Overview

The Adobe Enterprise integration enables Veza to discover and analyze users, groups, and administrative roles within your Adobe environment. This integration uses Adobe's User Management API (v2) to provide visibility into user access, group memberships, and product license assignments across your Adobe organization.

The integration supports:

• Discovery of Adobe Enterprise users and their properties

• Mapping of user groups and product profiles

• Analysis of group types and license quotas

• Adobe admin role assignments

Prerequisites

The integration uses OAuth 2.0 client credentials flow. You will need:

• An Adobe Enterprise account

• Adobe Organization ID (format: xxxxx@AdobeOrg)

• API credentials from Adobe Developer Console (Client ID and Client Secret)

• Veza platform access with permissions to add new integrations

The integration uses Adobe's User Management API v2 to collect:

• Users: /v2/usermanagement/users/{org_id}

• Groups: /v2/usermanagement/groups/{org_id}

Finding Your Organization ID

The Organization ID is a unique identifier in the format {hex_number}@AdobeOrg (e.g., A495E53@AdobeOrg). You can find this value:

1. In the Adobe Admin Console URL path when logged in

2. In the Adobe IO Console under your User Management integration settings

Generating Adobe Credentials

Follow the instructions in Setting up the OAuth Server-to-Server credential to create a new Project and credentials.

Select the "User Management API" when configuring the Products & services for the Project.

Note the API Key (Client ID) and generated access token (Client Secret).

Configuring Adobe Enterprise on the Veza Platform

1. In Veza, use the main menu to open the Integrations page.

2. Click Add Integration and search for Adobe Enterprise.

3. Click on Adobe Enterprise and to open the configuration form.

4. Enter the required information:

   Field

   Description

   Required

   Format/Notes

   Name

   A unique name for this integration instance

   Yes

   Insight Point

   The Insight Point this integration will be associated with

   Yes

   Organization ID

   Adobe Organization ID

   Yes

   Must end with @AdobeOrg

   Client ID

   Adobe API Client ID

   Yes

   From Adobe Developer Console

   Client Secret

   Adobe API Client Secret

   Yes

   From Adobe Developer Console

5. Click Create Integration to save the configuration.

Verifying the Integration

1. To check integration status:

   1. On the Veza Integrations list, click the integration name to view details.

   2. On the details page, review the list of data sources.

   3. Use the Status column to check if the data source is unavailable or has an error.

   4. Click on an individual status to show more details.

2. To view discovered entities:

   1. On the Veza Integrations list, click View Dashboard to show an overview of the entities Veza has discovered.

   2. Click an entity type to view the results in Query Builder.

   3. Review the entities to validate that results and attributes are as expected.

Notes and Supported Entities

Application

Type: "Adobe Enterprise"

Users

Groups

Built-in Roles and Permissions

The integration supports three built-in administrative roles:

Each role has a corresponding permission of the same name. All permissions are of type "uncategorized".

Role Properties

Permission Properties

Relationships

Additional Resources

• Adobe User Management API Documentation

• Adobe Admin Console

Overview

The Veza integration for Jenkins enables the discovery of Users and Roles, and permissions. One configured, Veza uses Jenkins APIs to populate the Authorization Graph with entities and metadata. The integration supports project-based Matrix Authorization and role-based access controls.

To enable the integration:

Jenkins Setup

Create a user and API token for the Veza integration:

1. Create a Jenkins user for the integration. Log in to Jenkins and go to Dashboard → Manage Jenkins → Users → Create User. Enter the name, password, and email-address and save your changes.

2. Assign them a role with the Overall Read permission under Manage Jenkins > Manage and Assign Roles.

3. Get an API token for the user. Browse to your Jenkins instance, log in and go to (Your Username) > Configure > API Token.

4. Click Add New Token. Give the token a name and save the value.

Veza Setup

Add the integration to Veza:

1. Browse to your Veza instance and log in.

2. Go to Integrations.

3. Click Add Integration. Select Jenkins as the integration to add. Click Next.

4. Complete the required fields:

   • Jenkins Token: the token you created for the integrations.

   • URL: URL of the Jenkins environment. Ensure the URL ends with a /.

   • Username: Integration user name.

5. Click Save to enable the integration.

Supported Entities

ID and Name are collected for both users and roles. Veza discovers and processes all permissions found in Jenkins.

Jenkins User

A Jenkins User represents an account with specific permissions and roles within the Jenkins automation server. This entity is subject to access control with varying levels of permissions, such as read, write, and execute, on different Jenkins resources.

Jenkins Role

A Jenkins Role is a set of capabilities assigned to a Jenkins User or group of users within Jenkins.

Overview

Veza can discover and analyze permissions in SharePoint Server environments that are configured with Microsoft Entra ID (formerly Azure AD) federated authentication. This offers visibility into your on-premises SharePoint infrastructure using an existing Azure Integration, including:

• Site collections and sub-sites discovery

• Document libraries and folders

• Effective permission analysis

• Microsoft Entra ID user and group federation

• Optional site filtering with allow and deny lists

Prerequisites

• SharePoint Server 2013 or newer

• The SharePoint environment must be configured for federated authentication with Microsoft Entra ID following Microsoft's official documentation

• The Azure integration in Veza must be configured with a valid SSL certificate for SharePoint site discovery (Signed certificate recommended for production environments)

Configuring the Azure Integration for SharePoint Server

You can connect to SharePoint by providing a certificate for app-only access when configuring an Azure integration. For testing environments, you can generate a self-signed certificate following the Microsoft documentation.

The integration requires read-only API permissions to discover SharePoint resources:

1. Go to the Integrations page and add or edit an Azure integration, following the instructions in Microsoft Azure.

2. In Azure, create or edit the app registration for the integration with the additional API scopes:

   • SharePoint:

     • User.Read.All

     • Sites.Read.All

   • Microsoft Graph API:

     • Directory.Read.All

     • Files.Read.All

     • Sites.Read.All

     • Reports.Read.All

3. Enable SharePoint discovery by providing a certificate for app-only access and granting optional API permissions as documented in Microsoft SharePoint Online.

4. If you are limiting the services discovered by the integration, ensure that SharePoint is enabled under Limited Services in the integration configuration.

5. (Optional) In the Limit Services > SharePoint section, add SharePoint site URLs to the allow or deny lists to limit extraction of specific sites. The integration will detect all on-premesis SharePoint sites included in the /sites/getAllSites Microsoft Graph API response.

6. Save your changes to the integration configuration after supplying the X.509 certificate and password, if encrypted.

7. When discovery completes, perform a Graph search for relationships between Azure AD Users and SharePoint Sites to validate that on-premises sites are appearing as expected.

If your Okta Multi-factor enrollment policies are such that traffic from Veza's Cloud IP Addresses is denied the ability to use a factor, Veza will not be able to detect user enrollment in that factor. As a result, the "MFA Active" property for Okta users will be "False," even if factors are enabled for the user. To prevent this, you can can:

• Configure an Okta Network Zone that allows optional MFA factors

• Use an Insight Point to connect to Okta from an IP address internal to your data center that does not have these restrictions

See below for more details and steps to enable:

Background

Okta MFA enrollment policies have the ability to not only set enrollment but also define usage. MFA enrollment policies work by evaluating from the highest priority to the lowest priority at the policy level (filtered by groups), and then at the rule level (filtered by Network Zones and App Condition).

This means that if there is not a policy rule that fits the incoming request, Okta will check the next policy that applies to the user until it finds one (Default Policy applies to everyone and Default Rule applies everywhere).

Resolution

There are 2 options to allow Veza to fully collect MFA enrollment.

1. Configure a Network Zone specifically for the Veza IP Addresses and allow the factors as optional at the Policy level and deny the Enrollment at the Policy Rule Level:

   • Create an Okta Group to control scope during deployment.

   • Configure Network IP Zones for Veza's Cloud IP Addresses under Gateway IPs.

   • Create a Veza MFA Enrollment Policy.

     • For Assigned Groups, enter the group created in step 1.

     • All authenticators are Optional (OIE requires 1 as Required).

