
OAA Templates

JSON schemas for describing custom applications, identity providers, principals, and secret stores

OAA utilizes templates (JSON schema) for structuring authorization and identity metadata, combined with a REST API to register, update and manage the data. Once uploaded, Veza processes the template payload and incorporates the entities and permissions into the Authorization Metadata Graph.

Choosing the appropriate template is the first step in creating a new integration with OAA. The template provides a schema for describing the identities, resources, and authorization relationships local to the OAA data source.

Custom Application

For most applications, SaaS apps, and systems, the Custom Application template provides a generic and flexible model to capture authorization data for users and groups to the system and its resources.

A custom application is structured with the following main entities:

  • Application

    • Resource

      • Sub-resource

        • Additional sub-resources

  • Local Users

  • Local Groups

  • Local Roles

  • Local Permissions

  • Identity-to-permissions binding

Custom Identity Provider

Intended for modeling sources of users, groups, and federated identity metadata, the Custom Identity Provider template can be used to enumerate users and groups that access other external applications and resources, similar to the built-in connectors for Okta and Azure AD. These users and groups typically represent the top-level corporate identities within an organization.

A Custom Identity Provider can have the following entities:

  • Domains

  • Users

  • Groups

The Custom IdP template also includes the option to define AWS Roles that are assumable by users and groups and can work with Access Review Workflows to auto-assign resource managers.

Custom Principal

For modeling sources of identities (users, groups, and tenants) that connect to other OAA data sources on the same provider, the Custom Principal template provides a lightweight identity model. Unlike the Custom IdP, which models a full identity provider with domains, the Principal template is designed to feed users and groups into Custom Application or other templates on the same provider.

A Custom Principal is structured with:

  • Tenant

  • Users

  • Groups

Secret Store

For modeling secret and credential management systems, the Secret Store template captures vaults, entries, permissions, and identity access mappings. Use this template to connect custom or self-hosted credential management systems that are not covered by a native Veza integration.

A Secret Store is structured with:

  • Secret Store

    • Permissions

    • Vaults

      • Entries

        • Identities

    • Identity-to-Permission Bindings

Entity Enrichment

The Entity Enrichment template adds custom property values to entities that already exist in the Veza authorization graph from other integrations. Use this template to attach supplemental metadata (such as compliance status, cost center, or internal identifiers) to entities discovered by native integrations.

An Entity Enrichment submission contains:

  • Enriched entity property definitions (schema declarations)

  • Enriched entities (entity references with property values)

Entity Enrichment

Template for setting custom property values on existing entities in the Veza authorization graph

Use this template to set custom property values on existing entities in the Veza authorization graph using the Open Authorization API. Unlike other OAA templates, which create new entities, the Entity Enrichment template adds metadata to entities that already exist from other integrations.

Entity enrichment is useful when you have supplemental data about entities that Veza already discovers through native integrations. For example, you might enrich AWS IAM roles with internal compliance metadata, or tag Okta users with cost center information from a custom source.

Note: The Entity Enrichment template sets arbitrary custom properties via API push. This is distinct from Enrichment Rules, which are UI-configured rules that set a fixed set of built-in Veza classification attributes (identity type, owner, privileged status, and criticality) at extraction time. Use this template when you need to attach custom metadata beyond those built-in attributes.

The template has two sections:

• Enriched entity property definitions - declares the custom properties and their types for each entity type being enriched.

• Enriched entities - the list of existing entities to enrich, with values for each declared property.

To use the entity enrichment template, set the template type to entity_enrichment when creating a new data provider:

    curl -X POST "https://{VEZA_URL}/api/v1/providers/custom" \
    -H "authorization: Bearer {API_KEY}" \
    -H "Content-Type: application/json" \
    --data '{"name":"My Enrichment Provider","custom_template":"entity_enrichment"}'

Sample payload

AWS IAM enrichment example

This example enriches AWS IAM roles with internal compliance metadata and AWS IAM users with a purpose description.

    {
      "enriched_entity_property_definitions": [
        {
          "entity_type": "AwsIamRole",
          "enriched_properties": {
            "my_company_id": "STRING",
            "company_purpose": "STRING",
            "is_compliance_validated": "BOOLEAN"
          }
        },
        {
          "entity_type": "AwsIamUser",
          "enriched_properties": {
            "company_purpose": "STRING"
          }
        }
      ],
      "enriched_entities": [
        {
          "type": "AwsIamRole",
          "id": "arn:aws:iam::339083562601:role/Administrator",
          "data_source_id": "339083562601:awsiam",
          "properties": {
            "my_company_id": "DCFB16CD-A044-4787-9165-1C926221F887",
            "company_purpose": "Built in Admin role",
            "is_compliance_validated": true
          }
        },
        {
          "type": "AwsIamRole",
          "id": "arn:aws:iam::650251689811:role/andrew_s3_all",
          "data_source_id": "339083562601:awsiam",
          "properties": {
            "my_company_id": "A3F40BAC-1871-4EFC-A0EE-CD77E3F513C27",
            "company_purpose": "Some role for Andrew",
            "is_compliance_validated": false
          }
        },
        {
          "type": "AwsIamUser",
          "id": "arn:aws:iam::339083562601:user/andrew",
          "data_source_id": "339083562601:awsiam",
          "properties": {
            "company_purpose": "Engineering service account"
          }
        }
      ]
    }

Top-level payload

Each field is listed with its type and description.

• enriched_entity_property_definitions (array): List of property definitions for each entity type.

• enriched_entities (array): List of entities to enrich with property values.

Enriched entity property definitions

Each entry declares the custom properties that will be added to a specific entity type, along with their data types. Property types determine how Veza stores and indexes values. For example, TIMESTAMP properties enable relative date filters in queries (such as "last 90 days").

    "enriched_entity_property_definitions": [
      {
        "entity_type": "AwsIamRole",
        "enriched_properties": {
          "my_company_id": "STRING",
          "is_compliance_validated": "BOOLEAN"
        }
      }
    ]

Property definition fields

• entity_type (string): Veza entity type to enrich (e.g., AwsIamRole, OktaUser).

• enriched_properties (dictionary): Map of property names to their types. See the supported types below.

Supported property types

• STRING: Text value.

• NUMBER: Numeric value (integer or float).

• BOOLEAN: true or false.

• TIMESTAMP: Date/time value. Enables relative date filters in Veza queries.

• STRING_LIST: List of string values.

Enriched entities

The list of existing entities to enrich with property values. Each entity must appear exactly once with all properties that should be set. Including an entity with no properties clears all enriched property values from that entity. Only entities in the list are updated; other entities are not affected.

    "enriched_entities": [
      {
        "type": "AwsIamRole",
        "id": "arn:aws:iam::339083562601:role/Administrator",
        "data_source_id": "339083562601:awsiam",
        "properties": {
          "my_company_id": "DCFB16CD-A044-4787-9165-1C926221F887",
          "is_compliance_validated": true
        }
      }
    ]

Enriched entity fields

• type (string): Veza entity type (must match an entity_type in the property definitions).

• id (string): Veza unique ID for the entity. For AWS entities, this is the ARN. Each entity must appear only once in the list.

• data_source_id (string): Veza data source ID for the entity. For AWS, combine the account ID with the data source type (e.g., 339083562601:awsiam).

• properties (dictionary): Map of property names to values. Keys must be defined in the property definitions, and values must match the declared type. Omitting a key that is defined in the property definitions removes that property value from the entity.

Creating and updating enrichment data

To create the OAA provider and push enrichment data:

1. Create the provider with the entity_enrichment template type:

    curl -X POST "https://{VEZA_URL}/api/v1/providers/custom" \
    -H "authorization: Bearer {API_KEY}" \
    -H "Content-Type: application/json" \
    --data '{"name":"Enrichment Provider","custom_template":"entity_enrichment"}'

2. Create a data source on the provider:

    curl -X POST "https://{VEZA_URL}/api/v1/providers/custom/{PROVIDER_ID}/datasources" \
    -H "authorization: Bearer {API_KEY}" \
    -H "Content-Type: application/json" \
    --data '{"name":"Enrichment Data Source"}'

3. Push the enrichment payload to the data source:

    curl -X POST "https://{VEZA_URL}/api/v1/providers/custom/{PROVIDER_ID}/datasources/{DATASOURCE_ID}:push" \
    -H "authorization: Bearer {API_KEY}" \
    -H "Content-Type: application/json" \
    --data "{\"json_data\": $(jq -Rs . payload.json)}"

   The push endpoint requires the payload as a JSON-encoded string in the json_data field. jq -Rs . reads payload.json and escapes it as a JSON string. See OAA API Operations for compression options.

Updates follow the same push workflow. Each push replaces the enrichment data for the entities included in the payload. Entities not included in the push are not affected.

Limitations

Property values vs. property definitions: You can clear a property value by omitting its key in a subsequent push, or by including the entity with an empty properties object. This clears the stored value but does not remove the property definition from the entity type. Once a property name is defined for an entity type, the definition persists in the graph and cannot be removed.

Provider deletion: Deleting an enrichment provider does not remove enrichment data from the Veza graph. Data pushed through the provider remains associated with the enriched entities after the provider is deleted. Contact Veza support if you need to fully remove enrichment data from the graph.
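Because a push silently clears any defined property that an entity omits, it is worth checking a payload before sending it. The following Python is an added example, not code from the Veza documentation or its client library: it validates an entity_enrichment payload against the rules stated above (property keys must be defined for the entity type, values must match the declared type, each entity appears once, the payload is wrapped as a JSON string in json_data) and reports which property values the push would clear. The sample payload is constructed for this example with a placeholder AWS account ID; the ISO 8601 timestamp format is an assumption.

```python
import json
from datetime import datetime


def _is_iso8601(value):
    # Assumption for this example: TIMESTAMP values are ISO 8601 strings such as "2024-01-31T00:00:00Z".
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))
        return True
    except ValueError:
        return False


# Type checks for the property types the Entity Enrichment template supports.
TYPE_CHECKS = {
    "STRING": lambda v: isinstance(v, str),
    "NUMBER": lambda v: isinstance(v, (int, float)) and not isinstance(v, bool),
    "BOOLEAN": lambda v: isinstance(v, bool),
    "TIMESTAMP": lambda v: isinstance(v, str) and _is_iso8601(v),
    "STRING_LIST": lambda v: isinstance(v, list) and all(isinstance(s, str) for s in v),
}


def validate_enrichment_payload(payload):
    """Return (errors, cleared).

    errors:  rule violations that would make the push wrong or rejected.
    cleared: {(type, id): [property names]} whose stored values this push would clear,
             because the key is defined for the entity type but omitted from the entity.
    """
    errors, cleared, definitions = [], {}, {}
    for definition in payload.get("enriched_entity_property_definitions", []):
        etype = definition.get("entity_type")
        props = definition.get("enriched_properties", {})
        for pname, ptype in props.items():
            if ptype not in TYPE_CHECKS:
                errors.append(f"{etype}.{pname}: unsupported type {ptype}")
        definitions[etype] = props

    seen = set()
    for entity in payload.get("enriched_entities", []):
        etype, eid = entity.get("type"), entity.get("id")
        key = (etype, eid)
        if key in seen:
            errors.append(f"entity {eid} ({etype}) appears more than once")
        seen.add(key)
        for required in ("type", "id", "data_source_id"):
            if not entity.get(required):
                errors.append(f"entity {eid}: missing {required}")
        if etype not in definitions:
            errors.append(f"entity {eid}: type {etype} has no property definitions")
            continue
        defined = definitions[etype]
        props = entity.get("properties", {})
        for pname, value in props.items():
            if pname not in defined:
                errors.append(f"entity {eid}: property {pname} is not defined for {etype}")
            elif defined[pname] in TYPE_CHECKS and not TYPE_CHECKS[defined[pname]](value):
                errors.append(f"entity {eid}: {pname} must be {defined[pname]}")
        omitted = sorted(set(defined) - set(props))
        if omitted:
            cleared[key] = omitted
    return errors, cleared


def build_push_body(payload):
    """Wrap the payload as the push endpoint expects: the JSON document as a string in json_data."""
    return {"json_data": json.dumps(payload)}


# Constructed sample modeled on the AWS IAM example above, with a placeholder account ID.
SAMPLE_PAYLOAD = {
    "enriched_entity_property_definitions": [
        {"entity_type": "AwsIamRole",
         "enriched_properties": {"my_company_id": "STRING",
                                 "is_compliance_validated": "BOOLEAN",
                                 "last_reviewed": "TIMESTAMP"}}
    ],
    "enriched_entities": [
        {"type": "AwsIamRole", "id": "arn:aws:iam::111122223333:role/Administrator",
         "data_source_id": "111122223333:awsiam",
         "properties": {"my_company_id": "ROLE-0001", "is_compliance_validated": True,
                        "last_reviewed": "2024-01-31T00:00:00Z"}},
        # last_reviewed is defined for AwsIamRole but omitted here, so this push clears it.
        {"type": "AwsIamRole", "id": "arn:aws:iam::111122223333:role/ReadOnly",
         "data_source_id": "111122223333:awsiam",
         "properties": {"my_company_id": "ROLE-0002", "is_compliance_validated": False}},
    ],
}

if __name__ == "__main__":
    errs, will_clear = validate_enrichment_payload(SAMPLE_PAYLOAD)
    print("errors:", errs)
    print("values this push clears:", will_clear)
    print("push body size:", len(build_push_body(SAMPLE_PAYLOAD)["json_data"]))
```

Run the validator in the pipeline that assembles the payload and refuse to push when errors is non-empty; the cleared map is what an operator would want to see in a dry-run log, since the page's "omit to clear" rule makes an accidental omission indistinguishable from an intentional one.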

Custom HRIS Provider

OAA Template for Human Resources Information Systems

Overview

Use this Open Authorization API template to publish employee metadata from Human Resources Information Systems (HRIS) platforms, which organizations typically use as the single source of truth for employee information.

Unlike an Identity Provider, HR platforms typically do not provide access to other systems. Employee profiles within an HRIS platform are instead used to store important details such as employment status, who individuals report to, department, and country. Veza can use this metadata to:

• Trigger events (see Lifecycle Management) when there is a change in the integrated HRIS data source.

• Correlate employees in the HRIS system with identities in your identity provider (IdP).

• Enrich Access Reviews with details about linked HRIS employees for users under review.

The template supports:

• A top-level System entity representing the HRIS tenant, organization, or account.

• Employee entities representing current and inactive workers.

• Group entities representing teams, departments, cost centers, or other units to which users are assigned.

To enable this payload format, specify the hris custom template when creating an OAA provider with the API.

HRIS template example

Two example payloads, a generic HR platform and a BambooHR system, follow the property reference below.

Custom properties

The HRIS template supports custom properties. After specifying a custom property definition in the payload, you can assign additional attributes to entities. These enable attribute filters for searches and access reviews in Veza, and enrich results with entity metadata unique to the source system or your organization.

Identity mappings

Veza maps HRIS employees to identities from integrated Identity Providers (IdPs) such as Okta by matching the idp_id, email, or id value in the HRIS payload with the IdP entity's Name, Principal Name, or Identity. The matching process checks these fields in the following sequence:

1. idp_id

2. email

3. id

If idp_id is unset, Veza uses the email field for matching. If the email field is also absent, the id is used. Veza issues a warning if no matching entity is found.
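The precedence above determines which IdP account an employee record is linked to, so it is worth being able to predict the outcome before pushing. The following Python is an added example, not part of the Veza documentation or client library: it applies the idp_id, then email, then id sequence against a constructed list of IdP entities and logs the warning case. The IdP key names (name, principal_name, identity), case-insensitive comparison, and the choice to move on to the next field when a set field matches nothing are assumptions of this example; the page only describes what happens when a field is unset.

```python
import logging

log = logging.getLogger("hris_identity_mapping")

# Fields checked, in the order the page gives: idp_id, then email, then id.
MATCH_ORDER = ("idp_id", "email", "id")

# Constructed IdP entities. The page names the IdP attributes Name, Principal Name and
# Identity; the key names used here are an assumption for this example.
IDP_IDENTITIES = [
    {"name": "jdoe", "principal_name": "jdoe@example.com", "identity": "00u1abc"},
    {"name": "jane.doe", "principal_name": "jane.doe@example.com", "identity": "00u2def"},
]

# Constructed HRIS employees using the template's idp_id / email / id attributes.
EMPLOYEES = [
    {"id": "123456", "idp_id": "00u1abc", "email": "other@example.com"},  # idp_id takes precedence
    {"id": "987654", "email": "Jane.Doe@example.com"},                    # no idp_id: email is used
    {"id": "jdoe"},                                                       # neither: id is compared
    {"id": "555555", "email": "nobody@example.com"},                      # matches nothing
]


def _same(a, b):
    # Case-insensitive comparison so e-mail capitalisation does not break matching
    # (an assumption of this example; the page does not specify case handling).
    return a.strip().lower() == b.strip().lower()


def match_employee(employee, idp_identities):
    """Return (idp_entity, field_used) for the first field in MATCH_ORDER that matches.

    An unset field is skipped, as the page describes. A field that is set but matches
    no IdP entity is also passed over in favour of the next field (assumption).
    Returns (None, None) and logs a warning when nothing matches.
    """
    for field in MATCH_ORDER:
        value = employee.get(field)
        if not value:
            continue
        for ident in idp_identities:
            if any(_same(value, ident[k]) for k in ("name", "principal_name", "identity")):
                return ident, field
    log.warning("no IdP entity found for HRIS employee %s", employee.get("id"))
    return None, None


def map_employees(employees, idp_identities):
    """employee id -> (IdP identity value, field that produced the match), or None."""
    mapping = {}
    for emp in employees:
        ident, field = match_employee(emp, idp_identities)
        mapping[emp["id"]] = (ident["identity"], field) if ident else None
    return mapping


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for emp_id, result in map_employees(EMPLOYEES, IDP_IDENTITIES).items():
        print(emp_id, "->", result)
```

A useful pre-push check is to run this over the whole employee list and review the None entries: an employee that matches nothing will be published without an IdP link, and an employee whose email matches a different person than their idp_id would indicates stale HRIS data.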

Custom HRIS System

The account/tenant/etc. that contains the HR information. Each row lists the property, its attribute name, its type, whether it is required (Y/N), whether it must be unique (Y/N), and a description.

• URL (url) - String; required N; unique N. The URL for this HRIS system.

• IDP Providers (idp_providers) - String list; required N; unique N. List of destination IdP provider types to connect this system to (e.g. okta, azure_ad).

• Identity Mapping Configuration (identity_mapping_configuration) - Object; required N; unique N. Configuration for mapping employees to identities in external data sources.

Custom HRIS Employee

Used to represent any person who has been employed by a company. Rows are listed as for the System table.

• Employee Number (employee_number) - String; required N; unique Y. The employee's number that appears in the third-party integration.

• Company (company) - String; required N; unique N. The company (or subsidiary) the employee works for.

• First Name (first_name) - String; required N; unique N. The employee's first name.

• Last Name (last_name) - String; required N; unique N. The employee's last name.

• Preferred Name (preferred_name) - String; required N; unique N. The employee's preferred first name.

• Display Full Name (display_full_name) - String; required N; unique N. The employee's full name, to use for display purposes. If a preferred first name is available, the full name will include the preferred first name.

• Canonical Name (canonical_name) - String; required N; unique N. The employee's canonical name.

• Username (username) - String; required N; unique N. The employee's username that appears in the integration UI.

• Email (email) - String; required N; unique Y. The employee's work email.

• IDP ID (idp_id) - String; required N; unique N. The ID for this employee on the destination IdP provider, used to automatically connect to it. If not supplied, email is used.

• Personal Email (personal_email) - String; required N; unique N. The employee's personal email.

• Home Location (home_location) - String; required N; unique N. The employee's home location.

• Work Location (work_location) - String; required N; unique N. The employee's work location.

• Cost Center (cost_center) - EntityRef; required N; unique N. Reference to the group representing the cost center the employee is in (e.g. {"id": "cost-center-001"}).

• Department (department) - EntityRef; required N; unique N. Reference to the group representing the department the employee is in (e.g. {"id": "engineering"}).

• Managers (managers) - EntityRef list; required N; unique N. References to the employee's managers (e.g. [{"id": "987654"}]).

• Groups (groups) - EntityRef list; required N; unique N. References to the groups this employee is in (e.g. [{"id": "all_employees"}]).

• Employment Status (employment_status) - String; required N; unique N. The employment status of the employee. Possible values include ACTIVE, PENDING, INACTIVE.

• Is Active (is_active) - Boolean; required N; unique N. Whether the employee is active.

• Start Date (start_date) - Timestamp; required N; unique N. The date that the employee started working. If an employee was rehired, the most recent start date will be returned.

• Termination Date (termination_date) - Timestamp; required N; unique N. The employee's termination date.

• Job Title (job_title) - String; required N; unique N. The title of the employee.

• Employment Types (employment_types) - String list; required N; unique N. The employee's type of employment. Possible values include FULL_TIME, PART_TIME, INTERN, CONTRACTOR, FREELANCE.

• Primary Time Zone (primary_time_zone) - String; required N; unique N. The time zone in which the employee primarily lives.

Custom HRIS Group

Used to represent any subset of employees, such as PayGroup or Team. Employees can be in multiple Groups. Rows are listed as for the System table.

• Group Type (group_type) - String; required Y; unique N. The type of group. Possible values include TEAM, DEPARTMENT, COST_CENTER, BUSINESS_UNIT, GROUP. This is intended so that each type does not need its own node.

• Parent (parent) - EntityRef; required N; unique N. Reference to the parent group (e.g. {"id": "parent-group-id"}).

HRIS example payloads

The first payload models a generic HR platform with one custom employee property; the second models a BambooHR system with custom employee and group properties.

    {
      "name": "HRIS Example",
      "hris_type": "HR Platform",
      "custom_property_definition": {
        "system_properties": {},
        "employee_properties": {
          "job_level": "STRING"
        },
        "group_properties": {}
      },
      "system": {
        "id": "7D8A21AE-6650-4357-842B-3FCEC8F29195",
        "name": "HRIS Example",
        "url": "https://hris.example.com"
      },
      "employees": [
        {
          "id": "123456",
          "name": "jdoe",
          "employee_number": "E123456",
          "first_name": "John",
          "last_name": "Doe",
          "canonical_name": "Doe, John",
          "email": "[email protected]",
          "home_location": "Anytown, CA",
          "work_location": "San Francisco, CA",
          "employment_status": "HIRED",
          "start_date": "2022-05-22T00:00:00Z",
          "job_title": "Software Developer",
          "employment_types": [
            "FULL_TIME"
          ],
          "custom_properties": {
            "job_level": "L3"
          },
          "is_active": true,
          "groups": [
            {
              "id": "all_employees"
            }
          ],
          "managers": [
            {
              "id": "987654"
            }
          ],
          "department": {
            "id": "engineering"
          }
        },
        {
          "id": "987654",
          "name": "jane.doe",
          "employee_number": "E987654",
          "first_name": "Jane",
          "last_name": "Doe",
          "canonical_name": "Doe, Jane",
          "email": "[email protected]",
          "home_location": "Anytown, CA",
          "work_location": "San Francisco, CA",
          "employment_status": "HIRED",
          "start_date": "2021-03-13T00:00:00Z",
          "job_title": "Software Developer",
          "employment_types": [
            "FULL_TIME"
          ],
          "custom_properties": {
            "job_level": "M2"
          },
          "is_active": true,
          "groups": [
            {
              "id": "all_employees"
            }
          ],
          "department": {
            "id": "engineering"
          }
        }
      ],
      "groups": [
        {
          "id": "all_employees",
          "name": "All Employees",
          "group_type": "Employee Group"
        },
        {
          "id": "engineering",
          "name": "Engineering",
          "group_type": "Department"
        }
      ]
    }
    {
      "name": "BambooHR",
      "hris_type": "BambooHR",
      "custom_property_definition": {
        "employee_properties": {
          "division": "STRING",
          "office_extension": "STRING"
        },
        "group_properties": {
          "headquarters_location": "STRING"
        }
      },
      "system": {
        "name": "BambooHR",
        "id": "BambooHR",
        "url": "https://vezai.bamboohr.com",
        "idp_providers": ["okta"]
      },
      "employees": [
        {
          "name": "Charlotte Abbott",
          "id": "1",
          "custom_properties": {
            "division": "North America",
            "office_extension": "1234"
          },
          "employee_number": "1",
          "email": "[email protected]",
          "work_location": "Lindon, Utah",
          "job_title": "Sr. HR Administrator"
        },
        {
          "name": "Cheryl Barnet",
          "id": "10",
          "custom_properties": {
            "division": "North America",
            "office_extension": "5678"
          },
          "employee_number": "10",
          "email": "[email protected]",
          "work_location": "Lindon, Utah",
          "job_title": "VP of Customer Success"
        }
      ],
      "groups": [
        {
          "name": "North America-Human Resources",
          "id": "North America-Human Resources",
          "group_type": "Department",
          "custom_properties": {
            "headquarters_location": "Lindon, Utah"
          }
        }
      ]
    }

Secret Store

Template for modeling secret storage systems with vaults, entries, and permissions

Note: Secret Store is an Early Access feature. Contact your Veza account team to enable it for your organization.

Use this template to model secret and credential management systems using the Open Authorization API. The Secret Store template captures the authorization relationships for custom or self-hosted credential management systems that are not covered by a native Veza integration.

The template models a hierarchical structure:

  • Secret Store - the top-level entity representing the secret management system instance

    • Permissions - define actions that identities can perform (e.g., Read, Write, Decrypt)

    • Vaults - logical containers for secrets within the store

      • Entries - individual secrets or credentials within a vault

        • Identities - optional identity mappings linking the entry to external identities

    • Identity-to-Permission Bindings - map identities to permissions on specific vaults

  • A custom property definition can define additional properties for the secret store, permissions, vaults, and entries.

To use the secret store template, set the template type to secret_store when creating a new data provider.

Sample Payloads

HashiCorp Vault Example

This example demonstrates a secret store with two vaults, permissions, vault entries with identity mappings, and identity-to-permission bindings.

Example: Custom PAM Integration

Organizations with custom or self-hosted privileged access management (PAM) systems can use the Secret Store template to model their credential vaults, entries, and access permissions. This example shows how to map a typical PAM structure to the Secret Store template.

Custom PAM Payload

This payload models a custom PAM system with two credential vaults, permission definitions, and identity-to-permission mappings reflecting typical DBA and platform engineer access patterns.

This example demonstrates key patterns for working with the template:

• Vaults group credentials by scope. Permissions are granted at the vault level, so grouping credentials by team or system (databases, cloud keys) is the natural unit of access control.

• allow_identity_assume indicates whether this permission grants the ability to retrieve and use a credential's actual value.

• rotation_policy and requires_approval are custom properties that capture PAM-specific policies useful for access reviews and compliance reporting.

Top-Level Payload

Each field is listed with its type and description.

• secret_store_type (string): Type descriptor for the secret store (e.g., hashicorp_vault). Applied as a searchable property.

• custom_property_definition (object): Defines custom properties for the store, permissions, vaults, and entries. See Custom Property Definitions.

Secret Store object

The secret store object is the top-level container for permissions, vaults, and identity mappings.

Secret Store Properties

• name (string): Display name for the secret store.

• id (string): Unique identifier. Defaults to name if not provided.

Permissions

Permissions define the actions that identities can perform on the secret store and its vaults. Permissions are referenced by name in identity-to-permission bindings.

Permission Properties

• name (string): Display name for the permission.

• id (string): Unique identifier. Defaults to name if not provided.

Vaults

Vaults are logical containers for secrets within the store. Each vault has a type and can contain multiple entries.

Vault Properties

• name (string): Display name for the vault.

• id (string): Unique identifier. Defaults to name if not provided.

Vault Entries

Entries represent individual secrets or credentials within a vault. Entries optionally include identity mappings that link the credential to external identities in the authorization graph.

Vault Entry Properties

• name (string): Display name for the entry.

• id (string): Unique identifier. Defaults to name if not provided.

Vault Entry Identities

Identity mappings on vault entries link a credential to external identities in the authorization graph. When the payload is parsed, Veza creates graph edges between the vault entry and the referenced identities. See Custom Identity Mappings for more information.

Identity Properties

• type (string): The type of external identity (e.g., OktaUser, AzureADUser, AWSIAMUser).

• external_id (string): The external identifier for the identity (e.g., email address, ARN).

Identity to Permissions

Identity-to-permission mappings define which identities have which permissions on which vaults. Each mapping links an identity to one or more permission assignments.

Identity-to-Permission Properties

• identity (string): The identity ID or name.

• identity_type (string): The type of identity (e.g., local_user).

Permission Assignments

Each permission assignment binds a set of permissions to a set of vaults for the parent identity.

• vault (array): List of vault IDs or names that this assignment applies to.

• permissions (array): List of permission names granted to the identity on these vaults.

Custom Property Definitions

Custom properties allow you to attach additional metadata to secret store entities. Define properties in the custom_property_definition object, then set values on individual entities.

• secret_store_properties: Custom properties for the secret store entity.

• permission_properties: Custom properties for permission entities.

• vault_properties: Custom properties for vault entities.

• entry_properties: Custom properties for vault entry entities.

Property values must match their declared type. Supported types are described in Custom Properties.

Incremental Updates

After the initial metadata push (which must contain the full payload), you can modify, add, or remove the secret store, permissions, vaults, entries, and identity assignments without resubmitting other entities. An incremental update is enabled by setting "incremental_change": true in the push payload, and specifying the update operation for each entity to change.

Creating and Updating a Secret Store

To create the OAA provider and push data:

1. Create the provider with the secret_store template type.

2. Create a data source on the provider.

3. Push the payload to the data source. The push endpoint requires the payload as a JSON-encoded string in the json_data field. jq -Rs . reads payload.json and escapes it as a JSON string.

Updates follow the same push workflow. Veza processes the full payload and updates the Authorization Graph accordingly.

Custom Principal

Template for modeling a lightweight identity source with users, groups, and tenants

Use this template to model a source of identities (users, groups, and tenants) using the Open Authorization API. Principals represent identity sources that connect to other OAA template types on the same provider, enabling Veza to map users and groups to the applications and resources they access.

The Custom Principal template differs from the Custom Identity Provider template in scope: a Principal is a lightweight identity source meant to feed users and groups into Custom Application or other templates on the same provider. Custom IdP models a full identity provider with domains and federated identity features.

The template has three primary entities:

• Tenant - the top-level container for the principal instance. Each submission has exactly one tenant.

• Users - the individual identities in the principal system. Users can belong to groups and have custom properties like is_active, email, and timestamps.

• Groups - collections of users. Groups support hierarchical nesting through parent group references.

• A custom property definition can define additional properties for tenants, users, and groups.

    To use the principal template, set custom_templates to a list that includes principal when creating the provider. Because a principal is almost always used alongside an application, include both templates:

    Then create a data source for the principal on that provider, specifying the principal template:

    hashtag
    Sample Payloads

    chevron-rightCustom Principal with Users and Groupshashtag

    This example demonstrates a corporate directory with users assigned to groups, custom properties, and hierarchical group nesting.

    hashtag
    Real-World Example: Atlassian Cloud Admin

    Veza's Atlassian Cloud connector uses the Custom Principal template to model the organization-level identity directory in Atlassian Cloud. The principal feeds users and groups into the Jira Cloud and Confluence Cloud application connectors on the same provider, linking identities to the resources they access.

    This approach separates identity management (who exists, what products they can access) from application-level authorization (what permissions they have in Jira projects or Confluence spaces). The principal captures the organization directory, while separate Custom Application submissions model Jira and Confluence.

    Atlassian Cloud Admin Payload

    This payload models an Atlassian Cloud organization with managed and external users, product-access groups, and custom properties tracking account metadata.

    Key patterns from this integration:

    • user_type distinguishes managed users (in the organization's domain) from external collaborators, enabling access reviews to flag external access.

    • product_access as a STRING_LIST tracks which Atlassian products each user can access (Jira, Confluence, Bitbucket), providing visibility into license usage.

    • access_billable flags whether the user counts toward the organization's Atlassian license seat count.

    • Groups map to product access rather than organizational structure — groups like jira-software-users and confluence-users reflect Atlassian's product-based access model.

    • The principal connects to application templates on the same provider. Users and groups defined here appear as identities in Jira Cloud and Confluence Cloud Custom Application submissions, linking organization membership to application-level permissions.
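The two review questions these patterns set up, which external users exist and what they can reach once group nesting is resolved, can be answered from the payload itself. The script below is an added example, not code from the Veza documentation or the Atlassian Cloud connector: it resolves parent_group chains into effective membership (with cycle and dangling-reference protection), lists external users with their product access and effective groups, and reports group references that point at undeclared groups. The sample payload is constructed, modeled on the Atlassian example above but with an extra nested group, and the rule that membership in a child group implies membership in its ancestors is an assumption about how the hierarchy is meant to be read, not a statement from the page.

```python
"""Review checks over a Custom Principal payload (added example).

Not code from the Veza documentation or the Atlassian Cloud connector.
Assumption: membership in a child group implies membership in every ancestor
group reached through parent_group references.
"""


def _group_index(payload):
    return {g["id"]: g for g in payload.get("groups", [])}


def _ancestors(group_id, groups):
    """Ancestor group ids reached through parent_group, stopping on cycles and
    on references to groups that are not declared in the payload."""
    seen = []
    current = groups.get(group_id, {}).get("parent_group", {}).get("id")
    while current and current != group_id and current not in seen and current in groups:
        seen.append(current)
        current = groups[current].get("parent_group", {}).get("id")
    return seen


def effective_groups(payload):
    """Map user id -> sorted list of direct plus inherited group ids."""
    groups = _group_index(payload)
    result = {}
    for user in payload.get("users", []):
        reach = set()
        for ref in user.get("groups", []):
            reach.add(ref["id"])
            reach.update(_ancestors(ref["id"], groups))
        result[user["id"]] = sorted(reach)
    return result


def dangling_group_refs(payload):
    """(user id, group id) for user -> undeclared group references, and
    (group id, parent id) for parent_group references to undeclared groups."""
    groups = _group_index(payload)
    bad = []
    for user in payload.get("users", []):
        bad += [(user["id"], r["id"]) for r in user.get("groups", []) if r["id"] not in groups]
    for group in groups.values():
        parent = group.get("parent_group", {}).get("id")
        if parent and parent not in groups:
            bad.append((group["id"], parent))
    return bad


def flag_external_access(payload):
    """Active users whose user_type custom property is 'external', with the
    products and effective groups they can reach: one tuple per user."""
    reach = effective_groups(payload)
    findings = []
    for user in payload.get("users", []):
        props = user.get("custom_properties", {})
        if props.get("user_type") == "external" and user.get("is_active", True):
            findings.append((user["id"], user.get("email"),
                             tuple(props.get("product_access", [])), tuple(reach[user["id"]])))
    return findings


# Constructed sample modeled on the Atlassian Cloud Admin payload, plus a nested
# admin group and a deactivated external user with a dangling group reference.
SAMPLE = {
    "name": "Atlassian Cloud Admin", "principal_type": "Atlassian Cloud Admin",
    "custom_property_definition": {"user_properties": {"user_type": "STRING", "product_access": "STRING_LIST"}},
    "tenant": {"name": "acme-corp", "id": "tenant-acme"},
    "users": [
        {"name": "Jane Doe", "id": "u-jane", "email": "jane@acme.example", "is_active": True,
         "groups": [{"id": "jira-software-users"}, {"id": "confluence-users"}],
         "custom_properties": {"user_type": "managed", "product_access": ["jira-software", "confluence"]}},
        {"name": "contractor", "id": "u-ext", "email": "contractor@partner.example", "is_active": True,
         "groups": [{"id": "jira-admins"}],
         "custom_properties": {"user_type": "external", "product_access": ["jira-software"]}},
        {"name": "former", "id": "u-gone", "email": "former@partner.example", "is_active": False,
         "groups": [{"id": "no-such-group"}],
         "custom_properties": {"user_type": "external", "product_access": []}},
    ],
    "groups": [
        {"name": "jira-software-users", "id": "jira-software-users", "group_type": "product-access"},
        {"name": "confluence-users", "id": "confluence-users", "group_type": "product-access"},
        {"name": "jira-admins", "id": "jira-admins", "group_type": "admin",
         "parent_group": {"id": "jira-software-users"}},
    ],
}

if __name__ == "__main__":
    for user_id, email, products, groups in flag_external_access(SAMPLE):
        print(f"external: {user_id} <{email}> products={products} groups={groups}")
    for source, target in dangling_group_refs(SAMPLE):
        print(f"dangling reference: {source} -> {target}")
```

Dangling references are worth fixing before the push rather than after: a user assigned to a group id that no group declares is silently invisible in the graph, which is exactly the kind of gap an access review will not surface.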

    hashtag
    Top-Level Payload

    | Field | Type | Description |
    | --- | --- | --- |
    | name | string | Name of the principal provider instance |
    | principal_type | string | Type descriptor for the principal provider (e.g., corporate_directory). Applied as a searchable property |

    hashtag
    Tenant

    Each principal submission contains exactly one tenant, representing the top-level container for the identity source.

    hashtag
    Tenant Properties

    | Field | Type | Description |
    | --- | --- | --- |
    | name | string | Display name for the tenant |
    | id | string | Unique identifier for the tenant |

    hashtag
    Users

    Users represent individual identities in the principal system. Each user can be linked to external identities and assigned to groups.

    hashtag
    User Properties

    | Field | Type | Description |
    | --- | --- | --- |
    | name | string | Display name for the user |
    | id | string | Unique identifier for the user. Defaults to name if not provided |

    hashtag
    Groups

    Groups represent collections of users. Groups can have external identities and support hierarchical nesting through parent group references.

    hashtag
    Group Properties

    | Field | Type | Description |
    | --- | --- | --- |
    | name | string | Display name for the group |
    | id | string | Unique identifier for the group. Defaults to name if not provided |

    hashtag
    Custom Property Definitions

    Custom properties allow you to attach additional metadata to principal entities. Define properties in the custom_property_definition object, then set values on individual entities.

    | Scope | Description |
    | --- | --- |
    | tenant_properties | Custom properties for the tenant entity |
    | user_properties | Custom properties for user entities |
    | group_properties | Custom properties for group entities |

    Property values must match their declared type. Supported types are described in Custom Properties.

    hashtag
    Incremental Updates

    After the initial metadata push (which must contain the full payload), you can modify, add, or remove the tenant, users, and groups without resubmitting other entities. An incremental update is enabled by setting "incremental_change": true in the push payload, and specifying the update operation for each entity to change.

    hashtag
    Creating and Updating a Custom Principal

    To create the OAA provider and push data:

    1. Create the provider with both the principal and application template types:

    2. Create a data source on the provider, specifying the principal template:

    3. Push the payload to the data source:

      The push endpoint requires the payload as a JSON-encoded string in the json_data field. jq -Rs . reads payload.json and escapes it as a JSON string.

    Updates follow the same push workflow. Veza processes the full payload and updates the Authorization Graph accordingly.

    Sample payload: Secret Store modeled on HashiCorp Vault (secret_store_type hashicorp_vault):

    {
      "secret_store_type": "hashicorp_vault",
      "custom_property_definition": {
        "secret_store_properties": {
          "environment": "STRING"
        },
        "permission_properties": {},
        "vault_properties": {
          "encryption_type": "STRING"
        },
        "entry_properties": {
          "rotation_enabled": "BOOLEAN"
        }
      },
      "secret_store": {
        "name": "Production Vault",
        "id": "prod-vault-001",
        "description": "Production environment secrets",
        "tags": [
          {
            "key": "department",
            "value": "engineering"
          }
        ],
        "custom_properties": {
          "environment": "production"
        },
        "permissions": [
          {
            "name": "Read",
            "id": "perm-read",
            "resource": "secrets/*",
            "allow_identity_assume": false
          },
          {
            "name": "Write",
            "id": "perm-write",
            "resource": "secrets/*",
            "allow_identity_assume": true
          }
        ],
        "secret_store_vaults": [
          {
            "name": "API Keys",
            "id": "vault-api-keys",
            "vault_type": "kv",
            "description": "API key storage",
            "tags": [
              {
                "key": "category",
                "value": "api-credentials"
              }
            ],
            "custom_properties": {
              "encryption_type": "AES-256"
            },
            "entries": [
              {
                "name": "Stripe API Key",
                "id": "entry-stripe",
                "description": "Stripe payment processing key",
                "custom_properties": {
                  "rotation_enabled": true
                },
                "identities": [
                  {
                    "type": "OktaUser",
                    "external_id": "[email protected]"
                  }
                ]
              }
            ]
          },
          {
            "name": "Database Credentials",
            "id": "vault-db-creds",
            "vault_type": "kv",
            "description": "Database connection credentials",
            "custom_properties": {
              "encryption_type": "AES-256"
            },
            "entries": [
              {
                "name": "PostgreSQL Admin",
                "id": "entry-postgres",
                "description": "PostgreSQL admin credentials",
                "custom_properties": {
                  "rotation_enabled": true
                }
              }
            ]
          }
        ],
        "identity_to_permissions": [
          {
            "identity": "admin-user",
            "identity_type": "local_user",
            "permission_assignments": [
              {
                "vault": [
                  "vault-api-keys",
                  "vault-db-creds"
                ],
                "permissions": [
                  "Read",
                  "Write"
                ]
              }
            ]
          },
          {
            "identity": "developer-user",
            "identity_type": "local_user",
            "permission_assignments": [
              {
                "vault": [
                  "vault-api-keys"
                ],
                "permissions": [
                  "Read"
                ]
              }
            ]
          }
        ]
      }
    }
    Sample payload: Secret Store modeled on a custom PAM system (secret_store_type custom_pam):

    {
      "secret_store_type": "custom_pam",
      "custom_property_definition": {
        "vault_properties": {
          "rotation_policy": "STRING",
          "requires_approval": "BOOLEAN"
        },
        "entry_properties": {
          "credential_type": "STRING"
        }
      },
      "secret_store": {
        "name": "ACME Internal PAM",
        "id": "pam.acme-internal.example.com",
        "description": "Production internal credential management system",
        "tags": [
          {
            "key": "environment",
            "value": "production"
          }
        ],
        "permissions": [
          {
            "name": "View",
            "id": "perm-view",
            "allow_identity_assume": false
          },
          {
            "name": "Checkout",
            "id": "perm-checkout",
            "allow_identity_assume": true
          },
          {
            "name": "Rotate",
            "id": "perm-rotate",
            "allow_identity_assume": false
          },
          {
            "name": "Manage",
            "id": "perm-manage",
            "allow_identity_assume": false
          }
        ],
        "secret_store_vaults": [
          {
            "name": "Production Databases",
            "id": "vault-prod-databases",
            "vault_type": "database",
            "description": "Privileged database credentials for production systems",
            "custom_properties": {
              "rotation_policy": "30-day",
              "requires_approval": true
            },
            "entries": [
              {
                "name": "postgres-prod-admin",
                "id": "cred-pg-admin-001",
                "description": "PostgreSQL production superuser",
                "custom_properties": {
                  "credential_type": "service_account"
                },
                "identities": [
                  {
                    "type": "AzureADUser",
                    "external_id": "[email protected]"
                  }
                ]
              },
              {
                "name": "mysql-prod-readonly",
                "id": "cred-mysql-ro-001",
                "description": "MySQL production read-only service account",
                "custom_properties": {
                  "credential_type": "service_account"
                }
              }
            ]
          },
          {
            "name": "Cloud Platform Keys",
            "id": "vault-cloud-keys",
            "vault_type": "cloud_credentials",
            "description": "Cloud provider access keys",
            "custom_properties": {
              "rotation_policy": "90-day",
              "requires_approval": false
            },
            "entries": [
              {
                "name": "cloud-prod-admin",
                "id": "cred-cloud-admin-001",
                "description": "Production cloud IAM admin access key",
                "custom_properties": {
                  "credential_type": "access_key"
                },
                "identities": [
                  {
                    "type": "AzureADUser",
                    "external_id": "[email protected]"
                  }
                ]
              }
            ]
          }
        ],
        "identity_to_permissions": [
          {
            "identity": "[email protected]",
            "identity_type": "AzureADUser",
            "permission_assignments": [
              {
                "vault": ["vault-prod-databases"],
                "permissions": ["View", "Checkout"]
              }
            ]
          },
          {
            "identity": "[email protected]",
            "identity_type": "AzureADUser",
            "permission_assignments": [
              {
                "vault": ["vault-cloud-keys"],
                "permissions": ["View", "Checkout", "Rotate"]
              },
              {
                "vault": ["vault-prod-databases"],
                "permissions": ["View"]
              }
            ]
          }
        ]
      }
    }
    Commands for steps 1 to 3 of Creating and Updating a Secret Store (create the provider, create the data source, push the payload):

    curl -X POST "https://{VEZA_URL}/api/v1/providers/custom" \
    -H "authorization: Bearer {API_KEY}" \
    -H "Content-Type: application/json" \
    --data '{"name":"MySecretStore","custom_template":"secret_store"}'
    curl -X POST "https://{VEZA_URL}/api/v1/providers/custom/{PROVIDER_ID}/datasources" \
    -H "authorization: Bearer {API_KEY}" \
    -H "Content-Type: application/json" \
    --data '{"name":"my_secret_store_source"}'
    curl -X POST "https://{VEZA_URL}/api/v1/providers/custom/{PROVIDER_ID}/datasources/{DATASOURCE_ID}:push" \
    -H "authorization: Bearer {API_KEY}" \
    -H "Content-Type: application/json" \
    --data "{\"json_data\": $(jq -Rs . payload.json)}"
    Field reference snippets for the Secret Store template (secret store object, permission, vault, entry, entry identity, identity-to-permission mapping, and custom property definition):

    "secret_store": {
      "name": "Production Vault",
      "id": "prod-vault-001",
      "description": "Production environment secrets",
      "tags": [],
      "custom_properties": {},
      "permissions": [],
      "secret_store_vaults": [],
      "identity_to_permissions": []
    }
    "permissions": [
      {
        "name": "Read",
        "id": "perm-read",
        "resource": "secrets/*",
        "allow_identity_assume": false
      }
    ]
    "secret_store_vaults": [
      {
        "name": "API Keys",
        "id": "vault-api-keys",
        "vault_type": "kv",
        "description": "API key storage",
        "tags": [],
        "custom_properties": {},
        "entries": []
      }
    ]
    "entries": [
      {
        "name": "Stripe API Key",
        "id": "entry-stripe",
        "description": "Stripe payment processing key",
        "custom_properties": {
          "rotation_enabled": true
        },
        "identities": [
          {
            "type": "OktaUser",
            "external_id": "[email protected]"
          }
        ]
      }
    ]
    "identities": [
      {
        "type": "OktaUser",
        "external_id": "[email protected]"
      }
    ]
    "identity_to_permissions": [
      {
        "identity": "admin-user",
        "identity_type": "local_user",
        "permission_assignments": [
          {
            "vault": ["vault-api-keys", "vault-db-creds"],
            "permissions": ["Read", "Write"]
          }
        ]
      }
    ]
    "custom_property_definition": {
      "secret_store_properties": {
        "environment": "STRING"
      },
      "permission_properties": {},
      "vault_properties": {
        "encryption_type": "STRING"
      },
      "entry_properties": {
        "rotation_enabled": "BOOLEAN"
      }
    }
    Sample payload: Custom Principal with Users and Groups (a corporate directory with nested groups and custom properties):

    {
      "custom_property_definition": {
        "tenant_properties": {
          "region": "STRING"
        },
        "user_properties": {
          "department": "STRING",
          "mfa_enabled": "BOOLEAN"
        },
        "group_properties": {
          "is_security_group": "BOOLEAN"
        }
      },
      "name": "Example Corp",
      "principal_type": "corporate_directory",
      "tenant": {
        "name": "Example Corp",
        "id": "tenant-001",
        "tenant_unique_id": "tenant-001",
        "tags": [
          {
            "key": "environment",
            "value": "production"
          }
        ],
        "custom_properties": {
          "region": "us-west-2"
        }
      },
      "users": [
        {
          "name": "Alice Johnson",
          "id": "alice01",
          "email": "[email protected]",
          "user_unique_id": "alice01",
          "display_name": "Alice Johnson",
          "is_active": true,
          "created_date": "2024-01-15T09:00:00.000Z",
          "last_login": "2025-02-20T14:30:00.000Z",
          "identities": [
            "[email protected]"
          ],
          "groups": [
            {
              "id": "grp-engineering"
            }
          ],
          "custom_properties": {
            "department": "Engineering",
            "mfa_enabled": true
          }
        },
        {
          "name": "Bob Smith",
          "id": "bob02",
          "email": "[email protected]",
          "user_unique_id": "bob02",
          "is_active": true,
          "identities": [
            "[email protected]"
          ],
          "groups": [
            {
              "id": "grp-engineering"
            },
            {
              "id": "grp-admins"
            }
          ],
          "custom_properties": {
            "department": "Engineering"
          }
        }
      ],
      "groups": [
        {
          "name": "Engineering",
          "id": "grp-engineering",
          "group_unique_id": "grp-engineering",
          "group_type": "Department",
          "identities": [
            "[email protected]"
          ],
          "custom_properties": {
            "is_security_group": false
          }
        },
        {
          "name": "Admins",
          "id": "grp-admins",
          "group_unique_id": "grp-admins",
          "group_type": "Security",
          "custom_properties": {
            "is_security_group": true
          }
        },
        {
          "name": "Platform Team",
          "id": "grp-platform",
          "group_unique_id": "grp-platform",
          "group_type": "Team",
          "parent_group": {
            "id": "grp-engineering"
          }
        }
      ]
    }
    Sample payload: Atlassian Cloud Admin (a Custom Principal with managed and external users and product-access groups):

    {
      "custom_property_definition": {
        "user_properties": {
          "account_type": "STRING",
          "account_status": "STRING",
          "access_billable": "BOOLEAN",
          "product_access": "STRING_LIST",
          "user_type": "STRING"
        },
        "group_properties": {
          "description": "STRING"
        }
      },
      "name": "Atlassian Cloud Admin",
      "principal_type": "Atlassian Cloud Admin",
      "tenant": {
        "name": "acme-corp",
        "id": "a1b2c3d4-5678-90ab-cdef-1234567890ab",
        "tenant_unique_id": "a1b2c3d4-5678-90ab-cdef-1234567890ab"
      },
      "users": [
        {
          "name": "Jane Doe",
          "id": "5b10ac8d82e05b22cc7d4ef5",
          "email": "[email protected]",
          "user_unique_id": "5b10ac8d82e05b22cc7d4ef5",
          "is_active": true,
          "identities": [
            "[email protected]"
          ],
          "groups": [
            {
              "id": "jira-software-users"
            },
            {
              "id": "confluence-users"
            }
          ],
          "custom_properties": {
            "account_type": "atlassian",
            "account_status": "active",
            "access_billable": true,
            "product_access": ["jira-software", "confluence"],
            "user_type": "managed"
          }
        },
        {
          "name": "[email protected]",
          "id": "7c20bd9e93f16c33dd8e5fg6",
          "email": "[email protected]",
          "user_unique_id": "7c20bd9e93f16c33dd8e5fg6",
          "is_active": true,
          "identities": [
            "[email protected]"
          ],
          "groups": [
            {
              "id": "jira-software-users"
            }
          ],
          "custom_properties": {
            "account_type": "atlassian",
            "account_status": "active",
            "access_billable": true,
            "product_access": ["jira-software"],
            "user_type": "external"
          }
        }
      ],
      "groups": [
        {
          "name": "jira-software-users",
          "id": "jira-software-users",
          "group_unique_id": "jira-software-users",
          "group_type": "product-access",
          "custom_properties": {
            "description": "Users with access to Jira Software"
          }
        },
        {
          "name": "confluence-users",
          "id": "confluence-users",
          "group_unique_id": "confluence-users",
          "group_type": "product-access",
          "custom_properties": {
            "description": "Users with access to Confluence"
          }
        },
        {
          "name": "org-admins",
          "id": "org-admins",
          "group_unique_id": "org-admins",
          "group_type": "admin",
          "custom_properties": {
            "description": "Organization administrators"
          }
        }
      ]
    }
    Commands for steps 1 and 2 of Creating and Updating a Custom Principal (create the provider with both templates, then create the principal data source):

    curl -X POST "https://{VEZA_URL}/api/v1/providers/custom" \
    -H "authorization: Bearer {API_KEY}" \
    -H "Content-Type: application/json" \
    --data '{"name":"ExampleCorp","custom_templates":["principal","application"]}'
    curl -X POST "https://{VEZA_URL}/api/v1/providers/custom/{PROVIDER_ID}/datasources" \
    -H "authorization: Bearer {API_KEY}" \
    -H "Content-Type: application/json" \
    --data '{"name":"Principal Data Source","custom_template":"principal"}'
    Field reference snippets for the Custom Principal template (tenant, users, groups, and custom property definition):

    "tenant": {
      "name": "Example Corp",
      "id": "tenant-001",
      "tenant_unique_id": "tenant-001",
      "tags": [],
      "custom_properties": {}
    }
    "users": [
      {
        "name": "Alice Johnson",
        "id": "alice01",
        "email": "[email protected]",
        "user_unique_id": "alice01",
        "display_name": "Alice Johnson",
        "is_active": true,
        "created_date": "2024-01-15T09:00:00.000Z",
        "last_login": "2025-02-20T14:30:00.000Z",
        "identities": ["[email protected]"],
        "groups": [{"id": "grp-engineering"}],
        "tags": [],
        "custom_properties": {}
      }
    ]
    "groups": [
      {
        "name": "Engineering",
        "id": "grp-engineering",
        "group_unique_id": "grp-engineering",
        "group_type": "Department",
        "identities": ["[email protected]"],
        "tags": [],
        "custom_properties": {}
      },
      {
        "name": "Platform Team",
        "id": "grp-platform",
        "group_type": "Team",
        "parent_group": {
          "id": "grp-engineering"
        }
      }
    ]
    "custom_property_definition": {
      "tenant_properties": {
        "region": "STRING"
      },
      "user_properties": {
        "department": "STRING",
        "mfa_enabled": "BOOLEAN"
      },
      "group_properties": {
        "is_security_group": "BOOLEAN"
      }
    }

    Field reference for the Secret Store template (table rows recovered from the page):

    Top-level payload:

    | Field | Type | Description |
    | --- | --- | --- |
    | secret_store | object | The secret store object containing all entities |
    | identity_mapping_configuration | object | Optional configuration for mapping local identities to users from external data sources |
    | incremental_change | boolean | When true, enables incremental updates (optional) |

    Secret store object:

    | Field | Type | Description |
    | --- | --- | --- |
    | description | string | Description shown in Veza entity details (optional) |
    | tags | array | Specify tags with a key and optional value |
    | custom_properties | dictionary | Validated against the custom_property_definition |
    | operation | string | Operation type for incremental updates (optional) |
    | permissions | array | Array of permission objects |
    | secret_store_vaults | array | Array of vault objects |
    | identity_to_permissions | array | Array of identity-to-permission mappings |

    Permission:

    | Field | Type | Description |
    | --- | --- | --- |
    | resource | string | Resource path or pattern this permission applies to (optional) |
    | allow_identity_assume | boolean | Whether this permission allows identity assumption (optional) |
    | tags | array | Specify tags with a key and optional value |
    | custom_properties | dictionary | Validated against the custom_property_definition |
    | operation | string | Operation type for incremental updates (optional) |

    Vault:

    | Field | Type | Description |
    | --- | --- | --- |
    | vault_type | string | Type descriptor for the vault (e.g., kv, transit, pki). Required |
    | description | string | Description shown in Veza entity details (optional) |
    | tags | array | Specify tags with a key and optional value |
    | custom_properties | dictionary | Validated against the custom_property_definition |
    | operation | string | Operation type for incremental updates (optional) |
    | entries | array | Array of vault entry objects |

    Vault entry:

    | Field | Type | Description |
    | --- | --- | --- |
    | description | string | Description shown in Veza entity details (optional) |
    | tags | array | Specify tags with a key and optional value |
    | custom_properties | dictionary | Validated against the custom_property_definition |
    | operation | string | Operation type for incremental updates (optional) |
    | identities | array | Array of identity mapping objects (optional) |

    Identity-to-permission mapping:

    | Field | Type | Description |
    | --- | --- | --- |
    | permission_assignments | array | Array of permission assignment objects |

    Custom property scope:

    | Scope | Description |
    | --- | --- |
    | entry_properties | Custom properties for vault entry entities |

    Custom Principal field reference (continued): the remaining rows of the Top-Level Payload, Tenant Properties, User Properties and Group Properties tables above.

    Top-level payload:

    | Field | Type | Description |
    | --- | --- | --- |
    | custom_property_definition | object | Defines custom properties for tenants, users, and groups. See Custom Properties |
    | tenant | object | The tenant object for this principal |
    | users | array | Array of user objects |
    | groups | array | Array of group objects |
    | incremental_change | boolean | When true, enables incremental updates (optional) |

    Tenant:

    | Field | Type | Description |
    | --- | --- | --- |
    | tenant_unique_id | string | Optional unique identifier, typically a URL or external ID. Defaults to id if not provided |
    | tags | array | Specify tags with a key and optional value |
    | custom_properties | dictionary | Validated against the custom_property_definition |
    | operation | enum | For incremental updates, the operation to apply (optional) |

    User:

    | Field | Type | Description |
    | --- | --- | --- |
    | email | string | Email address for the user (optional) |
    | user_unique_id | string | Optional unique identifier. Defaults to email if set, otherwise id |
    | display_name | string | Display name shown in Veza (optional) |
    | is_active | boolean | Whether the user account is active |
    | created_date | string | Date the user was created, in RFC 3339 format (e.g., 2024-01-15T09:00:00.000Z) |
    | deactivated_date | string | Date the user was deactivated, in RFC 3339 format (optional) |
    | last_login | string | Date of the user's last login, in RFC 3339 format (optional) |
    | identities | array | List of identity strings (e.g., email addresses) used for linking to external identity providers |
    | groups | array | List of group references as {"id": "group_id"} objects |
    | tags | array | Specify tags with a key and optional value |
    | custom_properties | dictionary | Validated against the custom_property_definition |
    | operation | enum | For incremental updates, the operation to apply (optional) |

    Group:

    | Field | Type | Description |
    | --- | --- | --- |
    | group_unique_id | string | Optional unique identifier for the group. Defaults to id if not provided |
    | group_type | string | Type descriptor for the group (e.g., Security, Department, Team) |
    | parent_group | object | Reference to a parent group as {"id": "parent_group_id"} for hierarchical nesting (optional) |
    | identities | array | List of identity strings for linking to external identity providers |
    | tags | array | Specify tags with a key and optional value |
    | custom_properties | dictionary | Validated against the custom_property_definition |
    | operation | enum | For incremental updates, the operation to apply (optional) |

    Command for step 3 of Creating and Updating a Custom Principal (push the payload to the data source):

    curl -X POST "https://{VEZA_URL}/api/v1/providers/custom/{PROVIDER_ID}/datasources/{DATASOURCE_ID}:push" \
    -H "authorization: Bearer {API_KEY}" \
    -H "Content-Type: application/json" \
    --data "{\"json_data\": $(jq -Rs . payload.json)}"

    Custom Identity Provider

    Template for pushing IdP domain, user, and group metadata

    Use this template to model authorization metadata for custom identity providers using the Open Authorization API.

    This document includes an example template and notes for designing and publishing a model of your IdP.

    • domain

    • users

    A custom property definition can define additional properties, used to add supplemental metadata to entities in the payload.

    Veza will handle federated identities just as those in supported IdPs such as Okta or Entra ID, enabling search and access review for OAA entities alongside the rest of your data catalog.

    hashtag
    Sample Template and Features

    The metadata payload describes the Identity Provider domain, users, and groups to add to the Veza Access Graph:

    Simple Custom Identity Provider

    hashtag
    Modeling Assumable Amazon Web Services Roles

    For cases where federated IdP entities are granted AWS permissions via IAM roles, the template supports defining assumable roles per-user. Binding a custom IdP user or group to an AWS role or group ARN enables Veza to parse and display the resource-level actions permitted within AWS.

    Custom IdP users and groups can be assigned permissions in other OAA applications by setting the principal type to idp in identity_to_permissions in the payload.

    hashtag
    Source Identity Assignments

    For use cases where a custom IdP is federated with another identity provider, user identities can be linked between the two. Authorizations granted to the user are also granted to the source identity. The link is created by providing the unique identity ID and provider type as part of the user entry.

    For provider_type the following values are accepted:

    hashtag
    Resource Manager Assignments

    New in Veza release 2022.2.1

    To assign an IdP user or group as the manager of any resource Veza has discovered, list the node type and node id in the entities_owned field, for example:

    When parsing the payload, resources in the data catalog will be updated with a SYSTEM_resource_managers tag to enable entitlement reviews. The owner(s) will be suggested as reviewers for Veza Workflows that target an individual named resource with the correct tag.

    hashtag
    Manager Assignments

    Users and groups can be mapped to the identity of another user they report to. When configured, the manager will be suggested as a reviewer for Workflow certifications where the user who reports to them is the single query target ("named entity").

    hashtag
    Custom Properties and Tags

    Custom properties are the recommended method for adding additional metadata to custom identities and resources.

    The custom_property_definition object supports separate property namespaces for each entity type:

    Field
    Description

    Additionally, tags can be applied to the IdP domain, users, and groups:

    Use incremental updates to remove tags: Resubmitting a payload with different tags will apply any new tags, but not remove existing ones. To remove a tag already applied to an entity, you will need to use the remove_tag operation.

    hashtag
    Incremental Updates

    After the initial metadata push (which must contain the full payload), you can modify, add, or remove the domain, users, and groups without resubmitting other entities. An incremental update is enabled by setting "incremental_change": true in the json_data push payload, and specifying the update operation for each entity to change.

    hashtag
    Custom Identity Provider definition

    The identity provider object models one instance of the custom IdP:

    Field
    Type
    Description

    hashtag
    IdP Domain

    One domain is supported for each custom IdP. Users and groups are mapped to the IdP domain, and connected in Veza Search:

    Field
    Type
    Description

    hashtag
    IdP Users

    Each IdP user object contains the display name, login email, and identity, along with other identity-related properties:

    Field | Type | Description

    IdP Groups

    Add a group by name in the groups section of the template to enable mapping IdP users to those groups:

    Field | Type | Description

    IdP entities can be granted permissions on custom applications in the identity_to_permissions section of the custom application metadata payload.

    IdP Apps

    Use the apps section to define any applications used to manage access within the identity provider. Apps can be associated with users and groups to model application assignments across your organization.

    Field | Type | Description

    Users and groups can be assigned to an application by setting app_assignments on the user or group.

    Field | Type | Description

    Creating and Updating a Custom Identity Provider

    The steps to add a custom IdP are the same as for any other OAA provider: you will need to register the new provider and data source, and then push the domain, user, and group descriptions in a JSON payload.

    Register a custom identity provider

    To create a new custom provider using the identity_provider template, POST the name and template type to /providers/custom:

    The response will return the custom IdP ID, which you will need when pushing the metadata payload:

    Push a data source for the custom identity provider

    Note that the provider id is required in both the path and body of the request. The response will include the new data source ID.

    Push metadata for the data source

    The payload file must contain the provider and data source ID, and the authorization metadata as a single string, for example:
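The push body described here and the incremental update described under Incremental Updates, as an added example that is not part of the Veza documentation or its client library: it checks a Custom IdP payload for the references this page says must resolve (group memberships, manager_id, entities_owned, a single domain), serialises it into the json_data string the endpoint expects, and builds the incremental identity-mapping update body. The provider and data source IDs are placeholders, and the domain, users and groups are constructed.

```python
"""Build the push body for an OAA Custom IdP and sanity-check the payload first.

Added example, not Veza's code or client library. It uses only Custom IdP
fields documented on this page; provider and data source IDs are placeholders
for the values returned when the provider and data source were created.
"""
import json

PROVIDER_ID = "00000000-0000-0000-0000-000000000000"     # placeholder
DATA_SOURCE_ID = "11111111-1111-1111-1111-111111111111"  # placeholder

# Constructed sample: one domain, users with group memberships, a manager
# link and a resource ownership, in the shape this page describes.
IDP_PAYLOAD = {
    "name": "ExampleIdP",
    "idp_type": "custom_idp",
    "domains": [{"name": "example.test", "tags": []}],
    "users": [
        {"name": "m_richardson", "email": "[email protected]",
         "identity": "m_richardson", "full_name": "Michelle Richardson",
         "is_active": True, "is_guest": False,
         "groups": [{"identity": "developers"}],
         "entities_owned": [{"node_type": "S3Bucket", "id": "arn:aws:s3:::example-bucket"}]},
        {"name": "evargas", "email": "[email protected]",
         "identity": "evargas", "full_name": "Elizabeth Vargas",
         "is_active": True, "is_guest": False,
         "groups": [{"identity": "developers"}, {"identity": "sec-ops"}],
         "manager_id": "m_richardson"},
    ],
    "groups": [
        {"name": "developers", "identity": "developers", "groups": ["everyone"]},
        {"name": "sec-ops", "identity": "sec-ops"},
        {"name": "everyone", "identity": "everyone"},
    ],
}


def _group_identity(ref):
    # The page's group table lists groups as a string list while its examples
    # use {"identity": ...} objects; accept both forms.
    return ref if isinstance(ref, str) else ref["identity"]


def check_references(idp):
    """Return findings for references the service cannot resolve on its own:
    memberships in undefined groups, manager_id values that are not a user
    identity, entities_owned entries without node_type/id, duplicate user
    identities and, for a full (non-incremental) push, a domain count other
    than one."""
    findings = []
    if not idp.get("incremental_change") and len(idp.get("domains", [])) != 1:
        findings.append("exactly one domain is supported per custom IdP")
    users, groups = idp.get("users", []), idp.get("groups", [])
    group_ids = {g["identity"] for g in groups}
    user_ids = [u["identity"] for u in users]
    if len(set(user_ids)) != len(user_ids):
        findings.append("user identities must be unique")
    for kind, entities in (("user", users), ("group", groups)):
        for e in entities:
            for ref in e.get("groups", []):
                if _group_identity(ref) not in group_ids:
                    findings.append(f"{kind} {e['identity']}: unknown group {_group_identity(ref)}")
            for owned in e.get("entities_owned", []):
                if not {"node_type", "id"} <= set(owned):
                    findings.append(f"{kind} {e['identity']}: entities_owned needs node_type and id")
    for u in users:
        manager = u.get("manager_id")
        if manager is not None and manager not in user_ids:
            findings.append(f"user {u['identity']}: manager_id {manager} matches no user identity")
    return findings


def build_push_body(provider_id, data_source_id, payload):
    """Wrap a payload the way the :push endpoint expects: json_data carries the
    whole metadata document as one JSON string, not as a nested object."""
    findings = check_references(payload)
    if findings:
        raise ValueError("; ".join(findings))
    return {"id": provider_id, "data_source_id": data_source_id,
            "json_data": json.dumps(payload, separators=(",", ":"))}


def decode_push_body(body):
    """Inverse of build_push_body: parse json_data back into a dict."""
    return json.loads(body["json_data"])


def mapping_update(mappings):
    """json_data contents for an incremental push that replaces only the
    identity mapping configuration and leaves domain, users and groups as they are."""
    return {"incremental_change": True,
            "identity_mapping_configuration": {"operation": "modify", "mappings": mappings}}
```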

    Identity Mapping Configuration

    The identity_mapping_configuration parameter defines rules for connecting users in a custom IdP to users from other data sources in the Veza graph.

    This is useful when:

    • The connected data source does not natively support returning information about external identities

    • A correlation between IdP identities and local users can be assumed based on values like username, email, or another property value.

    The identity_mapping_configuration is a top-level property of the Custom IDP submission, and is optional. The mapping configuration can include multiple mappings to connect IDP users to users from different data source types, each based on its own mappings.

    Incremental Identity Mapping Updates

    You can update just the identity mappings without resubmitting the entire provider payload by using an incremental update. This is useful when you need to modify only the mapping configuration while leaving other provider data unchanged.

    Example: Incremental Identity Mapping Update

    Set "incremental_change": true and use "operation": "modify" in the identity_mapping_configuration to update mapping rules without affecting other aspects of the provider.

    Example curl command to apply the incremental identity mapping update:

    Identity Mapping Configuration

    Field | Type | Description

    Identity Mapping Submission

    Field | Type | Description

    Supported transformations:

    • IGNORE_SPECIAL: Ignore special characters (_, -, .) when matching identities

    • IGNORE_DOMAIN: Match identities after removing domain portions (e.g., "@example.com")

    IdentityMappingPropertyMatchersSubmission

    Field | Type | Description

    Custom: custom

    Google Workspace: google_workspace

    Okta: okta

    One Login: one_login

    app_assignment_properties: Custom property definitions for app assignment entities.

    idp_type (string): Type descriptor for the IdP; can be unique or shared across multiple IdPs (for example ldap, IPA).

    idp_description (string): Any notes to add as entity details (optional).

    domains (Domain model): The IdP domain (see IdP Domain).

    users: Dictionary of CustomIdPUser class instances (see IdP Users).

    groups: Dictionary of CustomIdPGroup class instances (see IdP Groups).

    incremental_change (boolean): When true, enables incremental update operations (optional).

    identity_mapping_configuration: Configuration for mapping identities between IdP users and user types from other data sources (see Identity Mapping Configuration).

    dynamic_properties (Dynamic Properties): Up to 5 attributes to apply to the domain (deprecated, use custom_properties instead).

    tags (list): Any tags to create and apply to the domain.

    operation (enum): For incremental updates, the operation to use.

    identity (string): Optional unique identifier for the user.

    groups (string list): Assign group memberships by group identity (optional).

    full_name (string): Full name to display in Veza.

    department (string): Department to apply as a searchable property (optional).

    is_active (boolean): If available, applied to the entity as a searchable property (optional).

    is_guest (boolean): If available, applied to the entity as a searchable property (optional).

    assumed_role_arns (array): AWS IAM roles that can be assumed by the IdP user, in the format {"identity": ["arn:aws:iam::123456789012:role/S3Access"]} (optional).

    tags (list): Any tags to create and apply to the user.

    dynamic_properties (Dynamic Properties): Up to 5 attributes to apply to the user (deprecated, use custom_properties instead).

    custom_properties: Each element of the push payload can have property_values, validated against the custom_property_definition.

    manager_id (string): If the same as another user's identity, that user will be recommended for reviews. Entity details for the user will be updated on push to include the manager as a searchable property.

    entities_owned (array): If another resource is specified by entity type and entity id, a Veza tag will be created on the resource to indicate the owner.

    operation (enum): For incremental updates, the operation to use (optional).

    source_identity: Optionally link the IdP user to a user from another IdP for federation use cases.

    full_name (string): Optional display name for the group.

    groups (string list): Other custom IdP groups this group is a member of.

    is_security_group (boolean): Sets the "is security group" searchable property for the entity in Veza (optional).

    tags (Veza Tags list): Any Veza tags to create and apply to the group.

    custom_properties: Each element of the push payload can have property_values, validated against the custom_property_definition.

    dynamic_properties (Dynamic Properties): Up to 5 attributes to apply to the group (deprecated, use custom_properties instead).

    operation (enum): For incremental updates, the operation to use (optional).

    assumed_role_arns (array): AWS IAM roles the group can assume, in the format {"identity": ["arn:aws:iam::123456789012:role/S3Access"]} (optional).

    source_identity: Optionally link the IdP group to a group from another IdP for federation use cases (optional).

    entities_owned (array): Resources to assign this group as manager of (optional).

    app_assignments (array): App assignments for this group (optional). See IdP Apps.

    description (string): Description for the app (optional).

    assumed_role_arns (array): AWS IAM roles the app can assume, in the format {"identity": ["arn:aws:iam::123456789012:role/S3Access"]} (optional).

    custom_properties: Each element of the payload can have property_values, validated against the custom_property_definition.

    tags (Veza Tags list): Any Veza tags to create and apply to the app.

    operation (enum): For incremental updates, the operation to use (optional).

    app_id (string): Unique ID of the app to assign the identity to.

    custom_properties: Each element of the payload can have property_values, validated against the custom_property_definition.

    property_matchers (IdentityMappingPropertyMatchersSubmission): List of properties to match on.

    transformations (list enum): Optional transformations to perform on the property values; available values: ignore_special, ignore_domain.

    custom_source_property (string): When source_property is property or custom_property, the property name to match on.

    custom_destination_property (string): When destination_property is property or custom_property, the property name to match on.

    Provider: provider_type (string)

    Active Directory: active_directory

    Any: any

    AzureAD: azure_ad

    Custom property definition namespaces:

    domain_properties: Custom property definitions for IdP domain entities.

    user_properties: Custom property definitions for IdP user entities.

    group_properties: Custom property definitions for IdP group entities.

    app_properties: Custom property definitions for IdP app entities.

    Identity provider fields:

    name (string): Name to associate with the provider in Veza.

    custom_property_definition (Custom Property Definition): Defines the keys and types for properties that can be applied to other objects in the push payload.

    IdP domain fields:

    name (string): IdP domain name.

    custom_properties (Custom Properties): Each element of the push payload can have property_values, validated against the custom_property_definition.

    IdP user fields:

    name (string): Primary ID for the user.

    email (string): Optional email for the user.

    IdP group fields:

    name (string): IdP group name.

    identity (string): Unique ID used for user-group assignments.

    IdP app fields:

    id (string): App unique identifier.

    name (string): IdP app name.

    App assignment fields:

    id (string): Assignment unique identifier.

    name (string): Display name for the assignment.

    Identity mapping configuration fields:

    mappings (IdentityMappingSubmission): List of mappings to create between IdP users and external data sources.

    operation (enum): For incremental updates, the operation to use.

    Identity mapping submission fields:

    destination_datasource_type (string): Veza type for the destination data source, for example GITHUB_USERS, SQL_SERVER, CUSTOM_APPLICATION.

    destination_datasource_oaa_app_type (string): Optional; specifically for mapping to an OAA Custom Application, to provide a specific app type.

    Property matcher fields:

    source_property (enum): IdP user property to match on: unique_id, email, property or custom_property.

    destination_property (enum): Destination user property to match on: unique_id, email, property or custom_property.

    Example custom IdP payload (the contents of json_data):

    {
      "name": "My IdP",
      "idp_type": "custom_idp",
      "domains": [
        {
          "name": "example.com",
          "tags": []
        }
      ],
      "users": [
        {
          "name": "m_richardson",
          "email": "[email protected]",
          "identity": "m_richardson",
          "full_name": "Michelle Richardson",
          "department": null,
          "is_active": true,
          "is_guest": false,
          "groups": [
            {
              "identity": "everyone"
            },
            {
              "identity": "developers"
            }
          ],
          "assumed_role_arns": [
            {
              "identity": "arn:aws:iam::123456789012:role/role001"
            },
            {
              "identity": "arn:aws:iam::123456789012:role/role002"
            }
          ],
          "tags": []
        },
        {
          "name": "evargas",
          "email": "[email protected]",
          "identity": "evargas",
          "full_name": "Elizabeth Vargas",
          "department": null,
          "is_active": true,
          "is_guest": false,
          "groups": [
            {
              "identity": "everyone"
            },
            {
              "identity": "developers"
            },
            {
              "identity": "sec-ops"
            }
          ],
          "assumed_role_arns": [],
          "tags": []
        },
        {
          "name": "willis",
          "email": "[email protected]",
          "identity": "c_williams",
          "full_name": null,
          "department": null,
          "is_active": true,
          "is_guest": false,
          "groups": [
            {
              "identity": "everyone"
            }
          ],
          "assumed_role_arns": [],
          "tags": []
        }
      ],
      "groups": [
        {
          "name": "developers",
          "identity": "developers",
          "full_name": null,
          "is_security_group": null,
          "tags": []
        },
        {
          "name": "sec-ops",
          "identity": "sec-ops",
          "full_name": null,
          "is_security_group": null,
          "tags": []
        },
        {
          "name": "everyone",
          "identity": "everyone",
          "full_name": "All Company Employees",
          "is_security_group": null,
          "tags": []
        }
      ],
      "identity_mapping_configuration": {
        "mappings": [
          {
            "destination_datasource_type": "GITHUB_USERS",
            "property_matchers": [
              {
                "source_property": "EMAIL",
                "destination_property": "UNIQUE_ID"
              }
            ]
          },
          {
            "destination_datasource_type": "SQL_SERVER",
            "property_matchers": [
              {
                "source_property": "EMAIL",
                "destination_property": "EMAIL"
              }
            ],
            "transformations": [
              "IGNORE_DOMAIN"
            ]
          }
        ]
      }
    }


    Example: assumed_role_arns on a user:

    {
      "name": "Custom User",
      "assumed_role_arns": {
        "identity": [
          "arn:aws:iam::123456789012:role/S3Access"
        ]
      }
    }
    Example: source_identity linking the user to an Okta identity:

    {
      "name": "Custom User",
      "identity": "00001",
      "source_identity": {
        "identity": "[email protected]",
        "provider_type": "okta"
      }
    }
    Example: entities_owned naming a discovered resource by node type and id:

    {
      "name": "Custom User",
      "identity": "000011",
      "entities_owned": [
        {
          "node_type": "S3Bucket",
          "id": "arn:aws:s3:::amazon-connect-53f87966654d"
        }
      ]
    }
    Example: manager_id set to another user's identity:

    {
      "name": "Custom User",
      "identity": "000013",
      "manager_id": "000011"
    }
    Example: tags on an entity (the value is optional):

    "tags": [
      {
        "key": "Tag1key",
        "value": "optional_Tag1Val"
      }
    ]
    Example: an IdP user with all optional fields set:

    {
      "name": "willis",
      "email": "[email protected]",
      "identity": "000001",
      "full_name": "Charles Willis",
      "department": "Sales",
      "is_active": true,
      "is_guest": false,
      "groups": [
        {
          "identity": "everyone"
        }
      ],
      "assumed_role_arns": {
        "identity": [
          "arn:aws:iam::123456789012:role/S3Access"
        ]
      },
      "source_identity": {
        "identity": "[email protected]",
        "provider_type": "okta"
      },
      "tags": [],
      "custom_properties": {},
      "manager_id": "string",
      "entities_owned": [
        {
          "node_type": "S3Bucket",
          "id": "arn:aws:s3:::amazon-connect-53f87966654d"
        }
      ]
    }
    Example: an IdP group with parent groups and an assumable role:

    "groups": [
      {
        "name": "developers",
        "identity": "developers",
        "full_name": null,
        "is_security_group": null,
        "assumed_role_arns": {
          "identity": ["arn:aws:iam::123456789012:role/S3Access"]
        },
        "tags": [],
        "groups": [
          { "group_1_identity": "parent" },
          { "group_2_identity": "parent" }
        ],
        "custom_properties": {}
      }
    ]
    Example: IdP apps:

      "apps": [
        {
          "id": "app1",
          "name": "Application 1",
          "description": "This is a sample application",
          "assumed_role_arns": [
            {
              "identity": "arn:aws:iam::1234567890:role/DevAppRole"
            }
          ],
          "custom_properties": {
            "owner_org": "engineering"
          },
          "tags": []
        }
      ]
    Example: an IdP user with custom properties and an app assignment:

        {
          "name": "willis",
          "email": "[email protected]",
          "identity": "cwilliams",
          "groups": [
            {
              "identity": "everyone"
            }
          ],
          "custom_properties": {
            "region": "NorthAmerica",
            "is_contractor": true
          },
          "app_assignments": [
            {
              "id": "assignment1",
              "name": "Assignment",
              "app_id": "app1",
              "custom_properties": {
                "assigned_on": "2024-12-05T12:42:25+00:00"
              }
            }
          ]
        }
    Register the provider:

    curl -X POST 'https://<veza_url>/api/v1/providers/custom' \
    -H 'authorization: Bearer '<access_token> \
    --data-binary '{"name":"SimpleIdP","custom_template":"identity_provider"}'
    Response:

    {
      "value": {
        "id": "532f6fe3-189f-4576-afdf-8913088961e4",
        "name": "Simple IdP",
        "custom_template": "identity_provider",
        "state": "ENABLED",
        "application_types": [],
        "resource_types": [],
        "idp_types": []
      }
    }
    Create the data source:

    curl -X POST 'https://<veza_url>/api/v1/providers/custom/532f6fe3-189f-4576-afdf-8913088961e4/datasources' \
    -H 'authorization: Bearer '<access_token> \
    --data-binary '{"id":"532f6fe3-189f-4576-afdf-8913088961e4", "name":"SimpleDataSource"}'
    Response:

    {"value":{"id":"b6a32af6-b854-47e1-8325-e5984f78bb4d","name":"SimpleDataSource"}}
    Push the metadata payload:

    curl -X POST 'https://<veza_url>/api/v1/providers/custom/532f6fe3-189f-4576-afdf-8913088961e4/datasources/b6a32af6-b854-47e1-8325-e5984f78bb4d:push' \
    -H 'authorization: Bearer '<access_token> \
    --compressed --data-binary @payload.json
    payload.json:
    {
      "id": "532f6fe3-189f-4576-afdf-8913088961e4",
      "data_source_id": "b6a32af6-b854-47e1-8325-e5984f78bb4d",
      "json_data": "{\n\"name\":\"CustomIdentityProvider\",\n\"idp_type\": ... "
    }
    Example identity_mapping_configuration with three mappings:

    {
      "identity_mapping_configuration": {
        "mappings": [
          {
            "destination_datasource_type": "OKTA",
            "property_matchers": [
              {
                "source_property": "EMAIL",
                "destination_property": "EMAIL"
              }
            ],
            "transformations": [
              "IGNORE_SPECIAL"
            ]
          },
          {
            "destination_datasource_type": "AZURE_AD",
            "property_matchers": [
              {
                "source_property": "EMAIL",
                "destination_property": "EMAIL"
              }
            ],
            "transformations": [
              "IGNORE_DOMAIN"
            ]
          },
          {
            "destination_datasource_type": "GITHUB_USERS",
            "property_matchers": [
              {
                "source_property": "EMAIL",
                "destination_property": "UNIQUE_ID"
              }
            ]
          }
        ]
      }
    }
    Incremental identity mapping update (json_data contents):

    {
      "incremental_change": true,
      "identity_mapping_configuration": {
        "operation": "modify",
        "mappings": [
          {
            "destination_datasource_type": "GITHUB_USERS",
            "property_matchers": [
              {
                "source_property": "EMAIL",
                "destination_property": "UNIQUE_ID"
              }
            ]
          },
          {
            "destination_datasource_type": "SQL_SERVER",
            "property_matchers": [
              {
                "source_property": "EMAIL",
                "destination_property": "EMAIL"
              }
            ],
            "transformations": [
              "IGNORE_DOMAIN"
            ]
          }
        ]
      }
    }
    Incremental identity mapping update with curl:

    curl --location 'https://<veza_url>/api/v1/providers/custom/816d6e51-6d6a-4279-ba41-2e7c732be880/datasources/716026b5-4b84-4b2f-a805-b41a6ec69cf3:push' \
    --header 'Content-Type: application/json' \
    --header 'Authorization: Bearer <API_KEY>' \
    --data '{
        "id": "816d6e51-6d6a-4279-ba41-2e7c732be880",
        "data_source_id": "716026b5-4b84-4b2f-a805-b41a6ec69cf3",
        "json_data": "{\"incremental_change\":true,\"identity_mapping_configuration\":{\"operation\":\"modify\",\"mappings\":[{\"destination_datasource_type\":\"GITHUB_USERS\",\"property_matchers\":[{\"source_property\":\"EMAIL\",\"destination_property\":\"UNIQUE_ID\"}]},{\"destination_datasource_type\":\"SQL_SERVER\",\"property_matchers\":[{\"source_property\":\"EMAIL\",\"destination_property\":\"EMAIL\"}],\"transformations\":[\"IGNORE_DOMAIN\"]}]}}"
    }'

    Custom Application

    Template for pushing custom data source entities and authorization

    Overview

    The Custom Application Template can be used to model most applications and services. It can describe many common entity types (such as users, groups, and resources), and should be the starting point for most custom connectors.

    The template has three primary elements, covered in detail in this document:

    • Applications - describes one or more application instances for the custom data source. An application may consist of any of the following entities:

      • Local Users - defines the users of the application. The local user entity can be used to store the properties of the user specific to the application (such as last_login_at) and can be linked to a source identity like Okta or AzureAD.

      • Local Groups - defines a group of users; permissions to the application or resources can be assigned to a group.

    • Permissions - define the application's specific permissions and map them to Veza canonical permissions.

    • Identity to Permissions - assign local and federated users and groups to permissions or roles on the application and resources.

    • Additionally, a custom property definition may describe user-configured key:value pairs that can be applied to entities in the payload.

    To use the generic app template, set the template type to application when creating a new data provider:

    Enabling Lifecycle Management with SCIM

    If your custom application exposes SCIM 2.0 compliant endpoints, you can enable automated provisioning and deprovisioning through Veza Lifecycle Management and Access Requests by setting the external_lifecycle_management_type parameter to SCIM:

    This enables Veza to automate user provisioning, deprovisioning, and group membership management for your custom application. For detailed configuration and supported operations, see the Lifecycle Management documentation.

    Sample Payload

    Simple Custom Application

    This example demonstrates using local users and groups to assign permissions directly to the application and resources.

    Sample Application using Roles

    Custom Properties and Tags

    Custom properties and tags can be applied to most objects in the OAA payload: the application and its local_users, local_groups, local_roles and resources/sub_resources.

    Define custom properties

    Set custom properties

    In the rest of the payload, for each object that should have additional properties, add a custom_properties object (dictionary) containing the property keys and values:

    Use incremental updates to remove tags: Resubmitting a payload with different tags will apply any new tags, but not remove existing ones. To remove a tag already applied to an entity, you will need to use the remove_tag operation.

    Validation and Troubleshooting

    The API response will provide information for invalid data submission. You can check Veza events for updates on parsing status. Errors won't typically occur during parsing, as the metadata is validated upon push. To ensure a valid payload, you should:

    • Confirm all string fields are valid UTF-8 strings no larger than 256 bytes.

    • Check that all required fields are present. Tags and properties are optional. You can null empty groups, roles, and other "empty" but required keys.

    • A 200 OK response may include warnings when matching IdP identities can't be found.
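The checks above, as an added example that is not part of the Veza documentation: an offline validator for a Custom Application payload. It enforces the 256-byte UTF-8 limit on every string field, requires at least one application, and resolves every identity, permission and role referenced from identity_to_permissions against what the payload defines. The key names inside assignments (application, permission, role) and the permission_type key are assumptions taken from the OAA application template, since this page's field tables did not survive extraction; the sample payload is constructed.

```python
"""Pre-flight checks for an OAA Custom Application payload before pushing it.

Added example, not Veza's validator. It applies the rules this page states:
every string field is valid UTF-8 and at most 256 bytes, the payload has at
least one application, and every identity, permission and role referenced
from identity_to_permissions is defined. The key names inside assignment
entries (application, permission, role) and permission_type follow the OAA
application template and are assumptions here.
"""
MAX_STRING_BYTES = 256
# Canonical permission types as listed on this page (Veza defines more).
CANONICAL_TYPES = {"DataRead", "DataWrite", "MetadataRead"}
LOCAL_TYPES = ("local_user", "local_group", "local_role")

# Constructed sample with three deliberate defects: an oversized description,
# an undefined local user and an undefined permission in identity_to_permissions.
SAMPLE_PAYLOAD = {
    "applications": [{
        "name": "Ticketing",
        "application_type": "ticketing",
        "description": "x" * 300,
        "local_users": [{"name": "alice", "groups": ["ops"], "identities": ["[email protected]"]}],
        "local_groups": [{"name": "ops"}],
        "local_roles": [{"name": "Admin", "permissions": ["manage"]}],
        "resources": [],
    }],
    "permissions": [
        {"name": "view", "permission_type": ["DataRead", "MetadataRead"]},
        {"name": "manage", "permission_type": ["DataRead", "DataWrite", "MetadataRead"]},
    ],
    "identity_to_permissions": [
        {"identity": "alice", "identity_type": "local_user",
         "application_permissions": [{"application": "Ticketing", "permission": "view"}]},
        {"identity": "ops", "identity_type": "local_group",
         "role_assignments": [{"application": "Ticketing", "role": "Admin"}]},
        {"identity": "bob", "identity_type": "local_user",
         "application_permissions": [{"application": "Ticketing", "permission": "delete"}]},
    ],
}


def oversized_strings(node, path="$"):
    """Yield (json_path, byte_length) for each string field over the limit."""
    if isinstance(node, str):
        size = len(node.encode("utf-8"))  # raises on lone surrogates, i.e. invalid UTF-8
        if size > MAX_STRING_BYTES:
            yield path, size
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from oversized_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from oversized_strings(value, f"{path}[{i}]")


def validate_payload(payload):
    """Return a list of findings; an empty list means the payload passed."""
    findings = [f"{path}: {size} bytes exceeds {MAX_STRING_BYTES}"
                for path, size in oversized_strings(payload)]
    apps = payload.get("applications") or []
    if not apps:
        findings.append("payload must contain at least one application")
    permission_names = {p["name"] for p in payload.get("permissions", [])}
    for p in payload.get("permissions", []):
        unknown = set(p.get("permission_type", [])) - CANONICAL_TYPES
        if unknown:
            findings.append(f"permission {p['name']}: unknown canonical type(s) {sorted(unknown)}")
    # Index local identities per application so assignments can be resolved.
    local = {}
    for app in apps:
        local[app["name"]] = {t: {e["name"] for e in app.get(t + "s", [])} for t in LOCAL_TYPES}
        for role in app.get("local_roles", []):
            for perm in role.get("permissions", []):
                if perm not in permission_names:
                    findings.append(f"role {role['name']}: permission {perm} is not defined")
        for user in app.get("local_users", []):
            for group in user.get("groups", []):
                if group not in local[app["name"]]["local_group"]:
                    findings.append(f"local user {user['name']}: group {group} is not defined")
    for entry in payload.get("identity_to_permissions", []):
        identity, itype = entry.get("identity"), entry.get("identity_type")
        assignments = entry.get("application_permissions", []) + entry.get("role_assignments", [])
        for a in assignments:
            app_name = a.get("application")
            if app_name not in local:
                findings.append(f"{identity}: application {app_name} is not defined")
                continue
            # idp identities are resolved by Veza against the IdP; local ones must exist here.
            if itype in LOCAL_TYPES and identity not in local[app_name][itype]:
                findings.append(f"{identity}: no {itype} with that name in {app_name}")
            if "permission" in a and a["permission"] not in permission_names:
                findings.append(f"{identity}: permission {a['permission']} is not defined")
            if "role" in a and a["role"] not in local[app_name]["local_role"]:
                findings.append(f"{identity}: role {a['role']} is not defined in {app_name}")
    return findings
```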

    Applications

    The OAA payload must contain at least one top-level application. To model data systems with multiple components (such as different servers or repositories), applications can have resources and sub-resources.

    You can also specify more than one application in the OAA payload, each with its own identities, permissions, roles, and resources.

    The application_type is applied to all application resources and identities, and can be used as a filterable property in Veza search.

    Application Properties

    Field | Type | Description

    Optional fields: some values in the schema are optional. When submitting a payload without a required field, an error message will help identify the issue. The following guidelines apply:

    • Any type of data in a JSON payload can be null (not set).

    • Unused optional arrays and objects should be empty {} or [].

    • Unused optional strings, numbers, and booleans should be null.

    OAA apps need to contain at least one identity, which could be a local_group, local_role, or an IdP identity. Role assignments are made in the identity_to_permissions section.

    Resources

    Each application can contain one or more resources that users can access. Resources can have additional searchable properties and may contain additional sub-resources.

    Sub-resources describe additional layers of the application principals can have authorization to, and support the same properties as resources, including additionally nested sub-resources.

    Resource Properties

    An application can have any number of nested sub resources.

    Field | Type | Description

    * A specific resource type must have only resources with an id, or only resources without an id. When ids are used, identity_to_permissions assignments are made by the id value and name functions as a display name.

    Resource Connections

    In the system being modeled, application resources and sub-resources (such as virtual machines or Looker views) may themselves have access to other entities in the Veza Access Graph.

    If an application resource or sub-resource is able to assume the permissions of a local user, IAM role, or Enterprise application, you can specify the connections to another graph entity node_type and id:

    The following node types are currently available:

    • SnowflakeUser

    • GoogleCloudServiceAccount

    • AwsIamRole

    Identities

    Applications can have local users and groups for identities. For users and groups that correlate to an external Identity Provider (for example accounts automatically provisioned by the IdP), you can map the principal to the IdP entity name or login email in identities.

    Local Users

    Contains any users whose profiles and authentication are handled and stored by the custom application. Local users include their group assignments and any federated identities that should be mapped to the local user:

    Field | Type | Description

    Local Groups

    If the application has any groups, describe each one in the local_groups array.

    Group assignments for entities are defined in identity_to_permissions.

    Field | Type | Description

    * Must match a discovered Okta or Azure entity Name, PrincipalName, or Identity.

    Local Roles

    Local roles define collections of local permissions that can be assigned to multiple resources. In the applications section, roles are named and mapped to permissions. Role assignments are defined in identity_to_permissions.

    Field | Type | Description

    Local Access Credentials

    Access credentials represent API keys, tokens, certificates, or other non-human authentication methods used by applications or services.

    Field | Type | Description

    permissions

    Bind local permissions to the corresponding Veza canonical permission(s). Each native application permission should be included as an object, mapped to the corresponding data/non-data actions it allows.

    Canonical permission types are:

    • DataRead

    • DataWrite

    • MetadataRead

    Field | Type | Description

    To better model systems where roles can contain different permissions to different types of resources, permissions can apply to individual resource_types.

    • When the payload is parsed, individual permissions are created for each type of resource the permission applies to.

    • Without resource_types specified, the permission will function normally. When directly connecting principals and resources, resource_type is ignored.

    identity_to_permissions

    Contains an object for each local and IdP identity, and the individual permissions to applications and resources.

    • You can bind permissions to federated users and groups by providing the principal’s IDP login email or group name as the identity, and setting the identity_type to idp.

    • Permissions and role assignments can apply to the entire application or scoped to specific resources.

    Field | Type | Description

    • Each identity can be either a local_user, local_role, local_group, or local_access_creds name, or the identifier of an IdP user, group, or role (email address or group name).

    • identity_type

    application_permissions

    Binds the identity (IdP entity, local user, or local group) to local permissions, by application and resources.

    Field | Type | Description

    role_assignments

    Local roles are assigned to identities in the role_assignments array. Roles can apply to the entire application or only to specific (sub) resources.

    Field | Type | Description

    Identities to Permissions mapping

    The identity_to_permissions array defines how identities are authorized to applications and resources. Each entry maps an identity to its application permissions and/or role assignments. See the section above for field details.

    • Local Roles - defines a collection of permissions. A role can be used to link an identity (local user, group, or IdP) to an application or resource. An identity assigned to a role will be assigned all permissions from that role.

    • Local Access Credentials - defines API keys, tokens, certificates, or other non-human authentication methods used by applications or services.

    • Resources - for more fine-grained authorization tracking, resources can be used to represent components of the application that have their own authorization. Users and groups can be assigned permissions or roles to resources.

      • Sub Resources - resources can additionally have sub-resources for additional levels of depth.

    description (string): Any additional notes to show in the entity details, limit 256 characters.

    custom_properties (dictionary): Contains property_values validated against the custom_property_definition.

    tags (array): Specify tags with a key and optional value (optional).

    owners (array): See the owners section.

    local_users (array): Contains zero or more local users (see Local Users).

    local_groups (array): Contains zero or more local groups (collections of users).

    local_roles (array): Defines permissions for any local roles within the application.

    local_access_creds (array): Contains any local access credentials for the application.

    local_agents (array): Contains any AI agent entities for the application.

    local_models (array): Contains any AI model entities for the application.

    resources (array): Contains any resources and sub-resources.

    okta_app_id (string): (Optional, early access) The Okta Application ID for this application. When set, Veza enriches local users with sso_last_login_at timestamps from Okta SSO activity. Requires the INTEG_OAA_SSO_LAST_LOGIN feature flag.

  • Strings and string lists intended to have constant values (enums) such as identity_type may have a default value when not set.

  • string

    Searchable label for the resource type. The application entity details in Veza will show the contained resource types as properties.

    description

    string

    Shown in Veza entity details, max 255 characters.

    custom_properties

    dictionary

    See .

    sub_resources

    array

    Used for additional resource layers, nested data sources, services, and so on.

    connections

    Optional list of resource connections to external entities discovered by Veza

    tags

    array

    Specify tags with a key and optional value (optional)

    owners

    array

    See

  • AzureADEnterpriseApplication

  • TrinoUser

  • string

    User email address (optional). Separate from identities, this is a display/metadata field on the user entity.

    identities

    identities array

    Maps the user to a federated identity by login email or group name. Use when your IdP provisions local accounts, or if the local user can be assumed by an external group. Must match a discovered Okta, Google Workspace, or Azure AD entity Name, PrincipalName, or Identity.

    groups

    groups array

    List of any memberships as strings. Must exist in local groups.

    access_creds

    array

    List of local_access_creds IDs associated with this user (optional).

    is_active

    boolean

    If activity state is available from the provider, use this field to make the value available as a searchable property (optional).

    user_type

    string

    Distinguishes between human and service_account user types (optional). Useful for identifying non-human accounts in access reviews.

    principal_id

    string

    The ID for this user in a linked principal template, used for automatic connection. If not supplied, the user id is used (optional).

    created_at

    RFC3339 string

    User creation date (optional), for example 1996-12-19T16:39:57-08:00.

    last_login_at

    RFC3339 string

    (optional)

    password_last_changed_at

    RFC3339 string

    (optional)

    deactivated_at

    RFC3339 string

    (optional)

    access_creds

    array

    List of access credential id values associated with this user (optional). Links the user to their API keys, tokens, or other credentials defined in local_access_creds.

    custom_properties

    dictionary

    See .

    tags

    array

    Specify tags with a key and optional value (optional).

    owners

    array

    See

    array

    If IdP users are members of the local group, or if the local group directly maps to an IdP group, list them here.*

    groups

    array

    List of local groups this group is a member of (for applications that support adding groups to other groups).

    access_creds

    array

    List of local_access_creds IDs associated with this group (optional).

    created_at

    RFC3339 string

    Group creation date (optional).

    custom_properties

    dictionary

    See .

    tags

    array

    Specify tags with a key and optional value (optional).

    owners

    array

    See .

    array

    Permissions associated with the role. Must exist in permissions.

    roles

    array

    List of sub-role names for nested role hierarchies (optional). An identity assigned to this role inherits all permissions from its sub-roles.

    custom_properties

    dictionary

    See .

    tags

    array

    Specify tags with a key and optional value (optional).

    owners

    array

    See .

    RFC3339 string

    When the credential was created (optional)

    expires_at

    RFC3339 string

    When the credential expires (optional)

    last_used_at

    RFC3339 string

    Last time the credential was used (optional)

    can_expire

    boolean

    Whether the credential can expire

    is_active

    boolean

    Whether the credential is currently active

    custom_properties

    dictionary

    See

    tags

    array

    See

    owners

    array

    See

  • MetadataWrite

  • NonData

  • DataCreate

  • DataDelete

  • MetadataCreate

  • MetadataDelete

  • Uncategorized

  • bool

    To more accurately model applications where permissions should apply to any children of a resource, set TRUE to define the permission as inheritable. This eliminates the need to include the permission at each sub level.

    resource_types

    array

    Optional list of resource type strings. When specified, separate permission nodes are created per resource type. See below.

    For each identity (matching a local user, group, or IdP identity), state the identity type and add the assigned permissions/roles:

    array

    List each local permission available to the identity (must be a valid permission name from the previous section).

    role_assignments

    array

    Any roles assigned to the identity, and the resources they apply to (role/resource must exist in applications).

    must be one of:
    idp
    (default),
    local_user
    ,
    local_group
    ,
    local_role
    , or
    local_access_creds
    .

    boolean

    Set to true to model environments where permissions apply to the top-level application as well as its resources.

    permission

    string

    Maps to a permission name from the second section. Must exist in permissions

    boolean

    Set to true to model environments where the role applies to the top-level application and all its resources.

    resources

    array

    List of resources and sub-resources where the role applies. Must exist in applications

    assignment_properties

    dictionary

    Custom properties on the role assignment itself (optional). Must be defined in role_assignment_properties within custom_property_definition. Useful for tracking assignment-specific metadata such as assignment date or expiration.

    name

    string

    Identifies the app in Veza Search. Used to bind permissions to the application

    application_type

    string

    Applied to all entities within the application as a searchable property. Multiple instances of an application can share the same type

    name

    string

    Resource name. Primary ID for mapping users to individual resource permissions.

    id

    string

    Optional value to use as the unique ID, instead of the resource name*.

    name

    string

    Name of the local user, shown in the Veza UI.

    id

    string

    Optional identifier to use for mapping users to groups, roles, and permissions.

    name

    string

    Name of the local group. Primary ID for mapping group to permissions.

    id

    string

    Optional identifier to use for permissions mapping.

    name

    string

    Name of the local role. Primary ID for mapping role to permissions.

    id

    string

    Optional identifier to use for permissions mapping.

    name

    string

    Name of the access credential

    id

    string

    Unique identifier for the credential

    name

    string

    Native permission name, such as “Push” (used to bind local and IdP identities to native permissions).

    permission_type

    enum

    List of canonical privilege(s) the permission represents.

    identity

    string

    Principal name or email address. Maps to IdP login email or group name.

    identity_type

    string

    Sets whether the identity corresponds to an IdP identity, or is local to the application

    application

    string

    Maps to an application name from the first section. Must exist in applications

    resources

    array

    List of application resource or sub-resource names to apply the permission. Must exist in applications

    application

    string

    The application where the role applies. Must exist in applications

    role

    string

    The role name. Must exist in local_roles

    custom property definition
    Custom Application with SCIM (OAA)
    Custom properties
    Veza Tags
    incremental update
    identity_to_permissions
    identity_to_permissions

    description

    resource_type

    email

    identities

    permissions

    created_at

    apply_to_sub_resources

    application_permissions

    apply_to_application

    apply_to_application

    curl -X POST "https://{VEZA_URL}/api/v1/providers/custom" \
    -H "authorization: Bearer {API_KEY}" \
    --compressed --data-binary '{"name":"DemoApp","custom_template":"application"}'

    curl -X POST "https://{VEZA_URL}/api/v1/providers/custom" \
    -H "authorization: Bearer {API_KEY}" \
    -H "Content-Type: application/json" \
    --data '{
      "name": "MyCustomApp",
      "custom_template": "application",
      "external_lifecycle_management_type": "SCIM"
    }'

    {
      "custom_property_definition": {
        "applications": [
          {
            "application_type": "sample",
            "application_properties": {},
            "local_user_properties": {},
            "local_group_properties": {},
            "local_role_properties": {},
            "resources": []
          }
        ]
      },
      "applications": [
        {
          "name": "Sample App",
          "application_type": "sample",
          "description": "This is a sample app",
          "local_users": [
            {
              "id": "0000000001",
              "name": "bob",
              "identities": [
                "[email protected]"
              ],
              "is_active": true,
              "created_at": "2022-01-26T20:48:12.460Z"
            },
            {
              "id": "0000000002",
              "name": "jane",
              "identities": [
                "[email protected]"
              ],
              "groups": [
                "admins"
              ],
              "created_at": "2021-08-13T06:28:13.250Z"
            }
          ],
          "local_groups": [
            {
              "id": "admins",
              "name": "Administrators"
            }
          ],
          "local_roles": [],
          "tags": [],
          "custom_properties": {},
          "resources": [
            {
              "id": "0001",
              "name": "Entity1",
              "resource_type": "thing",
              "description": "Some entity in the application",
              "sub_resources": [
                {
                  "name": "Child 1",
                  "resource_type": "child",
                  "description": "My information about resource"
                }
              ]
            },
            {
              "id": "0002",
              "name": "Entity2",
              "resource_type": "thing",
              "description": "Another entity in the application"
            }
          ]
        }
      ],
      "permissions": [
        {
          "name": "admin",
          "permission_type": [
            "DataRead",
            "DataWrite"
          ],
          "apply_to_sub_resources": false,
          "resource_types": []
        },
        {
          "name": "operator",
          "permission_type": [
            "DataRead",
            "MetadataRead"
          ],
          "apply_to_sub_resources": false,
          "resource_types": []
        },
        {
          "name": "manager",
          "permission_type": [
            "MetadataWrite"
          ],
          "apply_to_sub_resources": false,
          "resource_types": []
        }
      ],
      "identity_to_permissions": [
        {
          "identity": "0000000001",
          "identity_type": "local_user",
          "application_permissions": [
            {
              "application": "Sample App",
              "permission": "operator",
              "apply_to_application": true
            },
            {
              "application": "Sample App",
              "resources": [
                "0001"
              ],
              "permission": "manager"
            }
          ]
        },
        {
          "identity": "admins",
          "identity_type": "local_group",
          "application_permissions": [
            {
              "application": "Sample App",
              "permission": "admin",
              "apply_to_application": true
            }
          ]
        }
      ]
    }

    {
      "applications": [
        {
          "name": "Sample App",
          "application_type": "sample",
          "description": "This is a sample app",
          "local_users": [
            {
              "name": "bob",
              "identities": [
                "[email protected]"
              ],
              "is_active": true,
              "created_at": "2022-01-26T20:48:12.460Z",
              "id": "0000000001"
            },
            {
              "name": "jane",
              "identities": [
                "[email protected]"
              ],
              "created_at": "2021-08-13T06:28:13.250Z",
              "id": "0000000002"
            }
          ],
          "local_groups": [],
          "local_roles": [
            {
              "id": "admin",
              "name": "Administrator",
              "permissions": [
                "manage_users"
              ],
              "tags": [],
              "custom_properties": {}
            },
            {
              "id": "user",
              "name": "User",
              "permissions": [
                "view_tickets",
                "close_tickets"
              ],
              "tags": [],
              "custom_properties": {}
            }
          ],
          "tags": [],
          "custom_properties": {},
          "resources": []
        }
      ],
      "permissions": [
        {
          "name": "manage_users",
          "permission_type": [
            "MetadataWrite"
          ],
          "apply_to_sub_resources": false,
          "resource_types": []
        },
        {
          "name": "view_tickets",
          "permission_type": [
            "DataRead"
          ],
          "apply_to_sub_resources": false,
          "resource_types": []
        },
        {
          "name": "close_tickets",
          "permission_type": [
            "MetadataWrite"
          ],
          "apply_to_sub_resources": false,
          "resource_types": []
        }
      ],
      "identity_to_permissions": [
        {
          "identity": "0000000001",
          "identity_type": "local_user",
          "role_assignments": [
            {
              "application": "Sample App",
              "role": "user",
              "apply_to_application": true,
              "resources": []
            }
          ]
        },
        {
          "identity": "0000000002",
          "identity_type": "local_user",
          "role_assignments": [
            {
              "application": "Sample App",
              "role": "user",
              "apply_to_application": true,
              "resources": []
            },
            {
              "application": "Sample App",
              "role": "admin",
              "apply_to_application": true,
              "resources": []
            }
          ]
        }
      ]
    }

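The tables call out several "must exist in" rules (a role_assignment's role in local_roles, an application_permission's permission in permissions, resources in the application, identity_type within its allowed values) that a malformed payload silently violates. The following check, added here and not part of Veza's docs or the oaaclient SDK, enforces those rules locally before a push; its sample payload is constructed and modelled on the two examples above.

```python
"""Referential-integrity check for an OAA custom application payload (added example,
not Veza's own code): enforces the tables' "must exist in" rules before an upload."""

IDENTITY_TYPES = {"idp", "local_user", "local_group", "local_role", "local_access_creds"}
# identity_type value -> the application list that must define that identity
LOCAL_LISTS = {"local_user": "local_users", "local_group": "local_groups",
               "local_role": "local_roles", "local_access_creds": "local_access_creds"}


def _keys(entity):
    """An entity may be referenced by its name or by its optional id."""
    return {entity["name"], entity.get("id") or entity["name"]}


def _resource_keys(resources):
    """Collect name/id keys of resources and, recursively, their sub_resources."""
    keys = set()
    for res in resources or []:
        keys |= _keys(res) | _resource_keys(res.get("sub_resources"))
    return keys


def validate_payload(payload):
    """Return a list of problems; an empty list means every reference resolves."""
    problems = []
    perms = {p["name"] for p in payload.get("permissions", [])}
    apps = {}  # application name -> keys defined in each of its entity lists
    for app in payload.get("applications", []):
        index = {lst: set().union(*map(_keys, app.get(lst, []))) for lst in LOCAL_LISTS.values()}
        index["resources"] = _resource_keys(app.get("resources"))
        apps[app["name"]] = index
        for role in app.get("local_roles", []):  # local_roles.permissions must exist in permissions
            for pname in role.get("permissions") or []:
                if pname not in perms:
                    problems.append(f"role {role['name']!r}: permission {pname!r} not in permissions")
    for entry in payload.get("identity_to_permissions", []):
        ident, itype = entry["identity"], entry.get("identity_type", "idp")  # idp is the default
        if itype not in IDENTITY_TYPES:
            problems.append(f"identity {ident!r}: invalid identity_type {itype!r}")
            continue
        for kind, assignments in (("permission", entry.get("application_permissions", [])),
                                  ("role", entry.get("role_assignments", []))):
            for a in assignments:
                index = apps.get(a["application"])
                if index is None:
                    problems.append(f"identity {ident!r}: application {a['application']!r} not defined")
                    continue
                if itype != "idp" and ident not in index[LOCAL_LISTS[itype]]:
                    problems.append(f"identity {ident!r}: not defined in {LOCAL_LISTS[itype]}")
                pool = perms if kind == "permission" else index["local_roles"]
                if a[kind] not in pool:
                    problems.append(f"identity {ident!r}: {kind} {a[kind]!r} not defined")
                for res in a.get("resources") or []:  # resources/sub-resources must exist in the app
                    if res not in index["resources"]:
                        problems.append(f"identity {ident!r}: resource {res!r} not in {a['application']!r}")
    return problems


# Constructed sample modelled on the page's examples, with one deliberate
# dangling reference: role "auditor" is assigned but never defined.
SAMPLE = {
    "applications": [{
        "name": "Sample App", "application_type": "sample",
        "local_users": [{"id": "0000000001", "name": "bob", "groups": ["admins"]}],
        "local_groups": [{"id": "admins", "name": "Administrators"}],
        "local_roles": [{"id": "admin", "name": "Administrator", "permissions": ["manage_users"]}],
        "resources": [{"id": "0001", "name": "Entity1", "resource_type": "thing",
                       "sub_resources": [{"name": "Child 1", "resource_type": "child"}]}]}],
    "permissions": [{"name": "manage_users", "permission_type": ["MetadataWrite"]},
                    {"name": "operator", "permission_type": ["DataRead", "MetadataRead"]}],
    "identity_to_permissions": [
        {"identity": "0000000001", "identity_type": "local_user",
         "application_permissions": [{"application": "Sample App", "permission": "operator",
                                      "resources": ["Child 1"]}],
         "role_assignments": [{"application": "Sample App", "role": "admin", "apply_to_application": True},
                              {"application": "Sample App", "role": "auditor", "apply_to_application": True}]},
        {"identity": "admins", "identity_type": "local_group",
         "application_permissions": [{"application": "Sample App", "permission": "manage_users",
                                      "apply_to_application": True}]}]}
```

Running `validate_payload(SAMPLE)` reports only the undefined "auditor" role; run it over the real payload (loaded with json.load) before posting it.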
      "custom_property_definition": {
        "applications": [
          {
            "application_type": "sample",
            "application_properties": {},
            "local_user_properties": {
              "license_type": "STRING",
              "license_expires": "TIMESTAMP"
            },
            "local_group_properties": {},
            "local_role_properties": {},
            "role_assignment_properties": {},
            "access_cred_properties": {},
            "resources": []
          }
        ]
      }

          "local_users": [
            {
              "id": "001010",
              "name": "bob",
              "identities": [
                "[email protected]"
              ],
              "groups": null,
              "is_active": true,
              "created_at": "2022-01-26T20:48:12.460Z",
              "last_login_at": null,
              "deactivated_at": null,
              "password_last_changed_at": null,
              "tags": [],
              "custom_properties": {
                "license_type": "pro",
                "license_expires": "2023-01-01T00:00:00.000Z"
              }
            }
          ]

    {
      "applications": [
        {
          "name": "Custom App",
          "application_type": "Source Control",
          "description": "Has a resource for each repository",
          "custom_properties": {},
          "tags": [],
          "owners": [],
          "local_users": [],
          "local_groups": [],
          "local_roles": [],
          "resources": []
        }
      ]
    }

    "resources": [
      {
        "name": "Entity1",
        "id": "Unique ID",
        "resource_type": "thing",
        "description": "Some entity in the application",
        "sub_resources": [
          {
            "name": "Child 1",
            "resource_type": "child",
            "description": "My information about resource",
            "sub_resources": [],
            "custom_properties": {},
            "tags": [],
            "owners": []
          }
        ],
        "custom_properties": {},
        "tags": [],
        "owners": []
      },
      {
        "name": "Entity2",
        "id": "Another Unique ID",
        "resource_type": "thing",
        "description": "Another entity in the application",
        "sub_resources": [],
        "custom_properties": {},
        "tags": [],
        "owners": []
      }
    ]

    {
      "name": "cog1",
      "resource_type": "cog",
      "connections": [
        {
          "id": "[email protected]",
          "node_type": "GoogleCloudServiceAccount"
        }
      ]
    }

    "local_users": [
      {
        "id": "egray",
        "name": "Evan Gray",
        "email": "[email protected]",
        "identities": ["[email protected]"],
        "groups": ["contractors"],
        "is_active": true,
        "created_at": "2020-12-19T16:39:57-08:00",
        "last_login_at": "2021-11-19T14:19:30-08:00",
        "password_last_changed_at": null,
        "deactivated_at": null,
        "custom_properties": {},
        "tags": [],
        "owners": []
      }
    ]

    "local_groups": [
      {
        "name": "US Contractors",
        "id": "us-contractors",
        "identities": ["[email protected]"],
        "groups": [
          "all-contractors",
          "all-workers"
        ],
        "tags": [],
        "owners": []
      }
    ]

    "local_roles": [
        {
            "name": "administrator",
            "id": "0001",
            "permissions": ["create","destroy"]
        },
        {
            "name": "operator",
            "id": "0002",
            "permissions": ["pull", "read"],
            "tags": [],
            "owners": []
        }
    ]

    "local_access_creds": [
      {
        "name": "Production API Key",
        "id": "prod-key-001",
        "created_at": "2023-01-15T08:00:00.000Z",
        "expires_at": "2024-01-15T08:00:00.000Z",
        "last_used_at": "2023-12-01T14:30:00.000Z",
        "can_expire": true,
        "is_active": true,
        "custom_properties": {},
        "tags": [],
        "owners": []
      }
    ]

    "permissions": [
       {
         "name": "Admin",
         "permission_type": [
           "DataRead",
           "DataWrite",
           "MetadataRead",
           "MetadataWrite"
         ]
       },
       {
         "name": "Operator",
         "permission_type": [
           "MetadataRead",
           "DataRead"
         ]
       },
       {
         "name": "Inactive",
         "permission_type": [
           "NonData"
         ]
       }
     ]

    "identity_to_permissions": [
      {
        "identity": "Evan Gray",
        "identity_type": "local_user",
        "application_permissions": [
          {
            "application": "Veza AI",
            "resources": ["terraform-dev", "prod"],
            "permission": "pull"
          },
          {
            "application": "Veza AI",
            "resources": ["terraform-dev", "prod"],
            "permission": "push"
          }
        ]
      }
    ]

    {
        "identity": "[email protected]",
        "identity_type": "idp",
        "application_permissions":
        [
            {
                "application": "source control",
                "resources": ["util-tools", "terraform"],
                "apply_to_application": false,
                "permission": "write"
            },
            {
                "application": "source control",
                "resources": [],
                "apply_to_application": true,
                "permission": "read"
            }
        ]
    }

    {
        "identity": "john_smith",
        "identity_type": "local_user",
        "role_assignments":[
            {
                "application": "custom application",
                "role": "administrator",
                "apply_to_application": true,
                "resources": []
            },
            {
                "application": "custom application",
                "role": "ops",
                "apply_to_application": false,
                "resources": ["oaa-vm-1"]
            }
        ]
    }

      "identity_to_permissions": [
        {
          "identity": "0000000001",
          "identity_type": "local_user",
          "role_assignments": [
            {
              "application": "Sample App",
              "role": "user",
              "apply_to_application": true,
              "resources": []
            }
          ]
        },
        {
          "identity": "0000000002",
          "identity_type": "local_user",
          "role_assignments": [
            {
              "application": "Sample App",
              "role": "user",
              "apply_to_application": true,
              "resources": []
            },
            {
              "application": "Sample App",
              "role": "admin",
              "apply_to_application": true,
              "resources": []
            }
          ]
        }
      ]
    