1 of 100

Adobe Enterprise

Configuring the Veza integration for Adobe Enterprise.

Overview

The Adobe Enterprise integration enables Veza to discover and analyze users, groups, and administrative roles within your Adobe environment. This integration uses Adobe's User Management API (v2) to provide visibility into user access, group memberships, and product license assignments across your Adobe organization.

The integration supports:

Discovery of Adobe Enterprise users and their properties

Add Existing AWS Accounts

Integrate multiple existing accounts in an Organization using AWS CloudFormation

AWS CloudFormation allows organizations to easily deploy AWS resources into existing accounts within the AWS Organization. Veza integrates with AWS CloudFormation to enable one-touch registration of AWS accounts with the Veza platform.

To control which AWS accounts will register with the Veza platform, the provided CloudFormation template can apply to the AWS Organization as a whole, specific Organizational Units within the AWS Organization, or specific AWS accounts.

The template will create the required IAM resources and a Lambda function responsible for registering and updating the managed account where it is deployed, and create a Veza AWS Integration for the account.

Integration Details

AWS DynamoDB

Discovery of DynamoDB Data Resources with Veza

Veza will automatically catalog DynamoDB resources for configured AWS accounts. All discovered DynamoDB tables, secondary indexes, and streams can be viewed in the data catalog, with cross-service effective permissions available in Access Graph search. DynamoDB insights are included in select Reports, or can be viewed using the Saved Queries panel.

Notes

To extract authorization metadata for DynamoDB, the IAM policy granting discovery and extraction permissions must include the following statement:

  {
      "Sid": "DynamoDB",
      "Effect": "Allow",
      "Action": [
        "dynamodb:ListTables",
        "dynamodb:DescribeTable",
        "dynamodb:ListStreams",
        "dynamodb:DescribeStream"
        ],
      "Resource": "*"
  }

These permissions are included in the latest ; if you are upgrading from release 2021.6.xyou will need to update the policy attached to the Insight Point, IAM user, or IAM role used for discovery.

Supported Resources / Sub-resources

DynamoDB Table
DynamoDB Secondary Index
DynamoDB Stream

AWS KMS

Automatic Classification for AWS Key Management Service

Veza natively supports AWS Key Management Service (KMS) for all configured AWS accounts. You can use the Access Graph to display all Customer Master Keys (CMKs), and view cross-service relationships between IAM roles and policies, KMS keys, and data sources.

Any AWS tags and aliases are automatically extracted when discovering KMS keys. These can be viewed from the entity details, and used to filter search results.

Configuration

As KMS discovery is enabled by default, no additional configuration is required. For more granular control over which AWS data resources are cataloged, you can select specific services for extraction by navigating to the Veza Integrations page, and choosing the "edit" option for the AWS account.

In order for a CMK to be discoverable, its Key Policy must have IAM permissions enabled, or grant the Veza AWS IAM principal directly. are enabled by the default AWS KMS key policy, by a statement such as:

To read authorization metadata for KMS, the IAM policy used by the Veza-AWS connector must include the following statement:

The last two permissions (kms:GetKeyRotationStatus and kms:ListKeyRotations) are required to show the AWS KMS CMK "Last Rotated At" attribute in Veza.

AWS RDS PostgreSQL

Creating a local user for gathering database-level metadata

When connecting an AWS account to Veza, the recommended IAM policy includes permissions to discover PostgreSQL instances and clusters on RDS. To gather additional metadata, Veza will need to be able to execute database commands as a local user, as described in this document.

Prerequisites

AWS IAM must be enabled
You will need administrator privileges to create the local user, which will be used to connect at runtime
An is recommended for RDS PostgreSQL discovery.

Granting Veza Access

There are two options to allow Veza access to RDS PostgreSQL databases, depending on whether your instance configuration has revokedpublic privileges for the pg_catalog schema, as is a common security practice.

A) If you if you have not revoked the default public privileges on your schema, you only need to create the user and grant the rds_iam privilege:

B) If you have revoked the default privileges from your schema, you should instead run the following command to create the user and grant select permissions for the required tables:

Verify that the RDS PostgreSQL DB User specified in the Veza IAM policy for the integration is the same as the local database user you create, for example:

"Resource": "arn:aws:rds-db:us-east-1:123456789:dbuser:*/<my_veza_db_user>"

Note that in the current release, the local username must be the same for all the RDS PostgreSQL resources to discover. You can specify this RDS PostgreSQL DB User name when configuring an .

The next time Veza connects to the AWS account, the database will be registered and appear under "Discovered Data Sources" on the Integrations > All Data Sources tab.

IAM Policy for RDS Discovery

The following sections must be included in your Veza IAM policy. Update the bracketed values to contain your actual region, account ID, and the database username you specified when .

Beeline

Configuring the Veza integration for Beeline

Overview

Early Access: Beeline is available in Early Access. Please contact our support team to enable the integration.

The Veza integration for the Beeline workforce platform enables discovery of Beeline employees, and can be enabled as a source of identity for lifecycle management policies. HRIS metadata from Beeline can be used to enrich queries, access reviews, and enable provisioning and de-provisioning flows when employees are added or removed, or their status changes.

Configuring Beeline

The Veza Beeline connector uses Beeline's Reporting as a Service (RaaS) feature to retrieve employees and their attributes.

After enabling RaaS, a BeeLine report with the corresponding values must be created in advance. Please contact our support team to coordinate report creation for the latest supported attributes.

Ensure that the RaaS feature is enabled.
Generate an API key for the integration user, that Veza will use for the discovery. This user can be an existing Beeline user or a new user.
1. Note the ClientSecret, UserName and UserAPIKey from the API Authentication Page

Configuring the Beeline Integration on Veza

On the Veza Integrations page, click Add Integration and locate the Beeline tile.
Configure the integration with the following fields:
1. Name - Name for the integration
2. Site ID - Customer or Project identifier for the Beeline instance

Notes and Supported Entities

Beeline Employee

Employee fields ingested by Veza will depend on the report configuration. Currently, the following attributes are supported:

id
employee number
first name
last name

Concur

Configuring the Veza integration for Concur

Overview

Concur is an enterprise-level expense management platform that automates expense reports, approvals, and payments. The integration facilitates data exchange between Veza and Concur, for user and role discovery.

Confluent

Configuring the Veza Integration for Confluent

Overview

The Veza integration for Confluent enables the discovery of Users, Groups, Roles, Clusters, and Environments from the Confluent platform. Veza uses Confluent APIs to populate the Access Graph with entities and metadata.

This document explains how to enable and create a Confluent integration. See for more details.

CSV Upload API

Automating updating CSV integration data

Overview

In addition to using a simple web interface to update CSV data manually, you can automate a process to push new data using the Veza REST API and refresh the Veza graph. This document includes example utilities using Python and CLI tools.

Using the Upload CSV REST API

After creating a CSV upload integration, you can use the REST API operation to upload new CSV data.

Whenever a CSV is submitted, it is processed based on the current configuration of the CSV Upload Integration provider, including any column mapping settings.Authentication: To make API calls, you must include an authorization token in the header of each request. This can be:

A Personal API Key for a Veza administrator
A Team API Key, for a team assigned to manage CSV Upload integrations

See for more details on creating API keys.

Note: The CSV data must be complete for each upload. Veza will remove entities from the Graph for any entities that were present in the previous upload, but not in the current upload.

Retrieving Integration IDs

Using the REST API requires the Integration (Provider) and Data Source IDs. You can retrieve these in Veza on the Integration Details > Data Source tab:

On the Veza Integrations page, click the CSV integration to view details
On the Data Source tab, click the data source name to view details
Copy the values from the Properties table:
1. The unique data source "Id"

Uploading the Data

Uploading the CSV data is made with a post call to the /api/v1/providers/custom/{provider_id}/datasources/{data_source_id}:push_csv endpoint.

Note: The CSV contents must be base64-encoded into the JSON body of the request. Raw CSV values are rejected. You can automatically convert the data as part of your implementation, as shown below.

Example using Curl

Example using Python

DocuSign

Configuring the Veza integration for DocuSign

Overview

The DocuSign integration enables discovery of identities, groups, and permissions within a DocuSign account. It uses Open Authorization API to create the following entities:

Account → Custom Application

Dropbox

Configuring the Veza integration for Dropbox

Overview

The Dropbox integration enables discovery of users, groups, folders, and files within a Dropbox Business account. Veza parses group memberships and permissions to show the full range of user access on the cloud-based content management, collaboration and file sharing service.

Access Reviews: Review user and group access to files and folders in Dropbox

Jenkins

Configuring the Veza integration for Jenkins

Overview

The Veza integration for Jenkins enables the discovery of Users and Roles, and permissions. One configured, Veza uses Jenkins APIs to populate the Access Graph with entities and metadata. The integration supports project-based Matrix Authorization and role-based access controls.

To enable the integration:

Azure SQL Database

Configuring Azure SQL database for Veza discovery

Resources and authorization for Azure SQL Database are automatically discovered for connected Azure tenants, unless the service is disabled in the .

To collect complete authorization metadata for each database, you will need to create a local database user that the app registration can connect as to execute read-only queries.

You will need access to Azure SQL Database(s) and permission to create the local user.
The Azure SQL Database must have an .

Microsoft SharePoint Server

Configuring the Veza integration for SharePoint Server (on-premises).

Overview

Veza can discover and analyze permissions in SharePoint Server environments that are configured with Microsoft Entra ID (formerly Azure AD) federated authentication. This offers visibility into your on-premises SharePoint infrastructure using an existing Azure Integration, including:

Site collections and sub-sites discovery
Document libraries and folders
Effective permission analysis
Microsoft Entra ID user and group federation
Optional site filtering with allow and deny lists

Prerequisites

SharePoint Server 2013 or newer
The SharePoint environment must be configured for federated authentication with Microsoft Entra ID following Microsoft's
The Azure integration in Veza must be configured with a valid SSL certificate for SharePoint site discovery (Signed certificate recommended for production environments)

Configuring the Azure Integration for SharePoint Server

You can connect to SharePoint by providing a certificate for app-only access when configuring an Azure integration. For testing environments, you can generate a self-signed certificate following the .

The integration requires read-only API permissions to discover SharePoint resources:

Go to the Integrations page and add or edit an Azure integration, following the instructions in .
In Azure, create or edit the app registration for the integration with the additional API scopes:
- SharePoint:
  - User.Read.All

Okta MFA status

Additional steps may be needed to fully gather enrolled MFA factors for Okta identities

If your Okta Multi-factor enrollment policies are such that traffic from Veza's Cloud IP Addresses is denied the ability to use a factor, Veza will not be able to detect user enrollment in that factor. As a result, the "MFA Active" property for Okta users will be "False," even if factors are enabled for the user. To prevent this, you can can:

Configure an Okta Network Zone that allows optional MFA factors
Use an Insight Point to connect to Okta from an IP address internal to your data center that does not have these restrictions

See below for more details and steps to enable:

Background

Okta have the ability to not only set enrollment but also define usage. MFA enrollment policies work by evaluating from the highest priority to the lowest priority at the policy level (filtered by groups), and then at the rule level (filtered by and ).

This means that if there is not a policy rule that fits the incoming request, Okta will check the next policy that applies to the user until it finds one (Default Policy applies to everyone and Default Rule applies everywhere).

Resolution

There are 2 options to allow Veza to fully collect MFA enrollment.

Configure a Network Zone specifically for the Veza IP Addresses and allow the factors as optional at the Policy level and deny the Enrollment at the Policy Rule Level:
- Create an Okta Group to control scope during deployment.
- Configure for under Gateway IPs.

Oracle EPM

Configuring the Veza integration for Oracle Enterprise Performance Management (EPM)

Overview

The Veza integration for Oracle Enterprise Performance Management (EPM) discovers users, groups and roles assigned in EPM. Veza uses an Oracle EPM service account connect to the EPM APIs to run the built in EPM reports for user group and role assignments.

  {
    "Sid": "KMS",
    "Effect": "Allow",
    "Action": [
      "kms:GetKeyPolicy",
      "kms:ListAliases",
      "kms:ListKeyPolicies",
      "kms:ListKeys",
      "kms:ListResourceTags",
      "kms:DescribeKey",
      "kms:GetKeyRotationStatus",
      "kms:ListKeyRotations"
    ],
    "Resource": "*"
  }

CREATE USER [db_user] WITH LOGIN;
GRANT rds_iam TO [db_user];
GRANT SELECT ON
  pg_catalog.pg_user,
  pg_catalog.pg_group,
  pg_catalog.pg_namespace,
  pg_catalog.pg_class,
  pg_catalog.pg_database,
  pg_catalog.pg_auth_members,
  pg_catalog.pg_attribute,
  pg_catalog.pg_roles,
  pg_catalog.pg_trigger,
  pg_catalog.pg_proc,
  pg_catalog.pg_collation,
  pg_catalog.pg_conversion,
  pg_catalog.pg_type,
  pg_catalog.pg_event_trigger,
  pg_catalog.pg_extension,
  pg_catalog.pg_foreign_data_wrapper,
  pg_catalog.pg_foreign_table,
  pg_catalog.pg_language,
  pg_catalog.pg_largeobject_metadata,
  pg_catalog.pg_operator,
  pg_catalog.pg_opclass,
  pg_catalog.pg_opfamily,
  pg_catalog.pg_policy,
  pg_catalog.pg_publication,
  pg_catalog.pg_sequence,
  pg_catalog.pg_foreign_server,
  pg_catalog.pg_statistic_ext,
  pg_catalog.pg_subscription,
  pg_catalog.pg_tablespace,
  pg_catalog.pg_ts_config,
  pg_catalog.pg_ts_dict,
  pg_catalog.pg_parameter_acl
TO [db_user];

{
  "Sid": "RDS",
  "Effect": "Allow",
  "Action": [
    "rds:DescribeDBInstances",
    "rds:DescribeDBClusters"
    ],
  "Resource": "*"
},
{
  "Sid": "RdsDbConnect",
  "Effect": "Allow",
  "Action": [
    "rds-db:connect"
    ],
  "Resource": "arn:aws:rds-db:<region>:<account_id>:dbuser:<cluster-name>/<db_user>"
}

AWS RDS MySQL

Discovering granular MySQL permissions with Veza

When connecting an AWS account to Veza, the recommended IAM policy includes permissions to discover RDS instances and clusters. To gather additional metadata, Veza will need to be able to execute database commands as a local user, as described in this document.

RDS MySQL databases are discovered by Veza via role assumption to a local MySQL user, granted the necessary read-only permissions. Veza creates authorization entities for:

RDS MySQL Database
RDS MySQL Function
RDS MySQL Instance
RDS MySQL Local User
RDS MySQL Local User Instance
RDS MySQL Procedure
RDS MySQL Role
RDS MySQL Role Instance
RDS MySQL Service
RDS MySQL Table
RDS MySQL Trigger

By default, extraction excludes the buil-in MySQL tables sys, performance_schema, information_schema, and mysql. These system-created tables are potentially of interest as they can contain sensitive data, and are discoverable on an optional basis. Enable Gather System Tables in the parent AWS integration configuration to show these Table entities and permissions in Veza.

Prerequisites

You will need admin access and privileges to create a local user, which will be used to connect at runtime
An is recommended for RDS MySQL discovery.
- The Insight Point egress IP needs to be permitted in the RDS .

Support for Amazon Aurora

RDS MySQL databases managed by Amazon Aurora are automatically discovered when RDS extraction is enabled for a configured AWS account.
Connected instances are mapped to the top-level Aurora RDS cluster in Access Graph search.
Since all instances in an Aurora cluster are replicas of the same MySQL database, each has the same database-level properties.

1. Configure the IAM Policy

Ensure that the IAM policy configured during AWS setup includes the <db_user> name of the MySQL user, and is the same as the RDS MySQL DB User name specified in AWS integration configuration. Below is a minimal policy allowing the required actions for discovery.

To discover individual RDS instances across multiple regions, you will need to create additional Resource entries in the Veza IAM policy for each region, for example:

"Resource": "arn:aws:rds-db:us-east-1:123456789:dbuser:*/veza_user" "Resource": "arn:aws:rds-db:us-west-1:123456789:dbuser:*/veza_user"

Alternatively, you can use wildcard operator (*) to match all regions, accounts, and databases:

"Resource": "arn:aws:rds-db:*:*:dbuser:*/veza_user"

2. Create the local user

Connect to your database, and execute the following command to create a Veza User and grant the needed privileges for discovery. Replace [veza_user] with the name of the actual database user specified in your policy:

The next time Veza connects to the configured AWS account, the RDS MySQL server will be registered and appear under "Discovered Data Sources" on the Integrations > All Data Sources tab.

AWS Redshift

Configuring AWS Redshift for Veza discovery

The recommended AWS connector policy only includes API permissions to get authorization metadata for Redshift clusters. To connect to Redshift databases for full discovery, a local Redshift user with the redshift:GetClusterCredentialsIAM privilege is required. You can allow this via IAM policy in one of two ways, described in the steps below.

Additionally, the local user will also need read-only database permissions on the warehouses to discover.

1. Update AWS IAM policy

A) AWS can automatically create a local user with the same name as the IAM principal initiating the connection. This can be accomplished in your policy using the condition key ${redshift:DbUser}, as in line 6 of the following example:

Note that the name of the provisioned Redshift user will be transformed to lowercase, and any dashes will be replaced with underscores (For an IAM user or role Veza-AI, the Redshift user name will be veza_ai).

You will still need to manually grant the SELECT privileges for the local user using the commands in the section.

B) If you would prefer to connect as a local user that you will create yourself, you must specify that user explicitly in the policy, for example:

The db_user username must be the same as the "Redshift DB User User" specified when configuring the AWS account on the Veza Integrations page.

Connect to the Redshift warehouse and create the user:

2. Grant Redshift database permissions

The redshift-data:ExecuteStatement only allows the Veza service principal to run Redshift queries—the exact data Veza can access is governed within Redshift. Database permissions must be granted to the local user for each instance you want to discover.

Connect to the data warehouse and use the following GRANT SELECT command:

The next time Veza conducts discovery for the parent AWS account, the instance will be registered and appear under "Discovered Data Sources" on the Integrations > All Data Sources_ tab.

For further reference, see the in the official AWS documentation.

LastPass

Configuring the Veza integration for LastPass

The Veza integration for LastPass Enterprise connects to the platform to discover users, groups, roles, and folders used to store and share passwords and other secrets. Use the integration to:

Search for LastPass users and shared folders, and create rules and alerts.
See effective permissions within LastPass for users and groups, based on their roles.
Review LastPass user > group, user > folder, and user > role assignments.

Requirements

LastPass enterprise policies can restrict API access to report-only. This policy must be disabled to permit the Veza integration to make the required API calls.

You can view and manage this policy under LastPass Admin Console > Settings > Policies > Restrict Enterprise API to event reporting

The connector uses the LastPass Enterprise API to fetch authorization metadata. You will need a LastPass account number (cid) and provisioning hash (prohash) to authenticate. To retrieve these values, log in to LastPass using an account with permission to access the Admin Console at .

Account ID: Unique Account ID provided by LastPass. This can be retrieved on page:
Provisioning Hash: This API secret can be generated on the LastPass Admin page. Go to to manage provisoning hashes.

You can use an existing provisioning hash, which is unique for your organizations LastPass Enterprise API. If you cannot retrieve the current value, you will need to regenerate it and update any other applications to use the new hash.

See for the latest guidance from LastPass.

Veza setup

To enable Veza to gather data from the LastPass platform:

Browse to your Veza instance
In the left navigation, expand Configuration, then click Integrations
In the main pane, click Add Integration. Pick LastPass.
Enter the required details:

Notes and supported entities

LastPass User

Veza discovers and shows the following metadata for LastPass User entities. Attribute filters can be used to constrain searches and access reviews based on these properties:

Attribute (type)

Description

LastPass Group

Veza discovers and shows the following metadata for LastPass Group entities. Attribute filters can be used to constrain searches and access reviews based on these properties:

Attribute (type)

Description

LastPass Folder

LastPass folders have the following attributes:

Attribute (type)

Description

LastPass Application Roles

The Veza LastPass integration discovers the user's role in LastPass as either Admin or User. LastPass does not currently return information about customer-created Admin Levels. Any admin-level user will be assigned the Admin role for the LastPass application. All other users will be assigned the User role.

LastPass Folder Roles

Users assigned to a Shared Folder (either directly or by group membership) have Roles based on the configuration of permissions on the assignment.

Veza creates these Access Graph entities to represent access controls enabled when managing Shared Folder recipients in LastPass:

LastPass Configuration

State

Veza Role

A user may have multiple roles on a folder based on the pairings of these permissions.

BambooHR

Configuring the Veza integration for BambooHR

The Veza integration for BambooHR connects to the HRIS platform to discover user profiles and attributes, and group assignments within the application. BambooHR users typically access the platform to track hours worked, manage benefits enrollment, and administer payroll from a single platform. Use the integration to:

Search for users and filter the results based on metadata Veza collects.
Review user > group assignments within BambooHR.
Create alerts and rules to alert for changes in user attributes such as Activity Status.

Requirements

The connector uses the BambooHR Reports API to gather the required authorization metadata. To enable the connector on Veza, you will need to supply an API key and the company domain to connect to:

Company Domain: The name of the company from your BambooHR login URL: https://{company_domain}.bamboohr.com/.
API Key: Unique API Key provided by BambooHR. Each user can have one or more secret keys that identify that user to the API. The secret key is a 160-bit number expressed in hexadecimal form.

To create an API key in BambooHR, follow these steps:

Log in to BambooHR and click on your name in the upper right corner of any page to open the user menu. Optionally, you can create a dedicated BambooHR user for the integration, and complete these steps after logging in as that user. Note that users must have Full Admin access to create API keys.
Click API Keys.

See for official documentation on creating BambooHR API keys.

Adding a BambooHR Integration to Veza

To enable Veza to gather data from the BambooHR platform:

Browse to your Veza instance.
In the left navigation, expand Configuration, then click Integrations.
In the main pane, click Add Integration and choose BambooHR.
Enter the required details:

Notes and Supported Entities

Veza discovers and shows the following metadata for BambooHR User entities, which can be used to narrow searches and access reviews using attribute filters:

Attribute (type)

Description

LDAP Server Configuration Examples

Platform-specific examples for configuring LDAP servers to work with Veza.

This guide provides platform-specific examples for configuring LDAP servers to allow read-only access for the Veza integration. Configure your LDAP server to provide the minimal permissions required for Veza to discover users, groups, and their relationships.

Active Directory Users: Use the dedicated Microsoft Active Directory integration for Active Directory Domain Services instead of this generic LDAP connector for optimal functionality and support.

OpenLDAP Configuration

OpenLDAP uses Access Control Lists (ACLs) defined in slapd.conf or through dynamic configuration. The service account needs read access to the target organizational units.

Example ACL Configuration:

Service Account Creation:

Oracle Unified Directory Configuration

Oracle Unified Directory uses Access Control Instructions (ACIs) for permission management. Configure through Oracle Directory Services Manager or command line.

Example ACI Configuration:

IBM Directory Server Configuration

IBM Directory Server uses ACLs similar to other enterprise LDAP implementations. Configure through the IBM Directory Server Web Administration Tool.

ACL Example:

ForgeRock Directory Services Configuration

ForgeRock Directory Services uses ACIs similar to Oracle Unified Directory. Configure through the ForgeRock Directory Services Control Center.

Example ACI Configuration:

Red Hat Identity Manager Configuration

Red Hat Identity Manager (IdM) uses groupOfNames object class with member attributes instead of the default groupOfUniqueNames with uniqueMember. Configure the Veza integration with these specific settings:

Groups Object Class: groupOfNames
Group Member Attribute: member (or leave blank for auto-detection)

IdM provides built-in permission and role management through the ipa command-line interface. Create appropriate permissions for the Veza service account to read user and group information according to your organization's IdM configuration policies.

General Security Considerations

When configuring any LDAP server for Veza integration:

Principle of Least Privilege: Grant only the minimum read permissions necessary for user and group discovery
SSL/TLS Encryption: Always use LDAPS (port 636) or StartTLS to encrypt communication
Service Account Security: Use a dedicated service account with a strong password and appropriate expiration policies
Network Security: Ensure the LDAP server is accessible only from authorized Veza components

Testing Configuration

After configuring your LDAP server, verify the service account can access required data:

Consult your LDAP server documentation for platform-specific configuration details and best practices.

Reteriving Signing Certificate

Many LDAPS deployments use a locally signed certificate for encrypting the traffic in-flight. The singing Certificate Authority (CA) must be provided during configuration for Veza to trust the connection.

The CA can be retrieved from the server using openssl tool to inspect the signing certificate for the connection.

The command will output summary information about the signing certificates in the connection. Copy the base64 encoded text between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- to a text file. if there are multiple certificates, each can be added to the same file. Save this file and upload it for the Ca Certificate during configuration.

Ivanti Neurons

Configuring the Veza HRIS integration for Ivanti Neurons

Overview

The Veza integration for the Ivanti Neurons HRIS system streamlines identity governance by automatically synchronizing employee data with Veza's Identity Security platform. This integration enables organizations to:

Maintain current employee data across your identity security infrastructure
Enrich Veza search results with up-to-date employee information
Streamline access reviews with accurate organizational context
Support automated lifecycle management workflows using Ivanti Neurons as a source of identity

This guide will walk you through creating the required API credentials in Ivanti, configuring the integration in Veza, and including custom employee attributes (optional).

Configuring Ivanti

The Veza Ivanti Nurons connector requires an API key to connect and collect the employee information. Follow the steps in the Ivanti

Create the API key for a user with administrative read permissions to view all employees.

Configuring the Ivanti Nurons Integration on Veza

Most customers will require a Veza Insight Point to be deployed in their environment to access their Ivanti Nurons instance. Follow the steps <> for more on deploying a Veza Insight Point.

On the Veza Integrations page, click Add Integration and locate the Ivanti Nurons HR tile.
Configure the integration with the following fields:
1. Set the Insight Point - Select the Insight Point that will have access to the Ivanti Nurons instance
2. Name

Notes and Supported Entities

Ivanti Employee

The Veza connector gathers employee metadata from the employees business object. Business Objects can be viewed from the Ivanti Configuration console, under Build > Business Objects

The following Employee properties are collected by default and mapped to the Veza Employee object.

Employee Property

API Field

Notes

Collecting Additional Fields

Any additional field from the employee business object can be extracted as a string by adding it to a comma-separated list in the Additional Properties field during integration configuration. These values will be added as custom properties on the Employee object shown in Veza.

For example, to collect the employees DN and extensionAttribute1 set Additional Properties to DN,extensionAttribute1

Expensify

Configuring the Veza integration for Expensify

Overview

The Veza integration for Expensify enables discovery of users, workspaces, and roles within the expense management system.

Use it to:

Search for any Expensify user by department or who they submit expenses to.
Review Expensify Role and Workspace assignments for all users or specific Workspaces.
Create rules and alerts when changes occur (such as when a new Policy Admin is detected or a Workspace is added).

See for more details.

Configuring Expensify

The integration uses the Expensify Enterprise Import/Export API to fetch the data.

To connect, Veza will need your Expensify partnerUserID and partnerUserSecret.
Veza recommends creating a unique user and using their API credentials for the integration. The integration user should have the AUDITOR role to gather the required authorization metadata.

To get the User ID and User Secret, log in to Expensify and go to the Integrations page: https://www.expensify.com/tools/integrations/.

If you've already generated these for another application, you will need to use the existing ID and Secret. Otherwise you can regenerate the credentials.
See the for more details.

Configuring Expensify on the Veza Platform

In Veza, open the Integrations page.
Click Add Integration and pick Expensify as the type of integration to add
Enter the required information and Save the configuration

Field

Notes

Notes and Supported Entities

Veza creates Access Graph entities to represent Expensify Users and Expensify Groups. You can create filters and rules based on the following attributes.

Expensify Users

Expensify Users represent individual employees who log to report or approve expenses, or any other task on the platform.

Attribute

Notes

Expensify Workspaces (as Groups)

Expensify Workspaces define common rules for expense management, used to organize departments, teams, or other groups of users.

Attribute

Notes

Expensify Roles

Roles define the relationship an individual users has to a Workspace, such as Policy Admin, Auditor or Employee, and represent a set of permissions.