     • Create a Veza Policy Rule:

       1. IF User's IP is "in zone" (Add the Zone for Veza's Cloud IP Addresses)

       2. AND User is accessing "Okta"

       3. THEN Enrollment is "Allowed if required authenticators are missing".

   • Test the configuration by adding users to the group.

     • Veza should see everything and user experience should not be affected.

     • After testing, Remove the "Assigned" Group, and Apply the "Everyone" group.

2. Have Veza traffic to Okta run through an Insight Point installed in your data center. This asumes your data center IP Addresses do not have the same restrictions as Veza's Cloud IP Addresses.

Veza connects to standalone SQL Server instances via a local user, using the configured host, port, username, and password. Typically, an Insight Point is recommended to enable a secure connection between Veza and the SQL host. For testing purposes, you can use the internal Insight Point, assuming that firewall rules allow communication with Veza.

NOTE: System databases are not included in the database fetching.

Configuring SQL Database user

1. Connect to your SQL Server and create new SQL Server Login with password.

To enable discovery for SQL Server, you will need credentials for a local SQL Server user (Login with password). Connect to the server using your client of choice, and create the user with the command:

CREATE LOGIN <db_user> WITH PASSWORD = '<password>';

2. Assign read only permissions for the service account.

Grant the following permissions to the SQL Server Login from the previous step:

SQL 2008 and 2012

GRANT VIEW ANY DEFINITION TO <db_user>;
GRANT VIEW ANY DATABASE TO <db_user>;
GRANT CONNECT SQL TO <db_user>;

SQL 2014 and later

GRANT VIEW ANY DEFINITION TO <db_user>;
GRANT CONNECT ANY DATABASE TO <db_user>;

Configure Veza

To add the connection, go to Configuration > Integrations_ > Create Integration and choose "SQL Server".

1. If you are using an external Insight Point for discovery, change the selection from the default internal Insight Point to the one you deployed.

2. Enter the server Host, Port, Login user and Password.

3. Optionally, prevent discovery of some databases and schema by adding database names to the allow and deny lists. If the allow list is populated, only those resources are discovered. If the deny list is populated, those resources are skipped, while all others are discovered.

4. Click Save to enable the integration and queue parsing. The SQL Server will be registered and appear under "Discovered Data Sources" on the Configuration > All Data Sources tab.

Overview

Early Access: Beeline is available in Early Access. Please contact our support team to enable the integration.

The Veza integration for the Beeline workforce platform enables discovery of Beeline employees, and can be enabled as a source of identity for lifecycle management policies. HRIS metadata from Beeline can be used to enrich queries, access reviews, and enable provisioning and de-provisioning flows when employees are added or removed, or their status changes.

Configuring Beeline

The Veza Beeline connector uses Beeline's Reporting as a Service (RaaS) feature to retrieve employees and their attributes.

After enabling RaaS, a BeeLine report with the corresponding values must be created in advance. Please contact our support team to coordinate report creation for the latest supported attributes.

1. Ensure that the RaaS feature is enabled.

2. Generate an API key for the integration user, that Veza will use for the discovery. This user can be an existing Beeline user or a new user.

   1. Note the ClientSecret, UserName and UserAPIKey from the API Authentication Page

3. Find the Report ID by opening it in your browser and copying the UUID value from the URL. The report ID will be the part after the ReportID= parameter.

4. Note your Customer ID or Project ID from the Beeline URL. This will be the value after beeline.com such as beeline.com/acme/ or beeline.com/proj1345 depending on if it is a production or development tenant.

Configuring the Beeline Integration on Veza

1. On the Veza Integrations page, click Add Integration and locate the Beeline tile.

2. Configure the integration with the following fields:

   1. Name - Name for the integration

   2. Site ID - Customer or Project identifier for the Beeline instance

   3. Client Secret - Client secret value from the API key generated

   4. User Name - User name for corresponding API key

   5. User API Key - The API key value

   6. Report ID - UUID identifier for published report

   7. URL - Optional: For non-production tenants the URL for connecting to the API. For development projects sites this value is typically https://projapi.beeline.com.

3. Enable lifecycle management (optional): On the Integrations page, find the BeeLine integration. In the Lifecycle Management column, toggle the slider to enable the integration as an identity source.

Notes and Supported Entities

Beeline Employee

Employee fields ingested by Veza will depend on the report configuration. Currently, the following attributes are supported:

• id

• employee number

• first name

• last name

• preferred name

• display full name

• canonical name

• email

• work location

• cost center

• employement status

• is active

• start date

• job title

• address

• admin ou

• current end date

• external id

• hiring manager name

• internal job grouping

• manager hierarchy level two name

• manager hierarchy level three name

• manager hierarchy level four name

• requires system access

Overview

Concur is an enterprise-level expense management platform that automates expense reports, approvals, and payments. The integration facilitates data exchange between Veza and Concur, for user and role discovery.

Configuring Concur

Pre-requisites

Before configuring Concur, you must create a new integration application within Concur and generate OAuth 2.0 credentials. Follow these steps:

1. Navigate to the in Concur and create a new app.

   • Provide a name and description for the app.

2. Add allowed grants:

   • refresh_token, password

3. Add allowed scopes:

   • openid, identity.user.core.read, identity.user.enterprise.read, identity.user.ids.read, identity.company.core.read, spend.user.general.read, identity.user.coresensitive.read.

4. Submit and note down the Client ID and Client Secret values.

5. Go to the page. Enter the app ID and click submit.

6. Note the Company UUID and Request Token. You will exchange the temporary token for a refresh token prior to configuring the integration in Veza.

Generating a Refresh Token

Use the curl command to obtain a refresh token. This command must be run within 24 hours of generating the request token.

Replace placeholders with the actual Client ID, Client Secret, Company UUID, and Request Token:

From the response, collect the refresh_token value, and use it to configure the integration in Veza.

Configuring Concur in Veza

1. In Veza, open the Integrations page.

2. Click Add New and pick Concur as the type of integration to add

3. Enter the Client ID, Client Secret, and Refresh Token, then Save the configuration

Supported Entities and Properties

Concur User

A user account within the Concur system, typically for submitting, managing, and reporting business expenses. The connector supports user attributes:

• is_active: True if User is active on Concur

• cost_center: User’s cost center

• employee_number: User’s employee number if set in Concur

• start_date: User’s start date

• termination_date: User’s termination date

• email: User's email address

Concur Role

Concur Roles determine what level of access and abilities a user has within the system. Built-in roles include approver, processor, or administrator.

The Concur connector currently discovers user roles for:

• Base Concur application

• Concur Spend integration

The Veza integration for Egnyte enables the discovery of Users, Groups, and Roles from the Egnyte platform. Veza uses Egnyte APIs to populate the Authorization Graph with user, group, and role information. Use it to:

• Find users and groups roles within a Workspace.

• Find identities with specific permissions in Egnyte.

Note that resources such as individual channels are not discovered. While Veza collects role information, the associated permissions with the roles will not be found in the connector.

Egnyte Setup

Before adding the integration to Veza, you need a token to make authenticated requests on the Egnyte platform:

1. Get the application API key for your application. Log in to developers.egnyte.com, and go to your profile. Search for Keys.

   • Ensure the API key user has admin-level permissions. Veza will only use the necessary scopes, which are egnyte.user, egnyte.group and egnyte.permissions.

2. Follow the official to generate an API Token from your API Key and Client ID.

3. Copy the generated API Token returned from the API call.

Veza Setup

To enable Veza to gather data from Egnyte:

1. Log in to your Veza platform.

2. Go to Integrations.

3. In the main pane, click Add Integration > Egnyte.

4. Enter the required fields:

   • Insight Point: Use the default data plane unless connecting with a deployed .

   • Name: A friendly name to identify the integration.

   • API Token: A token generated from the API Key, allowing Veza to make the required API calls.

   • API URL: The URL for your Egnyte instance (e.g. www.{org-name}.egnyte.com/pubapi).

