Veza Glossary

Definitions and explanations for key terms and concepts used within Veza.

As Veza evolves and integrates more advanced functionalities, the terminology can sometimes be intricate. The Veza glossary serves as a reference for terms and related topics. Whether you're a new user getting acquainted with the platform, or just seeking a refresher, this glossary can help you learn the essential terms.

Browse the categories to explore, or use the search function to find a specific term.

Core Concepts

Authorization Graph

A time-bound snapshot of entities and their attributes collected by Veza integrations. Used for investigating, intelligence automation, and rule creation across connected applications, identity providers, and cloud services.

Cloud Service Provider

A Cloud Service Provider (CSP), such as AWS or Microsoft Azure, offers a platform for infrastructure, applications, storage, and other services such as Identity and Access Management or data warehousing.

Group

A group is a collection of users sharing the same set of permissions.

IAM

Identity and Access Management (IAM) is a security framework that helps organizations manage and control access to their resources and applications.

Identity Provider

An Identity Provider (IdP), such as Okta or AWS SSO, is a service that stores and verifies user identity. IdPs are typically cloud-hosted and enable single sign-on to other systems.

Local Role

A set of permissions that are local to a single data system, computer, or device within an organization.

Local User

An account created on a single system (a data system, an app, etc.), computer, or device within an organization. Local accounts cannot be used on other data systems, computers, or devices.

Effective and System Permissions

Permissions are the individual rights and authorizations that a user has to perform actions on resources. In modern IAM, “effective permissions” are the actual permissions a user is authorized to perform after applying all the constructs of IAM, including deny, service control policy, permission boundary, or other access controls.

“System permissions” are the permissions that are directly assigned or granted to a principal (e.g., user, group, or role) on a specific resource (e.g., file, folder, or object). These permissions are typically defined and managed within the security system and set the basic level of access.

  • In Veza, Effective Permissions can be Data (C)reate, (R)ead, (W)rite, (D)elete, (N)on-Data, and (M)etadata.

  • In Graph search, (S)ub indicates when a principal has permissions on sub-resources within a service.

Examples of effective permissions and corresponding capabilities:

  • MetadataWrite, MetadataRead, MetadataCreate, MetadataDelete: permission to create a Redshift database table, or change an S3 bucket policy.

  • DataRead, DataWrite, DataCreate, DataDelete: a data read, write, create, or delete permission, such as reading database tables, or pushing to a repository.

  • NonData: all other permissions that do not apply to data, such as permission to cancel a Redshift query or reboot a Redshift cluster.

RBAC

Role-Based Access Control (RBAC) is a method of managing access to resources and applications based on the roles of individual users.

Role

In Role-based Access Control (RBAC), a role is a collection of permissions that define the actions a user is authorized to perform for resources within an organization’s IT environment.

Search

Veza Search features include Graph, Query Builder, and Tagged Entity Search. Workflows also leverage Authorization Graph queries and data for certification of access and entitlements.

Service Account

Service accounts are non-human accounts that log into servers and run batch jobs and scripts. Machine identities are similar but connote devices and IoT principals. Bots are similar but focused on automation. All of these are sometimes summarized as non-human identities.

Webhook

A webhook is a way for an application to provide other applications with real-time information. It is a simple HTTP callback that allows one application (known as “sender”) to provide information to another application (known as “receiver”) when a particular event occurs.

Veza Integrations

Orchestration Actions

An integration built directly into Veza for sending data to external systems and enabling downstream processes around Veza alerts and access reviewer actions. With Orchestration Actions you can configure generic webhooks, create Jira issues or ServiceNow tickets, or enable Slack and email notifications.

Custom Properties

When configuring an integration, use this tab to specify additional attributes on entities to collect, by providing the name and type of attribute Veza will gather. For example, if an organization uses custom security attributes for Azure AD or Okta (such as deskNumber), these custom properties can be enabled when adding the integration, and used to filter results for search and access reviews.

Data Source

Data Sources are the individual resources (SaaS apps, data lakes, databases, etc.) from which Veza extracts authorization metadata.

