Core Concepts

Terms and definitions for core concepts in the Veza platform.

Access Graph

A time-bound snapshot of the entities, relationships, and attributes collected by Veza integrations. Used for investigation, intelligence automation, and rule creation across connected applications, identity providers, and cloud services.

Cloud Service Provider

A Cloud Service Provider (CSP), such as AWS or Microsoft Azure, offers a platform for infrastructure, applications, storage, and other services such as Identity and Access Management or data warehousing.

Effective and System Permissions

Permissions are the individual rights and authorizations a user has to perform actions on resources. In modern IAM, “effective permissions” are the permissions a user can actually exercise after every IAM construct has been applied, including explicit denies, service control policies, permission boundaries, and other access controls. “System permissions” are the permissions directly assigned or granted to a principal (e.g., user, group, or role) on a specific resource (e.g., file, folder, or object). These are typically defined and managed within the security system itself and set the baseline level of access.

  • In Veza, Effective Permissions can be Data (C)reate, (R)ead, (W)rite, (D)elete, (N)on-Data, and (M)etadata.

  • In Graph search, (S)ub indicates that a principal has permissions on sub-resources within a service.

Examples of effective permissions and corresponding capabilities:

  • MetadataWrite, MetadataRead, MetadataCreate, MetadataDelete - Permission to create a Redshift database table, or change an S3 bucket policy.

  • DataRead, DataWrite, DataCreate, DataDelete - Permission to read, write, create, or delete data, such as reading database tables or pushing to a repository.

  • NonData - All other permissions that do not apply to data, such as permission to cancel a Redshift query or reboot a Redshift cluster.
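To make the distinction between system and effective permissions concrete, the following added example (not code from the Veza platform or its documentation) evaluates a small access-graph snapshot of the kind described above: users, group memberships, and the policy statements bound to them. It first collects the identity-level grants (system permissions) and then applies the guardrails the definition names, explicit denies, a service control policy and a permission boundary, in a simplified AWS-style order to obtain the effective set, which it then condenses into the C/R/W/D/N/M letters Veza uses. The mapping of individual AWS actions to categories, the sample users and policies, and the `AccessGraph`/`Statement` structures are assumptions constructed for the example.

```python
"""Effective vs. system permissions over a small access graph (added example)."""
import fnmatch
from dataclasses import dataclass, field

# Veza's effective-permission categories named on the page, as single-letter flags.
CATEGORY_FLAG = {
    "DataCreate": "C", "DataRead": "R", "DataWrite": "W", "DataDelete": "D",
    "NonData": "N",
    "MetadataCreate": "M", "MetadataRead": "M", "MetadataWrite": "M", "MetadataDelete": "M",
}

# Assumed classification of a few AWS-style actions into those categories.
# Constructed for this example; the classification Veza applies is not described on the page.
ACTION_CATEGORY = {
    "s3:GetObject": "DataRead",
    "s3:PutObject": "DataWrite",
    "s3:DeleteObject": "DataDelete",
    "s3:GetBucketPolicy": "MetadataRead",
    "s3:PutBucketPolicy": "MetadataWrite",
    "redshift:RebootCluster": "NonData",
}


@dataclass
class Statement:
    """One policy statement: Allow or Deny a set of action and resource patterns."""
    effect: str      # "Allow" or "Deny"
    actions: set     # e.g. {"s3:GetObject", "s3:*"}
    resources: set   # ARN patterns; "*" matches anything


@dataclass
class AccessGraph:
    """Toy snapshot: users, their groups, and the policies that bind them (hypothetical)."""
    users: dict = field(default_factory=dict)       # user -> {"groups": [...], "policies": [...]}
    groups: dict = field(default_factory=dict)      # group -> [Statement, ...]
    scps: list = field(default_factory=list)        # organization-wide guardrails
    boundaries: dict = field(default_factory=dict)  # user -> [Statement, ...] (permission boundary)


def _matches(stmt, action, resource):
    return (any(fnmatch.fnmatchcase(action, a) for a in stmt.actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in stmt.resources))


def _decision(statements, action, resource):
    """'Deny' if any matching statement denies, 'Allow' if one allows, else None (implicit deny)."""
    verdict = None
    for stmt in statements:
        if _matches(stmt, action, resource):
            if stmt.effect == "Deny":
                return "Deny"
            verdict = "Allow"
    return verdict


def identity_statements(graph, user):
    """Statements attached to the principal directly or inherited through its groups."""
    entry = graph.users[user]
    stmts = list(entry["policies"])
    for group in entry["groups"]:
        stmts.extend(graph.groups[group])
    return stmts


def system_permissions(graph, user, resource):
    """Actions granted at the identity level, before any guardrail is applied."""
    stmts = identity_statements(graph, user)
    return {a for a in ACTION_CATEGORY if _decision(stmts, a, resource) == "Allow"}


def effective_permissions(graph, user, resource):
    """Actions that survive every layer: identity policies, SCPs, and a boundary if present.

    Simplified AWS order: an explicit Deny in any layer wins; otherwise every layer
    that exists must contain a matching Allow, or the action is implicitly denied.
    """
    stmts = identity_statements(graph, user)
    boundary = graph.boundaries.get(user)
    allowed = set()
    for action in ACTION_CATEGORY:
        layers = [_decision(stmts, action, resource), _decision(graph.scps, action, resource)]
        if boundary is not None:
            layers.append(_decision(boundary, action, resource))
        if all(v == "Allow" for v in layers):
            allowed.add(action)
    return allowed


def category_flags(actions):
    """Condense a set of actions into Veza-style letters, e.g. 'RW' for DataRead + DataWrite."""
    return "".join(sorted({CATEGORY_FLAG[ACTION_CATEGORY[a]] for a in actions}))


# Constructed sample: alice and bob share a group, alice carries a boundary limited to S3,
# bob has a direct Deny, and an SCP blocks bucket-policy changes organization-wide.
SAMPLE = AccessGraph(
    users={
        "alice": {"groups": ["analysts"],
                  "policies": [Statement("Allow", {"s3:PutBucketPolicy"}, {"arn:aws:s3:::reports"})]},
        "bob": {"groups": ["analysts"],
                "policies": [Statement("Deny", {"s3:PutObject"}, {"*"})]},
    },
    groups={"analysts": [Statement("Allow", {"s3:GetObject", "s3:PutObject", "redshift:RebootCluster"}, {"*"})]},
    scps=[Statement("Allow", {"*"}, {"*"}), Statement("Deny", {"s3:PutBucketPolicy"}, {"*"})],
    boundaries={"alice": [Statement("Allow", {"s3:*"}, {"*"})]},
)

if __name__ == "__main__":
    bucket = "arn:aws:s3:::reports"
    for who in ("alice", "bob"):
        print(who, "system:", category_flags(system_permissions(SAMPLE, who, bucket)),
              "effective:", category_flags(effective_permissions(SAMPLE, who, bucket)))
```

Running it shows why the two sets differ: alice's system permissions read MNRW (her group grants data read/write and a cluster reboot, her direct policy grants a metadata write), but her effective permissions are only RW, because the SCP denies the bucket-policy change and her boundary never allows anything outside S3. Bob has no boundary, so the reboot survives, while his direct Deny removes the write.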

Group

A group is a collection of users sharing the same set of permissions.

IAM

Identity and Access Management (IAM) is a security framework that helps organizations manage and control access to their resources and applications.

Identity Provider

An Identity Provider (IdP), such as Okta or AWS SSO, is a service that stores and verifies user identity. IdPs are typically cloud-hosted and enable single sign-on to other systems.

Local Role

A set of permissions that are local to a single data system, computer, or device within an organization.

Local User

An account created on a single system (a data system, an app, etc.), computer, or device within an organization. Local accounts cannot be used on other data systems, computers, or devices.

RBAC

Role-Based Access Control (RBAC) is a method of managing access to resources and applications based on the roles of individual users.

Role

In Role-based Access Control (RBAC), a role is a collection of permissions that define the actions a user is authorized to perform for resources within an organization’s IT environment.

Search

Veza Search features include Graph, Query Builder, and Tagged Entity Search. Veza Access Reviews leverage graph queries and entity metadata for access and entitlement review.

Related documentation: Search

Service Account

Service accounts are non-human accounts that log into servers and run batch jobs and scripts. Machine identities are similar but connote devices and IoT principals, while bots are similar but focused on automation. All of these are sometimes summarized as non-human identities.

Webhook

A webhook is a way for an application to provide other applications with real-time information. It is a simple HTTP callback that allows a sender to provide information to a receiver when a particular event occurs.
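Because a webhook is an HTTP callback that the receiver accepts from the network, the receiver needs a way to tell a genuine sender's callback from anything else that reaches the endpoint. The added example below (not code from the Veza platform or its documentation) shows both sides of the exchange with a shared-secret HMAC: the sender serializes the event and attaches a timestamp and signature, and the receiver recomputes the signature, compares it in constant time, and rejects requests outside a replay window. The header names, the `sha256=` prefix, the sample event fields and the secret are assumptions constructed for the example; this page does not describe Veza's own webhook signing format.

```python
"""Signed webhook exchange: sender request and receiver verification (added example)."""
import hashlib
import hmac
import json

# Header names and the "sha256=" prefix are assumptions constructed for this example.
SIGNATURE_HEADER = "X-Webhook-Signature"
TIMESTAMP_HEADER = "X-Webhook-Timestamp"


def _mac(secret, timestamp, body):
    # Bind the timestamp into the MAC so a captured request cannot be re-sent
    # later under a fresh timestamp.
    return hmac.new(secret, str(timestamp).encode() + b"." + body, hashlib.sha256).hexdigest()


def build_webhook(event, secret, timestamp):
    """Sender side: serialize the event and produce the headers a receiver can check."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    headers = {
        "Content-Type": "application/json",
        TIMESTAMP_HEADER: str(timestamp),
        SIGNATURE_HEADER: "sha256=" + _mac(secret, timestamp, body),
    }
    return headers, body


def verify_webhook(headers, body, secret, now, tolerance=300):
    """Receiver side: return the parsed event, or None if the request is not trustworthy."""
    ts = headers.get(TIMESTAMP_HEADER, "")
    sig = headers.get(SIGNATURE_HEADER, "")
    if not ts.isdigit() or not sig.startswith("sha256="):
        return None                      # missing or malformed headers
    if abs(now - int(ts)) > tolerance:
        return None                      # stale: outside the replay window (seconds)
    expected = _mac(secret, int(ts), body)
    if not hmac.compare_digest(expected, sig[len("sha256="):]):
        return None                      # body or headers altered, or wrong secret
    return json.loads(body)              # only parse after the signature checks out


# Constructed sample event; the field names are illustrative, not Veza's schema.
SAMPLE_EVENT = {"event": "access_review.completed", "review_id": "rev-123", "decisions": 42}
SAMPLE_SECRET = b"shared-secret-configured-on-both-sides"

if __name__ == "__main__":
    hdrs, raw = build_webhook(SAMPLE_EVENT, SAMPLE_SECRET, 1700000000)
    print(verify_webhook(hdrs, raw, SAMPLE_SECRET, now=1700000010))
```

The receiver verifies the raw bytes it was sent, not a re-serialized copy, and parses the JSON only after the signature check passes, so a malformed or forged payload never reaches the application logic. Rotating the shared secret means accepting two secrets for a short overlap window; the function above takes a single secret, so a caller handling rotation would try each in turn.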