5. Click Save to enable the integration.

Supported Entities

Veza creates the following entities to represent Egnyte identities and access controls, along with some additional attributes:

Egnyte User

Egnyte Role

Egnyte Group

Overview

The DocuSign integration enables discovery of identities, groups, and permissions within a DocuSign account. It uses Open Authorization API to create the following entities:

• Account → Custom Application

• UserGroups → Local Groups

• User → Local User

• Permission Profiles → Local Roles

• Permission Profiles → Custom Permissions

Requirements

To set up the DocuSign integration in Veza, you will need to create a DocuSign app and configure Veza with the necessary credentials. This includes the Client ID, Client Secret, and Refresh Token. Additionally, you will need the base URI for DocuSign API calls.

Create a DocuSign App

Using a DocuSign developer account, and get the Client ID and Client Secret:

1. Go to Apps and Keys in DocuSign. Click Add App and Integration Key, and complete the required fields.

2. Under Authentication, click Add Secret Key and save it to use as Client Secret.

3. Save your changes and save the Integration Key to use as a Client ID.

Obtain a Refresh Token

Get a Refresh Token, following the instructions in . You will need to get an authorization code for the Veza app, and use it to request an access token.

The response will contain the refresh token:

Retrieve the DocuSign Base URI

After obtaining an access token, you can retrieve your DocuSign base URI by making an API request:

Copy the base_url from the response.

Configuring DocuSign on the Veza Platform

To enable Veza to gather data from DocuSign, follow these steps:

1. Log in to Veza and go to Integrations

2. In the main pane, click Add Integration. Click DocuSign.

3. Complete the required fields:

• Name: Friendly name to identify the DocuSign account in Veza

• Base URL: DocuSign Base URI. Example, https://demo.docusign.net/restapi/

• Client ID: Integration app Client ID

• Client Secret: Integration app Client Secret

• Refresh Token: Refresh Token for DocuSign API integration

Veza will automatically catalog DynamoDB resources for configured AWS accounts. All discovered DynamoDB tables, secondary indexes, and streams can be viewed in the data catalog, with cross-service effective permissions available in Authorization Graph search. DynamoDB insights are included in select Reports, or can be viewed using the Saved Queries panel.

Notes

To extract authorization metadata for DynamoDB, the IAM policy granting discovery and extraction permissions must include the following statement:

These permissions are included in the latest ; if you are upgrading from release 2021.6.xyou will need to update the policy attached to the Insight Point, IAM user, or IAM role used for discovery.

Supported Resources / Sub-resources

• DynamoDB Table

• DynamoDB Secondary Index

• DynamoDB Stream

Veza offers integrations for cloud providers, data systems (such as Snowflake, AWS RedShift, GCP BigQuery, Azure SharePoint, SQL Server), SaaS applications (SalesForce, NetSuite, JIRA, GitHub, GitLab, and others), and services such as AWS KMS and Azure VPC. Additionally, Veza's Open Authorization API (OAA) enables the integration of custom applications and identity providers. You can also import identity and permissions metadata from any source using CSV Upload.

Veza also provides outbound integrations for platforms such as Slack, Jira, and ServiceNow, and webhooks for publishing events to any external system. Veza can also integrate with Okta, AzureAD, or another compatible identity provider (IdPs) for Single Sign-On (SSO) and MFA.

This page lists all built-in integrations with links to configuration guides. Please contact our support team to learn more about enabling early access integrations on the Veza platform.

• See Integrations Overview for more information about how Veza integrations work. See Configuring Integrations for instructions to enable and manage data sources on the Veza Integrations page.

Identity Providers

• Active Directory

• AWS IAM

• AzureAD

• GCP IAM

• Google Workspace

• Okta

• OneLogin

• Oracle Cloud IAM

• PingOne

• Auth0

Cloud Services

Amazon Web Services (AWS)

See AWS for details on adding an account to Veza.

• AWS Cognito

• AWS DynamoDB

• AWS EC2

• AWS EMR

• AWS IAM

• AWS IAM Identity Center

• AWS KMS

• AWS Lambda

• AWS Redshift

• AWS RDS Services

• AWS RDS Aurora

• AWS RDS MySQL

• AWS RDS Oracle Database

• AWS RDS PostgresQL

• AWS RDS SQL Server

• AWS S3

• AWS Security Groups

• AWS VPC

• AWS EKS

Microsoft Azure**

See Azure for details on adding a tenant to Veza.

• Azure Blob Storage

• Azure Data Lake

• Azure Key Vault

• Azure RBAC

• Azure SQL Database

• Azure SQL Server

• Azure Virtual Machines

• Azure Virtual Networks

• Azure Security Groups

• Azure Cognitive Services + Azure OpenAI

• Azure AKS

• Azure PostgreSQL

• Microsoft Intune

Google Cloud Platform (GCP)

See Google Cloud Platform for details on integrating your Google organization with Veza.

• Identity and Access Management (IAM)

• BigQuery

• Cloud Run

• Cloud Storage

• Compute Engine

• Key Management Service (KMS)

• Virtual Private Cloud (VPC)

Oracle Cloud Infrastructure (OCI)

See Oracle Cloud Infrastructure for setup instructions.

• OCI IAM

• OCI Object Store

Salesforce Commerce Cloud

See Salesforce Commerce Cloud for setup instructions.

• Salesforce Business Manager

Data Lakes

• Databricks (Unity Catalog)

• Databricks (Workspace)

• FiveTran (Supported via SCIM)

• MongoDB Atlas

• Snowflake Data Cloud

• Trino SQL Query Engine (formerly PrestoDB)

SaaS Applications and Platforms

• 1Password

• Adobe Enterprise

• Anaplan

• Atlassian Cloud (Confluence, Jira, BitBucket)

• BlackLine

• BambooHR

• Beeline

• Boomi

• Box.com

• Bullhorn

• Celonis (Supported via SCIM)

• Cerner (Early Access)

• Cisco Duo

• Clickhouse

• Concur

• Confluent

• Coupa

• Coupa Contingent Workforce

• Crowdstrike Falcon

• Delinea Secret Server

• Device42

• DocuSign

• DropBox

• Egnyte

• Envoy (Supported via SCIM)

• Exchange Online (Microsoft 365)

• Expensify

• Fastly

• GitHub (Enterprise Cloud and Server)

• GitLab

• Google Drive

• Harness (Supported via SCIM)

• HashiCorp Vault

• HiBob

• Hubspot

• IBM Aspera

• iManage

• IronClad (Supported via SCIM)

• Ivanti Neurons

• Jamf Pro

• Jenkins

• JFrog Artifactory

• LastPass

• Looker

• Microsoft Dynamics 365

• Netsuite

• New Relic

• OpenAI

• Oracle E-Business Suite (EBS)

• Oracle EPM

• Oracle Fusion Cloud

• oracle JD Edwards EnterpriseOne

• Palo Alto Networks SASE / Prisma Access

• PagerDuty

• Power BI

• Privacera

• Qualys

• QNXT

• Ramp

• Redis Cloud

• Rollbar

• Salesforce

• SAP SucessFactors

• ServiceNow

• SharePoint Online / OneDrive (Configured through the Azure Integration)

• Sigma Computing (Supported via SCIM)

• Slack

• SmartSheet

• Spotio

• Sumo Logic

• Tableau

• Teleport

• Terraform

• ThoughtSpot

• Thousand Eyes (Supported via SCIM)

• Trello

• Twingate (Supported via SCIM)

• UKGPro

• Veza

• Workato

• Workday

• YouTrack

• Zapier (Supported via SCIM)

• Zendesk

• Zip

• Zoom

• Zscaler

On-Premises Data Systems

• Apache Cassandra

• Bitbucket Data Center

• Confluence Server

• Jira Data Center / Jira Server

• Microsoft SQL Server

• MongoDB

• Oracle Database

• PostgreSQL

• PTC Windchill

• SharePoint Server

• Solarwinds Platform

• Windows Servers + SMB

• Veza

CSV Upload

CSV Upload enables data source owners and administrators to import identity and authorization metadata from sources that don't have built-in Veza integration. You can create an integration using a CSV file when you need to:

• Import user and authorization data from legacy or custom applications

• Integrate with any SaaS application that supports CSV exports

• Model employee access to homegrown or specialized systems

• Upload employee metadata as a source of identity for Lifecycle Management workflows

For instructions, examples, and troubleshooting guidance, see the CSV Upload documentation.

