| Show Hierarchy                     | Show relationships to nested entities of the same category with parent-child relationships (such as other roles, policies, or groups).            |
| Show Identities                    | Start a search showing all the identities that have permissions on the resource.                                                                  |
| Show Groups                        | Start a search showing all the groups related to an entity.                                                                                       |
| Set Owners                         | Set the manager for [certification auto-assignment](/4yItIzMvkpAvMVFAamTf/features/access-reviews/configuration/managers-and-resource-owners.md). |
| Show Data Services                 | Start a search showing all the resources an identity has permissions on.                                                                          |
| Properties > Drill-Down            | Traverse right, expanding the graph towards a related entity category layer.                                                                      |
| Properties > Drill-Up              | Traverse left, expanding the graph towards a related entity category layer.                                                                       |

#### Entities with hierarchical relationships

Some entities, such as AWS IAM roles or AzureAD groups, can have nested relationships. Graph search indicates these relationships with a blue path between nodes within a layer, and an icon.

![Nested groups](/files/fu9M4yWdI3wU5qCemiDT)

Click "Show Hierarchy" on the actions sidebar to open a horizontal view:

![Nested group details](/files/RsX6TAZVFLQ8CUkBWgAm)

To show only top-level (or only nested) entities of the chosen category, apply an attribute filter on the `hierarchical level` property of the role, group, or policy.

**Early Access:** Graph Search Advanced Options: This feature enables showing or hiding entities and relationships that are assumed by way of a secondary entity, such as a nested group or hierarchical role.

* For example, when searching for entity types such as AWS IAM Role > Redshift Database, you can opt to show or hide relationships that involve an assumed AWS IAM Role. Hiding assumed roles will show only paths where roles grant permissions directly to the resource, excluding relationships that involve assumed secondary roles.
* Similarly, for User > Local Group searches, hiding assumed entities will exclude groups the user is indirectly a member of rather than showing all indirect assignments and nested groups.

#### Effective permissions

**Grouped Effective Permissions**: The Graph shows groups of [Effective Permissions](/4yItIzMvkpAvMVFAamTf/glossary/core-concepts-glossary.md#effective-and-system-permissions), representing collections of permissions to a resource. For example, the single AWS IAM permission `S3:deleteBucket` is consolidated with other (M)etadata permissions and represented by a single Effective Permission node.

**Explaining Permissions**: To explain single effective permissions with the same name, click the node to open the actions sidebar and click *Ungroup*. To show the full details for a single effective permission, click the EP node to open the actions sidebar and click *Explain Effective Permissions*.

* Effective Permissions can be Data (C)reate, (R)ead, (W)rite, (D)elete, (N)on-Data, and (M)etadata.
* An Effective Permission labeled **S** (Sub) indicates when permissions do not apply directly to the related service, but that an identity has permissions on any resources under that service. For example, if an identity has an S EP node connecting to a KMS Service in an AWS account, the identity has permissions on some underlying EKS clusters.