Integration

A connector built directly into Veza, for ingesting data from external systems. Each inbound integration represents an inbound connection to a cloud provider, identity provider, or external application. Each integration can be associated with multiple discoverers and data sources. Orchestration Actions are outbound integrations for publishing events to external systems.

Limit Integration Services

Option to globally prevent discovery of all resources for a provider service (for example, AWS EC2).

Mapping Configuration

Option when configuring an Identity Provider integration allowing users to define cross-service connections between Identity Provider accounts and local accounts in other integrated systems (if Veza cannot automatically detect the connection).

Monitoring

Veza Activity Monitoring features provide insight into resource and privilege utilization for your users. These include Overprovisioned Access Scores and special reports leveraging cloud provider audit logs.

OAA Integration (Community)

An OAA integration built by Veza, a customer, or the open-source community that is available in our community GitHub repository.

OAA Integration (Customer)

An OAA integration built by a customer for one of their proprietary systems that is not published to the public repository.

Open Authorization API

An Open Source framework for adding off-the-shelf or in-house-developed proprietary applications and identity providers to the Veza graph.

Resource inclusion and exclusion lists

Option when configuring an integration, setting limits on the individual resources Veza will attempt to extract and parse (for example, AWS S3 Bucket).

Veza Cloud Connector

A Veza-provided VM image or Docker container that enables connections to systems without APIs, or without publicly reachable APIs.

Worker

Workers are the components that find and catalog the authorization metadata and Data Source components of the integration.

Access Intelligence

Activity Monitoring Timeframe

A customizable period used to calculate Over Provisioned Scores for users and roles, based on entitlement usage within a set period of time. To change the range, go to the System Settings page and pick 1, 7, 30, 60, 90, or 120 days as the value. The default value (Auto) is 30 days.

Alerts

Alerts activate when a built-in or custom rule condition is met. Each alert includes a summary of changed entities since the last rule evaluation. Alerts are published via notifications, which include a summary of the original query. Notification delivery methods include email and outbound integrations or webhooks.

Dashboard

The primary Veza landing page, including customizable sections and report summaries, and quick links to Veza features. The home page includes a summary of active Alerts, Certifications, and integrated Data Sources.

Dashboard Reports

A tile-based summary of reports and related insights from the Dashboard Reports section, shown on the main Veza landing page.

Exception

An entity to ignore as a Risky Entity, due to matching a condition or being individually marked as an exception. Constraints on the query can mark entities as "Exceptions" based on a filter rule (for example, all resources in a test environment, or system roles that are not reasonably actionable).

Heatmaps

Heatmaps are a way to visualize identity and data authorization entities by the number of connected relationships (for example, IAM users sorted by most connections to IAM roles). You can use these to identify your most-privileged users or widely-accessible resources and investigate entities with overly broad permissions.

Insights

Veza Insights provide tools to understand and act on risky entities and relationships using the Authorization Graph. Veza Insights include customizable Reporting, the Access Risks Dashboard, Rules, and Alerts.

Over Provisioned Access Score

OPAS represents the percentage of resources an identity is granted permission to but has not utilized recently. For example, if a user reads from 3 tables but is entitled to read from 10, they are over-provisioned by 70%. The OPAS can change depending on the resources and permissions selected by the original query.

Query Integrations

A system-provided attribute listing all integrations involved in a query. You can filter by integration when searching for queries to add to Reports, or on the Saved Queries page.

Query Labels

A customer or system-provided attribute, intended for risk categorization and query organization.

Recommendations

Recommendations allow users to request remediation for risks and certification results. Recommendations can include pre-defined instructions based on the entity type, or administrators can create custom templates. Recommendations can also be delivered using outbound integrations (for example to create a service desk ticket or automate remediation with a webhook).

Report

A collection of queries, organized into sections for actionable insights on Authorization Graph data. Reports can be built-in or user-created, and private or public.

Report Category

Report categories are used to group reports on the Reporting > Reports page. Access Risk tiles are based on reports in the Dashboard report category.

Report Section

Sections in Reports contain groups of saved Queries, based on the provider, type or risk, or other customizable criteria.

