# Query Mode Veza provides two distinct query modes that determine which authorization relationships are visible in searches, graphs, and access reviews. ### Query Modes **Effective mode** displays the actual permissions a principal can exercise after applying all restrictions, including deny policies, service control policies (SCPs), and network controls. This mode represents the final computed access level. **System mode** displays the configured authorization relationships as they exist in source systems, without applying restrictive policies. This mode reveals the complete configured access structure, including intermediate entities and potential access paths. System mode includes relationships and entities that are filtered out of Effective mode. For example, Azure AD PIM eligibility schedules represent configured potential access rather than active permissions, so they only appear in System mode. System mode also exposes intermediate authorization entities such as role bindings, group memberships, and policy attachments that explain how access flows between identities and resources. See [Intermediate Entities](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/search/intermediate-entities) for example queries possible in this mode. System mode also enables the full range of possible selections for Access Reviews [Summary Entities](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/access-reviews/configuration/presentation-options#show-intermediate-relationship). #### Permissions in system mode Search and Access Reviews present a natural-language summary of the actions that identities can ultimately take on a resource, in the form of [Effective Permissions](https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/search/effective-permissions) (EP). The default **Effective** mode shows the cumulative level of access a principal has on a resource, after accounting for all roles, groups, and elements such as policy "deny" statements. In Effective mode, you can click on a single *Permission* node in Access Graph and click *Explain Effective Permissions* to view the configured system-level authorization relationships that result in the EP calculation. Typically, this will show additional entities such as policies, groups, and roles configured for the principal. **System** mode enables visualization and constraints on raw authorization nodes such as role bindings and group memberships, and the exact permissions connecting identities, policies, and resources. In general, enabling system mode can add additional context to understand and map Role Based Access Controls for Google Cloud Platform and Microsoft Azure AD. System mode is especially useful for searching and filtering on the intermediate entities such as roles and groups connecting identities and resources. * Role Bindings entities assign specific permissions to a specific user or group in a Google Organization. Graph view consolidates duplicate Role Bindings by Role name, or by Role name and Policy Resource pair. * Policy Resource nodes represent the specific resource types that a role binding applies to. Graph shows relationships for Role Bindings and the resources in the search, indicating the resource hierarchy and the level of the hierarchy the Role applies. * The Google Folder hierarchy is a visual representation of the Organization structure. * "Group" is a term used to describe a collection of users in a Google Organization. The visualization will also show the relationship between a User and a Role Binding, and any intermediate Group entities. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/search/query-mode.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.