Generic SCIM Connector

Veza supports the collection of authorization metadata from applications with Users and Groups SCIM endpoints with our in-platform Generic SCIM Connector.

Open Authorization API (OAA)

Veza OAA is an Open Source framework for adding any custom applications to Veza. Veza develops and supports an expanding suite of OAA connectors, alongside several Community developed connectors. Additionally, any application can be integrated using OAA templates (see below) and Veza-provided OAA SDK.

OAA provides templates for modeling identities, resources, and access controls within custom applications and identity providers, which can be published with a Veza-developed python client or a custom script.

• Custom Application: Map federated identities to custom resources

• Custom Identity Provider: Map external resources to custom users and groups

• Custom Human Resource Information System (HRIS): Upload employee metadata, enabling identity mapping, enrichment and Lifecycle Management actions.

Overview

The Veza integration for BlackLine enables gathering User, Group and Role assignments from the BlackLine financial automation platform.

Configuring BlackLine

1. Create a BlackLine user for API access

   • The user must have the API Role and be a System Administrator to make the necessary requests

2. Generate an API key for the user for the BlackLine API Administration Portal or Financial Close System

3. Request OAuth 2.0 credentials from the BlackLine customer support team:

   • Required API features: Accounts

   • Required scopes: bl_users, bl_mdm

   • Their team should return a PDF with the OAuth app credentials. Use this support-provided installation form to configure the integration on Veza.

For more detail on obtaining credentials and BlackLine API keys, see Getting Started in the official developer documentation.

Configuring BlackLine on the Veza Platform

1. On the Veza Integrations page, add a BlackLine Integration with the following fields:

   • Name - integration name

   • URL - URL for BlackLine instance from installation form e.g. https://us.api.blackline.com

   • Username - Username of BlackLine user for the integration

   • API Key - API key generated for the user

   • Client ID - The Client ID from the support-provided installation form

   • Client Secret - The Client Secret from the installation form

   • Instance ID - UUID-type string from the Installation form Scope following the instance_. Do not include the scope strings such as bl.users bl.mdm.

NOTE: Please contact Blackline Customer Support if you need the values for URL, Username, API key, Client ID, Client Secret and Instance ID.

Notes and Supported Entities

BlackLine Users

BlackLine Group

BlackLine Product (as Resource)

BlackLine Role

Roles are assigned to Users or Groups to either BlackLine Application or specific BlackLine Product (resource) as configured in BlackLine.

Overview

The Veza integration for Crowdstrike enables the discovery of Users, Roles, and permissions from the Crowdstrike Falcon platform. Veza uses Crowdstrike APIs to populate the Authorization Graph with entities and metadata.

This document explains how to enable and create a Crowdstrike Falcon integration. See notes and supported entities for more details.

Risk Score Import/Export (Optional)

For customers with access to Crowdstrike Identity Protection, the Veza integration for Crowdstrike can be configured to import identity risk scores from the Falcon platform and store them as custom tags on identities in Veza.

Veza can also be configured to mark identities on the Falcon platform to trigger administrative investigation if the identity's Veza Risk Score is greater than 50.

Configuring Crowdstrike

Before adding the integration to Veza, create an API client on the Crowdstrike platform for the connection.

1. Browse to your Crowdstrike Falcon instance (ex: https://falcon.us-2.crowdstrike.com/) and log in

2. Click the hamburger icon in the upper-left corner to open the navigation bar

3. Click Support and resources in the left navigation bar, then click API clients and keys in the Resources and tools section of the navigation submenu

4. Click Create API client in the upper-right corner of the screen

5. Enter the following details in the Create API client modal window:

   • Client name: a distinct name for the API client

   • Description: an optional description of the API client's purpose

   • Scope:

     • Locate User management and click the Read checkbox

     • If Risk Score import/export will be enabled, locate Identity Protection GraphQL and click the Write checkbox

6. Click Create at the bottom of the modal

7. From the API client created window, record the Client ID, Secret, and Base URL output values

8. Click Done to close the modal

Configuring Crowdstrike on the Veza Platform

To enable Veza to gather data from the Crowdstrike Falcon platform:

1. In Veza, open the Integrations page.

2. Click Add New and pick Crowdstrike as the type of integration to add

3. Enter the required information and Save the configuration

Notes and Supported Entities

The connector discovers the following entities and attributes:

Crowdstrike User

Crowdstrike Role

Risk Score Import

If Risk Score import is enabled, Okta and Azure Active Directory / Entra identities that exist on the Crowdstrike Identity Protection platform will be updated with two new tags in Veza:

Overview

The Veza integration for IBM Aspera on Cloud enables gathering User, Groups, Roles and Workspace memberships for the cloud-based file transfer platform.

Configuring Aspera

1. Generate a key pair to use for authentication (if creating a new user):

   1. Use the command to generate the private portion ssh-keygen -t rsa -b 4096 -m PEM -f jwtRS256.key.

   2. Do not set a password.

   3. Create a public key from the private key: openssl rsa -in jwtRS256.key -pubout -outform PEM -out jwtRS256.key.pub.

2. Create or use an existing user for authentication:

   1. For a new user, set the user's public key to the public portion of the generated key pair.

   2. For an existing user and key pair set, use the corresponding public key to configure the integration in Veza.

3. Go to Integrations -> API clients to create an API client:

   1. Enter a name.

   2. Enter the Veza URL for the Redirect URI.

   3. Enable Enable JWT Grant type.

   4. Deselect Client can retrieve token for all users and pick the configured user.

   5. Click create and note the Client ID and Client Secret

4. Note the Aspera Organization name. This is your Aspera sub-domain, for example https://<org_name>.ibmaspera.com.

Configuring Aspera on the Veza Platform

1. On the Veza Integrations page, add a Aspera Integration with the following fields:

   1. Name - Name for integration

   2. Client Id - Client ID from the API client

   3. Client Secret - Corresponding Client Secret

   4. Username - Username for API client user with public key.

   5. Organization Name - Aspera Organization name

Notes and Supported Entities

Aspera Users

Aspera Group

Aspera Workspace

Aspera Roles

Users are assigned roles to the Organization and Workspace based on their configured status

Organization Roles

• Organization Admin

• ATS Admin

• Member

Workspace Roles

• Manager

• Member

Overview

The Veza integration for Oracle Enterprise Performance Management (EPM) discovers users, groups and roles assigned in EPM. Veza uses an Oracle EPM service account connect to the EPM APIs to run the built in EPM reports for user group and role assignments.

Configuring Oracle EPM

1. Create a service account in Oracle EPM for Veza to use:

   1. From Account Type list select Basic Auth and set a username and password

   2. Account must have Service Administrator role

   3. Note the username and password

   4. For more information on Service Accounts see Oracle Documentation

2. Note the URL of the Oracle EPM instance

Configuring Veza Platform

1. In Veza, open the Integrations page.

2. Click Add New and pick Oracle EPM as the type of integration to add

3. Enter the required information and Save the configuration

Notes and Supported Entities

Veza discovers and shows the following metadata for EPM entities. Attribute filters can be used to constrain searches and access reviews based on these properties

Oracle EPM User

Oracle EPM Group

Oracle EPM Role

Note: Oracle EPM API does not return information on role configurations and permissions

Overview

The Veza MySQL integration provides visibility into database security posture by discovering local users, roles, resources, and permissions within a MySQL instance. This integration enables security teams and database administrators to:

• Map and monitor access across databases, tables, triggers and routines

• Analyze role-based access control (RBAC) including privilege inheritance

• Identify users and roles with elevated privileges

• Track permission delegation through grant options

• Monitor administrative capabilities and sensitive operations

For managed MySQL instances, see RDS MySQL documentation.

