# Tags

Veza Tags provide a way to add additional metadata to entities such as identities, policies, or data resources. You can create Veza tags and apply them to any object in the Access Graph, and use these tags to filter search results (along with any cloud-native tags Veza has discovered).

### Overview

Cloud service providers such as AWS and Google Cloud offer ways to tag and label resources, identities, and other objects within an account or service. These provider-specific, cloud-native tags are typically used to enforce policies and enable automation. Tags and labels can also classify resources for business processes (such as spend management), or track technical metadata such as version or development environment.

Veza Tags enable the application of consistent tagging strategies across all identities, resources, and any other entities in the data catalog, regardless of cloud provider. Security teams can use Veza Tags to categorize entities and create rule-based policies without exposing the values or tagging scheme to AWS or GCP users.

Veza system tags can also enable automatic [workflow reviewer assignments](/4yItIzMvkpAvMVFAamTf/features/access-reviews/configuration/managers-and-resource-owners.md). Filtering on a given tag can be useful when creating Workflows ("certify AWS S3 access for buckets tagged for PCI compliance"). Tag filters can also narrow Access Graph results ("show only AWS EC2 instances tagged `environment: production`").

For example, you could use tags to filter specifically for databases containing sensitive customer records. After creating a `PII` tag and applying it to those resources, you can filter search and query results to only show the tagged entities. Tags can also enable fine-grained control for [rules](/4yItIzMvkpAvMVFAamTf/features/insights/rules-and-alerts.md) and [Risks](/4yItIzMvkpAvMVFAamTf/features/insights/risks.md) when specified in the original query [conditions](/4yItIzMvkpAvMVFAamTf/features/search/filters.md).

### Tag persistence

Veza Tags are associated with entities by their unique identifiers. Tags persist across regular data syncs and extraction cycles, and are not removed when pushing updated OAA payloads with different or missing tags.

{% hint style="warning" %}
**Tags can be lost in certain scenarios.** Because tags are linked to specific entity identifiers, they will be removed if the underlying entity is deleted and recreated. This can occur when:

* **A provider is removed and re-added**: All tags on entities from that provider will be lost.
* **A datasource is removed and re-added**: Tags on entities from that datasource will be lost.
* **An entity is removed and recreated**: If an entity's unique identifier changes (for example, due to integration updates), the entity is treated as new and previous tags will not carry over.

This behavior also affects `SYSTEM_resource_managers` tags used for [automatic reviewer assignment](/4yItIzMvkpAvMVFAamTf/features/access-reviews/configuration/managers-and-resource-owners.md) in Access Reviews. If you rely on tags for access review workflows, take care when removing and re-adding providers or datasources.
{% endhint %}

To preserve tags before making changes that could cause data loss, you can export tag assignments using the [Tags API](/4yItIzMvkpAvMVFAamTf/developers/api/tags.md) and reapply them after the operation completes.
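The export-and-reapply step can be checked offline by diffing a snapshot taken before the change against one taken after it. The following is an added example, not Veza code: the record shape, the entity ids and names, and the `SYSTEM_resource_managers` value are constructed for illustration and are not the Tags API response format.

```python
from collections import defaultdict

def rec(entity_id, entity_type, name, key, value=""):
    return {"entity_id": entity_id, "entity_type": entity_type, "name": name,
            "key": key, "value": value}

# Constructed snapshots; the record shape is an assumption of this example.
BEFORE = [
    rec("ds1:bucket:a1", "Bucket", "cardholder-data", "DataCompliance", "PCI"),
    rec("ds1:bucket:a1", "Bucket", "cardholder-data",
        "SYSTEM_resource_managers", "placeholder-manager"),
    rec("ds1:bucket:b2", "Bucket", "logs", "environment", "production"),
    rec("ds1:db:c3", "Database", "legacy-db", "PII"),
]
AFTER = [rec("ds1:bucket:b2", "Bucket", "logs", "environment", "production")]
# Entities present after the datasource was re-added: id -> (type, name).
CURRENT = {"ds2:bucket:a1": ("Bucket", "cardholder-data"),
           "ds1:bucket:b2": ("Bucket", "logs")}

def index(snapshot):
    """Map entity_id -> set of (key, value) pairs."""
    tags = defaultdict(set)
    for r in snapshot:
        tags[r["entity_id"]].add((r["key"], r["value"]))
    return tags

def lost_tags(before, after):
    """Tags present before the change and absent afterwards, by old entity id."""
    kept = index(after)
    lost = {eid: pairs - kept.get(eid, set()) for eid, pairs in index(before).items()}
    return {eid: pairs for eid, pairs in lost.items() if pairs}

def reapply_plan(before, after, current):
    """Match lost tags to recreated entities by (type, name).
    Zero or several candidates are left unresolved for a person to decide."""
    candidates = defaultdict(list)
    for eid, identity in current.items():
        candidates[identity].append(eid)
    identity_of = {r["entity_id"]: (r["entity_type"], r["name"]) for r in before}
    plan, unresolved = [], []
    for old_id, pairs in sorted(lost_tags(before, after).items()):
        match = candidates.get(identity_of[old_id], [])
        for key, value in sorted(pairs):
            if len(match) == 1:
                plan.append((match[0], key, value))
            else:
                unresolved.append((old_id, key, value))
    return plan, unresolved

if __name__ == "__main__":
    print(reapply_plan(BEFORE, AFTER, CURRENT))
```

Anything in `unresolved`, and every lost `SYSTEM_resource_managers` assignment, should be reviewed before the next access review is started.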

### Viewing Entity Tags

You might notice that some tags are already applied to your identity and data entities, as Veza automatically ingests pre-existing tags during discovery. You can see the provider-native or Veza tags for any entity using the Access Graph actions sidebar:

![View an entity's tags from Access Graph](/files/LPlEjJ0nTpXIaKiDlLMd)

Like AWS tags, Veza tags have a *key* and an optional *value*. For example, a tag with the key `Departments` could have a value such as `Engineering`, `Finance`, or `Sales`. The `DataCompliance` key can be granted additional context with a value such as `PCI`, `GDPR`, or `SOX`.

{% hint style="info" %}
Tags can be used to track a wide range of properties, and can be applied to any entity. You can use them to track a particular set of groups or policies, or apply tags to add comments for other users (`Note:Your_Details_Here`).
{% endhint %}

You can view all AWS or Google tags and labels on entities in the Veza data catalog by browsing under the **Configurations** menu.

### Search for Tagged Entities

It's not currently possible to search by tag key or value from Access Graph or Query Builder. However, you can add filters to only show entities with a given tag.

* Use [Tagged Entity Search](/4yItIzMvkpAvMVFAamTf/features/search/tagged-entity-search.md) to search entities with a Veza, Google Cloud, or AWS tag, and remove Veza tags from entities.
* Use the **Data Catalog** > *Tags* panel to review all the Veza Tags or cloud-native tags Veza has discovered, with the option to open any item in Tagged Entity Search.

### Creating and Applying Veza Tags

You can create and apply Veza Tags manually from the Access Graph, or automatically at scale using [Enrichment Rules](/4yItIzMvkpAvMVFAamTf/integrations/configuration/enrichment.md#assign-veza-tags-enrichment-rules).

To apply a tag to an individual entity, use the [Access Graph](/4yItIzMvkpAvMVFAamTf/features/search/graph.md#graph-actions-sidebar) actions sidebar. Select the entity you want to tag, and click *Add Tag*.

![Potential values include timestamps, boolean (true or false), or full text](/files/RkeW3gmDvZKCCyEl9RBR)

You can create a new tag, or pick an existing one on the modal that appears.

{% hint style="info" %}
Tags can take some time to populate. If your tag isn't immediately available, you might need to wait several minutes. Any tags you create will be visible to other Veza users.
{% endhint %}

To **remove a tag from an entity**:

1. Search for the entity using Access Graph or Query Builder:
   * From Query Builder, click on the result name to view details.
   * From Graph, click on the node to expand the actions sidebar, and choose *View Details* or *Veza Tags*.
2. Any applied Veza Tags are shown in purple. Click the "x" next to a tag to remove it from the entity.

### Tag Administration

The **Data Catalog** > *Tags* panel lists all the tags that Veza users have created, with additional tabs for any cloud native tags Veza has discovered. You can sort the list by key or title, or create a new tag from this panel:

1. Click the "Add New" button to create a new tag
2. Enter a key and value, and save your changes
3. Once populated, the tag can be assigned to entities and used as a filter

### Applying Tags via Enrichment Rules

[Enrichment Rules](/4yItIzMvkpAvMVFAamTf/integrations/configuration/enrichment.md#assign-veza-tags-enrichment-rules) enable bulk tagging — automatically adding or removing Veza Tags across large sets of entities based on a saved query. Before this feature, bulk tagging required the [Tags API](/4yItIzMvkpAvMVFAamTf/developers/api/tags.md), which remains available if an API-driven approach is preferred.

To create a Veza Tags enrichment rule, go to **Integrations** > **Enrichment**, click **Add Enrichment Rule**, and select **Assign Veza Tags** as the rule type. Tags are applied or removed each time the matching data sources are extracted.

{% hint style="info" %}
**Enrichment-managed tags look the same as manually applied tags.** There is currently no visual indicator in the Access Graph or elsewhere distinguishing tags applied by an enrichment rule from tags you applied by hand.

The **Remove Tags** operation in an enrichment rule only removes tags from entities that match the current query result set. It does not retroactively remove tags from entities that previously matched but no longer do.
{% endhint %}

### Using Tags in Search

To filter an Access Graph search by a Veza tag or external tag, click "Add tags" in the *Filter by Tag* section of the graph Search menu. Select an entity type to filter, and choose from the list of available tags.

Once the tag has been added to your search, the layer where the filter is applied will collapse to only include entities with a matching AWS or Veza Tag. You can see any tags filtering your current search on the search sidebar:

![Filtering an AG search by a tag.](/files/-Mjbix4pW69lFsG2KhTA)

**Note** that tag-based filters are applied to a single entity type at a time. You can still filter multiple entity types by a Veza tag by applying the filter to each layer.

![Filtering an AG layer by tag.](/files/-MjbiyrGO9DC5h7nfsD0)

### Tagging for custom apps and identity providers

You can apply tags to entities pushed using the [Open Authorization API](/4yItIzMvkpAvMVFAamTf/developers/api/oaa.md) by declaring them in the `tags` array of the custom template. This example for the BitBucket application type has multiple tags on the instance, project, group, and user:

```json
{
  "name": "BitBucket",
  "tags": [
    {
      "key": "instanceTag1key",
      "value": "instanceTag1Val"
    },
    {
      "key": "instanceTag2key"
    }
  ],
  "projects": [
    {
      "name": "Project 1",
      "repos": [
        {
          "name": "Repo 1",
          "tags": [
            {
              "key": "repoTag1key",
              "value": "repoTag1Val"
            },
            {
              "key": "repoTag2key"
            }
          ]
        }
      ],
      "tags": [
        {
          "key": "projectTag1key",
          "value": "projectTag1Val"
        },
        {
          "key": "projectTag2key"
        }
      ]
    }
  ],
  "groups": [
    {
      "name": "Test Group 1",
      "tags": [
        {
          "key": "groupTag1key",
          "value": "groupTag1Val"
        },
        {
          "key": "groupTag2key"
        }
      ],
      "global_permissions": "ProjectCreator"
    }
  ],
  "users": [
    {
      "name": "User1",
      "email": "user1@testme.com",
      "identity": "user1@testme.com",
      "global_permissions": "BitbucketUser",
      "tags": [
        {
          "key": "userTag1key",
          "value": "userTag1Val"
        },
        {
          "key": "userTag2key"
        }
      ]
    }
  ]
}
```
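A check that can run before a payload is pushed, as an added example that is not part of the Veza documentation: it walks a payload shaped like the template above, reports tag entries that have no `key`, and reports entities that lack a tag your own policy requires. The names `iter_entities`, `audit` and `required`, the required-tag policy itself, and the trimmed sample payload are assumptions of this example.

```python
import json

# Constructed payload in the shape of the template above (trimmed).
SAMPLE = json.loads("""
{"name": "BitBucket",
 "tags": [{"key": "instanceTag1key", "value": "instanceTag1Val"}],
 "projects": [{"name": "Project 1",
               "repos": [{"name": "Repo 1",
                          "tags": [{"key": "DataCompliance", "value": "PCI"}]},
                         {"name": "Repo 2"}]}],
 "groups": [{"name": "Test Group 1", "tags": [{"value": "orphan"}],
             "global_permissions": "ProjectCreator"}]}
""")

def iter_entities(node, path="$", collection="application"):
    """Yield (path, collection, tags) for every named object in the payload."""
    if isinstance(node, list):
        for item in node:
            yield from iter_entities(item, path, collection)
    elif isinstance(node, dict):
        here = f"{path}[{node['name']}]" if "name" in node else path
        if "name" in node:
            yield here, collection, node.get("tags") or []
        for key, child in node.items():
            if key != "tags":  # tag objects are not entities
                yield from iter_entities(child, f"{here}.{key}", key)

def audit(payload, required=None):
    """Return (path, problem) findings.
    `required` maps a collection name ("repos", "users", ...) to a tag key
    that every entity in that collection must carry (local policy)."""
    findings = []
    for path, collection, tags in iter_entities(payload):
        keys = set()
        for i, tag in enumerate(tags):
            key = tag.get("key") if isinstance(tag, dict) else None
            if isinstance(key, str) and key:
                keys.add(key)  # a value is optional, so a bare key is valid
            else:
                findings.append((path, f"tag #{i} has no key"))
        need = (required or {}).get(collection)
        if need and need not in keys:
            findings.append((path, f"missing required tag {need}"))
    return findings

if __name__ == "__main__":
    for path, problem in audit(SAMPLE, {"repos": "DataCompliance"}):
        print(f"{path}: {problem}")
```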


