1 of 35

Open Authorization API

Using Veza APIs to add custom data and identity providers to the Veza Entity Catalog

The Open Authorization API (OAA) is used to publish information about identities, authorization, and resources to the Veza Access Graph, making custom-built or otherwise-unsupported applications available for search, workflows, and monitoring. A typical motivation for using OAA is the need to integrate with enterprise applications that don't have an official Veza integration, such as a custom identity broker or source control management system.

Each built-in Veza integration has a fixed schema unique to the provider. Integrations created with OAA can use either the Custom Identity Provider or Custom Application schema, both of which are flexible enough to model a wide range of data and identity sources.

Several community connectors built on OAA are already available for immediate use, enabling easy connection to SaaS providers such as GitHub, SalesForce, and others. You can also develop a custom connector using the Veza-provided Python SDK oaaclient or your language of choice.

To integrate a custom application using OAA, you will typically rely on an API (or another method) to list identities and resources within the host system, and retrieve entity and authorization metadata such as permissions, roles, and activity status. You must then structure this information according to one of the supported OAA templates. Once you have assembled the JSON payload, you can publish it using REST API calls or the oaaclient CLI.

Use Cases

Customers have utilized the Open Authorization API to accommodate many different scenarios. A few use cases include:

Using the GitHub connector to ensure that repositories holding critical source code are correctly configured.
Collecting infrastructure-as-a-code (IaC) configurations to audit which users can log in to important hosts.
Auditing the permissions granted by an internal developer portal.

First Steps

introduces important OAA workflows, the custom application template, and common API operations. When planning your connector, you may also want to review the for more information about naming considerations, mapping custom applications to the OAA schema, and other topics.

Veza provides a and , which you can download using GitHub or pip install oaaclient. Examples and documentation are included with the source code.

Alternatively, you can parse a data source, compile the JSON payload, and publish it using your language of choice. For detailed documentation on the OAA schema and API operations, see:

- suitable for most applications
- for custom Identity Providers
- operations for creating, updating, and deleting OAA providers and data sources

Getting Started

Overview and first steps for building an Open Authorization API connector

A built-in Veza integration or OAA connector might not be available for an application or identity provider you want to connect to Veza. However, you can still use the Open Authorization API to integrate compatible applications and identity providers with the rest of your Veza data catalog.

The adaptable OAA schema can model a wide range of authorization models and resource hierarchies, and you will typically have several options for sourcing authorization metadata from the application provider. To integrate a custom application with Veza, you will need to be able to:

Extract metadata from the source application using an API, command line, or another method to collect the needed authorization-related data. Depending on the application, this could include data resources and sub-resources as well as local users, groups, roles, permissions, and correlation to federated identities or external IDs.
describing the users, resources, and permissions, according to a standard JSON schema. The payload can describe any number of application resources and sub-resources, along with information about identities, groups, permissions, and relationships to other graph entities.
for processing using Veza APIs (after registering a new custom provider and data source if they don't already exist).

You can use the to simplify the process of populating the payload, connecting to Veza, and managing OAA providers and data sources.

1. Extracting metadata from the source application

The process of retrieving user records, along with lists of resources, group and permissions information, will be unique to each technology and OAA connector. You may also need to consider how to adapt the application's implementation of roles, federated identities, and resource hierarchies to fit the .

Typically, the required information will be available from an API, but you should consult the provider's documentation to ensure the information is available, and consider an alternative method for sourcing the data, if not.

Before building a connector, you should read the best practices for and , or see the current list of for real-world examples.

2. Generating a sample payload

Most programming languages offer ways to populate and manipulate a JSON schema. You can also use the for prebuilt functions:

Below is an example of a populated application template. It demonstrates the basic principles of modeling local user permissions on application resources. For more details on all the available entities and properties see the full reference:

Custom Application Payload

Custom Properties

In addition to built-in properties such as department or last_login_at, most entities can have additional user-defined custom properties. Using enables integrations to capture application-specific data that can be useful for reporting and provide additional insight during investigations.

You can also apply to entities within the payload.

3. Creating and Updating Custom Providers and Data Sources

You will use the Veza REST API to create, delete, and update a custom data source under v1/providers/custom/{provider_id}/{datasource_id}. Before you can push an OAA payload, you will need to:

Add a custom Provider to represent the generic application provider (such as "GitHub"), and set the name and template (application or IdP).
Bind a custom Data Source to the new custom Provider (such as "GitHub Organization") to activate it in the data pipeline. The data source will be the destination for future pushes and updates, and should usually represent the top-level instance of the modeled application.

Enabling for Life Cycle Management (optional)

Identity Providers and HR Information Systems

Identity Providers and HR Information Systems can be used as identity sources in Lifecycle Management Policies by marking the Provider as a provisioning source. Identities from these sources will be available when configuring LCM Policies.

Applications

Applications integrated via OAA can be managed through LCM Workflows via one of two methods:

SCIM - If the application supports SCIM provisioning, you can configure Veza to manage application access directly through SCIM. See for more information.
REST - For applications that support REST API calls to manage access, actions can be created in LCM Workflows to manage access.

Updates

To update the data, push a new payload to the original provider ID and data source ID. By default, Veza will overwrite any existing data. The previous state will be available in the graph history, based on Veza's snapshot retention schedule.

Optionally, subsequent changes can be , where the payload only contains entities to modify, add, or remove.

You can use GET to retrieve any existing provider and data source IDs. For more information about managing Providers and Data Sources see .

Using `oaaclient`

The module can be used to instantiate a Veza connection and manage OAA providers:

See for additional documentation.

Alternatively, you can make the required REST API calls using the client of your choice or by invoking oaaclient as a .

Notes

Typically, the provider should represent the provider name (such as "CustomSCM"). Any payload pushes will target the data source ("CustomSCMInstance") under the custom provider. The pushed payload can include many nested resources (such as multiple repositories). The template also supports resources with a variety of different types within a single application.
The data source and provider name are primarily for internal use. The application_type specified in the template is used when viewing and searching the custom app from the Veza UI.

Troubleshooting

Veza enforces strict validation of the json_data field containing the OAA payload. Three checks are performed:

All required fields must be present.
String fields must be valid UTF-8 strings, no larger than 512 characters for names and IDs, and 4,096 for all other string values.
The maximum single payload size is 100MB. If you need to compress the payload, you can enable the option when . You can use multi-part upload for large payloads.

Warnings

A successful response may include warnings for issues that didn't prevent the processing of OAA data but should still be investigated. When mapping identities to an , a warning will be raised if a matching IdP group name or user principal name can't be found.

To validate an AzureAD or other type of user, go to the Access Graph, search for the node of interest, select Show Details, and confirm the principal name is correct.
To validate the identifier for a group, find the node for the group and verify the name is as expected.

Veza will always return the warnings key in the response. If a response is empty, there are no warnings.

Errors

For all Veza APIs, include an error code (in standard gRPC error, such as 3 for Invalid Argument) and a descriptive error message. The error message consists of two parts:

The field in which the error occurs
The detailed reason for the error

Best Practices

Strategies and best practices for OAA connector development

See the included topics for more information about developing an Open Authorization API connector.

Connector Requirements
Using OAA Templates

Using OAA Templates

How to use the Application Template to represent various types of application

The OAA Application template allows for representing the basic elements of an application and is flexible to allow for multiple different patterns.

The custom application template provides a framework for describing:

Who: Users, Groups, and other identities
What: Application, resources, sub-resources
How: Permissions, canonical mappings, roles, authorization

Application

The Application itself is the first entity as part of the Application submission. The application has a name and a type. The name can be specific such as "West Production" and the type is typically the vendor, technology, or product such as "GitLab". Veza will group the rest of the entities by the application type such as "GitLab Users" across all instances of an application type, however, entities will only be directly associated with the application they are submitted with. Applications additionally can have custom properties assigned to further enrich the data. This can be especially useful to distinguish between multiple instances of an application type.

Local Users

The Local User object represents the local user of the application. It can store application-specific information such as the identifier, name, active status, last login time, and custom properties specific to the application. An external Identity can be associated with the user, enabling Veza to connect the source Identity Provider (IdP). This creates a connection in Access Graph between the application user and a source identity such as Okta or Active Directory. Users can be added to groups, or have roles and permissions directly assigned.

Local Groups

Local Groups represent a collection of users. Groups can store additional metadata about the group to support search and filters. Groups can also contain other groups, to model applications that support nested groups. Groups can have role and permission assignments in the application.

Local Roles

Local Roles represent a collection of permissions within an application. When a user or group is assigned a role, that user or group is assigned all the permissions from the role. Like other entities, roles can contain additional properties to enrich the metadata of the role, such as description or application-specific attributes.

Permissions

OAA allows for expressing the permissions of the application in its own terms. In the Application Template, permissions are defined by application-specific terms such as "Close Ticket" or "Approve User". These permissions will also allow for setting corresponding Veza Canonical Permissions such as "Data Read", "Data Write", or "Metadata Read". This enables search and filters across permissions using CRUD-like equivalents.

Available Canonical Permissions: - DataRead - DataWrite - DataCreate - DataDelete - MetadataRead - MetadataWrite - MetadataCreate - MetadataDelete - NonData - Uncategorized

Resources

Resources can be used to model components within applications that users can be assigned roles or permissions on. For example, an OAA resource may be used to model a Project in an application like Jira. Users can have different roles in different projects, by assigning the correct users or groups their respective roles on the resources. Each resource has a Type which Veza uses when displaying and searching the resources for an application. Applications can have multiple types of Resources. Like other entities, resources can have properties containing additional resource metadata.

Examples

Below are some examples of how applications may be modeled in OAA. These examples have all been implemented using the Application template.

PagerDuty

PagerDuty is an example of an application where users can have roles at the application level (global roles) but also within the PageDuty Teams that a user is a member of. Understanding which Users are part of which Teams and what level of access they have in those Teams is important for reviewing access in an application like PagerDuty. The OAA Application template can be used to model this type of application using the following mappings.