Configuring MySQL

Veza requires a MySQL user with read-only permissions to discover resources and permissions. Connect to your database, and execute the following commands to create a Veza User and grant the needed privileges for discovery. Replace [veza_user] with the name of the actual database user you want to create:

CREATE USER '[veza_user]'@'%' IDENTIFIED BY '[your-strong-password]';

GRANT REFERENCES ON *.* TO [veza_user];
GRANT SELECT ON mysql.user TO [veza_user];
GRANT SELECT ON mysql.db TO [veza_user];
GRANT SELECT ON mysql.tables_priv TO [veza_user];
GRANT SELECT ON mysql.columns_priv TO [veza_user];
GRANT SELECT ON mysql.global_grants TO [veza_user];
GRANT SELECT ON mysql.procs_priv TO [veza_user];
GRANT SELECT ON mysql.proxies_priv TO [veza_user];

-- Only if MySQL version is up to 5.7
GRANT SELECT ON mysql.proc TO [veza_user];

-- Only if MySQL version is 8+
GRANT SELECT ON mysql.role_edges TO [veza_user];
GRANT SHOW_ROUTINE ON *.* TO [veza_user];

-- If including triggers
GRANT TRIGGER ON *.* TO [veza_user];

Configuring MySQL on the Veza Platform

1. Before configuring the integration, you must have:

   • Network connectivity from Veza to your MySQL server via:

     • A deployed Insight Point in your network (recommended for production)

     • Direct connection using Veza's internal Insight Point (suitable for testing)

2. On the Veza Integrations page select Add Integration and locate the MySQL tile. Configure the integration with the following fields:

   • Insight Point: Choose whether to use the default data plane or a deployed Insight Point

   • Name: A friendly name to identify the unique integration

   • Host: The hostname or IP address of the MySQL server.

   • Port: The port number on which the MySQL server is listening (default is usually 3306).

   • Username: The username to authenticate with the MySQL server.

   • Password: The password associated with the provided username.

3. Click Create Integration to save the configuration

Supported Entities

Veza discovers the following MySQL entities:

• MySQL Instance

• MySQL Database

• MySQL Local User

• MySQL Local User Instance

• MySQL Role

• MySQL Role Instance

• MySQL Routine (Function/Procedure)

• MySQL Table

• MySQL Trigger

Early Access: The Power BI integration is provided as an Early Access feature. Please contact our support team for more details

Overview

The Veza integration for Power BI enables discovery of Users and Groups assigned to Workspaces in Power BI cloud environments connected to Azure AD tenants.

Configuring Power BI

The Veza Connector for Power BI uses an Azure App Registration to authenticate to the Power BI Admin API. This can either be a new app registration or an app used for an existing Veza-Azure integration. Follow the steps below to enable Power BI access for the app registration, creating one if necessary:

From the Azure Portal:

1. Create a new Application and generate credentials. If you are using an existing app created for Azure discovery, skip this step.

   1. Generate a client ID and Secret value for the application to use for authentication.

2. Note the Tenant ID of the application.

3. Create an Entra (Azure AD) Security Group, used to authorize the Application to use the Power BI admin API.

4. Add the Application to the Security Group.

From the Power BI Admin Portal:

1. Navigate to Admin API settings

   1. Under Service principals can access read-only admin APIs ensure that it is enabled.

   2. Add the security group created above to the specific security groups allowed and apply the settings.

Power BI settings can take 15 minutes to propogate, you may need to wait before configuring the Veza integration

Configuring Power BI on the Veza Platform

1. On the Veza Integrations page select Add Integration and locate the Power BI tile. Configure the integration with the following fields:

   1. Name - Name for the integration

   2. Tenant ID - The Azure Tenant ID that Power BI is connected to where the app registration is created

   3. Client ID - The client ID of the app registration.

   4. Client Secret - The ID of the secret generated for the app registration.

Notes and Supported Entities

Power BI User and Groups

Power BI users and groups are managed via Azure Entra (Azure AD). User and Group entities in the Veza graph serve to connect the Power BI role to the correct Azure user.

Power BI Roles

Power BI Workspace

Overview

The Veza integration for PagerDuty connects to the incident management platform to gather authorization for users that are configured in PagerDuty, their base role for the PagerDuty application, and their assigned Teams and Team roles.

Configuring PagerDuty

To authenticate with PagerDuty, Veza requires an API key for a PagerDuty user. To generate this API key (also referred to as a token):

1. Log in to PagerDuty.

2. Click the Integrations menu button in the middle of the PagerDuty screen, then click API Access Keys.

3. Click the Generate new API Key button to obtain an access token.

4. Enter a description, click on Create Key and Save the API token. Copy the token value to use when configuring Veza.

See the PagerDuty documentation for the most up-to-date guidance.

Configuring PagerDuty on the Veza Platform

1. In Veza, open the Integrations page..

2. Click Add Integration and pick PagerDuty as the type of integration to add.

3. Enter the required information and Save the configuration.

Notes and Supported Entities

Veza creates Authorization Graph nodes to model PagerDuty teams, users, roles, and role permissions:

• PagerDuty Business → PagerDuty Application

• PagerDuty Team → PagerDuty Resource

• PagerDuty Team → PagerDuty Group

• PagerDuty User → PagerDuty User

• PagerDuty User Role → PagerDuty Role

• PagerDuty User Role → PagerDuty Permission

This connector uses the PagerDuty API to extract the identity and authorization information for users. Users are connected by identity based on their email address configured in PagerDuty.

PageDuty Teams are represented both as a local group and a resource. If the User has a Team Role it is represented on the resource. The Local Group can be used for purely membership queries, while role assignments to the resource should be used to audit a user's permission within a PagerDuty Team.

PagerDuty User

PagerDuty Group

PagerDuty Team (as Resource)

The Veza integration for HubSpot enables discovery of users, teams, and roles on the HubSpot CRM platform, enabling search, insights, and access reviews involving user access to HubSpot.

The integration includes out-of-the-box queries. You can modify these based on your actual environment to create dashboards and rules for the risks and trends you want to monitor:

• All HubSpot local user accounts

• HubSpot roles that have users assigned

• Number of users who have been granted the Super Admin role in HubSpot

• Total number of HubSpot Roles

• All HubSpot local Teams

• HubSpot teams that have users assigned

• HubSpot Local Users with an Okta identity

• HubSpot Local Users who do not have an Okta identity

• HubSpot Local Users with an Azure AD identity

• HubSpot Local Users who do not have an Azure AD identity

This document includes steps to enable the HubSpot integration in Veza, and supported entity details.

Configuring the HubSpot Integration

To configure the integration, you will need a HubSpot access token for a private app.

Creating a private app enables Veza to use HubSpot's APIs to access specific data within your HubSpot account using an access token unique to the private app. You can create an app by following the instructions in Private Apps. You must be a super admin to access private apps in your HubSpot account.

Create a HubSpot private app and access token

1. In HubSpot, click the settings icon in the main navigation bar.

2. On the left sidebar, open Integrations > Private Apps.

3. Click Create Private App.

4. On the Basic Info tab, configure the details of your app:

   • Enter your app's name.

   • Hover over the placeholder logo and click the upload icon to upload a square image that will serve as the logo for your app.

   • Enter a description for your app.

5. Click the Scopes tab to add required scopes:

   • settings.users.teams.read

   • settings.users.read

6. Click Create App in the top right to save your changes.

7. On the Auth tab of the application details, click Show Token and copy the app access token:

Enable the HubSpot integration in Veza

1. In Veza, open the Integrations page.

2. Click Add New and pick HubSpot as the type of integration to add.

3. Enter the required information and Save the configuration.

Notes and Supported Entities

The HubSpot integration uses standard custom application entity types to model users, teams, and permissions in the authorization graph:

• HubSpot User → Local User

• HubSpot Teams → Local Groups

• HubSpot Permission Sets → Local Roles

Veza collects the following attributes for HubSpot entities:

Overview

In addition to using a simple web interface to update CSV data manually, you can automate a process to push new data using the Veza REST API and refresh the Veza graph. This document includes example utilities using Python and CLI tools.

Using the Upload CSV REST API

After creating a CSV upload integration, you can use the REST API operation Push Custom Provider Datasource CSV to upload new CSV data.

