# Veza

### Overview

This integration populates the Access Graph to show users, roles, teams, and authentication group mappings within Veza. You can use the integration to familiarize yourself with basic Veza search and administration concepts, and:

* Review access and certify user team and role assignments in Veza
* Search and visualize connections between IdP users and Veza users and teams
* Understand how external authentication groups (SAML, OIDC) map to Veza roles
* Create rules based on the number and attributes of these authorization entities

See [notes and supported entities](#notes-and-supported-entities) for more details.

### Configuring the Veza integration

To enable the integration:

1. In Veza, go to **Configuration** > **Integrations**
2. Click *Add Integration* and pick Veza as the type of integration to add. Click *Next*.
3. Give the integration a name and click *Create Integration*.

#### Identity Mappings

Veza can show relationships between external identities and local users. To enable this, edit your Identity Provider integration and click [Mapping Configurations](/4yItIzMvkpAvMVFAamTf/integrations/configuration/custom-identity-mappings.md) to create a mapping for Veza.

* Choose "Veza" as the destination data source type
* For most SSO configurations, you can match users by the `email` attribute on each entity type.

### Notes and Supported Entities

#### Veza Domain

Represents the top-level tenant for your Veza platform, where users log in.

#### Veza Local Role

A role is a collection of permissions assigned to each user, such as administrator or operator.

* Full Admin: `true` for administrators.
* Permissions: The system permissions allowed by the role.

#### Veza Local Team

Represents a Veza team. Users can be assigned to the Root team for full access, or custom teams scoped to a set of providers.

* Policy Type: Indicates if the team is limited to a `PROVIDER_ID_SET` for custom teams, or `UNBOUND` for root teams.
* Providers: Providers scoped to the role.
* User Count: Number of users added to the team.
* Updated At: Date the team was last changed.

#### Veza Local User

* Auth Provider Type: Indicates if the user has an external account for single sign-on (`SAML_AUTH_PROVIDER`) or is fully managed by Veza (`LOCAL_AUTH_PROVIDER`).

#### Veza Role Binding

Represents a combined team and role assignment. The properties mirror the associated role.

For Access Reviews, querying for "Veza User" to "Veza Role Binding" is an effective way to certify the role and team assignment at the same time.

#### Veza Auth Group

Represents authentication groups from external identity providers that map to Veza roles. These groups provide visibility into how external authentication (SAML, OIDC, etc.) translates to Veza permissions.

* **External ID**: The group identifier from your external identity provider
* **Auth Provider ID**: Unique identifier for the authentication provider
* **Auth Provider Name**: Display name of the authentication provider
* **Auth Provider Type**: Type of authentication provider (SAML, OIDC, etc.)
* **Is Tenant Managed**: Whether the group is managed by Veza or externally

#### Veza Role Mapping

Shows the connection between external authentication groups and Veza roles. These mappings define how group membership in your Identity Provider translates to specific role assignments within Veza.

* **Auth Group Name**: Name of the external authentication group
* **Mapping Strategy**: How your [SAML authentication provider](/4yItIzMvkpAvMVFAamTf/administration/administration/sign-in-settings/saml.md#teams-role-assignments-with-single-sign-on) determines role assignments (pre-configured mappings or direct group-to-role specifications)
* **Auth Provider ID**: Identifies the associated authentication provider
* **Is Default Mapping**: Whether this is a default role assignment or custom mapping
* **Is Tenant Managed**: Whether the mapping is managed by Veza or externally
* **Group ID**: Optional identifier for the group within the mapping

{% hint style="info" %}
For detailed instructions on viewing and using authentication group mappings for access reviews, see [SAML Group to Role Mapping Visibility](/4yItIzMvkpAvMVFAamTf/administration/administration/sign-in-settings/saml-group-role-visibility.md).
{% endhint %}
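
The check below sketches the kind of review the Role Binding and Role Mapping entities support. It is an added example, not Veza code or a Veza export format: the record layout, group names, and users are constructed for illustration, and only the attribute names and enum values (`Full Admin`, `UNBOUND`, `PROVIDER_ID_SET`, `LOCAL_AUTH_PROVIDER`, `SAML_AUTH_PROVIDER`, `Is Default Mapping`) come from this page.

```python
# Constructed sample data. The dict keys are assumptions modelled on the
# attribute names documented above, not a real Veza API response.
ROLES = {"admin": {"full_admin": True}, "operator": {"full_admin": False}}
TEAMS = {"root": {"policy_type": "UNBOUND"},
         "cloud-sec": {"policy_type": "PROVIDER_ID_SET"}}
ROLE_MAPPINGS = [
    {"auth_group_name": "okta-veza-admins", "role": "admin", "is_default_mapping": False},
    {"auth_group_name": "okta-cloud-sec", "role": "operator", "is_default_mapping": False},
    {"auth_group_name": "all-sso-users", "role": "admin", "is_default_mapping": True},
]
USERS = [
    {"email": "alice@example.com", "auth_provider_type": "SAML_AUTH_PROVIDER",
     "bindings": [("admin", "root")]},
    {"email": "bob@example.com", "auth_provider_type": "SAML_AUTH_PROVIDER",
     "bindings": [("operator", "cloud-sec")]},
    {"email": "breakglass@example.com", "auth_provider_type": "LOCAL_AUTH_PROVIDER",
     "bindings": [("admin", "root")]},
]

def review_mappings(mappings, roles):
    """Flag external auth groups whose mapping lands on a Full Admin role."""
    findings = []
    for m in mappings:
        if roles[m["role"]]["full_admin"]:
            # A default mapping applies without a specific group match,
            # so it deserves a closer look than a custom mapping.
            reason = ("default mapping grants Full Admin" if m["is_default_mapping"]
                      else "group maps to Full Admin")
            findings.append((m["auth_group_name"], reason))
    return findings

def review_bindings(users, roles, teams):
    """Flag role bindings that combine Full Admin with an UNBOUND (root) team."""
    findings = []
    for u in users:
        for role, team in u["bindings"]:
            if roles[role]["full_admin"] and teams[team]["policy_type"] == "UNBOUND":
                # Local accounts are not governed by IdP group mappings,
                # so they need to be certified separately.
                source = ("local account" if u["auth_provider_type"] == "LOCAL_AUTH_PROVIDER"
                          else "SSO account")
                findings.append((u["email"], f"Full Admin on unbound team via {source}"))
    return findings

if __name__ == "__main__":
    for item in review_mappings(ROLE_MAPPINGS, ROLES) + review_bindings(USERS, ROLES, TEAMS):
        print(*item, sep=": ")
```
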


