Integrations FAQ

• Core Integration Concepts

  • How do Veza integrations connect?

  • What metadata elements does Veza gather?

  • How do integrations connect to data sources that restrict connectivity from outside a corporate network?

• Insight Point Architecture

  • What is an Insight Point?

  • How does the Insight Point work?

  • Is there any external connectivity to the Insight Point?

  • Can the Insight Point work with firewalls and network proxies?

• Integration Management and Performance

  • Can administrators schedule when extraction happens (e.g. during off-peak hours)?

  • How does Veza handle performance impact on P0 systems (databases, SaaS apps, etc.)

  • What happens when extractions fail or are interrupted?

  • What happens to long-running or incomplete extractions?

• Troubleshooting Integrations

  • How do I troubleshoot discrepancies between Veza and source systems?

• End-to-End Security

  • How does Veza ensure the security of integration data?

• Platform-specific Integrations

  • How does Veza integrate to Microsoft Entra ID?

  • How does Veza integrate with Data Lakes (Snowflake)?

  • How does Veza integrate with SaaS apps (Salesforce)?

Core Integration Concepts

How do Veza integrations connect?

Veza connects to metadata sources (such as Identity Providers, Cloud Providers, SaaS Applications, and Data Lakes) through integrations managed on the Integrations page. Each integration periodically synchronizes to discover new data sources and extract current authorization metadata.

Veza integrations connect via read-only APIs to gather the necessary metadata information to create that integration’s access graph. Veza leverages the best-practice connection methodologies for each connector we build. Veza also generally supports additional connection methods, when another method defined by the target is the preferred method for the customer.

What metadata elements does Veza gather?

• Identity Metadata: User attributes and entitlements, including role assignments and group memberships.

• Employee Attributes: Unique identifiers (e.g., Employee Number, Unique ID), employment details (e.g., job title, employment status), and organizational structures (e.g., department, cost center).

• Application Metadata: Local users, groups, roles, permissions, and metadata related to resources and data objects that identities can access.

• Refer to individual integration guides for detailed information on supported entities and attributes.

How do integrations connect to data sources that restrict connectivity from outside a corporate network?

Deploying an Insight Point enables secure discovery of data sources that prohibit external connections from outside your corporate network. Typically deployed as a Docker container, Kubernetes service, or VM OVA, the Insight Point runs within your network to query internal-only data sources for authorization metadata and push that information to the Veza graph.

Insight Point Architecture

What is an Insight Point?

An Insight Point is a lightweight, static binary designed for secure metadata extraction within customer networks. It is packaged in various formats such as Docker container and OVA image, enabling integration of internal resources to Veza without direct/external exposure. The Insight Point performs local metadata collection and securely transmits the data to the customer’s Veza instance.

How does the Insight Point work?

Insight Points operate on a pull-based architecture:

• The Insight Point will securely connect to the customer’s configured Veza instance to retrieve extraction tasks.

• The Insight Point will take the response and perform the requested extraction work locally.

• After extraction, the Insight Point transmits the data back to the configured Veza instance.

Is there any external connectivity to the Insight Point?

No. All communication is strictly unidirectional with all connections initiated from the Insight Point. Veza cannot initiate inbound connections to the Insight Point.

Can the Insight Point work with firewalls and network proxies?

Yes. Veza’s Insight Point supports working through corporate firewall configurations, network proxy requirements, and standard enterprise network security controls.

Integration Management and Performance

Can administrators schedule when extraction happens (e.g. during off-peak hours)?

Veza can schedule best-effort custom extraction intervals for different integrations. Each integration has a default extraction interval. Most integrations default to hourly extractions.

Administrators can customize this interval for each integration (1 hour to 30 days) on the System Settings page to optimize cost, performance, and data freshness. Some integrations, such as SharePoint and Snowflake, support activity-based extraction, enabling updates only when changes are detected.

How does Veza handle performance impact on P0 systems (databases, SaaS apps, etc.)

Veza minimizes impact on business-critical systems with rate-limited API calls, optimized queries, and configurable extraction intervals. For supported integrations, administrators can enable activity-based extractions that only trigger when changes are detected, and set limits on the specific services, entities, and attributes gathered by Veza.