Whenever a CSV is submitted, it is processed based on the current configuration of the CSV Upload Integration provider, including any column mapping settings.Authentication: To make API calls, you must include an authorization token in the header of each request. This can be:

• A Personal API Key for a Veza administrator

• A Team API Key, for a team assigned to manage CSV Upload integrations

See Authentication for more details on creating API keys.

Note: The CSV data must be complete for each upload. Veza will remove entities from the Graph for any entities that were present in the previous upload, but not in the current upload.

Retrieving Integration IDs

Using the REST API requires the Integration (Provider) and Data Source IDs. You can retrieve these in Veza on the Integration Details > Data Source tab:

1. On the Veza Integrations page, click the CSV integration to view details

2. On the Data Source tab, click the data source name to view details

3. Copy the values from the Properties table:

   1. The unique data source "Id"

   2. The "Provider Id"

   Both values are in UUID format, e.g., 19b0c736-6686-4708-87e2-92171db6afb3.

Uploading the Data

Uploading the CSV data is made with a post call to the /api/v1/providers/custom/{provider_id}/datasources/{data_source_id}:push_csv endpoint.

Note: The CSV contents must be base64-encoded into the JSON body of the request. Raw CSV values are rejected. You can automatically convert the data as part of your implementation, as shown below.

{
    "csv_data": "abc123="
}

Example using Curl

CSV_PAYLOAD=$(cat my_app_data.csv | base64)
curl --location https://example.vezacloud.com/api/v1/providers/custom/40bdd318-d320-4574-be90-ca556d59889a/datasources/9bc29dc6-8cd0-4926-992e-7d720305ae2f:push_csv \
--request POST \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $VEZA_API_KEY" \
--data "{\"csv_data\": \"${CSV_PAYLOAD}\"}"

Example using Python

#!/usr/bin/env python3

import base64
import json
import os
import sys

import oaaclient.utils as oaautils
from oaaclient.client import OAAClient, OAAClientError

veza_url = "https://example.vezacloud.com"
veza_api_key = os.getenv("VEZA_API_KEY")

provider_id = "UUID of Provider"
data_source_id = "UUID of Data Source"

source_csv = "path/to/my_file.csv"

print("Connecting to Veza")
try:
    veza_con = OAAClient(veza_url, veza_api_key)
except OAAClientError as e:
    print("Error connecting to Veza tenant")
    print(e)
    sys.exit(1)

print("Loading CSV file")
with open(source_csv, "rb") as f:
    encoded_csv = base64.b64encode(f.read())

print("Pushing data to Veza")
try:
    push_request = {"id": provider_id, "data_source_id": data_source_id, "csv_data": encoded_csv.decode()}
    veza_con.api_post(f"/api/v1/providers/custom/{provider_id}/datasources/{data_source_id}:push_csv", push_request)
    print("Push succeeded")
except OAAClientError as e:
    log.error(f"{e.error}: {e.message} ({e.status_code})")
    if hasattr(e, "details"):
        for d in e.details:
            log.error(d)
    sys.exit(3)

Resources and authorization for Azure SQL Database are automatically discovered for connected Azure tenants, unless the service is disabled in the provider settings.

To collect complete authorization metadata for each database, you will need to create a local database user that the app registration can connect as to execute read-only queries.

• You will need access to Azure SQL Database(s) and permission to create the local user.

• The Azure SQL Database must have an Azure AD Admin configured.

• The database user must have the same name as the Azure app registration used for discovery, or match the "DB User" name provided when configuring the connection.

Create a local database user the Veza service principal can assume

Connect to your database and create a user, updating db_user in the examples to match the name of the Veza app registration:

CREATE USER [db_user] FROM EXTERNAL PROVIDER

Note that you must connect using Azure AD Authentication to create the Azure AD-connected local user.

Grant select permissions to the sys schema:

GRANT VIEW DEFINITION TO [db_user]

Grant Reader role to the Azure subscription

The app registration must have the Reader role to the Azure subscription attached to the resources to discover. You can check if this was already configured during provider setup, by viewing the subscription's role assignments under Access Control (IAM):

1. From your Azure portal, browse to Subscriptions and choose the registered to the SQL DB. From Access Control (IAM) choose Add > Add role assignments, and select the Reader role:

2. Click Next, and choose Select members on the next screen. Select the Veza app registration.

3. Review and assign the role. You can verify the subscription's role assignments from the main Access control panel.

The next time Veza conducts discovery of your Azure tenant, the new data source will be registered and appear on the Configuration > Apps and Data Sources panel.

Overview

The Veza integration for Delinea Secret Server enables the discovery of Users, Groups, Roles, and permissions from the Delinea Secret Server platform. Veza uses Delinea APIs to populate the Authorization Graph with entities and metadata.

This document explains how to enable and create a Delinea Secret Server integration. See notes and supported entities for more details.

Configuring Delinea Secret Server

Before adding the integration to Veza, create or select a user account for the connection.

To create a single user on the Delinea Secret Server platform, browse to your Delinea instance as an administrator, go to Admin -> User Management, then select Create User

Once the user account has been created or identified, record the username and password for the account, then ensure that the account is assigned the following roles:

Configuring Delinea Secret Server on the Veza Platform

To enable Veza to gather data from the Delinea Secret Server platform:

1. In Veza, open the Integrations page.

2. Click Add New and pick Delinea as the type of integration to add.

3. Enter the required information and Save the configuration.

Notes and Supported Entities

The connector discovers the following entities and attributes:

Delinea Secret Server User

Delinea Secret Server Group

Delinea Secret Server Role

This integration discovers Users, Groups, and Projects for GitLab software development platform, along with authorization data for each group and projects. The integration supports self-hosted and SaaS GitLab deployments.

The GitLab integration requires a read-only access token for authentication, and will discover all groups, sub-groups, and projects the token can access. For self-hosted (non-SaaS) environments, you can optionally discover all groups and additional user information by providing an admin token.

See for more information.

Setup

Generate a GitLab access token

1. Generate a under GitLab Edit profile > Access Tokens.

   • For self-hosted, we recommend generating a personal access token for an Admin-level user to enable full discovery.

   • For GitLab SaaS, a group token will typically be most appropriate. Personal access tokens for a group Owner can also be used.

   • Assign the access token read_api access only.

   • Assign the token a name and expiration date.

   • Save the generated token and use it to configure the integration.

Add the integration to Veza

To enable the integration:

1. Browse to the Veza platform and log in.

2. Go to Integrations.

3. Click Create Integration. Select GitLab as the integration to add.

4. Complete the required fields:

   • Insight Point: By default, integrations run on the Veza SaaS platform. Optionally, you can make an internal connection to GitLab with a deployed .

   • Name: Friendly name for the GitLab deployment.

   • URL: GitLab URL for the connection. Use https://gitlab.com for SaaS or specify URL for self-managed GitLab.

   • Access Token: Integration Access Token.

5. Click Create Integration to save and enable the configuration.

Notes and supported entities

This connector creates the following entities to map applications and identities to permissions:

GitLab groups are represented both as a Group for User membership and as a Group Resource to show user's role in the group and associated permissions (such as Developer, Owner, Guest).

Attributes

Limitations

• Attributes above marked with * are only available on self-hosted with an admin token

• Does not currently process external users

Overview

The Veza integration for Kubernetes enables gathering information about the RBAC roles existing in a cluster, and who has permissions on Kubernetes services and resources.

The integration supports self-hosted deployments and managed Kubernetes services. If you've also integrated Microsoft Azure or Amazon Web Services with Veza, the Kubernetes integration can show authorization relationships connecting users and Kubernetes services, clusters, and roles.

For example, for AWS EKS, the integration provides visibility into:

• K8s Clusters in EKS services

• Service-linked roles for EKS

• AWS IAM Users and Roles with access to K8s clusters

• Paths connecting IAM User → AWS IAM Role → AWS EKS Services → K8s RBAC → K8s Clusters

See for more details.

Configuring Kubernetes

You must install an Insight Point within the cluster to enable a secure connection and collect Kubernetes RBAC metadata. Follow the instructions in to get a Veza-provided OCI image.

