Query Mode
Working with effective or system mode for queries, search, and workflow results.
Veza provides two distinct query modes that determine which authorization relationships are visible in searches, graphs, and access reviews.
Query Modes
Effective mode displays the actual permissions a principal can exercise after applying all restrictions, including deny policies, service control policies (SCPs), and network controls. This mode represents the final computed access level.
System mode displays the configured authorization relationships as they exist in source systems, without applying restrictive policies. This mode reveals the complete configured access structure, including intermediate entities and potential access paths.
System mode includes relationships and entities that are filtered out of Effective mode. For example, Azure AD PIM eligibility schedules represent configured potential access rather than active permissions, so they only appear in System mode.
System mode also exposes intermediate authorization entities such as role bindings, group memberships, and policy attachments that explain how access flows between identities and resources.
See Intermediate Entities for example queries possible in this mode. System mode also enables the full range of possible selections for Access Reviews Summary Entities.
Permissions in System mode
Search and Access Reviews present a natural-language summary of the actions that identities can ultimately take on a resource, in the form of Effective Permissions (EP). The default Effective mode shows the cumulative level of access a principal has on a resource, after accounting for all roles, groups, and elements such as policy "deny" statements.
In Effective mode, you can click on a single Permission node in Authorization Graph and click Explain Effective Permissions to view the configured system-level authorization relationships that result in the EP calculation. Typically, this will show additional entities such as policies, groups, and roles configured for the principal.
System mode enables visualization and constraints on raw authorization nodes such as role bindings and group memberships, and the exact permissions connecting identities, policies, and resources.
In general, enabling System mode adds context for understanding and mapping role-based access controls in Google Cloud Platform and Microsoft Azure AD. System mode is especially useful for searching and filtering on the intermediate entities, such as roles and groups, that connect identities and resources.
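The following is an added, simplified model of the distinction described above; it is illustrative code, not Veza's implementation. It uses constructed identities, groups, role bindings, a deny statement and an SCP-style guardrail, and treats a PIM-style "eligible" binding as configured but not active access, so it appears only in the System-mode view.

```python
# Illustrative model of System mode vs Effective mode. Not Veza's code:
# a constructed, simplified graph of identities, groups, role bindings,
# deny statements and an SCP-style guardrail (all names are hypothetical).
from typing import Dict, List, Set, Tuple

# Constructed sample data: group memberships per principal.
MEMBERSHIPS: Dict[str, Set[str]] = {"alice": {"devs"}, "bob": {"devs", "ops"}}
# Role bindings: (principal or group, role, resource, eligible_only).
# eligible_only models PIM-style eligibility: configured, not active.
ROLE_BINDINGS: List[Tuple[str, str, str, bool]] = [
    ("devs", "storage.objectViewer", "bucket-a", False),
    ("ops", "storage.objectAdmin", "bucket-a", False),
    ("bob", "storage.admin", "bucket-a", True),   # PIM-eligible only
]
ROLE_PERMS: Dict[str, Set[str]] = {
    "storage.objectViewer": {"read"},
    "storage.objectAdmin": {"read", "write", "delete"},
    "storage.admin": {"read", "write", "delete", "setIamPolicy"},
}
# Explicit deny statements: (principal, permission, resource).
DENY: Set[Tuple[str, str, str]] = {("bob", "delete", "bucket-a")}
# SCP-style guardrail: the most any principal may ever hold on a resource.
SCP_ALLOWED: Dict[str, Set[str]] = {"bucket-a": {"read", "write", "delete"}}


def system_mode(principal: str, resource: str) -> List[Tuple[str, str, bool]]:
    """Configured access paths as (via, role, eligible_only), inactive ones included."""
    subjects = {principal} | MEMBERSHIPS.get(principal, set())
    return [(via, role, elig) for via, role, res, elig in ROLE_BINDINGS
            if via in subjects and res == resource]


def effective_mode(principal: str, resource: str) -> Set[str]:
    """Permissions the principal can actually exercise on the resource."""
    perms: Set[str] = set()
    for _via, role, eligible_only in system_mode(principal, resource):
        if not eligible_only:                 # eligibility is not active access
            perms |= ROLE_PERMS[role]
    # Remove anything an explicit deny statement takes away.
    perms -= {p for who, p, res in DENY if who == principal and res == resource}
    # The guardrail caps whatever the bindings would otherwise grant.
    return perms & SCP_ALLOWED.get(resource, set())


if __name__ == "__main__":
    for p in ("alice", "bob"):
        print(p, system_mode(p, "bucket-a"), sorted(effective_mode(p, "bucket-a")))
```

In this model bob's System-mode view lists three bindings, including the eligible-only storage.admin path, while his Effective-mode permissions reduce to read and write once the deny and the guardrail are applied.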
Role Bindings entities assign specific permissions to a specific user or group in a Google Organization. Graph view consolidates duplicate Role Bindings by Role name, or by Role name and Policy Resource pair.
Policy Resource nodes represent the specific resource types that a role binding applies to. Graph shows the relationships between Role Bindings and the resources in the search, indicating the resource hierarchy and the level of the hierarchy at which the Role applies.
The Google Folder hierarchy is a visual representation of the Organization structure.
"Group" is a term used to describe a collection of users in a Google Organization. The visualization will also show the relationship between a User and a Role Binding, and any intermediate Group entities.