Attribute

Notes

CSV_PAYLOAD=$(cat my_app_data.csv | base64)
curl --location https://example.vezacloud.com/api/v1/providers/custom/40bdd318-d320-4574-be90-ca556d59889a/datasources/9bc29dc6-8cd0-4926-992e-7d720305ae2f:push_csv \
--request POST \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $VEZA_API_KEY" \
--data "{\"csv_data\": \"${CSV_PAYLOAD}\"}"

#!/usr/bin/env python3

import base64
import json
import os
import sys

import oaaclient.utils as oaautils
from oaaclient.client import OAAClient, OAAClientError

veza_url = "https://example.vezacloud.com"
veza_api_key = os.getenv("VEZA_API_KEY")

provider_id = "UUID of Provider"
data_source_id = "UUID of Data Source"

source_csv = "path/to/my_file.csv"

print("Connecting to Veza")
try:
    veza_con = OAAClient(veza_url, veza_api_key)
except OAAClientError as e:
    print("Error connecting to Veza tenant")
    print(e)
    sys.exit(1)

print("Loading CSV file")
with open(source_csv, "rb") as f:
    encoded_csv = base64.b64encode(f.read())

print("Pushing data to Veza")
try:
    push_request = {"id": provider_id, "data_source_id": data_source_id, "csv_data": encoded_csv.decode()}
    veza_con.api_post(f"/api/v1/providers/custom/{provider_id}/datasources/{data_source_id}:push_csv", push_request)
    print("Push succeeded")
except OAAClientError as e:
    log.error(f"{e.error}: {e.message} ({e.status_code})")
    if hasattr(e, "details"):
        for d in e.details:
            log.error(d)
    sys.exit(3)

# Replace placeholders with actual values
curl --location 'https://us.api.concursolutions.com/oauth2/v0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=YOUR_CLIENT_ID' \
--data-urlencode 'client_secret=YOUR_CLIENT_SECRET' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=YOUR_COMPANY_UUID' \
--data-urlencode 'password=YOUR_REQUEST_TOKEN' \
--data-urlencode 'credtype=authtoken'

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RDS",
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBInstances",
        "rds:DescribeDBClusters"
      ],
      "Resource": "*"
    },
    {
      "Sid": "RdsDbConnect",
      "Effect": "Allow",
      "Action": [
        "rds-db:connect"
      ],
      "Resource": "arn:aws:rds-db:<region>:<account_id>:dbuser:<cluster-name>/<db_user>"
    }
  ]
}

CREATE USER [veza_user] IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';

GRANT REFERENCES ON *.* TO [veza_user];
GRANT SELECT ON mysql.user TO [veza_user];
GRANT SELECT ON mysql.db TO [veza_user];
GRANT SELECT ON mysql.tables_priv TO [veza_user];
GRANT SELECT ON mysql.columns_priv TO [veza_user];
GRANT SELECT ON mysql.global_grants TO [veza_user];
GRANT SELECT ON mysql.procs_priv TO [veza_user];
GRANT SELECT ON mysql.proxies_priv TO [veza_user];

-- Only if MySQL version is up to 5.7
GRANT SELECT ON mysql.proc TO [veza_user];

-- Only if MySQL version is 8+
GRANT SELECT ON mysql.role_edges TO [veza_user];
GRANT SHOW_ROUTINE ON *.* TO [veza_user];

-- If including triggers
GRANT TRIGGER ON *.* TO [veza_user];

{
    "Sid": "RedshiftCredentials",
    "Effect": "Allow",
    "Action": "redshift:GetClusterCredentials",
    "Resource": [
        "arn:aws:redshift:<region>:<account_id>:dbuser:<cluster-name>/${redshift:DbUser}",
        "arn:aws:redshift:<region>:<account-id>:dbname:<cluster-name>/*"
    ]
},
{
     "Sid": "RedshiftDescribe",
     "Effect": "Allow",
     "Action": [
         "redshift:DescribeClusters",
         "redshift-data:GetStatementResult",
         "redshift-data:DescribeStatement"
     ],
     "Resource": "*"
 },
 {
     "Sid": "RedshiftExecute",
     "Effect": "Allow",
     "Action": "redshift-data:ExecuteStatement",
     "Resource": "arn:aws:redshift:<region>:<account-id>:cluster:<cluster-name>"
 }

{
    "Sid": "RedshiftCredentials",
    "Effect": "Allow",
    "Action": "redshift:GetClusterCredentials",
    "Resource": [
        "arn:aws:redshift:<region>:<account_id>:dbuser:<cluster-name>/<db_user>",
        "arn:aws:redshift:<region>:<account-id>:dbname:<cluster-name>/*"
    ]
},
{
     "Sid": "RedshiftDescribe",
     "Effect": "Allow",
     "Action": [
         "redshift:DescribeClusters",
         "redshift-data:GetStatementResult",
         "redshift-data:DescribeStatement"
     ],
     "Resource": "*"
 },
 {
     "Sid": "RedshiftExecute",
     "Effect": "Allow",
     "Action": "redshift-data:ExecuteStatement",
     "Resource": "arn:aws:redshift:<region>:<account-id>:cluster:<cluster-name>"
 }

GRANT SELECT ON
  pg_catalog.pg_user,
  pg_catalog.pg_group,
  pg_catalog.pg_database,
  pg_catalog.pg_namespace,
  pg_catalog.pg_class,
  pg_catalog.pg_class_info,
  pg_catalog.pg_attribute_info
TO
  [veza_user];

# Grant read access to Veza service account
access to dn.subtree="dc=example,dc=com"
    by dn="cn=veza-service,ou=serviceaccounts,dc=example,dc=com" read
    by * none

# Alternative: Grant read to specific OUs only
access to dn.subtree="ou=users,dc=example,dc=com"
    by dn="cn=veza-service,ou=serviceaccounts,dc=example,dc=com" read
access to dn.subtree="ou=groups,dc=example,dc=com"
    by dn="cn=veza-service,ou=serviceaccounts,dc=example,dc=com" read

dn: cn=veza-service,ou=serviceaccounts,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
cn: veza-service
sn: Service
description: Veza LDAP Integration Service Account
userPassword: {SSHA}[generated-password-hash]

# Grant read access to base DN
aci: (target="ldap:///dc=example,dc=com")(targetattr="*")
    (version 3.0; acl "Veza Service Account Read Access";
    allow (read,search,compare)
    userdn="ldap:///cn=veza-service,ou=serviceaccounts,dc=example,dc=com";)

# Restrict to specific attributes if needed
aci: (target="ldap:///dc=example,dc=com")
    (targetattr="cn||displayName||mail||uniqueMember||dn")
    (version 3.0; acl "Veza Limited Attribute Access";
    allow (read,search,compare)
    userdn="ldap:///cn=veza-service,ou=serviceaccounts,dc=example,dc=com";)

# Basic read access ACL
dn: cn=ReadAccess,cn=ibmacl,dc=example,dc=com
objectclass: accessControlSubentry
objectclass: ibmacl
cn: ReadAccess
ibm-accessGroup: cn=veza-service,ou=serviceaccounts,dc=example,dc=com
ibm-accessLevel: normal

# Grant read access to Veza service account
aci: (target="ldap:///dc=example,dc=com")(targetattr="*")
    (version 3.0; acl "Veza Service Account Access";
    allow (read,search,compare)
    userdn="ldap:///cn=veza-service,ou=serviceaccounts,dc=example,dc=com";)

# Test basic connectivity and authentication
ldapsearch -x -H ldaps://your-ldap-server:636 \
    -D "cn=veza-service,ou=serviceaccounts,dc=example,dc=com" \
    -W -b "dc=example,dc=com" \
    "(objectClass=*)" dn

# Test user discovery
ldapsearch -x -H ldaps://your-ldap-server:636 \
    -D "cn=veza-service,ou=serviceaccounts,dc=example,dc=com" \
    -W -b "dc=example,dc=com" \
    "(objectClass=person)" cn displayName mail

# Test group discovery
ldapsearch -x -H ldaps://your-ldap-server:636 \
    -D "cn=veza-service,ou=serviceaccounts,dc=example,dc=com" \
    -W -b "dc=example,dc=com" \
    "(objectClass=groupOfUniqueNames)" cn uniqueMember

Boomi

Configuring the Veza integration for Boomi

Overview

Boomi is an integration platform as a service (iPaaS) that facilitates connecting applications, data, and processes across various environments. The Veza integration for Boomi Enterprise Platform uses the AtomSphere API to discover users, roles, and permissions on the platform. After enabling the integration, you can:

Review Boomi User to Boomi Role assignments, with support for external user mappings.
Get visibility on privileges granted via custom roles and review built-in role usage.
Monitor Boomi user accounts with the "API Access" role used for programmatic access.

This document will help you configure the integration for your tenant. For more details see .

Configuring Boomi

Step one: Create an Account in Boomi

Create an account for the integration user in Boomi:

Log in to Boomi Enterprise Platform as an administrator.
Go to Settings > User Management.
Create a new role and assign the following Privileges. The new role should not inherit from any other role. API Access Account Administration

See [Adding a custom role)(https://help.boomi.com/docs/Atomsphere/Platform/t-atm-Adding_a_custom_role_de2bd23b-ce3a-4db3-9656-cacab756e76e) and for official documentation.

Step two: Generate an API token

To create a token, you must create an integration user with the API Access role. The API Token feature must be enabled under Settings > Account Information and Setup > Boomi AtomSphere API Tokens.

Log in to Boomi as the integration user.
Navigate to Settings > My User Settings > AtomSphere API Tokens.
Generate and copy the API token.

Save the token to use when configuring the integration in Veza.

See for more details.

Configuring Boomi on the Veza Platform

In Veza, go to the Integrations page.
Click Add Integration and search for Boomi. Click on it and click Next to add an integration.
Enter the required information:
- Account Id: Id of the Account. Used for Hostname in the URL (e.g.,

Custom identity mappings for Boomi

If your organization uses single sign-on to federate access to Boomi, you can add a custom mapping by editing the identity provider configuration. Add mappings to match external identities in your IdP to user accounts they can access with SSO.

See .

Notes and Supported Entities

The integration uses the OAA Application template to model Boomi users, roles, and privileges:

Boomi Platform Account → Custom Application
Boomi Account Users → Local User
Boomi Account user’s Role → Local Role
Boomi Account Role’s Privileges → Local Permissions

Veza creates graph entities to represent Boomi Users, Roles, and the individual Privileges they can access.

Boomi Account Users

Represents a local Boomi user, with the attributes:

Attribute

Notes

Boomi Account Roles

A built-in or custom role:

Attribute

Notes

Built-in roles provide access to common functionality in Boomi. You can use Veza to review user-to-role assignments, or track when the number of users with a role increases or decreases. Built-in roles include:

Administrator: Full access to all features, including API access, API management, account administration, account group management, Atom management (both read and write), Boomi Assure, build (read and write), cloud management, dashboard access, environment management, execution of processes, integration pack management, licensing view, packaged component management and deployment, process library management, scheduling, trading partner management, user management, view audit logs, view data, and view results.
Standard User: Access to Atom management (both read and write), Boomi Assure, build (read and write), developer tools, environment management, execution of processes, integration pack management, licensing view, packaged component management and deployment, process library management, scheduling, trading partner management, view data, and view results.
Production Support: Access to Atom management (both read and write), execution of processes, licensing view, packaged component deployment, scheduling, view data, and view results.

Administrators can also create Custom Roles. These have specific privileges tailored to organizational needs. See .

Boomi Account Privileges

An individual system permission assigned to a role or directly to a user:

Attribute

Notes

Roles define a group of system permissions within Boomi. Example Roles and Privileges:

Bullhorn

Early Access: This integration is provided as an Open Authorization API (OAA) connector package. Contact our support team for more information.

Bullhorn Connector for Veza

The Veza connector for Bullhorn enables users to import Bullhorn User entitlements into Veza. Users are imported along with the entitlements summary to show the Bullhorn User Type for each user and the permissions that the user type is entitled to.

Application Mappings

The Bullhorn connector uses the OAA Custom Application model. The following table shows how Veza Custom Application entities correspond to Bullhorn entities.

Bullhorn

Veza

Properties

The following entity properties are imported:

Entity

Property

Description

Running the Importer

Bullhorn does not currently provide the necessary API endpoints to extract the authorization information programmatically. Identity and authorization information is imported through CSV data that can be collected from Bullhorn.

The importer takes in a parameter --name, this name will appear in the name of the Application entity in Veza as Bullhorn - {name} and will be used for the Veza data source name. The name must remain consistent for subsequent imports. After the initial run, if --name does not match a previously used name the importer will stop. To create new instances run with --create once to create the new data source.

Bullhorn

Export the User list from Bullhorn and convert to CSV file. The exported data should include the following required headers. Additional columns are ignored:

Request an export of the User Type entitlements from Bullhorn support. The provided data should be converted to CSV if not already in CSV format. Expected format is Entitlements as rows and User Types as columns with Type and Entitlement columns.

Veza

Generate a Veza user API key by navigating to Administration -> API Keys. Choose Add New. Give the key a name and copy the token, which will only be shown once.

Running the Connector

Command Line

Install the requirements:
Set the secrets:
Run the connector:

Parameters

CLI Parameter

Environment Variable

Description

Databricks (Single Workspace)

Configuring the Veza integration for Databricks

Overview

The Veza Databricks integration provides visibility into access and permissions for your Databricks machine learning platform. Veza integrates directly with workspace-level Databricks configurations to:

Discover access relationships between users, groups, service principals, and resources
Visualize access across catalogs, clusters, notebooks, schemas, and more with Veza's Access Graph
Identify excessive group assignments, admin overreach, and service principal sprawl

This integration connects to individual Databricks workspaces using personal access token (PAT) authentication. Veza discovers entity and authorization metadata using the native Databricks REST API, including workspace resources, the hive_metastore catalog, schemas, tables, and permissions.

For organizations that use single sign-on (SSO) for federated access to Databricks, the integration discovers authorization and effective permissions that Azure AD, Okta, and AWS Identity Center identities have on Databricks resources.

When to use this integration: Use this integration for standalone Databricks workspaces or legacy deployments without Unity Catalog. For organizations using Unity Catalog to govern access to Databricks across multiple workspaces on Microsoft Azure, AWS, or Google Cloud, see for account-level discovery configured through cloud provider integrations.

For details on supported entities and attributes, see .

Requirements

To connect to , the workspace must enable both Workspace Access Control and Cluster, Pool, and Jobs Access Control. These features require a Premium Azure Databricks plan. To enable these settings:

As a Databricks administrator, click your username in the top bar of the Azure Databricks workspace and click Admin Settings.
Open Workspace Settings.
Toggle Workspace Access Control and Cluster, Pool and Jobs Access Control.
Click Confirm.

See for details.

Authentication

The integration requires a Databricks user with account admin rights (required to list all workspace entities and permissions). Using a non-admin user token will result in an incomplete discovery.

Veza can connect as.
1. As an account admin, log in to the account console.
2. Click Account Console > User management.
3. On the Users tab, click Add User.

See for more information.

Note: The account admin role ensures complete discovery of workspace resources. Personal Access Token discovery requires workspace admin permissions and may not be available on all Databricks tiers. If unavailable, the integration continues without PAT metadata.

Creating a cluster

To extract metadata for the Databricks storage layer, Veza needs to run SQL queries on one of the clusters in the workspace. You should create a separate cluster for this purpose. The cluster will be automatically started only when Veza is conducting extractions, and automatically stopped after a set amount of inactivity.

To create a cluster from the Databricks UI, pick Create > Cluster:

The cluster can be a small single-node cluster
You should enable termination after an inactivity period (~10 minutes)
Add spark.databricks.acl.sqlOnly true to Advanced Options > Spark > Spark config
Ensure the user created for the Veza integration has CAN_MANAGE

Once the cluster is running, copy the cluster's HTTP endpoint from Advanced Options > JDBC/ODBC > HTTP path.

For more details on creating Databricks clusters see .

Veza Configuration

From the Veza Configuration panel, navigate to the Apps & Data Sources tab. Scroll down to the Standalone Databases section and click Add New. Choose "Databricks" and provide the required information:

Field

Details

The Azure, AWS Identity Center, or Okta Identity Provider used for SSO must be integrated with Veza as a data source.

Identity Mappings

To enable email-based mapping between Identity Provider identities and Databricks users:

Use Access Graph to search for the Azure AD Domain, Okta Domain, or AWS Identity Center service. Open the Entity Details and copy the Datasource ID.
Open Data Catalog > Apps and Data Sources and find your Databricks provider under Standalone Databases. Click Edit. If you haven't configured the provider yet, click Add New and choose Databricks.
Select your SSO provider as the SSO type. For SSO ID, use the Datasource ID

Provider

Datasource ID

For other identity providers, or for more complex mapping rules, use .

Notes and Supported Entities

Every Databricks workspace has a central Hive metastore accessible by all clusters to store table metadata. This metastore (hive_metastore) is the sole catalog entity discovered by this integration, along with schemas, tables, and permissions on those entities. Hive metastores do not support assigning permissions to catalogs.

For Databricks entity types, attributes, permissions, and effective access calculations, see the .

Workspace Mode

Identity Entities: Users, Service Principals, Groups, and Personal Access Tokens at the workspace level
Data Entities: Workspace, hive_metastore Catalog, Schemas, Tables, and Views
Workspace Objects: Directories and Notebooks with permission inheritance

Important: Permissions on data tables are only enforced when both workspace settings enable table ACLs and the cluster supports table ACLs (High Concurrency clusters only). If table ACLs are not enabled for a cluster, all users with cluster access can query all tables accessible from that cluster.

Effective Permissions

From Access Graph, select an EP node and click Explain Effective Permissions to view the raw Databricks ACLs that result in a set of effective permissions. Effective Permissions can account for the following scenarios:

In Databricks, Access Control Lists (ACLs) regulate an identity's permissions to access data tables, clusters, pools, jobs, as well as workspace objects such as notebooks, experiments, and folders. By default those controls are turned off: all users are allowed to do anything.
Permissions can be inherited from the parent entity.
Permissions on data tables are only available when enabled both in workspace settings and the cluster (available only on High Concurrency clusters).
If permissions on data tables aren't enabled for a cluster, then all users that have permissions on that cluster can also access all tables.

Coupa

Configuring the Veza integration for Coupa

Overview

The Veza-built connector for Coupa enables discovery of a single Coupa instance, including details for each user and their group and role memberships.

See notes and supported entities for more details.

Configuring Coupa

To connect to Coupa’s REST API, Veza uses Oauth2 authentication based on a client id and secret. To generate a new client and credentials, log into Coupa as an admin user:

Go to Setup > Oauth2/OpenID Connect Clients
Click Create and pick Client Credentials for the Grant type
Enter the required fields and enable the scope:

See the for more details.

Configuring Coupa on the Veza Platform

In Veza, open the Integrations page.
Click Add New and pick Coupa as the type of integration to add
Enter the required information and Save the configuration

Field

Notes

Notes and Supported Entities

Roles and Permissions

Veza is unable to collect role permissions automatically due to the Coupa REST API not supporting returning role permission information. By default, all Local Roles created for Coupa roles are populated with a single permission named for the role that is Uncategorized.

Optionally, a Coupa permissions export can be uploaded when configuring the integration to map permissions to roles. When provided, this exported data is incorporated into Veza's Access Graph. Important: The role permissions in Veza will reflect the state of permissions as of the last uploaded export - there is no automatic synchronization with Coupa's current permissions.

To create a report of Role Permissions:

Go to Setup > Company Setup > Permissions
Click "Export to" and select CSV file format

The resulting CSV from Coupa should be uploaded as-is without modifications. The export should contain the following header:

The CSV can be uploaded as part of the initial configuration of the Integration, and updated at any time by uploading a new CSV by editing the integration.

Permission Name Handling

Veza creates permissions by combining the Controller and Action fields from the CSV export. When the CSV contains multiple entries with identical controller-action combinations (but different descriptions or role assignments), Veza automatically appends a numeric identifier to ensure unique permission names.

For example, if your CSV export contains:

requisition_lines,retry_realtime_verification,To re-initiate open buy item verification.,...
requisition_lines,retry_realtime_verification,Retry Realtime Verification,...

This helps to ensure all permission mappings derived from the Coupa export are preserved in Veza's Access Graph, even when Coupa contains duplicate controller-action combinations with different role assignments.

Coupa User

Attribute

Notes

Coupa Group

Coupa has multiple different types of Groups. Each group is mapped to a “Local Group” with a group_type property set to indicate its type. Veza currently collects User, Account and Content groups.

Attribute

Notes

Coupa Role

Attribute

Notes

Note: Only roles with users assigned are discovered by the integration. Unused roles will not appear in Veza.

Google Drive

Configuring the Veza integration for Google Drive

Overview

The Veza integration for Google Drive discovers shared drives, folders, and permissions within Google Drive file systems.

How It Works

The integration uses a Google Cloud IAM service account to interact with the Google Drive v3 API, enabling it to list Shared Drives, Folders, and folder permissions. The service account needs to be added as a viewer to shared drives to retrieve listings and permissions. New drives the service account is a viewer on are extracted during data source discovery, which runs periodically after configuration.

Custom entity mapping:

Server: Google Workspace
Mount: Shared Drive
Folder: Folder

Drive and Folder Permissions

Google Drive has four roles that can be assigned to Shared Drives or Folders, and they are common between them. The role reference is as follows:

Organizer
File Organizer
Write
Commenter

Note: The owner role is not currently supported.

Sharing permissions are associated with Google Workspace Users or Groups based on the role that identity has on the drive/folder.

Additionally properties are discovered for the sharing settings on the mount and drive:

domain_users_only: boolean indicating whether the drive/folder allows anyone in the domain access.
domain_role: string set with the domain shared role if shared.
shared_anyone: boolean indicating whether the drive/folder is shared with anyone with the link.

Google provides multiple settings that can be configured by an Administrator on a Shared Drive that can limit the sharing options and scopes for drives. Veza represents these as properties on each Shared Drive to allow for searching. The table below explains the relationship between the Google setting description and the Veza property.

Google Shared Drive Setting

Veza Property

Value when Checked

Setup

Google Setup

Google Drive connector uses a Google Workspace user to perform discovery. Permissions are granted to Veza to assume this user via an OAuth flow. Integration capabilities depend on the Workspace user's role and the shared drives they can view:

If the Google User is a Super Admin, Veza can discover all Google Drives and permissions. If using a Super Admin, check the Domain Admin Access box when adding the integration to Veza.
If the user is not a Super Admin, then the user must be added as a viewer to each Google Drive the integration will discover.
To discover Folder permissions on a drive, the User must be added as a viewer to the drive, regardless of role.

To create an OAuth app, assign scopes, and retrieve the credentials:

Log into Google Cloud Console https://console.cloud.google.com/
Create a new project https://developers.google.com/workspace/guides/create-project and select that project
Navigate to APIs & Services
Select Enabled APIs & Services from the left and click + Enable APIs and Services from the top to enable a new API

Configuring Google Drive on the Veza Platform

In Veza, open the Integrations page.
Click Add New and pick Google Drive as the type of integration to add
Enter the required information and Save the configuration

Field

Notes

Click the Authorize button and complete the flow through the Google consent screens.
After being redirected to the Edit Integration page, save the integration.

Automatically Add New AWS Accounts

Integrate new AWS accounts in an organization using Landing Zones.

Overview

AWS Control Tower allows organizations to easily deploy AWS accounts into an organization, ensure that those accounts adhere to existing security policies, and create a baseline set of standard resources in each account.

Veza integrates with AWS Control Tower to automatically register accounts added to an AWS Control Tower Landing Zone. When an AWS account is provisioned within the OU, the provided CloudFormation template will create the required IAM resources in the AWS account, and create a new Veza integration.

Integration Details

Veza’s AWS Control Tower integration is delivered as an AWS CloudFormation template that can be installed in an organization’s Control Tower root account. The integration consists of three main infrastructure components:

An AWS Lambda function that runs in the Control Tower root account
- This Lambda function executes when accounts are created or updated in the Control Tower Landing Zone (either by Service Catalog or Account Factory)
- The function interacts with Veza APIs to ensure that the child account is registered as a Cloud Provider in the organization’s Veza instance

The Veza-provided cloud formation script runs on account enrollment and account update. Any existing AWS accounts will need to be to trigger the script in the parent account and integrate the child accounts with Veza.

Installation

Before deploying the Veza AWS Control Tower integration, two pieces of data are required from the Veza instance.

Make note of the URL used to connect to the Veza (ex: https://example.cookiecloud.ai)
Generate an for use by the Control Tower root account

AWS Configuration

The following steps should be completed in the AWS Control Tower root account by an administrator IAM user:

CloudFormation

Log into the AWS console, click Services, then search for and select CloudFormation.
In the left navigation bar, click Stacks.
In the right corner of the main pane, click Create Stack, then select With new resources (standard) from the dropdown menu.

Once the CloudFormation Stack is provisioned, the integration is enabled.

Control Tower

To see the integration in action, create an AWS account inside the Control Tower Landing Zone

Log into the AWS console, click Services, then search for and select Control Tower.
In the left navigation bar, click Account Factory.
In the right corner of the main pane, click Enroll Account.

The account creation and enrollment process can take up to 30 minutes. Once finished, the account will show Enrolled in the Control Tower Accounts view.

Once the account shows as Enrolled, it will also be automatically integrated with the Veza instance referenced in the CloudFormation setup.

Re-enroll member accounts

Any currently-enrolled AWS accounts must be re-enrolled to trigger the script and integrate them with Veza. To remove an account from management so that it can be re-enrolled with Control Tower:

Open the AWS .
Open the Provisioned products list.
Choose the account to remove from AWS Control Tower management.
Choose Terminate from the Actions menu and confirm the decision.

For more information see in the AWS documentation.

S3 Information

Veza CloudFormation scripts are hosted on AWS S3. You can either use the defaults provided below or host your own modified versions.

If using a customized template, you should update the Amazon S3 URL when creating the CloudFormation stack, and set an appropriate VezaManagedAccountTemplateUrl when specifying the stack details.

Hubspot

Configuring the Veza integration for HubSpot.

The Veza integration for HubSpot enables discovery of users, teams, and roles on the HubSpot CRM platform, enabling search, insights, and access reviews involving user access to HubSpot.

The integration includes out-of-the-box queries. You can modify these based on your actual environment to create dashboards and rules for the risks and trends you want to monitor:

All HubSpot local user accounts
HubSpot roles that have users assigned
Number of users who have been granted the Super Admin role in HubSpot
Total number of HubSpot Roles
All HubSpot local Teams
HubSpot teams that have users assigned
HubSpot Local Users with an Okta identity
HubSpot Local Users who do not have an Okta identity
HubSpot Local Users with an Azure AD identity
HubSpot Local Users who do not have an Azure AD identity

This document includes steps to enable the HubSpot integration in Veza, and supported entity details.

Configuring the HubSpot Integration

To configure the integration, you will need a HubSpot access token for a private app.

Creating a private app enables Veza to use HubSpot's APIs to access specific data within your HubSpot account using an access token unique to the private app. You can create an app by following the instructions in . You must be a super admin to access private apps in your HubSpot account.

Create a HubSpot private app and access token

In HubSpot, click the settings icon in the main navigation bar.
On the left sidebar, open Integrations > Private Apps.
Click Create Private App.
On the Basic Info tab, configure the details of your app:

Enable the HubSpot integration in Veza

In Veza, open the Integrations page.
Click Add New and pick HubSpot as the type of integration to add.
Enter the required information and Save the configuration.

Field

Notes

Notes and Supported Entities

The HubSpot integration uses standard custom application entity types to model users, teams, and permissions in the Access Graph:

HubSpot User → Local User
HubSpot Teams → Local Groups
HubSpot Permission Sets → Local Roles
- HubSpot Permission Sets will only be collected for Enterprise HubSpot subscriptions.

Veza collects the following attributes for HubSpot entities:

Entity

Property

Description

Jira Data Center

Configuring the Veza integration for Jira Data Center

Overview

This integration enables discovery of Users and Groups, Projects, and Project Roles for Jira Data Center. Use it to:

Search and visualize relationships between Jira users and projects, and the roles granting access.
Review the state of authorization within Jira, such as User > Role, User > Group, or Group > Project access.
Create rules to trigger alerts when entities in Jira are added or removed, or when attributes change.
Visualize federated access to Jira Data Center for IdP identities.

See for more information.

Configuring Jira Data Center

Veza connects to Jira Data Center with API keys generated for a Jira user. You should create a Jira user for the integration, and supply the user's API credentials when configuring the integration on Veza.

Create a Jira User for the integration

Log in to Jira as an administrator or system administrator.
Click the Administration icon at the top right and pick User Management from the dropdown. Click Create user.
Enter a username, password, and email address and save the changes.
Assign the jira-administrators

See for more details.

Generate a Personal Access token

Create a Personal Access Token for a user with Admin-level permissions.

Log in to Jira with the new user account.
In Jira, click your profile picture at the top right of the screen to open the Profile. Choose Personal Access Tokens.
Click Create Token and give it a name. Optionally, you can set a date for the token to expire.
Click Create to save the token. Copy the value.

Save the token in a secure location, and enter it when configuring the integration on Veza. See .

Configuring Jira Data Center on the Veza Platform

To enable the integration and queue the first extraction:

In Veza, go to Integrations.
Click Add Integration and pick Jira Data Center as the type of integration to add.
Enter the required information and Save the configuration.

Field

Notes

Notes and Supported Entities

Veza discovers the following entities and properties within Jira Data Center, and represents them in Access Graph following the OAA Application model:

Jira Software Data Center Business → Custom Application
Jira Software Data Center Project → Custom Resource
Jira Software Data Center Group → Local Group
Jira Software Data Center User → Local User

The integration is tested with Jira Data Center and Jira Server version 9.6.

Jira Data Center Project

Attribute

Description

Project Permission Schemes: Jira Permission Schemes can grant users and groups permissions on Project through multiple mechanism. Depending on how the permission is assigned the permission can show up differently in Veza. A single permission can be assigned multiple ways.

Application Role- Permission is assigned to the Groups that hold the Application Role.
Project Role - The permissions are added to the Project Local Role. Role holders (users/groups) are assigned the role on the project.
User- Permission is assigned directly to the Local User.
Group- Permission is assigned directly to the Local Group.

The following assignment types are not currently supported. These permissions would only apply to specific items inside the project and not the project as a whole:

Reporter
Assignee
Group By Custom Field

Public permissions (Anyone) are represented as a property on the Project. The custom property has_public_permissions will be True if the Project has any public permissions. The public permissions are listed in the public_permissions property on the Project.

Global Permissions: The connector does not currently support the discovery of global and system-level permissions.

Jira Data Center Group

Attribute

Description

Jira Data Center User

Attribute

Description

Due to Atlassian API limitations, the integration cannot currently retrieve Jira user attributes: createdAt, lastLoginAt, deactivatedAt, and lastChangeAt.

