Access Search

Access Search terms and definitions in the Veza platform.

Account Filter

Predefined filter that narrows down search results to specific parent Azure tenants or AWS accounts. Particularly useful in multi-environment setups.

Access Graph

A time-bound snapshot of entities, relationships, and their attributes collected by Veza integrations. Used for investigation, intelligence automation, and rule creation across connected applications, identity providers, and cloud services.

Display Options

Advanced Graph visualization options for labeling entities by provider account or tenant, and highlighting relationships of interest such as assume role paths, disabled users, or risky entities. Display options will vary based on the entity types in your search.

Related documentation: Display Options

Does not relate to

Option to only return results of the source type with NO relationship to entities of the destination type.

Related documentation: Does not relate to

Entities

Entities represent the authorization, data, and identity objects discovered by Veza, as shown in search results or on the Entities page. Entities can be data services or resources, identity domains, users or groups, and IAM or RBAC elements such as policies and roles. Entities have properties to contain attribute metadata such as manager, is_active, or encryption_enabled. Queries typically will specify both source and destination entity types, such as Okta User to AWS S3 Bucket or Google User to Google Group. Higher-level entity type groupings such as All Users and All Resources can be used to search for several entity types at once.

Related documentation: Entities

Entity Attributes

Entity Attributes are the rich metadata associated with an entity, to enable granular filters based on a range of possible properties. These attributes may be added by Veza during parsing (such as name, is_human, or full_admin), or ingested directly from the provider (mfa_enabled, is_encrypted, and so on).

Related documentation: Entity Attributes

Exclude Entities

Search option to only return results where source and destination are NOT connected by a particular entity type (for example, to show access granted without an assigned group). This can be used to show only access granted in a way that bypasses a user's intended groups, and filter results that aren't related to particular groups, roles, or policies.

Related documentation: Exclude Entities

Explain Effective Permission

Advanced Action in Effective graph search mode to show raw permissions and IAM relationships resulting in an effective permission calculation (represented by an EP node).

Related documentation: Explain Effective Permission

Filters - Attributes

Filters which constrain query results based on the source, destination, or intermediate entity's attributes (such as Name, ID, or Is Active).

Attribute filters can always apply to source and destination entities. To filter on an intermediate entity's attributes, the query must first require that intermediate entity type (see Require Entities).

Related documentation: Filters - Attributes

Filters - Permissions

Option to filter query results by raw or effective permissions, such as s3:DeleteBucket or Data Delete.

Related documentation: Filters - Permissions

Filters - Tags

Condition to filter results based on a Veza Tag or native provider tag applied to the source, destination, or intermediate entity. Filters can always apply to source and destination entities. The query must define Required intermediate entities to filter by tags on intermediate entity types.

Related documentation: Filters - Tags

Graph

Graph search shows the relationships between entities and resulting effective permissions, based on the latest Access Graph or Time Machine snapshot. Actions and filters provide utilities for traversing the graph and understanding and remediating risky access.

Related documentation: Graph

Query

A search against the Veza graph. Queries can be built-in or created using the Query Builder. Saved Queries are shown in Veza Reports and on the Saved Queries page. Queries can have labels and be assigned a risk level. Integrations associated with entities in the query are saved as query attributes, for easier retrieval and organization.

Related documentation: Query

Query Mode

Search option to either show Effective Permissions from source to destination entities OR additional intermediate entity types such as IAM/RBAC roles and policy bindings.

  • Effective mode calculates and shows all possible actions, after accounting for any potential restrictions (such as policy deny statements and other controls). Effective Permissions represent all the data, metadata, and non-data actions the principal can take on a resource.

  • System mode shows the configured permissions and access path, before processing potentially overriding policies such as deny statements, SCPs, and network policies. System mode is useful for understanding, certifying, and enforcing rules based on User > Role relationships and role-based permissions for CSPs like Google and Azure.

  • The query mode determines what reviewers sign off on: in Effective mode, the combined Permissions for each result; in System mode, the Path Summary and Concrete Permissions for each result.

Related documentation: Query Mode

Related Entity Limit

Query Builder option to filter results based on the number of related destination entities. The count operator can be <, =, >, etc.

Related documentation: Related Entity Limit

Relates to

The final entity type for a query. By default, each result will include the effective permissions between the source and destination entities.

Related documentation: Relates to

Relationship Options

Advanced Graph visualization options to show or hide graph columns (layers/entity types) and relationships. Depending on the search, the Advanced View toggle shows additional intermediate entities such as local user accounts between principal identities and data resources.

Related documentation: Relationship Options

Require Entities

Parameter to only return results where an entity of the selected type (such as a local group) connects the source and destination nodes. Requiring an intermediate entity enables filters on the intermediate entity's attributes.

Related documentation: Require Entities
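The terms Does not relate to, Exclude Entities, Require Entities, Related Entity Limit, and the two Query Modes all describe how a query walks the graph and what it reports for each path. The following is an added example that models those semantics on a small constructed graph; it is illustrative code written for this glossary, not Veza's implementation or API. The entities, edges, the deny statement, and the mapping from system permissions to effective categories (s3:GetObject as Data Read, s3:DeleteBucket as Data Delete) are all assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample Access Graph (not real tenant data).
# Each edge: (from entity, to entity, system permissions granted on that hop).
# Entities are (type, name) tuples.
EDGES = [
    (("OktaUser", "alice"), ("OktaGroup", "data-eng"), frozenset()),
    (("OktaGroup", "data-eng"), ("AWSIAMRole", "etl"), frozenset()),
    (("AWSIAMRole", "etl"), ("S3Bucket", "raw"), frozenset({"s3:GetObject", "s3:DeleteBucket"})),
    (("OktaUser", "bob"), ("AWSIAMRole", "etl"), frozenset()),        # direct assignment, bypasses the group
    (("OktaUser", "carol"), ("AWSIAMRole", "audit"), frozenset()),
    (("AWSIAMRole", "audit"), ("S3Bucket", "raw"), frozenset({"s3:GetObject"})),
    (("OktaUser", "dave"), ("OktaGroup", "marketing"), frozenset()),  # group grants nothing on S3
]

# Hypothetical overriding control (an SCP-style deny) that only Effective mode applies.
DENIES = {(("AWSIAMRole", "etl"), ("S3Bucket", "raw")): frozenset({"s3:DeleteBucket"})}

# Assumed mapping from system (raw) permissions to effective permission categories.
EFFECTIVE_CATEGORY = {"s3:GetObject": "Data Read", "s3:DeleteBucket": "Data Delete"}

ADJ = defaultdict(list)
for _src, _dst, _perms in EDGES:
    ADJ[_src].append((_dst, _perms))


def entities(entity_type):
    """All entities of a given type present in the graph, in a stable order."""
    return sorted({n for s, d, _ in EDGES for n in (s, d) if n[0] == entity_type})


def paths(source_type, dest_type, require=(), exclude=()):
    """Simple paths from any source_type entity to any dest_type entity.
    require: intermediate entity types that must appear on the path (Require Entities).
    exclude: intermediate entity types that must not appear (Exclude Entities)."""
    found = []

    def walk(node, path):
        if node[0] == dest_type and len(path) > 1:
            mids = {n[0] for n in path[1:-1]}
            if set(require) <= mids and not (set(exclude) & mids):
                found.append(path)
            return
        for nxt, _ in ADJ[node]:
            if nxt not in path:  # avoid cycles
                walk(nxt, path + [nxt])

    for src in entities(source_type):
        walk(src, [src])
    return found


def _granted(a, b):
    return next(p for n, p in ADJ[a] if n == b)


def system_permissions(path):
    """System mode: configured permissions along the path, before any deny is applied."""
    perms = set()
    for a, b in zip(path, path[1:]):
        perms |= _granted(a, b)
    return perms


def effective_permissions(path):
    """Effective mode: subtract overriding denies, then collapse to effective categories."""
    perms = set()
    for a, b in zip(path, path[1:]):
        perms |= _granted(a, b) - DENIES.get((a, b), frozenset())
    return {EFFECTIVE_CATEGORY[p] for p in perms}


def does_not_relate(source_type, dest_type):
    """Does not relate to: source entities with NO path to any dest_type entity."""
    related = {p[0] for p in paths(source_type, dest_type)}
    return [e for e in entities(source_type) if e not in related]


def related_entity_count(source_type, dest_type):
    """Related Entity Limit: number of distinct destinations reachable per source."""
    counts = defaultdict(set)
    for p in paths(source_type, dest_type):
        counts[p[0]].add(p[-1])
    return {src: len(dsts) for src, dsts in counts.items()}


if __name__ == "__main__":
    for p in paths("OktaUser", "S3Bucket"):
        print([n[1] for n in p], "system:", sorted(system_permissions(p)),
              "effective:", sorted(effective_permissions(p)))
    print("bypassing groups:", [p[0][1] for p in paths("OktaUser", "S3Bucket", exclude=("OktaGroup",))])
    print("no S3 access:", [e[1] for e in does_not_relate("OktaUser", "S3Bucket")])
```

Running it shows the practical difference between the modes: alice's path carries s3:DeleteBucket in System mode, but the deny removes it, so Effective mode reports only Data Read. Excluding OktaGroup surfaces bob and carol, whose access does not go through a group, while dave appears only under Does not relate to.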

See More

Graph search option indicating that pages of results are shown instead of all results. Pagination will be enabled by default for graph searches that return more results than Veza can render at once.

Related documentation: See More

Show assumed entities

Parameter to include or exclude indirect and nested relationships (such as roles that are assumed by other roles, or groups that are members of other groups) from search results and from the reviewer interface. The option to Show assumed [entity type] appears under Advanced Options > Relationship Options when the query source or destination is nestable (such as Snowflake Group or AWS IAM Role).

Source Entity Type

The initial node for a query. Entities of the Source type are included in a review scope for review and attestation if a relationship exists between that entity and another entity of the Destination type. If no destination is specified, the query will return all entities of the source entity type.

Related documentation: Source Entity Type

Specific Related Entity

Option to select a single entity of the selected source or destination entity type, and only return relationships for that unique identity, IAM/RBAC entity, or resource.

Related documentation: Specific Related Entity

System Permissions

An individual privilege defined in the provider-native terms, such as s3:DeleteBucket in AWS Identity and Access Management (IAM). System permissions are the basic building blocks of access control, and are typically assigned directly to principals (users, groups, or roles) on resources (files, folders, or objects).

Related documentation: System Permissions

Tagged Entities

The Tagged Entities page provides a way to view and search all entities that have matching Tags.

Related documentation: Tagged Entities

Tags

Tags are used to add extra metadata to entities, using key:value pairs. Two types of tags are supported by the Veza platform:

  • Veza Tags that users add to Access Graph entities.

  • Provider-specific tags that Veza discovers, such as AWS tags, Snowflake tags, and Google Cloud labels.

Tagged Entity Search offers a way to quickly find entities with a matching tag. You can also add tag filters to constrain search results based on whether entities have (or do not have) a certain set of tags.

Related documentation: Tags

Time Machine

Option indicating the Access Graph snapshot to execute the query against.

  • Access Reviews can use a time machine snapshot or use the most recent one when a review is created.

  • Use the Access Graph Time Machine to search against a snapshot of relationships and entities at a specific point in time.

Related documentation: Time Machine