Configuring Kubernetes on the Veza Platform

1. In Veza, open the Integrations page.

2. Click Add Integration and pick Kubernetes as the type of integration to add

3. Enter the required information and Save the configuration.

Generic Kubernetes Deployment

To integrate with a cluster that is not managed in EKS, AKS, or GKE, enter the:

• Cluster ID: the unique identifier of the Kubernetes cluster to discover, containing the specified . The exact format can vary depending on environment where the Kubernetes cluster is deployed, e.g. us-east-onprem-cluster.

AWS Elastic Kubernetes Service (EKS)

To integrate with Kubernetes on EKS, enter the:

• Cluster ID: ARN of the EKS cluster, e.g. arn:aws:eks:us-east-1:123456789012:cluster/my-eks-cluster

• Tenant ID: ID of the parent AWS account, e.g. 123456789012

Microsoft Azure Kubernetes Service (AKS)

To integrate with Kubernetes on AKS, enter the:

• Cluster Name: Human-readable name of the cluster in AWS, e.g. example-cluster

• Tenant ID: ID of the parent Azure tenant. This is an Azure Directory ID in the format 12345678-9abc-def0-1234-56789abcdef0

• Subscription ID: Globally unique identifier assigned to the parent Azure subscription, e.g. 12345678-9abc-def0-1234-56789abcdef0

• Resource Group: Name of the logical container the cluster is located, e.g. myResourceGroup.

Google Kubernetes Engine (GKE)

To integrate with Kubernetes on GKE, enter the:

• Project ID: Unique identifier for the Google Cloud Project, e.g. project-id

• Location: Geographic area of the GKE Service, e.g. us-central1

• Cluster Name: Name of the cluster to discover, e.g. gke-cluster-name

Notes and Supported Entities

Kubernetes Cluster

Kubernetes clusters contain groups of nodes that work together to run containerized applications and services.

Kubernetes Group

Kubernetes Role

Roles represent permissions granted to a user or a group of users within a specific namespace. A cluster role is a set of permissions that can be granted to a user or a group of users within the entire cluster.

Kubernetes Role Binding

A Role Binding connects a Role (or a ClusterRole) to a user, a group of users or a service account within a specific namespace. Cluster Role Bindings connect a ClusterRole to a user, a group of users or a service account within the entire cluster.

Kubernetes Service Account

An identity used by applications running in the Kubernetes cluster to authenticate and interact with the Kubernetes API server.

Kubernetes User

A local identity used to authenticate and interact with a cluster. Assigned roles allow users to perform specific actions within namespaces or across the entire cluster.

Overview

The Dropbox integration enables discovery of users, groups, folders, and files within a Dropbox Business account. Veza parses group memberships and permissions to show the full range of user access on the cloud-based content management, collaboration and file sharing service.

• Access Reviews: Review user and group access to files and folders in Dropbox

• Search: Search for users based on permission type or group membership

• Rules and Alerts: Create rules for alerts when users are added to critical groups or new users gain access to sensitive folders

See for more details.

Configuring Dropbox

Veza connects to Dropbox with an OAuth 2.0 authentication flow. You will log in to Dropbox to approve permissions for the Veza application as part of adding the integration in Veza.

Individual Permissions:

• View information about members' Dropbox files and folders

• View members' Dropbox sharing settings and collaborators and manually added Dropbox contacts

• View basic information about members' Dropbox account such as username, email, and country

Team Permissions:

• View content of and information about your team's files and folders and view and edit governance data of your team's files and folders

• View your team group membership and team membership

• View structure of your team's and members' folders

• View basic information about your team including names, user count, and team settings

Configuring Dropbox on the Veza Platform

To add a Dropbox account for discovery:

1. In Veza, go to the Integrations page.

2. Click Add Integration and search for Dropbox. Choose it and click Next to add an integration.

3. Enter the required information

4. Click Authorize to approve the connection in Dropbox. Log in as a Dropbox administrator and click Allow to enable the integration.

5. Click Create Integration to save the configuration.

Notes and Supported Entities

A Dropbox Business account (Dropbox Team) is the top level entity. A team has users (members) who can share their files and folders (resources). Permissions on the shared item can be Editor or Viewer. Users can belong to groups, which can also have permissions on files and folders.

Veza shows team-owned (or account level) folders in addition to user’s folders.

Veza creates the following Authorization Graph entities to model authorization in Dropbox:

Dropbox Tenant

Top-level entity representing a Dropbox Team.

• Tenant Unique ID: Dropbox Team ID (e.g dbtid:asdasdaskjdnajksdakjdkasgAQDLO_eiMaQ)

Dropbox User

• Created at: Timestamp when the user account was created

• User Unique Id: Unique identifier for the user

• Email: User's email address

• Groups: List of groups the user belongs to

• Identity Unique Id: Unique identifier for the user's identity

• Is active: Boolean indicating if the user account is active or not

Dropbox Group

• Group Unique ID: Unique identifier for the group

Dropbox Group Membership

Represents a User > Group assignment in Dropbox.

Dropbox Permission

• Permissions: Can be owner, editor, viewer, viewer_no_comment, traverse, other.

Dropbox Folder

The Dropbox Folder entity represents a folder in the Dropbox file system.

The Veza integration for LastPass Enterprise connects to the platform to discover users, groups, roles, and folders used to store and share passwords and other secrets. Use the integration to:

• Search for LastPass users and shared folders, and create rules and alerts.

• See effective permissions within LastPass for users and groups, based on their roles.

• Review LastPass user > group, user > folder, and user > role assignments.

Requirements

The connector uses the LastPass Enterprise API to fetch authorization metadata. You will need a LastPass account number (cid) and provisioning hash (prohash) to authenticate. To retrieve these values, log in to LastPass using an account with permission to access the Admin Console at .

• Account ID: Unique Account ID provided by LastPass. This can be retrieved on page:

• Provisioning Hash: This API secret can be generated on the LastPass Admin page. Go to to manage provisoning hashes.

You can use an existing provisioning hash, which is unique for your organizations LastPass Enterprise API. If you cannot retrieve the current value, you will need to regenerate it and update any other applications to use the new hash.

See for the latest guidance from LastPass.

Veza setup

To enable Veza to gather data from the LastPass platform:

1. Browse to your Veza instance

2. In the left navigation, expand Configuration, then click Integrations

3. In the main pane, click Add Integration. Pick LastPass.

4. Enter the required details:

   • Insight Point: Use the default option unless you need to use an external Insight Point for the connection.

   • Name: A friendly name to identify the unique connection.

   • Account ID: The account number (CID) shown on the LastPass dashboard, e.g. 123456789012

   • Provisioning Hash: your LastPass API secret, e.g. 94b95bc8bdf562b32e98eac06e9f6d597111e58XXXXXXX6584b3535d322718bc.

Notes and supported entities

LastPass User

Veza discovers and shows the following metadata for LastPass User entities. Attribute filters can be used to constrain searches and access reviews based on these properties:

LastPass Group

Veza discovers and shows the following metadata for LastPass Group entities. Attribute filters can be used to constrain searches and access reviews based on these properties:

LastPass Folder

LastPass folders have the following attributes:

LastPass Application Roles

The Veza LastPass integration discovers the user's role in LastPass as either Admin or User. LastPass does not currently return information about customer-created Admin Levels. Any admin-level user will be assigned the Admin role for the LastPass application. All other users will be assigned the User role.

LastPass Folder Roles

Users assigned to a Shared Folder (either directly or by group membership) have Roles based on the configuration of permissions on the assignment.

Veza creates these Authorization Graph entities to represent access controls enabled when managing Shared Folder recipients in LastPass:

A user may have multiple roles on a folder based on the pairings of these permissions.

Overview

The Veza integration for Palo Alto Networks enables the discovery of applications, users, roles, and permissions from the Palo Alto Networks SASE platform. Veza uses Palo Alto Networks APIs to populate the Authorization Graph with entities and metadata.

This document explains how to enable and create a Palo Alto Networks integration. See for more details.