Jira Data Center Role

Attribute

Description

{
  "requires_update": true,
  "google_cloud_customer_id": "{id}",
  "current_permissions": [],
  "required_permissions": [
    "bigquery.datasets.get",
    "bigquery.datasets.getIamPolicy",
    "bigquery.tables.get",
    "bigquery.tables.getIamPolicy",
    "bigquery.tables.list",
    "cloudkms.cryptoKeyVersions.get",
    "cloudkms.cryptoKeyVersions.list",
    "cloudkms.cryptoKeys.get",
    "cloudkms.cryptoKeys.getIamPolicy",
    "cloudkms.cryptoKeys.list",
    "cloudkms.keyRings.get",
    "cloudkms.keyRings.getIamPolicy",
    "cloudkms.keyRings.list",
    "cloudkms.locations.get",
    "cloudkms.locations.list",
    "cloudsql.databases.list",
    "cloudsql.instances.list",
    "cloudsql.users.list",
    "compute.instances.getIamPolicy",
    "compute.instances.list",
    "compute.networks.list",
    "compute.regions.list",
    "compute.subnetworks.getIamPolicy",
    "compute.subnetworks.list",
    "compute.zones.list",
    "container.clusters.list",
    "iam.roles.get",
    "iam.roles.list",
    "iam.serviceAccounts.list",
    "logging.logEntries.list",
    "resourcemanager.folders.getIamPolicy",
    "resourcemanager.folders.list",
    "resourcemanager.organizations.get",
    "resourcemanager.organizations.getIamPolicy",
    "resourcemanager.projects.get",
    "resourcemanager.projects.getIamPolicy",
    "resourcemanager.projects.list",
    "resourcemanager.tagKeys.get",
    "resourcemanager.tagKeys.list",
    "resourcemanager.tagValues.get",
    "resourcemanager.tagValues.list",
    "run.services.getIamPolicy",
    "run.services.list",
    "secretmanager.locations.get",
    "secretmanager.locations.list",
    "secretmanager.secrets.create",
    "secretmanager.secrets.createTagBinding",
    "secretmanager.secrets.delete",
    "secretmanager.secrets.deleteTagBinding",
    "secretmanager.secrets.get",
    "secretmanager.secrets.getIamPolicy",
    "secretmanager.secrets.list",
    "secretmanager.secrets.listEffectiveTags",
    "secretmanager.secrets.listTagBindings",
    "secretmanager.secrets.setIamPolicy",
    "secretmanager.secrets.update",
    "secretmanager.versions.access",
    "secretmanager.versions.add",
    "secretmanager.versions.destroy",
    "secretmanager.versions.disable",
    "secretmanager.versions.enable",
    "secretmanager.versions.get",
    "secretmanager.versions.list",
    "serviceusage.services.list",
    "storage.buckets.getIamPolicy",
    "storage.buckets.list"
  ],
  "required_actions": [
    "logging.logEntries.list",
    "secretmanager.locations.get",
    "secretmanager.locations.list",
    "secretmanager.secrets.create",
    "secretmanager.secrets.createTagBinding",
    "secretmanager.secrets.delete",
    "secretmanager.secrets.deleteTagBinding",
    "secretmanager.secrets.get",
    "secretmanager.secrets.getIamPolicy",
    "secretmanager.secrets.list",
    "secretmanager.secrets.listEffectiveTags",
    "secretmanager.secrets.listTagBindings",
    "secretmanager.secrets.setIamPolicy",
    "secretmanager.secrets.update",
    "secretmanager.versions.access",
    "secretmanager.versions.add",
    "secretmanager.versions.destroy",
    "secretmanager.versions.disable",
    "secretmanager.versions.enable",
    "secretmanager.versions.get",
    "secretmanager.versions.list"
  ],
  "overprivileged_actions": [
    "cloudkms.cryptoKeyVersions.viewPublicKey",
    "run.locations.list"
  ]
}

CREATE USER '[veza_user]'@'%' IDENTIFIED BY '[your-strong-password]';

GRANT REFERENCES ON *.* TO [veza_user];
GRANT SELECT ON mysql.user TO [veza_user];
GRANT SELECT ON mysql.db TO [veza_user];
GRANT SELECT ON mysql.tables_priv TO [veza_user];
GRANT SELECT ON mysql.columns_priv TO [veza_user];
GRANT SELECT ON mysql.global_grants TO [veza_user];
GRANT SELECT ON mysql.procs_priv TO [veza_user];
GRANT SELECT ON mysql.proxies_priv TO [veza_user];

-- Only if MySQL version is up to 5.7
GRANT SELECT ON mysql.proc TO [veza_user];

-- Only if MySQL version is 8+
GRANT SELECT ON mysql.role_edges TO [veza_user];
GRANT SHOW_ROUTINE ON *.* TO [veza_user];

-- If including triggers
GRANT TRIGGER ON *.* TO [veza_user];

In Step 1: Specify Template form, enter https://veza-controltower.s3.us-east-2.amazonaws.com/veza.yaml as the Amazon S3 URL.

https://<yourCompany>.jamfcloud.com/

https://api.boomi.com/api/rest/v1/{{accountId}}/

{
    "id": "9ba2e34c-2818-11e6-a17b-45f3f0dc7cd7",
    "name": "MDM Administrator",
    "description": "Boomi Default MDM Administrator Role.",
    "Privileges": [
        {"name": "MDM_DESTROY"},
        {"name": "MDM_SOURCE_ATTACH"},
        {"name": "MDM_BATCH_ADMIN"},
        {"name": "MDM_DASHBOARD"},
        {"name": "MDM_EDIT_MODELS"},
        {"name": "MDM_STEWARDSHIP"},
        {"name": "MDM_VIEW_DATA"},
        {"name": "MDM_VIEW_REPOSITORIES"},
        {"name": "MDM_VIEW_MODELS"},
        {"name": "MDM_STEWARDSHIP_MGMT"},
        {"name": "MDM_REPORTING_HISTORY"},
        {"name": "MDM_VIEW_LOGS"},
        {"name": "MDM_SOURCE_MGMT"},
        {"name": "MDM_DEPLOY"},
        {"name": "MDM_REPORTING_OPS"},
        {"name": "MDM_REPOSITORY_MGMT"}
    ]
}

Device42

Configuring the Veza integration for Device42.

Overview

The Device42 integration enables Veza to discover and analyze users, groups, and permissions within your Device42 environment, for insights into your IT asset management and data center infrastructure.

The integration supports:

Discovery of Device42 admin users and their properties
Mapping of Device42 admin groups and their members
Analysis of permissions assigned to admin users and groups
Visualization of Device42 data within the Veza platform for comprehensive access governance

Prerequisites

A Device42 instance with administrator access
API access enabled in your Device42 environment
Veza platform access with permissions to add new integrations

Configuring Device42

Generate API Credentials

Log in to your Device42 account as a superuser.
Open the Resources tab.
In the Secrets section, click on API Clients.
Click Add to create a new API client.

Note: Ensure that the user generating the API credentials is a Superuser and has their is_staff property set to False.

Configuring Device42 on the Veza Platform

In Veza, use the main menu to open the Integrations page.
Click Add Integration and search for Device42.
Click on Device42 and then click Next.
Enter the required information:

Verifying the Integration

To check integration status:
1. On the Veza Integrations list, click the integration name to view details.
2. On the details page, review the list of data sources.
3. Use the Status column to check if the data source is unavailable or has an error.

Supported Entities and Attributes

Users (Admin Users)

Attribute

Description

Groups (Admin Groups)

Attribute

Description

Built-in Queries

The Device42 integration includes pre-configured queries to help you quickly gain insights into your Device42 environment. These queries can be used out-of-the-box or serve as a starting point for more complex analyses:

Monitor the overall number of admin users and groups
Track user activity and identify potentially dormant accounts
Ensure deprovisioning of inactive users
Identify superusers for privileged access management

Device42 Admin Users
- Description: All Device42 local admin user accounts
- Type: Inventory count
Device42 Active Admin Users

Device42 Admin Groups
- Description: All Device42 local admin groups
- Type: Inventory count
Device42 Admin Groups with Users

Identity Correlation Queries

Device42 Admin Users Related to Okta Users
- Description: Device42 local admin users with an Okta identity
- Type: Inventory count
Device42 Admin Users Not Related to Okta Users

Additional Resources

Box

Configuring the Veza integration for Box

The Veza integration for Box gathers Box Users, Groups, Roles, and Folders from the storage platform. Search, Insights, and Workflows for Box provide the ability to:

See all Box users with administrative privileges on a Box tenant
Review folders that have external guest collaborators.
Review folders with Internal guest collaborators.
Map Okta and Azure AD users and local Box users to ensure there are no local-only users.
Create reports and rules for Box administrators and external collaborators

This guide includes steps to create a Box App to enable the connection, and configure the integration for Veza. See for more details.

Configuration - Box

The Veza Box integration is compatible with Box, Business, Business Plus, Enterprise, and Enterprise Plus account types. Individual and Team Accounts are not supported.

The integration uses a to collect metadata. To create this read-only service principal:

Box enforces a monthly limit of 50,000 API calls per Box user and App. You can configure more than one Veza Box App if the limit is reached.

Log in to your Box account and open the Developer Console.
Click the "Create New App" button and select "Custom App".
Select Server Authentication (with JWT) as the Authentication Method
Click "Create App".

Configure the custom app in Box:

For "App Access Level" select App + Enterprise Access.
Under the Application Scopes section ensure the following boxes are checked:
- Content Actions/Read all files and folders stored in Box

Generate a key pair and authorize the custom app:

Under Add and Manage Public Keys click Generate a Public/Private Keypair. A JSON file will be downloaded automatically, containing the private portion of the key and passphrase.
- Optionally, you can upload an existing key pair, download the configuration file manually, and complete the key portion.
Under the Authorization tab click Review and Submit to make your new app available.

The JSON file downloaded in step 1 contains the necessary configuration information for setting up the integration in Veza:

Configuration - Veza

In Veza, go to Configuration > Integrations
Click Add New and choose Box as the integration type
Complete the required fields:

Field

Description

Supported Entities

Box Enterprise
Box User
Box Group
Box Role

Entity Attributes and notes:

Box User

A Box user represents an account on the platform used to access personal files and collaborate with others.

User Properties

Details

Only users from the enterprise are represented as graph entities. External collaborators are shown in Folder properties.

Box Role

For Box, roles are a set of permissions that can be assigned to a user or group of users, defining the actions an identity can perform, and what data they can access within the platform.

Role Properties

Details

Box User(s) and Group(s) can have a Role defined on Folder(s). Roles can be owner, co-owner, editor, viewer uploader, previewer uploader, viewer, previewer, or uploader.

Box Folder

Box folders are containers used to organize and store files and documents. Folders can be organized hierarchically to create a logical structure for file storage.

A Box User's folders can be private or shared with specific collaborators or groups. Users can set permissions for each folder, determining who has access to the folder and what actions they can perform on the files within the folder.

Box Folder entity attributes indicate external collaborators: HasExternalCollaborators, and a list of ExternalCollaborators containing user IDs, and possibly name and e-mail (if "Include External Collaborator Details" is enabled).

In Graph search, you will be able to see the folder contents of all users' root (home) folders. Box Home Folder entities represent the root-level folder for each Box User.

Folder Properties

Details

Crowdstrike Falcon

Configuring the Veza integration for Crowdstrike

Overview

The Veza integration for Crowdstrike Falcon enables the discovery of Users, Roles, and permissions from the Crowdstrike Falcon platform. Veza uses Crowdstrike APIs to populate the Access Graph with entities and metadata.

Optional: For customers with access to Crowdstrike Identity Protection, the integration supports bidirectional risk score synchronization between Veza and Falcon. See Risk Score Integration for configuration details.

This document explains how to enable and configure a Crowdstrike Falcon integration.

Configuring Crowdstrike

Before adding the integration to Veza, create an API client on the Crowdstrike platform for the connection.

Browse to your Crowdstrike Falcon instance (ex: https://falcon.us-2.crowdstrike.com/) and log in
Click the hamburger icon in the upper-left corner to open the navigation bar
Click Support and resources in the left navigation bar, then click API clients and keys in the Resources and tools section of the navigation submenu

Configuring Crowdstrike on the Veza Platform

To enable Veza to gather data from the Crowdstrike Falcon platform:

In Veza, open the Integrations page.
Click Add New and pick Crowdstrike as the type of integration to add
Enter the required information and Save the configuration

Field

Notes

Supported Entities

The Veza integration for Crowdstrike Falcon discovers the following entities and attributes from the Crowdstrike API:

Many entities include additional attributes populated by Veza's enrichment system (such as owners, identity classifications, and risk scores). See for details on configuring these attributes.

Identity Entities

Crowdstrike User

User account on the Crowdstrike Falcon platform. Users can be assigned to roles that grant permissions to perform actions within Falcon.

Attributes:

id
name (constructed from [first_name] and [last_name])
first_name

Identity Mapping:

Users are mapped to identity providers via their email address

Crowdstrike Role

Role defining a set of permissions within the Crowdstrike Falcon platform. Roles are assigned to users to grant them specific capabilities.

Attributes:

id
name (derived from [display_name])
description

Notes:

Each role is associated with a permission entity that shares the same ID as the role

Assignment Entities

Crowdstrike Role Assignment

Association linking a user to a role within the Crowdstrike Falcon platform. Role assignments determine the permissions available to each user.

Attributes:

user_uuid
role_id
role_name

Notes:

Each role automatically includes a permission with the same ID, representing the capabilities granted by that role assignment

Risk Score Integration

Risk Score Import

When Risk Score import is enabled, Veza imports identity risk scores from Crowdstrike Falcon Identity Protection and applies them as custom tags on identities in Veza.

Supported Identity Sources:

Okta users
Azure Active Directory / Entra users

Custom Tags Applied:

Tag Name

Description

When Risk Score import is enabled:

Veza queries for Okta and Azure AD identities.
Risk scores are retrieved from CrowdStrike Identity Protection's GraphQL API.
Identities are matched by email address.
The risk score and severity are applied as custom tags to matched identities in Veza.

Risk Score Export

When Risk Score export is enabled, Veza performs the following steps:

Queries for all identities with risk scores of 50 or higher.
Groups the identities by email address.
Marks the corresponding users in Crowdstrike Falcon for administrative investigation.

This enables security teams to take action in Falcon based on risk signals detected by Veza's access analytics.

Databricks (Unity Catalog)

Configuring the Veza integration for Databricks with Unity Catalog enabled.

Overview

The Veza Databricks integration with Unity Catalog discovers access and permissions across your Databricks deployment. Veza integrates directly with Unity Catalog-enabled and workspace-level Databricks configurations to:

Discover access relationships between users, groups, service principals, and resources
Visualize access across catalogs, clusters, notebooks, schemas, and more with Veza's Access Graph
Identify excessive group assignments, admin overreach, and service principal sprawl

For organizations using Unity Catalog to govern access to Databricks, Databricks discovery is enabled in your cloud provider integration configuration for , , or . Veza connects to your Databricks account to discover authorization metadata for all workspaces and resources the service principal can access, including:

Account-level users, service principals, and groups
Unity Catalog metastores and catalogs shared with workspaces
All workspace resources (clusters, notebooks, directories, jobs, pipelines)
OAuth applications and federation policies

Use Unity Catalog integration for Databricks deployments with centralized governance across multiple workspaces. For standalone Databricks workspaces without Unity Catalog, see .

For details on supported entities and attributes, see .

Requirements

To enable the integration, you will need:

A Databricks account on the Premium plan, with SSO (Unified Login) enabled.
Microsoft Azure, Google Cloud: The Veza service principal for the cloud provider integration must be assigned to access the account via SSO as an account admin.
AWS: Veza uses OAuth credentials for a Databricks service account with the Account admin role
The Veza service principal must be assigned as an admin on all workspaces to fully discover all sub-resources.

Permission Requirements for Full Discovery:

Personal Access Tokens: Requires workspace admin role. May not be available on all Databricks pricing tiers. If unavailable, extraction continues without PAT discovery.
Jobs, Pipelines, and Permissions: Workspace admin enables complete discovery of all jobs, pipelines, and their permissions across the workspace.

Configure a Veza service principal

The integration requires a Databricks service principal with account admin privileges (required to list all workspace entities and permissions):

Databricks on AWS: OAuth2 token for a Databricks service account (M2M access).
Databricks on Google Cloud Platform: Google Service Account configured for the integration.
Databricks on Microsoft Azure: Azure App Integration configured for discovery.

OAuth M2M for AWS

To create a service principal for Databricks on AWS, log in to the Databricks account console as an administrator:

Go to User management.
Under Service principals, click Add service principal.
Enter a name and click Add.
On the Roles tab, enable Account admin to enable account-level API calls.

Assign your service principal to identity federated workspaces.

Open Workspaces and click your workspace name.
Go to Permissions > Add permissions.
Search for the user, Assign the Admin permission level and save the changes. Get an OAuth client secret:

To create an OAuth secret for a service principal using the account console:

In the Databricks account console, open User management.
On the Service principals tab, find the service principal.
Under OAuth secrets, click Generate secret.
Copy the Secret and Client ID, and then click Done.

For more details see in the Databricks documentation.

Create a Databricks cluster

Veza will run SQL queries on a Databricks cluster to collect metadata. Veza recommends a dedicated cluster for this purpose.

You will identify the cluster by when configuring the integration.
To extract Databricks metastore schemas, the cluster must have Unity Catalog enabled. A tag indicates when the cluster is attached to a Unity Catalog metastore and uses a Unity-Catalog-capable access mode (shared or single user).

To create a cluster from the Databricks UI, pick Create > Cluster:

The cluster can be a small single-node cluster
You should enable termination after an inactivity period (~10 minutes). The cluster will automatically start for extractions, and stop automatically when inactive.
Enable spark.databricks.acl.sqlOnly true under Advanced Options > Spark > Spark config
Ensure the Veza service principal has

For more details on creating Databricks clusters see .

Assign the Veza user to Databricks workspaces

The Veza service principal must be a workspace-level administrator to discover Workspaces subresources such as notebooks and clusters. Without admin permissions, the integration will not be able to gather metadata for the workspace.

To add the Veza service principal to a workspace with the admin role:

Using the Databricks account admin console (for workspaces with identity federation):

Open Workspaces and click your workspace name.
Go to Permissions > Add permissions.
Search for the user, Assign the Admin permission level and save the changes.

Using the Workspace admin console:

Click your username in the top bar of the Databricks workspace and select Admin Settings.
Open Identity and access.
Go to Users > Manage > Add User.
Click Add new to create a new user and enter the email of the Veza service account.

See for more detail.

Enable Databricks extraction

Databricks extraction is disabled by default. To enable the service, edit the AWS, Google Cloud Platform, or Microsoft Azure integration:

Go to the Veza Integrations page.
Find the integration on the list and click Edit.
In the third section Limit Services, tick Limit {Integration} Services
Click Select All to enable all services, or tick the boxes for services your company uses. Tick the box next to

Notes and Supported Entities

Veza discovers Unity Catalog entities at two levels:

Account-level entities:

Account
Account Users, Service Principals, and Groups (with role assignments)
Catalogs (Unity Catalog-managed)
Metastores

Workspace-level entities (all entities from workspace mode):

Users, Service Principals, Groups, and Personal Access Tokens
Schemas, Tables, and Views
Directories and Notebooks
Clusters, Jobs, and Pipelines

For more information about each entity type see .

OpenAI

Configuring the Veza integration for OpenAI

Overview

The Veza OpenAI integration provides visibility into your organization's access to OpenAI resources, helping secure AI innovations and prevent identity-based threats. This integration discovers all users with access to your OpenAI organization, maps their assigned roles, and visualizes permissions relationships to help maintain proper access control.

The integration enables:

Discovery of all users with access to your OpenAI organization
Mapping of assigned roles (Owner/Reader) to specific permissions
Visibility into access rights including API usage, organization management, billing modifications, and member management
Access review and alert rules based on user access to OpenAI

See for more details.

Configuring OpenAI

To integrate OpenAI with Veza, you'll need to obtain your Organization ID and generate an API key.

Get your Organization ID

Sign in to the OpenAI
Click Manage Account from the user dropdown in the upper right corner
Navigate to the Settings section
Note your Organization ID (will begin with "org-")

Generate an API Key

While in the OpenAI Dashboard, navigate to API Keys
Click Create new secret key
Give your key a name that indicates it's for Veza integration (e.g., "Veza-Integration")
Copy the API key immediately, as you won't be able to see it again

See the for more details.

Configuring OpenAI on the Veza Platform

This integration is provided as an Open Authorization API (OAA) connector package. There are multiple options for running the connector, including command line and Docker.

Prerequisites

Contact your Veza support representative to obtain the preview OAA connector.
Generate an for your Veza user.

Command Line Setup

Install the requirements with Python 3.8+:
Export the required environmental variables:
Run the connector:

Docker Setup

A Dockerfile is included in the repository. Running the container will perform the OpenAI discovery and OAA push then exit. Schedule the container to run on a regular interval.

Build the container:
Run the container with all required parameters:

Configuration Options

Parameter

Environmental Variable

Required

Notes

Notes and Supported Entities

The OpenAI integration discovers users and their respective roles within your OpenAI organization.

Organization Properties

Entity

Property

Description

User Properties

Entity

Property

Description

Supported Roles and Permissions

The integration maps OpenAI roles to specific permissions:

Role

Permissions

Custom Permissions

Permission

Description

Allow group id <Group-OCID> to read users in tenancy
Allow group id <Group-OCID> to inspect compartments in tenancy
Allow group id <Group-OCID> to read domains in tenancy
Allow group id <Group-OCID> to read groups in tenancy
Allow group id <Group-OCID> to inspect policies in tenancy
Allow group id <Group-OCID> to read buckets in tenancy
Allow group id <Group-OCID> to read objectstorage-namespaces in tenancy

CAN_MANAGE

{
  "boxAppSettings": {
    "clientID": "<clientID>",
    "clientSecret": "<clientSecret>",
    "appAuth": {
      "publicKeyID": "<publicKeyID>",
      "privateKey": "<privateKey>",
      "passphrase": "<passphrase>"
    }
  },
  "enterpriseID": "123456"
}

docker run --rm \
 -e OPENAI_ORG_ID="org-your_organization_id" \
 -e OPENAI_API_KEY="your_openai_api_key" \
 -e VEZA_URL="https://your-instance.vezacloud.com" \
 -e VEZA_API_KEY="your_veza_api_key" \
 veza_openai

CREATE USER 'veza' IDENTIFIED BY 'replace_with_secure_password';
GRANT SELECT ON confluence_db.`cwd_user` to 'veza';
GRANT SELECT ON confluence_db.`user_mapping` to 'veza';
GRANT SELECT ON confluence_db.`cwd_group` to 'veza';
GRANT SELECT ON confluence_db.`cwd_membership` to 'veza';
GRANT SELECT ON confluence_db.`cwd_user_attribute` to 'veza';
GRANT SELECT ON confluence_db.`SPACES` to 'veza';
GRANT SELECT ON confluence_db.`SPACEPERMISSIONS` to 'veza';

last_name

cid

Using AWS Secrets Manager for Database Extraction

Configure the AWS integration to use Secrets Manager secrets to extract standalone databases.

Early Access Using AWS Secrets Manager to store database extraction credentials is currently supported in Early Access for compatible integrations. Please contact our support team to enable this feature.

Credential Fallback Behavior

When using AWS Secrets Manager for database credentials:

Primary: Credentials are retrieved from AWS Secrets Manager first
Fallback: If secrets retrieval fails, the system falls back to username and password fields (if provided)

For maximum security, omit username/password fields to rely solely on Secrets Manager. Including backup credentials can provide operational resilience for temporary secrets issues.

Overview

Veza can retrieve database credentials from AWS Secrets Manager with automatic fallback to direct credentials for standalone databases (MySQL, PostgreSQL, Oracle, SQL Server, MongoDB, Cassandra). The system prioritizes secrets but provides resilience through fallback authentication.

Secrets must contain "username" and "password" keys as JSON properties.

Configuration Requirements

✅ Requirements Checklist

AWS Secrets Manager secret contains username and password keys
IAM role created for secrets access in AWS account containing secrets

Configuration

Required Fields

resource_id: Connection string in format protocol:hostname:port
secret_id: ARN of the AWS Secrets Manager secret
aws_assume_role_name: IAM role name for secrets access

Supported Databases

Database

Protocol

Example Resource ID

Example Configuration

IAM Role and Trust Policy Setup

You must create an IAM role in the AWS account containing the secrets with a trust policy that allows the Veza Insight Point role to assume it.

IAM Role Trust Policy

Create an IAM role (e.g., veza-secrets-access-role) with this trust policy:

IAM Role Permissions Policy

Attach this permissions policy to the IAM role to allow access to secrets:

Note: The trust policy and role assumption are required for all standalone database configurations. The trust policy allows Veza's Insight Point role to assume the customer role that has access to Secrets Manager.

Secrets API

API Endpoints

Operation

Method

Endpoint

When making API requests, ensure that the resource_id parameter is URL-encoded. This is particularly important because the resource_id can be an AWS ARN or an SQL connection string. These values can contain special characters, such as : and /, which can interfere with API routing if not properly encoded.

For example, if the resource_id is mysql:db.example.com:3306, the URL-encoded request should be:

Get Secrets Mapping

List all resource-to-secret mappings for an AWS Integration

GET <BASE URL>/api/private/providers/{provider_id}/secrets

Response:

Set Secrets Mapping

Set a mapping of all secrets for an AWS integration.

PUT <BASE URL>/api/private/providers/{provider_id}/secrets

Example API Call:

Clear Secrets Mapping

Delete all secrets mapped for an integration, specified by AWS integration ID.

DELETE <BASE URL>/api/private/providers/{provider_id}/secrets

Delete Secrets Mapping

Remove a single mapping, specified by ID.

DELETE <BASE URL>/api/private/providers/{provider_id}/secret/{resource_id}

Get Mapping for Resource

Return the secret id for a specified resource.

GET <BASE URL>/api/private/providers/{provider_id}/secret/{resource_id}

Request body:

Set Mapping for Resource

Update the integration secrets mapping to use a new secret ID for the specified resource.

PUT <BASE URL>/api/private/providers/{provider_id}/secret/{resource_id}

Request body:

Troubleshooting

Common Issues and Solutions

Issue

Cause

Solution

Known Limitations

Important Limitations:

Secret Updates: Once a secret is injected into a datasource configuration, it cannot be changed. To update credentials, you must delete and recreate the integration.
Temporary Solution: The current AWS Secrets Manager integration for standalone databases is a temporary solution. A more comprehensive secret vault implementation is planned for future releases.

Additional Resources

AWS DocumentDB

Discovering Amazon DocumentDB clusters and database-level permissions with Veza

When connecting an AWS account to Veza, the recommended IAM policy includes permissions to discover DocumentDB clusters. To gather database-level metadata (users, roles, and permissions), Veza will need to be able to execute database commands as a local user, as described in this document.

Overview

Amazon DocumentDB is a fully managed document database service designed for MongoDB compatibility. Veza provides two-tier discovery similar to RDS MySQL and PostgreSQL: cluster infrastructure metadata is discovered through AWS APIs, while database-level permissions are extracted using the MongoDB wire protocol.

When you enable DocumentDB in your AWS integration, Veza automatically discovers all DocumentDB clusters (both regular and elastic) in your account. If you provide database credentials, Veza connects to each cluster, lists available databases, and creates separate datasources for each one to extract users, roles, and granular permissions.

Authorization Entities

Cluster metadata is always discovered when DocumentDB is enabled. Database-level entities require credentials:

Discovery Tier

Entity Types

Requirements

Prerequisites

Cluster discovery requires an existing in Veza with at least one successful extraction and appropriate IAM permissions (detailed in ). This discovers cluster metadata for both regular and elastic DocumentDB clusters.

To enable database-level discovery, you'll need network connectivity from Veza to your DocumentDB endpoints. An is recommended for production environments and must be configured to allow outbound connections to your DocumentDB clusters through . You'll also need admin access to create a MongoDB-compatible read-only user as described in .

IAM Configuration

Recommended: Least-Privilege Custom Policy

Veza recommends creating a custom IAM policy with only the required permissions for DocumentDB cluster discovery:

rds:DescribeDBClusters - DocumentDB regular clusters are built on RDS technology and use RDS APIs
docdb-elastic:ListClusters - Lists all elastic DocumentDB clusters in your account
docdb-elastic:GetCluster - Retrieves detailed metadata for each elastic cluster

These are included in the recommended Veza connector policy, enabling cluster-level discovery as part of the default AWS integration:

AWS provides managed policies that include the necessary permissions, though they grant additional permissions beyond what Veza requires:

AmazonDocDBReadOnlyAccess - Includes rds:DescribeDBClusters plus 35+ other RDS permissions
AmazonDocDBElasticReadOnlyAccess - Includes both elastic DocumentDB permissions plus ec2:CreateTags and ec2:DescribeSubnets

Database User Configuration

To enable database-level discovery, create a local user in your DocumentDB cluster with read-only access to database metadata. Veza needs listDatabases to enumerate databases, find on the system.users collection to read user definitions, and viewRole to inspect role definitions and permissions.

Connect to your DocumentDB cluster and run the following commands to create a role with these privileges and assign it to a new user:

Note: The user and role names (veza-extractor-user and veza-extractor-role) are examples. You can use any names that comply with your organization's naming conventions.

Veza Configuration

Enable DocumentDB in Your AWS Integration

In Veza, go to the Integrations overview
Find your existing AWS integration and click to edit it
In the integration configuration, enable the DocumentDB service
(Optional) To enable database-level discovery, configure the following fields:

The next time Veza connects, DocumentDB clusters are discovered automatically through AWS APIs. If database credentials are configured, Veza connects to each cluster and discovers databases. Each discovered database is displayed as a separate datasource under Integrations > All Data Sources.

Notes and Supported Entities

When DocumentDB is enabled in your AWS integration, Veza automatically discovers cluster infrastructure for both regular and elastic clusters in available or ACTIVE status. If database credentials are configured, Veza connects to each cluster to extract database-level authorization metadata. Each discovered database appears as a separate datasource in Veza.

DocumentDB Cluster

Represents a DocumentDB cluster infrastructure resource discovered via AWS APIs. Clusters serve as the parent container for databases and provide network connectivity configuration.

Attribute

Description

DocumentDB Database

Represents an individual database within a DocumentDB cluster. Discovered through MongoDB wire protocol when database credentials are configured. Each database becomes a separate datasource in Veza.

Attribute

Description

DocumentDB User

Represents a database user identity with authentication and authorization privileges. Users are scoped to a specific database (the authentication database) but may have permissions across multiple databases through role assignments.