What happens when extractions fail or are interrupted?

Each integration handles extraction errors based on application-specific best practices, using automatic retry logic for recoverable issues. Non-recoverable errors (like missing permissions or service unavailability) fail the extraction and trigger a retry at the next scheduled interval. Administrators can monitor all extraction statuses and errors through the integration Details view and the Events page. Veza also supports exporting these events to external systems.

What happens to long-running or incomplete extractions?

Unfinished jobs are eventually interrupted and retried at the next extraction interval to prevent pipeline delays. Large extractions can take some time to complete, and are allowed to run for extended periods.

Troubleshooting Integrations

How do I troubleshoot discrepancies between Veza and source systems?

Integration discrepancies can occur when entity counts or attributes don't match between Veza and the source system. Use this approach to identify and resolve common issues:

When Veza displays fewer entities than the source system:

• Data synchronization delay – New data may not have synced to Veza yet. Check the integration's last successful extraction time on the integration Details page. Manually trigger an extraction or wait for the next scheduled sync.

• Authentication issues – Verify that integration credentials are valid and haven't expired. Review any authentication errors in the Events page.

• Scope limitations – Confirm that Veza has been authorized to access all required data sources and organizational units within the integration scope.

• Extraction failures – Check for partial extraction failures that may have prevented complete data collection. See individual integration guides for platform-specific troubleshooting steps.

When entity attributes don't match between systems:

• Data synchronization delay – New data may not have synced to Veza yet. Check the integration's last successful extraction time on the integration Details page. Manually trigger an extraction or wait for the next scheduled sync.

• Integration sync failures – Review integration details for any missed extractions due to missing permissions or connection issues, which could result in stale data in Veza.

Additional troubleshooting resources:

• Integration Management and Performance

• Extraction and Discovery Intervals

• Configuring Integrations

For persistent issues or complex troubleshooting scenarios, contact Veza technical support or your customer success manager for specialized assistance.

End-to-End Security

How does Veza ensure the security of integration data?

Veza protects integration data with multiple security layers. See the Security FAQ for detailed information about Veza's security and encryption practices.

• All communication uses TLS 1.2+ and AES-256 encryption.

• Integration secrets (such as OAuth credentials and API keys) are securely stored, with the option to manage using external vaults.

• Access to integration secrets is strictly limited to authorized Veza extraction services.

Platform-specific Integrations

How does Veza integrate to Microsoft Entra ID?

To integrate with Microsoft Entra ID, Veza connects through an Azure App Registration with read-only permissions to the Microsoft Graph API. It retrieves metadata about:

• Entra ID roles and role assignments

• Groups and group memberships

• Users and their attributes

• Service principals and their assigned roles

Optional permissions can be added for services like SharePoint, Intune, and Key Vault, depending on the resources Veza will access. For detailed configuration steps, see the Microsoft Azure Integration Guide.

How does Veza integrate with Data Lakes (Snowflake)?

The Veza integration for Snowflake data lake discovery uses a local user configured with a role that grants access to metadata on:

• Users and their attributes

• Roles and role hierarchies

• Resources (databases, schemas, tables, and views)

• Permissions and access control policies

The user must have usage privileges on a virtual warehouse (e.g. compute_wh). You can create an alternative system database with minimal required views for greater access control. Key pair authentication is available as an alternative to passwords. Secure communication between Veza and Snowflake is typically managed using an Insight Point. For detailed implementation steps, see the Snowflake Integration Guide.

How does Veza integrate with SaaS apps (Salesforce)?

To integrate with Salesforce (SFDC), Veza connects via a Salesforce Connected App configured with API permissions to retrieve:

• User profiles and permissions

• Groups and their memberships

• Permission sets and assignments

• Data objects and access controls

• Sharing rules and account shares

The Connected App uses an X.509 certificate for JWT-based OAuth 2.0 authentication. Veza analyzes permissions, group memberships, and account shares to provide insights and generate effective permissions. Integration configurations support object-level filters and license-based restrictions on the metadata Veza collects. For step-by-step setup instructions, see the Salesforce Integration Guide.