Risk

Any entity that appears in the results of a saved query with a risk level is considered a Risk. Marking a query as a Risk can define a security baseline, misconfiguration, common access risk, or other anomaly, enabling alerts and recommendations. You can mark a Risk as an Exception to prevent it from appearing as a risk.

Risk Level

The risk level assigned to a query's results when they are non-empty. Risk level can be 'critical' or 'warning'.

Rules

A rule consists of a baseline query, thresholds of conditions, and notification settings, delivered when conditions are met. The default action is to send an Alert to the Alerts page.

Veza Events

A page with a complete list of system events, as well as events related to Integrations and Rules.

Account Filter

Predefined filter that narrows down search results to specific parent Azure tenants or AWS accounts. Particularly useful in multi-environment setups.

Destination

The final entity type for a query. By default, each result will include the effective permissions between the source and destination entities.

Display Options

Advanced Graph visualization options for labeling entities by provider account or tenant, and highlighting relationships of interest such as assume role paths, disabled users, or risky entities. Display options will vary based on the entity types in your search.

Does not relate to

Option to only return results of the source type with NO relationship to entities of the destination type.

Entities

Entities represent the authorization, data, and identity objects discovered by Veza, as shown in search results or on the Entities page. Entities can be data services or resources, identity domains, users or groups, and IAM or RBAC elements such as policies and roles. Entities have properties containing attribute metadata such as manager, is_active, or encryption_enabled. Queries typically specify both source and destination entity types, such as Okta User to AWS S3 Bucket or Google User to Google Group. Higher-level entity type groupings such as All Users and All Resources can be used to search for several entity types at once.

Entity Attributes

Entity Attributes are the rich metadata associated with an entity, enabling granular filters based on a range of possible properties. These attributes may be added by Veza during parsing (such as name, is human, or full admin), or ingested directly from the provider (mfa_enabled, is_encrypted, and so on).

Exclude Entities

Search option to only return results where source and destination are NOT connected by a particular entity type (for example, to show access granted without an assigned group). This can be used to show only access granted in a way that bypasses a user's intended groups, and filter results that aren't related to particular groups, roles, or policies.

Explain Effective Permission

Advanced Action in Effective graph search mode to show raw permissions and IAM relationships resulting in an effective permission calculation (represented by an EP node).

Filters - Attributes

Filters constrain query results based on the source, destination, or intermediate entity's attributes (such as Name, ID, or Is Active).

Attribute filters can always apply to source and destination entities, or any entity type in a graph search result.

Filters - Permissions

Option to filter query results by raw or effective permissions, such as s3:DeleteBucket or Data Delete.

Filters - Tags

Condition to filter results based on a Veza Tag or native provider tag applied to the source, destination, or intermediate entity. Filters can always apply to source and destination entities. The query must define Required intermediate entities to filter by tags on intermediate entity types.

Graph

Graph search shows the relationships between entities and resulting effective permissions, based on the latest Authorization Graph or Time Machine snapshot. Actions and filters provide utilities for traversing the graph and understanding and remediating risky access.

Query

A search against the Veza graph. Queries can be built-in or created using the Query Builder. Saved Queries are shown in Veza Reports and on the Saved Queries page. Queries can have labels and be assigned a risk level. Integrations associated with entities in the query are saved as query attributes, for easier retrieval and organization.

Query Mode

Search option to either show Effective Permissions from source to destination entities OR additional intermediate entity types such as IAM/RBAC roles and policy bindings.

  • Effective mode calculates and shows all possible actions, after accounting for any potential restrictions (such as policy deny statements and other controls). Effective Permissions represent all the metadata and non-data actions the principal can take on a resource.

  • System mode shows the configured permissions and access path, before processing potentially overriding policies such as deny statements, SCPs, and network policies. This mode is useful for understanding, certifying, and enforcing rules based on User > Role relationships and role-based permissions for CSPs like Google and Azure.

  • Depending on the Workflow Query Mode, reviewers will certify the combined Permissions for each result, or the Path Summary and Concrete Permissions for each result.