Attribute

Description

DocumentDB Role

Represents a role that grants specific privileges on database resources. Roles can be assigned to users and can inherit from other roles. Veza discovers both built-in roles (like read, readWrite, dbAdmin) and custom roles.

Attribute

Description

Permissions

DocumentDB uses the MongoDB privilege system with three resource scopes. Veza translates these MongoDB-specific actions into abstract permissions (DataRead, DataWrite, MetadataRead, etc.) for cross-platform analysis:

Cluster-level privileges (56 actions): Administrative operations affecting the entire cluster, such as listDatabases, serverStatus, addShard, replSetConfigure
Database-level privileges (25 actions): Database management operations like createUser, dropUser, grantRole, viewRole

For the complete list of supported actions and their abstract privilege mappings, see .

Credential Configuration

Database credentials are optional; the integration will still discover cluster metadata. After configuring credentials, the same username and password apply to all clusters in your AWS account.

The integration currently supports MongoDB native authentication (username and password); AWS IAM database authentication is not supported.

MongoDB Compatibility

DocumentDB implements the MongoDB 3.6, 4.0, or 5.0 wire protocol. Veza connects using a standard MongoDB-compatible client, making database-level discovery functionally identical to standalone MongoDB integration.

Network Requirements

Database-level discovery requires network connectivity from your Veza Insight Point to DocumentDB cluster endpoints. For production environments, you can deploy an in the same AWS region as your clusters and configure security group inbound rules to allow connections from the Insight Point's IP address. For multi-region deployments, ensure your Insight Point can reach all cluster endpoints or deploy region-specific Insight Points.

Testing and Security

Before enabling production discovery, test with a non-production cluster to verify connectivity and permissions. Use the least-privilege IAM policy for cluster discovery and create a dedicated read-only MongoDB user with only the required privileges (listDatabases, find on system.users, viewRole).

Activity Monitoring for AWS

Identify overprovisioned and inactive users using CloudTrail logs.

ℹ️ Early Access: Monitoring for AWS is part of Access Monitoring, which must be enabled by our support team.

Veza gathers CloudTrail logs to audit user activity and generates Over Provisioned Scores (OPS) to show the percentage of unutilized access. This document provides steps to enable audit log extraction for an integrated AWS account.

Notes

Supported Entities: Veza generates over-provisioned scores for these relationships:
Source Entity
Destination Entity
* Requires Activity Monitoring for Okta
Monitoring for multiple AWS accounts: To enable Activity Monitoring across several accounts in your organization, you'll need to repeat these steps for each integration for each account. In Query Builder results, OPS will be N/A for users from accounts where Activity Monitoring is not enabled.
The Activity Monitoring dashboard shows the dormant and over-provisioned AWS IAM Users, based on the resources they can access and the current Activity Monitoring time range. You can add constraints on OPS to Queries and Rules to enforce policies around user activity and actual resource usage.
Activity Monitoring Attributes: Veza creates properties to track different types of activity based on the resource type:
- AWS IAM User:
  - Last Activity At: Timestamp of the most recent activity where the user was the principal, including activities in services not currently supported in Activity Monitoring (e.g., EC2 RunInstances)

Enabling Activity Monitoring for AWS

You can enable monitoring for a single AWS account with an account-level trail, or create an organization trail containing events from several regions and accounts:

In AWS, create an organization or account-level trail for activity monitoring, or use an existing one. If you have many accounts where you want to enable monitoring, an organization trail is recommended for easier configuration.
In AWS, ensure the Veza service principal has authorization to discover cloud trails and read the trail in S3.
In Veza, enable audit logs for each AWS account integration. You can specify the same S3 bucket and organization trail (identified by its AWS resource name) for all integrations.

Enabling Activity Monitoring with AWS Control Tower For organizations that use AWS Control Tower to govern a multi-account AWS environment, AWS CloudTrail is configured by default, with two key accounts:

A Management account at the organization root, where Control Tower is configured.
A Log Archive

See the following steps for more details. Apply the appropriate policies based on your CloudTrail configuration:

Step 1: Retrieve CloudTrail region and trail name

Each account integration connects to a single Trail with event logs for the desired regions, accounts, and resources to gather activity data.

To use an existing Trail, search for CloudTrail on the AWS Console, and save the name and region for configuring the integration in Veza. The trail must include S3, Secret Manager, and IAM events.
If Veza cannot use an existing Trail, see for the current instructions from AWS.

Step 2: Update AWS integration permissions

To enable Audit Log Extraction and Activity Monitoring for several AWS account integrations in Veza, you will need to update the within each AWS account to grant access to the S3 bucket and trail.

The AWS IAM Policy used by each Veza-AWS integration must grant permissions to read CloudTrail metadata, and list and retrieve objects in the S3 bucket and path where the CloudTrail logs are stored.

Follow the instructions below for organization or account trails, depending on your AWS architecture.

To update the integration trust policy:

On the AWS IAM Console, open the Policies page and locate the one used by the Veza-AWS Integration.
Search for the following SID, and create it if necessary:
This is required to discover if trails exist in the AWS account. Creating an AWS integration using the recommended policy includes the CloudTrail statement by default.
Enable access to account and organization-level cloud trails, using the examples below.

Policy for audit log extraction

Update the integration IAM policy for the account where the organization trails resides to include the following statement. Depending on your environment, this could be the management account, or a dedicated log archive account. The following statement will allow Veza read access to retrieve logs from S3:

To configure Activity Monitoring, use the organization trail ARN to for accounts in the organization where you want to enable monitoring. Choose "Extract for Organization" for the account where logs are stored. For other accounts in the organization, enter the trail ARN and select "Skip Extraction".

See for more on configuring organization trails in AWS.

To enable audit logs for multiple AWS accounts with account-level trails configured, each AWS account integration must have read permissions to discover trails and retrieve logs from S3.

See for more information about account-level trails.

Integration trust policy

For each account where you want to enable activity monitoring, update the integration policy to include the statement:

Step 3: Enable Audit Logs for the AWS Integration

In Veza, enable audit logs for each account where activity monitoring will be active:

On the Veza Integrations page, go to the Integrations page and click Enable Audit Logs next to the name of the AWS integration.
In the modal, enter the values from AWS:
- The name of the Trail Veza will connect to, e.g., veza_s3_monitoring. For Organization trails, use the full ARN as the name, or when the trail is owned by an account other than the integration account.

iManage

Configuring the Veza integration for iManage

Overview

The Veza integration for iManage connects to the work management platform to discover users, their groups and roles, and the shared libraries they can access. Use the integration to:

Search for employees with access to data in iManage, based on their group and role assignments.
Review user permissions within iManage based on groups, roles, or the resources they can access.
Filter queries and create alert rules based on the authorization metadata discovered by Veza.

To configure the integration, you must enable the Veza - iManage Integration app for your organization's iManage account and add the integration to Veza using the app's credentials.

See for more details.

Configuring iManage

The integration requires a custom application installed by the iManage team.

For customers who use iManage Cloud, request an application for your account by emailing .

For self-managed iManage, create an app registration for your app in Control Center. Ensure the application is configured to use the OAuth2 client_id and secret. Note the values for the configuration steps below.

Once the app is installed, you can log in to iManage to get the application client ID. The client secret will be provided to the email requesting the custom application from iManage's team.

Request the Veza - iManage Integration app. The app must have access to the iManage Control Center.
Log in to iManage. Your account needs the App Management, Group Management, Role Management, and User Management privileges to access and use the integration.
The user must have access to the Veza - iManage Integration application to get Client ID and Client Secret for configuration.

Add an iManage integration to Veza

To configure the iManage integration in Veza:

Log in to your Veza instance.
Choose Integrations from the main navigation to open the overview page.
In the main pane, click Add Integration.
Choose iManage

Notes and Supported Entities

Veza represents identities and access within iManage with the following graph entities:

iManage Customer → iManage Application
iManage Library → iManage Resource
iManage Group & Library Group → iManage Group
iManage User & Library User → iManage User

User Attributes

allow_logon: Indicates if the user is allowed to sign in. If true, the user is allowed to sign in. If false, the user is not allowed to sign in.
create_date: User’s created date.
last_modified_at: User’s edit date. (Custom Property: Yes, Used field edit_date)

Group Attributes

id: Group’s ID.
full_name: Group's name.
group_number: Group’s Number.
create_date: Group’s Creation time.

Role Attributes

id: Role's ID.
name: Role's name.
description: Indicates the description of the role.
database: Indicates the database of the role.

Permission Attributes

app_management: Either admin or no_access.
encryption_management: Either admin or no_access.

LDAP

Configuring the Veza integration for LDAP directories.

Overview

Veza provides a generic LDAP integration to connect to directory services that support the Lightweight Directory Access Protocol (LDAP). This integration enables you to discover users, groups, and their relationships within your LDAP directory and map them to the Veza access graph.

The LDAP integration provides centralized identity discovery, group membership analysis, cross-system identity correlation, and organizational context. The generic nature of this integration allows it to work with any LDAPv3-compliant directory service, including OpenLDAP, Red Hat Identity Manager, Oracle Unified Directory, IBM Directory Server, and ForgeRock Directory Services.

Prerequisites

To configure a new LDAP integration, you will need:

The LDAP server hostname or IP address and port (typically 389 for LDAP or 636 for LDAPS)
A username and password for an LDAP user with read access to the directory
For LDAPS (recommended): SSL/TLS certificate used by the LDAP server
The base DN for the directory search (example: dc=example,dc=com)

Required LDAP Operations

The Veza LDAP connector performs these operations on your directory:

Authentication: Binds to the LDAP server using the configured service account credentials.

User Discovery: Executes subtree searches from the Base DN to find all entities matching the specified Users Object Class (e.g., person, inetOrgPerson).

Group Discovery: Performs subtree searches to identify group entities using configurable object classes (default: groupOfUniqueNames, also supports groupOfNames and others), and extracts membership information using the appropriate member attribute.

Attribute Reading: Retrieves specific attributes from discovered users and groups to populate the Veza access graph with identity and relationship data.

Required Attributes

The integration reads these attributes from your LDAP directory:

Entity Type

Required Attributes

Optional Attributes

Purpose

*The member attribute is automatically determined based on the group object class: uniqueMember for groupOfUniqueNames, member for groupOfNames, or can be explicitly configured.

Configuration

Configure the LDAP integration in Veza to connect to your directory server and begin discovering identity data.

In Veza, go to the Integrations page.
Click Add Integration and search for "LDAP". Click on the LDAP tile to open the integration configuration.
Complete the required configuration parameters detailed below.
Click Create Integration to save and create the integration.

Configuration Parameters

Parameter

Required

Type

Description

Mapping Configuration: Define how identities or groups map to each other. This optional section allows you to configure between your LDAP directory and other integrated systems.

Configuration Best Practices

LDAP URL Format: If no protocol is specified, ldaps:// is automatically added for security. Always use LDAPS when possible for encrypted communication.

Multiple Object Classes: For Users Object Class, you can specify multiple classes separated by commas (e.g., person,inetOrgPerson) to accommodate mixed environments.

Group Object Class Flexibility: The integration supports different LDAP group implementations. By default, it uses groupOfUniqueNames with uniqueMember attributes, but can be configured for groupOfNames with member attributes, or other custom group schemas. This enables compatibility with various LDAP implementations including Red Hat Identity Manager.

Custom Properties: All custom property lists use semicolon (;) separators. For optimal performance, only gather essential custom attributes.

Included Groups: Use full DN format with semicolon separators (e.g., ou=Engineering,dc=example,dc=com;ou=Sales,dc=example,dc=com) to limit scope and improve extraction performance.

Custom Properties

The LDAP integration supports extracting custom user attributes beyond the standard LDAP schema. To include custom attributes during discovery, specify them by name and data type in the integration configuration.

For example, if your LDAP directory includes a custom attribute for employee department, you can use this information for by adding it to the configuration.

Configuration: Add custom attribute names (semicolon-separated) to the appropriate field based on data type:

Custom String Properties: Text-based attributes (e.g., department, title, telephoneNumber)
Custom Number Properties: Numeric attributes (e.g., employeeNumber, uidNumber)

The specified attributes will appear on Access Graph entities after the next extraction, enabling Search, Rules, and Access Reviews based on the values.

Red Hat Identity Manager

Groups Object Class: groupOfNames
Group Member Attribute: member (or leave blank for auto-detection)

Advanced Configuration Options

Filtering and Scoping: Use the "Included Groups" parameter to limit extraction scope to specific organizational units. This improves performance and focuses the integration on relevant directory sections.

Performance Optimization: For large directories with 100,000+ users, use "Included Groups" to limit scope to relevant organizational units, limit custom properties to essential attributes only, and monitor extraction performance through the Veza integrations dashboard.

See for detailed information about supported entities and schema variations.

See for platform-specific LDAP server setup guidance.

Notes & Supported Entities

Supported entity types and more information about the Veza-Google connector.

Veza integrates with Google to parse service and resource metadata using native workspace and project APIs, using a service account with read-only permissions.

Veza creates entities in the data catalog to represent the discovered projects, services, resources, and identities.

The identities, resources, and authorization relationships that Veza discovers are limited by the service account role, the project APIs you have enabled, and any limits set on data source extraction.

Cross-Service Connections

Veza discovers authorization relationships for federated Azure AD and Okta users with permissions on Google Cloud Platform resources. These correlations are made based on user and and groups assignment to the Google Cloud and Google Cloud SSO Okta Apps and AzureAD Enterprise Applications.

For Okta domains configured to sync to Google Workspace, entities are mapped based on user email address or group name.
For Azure RBAC users, mapping can use email address, name, or service principal. Groups are mapped by name.

Supported Entities

Workspace, Group, and Domain Entities

The Google integration supports the following entities are part of the IAM and Workspace services which are enabled by default:

Google Domains
Google Organization Unit
Google User
Google Workspace Account

Google Cloud Project Entities

Organization
Project
Folder
Service Account

Google Cloud Storage Entities

For projects with the Cloud Storage API enabled:

Storage Service
Storage Bucket

Google Cloud Compute Entities

For projects with the Compute Engine API enabled:

Compute Service
Subnet
VPC
Virtual Machine

Key Management Service Entities

For projects with the KMS API enabled:

KMS Service
KMS Key Ring
KMS Key

BigQuery Entities

For projects with the BigQuery API enabled:

BigQuery Service
BigQuery Dataset
BigQuery Table

Cloud Run

Google Cloud Run Service
- parent_id: ID of the parent project, e.g. projects/696313754797
- google_cloud_organization_name: Organization name, e.g. organizations/475292842812

Google Kubernetes Engine

Veza automatically discovers the following Kubernetes entities and attributes. To discover cluster-level permissions, use the dedicated integration.

Google Kubernetes Engine Service
- parent_id: ID of the parent project, e.g. projects/696313754797
- google_cloud_organization_name: Organization name, e.g. organizations/475292842812

Cloud SQL Entities

Veza discovers the following entities and attributes when provided optional :

Google Cloud SQL Service
- parent_id: ID of the parent project, such as projects/696313754797
- google_cloud_organization_name: Organization name, such as organizations/475292842812

Vertex AI Entities

Veza discovers the following entities and attributes for projects with the Vertex AI API enabled and when provided optional :

Vertex AI Service
- parent_id: ID of the parent project, such as projects/696313754797
- google_cloud_organization_name: Organization name, such as organizations/475292842812

Vertex AI Reasoning Engines represent AI agents that execute custom code and tools. They are classified as non-human identities and have connections to Google Cloud IAM Service Accounts. Vertex AI Endpoints use Vertex AI Models for serving predictions and support resource-level IAM policies. The integration supports effective permission analysis across 1,249+ Vertex AI-specific permissions.

Effective Permissions

Google Cloud IAM Effective Permission

Effective Permissions represents the C/R/U/D data and non-data actions a principal can take on a resource. Using , specify an EP to show only users who can take those actions. Click Explain Effective Permissions on an un-grouped EP node to show the native actions it represents.

Google Workspace User Active Status

The Is Active property for a Google Workspace user is determined by their suspended and archived status. A user is considered Is Active: true unless their account is either suspended or archived.

If a user's suspended property is true or their archived property is true, their Is Active status will be false. The Is Suspended and Is Archived attributes can be used for more granular filtering.

Oracle Database (AWS RDS)

Configuring the Veza integration for Oracle Database on AWS RDS.

Overview

Veza supports Oracle Database on AWS RDS as part of the AWS integration. When enabled for an AWS integration, Veza will discover Oracle Database instances and clusters in the account, and connect to each database to extract authorization metadata.

This document includes steps to enable Oracle Database extraction for a configured AWS integration. See Notes and Supported Entities for more information about the metadata collected by Veza.

Configure Oracle Database discovery for AWS RDS

To discover Oracle Database on RDS, you will need:

An enabled for the host AWS account.
A local database user created in each Oracle database to discover, including any tenant databases.
An is recommended for secure communication between Veza and the databases to extract. The parent AWS integration should be configured to use this insight point.

Update Veza-AWS extraction policy

In the AWS account console, ensure that the includes the rds:DescribeTenantDatabases capability. The RDS section should look like:

Create local database users

Create a local user in each Oracle database to discover (including tenant databases):

Log in to the Oracle Database instance as an administrator.
Create a local user. This user must have the same name and password for all Oracle databases the integration will discover.
Grant permissions: GRANT SELECT ANY DICTIONARY TO veza_db_user;
Repeat this process for each database to extract authorization metadata.

Enable Oracle Database discovery and extraction

In Veza, go to the Integrations page.
Search for the parent AWS account integration and click Edit.
In the configuration, check that the DB User matches the name of the user you created.
Enter the user Password.

Connection Security

AWS RDS Oracle instances can require SSL/TLS encrypted connections depending on your RDS instance configuration. The integration supports three connection security modes for RDS Oracle databases.

TLS with CA Certificate

The integration establishes an encrypted TLS connection using a CA certificate to verify the RDS Oracle server's identity. Upload a PEM-encoded CA certificate file (.pem, maximum 1MB) through the integration configuration interface. AWS provides RDS certificate bundles that can be downloaded from the . The integration automatically detects whether your RDS instances use port 1521 (standard) or 2484 (SSL/TLS default) and negotiates appropriate TLS protocol versions.

To configure TLS with a CA certificate, select TLS from the Connection Security dropdown and upload your CA certificate file when prompted.

Oracle Wallet

The integration establishes an encrypted connection using an Oracle Wallet file. Upload an auto-login wallet file (cwallet.sso, maximum 1MB) that contains the necessary certificates, private keys, and trusted Certificate Authorities. This method is less common for RDS deployments but supported for organizations that standardize on Oracle Wallet across all Oracle database types.

To configure Oracle Wallet authentication, select Oracle Wallet from the Connection Security dropdown and upload your wallet file when prompted.

Default (Unencrypted)

The integration connects without SSL/TLS encryption. Database credentials and authorization metadata are transmitted in cleartext. This mode should only be used for development or testing RDS instances that do not process sensitive data.

Notes and Supported Entities

The AWS integration discovers RDS Services, RDS Clusters, and RDS Instances, which can be RDS Oracle instances. These can contain a single Oracle DB Database, or multiple tenant databases, modeled with the following graph entities:

OracleDB Database

Represents an Oracle database instance. Multitenant configurations can have more than one database within a single RDS Oracle instance.

Attribute

Description

OracleDB Object Privilege Grants

Represents the privilege grants for objects in the Oracle database. These are granted explicitly to Users and Roles and apply to specific Tables.

Attribute

Description

There are no explicit privileges over schemas in OracleDB versions currently supported by AWS. Each user owns their own schema, created for each user.

Note that Column privileges are not yet modeled. Schema privileges are only available in Oracle DB version 23 (not currently supported on AWS RDS).

OracleDB Roles

Represents the roles defined within the Oracle database. Roles describe Object Privilege Grants that enable specific actions on tables. OracleDB roles can assume other roles.

Attribute

Description

OracleDB Schema

Represents a schema within the Oracle database. A schema within an OracleDB Database contains individual tables. Users can be assigned to Schema as owners.

Attribute

Description

OracleDB User

Represents a user within the Oracle database. OracleDB Users are local accounts within a database.

Attribute

Description

OracleDB Table

Represents a table within the Oracle database. Veza shows effective permissions from OracleDB Users to OracleDB Tables.

Attribute

Description

Custom Date Properties: Date/timestamp attributes (e.g., accountExpires, pwdLastSet)

createCollection

{
  "secrets": [{
    "resource_id": "mysql:db.example.com:3306",
    "secret_id": "arn:aws:secretsmanager:us-east-1:123456789012:secret:mysql-creds",
    "aws_assume_role_name": "veza-secrets-access-role",
    "aws_assume_role_external_id": "veza-external-id-12345"
  }]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::276883211366:role/live-insight-point"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "your-external-id-here"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::276883211366:role/staginglive-insight-point"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "your-external-id-here"
                }
            }
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "secretsmanager:GetSecretValue",
            "kms:Decrypt"
        ],
        "Resource": [
            "arn:aws:secretsmanager:region:account-id:secret:*",
            "arn:aws:kms:region:account-id:key/*"
        ]
    }]
}

{
  "secrets": [
    {
      "resource_id": "mysql:db1.example.com:3306",
      "secret_id": "arn:aws:secretsmanager:us-east-1:123456789012:secret:mysql-db1"
    },
    {
      "resource_id": "postgresql:db2.example.com:5432",
      "secret_id": "arn:aws:secretsmanager:us-east-1:123456789012:secret:postgres-db2"
    }
  ]
}

curl -X PUT 'https://your-veza.com/api/private/providers/{provider_id}/secrets' \
  -H 'Authorization: Bearer YOUR_API_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{
    "secrets": [{
      "resource_id": "mysql:db.example.com:3306",
      "secret_id": "arn:aws:secretsmanager:us-east-1:123456789012:secret:mysql-creds",
      "aws_assume_role_name": "veza-secrets-access-role",
      "aws_assume_role_external_id": "veza-external-id-12345"
    }]
  }'

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DocumentDBClusterDiscovery",
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBClusters",
        "docdb-elastic:ListClusters",
        "docdb-elastic:GetCluster"
      ],
      "Resource": "*"
    }
  ]
}

use admin

db.createRole(
   {
     role: "veza-extractor-role",
     privileges: [
       { resource: { cluster: true }, actions: [ "listDatabases" ] },
       { resource: { db: "", collection: "system.users" }, actions: [ "find" ] },
       { resource: { db: "", collection: "" }, actions: [ "viewRole" ] }
     ],
     roles: []
   }
)

db.createUser(
  {
    user: "veza-extractor-user",
    pwd: passwordPrompt(),  // or cleartext password
    roles: [
       { role: "veza-extractor-role", db: "admin" }
    ]
  }
)

admin

no_access

Notes & Supported Entities

Supported entity types and more information about the Veza-Azure connector.

Veza integrates with Azure to parse service and resource metadata using Microsoft Graph APIs, connecting as an Enterprise Application granted read-only permissions. Veza creates entities in the data catalog to represent the discovered tenants, subscriptions, resources, and identities.

You can interact with the catalog using Veza's search interfaces, or get immediate insights using built-in reporting queries.

See the sections in this document for more information about the supported entity types for Microsoft Azure:

User Risk Information

Veza can collect and display risk information for users in your Azure AD tenant. This includes the user's risk level, risk state, risk details, and when the risk status was last updated. This feature requires a Microsoft Entra ID P2 license and the IdentityRiskyUser.Read.All permission for the Microsoft Graph API.

The following risk-related properties are collected:

riskLevel: Indicates the level of risk for the user (low, medium, high, hidden, none)
riskState: Shows the current state of the user's risk (none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised)
riskDetail: Provides detailed information about the risk state

This information can help identify and monitor potentially compromised or risky user accounts in your Azure AD environment.

Azure CosmosDB Support

The integration supports Azure CosmosDB NoSQL databases, for visibility into database accounts, role assignments, and access patterns. The integration discovers:

CosmosDB Account Services
Database Accounts
SQL Role Definitions and Assignments
Effective Permissions

CosmosDB extraction is disabled by default. To enable this functionality:

When configuring the Azure integration, select "Limited services" under Limit Services
In the services selection list, choose "Azure CosmosDB" along with all other services you want to extract.

Authorization & Access

CosmosDB uses three authorization mechanisms:

Role-Based Access Control (RBAC) with Azure Active Directory
Primary/Secondary Keys
Resource Tokens

Veza focuses on RBAC permissions to show connections between Azure AD identities and CosmosDB resources. This provides visibility into:

Which users and groups have access to CosmosDB accounts and databases
How these permissions are assigned through role memberships
The effective permissions users have on CosmosDB resources

Scope & Limitations

Only CosmosDB NoSQL (core) API accounts are supported at present
Container-level resources and permissions are not included in extraction
Database-level users and permissions typically used for application end-users are not extracted

Required Permissions

The Veza service principal needs the Cosmos DB Account Reader role for extraction, which provides access to:

Microsoft.DocumentDB/databaseAccounts/read
Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/read
Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/read

These permissions allow Veza to discover core CosmosDB resources. No additional Microsoft Graph API permissions are required beyond the standard set used for Azure integration.

Azure RBAC

Azure Subscription
Azure Tenant
Azure Management Group
Azure Resource Group

Azure Cloud Infrastructure

Azure Infrastructure Service
Azure Virtual Machine
Azure Virtual Network
Network Security Group

Azure AD

AzureAD entities appear on left in Access Graph results, and can have federated access (cross-service connections) to external resources such as Snowflake tables or AWS S3 buckets.

If Veza cannot automatically detect your single sign-on configuration, you can add a to correlate Azure AD users with local accounts in other integrations.

Azure AD Domain
Azure AD User
Azure AD Group
Azure AD Role

An Azure AD Premium P1/P2 license is required to gather Azure AD User last login dates. The Veza integration must also have the AuditLog.Read.All graph permission.

If your organization uses Azure AD as an identity provider, but no other services, you might want to to skip extracting unnecessary resources.

SharePoint Online

To enable optional discovery of SharePoint Online, you will need to upload a valid LDAP certificate and ensure the service account has the required API permissions. See for more details.

SharePoint Online (service)
SharePoint User
SharePoint Group
SharePoint Site

Storage

Azure Blob Service
Azure Blob Container
Datalake Filesystem
Datalake Directory

Azure Data Lake

No additional configuration is needed to discover Azure Data Lake Storage (ADLS). You can enable or disable ADLS as a data source using the provider configuration menu for the Azure tenant Select Services to Enable.

ADLS Gen. 1 is not supported. The max directory extraction depth is 2 levels.
Storage accounts have new properties: allowBlobPublicAcccess, allowSharedKeyAccess (default value null is equivalent to false), is_adls_gen2_enabled

Azure SQL

To collect granular authorization for each Azure SQL database, you will need to create a local SQL user that Veza can use to execute read-only queries. See for instructions to create a SQL database user for Veza.

SQL Server Service
SQL Server Instance
SQL Server Login
SQL Server Role

Microsoft Intune

Microsoft Intune requires .

Intune Managed Device
Intune Role Assignment
Intune Role
Intune Resource Action

Microsoft Teams

The Azure integration can discover teams, channels, and guest users for Microsoft Teams, providing visibility into your Azure AD user and group permissions on shared resources, and access for external organization users.

Required permissions:

Team.ReadBasic.All
TeamMember.Read.All
Channel.ReadBasic.All

Supported entities:

Team
Channel
External Organization User
- Represents a team or channel member from an external organization, which might not exist as a discovered Azure AD User.

Note that the following metadata is not available from the current version of Graph API:

Membership Settings For Shared And Private Channels
Public Channel Moderators

Microsoft Copilot Studio

Microsoft Copilot Studio integration discovers AI bots (Copilots) and their components within Power Platform environments. This integration requires Dynamics 365 environments to be configured.

Prerequisites:

Dynamics 365 environments must be configured in the Azure integration
The service principal requires Dynamics CRM API access with user_impersonation scope

Supported entities:

Microsoft Copilot Studio Bot
Microsoft Copilot Studio Topic
Microsoft Copilot Studio Action
Microsoft Copilot Studio Custom GPT

The integration maps permissions through Azure Dynamics 365 security roles, providing visibility into who can access, modify, or invoke conversational AI bots. Both system-level permissions (Owner, Service Principal) and role-based access control through Dynamics 365 security roles with depth-level scoping (Global/Deep/Local/Basic) are supported.

Microsoft Dynamics 365 CRM

Configuring the Veza integration for Microsoft Dynamics 365 CRM

Veza's integration with Microsoft Dynamics 365 CRM allows you to discover and visualize permissions data from your Dynamics 365 CRM environments, including Business Units, Users, Teams, Application Users, and Security Roles. This integration shows connections between Azure AD Users, Groups, and Service Principals, and the permissions they can assume within Dynamics 365 CRM.

Prerequisites

Before setting up the Dynamics 365 CRM integration:

Complete the Microsoft Azure integration guide. The integration will use the enterprise application created during setup.

Finding the Dynamics 365 CRM Environment URL

When configuring the Dynamics 365 CRM integration, you must provide the correct URL, which can be found on the organizations page:

Log in to
Click on Environments
Select the Environment you are integrating
Locate the URL shown under the Environment URL field (the top field)

Important: URLs must include the https:// protocol and must NOT include any trailing slashes at the end. For example, use https://org1.crm.dynamics.com not https://org1.crm.dynamics.com/.

Grant Azure AD Enterprise Application access to Dynamics 365 CRM

In order for Veza to extract Dynamics 365 CRM data, you need to grant your Azure AD Enterprise Application access to the Dynamics 365 environments:

Visit and choose the environment to connect to
Go to Settings > Users + Permissions > Application Users and click New app user
Select the Microsoft Azure AD enterprise application you created during Azure integration setup
Pick the Business unit and assign a Service Reader

Enabling Enterprise App to access your Dynamics 365 CRM Environment does not use a paid license.