PagerDuty Entity

OAA Application

Notes

With this model, Veza can show the levels of access users have within the overall Application and their individual Teams. In this example, we can see the User Gary Ward has the Role "Restricted Access" in the PagerDuty Application, and the "Observer" Role in the "Support" Team Resource.

Python Code for the can be referenced on the Veza GitHub

GitLab

GitLab is a good example of a more complex application that can be modeled using the Veza OAA Application Template. By correctly modeling the applications, Veza can show which users have access to GitLab Groups and Projects to show details beyond just "who has access to GitLab?"

GitLab

OAA Application

Each GitLab User is represented with the Application Local User. GitLab assigns each user a unique ID number to each user, using this as the ID for the Local User makes it easier when associating groups and roles to Projects later. The Local User also allows for setting properties to represent the user's state such as is_active or last_login_at, custom properties to represent GitLab-specific properties can also be utilized like if the user is licensed or not. The identity for the Local User is set to enable OAA connection to source Identity Providers configured in Veza.
A GitLab Group represents both a collection of Users, a collection of Projects, and possibly other sub-groups. This is a good example of where some mapping needs to be done to represent GitLab using the Application Template. Since GitLab Users have a specific role in the

Python Code for the can be referenced on the Veza GitHub

Sourcing and Extracting Metadata

Strategies for extracting authorization, identity, and resource metadata

When planning an OAA connector, consider how you will gather the information you want to import into Veza. Refer to the application’s documentation to confirm you can obtain the required metadata from the host application.

Ideally, you will be able to list and collect metadata for:

User records
Group memberships
User roles and permissions
Resource names and metadata

For example, the Veza-GitHub connector utilizes the following endpoints (in addition to basic authentication and authorization APIs):

Web-based APIs are a common solution for SaaS apps, but not required for an OAA integration. Just because an endpoint exists does not mean that it returns useful information (some APIs are more designed for client automation than audits). Possible choices for sourcing metadata include:

From a database: Is data for a hosted app available in a database your connector can query?
File-based extraction: is the metadata available in source code or a configuration file, or an exportable report (such as CSV)?
Other options: does the provider have an SDK or CLI interface you can use to retrieve data?

If no machine-readable data is readily available, even screen scraping could be a solution. There are many creative options for extracting the information to populate the template, although an API will typically be the most usable option.

Naming and Identifying OAA Entities

Setting unique identifiers and human-readable names using OAA templates

Veza requires each entity to have a unique identifier, used within the template to reference entities (which groups a user is a member of) and for Veza to use to track and display the entity. This is true for both the Application and IdP templates

By default the templates use the name field for this purpose. However, names are not unique within some applications. In this case the templates offer an optional id as a unique identifier, allowing name to function as a non-unique display name.

Custom Application

Local User, Local Group and Local Role have an optional value id that can be provided for each entity that serves as the unique identifier.

To use id all Local Users, Local Groups and Local Roles must be defined with an ID. The name and id can be the same value as long it is unique for the entity type. For example a local role can have admin for both the name and id.

Using ids for mapping, instead of name is recommended in most cases, especially if any of the following are true:

Entity names aren't unique in the application (if two users can have the name "Joe Doe" but each have a unique user id such as email or login or the applications unique id).
The API references users, resources, and other entities by an ID instead of name. Using the same ID for the OAA payload will limit scenarios where you need to maintain a mapping of id to name

For Custom Application to use id for Local Users, Groups and Roles all entities must use the id field. To use the id field for Resources all Resources and Sub-Resources must have an id

Resources

Resources and Sub-resource each can have an optional id value. When provided, the resource name does not need to be unique. To use id, all resources and sub-resources must be defined with a unique ID. The id value will be used to assign resource permissions in identity_to_permissions.

Custom IdP

Custom IdP also supports a optional unique identifier value identity for Users and Groups. If not used, the entity name must be unique and will be the primary identifier.

Custom Properties

Applying additional metadata to OAA entities

In addition to built-in fields such as last_login_at, OAA supports custom-named properties for users, resources, groups, and other entities in a payload. Custom properties are validated against a set of custom property definitions as part of the JSON payload.

To use custom properties:

Include a definition of all properties as part of the payload push. The definition sets the type for the property.

Tagging with OAA

Both custom properties and Veza Tags can be used to add rich metadata and apply labeling strategies across entities in the Veza Access Graph. Both can be viewed by checking an entity's details, and are fully available when searching and filtering results.

Veza tags can be assigned to objects in an OAA payload. One typical use case for tagging within the OAA payload is assigning resource managers with Veza SYSTEM_resource_managers tags.

Tags are applied by providing a key and an optional value for each. A new tag will be created if a matching one doesn't already exist.

Due to superior integration with other Veza functionality and ease of updates, custom properties are recommended as the best approach for adding metadata to OAA entities, unless tagging is required as part of a larger campaign.

Note that while tags can be removed using the , tags applied within the template are persistent: an existing tag won't be deleted when pushing a payload with a new tag or empty tag.

Modifying Tags with Incremental Updates

After the initial metadata push (which must contain the full payload), you can modify, add, or remove the domain, users, and groups without resubmitting other entities. An is enabled by setting "incremental_change": true in the json_data push payload, and specifying the update operation for each entity to change.

The operation field indicates the change to make. Valid operations are:

"add", "modify", "delete" to create, change, or remove an entity.
"add_tag", "delete_tag" to update a tag without altering the entity.

Cross Service IdP Connections

Mapping OAA objects to external and federated identities

In Veza, the Identity Provider (IdP) serves as the representation of the source of an identity (human or otherwise). That identity can have access to many applications, clouds and other data sources. By connecting OAA entities to source IdP identities, Veza can show all the access for that identity. This can also enable powerful correlation queries such as finding deactivated Okta Users with active application accounts.

Veza makes these connections based on the identity information provided in the OAA payload.

Veza Supports Mapping for the following Identity Providers:

Active Directory
Azure AD
Custom IdP
Google Workspace
Okta
OneLogin

For all Identity Providers, the IdP Unique ID and email attributes are used to match the source identity to an OAA principal. Some entity types have additional properties usable for identity mapping:

Active Directory
- Account Name
- Distinguished Name

Application Template

The Application Template's Local User entity represents a user within the application. That Local User can map to an Identity Provider (IdP) by setting the identity value(s) in the Local Users identities array. Veza will use these identities to create an association between the IdP Identity and the Local User.

Setting external IdP Group identities is also supported on Local Groups. This should be used when there are no Local User records in the application that correlate to the external user identities. Veza will create a connection between the IdP Group and the Local Group, indicating that all IdP users from that group will have the access granted to the Local Group.

Unknown identities set on users will result in a warning that the identity can not be found. The OAA Local User will still be successfully created.

Note on Identity Mapping from the IdP: You can confirm these values by finding the corresponding entity in Veza search or the data catalog and checking the identities Idp Unique Id and other fields in the details view. Identities that cannot be resolved are returned as warnings when the application payload is pushed.

Identity Provider (IdP) Template

OAA Identity Provider Users can be connected to other IdPs by using the source_identity property on the IdP users. For details see

Human Resources Information System (HRIS) Template

Veza will automatically correlate HRIS Employee records and IdP identities based on the HRIS employee's email property. The HRIS employee has an optional parameter for identity_id if the required value is different from the user's email.

Incremental Updates

Modifying custom providers using a partial OAA payload

When developing your OAA integration, whether to implement incremental updates depends on your use case. If you don't have a convenient way to track provider-side changes, it is typically easier to do a full extraction and metadata push, to not miss changes within the app or IdP.

After the initial metadata push, you can modify, add, or remove OAA entities, permissions, and properties without needing to submit the full payload each time. A first push can't be an incremental update.

An incremental update is specified by setting "incremental_change": true in the json_data

OAA Entity Owners

Setting Entity Owners in OAA Payloads

Early Access: OAA Entity Owners functionality is currently in Early Access for automatic assignment of entity ownership during OAA payload submission. Please contact our customer success team to enable this feature for your environment.

Overview

OAA Operations

API calls for managing and updating custom data sources

Use these REST API calls to manage and update custom providers and data sources with Open Authorization API.

Create Custom Provider

Creates a custom provider and returns the provider ID.

List Custom Providers

Lists all configured custom providers.

Get Custom Provider by ID

Returns details for an individual custom provider.

Delete Custom Provider

Delete a custom provider by ID.

List Custom Provider Datasources

Return all data sources for a Custom Provider ID.

You can constrain large responses by adding a filter to the request query string. Include the operator (eq), and value, for example:

CURL <VEZA_URL>/api/v1/providers/custom?filter=name eq "GitHub"&order_by=state

Veza expects that spaces in URLS are encoded as "+" (for example?name+eq+"GitHub"&order_by=state). Note that some libraries and clients will encode spaces as "%2B" by default, which will cause errors unless you override this behavior.

Create Custom Provider Datasource

Get Datasource by ID

Returns details for a single datasource.

Delete Custom Provider Datasource

Unbind a datasource from a custom provider, and delete it.

You can also delete OAA datasources from the Veza web interface. On the Integrations page, find the OAA datasource in the list and click the action menu (⋮) to access the Delete option.

Push Custom Provider Datasource

To push authorization metadata for a custom datasource, you can specify the source and provider IDs, and upload a payload with the entities and permissions in JSON format.

A warning is returned for any non-critical errors during payload processing. These can indicate incomplete or inaccurate data in the payload that do not prevent processing, but may warrant attention.

Multipart Push Custom Provider Datasource

For large payloads that exceed 100 MB, use the multipart upload endpoint to upload the payload in chunks. See for details, examples, and Python SDK usage.

Push Custom Provider Datasource CSV

For , this endpoint pushes CSV data to an existing datasource. Typically, you will first create the integration and define column mappings using the "Add Integration" flow in Veza.