Configuring Palo Alto Networks SASE / Prisma Access

Before adding the integration to Veza, create a service account for the connection and record your tenant ID.

To create a service user on the Palo Alto Networks platform, follow these steps:

1. Browse to your Strata Cloud Manager instance as an administrator.

2. In the left navigation pane, click the Settings gear. Click Identity & Access.

3. In the Identity & Access pane that appears, record and store the tenant ID (TSG ID) displayed at the top of the pane, then click the Add Identity button.

4. In the modal that appears, provide the following information:

   • Identity Type: Service Account

   • Service Account Name: Enter a unique name for the service account (ex: svc-veza-integration)

   • Service Account Contact: Enter an optional email for the owner of the service account

   • Description: Enter an optional description for the service account's purpose

5. Click Next.

6. On the Client Credentials screen that appears, copy and save the Client ID and Client Secret. Click Next.

7. On the Assign Roles screen, click the dropdown menu under Apps & Services and enable All Apps & Services. Click the Role box and pick View Only Administrator.

Configuring Palo Alto Networks on the Veza Platform

To enable Veza to gather data from the Palo Alto Networks platform, follow these steps:

1. In Veza, open the Integrations page.

2. Click Add New and pick Palo Alto Networks as the type of integration to add. Click Next.

3. Enter the required information (below) and Save the configuration.

Notes and Supported Entities

The connector discovers the following entities and attributes:

Palo Alto Applications

The connector discovers the following applications on the Palo Alto Networks platform:

Palo Alto Networks User

The connector discovers human users and service account users.

Palo Alto Networks Role

The connector discovers both built-in and custom roles and their permissions.

The Veza integration for BambooHR connects to the HRIS platform to discover user profiles and attributes, and group assignments within the application. BambooHR users typically access the platform to track hours worked, manage benefits enrollment, and administer payroll from a single platform. Use the integration to:

• Search for users and filter the results based on metadata Veza collects.

• Review user > group assignments within BambooHR.

• Create alerts and rules to alert for changes in user attributes such as Activity Status.

Requirements

The connector uses the BambooHR Reports API to gather the required authorization metadata. To enable the connector on Veza, you will need to supply an API key and the company domain to connect to:

• Company Domain: The name of the company from your BambooHR login URL: https://{company_domain}.bamboohr.com/.

• API Key: Unique API Key provided by BambooHR. Each user can have one or more secret keys that identify that user to the API. The secret key is a 160-bit number expressed in hexadecimal form.

To create an API key in BambooHR, follow these steps:

1. Log in to BambooHR and click on your name in the upper right corner of any page to open the user menu. Optionally, you can create a dedicated BambooHR user for the integration, and complete these steps after logging in as that user. Note that users must have Full Admin access to create API keys.

2. Click API Keys.

3. On the following page, click on Add New Key.

4. Enter an API Key Name then click Generate Key. A random string will appear, similar to 6d925aae960335ba7824f6e0c5cfadc1dc0c027a. Save this value in a secure location.

See for official documentation on creating BambooHR API keys.

Adding a BambooHR Integration to Veza

To enable Veza to gather data from the BambooHR platform:

1. Browse to your Veza instance.

2. In the left navigation, expand Configuration, then click Integrations.

3. In the main pane, click Add Integration and choose BambooHR.

4. Enter the required details:

   • Insight Point: Use the default option unless you need to use an external Insight Point for the connection.

   • Name: A friendly name to identify the unique connection.

   • Company Domain: The BambooHR company identifier from your login URL, excluding the full URL, e.g., company_name.

   • API Key: The BambooHR secret key from the steps above, e.g., 6d925aae960335ba7824f6e0c5cfadc1dc0c027a.

   • IdP Types: Comma-separated list of IdP types for mapping external identities, e.g., okta,active_directory,azure_ad,custom,google_workspace,one_login.

Notes and Supported Entities

Veza discovers and shows the following metadata for BambooHR User entities, which can be used to narrow searches and access reviews using attribute filters:

Overview

The Veza integration for Expensify enables discovery of users, workspaces, and roles within the expense management system.

Use it to:

• Search for any Expensify user by department or who they submit expenses to.

• Review Expensify Role and Workspace assignments for all users or specific Workspaces.

• Create rules and alerts when changes occur (such as when a new Policy Admin is detected or a Workspace is added).

See for more details.

Configuring Expensify

The integration uses the Expensify Enterprise Import/Export API to fetch the data.

• To connect, Veza will need your Expensify partnerUserID and partnerUserSecret.

• Veza recommends creating a unique user and using their API credentials for the integration. The integration user should have the AUDITOR role to gather the required authorization metadata.

To get the User ID and User Secret, log in to Expensify and go to the Integrations page: https://www.expensify.com/tools/integrations/.

• If you've already generated these for another application, you will need to use the existing ID and Secret. Otherwise you can regenerate the credentials.

• See the for more details.

Configuring Expensify on the Veza Platform

1. In Veza, open the Integrations page.

2. Click Add Integration and pick Expensify as the type of integration to add

3. Enter the required information and Save the configuration

Notes and Supported Entities

Veza creates Authorization Graph entities to represent Expensify Users and Expensify Groups. You can create filters and rules based on the following attributes.

Expensify Users

Expensify Users represent individual employees who log to report or approve expenses, or any other task on the platform.

Expensify Workspaces (as Groups)

Expensify Workspaces define common rules for expense management, used to organize departments, teams, or other groups of users.

Expensify Roles

Roles define the relationship an individual users has to a Workspace, such as Policy Admin, Auditor or Employee, and represent a set of permissions.

Overview

The Veza integration for Oracle Fusion Cloud supports collecting Users, Groups, and Roles for the Oracle Fusion Cloud ERP platform.

See for more details.

Configuring Oracle Fusion

Veza uses pre-defined reports in Oracle Fusion to collect user role information. These reports are defined in an Oracle Fusion catalog file that can be downloaded below.

1. Create a user for the connector to use. The connector uses that user name and password combination to connect to both the Oracle Fusion REST API and BI Publisher.

2. Upload the Veza_v2.catalog file to the BI Catalog.

   1. Navigate to the instance's Catalog page: https://<instance>.oraclecloud.com/analytics/saw.dll?catalog

   2. Under Shared Folders/Custom select Unarchive and upload the Veza.catalog file

   3. Verify that a new folder containing two entities is created (Custom/Veza/v2). This Data Model and Report allow the connector to make the necessary queries to collect the detailed role information.

   4. Ensure the intended user has permission on both the Data Model and Report objects.

Configuring Oracle Fusion Integration on Veza Platform

1. In Veza, open the Integrations page.

2. Click Add New and pick Oracle Fusion Cloud as the type of integration to add

3. Enter the required information and Save the configuration

Notes and Supported Entities

Oracle Fusion Cloud User

Oracle Fusion Cloud Role

Oracle Fusion Security Context (as Resource)

Oracle Fusion Security Contexts (e.g. 'Asset Book', 'Business Unit', 'Ledger') are represented as Resources. Users may have specific roles assigned to specific Security Contexts in addition to application-wide roles.

Veza natively supports AWS for all configured AWS accounts. You can use the Authorization Graph to display all Customer Master Keys (CMKs), and view cross-service relationships between IAM roles and policies, KMS keys, and data sources.

Any AWS tags and aliases are automatically extracted when discovering KMS keys. These can be viewed from the entity details, and used to filter search results.

Configuration

As KMS discovery is enabled by default, no additional configuration is required. For more granular control over which AWS data resources are cataloged, you can select specific services for extraction by navigating to the Veza Integrations page, and choosing the "edit" option for the AWS account.

In order for a CMK to be discoverable, its Key Policy must have IAM permissions enabled, or grant the Veza AWS IAM principal directly. are enabled by the default AWS KMS key policy, by a statement such as:

To read authorization metadata for KMS, the IAM policy used by the Veza-AWS connector must include the following statement:

The last two permissions (kms:GetKeyRotationStatus and kms:ListKeyRotations) are required to show the AWS KMS CMK "Last Rotated At" attribute in Veza.