Graph
Visual entity and relationship search for all integrated environments.
Authorization Graph is a powerful search engine for visualizing the connections between users, services, and data sources. Graph search provides insight into intermediate relationships such as Role-Based Access Controls, and Identity and Access Management groups. Graph search complements the Query Builder by providing options to explore authorization relationships, uncover anomalies, and identify risks.
See the following sections to learn more about Authorization Graph search.
Overview
Use the Search Bar at the top of the graph to:
search for individual entities by name, or all entities in the same category (such as AWS S3 Bucket).
save the current graph view, export to a PNG, or create a shareable link.
open Tables view or switch to the Query Builder.
pick a historic snapshot to run the search against.
The search bar will autocomplete to show possible entities and entity types such as Users, Resources, and Services matching the keyword. Clicking See All Results will open a detailed view of the results.
Use the search options menu on the left side of the graph to:
expand the search by adding a relationship to another entity or entity type.
narrow the current search by applying a tag or constraint.
toggle highlighting of Risks and other entities of interest.
enable color-coding by provider account.
set the visibility of entity types shown in search results.
After you have found a view you want to share with other team members or return to later, you can:
Save a shortcut to your current graph view by clicking the save icon on the top action bar and adding a title on the modal that follows. You can recall saved views from the Saved Graphs submenu.
Share a direct link to the graph view.
Save or copy the current view in PNG format.
Export the graph as tables.
Graph search options
Searching for a named entity will show the full authorization path for that entity. Optionally searching by entity category will show all entities of that type. After specifying a source entity, you can use the relates to option to search for relationships connecting two entity types.
Depending on the search, results can include all relationships for a single named entity, or show the relationships for all entities of the source and destination types. For example, you can show the full authorization path for a single User entity, or show connections between all S3 buckets and Okta users.
You can expand an entity-centric search by adding additional parameters or with graph actions. For example, you can add a relationship and toggle layer visibility to explore all paths and intermediate entities connecting a service account and Redshift cluster.
To refine your search, you can apply filters to only show relationships where entities have a tag or property that matches a condition.
Query Mode
Option to show system-level RBAC and IAM entities, or effective permission nodes (Early Access).
Relates To
When enabled, only return results with a relationship to the specified destination.
Filters: Attributes
Filter by entity attributes Veza has gathered.
Filters: Tags
Filter by tags on the entity types in the search.
Filters: Permissions
Advanced Options: Exclude Entities
Exclude results that have any of the specified entity types in their path.
Advanced Options: Require Entities
Include only results that have any of the specified entity types in their path.
Filters: AWS Account
Filter results to show only entities for the specified account IDs.
Graph search navigation
The initial search results view will show no results until you have entered a search term. After providing a search condition, the results will update and you can begin exploring the output. The columns will adapt based on the authorization relationships you are currently inspecting.
Search results appear within containers and columns, depending on the entity category and visible relationships. Identities typically appear on the left side of the graph, with data stores on the right. When several entities have the same name, a number appears next to the entity name to indicate the provider.
Click the actions dropdown next to a column name to show or hide specific entities within it. You can zoom or center with the controls at the bottom of the graph.
Clicking on an entity node will highlight it and expand the Actions Sidebar on the right. The actions sidebar offers advanced entity-specific options and details.
You can undo and redo your most recent action from the action bar at the bottom of the screen. The current search conditions appear on the left.
Graph snapshots
You can view the historic state of your cloud authorization infrastructure at a past date with Veza snapshots. Pick a calendar date from the dropdown menu, and current and future searches will return relationships and metadata from the chosen point in time.
In the current release, Veza retains graph snapshots for 31 days.
To change the snapshot for the graph query, click the Graph History icon from the top action bar.
Depending on Veza system settings, search results will:
Refresh when adding or removing parameters (default), or
Update when clicking the Execute Query button
Table view and graph export
Tables View can be useful for working with many search results. After you have fine-tuned the search, you can export it for additional processing in CSV format, or export it in PDF format to share with other teams:
Click View AG relationships in table on the graph search bar
Click Export at the top of the table.
Locking graph paths
A path connecting two entities represents a relationship (granting or denying access to a resource). You can click on the connection to lock the path and hide all other entities.
Graph relationship options
The bottom section of the Navigation bar holds graph visibility controls, in the “Show or Hide Relationships” section. You can collapse a layer (leaving the heading visible but hiding all entities within it), or remove the layer entirely.
You can use this to pick columns and entities to include in search results and graph exports to customize a view before sharing it, or to show only the most important details.
Additionally, the actions dropdown next to a column name provides the option to filter entities in a layer, collapse the layer, or pick specific items to include in the view. You can opt to show only entities associated with a Risk, or only the entities highlighted by a locked path (if enabled for the current search).
After opening a Graph search from the Saved Queries page or the Graph actions sidebar, use Relationship Options to show or hide additional layers for an optimal view.
Graph display options
The navigation menu provides several options to additionally refine your search:
Highlight Entities of Interest > Show Risks: Veza automatically scans your identity and data authorization relationships for least privilege risks, and highlights the risky entities. Click the node to expand the sidebar and view detailed information for each Risk.
Highlight Entities of Interest > Deactivated Users: Highlight users that Veza identified as dormant.
Advanced View: Some entities are not shown by default, for better performance and visual clarity. To show all related nodes, toggle "Advanced" in the search options. Depending on your search, the additional nodes might appear in existing layers, or new ones.
Show Assume Role: Update the view to reflect assume role operations within and across accounts.
Enable Pagination: Optimizes review of large result sets. When enabled, Left and Right arrows appear at the top of the screen, and the number of Currently Showing entities is limited to 10. Each page of results shows just the relationships for the current leftmost entities. To limit layers other than the starting one, click ... to open the layer actions dropdown.
Graph actions sidebar
Clicking an entity in Authorization Graph search results will expand the actions sidebar. This menu provides additional details and search options for the chosen entity. Possible actions vary depending on your search and appear under Basic Actions, Actions, and the Properties section.
Basic Actions include a shortcut to view entity details, and the option to add a filter on the entity category. Applying a filter from the sidebar is a quick way to filter the graph view to narrow in on a particular user, policy, or resource.
Group
Collapses and groups entities with the same name. Identical entities such as IAM Policies and Effective Permissions are grouped by default.
Ungroup
Makes any nodes that are currently grouped available for individual selection.
Show Details
Show all metadata for the chosen entity. This includes generic identifying information and provider- and resource- specific properties.
Show All Policies
Start a search showing all the policies related to an entity.
Show JSON Document
View the configured policy object for an IAM role and a summary of impacted services.
Show Roles
Start a search showing all the roles related to an entity.
Add Constraint
Quickly filter the chosen entity category by a shared attribute.
Add Veza Tag
Create or apply an existing Veza Tag to an entity, such as to flag a sensitive data set, assign a custom attribute, or add a note.
Filter by Tag
Filter entities of the chosen category by a matching tag.
Show Data Access
Start a search showing all privileges and authorization for an identity.
EP - Explain Effective Permissions
See all the policies, statements, and privileges determining the “true” permissions displayed in an effective permissions node.
Show Hierarchy
Show relationships to nested entities of the same category with parent-child relationships (such as other roles, policies, or groups).
Show Identities
Start a search showing all the identities that have permissions on the resource.
Show Groups
Start a search showing all the groups related to an entity.
Set Owners
Set the manager for certification auto-assignment.
Show Data Services
Start a search showing all the resources an identity has permissions on.
Properties > Drill-Down
Traverse right, expanding the graph towards a related entity category layer.
Properties > Drill-Up
Traverse left, expanding the graph towards a related entity category layer.
Entities with hierarchical relationships
Some entities, such as AWS IAM roles or AzureAD groups, can have nested relationships. Graph search indicates these relationships with a blue path between nodes within a layer, and an icon.
Click "Show Hierarchy" on the actions sidebar to open a horizontal view:
To show only top-level (or only nested) entities of the chosen category, apply an attribute filter on the hierarchical level property of the role, group, or policy.
Early Access: Graph Search Advanced Options: This feature enables showing or hiding entities and relationships that are assumed by way of a secondary entity, such as a nested group or hierarchical role.
For example, when searching for entity types such as AWS IAM Role > Redshift Database, you can opt to show or hide relationships that involve an assumed AWS IAM Role. Hiding assumed roles will show only paths where roles grant permissions directly to the resource, excluding relationships that involve assumed secondary roles.
Similarly, for User > Local Group searches, hiding assumed entities will exclude groups the user is indirectly a member of rather than showing all indirect assignments and nested groups.
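The Require Entities and Exclude Entities options above, and the "hide assumed entities" behaviour described for nested groups and assumed roles, can all be understood as predicates applied to the set of paths between a source and a destination entity type. The following is an added Python example, not Veza's code: it enumerates every path over a small constructed authorization graph and applies each option as a filter. The node names, entity type labels, the edge list and the "assume" edge marker are constructed sample data, and the filter semantics are an assumption about how the options behave, used here to illustrate the idea.

```python
"""Added example (not Veza's code): enumerate identity-to-resource paths over a
constructed authorization graph and apply Require / Exclude / hide-assumed
filters as path predicates. All names and edges below are constructed."""
from collections import defaultdict

# Constructed sample graph: node name -> entity type.
NODES = {
    "alice": "User",
    "bob": "User",
    "dev-group": "LocalGroup",
    "platform-group": "LocalGroup",   # dev-group is nested inside platform-group
    "AppRole": "AWSIAMRole",
    "AdminRole": "AWSIAMRole",        # reached from AppRole by role assumption
    "ReadPolicy": "AWSIAMPolicy",
    "AdminPolicy": "AWSIAMPolicy",
    "analytics-db": "RedshiftDatabase",
}

# Directed edges (src, dst, kind), laid out identity -> resource like the graph
# view. kind "assume" marks a secondary entity reached through nesting or role
# assumption; "direct" is a direct membership or grant.
EDGES = [
    ("alice", "dev-group", "direct"),
    ("bob", "platform-group", "direct"),
    ("dev-group", "platform-group", "assume"),   # nested group membership
    ("platform-group", "AppRole", "direct"),
    ("platform-group", "analytics-db", "direct"),  # group granted directly on the DB
    ("AppRole", "AdminRole", "assume"),            # role chaining
    ("AppRole", "ReadPolicy", "direct"),
    ("AdminRole", "AdminPolicy", "direct"),
    ("ReadPolicy", "analytics-db", "direct"),
    ("AdminPolicy", "analytics-db", "direct"),
]


def build_adjacency(edges):
    adj = defaultdict(list)
    for src, dst, kind in edges:
        adj[src].append((dst, kind))
    return adj


def enumerate_paths(adj, source, target_type, nodes=NODES):
    """Depth-first enumeration of every simple path from `source` to any node
    of `target_type`. A path is a tuple of (node, kind of the edge into it);
    the source carries None. Traversal continues past a matching node so that
    nested entities of the target type (e.g. a parent group) are also found."""
    paths = []

    def dfs(node, path, visited):
        if node != source and nodes[node] == target_type:
            paths.append(tuple(path))
        for nxt, kind in adj.get(node, []):
            if nxt not in visited:
                dfs(nxt, path + [(nxt, kind)], visited | {nxt})

    dfs(source, [(source, None)], {source})
    return paths


def path_types(path, nodes=NODES):
    return {nodes[n] for n, _ in path}


def require_entities(paths, types):
    """Advanced Options > Require Entities: keep paths whose nodes include
    any of the listed entity types."""
    return [p for p in paths if path_types(p) & set(types)]


def exclude_entities(paths, types):
    """Advanced Options > Exclude Entities: drop paths whose nodes include
    any of the listed entity types."""
    return [p for p in paths if not (path_types(p) & set(types))]


def hide_assumed(paths):
    """Hide relationships reached by way of a secondary entity: keep only
    paths whose every edge is a direct membership or grant."""
    return [p for p in paths if all(kind != "assume" for _, kind in p[1:])]


def describe(path):
    return " > ".join(n for n, _ in path)


if __name__ == "__main__":
    adj = build_adjacency(EDGES)
    for user in ("alice", "bob"):
        paths = enumerate_paths(adj, user, "RedshiftDatabase")
        print(f"{user} > RedshiftDatabase: {len(paths)} path(s)")
        for p in paths:
            print("   ", describe(p))
        print("    hide assumed:", [describe(p) for p in hide_assumed(paths)])
        print("    require AWSIAMRole:", len(require_entities(paths, ["AWSIAMRole"])))
        print("    exclude AWSIAMPolicy:", len(exclude_entities(paths, ["AWSIAMPolicy"])))
    groups = enumerate_paths(adj, "alice", "LocalGroup")
    print("alice > LocalGroup:", [describe(p) for p in groups])
    print("    hide assumed:", [describe(p) for p in hide_assumed(groups)])
```

In the sample data, alice reaches the database only through the nested platform-group, so hiding assumed entities removes every one of her paths, while bob keeps the paths that do not pass through the assumed AdminRole; the User > LocalGroup search for alice likewise drops platform-group once indirect membership is hidden.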
Effective permissions
Grouped Effective Permissions: The Graph shows groups of Effective Permissions, representing collections of permissions to a resource. For example, the single AWS IAM permission S3:deleteBucket is consolidated with other (M)etadata permissions and represented by a single Effective Permission node.
Explaining Permissions: To explain single effective permissions with the same name, click the node to open the actions sidebar and click Ungroup. To show the full details for a single effective permission, click the EP node to open the actions sidebar and click Explain Effective Permissions.
Effective Permissions can be Data (C)reate, (R)ead, (W)rite, (D)elete, (N)on-Data, and (M)etadata.
An Effective Permission labeled S (Sub) indicates when permissions do not apply directly to the related service, but that an identity has permissions on any resources under that service. For example, if an identity has an S EP node connecting to a KMS Service in an AWS account, the identity has permissions on some underlying EKS clusters.