Adding users, managing accounts, and configuring authentication settings.
Manage user accounts and authentication settings from the Administration > User Management page. The Users list shows all system users and local accounts provisioned for users who have logged in with single sign-on.
To add a local user and assign teams and roles:
Navigate to Administration > User Management
Click Add User
Enter the required information:
User Name: Unique identifier for the user account
Email: Primary email address for the user
Configure team and role assignments:
Root Team: Assign to grant access to all integrated providers based on role
Custom Teams: Assign to limit user access to specific integrations
Roles: Select appropriate roles using checkboxes (see User Roles and Permissions)
Multiple roles can be selected simultaneously for each team assignment
Use + Add Another Team to assign multiple teams
Click Create User to save the new user account
You can modify user roles using two different approaches:
Option 1 - From User Management (recommended for cross-team role management):
Go to Administration > User Management
Locate the user and click Change Roles
Modify existing team roles or add new team assignments
Select or deselect roles as needed
Click Save to apply changes
Option 2 - From Team Management (for team-specific role changes):
Go to Administration > Team Management
Click the team name containing the user
Locate the user and click Change Roles
Select or deselect roles for that specific team
Click Save to apply changes
Use the User Management approach when managing a user's roles across multiple teams. Use the Team Management approach when updating roles for multiple users within a specific team.
User permissions are determined by their role assignments within each team and the team's scope. Key principles:
Users can belong to multiple teams with different roles in each
Root team members have access to all integrated providers
Custom team members have access only to specific integrations assigned to their team
For complete details on role capabilities, team assignment rules, and permissions matrices, see User Roles and Permissions.
To enable Single Sign-On for your users:
Configure a compatible identity provider (IdP)
Set up SAML or OIDC integration
Configure default role assignments for federated identities
Test the SSO configuration with a test user
After enabling SSO, Veza automatically creates local accounts when users authenticate with their IdP for the first time. This allows you to assign workflow reviewers by email without creating accounts beforehand.
Your SSO configuration can define a default role for federated identities. Veza recommends validating this behavior and contacting the Veza customer success team to change it if desired. By default, Veza will assign the Access Reviewer role to SSO users.
If you have configured your SSO IdP as a Veza integration, you can:
Enable reviewer suggestions based on user attributes
Use manager relationships for Access Review assignments
Leverage group memberships for automatic team assignment
For detailed configuration, see Global IdP Settings.
For automated user lifecycle management, Veza supports SCIM Provisioning with compatible identity providers:
Supported IdPs: Okta, Microsoft Entra ID, and other SCIM 2.0 compatible providers
Capabilities: Automated user provisioning, updates, and deprovisioning
Benefits: Eliminates manual user management and ensures access is synchronized with your IdP
Local user passwords must meet the following requirements:
Minimum length: 10 characters
Character types: At least one uppercase letter, lowercase letter, number, and symbol
Password strength: Must meet minimum strength requirements based on complexity analysis
Password history: Cannot reuse any of the last 8 passwords
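The requirements above are easy to get subtly wrong (the history check in particular). The following is an added example, not Veza's own code, of a local-password policy check that enforces the stated rules: minimum length 10, all four character classes, no reuse of the last 8 passwords (compared against salted hashes, never plaintext). The strength threshold is an assumption, since the page does not define Veza's complexity analysis; a rough entropy estimate stands in for it.

```python
import hashlib
import hmac
import math
import os
import re

MIN_LENGTH = 10          # page: minimum length 10 characters
HISTORY_DEPTH = 8        # page: cannot reuse any of the last 8 passwords
MIN_ENTROPY_BITS = 50.0  # assumption: the page does not state the strength threshold
PBKDF2_ROUNDS = 50_000   # assumption: work factor for the history hashes

CLASSES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "number": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def estimated_entropy_bits(password: str) -> float:
    """Rough strength estimate: log2(character pool) per distinct character.
    Repeated characters add nothing, so 'Aaaaaaaaa1!' scores low even though it
    satisfies the class rules. (Assumption: stand-in for the unspecified analysis.)"""
    pool = 0
    if CLASSES["uppercase"].search(password):
        pool += 26
    if CLASSES["lowercase"].search(password):
        pool += 26
    if CLASSES["number"].search(password):
        pool += 10
    if CLASSES["symbol"].search(password):
        pool += 33
    if pool == 0:
        return 0.0
    return math.log2(pool) * len(set(password))


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def remember(history: list, password: str) -> None:
    """Record a newly set password as (salt, hash); keep only the last HISTORY_DEPTH."""
    salt = os.urandom(16)
    history.append((salt, _hash(password, salt)))
    del history[:-HISTORY_DEPTH]


def violations(password: str, history=()) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in CLASSES.items():
        if not pattern.search(password):
            problems.append(f"missing {name}")
    if estimated_entropy_bits(password) < MIN_ENTROPY_BITS:
        problems.append("too weak (low complexity)")
    # Each history entry has its own salt, so the candidate is re-hashed per entry;
    # compare_digest avoids leaking how many bytes matched.
    for salt, digest in list(history)[-HISTORY_DEPTH:]:
        if hmac.compare_digest(_hash(password, salt), digest):
            problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
            break
    return problems


if __name__ == "__main__":
    past = []
    remember(past, "Correct-Horse-7battery")
    print(violations("Correct-Horse-7battery", past))  # reuse is rejected
    print(violations("Aaaaaaaaa1!"))                   # classes pass, strength fails
```

Keeping the history as salted PBKDF2 hashes rather than plaintext means a leaked history table does not hand over eight previous passwords per user.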
If users experience login issues:
401 errors after password change: Clear browser cookies and try again
Account lockouts: Contact an administrator to unlock the account
SSO issues: Verify IdP configuration and user provisioning status
MFA problems: Check multi-factor authentication device and backup codes
For programmatic user management, see Team and User Management APIs.
User Roles and Permissions - Complete role definitions, permissions matrices, and access control
Team Management - Team creation, organization, and access scope management
Multi-factor Authentication - Enhanced account security
Single Sign-On Configuration - SSO setup and management
SCIM Provisioning - Automated user lifecycle management
Support User Access - Granting access to Veza support
Limit access to specific integrated providers with Team and Role assignments for Veza users.
On Veza, team assignments can restrict the authorization data a user can see, based on the integrations scoped to the team. After an administrator has created a custom team and defined the integrations its members can access, they can add users to the team and set an operator or viewer role on the Veza Team Management page.
The Root team allows full visibility of all graph data and access to the Operator, Administrator, and Access Reviewer roles.
Non-Root teams support a read-only Viewer role, and a limited Operator role.
Users must have an administrator or operator Root team role to access Veza Access Reviews, Rules, and Administration features.
Non-root team members can view events and integrations in the team scope, but not change configurations.
Teams enable read-only, limited-scope API Keys.
Each team has a unique copy of built-in reports, queries, and saved searches.
When creating a team, administrators specify the allowed graph data sources from a list of all provider integrations. The team's scope might include a single cloud provider account, identity provider domain, or SQL database, or grant access to many different integrations.
To add a team and define its scope, go to Administration > Team Management.
Click Add Team
Add a team name and description
Select the integrations that will be visible to the team from the list of Providers scoped to the Team
Click Create Team
To optimize the user experience in non-root teams, consider whether users will need access to related identity or resource entities from another integrated provider, such as Single Sign-On users from an external IdP, or roles and groups from another cloud platform.
You can add or remove team members from the Team Management page, or when creating a user from the Users page. You will need to create a team before you can add users.
Find the team on the list of Teams
Click on the team to open the team details
Click Add Users
Add a user by selecting one from the dropdown menu
Pick a role for the user
Click Confirm
Users on non-root teams can only have the viewer or operator role. Other roles are currently restricted to the root team.
When browsing the Veza platform, users on non-root teams can only view entities and Veza features allowed by the user's role and the team's scope. Users can change the active team under their Profile to view graph results for different teams.
To change the active team:
Click your username on the main Veza navigation menu
On the Your Profile page, find the Teams section
Pick an active team from the dropdown menu
If entities are not allowed for the user's team but are critical in describing the permissions path of in-scope results, redacted entities appear in their place.
Users assigned to non-root teams can only view Queries associated with allowed Integrations for their team.
For users assigned to more than one team, the current level of access depends on the team the user has actively enabled. Users can change their current active team on their Profile page.
Configuring multi-factor authentication and troubleshooting login issues.
Multi-Factor Authentication (MFA) enhances the security of your user account by requiring more than one form of verification when logging in, such as a password combined with time-sensitive credentials from an authenticator app.
Given the sensitive nature of Veza's data, your organization can mandate a second authentication factor for users. To enable MFA for a local Veza account, access your user profile.
If you sign in to Veza with Single Sign-On, you will not be able to enable MFA in Veza. Instead, you will use an authentication factor associated with your corporate identity provider account.
Set up MFA with an authenticator app such as Google Authenticator:
Click on your user name in the main navigation bar to access your user profile.
In the Two-Factor Authentication section, click Third-Party Authenticator App and click Configure.
Open your preferred authenticator app, and scan the QR code or manually enter the provided code.
Enter the code generated by your authenticator app.
Securely save the provided recovery codes for account backup.
Ensure that you have safely stored the recovery codes. Click Continue.
Most mobile authenticator applications are compatible with Veza MFA. If you do not have an approved app, consider these:
Android
Duo Mobile, LastPass Authenticator, Microsoft Authenticator, Google Authenticator, Symantec VIP
iOS
Duo Mobile, LastPass Authenticator, Microsoft Authenticator, Google Authenticator, Symantec VIP
If you lose your recovery options, reach out to a Veza administrator within your organization. Administrators have the capability to reset your authenticator configuration. If your organization's sole administrator has lost access, contact Veza support for help.
Temporarily grant access to Veza support personnel for troubleshooting and assistance.
By default, Veza employees cannot access customer tenant data. To troubleshoot issues with assistance from the Veza support team, you can create a short-lived support user account with limited teams and roles in your environment. This account expires automatically after a specified duration, ensuring security and compliance with organizational policies.
Upon expiration, the support account is automatically disabled and removed from the Users page. You can re-enable the account using the Support User Access form.
After consenting to support access, authorized Veza personnel can log in to your tenant at the URL https://<your-organization.vezacloud.com>/api/private/support:login.
Log in as an administrator and go to System Settings.
Click Support User Access.
Assign appropriate team(s) and role(s). Click Next.
For read-only investigation, assign the Operator role for the Root team. To enable the support user to make changes to your tenant, assign the Administrator role.
Click Next and tick the checkbox to consent to support access for an initial 12 hours. Click Grant Access to Veza Support to enable the user.
Granting access will notify the Veza support team. After access is granted, the page will show the user details and time remaining:
To add time in 24-hour increments, click the Extend Access button. Access can be granted for up to one week in this way.
The user should now also be visible in the User Management table. This user will have the Support user type, and the Roles/Teams cannot be changed.
Updating Roles/Teams for the support user requires disabling the user and re-granting access with the new Roles/Teams.
Access extension can also be done from the Actions menu in the User Management table, as shown in the screenshot below.
Any events produced by support user actions are logged with the support user email, in the form:
<action> by <user email> via [email protected]
See the screenshot below to compare an API key creation Event for a normal user vs. a support user:
When support access expires, the user is removed from all associated teams, and any API keys created by the support user are deleted.
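Because support-user events carry a distinct "via" suffix, they are straightforward to separate from ordinary user activity and to check against the consent window described above (12 hours initially, extended in 24-hour increments, up to one week). The following is an added example, not Veza's code, that parses constructed event lines in that shape, tags every support-user action, flags API-key creation as sensitive, and flags any support activity that falls outside the consented window. The timestamp prefix, the email addresses, and the exact window arithmetic are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Event text shape from the page: "<action> by <user email> via <support email>".
# Ordinary user events have no "via" suffix.
EVENT_RE = re.compile(r"^(?P<action>.+?) by (?P<user>\S+)(?: via (?P<via>\S+))?$")

INITIAL_GRANT = timedelta(hours=12)   # page: initial consent is 12 hours
EXTENSION = timedelta(hours=24)       # page: Extend Access adds 24 hours
MAX_GRANT = timedelta(days=7)         # page: up to one week in total


def access_window(granted_at: datetime, extensions: int = 0):
    """(start, end) of the consented window; assumption: the cap applies to the total."""
    length = min(INITIAL_GRANT + EXTENSION * extensions, MAX_GRANT)
    return granted_at, granted_at + length


def parse_event(line: str):
    """Constructed line format: '<ISO-8601 timestamp> <action> by <user> [via <support>]'."""
    stamp, _, text = line.partition(" ")
    match = EVENT_RE.match(text)
    if not match:
        return None
    try:
        when = datetime.fromisoformat(stamp)
    except ValueError:
        return None
    return {"time": when, "action": match["action"], "user": match["user"], "via": match["via"]}


def audit_support_activity(lines, granted_at: datetime, extensions: int = 0,
                           sensitive=("API key",)):
    """Return every support-user event with tags a reviewer would act on."""
    start, end = access_window(granted_at, extensions)
    findings = []
    for line in lines:
        event = parse_event(line)
        if event is None or event["via"] is None:
            continue  # unparseable, or a normal user action
        tags = ["support-user-action"]
        if not (start <= event["time"] <= end):
            tags.append("outside-consented-window")
        if any(word.lower() in event["action"].lower() for word in sensitive):
            tags.append("sensitive-action")
        findings.append({**event, "tags": tags})
    return findings


# Constructed sample: access granted 2024-05-01 08:00 UTC, extended once (36 hours total).
GRANTED = datetime(2024, 5, 1, 8, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    "2024-05-01T09:15:00+00:00 Create API key by alice@example.com",
    "2024-05-01T10:30:00+00:00 Create API key by support.user@example.com via support@example.invalid",
    "2024-05-01T11:00:00+00:00 Run saved query by support.user@example.com via support@example.invalid",
    "2024-05-03T02:00:00+00:00 Modify integration by support.user@example.com via support@example.invalid",
]

if __name__ == "__main__":
    for finding in audit_support_activity(SAMPLE_LOG, GRANTED, extensions=1):
        print(finding["time"].isoformat(), finding["action"], finding["tags"])
```

An event tagged outside-consented-window is worth a ticket even if the platform itself enforces expiry: it means either the grant was re-enabled without the reviewer knowing or the log timestamps are off, and both are things an administrator wants to see.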
Guide to Veza platform roles, permissions, and access control.
This guide provides a comprehensive overview of user roles and permissions in Veza. Role assignments define a user's permissions within the platform and determine what features and data they can access.
Veza uses role-based access control (RBAC) to manage user permissions. Roles are assigned when creating users and can be modified from the User Management page. Each role grants specific capabilities and determines which Veza features a user can access.
Generally Available (GA) Roles are available by default for all Veza tenants without requiring enablement.
Early Access Roles require enablement by Veza support before they can be assigned to users. These roles provide specialized capabilities that may be in development or testing phases.
Some roles can only be assigned to users on the root team, while others are intended for use in combination with Teams.
Root Team Members: Can have Administrator, Access Reviewer, Operator, and most specialized roles
Non-Root Team Members: Limited to Operator, Viewer, Integrations Manager, and Integration Owner roles
Role Combinations: Users can be assigned multiple roles and can belong to multiple teams
These roles are available by default for all Veza tenants:
Administrator
Root
Superuser role with full system access. Can manage all settings, users, and has all privileges. Includes user management, system configuration, and complete platform access.
Operator
Root, Non-root
Can access all Veza features including Search, Reports, and Analytics. Can create Access Reviews and Review Configurations. NOTE: Non-root operators cannot create Access Reviews or Review Configurations.
Access Reviewer
Root
Limited role for users assigned to Access Reviews. Users can view assigned access reviews and act on assigned results. Reviewers only see authorization paths and details for rows where they are a reviewer.
SCIM Provisioner
Root
Role for managing users and groups using SCIM 2.0 endpoints. Enables automated user lifecycle management through identity provider integration.
Integrations Manager
Root, Non-root
Provides privileges for connecting and editing integrations. Can configure data sources and manage integration settings. NOTE: When used in non-root teams, users must also be assigned a role that provides basic login access.
Integration Owner
Root, Non-root
Provides ownership privileges for specific integrations and data sources. Can manage assigned integrations and view related data extraction status and logs.
Access Reviews Monitor
Root
Specialized read-only role for monitoring Access Review campaigns and progress. Can view review configurations, progress metrics, and completion status across all reviews without the ability to make changes or access other Veza features.
These roles require enablement by Veza support and may not be available by default:
Early Access Roles: The following roles are in early access and must be enabled by Veza support before they can be assigned to users. Contact your Customer Success Manager or Veza support to request access to these roles.
Viewer
Root, Non-root
Read-only access to Veza features such as Search and Reports. NOTE: Root team access requires ROOT_TEAM_VIEWER feature enablement. Non-root team access is available without additional flags.
Auditor
Root
Grants privileges for exporting audit logs and events. Can access system audit trails and compliance reporting features for regulatory and security requirements.
OAA Push
Root, Non-root
Grants privileges for uploading Open Authorization API (OAA) payloads. Enables custom application integration through the OAA framework.
Watcher
Root
Read-only operator that cannot make changes in Veza (such as starting an Access Review). Can view Review Configurations and Review Actions but cannot access other Veza features.
Re-assigner
Root
Specialized role with the ability to re-assign any result in an Access Review. Has the same limitations as Watchers but can update assigned reviewers for active Reviews.
Programmatic Key Manager
Root, Non-root
Enables principals to programmatically manage API keys. By default, API key endpoints are restricted to interactive sessions. Allows automated API key lifecycle management.
OAA CSV Manager
Root, Non-root
Limited role allowing application owners to manage their own CSV-based integrations. Users can only manage CSV Upload integrations. Required for CSV Upload integrations.
NHI Security Admin
Root
Specialized role for managing Non-Human Identity (NHI) security features, configurations, and policies. Provides access to NHI-specific dashboards, risk assessments, and security controls for service accounts, API keys, and other non-human identities.
Veza uses teams to organize users and control access to specific integrations and data sources. Role behavior varies depending on team assignment:
The root team is always available, and can be used for common user management scenarios:
Full Platform Access: Users on the root team have access to all integrated providers based on their role
Administrative Capabilities: Only root team members can perform user management and system configuration
Review Creation: Access Review and Review Configuration creation is restricted to root team operators and administrators
Administrators can create custom teams with limited access to specific integration data sources.
Scoped Access: Users see only the integrations and data sources assigned to their team
Limited Roles: Can only have Operator, Viewer, Integrations Manager, or Integration Owner roles
Feature Restrictions: Cannot create Access Reviews, manage users, or access system-wide configuration
Typically, assign the root team to users who need system-wide access and use custom teams to limit access to specific business units or applications. Combine multiple roles when users need a range of capabilities. The Integration Owner role can provide application-specific administrators with limited access to other integrations and features.
Security Considerations:
Limit Administrator role assignments to essential personnel
Use non-root teams to implement least-privilege access
Regularly review role assignments, especially for early access roles
Consider using Watcher role for temporary or limited access needs
Monitor usage of specialized roles like OAA Push and Programmatic Key Manager
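The team and role rules on this page lend themselves to an automated check of an exported assignment list. The following is an added example, not Veza's code or API, that encodes the Root / Non-root column of the role definitions above, rejects roles that are not assignable on a non-root team, warns when Integrations Manager is the only role on a non-root team, and surfaces Administrator and the monitored specialized roles for periodic review. The sample assignments are constructed, and treating Operator and Viewer as the roles that provide basic login access is an assumption.

```python
from collections import Counter

# Team kinds each role may be assigned to, taken from the role definitions on this page.
ROLE_TEAMS = {
    "Administrator": {"root"},
    "Operator": {"root", "non-root"},
    "Access Reviewer": {"root"},
    "SCIM Provisioner": {"root"},
    "Integrations Manager": {"root", "non-root"},
    "Integration Owner": {"root", "non-root"},
    "Access Reviews Monitor": {"root"},
    "Viewer": {"root", "non-root"},
    "Auditor": {"root"},
    "OAA Push": {"root", "non-root"},
    "Watcher": {"root"},
    "Re-assigner": {"root"},
    "Programmatic Key Manager": {"root", "non-root"},
    "OAA CSV Manager": {"root", "non-root"},
    "NHI Security Admin": {"root"},
}
LOGIN_ROLES = {"Operator", "Viewer"}  # assumption: roles that provide basic login access
WATCHLIST = {"Administrator", "OAA Push", "Programmatic Key Manager"}  # page: review/monitor these


def audit_assignments(assignments):
    """assignments: iterable of (user, team, roles). Returns (severity, user, team, message) tuples."""
    findings = []
    for user, team, roles in assignments:
        kind = "root" if team == "Root" else "non-root"
        roles = set(roles)
        for role in sorted(roles):
            allowed = ROLE_TEAMS.get(role)
            if allowed is None:
                findings.append(("error", user, team, f"unknown role {role!r}"))
            elif kind not in allowed:
                findings.append(("error", user, team, f"{role} is not assignable on a non-root team"))
            elif role in WATCHLIST:
                findings.append(("review", user, team, f"{role} is high-impact; confirm it is still needed"))
        if kind == "non-root" and "Integrations Manager" in roles and not roles & LOGIN_ROLES:
            findings.append(("warning", user, team,
                             "Integrations Manager without a role that provides login access"))
    return findings


def summarize(findings) -> dict:
    """Count findings per severity, for a quick dashboard line."""
    return dict(Counter(severity for severity, *_ in findings))


def users_with_role(assignments, role: str) -> list:
    """Sorted, de-duplicated list of users holding `role` on any team."""
    return sorted({user for user, _, roles in assignments if role in roles})


# Constructed sample export.
ASSIGNMENTS = [
    ("alice", "Root", ["Administrator"]),
    ("bob", "Root", ["Operator", "Access Reviewer"]),
    ("carol", "Payments", ["Integrations Manager"]),          # no login role alongside it
    ("dave", "Payments", ["Administrator", "Viewer"]),        # Administrator is root-only
    ("erin", "Payments", ["Programmatic Key Manager", "Operator"]),
    ("frank", "Root", ["Superadmin"]),                        # not a Veza role
]

if __name__ == "__main__":
    for severity, user, team, message in audit_assignments(ASSIGNMENTS):
        print(f"[{severity}] {user}@{team}: {message}")
    print(summarize(audit_assignments(ASSIGNMENTS)))
```

Running this against a periodic export turns "regularly review role assignments" into a concrete diff: the review findings are the standing list of high-impact holders, and any error is a configuration that should not exist.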
The following table shows specific permissions for the core root team roles (Administrator, Operator, and Access Reviewer). ☒ means the role has the permission; ☐ means it does not.

| Permission | Administrator | Operator | Access Reviewer |
| --- | --- | --- | --- |
| Configure data sources | ☒ | ☐ | ☐ |
| View data sources | ☒ | ☒ | ☐ |
| View data source events | ☒ | ☒ | ☐ |
| User management | ☒ | ☐ | ☐ |
| Search* | ☒ | ☒ | ☐ |
| View data catalog | ☒ | ☒ | ☐ |
| Create workflows | ☒ | ☒ | ☐ |
| Manage certifications | ☒ | ☒ | ☐ |
| Continue certification** | ☒ | ☒ | ☒ |
| Configure Notifications | ☒ | ☒ | ☐ |
| Create API keys | ☒ | ☐ | ☐ |
| Manage rules | ☒ | ☒ | ☐ |
| View and create reports | ☒ | ☒ | ☐ |
| View tags*** | ☒ | ☒ | ☒ |
| Create and add tags | ☒ | ☒ | ☐ |
Notes:
* Users with the operator role can only view their own saved searches.
** Users with the access reviewer role can only view and continue their assigned Access Reviews.
*** Users with the access reviewer role can only see relationships and entity properties (such as tags) for their assigned results. They cannot use Search features such as Graph or the Query Builder.
User Management - Creating and managing user accounts
Team Management - Organizing users and controlling access scope
Single Sign-On Configuration - Enabling SSO and default role assignment
SCIM Provisioning - Automated user lifecycle management
CSV Upload Integration - Using the OAA CSV Manager role