# Wiz

### Overview

The Veza integration for Wiz connects to a Wiz environment to discover and map Users, Roles, and Projects from the Wiz platform. Veza uses Wiz APIs to populate the Access Graph with entities and metadata. Wiz for Government is not currently supported.

### Requirements

#### Prerequisites

* Wiz environment
* A Wiz Service Account with appropriate permissions (see [Required Permissions](#required-permissions))
* Network [connectivity](/4yItIzMvkpAvMVFAamTf/integrations/connectivity.md) from Veza to your Wiz instance

#### Required Permissions

The Wiz service account must have a role assigned with the following permission scopes:

* `read:users` - Required to retrieve user accounts and their role assignments
* `read:projects` - Required to retrieve project information
* `read:service_accounts` - Required to retrieve service accounts

### Configuring Wiz

Veza connects to Wiz using the OAuth2 client credentials flow. The integration authenticates to `https://auth.app.wiz.io/oauth/token` with the service account Client ID and Client Secret, receives an access token with audience `wiz-api`, and uses that token as a bearer token for GraphQL queries against your Wiz API endpoint. Tokens are refreshed automatically before they expire.

Before adding the integration to Veza, [create an API client on the Wiz platform for the connection](https://docs.wiz.io/dev/generate-api-token).
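The token exchange and refresh-before-expiry behaviour described above, as an added Python example that is not Veza's or Wiz's own code: the form fields follow the standard OAuth2 client-credentials grant with the `wiz-api` audience named on this page, the five-minute refresh margin and the fake token endpoint are assumptions, and the credentials are placeholders.

```python
import json
import time
from urllib.parse import urlencode

TOKEN_URL = "https://auth.app.wiz.io/oauth/token"  # token endpoint named on this page
AUDIENCE = "wiz-api"                                 # token audience named on this page
REFRESH_MARGIN_SECONDS = 300  # assumption: renew five minutes before the stated expiry


def build_token_request(client_id: str, client_secret: str) -> dict:
    """Form-encoded OAuth2 client-credentials request for a Wiz access token."""
    body = urlencode({
        "grant_type": "client_credentials",
        "audience": AUDIENCE,
        "client_id": client_id,
        "client_secret": client_secret,
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return {"method": "POST", "url": TOKEN_URL, "headers": headers, "body": body}


class TokenCache:
    """Holds the bearer token and re-fetches it before the server-stated expiry."""

    def __init__(self, fetch, margin: int = REFRESH_MARGIN_SECONDS):
        self._fetch = fetch  # callable that POSTs the token request and returns its JSON body
        self._margin = margin
        self._token = None
        self._expires_at = 0.0
        self.refreshes = 0

    def get(self, now=None) -> str:
        now = time.time() if now is None else now
        if self._token is None or now >= self._expires_at - self._margin:
            resp = self._fetch()
            self._token = resp["access_token"]
            self._expires_at = now + int(resp["expires_in"])
            self.refreshes += 1
        return self._token


def build_graphql_request(endpoint: str, token: str, query: str, variables=None) -> dict:
    """Authenticated GraphQL POST to the tenant endpoint, e.g. https://api.us17.app.wiz.io/graphql."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    body = json.dumps({"query": query, "variables": variables or {}})
    return {"method": "POST", "url": endpoint, "headers": headers, "body": body}


def fake_token_endpoint() -> dict:
    """Constructed stand-in for the Wiz token endpoint so the example runs offline."""
    return {"access_token": "constructed-token", "token_type": "Bearer", "expires_in": 3600}
```

Pass a real HTTP call in place of `fake_token_endpoint` and keep the Client Secret out of logs and the request URL; it belongs only in the form body.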

### Configuring Wiz on the Veza Platform

To enable Veza to gather Wiz data:

1. Log in to Veza as an administrator.
2. Navigate to the **Integrations** page.
3. Click **Add Integration** and select **Wiz** as the type of integration to add.
4. Enter the required information:
   1. **Wiz API Endpoint Url**: The GraphQL API endpoint URL for your Wiz tenant (e.g. `https://api.us17.app.wiz.io/graphql`).
   2. **Client ID**: The Wiz service account Client ID.
   3. **Client Secret**: The Wiz service account Client Secret.
5. Click **Save** to create the integration.

### Verifying Integration Status

After configuring the integration:

1. Navigate to the **Integrations** page in Veza.
2. Locate the Wiz integration in the list.
3. Check the **Status** column to confirm the integration is connected.
4. Click the integration name to view detailed extraction status on the **Data Sources** tab.
5. After a successful extraction, check the **Integration Overview** to verify that user data appears in Veza Graph as expected.

### Technical Notes

#### Data Synchronization

Data from Wiz is synchronized on a schedule. The integration performs a full extraction when first configured, followed by incremental updates according to your Veza platform's configured [sync schedule](/4yItIzMvkpAvMVFAamTf/integrations/configuration/extraction.md), with a minimum of 12 hours between updates.

### Supported Entities

The Veza integration for Wiz discovers the following entity types and attributes:

#### Identity Entities

**User**

Local or SSO-authenticated user account in Wiz. Each user has exactly one effective role assigned and can have access to specific projects based on whether their role is project-scoped.

**Attributes:**

| Attribute       | Notes                                                                                                                    |
| --------------- | ------------------------------------------------------------------------------------------------------------------------ |
| `id`            | Wiz User ID                                                                                                              |
| `name`          | Wiz User name                                                                                                            |
| `email`         | Wiz User email                                                                                                           |
| `created_at`    | Timestamp the Wiz User was created at                                                                                    |
| `last_login_at` | Timestamp the Wiz User last logged in at                                                                                 |
| `is_active`     | User active status                                                                                                       |
| `is_sso`        | Set to `true` when user authenticates via external identity provider, determined by Wiz's `identityProviderTypeV2` field |

**Notes:**

* Users typically have one effective role assigned. Users without assigned roles are included in the extraction but will not have role-based permissions populated in the authorization graph.
* Users with project-scoped roles have access limited to designated projects
* Users with organization-scoped roles have system-wide access
* Service accounts are discovered and synchronized along with user accounts

**Role**

Permission role that defines access levels through permission scopes. Roles can be either project-scoped (limiting access to specific projects) or organization-scoped (granting system-wide access).

**Attributes:**

| Attribute           | Notes                                       |
| ------------------- | ------------------------------------------- |
| `id`                | Wiz Role ID                                 |
| `name`              | Wiz Role name                               |
| `is_project_scoped` | If the Role is scoped to a specific project |
| `scopes`            | Permission scopes assigned to the Role      |

**Notes:**

* Scopes follow the format `{action}:{resource}` (e.g., `read:projects`, `admin:all`, `update:users`)
* Veza maps Wiz actions to permissions as follows:
  * `admin` → Full access (Create, Read, Write, Delete)
  * `read` → Read-only access
  * `write` or `update` → Write access
  * `create` → Create access
  * `delete` → Delete access
* The wildcard scope `admin:all` grants full administrative access to all resource types in Wiz
* Project-scoped roles limit user access to specific projects; organization-scoped roles grant access to all projects
* Users with project-scoped roles must have explicit project assignments to access resources
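The scope expansion and project-scoping rules above, as an added Python example that is not Veza's or Wiz's own code: the role dict shape (`is_project_scoped`, `scopes`) follows the attribute table, the list of known resource types used to expand `admin:all` is an assumption supplied by the caller, and all sample values are constructed.

```python
# Veza's action-to-permission mapping as listed above.
ACTION_TO_PERMISSIONS = {
    "admin": {"create", "read", "write", "delete"},
    "read": {"read"},
    "write": {"write"},
    "update": {"write"},
    "create": {"create"},
    "delete": {"delete"},
}
WILDCARD_RESOURCE = "all"  # admin:all covers every resource type


def parse_scope(scope: str) -> tuple:
    """Split an '{action}:{resource}' scope; anything else is malformed."""
    action, sep, resource = scope.partition(":")
    if not sep or not action or not resource:
        raise ValueError(f"malformed scope: {scope!r}")
    return action, resource


def effective_permissions(scopes, known_resources):
    """Expand a role's scopes into {resource: set(permissions)}; unmapped actions are returned, not dropped silently."""
    perms = {}
    unmapped = []
    for scope in scopes:
        action, resource = parse_scope(scope)
        granted = ACTION_TO_PERMISSIONS.get(action)
        if granted is None:
            unmapped.append(scope)
            continue
        # The wildcard resource expands to every resource type the caller knows about (assumed list).
        targets = list(known_resources) if resource == WILDCARD_RESOURCE else [resource]
        for target in targets:
            perms.setdefault(target, set()).update(granted)
    return perms, unmapped


def reachable_projects(role: dict, assigned_projects, all_projects) -> set:
    """Project-scoped roles reach only explicitly assigned projects; org-scoped roles reach all."""
    if role["is_project_scoped"]:
        return set(assigned_projects)
    return set(all_projects)


def is_full_admin(role: dict) -> bool:
    """Flag roles carrying the admin:all wildcard for least-privilege review."""
    return "admin:all" in role["scopes"]
```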

#### Container Entities

**Project**

Container for organizing Wiz resources and scoping user access. Projects serve as permission boundaries when roles are configured as project-scoped.

**Attributes:**

| Attribute | Notes            |
| --------- | ---------------- |
| `id`      | Wiz Project ID   |
| `name`    | Wiz Project name |

### Troubleshooting

#### Users Without Role Assignments

If you notice Wiz users in Veza without role assignments, this typically indicates:

* Users are newly created and have not been assigned roles yet
* Users are in a deactivated or suspended state
* API permissions may not include role data for certain user types

These users are correctly captured by the integration. To investigate:

1. Verify the users exist in your Wiz console
2. Check if roles are assigned in Wiz
3. Confirm the integration service account has `read:users` permissions