CSV data must base64 encoded into the JSON body of the request.

Compression

The populated template can be compressed and encoded, for significantly reduced payload size.

Specify the compression_type. Currently supported: GZIP.
If compression is selected, Veza will expect the payload json_data as a compressed, base64-encoded string.

To compress using shell commands:

Size is typically not an issue when updating custom datasources. However, you may want to compress large payloads. The maximum body size is 100MB (compressed or uncompressed).

Escaping unsafe characters

Veza expects the populated template as a single JSON string, enclosed in the request body json_data field. Any "s and non-ASCII characters must be escaped.

To convert a template to JSON string using Python, the json.dumps() method could be used:

Custom Provider Icons

You can optionally add an icon for your custom provider by uploading a PNG or SVG file (less than 64kb) as a base64-encoded string:

Create Custom Provider Icon

Upload a custom icon to display for an OAA provider.

Get Custom Provider Icon

Return the type and string-encoded icon for a custom provider.

Delete Custom Provider Icon

Delete the icon associated with an OAA provider.

Multipart Upload

Upload large OAA payloads using chunked multipart requests

Overview

For OAA payloads that exceed 100 MB after compression, you can use multipart upload to split the payload into smaller chunks and upload them sequentially. The Veza platform assembles the chunks server-side before processing.

Multipart upload is useful when:

The payload is too large for a single HTTP request
Network reliability is a concern for large transfers
You need to monitor upload progress for very large data sources

The standard :push endpoint supports payloads up to 100 MB (compressed or uncompressed). Use multipart upload when your payload approaches or exceeds this limit, or when you need more reliable transfer for large payloads.

How it works

Start the upload by sending a start request — the server creates an upload session and returns an upload_id.
Upload chunks sequentially, each base64-encoding a raw slice of the payload. Include the upload_id from step 1 and an incrementing sequence_number.

Each chunk must be base64-encoded from raw bytes before sending. The server decodes and reassembles chunks in sequence order when the complete operation is received.

API endpoint

Start request body

Field

Type

Description

The response returns an upload_id (UUID string) to use in all subsequent requests for this upload session.

Chunk request body

Field

Type

Description

Finalization request body

Send a separate POST to the same endpoint after all chunks are uploaded:

Field

Type

Description

Example

Using the Python SDK

The oaaclient Python SDK handles multipart upload automatically when enabled:

When enable_multipart is set to True, the SDK automatically switches to multipart for payloads exceeding 50 MB (uncompressed) and:

Splits the payload into chunks and base64-encodes each one individually
Starts an upload session and tracks the upload_id
Uploads each chunk sequentially with the correct sequence_number

Notes

All chunks for a given upload_id must be uploaded before sending the completion operation.
You can re-upload a chunk with the same sequence_number and upload_id if needed — the last upload for a given sequence number is used. All chunks must be present before the completion operation is sent.

OAA Templates

JSON schemas for describing custom applications, identity providers, principals, and secret stores

OAA utilizes templates (JSON schema) for structuring authorization and identity metadata, combined with a REST API to register, update and manage the data. Once uploaded, Veza processes the template payload and incorporates the entities and permissions into the Authorization Metadata Graph.

Choosing the appropriate template is the first step in creating a new integration with OAA. The template provides a schema for describing the identities, resources, and authorization relationships local to the OAA data source.

Custom Application

OAA .NET SDK

Building blocks for your custom OAA integration

You can download the Veza C# SDK from .

The Veza package provides data models, methods, and helpers for using the . It provides helper methods to populate OAA templates for custom applications, filesystems, HRIS systems, and identity providers, and push the payloads to Veza. The SDK can also be used as a generic Veza API client.

The Veza SDK includes the following core components:

OAA Python SDK

Building blocks for your custom OAA integration

oaaclient can be downloaded from GitHub, or installed with pip3 install oaaclient.

The `oaaclient` package provides data models, methods and a command-line interface for using the Open Authorization API. You can use it to populate OAA templates including as Application, IdP, and HRIS, pushing OAA data to Veza and even as a general Veza API client.

The oaaclient SDK includes the following components:

oaaclient.client: Veza API communication (data provider management, payload push, etc.). Requires an API key for authentication.
oaaclient.templates: Classes for modeling and generating an OAA payload.
oaaclient.utils

For example usage, please see and the directory.

Sample Workflow

Create the Veza API connection and a new custom application:

Once the CustomApplication class is instantiated, you can use the public methods to populate the new app with local users, groups, resources, and permissions metadata:

Once all identities, permissions and resources are added to the CustomApplication object, the client connection handles the final push to Veza:

See the directory for complete examples.

Handling Errors

The OAAClient class handles API connections to Veza. If there are errors connecting or the API returns errors OAAClient will raise an OAAClientError exception. If the payload doesn't conform to the template requirements the OAAClientError.details will contain a list of any issues encountered.

Additional documentation

Since any given source application or service will have different methods for retrieving entities, authorization, and other required metadata, each OAA connector will be slightly different. You should consult the API documentation for your application when considering how you will source the information, and refer to existing Veza-supported OAA connectors for real-world examples.

Connector source code and oaaclient are thoroughly annotated, for reference when building your own integrations.

For additional information about developing a custom OAA integration, please see section of the User Guide.

Example Connectors

Open Authorization API usage examples

The official Veza connectors are useful references for understanding the decisions and strategies that come into play when building a custom Open Authorization API (OAA) integration.

Each connector is similar in basic function, yet adapts to the resource hierarchies and interfaces unique to the technology provider. Each uses the oaaclient Python package to construct a payload, create a custom provider and data source, and publish the extracted metadata.

Veza provides working connectors and source code for:

GitHub
GitLab
Jira
Looker
PagerDuty
Zendesk

See the for setup instructions and the most recent releases. The repository also includes sample applications demonstrating basic oaaclient usage. You can also browse these examples in the .

Custom Identity Provider

Template for pushing IdP domain, user, and group metadata

Use this template to model authorization metadata for custom identity providers using the Open Authorization API.

This document includes an example template and notes for designing and publishing a model of your IdP.

domain
users

A can define additional properties, used to add supplemental metadata to entities in the payload.

Veza will handle federated identities just as those in supported IdPs such as Okta or Entra ID, enabling search and access review for OAA entities alongside the rest of your data catalog.

Sample Template and Features

The metadata payload describes the Identity Provider domain, users, and groups to add to the Veza Access Graph:

Simple Custom Identity Provider

Modeling Assumable Amazon Web Services Roles

For cases where federated IdP entities are granted AWS permissions via IAM roles, the template supports defining assumable roles per-user. Binding a custom IdP user or group to an AWS role or group ARN enables Veza to parse and display the resource-level actions permitted within AWS.

Custom IdP users and groups can be assigned permissions in other OAA applications by setting the principal type to idp in identity_to_permissions in the payload.

Source Identity Assignments

For use cases where a custom IdP is federated with another identity provider user identities can be linked between the two. Authorizations granted to the user will also be granted the source identity. The link is created by providing the unique identity ID and provider type as part of the user entry.

For provider_type the following values are accepted:

Resource Manager Assignments

New in Veza release 2022.2.1

To assign an IdP user or group as the manager of any resource Veza has discovered, list the node type and node id in the entities_owned field, for example:

When parsing the payload, resources in the data catalog will be updated with a SYSTEM_resource_managers tag to enable entitlement reviews. The owner(s) will be suggested as reviewers for Veza Workflows that target an individual named resource with the correct tag.

Manager Assignments

Users and groups can be mapped to the identity of another user they report to. When configured, the manager will be suggested as a review for Workflow certifications where the assigned reporter is the single query target "named entity."

Custom Properties and Tags

are the recommended method for adding additional metadata to custom identities and resources.

The custom_property_definition object supports separate property namespaces for each entity type:

Field

Description

Additionally, can be applied to the IdP domain, users, and groups:

Use incremental updates to remove tags: Resubmitting a payload with different tags will apply any new tags, but not remove existing ones. To remove a tag already applied to an entity, you will need to use the remove_tag operation.

Incremental Updates

`Custom Identity Provider` definition

The identity provider object models one instance of the custom IdP:

Field

Type

Description

`IdP Domain`

One domain is supported for each custom IdP. Users and groups are mapped to the IdP domain, and connected in Veza Search:

Field

Type

Description

`IdP Users`

Each IdP user object contains the display name, login email, and identity, along with other identity-related properties:

Field

Type

Description

`IdP Groups`

Add a group by name in the groups section of the template to enable mapping IdP users to those groups:

Field

Type

Description

IdP entities can be granted permissions on custom applications in the identity_to_permissions section of the .

`IdP Apps`

Use the apps section to define any applications used to manage access within the identity provider. Apps can be associated with users and groups to model application assignments across your organization.

Field

Type

Description

Users and Groups can be assigned to an application by setting the app_assignments in the user or group.

Field

Type

Description

Creating and Updating a Custom Identity Provider

The steps to add a custom IdP are the same as for any other OAA provider: you will need to register the new provider and data source, and then push the domain, user, and group descriptions in a JSON payload.

Register a custom identity provider

To create a new custom provider using the identity_provider template, POST the name and template type to /providers/custom:

The response will return the custom IdP ID, which you will need when pushing the metadata payload:

Push a data source for the custom identity provider

Note that the provider id is required in both the path and body of the request. The response will include the new data source ID.

Push metadata for the data source

The payload file must contain the provider and data source ID, and the authorization metadata as a single string, for example:

`Identity Mapping Configuration`

The identity_mapping_configuration parameter defines rules for connecting users in a custom IdP to users from other data sources in the Veza graph.

This is useful when:

The connected data source does not natively support returning information about external identities
A correlation between IdP identities and local users can be assumed based on values like username, email, or another property value.

The identity_mapping_configuration is a top-level property of the Custom IDP submission, and is optional. The mapping configuration can include multiple mappings to connect IDP users to users from different data source types, each based on its own mappings.