Query Builder option to filter results based on the number of related destination entities. The count operator can be <, =, >, and so on.

Relationship Options

Advanced Graph visualization options to show or hide graph columns (layers/entity types) and relationships. Depending on the search, the Advanced View toggle shows additional intermediate entities such as local user accounts between principal identities and data resources.

Require Entities

Parameter to only return results where an entity of the selected type (such as a local group) connects the source and destination nodes. Requiring an intermediate entity enables filters on the intermediate entity's attributes.

See More

Graph search parameter indicating that pages of results are shown instead of all results. Pagination will be enabled by default for graph searches that return more results than Veza can render at once.

Show assumed entities

Parameter to include or exclude indirect and nested relationships (such as roles that are assumed by other roles, or groups that are members of other groups) from search and certification results. The option to Show assumed [entity type] appears under Advanced Options > Relationship Options when the query source or destination is nestable (such as Snowflake Group or AWS IAM Role).

Source Entity Type

The initial node for a query. Entities of the Source type are included in certification results for review and attestation if a relationship exists between that entity and another entity of the Destination type.

Option to select a single entity of the selected source or destination entity type, and only return relationships for that unique identity, IAM/RBAC entity, or resource.

System Permissions

An individual privilege defined in the provider’s native terms, such as the AWS IAM action s3:DeleteBucket.

Tagged Entities

The Tagged Entities page provides a way to view and search all entities that have matching Tags.

Tags

Tags are used to add extra metadata to entities, using key:value pairs. Two types of tags are supported by the Veza platform:

  • Veza Tags that users add to Authorization Graph entities

  • Provider-specific tags that Veza discovers, such as AWS tags and Google Cloud labels

Tagged Entity Search offers a way to quickly find entities with a matching tag. You can also add tag filters to constrain Search and Certification results based on whether entities have (or don't have) a certain set of tags.

Time Machine

Option indicating the Authorization Graph snapshot to execute the query against.

  • Workflows do not run against a specified snapshot and will use the most recent one at the time of Certification creation.

  • Use the Authorization Graph Time Machine to search against a snapshot of relationships and entities at a specific point in time.

Access Reviews

Certification

Scheduled instances of access review with unique deadlines and reviewers. Reviewers can accept, reject, or delegate items. Rejected items can be marked as Fixed by operators after a remediation request. Certifications are based on immutable graph snapshots and an underlying query.

Certification Result

Represents a source-destination pair in a certification, detailing permissions an identity holds on a resource and the connecting relationship. Can include a summary of waypoint entities like groups, roles, and permissions.

Complete

Status indicating that all certification items were signed off before the due date.

Default Reviewer

Individuals explicitly specified as Reviewers (for all results) when a certification is created.

Delegate Reviewer

An alternate user assigned to carry out the responsibilities of an original user who would be auto-assigned as a reviewer but is unavailable.

Expired

Status indicating that not all certification items were signed off by the due date.

Fallback Reviewers

Fallback Reviewers are specified when creating a workflow and are assigned when rules prevent the assignment of the original user, or when a manager does not exist for a certification result row.

Filter

Certification option to show only a subset of rows based on criteria applied to one or more result columns. For example, you could filter to show only identities with a certain name, results that are signed off, or only resources from a specific region. The filtered view can be acted on using a Smart Action.

Global IdP Settings

System-wide setting to enable detection of potential certification reviewers, including team managers and resource managers, from an integrated Identity Provider. Those users can use Single Sign-On to review their assigned certification items.

Managers

Individuals assigned (by attribute or tag) as a manager of the user included in a certification result.

Mark as Fixed

Operator action to indicate that the recommendation has been carried out for a certification item. Signed-off items can be Marked as Fixed.

Pending

Status for certifications that are not expired, and still have items pending sign-off.

Presentation Rule

Support-enabled option to highlight special rows such as disabled users, based on filter criteria.

Reassign

Reviewer or workflow owner action to assign a certification item to another reviewer, after a certification has begun.

Reminder

Type of email notification sent to remind Access Reviewers about remaining tasks for certifications. Followup reminders can also be configured to escalate any tasks remaining for a certification.