Configure Dynamics 365 CRM in Veza

After setting up the necessary permissions:

Log in to Veza and navigate to Integrations
Edit your existing Microsoft Azure integration (or add a new one)
In the Dynamics 365 CRM Environments field, enter a comma-separated list of environments to discover
- Example: https://org1.crm.dynamics.com,https://org2.crm.dynamics.com

Integration Architecture

The Dynamics 365 CRM integration operates as part of the Microsoft Azure integration rather than as a standalone connector. It leverages the same Enterprise Application credentials used for the Azure integration to access Dynamics 365 CRM environments.

The integration discovers organizational structure, security roles, and permission assignments within Dynamics 365 CRM environments and maps them to Azure AD identities. This allows you to visualize which Azure AD users, groups, and applications have access to Dynamics 365 CRM resources.

Supported Entities and Attributes

Veza discovers the following resources and permissions in Dynamics 365 CRM:

Environment

The Dynamics 365 CRM environment serves as the top-level container for all CRM resources.

Type: Dynamics365Environment
Key Properties:
- environment_url - The URL used to access the environment

Business Units

Business Units are organizational divisions that structure a company within Dynamics 365, separating access to business data while sharing core information.

Type: Dynamics365BusinessUnit
Key Properties:
- cost_center - Cost center associated with the business unit

Users

Users represent people who access the Dynamics 365 system, mapped to Azure AD accounts, with permissions defined by their security roles and business unit assignments.

Type: Dynamics365User
Key Properties:
- access_mode - User's access mode (read-write, admin, etc.)

Teams

Teams are groups of users who share common access permissions, providing a way to manage access across business functions or project boundaries.

Type: Dynamics365Team
Key Properties:
- azure_ad_object_id - Azure AD object ID for teams mapped to Azure AD groups

Application Users

Application Users represent non-interactive service accounts or applications that need programmatic access to Dynamics 365 data using service principals.

Type: Dynamics365ApplicationUser
Key Properties:
- application_user_id - Unique identifier for the application user

Security Roles

Security Roles define permission sets that control which actions users can perform on different record types, determining create, read, write, and delete access levels.

Type: Dynamics365SecurityRole
Key Properties:
- is_inherited - Whether the security role is inherited

Relationship Types

The Dynamics 365 CRM integration discovers the following relationship types:

Relationship

Description

Technical Limitations

The integration currently does not support custom entity types in Dynamics 365 CRM
Field-level security permissions are not currently extracted
Limited to API-accessible security metadata; does not include permissions managed through custom code

Troubleshooting

If you encounter issues connecting to your Dynamics 365 CRM environment:

Verify the URL is formatted correctly with https:// and no trailing /
Confirm the Azure AD Enterprise Application has been properly set up as an Application User in Dynamics 365
Ensure the Application User has at least the Service Reader security role

For more details about managing application users in Power Platform, see the Microsoft documentation:

{
  "Sid": "CloudTrail",
  "Effect": "Allow",
  "Action": [
    "cloudtrail:GetTrail"
  ],
  "Resource": "*"
},
{
  "Sid": "CloudTrail-S3",
  "Effect": "Allow",
  "Action": [
    "s3:GetObject",
    "s3:ListBucket"
  ],
  "Resource": [
    "arn:aws:s3:::<bucket name>/AWSLogs/<organization id>/*",
    "arn:aws:s3:::<bucket name>"
  ]
}

{
  "Sid": "CloudTrail-S3",
  "Effect": "Allow",
  "Action": [
    "s3:GetObject",
    "s3:ListBucket"
  ],
  "Resource": [
     "arn:aws:s3:::<bucket name>/AWSLogs/<path to the files for the veza account>/*",
     "arn:aws:s3:::<bucket name>"
  ]
}

{
  "Sid": "sid",
  "Effect": "Allow",
  "Principal": {
    "AWS": "<ARN of the Veza user or role>"
  },
  "Action": [
    "s3:GetObject"
  ],
  "Resource": "arn:aws:s3:::<bucket name>/AWSLogs/<path to the files for the veza account>/*",
}
{
  "Sid": "sid",
  "Effect": "Allow",
  "Principal": {
    "AWS": "<ARN of the Veza user or role>"
  },
  "Action": [
    "s3:ListBucket",
  ],
  "Resource": [
    "arn:aws:s3:::<bucket name>"
  ]
}

To: [email protected]
Subject: Veza – iManage Integration for <CompanyName> in cloudimanage.com

Body: Please create a new Veza – iManage Integration application for <CompanyName> in cloudimanage.com
Name: Veza – iManage Integration
Customer Name: ______
Customer/Tenant ID: ______
Redirect URL (if applicable): ______

CREATE ROLE <ROLENAME> WITH PASSWORD = <PASSWORD> AND LOGIN = true;
GRANT SELECT ON system_schema.keyspaces TO <ROLENAME>;
GRANT SELECT ON system_schema.tables TO <ROLENAME>;
GRANT SELECT ON system_auth.roles TO <ROLENAME>;
GRANT SELECT ON system_auth.role_permissions TO <ROLENAME>;

Microsoft.DocumentDB/databaseAccounts/databases/read

publicAccess

ChannelMember.Read.All

environment_id - Unique identifier for the environment

description - Description of the business unit

application_id - Associated application ID (if applicable)

administrator_id - ID of the team administrator

application_type - Type of application

is_managed - Whether the security role is managed

# Test LDAP bind and search capabilities
ldapsearch -x -H ldaps://your-ldap-server:636 \
    -D "cn=veza-service,ou=serviceaccounts,dc=example,dc=com" \
    -W -b "dc=example,dc=com" \
    "(objectClass=person)" cn displayName mail

Database Application

Import identity and authorization data from databases into Veza

Overview

Use the Database Application integration to incorporate identity and authorization metadata from sources that do not have built-in Veza connectors but can export or provide data as the result of a SQL query.

You can create a Database Application integration in Veza to:

Import user and authorization data from legacy or custom applications
Integrate with SaaS applications backed by a database
Model employee access to bespoke or specialized systems

The integration uses the Open Authorization API (OAA) to map database query results to the OAA Application template.

The Application template models users, groups, roles, and resources across applications for a wide variety of authorization use cases. An introduction to the Application Template .

When to use the Database Application integration

The Database Application integration is ideal for systems that do not provide REST API access to authorization metadata but store that data in a SQL database.

Legacy applications with user and role tables
Custom business applications built in-house
Other specialized industry tools without native APIs that are backed by a SQL database

The Database Application integration enables modeling identity and permissions metadata for any application not natively supported by Veza with flexible column mapping, custom properties, and support for popular SQL servers.

Adding a Database Application integration

Prerequisites

To create a Database Application integration, you will need:

The connection details for the SQL host (including server type, hostname, port, and credentials)
A read-only SQL query that returns the information to be included in the integration
- This query can be as simple as SELECT * from <table_name> or a complex query that includes multiple joins and named columns.

For more information about Veza user roles and permissions, see .

Supported SQL server types

The Database Application integration supports connecting to the following SQL server types:

Microsoft SQL Server
MySQL / MariaDB
Oracle Database
PostgreSQL

Create a Database Application integration

To create a new Database Application integration:

Navigate to Integrations > Add Integration
Choose Database Application from the options
Enter an integration name
- Use a title that uniquely identifies this integration source

Column mapping

The Database Application integration allows you to map columns in your SQL query result to specific Veza attributes.

For each column provided by the result, you should:

Click Add Column Definition
Provide the name of the column from the SQL query result
Select the target entity type for mapping (available entities depend on the selected template)
Select the specific entity attribute to map to (only attributes applicable to the selected entity type will be shown)

Supported entity types and attributes

For all entities, an ID or Name is required. If ID is not provided, Name is automatically used as the unique identifier for the entity. Both are also supported.

The available entity types and attributes depend on the template you select. Each template supports different entity types.

Application Template Entities

User Attributes

Attribute

Description

Group Attributes

Attribute

Description

Role Attributes

Attribute

Description

Resource Attributes

Attribute

Description

Note: Resource Type is configured at the Application template level (not per-column mapping) and applies to all resources created by this integration.

Data type handling

Boolean values

The following values are treated as TRUE (case-insensitive):

true, t
yes, y
1

Any other value is treated as FALSE.

Timestamp formats

Veza supports standard timestamp formats:

2023-04-12T15:34:56.123456789Z (RFC3339 with nanoseconds)
2006-01-02T15:04:05Z07:00 (RFC3339)
20060102150405 (Active Directory format)

Timestamps are considered unset when the value is never, null, none, false, 0 or empty. Invalid timestamps will result in a processing error.

String lists

For attributes that support lists (such as Role Name List, and Group Name List), values should be comma-separated within the cell and the list enclosed by quotes ".

Updating a Database Application integration

Incremental updates are not supported; you must submit the complete data set for each update.

⚠️ Warning: Configuration Updates

When updating the configuration fields or mappings for an existing Database Application integration, changes are not reflected until after the next SQL query extraction is processed. For example when updating the Application Type field, changing this field alone and saving the integration will not immediately change the type in the Veza system. The new type will not be available in graph or in other features such as Lifecycle Management (LCM) until after the next upload is processed.

Required Process for changing configurations:

Update mappings for an integration

Find the Database Application integration on the Veza Integrations page
Click the integration name to view details
Click Edit
In the integration configuration, click Edit above the table of current mappings

Processing rules

Multiple Rows per Entity: If the same entity (user, group, or role) exists in multiple rows, Veza processes them as follows:
- Properties are set based on the first row where the entity ID (or Name if it is being used as the unique ID) occurs
- For subsequent rows with the same identifier, only relationship assignments are processed (for example user to group, or user to role)

ALTER SESSION SET CONTAINER=CDB$ROOT;
CREATE USER c##veza_db_user IDENTIFIED BY password1223;
GRANT CREATE SESSION, ALTER SESSION TO c##veza_db_user CONTAINER=ALL;
GRANT SELECT ANY DICTIONARY TO c##veza_db_user CONTAINER=ALL;
ALTER USER c##veza_db_user SET container_data=all CONTAINER=CURRENT;

-- Connect to CDB root for common user creation
ALTER SESSION SET CONTAINER=CDB$ROOT;

-- Create the lifecycle management user
CREATE USER c##veza_lcm_user IDENTIFIED BY your_secure_password;

-- Basic connection privileges
GRANT CREATE SESSION, ALTER SESSION TO c##veza_lcm_user CONTAINER=ALL;

-- Read privileges for data extraction and user/role discovery
GRANT SELECT ANY DICTIONARY TO c##veza_lcm_user CONTAINER=ALL;

-- User management privileges
GRANT CREATE USER TO c##veza_lcm_user CONTAINER=ALL;
GRANT DROP USER TO c##veza_lcm_user CONTAINER=ALL;
GRANT ALTER USER TO c##veza_lcm_user CONTAINER=ALL;

-- Role management privileges
GRANT CREATE ROLE TO c##veza_lcm_user CONTAINER=ALL;
-- Note: DROP ROLE privilege doesn't exist - CREATE ROLE allows both create and drop
GRANT GRANT ANY ROLE TO c##veza_lcm_user CONTAINER=ALL;

-- System privilege management (for granting CREATE SESSION to new users)
GRANT GRANT ANY PRIVILEGE TO c##veza_lcm_user CONTAINER=ALL;

-- Container data access for multi-tenant environments
ALTER USER c##veza_lcm_user SET container_data=all CONTAINER=CURRENT;

name

2006-01-30 15:04:05Z07:00

-- Create a new user
CREATE USER ebs_integration IDENTIFIED BY "Password123"
DEFAULT TABLESPACE users
TEMPORARY TABLESPACE temp
QUOTA UNLIMITED ON users;

-- Grant basic connect role
GRANT CREATE SESSION TO ebs_integration;

-- Grant object permissions
GRANT SELECT ON apps.FND_APPLICATION_VL TO ebs_integration;
GRANT SELECT ON apps.FND_CONCURRENT_PROGRAMS_VL TO ebs_integration;
GRANT SELECT ON apps.FND_FORM_FUNCTIONS_VL TO ebs_integration;
GRANT SELECT ON apps.FND_MENU_ENTRIES_VL TO ebs_integration;
GRANT SELECT ON apps.FND_MENUS_VL TO ebs_integration;
GRANT SELECT ON apps.FND_PROFILE_OPTIONS_VL TO ebs_integration;
GRANT SELECT ON apps.FND_PROFILE_OPTION_VALUES TO ebs_integration;
GRANT SELECT ON apps.FND_REQUEST_GROUPS TO ebs_integration;
GRANT SELECT ON apps.FND_REQUEST_GROUP_UNITS TO ebs_integration;
GRANT SELECT ON apps.FND_REQUEST_SET_PROGRAMS TO ebs_integration;
GRANT SELECT ON apps.FND_REQUEST_SETS_VL TO ebs_integration;
GRANT SELECT ON apps.FND_REQUEST_SET_STAGES_VL TO ebs_integration;
GRANT SELECT ON apps.FND_RESPONSIBILITY_VL TO ebs_integration;
GRANT SELECT ON apps.FND_RESP_FUNCTIONS TO ebs_integration;
GRANT SELECT ON apps.FND_USER TO ebs_integration;
GRANT SELECT ON apps.GL_ACCESS_SETS TO ebs_integration;
GRANT SELECT ON apps.GL_ACCESS_SET_NORM_ASSIGN TO ebs_integration;
GRANT SELECT ON apps.GL_LEDGERS TO ebs_integration;
GRANT SELECT ON apps.GL_LEDGER_SETS_V TO ebs_integration;
GRANT SELECT ON apps.GL_LEDGER_SET_NORM_ASSIGN TO ebs_integration;
GRANT SELECT ON apps.HR_OPERATING_UNITS TO ebs_integration;
GRANT SELECT ON apps.ORG_ORGANIZATION_DEFINITIONS TO ebs_integration;
GRANT SELECT ON apps.PER_ALL_PEOPLE_F TO ebs_integration;
GRANT SELECT ON apps.PER_SECURITY_ORGANIZATIONS TO ebs_integration;
GRANT SELECT ON apps.PER_SECURITY_PROFILES_V TO ebs_integration;
GRANT SELECT ON apps.WF_ROLES TO ebs_integration;
GRANT SELECT ON apps.WF_ROLE_HIERARCHIES TO ebs_integration;
GRANT SELECT ON apps.WF_USER_ROLES TO ebs_integration;
GRANT SELECT ON apps.PO_AGENTS TO ebs_integration;

-- Create a profile with the SESSION_PER_USER limit
CREATE PROFILE ebs_integration_profile LIMIT
SESSIONS_PER_USER 5;

-- Assign this profile to the integration user
ALTER USER ebs_integration PROFILE ebs_integration_profile;

verify-ca - Require SSL and verify CA certificate

CSV Upload

Import identity and authorization data from CSV files into Veza

Overview

Use CSV Upload to integrate identity and authorization metadata from sources that don't have built-in Veza connectors, but can export or provide data in tabular format.

You can create a CSV integration in Veza to:

Import user and authorization data from legacy or custom applications
Integrate with SaaS applications that support CSV exports
Model employee access to homegrown or specialized systems
Upload employee metadata from your HRIS as a source of identity for Lifecycle Management workflows

The integration uses the Open Authorization API (OAA) to map CSV data to supported OAA templates:

Application - Models Users, Groups, Roles, and Resources across applications for a wide variety of authorization use cases. An introduction to the Application Template .
Human Resource Information Systems (HRIS) - Models employee information from HR sources for use with Lifecycle Management (LCM).

Application Template - Use Custom Applications to model business applications and access permissions:

Models Users, Groups, Roles, and Resources across applications
For example, you can upload user permissions from a homegrown CRM system, data store, or any other application users can access.

HRIS Template - Use for employee data from HR systems

Models employee information and organizational structure
For example, you can upload employee data for manager-based Access Reviews and automated provisioning with Lifecycle Management.

Which template should I choose? If your CSV contains information about who can access what resources, choose Application. If it contains employee information like departments and managers, choose HRIS.

Warning: Mapping Employment Status Properties with HRIS CSV

When manually mapping your HRIS CSV, use only one of the following two fields: is_active or employment_status to avoid misleading data on employment type.

When to Use CSV Integration

CSV integration is ideal for systems that export tabular data but lack dedicated Veza connectors:

Legacy applications with user permission exports
Custom business applications built in-house
HR systems for employee lifecycle management
Specialized industry tools without native APIs

CSV import enables modeling identity and permissions metadata for any application not natively supported by Veza, with flexible column mapping, custom properties, and support for multiple data formats.

Adding a CSV Integration

Prerequisites

To create an integration from CSV, you will need:

A CSV file containing relevant data with column headers
Sufficient permissions in Veza (Admin or OAA CSV Manager role)
Understanding of the data model for the source application
A plan for mapping between CSV columns and Veza attributes

For more information about user roles and permissions, see .

Format Requirements

CSV (Comma-Separated Values) is a widely used file format that stores tabular data in plain text. Each row represents a record or a relationship between entities (e.g., User to Role), and columns represent attributes.

When importing from CSV:

The first row must contain column headers
Each column can be mapped to a specific Veza attribute or custom attribute
Columns can be ignored after uploading the file
At minimum, you must map columns for unique identifiers (such as user ID or Name) for each entity type you plan to import (e.g., Users, Groups, Roles, or Employees).

Column Header Case Sensitivity: Column headers must be unique regardless of case. While the mapping interface is case-sensitive and may allow you to map columns with similar names like "Email" and "email", the import process is case-insensitive and will fail if duplicate column names exist with different casing. Ensure all column headers have distinct names.

Create a CSV Integration

To create a new CSV integration:

Go to Integrations > Add Integration
Choose Upload CSV from the options
Upload a logo for the provider (optional) - This will appear throughout the Veza UI, including in Graph search, to identify the integration and entity types.
Enter an integration name

CSV Column Mapping

The CSV integration allows you to map columns in your file to specific Veza attributes. After uploading the CSV, Veza automatically detects all columns and presents them for mapping.

For each column, you can:

Select to include or exclude the column
Select the target entity type for mapping (available entities depend on the selected template)
Select the specific entity attribute to map to (only attributes applicable to the selected entity type will be shown)
For custom properties, specify a name and data type

Example: Mapping CSV columns to Application template entities and attributes

For more examples and detailed mapping patterns, see .

Supported Entity Types and Attributes

For all entities, an ID or Name is required. If ID is not provided, Name is automatically used as the unique identifier for the entity. Both are also supported.

The available entity types and attributes depend on the template you select. Each template supports different entity types.

⚠️ Warning: Mapping Properties with HRIS CSV

When manually mapping your HRIS CSV, use only one of the following two fields: is_active or employment_status to avoid misleading data on employment type.

Application Template Entities

User Attributes

Attribute

Description

Group Attributes

Attribute

Description

Role Attributes

Attribute

Description

HR System Template Entities

Employee Attributes

Attribute

Description

Data Type Handling

Boolean Values

The following values are treated as TRUE (case-insensitive):

true, t
yes, y
1

Any other value is treated as FALSE.

Timestamp Formats

Veza supports multiple timestamp formats:

2023-04-12T15:34:56.123456789Z (RFC3339 with nanoseconds)
2006-01-02T15:04:05Z07:00 (RFC3339)
20060102150405 (Active Directory format)

Timestamps are considered unset when the value is never, null, none, false, 0 or empty. Invalid timestamps will result in a processing error.

String Lists

For attributes that support lists (like Role Name List, and Group Name List), values should be comma-separated within the cell and the list enclosude by quotes ".

Updating a CSV Integration

Incremental updates are not supported; you must submit the complete data set for each update.

⚠️ Warning: Configuration Updates

When updating the configuration fields or mappings for an existing CSV integration, changes are not reflected until after the next CSV Upload is processed. For example when updating the HRIS Type field, changing this field alone and saving the integration will not immediately change the type Veza system. Then new type will not be availble in graph or in other features such as Lifecycle Management (LCM) until after the next upload is processed.

Required Process for changing configurations:

Push new data for an existing integration

Find the CSV integration on the Veza Integrations page
Click on the integration name to view details
Under Data Sources, click Upload CSV
Select your updated CSV file and click Upload

Update mappings for an integration

Find the CSV integration on the Veza Integrations page
Click on the integration name to view details
Click Edit
In the integration configuration, click Edit above the table of current mappings

CSV Manager Role

Veza provides a limited privilege "CSV Manager" role for users that need permission to manage a CSV integration, but should not have access to other functionality in Veza.

Early Access Feature: The CSV Manager role is currently in early access and must be enabled by Veza support before it can be assigned to users. Contact your Customer Success Manager or submit a support request to enable this role.

Users with this role can:

Create new CSV integrations
Upload new CSV data
Edit existing CSV integrations, including delete

This role can be combined with to further limit a user's scope. When a user with the CSV manager role is added to a non-root team, they can only manage CSV integrations assigned to their team.

Processing Rules

Multiple Rows per Entity: If the same entity (user, group, or role) appears in multiple rows, Veza processes them as follows:
- Properties are set based on the first row where the entity ID (or Name if it is being used as the unique ID) appears
- For subsequent rows with the same identifier, only relationship assignments are processed (for example user to group, or user to role)

2006-01-30 15:04:05Z07:00

Microsoft Active Directory

Configuring the Veza integration for Microsoft Active Directory.

This topic is for legacy Active Directory Domain Services. Azure AD is automatically parsed for configured Azure tenants.

Native Identity Mapping: If you also have Azure AD integrated, Veza automatically creates identity relationships between Active Directory users/groups and Azure AD users/groups. Custom identity mapping is only needed for connecting to other systems. See Custom Identity Mappings for details.

Veza discovers Active Directory entities and authorization by connecting as a read-only user with an LDAP certificate. To enable a secure connection to the AD Domain Controller, the integration is typically configured to use an deployed within your cloud environment.

See for more detail on how Veza converts AD User properties for use in search filters or to refine Access Review queries.

Prerequisites

To configure a new Active Directory integration, you will need the following:

Either of the following:
- IP address of an AD Domain Controller (preferably the domain controller with the )
- FQDN of a domain controller or load balancer for environments using DNS resolution
Username and password for Active Directory user with Read Only access to the Domain

When using domain names for connection, ensure your LDAPS certificates include the appropriate FQDNs in the Subject Alternative Name (SAN) field. This includes both individual domain controller FQDNs and load balancer FQDNs if used.

Load Balancer Configuration

If using a load balancer for your domain controllers:

Configure session persistence (sticky sessions) on the load balancer
Ensure all domain controllers behind the load balancer trust the same root Certificate Authority (CA) that issued the LDAPS certificates
The LDAPS certificate must include the load balancer's FQDN in the Subject Alternative Name (SAN) field

Get or Generate an LDAP certificate

If LDAPS is enabled for Active Directory, Veza requires the public certificate in base64 format (.CER Base-64) to validate the LDAPS connection.

Certificate Storage and Security: The LDAP certificate (public portion only) is stored encrypted within Veza's system and can only be accessed via authenticated API calls. For on-premises deployments using Insight Points:

The certificate is encrypted using both application-layer and storage-layer encryption
The certificate can only be decrypted by the Insight Point within your network

Using Microsoft Management Console (MMC) - Recommended Method

From the Domain Controller, open a new MMC console (Run -> mmc.exe)
Add the Snap-in Certificates and select Computer account when prompted, then select Local computer and click Finish to complete the snap-in addition process
Open the Personal/Certificates folder

Test LDAPS Connectivity

To test the LDAPS connectivity locally before submitting the certificate to Veza:

Open LDP.exe on the Domain Controller
Click the Connection menu and choose Connect...
Type the Domain Controller FQDN and Port Number as 636 and click OK
You should see "Established connection to [Domain Controller]" and the Base DN details

Alternative Methods

You can also retrieve the certificate using Python:

To retrieve an LDAPS certificate using openssl:

If LDAPS was not already enabled, follow the steps below to generate a new certificate that includes a Subject Alternative Name (SAN). To get a new certificate with certreq.exe:

Please only follow these instructions if you do not already have LDAPS enabled on your AD DC.

Prepare the request.inf configuration file (see example below)
Generate cert request from the .inf file: certreq -new request.inf request.req
Submit the request to a CA (output is RequestID).
certreq -submit request.req certnew.cer You might need to specify a Certificate Template as part of the submit command, for example: certreq -submit -attrib "certificatetemplate:webserver" request.req

The certificate must use the SAN, as shown in the [Extensions] block in the example configuration:

For more information see the Microsoft documentation to .

Kerberos Authentication

Veza supports authenticating to the Active Directory LDAP server via simple LDAP bind or with Kerberos authentication.

If Kerberos authentication is selected, Veza will generate a simple Kerberos configuration file (krb5.conf) with the following format:

The integration will request a Ticket Granting Ticket (TGT) and Service Ticket from the hostname provided in the integration configuration before authenticating to the LDAP server with Kerberos password authentication.

Creating an Active Directory integration in Veza

In Veza, browse to the Integrations page. Click Add Integration and search for Active Directory. Click on the tile to add an integration.

Field

Description

Security Note: For enhanced security, you can store Active Directory credentials in an external secrets vault instead of directly in Veza. This keeps sensitive credentials in your private network. See for configuration details.

To connect to multiple AD domains, you will need add a new integration for each domain to discover
LDAP Certificate and Password are secret, and will need to be re-entered if changing the Insight Point used for the AD integration
You can see all extracted AD entities under Data Catalog > Entities. Veza-built queries for Active Directory can be found in and on the Saved Queries page

Notes and Supported Entities

Active Directory Domain
Active Directory Computer
Active Directory Group
Active Directory User

Veza discovers built-in attributes for Active Directory Users, which can be used to specify the scope of Access Reviews and filter search results. In some cases, Veza derives values from other properties, or changes AD property names for consistency with other integrations.

To discover custom properties created in Active Directory, specify them by name and type in the Custom Properties section when configuring the integration
To discover additional built-in properties, please contact our support team with more detail about your case

Veza Attribute

AD Attribute

Notes

Active Directory User Active Status

The Is Active property for an Active Directory user is determined by their userAccountControl attribute. A user is considered Is Active: true unless their account has the ACCOUNTDISABLE flag set.

Other userAccountControl flags, such as LOCKOUT or PASSWORD_EXPIRED, do not affect the Is Active status. The full list of flags is available in the User Account Control attribute for more granular filtering. See for possible values.

Last Logon Attribute Behavior

In Veza, the Last Logon value represents the most recent activity visible from the connected Domain Controller. For users who authenticate to multiple Domain Controllers, the actual logon may have occurred on a different DC. It will not be reflected in the lastLogon value from the queried DC

The lastLogonTimestamp provides a more consistent view across the full organization, but can be up to 14 days (or the configured sync interval) behind actual logon activity

The Last Logon attribute in Veza represents the most recent logon time for an Active Directory user. Due to Active Directory's distributed architecture, this value requires special handling:

lastLogon: This attribute updates every time a user authenticates, but only on the specific Domain Controller where authentication occurred. This attribute is not replicated between Domain Controllers.
lastLogonTimestamp: This attribute replicates across all Domain Controllers in the domain, but only updates when current_time - msDS-LogonTimeSyncInterval has passed (typically 14 days by default).

Since Veza connects to a single Domain Controller for each Active Directory integration, during extraction the integration will:

Retrieve both lastLogon and lastLogonTimestamp attributes
Compare the two timestamps
Uses whichever value is more recent

For more information, see Microsoft's documentation on and attributes.

CREATE USER [db_user] WITH LOGIN PASSWORD '[password]';
GRANT SELECT ON
  pg_catalog.pg_user,
  pg_catalog.pg_group,
  pg_catalog.pg_namespace,
  pg_catalog.pg_class,
  pg_catalog.pg_database,
  pg_catalog.pg_auth_members,
  pg_catalog.pg_attribute,
  pg_catalog.pg_roles,
  pg_catalog.pg_trigger,
  pg_catalog.pg_proc,
  pg_catalog.pg_collation,
  pg_catalog.pg_conversion,
  pg_catalog.pg_type,
  pg_catalog.pg_event_trigger,
  pg_catalog.pg_extension,
  pg_catalog.pg_foreign_data_wrapper,
  pg_catalog.pg_foreign_table,
  pg_catalog.pg_language,
  pg_catalog.pg_largeobject_metadata,
  pg_catalog.pg_operator,
  pg_catalog.pg_opclass,
  pg_catalog.pg_opfamily,
  pg_catalog.pg_policy,
  pg_catalog.pg_publication,
  pg_catalog.pg_sequence,
  pg_catalog.pg_foreign_server,
  pg_catalog.pg_statistic_ext,
  pg_catalog.pg_subscription,
  pg_catalog.pg_tablespace,
  pg_catalog.pg_ts_config,
  pg_catalog.pg_ts_dict,
  pg_catalog.pg_parameter_acl
TO [db_user];

DO $$
DECLARE
    result integer;
BEGIN
    SELECT 1 FROM pg_catalog.pg_user LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_group LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_namespace LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_class LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_database LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_auth_members LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_attribute LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_roles LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_trigger LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_proc LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_collation LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_conversion LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_type LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_event_trigger LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_extension LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_foreign_data_wrapper LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_foreign_table LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_languageLIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_largeobject_metadata LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_operator LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_opclass LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_opfamily LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_policy LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_publication LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_sequence LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_foreign_server LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_statistic_ext LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_subscription LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_tablespace LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_ts_config LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_ts_dict LIMIT 1 INTO result;
    SELECT 1 FROM pg_catalog.pg_parameter_acl LIMIT 1 INTO result;
    RAISE NOTICE 'All queries were successful';
EXCEPTION
    WHEN OTHERS THEN
        RAISE NOTICE 'A read query failed';
END $$;

Okta

Configuring the Veza integration for Okta.

Veza integrates with Okta to gather individual user metadata, applications, groups, and domains. After synchronizing with Okta, Veza shows the relationships connecting Okta identities and the external data sources and services they access (such as Snowflake databases, SQL tables, or AWS S3 buckets).

Native Identity Mapping: If you have a Google Workspace application configured in Okta, Veza automatically creates identity relationships to Google Workspace users and groups. Custom identity mapping is only needed for other integrations. See Custom Identity Mappings for details.

