Query Builder

Veza includes 400+ pre-built queries for identities, role-based access controls, and data sources in your environment, providing visibility and insight into authorization relationships and configuration anomalies. You can review all these assessments under Access Search > Saved Queries, or create your own with the Query Builder.

Use the Query Builder to search for entities with specific properties or relationships and save queries with a rule or risk level to track results and changes. You can also add labels and update Reports by clicking the Save button.

Creating a query

To start building a custom query, go to Access Search > Query Builder. Every query begins by specifying the entity category to return in the results. You can click on a result name to see additional entity details and add columns for any additional attributes that Veza supports.

For example, you can show relationships between users managed in an identity provider, and databases they can access:

You can search for a single entity type or search using a supertype such as User or Resource. You should update example searches based on the actual entity types and integrations for your environment.

  1. Create a simple query:

    • Go to Access Visibility > Query Builder

    • Choose Okta User as the source Entity Type

    • Add a destination by choosing Snowflake Database as the Related To entity

  2. Inspect the results. Each result represents the total access for a user.

    • Click the number of Snowflake Databases to review all the databases and permissions the user relates to.

    • If an entity is in the results of any queries with a risk level, it is marked with the risk level Critical or Warning. Click the risk level to open the Risks page, where you can see trends and manage exceptions.

    • Review the result attributes. Every attribute Veza collects or generates for an entity appears in its own row, which you can enable or disable and apply filters to.

  3. Show or hide columns to make the output more readable and focus on the most important metadata.

    • Click Columns to list all available attributes. Scroll down to show or hide any one of them.

    • Sort by columns such as the total number of relationships and Risk Score. An entity's Risk Score depends on how many queries with a risk level include that entity in their results.

To create meaningful insights for use in reports and alerts, you will want to refine the search by adding filters on entity attributes, and constraints on relationships, such as whether a result involves a specific group or role.

The query results will update dynamically, narrowing based on the options you apply. The finished query can be fine-tuned, for example, to

  • Only show identities with specific capabilities on a resource with a permissions filter

  • Filter based on a naming pattern with regular expressions

  • Filter results by last access date or activity status

  • Only show results for an individual provider account or tenant

  • Run the query against a specific graph snapshot

  • Show results with or without a relationship to an intermediate group, role, or policy

The rest of this document describes all Query Builder options. You can review built-in Saved Queries for inspiration, or see the following topics for more information:

Basic options

A query starts with a source, which can be an entity type (such as Active Directory User) or supertype (such as any User). To show all the entities Veza has discovered, pick from the Entity Type dropdown and run the query. From there, you can filter by tags, permissions, or attributes to create meaningful queries based on your needs and environment. To view past configurations, use the time machine.

Queries can be resource-centric or principal-centric, depending on your choices. For example, you can search for all S3 buckets associated with IdP users, or IdP identities with access to S3.

Query Mode: Choose whether to return configured system permission entities or effective permission calculations.

Entity Type: The source entity type or supertype to return as query results.

Relates To: When enabled, only return results with a relationship to the specified destination entity type.

Attribute Filter Group: Filter by entity attributes created or discovered by Veza.

Tag Filter: Filter by tags on the source or destination entities.

Permissions: Filter by the capabilities the source has on the related resource (the permissions filter described above).

Time Machine: Pick a date or time period to run the query against historic graph data.

  • You can filter the source entity type to only get results that are recently active, disabled, or meet criteria based on any other metadata Veza has collected.

  • Filter the related entity type to get results related to destinations that meet those criteria, such as databases flagged for PCI compliance.

  • Adding a related entity will only return results with a relationship to entities of the chosen type (such as "Okta Users with Snowflake Table permissions").

  • To filter on a range of attributes and possible values, you can combine attribute filters with AND or OR statements, and use regular expressions.
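The following is an added illustration of how attribute filter groups combine with AND/OR and regular expressions; it is not Veza's code or query definition format. The filter tree shape, the operator names (eq, regex, before), the attribute names and the sample user records are all constructed for the example.

```python
"""Toy evaluator for attribute filter groups combined with AND/OR and regular
expressions.  Added illustration: the filter format, operator names, attribute
names and sample entities are constructed for the example and are not Veza's
query definition format."""
import re
from datetime import date

# Constructed source entities carrying the kind of metadata a filter might use.
USERS = [
    {"name": "alice@example.com", "is_active": True, "last_login": "2024-05-30", "mfa_enabled": True},
    {"name": "svc-etl@example.com", "is_active": True, "last_login": "2024-01-02", "mfa_enabled": False},
    {"name": "bob@example.com", "is_active": False, "last_login": "2023-11-15", "mfa_enabled": True},
    {"name": "svc-backup@example.com", "is_active": True, "last_login": None, "mfa_enabled": False},
]


def matches(entity, node):
    """Recursively evaluate a filter tree.  A leaf compares one attribute;
    a group node combines its children with "and" or "or"."""
    if "and" in node:
        return all(matches(entity, child) for child in node["and"])
    if "or" in node:
        return any(matches(entity, child) for child in node["or"])
    value = entity.get(node["attr"])
    op, target = node["op"], node.get("value")
    if op == "eq":
        return value == target
    if op == "regex":
        return value is not None and re.search(target, value) is not None
    if op == "before":
        # Date attribute older than the cut-off; a missing date counts as "never".
        return value is None or date.fromisoformat(value) < date.fromisoformat(target)
    raise ValueError(f"unknown operator {op!r}")


def select(entities, filt):
    """Return the names of the entities that satisfy the filter tree."""
    return [e["name"] for e in entities if matches(e, filt)]


# Active accounts whose name matches a service-account pattern AND that are
# either stale (no login since the cut-off) OR have no MFA enabled.
STALE_OR_NO_MFA_SERVICE_ACCOUNTS = {"and": [
    {"attr": "is_active", "op": "eq", "value": True},
    {"attr": "name", "op": "regex", "value": r"^svc-"},
    {"or": [
        {"attr": "last_login", "op": "before", "value": "2024-03-01"},
        {"attr": "mfa_enabled", "op": "eq", "value": False},
    ]},
]}

if __name__ == "__main__":
    print(select(USERS, STALE_OR_NO_MFA_SERVICE_ACCOUNTS))
```

The nested group under the top-level AND is what lets one saved query express "stale or unprotected" without running two separate searches; a missing date is deliberately treated as matching "before" so that accounts that have never logged in are not silently dropped from an activity filter.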

Advanced options

Use the advanced options section to create a more specific search. These options apply constraints based on relationship qualities such as the number of related entities, or the existence of an intermediate entity. They are often used to identify cases where access is (or is not) enabled by a specific group or role, or filter out results based on intermediate entity attributes. Advanced options can:

  • Filter on how many possible source entities a result relates to (e.g. "No more than 1" or "80% of the total").

  • Find entities that aren't related.

  • Filter by over-provisioned score, when Access Monitoring is enabled.

  • Inspect and create rules around complex relationships such as nested roles or groups.

  • Find all “Super Users” related to a given percentage of all possible roles or other entities.

Does not relate to: Only return results without a relationship to the chosen entity type.

Related entity limit: Only return results whose total connections to destination entities is greater than or less than the specified count or percentage.

Exclude Entities: Exclude results that have any of the specified entity types in their path.

Require Entities: Include only results that have any of the specified entity types in their path.

Specific Related Entity: Only return results with a relationship to a single entity specified by name.

Summary Entities: Enable the option to show the chosen entity types existing in the path connecting the source and destination, such as intermediate projects and roles.

Summary Entity Count: Filter based on the number of entities in the Summary Entity column.

Includes all source tags: Show tags applied to results in an additional column.

Includes all destination tags: Show tags on destination entities (if visible) in an additional column.

Include assumed groups/roles: Include or exclude results that are due to indirect relationships, such as when one role can assume another. This option is only shown when the destination type can be nested (such as Snowflake Roles or AD Groups).

Over Provisioned Score Threshold: Filter results by percent of unused permissions. This option is only available when both entity types support Access Monitoring.

Result options

By default, Query Builder returns entities of the source type that meet the search criteria, including a total count. Query Builder can optionally return a result for each unique relationship. In this mode, you can further show a summary of entities in the path enabling the connection. These features can be useful when inspecting relationships between identities, RBAC controls, and resources.

To change the result mode, click show {destination entities} above the search results. You will notice that several rows can now appear for each user. This is because a result is now returned for each unique source > destination pair.

Click Show Summary Entities to add a column indicating when the selected Summary Entities exist in the path (for example, the group connecting an identity and a resource).

  • The results show the source User, intermediate groups and roles, and the Database the user can access.

  • Click an entry in the Summary Entities column to view the full path and more details.

  • The Permissions columns show the actions the source can take on the resource. These appear in both provider-native System terms and the Effective Create/Read/Update/Delete capabilities each system permission corresponds to.

Show destination entities: Show results as source-destination pairs, with columns showing related entity attributes.

Show summary entities: Show a column containing the chosen summary entity types existing in the path.

View heatmaps: Visualize results as heatmaps.

Open in graph: Change the search to a graph query.

  • For more information about Summary Entities (in the context of Access Workflows), see Presentation Options.
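To make the semantics of the advanced relationship options and the two result modes concrete, the following added example evaluates them over a small constructed access graph (Okta users reaching Snowflake databases through groups and roles, matching the walkthrough query). It is an illustration only, not Veza's code or API: the graph, the entity and role names, and the `query`, `paths_to` and `entities_of` functions are all made up here.

```python
"""Toy evaluator for the relationship constraints (does not relate to, related
entity limit, exclude/require entities, specific related entity, summary
entities) and the per-source vs. per-pair result modes described above.
Added illustration only: the access graph, names and functions are constructed
for the example and are not Veza's code or API."""

# Constructed access graph.  Nodes are (entity_type, name); each entry lists the
# entities a node is directly related to.  Okta users reach Snowflake databases
# through a group and roles; one role is nested behind a group.
EDGES = {
    ("OktaUser", "alice"): [("OktaGroup", "data-eng")],
    ("OktaUser", "bob"): [("OktaGroup", "data-eng"), ("SnowflakeRole", "ANALYST")],
    ("OktaUser", "carol"): [("SnowflakeRole", "ADMIN")],
    ("OktaUser", "dave"): [],  # an identity with no downstream access
    ("OktaGroup", "data-eng"): [("SnowflakeRole", "ANALYST")],
    ("SnowflakeRole", "ANALYST"): [("SnowflakeDatabase", "SALES")],
    ("SnowflakeRole", "ADMIN"): [
        ("SnowflakeDatabase", "SALES"),
        ("SnowflakeDatabase", "HR"),
        ("SnowflakeDatabase", "FINANCE"),
    ],
}


def entities_of(entity_type):
    """All nodes of a type, whether they appear as a key or only as a target."""
    nodes = set(EDGES) | {n for targets in EDGES.values() for n in targets}
    return sorted(n for n in nodes if n[0] == entity_type)


def paths_to(source, dest_type, path=()):
    """Yield (intermediate_nodes, destination) for every path from source to an
    entity of dest_type.  Nested groups/roles are followed; cycles are cut."""
    for nxt in EDGES.get(source, []):
        if nxt[0] == dest_type:
            yield path, nxt
        elif nxt not in path:
            yield from paths_to(nxt, dest_type, path + (nxt,))


def query(source_type, dest_type, *, does_not_relate=False, require_types=(),
          exclude_types=(), specific_dest=None, min_count=None, max_count=None,
          min_percent=None, summary_types=(), per_pair=False):
    """Evaluate a source -> destination query under the advanced options.

    A path is dropped when it contains an excluded entity type, or when
    require_types is set and none of them appear on it.  A source -> destination
    pair survives if at least one of its paths survives.  Counting the surviving
    destinations per source implements the related entity limit (as a count or
    as a percentage of all destination entities of that type).
    """
    total = len(entities_of(dest_type)) or 1
    rows = []
    for src in entities_of(source_type):
        pairs = {}  # destination -> summary entities seen on any kept path
        for inter, dest in paths_to(src, dest_type):
            types = {n[0] for n in inter}
            if types & set(exclude_types):
                continue
            if require_types and not types & set(require_types):
                continue
            if specific_dest is not None and dest[1] != specific_dest:
                continue
            summary = pairs.setdefault(dest, set())
            summary.update(n for n in inter if n[0] in summary_types)
        count = len(pairs)
        if does_not_relate:  # "Does not relate to": keep only sources with no path
            if count == 0:
                rows.append({"source": src[1], "count": 0})
            continue
        if count == 0:
            continue
        if min_count is not None and count < min_count:
            continue
        if max_count is not None and count > max_count:
            continue
        if min_percent is not None and 100 * count / total < min_percent:
            continue
        if per_pair:  # "Show destination entities" mode: one row per pair
            for dest in sorted(pairs):
                rows.append({"source": src[1], "destination": dest[1],
                             "summary": sorted(n[1] for n in pairs[dest])})
        else:  # default mode: one row per source with its destination count
            rows.append({"source": src[1], "count": count})
    return rows


if __name__ == "__main__":
    for row in query("OktaUser", "SnowflakeDatabase", per_pair=True,
                     summary_types=("OktaGroup", "SnowflakeRole")):
        print(row)
```

Running the default query returns one row per user with the number of databases reached; switching `per_pair` on returns a row per user and database, and `summary_types` fills the summary column with the groups and roles on the path, which is how an intermediate group connecting an identity to a resource becomes visible. `min_percent` reproduces the "related to a given percentage of all possible entities" check used to find super users, and `exclude_types` versus `require_types` separates access granted through a group from access granted directly.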

Heatmaps

Heatmaps show a visualization of how privileges are distributed for a given source entity type and related entity type, such as users related to the most roles. This view can be useful for finding overly-broad IAM roles or policies, over-permissioned users, or resources that are widely accessible.

To open a heatmap:

  1. Search for two related entity types.

  2. Click View as Heatmaps.

  3. Click Edit Thresholds to change how entities are color-coded.

  4. Click View as Table to go back to the search results.

Entities with the most relationships (sorted from highest to lowest count) appear on the left, and entities with the fewest appear on the right, in green. Alter the query to update the results based on a filter or other constraints.

Saving a query

In Query Builder, use the Save button to add the query to the Saved Queries list. This enables integrating the query with other features, such as:

  • Setting a risk level or sorting with labels

  • Adding rules to trigger alerts based on the query

  • Including the query in reports or on the dashboard

You can manage all built-in and user-created queries on the Saved Queries page. See the following sections for more detail on the options available when saving a query:

Query details

Add details for a saved query to label and categorize it, and set whether it is private or visible to all users. You can also set a risk level for the query.

  • Labels organize queries and can automatically populate reports. You can pick from existing labels or create them when saving a query.

  • Adding a Risk Level highlights query results with a critical or warning indicator, and enables risk score calculation for monitoring and evaluating entities that meet the search criteria.

  • Query Visibility determines whether other non-admin users can view and edit the saved query.

Rules and alerts

Rules inform Veza operators and trigger events when query results change, or when the attributes of entities in the results change. Set the criteria for the rule to trigger alerts in the Conditions section.

Alerts can integrate with other systems depending on the notifications and webhooks an administrator has configured. You can set these destinations in the Rule Actions section.

See Rules and Alerts for more details.

Reports

Pick from the list of Reports and report sections to add the query to them. Use reports to organize important queries, and share them with other users and teams.

Additional options

Use the Save Query dropdown menu to export the chosen columns and results for further analysis, or get a query definition suitable for use with the Query Builder API:

  • Click View to inspect the request in JSON format.

  • Click Copy to immediately add it to your clipboard for pasting into another application.