Incremental Identity Mapping Updates

You can update just the identity mappings without resubmitting the entire provider payload by using an incremental update. This is useful when you need to modify only the mapping configuration while leaving other provider data unchanged.

Example: Incremental Identity Mapping Update

Set "incremental_change": true and use "operation": "modify" in the identity_mapping_configuration to update mapping rules without affecting other aspects of the provider.

Example curl command to apply the incremental identity mapping update:

Identity Mapping Configuration

Field

Type

Description

Identity Mapping Submission

Field

Type

Description

Supported transformations:

IGNORE_SPECIAL: Ignore special characters (_, -, .) when matching identities
IGNORE_DOMAIN: Match identities after removing domain portions (e.g., "@example.com")

IdentityMappingPropertyMatchersSubmission

Field

Type

Description

Custom Application

Template for pushing custom data source entities and authorization

Overview

The Custom Application Template can be used to model most applications and services. It can describe many common entity types (such as users, groups, and resources), and should be the starting point for most custom connectors.

The template has three primary elements, covered in detail in this document:

Applications - describes one or more application instances for the custom data source. An application may consist of any of the following entities:
- Local Users - defines the users of the application. The local user entity can be used to store the properties of the user specific to the application (such as last_login_at) and can be linked to a source identity like Okta or AzureAD.
- Local Groups - defines a group of users, permissions to the application or resources can be assigned to a group.
Permissions - define the applications specific permissions and map to Veza canonical permissions.
Identity to Permissions - Assign local and federated users and groups to permissions or roles to the application and resources.
Additionally, a may describe user-configured key:pair values that can be applied to entities in the payload.

To use the generic app template, set the template type to application when creating a new data provider:

Enabling Lifecycle Management with SCIM

If your custom application exposes SCIM 2.0 compliant endpoints, you can enable automated provisioning and deprovisioning through Veza Lifecycle Management and Access Requests by setting the external_lifecycle_management_type parameter to SCIM:

This enables Veza to automate user provisioning, deprovisioning, and group membership management for your custom application. For detailed configuration and supported operations, see .

Sample Payload

Simple Custom Application

This example demonstrates using local users and groups to assign permissions directly to the application and resources.

Sample Application using Roles

Custom Properties and Tags

and can be applied to most objects in the OAA payload: the application and its local_users, local_groups, local_roles and resources/sub_resources.

Define custom properties

Set custom properties

In the rest of the payload, for each object that should have additional properties, add a custom_properties array containing the property keys and values:

Use incremental updates to remove tags: Resubmitting a payload with different tags will apply any new tags, but not remove existing ones. To remove a tag already applied to an entity, you will need to use the remove_tag operation.

Validation and Troubleshooting

The API response will provide information for invalid data submission. You can check Veza events for updates on parsing status. Errors won't typically occur during parsing, as the metadata is validated upon push. To ensure a valid payload, you should:

Confirm all string fields are are valid UTF-8 strings no larger than 256 bytes.
Check that all required fields are present. Tags and properties are optional. You can null empty groups, roles, and other "empty" but required keys.
A 200 OK response may include warnings when matching IDP identities can't be found

Applications

The OAA payload must contain at least one top-level application. To model data systems with multiple components (such as different servers or repositories), applications can have resources and sub-resources.

You can also specify more than one application in the OAA payload, each with its own identities, permissions, roles, and resources.

The application_typeis applied to all application resources and identities, and can be used as a filterable property in Veza search.

Application Properties

Field

Type

Description

Optional fields: some values in the schema are optional. When submitting a payload without a required field, an error message will help identify the issue. The following guidelines apply:

Any type of data in a JSON payload can be null (not set).
Unused optional arrays and objects should be empty {} or [].
Unused optional strings, numbers, and booleans should be null.

OAA apps need to contain at least one identity, which could be a local_group, local_role, or an IdP identity. Role assignments are made in the section.

Resources

Each application can contain one or more resources that users can access. Resources can have additional searchable properties and may contain additional sub-resources.

Sub-resources describe additional layers of the application principals can have authorization to, and support the same properties as resources, including additionally nested sub-resources.

Resource Properties

An application can have any number of nested sub resources.

Field

Type

Description

* A specific resource type must have only resources with an id, or only resources without an id. When used identity_to_permissions assignments are made by the id value and name functions as a display name.

Resource Connections

In the system being modeled, application resources and sub-resources (such as virtual machines or Looker views) have access to other entities in the Veza Access Graph.

If an application resource or sub-resource is able to assume the permissions of a local user, IAM role, or Enterprise application, you can specify the connections to another graph entity node_type and id:

The following node types are currently available:

SnowflakeUser
GoogleCloudServiceAccount
AwsIamRole

Identities

Applications can have local users and groups for identities. For users and groups that correlate to an external Identity Provider (for example accounts automatically provisioned by the IdP), you can map the principal to the IdP entity name or login email in identities.

Local Users

Contains any users whose profiles and authentication are handled and stored by the custom application. Local users include their group assignments and any federated identities that should be mapped to the local user:

Field

Type

Description

local Groups

If the application has any groups, describe each one in the local_groups array.

Group assignments for entities are defined in identity_to_permissions.

Field

Type

Description

*Must match a discovered Okta or Azure entity Name, PrincipalName, or Identity

Local Roles

Local roles define collections of local permissions that can be assigned to multiple resources. In the applications section, roles are named and mapped to permissions. Role assignments are defined in identity_to_permissions.

Field

Type

Description

Local Access Credentials

Access credentials represent API keys, tokens, certificates, or other non-human authentication methods used by applications or services.

Field

Type

Description

permissions

Bind local permissions to the corresponding Veza canonical permission(s). Each native application permission should be included as an object, mapped to the corresponding data/non-data actions it allows.

Canonical permission types are:

DataRead
DataWrite
MetadataRead

Field

Type

Description

To better model systems where roles can contain different permissions to different types of resources, permissions can apply to individual resource_types.

When the payload is parsed, individual permissions are created for each type of resource the permission applies to.
Without resource_types specified, the permission will function normally. When directly connecting principals and resources, resource_type is ignored.

identity_to_permissions

Contains an object for each local and IdP identity, and the individual permissions to applications and resources.

You can bind permissions to federated users and groups by providing the principal’s IDP login email or group name as the identity, and setting the identity_type to idp.
Permissions and role assignments can apply to the entire application or scoped to specific resources.

Field

Type

Description

Each identity can be either a local_user, local_role, local_group, or local_access_creds name, or the identifier of an IdP user, group, or role (email address or group name).
identity_type

application_permissions

Binds the identity (IdP entity, local user, or local group) to local permission, by application and resources.

Field

Type

Description

role_assignments

Local roles are assigned to identities in the role_assignments array. Roles can apply to the entire application or only to specific (sub) resources.

Field

Type

Description

Identities to Permissions mapping

The identity_to_permissions array defines how identities are authorized to applications and resources. Each entry maps an identity to its application permissions and/or role assignments. See the section above for field details.

Templates

Classes for constructing an OAA JSON payload (Custom "Application" or "IdP").

Use of this source code is governed by the MIT license that can be found in the LICENSE file or at https://opensource.org/licenses/MIT.

Global Variables

PROPERTY_NAME_REGEX

`function` `append_helper`

Helper function to simplify appending.

Handles multiple cases:

base is None: starts a list
addition is list: extends base with list
addition is anything else: append element to list

Args:

base (List or None): base list to append to, can be None
addition (*): What to append to the list

Returns:

list: will always return a list

`function` `unique_strs`

Returns a list of unique strings from input list case insensitive

Returns the unique list of strings from input list in a case insensitive manner. For duplicate strings with different cast (e.g. "STRING" and "string") the case of the first occurrence is returned.

Args:

input (list): list of strings

Returns:

list: list of unique strings

`class` `OAATemplateException`

General exception used for violations of the template schema.

`method` `init`

`class` `OAAPermission`

Canonical permissions used by Veza Authorization Framework.

Used to describe the raw data or metadata permissions granted by CustomPermission

`class` `OAAIdentityType`

Types of identities for permission mapping.

`class` `Provider`

Base class for CustomProvider.

`method` `init`

`method` `serialize`

`class` `Application`

Base class for CustomApplication.

`method` `init`

`class` `CustomApplication`

Class for modeling application authorization using the OAA Application template.

CustomApplication class consists of identities, resources and permissions and produces the OAA JSON payload for the custom application template.

Class uses dictionaries to track most entities that can be referenced after creation. Dictionaries keys are case insensitive of the entity identifier (name or id). This applies to local_users, local_groups, local_roles, idp_identities, resources and custom_permissions.

Args:

name (str): Name of custom application
application_type (str): Searchable property, can be unique or shared across multiple applications
description (str, optional): Description for application. Defaults to None.

Attributes:

application_type (str): Searchable application type
custom_permissions (dict[OAAPermission]): Dictionary of class instances
description (str): Description for application

`method` `init`

`method` `add_access`

Legacy method for backwards compatibility.

.. deprecated:

Create an Access Credential

Access creds can be used to represent alternative access methods such as API keys or application integrations.

Access creds can be assigned roles and permissions similar to local users. Access credentials can exist independently for use cases such as administratively created integrations or can be assigned to a local user for use cases like personal access tokens.

Args:

unique_id (str): unique identifier for access cred
name (str): name for access cred

Raises:

OAATemplateException: Access credential with unique ID already exists

Returns:

AccessCred: New access cred

`method` `add_custom_permission`

Create a new custom permission.

Creates a new CustomPermission object for the application that can be used to authorize identities to the application, resources/sub-resource or as part of a role.

Args:

name (str): Name of the permission
permissions (list[OAAPermission]): Canonical permissions the custom permission represents
apply_to_sub_resources

Returns: CustomPermission

`method` `add_idp_identity`

Create an IdP principal identity.