You can use Okta properties such as country, department, or login date to filter queries and define access reviewers for Okta users
If Veza does not detect an identity mapping from Okta to another integrated data source, you can define the relationships with
If your organization uses in addition to the standard properties collected by Veza, you can enable them on the Veza configuration screen.

Integrating with Okta

Veza can establish a connection to Okta using OAuth 2.0 application credentials or user API keys. OAuth is recommended to provide greater control over application permissions, but you can use API keys for testing or non-production environments.

Overview Video - Okta Integration

Admin Role Requirements

Veza requires admin-level permissions in your Okta organization to gather user, group, application, and role metadata. Based on successful customer implementations, you have two authentication approaches:

Role Type

Permission Scope

Implementation Notes

OAuth Support

API Token Support

Custom admin roles provide the exact permissions required by Veza while maintaining least privilege access principles. This approach addresses security policies that restrict broad administrative privileges for third-party integrations.

Creating a custom admin role (Preferred)

Prerequisites:

Okta organization with custom role feature enabled
Current Okta user has Super Administrator rights (Okta platform requirement for creating custom roles)

Authentication using OAuth 2.0 Credentials

Choose one of the admin role options from the section above. If you encounter a permissions error during role assignment, navigate to Okta Settings > Features and enable the Assign admin roles to public client app option.

Go to Applications after logging into your Okta account. Record your Okta organization's URL, omitting https://
Create a new app:
- Click on Create App Integration.

Custom Role Alignment: If using a custom admin role, these OAuth scopes should align with the UI permissions configured in your role.

On the Admin Roles tab, click Edit Assignments > Add Assignment. Assign your chosen admin role (custom admin role recommended, or read-only administrator) and save the changes.

Authenticate with an admin user API token

Create a user for Veza and assign an administrator role:

Open Directory > People and click Add Person.
Enter user details for the profile (such as VezaIntegration). Click Save.
Open Security > Administrators and click Add Administrator.

Get an access token for the Okta user

Sign in to your Okta domain with the admin username and password.
Go to Security > API using the admin console menu. Open the Tokens tab.
Click Create Token.
Give it a name and click Create Token.

For more information, see in the Okta documentation.

Configure the Veza integration for Okta

Go to the Veza Integrations page to enable the Okta integration:

Click Integrations on the main navigation.
Click Add Integration > Okta.
Enter your organization's Okta Domain to authenticate with.
Pick the Credential Type: API token or OAuth.

Verify Integration Setup

After creating the integration, verify that Veza can successfully connect to your Okta organization and discover entities:

Check Integration Status: On the Integrations page, locate your Okta integration and verify the status shows "Connected" or "Extracting". Initial extraction may take several minutes depending on your organization size.
Monitor Data Source Discovery: Click on your Okta integration to open the details page, then select the Data Sources tab to see all discovered Okta domains and applications.
Review Integration Events: Select the Events tab to view connection logs and verify there are no permission errors or authentication failures.

For troubleshooting integration issues, see the Active Jobs page under Integrations to monitor real-time extraction status and identify any errors requiring attention.

By default, Veza discovers all Okta domains and applications in the account. You can deselect the "Gather All Applications" option to only sync specific apps based on the settings.

Note: When adding application names to the allowlist or denylist fields, enclose app names containing spaces or special characters in double quotes. For example: "My Database (Production)", "Test Environment #1". App names without spaces or special characters do not require quotes.

Enable Audit Logs for Okta

Veza can parse Okta system logs to extract activity metadata. This enables two key capabilities:

Incremental Extraction for the Okta integration: Enabling audit logs allows updates to Access Graph metadata only for entities that have changed since the last snapshot. This reduces the time needed to gather users, groups, apps, and roles during each sync. Administrators should enable this feature post-Okta integration setup to improve extraction speed and minimize traffic to Okta API endpoints.
Support for , including generation of Over Provisioned Scores for Okta users.

To enable audit logs for an Okta integration:

Open the Integrations overview and locate the Okta integration.
Click Actions > Enable Audit Logs.

To disable activity monitoring and incremental extraction, toggle the option to Disable Audit Logs.

Okta Custom Properties

Your Okta organization might add additional user metadata with . To include these custom properties during discovery, specify the Name and data Type of each property to collect.

For example, if your organization used a custom attribute to track employee region, you can use this information for by adding the custom property to the Okta integration configuration.

On Edit Integration > Custom Properties tab, click Add Custom Property.
Enter the variable name region as the property name to collect.
Pick String as the property type.

The specified attributes will appear on Access Graph entities the next time Veza connects to the Okta domain.

The supported types are:

String
Number
Boolean
RFC339 Timestamp

Veza honors RFC339 timestamp formats, such as: 2006-01-02T15:04:05Z07:00, 2006-01-02T15:04:05.999999999Z07:00, 2006-01-02 15:04:05Z07:00, 2006-01-02 15:04:05, 2006-01-02, 2006-01-02T, 2006-01-02T15:04:05, 2006-01-02T15:04:05Z Time values in the format "18:47:12.019Z" (that do not contain dates) are only supported in strings.

Okta custom identity mappings

Veza can automatically detect relationships for Okta and AWS, Snowflake, and other providers. However, some connections to standalone data sources need to be explicitly mapped.

Administrators can disable default IdP User > Local User mapping by email when adding a custom mapping.
Administrators can configure up to four property matchers for custom identity mapping based on possible combinations of user name and email. If any matcher is valid, Veza connects the IdP and local identities.
When submitting authorization metadata for custom apps with the , local users, groups, roles, and permissions are mapped to Okta identities by login email and group name.

Use to manually create a connection to another provider. For example, employees might be able to access a standalone SQL database with their Okta credentials:

Open the Okta provider configuration menu (Configuration > Identity Providers > Add or Edit)
Click Identity Mapping Configurations
Pick the Destination Datasource Type. The mapping will apply to all resources of the chosen provider (such as SQL Server).

Notes and supported entities

Veza gathers metadata and creates searchable Access Graph entities to represent:

Okta Domains: Organizational domains configured in Okta
Okta Users: Individual user accounts with profile attributes, status, and group memberships
Okta Groups: User groups for managing access and permissions
Okta Apps: Applications integrated with Okta for SSO and access management

Okta User Active Status

The Is Active property for an Okta user is determined by their status in Okta. A user is considered Is Active: true if their status is one of the following:

ACTIVE
PASSWORD_RESET
LOCKED_OUT

If a user's status is anything else (e.g., STAGED, DEPROVISIONED, SUSPENDED, DEACTIVATED), their Is Active status will be false. The raw status is available in the Status attribute for more granular filtering.

Okta API Tokens

Okta API Token entities represent active API tokens in your Okta organization. These tokens are created by administrators to authenticate API calls to Okta services. Each API token entity includes the following attributes:

Name: The descriptive name assigned to the API token
Client Name: The client application name associated with the token (if applicable)
User ID: The Okta user ID of the token owner
Created At: Timestamp when the token was created

API tokens are connected to their owner via a "Has Access Credentials" relationship, allowing you to identify which users have administrative API access to your Okta organization.

Okta Application Client Secrets

Okta Application Client Secret entities represent OAuth 2.0 client secrets used by Okta applications for authentication. These secrets are critical credentials that allow applications to authenticate to Okta and other services. Each client secret entity includes the following attributes:

Key ID (kid): Unique identifier for the secret
Status: Current status of the secret (e.g., ACTIVE, INACTIVE)
Last Updated: Timestamp when the secret was last modified
Expires At: Secret expiration date (if set)

Okta Application Refresh Tokens

Okta Application Refresh Token entities represent OAuth 2.0 refresh tokens that provide persistent access to resources. These tokens allow applications and users to maintain access without re-authentication. Each refresh token entity includes the following attributes:

Client ID: The OAuth client application identifier
User ID: Associated user ID (if user-specific)
Scope: List of OAuth scopes granted to the token
Status: Current token status (e.g., ACTIVE, REVOKED)

Okta Application Key Credentials

Okta Application Key Credential entities represent public key credentials (certificates) used by Okta applications for authentication and signing. These credentials enable secure, certificate-based authentication for applications. Each key credential entity includes the following attributes:

Key ID (kid): Unique identifier for the credential
Key Type: Type of cryptographic key (e.g., RSA, EC)
Algorithm: Signing algorithm used (e.g., RS256, ES256)
Usage: Key usage purpose (e.g., sig for signature)

Veza Integrations

Support for 300+ enterprise systems (Cloud Providers, Databases, Data Lakes, SaaS Applications, Custom Applications, and On-Prem Systems)

Veza offers integrations for cloud providers, data systems (such as Snowflake, AWS RedShift, GCP BigQuery, Azure SharePoint, SQL Server), SaaS applications (SalesForce, NetSuite, JIRA, GitHub, GitLab, and others), and services such as AWS KMS and Azure VPC. Additionally, Veza's Open Authorization API (OAA) enables the integration of custom applications and identity providers. You can also import identity and permissions metadata from any source using CSV Upload.

Veza also provides outbound integrations for platforms such as Slack, Jira, and ServiceNow, and webhooks for publishing events to any external system. Veza can also integrate with Okta, AzureAD, or another compatible identity provider (IdPs) for Single Sign-On (SSO) and MFA.

This page lists all built-in integrations with links to configuration guides. Please contact our support team to learn more about enabling early access integrations on the Veza platform.

See for more information about how Veza integrations work. See for instructions to enable and manage data sources on the Veza Integrations page.

Identity Providers

Cloud Services

Amazon Web Services (AWS)

See for details on adding an account to Veza.

AWS Cognito
AWS DynamoDB
AWS EC2
AWS EMR

Microsoft Azure**

See for details on adding a tenant to Veza.

Azure Blob Storage
Azure Data Lake
Azure Key Vault
Azure RBAC

Google Cloud Platform (GCP)

See for details on integrating your Google organization with Veza.

Identity and Access Management (IAM)
BigQuery
Cloud Run
Cloud Storage

Oracle Cloud Infrastructure (OCI)

See for setup instructions.

OCI IAM
OCI Object Store

Salesforce Commerce Cloud

See for setup instructions.

Salesforce Business Manager

Data Lakes

FiveTran (Supported via )

SaaS Applications and Platforms

On-Premises Data Systems

CSV Upload

CSV Upload enables data source owners and administrators to import identity and authorization metadata from sources that don't have built-in Veza integration. You can create an integration using a CSV file when you need to:

Import user and authorization data from legacy or custom applications
Integrate with any SaaS application that supports CSV exports
Model employee access to homegrown or specialized systems
Upload employee metadata as a source of identity for Lifecycle Management workflows

For instructions, examples, and troubleshooting guidance, see the .

Generic LDAP Standard Connector

Veza provides a generic connector that supports LDAPv3-compliant directory services, such as OpenLDAP, Red Hat Identity Manager, Oracle Unified Directory, IBM Directory Server, and ForgeRock Directory Services. This integration allows discovery of users, groups, and organizational relationships across diverse LDAP implementations.

Generic SCIM Connector

Veza supports the collection of authorization metadata from applications with Users and Groups SCIM endpoints with our in-platform Generic Connector.

Open Authorization API (OAA)

Veza OAA is an Open Source framework for adding any custom applications to Veza. Veza develops and supports an expanding suite of OAA connectors, alongside several Community developed connectors. Additionally, any application can be integrated using OAA templates (see below) and Veza-provided OAA SDK.

OAA provides templates for modeling identities, resources, and access controls within custom applications and identity providers, which can be published with a Veza-developed or a custom script.

: Map federated identities to custom resources
: Map external resources to custom users and groups
: Upload employee metadata, enabling identity mapping, enrichment and Lifecycle Management actions.

request.inf

[Version]

Signature="$Windows NT$"

[NewRequest]
Subject = "CN=corp-ad-01.corp.veza.com"

KeySpec = 1
KeyLength = 1024
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]

OID=1.3.6.1.5.5.7.3.1 ; Server Authentication

[Extensions]

2.5.29.17 = "{text}"
_continue_ = "dns=corp-ad-01.corp.veza.com"

krb5.conf

[libdefaults]
   default_realm = <domain>
   dns_lookup_kdc = true
   dns_lookup_realm = true

[realms]
   <domain> = {
      kdc = <AD domain fully qualified domain name for cert>
      admin_server = <AD domain fully qualified domain name for cert>
   }

MongoDB

Configuring the Veza integration for MongoDB and MongoDB Atlas

Overview

The Veza integration for MongoDB supports on-premise deployments and the MongoDB Atlas Database-as-a-service (DBaaS) platform. It enables discovery of standalone MongoDB clusters, MongoDB Atlas user permissions, and User permissions on MongoDB databases deployed in Atlas. After configuring the integration, you can use Veza Search, Workflows, and Insights to:

Show all Database Users, and the built-in or custom Database Roles a User has for each Database
Show the effective permissions Database Users have on the Databases and Clusters they have access to.
Show the effective permissions Users have on Clusters, Serverless Instances, and Global Clusters.
Show the Atlas Organizations and Projects accessible by Users in an Atlas Account, and what Atlas Roles users can assume.
Show Atlas Organizations that Atlas Users belong to, and the teams they belong to in those Organizations.

This documentation includes instructions to:

See for more details.

Configuring MongoDB Atlas

Veza connects to MongoDB Atlas using API Keys. You will need to enter the Public Key and Private Key to configure the integration in Veza. Additionally, Veza will need a username and password of a MongoDB Atlas User authorized for each project in the Organization to discover.

You will need the Organization Owner permission to grant API access to your Atlas organization.
The clusters to discover need to be accessible over internet, or allow communication with a deployed . Follow to configure network access for MongoDB Atlas. As a user with the Project Owner role, you will need to:
- Using the UI: Under the Security section, click Network Access to open the IP Access List tab. Click Add IP Address.

AWS IAM Roles (Early Access): AWS customers can optionally use the “Assume AWS Role” connection type when creating a MongoDB Atlas integration. This can be a new role or the same one used for the . To configure the MongoDB connection, you will provide the:

Role ARN: The ARN of the AWS IAM role that will be used to perform the extraction.

Generate Atlas Administration API credentials for the MongoDB organization

Create an API Key within the Atlas Organization Veza will connect to. The API key must have the scope Organization Read Only.

To create a key from the Atlas UI:

Open your organization's Access Manager page
Click Create API Key.
Give the key a name and description.
Assign a new role for the API key with the Organization Read Only

See the documentation for more details.

Create a database user for each of the projects in the MongoDB organization

Add database users for each project in the Organization. To create a new user using password authentication with the Atlas UI:

On the left navigation, click Security > Database Access. Click Add New Database User.
Choose Password for the Authentication Method.
Enter a username and password. You can optionally Autogenerate the password. Note that the password and username must be the same for each project user you will create.

See the documentation for more details.

Configuring MongoDB (standalone)

To discover a standalone MongoDB cluster, Veza connects as a local user with the following permissions:

listDatabases on cluster
find on system.users collection in any database
viewRole on any collection in any database

You should deploy an within the same network as the cluster for a secure connection.

Create local user and role

Connect to the standalone deployment and run the following command to create a role with the required permissions, and create a user with the role:

After creating a user and assigning the required permissions, configure the integration on Veza by providing the username, password, and the URI of the MongoDB cluster.

Configuring MongoDB on the Veza Platform

After preparing the required credentials, log in to Veza as an administrator to add the integration:

In Veza, open the Integrations page.
Click Add New and pick MongoDB or MongoDB Atlas as the type of integration to add
Enter the required information and Save the configuration

Standalone MongoDB

To create the MongoDB Atlas integration, you will need the database URI and the username and password created when

Field

Notes

MongoDB Atlas

To create the MongoDB Atlas integration, you will need the API credentials, username, and password created when

Field

Notes

To discover more than one Organizations in a single Account, click Add Key Pair to add additional API credentials.

Notes and Supported Entities

Veza supports the following entity types and entity attributes:

MongoDB Atlas Account

Represents the overarching account associated with MongoDB Atlas, typically belonging to an organization or individual.

Attribute

Type

Description

MongoDB Atlas User

Represents a user account within MongoDB Atlas, identified by a unique ID and associated with an email address.

Attribute

Type

Description

MongoDB Atlas Organization

Represents an organization in MongoDB Atlas, identifiable by its unique ID and organizational name.

Attribute

Type

Description

MongoDB Atlas Organization Role

Denotes the role or permissions assigned to a user within a MongoDB Atlas organization, governing their access and privileges.

Attribute

Type

Description

MongoDB Atlas Project

Represents a project in MongoDB Atlas, identified by a unique ID and a descriptive name, used for grouping related resources.

Attribute

Type

Description

MongoDB Atlas Project Role

Denotes the role or permissions assigned to a user within a MongoDB Atlas project, governing their access and privileges to project resources.

Attribute

Type

Description

MongoDB Atlas Team

Represents a team within a MongoDB Atlas project, identifiable by a unique ID and a name, used for collaborative project management.

Attribute

Type

Description

MongoDB Database Deployment

Refers to a specific deployment of a MongoDB database, characterized by a unique ID, a name, type, and an indication of its operational status (paused or active).

Attribute

Type

Description

MongoDB Database User

Represents a user account with specific access rights within a MongoDB database, defined by a username and the associated database name.

Attribute

Type

Description

When configuring a standalone MongoDB cluster, Veza discovers the following entities:

MongoDB Cluster

Represents an independent MongoDB database cluster, typically running on a single server or a set of servers, used for data storage and retrieval.

Attribute

Type

Description

MongoDB User

Denotes a user account associated with a standalone MongoDB cluster. MongoDB User entities have a unique ID and includes information about the associated database and the username for authentication.

Attribute

Type

Description

MongoDB Database

Represents an individual database within a cluster, used for organizing and storing collections of data.

Attribute

Type

Description

MongoDB Role

Denotes a role or set of permissions assigned to a user within a standalone MongoDB cluster, governing their access and privileges to perform operations on databases and collections. It is identified by a unique ID.

Attribute

Type

Description

MongoDB Effective Permission

Represents computed effective permissions that MongoDB users have on cluster and database resources, derived from their assigned roles and privileges.

Attribute

Type

Description

HashiCorp Vault

Configuring the Veza integration for HashiCorp Vault Server

Overview

HashiCorp Vault enables organizations to securely store and manage secrets, according to policies. Secrets can be API keys, passwords, or certificates, or other data objects where access is tightly regulated. The Veza integration connects to a self-managed or cloud-hosted Vault cluster to discover users, namespaces, and resources, including:

Principals

HashiCorp Vault Alias

Resources:

HashiCorp Vault Namespace
HashiCorp Vault System Backend
HashiCorp Vault Auth Method
HashiCorp Vault Auth Method Subresource

The integration can show:

Vault users with access to Vault secrets, and the path of authentication for those users.
Identities with access via passwords, app roles, AWS IAM, and Okta
All secrets and the users authorized for those secrets. See for more details.

Configuring HashiCorp Vault

Veza connects to HashiCorp Vault by assuming an application role in your environment. You will need to create an role AppRole that will be used for extraction. Then, attach it to a policy granting the required permissions for extraction.

You can do this by connecting to your server and running vault commands:

Create a policy for the Veza role

Create the policy to attach to the Veza AppRole. Paste the following policy into a text file and save it veza-policy.hcl.

Veza extraction policy for HashiCorp Vault (with nested namespace support)

The policy below includes support for nested namespaces up to 4 levels deep. HashiCorp Vault's + wildcard matches only one path segment, so each namespace depth level requires explicit path declarations.

For flat namespace structures: If your Vault deployment uses only root-level namespaces (no nested namespaces), you can use the simplified policy shown below in the second expandable section. Most organizations with complex Vault deployments require the full nested namespace policy below.

Simplified policy for flat namespace structures (root-level only)

If your Vault deployment does not use nested namespaces, you can use this simplified policy:

Troubleshooting nested namespace permissions

If extraction fails with 403 Forbidden: permission denied errors when accessing nested namespaces:

Verify namespace depth: Count the levels in your namespace paths (e.g., admin/engineering/us-east is 3 levels)
Check policy coverage: Ensure the policy includes path entries matching your namespace depth
Test with explicit paths: If wildcards don't work, try creating explicit paths for specific namespaces

Add the policy to Vault, adjusting the name and path of the saved policy as needed:

Create an Application Role

Enable authentication and create the role:

The response should be: Success! Enabled approle auth method at: approle/

Create the AppRole, and attach the policy you created:

The response will include the path to the app role: Success! Data written to: auth/approle/role/veza-extraction-role

Get the role ID and secret ID (sensitive):

This returns the role_id, e.g. 10d51ce2-16bd-444b-4330-8fdcebfeda98

Get the secret ID:

Copy the secret_id, e.g. 16f03071-3ea6-2505-7bcc-153683766133.

Configuring HashiCorp Vault on the Veza Platform

To enable the integration:

In Veza, go to the Integrations page.
Click Add Integration and pick HashiCorp Vault as the type of integration to add. Click Next under the list of integrations.
Enter the required information and Save the configuration

Field

Notes

Identity Mappings

If your users can log into Vault with single sign-on, you will need to specify this relationship in a . For example, you can connect Okta Users to matching HashiCorp Aliases by adding a mapping configuration on the Okta integration. Pick HashiCorp Vault as the destination data source, using Alias Unique ID as the mapping property.

Notes and Supported Entities

HashiCorp Vault Cluster

Represents a top-level HashiCorp Vault Cluster. A Vault cluster is a set of Vault servers that share the same data storage backend, clustered for high availability and scaling.

HashiCorp Vault Namespace

Namespaces in Vault provide a way to partition resources and delegate management of those resources.

The root namespace is named admin. Namespaces can be nested.

HashiCorp Vault Group

Groups can be nested and can have a policy attached. Groups are a way to organize and manage entities (such as users or machines) in Vault.

Group memberships defined in one namespace referencing an entity from another namespace are not supported.

HashiCorp Vault Alias

Aliases represent principals that can access Vault resources. These are identities that can be used for authentication and authorization purposes in Vault.

HashiCorp Vault System Backend

Represents the API used to perform system actions such as creating namespaces. The system backend is a built-in secrets engine in Vault that allows management of system-level functionality.

HashiCorp Vault Auth Method

Authentication methods in Vault are the components used to authenticate clients and map them to internal entities. Veza currently supports vault authentication methods:

AppRole
AWS
Google Cloud Platform
Microsoft Azure

Contact our support team if your organization uses an alternative auth method.

HashiCorp Vault Auth Method Subresource

Can have a policy attached. Auth method subresources are specific configurations or resources within an authentication method, such as roles or bindings.

HashiCorp Vault Secrets Engine

Secrets engines in Vault are the components that store and manage secrets and other sensitive data. Veza currently supports the following secrets engines:

Key/Value Store (v2)
AWS
Microsoft Azure
GCP

HashiCorp Vault Secrets Engine Subresource

Alternatively called secrets. Some resources are not as sensitive, such as roles generated dynamically. Secrets engine subresources are specific configurations or resources within a secrets engine, such as key-value pairs or roles.

KV2 Key Extraction: When the "Extract KV2 Subkeys" option is enabled for the integration, Veza will extract the individual key names within each KV2 secret, providing more granular visibility into the structure of your secrets without retrieving their values. This feature requires the read capability on /+/subkeys/* paths in the Vault policy.

HashiCorp Vault KV2 Subkey

KV2 Subkeys represent individual keys within a KV2 (Key/Value version 2) secret. This entity type is only created when the "Extract KV2 Subkeys" option is enabled on the integration.

Note that Veza extracts only the key names and structure—never the actual secret values to provide visibility into secret organization while maintaining security.

Attributes:

Subkey Name: The name of the key within the secret (e.g., username, password, api_key)
Parent Secret Path: The path to the parent KV2 secret that contains this key
Created At: The timestamp when the parent secret was created

KV2 Subkeys are connected to their parent Secrets Engine Subresource via a "Has key" relationship.

HashiCorp Vault Policy

Policy consists of statements that can allow or deny access to resources. Statements consist of a path (can include wildcards) and capabilities. Longer prefix paths take precedence over shorter ones. Policies in Vault are used to govern the access permissions of entities to various resources.

Entities in Vault can have a policy attached.

Namespaces

Namespaces are path-based and can be nested. Parent namespaces can define policies related to child namespaces. Namespaces provide a way to partition resources and allow delegated management of those resources in Vault.

Effective Permissions and Cross-Service Connections

Veza generates effective permissions between principals (HashiCorp Vault Alias) and resources (Namespaces, System Backend, Auth Method, Auth Method Subresource, Secrets Engine, Secrets Engine Subresource, KV2 Subkey, Policy). Veza also shows connections between Vault namespaces, Vault namespace and cluster, Vault namespace and IdPs, and Vault namespace and existing integrations.

When KV2 key extraction is enabled, effective permissions are calculated at the granular subkey level, allowing you to see which users have access to specific keys within KV2 secrets.

Limitations

Two Vault authorization concepts are not supported at present:

Templated Policies A policy may contain a set of variables. For instance, take the following policy clause:
This allows each user access to a user-specific area. Veza doesn't currently resolve these templates to show access to secrets.
External Namespace Group Memberships
Group memberships can be defined across different namespaces, independent of their hierarchy. An entity defined in one namespace can be referenced in a group in another namespace. Veza does not currently fetch policies across namespaces.

CSV Upload Examples

Common patterns for importing identity and permissions metadata from CSV files

This document provides practical examples for mapping data from CSV files into Veza using the CSV Upload integration.

You can use the CSV integration to flexibly model user, group, and role relationships based on data exported from the source application. This document includes examples from basic user data import to modeling more complex organizational structures, which you can adapt based on your needs.

CSV Upload Examples

Mapping Concepts

When importing CSV data into Veza, you are typically establishing one or more of these key components:

Entities: Users, groups, and roles that exist in your application
Attributes: Properties that describe each entity (e.g., name, email, status)
Relationships: Connections between entities (user belongs to group, user has role)

The examples below demonstrate different approaches to mapping these components from CSV data into Veza's Access Graph.

Basic User Mapping Example

For a simple file containing user records, one user per row with a list or groups and roles. You can map columns directly:

CSV Column

Entity Type

Veza Attribute

Required?

Example CSV:

Your CSV files may have column names that differ from Veza's standard attribute names.

CSV Column

Entity Type

Suggested Mapping

Group and Role Assignment Methods

The CSV integration supports two methods for assigning users to groups and roles:

Method 1: Using List Columns

Use a single column containing comma-separated values to assign a user to multiple groups or roles at once.

Column mapping:

CSV Column

Entity Type

Veza Attribute

Example CSV:

Key points about list columns:

Values must be comma-separated
Enclose lists in quotes if they contain commas
Whitespace around values is automatically trimmed
Empty values are ignored

Method 2: Using Multiple Rows Per User

You can incrementally assign roles or groups using multiple rows with the same user id. This approach is useful when:

You have many groups or roles per user
Your source system exports data in this format
You need to include additional details for roles or groups such as custom properties

Example CSV:

Key points about multiple row assignments:

The first occurrence of an entity id sets all properties for that entity. If the same user or role is listed more than once, the user or role attributes are not updated for rows after the first.
Subsequent rows only process new group and role assignments

Advanced Role Permissions

The CSV can include a column with a list of permissions for each role. This enables searching and filtering by permission in Veza:

You can assign permissions to roles and then users to roles:

Note: If permissions column is not defined any Roles are automatically assigned the Member permission

Real-World Example: Complex Organization Structure

This example shows how to represent a complex organizational structure with departments, teams, roles with permissions, and user assignments:

Column mapping for this example:

CSV Column

Entity Type

Veza Attribute

This example CSV will create:

7 user entities with their properties
Department groups (Engineering, Product, Marketing, Finance, HR, Sales)
Team groups (Backend, Architecture, Frontend, Product Management, UX Research, Content, Social, Accounting, Recruiting, Enterprise Sales)
Multiple role assignments per user

Supported Timestamp Formats

The CSV integration supports various timestamp formats:

Timestamps are considered unset when the value is never, null, none, false, or 0. Invalid timestamps will result in a processing error.

Boolean Value Handling

When mapping to boolean attributes like is_active:

TRUE values: true, t, yes, y, 1, active, enabled
FALSE values: Any other value including false, f

Example CSV:

Custom Properties Example

Any column can be mapped to a custom property for any entity type. When mapping to a custom property:

Select Custom Property as the attribute
Enter a name for the custom property
Select the data type (String, Number, Boolean, Timestamp, or String List

Example CSV:

Entity Owner Example

Designated Entity Owners can up supplied for supported Application entity types as part of the CSV. This allows for automatically assigning the owner from the value in the CSV.

This example indicates the owner of the Role and could be used auto-assign Access Review rows to the owner for each role.

Example CSV:

CSV Column

Entity Type

Suggested Mapping

Note that when a is configured, Owner Type is optional. Otherwise, the owner type is used to specify the type of entity in Veza Graph that will be assigned as an owner. This will typically be a User entity in your organization's Identity Provider (such as an Okta, Azure AD User, or Active Directory User), representing a top-level human identity.

