Query Builder
Creating a query
To start building a custom query, go to Access Search > Query Builder. Every query begins by specifying the entity category to return in the results. You can click on a result name to see additional entity details and add columns for any additional attributes that Veza supports.
For example, you can show relationships between users managed in an identity provider and the databases they can access.
You can search for a single entity type, or search using a supertype such as User or Resource. Update the example searches below to match the actual entity types and integrations in your environment.
Create a simple query:
Go to Access Visibility > Query Builder.
Choose Okta User as the source Entity Type.
Add a destination by choosing Snowflake Database as the Related To entity.
Inspect the results. Each result represents one user's total access to Snowflake databases.
Click the number of Snowflake Databases to review all the databases and permissions the user relates to.
Review the result attributes. Every attribute Veza collects or generates for an entity appears as its own row in the Columns list, where you can show or hide it and apply filters on it.
Show or hide columns to make the output more readable and focus on the most important metadata.
Click Columns to list all available attributes. Scroll down to show or hide any one of them.
Sort by columns such as the total number of relationships or Risk Score. An entity's Risk Score is derived from how many saved queries with an assigned risk level include that entity in their results.
To create meaningful insights for use in reports and alerts, you will want to refine the search by adding filters on entity attributes, and constraints on relationships, such as whether a result involves a specific group or role.
The query results will update dynamically, narrowing based on the options you apply. The finished query can be fine-tuned, for example, to
Only show identities with specific capabilities on a resource with a permissions filter
Filter based on a naming pattern with regular expressions
Filter results by last access date or activity status
Only show results for an individual provider account or tenant
Run the query against a specific graph snapshot
Show results with or without a relationship to an intermediate group, role, or policy
The rest of this document describes all Query Builder options. You can review built-in Saved Queries for inspiration, or see the following topics for more information:
Basic options
A query starts with a source, which can be an entity type (such as Active Directory User) or a supertype (such as any User). To show all the entities Veza has discovered, pick from the Entity Type dropdown and run the query. From there, you can filter by tags, permissions, or attributes to create meaningful queries based on your needs and environment. To view past configurations, use the time machine to run the query against an earlier graph snapshot.
Queries can be resource-centric or principal-centric, depending on your choices. For example, you can search for all S3 buckets associated with IdP users, or IdP identities with access to S3.
You can filter the source entity type to only return entities that are recently active, disabled, or meet criteria based on any other metadata Veza has collected.
Filter the related entity type to get results related to destinations that meet that criteria, such as databases flagged for PCI compliance.
Adding a related entity will only return results with a relationship to entities of the chosen type (such as "Okta Users with Snowflake Table permissions").
To filter on a range of attributes and possible values, you can combine attribute filters with AND or OR statements, and use regular expressions.
Advanced options
Use the advanced options section to create a more specific search. These options apply constraints based on relationship qualities such as the number of related entities, or the existence of an intermediate entity. They are often used to identify cases where access is (or is not) enabled by a specific group or role, or filter out results based on intermediate entity attributes. Advanced options can:
Filter on how many possible source entities a result relates to (e.g. "No more than 1" or "80% of the total").
Find entities that aren't related.
Inspect and create rules around complex relationships such as nested roles or groups.
Find all “Super Users” related to a given percentage of all possible roles or other entities.
Result options
By default, Query Builder returns entities of the source type that meet the search criteria, including a total count. Query Builder can optionally return a result for each unique relationship. In this mode, you can further show a summary of entities in the path enabling the connection. These features can be useful when inspecting relationships between identities, RBAC controls, and resources.
To change the result mode, click Show {destination entities} above the search results. Several rows can now appear for each user, because a result is returned for each unique source > destination pair.
Click Show Summary Entities to add a column indicating when the selected Summary Entities exist in the path (for example, the group connecting an identity and a resource).
The results show the source User, intermediate groups and roles, and the Database the user can access.
Click an entry in the Summary Entities column to view the full path and more details.
The Permissions columns show the actions the source can take on the resource. These appear in both provider-native System terms and the Effective Create/Read/Update/Delete capabilities each system permission corresponds to.
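To make the relationship semantics described above concrete, here is an added example in Python that is not Veza's code or API: it models a query over a small, constructed access graph. The entity names, the user > group > role > database edges, and the mapping from system permissions to effective CRUD are all assumptions made for illustration (the real mapping is provider-specific). It shows the default one-row-per-source mode with a destination count, the per-relationship mode with summary entities and both permission views, and the advanced constraints of "related to at least N% of all destinations", "not related", and "path does (or does not) pass through a given group".

```python
"""Toy model of Query Builder relationship queries over a constructed graph.

Added example, not Veza code. Entities are "type:name" strings; EDGES and the
EFFECTIVE mapping are constructed for illustration only.
"""
from collections import defaultdict

# Constructed graph: (from, to, system permission on the final hop or None).
# Shape: okta_user -> okta_group -> snowflake_role -> snowflake_db
EDGES = [
    ("okta_user:alice", "okta_group:analysts", None),
    ("okta_user:bob", "okta_group:analysts", None),
    ("okta_user:bob", "okta_group:admins", None),
    ("okta_user:carol", "okta_group:contractors", None),   # dead end: no role
    ("okta_group:analysts", "snowflake_role:reader", None),
    ("okta_group:admins", "snowflake_role:sysadmin", None),
    ("snowflake_role:reader", "snowflake_db:sales", "SELECT"),
    ("snowflake_role:sysadmin", "snowflake_db:sales", "OWNERSHIP"),
    ("snowflake_role:sysadmin", "snowflake_db:hr", "OWNERSHIP"),
    ("snowflake_role:sysadmin", "snowflake_db:finance", "OWNERSHIP"),
]

# Assumed mapping from provider-native (system) permissions to effective CRUD.
EFFECTIVE = {"SELECT": {"R"}, "INSERT": {"C"}, "OWNERSHIP": {"C", "R", "U", "D"}}


def entity_type(entity):
    return entity.split(":", 1)[0]


def entities_of_type(etype):
    return sorted({e for edge in EDGES for e in edge[:2] if entity_type(e) == etype})


def reachable(source, dest_type):
    """Map each destination of dest_type reachable from source to the
    intermediate entities on any path to it and the system permissions
    granted on the final hop. Depth-first; the path check avoids cycles."""
    found = defaultdict(lambda: {"path": set(), "system": set()})

    def walk(node, path):
        for src, dst, perm in EDGES:
            if src != node or dst in path:
                continue
            if entity_type(dst) == dest_type:
                found[dst]["path"].update(path[1:])   # everything but the source
                if perm:
                    found[dst]["system"].add(perm)
            else:
                walk(dst, path + [dst])

    walk(source, [source])
    return dict(found)


def entity_rows(source_type, dest_type):
    """Default result mode: one row per source entity with its destination count."""
    return {s: len(reachable(s, dest_type)) for s in entities_of_type(source_type)}


def pair_rows(source_type, dest_type):
    """Per-relationship mode: one row per unique source > destination pair,
    with summary entities on the path and system vs effective permissions."""
    rows = []
    for s in entities_of_type(source_type):
        for d, info in sorted(reachable(s, dest_type).items()):
            eff = set().union(*(EFFECTIVE.get(p, set()) for p in info["system"]))
            rows.append({
                "source": s,
                "destination": d,
                "summary_entities": sorted(info["path"]),
                "system": sorted(info["system"]),
                "effective": "".join(c for c in "CRUD" if c in eff),
            })
    return rows


def related_to_fraction(source_type, dest_type, min_fraction):
    """Advanced option: sources related to at least min_fraction of ALL
    destinations of dest_type (e.g. 0.8 to find 'super users')."""
    total = len(entities_of_type(dest_type))
    return [s for s, n in entity_rows(source_type, dest_type).items()
            if total and n / total >= min_fraction]


def unrelated(source_type, dest_type):
    """Advanced option: sources with no relationship to any destination."""
    return [s for s, n in entity_rows(source_type, dest_type).items() if n == 0]


def via_intermediate(source_type, dest_type, intermediate, present=True):
    """Advanced option: keep pairs whose path does (present=True) or does not
    (present=False) pass through the given group, role, or policy."""
    return [r for r in pair_rows(source_type, dest_type)
            if (intermediate in r["summary_entities"]) == present]


if __name__ == "__main__":
    print("Okta Users -> Snowflake Databases:", entity_rows("okta_user", "snowflake_db"))
    for row in pair_rows("okta_user", "snowflake_db"):
        print(row)
    print("Related to >= 80% of databases:", related_to_fraction("okta_user", "snowflake_db", 0.8))
    print("No database access:", unrelated("okta_user", "snowflake_db"))
    print("Access not via admins group:",
          [(r["source"], r["destination"]) for r in
           via_intermediate("okta_user", "snowflake_db", "okta_group:admins", present=False)])
```

In this model bob reaches the sales database through two paths (analysts > reader with SELECT, and admins > sysadmin with OWNERSHIP), so his single sales row carries four summary entities and an effective CRUD of "CRUD", while alice's row carries only "R"; carol, whose group grants no role, appears only in the "not related" result. That is the distinction the per-relationship mode and the intermediate-entity constraints are meant to surface.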
Heatmaps
Heatmaps show a visualization of how privileges are distributed for a given source entity type and related entity type, such as users related to the most roles. This view can be useful for finding overly-broad IAM roles or policies, over-permissioned users, or resources that are widely accessible.
To open a heatmap:
Search for two related entity types.
Click View as Heatmaps.
Click Edit Thresholds to change how entities are color-coded
Click View as Table to go back to the search results.
Entities with the most relationships appear on the left, sorted from highest to lowest count, and entities with the fewest appear on the right, shaded green. Alter the query to update the heatmap based on a filter or other constraints.
Saving a query
In Query Builder, use the Save button to add the query to the Saved Queries list. Saving enables integrating the query with other features, such as:
Setting a risk level or sorting with labels
Adding rules to trigger alerts based on the query
Including the query in reports or on the dashboard
Query details
Labels organize queries and can automatically populate reports. You can pick from existing labels or create them when saving a query.
Adding a Risk Level highlights query results with a critical or warning indicator, and enables risk score calculation for monitoring and evaluating entities that meet the search criteria.
Query Visibility determines whether other non-admin users can view and edit the saved query.
Rules and alerts
Rules notify Veza operators and trigger events when query results change, or when the attributes of entities in the results change. Set the criteria that trigger the rule in the Conditions section.
Alerts can integrate with other systems depending on the notifications and webhooks an administrator has configured. Choose these destinations in the rule Actions section.
Reports
Additional options
Click View to inspect the request in JSON format.
Click Copy to immediately add it to your clipboard for pasting into another application.