IdP users and groups can be authorized directly to applications and resources by associating custom application permissions and roles with an IdP identity's name or email.

Args:

name (str): IdP unique identifier for user or group.

Returns: IdPIdentity

`method` `add_local_group`

Create a new local group.

Groups can be associated to resources via permissions or roles. All users in the local group are granted the group's authorization.

Local groups will be identified by name by default, if unique_id is provided it will be used as the identifier instead

Local groups can be referenced after creation using .local_groups dictionary attribute. Dictionary is case insensitive keyed by unique_id or name if not using unique_id.

Args:

name (str): Display name for group
identities (list): List of IdP identities to associate group with.
unique_id

Returns: LocalGroup

`method` `add_local_role`

Create a new local role.

A local role represents a collection of permissions.
Identities (local user, group, idp user) can be assigned a role to the application or resource, granting the role's permissions.
Local roles will be identified by name by default, if unique_id

Args:

name (str): Display name for role
permissions (list): List of Custom Permission names to include in role. CustomPermission must be created separately.

Returns: LocalRole

`method` `add_local_user`

Create a new local user for application.

Local users can be assigned to groups and associated with resources via permissions or roles. Groups and identities can be provided at creation or added later. See Identity and LocalUser class for operations.

Local users will be identified by name by default, if unique_id is provided it will be used as the identifier instead.

Local users can be referenced after creation using the .local_users dictionary attribute. Dictionary is case insensitivekeyed by unique_id or name if not using unique_id.

Use unique_id when name is not guaranteed to be unique. All permission, group and role assignments will be referenced by unique_id.

Args:

name (str): Display name for user
identities (list): List of identities as strings (usually email) for local user. Used to map local user to discovered IdP identities.
groups

Returns: LocalUser

`method` `add_resource`

Create a new resource under the application.

Resource type is used to group and filter application resources. It should be consistent for all common resources of an application.

Returns new resource object.

Resource is identified by name by default unless unique_id is provided. name must be unique if not using unique_id.

Resources can be referenced after creation using the .resources dictionary attribute. Dictionary is keyed by unique_id or name if not using unique_id. Use unique_id when name is not guaranteed to be unique.

Args:

name (str): Name of resources
resource_type (str): Type for resource
description

Returns: CustomResource

`method` `add_tag`

Add a tag to the Application

Args:

key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.
value (str, optional): Value for Tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".

`method` `app_dict`

Return the 'applications' section of the payload as serializable dictionary.

`method` `define_custom_permission`

Add a custom permission to the application.

.. deprecated: ``` See CustomApplication.add_custom_permission()

Collect authorizations for all identities into a single list.

`method` `get_payload`

Get the OAA payload.

Returns the complete OAA template payload for application as serializable dictionary

Returns:

dict: OAA payload as dictionary

`method` `permissions_dict`

Return the 'permissions' section of the payload as serializable dictionary.

`method` `set_property`

Set a custom property value for the application.

Property name must be defined for CustomApplication before calling set_property. See example below and ApplicationPropertyDefinitions.define_application_property for more information on defining properties.

Args:

property_name (str): Name of property to set value for, property names must be defined as part of the application property_definitions
property_value (Any): Value for property, type should match OAAPropertyType for property definition
ignore_none

Raises:

OAATemplateException: If property name is not defined

Example: app = CustomApplication("App", application_type="example") >>> app.property_definitions.define_application_property(name="my_property", property_type=OAAPropertyType.STRING) >>> app.set_property("my_property", "property value")

`class` `CustomResource`

Class for resources and sub-resources.

Should be used for representing components of the application to which authorization is granted. Each resource has a name and a type. The type can be used for grouping and filtering.

Arguments:

name (str): display name for resource, must be unique to parent application or resource unless using unique_id
resource_type (str): type for resource
description

Attributes:

name (str): display name for resource, must be unique to parent application or resource
unique_id (str): resource's unique identifier if provided.
resource_type

`method` `init`

`method` `add_access`

No longer supported, access should be added through identity (local_user, local_group, idp)

`method` `add_resource_connection`

Add an external connection to the resource.

Used to add a relationship to another entity discovered by Veza such as a service account or AWS IAM role.

Args:

id (str): Unique identifier for connection entity
node_type (str): Veza type for connecting node

`method` `add_sub_resource`

Create a new sub-resource under current resource

Args:

name (str): display name for resource
resource_type (str): type for resource
description

Returns: CustomResource

`method` `add_tag`

Add a new tag to resource.

Args:

key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.
value (str, optional): Value for Tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".

`method` `set_property`

Set the value for a custom property on a resource or sub-resource.

Property name must be defined for resource type before calling set_property(). See example below and ApplicationPropertyDefinitions.define_resource_property for more information on defining properties.

Args:

property_name (str): Name of property to set value for
property_value (Any): Value for property, type should match OAAPropertyType for property definition
ignore_none

Raises:

OAATemplateException: If property_name is not defined

Example: app = CustomApplication("App", application_type="example") >>> app.property_definitions.define_resource_property(resource_type="cog", name="my_property", property_type=OAAPropertyType.STRING) >>> cog1 = app.add_resource(name="cog1", resource_type="cog") >>> cog1.set_property("my_property", "this value")

`method` `to_dict`

Return the dictionary representation of resource.

`class` `Identity`

Base class for deriving all identity types (should not be used directly).

Args:

name (str): name of identity
identity_type (OAAIdentityType): Veza Identity Type (local_user, local_group, idp)
unique_id (str, optional): ID of entity for reference by ID

Attributes:

name (str): name of identity
identity_type (OAAIdentityType): Veza Identity Type (local_user, local_group, idp)
application_permissions (list[CustomPermission]): List of permissions identity has directly to custom application

`method` `init`

`method` `add_permission`

Add a permission to an identity.

Permission can apply to either the application or application resource/sub-resources

Args:

permissions ([str]): List of strings representing the permission names
resource (CustomResource, optional): Custom resource, if None permission is applied to application. Defaults to None.
apply_to_application

`method` `add_role`

Add a role to an identity.

Role to authorize identity to either the application or application resource/sub-resource based on role's permissions.

Role assignment properties can be set with the assignment_properties dictionary parameter with property names as the keys. Role assignment properties types must be defined on the application prior to setting.

Args:

role (str): Name of role as string
resources (List[CustomResource], optional): Custom resource, if None role is applied to application. Defaults to None.
apply_to_application (bool, optional): Apply permission to application when True, False will replace existing value, None will leave previous setting if any

`method` `add_tag`

Add a new tag to identity.

Args:

key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.
value (str, optional): Value for Tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".

`method` `get_identity_to_permissions`

Get a JSON serializable dictionary of all the identity's permissions and roles.

Formats the identity's permissions and roles for the Custom Application template payload

Returns:

dict: JSON serializable dictionary of all the identity's permissions and roles

`method` `set_property`

Set a custom defined property to a specific value on an identity.

Property name must be defined for identity type before calling set_property(). See example below for LocalUser and ApplicationPropertyDefinitions.define_local_user_property for more information on defining properties. Property must be defined for the correct Identity type (LocalUser or LocalGroup, IdPIdentity does not support custom properties).

Args:

property_name (str): Name of property to set value for
property_value (Any): Value for property, type should match OAAPropertyType for property definition

Raises:

OAATemplateException: If property with property_name is not defined.

Example:

app = CustomApplication("App", application_type="example") >>> app.property_definitions.define_local_user_property(name="my_property", property_type=OAAPropertyType.STRING) >>> user1 = app.add_local_user(name="user1") >>> user1.set_property("my_property", "value for user1")

`class` `LocalUserType`

Enum for

`class` `LocalUser`

LocalUser identity, derived from Identity base class.

Used to model an application user. Can be associated with an external IdP user, or represent a local account.

Args:

name (str): name of identity
identities (list): list of strings for IdP identity association
groups

Attributes:

name (str): name of identity
id (str): ID of entity for ID based reference
email

`method` `init`

`method` `add_access_cred`

Add access cred to user (access cred must be created separately)

Args:

access_cred (str): unique identifier of access cred

`method` `add_group`

Add user to local group (group must be created separately).

Args:

group (str): identifier of local group

`method` `add_identities`

Add multiple identities to a local user from a list.

Args:

identities (list[str]): list of identities to add to user

`method` `add_identity`

Add an identity to user.

Identity should match the email address or another principal identifier for an IdP user (Okta, Azure, ect). Veza will create a connection from the application local user to IdP identity.

Args:

identity (str): email or identifier for IdP user

`method` `add_permission`

Add a permission to an identity.

Permission can apply to either the application or application resource/sub-resources

Args:

permissions ([str]): List of strings representing the permission names
resource (CustomResource, optional): Custom resource, if None permission is applied to application. Defaults to None.
apply_to_application

`method` `add_role`

Add a role to an identity.

Role to authorize identity to either the application or application resource/sub-resource based on role's permissions.

Args:

role (str): Name of role as string
resources (List[CustomResource], optional): Custom resource, if None role is applied to application. Defaults to None.
apply_to_application

`method` `add_tag`

Add a new tag to identity.

Args:

key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.
value (str, optional): Value for Tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".

`method` `get_identity_to_permissions`

Get a JSON serializable dictionary of all the identity's permissions and roles.

Formats the identity's permissions and roles for the Custom Application template payload

Returns:

dict: JSON serializable dictionary of all the identity's permissions and roles

`method` `set_property`

Set a custom defined property to a specific value on an identity.

Args:

property_name (str): Name of property to set value for
property_value (Any): Value for property, type should match OAAPropertyType for property definition

Raises:

OAATemplateException: If property with property_name is not defined.

Example:

`method` `to_dict`

Output user to dictionary for payload.

`class` `LocalGroup`

LocalGroup identity.

Derived from Identity base class. Used to represent groups of local users for application.

