Tags

Create, apply, and remove Veza tags

curl 'https://{{VezaUrl}}/api/v1/graph/nodes/veza_tags' \
  --data-raw '{
      "node_id":"arn:aws:s3:::aws-cloudtrail-logs-527398259632-c98becd0",
      "tags":[
          {"key":"custom_tag","value":"one"}
        ]
    }'

Quick Start

For the examples below, BASEURL should be the address of your Veza instance, such as https://<org>.vezacloud.com.

export BASEURL='https://<org>.vezacloud.com'
export TOKEN=Sk9lcmEta2w2c2padklkaDhOcDVhTWdVU3FlTlpVajg=

Use Get Query Spec Nodes to find Snowflake tables reachable by federated Okta users belonging to the Finance department:

curl $BASEURL/api/v1/assessments/query_spec:nodes \
  -H 'authorization: Bearer '$TOKEN \
  --data-raw '{
  "query_type": "SOURCE_TO_DESTINATION",
  "include_nodes": true,
  "source_node_types": {
    "nodes": [
      {
        "node_type": "SnowflakeTable"
      }
    ]
  },
  "destination_node_types": {
    "nodes": [
      {
        "node_type": "OktaUser",
        "condition_expression": {
          "specs": [
            {
              "fn": "CONTAINS",
              "property": "department",
              "value": "Finance"
            }
          ]
        }
      }
    ]
  }
}'

The response will include the table id:

{
  "values": [
    {
      "id": "dn44266.us-east-2.aws.snowflakecomputing.com/database/LOCATION/schema/COUNTRIES/table/USA",
      "type": "SnowflakeTable",
      "properties": {
        "created_at": "2021-05-14T21:18:55Z",
        "name": "USA"
      },
      "destination_node_count": 1,
      "permissions": []
    }
  ],
  "next_page_token": "MzA=",
  "has_more": false
  }

Apply a tag by specifying a key and optional value:

curl $BASEURL/api/v1/graph/nodes/veza_tags \
  -H 'authorization: Bearer '$TOKEN \
  --data-raw '{
  "node_id": "dn44266.us-east-2.aws.snowflakecomputing.com/database/LOCATION/schema/COUNTRIES/table/USA",
  "tags": [
    {
      "key": "department",
      "value": "finance"
    }
  ]
  }'

Remove a tag by providing the entity id and the tag key to delete:

curl $BASEURL/api/v1/graph/veza_tags:remove \
  -H 'authorization: Bearer '$TOKEN \
  --data-raw '{
  "node_id": "dn44266.us-east-2.aws.snowflakecomputing.com/database/LOCATION/schema/COUNTRIES/table/USA",
  "tag_key": "department"
  }'

Tagging is a product capability that allows organizations to add metadata to the entities (such as users, roles, tables, or any other resource or identity) discovered by Veza.

You can filter search results for entities with a given tag, create access workflows based on tags, or use them to add context and notes that other users can view and search by.

To apply a tag, you will need the ID of the node to modify. Calling get query nodes will return IDs as part of the search result. You can also retrieve this value by clicking Show Details for the entity in Authorization Graph, or by checking the ID column in Identity Data Entities or the Query Builder.

Generate a bearer token from Administration > API Keys.

Create, Add, Remove Tag

Create, apply, and remove Veza tags

New in 2022.3.2: Tagging operations are now available as part of the v1/ API set.

Methods

Create Veza Tag

Post {VezaURL}/api/v1/graph/tags

Define a new tag that can be applied to any discovered entity, as a key:value pair. The tag value is optional.

{
    "tag": {
        "key": "note",
        "value": "tags_can_be_used_as_searchable_properties,_or_add_extended_notes"
    }
}

| Parameter | In | Description |
| --- | --- | --- |
| tag | body | Contains a single key:value pair |
| key | body | Max length 255 characters (alphanumeric and _) |
| value | body | Max length 4096 characters (alphanumeric, _ and ,). |

A successful response will be empty ({}).

Add Veza Tag

Post {VezaURL}/api/v1/graph/nodes/tags

Apply one or more tags to an entity by providing an entity ID. A new Tag will be created if one doesn't already exist.

{
    "node_id": "080551dc-aef9-46e4-9654-a6362d7baeee",
    "tags": [
        {
            "key": "PII",
            "value": "GRPC"
        },
        {
            "key": "environment",
            "value": "production"
        }
    ]
}

| Parameter | In | Description |
| --- | --- | --- |
| node_id | body | Veza entity ID |
| tags | body | Array of tags to add |

To retrieve an entity ID, you can use the Query Builder API, or browse the Identity Data Entities catalog.
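
The key and value limits in the Create Veza Tag parameter table can be checked client-side before building an Add Veza Tag body. The following Python is an added example, not Veza's code; it assumes "alphanumeric" means ASCII letters and digits and that an empty key is invalid, and the function names and sample tags are hypothetical.

```python
import json
import re

# Character sets and length limits from the Create Veza Tag parameter table.
# Assumptions: "alphanumeric" is ASCII only, and an empty key is invalid.
KEY_RE = re.compile(r"[A-Za-z0-9_]+")
VALUE_RE = re.compile(r"[A-Za-z0-9_,]*")
MAX_KEY, MAX_VALUE = 255, 4096


def tag_problems(key, value=""):
    """Return the reasons a key/value pair breaks the documented limits."""
    problems = []
    if len(key) > MAX_KEY:
        problems.append(f"key exceeds {MAX_KEY} characters")
    if not KEY_RE.fullmatch(key):
        problems.append("key must be non-empty and use only letters, digits and _")
    if len(value) > MAX_VALUE:
        problems.append(f"value exceeds {MAX_VALUE} characters")
    if not VALUE_RE.fullmatch(value):
        problems.append("value may use only letters, digits, _ and ,")
    return problems


def build_add_tags_body(node_id, tags):
    """Return (JSON body holding the valid tags, {rejected key: reasons})."""
    body = {"node_id": node_id, "tags": []}
    rejected = {}
    for key, value in tags.items():
        problems = tag_problems(key, value or "")
        if problems:
            rejected[key] = problems
            continue
        tag = {"key": key}
        if value:  # the value is optional, so omit it when empty
            tag["value"] = value
        body["tags"].append(tag)
    return json.dumps(body), rejected


# Constructed sample: tags as they might arrive from a cloud provider export.
SAMPLE_TAGS = {
    "environment": "production",
    "cost-center": "4200",         # hyphen is outside the documented key set
    "owner": "alice@example.com",  # @ and . are outside the value set
    "PII": "",
}

if __name__ == "__main__":
    print(build_add_tags_body("080551dc-aef9-46e4-9654-a6362d7baeee", SAMPLE_TAGS))
```

Tags reported in the second return value need renaming or re-encoding before they fit the documented limits.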

Remove Veza Tag

Post {VezaURL}/api/v1/graph/nodes/tags:remove

Remove a tag from an entity.

| Parameter | In | Description |
| --- | --- | --- |
| node_id | body | ID of the entity to modify |
| tag_key | body | Must contain a single tag to remove |

{
	"node_id": "080551dc-aef9-46e4-9654-a6362d7baeee",
	"tag_key": "environment"
}

A successful response will be empty ({}).

Promoted Tags

Operations for adding, removing, and listing tags for entity enrichment.

Tag promotion for Access Reviews is currently available in Early Access. Please contact our support team to enable this capability.

Use these APIs to define the tags Veza should treat as customer-defined properties. Access Reviews that involve these entity types will include columns showing the tag name and value.

For example, in AWS, you may automatically tag identities with a 3rd-party security tool, or use tags to label S3 buckets containing sensitive data. When a tag is promoted, Veza Access Reviews will treat the tag as a built-in entity attribute, and show this information for reviewers in an optional column.

Promote tag

Add a promotion rule by specifying its type and key, and the entity types it applies to:

  • include_entity_types: if true, promote tags for the listed type(s).

  • exclude_entity_types: if true, promote tags for all entities except the listed type(s).

You can promote tags for any integration that supports them, such as Snowflake or Google Cloud. Use Veza tags for integrations that do not support vendor-native tags or when built-in tagging is unavailable. Example tag types:

  • AWSTag

  • CookieTag (Veza Tag)

  • GoogleCloudLabel

Entity types for tag promotion should be concrete types. You can confirm the format by viewing details for any graph node and checking the Type attribute, for example:

  • OAA.PagerDuty.User

  • ActiveDirectoryUser

  • OAA.custom_idp.IDPUser

Demote tag

Remove a promotion rule for the specified tag key and type. Demotions apply on the next data source parse.

List tag promotions

Get all promotion rules for all entity types.

List Tag Promotions

List promoted tags

Responses

  • 200: OK (application/json)

  • default: Default error response (application/json)

Request:

GET /api/preview/graph/tag_promotions HTTP/1.1
Host: 
Authorization: Bearer <API key>
Accept: */*

Response:

{
  "tag_promotions": [
    {
      "tag_key": "text",
      "tag_type": 1,
      "include_entity_types": [
        "text"
      ],
      "exclude_entity_types": [
        "text"
      ]
    }
  ]
}

Promote Tag

Adds a promoted tag. If a promoted tag with the same tag_key and tag_type already exists, a unique constraint error will be returned without modifying the existing promoted tag.

Body

  • tag_key (string, optional): tag_key and tag_type specify the tag to be promoted.

  • tag_type (integer enum, optional)

  • include_entity_types (string[], optional): Only one of include_entity_types and exclude_entity_types should be set. include_entity_types promotes the tag only for the listed types; exclude_entity_types promotes it for any type except the listed types. The types should be concrete types, and OAA types should be supplied with their native type name, i.e. "OAA.ApplicationName.Type".

  • exclude_entity_types (string[], optional)

Responses

  • 200: OK (application/json), response object

  • default: Default error response (application/json)

Request:

POST /api/preview/graph/tag_promotions HTTP/1.1
Host: 
Authorization: Bearer <API key>
Content-Type: application/json
Accept: */*
Content-Length: 95

{
  "tag_key": "text",
  "tag_type": 1,
  "include_entity_types": [
    "text"
  ],
  "exclude_entity_types": [
    "text"
  ]
}

Response:

{}
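
The Promote Tag rules above (one of include or exclude, the OAA type naming, and the unique constraint on tag_key plus tag_type) can be checked against the List Tag Promotions output before sending the request. This Python is an added example, not Veza's code; the function name, the sample promotions and the tag_type integers are constructed placeholders, and the OAA check assumes at least three non-empty dot-separated parts.

```python
import json


def promotion_problems(rule, existing):
    """Return reasons a Promote Tag body is malformed or would be rejected."""
    problems = []
    include = rule.get("include_entity_types") or []
    exclude = rule.get("exclude_entity_types") or []
    if include and exclude:
        problems.append("include_entity_types and exclude_entity_types are both set")
    for entity_type in include + exclude:
        parts = entity_type.split(".")
        # OAA types use their native name, "OAA.ApplicationName.Type".
        if parts[0] == "OAA" and (len(parts) < 3 or not all(parts)):
            problems.append(f"{entity_type!r} is not of the form OAA.ApplicationName.Type")
    ident = (rule.get("tag_key"), rule.get("tag_type"))
    if any((p.get("tag_key"), p.get("tag_type")) == ident for p in existing):
        problems.append("tag_key and tag_type already promoted (unique constraint)")
    return problems


# Constructed List Tag Promotions response; tag_type integers are placeholders.
LIST_RESPONSE = json.loads("""
{"tag_promotions": [
  {"tag_key": "data_class", "tag_type": 1,
   "include_entity_types": ["ActiveDirectoryUser"]}
]}
""")
EXISTING = LIST_RESPONSE["tag_promotions"]

# Constructed candidate rules, one per failure mode plus one clean rule.
CANDIDATES = [
    {"tag_key": "owner", "tag_type": 1, "include_entity_types": ["OAA.PagerDuty.User"]},
    {"tag_key": "data_class", "tag_type": 1,
     "exclude_entity_types": ["OAA.custom_idp.IDPUser"]},
    {"tag_key": "owner", "tag_type": 2, "include_entity_types": ["OAA.User"]},
    {"tag_key": "text", "tag_type": 1, "include_entity_types": ["text"],
     "exclude_entity_types": ["text"]},  # same shape as the placeholder body above
]

if __name__ == "__main__":
    for rule in CANDIDATES:
        result = promotion_problems(rule, EXISTING) or "ok"
        print(rule["tag_key"], rule["tag_type"], result)
```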

Demote Tag

Demotes a promoted tag

Body

  • tag_key (string, optional)

  • tag_type (integer enum, optional)

Responses

  • 200: OK (application/json), response object

  • default: Default error response (application/json)

Request:

POST /api/preview/graph/tag_promotions:demote HTTP/1.1
Host: 
Authorization: Bearer <API key>
Content-Type: application/json
Accept: */*
Content-Length: 31

{
  "tag_key": "text",
  "tag_type": 1
}

Response:

{}