Integrations FAQ
Integration architecture, connection methods, security measures, scheduling options, performance considerations, and specific integration details.
Core Integration Concepts
How do Veza integrations connect?
Veza connects to metadata sources (such as Identity Providers, Cloud Providers, SaaS Applications, and Data Lakes) through integrations managed on the Integrations page. Each integration periodically synchronizes to discover new data sources and extract current authorization metadata.
Veza integrations connect through read-only APIs to gather the metadata needed to build that integration's access graph. For each connector, Veza uses the connection method recommended as best practice by the target system. Where the target system defines additional connection methods, Veza generally supports them as well, so customers can use the method they prefer.
What metadata elements does Veza gather?
Identity Metadata: User attributes and entitlements, including role assignments and group memberships.
Employee Attributes: Unique identifiers (e.g., Employee Number, Unique ID), employment details (e.g., job title, employment status), and organizational structures (e.g., department, cost center).
Application Metadata: Local users, groups, roles, permissions, and metadata related to resources and data objects that identities can access.
Refer to individual integration guides for detailed information on supported entities and attributes.
How do integrations connect to data sources that restrict connectivity from outside a corporate network?
Deploying an Insight Point enables secure discovery of data sources that prohibit external connections from outside your corporate network. Typically deployed as a Docker container, Kubernetes service, or VM OVA, the Insight Point runs within your network to query internal-only data sources for authorization metadata and push that information to the Veza graph.
Insight Point Architecture
What is an Insight Point?
An Insight Point is a lightweight, static binary designed for secure metadata extraction within customer networks. It is packaged in several formats, such as a Docker container or an OVA image, so that internal resources can be integrated with Veza without being exposed directly or externally. The Insight Point collects metadata locally and securely transmits it to the customer's Veza instance.
How does the Insight Point work?
Insight Points operate on a pull-based architecture:
The Insight Point securely connects to the customer's configured Veza instance to retrieve extraction tasks.
The Insight Point performs the requested extraction work locally, based on the tasks in the response.
After extraction, the Insight Point transmits the collected data back to the configured Veza instance.
Is there any external connectivity to the Insight Point?
No. All communication is strictly unidirectional with all connections initiated from the Insight Point. Veza cannot initiate inbound connections to the Insight Point.
Can the Insight Point work with firewalls and network proxies?
Yes. Veza’s Insight Point supports working through corporate firewall configurations, network proxy requirements, and standard enterprise network security controls.
Integration Management and Performance
Can administrators schedule when extraction happens (e.g. during off-peak hours)?
Veza supports custom extraction intervals for different integrations; scheduling is best-effort. Each integration has a default extraction interval, and most integrations default to hourly extractions.
Administrators can customize this interval for each integration (1 hour to 30 days) on the System Settings page to optimize cost, performance, and data freshness. Some integrations, such as SharePoint and Snowflake, support activity-based extraction, enabling updates only when changes are detected.
How does Veza handle performance impact on P0 systems (databases, SaaS apps, etc.)?
Veza minimizes impact on business-critical systems with rate-limited API calls, optimized queries, and configurable extraction intervals. For supported integrations, administrators can enable activity-based extractions that only trigger when changes are detected, and set limits on the specific services, entities, and attributes gathered by Veza.
What happens when extractions fail or are interrupted?
Each integration handles extraction errors based on application-specific best practices, using automatic retry logic for recoverable issues. Non-recoverable errors (like missing permissions or service unavailability) fail the extraction and trigger a retry at the next scheduled interval. Administrators can monitor all extraction statuses and errors through the integration Details view and the Events page. Veza also supports exporting these events to external systems.
What happens to long-running or incomplete extractions?
Large extractions can take some time to complete and are allowed to run for extended periods. Jobs that still have not finished are eventually interrupted and retried at the next extraction interval, so that they do not delay the rest of the pipeline.
End-to-End Security
How does Veza ensure the security of integration data?
Veza protects integration data with multiple security layers. See the Security FAQ for detailed information about Veza's security and encryption practices.
All communication uses TLS 1.2+ and AES-256 encryption.
Integration secrets (such as OAuth credentials and API keys) are securely stored, with the option to manage using external vaults.
Access to integration secrets is strictly limited to authorized Veza extraction services.
Platform-specific Integrations
How does Veza integrate with Microsoft Entra ID?
To integrate with Microsoft Entra ID, Veza connects through an Azure App Registration with read-only permissions to the Microsoft Graph API. It retrieves metadata about:
Entra ID roles and role assignments
Groups and group memberships
Users and their attributes
Service principals and their assigned roles
Optional permissions can be added for services like SharePoint, Intune, and Key Vault, depending on the resources Veza will access. For detailed configuration steps, see the Microsoft Azure Integration Guide.
How does Veza integrate with Data Lakes (Snowflake)?
The Veza integration for Snowflake data lake discovery uses a local user configured with a role that grants access to metadata on:
Users and their attributes
Roles and role hierarchies
Resources (databases, schemas, tables, and views)
Permissions and access control policies
The user must have usage privileges on a virtual warehouse (e.g. compute_wh). For tighter access control, you can create an alternative system database containing only the minimal views the extraction requires. Key pair authentication is available as an alternative to passwords. Secure communication between Veza and Snowflake is typically managed through an Insight Point. For detailed implementation steps, see the Snowflake Integration Guide.
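The following Snowflake SQL is an added example, not part of the Veza documentation or the Snowflake Integration Guide, showing the least-privilege setup the section describes: a dedicated read-only role, warehouse usage, the optional minimal metadata database, and a key-pair service user. The names veza_reader, veza_user and veza_metadata, the column choices in the views, and the public key value are assumptions or placeholders.

```sql
-- Added example (not Veza's own code). Run as an account administrator.
USE ROLE ACCOUNTADMIN;

-- 1. Dedicated role used only by the extraction; nothing else is granted to it.
CREATE ROLE IF NOT EXISTS veza_reader;

-- 2. Warehouse usage is required to run the metadata queries.
GRANT USAGE ON WAREHOUSE compute_wh TO ROLE veza_reader;

-- 3a. Simplest option: read the shared SNOWFLAKE.ACCOUNT_USAGE views
--     (USERS, ROLES, GRANTS_TO_ROLES, TABLES, ...). Use 3a OR 3b, not both.
GRANT IMPORTED PRIVILEGES ON DATABASE snowflake TO ROLE veza_reader;

-- 3b. Tighter option: a separate database exposing only the required views.
--     Views run with their owner's privileges (ACCOUNTADMIN here), so
--     veza_reader gets SELECT on these views and nothing else.
CREATE DATABASE IF NOT EXISTS veza_metadata;
CREATE SCHEMA IF NOT EXISTS veza_metadata.views;
CREATE OR REPLACE VIEW veza_metadata.views.users AS
  SELECT name, login_name, disabled, default_role, deleted_on
  FROM snowflake.account_usage.users;
CREATE OR REPLACE VIEW veza_metadata.views.roles AS
  SELECT name, comment, deleted_on
  FROM snowflake.account_usage.roles;
CREATE OR REPLACE VIEW veza_metadata.views.grants_to_roles AS
  SELECT privilege, granted_on, name, table_catalog, table_schema,
         grantee_name, granted_to, deleted_on
  FROM snowflake.account_usage.grants_to_roles;
GRANT USAGE  ON DATABASE veza_metadata        TO ROLE veza_reader;
GRANT USAGE  ON SCHEMA   veza_metadata.views  TO ROLE veza_reader;
GRANT SELECT ON ALL VIEWS IN SCHEMA veza_metadata.views TO ROLE veza_reader;

-- 4. Service user authenticated by key pair only (no PASSWORD clause).
--    Paste the customer-generated RSA public key; the value below is a placeholder.
CREATE USER IF NOT EXISTS veza_user
  DEFAULT_ROLE      = veza_reader
  DEFAULT_WAREHOUSE = compute_wh
  RSA_PUBLIC_KEY    = '<PLACEHOLDER_RSA_PUBLIC_KEY_BASE64>';
GRANT ROLE veza_reader TO USER veza_user;

-- 5. Check the result: only the grants above should appear.
SHOW GRANTS TO ROLE veza_reader;
SHOW GRANTS TO USER veza_user;
```

Re-run the two SHOW GRANTS statements after any later change to confirm the role has not accumulated write privileges.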
How does Veza integrate with SaaS apps (Salesforce)?
To integrate with Salesforce (SFDC), Veza connects via a Salesforce Connected App configured with API permissions to retrieve:
User profiles and permissions
Groups and their memberships
Permission sets and assignments
Data objects and access controls
Sharing rules and account shares
The Connected App uses an X.509 certificate for JWT-based OAuth 2.0 authentication. Veza analyzes permissions, group memberships, and account shares to provide insights and generate effective permissions. Integration configurations support object-level filters and license-based restrictions on the metadata Veza collects. For step-by-step setup instructions, see the Salesforce Integration Guide.