Args:

name (str): name of group
identities (list): list of strings for IdP identity association
unique_id

Attributes:

name (str): name of identity
identities (list): list of strings for IdP identity association
groups

`method` `init`

`method` `add_group`

Add a nested group to local group (group must be created separately).

Args:

group (str): identifier of local group

`method` `add_identity`

Add an identity to group.

The email address or another valid identifier should match that of an IdP principal (Okta, Azure, ect). Veza will create a connection from the application local group to IdP identity.

Args:

identity (str): primary IdP identifier for group to associate

`method` `add_permission`

Add a permission to an identity.

Permission can apply to either the application or application resource/sub-resources

Args:

permissions ([str]): List of strings representing the permission names
resource (CustomResource, optional): Custom resource, if None permission is applied to application. Defaults to None.
apply_to_application

`method` `add_role`

Add a role to an identity.

Role to authorize identity to either the application or application resource/sub-resource based on role's permissions.

Args:

role (str): Name of role as string
resources (List[CustomResource], optional): Custom resource, if None role is applied to application. Defaults to None.
apply_to_application (bool, optional): Apply permission to application when True, False will replace existing value, None will leave previous setting if any

`method` `add_tag`

Add a new tag to identity.

Args:

key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.
value (str, optional): Value for Tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".

`method` `get_identity_to_permissions`

Get a JSON serializable dictionary of all the identity's permissions and roles.

Formats the identity's permissions and roles for the Custom Application template payload

Returns:

dict: JSON serializable dictionary of all the identity's permissions and roles

`method` `set_property`

Set a custom defined property to a specific value on an identity.

Args:

property_name (str): Name of property to set value for
property_value (Any): Value for property, type should match OAAPropertyType for property definition

Raises:

OAATemplateException: If property with property_name is not defined.

Example:

`method` `to_dict`

Output group to dictionary for payload.

`class` `IdPIdentity`

IdP identity derived from Identity base class.

Used to associate IdP identities (users or groups) directly to resource where concept of local users/groups doesn't apply to application.

Args:

name (str): Primary IdP identifier for identity (email, group name, etc)

Attributes:

name (str): name of identity
identity_type (OAAIdentityType): Veza Identity Type, (idp)
application_permissions (list[CustomPermission]): permissions identity has directly to custom application

`method` `init`

`method` `add_permission`

Add a permission to an identity.

Permission can apply to either the application or application resource/sub-resources

Args:

permissions ([str]): List of strings representing the permission names
resource (CustomResource, optional): Custom resource, if None permission is applied to application. Defaults to None.
apply_to_application

`method` `add_role`

Add a role to an identity.

Role to authorize identity to either the application or application resource/sub-resource based on role's permissions.

Args:

role (str): Name of role as string
resources (List[CustomResource], optional): Custom resource, if None role is applied to application. Defaults to None.
apply_to_application (bool, optional): Apply permission to application when True, False will replace existing value, None will leave previous setting if any

`method` `add_tag`

Add a new tag to identity.

Args:

key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.
value (str, optional): Value for Tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".

`method` `get_identity_to_permissions`

Get a JSON serializable dictionary of all the identity's permissions and roles.

Formats the identity's permissions and roles for the Custom Application template payload

Returns:

dict: JSON serializable dictionary of all the identity's permissions and roles

`method` `set_property`

Set custom IdP property (no functionality).

IdP identities do not support custom properties since the identity is discovered through the provider (Okta, Azure, etc)

`class` `AccessCred`

Access Credential derived from Identity base class.

Access Creds can be used to represent non-user based methods that grant access such as API keys or integrations.

AccessCreds can be assigned roles or permissions to an application or resource. An AccessCred can stand-alone or be associated to a local user.

Args:

unique_id (str): Unique identifier for access cred
name (str): Name for access cred, does not need to be unique

Attributes:

unique_id (str): Unique identifier for access cred
name (str): Name for access cred, does not need to be unique
is_active (bool): Indicate if credential is active, defaults to True

`method` `init`

`method` `add_permission`

Add a permission to an identity.

Permission can apply to either the application or application resource/sub-resources

Args:

permissions ([str]): List of strings representing the permission names
resource (CustomResource, optional): Custom resource, if None permission is applied to application. Defaults to None.
apply_to_application

`method` `add_role`

Add a role to an identity.

Role to authorize identity to either the application or application resource/sub-resource based on role's permissions.

Args:

role (str): Name of role as string
resources (List[CustomResource], optional): Custom resource, if None role is applied to application. Defaults to None.
apply_to_application (bool, optional): Apply permission to application when True, False will replace existing value, None will leave previous setting if any

`method` `add_tag`

Add a new tag to identity.

Args:

key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.
value (str, optional): Value for Tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".

`method` `get_identity_to_permissions`

Get a JSON serializable dictionary of all the identity's permissions and roles.

Formats the identity's permissions and roles for the Custom Application template payload

Returns:

dict: JSON serializable dictionary of all the identity's permissions and roles

`method` `set_property`

Set a custom defined property to a specific value on an access credential.

Property name must be defined for access credentials before calling set_property(). See example below and ApplicationPropertyDefinitions.define_access_cred_property for more information on defining properties.

Args:

property_name (str): Name of property to set value for
property_value (Any): Value for property, type should match OAAPropertyType for property definition

Raises:

OAATemplateException: If property with property_name is not defined.

Example:

app = CustomApplication("App", application_type="example") >>> app.property_definitions.define_access_cred_property(name="my_property", property_type=OAAPropertyType.STRING) >>> cred1 = app.add_access_cred(unique_id="cred001", name="Cred 001") >>> cred1.set_property("my_property", "value for cred001")

`method` `to_dict`

Output Access credential dictionary for payload

`class` `LocalRole`

Represent a Custom Application Local Role.

Local Roles are a collection of permissions (as CustomPermission). Roles can be used to associate a local user, group or IdP identity to an application, resource or sub-resource.

Permissions can either be assigned at creation and/or added later.

If the CustomPermission definition includes resource types in the resource_types list, the permission will only be assigned to resources/sub-resources that match that type as part of an assignment.

Args:

name (str): name of local role
permissions (list[CustomPermission], optional): List of custom permission names (strings) to associate with the role. Defaults to empty list.
unique_id (string, optional): Unique identifier for role for identification by ID

Attributes:

name (str): name of local role
unique_id (str): Unique identifier for role for identification by ID
permissions (list[CustomPermission]): list of custom permission names (strings) to associate with the role

`method` `init`

`method` `add_permissions`

Add a permission to the role.

Args:

permissions (list): List of permission names (strings) to add to role

`method` `add_role`

Add a nested sub-role to the role (nested role must be created separately)

Args:

role (str): identifier of the local role to nest inside this role

`method` `add_tag`

Add a new tag to role.

Args:

key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.
value (str, optional): Value for Tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".

`method` `set_property`

Set the value for custom property on a local role.

Property name must be defined for local roles before calling set_property(). See example below and ApplicationPropertyDefinitions.define_local_role_property for more information on defining properties.

Args:

property_name (str): Name of property to set value for
property_value (Any): Value for property, type should match OAAPropertyType for property definition
ignore_none

Raises:

OAATemplateException: If property name is not defined.

Example: app = CustomApplication("App", application_type="example") >>> app.property_definitions.define_local_role_property(name="my_property", property_type=OAAPropertyType.STRING) >>> role1 = app.add_local_role(name="role1") >>> role1.set_property(property_name="my_property", property_value="role1s value")

`method` `to_dict`

Convert role to dictionary for inclusion in JSON payload.

Returns:

dict: serializable dictionary of role

`class` `CustomPermission`

CustomPermission class for defining CustomApplication permissions.

Custom permissions represent the named permissions for the application in its terms (e.g. "Admin" or "PUSH") and define the Veza canonical mapping (e.g. DataRead, MetadataRead, DataWrite).
A permission can either be applied directly to an application or resource or assigned as part of a role.
Optionally, when permissions are used as part of a role, if the resource_types list is populated the permission will only be applied to resources who's type is in the resource_types

Args:

name (str): Display name for permission
permissions (list): List of OAAPermission enums that represent the canonical permissions
apply_to_sub_resources (bool, optional): If true, when permission is applied to the application or resource, identity also has permission to all children of application/resource. Defaults to

Attributes:

name (str): Display name for permission
permissions (list[OAAPermission]): List of OAAPermission enums that represent the canonical permissions
apply_to_sub_resources (bool): If true, when permission is applied to the application or resource, identity also has permission to all children of application/resource.

`method` `init`

`method` `add_resource_type`

Add a resource type to the resource_types list.

Extends the list of resource types permission applies to when used in role assignment.

Args:

resource_type (str): The resource type string value

`method` `to_dict`

Returns dictionary representation for payload.

`class` `OAAPropertyType`

Supported types for custom properties on OAA entities such as application, resource, and identity.

`class` `ApplicationPropertyDefinitions`

Model for defining custom properties for application and its entities (users, groups, roles, resources).

Property definitions define the names for additional entity properties and the expected type.

Args:

application_type (str): type of custom application property definitions apply to

Attributes:

application_properties (dict): property definitions for application
local_user_properties (dict): property definitions for local users
local_group_properties (dict): property definitions for local groups

`method` `init`

`method` `define_access_cred_property`

Define an access cred property.

Args:

name (str): name for property
property_type (OAAPropertyType): type for property

`method` `define_application_property`

Define an application property.

Args:

name (str): name for property
property_type (OAAPropertyType): type for property

`method` `define_local_group_property`

Define a local group property.

Args:

name (str): name for property
property_type (OAAPropertyType): type for property

`method` `define_local_role_property`

Define a local role property.

Args:

name (str): name for property
property_type (OAAPropertyType): type for property

`method` `define_local_user_property`

Define a local user property.

Args:

name (str): name for property
property_type (OAAPropertyType): type for property

`method` `define_resource_property`

Define a property for a resource by type of resource.