For more information about Entity Owners, see:

no

n

0

inactive

disabled

# Create an access list entry for the IP address 192.0.2.15 in the project with ID 5e2211c17a3e5a48f5497de3:
atlas accessList create 192.0.2.15 --type ipAddress --projectId 5e2211c17a3e5a48f5497de3 --comment "IP address for app server 2" --output json

use admin
db.createRole(
   {
     role: "veza-extractor-role",
     privileges: [
       { resource: { cluster: true }, actions: [ "listDatabases" ] },
       { resource: { db: "", collection: "system.users" }, actions: [ "find" ] },
       { resource: { db: "", collection: "" }, actions: [ "viewRole" ] }
     ],
     roles: []
   }
)
db.createUser(
  {
    user: "veza-extractor-user",
    pwd: passwordPrompt(),  // or cleartext password
    roles: [
       { role: "veza-extractor-role", db: "admin" }
    ]
  }
)

path "/sys/namespaces" {
  capabilities = ["list"]
}

# entities

path "/identity/entity/id" {
  capabilities = ["list"]
}

path "/identity/entity/id/*" {
  capabilities = ["read"]
}

# groups

path "/identity/group/id" {
  capabilities = ["list"]
}

path "/identity/group/id/*" {
  capabilities = ["read"]
}

# auth methods

path "/sys/auth" {
  capabilities = ["read"]
}

path "/auth/+/role" {
  capabilities = ["list"]
}

path "/auth/+/role/*" {
  capabilities = ["read"]
}

path "/auth/+/roles" {
  capabilities = ["list"]
}

path "/auth/+/roles/*" {
  capabilities = ["read"]
}

path "/auth/+/users" {
  capabilities = ["list"]
}

path "/auth/+/users/*" {
  capabilities = ["read"]
}

path "/auth/+/groups" {
  capabilities = ["list"]
}

path "/auth/+/groups/*" {
  capabilities = ["read"]
}

# policies

path "/sys/policies/acl" {
  capabilities = ["list"]
}

path "/sys/policies/acl/*" {
  capabilities = ["read"]
}

# secrets engines

path "/sys/mounts" {
  capabilities = ["read"]
}

path "/+/metadata/*" { # kv2
  capabilities = ["list", "read"]
}

path "/+/subkeys/*" { # kv2 subkeys (required for KV2 key extraction)
  capabilities = ["read"]
}

path "/+/roles" { # aws, azure
  capabilities = ["list"]
}

path "/+/roles/*" { # aws, azure
  capabilities = ["read"]
}

path "/+/rolesets" { # gcp
  capabilities = ["list"]
}

path "/+/rolesets/*" { # gcp
  capabilities = ["read"]
}

path "/+/static-accounts" { # gcp
  capabilities = ["list"]
}

path "/+/impersonated-accounts" { # gcp
  capabilities = ["list"]
}

# namespaces
# --- From /sys/namespaces ---
path "+/sys/namespaces" {
  capabilities = ["list"]
}
path "+/+/sys/namespaces" {
  capabilities = ["list"]
}
path "+/+/+/sys/namespaces" {
  capabilities = ["list"]
}

# --- From /identity/entity/id ---
path "+/identity/entity/id" {
  capabilities = ["list"]
}
path "+/+/identity/entity/id" {
  capabilities = ["list"]
}
path "+/+/+/identity/entity/id" {
  capabilities = ["list"]
}

# --- From /identity/entity/id/* ---
path "+/identity/entity/id/*" {
  capabilities = ["read"]
}
path "+/+/identity/entity/id/*" {
  capabilities = ["read"]
}
path "+/+/+/identity/entity/id/*" {
  capabilities = ["read"]
}

# --- From /identity/group/id ---
path "+/identity/group/id" {
  capabilities = ["list"]
}
path "+/+/identity/group/id" {
  capabilities = ["list"]
}
path "+/+/+/identity/group/id" {
  capabilities = ["list"]
}

# --- From /identity/group/id/* ---
path "+/identity/group/id/*" {
  capabilities = ["read"]
}
path "+/+/identity/group/id/*" {
  capabilities = ["read"]
}
path "+/+/+/identity/group/id/*" {
  capabilities = ["read"]
}

# --- From /sys/auth ---
path "+/sys/auth" {
  capabilities = ["read"]
}
path "+/+/sys/auth" {
  capabilities = ["read"]
}
path "+/+/+/sys/auth" {
  capabilities = ["read"]
}

# --- From /auth/+/role ---
path "+/auth/+/role" {
  capabilities = ["list"]
}
path "+/+/auth/+/role" {
  capabilities = ["list"]
}
path "+/+/+/auth/+/role" {
  capabilities = ["list"]
}

# --- From /auth/+/role/* ---
path "+/auth/+/role/*" {
  capabilities = ["read"]
}
path "+/+/auth/+/role/*" {
  capabilities = ["read"]
}
path "+/+/+/auth/+/role/*" {
  capabilities = ["read"]
}

# --- From /auth/+/roles ---
path "+/auth/+/roles" {
  capabilities = ["list"]
}
path "+/+/auth/+/roles" {
  capabilities = ["list"]
}
path "+/+/+/auth/+/roles" {
  capabilities = ["list"]
}

# --- From /auth/+/roles/* ---
path "+/auth/+/roles/*" {
  capabilities = ["read"]
}
path "+/+/auth/+/roles/*" {
  capabilities = ["read"]
}
path "+/+/+/auth/+/roles/*" {
  capabilities = ["read"]
}

# --- From /auth/+/users ---
path "+/auth/+/users" {
  capabilities = ["list"]
}
path "+/+/auth/+/users" {
  capabilities = ["list"]
}
path "+/+/+/auth/+/users" {
  capabilities = ["list"]
}

# --- From /auth/+/users/* ---
path "+/auth/+/users/*" {
  capabilities = ["read"]
}
path "+/+/auth/+/users/*" {
  capabilities = ["read"]
}
path "+/+/+/auth/+/users/*" {
  capabilities = ["read"]
}

# --- From /auth/+/groups ---
path "+/auth/+/groups" {
  capabilities = ["list"]
}
path "+/+/auth/+/groups" {
  capabilities = ["list"]
}
path "+/+/+/auth/+/groups" {
  capabilities = ["list"]
}

# --- From /auth/+/groups/* ---
path "+/auth/+/groups/*" {
  capabilities = ["read"]
}
path "+/+/auth/+/groups/*" {
  capabilities = ["read"]
}
path "+/+/+/auth/+/groups/*" {
  capabilities = ["read"]
}

# --- From /sys/policies/acl ---
path "+/sys/policies/acl" {
  capabilities = ["list"]
}
path "+/+/sys/policies/acl" {
  capabilities = ["list"]
}
path "+/+/+/sys/policies/acl" {
  capabilities = ["list"]
}

# --- From /sys/policies/acl/* ---
path "+/sys/policies/acl/*" {
  capabilities = ["read"]
}
path "+/+/sys/policies/acl/*" {
  capabilities = ["read"]
}
path "+/+/+/sys/policies/acl/*" {
  capabilities = ["read"]
}

# --- From /sys/mounts ---
path "+/sys/mounts" {
  capabilities = ["read"]
}
path "+/+/sys/mounts" {
  capabilities = ["read"]
}
path "+/+/+/sys/mounts" {
  capabilities = ["read"]
}

# --- From /+/metadata/* ---
path "+/+/metadata/*" { # kv2
  capabilities = ["list", "read"]
}
path "+/+/+/metadata/*" { # kv2
  capabilities = ["list", "read"]
}
path "+/+/+/+/metadata/*" { # kv2
  capabilities = ["list", "read"]
}

# --- From /+/subkeys/* ---
path "+/+/subkeys/*" { # kv2 subkeys
  capabilities = ["read"]
}
path "+/+/+/subkeys/*" { # kv2 subkeys
  capabilities = ["read"]
}
path "+/+/+/+/subkeys/*" { # kv2 subkeys
  capabilities = ["read"]
}

# --- From /+/roles ---
path "+/+/roles" { # aws, azure
  capabilities = ["list"]
}
path "+/+/+/roles" { # aws, azure
  capabilities = ["list"]
}
path "+/+/+/+/roles" { # aws, azure
  capabilities = ["list"]
}

# --- From /+/roles/* ---
path "+/+/roles/*" { # aws, azure
  capabilities = ["read"]
}
path "+/+/+/roles/*" { # aws, azure
  capabilities = ["read"]
}
path "+/+/+/+/roles/*" { # aws, azure
  capabilities = ["read"]
}

# --- From /+/rolesets ---
path "+/+/rolesets" { # gcp
  capabilities = ["list"]
}
path "+/+/+/rolesets" { # gcp
  capabilities = ["list"]
}
path "+/+/+/+/rolesets" { # gcp
  capabilities = ["list"]
}

# --- From /+/rolesets/* ---
path "+/+/rolesets/*" { # gcp
  capabilities = ["read"]
}
path "+/+/+/rolesets/*" { # gcp
  capabilities = ["read"]
}
path "+/+/+/+/rolesets/*" { # gcp
  capabilities = ["read"]
}

# --- From /+/static-accounts ---
path "+/+/static-accounts" { # gcp
  capabilities = ["list"]
}
path "+/+/+/static-accounts" { # gcp
  capabilities = ["list"]
}
path "+/+/+/+/static-accounts" { # gcp
  capabilities = ["list"]
}

# --- From /+/impersonated-accounts ---
path "+/+/impersonated-accounts" { # gcp
  capabilities = ["list"]
}
path "+/+/+/impersonated-accounts" { # gcp
  capabilities = ["list"]
}
path "+/+/+/+/impersonated-accounts" { # gcp
  capabilities = ["list"]
}

path "/sys/namespaces" {
  capabilities = ["list"]
}

# entities

path "/identity/entity/id" {
  capabilities = ["list"]
}

path "/identity/entity/id/*" {
  capabilities = ["read"]
}

# groups

path "/identity/group/id" {
  capabilities = ["list"]
}

path "/identity/group/id/*" {
  capabilities = ["read"]
}

# auth methods

path "/sys/auth" {
  capabilities = ["read"]
}

path "/auth/+/role" {
  capabilities = ["list"]
}

path "/auth/+/role/*" {
  capabilities = ["read"]
}

path "/auth/+/roles" {
  capabilities = ["list"]
}

path "/auth/+/roles/*" {
  capabilities = ["read"]
}

path "/auth/+/users" {
  capabilities = ["list"]
}

path "/auth/+/users/*" {
  capabilities = ["read"]
}

path "/auth/+/groups" {
  capabilities = ["list"]
}

path "/auth/+/groups/*" {
  capabilities = ["read"]
}

# policies

path "/sys/policies/acl" {
  capabilities = ["list"]
}

path "/sys/policies/acl/*" {
  capabilities = ["read"]
}

# secrets engines

path "/sys/mounts" {
  capabilities = ["read"]
}

path "/+/metadata/*" { # kv2
  capabilities = ["list", "read"]
}

path "/+/subkeys/*" { # kv2 subkeys (required for KV2 key extraction)
  capabilities = ["read"]
}

path "/+/roles" { # aws, azure
  capabilities = ["list"]
}

path "/+/roles/*" { # aws, azure
  capabilities = ["read"]
}

path "/+/rolesets" { # gcp
  capabilities = ["list"]
}

path "/+/rolesets/*" { # gcp
  capabilities = ["read"]
}

path "/+/static-accounts" { # gcp
  capabilities = ["list"]
}

path "/+/impersonated-accounts" { # gcp
  capabilities = ["list"]
}

employee_id,display_name,email_address,account_status,join_date,last_access,password_updated,termination_date,groups,roles
EMP001,Alex Johnson,[email protected],active,2023-04-15,2025-02-15T09:30:45Z,2024-11-10T08:15:30Z,,"Engineering, DevOps","Developer, System Administrator"
EMP002,Taylor Smith,[email protected],true,2022-09-20,2025-03-01T11:45:20Z,2024-10-05T14:30:15Z,,"Product, UX Research","Product Manager, UX Designer"
EMP003,Jordan Lee,[email protected],inactive,2021-11-05,2024-10-10T16:20:30Z,2024-06-15T09:45:10Z,2025-01-15,"Marketing, Content","Content Creator, Social Media Manager"
EMP004,Casey Morgan,[email protected],1,2023-08-22,2025-02-28T15:10:25Z,2024-12-20T10:30:45Z,,"Finance, Accounting","Financial Analyst, Auditor"
EMP005,Riley Brown,[email protected],0,2022-03-10,2024-11-15T08:45:30Z,2024-08-05T11:20:15Z,2024-12-31,"HR, Recruiting","HR Specialist, Talent Acquisition"

user_id,groups,roles
user1,"Engineering, QA Team, Product Team","Software Engineer, Technical Lead"
user2,Marketing,"Content Writer, Editor"
user3,Finance,"Accountant, Auditor"
user4,HR,HR Specialist
user5,"Support, Training",Customer Support Representative

user_id,name,email,active,group,role,role_description
user1,Alice Smith,[email protected],true,Engineering,Software Engineer,Core development role
user1,Alice Smith,[email protected],true,QA Team,Technical Lead,Testing oversight role
user1,Alice Smith,[email protected],true,Product Team,Technical Lead,Product development leadership
user2,Bob Johnson,[email protected],false,Marketing,Content Writer,Content creation role
user2,Bob Johnson,[email protected],false,Marketing,Editor,Content review role

user_id,name,email,is_active,groups,role,permissions
USR001,Alex Johnson,[email protected],true,"Dev Team",Developer,"view_code, edit_code"
USR001,Alex Johnson,[email protected],true,"Backend Group",Code Reviewer,"approve_pull_requests"
USR002,Taylor Smith,[email protected],yes,"Ops Team",System Administrator,"manage_infrastructure"
USR002,Taylor Smith,[email protected],yes,"Cloud Admin",Release Manager,"deploy_production"
USR003,Jordan Lee,[email protected],1,"Product Team",Product Owner,"create_requirements"
USR003,Jordan Lee,[email protected],1,"Analytics Users",Data Analyst,"view_analytics"

user_id,display_name,email,active,department,team,job_title,role,role_permissions
emp101,John Smith,[email protected],true,Engineering,Backend,"Senior Developer","Developer Lead","read_all,write_backend,deploy_backend"
emp101,John Smith,[email protected],true,Engineering,Architecture,"Senior Developer","Architecture Committee","approve_designs,modify_architecture"
emp102,Jane Doe,[email protected],true,Engineering,Frontend,"UI Developer","Frontend Developer","read_all,write_frontend,deploy_frontend"
emp103,Robert Johnson,[email protected],true,Product,"Product Management","Product Owner","Product Manager","read_all,create_requirements,approve_features"
emp103,Robert Johnson,[email protected],true,Product,"UX Research","Product Owner","User Researcher","conduct_research,analyze_results"
emp104,Maria Garcia,[email protected],true,Marketing,Content,"Marketing Specialist","Content Creator","read_marketing,write_content"
emp104,Maria Garcia,[email protected],true,Marketing,Social,"Marketing Specialist","Social Media Manager","post_social,analyze_metrics"
emp105,David Lee,[email protected],true,Finance,Accounting,"Finance Manager","Financial Controller","approve_expenses,manage_budgets,generate_reports"
emp106,Sarah Wilson,[email protected],true,HR,Recruiting,"HR Specialist","Recruiter","post_jobs,review_applications,conduct_interviews"
emp107,Michael Brown,[email protected],true,Sales,"Enterprise Sales","Sales Executive","Account Manager","manage_clients,create_proposals,close_deals"

user_id,name,email,active,created_at,last_login_at,password_last_changed_at,deactivated_at
TS001,Timestamp Example 1,[email protected],true,2023-04-12T15:34:56.123456789Z,2006-01-02T15:04:05Z07:00,20060102150405,
TS002,Timestamp Example 2,[email protected],true,2006-01-30 15:04:05Z07:00,2006-01-30 15:04:05,2006-01-30,2006-01-30T
TS003,Timestamp Example 3,[email protected],true,2006-01-30T15:04:05,2006-01-30T15:04:05Z,never,null
TS004,Timestamp Example 4,[email protected],false,2024-03-15,none,false,0
TS005,Timestamp Example 5,[email protected],true,1/2/2006,1/15/2023,11/22/2024,

user_id,name,email,active
B001,Boolean Example 1,[email protected],true
B002,Boolean Example 2,[email protected],t
B003,Boolean Example 3,[email protected],yes
B004,Boolean Example 4,[email protected],y
B005,Boolean Example 5,[email protected],1
B006,Boolean Example 6,[email protected],active
B007,Boolean Example 7,[email protected],enabled
B008,Boolean Example 8,[email protected],false
B009,Boolean Example 9,[email protected],f
B010,Boolean Example 10,[email protected],no
B011,Boolean Example 11,[email protected],n
B012,Boolean Example 12,[email protected],0
B013,Boolean Example 13,[email protected],inactive
B014,Boolean Example 14,[email protected],disabled

user_id,name,email,active,department,title,office_location,hire_date,employee_type,salary_band,performance_rating,certification,languages,project_ids,manager_id,emergency_contact
CP001,Custom Property Example 1,[email protected],true,Engineering,Senior Developer,New York,2023-01-15,Full-time,B4,Exceeds Expectations,"AWS Certified, Azure Expert","Java, Python, Go","PROJ-001, PROJ-002",MGR-101,John Smith (555-123-4567)
CP002,Custom Property Example 2,[email protected],true,Marketing,Marketing Manager,San Francisco,2022-05-10,Full-time,C2,Meets Expectations,Google Analytics,"English, Spanish",PROJ-003,MGR-102,Mary Johnson (555-987-6543)
CP003,Custom Property Example 3,[email protected],false,Finance,Financial Analyst,Chicago,2023-08-22,Contract,A3,Needs Improvement,CPA,"English, French","PROJ-004, PROJ-005, PROJ-006",MGR-103,Robert Davis (555-456-7890)

user_id,user_name,role_name,role_owner,role_owner_type
10001,bob,admin,[email protected],,oktauser
10002,sue,admin,[email protected],oktauser
10003,marry,user,[email protected],oktauser
10004,jane,user,[email protected],oktauser
10005,sam,viewer,[email protected],oktauser
10006,adam,viewer,[email protected],oktauser
10007,brett,ops,[email protected],oktauser
10008,robert,ops,[email protected],oktauser
10009,chris,manager,,
10010,nick,manager,,

Databricks: Entities and Permissions Reference

Databricks entity types, attributes, and permissions reference

This document provides reference information about the entity types, attributes, and permissions that Veza discovers from Databricks integrations. This information applies to both workspace-level and Unity Catalog integrations.

Integration Architecture

Within Databricks, Access Control Lists (ACLs) govern permissions to different entities such as catalogs, schemas, tables, clusters, directories, and notebooks.

Veza discovers entity and authorization metadata using the native Databricks REST API and executes SQL queries on designated clusters to extract table-level metadata and permissions.

Workspace Mode: Connects directly to individual workspaces using personal access token authentication. This is configured as a standalone Databricks integration. The integration supports workspace resources and the hive_metastore catalog.

Unity Catalog Mode: Connects at the account level using OAuth or SSO. This is configured as part of your cloud provider integration (, , or ) (not as a standalone integration). When enabled, Veza discovers account-level resources, multiple workspaces, Unity Catalog metastores, and all associated resources.

In Databricks Unity Catalog, Users, Service Principals, Groups, and Catalogs exist at both account and workspace levels, with account-level identities linked to their workspace-level counterparts.

Supported Entities

Identity Entities

User

Local workspace user account. Users can be members of groups, own resources, and have permissions granted directly or through group membership.

Attributes:

email
emails
system_id
is_disabled

Service Principal

Non-human identity used for programmatic access and automation. Service principals can authenticate to Databricks and have permissions managed similarly to users.

Attributes:

application_id
system_id
is_disabled

Group

Group for organizing users and service principals. Groups can contain users, service principals, and other groups (nested membership).

Attributes:

identity_unique_id
roles (Unity Catalog)
indirect_roles (Unity Catalog)

Personal Access Token

Authentication token owned by a user or service principal. PATs provide programmatic access to Databricks with the same permissions as the owning identity.

Attributes:

token_id
created_by_id
created_by_username

Notes:

Personal Access Tokens automatically inherit all permissions from their owning identity
Token discovery requires workspace admin permissions and may not be available on all Databricks pricing tiers
Expired tokens are excluded from discovery

Container Entities

Account (Unity Catalog)

Top-level container for Unity Catalog resources including metastores, workspaces, account-level identities, and OAuth applications.

Attributes:

account_id

Workspace

Container for workspace resources including users, groups, clusters, directories, notebooks, and catalogs.

Attributes:

sso_id
sso_type
metastore_id

Metastore (Unity Catalog)

Unity Catalog metastore that can be shared across multiple workspaces and contains catalogs.

Attributes:

metastore_id
region

Data Entities

Catalog

Database catalog containing schemas.

Attributes:

catalog_type
metastore_id
isolation_mode

Notes:

Workspace mode only discovers the hive_metastore catalog
Hive metastores do not support catalog-level permission grants
Unity Catalog mode discovers all catalogs within attached metastores

Schema

Database schema within a catalog, containing tables and views.

Attributes:

catalog_name
workspace_host
metastore_id

Table

Data table within a schema.

Attributes:

Name
ID

View

Database view within a schema. Views are virtual tables based on queries, with independent permissions that control who can query them.

Attributes:

Name
ID

Workspace Objects

Notebook

Executable code document that can be attached to a cluster. Notebooks contain code, visualizations, and documentation.

Attributes:

depth
path
workspace_host

Compute Resources

Cluster

Compute cluster (set of Spark computation resources) used to run notebooks and jobs.

Attributes:

local_disk_encryption_enabled
autotermination_minutes
creator_user_name

Job

Automated workflow for running data engineering, data science, and analytics workloads.

Attributes:

job_id
creator_user_name
created_time

Pipeline

Delta Live Tables pipeline for building reliable data processing pipelines with automatic testing and monitoring.

Attributes:

pipeline_id
cluster_id
creator_user_name

Security Entities (Unity Catalog)

Account Service Principal Secret (Unity Catalog)

OAuth secret for account-level service principals.

Attributes:

service_principal_app_id
secret_status
secret_name

Account Service Principal Federation Policy (Unity Catalog)

OIDC federation policy for a specific account service principal, enabling workload identity federation.

Attributes:

service_principal_app_id
policy_name
policy_description

Account Federation Policy (Unity Catalog)

Account-level OIDC federation policy that can be referenced by multiple identities.

Attributes:

policy_name
policy_description
policy_uid

OAuth Applications (Unity Catalog)

Published OAuth App Integration (Unity Catalog)

Pre-configured Databricks-provided OAuth application.

Attributes:

app_id
integration_id
app_name
created_at

Custom OAuth App Integration (Unity Catalog)

User-created OAuth application with custom configuration.

Attributes:

client_id
integration_id
app_name
created_at

Permissions and Effective Access

Databricks uses Access Control Lists (ACLs) to control access to different types of resources. Veza models these native privileges and generates Effective Permissions, showing the cumulative access granted through:

Direct privilege assignments to users or service principals
Group membership (including nested groups)
Personal Access Token inheritance from owning identity
Directory and notebook permission inheritance

Permission Types by Resource

Data Object Permissions

Permissions that apply to Catalogs, Schemas, Tables, and Views:

Permission

Description

Directory and Notebook Permissions

Permission

Description

Cluster Permissions

Permission

Description

Job Permissions

Permission

Description

Pipeline Permissions

Permission

Description

Unsupported Entities

The following Databricks entity types are not currently supported:

SQL Warehouse
Experiment
Cluster Pool
Query

identity_unique_id

created_at

workspace_hosts

num_workers

effective_budget_policy_id

run_as_user_name

created_at

policy_uid

created_at

Option 1: Workload Identity Federation (Recommended)

Workload Identity Federation allows Veza to access Google Cloud resources securely without storing long-lived credentials. It uses a trust relationship between Veza's AWS role and your Google Cloud service account.

Integration Flow:

Veza's AWS role requests access to Google Cloud resources.
AWS generates a signed token proving Veza's identity.
Google Cloud validates the token via the established trust relationship.
Google Cloud issues temporary credentials for the service account.
Veza uses these temporary credentials to access authorized resources.

To enable Workload Identity Federation, enable the required APIs for your Google Cloud project, then create a Workload Identity Pool and configure AWS as the identity provider. After configuring service account impersonation to grant access to Veza's AWS role, you can download the credential configuration file for integration setup.

Prerequisites

Retrieve Veza's AWS Role ARN:
- When configuring a Google Cloud integration in Veza, the full Assume Role ARN is displayed at the top of the configuration form.
- Copy this ARN, as you will need the AWS Account ID and Role Name from it to configure the integration in Google Cloud.
- Example ARN format:

Step 1: Create Service Account

Navigate to IAM & Admin >
Click Create Service Account
Provide a name, ID, and description
Note the service account email address

Step 2: Enable Required APIs

Enable the following APIs for your Google Cloud project:

IAM API
Cloud Resource Manager API
IAM Service Account Credentials API
Security Token Service API

Step 3: Create Workload Identity Pool

To create a pool, choose IAM & Admin > Workload Identity Pools from the Google Cloud Console. Follow these steps to add a pool for the Veza integration:

In the Google Cloud console, go to New workload provider and pool
Provide a pool name (e.g., veza-federation-pool)
Add a description
Click Continue

Step 4: Add AWS as Identity Provider

Select AWS as the provider
Configure the provider details:
- Provider name: e.g., Veza AWS Provider
- Provider ID

Step 5: Configure Service Account Impersonation

Go to the pool details page
Select Grant Access
In the dialog, select Grant access using Service Account impersonation
Choose the service account created for the Veza integration from the Select service account dropdown

Step 6: Download Configuration

On the provider details page, select Connected service accounts
Find the integration service account and click Download
Select the AWS provider and click Download config

The configuration file will look similar to:

Save this file for use in the Veza integration setup.

See for detailed instructions.

Troubleshooting

If you encounter the error Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist), follow these steps:

Enable audit logging for Workload Identity Federation:
- Go to IAM & Admin --> Audit Logs in the Google Cloud Console
- Find the project where you configured Workload Identity Federation
- Enable audit logging for "Identity and Access Management (IAM) API"

Example log entry: principalSubject: "arn:aws:sts::123456789012:assumed-role/veza-integration-role/veza-gcp-federation"

The log explorer will show whether the correct AWS role is attempting access and help identify any misconfigurations in the identity pool settings. For more details about Workload Identity Federation audit logging, see .

iam.roles.get
iam.roles.list
iam.serviceAccounts.list
iam.denypolicies.get
iam.denypolicies.list
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.projects.get
serviceusage.services.list
resourcemanager.tagValues.list
resourcemanager.tagValues.get
resourcemanager.tagKeys.list
resourcemanager.tagKeys.get
compute.instances.listTagBindings
storage.buckets.listTagBindings
bigquery.datasets.listTagBindings
bigquery.tables.listTagBindings
cloudkms.keyRings.listTagBindings
cloudkms.cryptoKeys.listTagBindings
run.services.listTagBindings
cloudsql.instances.listTagBindings
secretmanager.secrets.listTagBindings

gcloud iam roles create VEZA_ROLE_NAME --organization=YOUR_ORG_ID --permissions=\
iam.roles.get,\
iam.roles.list,\
iam.serviceAccounts.list,\
iam.denypolicies.get,\
iam.denypolicies.list,\
resourcemanager.folders.getIamPolicy,\
resourcemanager.folders.list,\
resourcemanager.organizations.get,\
resourcemanager.organizations.getIamPolicy,\
resourcemanager.projects.getIamPolicy,\
resourcemanager.projects.list,\
resourcemanager.projects.get,\
serviceusage.services.list,\
resourcemanager.tagValues.list,\
resourcemanager.tagValues.get,\
resourcemanager.tagKeys.list,\
resourcemanager.tagKeys.get,\
compute.instances.listTagBindings,\
storage.buckets.listTagBindings,\
bigquery.datasets.listTagBindings,\
bigquery.tables.listTagBindings,\
cloudkms.keyRings.listTagBindings,\
cloudkms.cryptoKeys.listTagBindings,\
run.services.listTagBindings,\
cloudsql.instances.listTagBindings,\
secretmanager.secrets.listTagBindings,\
storage.buckets.getIamPolicy,\
storage.buckets.list,\
compute.instances.list,\
compute.instances.getIamPolicy,\
compute.networks.list,\
compute.regions.list,\
compute.subnetworks.getIamPolicy,\
compute.subnetworks.list,\
compute.zones.list,\
cloudkms.locations.get,\
cloudkms.locations.list,\
cloudkms.cryptoKeyVersions.get,\
cloudkms.cryptoKeyVersions.list,\
cloudkms.cryptoKeyVersions.viewPublicKey,\
cloudkms.cryptoKeys.getIamPolicy,\
cloudkms.cryptoKeys.get,\
cloudkms.cryptoKeys.list,\
cloudkms.keyRings.get,\
cloudkms.keyRings.list,\
cloudkms.keyRings.getIamPolicy,\
bigquery.datasets.getIamPolicy,\
bigquery.datasets.get,\
bigquery.tables.getIamPolicy,\
bigquery.tables.get,\
bigquery.tables.list,\
run.services.list,\
run.services.getIamPolicy,\
run.locations.list,\
cloudsql.instances.list,\
cloudsql.users.list,\
cloudsql.databases.list,\
container.clusters.list,\
secretmanager.secrets.list,\
secretmanager.secrets.get,\
secretmanager.secrets.getIamPolicy,\
secretmanager.versions.list,\
secretmanager.versions.get,\
secretmanager.locations.get,\
secretmanager.locations.list,\
secretmanager.secrets.listEffectiveTags,\
secretmanager.secrets.listTagBindings,\
logging.logEntries.list

Policy.Read.All (Used to evaluate Conditional Access policies for service principals)

arn:aws:iam::064704382911:role/tenant1-insight-point

veza-aws-prod

{
   "universe_domain": "googleapis.com",
   "type": "external_account",
   "audience": "//iam.googleapis.com/projects/<project_id>/locations/global/workloadIdentityPools/<pool_name>/providers/<provider_name>",
   "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
   "token_url": "https://sts.googleapis.com/v1/token",
   "credential_source": {
      "environment_id": "aws1",
      "regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"
   }
}

https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/admin.directory.domain.readonly
https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly
https://www.googleapis.com/auth/apps.groups.settings

Microsoft SharePoint Online

Enabling Veza discovery of SharePoint resources

Prerequisites: You must have an existing Azure integration configured before setting up SharePoint discovery.

To enable SharePoint discovery for an Azure tenant configuration, you will need to upload an X.509 certificate for authentication. Once provided, Veza will automatically extract permissions metadata for SharePoint Online resources, and show effective permissions for AzureAD users and groups to SharePoint servers, sites, libraries, and folders.

1. Prepare certificate

Microsoft and Veza recommend using a valid signed certificate, but you can use a self-signed certificate if needed.

To create a self-signed certificate and private key:

Copy the script full script on this page: .
Save the script with a text editor Create-SelfSignedCertificate.ps1
Open PowerShell as an Administrator and invoke the script

2. Configure the Veza Enterprise App

If you haven't already completed the steps to , you should do so before continuing.

