Enrichment Rules

Use enrichment rules to identify non-human identities, assign NHI ownership, detect privileged access, and classify critical resources.

Overview

Enrichment rules allow you to automatically identify and categorize important entities in your environment, such as privileged roles, critical resources, and non-human identities. After configuring an enrichment rule, matching entities are updated with special attributes. Using these attributes to define filters and conditions enables rules, access reviews, and other capabilities for these special entities.

To create an enrichment rule, you first need to use the Query Builder to save a query identifying the entities to enrich. The criteria can be based on various factors, such as:

  • An attribute (e.g., a naming convention or another property that identifies non-human service accounts)

  • Permissions granted by a role

  • Other distinguishing relationships between entities (for example, access to a specific resource).

Enrichment Rule Types

Veza currently supports four types of enrichment rules:

  • Identify Non-Human Identities: Set the identity type attribute of matching users to HUMAN or NONHUMAN.

  • Assign Entity Owners: Assign ownership of entities. Specify a static owner by name or email, or resolve ownership dynamically from a property on the matched entity or a related entity in the graph.

  • Detect Privileged Accounts: Roles that meet the query condition will have the is privileged attribute set to TRUE.

  • Classify Critical Resources: Resources in the query results will have the criticality level attribute set to LOW, MEDIUM, HIGH, or CRITICAL.

When extracting metadata from an integration, Veza will check for matching enrichment rules and update entities that meet the conditions specified by the saved query. For example, an enrichment rule could label roles that grant access to specific permissions or resources as "privileged," mark identities as non-human based on a naming convention, or set a criticality level for resources based on existing tags or attributes.

Create an Enrichment Rule

Administrators can use the Integrations > Enrichment page to manage and create rules. To create a rule, you must specify:

  • The enrichment rule type.

  • The integrations, data sources, and entity type the rule applies to.

  • Rule options, such as the criticality level for critical resources.

To define an enrichment rule:

  1. Navigate to the Enrichment Page:

    • Go to Integrations > Enrichment.

    • Click Add Enrichment Rule.

  2. Name the Rule:

    • Enter an identifiable name in the Rule Name field.

  3. Select the Enrichment Rule Type:

    • Choose one of the following options:

      • Identify Non-Human Identities: For matching users, set the identity type attribute value (HUMAN or NONHUMAN).

      • Assign Entity Owners: For matching entities, assign the enriched_owner attribute to a user from your integrated Identity Provider (IdP) or HRIS.

      • Detect Privileged Accounts: For matching roles, set the is privileged attribute to TRUE.

      • Classify Critical Resources: For matching resources, set the criticality level attribute (LOW, MEDIUM, HIGH, or CRITICAL).

  4. Choose Integrations:

    • Use the Integrations dropdown to select the specific integrations the rule will apply to.

  5. Select Entity Type:

    • Choose a supported Entity Type (e.g., users, roles, resources) from those data sources.

  6. Pick a Saved Query:

    • Select a saved query that identifies the entities to enrich.

  7. Save the Rule:

    • Click Save to apply the changes.

Veza will apply the enrichment rules the next time data sources are extracted. You can trigger this manually by clicking Start Extraction on the Integrations > All Data Sources page.

Entity Owner Enrichment Rules

Entity Owner enrichment rules enable you to assign ownership and accountability for entities across your environment. While commonly used for non-human identities (NHIs) like service accounts and API keys, these rules can apply to any entity type including identities, resources, and roles.


When you assign an enriched owner, Veza combines it with any existing owners to create a merged Owners attribute displayed throughout the platform, which can be used to auto-assign Access Reviews, filter query results, or trigger Rules and Alerts.

To enable an Entity Owner enrichment rule:

  1. Create a saved query identifying the entities to enrich

  2. Specify the enriched owners from your integrated IdP or HRIS

When enabled, Veza validates that the owner exists and sets the enriched_owner attribute for matching entities. Veza combines enriched owners with any manually assigned owners to create a merged Owners attribute. This merged view appears in:

  • Entity detail pages

  • Query Builder results (use the Owners attribute to filter)

  • Access Review auto-assignment

  • Rules and Alerts

Use the Assign Owner with section to choose how Veza identifies the owner. Select Name or Email to enter a fixed owner. Select Entity Property to resolve the owner dynamically from a graph property value. The examples below use Name or Email assignment.

For example, you can assign an owner to all NHIs in an integration:

  • Query condition: AWS IAM Users whose identity type is NONHUMAN

  • Owner value: The email or username of a user from your IdP

Or assign owners by naming convention:

  • Query condition: AWS IAM Users whose identity type is NONHUMAN and whose name starts with "svc-data-"

  • Owner value: The email or username of a user from your IdP

You can also assign an owner based on resource access (or on a relationship to any other destination entity type):

  • Query condition: AWS IAM Users whose identity type is NONHUMAN and that have access to the S3 bucket "production-data"

  • Owner value: The email or username of a user from your IdP

Dynamic owner assignment

Entity Owner enrichment rules support dynamic owner resolution using graph properties. Select Entity Property in the Assign Owner with section to configure this. Instead of entering a fixed name or email, Veza resolves the owner from a property value at each extraction cycle.

Direct property resolution

When ownership information is stored as a property on the entity being enriched, select the property directly from the Property dropdown. Veza reads that property's value for each matched entity to resolve the owner.

For example, if entities in your environment carry a property identifying the responsible person or team, select that property in the enrichment rule form.

Related entity resolution

When ownership information lives on a different entity in the graph, enable the Use additional query for owner toggle. Select a saved query as the Owner Query that traverses from each matched entity to the related entity holding the owner information. Then select the property from that related entity to resolve the owner.

The Owner Query must be a saved query with exactly one destination entity type.

For example, to assign ownership of service accounts based on a linked Okta user:

  1. Create a primary saved query that identifies the service accounts to enrich.

  2. Create a saved query from each service account to its linked OktaUser, with OktaUser as the destination entity type.

  3. In the enrichment rule, select Entity Property, then enable Use additional query for owner.

  4. Select this PATH query as the Owner Query.

  5. Select the email property from OktaUser as the owner value.

When multiple related entities match a single source, Veza uses the entity with the lowest node ID. This tie-break is deterministic but otherwise arbitrary, so if the choice of owner matters, constrain the Owner Query so that it returns exactly one related entity for each matched source.


Finding property names: Use Query Builder to inspect available properties on any entity type. Property names must match the exact key as it appears in the Access Graph.
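To make the owner-resolution behaviour described above concrete, the following Python model is added here as an example; it is not Veza's code and does not use Veza's API. It evaluates rules of all four types against a small constructed graph and shows the three "Assign Owner with" modes (fixed Name or Email, direct Entity Property, and a related-entity Owner Query with the lowest-node-ID tie-break), the merged Owners attribute, and what happens to enrichment attributes when a rule is disabled before the next extraction. Entity types, property names (owner_tag, email, permissions), edge relations and the rule dictionary shapes are all assumptions made for the example.

```python
# Added example, not Veza's code: a small Python model of the enrichment
# semantics this page describes, so the behaviours are concrete. The entities,
# edges, property names (owner_tag, email) and rule shapes are constructed for
# the example and do not correspond to Veza's real data model or API.
from dataclasses import dataclass, field


@dataclass
class Entity:
    node_id: int
    entity_type: str
    name: str
    props: dict = field(default_factory=dict)
    manual_owners: set = field(default_factory=set)
    enriched: dict = field(default_factory=dict)  # attributes written by rules

    @property
    def owners(self) -> set:
        """Merged Owners attribute: manual owners plus the enriched owner, if any."""
        merged = set(self.manual_owners)
        if "enriched_owner" in self.enriched:
            merged.add(self.enriched["enriched_owner"])
        return merged


# Constructed graph: IAM users, one role, one bucket, two Okta users.
GRAPH = {e.node_id: e for e in [
    Entity(10, "AwsIamUser", "svc-data-loader"),
    Entity(11, "AwsIamUser", "svc-data-export"),
    Entity(12, "AwsIamUser", "jdoe"),
    Entity(20, "S3Bucket", "production-data", manual_owners={"storage-admins"}),
    Entity(30, "OktaUser", "alice", {"email": "alice@example.com"}),
    Entity(31, "OktaUser", "bob", {"email": "bob@example.com"}),
    Entity(40, "AwsIamRole", "DeployRole",
           {"permissions": {"s3:*", "iam:PassRole"}, "owner_tag": "platform-eng"}),
]}
# Directed edges: (source node, destination node, relation).
EDGES = {
    (10, 20, "has_access"), (11, 20, "has_access"), (40, 20, "has_access"),
    (10, 30, "linked_to"), (11, 30, "linked_to"), (11, 31, "linked_to"),
}


def related(src: int, relation: str, dst_type: str) -> list:
    """Traverse from src along relation to entities of dst_type (an 'owner query')."""
    return [GRAPH[d] for (s, d, r) in EDGES
            if s == src and r == relation and GRAPH[d].entity_type == dst_type]


def resolve_owner(e: Entity, rule: dict):
    """Owner value for e under the rule's 'Assign Owner with' mode, or None."""
    if rule["assign_with"] == "name_or_email":      # fixed owner
        return rule["owner"]
    if "owner_query" in rule:                       # related-entity resolution
        relation, dst_type, prop = rule["owner_query"]
        matches = related(e.node_id, relation, dst_type)
        if not matches:
            return None
        # Several related entities match: the page says the lowest node ID wins.
        return min(matches, key=lambda m: m.node_id).props.get(prop)
    return e.props.get(rule["property"])            # direct property resolution


def run_extraction(rules: list) -> dict:
    """Re-evaluate every enabled rule, as happens on each extraction. Enrichment
    is rebuilt from scratch, so a rule disabled since the last run contributes
    nothing and its attributes disappear."""
    for e in GRAPH.values():
        e.enriched = {}
    for rule in rules:
        if not rule["enabled"]:
            continue
        for e in GRAPH.values():
            if not rule["query"](e):                # the saved query
                continue
            if rule["type"] == "nhi":
                e.enriched["identity_type"] = rule["value"]
            elif rule["type"] == "owner":
                owner = resolve_owner(e, rule)
                if owner is not None:
                    e.enriched["enriched_owner"] = owner
            elif rule["type"] == "privileged":
                e.enriched["is_privileged"] = True
            elif rule["type"] == "critical":
                e.enriched["criticality_level"] = rule["value"]
    return GRAPH


RULES = [
    {"type": "nhi", "enabled": True, "value": "NONHUMAN",
     "query": lambda e: e.entity_type == "AwsIamUser" and e.name.startswith("svc-")},
    {"type": "owner", "enabled": True, "assign_with": "entity_property",
     "owner_query": ("linked_to", "OktaUser", "email"),
     "query": lambda e: e.entity_type == "AwsIamUser" and e.name.startswith("svc-data-")},
    {"type": "owner", "enabled": True, "assign_with": "entity_property",
     "property": "owner_tag", "query": lambda e: e.entity_type == "AwsIamRole"},
    {"type": "owner", "enabled": True, "assign_with": "name_or_email",
     "owner": "data-platform-team",
     "query": lambda e: e.entity_type == "S3Bucket" and e.name == "production-data"},
    {"type": "privileged", "enabled": True, "query": lambda e: e.entity_type == "AwsIamRole"
     and any(p.endswith(":*") for p in e.props.get("permissions", ()))},
    {"type": "critical", "enabled": True, "value": "CRITICAL",
     "query": lambda e: e.entity_type == "S3Bucket" and e.name == "production-data"},
]
```

Running run_extraction(RULES) gives svc-data-export (node 11) the owner alice@example.com even though it is linked to both Okta users, because node 30 has the lower node ID; the bucket's Owners becomes the union of its manual owner and the enriched one; and disabling the Okta-based owner rule and running again removes enriched_owner from the service accounts while leaving the NHI label in place.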

Manage Enrichment Rules

Use the Integrations > Enrichment page to view all rules and edit or delete individual rules:

  1. Access the Enrichment Page:

    • Go to Integrations > Enrichment.

  2. View Rules by Type:

    • Choose a tab to view rules by type:

      • NHI

      • Entity Owners

      • Privileged

      • Critical Resources

  3. Edit or Delete Rules:

    • Click Edit to update a rule or Delete to remove it.

  4. Enable / Disable Rules:

    • Toggle the switch in the Enabled column to activate or deactivate a rule.

    • Disabling a rule removes its enrichment metadata from existing entities upon the next data source extraction.