Args:

resource_type (str): type of resource property definition is for
name (str): property name
property_type (OAAPropertyType): type for property

`method` `define_role_assignment_property`

`method` `to_dict`

Return property definitions as dictionary ready for OAA payload

`method` `validate_name`

Check property name for valid characters

Raises an exception if the name string does not match required pattern. Name must start with a character and can only contain letters and _ character.

Args:

name (str): name of property to validate

Raises:

OAATemplateException: Name is not a string
OAATemplateException: Name contains invalid characters or does not start with a letter

`method` `validate_property_name`

Validate that a property name has been defined for given resource type.

Args:

property_name (str): name of property to validate
entity_type (str): type of entity custom property is for (application, local_user, local_group, local_role, resource)
resource_type

Raises:

OAATemplateException: If property name has not been previously defined for entity

`class` `IdPEntityType`

IdP entity types.

`class` `IdPProviderType`

Veza supported IdP provider types.

`class` `CustomIdPProvider`

CustomIdPProvider class for modeling Identity Providers (IdP) using OAA Custom Identity Provider Template.

CustomIdPProvider class consists of IdP domain information, user, group and external associations for identities like AWS Roles.

Classes uses dictionaries to track most components, dictionaries are all keyed by string of the entity name

Args:

name (str): Name of IdP
idp_type (str): Type descriptor for IdP, can be unique or share across multiple IdP e.g. ldap, IPA
domain (str): IdP domain name

Attributes:

name (str): Name of custom IdP
idp_type (str): Type for IdP
description (str): Description for IdP

`method` `init`

`method` `add_app`

summary

Args:

id (str): description
name (str): description

Raises:

Returns:

CustomIdPApp: description

`method` `add_group`

Add group to IdP.

Arguments:

name (str): primary ID for group
full_name (str): optional display name for group
identity (str): optional unique identifier for group, if None name is used as identity

`method` `add_user`

Add user to IdP

if no identity is set name will be used as identity

Arguments:

name (str): primary ID for user
full_name (str): optional full name for display
email (str): optional email for user

Returns: CustomIdPUser

`method` `get_payload`

Return formatted payload as dictionary for JSON conversion and upload

`class` `CustomIdPDomain`

Domain model for Custom IdP provider.

Args:

name (str): domain name

Attributes:

name (str): domain name

`method` `init`

`method` `add_tag`

Add a new tag to IdP Domain.

Args:

key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.
value (str, optional): Value for Tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".

`method` `set_property`

Set custom property value for domain.

Property name must be defined for domain before calling set_property(). See example below and IdPPropertyDefinitions.define_domain_property for more information.

Args:

property_name (str): Name of property
property_value (Any): Value for property, type should match OAAPropertyType for property definition
ignore_none (bool, optional): Do not set property if value is None. Defaults to False.

Raises:

OAATemplateException: If property with property_name is not defined.

Example: idp = CustomIdPProvider(name="Example IdP", idp_type="example", domain="example.com") >>> idp.property_definitions.define_domain_property(name="my_property", property_type=OAAPropertyType.STRING) >>> idp.domain.set_property(property_name="my_property", property_value="domain property value")

`method` `to_dict`

Output function for payload.

`class` `CustomIdPUser`

User model for CustomIdPProvider.

Args:

name (str): username for identity
email (str): primary email for user
full_name (str): Display name for user

Attributes:

name (str): username for identity
email (str): primary email for user
full_name (str): display name for user

`method` `init`

`method` `add_app_assignment`

Create App assignment for user

Args:

id (str): ID of App assignment, must be unique for user
name (str): Name of assignment
app_id (str): App ID, must exist in list of Apps for IDP

Raises:

OAATemplateException: Duplicate assignment ID
OAATemplateException: Unknown assignment property name

`method` `add_assumed_role_arns`

Add AWS Roles to list of roles user can assume by ARN.

Args:

arns (list): list of role ARNs as strings that the user is allowed to assume

`method` `add_groups`

Add user to group(s) by group name

Args:

group_identities (list): list of strings for group identities to add user to

`method` `add_tag`

Add a new tag to IdP User.

Args:

key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.
value (str, optional): Value for Tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".

`method` `set_property`

Set custom property value for user.

Property name must be defined for users before calling set_property(). See example below and IdPPropertyDefinitions.define_user_property for more information.

Args:

property_name (str): Name of property
property_value (Any): Value for property, type should match OAAPropertyType for property definition
ignore_none (bool, optional): Do not set property if value is None. Defaults to False.

Raises:

OAATemplateException: If property with property_name is not defined.

Example: idp = CustomIdPProvider(name="Example IdP", idp_type="example", domain="example.com") >>> idp.property_definitions.define_user_property(name="my_property", property_type=OAAPropertyType.STRING) >>> user1 = idp.add_user(name="User 1") >>> user1.set_property("my_property", "user1 value")

`method` `set_source_identity`

Set an source external identity for user.

source_identity will connect CustomIdP user to a Veza graph IdP user.
provider_type limits scope for finding matching IdP identities
search all providers with IdPProviderType.ANY

Args:

identity (str): Unique Identity of the source identity
provider_type (IdPProviderType): Type for provider to match source identity from

`method` `to_dict`

Function to prepare user entity for payload

`class` `CustomIdPGroup`

Group model for CustomIdPProvider.

Args:

name (str): name of group
full_name (str): optional full name for group
identity (str): optional identifier for group if name is not reference identifier

Parameters:

name (str): name of group
full_name (str): optional full name for group
identity (str): optional identifier for group, if None name is used as identity

`method` `init`

`method` `add_app_assignment`

Create App assignment for group

Args:

id (str): ID of App assignment, must be unique for group
name (str): Name of assignment
app_id (str): App ID, must exist in list of Apps for IDP

Raises:

OAATemplateException: Duplicate assignment ID
OAATemplateException: Unknown assignment property name

`method` `add_assumed_role_arns`

Add AWS Roles to list of roles group members can assume by ARN.

Args:

arns (list): list of role ARNs as strings that the group members are allowed to assume

`method` `add_groups`

Add group to group(s) by group name

Adds current group to another parent group by the group identifier

Args:

group_identities (list): list of strings for group identities to add group to

`method` `add_tag`

Add a new tag to IdP Group.

Args:

key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.
value (str, optional): Value for Tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".

`method` `set_property`

Set custom property value for group.

Property name must be defined for groups before calling set_property(). See example below and IdPPropertyDefinitions.define_group_property for more information.

Args:

property_name (str): Name of property
property_value (Any): Value for property, type should match OAAPropertyType for property definition
ignore_none (bool, optional): Do not set property if value is None. Defaults to False.

Raises:

OAATemplateException: If property with property_name is not defined.

Example: idp = CustomIdPProvider(name="Example IdP", idp_type="example", domain="example.com") >>> idp.property_definitions.define_group_property(name="my_property", property_type=OAAPropertyType.STRING) >>> group1 = idp.add_group(name="Group 1") >>> group1.set_property("my_property", "group1 value")

`method` `to_dict`

Function to prepare user entity for payload.

`class` `CustomIdPApp`

App model for CustomIdPProvider

Args:

id (str): ID for App, must be unique
name (str): Name for App
property_definitions (IdPPropertyDefinitions, optional): Custom property definitions, required to set custom properties. Defaults to None.

Attributes:

id (str): ID for App, must be unique
name (str): Name for App
description (str): Description property for App

`method` `init`

`method` `add_assumed_role_arns`

Add AWS Roles to list of roles App can assume by ARN. Any Users or Groups assigned to the App are represented as being able to assume the roles.

Args:

arns (list): list of role ARNs as strings that the user is allowed to assume

`method` `add_tag`

Add a new tag to IdP User.

Args:

key (str): Key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.
value (str, optional): Value for Tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only. Defaults to "".

`method` `set_property`

Set custom property value for app.

Property name must be defined for app before calling set_property(). See example below and IdPPropertyDefinitions.define_app_property for more information.

Args:

property_name (str): Name of property
property_value (Any): Value for property, type should match OAAPropertyType for property definition
ignore_none (bool, optional): Do not set property if value is None. Defaults to False.

Raises:

OAATemplateException: If property with property_name is not defined.

Example: idp = CustomIdPProvider(name="Example IdP", idp_type="example", domain="example.com") >>> idp.property_definitions.define_app_property(name="my_property", property_type=OAAPropertyType.STRING) >>> app1 = idp.add_app(id="app1", ="App 1") >>> app1.set_property("my_property", "app1 value")

`method` `to_dict`

`class` `IdPPropertyDefinitions`

Model for defining custom properties for CustomIdPProvider and its entities (users, groups, domain).

Property definitions define the names for additional entity properties and the expected type.

Attributes:

domain_properties (dict): property definitions for IdP Domain
user_properties (dict): property definitions for IdP users
group_properties (dict): property definitions for IdP groups

`method` `init`

`method` `define_app_assignment_property`

Define an app assignment custom property

Args:

name (str): name of property
property_type (OAAPropertyType): type for property

`method` `define_app_property`

Define an app custom property

Args:

name (str): name of property
property_type (OAAPropertyType): type for property

`method` `define_domain_property`

Define a domain custom property.

Args:

name (str): name of property
property_type (OAAPropertyType): type for property

`method` `define_group_property`

Define a group custom property.

Args:

name (str): name of property
property_type (OAAPropertyType): type for property

`method` `define_user_property`

Define a user custom property.

Args:

name (str): name of property
property_type (OAAPropertyType): type for property

`method` `to_dict`

Returns custom IdP property definitions.

`method` `validate_property_name`

Validate that a property name has been defined for a given IdP entity.

Raises exception if property name has not been previously defined for entity

Args:

property_name (str): name of property to validate
entity_type (str): type of entity custom property is for (domain, users, groups)

Raises:

OAATemplateException: If property name is not defined

`class` `Tag`

Veza Tag data model.