From your Microsoft Azure Portal, go to Azure Active Directory and select "App Registrations"
Select the app registration used by Veza for discovery of the Azure tenant
Click on API permissions, and "Add a permission" Grant the following Application Permissions:

Required Permissions Checklist:

SharePoint permissions:
- User.Read.All
- Sites.Read.All
Microsoft Graph permissions:

Go to the app registration's Certificates & Secrets, click "Upload certificate," and provide the public key from the key pair from step 1.
Verify that the certificate has been uploaded by selecting "Manifest" and checking the keyCredentials property.

3. Configure Veza

You can upload the required certificate when to Veza, or by navigating to the Integrations page and editing an existing Azure tenant. Upload the certificate pair from the first step.

Enabling Last Activity Date for SharePoint Sites

To enable parsing of Last Activity Date as a searchable property for SharePoint sites, you will need to disable :

From the Office 365 admin center, go to Settings > Org Settings > Services
Select Reports
Clear the checkbox for Display concealed user, group, and site names in all reports, and save your changes

Note: Last activity stats are only obtainable for top-level sites (not sub-sites).

Core SharePoint Entities

The SharePoint integration discovers and analyzes the following core entities within your SharePoint environment, creating relationships between resources, permissions, and identities:

SharePoint Sites

Individual SharePoint sites including both Communication sites and Team sites, with activity metrics and permission tracking.

Attribute

Notes

SharePoint Users

Individual user accounts with access to SharePoint resources, including both internal users and external guests with activity tracking.

Attribute

Notes

SharePoint Libraries

Document libraries and other content repositories within SharePoint sites, with permission inheritance and content management features.

Attribute

Notes

SharePoint Folders

Organizational folders within SharePoint libraries, with hierarchical structure and sharing capabilities.

Attribute

Notes

SharePoint Lists

SharePoint lists for structured data, task management, and custom applications within sites.

Attribute

Notes

SharePoint Groups

SharePoint-specific security groups for managing permissions to sites, libraries, and lists.

Attribute

Notes

SharePoint Site Memberships

Administrative relationship nodes that connect Azure AD users to special site-level roles such as Site Administrator or Guest access.

Attribute

Notes

The entities listed above reflect the limitations of read-only SharePoint API and Microsoft Graph API access. Additional entities are supported with optional permissions described in the section below.

Cross-Service Identity Correlation

When deployed alongside an , Veza automatically correlates SharePoint users and groups with their corresponding Azure AD identities. This correlation enables access analysis across both platforms.

Cross-service correlation requires both Azure and SharePoint integrations to be configured and running. The correlation happens automatically when both integrations are present.

SharePoint Permissions

SharePoint uses a complex permission system that combines role-based access control with granular permissions. Veza discovers and analyzes all permission types to provide visibility into access rights.

Permission Categories:

Standard Access Levels:

read - Read-only access to content
write - Ability to modify existing content
owner - Full control including permission management

Permission Inheritance:

inherited_read - Read permissions inherited from parent
inherited_write - Write permissions inherited from parent
inherited_owner - Owner permissions inherited from parent

SharePoint-Specific Permissions:

SharePoint provides 34 granular permissions organized into functional categories:

View List Items - View items in lists and document libraries
Add List Items - Add items to lists and document libraries
Edit List Items - Edit items in lists and document libraries

Azure Enterprise Application Permissions:

When integrated with Azure AD, SharePoint also supports enterprise application permissions for sites and files:

Office365SharePointOnline.Sites.Read.All - Read site collections and sites
Office365SharePointOnline.Sites.ReadWrite.All - Read and write site collections and sites
Office365SharePointOnline.Sites.FullControl.All - Full control of site collections and sites

Permission Inheritance Patterns:

SharePoint permissions follow a hierarchical inheritance model. Users can have unique permissions at any level, breaking inheritance from parent objects.

SharePoint Permission Inheritance Hierarchy

Tenant Level - SharePoint Online tenant settings
Site Collection Level - Individual sites inherit from tenant

Term Store Entities

When the Term Store permissions are configured (see ), Veza discovers SharePoint Term Store administrative access and creates the following graph entities and relationships:

Term Store

Centralized taxonomy management resource that allows administrators to create, organize, and manage metadata across SharePoint sites through terms, term sets, and term groups.

Attribute

Notes

Term Store Membership

Administrative relationship nodes that connect Azure AD principals (users and groups) to Term Store administrator roles, representing who has administrative control over the taxonomy management system.

Attribute

Notes

Expanded Functionality

When granted write-level or admin-level permissions, Veza can gather additional entities and properties. The following table identifies our expanded support and the required permissions:

Entity / Property

API Permissions

Additional Entities

SharePoint Roles

Role definitions that define sets of granular permissions for SharePoint sites, lists, and libraries.

Attribute

Notes

SharePoint Role Assignments

Connections between principals (users/groups) and roles on specific SharePoint resources, enabling granular permission tracking.

Attribute

Notes

SharePoint Grouped Resources

Performance optimization entities that group multiple resources sharing identical permission patterns, reducing graph complexity for large SharePoint environments.

Attribute

Notes

Enabling List and Site Permissions will create distinct Permission nodes connecting principal-type entities such as users to SharePoint Site and List entities.

Sharing Capability is a property on the tenant-level SharePoint Online Server entity indicating the maximum-permitted sharing settings for sharable objects within the tenant. The value can be:

Value

Description

Sharing capability is not currently provided for child Sites and Libraries due to Microsoft API limitations.

Term Store Permissions enable Veza to discover SharePoint Term Store administrators and their access relationships. Term Store is a centralized taxonomy management system that allows administrators to create, organize, and manage metadata across SharePoint sites through terms (categories, tags, or keywords) grouped into term sets.

Veza discovers Term Store administrative access for:

Azure AD Users
Microsoft 365 Groups (Azure AD Groups)

Only Term Store and corresponding admins are supported (term sets are not included). Security groups are not supported due to SharePoint API limitations.

Additional Setup Requirements for Term Store:

Prerequisites: You must have an existing configured before proceeding with Term Store setup.

Term Store discovery requires additional configuration beyond the standard Azure app registration.

Step 1: Configure SharePoint App Permissions

Follow these steps to register your existing Azure app with SharePoint and grant it the additional taxonomy permissions needed for Term Store discovery:

Navigate to https://<your-organization>-admin.sharepoint.com/_layouts/15/appinv.aspx
In the App Id field, paste the Client ID from the app registration you're currently using for SharePoint
Click Lookup to auto-populate the form fields
If the App Domain and Redirect URL fields are empty, enter:

After trusting the app, you should be redirected to the SharePoint home page, indicating successful registration.

Step 2: Configure PowerShell Settings

This step is required to prevent "Token Type Not Allowed" errors. SharePoint has the DisableCustomAppAuthentication property set to True by default, which blocks the authentication method needed for Term Store access.

The commands below must be run on a Windows machine. PowerShell on Linux or macOS is not fully compatible and does not support the required commands.

PowerShell Configuration Steps:

Install the SharePoint Online Management Shell module
Connect to your SharePoint Online tenant
Disable custom app authentication restriction
Verify the setting was applied

Detailed PowerShell Commands

Install the SharePoint Online Management Shell module:
Connect to your SharePoint Online tenant:
You will be prompted to enter credentials. Use an account with SharePoint Administrator permissions.

Additional Resources:

Important: Term Store support is currently available but depends on Azure Access Control service, which Microsoft will retire on April 2, 2026. Future availability depends on Microsoft providing alternative authentication methods.

direct_read - Direct read permissions assigned at resource level

<AppPermissionRequests AllowAppOnlyPolicy="true">
    <AppPermissionRequest Scope="http://sharepoint/taxonomy" Right="Read" />
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Read" />
    <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="Read" />
</AppPermissionRequests>

Notes & Supported Entities

Supported entity types and more information about the Veza-AWS connector.

Veza integrates with AWS to parse service and resource metadata using native API calls. You can enable a read-only connection via an IAM user, an assumed IAM role, or using an Insight Point running on EC2.

Veza creates entities in the data catalog to represent discovered resources and identities, including tags and attributes applied within AWS. To gather granular metadata for database services such as RDS, Veza requires additional permissions to connect as a local user and execute queries when data APIs aren't available.

Veza analyzes cross-service connections between discovered entities, calculates effective permissions, and identifies authorization paths, including the cumulative effects of permission boundaries, service control policies, group memberships, and hierarchical policy statements. These relationships can be searched in the Access Graph, or audited using Workflows or the Query Builder.

To show external identities with access to AWS resources, Veza supports identity federation, displaying permissions for external users and groups from providers such as Okta, Azure AD, and custom identity providers.

Supported Services and Entities

Note that by default, all regions and services are extracted. Allow/deny lists can contain string lists (including wildcards) of resources names to ignore.

Amazon Cognito

Supported entities:

Cognito Service
Cognito Identity Pool

Amazon EC2

Supported entities:

EC2 Service
EC2 VPC
EC2 Security Group
EC2 Instance

As of Veza 2021.2.1, EC2 discovery is supported for up to 1000 instances per AWS account.

Amazon Elastic Container Registry (ECR)

Supported entities:

ECR Service
ECR Private Registry
ECR Private Repository
ECR Public Registry

Amazon Elastic Kubernetes Service (EKS)

Supported entities:

EKS Service
EKS Cluster

Amazon Elastic MapReduce (EMR)

Supported entities:

EMR Service
EMR Cluster
EMR Node
EMR Studio

The EMR service to discover must use EC2 (EMR on EKS isn't yet supported). See for more details.

Amazon Redshift

Supported entities:

Redshift Cluster
Redshift Database
Redshift Schema
Redshift Effective Permission

The default policy only includes API permissions to get authorization metadata for Redshift clusters. To connect to Redshift databases for full discovery, a with the redshift:GetClusterCredentials IAM privilege must be available.

Amazon S3

Supported entities:

S3 Service
S3 Bucket
S3 Bucket Policies
S3 Bucket Policy Statement

As of release 2022.2.1, effective permissions to S3 now consider object-level permissions granted via IAM policy. Access Points are not yet supported. S3 bucket objects can have individual Access Control Lists. Since Veza doesn't parse individual bucket objects, object-level permissions may not be authoritative for buckets allowing ACLs.

AWS DynamoDB

Supported entities:

DynamoDB Service
DynamoDB Table
DynamoDB Secondary Index
DynamoDB Stream

See for more information.

AWS IAM

Identity and Access Management

Supported entities:

AWS Accounts
IAM Groups
IAM Users
IAM Roles

AWS IAM Policy entities have the attribute Permissions Boundary Usage Count, enabling queries on unused policies with no relationship to any principals.

IAM Roles Anywhere

Supported entities:

Trust Anchors
Certificate Revocation Lists (CRLs)
Profiles

IAM Roles Anywhere enables workloads running outside of AWS to obtain temporary AWS credentials using X.509 certificate-based authentication instead of long-term access keys. Veza discovers the trust relationships and maps certificates to their associated permission sets.

AWS Certificate Manager

Supported entities:

X.509 Certificates
Certificate metadata and tags

AWS Certificate Manager support enables discovery and tracking of X.509 certificates used for authentication across AWS services, including certificates used with IAM Roles Anywhere.

AWS IAM Identity Center

Supported entities:

Identity Center Service
Identity Center User
Identity Center Group
Identity Center Permission Set

Identity Center is a service only available in the management account of an organization. To discover Identity Center entities, the region configured for the AWS account integration must match the region IAM Identity Center is enabled in. For example, if the IAM Identity Center is enabled in us-east-1, the AWS Integration must have the us-east-1 region defined. Otherwise, AWS IAM Identity Center will not appear as a Data Source.

AWS Key Management Service (KMS)

Supported entities:

KMS Service
KMS Customer Managed Key (CMK)
KMS Policy
KMS Policy Statements

In order for a CMK to be discoverable, its Key Policy must have IAM permissions enabled, or grant the Veza AWS IAM principal directly.

AWS Lambda

Supported entities:

Lambda Service
Lambda Function

AWS Organizations and Organizational Units

Supported entities:

AWS Organization Unit
AWS Organization Account

You can track org unit accounts not yet configured for discovery using the assessments AWS Accounts that are part of an organization but not managed.

AWS RDS

Supported entities:

RDS Service
RDS Instance
RDS Cluster
RDS Cluster Instance

RDS MySQL

Supported entities:

RDS MySQL Database
RDS MySQL Function
RDS MySQL Instance
RDS MySQL Local User

RDS PostgreSQL

Supported entities:

PostgreSQL User
PostgreSQL Database
PostgreSQL Group
PostgreSQL Instance

To get database-level metadata, users, and privileges, Veza will need to execute database queries as a local Postgres or MySQL user.

Amazon DocumentDB

Amazon DocumentDB is a fully managed document database service designed for MongoDB compatibility. Veza provides two-tier discovery: cluster metadata via AWS APIs and optional database-level extraction (users, roles, permissions) using MongoDB protocol.

Supported entities:

Cluster-level (always discovered):

DocumentDB Cluster (regular and elastic)

Database-level (requires credentials):

DocumentDB Database
DocumentDB User
DocumentDB Role

Required IAM Permissions (Least Privilege):

See for complete setup instructions, including database user configuration for granular permission discovery.

Amazon Neptune

Supported entities:

Neptune Service
Neptune Global Database
Neptune Cluster
Neptune Instance

Amazon Neptune is AWS's managed graph database service designed for applications that work with highly connected datasets. Neptune supports both property graphs (using Gremlin and openCypher query languages) and RDF graphs (using SPARQL).

Neptune uses a hierarchical structure where Global Databases span multiple AWS regions for global applications, containing primary and secondary Clusters. Each Cluster consists of multiple Instances (one primary writer and up to 15 read replicas) that share underlying managed storage. Global Databases enable cross-region replication with typically sub-second latency.

Veza extracts Neptune resources and their hierarchical relationships, including the connections between Global Databases, Clusters, and Instances, as well as IAM relationships that govern access to Neptune resources. This provides visibility into both the graph database structure and the authorization paths that control access to your graph data.

AWS Secrets Manager

Supported entities:

Secrets Manager Service
Secrets Manager Secret

AWS Systems Manager Parameter Store

AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data management and secrets. Parameters support organization using forward-slash delimited paths (like /MyApp/Prod/Database/Password) that enable structured querying and granular access control based on path hierarchy. Veza extracts parameters from each AWS region specified in the integration configuration, as Parameter Store data is region-specific and stored separately in each region.

Veza extracts parameter metadata including type, tier, version, description, expiration policies, and modification timestamps. SecureString parameters are automatically linked to their KMS encryption keys, enabling visibility into the encryption chain and key access permissions. Veza analyzes IAM permission relationships to show which principals can access, modify, or delete parameters.

Systems Manager Service

The AWS Systems Manager service entity represents the centralized management hub for infrastructure operations, enabling secure remote management, automation, and compliance across AWS resources without requiring direct server access.

Attribute Name

Description

Systems Manager Parameter

A Parameter Store parameter represents a stored piece of configuration data or secret (such as passwords, database strings, AMI IDs, or license codes) that can be referenced by applications and AWS services, supporting versioning and hierarchical organization.

Attribute Name

Description

Parameter Types:

String - Plain text configuration values such as application URLs, AMI IDs, and license codes that don't require encryption
StringList - Comma-separated lists of values for storing multiple related configuration items that can be processed as a list
SecureString - Encrypted parameters using AWS KMS for sensitive data like passwords and secrets that require access control and audit trails

Required IAM Permissions:

AWS Bedrock

AWS Bedrock is a fully managed service that offers a choice of high-performing foundation models from leading AI companies through a single API, along with capabilities to build generative AI applications with security, privacy, and responsible AI practices.

Supported entities:

Bedrock Service
Bedrock Agent
Bedrock Agent Alias
Bedrock Agent Version

Bedrock Service

The AWS Bedrock service entity represents the main service instance providing access to foundation models and AI capabilities.

Attribute Name

Description

Bedrock Agent

AI agents that can reason through problems and execute multi-step tasks using foundation models.

Attribute Name

Description

Bedrock Agent Alias

Named references to specific agent versions that enable routing requests to particular agent configurations.

Attribute Name

Description

Bedrock Agent Version

Immutable snapshots of agent configurations enabling version control and rollback capabilities.

Attribute Name

Description

Bedrock Action Group

Defines the actions an agent can perform by connecting to APIs or functions.

Attribute Name

Description

Bedrock Foundation Model

Pre-trained models from AI providers available through the Bedrock API.

Attribute Name

Description

Bedrock Custom Model

Fine-tuned versions of foundation models customized with organization-specific data.

Attribute Name

Description

Bedrock Imported Model

Third-party models imported into Bedrock from external sources.

Attribute Name

Description

Bedrock Knowledge Base

Vector databases for retrieval-augmented generation (RAG) applications.

Attribute Name

Description

Bedrock Knowledge Base Data Source

Data sources that populate knowledge bases with content for retrieval operations.

Attribute Name

Description

Bedrock Prompt

Reusable prompt templates for consistent model interactions.

Attribute Name

Description

Bedrock Prompt Version

Versioned instances of prompts enabling change tracking and rollback.

Attribute Name

Description

Bedrock Prompt Router

Intelligent routing system that directs requests to optimal models based on criteria.

Attribute Name

Description

Bedrock Guardrail

Safety controls that filter and moderate model inputs and outputs.

Attribute Name

Description

Bedrock Guardrail Version

Versioned guardrail configurations for tracking policy changes over time.

Attribute Name

Description

Required IAM Permissions:

Search for AWS Entities

The Access Graph includes some additional support for searching AWS entities:

To see the native AWS permissions for an Effective Permission, select an ungrouped EP node and choose Explain Effective Permissions on the actions sidebar
To view an AWS IAM policy, select a Policy node and choose Show JSON Document from the actions sidebar
To understand how one IAM role can assume another role, select an AWS IAM Role and choose Explain Assume Role from the actions sidebar. See for details.

API Rate Limits

Following best practices for AWS client applications, Veza implements an exponential backoff mechanism for requests (see the AWS documentation on for more information). This should prevent hitting endpoint rate limits, and provide ample room for other services to consume the same APIs.

By default, exponential backoff is configured for up to 10 attempts, with a max wait of 300 seconds.

Adding Accounts with Veza APIs

You can use the to configure AWS connectors programmatically.

For example:

Note that by default, all regions and services are extracted. Allow/deny lists can contain string lists (including wildcards) of resources names to ignore.

Conditions in Policy Statements

Veza does not currently support all AWS policy conditions operators and keys. For more details on IAM policy condition operators, see the .

The unsupported conditions include ones that are difficult to parse or meaningless in Veza's graph representation, such as DateGreaterThan:aws:CurrentTime. However, unsupported conditions CAN have a meaningful impact on the actual access granted to principals shown in Graph.

When Veza detects an unsupported condition, the boolean property Unsupported Condition is set to True for the corresponding Policy Statement and Permission nodes. This property can be used in an attribute filter to display query results that are or are not impacted by unsupported conditions.

Veza supports the following condition operators, grouped by type:

StringEquals
StringNotEquals
StringEqualsIgnoreCase

AWS IAM Role relationships may be nested (a role assignment can imply membership in another). When this is the case, an icon will indicate that the node has a hierarchical relationship. Choose Show Hierarchy to open a detailed view. Entities will have a hierarchical_level to enable search on nested nodes.

StringNotEqualsIgnoreCase

{
  "Sid": "Bedrock",
  "Effect": "Allow",
  "Action": [
    "bedrock:ListFoundationModels",
    "bedrock:ListCustomModels",
    "bedrock:ListImportedModels",
    "bedrock:ListAgents",
    "bedrock:GetAgent",
    "bedrock:ListAgentAliases",
    "bedrock:ListAgentVersions",
    "bedrock:ListAgentActionGroups",
    "bedrock:ListAgentKnowledgeBases",
    "bedrock:ListKnowledgeBases",
    "bedrock:ListDataSources",
    "bedrock:ListPrompts",
    "bedrock:ListPromptRouters",
    "bedrock:ListGuardrails"
  ],
  "Resource": "*"
}

curl -X POST '{baseurl}/api/v1/providers/aws
-d  {
  "values": [
    {
      "name": "AWS-Org",
      "type": "AWS",
      "data_plane_id": "a2e32a80-9d64-4725-b4a9-8de6ffd0682b",
      "status": "SUCCESS",
      "account_id": "123456789010",
      "credentials_type": "ASSUME_CUSTOMER_ROLE",
      "access_key_id": null,
      "assume_role_name": "veza-connector",
      "assume_role_external_id": "0477997275",
      "regions": [],
      "db_user": "veza_db_user",
      "services": [],
      "redshift_database_allow_list": [],
      "redshift_database_deny_list": [],
      "rds_database_allow_list": [],
      "rds_database_deny_list": [],
      "s3_bucket_allow_list": [],
      "s3_bucket_deny_list": []
    }
  ]
}

Microsoft Azure AD

Configuring the Veza integration for Microsoft Azure AD (Entra ID).

Veza discovers Authorization metadata for Azure Active Directory, including roles, groups, users, and service principals, for any Microsoft Azure tenant integrated with Veza.

Native Identity Mapping: If you also have Active Directory integrated, Veza automatically creates identity relationships between Azure AD users/groups and Active Directory users/groups when the Azure AD entity has the onPremisesSyncEnabled flag. Custom identity mapping is only needed for connecting to other systems. See Custom Identity Mappings for details.

Enabling this integration can help:

Identify privileged access paths, including time-bound and just-in-time assignments
Track group-based inheritance of privileged roles
Conduct access reviews direct and group-based assignments

If your organization only utilizes Azure AD, and doesn't require Veza discovery of entities such as storage resources, virtual machines, or SQL databases, you can disable those services and data sources when editing or adding an Azure integration.

Custom Security Attributes

Veza can optionally gather and show on Azure AD objects. To enable this, the Enterprise Application used by Veza to connect must have the CustomSecAttributeAssignment.Read.All Microsoft Graph permission. Attributes to gather must be specified in the Azure integration configuration.

Privileged Identity Management (PIM)

Microsoft Entra Privileged Identity Management (PIM) is a service for managing and monitoring access to important resources within an organization. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions.

To support PIM discovery, the Veza Enterprise Application in Azure AD requires the following Microsoft Graph API permissions:

RoleManagement.Read.All
PrivilegedAccess.Read.AzureAD
Group.Read.All

When available, Veza can provide visibility into both direct assignments and group-based assignments:

PIM for Roles: Just-in-time access to Azure AD administrative roles
PIM for Groups: Just-in-time membership and ownership of security groups or Microsoft 365 groups

PIM Assignment Types and Status

In Azure PIM, assignments can be either active (direct access without activation) or eligible (requiring activation when needed). Veza distinguishes between these statuses in the Access Graph:

Eligible assignments appear with an Azure AD Role Eligibility Schedule node between the user and role
Active assignments (including activated PIM assignments) appear as direct connections without the eligibility schedule node

Understanding this distinction can help identify both current access and potential future access.

Access Graph Representation

Veza represents different PIM assignment types in the Access Graph with paths between graph nodes:

User assigned (Active) to Role: Azure AD User → Azure AD Role
User assigned (Active) to Role via Group: Azure AD User → Azure AD Group → Azure AD Role
User Eligible for a Role: Azure AD User → Azure AD Role Eligibility Schedule → Azure AD Role

Important: These intermediate entities (Azure AD Role Eligibility Schedule nodes) are filtered out in Effective query mode. To view, search, or create access reviews that include PIM eligibility schedules, you must use .

When evaluating PIM eligibility, the following conditions apply:

Only assignments that have started (past their start date) and have not expired are shown in the graph
Future assignments and expired assignments are not displayed
When a user activates an eligible assignment, Microsoft creates a temporary active assignment (typically for up to 8 hours). Veza represents this as a direct connection, assuming data source extraction and parsing runs after activation and before expiration.
Groups cannot activate themselves; only individual members of a group can activate their eligible assignments

Supported Entities and Attributes

Veza discovers and maps Azure AD (Entra ID) entities and their relationships to enable queries based on attributes and relationships in your identity environment.

The integration standardizes Application and Directory role permissions to effective create, read, update, and delete actions, and detects the following relationships between entities:

User and group membership, including nested groups
Service principal assignments to roles and resources
Role eligibility and assignments
Group ownership and management

See below for all supported entities and attributes.

Azure AD User

Represents a user identity in Microsoft Entra ID (formerly Azure AD). User objects store authentication and profile information for organizational members, guests, and external identities. Users can sign into Microsoft Entra ID, access protected resources, and be assigned to groups, roles, and applications.

Entity Type Group: IDP_USER

Attribute

Type

Required

Description

Azure AD User Active Status

The Is Active property for an Azure AD user is determined by the account_enabled attribute. If account_enabled is true, then Is Active will be true. If account_enabled is false, then Is Active will be false.

Azure AD Group

Represents a collection of users in Microsoft Entra ID used for assigning access rights and permissions. Groups can be security groups (used to manage access to shared resources) or Microsoft 365 groups (providing collaboration opportunities), with support for dynamic membership rules and nested groups.

Entity Type Group: IDP_GROUP

Attribute

Type

Required

Description

Note: Some group attributes are only collected when specific configuration options are enabled during Azure integration setup:
allow_external_senders, hide_from_address_lists, and hide_from_outlook_clients require the "Gather Group Extra Information" option
owners requires the "Gather Group Owner Details" option
These options require additional API calls that can significantly increase extraction time. See the

Azure AD Role

Represents administrative roles within Microsoft Entra ID that define permissions for managing tenant resources. Roles can be built-in (predefined by Microsoft) or custom roles created by administrators, and are assigned to users, groups, or service principals to delegate identity management tasks.

Entity Type Group: ROLE

Attribute

Type

Required

Description

Azure AD Enterprise Application

Represents a service principal in Microsoft Entra ID, which is the local representation of an application in a specific tenant. Service principals define what an application can do within your tenant, including what resources it can access and what authentication methods it uses. They serve as the security identity for applications accessing resources secured by Microsoft Entra ID.

Entity Type Group: SERVICE_ACCOUNT

Attribute

Type

Required

Description

Azure AD Device

Represents a device registered or joined to Microsoft Entra ID. Devices can be Azure AD joined, hybrid joined, or registered, and are used in conditional access policies and device-based access controls. Device objects store information about platform, compliance state, and management status for making authentication and authorization decisions.

Entity Type Group: SERVICE_ACCOUNT

Attribute

Type

Required

Description

Azure AD App Role

Represents roles defined within applications for role-based access control (RBAC). App roles allow developers to define authorization parameters within their applications and enable administrators to assign these roles to users, groups, or service principals. When a user signs in, Microsoft Entra ID emits a roles claim for each assigned role, which applications can use for authorization decisions.

Entity Type Group: APPLICATION_ROLE

Attribute

Type

Required

Description

Azure AD Conditional Access Policy

Represents Microsoft Entra ID's policy engine for enforcing security controls based on specific conditions. Conditional Access policies function as if-then statements that evaluate signals (like user, device, location, and risk) when authentication occurs and enforce organizational access requirements such as MFA, device compliance, or session controls before granting access to resources.

Entity Type Group: POLICY

Attribute

Type

Required

Description

Azure AD Domain

Represents a DNS domain associated with a Microsoft Entra ID tenant. Domains are used for user principal names (UPNs), email addresses, and application identifiers. Domains can be the initial onmicrosoft.com domain or custom verified domains that prove ownership of the namespace for use with Microsoft Entra ID services.

Entity Type Group: DOMAIN

Attribute

Type

Required

Description

Azure AD License

Represents a product license assigned to users in Microsoft Entra ID that grants access to Microsoft cloud services and applications. Licenses determine which features and capabilities are available to users, including Microsoft 365 services, Entra ID Premium features (like Conditional Access), and other Microsoft cloud products.

Entity Type Group: ROLE

Attribute

Type

Required

Description

Next Steps: Complete Microsoft 365 Integration

Important for Microsoft 365 Users: If your organization uses Exchange Online for email and collaboration, you should enable the Exchange Online service after completing your Azure AD setup. See the for detailed configuration instructions.

Consider enabling these additional Microsoft 365 services in your Azure integration:

- Email permissions, distribution groups, and mailbox access
- Document and site permissions
- Team channels and collaboration access
Microsoft Intune - Device management and compliance (see )

Adobe Enterprise

Overview

Add Existing AWS Accounts

Integration Details

AWS DynamoDB

Notes

Supported Resources / Sub-resources

AWS KMS

Configuration

AWS RDS PostgreSQL

Prerequisites

Granting Veza Access

IAM Policy for RDS Discovery

Beeline

Overview

Configuring Beeline

Configuring the Beeline Integration on Veza

Notes and Supported Entities

Beeline Employee

Concur

Overview

Confluent

Overview

CSV Upload API

Overview

Using the Upload CSV REST API

Retrieving Integration IDs

Uploading the Data

Example using Curl

Example using Python

DocuSign

Overview

Dropbox

Overview

Jenkins

Overview

Azure SQL Database

Microsoft SharePoint Server

Overview

Prerequisites

Configuring the Azure Integration for SharePoint Server

Okta MFA status

Background

Resolution

Oracle EPM

Overview

AWS DynamoDB

Notes

Supported Resources / Sub-resources

AWS KMS

Configuration

Adobe Enterprise

Overview

Add Existing AWS Accounts

Integration Details

Jenkins

Overview

Veza Setup

Supported Entities

Jenkins User

Jenkins Role

Prerequisites

Finding Your Organization ID

Generating Adobe Credentials

Configuring Adobe Enterprise on the Veza Platform

Verifying the Integration

Notes and Supported Entities

Application

Users

Groups

Built-in Roles and Permissions

Additional Resources

Installation

AWS Configuration

S3 Information

AWS RDS PostgreSQL

Prerequisites

Granting Veza Access

IAM Policy for RDS Discovery

CSV Upload API

Grant `Reader` role to the Azure subscription