Resource Managers

Individuals assigned (by attribute or tag) as manager of the resource included in a certification result.

Reviewer Actions

Actions reviewers can take on an access review:

  • Accept: Reviewer decision to approve the access specified by the certification item (as legitimate access).

  • Reject: Reviewer's decision to refute the current access for a certification result (as illegitimate access). Reject actions can trigger remediation processes using webhooks and the ServiceNow integration.

  • Sign Off: Reviewer action to finalize the decision on a certification item, making it immutable.

Reviewer Auto-Assignment

Option to assign managers and resource managers as reviewers based on metadata Veza has discovered. Auto-assignment enables workflow owners to assign many reviewers at once, either to specific reviewers, or to resource managers and team managers using metadata from an identity provider, or Veza Tags. The identity provider must be integrated with Veza and Global IdP Settings must be enabled.

Reviewer Deny List

Global list of users who are blocked from being assigned as reviewers.

Show Relationship

Certification presentation option enabling visibility into a single connecting entity and its properties, existing between the source and destination nodes. The certification will include optional columns for each Intermediate {Entity} {Attribute}.

Show Summary

Certification presentation option enabling visibility into the RBAC configuration granting access to the destination entity. The certification will include a default Path Summary column showing the names of selected entities that exist between the source and destination. For example, when Group is selected as a Path Summary Entity, the Path Summary for results could contain either:

  • Group 1 (indicating access is granted directly by that group)

  • Group 1 ... Group 2 (indicating that the first group allows access to the second)

Smart Action

Smart actions apply decisions, notes, and reviewer assignments to certification items matching specified filtering criteria. Smart Actions can also apply decisions to the currently selected set of certification items.

Uncertified

Status for pending certifications with no signed-off items.

Workflow

A Workflow represents a periodic or one-time access or entitlement review, including:

  • A Query defining the entities and relationships under review

  • Default Notification and Integration settings, inherited by all future certifications for that workflow

  • Attributes such as a name and description, for identification and internal reference.

Workflow Integrations

Workflow and certification setting to enable outbound integrations and webhooks for Reviewer Actions (certification complete, row accept/reject, reviewer change).

Workflow Notifications

Notifications are reminders sent by email to notify users of reviewer assignments and deadlines.

Workflow Query

A workflow query sets the source entity type, destination entity type, and other search parameters defining the scope of a Certification. The Certification will contain individual result rows for review and sign-off.

  • Workflow queries can be very broad (All Users to All Resources) or very specific, including filters on tags, property-based constraints, and intermediate node requirements.

  • Each query has a source and destination node. Entities of the Source type are included in certification results for review and attestation if a relationship exists between that entity and another entity of the Destination type.

  • Workflow query results include both the source and destination entity details, the effective permissions for that relationship, and optionally, a summary of the path that made the connection.

Workflows

Features for access review and certification of entitlements. Access Workflows provide a framework for repeatable, multi-user review processes with full certification history, using the power of Veza graph search. Workflows and certifications are created and accessed from the main Workflows panel.

Administration

Access Reviewer

Role that enables users to review and certify items within their assigned access reviews. Allows access solely to the Access Reviews panel and workflows designated for their review.

Administrator

Highest-level user role with full control over settings, integrations, and privileges. Inherits all capabilities of Operator and Access Reviewer roles.

Configuration

Integration configurations are saved settings for connecting to an external platform, including the credentials and optional settings for the connection. Integrations are added and managed on the Configuration > Integrations panel.

Operator

Role allowing users to create Workflows and start Certifications, as well as review all items in certifications they create. Operators can access all Veza features such as Search and public Reports, but cannot manage other users or integrations.

Sign-in Settings

Sign-in Settings is a Veza Administration panel for managing multi-factor authentication (MFA) and Single Sign-On (SSO), and for configuring local account (non-SSO) access for your Veza tenant.

User Management

The page where users can be added, removed, or edited and have roles assigned.

Veza Webhook

Webhooks are automated messages containing a payload of instructions that are sent to a specific URL when the conditions associated with the webhook are met.