Args:

key (str): key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.
value (str, optional): Value for tag, will appear in Veza as key:value. Must be letters, numbers, whitespace and the special characters @,._- only.

Attributes:

key (str): key for tag, aka name. Must be present and must be letters, numbers or _ (underscore) only.
value (str): Value for tag, will appear in Veza as key:value. Must be letters, numbers and the special characters @,._ only.

`method` `init`

`class` `HRISProvider`

Class for modeling Human Resource Information Systems (HRIS) Template

HRIS template consists of base information about the HRIS instance, Employees and Groups.

Employees and Groups are tracked in case insensitive dictionaries that can be used to reference entities after creation.

Args:

name (str): Name for HRIS Instance
hris_type (str): Type for HRIS. Typically the vendor or product name.
url (str): Instance URL for HRIS.

Attributes:

employees (dict[string]): Dictionary of HRISEmployee instances keyed by Employee ID
groups (dict[string]): Dictionary of HRISGroup instances keyed by Group ID

`method` `init`

`method` `add_employee`

Add a new Employee

Function creates a new HRISEmployee instance and adds it to the HRISProvider.employees keyed by the unique_id

Args:

unique_id (str): Unique Identifier for Employee
name (str): Display name for employee
employee_number (str): The employee's number that appears in the third-party integration.

Raises:

OAATemplateException: Employee with ID already exists

Returns:

HRISEmployee: Entity for new employee

`method` `add_group`

Add a new Group

Used to represent any subset of employees, such as PayGroup or Team. Employees can be in multiple Groups. Groups can also be members of other groups to create hierarchy.

Some properties of HRISEmployee such as department must reference an existing HRISGroup by its ID.

Args:

unique_id (str): Unique ID for group
name (str): Display name
group_type (str): Type for group such as "Team", "Department", "Cost Center"

Returns:

HRISGroup: Entity for new group

`method` `get_payload`

Get the OAA payload.

Returns the complete OAA template payload for HRIS as serializable dictionary

Returns:

dict: OAA payload as dictionary

`class` `HRISSystem`

HRISSystem information

Representation for HRISSystem information. The system information is used to represent additional details for the HRIS Instance.

Args:

name (str): Name for system Instance
url (str, optional): URL for instance . Defaults to "". TODO: Is this right?

`method` `init`

`method` `add_idp_type`

Link HRIS to External IdP of given type

Sets the IdP types (Okta, AzureAD, ect) for Veza to link employee identities too.

Args:

provider_type (IdPProviderType): Type of IdP for source identities

Raises:

ValueError: provider_type must be IdPProviderType enum

Returns:

list[IdPProviderType]: List of configured IdP types

`method` `to_dict`

`class` `HRISEmployee`

HRIS Employee Entity

Represents an employee record in the HRIS system. Each employee must have a unique ID to identify it in the payload. This ID is also used to reference one employee to the other for manager hierarchy.

Init variables are all required and must not be empty such as ""

Args:

unique_id (str): Unique Identifier for Employee
name (str): Name for employee record.
employee_number (str): The employee's number that appears in the third-party integration.

Parameters:

company (str): The company (or subsidiary) the employee works for.
preferred_name (str): The employee's preferred first name.
display_full_name (str): The employee's full name, to use for display purposes.

Raises:

ValueError: Any of the required arguments are empty.

`method` `init`

`method` `add_group`

Add employee to group

Adds employee to a group by the group ID. Group must also be defined for HRISInstance with HRISProvider.add_group()

Args:

group_id (str): Unique ID of HRISGroup to add employee too

`method` `add_manager`

Add manager to Employee

Adds a manager to the employee by the manager's HRISEmployee instance unique ID. Manger employee record must also exist.

Args:

manager_id (str): Unique ID for manager HRISEmployee instance

`method` `set_property`

Set Employee custom property value

Property name must be defined for employee before calling set_property

Args:

property_name (str): Name of property
property_value (any): Value for property, type should match OAAPropertyType for property definition
ignore_none (bool, optional): Do not set property if value is None. Defaults to False.. Defaults to False.

Raises:

OAATemplateException: If property with property_name is not defined.

`method` `to_dict`

Output employee to dictionary for payload.

`class` `HRISGroup`

HRIS Group

Represents any group of employees in the HRIS system. HRISGroups can be used to represent teams, departments, cost centers or any organizational unit. Each group has a type to make searching and grouping easier.

Group's Unique ID must be unique across all group types.

Args:

unique_id (str): Unique ID for group
name (str): Display name
group_type (str): Type for group such as "Team", "Department", "Cost Center"

`method` `init`

`method` `set_property`

Set HRIS Group custom property value

Property name must be defined for group before calling set_property

Args:

property_name (str): Name of property
property_value (any): Value for property, type should match OAAPropertyType for property definition
ignore_none (bool, optional): Do not set property if value is None. Defaults to False.. Defaults to False.

Raises:

OAATemplateException: If property with property_name is not defined.

`method` `to_dict`

Dictionary output for inclusion in payload

`class` `HRISPropertyDefinitions`

`method` `init`

`method` `define_employee_property`

`method` `define_group_property`

`method` `define_system_property`

`method` `to_dict`

`method` `validate_name`

Check property name for valid characters

Raises an exception if the name string does not match required pattern. Name must start with a character and can only contain letters and _ character.

Args:

name (str): name of property to validate

Raises:

OAATemplateException: Name is not a string
OAATemplateException: Name contains invalid characters or does not start with a letter

Responses

200

application/json

Paginated list of custom (OAA) providers.

next_page_tokenstringOptional

Token to retrieve the next page of results. Empty when no more pages exist.

has_morebooleanOptional

If true, additional pages of results are available.

default

Default error response

valuesobject[]Optional

The pagination token to retrieve the next page of results.

If true, more results are available.

Open Authorization API

hashtagUse Cases

hashtagFirst Steps

Getting Started

hashtag1. Extracting metadata from the source application

hashtag2. Generating a sample payload

hashtagCustom Properties

hashtag3. Creating and Updating Custom Providers and Data Sources

hashtagEnabling for Life Cycle Management (optional)

hashtagIdentity Providers and HR Information Systems

hashtagApplications

hashtagUpdates

hashtagUsing oaaclient

hashtagNotes

hashtagTroubleshooting

hashtagWarnings

hashtagErrors

Best Practices

Using OAA Templates

hashtagExamples

hashtagPagerDuty

hashtagGitLab

Sourcing and Extracting Metadata

Naming and Identifying OAA Entities

hashtagCustom Application

hashtagResources

hashtagCustom IdP

Custom Properties

Tagging with OAA

hashtagModifying Tags with Incremental Updates

Cross Service IdP Connections

hashtagApplication Template

hashtagIdentity Provider (IdP) Template

hashtagHuman Resources Information System (HRIS) Template

Incremental Updates

OAA Entity Owners

hashtagOverview

OAA Operations

hashtagCreate Custom Provider

hashtagList Custom Providers

hashtagGet Custom Provider by ID

hashtagDelete Custom Provider

hashtagList Custom Provider Datasources

hashtagCreate Custom Provider Datasource

hashtagGet Datasource by ID

hashtagDelete Custom Provider Datasource

hashtagPush Custom Provider Datasource

hashtagMultipart Push Custom Provider Datasource

hashtagPush Custom Provider Datasource CSV

hashtagCompression

hashtagEscaping unsafe characters

hashtagCustom Provider Icons

hashtagCreate Custom Provider Icon

hashtagGet Custom Provider Icon

hashtagDelete Custom Provider Icon

Multipart Upload

hashtagOverview

hashtagHow it works

hashtagAPI endpoint

hashtagStart request body

hashtagChunk request body

hashtagFinalization request body

hashtagExample

hashtagUsing the Python SDK

hashtagNotes

OAA Templates

hashtagCustom Application

OAA .NET SDK

OAA Python SDK

hashtagHandling Errors

hashtagAdditional documentation

Example Connectors

Open Authorization API

hashtagUse Cases

hashtagFirst Steps

Getting Started

hashtag1. Extracting metadata from the source application

hashtag2. Generating a sample payload

hashtagCustom Properties

hashtag3. Creating and Updating Custom Providers and Data Sources

Use Cases

First Steps

1. Extracting metadata from the source application

2. Generating a sample payload

Custom Properties

3. Creating and Updating Custom Providers and Data Sources

Enabling for Life Cycle Management (optional)

Identity Providers and HR Information Systems

Applications

Updates

Using `oaaclient`

Notes

Troubleshooting

Warnings

Errors

Examples

PagerDuty

GitLab

Custom Application

Resources

Custom IdP

Modifying Tags with Incremental Updates

Application Template

Identity Provider (IdP) Template

Human Resources Information System (HRIS) Template

Overview

Create Custom Provider

List Custom Providers

Get Custom Provider by ID

Delete Custom Provider

List Custom Provider Datasources

Create Custom Provider Datasource

Get Datasource by ID

Delete Custom Provider Datasource

Push Custom Provider Datasource

Multipart Push Custom Provider Datasource

Push Custom Provider Datasource CSV

Compression

Escaping unsafe characters

Custom Provider Icons

Create Custom Provider Icon

Get Custom Provider Icon

Delete Custom Provider Icon

Overview

How it works

API endpoint

Start request body

Chunk request body

Finalization request body

Example

Using the Python SDK

Notes

Custom Application

Handling Errors

Additional documentation

Use Cases

First Steps

1. Extracting metadata from the source application

2. Generating a sample payload

Custom Properties

3. Creating and Updating Custom Providers and Data Sources

Enabling for Life Cycle Management (optional)

Identity Providers and HR Information Systems

Applications

Updates

Using `oaaclient`

Notes

Troubleshooting

Warnings

Errors

Modifying Tags with Incremental Updates

Application Template

Identity Provider (IdP) Template

Human Resources Information System (HRIS) Template

Custom Application

Resources

Custom IdP

Examples

PagerDuty

GitLab